- The Strategist - https://www.aspistrategist.org.au -

Cyber wrap

Posted By on May 25, 2016 @ 10:59

Following costly compromises in Bangladesh [1], Vietnam [2] and Ecuador [3], Gottfried Leibbrandt, CEO of international bank settlement company Swift has told a conference in Brussels [4] that cyber threats are his main source of anxiety. In his speech Leibbrandt outlined the organisation’s response to the cyber security breaches that have seen millions of dollars stolen. According to Leibbrandt, Swift plans to harden its security requirements, require certification for third party providers, assist members to identify suspicious behaviour, and develop security audit frameworks to ensure new security controls are properly implemented.

Swift has also criticised some members [5] for being slow to report cyber security incidents affecting the network. Internationally, data breach notification requirements are inconsistent and there is disagreement about whether mandatory breach reporting has value. In The Wall Street Journal [6], Denise Zheng from CSIS and Andrea Castillo from George Mason University have discussed the case for and against mandatory data breach notifications. Zheng says that requiring companies to disclose breaches improves collective cyber security responses, but Castillo believes that regulating breach disclosure could weaken the ability of companies to properly investigate and respond to cyber threats. In Australia, the Privacy Amendment (Notifications of Serious Data Breaches) Bill [7] is expected to be introduced into Parliament later this year [8]. The Bill includes mandatory data breach disclosures and notifications for customers whose data is lost in cyber security incidents.

James Clapper, the US Director of National Intelligence, told Congress back in 2015 [9] that Russia had surpassed China as the US’s principal cyber threat, even though Russian hackers have been notoriously hard to detect [10]. This week Switzerland’s CERT.ch has revealed [11] that one of the country’s top defence, aerospace and technology firms, Ruag [12], had been compromised for at least two years by an APT [13], most likely linked to the Russian Turla APT [14]. CERT.ch was apparently monitoring the breach for some time to gather evidence about the APT’s tactics and techniques, but this was cut short after a media leak earlier this month [15]. CERT.ch characterised the actor responsible [16] as extremely patient and deliberate, moving carefully through the company’s network and identifying individuals so that they could specifically target only those with valuable information. System logs revealed at least five occasions last year when significant amounts of Ruag’s data was exfiltrated using proxy servers [17].

Not to be outdone, a Chinese APT dubbed ‘Ke3chang’ by FireEye [18] has reappeared two and a half years after it was first detected targeting European foreign ministries just before the G20 summit. [19] Palo Alto’s Unit42 [20] has found evidence [21] that Ke3chang has reengineered a remote access tool into a new tool called TidePool in order to target 30 Indian embassies around the world. Ke3chang distributes TidePool by spoofing emails [22] from other embassy employees to induce their targets to open infected attachments. The vulnerability used (CVE-2015-2545 [23]) has also recently been used by another hacker group against anti-China protesters in Hong Kong [24].

Moving across the ditch, Andrew Hampton, the new head of New Zealand’s signals intelligence organisation GCSB, has told stuff.co.nz [25] that one of the ‘more disturbing revelations’ of his first month at the helm was the scale of the cyber threat that his agency deals with. Hampton revealed that GCSB detects an average of seven serious cyber incidents per month, in addition to about 12 reports from other agencies of less serious incidents. He characterised the actors responsible as ‘foreign sourced, complex and persistent’. Hampton is a career public servant, but unusually for his role [26] has no previous experience in intelligence or security.

And finally, the status of the US Cyber Command is again under examination [27], as Congress debates a measure in the National Defense Authorisation Act (NDAA) that would elevate Cyber Command to the status of Unified Combatant Command [28], equivalent to Pacific Command or Central Command. The measure was passed by the House [29], but is absent from the Senate’s version of the Bill [30], and the White House has opposed [31] its inclusion in the NDAA. Cyber Command is currently a Sub-unified Command of Strategic Command, while its commander Admiral Mike Rogers is dual-hatted as Director of the NSA. Rogers has lobbied for Cyber Command to be taken out of Strategic Command as it would allow more control over its strategic priorities and budget measures which he believes [32]  will allow it to better respond to cyber threats.



