Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities

CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and Republic of Korea’s Defense Security Agency and National Intelligence Service have released a joint Cybersecurity Advisory (CSA), Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities, to provide information on ransomware activity used by North Korean state-sponsored cyber to target various critical infrastructure sectors, especially Healthcare and Public Health (HPH) Sector organizations.

The authoring agencies urge network defenders to examine their current cybersecurity posture and apply the recommended mitigations in this joint CSA, which include:

- Train users to recognize and report phishing attempts.
- Enable and enforce phishing-resistant multifactor authentication.
- Install and regularly update antivirus and antimalware software on all hosts.

See Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities for ransomware actor’s tactics, techniques, and procedures, indicators of compromise, and recommended mitigations. Additionally, review StopRansomware.gov for more guidance on ransomware protection, detection, and response.

GAO Wants Time Frames to Complete DHS Efforts on Critical Infrastructure Security

Protecting critical infrastructure—like water supplies, electricity grids, and food production—is a national priority. Events like natural disasters or cyberattacks can disrupt services that Americans need for daily life.

Many federal agencies are tasked with protecting the nation's critical infrastructure and look to the Cybersecurity and Infrastructure Security Agency for leadership on how to do it.

A 2021 law expanded these agencies' responsibilities and added some new ones. CISA is working on guidance and more to help agencies implement these responsibilities. We recommended that CISA set timelines for completing this work.

GAO found that the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 expanded and added responsibilities for sector risk management agencies. These agencies engage with their public and private sector partners to promote security and resilience within their designated critical infrastructure sectors. Some officials from these agencies described new activities to address the responsibilities set forth in the act, and many reported having already conducted related activities. For example, the act added risk assessment and emergency preparedness as responsibilities not previously included in a key directive for sector risk management agencies. New activities officials described to address these responsibilities included developing a risk analysis capability and updating emergency preparedness products.

The Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has identified and undertaken efforts to help sector risk management agencies implement their statutory responsibilities. For example, CISA officials stated they are updating key guidance documents, including the 2013 National Infrastructure Protection Plan and templates for revising sector-specific guidance documents. CISA officials also described efforts underway to improve coordination with sector partners, such as reconvening a leadership council. Sector risk management agency officials for a majority of critical infrastructure sectors reported that additional guidance and improved coordination from CISA would help them implement their statutory responsibilities. However, CISA has not developed milestones and timelines to complete its efforts. Establishing milestones and timelines would help ensure CISA does so in a timely manner.

Why GAO Did This Study

Critical infrastructure provides essential functions––such as supplying water, generating energy, and producing food––that underpin American society. Disruption or destruction of the nation's critical infrastructure could have debilitating effects. CISA is the national coordinator for infrastructure protection.

The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 includes a provision for GAO to report on the effectiveness of sector risk management agencies in carrying out responsibilities set forth in the act. This report addresses (1) how the act changed agencies' responsibilities, and the actions agencies have reported taking to address them; and (2) the extent to which CISA has identified and undertaken efforts to help agencies implement their responsibilities set forth in the act.

GAO analyzed the act and relevant policy directives, collected written responses from all 16 sectors using a standardized information collection tool, reviewed other DHS documents, and interviewed CISA officials.

Recommendations

The Director of CISA should establish milestones and timelines to complete its efforts to help sector risk management agencies carry out their responsibilities. DHS concurred with the recommendation. Additionally, GAO has made over 80 recommendations which, when fully implemented, could help agencies address their statutory responsibilities.

Recommendations for Executive Action
Agency Affected
Cybersecurity and Infrastructure Security Agency

Recommendation
The Director of CISA should establish milestones and timelines for its efforts to provide guidance and improve coordination and information sharing that would help SRMAs implement their FY21 NDAA responsibilities, and ensure the milestones and timelines are updated through completion. (Recommendation 1)

Actions to satisfy the intent of the recommendation have not been taken or are being planned.

Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and Republic of Korea’s Defense Security Agency and National Intelligence Service have released a joint Cybersecurity Advisory (CSA), Ransomware Attacks on Critical Infrastructure Fund Democratic People’s Republic of Korea (DPRK) Espionage Activities, to warn network defenders of malicious activity targeting U.S. and South Korean Healthcare and Public Health (HPH) Sector organizations as well as other critical infrastructure sectors.

In addition to other tactics, these malicious cyber actors have been exploiting vulnerabilities, such as Log4Shell CVE-2021-44228, SMA100 Apache CVE-2021-20038, and/or TerraMaster OS CVE-2022-24990, to gain access and escalate privileges on victim’s networks. After initial access, DPRK actors use staged payloads with customized malware to perform malicious movements, use various ransomware tools and demand ransom in cryptocurrency.

This advisory is a supplement to a July 2022 joint advisory on North Korean state-sponsored cyber actors using Maui ransomware to target HPH sector.

All organizations are encouraged to review the CSA for complete details on this threat and recommended mitigations, which also includes specific mitigations that HPH organizations should implement. This advisory is available on stopransomware.gov, the USG one-stop resource for advisories on the ransomware threat and available no-cost resources.

Cybersecurity High-Risk Series: Challenges in Protecting Cyber Critical Infrastructure

Federal systems are vulnerable to cyberattacks. High Risk report identified 10 critical actions for addressing federal cybersecurity challenges.

In this report, the third in a series of four, GAO covers the action related to protecting cyber critical infrastructure—specifically, strengthening the federal role in cybersecurity for critical infrastructure. For example, the Department of Energy needs to address cybersecurity risks to the U.S. power grid.

The GAO made 106 public recommendations in this area since 2010. Nearly 57% of those recommendations had not been implemented as of December 2022.

Strengthen the Federal Role in Protecting Cyber Critical Infrastructure

The U.S. grid’s distribution systems—which carry electricity from transmission systems to consumers and are regulated primarily by states—are increasingly at risk from cyberattacks. Distribution systems are growing more vulnerable, in part because of industrial control systems’ increasing connectivity. As a result, threat actors can use multiple techniques to access those systems and potentially disrupt operations.

Examples of Techniques for Gaining Initial Access to Industrial Control Systems

GAO reported in March 2021 that DOE, as the lead federal agency for the energy sector, developed plans to help combat these threats and implement the national cybersecurity strategy for the grid. However, DOE’s plans do not address distribution systems’ vulnerabilities related to supply chains. By not having plans that address the improvement to grid distribution systems’ cybersecurity, DOE’s plans will likely be of limited use in prioritizing federal support to states and industry.

➢ GAO recommended that, in developing plans to implement the national cybersecurity strategy for the grid, DOE coordinate with DHS, states, and industry to more fully address risks to the grid’s distribution systems from cyberattacks.

The communications sector is an integral component of the U.S. economy and faces serious physical, cyber-related, and human threats that could affect the operations of local, regional, and national level networks, according to CISA and sector stakeholders. In addition to managing federal coordination during incidents impacting the communications sector, CISA shares information with sector stakeholders to enhance their cybersecurity and improve interoperability, situational awareness, and preparedness for responding to and managing incidents.

Examples of Potential Security Threats to the Communications Sector

In November 2021, we reported that CISA had not assessed the effectiveness of its programs and services supporting the security and resilience of the communications sector. By completing such an assessment, CISA would be better positioned to determine which programs and services are most useful or relevant in supporting the sector’s security and resilience. We also reported that CISA had not updated its 2015 Communications Sector-Specific Plan. Developing and issuing a revised plan would help CISA to address emerging threats and risks to the communications sector.

➢ GAO recommended that CISA assess the effectiveness of its programs and services to support the communications sector and, in coordination with public and private communications sector stakeholders, produce a revised Communications Sector-Specific Plan.

