Weekly Cyber Risk Roundup: Spain-Catalonia Conflict Goes Digital, Russian Hacking Revealed

The Spanish government was the week’s top trending cybercrime target due to a series of distributed denial-of-service (DDoS) and other attacks that were orchestrated by the hacktivist group Anonymous.


Anonymous’ campaign against the Spanish government comes on the heels of Catalonia’s recent referendum on independence. As Miguel-Anxo Murado wrote in The New York Review last month, the multi-year independence movement finally came to a head in October as secessionists ignored both a ban placed on the vote by the Spanish Constitutional Court and the threat of police action, and voted for independence.

That vote led to “mayhem,” Murado wrote, resulting in almost nine hundred people being injured throughout Catalonia as Spanish police confronted protesters and stormed polling stations in order to seize the ballot boxes. On Sunday, Reuters reported that Spain had issued arrest warrants for ex-Catalonia leader Carles Puigdemont and four associates on charges of rebellion and sedition related to the push for secession.

The independence movement has also been accompanied by what one Washington Post editorial described as “The great Catalonian cyberwar of 2017.” According to the Post, Spanish courts and authorities have in the past few months ordered telecom companies to shut down websites pertaining to the vote and forced Google Play to remove an app related to the referendum. 

Scattered cyber-attacks have occurred as the issue unfolded over the past couple months; however, attacks ramped up towards the end of October as Anonymous groups on Twitter and elsewhere urged others to join the #FreeCatalonia campaign, which resulted in numerous organizations being targeted with DDoS attacks, website defacements, and other low-level malicious activity.


Other trending cybercrime events from the week include:

  • Extortion attacks: TheDarkOverlord said it hacked the customer database of Hollywood production studio Line 204, and the group is threatening to leak the company’s internal client data, which includes contracts, files, invoices, and more. The group told media outlets that it will leak the data if it does not receive an unspecified ransom, a threat the group has made to numerous other hacked organizations. A malicious actor has released the personal information of 29 University of the Fraser Valley students and is threatening to release more data if the school does not pay a $30,000 ransom.
  • Data leaked: Information related to 46.2 million Malaysian mobile phone numbers that was taken from Malaysian telephone companies and mobile virtual network operators in 2014 has leaked, and the data appears to have been traded among multiple malicious actors. An unnamed third party contractor for government agencies, a bank, and a utility exposed the details of 48,270 Australian employees due to a publicly accessible Amazon S3 bucket.
  • Third-party-related breaches: Malicious actors used information apparently stolen in another breach to create Iowa Public Employees Retirement Systems accounts for individuals who had never created one, and they used those accounts to steal pension checks by redirecting them to different bank accounts. Kimberly-Clark is notifying a “small number” of customers that their personal information may have been compromised due to attacks that targeted registered accounts using a list of credentials leaked in other data breaches not related to the company. Midland County in Texas said a third-party payment system used to pay fines may have been compromised resulting in an undisclosed number of individuals having their payment card information stolen.
  • Other data breaches: North Korean hackers were likely behind an April 2016 hack of Daewoo Shipbuilding & Marine Engineering that led to the theft of sensitive documents. Catholic Charities for the Diocese of Albany said that the personal information of clients and some employees was compromised due to hackers gaining access to a server. The certified public accountants Chiorini, Hunt & Jacobs are notifying customers that their personal information may have been compromised due to three email accounts being accessed. The Union Labor Life Insurance Company is notifying customers that their information may have been compromised when an unauthorized third party briefly gained access to an employee’s email account and used that account to send spam messages that contained PDF documents with links to malicious sites.
  • Other notable incidents: Numerous art galleries confirmed they were targeted by business email compromise scams that hijacked email communications and requested payment details be changed in order to steal amounts up to £1 million. T-Mobile said it has called all of the few hundred customers targeted by malicious actors with attempts to “swap” the victims’ SIM cards and impersonate them. An unspecified cyber attack at the Oklahoma Corporate Commission led to its network being shut down for a week. A former University of Iowa student used keyloggers to steal credentials, access 250 student and faculty accounts, and then change his grades and access his exams early.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

The investigation into Russia’s alleged election-related hacking brought several new developments this past week.

For starters, the Wall Street Journal reported that the Justice Department has identified at least six members of the Russian government connected to the Democratic National Committee (DNC) hack, and evidence is being assembled to potentially bring official charges against those individuals next year. The WSJ said that dozens of others may have played a role in the hack; however, prosecutors may wait to identify some or all of those involved until Special Counsel Robert Mueller’s ongoing investigation into alleged Russian hacking is complete.

