Week in Review: Flax Typhoon sanctioned, French military ransomware, ICAO breach claims

Host Name

From the CISO series, it's cybersecurity headlines. US Sanctions China's integrity technology for role in Flax typhoon attacks. French military contractor ATOS dismisses ransomware attack claims and aviation agency investigates breach claims. These are some of the stories that my colleagues and I have selected from this past week's cybersecurity headlines. And now we're ready for some insight about opinion and expertise from our returning guest making his second appearance, Bill Harmer, operating partner and CISO over at Craft Ventures. You're on over the summer. Bill, thanks for coming back in the frigid waste of winter. I have to ask before we jump into the news, how was your week in cybersecurity?

Bill Harmer

Week's been great. You know, you come back after the holidays and you just pray everything's okay.

Host Name

Yeah, I mean overall, like I again don't want to jinx anything, but like there wasn't cybersecurity wise, nothing too catastrophic. Share some airlines stuff. Potato, potato. But yes, I agree. A fine new year for some cybersecurity news and a fine year to thank our sponsor for today. Nudge security brings SaaS security risks out of the shadows. And it's a fine year for you to join us on YouTube live. Now, you may be asking, how do I do this? It's simple. You go to cisoseries.com, look for the events page and click on the cybersecurity headlines Week in Review. That'll take you to our livestream. It's happening. You can see when going to be having these. Join us in there. We got ccl, we've got David Cross in there already contributing, getting involved in the chat. I love to see it. Let us know what you think about the show in real time. We hope you can join us each and every week. Before we jump into the news, just a quick disclaimer that all the opinions that Bill is going to present here are his own and not necessarily those of any employer, staff, affiliates, family, friends, even enemies. Just, just Bill's opinions. We've got about 20 minutes so let's jump into the news. First up here we US Sanctions China's Integrity Technology for role in Flax Typhoon attacks. Following up on a story we covered last September, US Officials are now confirming that the Beijing based Integrity Technology Group provided China's Ministry of State Security and several Chinese state backed hacking groups with infrastructure that allowed them to attack multiple victims based in the US Integrity Technology, known to the private sector as Flax Typhoon, successfully targeted universities, government agencies, telecommunications providers and media organizations in The US and elsewhere. Elsewhere. State Department spokesperson Matthew Miller said on Friday the sanctions freeze all US assets of the company and limit the amount of interaction financial institutions can have with it. So Bill, I'm curious, what do you make of these sanctions? It's something at least taking action on threat actors seems like a good thing. But given the power of China as the backer of these types of groups, do you think they'll have any impact? Especially considering what the these apts are capable of?

Bill Harmer

Yeah, it's, it's just a game of whack a mole. Right. You know you can find the company, it's called Integrity this week, sanction them, freeze their accounts. That company will spring up as another name funded by China behind it. They will comp them for any lost profits. It's, it's part of the game that and it's, it's interesting because there's a lot of that theme that I think we're seeing in this week's headlines around state sponsored military tie ins. How are these organizations? Do we bring these all back into a single military organization? You know, how does this happen? So yeah, sanctions have to happen. They've got to be there. You just got to keep playing whack a mole until we can get our arms around it.

Host Name

Yeah. And we see like over time this particular round of sanctions, we don't know the efficacy of those long term but as part of a concerted effort where we're doing operations to take down infrastructure and that kind of stuff, all of these things play a role in, in at least making it harder to do this type of stuff. Right. Like these are the, these speed bumps that need to happen to, to make the cost of doing these kind of things regardless of whether it's you know, private organizations or state sponsored actors, just, just increase that cost, make it a little bit harder.

Bill Harmer

Yeah, you want to make it as prohibitive as possible from a cost perspective because right now a lot of these attacks are starting to reach or approach zero cost or very, very, very minimal cost and be able to operate at scale in which case it just, it just launching them is why not? You know, it's, it's only a couple bucks versus it used to be a couple thousand but before that it was like 10 grand to go find something and build it. So yeah, you just got to keep at it.