Ransomware is a form of malicious software that threat actors use in a multistage attack to encrypt files on a device and render data and systems unusable. These threat actors then demand ransom payments in exchange for restoring access to the locked data and systems.

Four Stages of a Common Ransomware Attack

In September 2022, we reported that CISA, FBI, and Secret Service provide assistance in preventing and responding to ransomware attacks on tribal, state, local, and territorial government organizations. However, the agencies could improve their efforts by fully addressing six of seven key practices for interagency collaboration in their ransomware assistance to state, local, tribal, and territorial governments. For instance, existing interagency collaboration on ransomware assistance to tribal, state, local, and territorial governments was informal and lacked detailed procedures.

➢ GAO recommendeds that DHS and the Department of Justice address identified challenges and incorporate key collaboration practices in delivering services to state, local, tribal, and territorial governments.

GAO have made 106 recommendations in public reports since 2010 with respect to protecting cyber critical infrastructure. Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them. For more information on this report, visit https://www.gao.gov/cybersecurity.

IRC warns damaged infrastructure is hampering critical aid supply to catastrophic disaster as it launches emergency response

As the full scale of the disaster in Syria and Turkey following the 7.8 magnitude earthquake becomes apparent, the International Rescue Committee (IRC) is warning of catastrophic humanitarian needs in both countries. Unfettered humanitarian access to those affected is now absolutely critical. As humanitarian needs soar during freezing temperatures, in both Turkey and Syria, the IRC is launching an integrated response to affected populations in both countries.

Tanya Evans, Syria Country Director for IRC said:

“The scale of the disaster is catastrophic. We are still in the first 36 hours of one of the largest earthquakes to hit the region this century. Multiple earthquakes and aftershocks yesterday and today have damaged roads, border crossings, and critical infrastructure, severely hampering aid efforts.

“IRC’s main priority is finding safe spaces for our staff to operate from in Gaziantep and across northwest Syria. Many buildings have been severely damaged in the earthquake, including at least one of our field offices in northwest Syria. It is almost impossible to know the full extent of the disaster right now but everything we are hearing from our teams suggests it is truly devastating.

“Electricity across the affected area remains intermittent. In Turkey we have seen improvements since the earthquake but in northern Syria there are still so many areas off the grid. This also includes mobile and internet outages making the response and coordination even more difficult. It is not just electricity and phone lines affected. Gas supplies, for which many rely on to heat their homes, have also been severely impacted meaning that even if people are able to return to their homes they will have to endure freezing temperatures.

“With the response in its infancy the need for humanitarian aid is stark. Roads and infrastructure, like bridges, have been damaged meaning it will likely prove challenging to get supplies to those who need it most. Even before the earthquake, humanitarian access was constrained in northwest Syria, with most aid coming in via one crossing point with Turkey. In this time of increased need it is critical that the levels of aid crossing also increase at pace too.”

The IRC’s response to the earthquake will be in both Turkey and northern Syria, and will include the provision of immediate cash, basic items such as household kits, dignity kits for women and girls and hygiene supplies. Through partners, the IRC will support essential health services in earthquake-affected areas, and set up safe spaces for women and children affected by the crisis.

In light of the catastrophic humanitarian needs emerging, the IRC is calling on the international community to urgently increase critical funding to both Syria and Turkey to ensure that those affected by this emergency get the lifesaving support they need before it is too late.

[image: DENIZ TEKIN/EPA-EFE/Shutterstock]

Cybersecurity High-Risk Series: Challenges in Securing Federal Systems and Information

Federal systems are vulnerable to cyberattacks. Our High Risk report identified 10 critical actions for addressing federal cybersecurity challenges.

In this report, the second in a series of four, we cover the 3 actions related to Securing Federal Systems and Information:

- Improve implementation of government-wide cybersecurity initiatives
- Address weaknesses in federal agency information security programs
- Enhance the federal response to cyber incidents to better protect federal systems and information

GAO has made about 712 recommendations in public reports since 2010 with respect to securing federal systems and information. Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them. For more information on this report, visit https://www.gao.gov/cybersecurity.