The Mueller investigation has already resulted in several indictments as well as a guilty plea for lying to the FBI from George Papadopoulos, who served as a foreign policy advisor for the Trump campaign. The guilty plea has some overlap with the hacked emails, as court documents state that an overseas professor Papadopoulos met with multiple times “told him about the Russians possessing ‘dirt’ on then-candidate Hillary Clinton in the form of ‘thousands of emails.’”

A Sunday report from the Associated Press lays out the timeline of Russia’s hacking attempts, and that campaign appears to have begun with phishing emails sent to a list of email addresses tied to staffers of Hillary Clinton’s 2008 campaign. Most of those emails bounced back, but one of those staffers who had also joined the 2016 campaign ended up clicking on multiple phishing links — possibly providing the attackers with a fresh batch of email addresses to target. More than a dozen Democrats were ultimately hacked, including John Podesta. One of Podesta’s hacked emails was the first document published by Guccifer 2.0, although it was altered: Guccifer 2.0 airbrushed the word “CONFIDENTIAL” onto the document and claimed it came from the DNC rather than Podesta in order to entice reporters.

APT28, the group tied to the hacks, had wide-reaching targets far beyond the U.S. election, the AP reported. The group targeted the Gmail accounts of 4,700 users spread across 116 countries, including Ukrainian officers, Russian opposition figures, U.S. defense contractors, and thousands of others of interest to the Kremlin. In the U.S., the targets included diplomatic and military officials, defense contractors such as Boeing, Raytheon, and Lockheed Martin, some Republicans, and more than 130 Democratic Party workers.

Weekly Cyber Risk Roundup: More POS Breaches and the Rise of Destructive Attacks

Massive distributed denial-of-service attacks and data breaches remained front and center in SurfWatch Labs’ cybercrime data this week as old attacks against Brian Krebs, OVH, Yahoo and others continued to be heavily discussed. But looking beyond those headline-grabbing stories, the data also reflects a surge in reports of stolen payment card information.

On Tuesday, University of Central Florida police announced they were able to tie a recent surge in fraud reports to malware on the systems of AD Food Services, which operates Asian Chao, Huey Magoo’s and the Corner Café in the Student Union.

On Wednesday, luggage and handbag company Vera Bradley announced a breach affecting retail stores. Law enforcement notified the company of a potential issue on September 15, and it was discovered that payment cards used at store locations between July 25, 2016, and September 23, 2016, may have been affected.

On Thursday, it was reported that Dutch developer Willem de Groot discovered skimming scripts on more than 6,000 online stores running vulnerable versions of the Magento e-commerce platform. The active operation is adding 85 stores each day, and de Groot estimates that the number of stolen cards is in the hundreds of thousands.

In addition, American 1 Credit Union in Michigan announced last week that it is temporarily blocking payments to all Wendy’s franchise locations due to ongoing fraud issues. Community members are reporting fraudulent activity on newly issued payment cards used at Wendy’s, suggesting that the malware issue may be ongoing for the fast-food chain. Like other credit unions, American 1 Credit Union reported its total losses related to the Wendy’s data breach are growing beyond the losses incurred from the 2014 Home Depot breach.


Other trending cybercrime events from the week include:

