AboutDFIR.com – The Definitive Compendium Project

InfoSec News Nuggets 12/21/2020

Nuclear weapons agency breached amid massive cyber onslaught

The Energy Department and National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile, have evidence that hackers accessed their networks as part of an extensive espionage operation that has affected at least half a dozen federal agencies, officials directly familiar with the matter said. On Thursday, DOE and NNSA officials began coordinating notifications about the breach to their congressional oversight bodies after being briefed by Rocky Campione, the chief information officer at DOE. They found suspicious activity in networks belonging to the Federal Energy Regulatory Commission (FERC), Sandia and Los Alamos national laboratories in New Mexico and Washington, the Office of Secure Transportation at NNSA, and the Richland Field Office of the DOE. The hackers have been able to do more damage at FERC than the other agencies, and officials there have evidence of highly malicious activity, the officials said, but did not elaborate.


How the US military used a creepy island to test cyberattacks on the grid — in the middle of a pandemic

The U.S. government officials trying to test the country’s ability to respond to a major cyberattack thought they had pulled out all the stops. Engineers had planned to simulate the kind of security incident that would cause an electrical blackout, after all, and had even planned to hold the event on an isolated island off the coast of New York. Even with all that preparation, a once-in-a-century pandemic still wasn’t in the script. Until this year, National Guard personnel, Pentagon contractors and engineers at big U.S. utilities would typically gather in person to run through exercises involving dire scenarios, from a weeks-long power outage to a mock attack on utility computers that appeared to delete data. In October, though, COVID-19 forced planners from the departments of Defense and Energy to figure out how to run the event virtually, with participants plugged in from around the country.


Chinese drone developer DJI added to Commerce Department ‘Entity List’

The US Commerce Department announced Friday that Chinese chipmaker SMIC and a bevy of other Chinese-based technology companies have been added to its Entity List, which includes vendors banned from trading with US companies on the grounds of national security. According to reports, drone developer DJI Technology is among the companies that were just added to the list, presumably for its role in providing drones to the Chinese government. Commerce Secretary Wilbur Ross said the Entity List restrictions are “a necessary measure to ensure that China, through its national champion SMIC, is not able to leverage US technologies to enable indigenous advanced technology levels to support its destabilizing military activities.”


Microsoft Confirms Its Network Was Breached With Tainted SolarWinds Updates

Microsoft confirmed on Friday that its network was among the thousands infected with tainted software updates from SolarWinds, even as new data the company has released suggest the likely Russian actors behind the campaign were focused on a smaller set of targets than originally thought. Microsoft on Friday said that it had detected malicious SolarWinds binaries in its environment, which the company isolated and removed. However, the software giant denied a Reuters report on Thursday that claimed Microsoft’s own products were then used to distribute malware to other organizations in much the same way SolarWinds’ Orion network product management technology was abused. “We have not found evidence of access to production services or customer data,” a Microsoft spokesman says. “Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.” The spokesman says the sources for the Reuters report were likely misinformed or were misinterpreting their information.


Cisco Latest Victim of Russian Cyber-Attack Using SolarWinds

Cisco Systems Inc. was compromised as part of a suspected Russian campaign that has roiled the U.S. government and private sector and left security experts across the country racing to assess the extent of the damage. Some internal machines used by Cisco researchers were targeted, the networking equipment maker said. The company said its security team moved quickly to address the issue and that the “affected software” has been “mitigated.” “At this time, there is no known impact to Cisco offers or products,” the company said in a statement. “We continue to investigate all aspects of this evolving situation with the highest priority.” Cisco used popular software internally from Texas-based SolarWinds Corp. that has been at the center of the attacks so far. Hackers inserted a malicious backdoor into SolarWinds’s Orion software, which they then used as a staging ground for later attacks. SolarWinds customers who accessed updates between March and June were infected with the backdoor — as many as 18,000 customers, according to the company.


Ledger users threaten legal action after hacker dumps personal data

The hacker that breached hardware wallet provider Ledger’s marketing database earlier this year has released personal data for thousands of users, prompting many to threaten the firm with a class-action lawsuit. According to a tweet from network security firm Hudson Rock’s Alon Gal, a hacker allegedly behind the June breach of personal data from hardware wallet provider Ledger has made all the information they obtained available online. This reportedly includes 1,075,382 email addresses from users subscribed to the Ledger newsletter, and 272,853 hardware wallet orders with information including email addresses, physical addresses, and phone numbers.
