The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Cyber world is starting 2022 in crisis mode with the log4j bug

Analysis by

with research by Aaron Schaffer

January 3, 2022 at 7:30 a.m. EST

Welcome back to The Cybersecurity 202! My household managed to see family in Iowa and North Carolina over the holiday break and return to negative coronavirus tests. I wish everyone was so lucky. 

Below: Beijing is monitoring western social media for criticism of the Chinese government, and Missouri's governor is doubling down on dubious claims that a reporter hacked a state website. 

Expect big hacks this year

The cybersecurity world is starting off 2022 in crisis mode. 

The newest culprit is the log4j software bug, which Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly called “the most serious vulnerability I have seen in my decades-long career.” It forced many cybersecurity pros to work through the holidays to protect computer systems at Big Tech firms, large and small companies and government agencies. 

But crises like log4j have become the norm rather than the exception during the past few years. 

Last year kicked off with the SolarWinds hack — a Russian government operation that compromised reams of sensitive information from U.S. government agencies and corporations. The year also began with a raft of baseless election hacking claims from former president Donald Trump and a drive by government officials to defend the election’s credibility. 

The big picture

Digital threats of all sorts are growing far faster than the capability to defend against them. If past is prologue, 2022 is likely to be a year of big hacks, big threats and plenty more crises. 

“We’re always in crisis is the long and short of it,” Jake Williams, a former National Security Agency (NSA) cyber operator and founder of the firm Rendition Infosec, told me. “Anyone looking for calm rather than the storm in cyber is in the wrong field.”

Fast response

There was some good news where log4j is concerned.

Government agencies and Big Tech firms moved rapidly to counteract the worst damage. 

The Department of Homeland Security (DHS) issued an emergency directive on Dec. 17, just days after the bug was discovered, requiring all civilian government agencies to protect against it by Dec. 23. That’s a major shift from just a few years ago when it would have been effectively impossible for the government to implement such a big fix on such short notice. 

When two major bugs known as Shellshock and Heartbleed were discovered in 2014, DHS urged federal agencies to probe their computer systems for the vulnerabilities and protect against them. But the department’s lead cybersecurity agency had far less visibility into other agencies’ computer systems and no authority to mandate that they implement any cyber protections. 

The private sector also moved far quicker to protect its computer systems against log4j than it has in previous years. 

“It’s better than it was in the commercial space,” Williams told me. “It’s not fixed by any stretch of the imagination. But we’re having fire drill after fire drill. We’re used to doing fire drills at this point.” 

But still

A lot of damage has already been done.

  • Hackers penetrated Belgium’s defense ministry using the log4j bug.
  • A Chinese hacking group used the bug to go after at least one large academic institution, the cyber firm CrowdStrike reported.
  • The bug was exploited by numerous ransomware hacking gangs, including one that hit a Vietnamese cryptocurrency platform and demanded $5 million in payment. Other hackers used the bug to steal computing power to mine cryptocurrency.

Log4j is especially dangerous because it affects an incredibly common piece of software code. Log4j is an open-source Java logging library that programs use to record what they have done, and it is bundled into countless other products. The flaw lets an attacker who can get a specially crafted string written into a log, for example through a web form field or a username, make the logging code fetch and run code from a server the attacker controls.

Here’s how my colleagues Tatum Hunter and Gerrit De Vynck described it: “Hackers who try to break into digital spaces to steal information or plant malicious software suddenly have a massive new opportunity to try to get into nearly anywhere they want. That doesn’t mean everything will be hacked, but it just got a lot easier to do so — just as if the locks on half of the homes and businesses in a city suddenly stopped working all at once.”

Most vulnerable computer systems at prominent organizations that face the public Internet have probably been patched at this point, Williams estimated. Those that aren’t patched have almost certainly been penetrated by hackers looking to steal data, steal computing power to mine cryptocurrency or for other nefarious purposes. 

The log4j code is so ubiquitous, however, that it’s likely embedded in many thousands of computer systems that operate internally at companies and where company tech workers have no idea it’s there or how to find it. That means hackers will likely still be exploiting the bug many years into the future. 

The keys

China monitors criticism on Western social media sites

Chinese government agencies are using new and sophisticated systems for monitoring social media sites including Twitter and Facebook, Cate Cadell reports. A Post review of procurement documents for more than 300 Chinese government projects since 2020 included orders for software designed to collect information on foreign targets from several Western sites.

The projects represent an expansion of traditional Chinese state surveillance, which focused its Internet monitoring inward. “They are now reorienting part of that effort outward, and I think that’s frankly terrifying, looking at the sheer numbers and sheer scale that this has taken inside China,” said Mareike Ohlberg, a senior fellow at the German Marshall Fund who has researched China’s domestic public opinion network.

