The Cherry Blossoms of DC have come and gone and, somehow, so has the month of March. The month kicked off with the much-anticipated National Cyber Strategy, spurring a flurry of activity in the cyber world. In addition to our coverage of what YOU need to know as a business leader about the NCS, this edition of the Consortium Networks Monthly Newsletter provides an overview of the cybersecurity landscape in higher education and lessons everyone can pull from the sector, the new EPA regulations and what they mean for the rest of the critical infrastructure industry, and much more.
Be sure to sign up for the newsletter here to join our mailing list so you never miss an edition.
What the New National Cyber Strategy Means for Your Business
On March 2nd, the Biden Administration released the much-anticipated National Cyber Strategy (NCS). The NCS outlines and defines the White House’s goals in cyber policy making and giving us insight into what the regulatory and political landscape will look like for at least the next two years.
Strategic plans can often be largely ignored by the private sector as a grand top-down plan that will take years to impact them, if ever. This is not the case with this new strategy. In fact, multiple departments have already come out with regulations or guidelines for their respective industries in-step with this document including the EPA, CISA, and TSA. For this reason, organizations of all sizes and across every industry need to be aware of the strategy and understand what it means for their business.
The State of Cybersecurity in Higher Education
The Catalyst: Students at six different institutions of higher learning in Louisiana missed days to weeks of class this month because of cyberattacks. At one university, Southeastern University of Louisiana, many students turned to TikTok to raise concerns and complaints about not being able to access their emails, Google Drives, or Moodle for almost two full weeks following a ransomware attack on the school. Classes at the nearby Nunez Community College were suspended from the 24th to the 29th when the Louisiana State Police (LSP) notified the school of an “indicator of compromise” on its network. Four other institutions of higher education in Louisiana were also notified by LSP that their networks were compromised to varying degrees on March 24th including the Louisiana State University Agricultural Center, the University of New Orleans, River Parishes Community College, and Southern University at Shreveport.
New EPA Mandatory Requirement Shows What’s to Come for Critical Infrastructure Cybersecurity Regulation
The Environmental Protection Agency (EPA) released mandatory regulations aimed at the cybersecurity of U.S. water filtration systems by requiring states to survey the networks governing drinking water filtration operations. The EPA has provided guidance to help state governments take its first steps on this project and will continue to provide resources to help states evaluate their water systems’ security.
Driving the Headlines: 3CX Supply Chain Attack
Supply chain attacks are an effective vector for attackers to get a big bang for their buck. Once a bad actor is in the network of a software or other supply chain organization, it can gain access to a large swath of the victim’s clients.
The recent 3CX attack demonstrates the broad impact these kinds of attacks have and demonstrates the different uses supply chain attacks have.
Driving the Headlines: Ransomware Attacks hit Louisiana and Tennessee
Ransomware attacks on colleges in Tennessee and Louisiana over the past two months have been swift and efficient. At least two colleges in Tennessee and at least five universities in Louisiana were hit with ransomware that have disrupted daily life on their campuses. Trends of attacks like this highlight the significant risk supply chain attacks pose.
Driving the Headlines: The Vulkan Files
At the tail-end of March, Mandiant released a report detailing a number of leaked contracts from Vulkan, an IT contracting firm in Moscow. The contracts outline project requirements for engagements between Vulkan and the Russian Ministry of Defense and GRU Unit 74455 (aka Sandworm).
In Other News
Ferrari hit by ransomware attack: Ferrari fell victim to a ransomware attack on March 20. The Italian company reiterated its policy of not paying ransom demands and stated that it will inform clients and customers of the potential data exposure.
MKS Instruments Loses $200 Million in Revenue Following Ransomware Attack: Following a February ransomware attack, MKS Instruments has announced it expects a 20% loss (around $200 million) in Q1 revenue because of the material impact of the attack.
DC Health Link Insurance Breach: The sensitive data of lawmakers and staffers of the U.S. House of Representatives was compromised in a cyberattack on the DC Health Link insurance company. According to a letter from the House Chief Administrative Office, the legislators and staff did not appear to be the targets of the attack, but attacks like these reinforce the need for strong security programs in the insurance field and other sectors that hold mass amounts of sensitive health data.
