Symantec Security Summary – February 2021

Nation-state attacks escalate. As the New Year kicked off, so did news of cyber-attacks linked to nation states. North Korean hackers were accused of stealing virtual assets worth $316.4 million between 2019 and November 2020, according to a confidential United Nations report. The report, obtained by CNN, accused the North Korean regime of conducting “operations against financial institutions and virtual currency exchange houses” to fund its nuclear and missile programs and to keep the country’s struggling economy afloat.

Links between North Korean hackers and cryptocurrency exchanges have already been credibly established: A 2019 report alleged the heavily-sanctioned nation state had amassed around $2 billion from its infiltration of cryptocurrency exchanges in the preceding five years. And as Broadcom/Symantec research noted, the recent appreciation in the price of Bitcoin means that if that particular cryptocurrency was part of the heist, the illegal bounty is worth far more today than it was when stolen.

Another nation state made a debut in the on-going SolarWinds cyber security saga.  Russia was purportedly behind the massive supply chain hack last December that took aim at high-profile targets like the U.S. Commerce, Treasury, Homeland Security, and Energy departments along with private companies. But now Reuters is reporting that Chinese hackers also got in on the game, choosing a different line of attack. The Russia-backed hackers orchestrated the breach by planting malicious code in software updates to the Orion network monitoring tool, impacting as many as 18,000 customers. However, the suspected Chinese crew exploited a separate software flaw in the SolarWinds platform to break into other government agencies, potentially compromising data on thousands of government employees.

As the fallout from the SolarWinds attack continues, the U.S. court system has ditched electronic submission of legal documents in sensitive cases due to concerns its systems have been compromised. The federal courts handed down an order specifying that any documents that “contain information that is likely to be of interest to the intelligence service of a foreign government” will now go back to having to be printed out and delivered in a physical format.

Apart from these high-profile examples, Iranian state-based hacking groups hit the radar screen, accused of spying on Iranian citizens around the globe, according to research from Check Point and SafeBreach Labs. The so-called Domestic Kitten group, has reportedly been conducting widespread surveillance for the last four years on a target list of about 1,200 individuals using a mobile malware called Furball to carry out its spying. The malware is then spread using phishing, Iranian websites, Telegram channels, and malicious SMS messages and can grab call logs, record communications, even steal files. The same research team highlighted another Iran-linked group, dubbed Infy, which was involved in similar spying campaigns, but with far fewer targets.

In response to heightened activity, the Biden administration is taking steps to improve cyber security measures. At a recent national security speech at the State Department, President Biden said they have “elevated the status of cyber issues within our government” and “are launching an urgent initiative to improve our capability, readiness, and resilience in cyberspace.” As part of the plan, the administration hired National Security Agency (NSA) official Anne Neuberger to serve in the new position of Deputy National Security Adviser for cyber and emerging technology. Previously, Neuberger led the NSA cyber security defense operations and was behind the agency group tasked with protecting the 2018 mid-term elections from Russian interference.

* * * 

Industrial IoT cyber security nightmare. An incident in early February is a nod to future cyber security disasters as more devices and critical civil infrastructure is connected to the Internet. An unknown hacker broker into a water treatment plant in Oldsmar, FL, and took over the controls system to increase the levels of lye in the water to dangerous levels. Luckily, a watchful plant operator saw the breach happening in real-time, shutting the infiltration down and remedying the systems before the public was in danger.

Timing of the breach was also alarming—it occurred the Friday of Super Bowl weekend, which was held in nearby Tampa. The plant has disabled the remote access capabilities for its systems for now and is working with the FBI and Secret Service to investigate.

* * * 

Cyber criminals hit pay dirt. All that ransomware activity seems to be paying off. Despite an overall decline in cyber-criminal activity, payments to ransomware gangs surged during 2020. According to research from Chainalysis, a blockchain analysis firm, ransomware payments using cryptocurrency spiked 311% in 2020, reaching a total volume of $350 million. Profits appear to be concentrated among a core group of attackers—80% of the money gleaned from ransomware attacks has been traced to less than 200 cryptocurrency wallets, the research found.

On the up side, Chainalysis found there is some distance between digital currency transactions and cyber-crime. Cyber-crime transactions using cryptocoins shrunk nearly in half to approximately $10 billion, and because the overall cyptocurrency transaction volumes are up, the share of cyber crime is even smaller ­– now only .34% of transactions in 2020, down from more than 2% in 2019.