Host Name

All right, well next up here, French military contractor Addos dismisses ransomware attack claims. This is a follow up to a story we covered last April. April we are Busy Little Bees. The France based company that secures communications for France's military and intelligence services. Last week dismissed as unfounded a ransomware group's claims to have compromised its internal company database. A group called Space Bears promised to publish the stolen data on January 8th. As of today, it appears the ransom was paid, according to a German IT news outlet. And we don't want to impugn the honor of the group Space Bears. So Bill, lots to unpack here. Primarily a military contractor first compromised by threat actors, then allegedly paying up, all while denying that anything was wrong. This is certainly not a unique situation to France, but should also be noted that Edo's is already in the midst of financial collapse with plans of selling its computing division back to the French government. When a country's military contractors are compromised in such a way, regardless of country, it must be a cause of concern. What's your take on this? Put this into context for us.

Bill Harmer

Well, I think first and foremost the fact that they're denying it is acceptable. It's normal. I would expect them to deny it and I expect transparency to the customers. That is there better be transparency from ATOs to the French military and the government. And maybe it's warranting some better oversight if they're financially not doing that well, if they've run themselves in a manner that is not conducive to supporting their, one of, I guess probably their largest customer. For them to deny it publicly, that makes total sense to me because you just, when you get into these things where you're now dealing with national security, transparency to the public is not necessary during the incident, possibly afterwards, there might be, you know, an inquiry by the French government that would then lay out what happened in its entirety. But I think at the moment I would, I, I, I'm not surprised. Like I was on their website and as of three days ago, they're still denying it. They're saying nothing happened. And honestly, I could care less. It does make me wonder though, in the grander scheme of things, as we move forward, especially US government and our contractors, our military contractors, how are we going to manage this? What kind of oversight do you put? Because if you put checkbox security on it, if you're basically doing the equivalent of a, of a military sock too, you're in for a world of hurt. But if they actually start finding ways to, I don't know, almost drop representatives into the organizations, if they are specific as a military contractor or the division at least, is that they have oversight on the day to day and know how it's going, can help plan for things like this because who knows, maybe this happened because they cut budgets, because they were doing financially wrong or poorly and they made some bad decisions. There's, there's, there's a really, there is a lot to unpack in this one.

Host Name

Yeah. The whole idea of trying to, as a security organization, right. Like within, within a larger organization when the business is failing, but you are still have customers that you are responsible to when they're the government like that. That is almost like an Impossible catch 22, I'm sure for, for a lot of people in that organization too.

Bill Harmer

Yeah.

Host Name

All right, next up here, aviation agency investigating breach claims. In a post on Breach Forums 2 Electric Boogaloo. The account NATOHub claimed it compromised 42,000 documents from the UN's International Civil Aviation Organization, I'm going to call it ICAO. Supposedly containing personal records of staff and other workers within the agency. ICAO eventually confirmed the attack. The stolen records come from its recruitment database. And that data stolen includes names, email addresses, dates of birth and employment history, although it didn't include any financial information or passwords, at least according to icao. And they're saying no other systems were impacted. So Bill, back in September we covered a story about a threat actor who was able to bypass airport security screenings, gain access to aircraft cockpits using SQL. Using SQL to access then third party web based services called flycast, which stands for Cockpit Access Security System. News of breaches in the aviation organizations. It makes it hard to sit back, relax and enjoy the flight. I mean, you know, these are recruitment records. Maybe not the most those pressing things, but cause for concern for you, honestly. Yeah.

Bill Harmer

And I flip it around because there are recruitment records. I get really worried when organizations, especially organizations like UN based ones that are multinational representatives from 129 different countries are trying to hire people. And the recruiting information, it's like the OPM hack years ago. That data never popped anywhere. Right. That was, that was deep research. So now what is it that somebody's interested in? In finding deep research on the people that are going be hired or potentially hired or were not hired because of. Because typically with these, the background checks will include things like personal issues like alcoholism, drug use, infidelity, gambling problems, all those things. So that is now leverage on every one of those people. Right. And that, that concerns me more than that. This is in the aviation industry because the recruiting records against aviation don't really line up the, the cockpit stuff. That's terrifying. That's. Yeah, like thanks, I got to get on a plane on Monday.

Host Name

Sorry.

