
The hackers are back — USAID hit by the same group, with fallout across the government

The hackers who hit SolarWinds are back. This time, the Nobelium group has targeted about 3000 email accounts at more than 150 organizations across 24 countries with phishing attacks. Leveraging the branding of USAID via a compromised Constant Contact account, this campaign is the end result of a coordinated effort spanning this entire year. The deployed payload allows persistent access to compromised systems. Microsoft reported the issue in a blog post, and indicated they “are not seeing evidence of any significant number of compromised organizations at this time.”

In this context, the Defense Secretary told CNN that the US has “offensive options” to respond to cyberattacks.

The FBI is stepping up their game too. They are going to share compromised passwords with the Have I Been Pwned service. The FBI is also warning that a Fortigate appliance was exploited to gain access to a US municipal government network. Yes, this vulnerability had been warned about.
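Sharing compromised passwords with Have I Been Pwned matters to providers because the Pwned Passwords range API lets you check a password against that corpus without ever sending the password or its full hash: the client sends only the first five hex characters of the SHA-1 and matches the rest locally. The following is an added example (not code from the original post, the FBI, or HIBP) that implements that k-anonymity lookup against a constructed in-memory stand-in for the range endpoint, so it runs offline; the corpus, counts and `simulated_range_lookup` are assumptions for the example, and the live endpoint path `https://api.pwnedpasswords.com/range/{prefix}` is named only in a comment.

```python
import hashlib

# Constructed sample standing in for the breached-password corpus (classic weak
# passwords with made-up counts, not data from any real leak).
BREACHED_CORPUS = {
    "password": 3861493,
    "123456": 23597311,
    "qwerty": 3946737,
    "letmein": 235374,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Group breached hashes by their 5-char prefix, as the range service does."""
    index: dict = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append((h[5:], count))
    return index


def simulated_range_lookup(index: dict, prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/{prefix}.

    Returns one 'SUFFIX:COUNT' line per hash sharing the prefix, the same text
    shape the live endpoint returns (assumption: no padding rows are included).
    """
    return "\n".join(f"{suffix}:{count}" for suffix, count in index.get(prefix, []))


def pwned_count(password: str, range_lookup) -> int:
    """Return how many times `password` appears in the corpus, or 0.

    Only the 5-char hash prefix leaves this function; the suffix comparison
    happens locally, which is the k-anonymity property of the protocol.
    """
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    body = range_lookup(prefix)
    for line in body.splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_with_simulated_service(password: str) -> int:
    """Convenience wrapper wiring the client to the offline stand-in service."""
    index = build_range_index(BREACHED_CORPUS)
    return pwned_count(password, lambda p: simulated_range_lookup(index, p))


def prefix_sent_for(password: str) -> str:
    """Record what the client would actually transmit, for verification."""
    sent = []

    def recording_lookup(prefix: str) -> str:
        sent.append(prefix)
        return ""

    pwned_count(password, recording_lookup)
    return sent[0]


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {check_with_simulated_service(pw)} times")
```

To use the live service, replace `range_lookup` with a function that performs the HTTP GET for the prefix and returns the response body; the client logic is unchanged, and a password-reset or onboarding flow can reject any candidate whose count is greater than zero.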

Over in the Justice Department more broadly, the DoJ, FBI and the intelligence community have launched an effort to investigate supply chain threats by Russian companies. That information will be shared with Commerce, which will then decide about possibly prohibiting the use of those technologies. No timeline has been released.

In information sharing, the Defense Department is expanding its cybersecurity information sharing program, including allowing small and medium-sized contractors access to information, and the NSA is now running pilots around information sharing as well. The NSA is also offering a free and secure DNS system for those contractors.

The departments also issued an update on the Cybersecurity Maturity Model Certification (CMMC) program. These rules should be in place by the end of this calendar year. Don’t know CMMC? It is the Defense Department’s set of standards and best-practice guidance for contractor cybersecurity.

All this damage adds up: research from the Ponemon Institute tells us that compromised accounts cost companies an average of $6.2 million each year. Microsoft 365 and Google Workspace accounts have been heavily targeted using either brute force or phishing attacks, according to 57% of respondents. Fifty-one percent of respondents said phishing is the most heavily used method of attack.

TechAisle has their data too: 63% of US SMBs report that they experienced one or more cyberattacks in the last year, contributing to an average of 3.6% of revenue loss attributable to security incidents. For 46% of SMBs, preventing cyberattacks is one of the most pressing and critical IT issues. Yet 59% of SMBs are very confident that their firms could recover from a cybersecurity incident.

In case you thought this would result in fewer headlines: JBS USA, the world’s largest meat supplier, was also the victim of ransomware. The company is now aware that any customer, supplier or employee data has been compromised… although it’s unclear if consumers may be affected.

Why do we care?

You want to get consumer attention, first hit them at the gas pump, then make the cost of hamburger go up. 

The hackers never went away. Why would they? This was very successful, and so far they haven’t paid a price. Consequences and incentives are my theme lately, and the hackers have plenty of incentive to continue and not a lot of downside.

For small providers, remember that phishing attacks are your number one entry point. User training and investment IS our best weapon here, combined with basic patch management and two-factor authentication. If you heard my editorial on the weekend, you need to link your own incentives and your customers’ incentives to the solutions you adopt. If the solutions you use aren’t tied to that success, consider other options.

On the positive side, there is SO much information out there: basic guidance from every possible source. On the downside, all that data indicates that customers and providers should know better, and it is the evidence that will be pointed to when someone is breached, which ties back to my prediction of criminal negligence.