More stories


    TikTok agrees to pay $92 million to settle teen privacy class-action lawsuit

    TikTok has agreed to pay a proposed $92 million to settle a class-action lawsuit alleging the company invaded user privacy.  

    The settlement, if approved, would lay to rest claims that the video content-sharing app, owned by Beijing-headquartered ByteDance, wrongfully collected the private and biometric data of users including teenagers and minors. 
    The class-action lawsuit originated from 21 separate class-action lawsuits filed in California and Illinois last year. 
    If accepted, the settlement — filed in the US District Court for the Northern District of Illinois — would require the creation of a compensation fund for TikTok users. In addition, TikTok would be required to launch a new “privacy compliance” training program and would need to take further measures to protect user data. 
    According to the proposed settlement (via NPR), TikTok was accused of using a “complex system of artificial intelligence (AI)” to recognize facial features in user videos, as well as to recommend stickers and filters. Algorithms are also cited as a means to identify a user’s age, gender, and ethnicity. 
    The lawsuit also alleged that user data was sent to China, and shared with third-parties, without consent. 
    TikTok has denied any wrongdoing. However, in a statement, the social media giant said:

    “While we disagree with the assertions, rather than go through lengthy litigation, we’d like to focus our efforts on building a safe and joyful experience for the TikTok community.”

    TikTok announced tighter controls for young users in January, including default privacy settings and restricting Duet and Stitch to users aged 16 and over. 
    A judge is required to approve the $92 million settlement. Under the terms of the deal, it is possible that class members in Illinois could receive a larger share, as Illinois is the only US state with a law, the Illinois Biometric Information Privacy Act (BIPA), that allows residents to seek compensation when their biometric data is collected or used without consent.
    “Biometric information is among the most sensitive of private information because it’s unique and it’s permanent,” commented co-lead counsel Beth Fegan. “Users’ data follows them everywhere, and potentially for a lifetime. It’s critical that their privacy and identity is protected by stalwart governance to guard against underhanded attempts at theft.”
    FeganScott and Carlson Lynch LLP are among the legal firms involved in the class-action lawsuit. 
    Last year, Facebook agreed to pay $550 million to settle BIPA violation claims in Illinois. Complainants argued that the company’s “Tag Suggestions” feature scraped and stored biometric markers without the consent of users. 


    Attorney-General urged to produce facts on US law enforcement access to COVIDSafe

    The Attorney-General has been asked by Australia’s COVID-19 Senate Select Committee to produce documentation pertaining to legal advice received on the COVIDSafe app’s Bill — the Privacy Amendment (Public Health Contact Information) Bill 2020 — in relation to the United States Clarifying Lawful Overseas Use of Data Act (CLOUD Act).
    Amazon Web Services (AWS) was handed the data storage contract for Australia’s COVID-19 contact tracing app in April. With AWS headquartered in the United States, concerns over the security of the data had been raised, with fears the data could be accessed by US law enforcement.
    The committee has, since May, been seeking access to the legal advice provided to the Attorney-General’s Department (AGD) on the matter. So far, the committee has not been convinced that the public interest immunity claims made by the department were sufficient to exempt it from producing such documentation.
    The committee sought the AGD’s assurance that the data collected by COVIDSafe could not be accessed by a US law enforcement agency under the provisions of the CLOUD Act.
    See also: New Bill to prepare Australian law enforcement for the US CLOUD Act
    While AGD confirmed it had received legal advice on the interaction of the two laws, it would not discuss the content of that advice on the basis of legal professional privilege. The committee then received a letter from AGD, further refusing to provide the information.
    In a rebuttal, the committee has said it emphasised the importance of receiving the information.

    “The legal advice is significant evidence to the committee’s inquiry,” it wrote [PDF].
    “Serious concerns have been raised by the technology industry and peak legal bodies in relation to the safety of COVIDSafe data, which require scrutiny.”
    The committee said the provision of the legal advice would permit it to independently assess whether the CLOUD Act could allow US authorities to compel AWS to hand over COVIDSafe data under a warrant.
    As a result, the committee has asked AGD, no later than 12:00pm on 17 March 2021, to produce an unredacted copy of the legal advice that the department received regarding the interaction of the Privacy Amendment (Public Health Contact Information) Bill with the United States’ CLOUD Act.
    “In the event that the Attorney-General fails to provide the unredacted document, the Senate requires that the Minister representing the Attorney-General attend the Senate at the conclusion of question time on 17 March 2021 to provide an explanation, of no more than 10 minutes, of the Minister’s failure to provide the document,” it wrote.
    The committee's second interim report, Public interest immunity claims, detailed further claims of public interest immunity received during the course of its COVID-19 hearings.
    This comprised two claims made on behalf of the Minister for Health by Senator Michaelia Cash, then-Minister who represented the Minister for Health in the Senate; two claims made on behalf of the treasurer, one by former Senator Mathias Cormann and one by Senator Simon Birmingham; a claim made by Senator Richard Colbeck, then-Minister for Aged Care and Senior Australians; and a claim made by Minister for Families and Social Services Anne Ruston.
    “The committee has resolved not to accept these claims on the grounds provided,” it wrote.
    “Taken together, these claims have compromised the committee’s ability to scrutinise government decisions with a profound impact on lives of Australians.”
    It said it was concerned the claims reflect a pattern of conduct in which the government has “wilfully obstructed access to information that is crucial for the committee’s inquiry”.
    “The committee believes the government’s repeated misuse of public interest immunity claims as a basis for withholding key information from the committee is at best lazy and at worst a deliberate abuse of the public interest immunity process. Such an approach undermines the Senate and cannot be left to go on unchallenged,” the report states.
    “If we do not stand up for the Senate’s powers and reject this government’s secretive agenda designed simply to protect the executive, then the Senate will become a toothless tiger that gets spoon fed only the information that the government wants to feed it. That is not how our system is meant to operate.”


    Privacy Commissioner asks for clarity on minister's powers in Critical Infrastructure Bill

    The Office of the Australian Information Commissioner (OAIC) has asked that the powers given to the minister responsible under the pending Critical Infrastructure Bill, which would allow them to step in when a cybersecurity incident has occurred, be further defined to take into account the impact on individuals’ privacy.
    The Security Legislation Amendment (Critical Infrastructure) Bill 2020 introduces a government assistance regime that provides powers to protect assets during or following a significant cyber attack. This includes the power to authorise information gathering directions, action directions, and intervention requests.
    The Bill proposes that where an appropriate ministerial authorisation is in force, the Department of Home Affairs secretary can compel relevant entities to produce any information that may assist with determining whether power should be exercised in relation to the incident and asset in question.
    “The secretary may also direct an entity ‘to do, or refrain from doing, a specified act or thing’,” the OAIC highlighted in its submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) and its review into the Bill.
    “This broad power should be balanced with appropriate safeguards, oversight, and accountability to ensure it is proportionate.”
    The OAIC recommended that, in deciding whether or not to give the necessary authorisation, the minister responsible should be required to consider the privacy impacts of the exercise of these powers insofar as they apply to “business critical data” or other data that may include personal information.
    “In our view, this would help to build both industry and community trust and confidence in the proposed framework,” the OAIC wrote.

    “This requirement to consider privacy could be included in the matters that the Minister must have regard to when determining whether a direction or request is a proportionate response to a cybersecurity incident, as under ss 35AB (8) and (11).”
    The OAIC said there is precedent for this approach in the Telecommunications (Interception and Access) Act 1979.
    It also recommended the committee consider an amendment to ensure disclosure of protected information is permitted for the purposes of giving effect to the exercise of the information commissioner’s privacy functions.
    “The OAIC wishes to ensure that the restrictions on an entity making a record of, using or disclosing protected information under [parts of the] Act do not limit the ability of the OAIC to exercise its privacy functions, or prevent entities from disclosing information required for compliance with and the administration of the Privacy Act,” it said.
    The OAIC has also asked for an amendment to the Australian Information Commissioner Act 2010 to permit information sharing between regulatory agencies. The last recommendation is that the explanatory memorandum makes reference to the commissioner’s guidance function to indicate that it is intended that the OAIC is consulted in relation to any guidance on the personal information-handling obligations that would apply to the scheme.


    Chinese cyberspies targeted Tibetans with a malicious Firefox add-on

    Chinese state-sponsored hackers have gone after Tibetan organizations across the world using a malicious Firefox add-on that was configured to steal Gmail and Firefox browser data and then download malware on infected systems.


    The attacks, discovered by cybersecurity firm Proofpoint this month, have been linked to a group the company tracks under the codename of TA413.
    Only Firefox users were targeted
    Proofpoint said the attackers targeted Tibetan organizations with spear-phishing emails that lured members to websites where they’d be prompted to install a Flash update to view the site’s content.
    These websites contained code that profiled visitors, and only Firefox users with an active Gmail session were prompted to install the malicious add-on.
    The Proofpoint team said that while the extension was named “Flash update components,” it was actually a version of the legitimate “Gmail notifier (restartless)” add-on, with additional malicious code. Per the research team, this code could abuse the following functions on infected browsers:
    Gmail:
    Search emails  
    Archive emails  
    Receive Gmail notifications  
    Read emails  
    Alter Firefox browser audio and visual alert features
    Label emails  
    Mark emails as spam
    Delete messages  
    Refresh inbox  
    Forward emails  
    Perform function searches  
    Delete messages from Gmail trash  
    Send mail from the compromised account  
    Firefox (based on granted browser permissions):
    Access user data for all websites
    Display notifications
    Read and modify privacy settings
    Access browser tabs
    Firefox add-on also installed malware

    But the attack didn’t stop here. Proofpoint said the extension also downloaded and installed the ScanBox malware on infected systems.
    A PHP and JavaScript-based reconnaissance framework, this malware is an old tool seen in previous attacks carried out by Chinese cyber-espionage groups.
    “Scanbox has been used in numerous campaigns since 2014 to target the Tibetan Diaspora along with other ethnic minorities often targeted by groups aligned with the Chinese state interests,” Proofpoint said in a report today.
    The last recorded case of a ScanBox attack dates back to 2019 when Recorded Future reported attacks against visitors of Pakistani and Tibetan websites.
    As for its capabilities, Proofpoint says ScanBox is “capable of tracking visitors to specific websites, performing keylogging, and collecting user data that can be leveraged in future intrusion attempts,” making this a dangerous threat to have installed on your systems.
    Flash EOL might have helped attackers
    In this particular campaign, which Proofpoint codenamed FriarFox, attacks began in January 2021 and continued throughout February.
    Although hackers have been using fake Flash update themes for years and most users know to stay away from websites offering Flash updates out of the blue, these attacks are believed to have worked much better than previous ones.
    The reason is that Adobe retired Flash Player at the end of 2020, and all Flash content stopped playing inside browsers on January 12, 2021, when Proofpoint also saw the first TA413 FriarFox campaigns targeting Tibetan organizations.


    Spy agency: Artificial intelligence is already a vital part of our missions

    The UK’s GCHQ has revealed how AI is set to be used to boost national security.
    The UK’s top intelligence and security body, GCHQ, is betting big on artificial intelligence: the organization has revealed how it wants to use AI to boost national security.
    In a new paper titled “Pioneering a New National Security,” GCHQ’s analysts went to lengths to explain why AI holds the key to better protection of the nation. The volumes of data that the organization deals with, argued GCHQ, places security agencies and law enforcement bodies under huge pressure; AI could ease that burden, improving not only the speed, but also the quality of experts’ decision-making. 
    “AI, like so many technologies, offers great promise for society, prosperity and security. Its impact on GCHQ is equally profound,” said Jeremy Fleming, the director of GCHQ. “AI is already invaluable in many of our missions as we protect the country, its people and way of life. It allows our brilliant analysts to manage vast volumes of complex data and improves decision-making in the face of increasingly complex threats – from protecting children to improving cyber security.”


    GCHQ is already heavily involved in AI-related projects. Although the organization will not disclose the exact details of its use of the technology, Fleming pointed to various partnerships with AI-related start-ups located around the country, as well as a strategic collaboration with the Alan Turing Institute, which was founded to advance research in AI and data science.  
    It is no news, therefore, that the intelligence body has a strong interest in using AI; but the newly published paper suggests that GCHQ is prepared to further ramp up its algorithmic arsenal in the years to come. The threats to the nation are increasing, argued Fleming, and they are coming from hostile states that are themselves armed with AI tools – and the UK should be prepared to face modern-day risk. 
    “The nation’s security, prosperity and way of life faces new threats from hostile states, terrorists and serious criminals, often enabled by the global internet. An ever-growing number of those threats are to the UK’s digital homeland – the vital infrastructure and online services that underpin every part of modern life,” said Fleming. 
    Almost half of UK businesses have reported a cyberattack in the past 12 months, with a fifth of those leading to a significant loss of money or data, says GCHQ’s paper. AI could help the agency better identify malicious software, and continually update its dictionary of known patterns to anticipate future attacks. The technology could also be used to fight online disinformation and deepfakes, by automatically fact-checking content, but also weeding out botnets and troll farms on social media. 

    AI will also help identify grooming behavior in the text of messages in chat rooms to prevent child sexual abuse; it will run across content and metadata to find illegal images that are being exchanged, preventing at the same time human experts from watching traumatically disturbing material. Using similar methods, the technology will assist the fight against drugs, weapons or human trafficking – analyzing large-scale chains of financial transactions to help dismantle some of the 4,772 groups in the UK that are estimated to be involved in serious organized crime.  
    But as with any other application of AI, using algorithms for national security purposes doesn’t come without raising ethical questions – in fact, when the stakes are so high, so are concerns with transparency, fairness or trust. At the same time, the nature of intelligence and security services means that it is difficult to reveal all the details of GCHQ’s operations. In other words, compromise will be necessary. 
    “In the case of national security, intelligence agencies traditionally operate behind a veil of secrecy and are not inclined to share information about their activities. It’s basically true by definition that their activities need not be explicable,” Robert Farrow, senior research fellow at the Open University, tells ZDNet. 
    “However, we know that machine learning can result in biased decision making if it is trained on biased data. If a biased algorithm is used for, say, profiling of potential terrorists by mining data from social networks, decisions might be made about people’s lives with no way for the public to check or evaluate whether the actions taken were ethical.” 
    When it comes to transparency, GCHQ’s track-record is questionable at best. The organization has come under public scrutiny numerous times since Edward Snowden, a former contractor at the US National Security Agency, shed light on the agency’s mass surveillance practices. GCHQ’s secretive bulk data collection program was ruled unlawful by independent judicial body the Investigatory Powers Tribunal (IPT).  
    Since then, surveillance laws have changed, but the UK’s Investigatory Powers Act (IPA), also known as Snoopers’ Charter, still makes it legal for government agencies like GCHQ to collect and retain some citizen data in bulk.  
    GCHQ’s latest paper, perhaps in an attempt to reassure the public on the use of their data, has a strong ethical focus. The agency committed to a fair and transparent use of AI, recognizing that the nature of GCHQ’s operations might impact privacy rights “to some degree”, and pledging adherence to an AI ethical code of practice, which is yet to be established. 
    “We need honest, mature conversations about the impact that new technologies could have on society. This needs to happen while systems are being developed, not afterwards. And in doing so we must ensure that we protect our [citizens’] right to privacy and maximize the tremendous upsides inherent in the digital revolution,” said Fleming. 
    Many experts welcomed the agency’s renewed focus on ethical considerations, which will ultimately boost public trust and contribute to the uptake of a technology that could effectively be a game-changer in protecting the UK’s national security interests. Andrew Dwyer, researcher in computational security at Durham University, explains that AI could even help ease concerns about mass surveillance, by helping GCHQ identify and target the right individuals in the fight against terrorism or trafficking.
    “Of course it is a good thing that GCHQ uses these systems,” Dwyer tells ZDNet. “In this example, it could actually focus surveillance away from mass surveillance as such. This paper is a first step into thinking about the role of AI being applied in national security.” 
    But while many will agree that GCHQ’s use of AI is justified and necessary, the deployment of the technology is likely to trigger much debate. Farrow, for instance, believes that an ethical framework is not sufficient: even intelligence agencies should be required to provide an account of how algorithms influence decision-making. “What is really needed is for the law to catch up with technological developments and effectively regulate the use of AI,” he argues.
    One thing is certain: privacy groups and digital rights activists will have all eyes on GCHQ’s upcoming ethical code of practice.


    SolarWinds cybersecurity spending tops $3 million in Q4, sees $20 million to $25 million in 2021

    SolarWinds said it spent more than $3 million on cybersecurity costs in the fourth quarter due to its recent breach and sees security-related expenses of $20 million to $25 million in 2021. 


    The $20 million to $25 million security-related expenses include initiatives to bolster product defense, remediation, and consulting fees and insurance costs. 
    The company reported its fourth quarter results and had to address its cybersecurity troubles during the three months ended Dec. 31. SolarWinds said that it would face future cybersecurity costs. The company makes IT, network, systems, and database management software.
    SolarWinds’ earnings report has cybersecurity costs broken out a few ways. Under generally accepted accounting, “cyber incident costs” were $3.48 million. Those expenses are also listed at $3.16 million depending on the non-GAAP to GAAP reconciliation. 
    SolarWinds CEO Sudhakar Ramakrishna said:

    The sophisticated cyberattack on us and our customers at the end of the fourth quarter has taught us a great deal about the resiliency of our business, the commitment of our employees, and the support we can expect from our customers and partners.

    He added that the investigation into the cybersecurity issues continues and the company will emerge stronger. “We have a strong foundation from which to grow, and to establish a model for the future of the software industry by delivering powerful, affordable, and secure solutions,” he said.

    On a conference call with analysts, Ramakrishna said:

    The vast majority of the customers that I have spoken to understand that the cyber incident that affected us and others could have happened to any vendor, and especially a broadly deployed vendor like SolarWinds. Equally, they’re eager to see us address the issue and share our learnings which we are doing. The other opportunity that keeps coming up in these discussions is our ability to provide guidance and input to protect the entire environment of our customers as opposed to just focusing on our products, making us a more strategic partner. The majority of our customers that downloaded a version of the affected code have upgraded to our latest version and continue to renew their contracts with us. While the first priority continues to be ensure the safety and security of our customers our conversations with customers and partners have also given us the opportunity to discuss the strength of our entire portfolio and of our future plans.

    Ramakrishna added that through Feb. 17, nine federal agencies and about 100 private sector companies were compromised. “While our attitude will always be that one impacted customer is one too many, we currently believe the total number of customers will be significantly lower than what was originally feared,” he said. “We are applying our learnings from this event and sharing our work more broadly. Internally, we are referring to our work as secure by design. And it’s premised on zero trust principles and developing a best-in-class secure software development model to ensure our customers can have the utmost confidence in our solutions.”
    As for the fourth quarter results and outlook, it’s clear SolarWinds will take a hit from cybersecurity expenses. SolarWinds reported fourth quarter net income of $132.7 million on revenue of $265.3 million, up 7.2% from a year ago.
    For the first quarter, SolarWinds said sales will be between $247 million and $252 million with non-GAAP earnings between 19 cents a share and 20 cents a share. Wall Street was expecting non-GAAP earnings of 21 cents a share on revenue of $252.7 million.
    “We expect to incur significant legal and other professional services expenses associated with the Cyber Incident in future periods,” the company said. 
    Overall, SolarWinds executives said that there will be headwinds due to COVID-19 and the cybersecurity incident, but they are confident in the products and demand in the future. 
    “We’ve added a level of security and review through tools, processes, automation and where necessary, manual checks around our product development processes that we believe goes well beyond industry norms to ensure the integrity and security of all of our products. We firmly believe that the Orion software platform and related products as well as all of our other products can be used by our customers without risk of the Sunburst malicious code,” said Ramakrishna.


    This chart shows the connections between cybercrime groups

    Cybersecurity reports often talk about threat actors and their malware/hacking operations as self-standing events, but, in reality, the cybercrime ecosystem is much smaller and far more interconnected than the layperson might realize.
    Cybercrime groups often have complex supply chains, like real software companies, and they regularly develop relationships within the rest of the e-crime ecosystem to acquire access to essential technology that enables their operations or maximizes their profits.


    According to cybersecurity firm CrowdStrike, these third-party technologies can be classified into three categories: services, distribution, and monetization.
    Breaking down each, the services category usually includes:
    Access brokers – threat actors who breach corporate networks and sell access into a company’s internal network to other gangs.
    DDoS attack tools – also known as DDoS booters or DDoS-for-hire, these groups provide access to web-based panels from where anyone can launch a DDoS attack against a target.
    Anonymity and encryption – threat actors who sell access to private proxy and VPN networks, so hackers can disguise their location and origin of their attacks.
    Phishing kits – threat actors who create and maintain phishing kits, web-based tools used to automate phishing attacks, and the collection of phished credentials.
    Hardware for sale – threat actors who sell custom-made hardware, such as ATM skimmers, network sniffing devices, and more.
    Ransomware – also known as Ransomware-as-a-Service, or RaaS, these groups sell access to ransomware strains or a web-based panel where other gangs can build their own custom ransomware.
    Crime-as-a-Service – similar to RaaS, but these groups provide access to banking trojans or other forms of malware.
    Loaders – also known as “bot installs,” these are threat actors who already infected computers, smartphones, and servers with their own malware and offer to “load/install” another group’s malware on the same system, so the other group can monetize it through ransomware, banking trojans, info-stealers, etc.
    Counter antivirus service/checkers – these are private web portals where malware devs can upload their samples and have them tested against the engines of modern antivirus systems without the fear of the malware’s detection being shared with the AV maker.
    Malware packing services – these are web-based or desktop-based tools that malware developers use to scramble their malware strain’s code and make it harder to detect by antivirus software.
    Credit/debit card testing services – these are tools that hackers use to test if the payment card numbers they acquired are in a valid format and if the card is (still) valid.
    Webinject kits – these are specialized tools, usually used together with banking trojans, to allow a banking trojan gang to insert malicious code inside a victim’s browser while they visit an e-banking (or any other) site.
    Hosting & infrastructure – also known as bulletproof hosting providers, their name is self-evident as they provide private web hosting infrastructure specifically tailored for criminal gangs.
    Recruiting for criminal purposes – these are specialized groups that recruit, bribe, or trick normal citizens into participating in a cybercrime operation (e.g., someone who travels to the US in an attempt to bribe a Tesla employee to run a malicious tool inside the company’s internal network).
    On the other hand, distribution services include the likes of:
    Groups that run spam campaigns on social networks or instant messaging apps.
    Groups specialized in email spam distribution.
    Groups who develop and sell exploit kits.
    Groups who purchase traffic from hacked sites and distribute it to malicious web pages that usually host exploit kits, tech support scams, financial scams, phishing kits, and others.
    As for monetization services, Crowdstrike says this category usually includes:
    Money mule services – groups who offer to physically show up and pick up money from hacked ATMs, or receive money in their bank accounts, and then redirect it to the hackers or to their preferred money laundering or reshipping fraud service.
    Money laundering – groups who often operate networks of shell companies through which they move funds from hacked bank accounts, ATM cash-outs, or cryptocurrency heists. Some money laundering services also operate on the dark web as Bitcoin mixing services.
    Reshipping fraud networks – groups that take stolen funds, purchase real products, and ship the products to another country. The products, usually luxury goods like cars, electronics, or jewelry, are then resold and converted into clean fiat currency that’s transferred to the hackers who contracted their services.
    Dump shops – groups that sell data from hacked companies via specialized websites and social media channels.
    Ransom payments & extortion – groups specialized in extorting victims, and which can be contracted by other gangs in possession of stolen data.
    Collection and sale of payment card information – also known as carding shops, these are typically forums where cybercrime groups go to sell stolen payment card data.
    Cryptocurrency services – a form of money laundering, these services offer to “mix” stolen funds and help hackers lose the trail of stolen funds.
    Wire fraud – as the name says, groups that are specialized in performing wire fraud, such as BEC scams.
    Image: CrowdStrike
    Tracking all the connections between groups and their suppliers and who works with who is almost impossible today due to the broad use of encrypted communication channels between parties.

    However, in the realm of malware attacks, some signs of cooperation can be observed in the way malware moves from attackers to infected hosts.
    Although these connections can never be fully verified, when the Emotet malware is observed downloading the TrickBot malware, it is fairly obvious that the two gangs are cooperating, with the Emotet crew providing a “loader” mechanism for the TrickBot gang.
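    The inference described above can be made systematically from endpoint telemetry. The following is an added example, not code from the article or from CrowdStrike: the telemetry records, the field names (host, parent, payload) and the placeholder family names LoaderX, FamilyA and FamilyB are constructed assumptions; only the Emotet and TrickBot names come from the text. Relationships are counted by distinct hosts rather than raw events, so one noisy machine cannot inflate a link, and pairs seen on a single host are held back for analyst review.

```python
"""Infer loader -> payload relationships from endpoint telemetry.

Added example (not from the article or from CrowdStrike). The records
below are constructed, and the field names are an assumption about what
an EDR export of second-stage downloads might contain.
"""
from collections import defaultdict

# Constructed telemetry: one record per second-stage download observed.
# "parent" is the malware family whose process fetched the payload.
EVENTS = [
    {"host": "ws-01", "parent": "Emotet",  "payload": "TrickBot"},
    {"host": "ws-02", "parent": "Emotet",  "payload": "TrickBot"},
    {"host": "ws-03", "parent": "Emotet",  "payload": "TrickBot"},
    {"host": "ws-03", "parent": "Emotet",  "payload": "TrickBot"},  # repeat on same host
    {"host": "ws-04", "parent": "Emotet",  "payload": "FamilyA"},   # placeholder family
    {"host": "ws-05", "parent": "LoaderX", "payload": "FamilyA"},   # placeholder loader
    {"host": "ws-06", "parent": "LoaderX", "payload": "FamilyB"},
    {"host": "ws-07", "parent": "LoaderX", "payload": "FamilyB"},
]


def build_edges(events):
    """Map each (parent, payload) pair to the set of distinct hosts it was
    seen on. Distinct hosts, not raw event count, are the prevalence measure."""
    edges = defaultdict(set)
    for e in events:
        edges[(e["parent"], e["payload"])].add(e["host"])
    return edges


def strong_relationships(events, min_hosts=2):
    """Loader -> payload pairs observed on at least min_hosts distinct hosts,
    as (parent, payload, host_count) sorted by prevalence. Pairs below the
    threshold are left out so a one-off download is not read as a partnership."""
    edges = build_edges(events)
    strong = [(p, c, len(h)) for (p, c), h in edges.items() if len(h) >= min_hosts]
    return sorted(strong, key=lambda t: (-t[2], t[0], t[1]))


def loader_reach(events):
    """Number of distinct payload families each loader has delivered. A loader
    serving many families is the kind of shared enabler the report describes."""
    reach = defaultdict(set)
    for e in events:
        reach[e["parent"]].add(e["payload"])
    return {k: len(v) for k, v in reach.items()}


if __name__ == "__main__":
    for parent, payload, n in strong_relationships(EVENTS):
        print(f"{parent} -> {payload}: seen on {n} hosts")
    print("payload families per loader:", loader_reach(EVENTS))
```

    Raising `min_hosts` trades recall for confidence; in a real deployment the parent family would come from the EDR's own classification of the downloading process, not from a hand-written field.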
    In its 2021 Global Threat Report, released on Monday, security firm CrowdStrike has, for the first time, summarized some of the connections that currently exist on the cybercrime underground between various e-crime operators.
    The company uses its own nomenclature for e-crime groups, so some group names might sound different from what we’ve seen before. However, CrowdStrike also provides an interactive index so anyone can learn more about each group and link it to the names used by other companies.

    Image: CrowdStrike
    What the chart above shows is that enablers play just as important a role in cyber-intrusions as the groups executing the intrusion.
    As Chainalysis pointed out in a separate report last month, law enforcement agencies are most likely to achieve better results in disrupting cybercrime operations when targeting these shared service suppliers, as they could end up disrupting the activities of multiple cybercrime groups at once.
    Furthermore, there are other benefits. For example, while top-tier cybercrime gangs often have top-notch operational security (OpSec) and don’t reveal any details about their operations, targeting lower-tier enablers, who don’t always protect their identities, could provide law enforcement agencies with data that helps them unmask and track down the bigger groups.


    These four new hacking groups are targeting critical infrastructure, warns security company

    More hacking groups than ever before are targeting industrial environments as cyber attackers attempt to infiltrate the networks of companies providing vital services, including electric power, water, oil and gas, and manufacturing.
    Threats include cyber-criminal groups looking to steal information or encrypt systems with ransomware, as well as nation-state-backed hacking operations attempting to determine the potential disruption they could cause with cyberattacks against operational technology (OT).


    According to cybersecurity researchers at Dragos, four new hacking groups targeting industrial systems have been detected over the past year – and there’s an increased amount of investment from cyber attackers targeting industry and industrial control systems.
    The four new groups identified over the course of the past year – named by researchers as Stibnite, Talonite, Kamacite, and Vanadinite – come in addition to 11 previously identified hacking groups targeting industrial control systems.
    Some of these new groups have very specific targets – for example, Stibnite focuses on wind turbine companies that generate electric power in Azerbaijan, while Talonite almost exclusively focuses on attempting to gain access to electricity providers in the US.
    The remainder of the new hacking groups are more generalised in their targeting; Kamacite – which Dragos links to the Sandworm group – has targeted industrial operations of energy companies across North America and Europe.

    Meanwhile, Vanadinite conducts operations against energy, manufacturing and transport across North America, Europe, Australia and Asia, with a focus on information gathering and ICS compromise.
    The discovery of four additional hacking operations targeting industrial systems does represent a cause for concern – but their discovery also indicates that there’s increasing visibility of threats to industrial systems. These threats might have been missed in previous years.
    “The more visibility we build in the OT space, the greater understanding of its threat landscape and the adversaries active there we can identify,” Sergio Caltagirone, vice president of threat intelligence at Dragos, told ZDNet.
    “OT network attacks require a different approach than traditional IT security. IT incidents see high frequency, relatively low-impact incidents and effects when compared to OT attacks that are lower frequency, but have potentially very high impacts and effects.”
    However, according to the research paper, visibility remains an issue for industrial networks, with 90% of organisations examined by Dragos not having a full grasp of their own OT network, something that could help cyber attackers remain undetected.
    In many cases, hackers are able to combine this lack of visibility with the ability to hide in plain sight by abusing legitimate login credentials to help move around the network.
    Often, campaigns targeting industrial systems involve phishing attacks or the exploitation of remote services, allowing the attackers to use real accounts to perform malicious activity while helping to avoid being detected as suspicious.
    “The lack of visibility raises risks significantly because it allows adversaries freedom to conduct operations unimpeded, time to understand the victim environment to locate their objectives, achieve their desired effects and satisfy the intent for conducting a compromise,” said Caltagirone.
    This activity could have physical effects away from a network environment, as recently demonstrated when a malicious hacker was able to modify the chemical properties of drinking water after compromising the network of the water treatment facility for the city of Oldsmar, Florida.
    There are also examples where cyber attackers have gained access to electrical power grids to the extent that they were able to shut down power.
    However, there are cybersecurity procedures that industrial organisations can undertake in order to boost visibility of their own networks and help protect systems from cyber intrusions.
    These include identifying which assets exercise control over critical operations and prioritizing their security, so that they are harder for attackers to gain access to, and setting up procedures that make attacks easier to identify.
    Organisations should also attempt to apply network segmentation, separating operational technology from information technology, so that in the event of attackers compromising the IT network, it’s not simple for them to move laterally to OT controls on the same network.
    Login credentials should also be properly secured via the use of multi-factor authentication, while organisations should attempt to avoid the use of default login credentials to help provide additional barriers to remote attackers.
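    The four controls above (know which assets control the process, segment IT from OT, require MFA, remove default credentials) can be checked against an asset inventory and observed network flows. The following is an added example, not Dragos’s tooling or anything from the article: the inventory, zone names, port numbers and flow records are constructed, and the field names are assumptions about what an OT inventory export might contain. Findings on process-controlling assets are listed first, which is the prioritisation the text calls for.

```python
"""Audit an OT asset inventory and observed flows against basic controls:
critical-asset identification, IT/OT segmentation, MFA on remote login,
and no default credentials.

Added example (not Dragos's tooling). Inventory, zones, ports and flows
are constructed; the field names are assumptions.
"""

# Constructed inventory. "zone" is the network zone the asset sits in;
# "controls_process" marks assets that exercise control over physical
# operations; "mfa" means remote logins to the asset require MFA.
ASSETS = [
    {"name": "plc-boiler-1", "zone": "OT", "controls_process": True,
     "mfa": False, "default_creds": True},
    {"name": "hmi-line-2", "zone": "OT", "controls_process": True,
     "mfa": False, "default_creds": False},
    {"name": "historian", "zone": "DMZ", "controls_process": False,
     "mfa": True, "default_creds": False},
    {"name": "eng-laptop", "zone": "IT", "controls_process": False,
     "mfa": True, "default_creds": False},
]

# Constructed flow records: (src_zone, dst_zone, dst_asset, dst_port).
FLOWS = [
    ("IT", "DMZ", "historian", 443),
    ("DMZ", "OT", "hmi-line-2", 502),
    ("IT", "OT", "plc-boiler-1", 502),   # IT straight into OT: segmentation gap
    ("IT", "OT", "hmi-line-2", 3389),    # remote service exposed directly to IT
]

# Allowed cross-zone transitions: IT reaches OT only through the DMZ.
ALLOWED_FLOWS = {("IT", "DMZ"), ("DMZ", "IT"), ("DMZ", "OT"), ("OT", "DMZ")}


def critical_assets(assets):
    """Names of assets that exercise control over critical operations."""
    return sorted(a["name"] for a in assets if a["controls_process"])


def credential_findings(assets):
    """(asset, issue) for default credentials anywhere and for missing MFA
    on a process-controlling asset."""
    findings = []
    for a in assets:
        if a["default_creds"]:
            findings.append((a["name"], "default credentials"))
        if a["controls_process"] and not a["mfa"]:
            findings.append((a["name"], "no MFA on critical asset"))
    return findings


def segmentation_findings(flows, allowed=ALLOWED_FLOWS):
    """Cross-zone flows that are not on the allow list. Same-zone traffic
    is out of scope for this check."""
    return [f for f in flows if f[0] != f[1] and (f[0], f[1]) not in allowed]


def prioritised_report(assets, flows):
    """All findings as (asset, category, detail), critical assets first."""
    crit = set(critical_assets(assets))
    findings = [(n, "credential", msg) for n, msg in credential_findings(assets)]
    findings += [(f[2], "segmentation", f"{f[0]}->{f[1]} port {f[3]}")
                 for f in segmentation_findings(flows)]
    return sorted(findings, key=lambda f: (f[0] not in crit, f[0], f[1]))


if __name__ == "__main__":
    print("critical assets:", critical_assets(ASSETS))
    for asset, category, detail in prioritised_report(ASSETS, FLOWS):
        print(f"{asset:14} {category:13} {detail}")
```

    In practice the flow records would come from a passive network sensor or firewall logs rather than a hand-written list, and the allow list would be the organisation’s documented conduit policy; the value of the check is that the inventory answers the “which assets matter” question before the flow data answers the “who can reach them” question.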