Bill Harmer

But yeah, I, I'm I'd be really interested. I'm going to keep an eye on this one just to find out where this might show up and if it doesn't show up, that's even I think more telling.

Host Name

Bill, thank you for taking something that at first I was thinking was more of a day to day like personal safety concern and now is more of an existential gloom for this entire industry. So that way. No, I honestly though like that I hadn't kind of thought about like that that deeper. But yeah, if it's a state based actor, you know, there you have records of all sorts of potential ways to hit people. Gets nasty really quick with a long tail that's hard to track. So yeah, ical, come on, help us out here. Before we move on to our next story, a few moments with our sponsor for today, Nudge Security. What do identity risks, data security risks and third party risks all have in common? They're all exacerbated dramatically by SaaS sprawl. Nudge Security helps you mitigate these risks by delivering an inventory of every SaaS account ever created by anyone in your org within minutes of starting a free trial. But discovery is just the first step. With Nudge, you can automate ongoing governance tasks like security posture checks, user access reviews, employee offboarding, and more. Visit nudgesecurity.com headlines to start a free trial. That's N U D G E S e c u R-I-T-Y.com Headlines Next up here, 2000 attacks launched against critical infrastructure. Temple University's Department of Criminal justice maintains the Critical Infrastructure Ransomware attacks database or Kira, that's been operating since 2013. And the database now holds over 2,000 different attacks. For some context about how those have added over time, 45% of that 2,000 have been added since February 2022. Looking at the most commonly targeted types of organizations, we have government facilities, healthcare, public health, education. Not too surprising giving a lot of the stories we cover on this show over the last two years. While attacks on water infrastructure have definitely gotten a lot of attention, we've given them some time on this show. They were among the least targeted, at least as a catego. The database also shows ransom amounts increasing with the tax, resulting in a $5 million or more ransom, up 42% over the last two years. So Bill, almost every week we have an infrastructure story as part of our lineup, either because of their direct connection to human welfare or the fact that we often take infrastructure for granted and kind of just trying to shine a light on that. I'm curious, do you feel that the increase in attacks and ransomware demand. Demand, excuse me. Do you feel like the increase in attacks and ransomware demands is a cause for concern, or is this just the cost of doing business? And business is good?

Bill Harmer

I think. Yeah, I think it is the cost of doing business. I think the increase is primarily due to the ease with which it's happening. You can now build ransomware, deploy it, let it run almost at zero cost, as I mentioned earlier. And I think if you look at this, there is a certain amount of coordination in here because you're going after governments facilities, health care, and education, all of which will pay. And they are. If you, if you dig into it, you can see that they're staying away from nukes, chemical waste, and water, because those are an act of war. You launch against those. You are, you are upping the ante in the game here. And this is no longer a financial decision. This is what is going to be done in retaliation. So it looks like they're skirting a line and hitting the ones that they know don't necessarily have to cover or carry cyber insurance, but actually will simply pay well.

Host Name

And especially with health care where it's, you know, the, the, the failed state of health care is like, people get harmed. Right. Like, like with these. Extremely vulnerable, but, you know, not necessarily have the most capabilities to protect themselves. And I also think, you know, we, we saw the PowerSchool hack this week, and especially in education, a lot of shared software as well. So you can have a big impact by breaching one system. You could, you know, hit a whole bunch of different school districts or. And it's not just particular to education. Government's the same way.

Bill Harmer

Yeah, it's like hitting mssps. Right. If I, if you're going to hit somebody, hit an MSSP, and you can hit 100 clients at once.

Host Name

Threat actors, please don't take bills. Sorry, that was advice. Theoretically.

Bill Harmer

Theoretically, yes.

Host Name

All right, next up here, lawmakers expected to revive attempts for a new cyber force study. House lawmakers continue researching whether a cyber force should be added to the US Military. Representative Morgan Luttrell of Texas says an independent assessment is still very warranted. He's a lead figure in trying to create this as a seventh military branch that would be dedicated to digital warfare. It seems to have been kicked down the road a little bit, at least politically, meaning that now he intends to start speaking to future Vice President Advance. So, bill digital warfare, a different animal from cyber defense. And the US Seems to be doing well at this or at least advancing its capabilities, certainly over the last decade. Definitely more of a concerted effort. As we've seen these types of attacks increase. You see the creation of a cyber force as a new branch of the military, something that will allow us to focus more intently on the cyber war front as compared to our existing services. I'm thinking of cisa, and along those.

