The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Iranian hackers moonlight their expertise

Analysis by

with research by Aaron Schaffer

September 15, 2022 at 7:21 a.m. EDT

Welcome to The Cybersecurity 202! Is it Friday yet? No, no it's not. But soon.

Below: There's a development in the investigation of breached voting machines in Colorado, and TikTok goes back and forth with the Senate. But first:

Nation-state hacker, cybercriminal, government employee or freelance contractor? Lines are blurry

Yesterday the Justice Department unsealed an indictment alleging that three Iranian men encrypted hundreds of systems around the world and demanded ransoms to unlock them.

But the unsealed indictment said the men did so independently of the Iranian government, while the Treasury Department said they were linked to Iran’s Islamic Revolutionary Guard Corps (IRGC). That called attention to how — for some of the United States’ top adversaries in cyberspace — the lines between nation-state hacker and cybercriminal, between government employee and freelance contractor, aren’t always clear. 

  • “This is not just a ransomware issue. These are Iranian contractors who moonlight their skills but are ultimately associated with a dangerous state security organization,” John Hultquist, vice president of intelligence for the cybersecurity firm Mandiant, said in a story by my colleagues Perry Stein and Ellen Nakashima. “The access they’re gaining is being used for crime, but the IRGC will likely also try to use it for its own interests, perhaps for disruptive attack.”

U.S. officials usually list China, Russia, Iran and North Korea as the nations that pose the most severe cyberthreat to the United States. Researchers and others have pointed to instances of Chinese government hackers moonlighting for profit. The same goes for Russia. And the same apparently goes for North Korea.

And in Iran? Iran’s IRGC and its Ministry of Intelligence and Security are “heavily reliant on third-party contractors,” BAE Systems’ principal threat intelligence analyst Saher Naumaan told CNN’s Sean Lyngaas.

This week’s action

The indictment said the hackers’ victims ranged from a Pennsylvania-based domestic violence shelter to targets in Iran — the latter being one sign that they were working for themselves.

Also Wednesday, U.S. federal agencies and international partners released an advisory about how IRGC-affiliated attackers exploit certain vulnerabilities in their operations; the State Department offered a reward for information on the culprits; and the Treasury Department sanctioned 10 people and two entities for their role in the ransomware intrusions.

Treasury said the indicted Iranians “do not directly align with a named advanced persistent threat group, some of their malicious cyber activity can be partially attributable to several named intrusion sets, such as ‘APT 35,’ ‘Charming Kitten,’ ‘Nemesis Kitten,’ ‘Phosphorus,’ and ‘Tunnel Vision.’” (The term “advanced persistent threat” usually refers to government-backed hackers.)

Wednesday’s action followed a peculiar pattern involving cyber contractors, Reuters’ Chris Bing tweeted:

The joint action comes just days after the Biden administration slapped another set of sanctions on Iran, which followed U.S. ally Albania cutting off diplomatic relations with Tehran due to a July ransomware attack. That attack, though, appeared both targeted and politically motivated, and designed to disrupt rather than reap payouts.

Here’s where the issue of “targeting” becomes informative.

The list of the indicted hackers’ victims is all over the place. That’s because they are likely scanning the internet broadly for vulnerabilities then attacking, rather than picking a target then trying to find a way in. Nation-state cyberespionage operations do, in fact, tend to go after a narrower set of targets that have the information they’re trying to obtain.

Cybersecurity firm Secureworks recently took a look at a group it calls Cobalt Mirage that overlaps with Wednesday’s indictments.

(Humorous aside: One of the indicted hackers, Ahmad Khatibi, apparently left his real name in the author field of a PDF ransom note’s metadata, Secureworks found.)

While some of the group’s work was espionage-focused, “the ransomware attacks could be another source of revenue that they can pursue without fear of prosecution by Iranian law enforcement,” Secureworks wrote.

“They weren’t necessarily going after targets that had any strategic relevance to Iran,” Rafe Pilling, senior security researcher at Secureworks, told me. “They were going after a broad range of organizations that became more clearly financial over time.” Some Iranian groups, he said, instead use ransomware to harass or embarrass targets in places like Israel.

Why it matters whether they’re contractors or not

“I think it’s pretty critical and pretty important that there’s a host of cyber actors that are also involved with the IRGC — sometimes, people colloquially call them contractors — and that function as the long arm of Iranian cyber power,” Behnam Ben Taleblu, a senior fellow at the Foundation for Defense of Democracies think tank, told me. “If you’re interested in curbing Iran’s long arm in cyberspace, going after these contractors has to be priority number one.” 