Improve Implementation of Government-Wide Cybersecurity Initiatives

Federal law assigned five key cybersecurity responsibilities to the Cybersecurity and Infrastructure Security Agency (CISA), including securing federal information and systems, and coordinating federal efforts to secure and protect against critical infrastructure risk. To implement these responsibilities, CISA undertook an organizational transformation initiative aimed at unifying the agency, improving mission effectiveness, and enhancing the workplace experience. In March 2021, we reported that CISA had only completed 37 of 94 planned implementation tasks. Critical transformation tasks such as finalizing the mission-essential functions of CISA’s divisions and defining incident management roles and responsibilities across the agency had not yet been completed.

- We recommended that CISA establish expected completion dates, plans for developing performance measures, and an overall deadline for the completion of the transformation initiative, as well as develop a strategy for comprehensive workforce planning.

Address Weaknesses in Federal Agency Information Security Programs

To protect federal information and systems, the Federal Information Security Modernization Act of 2014 (FISMA) requires federal agencies to develop, document, and implement information security programs. Congress included a provision in FISMA for GAO to periodically report on agencies’ implementation of the act. In March 2022, we reported on the information security programs of 23 federal civilian agencies, including annually required program reviews to be conducted by agency inspectors general (IG). Among other things, we noted that IGs determined that 16 (or 70 percent) of the 23 agencies had ineffective programs for fiscal year 2020.

We found that OMB’s guidance to IGs on conducting agency evaluations was not always clear, leading to inconsistent application and reporting by IGs. Further, we reported that the binary effective/not effective scale resulted in imprecise ratings that did not clearly distinguish among the differing levels of agencies’ performance. By clarifying its guidance and enhancing its rating scale, OMB could help ensure more a more consistent approach and nuanced picture of agencies’ cybersecurity programs.

- GAO recommended that OMB, in consultation with others, clarify its guidance to IGs and create a more precise overall rating scale.

Enhance the Federal Response to Cyber Incidents

DOD and our nation's defense industrial base (DIB) are dependent on information systems to carry out their operations. These systems continue to be the target of cyberattacks, as demonstrated by over 12,000 cyber incidents DOD has experienced since 2015.

In November 2022, we reported DOD has taken steps to combat these attacks and the number of cyber incidents had declined in recent years. However, we found that the department (1) had not fully implemented its processes for managing cyber incidents, (2) did not have complete data on cyber incidents that staff report, and (3) did not document whether it notifies individuals whose personal data is compromised in a cyber incident.

In addition, according to officials, DOD has not yet decided whether DIB cyber incidents detected by cybersecurity service providers should be shared with all relevant stakeholders. Until DOD examines whether this information should be shared with all relevant parties, opportunities could be lost to identify system threats and improve system weaknesses.

- GAO recommended the Department of Defense improve the sharing of DIB-related cyber incident information and document when affected individuals are notified of a PII breach of their data.

NSA, CISA, and MS-ISAC Release Guidance for Securing Remote Monitoring and Management Software

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released the “Protecting Against Malicious Use of Remote Monitoring and Management Software” Cybersecurity Advisory (CSA) today to help network defenders protect against the malicious use of legitimate remote monitoring and management (RMM) software.

RMM software is commonly used by managed service providers (MSPs) and help desks to provide security and/or technical support. The software is intended to enable network management, endpoint monitoring, and remote interaction with hosts for IT-support functions. Malicious use of RMM software allows cybercriminals and advanced persistent threat (APT) actors to bypass anti-virus/anti-malware defenses.

In October, CISA identified a widespread cyber campaign in which cybercriminal actors leveraged RMM software to gain command and control of devices and accounts. Malicious cyber actors could leverage these same techniques to target National Security Systems (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) networks and use legitimate RMM software on both work and home devices and accounts. Other RMM software solutions could be abused to similar effect.