  • TheDarkOverlord extortion demands continue: Peachtree Orthopedic Clinic in Atlanta is notifying patients of a data breach after discovering unauthorized access into its computer system. After the clinic’s announcement, the actor known as TheDarkOverlord leaked documents allegedly stolen from the clinic and announced they had another 543,879 records containing personal and health information. Athens Orthopedic Clinic, another victim of TheDarkOverlord, confirmed that TheDarkOverlord demanded nearly $400,000 in ransom for the stolen patient data and threatened to call patients and publicly name the company if the clinic didn’t comply with the extortion demands.
  • Another massive breach reported: A hacker going by the name “0x2Taylor” has released 58 million records claiming to be stolen from Modern Business Systems (MBS), which offers in-house data management and monetization solutions to companies. MBS has not publicly confirmed the data breach, but researchers have confirmed that MBS was running an unsecured MongoDB database as the hacker suggested. The hacker also shared a screenshot indicating he or she has another database containing 258 million rows of data.
  • Beware of social engineering: An employee who clicked on a link that appeared to be for a Dropbox file led to a hacker targeting a customer of garden furniture company Gaze Burvill and requesting payment of £7,148 to a fraudulent bank account. Australian not-for-profit health fund CBHS said an unnamed third party has been breached and is warning customers to be on the lookout for phishing emails. The Clinton Foundation is warning that donors are being targeted with phishing messages. Indian police are investigating about 700 people over a scam in which workers posed as IRS officials and duped U.S. citizens out of tens of millions of dollars. A Connecticut man has been charged with stealing login credentials from users of Dark Web marketplaces using a combination of phishing pages and port forwarding, and then using those credentials to steal bitcoins.
  • Effective backups thwart ransomware: Hutchinson Community Foundation was infected with ransomware on September 19, but it was able to fully recover the data from backups without paying a ransom. Nevertheless, the foundation is notifying donors, vendors and other stakeholders that information may have been compromised during the attack.
  • Hackers continue to target U.S. political figures: The Twitter account of Hillary Clinton’s campaign chief, John Podesta, was hijacked and used to urge followers to vote for Donald Trump. In addition, screenshots circulating online suggest that Podesta’s iCloud account may have been compromised. Users on 4chan claimed that Podesta’s iCloud password, which was published by WikiLeaks, was still working; however, WikiLeaks said that it made sure the credentials were changed.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below. 


Cyber Risk Trends From the Past Week

SurfWatch Labs industry risk scores remained fairly stable. Other Organizations (+0.8%) – which includes groups such as education, advocacy and political parties – was the only sector to see a noticeable increase in risk score compared to the previous week.


Nation-state hacking remains one of the most talked about cyber risks, and that discussion grew more intense as the U.S. presidential election moved into its final month. On Friday, the U.S. formally accused the Russian government of orchestrating the recent attacks against the Democratic National Committee and others in an effort “to interfere with the U.S. election process.” A statement from Director of National Intelligence James Clapper and the Department of Homeland Security said that they believe only Russia’s senior-most officials could have authorized the hacking efforts. That public accusation was followed by promises of a “proportional” response against Russia; however, White House Press Secretary Josh Earnest added that “it is unlikely that our response would be announced in advance.”

The U.S. isn’t the only country facing nation-state espionage. A Wednesday report from the Australian Cyber Security Centre said the 2015 hacking of the Australian Bureau of Meteorology’s network was carried out by foreign adversaries. That attack compromised government systems and led to the theft of sensitive documents, and after the attack officials estimated it would cost millions of dollars to plug the related security holes. The report also said that the attacks demonstrate a willingness of actors to use disruptive and destructive measures when targeting organizations.

That destructive nature is demonstrated by the April 2015 attack on France’s TV5Monde. A recent investigation linked the incident to the Russian hacking group APT28 and revealed that the attack, which knocked 12 channels off the air, was designed to destroy the TV network. The attack turned out to be more sophisticated than initially reported, with the network first being infiltrated in January 2015 in order to conduct reconnaissance on the way TV5Monde broadcast TV signals. Seven points of entry were used, including a Netherlands-based company that supplied the remote-controlled cameras used in the network’s studios. According to the BBC, the attackers then fabricated malware designed to corrupt and destroy the Internet-connected hardware that controlled the TV station’s operations.

“It’s the worst thing that can happen to you in television,” Yves Bigot, the director-general of TV5Monde told the BBC. “We were a couple of hours from having the whole station gone for good.”

These attacks, ranging from influencing elections to destroying TV networks, are believed to be carried out by nation-states or other advanced actors who are increasingly using those disruptive and destructive tactics to achieve their goals – and with the U.S. promising retaliatory attacks, we can expect to see more such attacks in the near future.

WADA, Presidential Election Highlight Threat of Data Being Altered

Last week the World Anti-Doping Agency (WADA) released an update about its investigation into the recent hack and subsequent leaks of Olympic Athletes’ confidential information, and one of the more interesting revelations was that some of the stolen data may have been manipulated prior to being leaked.

“WADA has determined that not all data released by Fancy Bear (in its PDF documents) accurately reflects ADAMS [Anti-Doping Administration and Management System] data,” the agency wrote in a blog post. “However, we are continuing to examine the extent of this as a priority and we would encourage any affected parties to contact WADA should they become aware of any inaccuracies in the data that has been released.”