Article printed from The Strategist: https://www.aspistrategist.org.au

URL to article: https://www.aspistrategist.org.au/cyber-wrap-121/

URLs in this post:

[1] Bangladesh: http://www.reuters.com/article/us-usa-nyfed-bangladesh-malware-exclusiv-idUSKCN0XM0DR

[2] Vietnam: http://arstechnica.com/information-technology/2016/05/1b-bangladesh-hackers-implicated-in-attack-on-vietnamese-bank-sony-hack/

[3] Ecuador: http://www.wsj.com/articles/lawsuit-claims-another-global-banking-hack-1463695820?mg=id-wsj

[4] has told a conference in Brussels: http://www.ft.com/intl/cms/s/0/3dd3713c-210b-11e6-aa98-db1e01fabc0c.html#axzz49Yxie7jK

[5] criticised some members: http://www.ft.com/cms/s/0/3ef881ea-1e83-11e6-b286-cddde55ca122.html#axzz49V7SlQFE

[6] The Wall Street Journal: http://www.wsj.com/articles/should-companies-be-required-to-share-information-about-cyberattacks-1463968801?mg=id-wsj

[7] Privacy Amendment (Notifications of Serious Data Breaches) Bill: https://www.ag.gov.au/consultations/pages/serious-data-breach-notification.aspx

[8] later this year: http://www.theaustralian.com.au/business/technology/cybersecurity-bill-a-wakeup-call-james-north/news-story/211b0d25ee412bf608fd32e5a0b35eba

[9] told Congress back in 2015: http://www.techtimes.com/articles/35965/20150227/cyber-attack-bigger-threat-than-isis-says-u-s-spy-chief.htm

[10] hackers have been notoriously hard to detect: http://freebeacon.com/national-security/obamas-diplomacy-dominated-policy-ignores-growing-russian-cyber-danger/

[11] has revealed: http://news.softpedia.com/news/swiss-cert-reveals-two-year-old-cyber-espionage-campaign-against-army-contractor-504385.shtml

[12] Ruag: http://www.ruag.com/

[13] APT: https://en.wikipedia.org/wiki/Advanced_persistent_threat

[14] Turla APT: http://news.softpedia.com/news/russian-hacking-group-uses-satellites-to-hide-c-c-servers-491352.shtml

[15] media leak earlier this month: http://www.swissinfo.ch/eng/ruag-affair_sensitive-personal-information-likely-hacked/42140796

[16] characterised the actor responsible: https://www.govcert.admin.ch/blog/

[17] using proxy servers: https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/

[18] dubbed ‘Ke3chang’ by FireEye: https://www.fireeye.com/blog/executive-perspective/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html

[19] targeting European foreign ministries just before the G20 summit.: http://news.softpedia.com/news/Five-European-Countries-Targeted-by-Chinese-Hackers-Before-G20-Summit-Reuters-407855.shtml

[20] Palo Alto’s Unit42: http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/

[21] found evidence: http://news.softpedia.com/news/ke3chang-is-back-and-it-s-targeting-indian-embassies-around-the-globe-504372.shtml

[22] spoofing emails: https://en.wikipedia.org/wiki/Email_spoofing

[23] CVE-2015-2545: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2545

[24] anti-China protesters in Hong Kong: http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/

[25] stuff.co.nz: http://www.stuff.co.nz/national/politics/80305653/Cyber-attacks-a-constant-threat-says-GCSB-boss

[26] unusually for his role: http://www.stuff.co.nz/national/politics/80303385/new-gcsb-director--a-consummate-public-servant

[27] under examination: http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=2000

[28] that would elevate Cyber Command to the status of Unified Combatant Command: http://thehill.com/policy/cybersecurity/280711-week-ahead-cyber-command-in-the-spotlight

[29] House: http://www.scmagazine.com/us-cyber-command-elevated-to-unified-command-unit-white-house-objects/article/497490/

[30] Senate’s version of the Bill: https://fcw.com/articles/2016/05/23/congress-ndaa-cyber.aspx

[31] White House has opposed: https://fcw.com/articles/2016/05/17/white-house-ndaa.aspx

[32] he believes: http://www.baltimoresun.com/news/maryland/politics/bs-md-cyber-command-combatant-command-20160522-story.html

Copyright © 2020 The Strategist. All rights reserved.