Consortium Networks Monthly Newsletter: March

Happy Women's History Month! Consortium Networks is proud of its Story Behind the Story: Women in Cybersecurity interview series and is thrilled to feature an interview with Theresa Payton, the first female White House CIO, in this edition of our monthly newsletter.

This edition of the Consortium Networks Monthly Newsletter covers the state of cybersecurity in K-12 education, Twitter's 2FA policy change, an ever-changing liability landscape, and much more. 

Be sure to sign up for the newsletter here to join our mailing list so you never miss an edition.

Story Behind the Story: An Interview with Theresa Payton

In this interview with Abby Sonnier, policy analyst at Consortium Networks, Theresa discusses her career in cybersecurity, from being a leader in the banking industry to becoming the first female White House CIO, along with practical tips on finding mentorship in the workplace as a woman in a male-dominated field.

The State of Cybersecurity in K-12 Education

Though the majority of us lament it, we all see that K-12 schools are chronically underfunded. Cleveland School District in the Mississippi Delta kicked off the new school year in August without air conditioning, a ceiling collapsed last fall in a Memphis-Shelby County School library, students in Baltimore public schools have to layer coats, scarves, and mittens to get through class in an unheated classroom in the middle of winter, and Oklahoma students make-do with unqualified teachers holding only emergency certifications in the midst of a teacher shortage. The effects of growing costs and shrinking budgets are easy to see with one glance toward the public education system in the United States.

An increasingly visible consequence of the lack of funding in schools is that the education sector is an easy and bountiful target for cyber attackers. A 2022 nationwide cybersecurity risk assessment review discovered that though “the K-12 sector is improving in its cybersecurity capabilities over time, the sector lags behind other sectors when comparing cybersecurity program maturity.”

Driving the Headlines: Twitter 2-Factor Authentication Changes

This month, Twitter announced that as of March 20, text-based two-factor authentication will only be available for Twitter Blue subscribers. Twitter noted that SMS 2FA is very popular, but is the most likely to be abused by nefarious actors. The change was also a business decision as Twitter was losing $60 million a year on scam SMS.

Driving the Headlines: A Shifting Liability Landscape

As things stand now, when a company falls victim to a cyberattack, it is held liable for that incident. Vendors and manufacturers are able to push out products riddled with vulnerabilities without fear of significant repercussions, should one of its clients fall victim to a cyberattack because of those vulnerabilities.

CISA and the White House want to change this structure of liability. CISA Director Jen Easterly outlined CISA’s view on this issue of “dangerous-by-design” technology products in a speech at Carnegie Mellon University, saying that it is time for a “fundamental shift” to “value safety over other market incentives like cost, features, and speed to market.”

In Other News

Trends in Hacking

State Actors: February saw a number of state-sponsored or state-adjacent groups explicitly called out for their operations. 

• China: The European Union Agency for Cybersecurity (ENISA) and CERT-EU published a joint report warning of increased threat to EU governments and businesses by a number of Chinese groups including APT 27, APT 30, APT 31, Ke3chang, GALLIUM, and Mustang Panda. The groups are primarily focused on information theft and establishing persistent footholds in strategically relevant organizations.

• Russia: The group known as “Anonymous Sudan” that has conducted a number of DDoS attacks on European targets this month is very likely a persona being used by APT 28, a Russian GRU unit. APT 28 has conducted many operations under “Anonymous” personas and other fake identities. True Sec published a report  that further supports and explains the Anonymous Sudan operation.
• On the non-state actor but state-permitted side, experts are warning that KillNet, a pro-Russian hacktivist group, is becoming increasingly prevalent. As of now, the group is known for carrying out low-impact DDoS attacks, but there is concern among the experts that it will soon pivot to more destructive/disruptive attacks. Either way, this is a group healthcare organizations in the US need to be aware of and keep an eye on. 
• Another Russian sponsored group known as Gamaredon has and will continue to use information-stealing malware on Ukrainian security and government services. Recently, Gamaredon has expanded to attacking Ukrainian allies as well, such as Latvia, so organizations operating in the security sector in Ukrainian-allied states should be aware of the group.

• Iran: Microsoft reported that the Iranian group NEPTUNIUM was behind the January cyberattack on Charlie Hebdo, a French satirical magazine. The attack was in response to the magazine’s announcement that it would be holding an international competition for cartoons ridiculing the Iranian Supreme Leader on the 8th anniversary of an al-Qaeda attack on the magazine’s offices. This attack serves as a reminder of the security precautions organizations should expect to take when directly criticizing or angering Iranian leadership.

• India: The Indian APT Rattlesnake was found by security research firm Weibu targeting Chinese universities and Pakistani defense and governmental organizations. 

• North Korea: The North Korean military hacking groups collectively known as the Lazarus Group was found targeting the private and public Indian healthcare and energy sectors. 

• Other: The Blind Eagle APT, a financially-motivated group operating somewhere out of South America, recently conducted a phishing campaign posing as Columbian tax agency officials to target government agencies and financial institutions in Columbia and Ecuador. The group has been around since at least 2018, but Check Point Research recently published a report saying the group has moved from “simple phishing techniques'' to “a more advanced toolset.”

Targets: In addition to the sectors and organizations specifically targeted by the APTs listed above, a few sector-specific targets are worth noting.

• Healthcare: The Healthcare sector is seeing an explicit DDoS campaign against their systems by the Russian KillNet group alongside an extortion campaign out of North Korea.

• Education: A number of schools across the country responded to ransomware attacks that canceled classes over the last month. K-12 schools in Nantucket, Tucson, West Virginia, and Minneapolis fell victim to attacks. At the post-secondary education level, Mount Saint Mary College confirmed a December attack this month while a number of international universities were hit as well.

Policy and Politics

United States: In addition to the newly released National Cyber Strategy previously discussed, a number of bills in Congress were introduced in February. The bill in Congress with the most traction is HR 302, a bill directing the Secretary of Energy to provide funding for universities pursuing cybersecurity research for the energy sector, which passed the House of Representatives and is now headed to the Senate. Other bills include the Cyber Defense National Guard Act (HR 278), the Building Resilient Supply Chains Act (HR 762), the Supply Chains Mapping and Monitoring Act (HR 796), the Protecting Against Compromised IoT Technology Act (HR 942), the Digital Citizenship and Media Literacy Act (S 394), the Insure Cybersecurity Act (S 513), the Understanding Cybersecurity of Mobile Networks Act (HR 1123), and a number of other related bills were all introduced but have so far not made any progress.

The White House gave the Department of Commerce approval to renew a Trump-era Executive Order that directs the Secretary of Commerce to implement regulations to be used to deter foreign malicious cyber actors’ abuse of US cloud services. 

Global: Belgium launched a new legal framework for reporting IT vulnerabilities that requires anyone “with no fraudulent intent or intention to cause harm” to report existing vulnerabilities in networks and information systems in Belgium. The United Kingdom opened a consultation period for reviewing the Computer Misuse Act of 1990 that will end in early April, 2023, to understand if the UK’s legal framework continues to provide adequate protections and seeks public comment on three legislative proposals the government is considering. Australia is establishing a new Coordinator for Cyber Security with powers necessary to protect Australians from mass cyberattacks.