WADA did not elaborate on which athletes’ data may have been altered or provide any other explanations for the discrepancies, but it does highlight a unique cybersecurity concern that has surfaced recently: threat actors manipulating stolen data in order to increase the fallout from a breach.

A History of Fake and Exaggerated Breaches

Hackers have a long history of re-purposing data in order to claim new attacks.

Just last week the actor known as Guccifer 2.0 posted a dump of data allegedly stolen from the Clinton Foundation, claiming that “it was just a matter of time to gain access to the Clinton Foundation server.” However, a variety of news outlets have since reported the data appears to be from a previous hack of the Democratic Congressional Campaign Committee and the Democratic National Committee — not the Clinton Foundation. Prior to that there was a Pastebin post alleging a “full database leak” at cryptocurrency exchange Poloniex. Once again, the company was quick to dispute the claim, posting on social media that the data was actually from another company’s breach a year prior.

[Image: Tweet from Poloniex Exchange]

Claims of fake or exaggerated data breaches are troublesome for organizations, but they’re not as insidious as the manipulation of legitimate data.

“Imagine trying to explain to the press, eager to publish the worst of the details in [leaked] documents, that everything is accurate except this particular email. Or that particular memo,” security blogger Bruce Schneier wrote last month. “It would be impossible. Who would believe you? No one.”

WikiLeaks, Sputnik News and Donald Trump

An example of this potential issue was highlighted yesterday through a combination of WikiLeaks, Russia’s Sputnik News, and Donald Trump. On Monday morning, WikiLeaks released 2,000 emails that appear to be from the account of Hillary Clinton’s campaign chairman, John Podesta. One of those emails was from Clinton ally Sidney Blumenthal and contained a Newsweek article about the Benghazi hearings. Sputnik News then incorrectly reported on the email — either intentionally or as a result of sloppy journalism — quoting the Newsweek article email as if it were Blumenthal’s own thoughts on the subject. Hours later, Donald Trump quoted that false Sputnik News article at a rally in Wilkes Barre, Pennsylvania, telling the crowd that Blumenthal said the “attack was almost certainly preventable” and that Blumenthal was “now admitting they could have done something about Benghazi.”

That falsehood could be the result of the miscommunication inherent in a game of telephone — from Podesta’s email to WikiLeaks to Sputnik News to Donald Trump to the booing crowd — or it could be, as the author of the original Newsweek article suggested, an intentional effort from Russia.

This is not funny. It is terrifying. The Russians engage in a sloppy disinformation effort and, before the day is out, the Republican nominee for president is standing on a stage reciting the manufactured story as truth. How did this happen? …

The Russians have been obtaining American emails and now are presenting complete misrepresentations of them—falsifying them—in hopes of setting off a cascade of events that might change the outcome of the presidential election.

It was just last week that Congressman Adam Schiff put forth this very idea in The New York Times. Russia could take already-stolen emails, alter them, and give the impression that one of the presidential candidates had done something outrageous or illegal, potentially altering the election.

The Blumenthal story was quickly corrected by viewing the source email on WikiLeaks, but what if the source itself had been altered? In a dump of 2,000 legitimate-looking emails, who would believe that one email, or one line within an email, was altered?

As Schneier wrote: “No one.”

Tactic Beyond Nation-States?

The examples cited above have been extremely high-profile events. Leaked data tied to the Olympics or a presidential race faces a far higher level of journalistic scrutiny than an ordinary dump of company documents, communications or other internal data. For those breached organizations, proving that leaked data was altered may be more difficult, and it may prove harder still to spread news of that proof without a media echo chamber to amplify that message.

While altering data may not be the most profitable avenue for cybercriminal groups, not all threat actors are concerned about profits. Hacktivists could alter data to create a scandal for political purposes. Malicious insiders may manipulate leaked communications to embarrass an executive or otherwise harm their organization. Competitors may tweak stolen documents to damage their rivals’ reputation and steal customers.

Even those motivated by profit may find ways to incorporate data alteration into their toolset. Data destruction has quickly become a common tag in SurfWatch Labs’ cyber threat intelligence data due to the surge in ransomware infections in recent years, and actors who are demanding tens or hundreds of thousands of dollars in extortion are likely to use every tool available to them to push organizations towards paying ransoms.

Many of the stories related to altered data currently revolve around nation-states, but like everything in cybersecurity, copycats can be expected if it proves to be a successful tactic. It’s just one more cyber risk facing organizations — and one more reason to prioritize keeping your organization’s data safe from malicious actors.