CISA, NSA, and MS-ISAC encourage network defenders to apply mitigations such as the following:

- Audit installed remote access tools to identify RMM software.
- Implement application controls to prevent execution of unauthorized RMM software.
- Use only authorized RMM software on your network over approved remote access solutions, such as VPN or VDI.
- Block both inbound and outbound connections on common RMM ports and protocols.

Read full report at www.media.defense.gov/2023/Jan/25/2003149873/-1/-1/0/JOINT_CSA_RMM.PDF

Bitzlato: senior management arrested

An operation led by French and US authorities, and strongly supported by Europol, has targeted the crypto exchange platform Bitzlato. The globally operating Hong Kong-registered cryptocurrency exchange is suspected of facilitating the laundering of large amounts of criminal proceeds and converting them into roubles. Law enforcement authorities took down the digital infrastructure of the service, based in France, and interrogated leading members of the platform’s management. The operation also involved law enforcement and judicial authorities from Belgium, Cyprus, Portugal, Spain and the Netherlands.

Targeting crucial crime facilitators such as crypto exchanges is becoming a key priority in the battle against cybercrime. Bitzlato allowed the rapid conversion of various crypto-assets such as bitcoin, ethereum, litecoin, bitcoin cash, dash, dogecoin and USDT into Russian roubles. It is estimated that the crypto exchange platform has received a total of assets worth EUR 2.1 billion (BTC 119 000).

While the conversions of crypto-assets into fiat currencies is not illegal, investigations into the cybercriminal operators indicated that large volumes of criminal assets were going through the platform. The analysis indicated that about 46 % of the assets exchanged through Bitzlato, worth roughly EUR 1 billion, had links to criminal activities.

Cryptanalysis uncovered that the majority of suspicious transactions are linked to entities sanctioned by the Office of Foreign Assets Control (OFAC), with others linked to cyber scams, money laundering, ransomware and child abuse material. For example, investigations showed that 1.5 million BTC transactions have been made directly between Bitzlato users and the Hydramarket, taken down in April 2022.

This exchange platform, available both in Russian and English language, rented dedicated servers from a hosting company in France. The coordinated action of the judicial and law enforcement authorities from the different involved countries led to the takedown of the platform, seizures of present financial assets, and further technical analysis.

Cryptoanalysis and international coordination to uncover links

During the first phases of the investigative activities, Europol facilitated the information exchange, provided analytical support linking available data to various criminal cases within and outside the EU, and supported the investigation through the analysis of millions of cryptocurrency transactions.

On the action day, Europol deployed 13 of its experts on the spot (10 in France, 1 in Cyprus, 1 in Spain and 1 in Portugal) and supported the deployment of national investigators in other countries taking part in the operational activities. Europol supported the law enforcement authorities involved with coordination related to cryptocurrency analysis, cross checking of operational information against Europol’s databases, and operational analysis. At this moment, already over 3 500 bitcoin addresses and over a 1 000 Bitzlato user details showed links with various criminal cases reported in Europol’s systems. Analysis of this data and other related cases is expected to trigger further investigative activities.

Space for Maritime Task Force Launched

The “Space for Maritime Task Force” was recently launched by the European Space Agency (ESA) together with maritime stakeholders at the Italian Coast Guard Headquarters in Rome. The initiative acts on ESA’s vision to boost digital and green solutions, reducing emissions and enabling sustainable innovation.

In recent years, ESA Space Solutions has been cooperating with key stakeholders in the maritime sector via the Business Applications and Space Solutions (BASS) programme. These include a wide range of user communities and classes such as fisheries, coast guards, port authorities, military bodies, shipping companies, commercial operators, and international, national and European institutions. Through this cooperation, ESA has built strategic partnerships and supported several initiatives addressing domains such as maritime sustainability, ship tracking via satellite-based automatic identification systems (AIS), smart routing, autonomous vessels, water quality monitoring, the reduction of marine pollution and the green transition of ports’ eco-systems.