9 Million Customers Exposed in AT&T Breach: AT&T announced this week that a January cyberattack exposed around 9 million customers’ data, however, no credit card information, social security numbers, account passwords, or other sensitive information was breached.
Half a Million Exposed in Debt-Buying Giant Cyberattack: Nearly 500,000 people’s sensitive information was leaked following a cyberattack on NCB Management Services, a large debt-purchasing company. Information leaked includes credit card and other financial information. Bank of America, which sold past due accounts to NCB Management Services, is providing free identity theft protection for victims.
Latitude Financial Says 14 Million Customers’ Data Stolen by Hackers: Australian consumer credit business Latitude Financial has adjusted its estimate of how many customers were affected by a recent cyberattack from 300,000 to 14 million.
Pro-Russian Winter Vivern Group Targeting Telecommunications and Government Agencies in Ukraine, India, and Europe: Winter Vivern, a pro-Russian hacking group with suspected ties to the Kremlin, is carrying out a new espionage campaign targeting government agencies and telecommunications companies in Ukraine, India, and Europe (especially Poland and Italy).
Killnet Continues Escalating Trend of DDoS Campaigns Against Healthcare: Pro-Russia hacking group Killnet continues to increase its DDoS activity against healthcare organizations around the world. Since mid-November when Killnet’s campaign began, attacks have become more and more frequent.
APT 29 Targets European Critical Infrastructure: Russian GRU hacking group APT 29 have targeted and successfully infiltrated the networks of a number of private-sector European military, energy, and transportation organizations by exploiting a vulnerability in Microsoft’s email software.
Mandiant Names New North Korean APT: Mandiant released a report this month profiling a newly named advanced persistent threat (APT) they are calling APT 43. This North Korean Reconnaissance General Bureau (RGB) hacking group is known for stealing and laundering cryptocurrencies to fund operational infrastructure for the central government.
APT 43 Targeting Korea Experts Through Spearphishing Campaign: Both German and South Korean government agencies put out warnings this month about a spearphishing campaign from the APT 43 hacking group (aka Kimsuky, TA406, Thallium) targeting experts in Korean studies.
Blackbaud to Pay SEC $3 Million for Misleading Ransomware Disclosure: Blackbaud, a South Carolina based cloud computing provider, reached a $3 million settlement with the SEC over charges that it misled investors following a ransomware attack in 2020. Originally, Blackbaud said that the attackers did not have access to the donor bank account information or SSNs which was later found to be untrue.
Cancer Patient Sues Medical Provider after Ransomware Group Leaks Photos: A patient at the Lehigh Valley Health Network being treated for cancer is suing the hospital after the ransomware group who attacked the network in early February posted nude photos of her online as proof it had access to sensitive patient data. This lawsuit demonstrates the increasing risk of not paying a ransomware payment as groups become more and more brazen in their extortion tactics.
New York Law Firm Fined $200,000 for Poor Cybersecurity Practices: The New York Attorney General has levied a $200,000 fine on a New York City-based law firm representing a number of hospitals whose sensitive information was accessed in a 2021 ransomware attack. The NY AG argues that the law firm’s poor cybersecurity practices are to blame for the breach of the hospitals’ data and believes the firm should be held responsible for that.
Hackers Learning to Breach Cloud Systems: According to a recent Crowdstrike report, the number of groups that can infiltrate the cloud has tripled in the last year, despite perceptions that the technology is impenetrable.
Telecom Cybersecurity is Extremely Weak: On the heels of high-profile attacks on AT&T and T-Mobile, a report from Cyble estimates that over 74 million U.S. peoples’ data has leaked to the dark web because of cyberattacks on telecom providers. The large number of third-party vendors and subpar cybersecurity programs make telecom providers uniquely vulnerable, something bad actors have and will continue to exploit.