The systems used by state media, propaganda departments, cyber regulators, police and military agencies include:

  • “A $320,000 Chinese state media software program that mines Twitter and Facebook to create a database of foreign journalists and academics;”
  • “A $216,000 Beijing police intelligence program that analyzes Western chatter on Hong Kong and Taiwan;”
  • “A cybercenter in Xinjiang, home to most of China’s Uyghur population, that catalogues the mainly Muslim minority group’s language content abroad.”

Twitter spokesperson Katie Rosborough said the company doesn’t allow developers to use its data sets of public tweets for surveillance purposes. Facebook didn’t respond to requests for comment about whether it is aware of the monitoring or has authorized the contractors to collect data.

Chinese police are also using advanced software, databases and public records to track critics overseas, the New York Times’s Muyi Xiao and Paul Mozur report. Contractors have used hacked databases on the dark web and other resources to find the authors of posts that get the attention of Chinese authorities, a contractor who spoke with The Times said.

Missouri's governor is doubling down on dubious claims a newspaper reporter hacked a state agency

Gov. Mike Parson (R) expects prosecutors to charge the reporter with breaking state hacking laws, the St. Louis Post-Dispatch’s Jack Suntrup reports. In October, Parson called the reporter a “hacker” after he reported on a vulnerability in publicly visible source code for a state website that exposed the Social Security numbers of 100,000 school employees. The reporter alerted the state education agency about the vulnerability and held off publishing until it was fixed — a common best practice in cybersecurity research that reduces chances malicious hackers will steal the information. 

The Missouri Highway Patrol recently completed its investigation into the matter, which was turned over to a prosecutor, Suntrup reports.

Missouri’s Department of Elementary and Secondary Education (DESE) initially planned to thank the reporter for finding the vulnerability, according to emails obtained by the Post-Dispatch. The FBI told the state that the incident was “not an actual network intrusion” and that it was caused by a “misconfigured” database, the outlet reported. 

The Post-Dispatch has blasted Parson’s assertion that its reporter hacked a government site. “Here, there was no breach of any firewall or security and certainly no malicious intent,” Post-Dispatch attorney Joe Martineau previously told journalist Brian Krebs. “For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.”

NSO Group’s Pegasus spyware was put on devices belonging to murdered journalist's wife and Polish opposition politicians

Hanan Elatr is haunted by the killing of her husband. Now, she has learned that a UAE agency put Pegasus spyware on her phone months before his murder. (Video: Jon Gerberg/The Post)

Researchers found evidence of an attempt to install Pegasus on a phone belonging to murdered Washington Post columnist Jamal Khashoggi’s widow Hanan Elatr, Dana Priest reports. They linked the attempted infection to a United Arab Emirates customer of NSO.

The revelation challenges NSO Group’s assertion that Elatr wasn’t targeted with Pegasus. NSO denied the latest report. NSO attorney Thomas Clare said “The Post’s continued efforts to falsely connect NSO Group to the heinous murder of Mr. Khashoggi are baffling.” 

Researchers also found that three Polish opposition figures were hacked with Pegasus. The victims blamed the hacks on Poland’s government, the Associated Press’s Vanessa Gera and Frank Bajak report. The revelations are “unprecedented” and represent the “biggest and deepest crisis of democracy after 1989,” when the country transitioned from communism to democracy, said Donald Tusk, the leader of Poland’s main opposition party. Tusk called for a parliamentary commission to investigate the NSO revelations.

The odds of such a move succeeding seem slim because the country’s ruling party has a parliamentary majority. Polish Prime Minister Mateusz Morawiecki called the accusations “fake news,” and prosecutors have declined to investigate, Reuters reported.

The U.S. government has blacklisted NSO, finding that its spyware was used to “maliciously target” government officials, activists and journalists. Check out The Post’s extensive coverage of Pegasus here.

Chat room

Hollywood icon Betty White, who died last week at the age of 99, advocated for cybersecurity protections in public service announcements tied to National Password Day.


Global cyberspace

Israel's Jerusalem Post website hacked on Soleimani assassination anniversary (Reuters)

Iranian hackers behind Cox Media Group ransomware attack (The Record)

Cyber attack on UK's Defence Academy had 'significant' impact, officer in charge at the time reveals (Sky News)

Portugal's Impresa media outlets hit by hackers (Reuters)

National security watch

As omicron washes over America, much of the country still isn’t using exposure notification apps (Gerrit De Vynck and Cat Zakrzewski)

U.S. Restrictions Push Huawei’s Revenue Down by Nearly a Third (Wall Street Journal)

Cyber insecurity

Photography site Shutterfly is dealing with a ransomware attack (CyberScoop)

Daybook

  • The Atlantic Council hosts an event on the next National Defense Strategy on Wednesday at 2 p.m.

Secure log off

Thanks for reading. See you tomorrow.