The keys

FBI seizes Lindell’s phone as it investigates Colorado voting machine breach

MyPillow chief executive Mike Lindell said he was served with a search warrant and grand jury subpoena in the drive-through of a Hardee’s in Mankato, Minn., and agents asked him about Mesa County Clerk Tina Peters, Jon Swaine and Emma Brown report. Peters was indicted in March, when prosecutors accused her of helping an outsider copy data from county election systems last year.

The FBI acknowledged that it served a warrant but declined to elaborate. “Without commenting on this specific matter, I can confirm that the FBI was at that location executing a search warrant authorized by a federal judge,” a spokesperson for the FBI’s Denver field office said in an email.

Lindell told The Post that he wasn’t involved in copying the Mesa County election system and didn't meet Peters until she attended his August 2021 “cyber symposium” in South Dakota. “I have no idea what went on then,” Lindell said. “I have nothing to do with it.”

On his show, Lindell displayed what he said was a copy of the search warrant. It said the FBI was seeking information on tampering of Dominion Voting Systems equipment. The company is suing Lindell, Fox News and other election deniers, arguing that they defamed the company.

“The FBI’s action against Lindell, who has used his multimillion-dollar pillow fortune to finance high-profile films, conferences and other media promoting disinformation about elections, points to a widening of the federal investigation into the alleged breach in Mesa County,” my colleagues write. “The probe is one of multiple investigations underway into alleged security breaches of local elections offices in states also including Michigan and Georgia.”

TikTok declines to restrict access to U.S. data for Chinese employees, says it’s working with U.S. government

Sen. Rob Portman (Ohio), the top Republican on the Senate Homeland Security Committee, pressed TikTok chief operating officer Vanessa Pappas to commit to cutting off its Chinese employees’ access to U.S. user data, but Pappas declined, instead telling Portman that it continues to work with the U.S. government on a deal to protect U.S. user data, Bloomberg News’s Alex Barinka, Emily Birnbaum, and Maria Curi report. Executives from YouTube, Twitter and Facebook parent Meta also testified at the hearing.

The exchange came nearly three months after BuzzFeed News reported that recordings indicated that Chinese engineers had access to U.S. user data. Pappas said at the hearing that the allegations in the report had not been “found.” But she acknowledged that the company has employees in China. Pappas also said TikTok has “very strict access controls” for the data its Chinese employees can access and where that data is stored, in the United States. “Under no circumstances would we give that data to China,” Pappas said.

Lawmakers have zeroed in on TikTok as a potential national security threat. The House Chief Administrative Office last month warned congressional staff of security and privacy risks associated with the app, and said it didn’t recommend downloading or using TikTok, Politico reported.

Companies should automate their cybersecurity tests, U.S. agencies say

In an alert focusing on Iranian cyberthreats, the five U.S. agencies and three foreign partners recommended “continually testing your security program, at scale,” Bloomberg News’s Katrina Manson reports. Too few firms analyze whether they can defend against hackers’ most commonly used tactics and procedures, a CISA official said.

“Automated threat testing is still not very widespread, according to the official, who added that organizations sometimes don’t really follow through after deploying expensive tools on their network and instead just assume they’re doing the job,” Manson writes. “Automating security controls will make it easier to stop attackers from relying on established tactics. The top threat actors are still going back and leveraging vulnerabilities that are up to 10 years and older, warned the CISA official.”

Government scan

CISA floats plan to partner with local universities for '311' cyberattack triage service (The Record)

Global cyberspace

Fears grow of Russian spies turning to industrial espionage (The Record)

Hill happenings

Senators slam social media companies for failure to keep disinformation from going viral (CyberScoop)

Senate committee advances Fick nomination as State Department’s top cyber diplomat (The Record)

Industry report

NSA seeks proposals for contract at heart of Booz Allen antitrust case (C4ISRNET)

Daybook

  • Deputy national security adviser Anne Neuberger speaks at a DefenseScoop event today at 9 a.m.
  • The House Homeland Security Committee holds a hearing on the cybersecurity of industrial control systems today at 10 a.m.
  • A House Oversight and Reform Committee panel holds a hearing on federal IT on Friday at 9 a.m.
  • Rep. Michael R. Turner (Ohio), the top Republican on the House Intelligence Committee, speaks at a Heritage Foundation event on countering foreign misinformation and disinformation while protecting civil liberties Monday at 1 p.m.
  • Juliane Gallina, the associate deputy director of the CIA’s digital innovation directorate, speaks at an INSA event on Tuesday at 9 a.m.
  • The RH-ISAC hosts its cyber intelligence summit Tuesday and Wednesday in Plano, Tex.
  • Your newsletter host moderates a discussion with Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.), the co-chairs of Cyberspace Solarium Commission 2.0, at a Foundation for Defense of Democracies event Wednesday at 8:30 a.m.

Secure log off

Thanks for reading. See you tomorrow.