Lloyd’s Insurance Clarifies War-Exclusions: The cyber insurance market has undergone many changes lately especially regarding war exclusions and state-backed cyberattacks. With the incredibly blurry lines that exist between state-conducted, state-sponsored, and state-permitted cyberattacks, war exclusions in cyber insurance policies have become increasingly confusing. Lloyd’s market bulletin released this month seeks to clarify this issue for its underwriters and brokers.
Marsh Launches Cyber Insurance Pathways Program: Marsh’s Brokerage has launched a program for organizations traditionally unable or unwilling to purchase cyber insurance based on a lack of sufficient controls or prohibitive cost. Four insurance companies have partnered with March for the Cyber Pathways program including Coalition, Resilience, Beazley, and Chubb.
Microsoft Launches Copilot Program: Microsoft announced its AI powered cybersecurity defense tool, Security Copilot, which will use Microsoft’s extensive threat intelligence research along with open-source information to assist security teams in decision making.
FDA Can Now Reject Medical Devices Over Cybersecurity Concerns: The Food and Drug Administration (FDA) clarified this month that medical device manufacturers must prioritize the cybersecurity of their devices by expanding justification for rejecting medical devices to include poor cybersecurity.
Policy and Politics
White House: The Biden Administration’s 2024 proposed budget includes significant cybersecurity investments to implement the recently released cyber strategy. The changes would add $145 million to CISA’s budget, $63 million for the FBI, and over $1 billion to modernize the federal cybersecurity stature.
CISA: The recently launched Ransomware Vulnerability Warning Program (RVWP), which allows CISA to preemptively work with private sector critical infrastructure companies to notify them of vulnerabilities that may be exploited by cybercriminal groups, is already seeing promising results. In these 2 months, CISA notified 60 organizations across various critical infrastructure sectors of pre-ransomware intrusions which were remediated before encryption or exfiltration began.
This month, CISA revised its cybersecurity performance goals originally released in October to better align with the NIST framework. The voluntary guidelines for critical infrastructure providers were altered to include guidance on phishing-resistant MFA, aid in organizations’ recovery planning, and modify the glossary to reflect industry changes.
CISA and the NSA released the Identity and Access Management (IAM) Recommended Best Practices Guide for Administrators to help system administrators counter threats related to identity governance, environment hardening, identity federation (single sign-on), MFA, IAM auditing and monitoring.
The TSA released emergency cybersecurity requirements for the aviation industry. Airports and aircraft monitors must develop a resiliency-improvement plan and assess the effectiveness of these measures, regulated aviation organizations must develop network segmentation controls and policies to protect their OT systems, and covered organizations need to create access control mechanisms, implement incident detection and response policies and procedures, and ensure systems are patched.
The SEC proposed a new rule tightening incident reporting requirements and requiring the implementation of certain cybersecurity policies. Under the proposed rule, incidents would need to be reported within 48 hours and policies such as annual testing and review of cybersecurity policies would be made mandatory. The new rule would cover broker-dealers, clearing agencies, major security-based swap participants/dealers/repositories, national securities exchanges, national securities associations, the Municipal Securities Rulemaking Board, and transfer agents.
The NTIA Policy and Cybersecurity Coordination Act (H.R.145) was introduced by Rep. John Curtis (R-UT) to establish the Office of Policy Development and Cybersecurty within the National Telecommunications and Information Administration (NTIA) to analyze and develop policies related to internet and communication technologies. The bill has made it out of subcommittee and was unanimously approved by the Committee on Energy and Commerce.
Rep. Jay Obernolte (R-CA) introduced the American Cybersecurity Literacy Act (H.R.1360) to require the NTIA to develop and launch a cybersecurity literacy campaign. The bill was ordered unanimously by the Committee on Energy and Commerce to be reported by the Yeas and Nays.
United Kingdom: The United Kingdom launched a new agency and new cyber strategy this month. The newly minted National Protective Security Authority (NPSA) will live under MI5, the UK’s domestic-focused intelligence service, to work with the private sector and advise businesses on state-sponsored cyber espionage and exfiltration operations. At the same time, the British government released its cybersecurity strategy for the National Health Service as attacks on the healthcare sector continue to rise. The new strategy focuses heavily on ransomware and specifically, supply chain attacks used by all malicious cyber actors.