Hacking the Presidency: Will Data Breaches Help Decide the 2016 Presidential Election?

The 2016 presidential election hasn’t been without controversy. Both candidates have blemishes on their records that have left many Americans with a bitter pill to swallow when voting comes in November, and cybersecurity has been put front and center in a way never before seen in a U.S. election. Email hacks, data breaches, cybersecurity ineptitude — they’re not just conversation topics among infosec wonks, but major campaign talking points.

Cybercrime has already infiltrated many facets of our everyday lives. Account information, payment card information, trade secrets, and more are regularly obtained and sold like merchandise on underground markets. Cyber-espionage also remains a huge threat as organizations and governments attempt to secure their precious secrets. With such a divided nation over who will become our next president, could the recent data breach of Democratic National Committee (DNC) data be a sign of what’s to come in this election?

More importantly, could this be the first presidential campaign ultimately swung by leaked information obtained in a data breach?

The information released by WikiLeaks from the DNC email breach caused an uproar from American citizens as the emails released showed a clear bias for Hillary Clinton over Bernie Sanders — a claim made by the Sanders campaign months before the DNC data breach. While none of the DNC information shows correspondence from Hillary Clinton directly, the DNC breach — along with other related cybersecurity issues — has had a big impact on Clinton’s polling numbers. However, the latest polls show Clinton above Trump by a favorable margin.

Clinton isn’t out of hot water yet. WikiLeaks founder Julian Assange told PBS’s Judy Woodruff in a recent interview that there would be more information released that will negatively affect Clinton’s campaign:

It’s a wide range of material. It covers a number of important issues. There’s a variety of natural batches and some thematic constellations that we’re working on.

It’s interesting material. We have done enough work now that we are comfortable with the material’s authenticity. And so now it’s a matter of completing the format, layout to make it easy and accessible and so that journalists can easily extract material from it, extract stories from it, and also the general public.

DNC Fallout from Breach

DNC chairwoman Debbie Wasserman Schultz announced her resignation as national party chair following the leak of the stolen DNC emails. Since the Democratic National Convention has wrapped up, more high-profile DNC officials have announced their resignation as well.

Chief Executive Amy Dacey, Chief Financial Officer Brad Marshall, and Communications Director Luis Miranda have all resigned just days after a new chair took over for Schultz. Luis Miranda was one of the key figures whose email account was breached and leaked by WikiLeaks.

The rest of the DNC members whose accounts were hacked have not resigned, including National Finance Director Jordan Kaplan, Finance Chief of Staff Scott Comer, Finance Director of Data & Strategic Initiatives Daniel Parrish, Finance Director Allen Zachary, Senior Advisor Andrew Wright, and Northern California Finance Director Robert Stowe.

Donald Trump in the Mix

During the DNC breach investigation, evidence was discovered linking Russia to the cyber-attack. Based on this information, Trump called for Russia to conduct cyber-espionage against Hillary Clinton:

“Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing,” Trump said referencing Clinton’s email scandal. “I think you will probably be rewarded mightily by our press.”

Trump later said he was kidding about his comment.

Not every politician found his remarks funny. Democratic Senators Chris Coons of Delaware and Sheldon Whitehouse of Rhode Island recently petitioned Senator and former Presidential candidate Ted Cruz to conduct an investigation into Trump’s support of involvement from Russia in U.S. elections. The Senators wrote the letter to Cruz because he chairs the Senate Judiciary Subcommittee on Oversight, which potentially could have jurisdiction in the matter. Cruz has not responded to the letter and his involvement in the matter is not likely.

Still, the damage has been done to Trump, as the Clinton campaign is alleging that he has ties with Russian President Vladimir Putin, which makes his “joke” no laughing matter.

The data breach of the DNC, the controversy surrounding Clinton’s emails, accusations that Russia is trying to directly influence the election — this is the first time a presidential election cycle has been so heavily dominated by cybersecurity events.

The effects, at least for the candidates, have been relatively mild so far, but with WikiLeaks promising more leaks painting Hillary Clinton in a bad light, there is the potential that a close election in November could ultimately be decided based on cybersecurity.

No matter the outcome, cybersecurity has gained a national stage and everyone should take notice. Understanding cyber threats and the potential consequences of those threats is vital, whether you’re an employee, an executive, or a presidential candidate.