More stories


    FireEye releases tool for auditing networks for techniques used by SolarWinds hackers

    Cybersecurity firm FireEye has released today a report detailing the techniques used by the SolarWinds hackers inside the networks of companies they breached.

    Together with the report, FireEye researchers have also released a free tool on GitHub named Azure AD Investigator that they say can help companies determine if the SolarWinds hackers (also known as UNC2452) used any of these techniques inside their networks.
    Today’s FireEye report comes as the security firm has spearheaded investigations into the SolarWinds supply chain compromise, together with Microsoft and CrowdStrike.
    The SolarWinds hack came to light on December 13, 2020, when FireEye and Microsoft confirmed that a threat actor broke into the network of IT software provider SolarWinds and poisoned updates for the Orion app with malware.
    The malware, known as Sunburst (or Solorigate), was used to gather info on infected companies. Most of the 18,000 SolarWinds customers who installed a trojanized version of the Orion app were ignored, but for some selected targets, the hackers deployed a second strain of malware known as Teardrop and then used several techniques to escalate access inside the local network and to the company’s cloud resources, with a special focus on breaching Microsoft 365 infrastructure.
    In its 35-page report released today, FireEye describes these post-initial-compromise techniques in depth, along with detection, remediation, and hardening strategies that companies can apply.

    Summarized, they are as follows:
    Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for arbitrary users (sometimes described as Golden SAML). This would allow the attacker to authenticate into a federated resource provider (such as Microsoft 365) as any user, without the need for that user’s password or their corresponding multi-factor authentication (MFA) mechanism.
    Modify or add trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker controls. This would allow the attacker to forge tokens for arbitrary users and has been described as an Azure AD backdoor.
    Compromise the credentials of on-premises user accounts that are synchronized to Microsoft 365 that have high privileged directory roles, such as Global Administrator or Application Administrator.
    Hijack an existing Microsoft 365 application by adding a rogue credential to it in order to use the legitimate permissions assigned to the application, such as the ability to read email, send email as an arbitrary user, or access user calendars, while bypassing MFA.
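    Two of the four techniques above (a rogue federated domain, and a credential added to an existing application) leave traces in the tenant's own directory objects. The following is an added example, not FireEye's Azure AD Investigator or any Microsoft code: it audits a constructed export shaped like Microsoft Graph `domain` and `application` objects, flagging federated domains outside an expected list and credentials whose start date falls after a reference date. The domain names, application names, key IDs and the reference date are all placeholders.

```python
"""Audit a constructed Azure AD export for an unexpected federated domain and
for application credentials added after a reference date."""
import json
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Tuple

# Constructed sample export. Field names follow the Microsoft Graph 'domain' and
# 'application' resource shapes; every value is a placeholder, not real tenant data.
SAMPLE_EXPORT = json.dumps({
    "domains": [
        {"id": "corp.example", "authenticationType": "Federated", "isVerified": True},
        {"id": "corp.onmicrosoft.example", "authenticationType": "Managed", "isVerified": True},
        {"id": "unrecognised-idp.example", "authenticationType": "Federated", "isVerified": True},
    ],
    "applications": [
        {
            "displayName": "Mail Archiver",
            "passwordCredentials": [
                {"keyId": "cred-0001", "displayName": "initial secret",
                 "startDateTime": "2019-06-01T00:00:00Z", "endDateTime": "2021-06-01T00:00:00Z"},
                {"keyId": "cred-0002", "displayName": None,
                 "startDateTime": "2020-12-20T03:14:00Z", "endDateTime": "2022-12-20T03:14:00Z"},
            ],
            "keyCredentials": [],
        },
        {
            "displayName": "HR Portal",
            "passwordCredentials": [],
            "keyCredentials": [
                {"keyId": "cert-0001", "type": "AsymmetricX509Cert", "usage": "Verify",
                 "startDateTime": "2020-01-15T00:00:00Z", "endDateTime": "2022-01-15T00:00:00Z"},
            ],
        },
    ],
})

# Placeholder reference date: credentials starting on or after it are reviewed by hand.
REVIEW_SINCE = datetime(2020, 11, 1, tzinfo=timezone.utc)
# Placeholder: the only domain the tenant is expected to federate.
EXPECTED_FEDERATED = {"corp.example"}


def parse_graph_time(value: str) -> datetime:
    """Graph timestamps are ISO 8601 with a trailing 'Z'; make them timezone-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def unexpected_federated_domains(domains: Iterable[Dict], expected: Iterable[str]) -> List[str]:
    """Federated domains not in the expected set: each one is an identity provider
    that can issue tokens for the tenant, so any surprise here needs explaining."""
    expected = set(expected)
    return sorted(
        d["id"] for d in domains
        if d.get("authenticationType") == "Federated" and d["id"] not in expected
    )


def credentials_added_since(apps: Iterable[Dict], since: datetime) -> List[Tuple[str, str, str]]:
    """(application, credential kind, keyId) for every secret or certificate whose
    start date is at or after `since`. A credential with no display name on a
    long-lived application is a typical review item."""
    findings = []
    for app in apps:
        for kind in ("passwordCredentials", "keyCredentials"):
            for cred in app.get(kind, []):
                if parse_graph_time(cred["startDateTime"]) >= since:
                    findings.append((app["displayName"], kind, cred["keyId"]))
    return findings


def audit(export_json: str, expected_federated: Iterable[str], since: datetime) -> Dict:
    data = json.loads(export_json)
    return {
        "unexpected_federated_domains": unexpected_federated_domains(
            data.get("domains", []), expected_federated),
        "recent_credentials": credentials_added_since(data.get("applications", []), since),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_EXPORT, EXPECTED_FEDERATED, REVIEW_SINCE).items():
        print(f"{key}: {value}")
```

A finding is a review item, not a verdict: the application owner or change record has to account for each flagged credential or domain.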
    “While UNC2452 has demonstrated a level of sophistication and evasiveness, the observed techniques are both detectable and defensible,” FireEye said today.
    In fact, it was FireEye’s ability to detect these techniques inside its own network that led to the company investigating an internal breach and then discovering the broader SolarWinds incident.
    Similar tools to the one FireEye released today have also been released by the US Cybersecurity and Infrastructure Security Agency (called Sparrow) and CrowdStrike (called CRT).



    How to secure your Google account and keep it safe from attacks

    If your online life revolves around Gmail, Chrome, and other Google software and services, your Google account is one of your most precious online resources. That’s especially true if you use the Gmail address associated with that account as your primary email address.

    An online criminal who gets hold of those credentials can cause chaos and do catastrophic damage to your online life, which is why it’s important to protect your Google account from being compromised.
    In this post, I list seven steps you can take to help you lock that account down so it’s safe from online attacks. If this sounds familiar, it’s a mirror of the recommendations I published earlier for Microsoft accounts: “How to lock down your Microsoft account and keep it safe from outside attackers.” Although there are similarities between the two companies’ security tools, there are also some important differences.
    As with all things security-related, making your online assets safer from outside attack involves trade-offs with convenience. To help with that balancing act between convenience and security, I’ve divided the steps into three groups, based on how tightly you want to lock down your Google account.
    (And please note that the steps described in this article are about personal accounts associated with free Gmail addresses. Google’s paid business services, including Google Workspace, are managed by domain administrators. Although some user configuration steps are the same, administrators can set policies that affect security settings. If your Gmail account is provided by your employer, check with them about best practices for securing that account.)
    Baseline security
    This level is sufficient for most ordinary PC users, especially those who don’t use their Gmail address as a primary factor for signing in to other sites. If you’re helping a friend or relative who’s technically unsophisticated and intimidated by passwords, this is a good option.

    At a minimum, you should create a strong password for your Google account. That password should be one that’s not used by any other account.
    In addition, you should turn on 2-step verification (Google’s term for multi-factor authentication) to protect yourself from phishing and other forms of password theft. When that feature is enabled, you have to supply an additional proof of your identity when you sign in for the first time on a new device or when you perform a high-risk activity, such as paying for an online purchase. The additional verification typically consists of a code sent as an SMS text message to a trusted device or a prompt sent to a smartphone.
    Better security
    Those baseline precautions are adequate, but you can tighten security significantly with a couple of extra steps.
    First, set up your smartphone as an authentication factor, using an app such as Google Authenticator. You can also sign in on a smartphone using your Google account, which automatically enables it to receive prompts for use as a sign-in and verification option. Then remove the option for using SMS text messages to verify your identity.
    With that configuration, you can still use your mobile phone as an authentication factor, but a would-be attacker won’t be able to intercept text messages or spoof your phone number.
    Maximum security
    For the most extreme security, add at least one physical hardware key along with the Google Authenticator app and, optionally, remove personal email addresses as a backup verification factor. That configuration places significant roadblocks in the way of even the most determined attacker.
    This configuration requires an extra investment in hardware and it definitely adds some friction to the sign-in process, but it’s by far the most effective way to secure your Google account.
    STEP 1: CREATE A NEW, STRONG PASSWORD
    First things first: You need a strong, unique password for your Google account. The best way to ensure that you’ve nailed this requirement is to use your password manager’s tools to generate a brand-new password.
    (No password manager? Try an online option like the 1Password Strong Password Generator or the LastPass Password Generator Tool.)
    Generating a new password ensures that your account credentials are not shared with any other account; it also guarantees that an older password that you might have inadvertently reused isn’t part of a password breach.
    To change your password, go to the Google Account Security page at https://myaccount.google.com/security. Sign in, if necessary, then click Password (under the Signing In To Google heading) and follow the prompts to change your password.

    Make sure the password you enter here is strong and isn’t used for any other online account.
    Follow the instructions to save the new password using your password manager. Feel free to write it down, if you prefer a physical backup. Just make sure to store the paper in a secure location, such as a locked file drawer or a safe.
    STEP 2: TURN ON TWO-STEP VERIFICATION
    Don’t leave the Google Account Security page just yet. Instead, scroll up to the Two-Step Verification section and make sure this option is turned on. Use the default option to receive codes via text message on a mobile phone you personally own. (You can set up other, more advanced forms of verification as well, but we’ll get to those later.)
    The setup process is a fairly straightforward wizard that confirms you are able to receive verification messages. After it’s complete, stay on that page for the next step.

    Basic 2-step verification uses SMS text messages, which are adequate for low-risk accounts.
    STEP 3: PRINT OUT RECOVERY CODES
    Next step is to save a set of recovery codes. Having access to one of these codes will allow you to sign in to your account if you’ve forgotten the password or if you’ve lost your phone. Without this backup, you risk being permanently locked out.
    On the Google Account Security page, find the Backup Codes option and click Set Up. That opens a pop-up dialog box like the one shown here, containing 10 codes that you can use when you’re prompted for a second verification factor. Print out that page and file it away in the same locked file cabinet or safe where you put your password.

      Print out a set of recovery codes and store them in a safe place where you can find them quickly if you lose access to your account.
    Note that you can return to this page at any time to see your list of backup codes and print a fresh copy. Codes can only be used one time, and will be indicated as “Already used” if you reprint the list. Generating a new batch of codes renders the old batch invalid.
    And now for some more advanced security options.
    STEP 4: ADD A RECOVERY EMAIL ADDRESS
    Registering a recovery email address is an important security precaution. In the event that Google detects suspicious activity on your account, you’ll receive a notification at this address.
    Having a recovery email is also helpful if you forget your password. When two-step verification is enabled, resetting your password requires at least two forms of verification, such as a printed backup code and a code from an email message sent to a registered email account. You’ll need to supply both of those forms of identification or you risk being permanently locked out.
    Go back to the Google Account Security page and click Recovery Email (under the Ways We Can Verify It’s You heading). Enter or change the recovery email address. You’ll receive a notification at that address to confirm that it’s available for recovery.
    Which address should you use here? A free backup email address, such as a Microsoft Outlook.com account, is acceptable if your security needs are minimal. A better option is a business email address, which is under the control of an administrator and is more difficult to hack into than a personal account.
    STEP 5: SET UP YOUR SMARTPHONE AS AN AUTHENTICATOR
    When you register your smartphone as a trusted device, Google gives you two ways to use it for authentication purposes.
    If you use an Android device that’s signed in using your Google account, you can sign in to any Google service by responding to prompts from Google. This option doesn’t require any extra setup.
    On an iPhone or iPad, you need to download the Google or Gmail app, sign in with your Google account, and turn on push notifications. (Full instructions are on this Google Support page: “Sign in with Google prompts.”)
    In addition, you can use Google Authenticator or another smartphone app that generates Time-based One-time Password Algorithm (TOTP) codes for multi-factor authentication. I highly recommend using one of these apps for any service that supports them. (For more on these options, see “Protect yourself: How to choose the right two-factor authenticator app.”)
    To set up Google Authenticator (or another authenticator app) for use with a Google account, go to the Google Account 2-Step Verification page. Under the Authenticator App heading, click Set Up. (If you’re replacing your phone, click Change Phone). Install the app, if necessary, and then follow the prompts to add your account using the bar code that the authenticator app displays.

    After installing an authenticator app, use this barcode to set up your Google account to generate TOTP codes.
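    Step 5 relies on the TOTP algorithm the authenticator app implements from the seed in that bar code. The following added example (not Google's or any authenticator's code) generates RFC 6238 codes and shows the server-side check a service performs: a small clock-skew window plus rejection of a time step that has already been used, so a code cannot be replayed. The base32 seed is a constructed value; the 20-byte ASCII secret is the RFC 6238 test vector, used only to check the arithmetic.

```python
"""TOTP (RFC 6238) code generation and windowed, replay-resistant verification."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Callable, Set

# RFC 6238 Appendix B test secret: ASCII "12345678901234567890". Used to check the math.
RFC_TEST_SECRET = b"12345678901234567890"
# Constructed example of the base32 seed an authenticator app reads from a QR/bar code.
EXAMPLE_B32_SEED = "JBSWY3DPEHPK3PXP"


def decode_seed(b32_seed: str) -> bytes:
    """Authenticator seeds are base32 without padding; restore padding before decoding."""
    cleaned = b32_seed.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6,
         algo: Callable = hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6,
         algo: Callable = hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time divided by the step."""
    return hotp(secret, at // step, digits, algo)


class TotpVerifier:
    """Server-side verification. Codes from the neighbouring `window` time steps are
    accepted to tolerate clock skew, but each time step is accepted at most once,
    so a code captured by an attacker cannot be replayed after the user has used it."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.used_steps: Set[int] = set()   # in production this lives in persistent storage

    def verify(self, code: str, at: int) -> bool:
        current = at // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter in self.used_steps:
                continue
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.used_steps.add(counter)
                return True
        return False


if __name__ == "__main__":
    seed = decode_seed(EXAMPLE_B32_SEED)
    now = int(time.time())
    code = totp(seed, now)
    verifier = TotpVerifier(seed)
    print("current code:", code)
    print("first use accepted:", verifier.verify(code, now))
    print("replay accepted:", verifier.verify(code, now))
```

Google's SMS and prompt factors are outside this scheme; only the "Authenticator App" option uses TOTP.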
    STEP 6: REMOVE SMS TEXT MESSAGES AS A FORM OF VERIFICATION
    By this point, you should have more than enough secure ways to authenticate yourself and verify your identity. That means it’s time to remove the weakest link in the chain: SMS text messages.
    What makes SMS text messages so problematic from a security point of view is the reality that an attacker can hijack your mobile account. It happened to my ZDNet colleague Matthew Miller a few years ago, and I wouldn’t wish that nightmare on anyone. (For details and some additional security advice, see “Protect your online identity now: Fight hackers with these 5 security safeguards.”)
    Before you change this setting, confirm that you have at least two alternative forms of verification (a secure email address and the Google Authenticator app, for example) and that you’ve saved backup codes for the account. Then, from the Google Account 2-Step Verification page, go to the Voice Or Text Message section. There, you’ll find entries for each of the phone numbers registered as 2FA factors for your account.
    Click the pencil icon to the right of a number to open its properties and click Remove Phone to eliminate its entry. Repeat for other numbers you want to remove.
    STEP 7: USE A HARDWARE SECURITY KEY FOR AUTHENTICATION

      Using a hardware key, you can sign in to your Google account with a tap.
    This step is the most advanced of all. It requires an investment in extra hardware, but the requirement to insert a device into a USB port or make a connection via Bluetooth or NFC adds the highest level of security.
    For an overview of how this type of hardware works, see “YubiKey hands-on: Hardware-based 2FA is more secure, but watch out for these gotchas.”
    To configure a hardware key, go to the Google Account 2-Step Verification page, click Add Security Key, and then follow the prompts.
    You’ll need to enter the PIN for your hardware key, then touch to activate it. When that setup is complete, you’ve got a powerful way to sign in to any service powered by your Google account without having to fuss with passwords.
    As I mentioned at the start of this article, most people don’t need this level of advanced protection. But if your Google Drive account includes valuable documents like tax returns and bank statements, you’ll want to lock it down as tightly as possible.


    Protective DNS aims to protect remote workers from malware attack

    Remote working has put people at risk of being targeted by cyber criminals because home networks are rarely set up with enterprise-level security in mind. But a new tool could give home workers the same protections against cyberattacks as they’re used to in the office.
    The UK’s National Cyber Security Centre’s (NCSC) Protective Domain Name Service (PDNS) has been active since 2017, helping to keep public sector workers as safe as possible from cyberattacks – and now there’s a version for remote workers.


    PDNS is designed to stop the use of DNS for spreading and operating malware, ransomware and other cyber threats by preventing the browser from finding websites that have been identified as malicious – ultimately, if you’re working from a public sector building, your computer is protected by PDNS.
    However, the COVID-19 pandemic forced many employers to send their employees to work from home, and the public sector is no different in that regard, with remote working suddenly becoming the new norm.
    That meant that government employees suddenly found themselves outside of protected networks and more vulnerable to hackers and malware because they’re not protected by PDNS at home – so their networks could find and connect to malicious sites if the user was exposed to one.
    With this in mind, the NCSC – in partnership with Nominet – released a free tool that enables remote workers across the public sector to stay safe with PDNS from home.

    The PDNS Digital Roaming application for Windows 10 detects when a device is being used outside of an enterprise network and redirects DNS traffic to PDNS using an encrypted DNS over HTTPS (DoH) protocol. It offers users the same protections against malware and other cyber threats as they’d have when connecting from the corporate network.
    PDNS Digital Roaming is available to all public sector staff, even if they weren’t using it on enterprise networks previously. The NCSC notes that PDNS isn’t a VPN but a “lightweight application” that encrypts and redirects DNS traffic to keep users safe.
    “By installing it on their device, staff can ensure that their DNS traffic is being directed to the PDNS and is thus protected by this innovative service,” said David Carroll, MD of Nominet’s NTX Cyber division.
    “Solutions like the PDNS help to secure the critical infrastructure that our nation relies on, the organisations that house our most personal records, and the institutions that we turn to in our hours of most need,” he added.


    Livecoin slams its doors shut after failing to recover from hack, financial loss

    Livecoin has announced its closure following a cyberattack that allegedly compromised the firm’s infrastructure and exchange rate setup. 

    As previously reported by ZDNet, the Russian cryptocurrency exchange claimed it had been hacked roughly around Christmas, with the alleged cyberattackers seizing control of Livecoin systems in order to tamper with exchange rate values. 
    Bitcoin (BTC) exchange rates were changed from $23,000 at the time to over $450,000, and Ethereum grew from $600 to $15,000. Smaller cryptocurrency rates were also impacted. 
    As Livecoin asked users to stop all activity, the threat actors began cashing out, reaping profit in the process. 
    Livecoin claimed to have lost control of its “servers, backend, and nodes,” and was unable to stop the attack from occurring. The cryptocurrency exchange said law enforcement had been notified of the security incident. 
    It has not yet been a full month since the alleged cyberattack and Livecoin is closing its doors permanently, citing damage in “technical and financial way[s]” for the decision. 
    In an announcement posted to livecoin.news, the organization said there is “no way” to continue operations and any “remaining funds” will be paid to customers. 

    Fund recovery plans or amounts are not yet public, beyond claimants being required to email the cryptocurrency exchange directly with their usernames and registration dates. Livecoin says that claims can be filed until March 17, 2021. 
    As noted by Coin Telegraph, one apparent user of the service has posted what is claimed to be an extensive list of documentation and personal information to verify claimant identities, including passport/ID scans, selfies, places of residence, primary device data for logging in to Livecoin, and video footage. On Twitter, the request for this vast array of personal data has prompted speculation around its legitimacy.
    “We apologize for an existing situation and ask you to keep calm, including your conversation with support officers,” Livecoin added. “Our service and team bear hard losses as well as our clients. In case of abuse and threats in conversation, the claim can be declined.”
    Livecoin’s old website domain displays the message below, but no comment has been made concerning any potential ransomware attack.

    Livecoin’s Telegram chat is currently alight with speculation. Some have suggested that an exit scam is in play, which is a popular method for cryptocurrency exchange operators to vanish with user funds while claiming external cyberattackers have stolen cryptocurrencies held by a victim organization.
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Fourth malware strain discovered in SolarWinds incident

    Cyber-security firm Symantec said it identified another malware strain that was used during the SolarWinds supply chain attack, bringing the total number to four, after the likes of Sunspot, Sunburst (Solorigate), and Teardrop.


    Named Raindrop, Symantec said the malware was used only during the very last stages of an intrusion, deployed only on the networks of very few selected targets.
    Symantec said it encountered only four Raindrop samples in the cases it investigated until today.
    Timeline of the SolarWinds supply chain attack
    But to understand Raindrop’s role and position in these attacks, we must first go over the timeline of the entire SolarWinds incident.
    Based on reports and information published by Microsoft, FireEye, CrowdStrike, and others, the SolarWinds intrusion is believed to have taken place in mid-2019 when hackers, believed to be linked to the Russian government, breached the internal network of SolarWinds, a Texas-based software maker.
    The intruders first deployed the Sunspot malware, which they used exclusively inside SolarWinds’ own network. CrowdStrike said the attackers used the malware to modify the build process of the SolarWinds Orion app and insert the Sunburst (Solorigate) malware inside new versions of Orion, an IT inventory management system.

    These trojanized Orion versions went undetected and were active on the official SolarWinds update servers between March and June 2020. Companies who applied Orion updates also unwittingly installed the Sunburst malware on their systems.
    But the Sunburst malware wasn’t particularly complex and didn’t do much except gather info about the infected network and send the data to a remote server.
    Even though around 18,000 SolarWinds customers got themselves infected with the Sunburst malware, the Russian hacking group carefully selected its targets and opted to escalate attacks only in a handful of cases, for the likes of high-profile targets such as US government agencies, Microsoft, or security firm FireEye.
    When hackers decided to “escalate their access,” they used Sunburst to download and install the Teardrop malware [see past reports from Symantec and Check Point].
    Raindrop — Teardrop’s sibling
    But Symantec says that in some cases, the hackers chose to deploy the Raindrop malware strain instead of the more widely used Teardrop.
    Despite being different strains, Symantec said the two backdoors had similar functionality, which the company described as being “a loader for [the] Cobalt Strike Beacon,” which the intruders later used to escalate and broaden their access inside a hacked IT network.
    But while both Raindrop and Teardrop were used for the same purpose, Symantec said that some differences also exist between the two, most being under the hood, at the code level, best described in the table below:

    Image: Symantec
    The other major difference is how the two malware strains were deployed. 
    Symantec said that the more widely used Teardrop was installed directly by the Sunburst malware, while Raindrop mysteriously appeared on systems where Sunburst was also found, with no direct evidence that Sunburst triggered its installation.
    The US security firm said it’s currently investigating how Raindrop was installed.
    The most obvious avenue is found in previous reports on the SolarWinds hacks that mentioned that hackers also used the Sunburst malware to run various fileless PowerShell payloads, many of which would leave minimal forensic evidence on infected hosts. While unconfirmed, it may be possible that Raindrop is the result of these operations.
    But the lesson here is that security teams investigating SolarWinds incidents inside their networks now also need to scan for the presence of another malware strain — Raindrop.
    The Symantec report released today includes indicators of compromise (IOCs) that the security firm has seen in the cases it investigated.


    Microsoft Defender is boosting its response to malware attacks by changing a key setting

    Microsoft says it is stepping up security for users of Microsoft Defender for Endpoint by changing a key setting, switching the default from optional automatic malware fixes to fully automatic remediation. 
    The change means that when Microsoft Defender for Endpoint detects malware on PCs on a network, the antivirus will automatically start analyzing all threats that are related to the alert, poring over files, processes, services, registry keys and all other areas where a threat could reside. 


    “The result of an automated investigation started by an alert is a list of related entities found on a device and their verdicts (malicious, suspicious, or clean),” Microsoft explains on a blogpost. 
    “For any malicious entity, the investigation will create a remediation action, an action that, when approved, will remove or contain a malicious entity that was found in the investigation. These actions are defined, managed, and executed by Microsoft Defender for Endpoint without the security operations team having to remotely connect to the device.”
    The actions taken depend on what level of device automation has been configured. Previously, Microsoft Defender for Endpoint customers that opted into public previews were put on “Semi”, which required approval for any remediation. Soon, they’ll be moved to the “Full” configuration, which allows for Windows 10 to remediate threats automatically. 
    With the setting at Semi, administrators might have more control, but as Microsoft points out, admins may lose valuable time to halt the malware from causing further damage, such as affecting other PCs. 

    Microsoft has made some improvements to its automated malware detection since first releasing it. First, it’s boosted malware detection accuracy, so there should be fewer infections and false-positives. Additionally, it’s now got better automated investigation capabilities. 
    “We have seen thousands of cases where organizations with fully automated tenants have successfully contained and remediated threats, while other companies, left with the default ‘semi’ level, have remained at high risk due to lengthy pending time for approval of actions,” the blog warned.
    According to Microsoft, customers using full automation have had “40% more high-confidence malware samples removed than customers using lower levels of automation.” 
    This should leave security operations centers with more free time to deal with malware threats that require human intervention. 
    From February 16, 2021, Microsoft will automatically upgrade organizations that opted for public previews in the Microsoft Defender for Endpoint to “Full-remediate threats automatically”.


    New FreakOut botnet targets Linux systems running unpatched software

    A newly identified botnet is targeting unpatched applications running on top of Linux systems, Check Point security researchers said in a report today.
    First seen in November 2020, the FreakOut botnet has surfaced again in a new series of attacks this month.

    Its current targets include TerraMaster data storage units, web applications built on top of the Zend PHP Framework, and websites running the Liferay Portal content management system.
    Check Point says the FreakOut operator is mass-scanning the internet for these applications and then utilizing exploits for three vulnerabilities in order to gain control of the underlying Linux system.
    All three vulnerabilities (listed below) are fairly recent, which means there’s a high chance that FreakOut exploitation attempts are succeeding as many systems could still be lagging behind on their patches.
    CVE-2020-28188 – RCE in TerraMaster management panel (disclosed on December 24, 2020)
    CVE-2021-3007 – deserialization bug in the Zend Framework (disclosed on January 3, 2021)
    CVE-2020-7961 – deserialization bug in the Liferay Portal (disclosed on March 20, 2020)
    Once the FreakOut bot gains access to a system, its immediate step is to download and run a Python script that connects the infected devices to a remote IRC channel where the attacker can send commands and orchestrate a varied list of attacks using the enslaved devices.
    According to a Check Point technical report published today, the list of commands that FreakOut bots can run includes the likes of:
    Gathering info on the infected system;
    Creating and sending UDP and TCP packets;
    Executing Telnet brute-force attacks using a list of hardcoded credentials;
    Running a port scan;
    Executing an ARP poisoning attack on the device’s local network;
    Opening a reverse shell on the infected host;
    Killing local processes; and more.

    Check Point argues that these functions can be combined to perform various operations, like launching DDoS attacks, installing cryptocurrency miners, turning infected bots into a proxy network, or launching attacks on the internal network of an infected device.

    Image: Check Point
    However, right now, Check Point says the botnet appears to be in its infancy. Researchers said they were able to reverse engineer the malware and then access the IRC channel through which the operator controlled the entire botnet.
    Stats shown in the IRC panel suggest the botnet is only controlling around 180 infected systems, but past figures showed it merely peaked at around 300.
    Both are low numbers for a botnet but more than enough to launch very capable DDoS attacks.

    Image: Check Point
    Furthermore, Check Point said it also found several clues in the malware’s code that allowed it to track down its creator, a person who goes online by the nickname of Freak.
    Some clever sleuthing later, researchers said they were able to link this nickname to an older hacker alias, Fl0urite, the creator of the now-defunct N3Cr0m0rPh, a similar botnet malware strain that was sold on hacking forums and targeted Windows devices.
    According to a screenshot of past N3Cr0m0rPh ads, many of the older botnet’s features are identical to the ones found in the current FreakOut malware targeting Linux systems.

    Image: Check Point


    US President Trump orders security assessment for Chinese-made drones

    US President Trump has signed an executive order demanding a security assessment of drones sourced from China and countries considered to be “foreign adversaries.”

    As reported by Reuters, just before he steps down to be replaced by President-elect Joe Biden, Trump has ordered US agencies to perform a security assessment of drones involved in federal activities. 
    Drones can be used by government agencies for a variety of purposes including mapping, disaster assistance, surveillance, infrastructure inspections, and for military functions.
    The new executive order, signed on Monday, will require agencies to perform security risk assessments on drones made in any country considered a “foreign adversary,” which could include China, Russia, Iran, and North Korea. 
    As noted by the news agency, the executive order also requires risk assessments to include any “potential steps” to mitigate risk; such as, “if warranted,” removing them entirely from federal service. 
    Last year, the US Department of the Interior (DOI) grounded its entire drone fleet — except for use in emergency situations, such as rescue missions — while a national security risk assessment took place. 
    In a similar fashion to Trump’s decree, US Secretary of the Interior David Bernhardt signed an order (.PDF) to encourage the use of locally-produced drones instead of any that are foreign-made. The reason cited in the order is that data collected and produced by the drones could be of value to “foreign entities, organizations, and governments.”

    It is estimated that roughly 800 drones belonging to the DOI are either sourced from China or contain Chinese components. 
    At the time, DJI, headquartered in Shenzhen, China, said the decision was “disappointing” as the order “treats a technology’s country of origin as a litmus test for its performance, security, and reliability.”
    Last month, DJI was added to the US Commerce Department’s “Entity List” which bans trading with companies on the grounds of national security.
    US agencies have displayed concerns over the use of drones since 2015. As drones began to carve a place into the consumer hobbyist sector, the US Department of Homeland Security (DHS) warned that adversaries could also adopt the technology to launch attacks. 
    In 2019, with drones having been adopted for widespread governmental use, DHS alerts then pivoted to worries that drones were stealing sensitive data. The agency warned that drones “contain components that can compromise your data and share your information on a server accessed beyond the company itself.”
    However, not every form of drone is created equally. In the same year, Trump revoked an executive order signed by Barack Obama in 2016 which required US intelligence chiefs to publish data on civilians killed by drone strikes outside of war zones. 