Bill Harmer

Lines, I'm honestly surprised we don't have one. And quite honestly, I think if you look at the fact that the decision makers historically are politicians, it shows exactly how little they understand about this. The future is AI versus AI. That is the future of warfare. The fact that we do not have a branch of the military that is dedicated to it, trained in it, bringing up the new recruits to understand and be steeped in it, and creating a culture around it that is, you know, as much as I wish it wasn't coming, it is coming. There is no doubt about it. And the first to the finish line is the one that will control the most. So if you look globally at, you know, Israel with Unit 81 and Unit 8200, they have brought talent out of that that is not only fantastic for their military and help them in those areas, but has helped fund or build that economy of cyber tools that come out of it. And that is the future. That's. That's simply where we're going. Plus, I get to call it cyber force. Like, it's just cyber force. I want one of those patches on a backpack.

Host Name

Well, so it was very interesting. I believe it was cyberscoop a couple of months ago, kind of broke down the arguments against this. Right. And it's not to say that the US Military doesn't have any cyber war capabilities, but they're within the individual services. And the issue with that is a lot of people that want to get into cyber don't want to join the Army. Like, that's a. That's a. Like. So you still have to do all of the regular things about joining the army as opposed to focusing, like, very specifically on that cyber mission. And same thing with the Navy. And I believe, I'm assuming the Marines also have a branch like that. But, like, each service branch has its own cyber divisions, and that's a much bigger barrier to entry, to bring in talent. When you're talking about, again, someone that. There is a. There was a lot more that goes with being in the army or any of the other branches than necessarily being in cyber war. So, yeah, it's. It's kind of remarkable that we are. We are here. I Also think the idea of like, like a cyber version of the National Guard to deploy when, I don't know, like a water system gets hit. Yeah, like, I could definitely see the appeal of that where it's like we all have a collective interest in having this defended against. I think that would also be a pretty good idea too.

Bill Harmer

I think, I think if you, if they went down that path and looked at it and they started to make exceptions for it, like, you know, honestly, if you try to get into the military and join the Marines, there is a weight requirement, a height requirement, a physicality that's necess necessary. If they're demanding those types of things to join cyber force, that's the wrong mentality. Right. You don't need the, necessarily the physical aspects of it. You need the mental or the, the, the, the curiosity or the, whatever it is that would drive somebody to be able to do those types of things. And I think you like, you know, same with Air Force. Air Force, you have to be able to swim, you have to get yourself out of the plane underwater, things like that. I'm failing that. I'm horrible at that stuff. I panic, you put me upside down in water. But I make, I think I'd make a decent person in a cyber force somewhere. At least I hope I would.

Host Name

And sharpen uniform.

Bill Harmer

I'd look good in a uniform, working out. I think we need to mature the things. There are traditions that need to be adhered to. There's certain pieces that need to stay. But I think the world needs to move and it needs to move faster than we move right now.

Host Name

All right. And speaking of things that move fast, our last story for today. European Commission, There's a little bit of sarcasm there. Receives its first GDPR fine. The European General Court ruled recently that the European Commission violated the General Data Privacy Regulation. We all know it as good old gdpr. By transmitting a German citizen's data to the US the brought the case after the European Commission used a Facebook sign in option on an event site. The signup sent device, browser and IP address information to Amazon and Meta. Although GDPR allows for hefty fines for violations, the Court ruled the EC must pay the person bringing the suit €400. But Bill, like the first drop of rain before a storm, this has the potential to become a major financial issue, not just for Facebook, but for everyone else whose websites can be seen all over the world. And for anyone else that signed that, if it's $400 per click, that might add up quickly for the EC. I'm curious. Which way do you see this going?

