Cyber Week in Review: October 22, 2021

Iranian Malware Identified Across the Middle East 

Microsoft has warned that a group linked to Iran has been targeting U.S., European Union, and Israeli defense companies. The group, currently designated DEV-0343, has also targeted geographic information systems and maritime firms throughout the Middle East. The attacks utilized a technique known as “password spraying,” in which hackers attempt to log into an account using a dictionary of thousands of potential passwords. The attack appears to have compromised around 20 of the 250 targeted organizations. The attack comes on the heels of another, more sophisticated attack by an Iranian threat actor known as MalKamak. Cybersecurity firm Cyberreason announced that they had identified a major cyberespionage campaign conducted by MalKamak dubbed Operation GhostShell. Lior Div, the CEO of Cyberreason, called MalKamak a “highly sophisticated” threat actor. The espionage operations appear aimed at aerospace and telecommunications companies across Europe, the Middle East, and North America. MalKamak was able to route its activities through Dropbox accounts, which allowed it to exfiltrate data for over two years before the campaign was detected. 

The Reemergence of DarkSide  

The U.S. Cybersecurity and Infrastructure Security Agency identified a new ransomware-as-a-service group known as BlackMatter in September. Researchers believe BlackMatter is an offshoot of the disbanded DarkSide hacking group, which came to prominence with the hack of the Colonial Pipeline Company in May of 2021. DarkSide disappeared in May 2021 following the Colonial Pipeline hack after it lost access to its servers and cryptocurrency it used to pay its affiliates. BlackMatter’s hacking toolkit carries a number of similarities with the malware deployed by DarkSide, leading researchers to believe the two groups are closely related. BlackMatter appears to have picked up right where DarkSide left off, with an Iowa-based farm service provider targeted by a $5.9 million ransomware attack in September.  

Counter-Ransomware Initiative and Billions of Dollars in Ransomware Payments  

The Biden administration hosted a major summit this past week with thirty other countries in an effort to combat the growing problem of ransomware attacks. The summit notably excluded one of the largest sources of ransomware, Russia. The summit follows a report that companies paid out over $590 million in ransomware payments over the first half of 2021. Treasury Department investigators believe the actual number may be much higher, with over $5.2 billion in Bitcoin transactions being flagged as potential ransomware payments in 2021. This large discrepancy between reported and actual payments may soon be a cause for concern among companies as the Office of Foreign Assets Control (OFAC) recently announced it would tighten enforcement of bans on ransomware payments to groups or nations under sanction. Companies risk running afoul of OFAC’s Specially Designated Nationals and Blocked Person’s List (SDNBP List) if they are found to have made a ransomware payment to a group or individual already on that list. Moreover, if the company paying the ransom does not report the incident to the U.S. government, it risks being added to the SDBNP List itself. 

LinkedIn Shuts Down Localized Platform in China 

Last Thursday, Microsoft-owned professional social media site LinkedIn announced the withdrawal of its localized version in China. In an official LinkedIn corporate blog post, board member Mohak Shroff cited “[a] significantly more challenging operating environment and greater compliance requirements in China” as the primary motivation for the closure of the site  in China. Although the company stated it would continue to provide job search functions for LinkedIn’s 54 million Chinese users, the ending of the social media component reflects the growing pressure from China on the company to censor content and personal profiles as well as increased scrutiny from U.S. policy makers of the company’s compliance with Beijing’s demands. The NBA is also finding itself caught between the two countries as Chinese streaming services pulled the Boston Celtics’ games from the air following player Enes Kanter’s criticism of Xi Jinping and China’s Tibet policy. This looks to be a replay of the 2019 ban of Houston Rockets games after then-General Manager Daryl Morey’s tweet in support of the Hong Kong Anti-Extradition Law protests. American businesses are finding it increasingly difficult to stay out of the political fray between Washington and Beijing. 

Klobuchar and Grassley Push Antitrust Bill 

Senators Amy Klobuchar (D-MN) and Chuck Grassley (R-IA) introduced an antitrust bill to the Senate earlier this week which is aimed at restoring “competition online,” and curtailing the power of dominant technology companies. The bill is sponsored by several other senators on both sides of the aisle. A comparable version of the bill passed the House Judiciary Committee before Klobuchar and Grassley introduced their proposal to the Senate. The legislation would prohibit predatory behavior by large technology corporations and prevent them from using their power to disadvantage smaller companies. The bill was at least partly spurred by the recent testimony of Facebook whistleblower Francis Haugen, whose allegations against the company were published in a series of Wall Street Journal articles. House lawmakers have reportedly met with Haugen and discussed antitrust legislation with her. Klobuchar has argued that social media companies “are broadcasting [harmful] content, and... making money off of it,” and that companies amplify harmful disinformation in a negligent way. The bill is not the first attempt at expanding antitrust legislation, but the revelations of Francis Haugen appear to have re-energized the process.