Bill Harmer

They set precedent and that, you know, bringing the first one in and setting that precedent is going to unleash, I think a torrent. I, I, I've been a proponent of GDPR simply because it was a single methodology or a single set of laws as opposed to the old EU privacy directive interpreted by 28 member states and depending on what jurisdiction you're in. But this, this is like, I mean, you can DDoS people with this, right? You know, you can just start launching these, you know, start launching the complaints and then they have to investigate, they have to track, they have to, you know, and yeah, okay, there's an ip, there was some, some other pieces. You got to start looking at some of it. We even got to the point where at certain points you have to stop as a company, stop tracking IP address usage after 5pm because it's considered personal time and not work time. I think we're starting to get bogged down into minutia that is just going to render it useless. But yeah, you know, lines are drawn. Now we get to see where it goes. You know, was that one person or was that 10,000 at 400 bucks, right. Or €400?

Host Name

Yeah, well, and remarkably, this was, I don't believe this was Max Schrems that brought this suit, who's the privacy advocate who sues to bring down every single data sharing agreement that's ever been existed between the US and the eu. Another German, it turns out they, they're just, they're fans of privacy. Who knew? Before we get finish up the show here, just a shout out to our chat, kind of going over the, the ideas of a cyber force here. David Cross in there saying do we need local cyber militias ccl saying we have the Ohio Cyber Reserve. And I know there's been some. Oh, who was it? The guy? Craig? Newmark foundation is trying to organize like more local cyber response organizations. Trying to do that local kind of coordination layer to kind of bridge the national and the local stuff. So I think that's really, really an interesting, that's an interesting thought. Obviously we need some rigor, we need some, some organization for that. But all, all the cyber would probably be yes, the answer. Before we get out of here, Bill, is there any story that was a thumbs up or an eye roller for you today?

Bill Harmer

Cyber force? Definitely a thumbs up. It needs to be addressed. We need to, we've just got to step forward into the future and you know, no longer working for a dedicated cybersecurity company. I get to I get to make some more broad reaching statements which is kind of fun. And I'm currently working on a presentation on the future of cyber security and it steps way into the future, which is going to be really interesting.

Host Name

Oh, I can't wait to see that. Will you be sharing that on LinkedIn? Yeah.

Bill Harmer

Is that where people be recording it? Yeah. Presenting next week at the SIGS conference in Zurich next Thursday.

Host Name

Excellent, excellent. And then your travels continue after that, right?

Bill Harmer

They do, yeah. I'm actually in Toronto on February 4th. I'll be emceeing the Canadian CISO forum. We've moved it from a two day event to a one day event, moved it downtown and we're hosting it at the Ritz Carlton. It's going to be an amazing show.

Host Name

Fantastic. So make sure you are Following Bill on LinkedIn to stay up to date on all the travels, all of the fantastic prognostication and kind of looking into the future. Always, always a voice of sage wisdom. Thank you so much. Bill Harmer, operating partner and CISO at Kraft Ventures. Forgot to ask you, is Kraft Ventures hiring right now?

Bill Harmer

Kraft ourselves. We're not hiring but all of our portfolios are. So if you go to the craft website there is a careers page and we list all openings for our portfolio companies.

Host Name

Fantastic. Make sure you check that all out. Also check out our sponsor for today, nudge security. Bring SaaS, security risks out of the shadows. Big thanks to our audience today having a lively discussion about cyber force. I love the creativity and kind of the thinking outside the box a little bit there. Can always get every comment up on the screen but I see some new names like Hand Sanitizer and Big Dumb Bape I don't know is in there. I love the name. Thanks so much everybody for coming in, joining the chat and helping, making it a lot of fun. Just a reminder that there will be no Super Cyber Friday next week but do come back for another episode of the week in Review that starts at 3:30pm Eastern. If you're listening to this later. If you're watching now, you know what time it starts. I would hope to register to get on in to join the comments live. Remember to go to the events page@cisoseries.com and subscribe to our YouTube channel. In the meantime, you still get your daily news fix every single day through cybersecurity headlines. Give us about six minutes, we'll get you all caught up until the next time we meet. For myself, for Bill, for our producer Steve, for all of us here on the CISO series team. I'm reminding you and yours to have a super sparkly day. Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.