The Italian General Command of the Port Authority Corps - Coast Guard has, for some months, been working on a collaboration with ESA to foresee and enhance the use of space applications aimed at promoting sustainable innovation and transport in the maritime ecosystem. This collaboration has resulted in the creation of a standing committee, called the Space for Maritime Task Force (SMTF).

The Task Force aims to contribute to sustainability and maritime safety by increasing the use of innovative integrated solutions that exploit digital and space technologies, such as communications, navigation, and earth observation. This initiative will leverage active involvement of national institutions, Industry and research entities in the digital transformation of port and maritime services (e-Navigation), with a view to enhancing the sustainability of maritime transport. It will foster the innovative use of space technologies for supporting the shipping sector, for example in its transition to uncrewed shipping, as well as the implementation of a safe integration of uncrewed vessels within maritime transport provision, the monitoring of coastal areas and infrastructures, and maritime surveillance activity (in the domains of safety, security, fishing and the environment). The work will be divided into sub-topics of interest, which for the moment include "maritime sustainability", "green and smart ports" and "safety at sea and maritime security".

The results from the Task Force will be presented to international (International Maritime Organization - IMO) and European bodies, in order to contribute to the development and standardisation of requirements and innovative technologies aimed at improving maritime services. This will allow sustainable economic growth for all players involved. Rita Rinaldo, Head of the Projects & Studies Implementation Division at ESA Space Solutions commented “Collaboration with maritime stakeholders is key for ESA to support innovative solutions that exploit digital and space technologies, and to enable European space and downstream companies to contribute to sustainability and maritime safety.”

Partners in the Task Force include: the General Command of the Port Authority Corps - Coast Guard; European Space Agency (ESA); Italian Space Agency (ASI); National Inter-University Consortium for Telecommunications (CNIT); and the Directorate General for the Supervision of Port System Authorities, Maritime Transport and Inland Waterways.

IOM joins Making Cities Resilient 2030 as supporting entity

The International Organization for Migration’s (IOM) Regional Office for the Middle East and North Africa (MENA) has joined the MCR2030 initiative as a supporting entity. MCR2030 is UNDRR’s flagship program, building on the achievement of the Making Cities Resilient Campaign that began in 2010. It welcomes cities, local governments, and all parties who wish to support cities along the resilience roadmap.

The IOM Regional Office for the MENA region has developed the Urban Diagnostic Toolkit to map gaps in migrants’ integration in urban settings, aimed at increasing urban resilience of migrants, refugees, displaced persons, host societies and local governments by strengthening migrants’ social cohesion in the spatial, institutional, economic, climate and resilience city systems.

Increasingly, IOM and UNDRR collaborate across a range of workstreams from high level policy engagement related to the Sendai Framework for DRR’s Midterm Review process, the Global Platform for DRR and Regional DRR Platforms, and more recently on the Early Warning for All Initiative, COP27 and the Center of Excellence for Disaster and Climate Resilience, which IOM recently joined as a member of the Steering Committee. Partnership also extends to technical cooperation on the implementation of the annual workplan of the Senior Leadership Group for DRR for Resilience inclusive of work to mainstream DRR into humanitarian action. IOM is also supporting UNDRR’s leadership on the development and roll out of Risk Information Exchange and the creation of a second-generation disaster loss accounting platform to replace DesInventar. The latter was recently dialogued under the leadership of UNDRR-UNDP-WMO at the Bonn Technical Expert Forum meeting in late November.

This is the beginning of a new collaboration between the two UN agencies. UNDRR warmly welcomes the new MCR partner to work jointly on paving the road for increasing migrants’ resilience in urban contexts.

MRC2030 is a unique cross-stakeholder initiative for improving local resilience through advocacy, sharing knowledge and experiences, establishing mutually reinforcing city-to-city learning networks, injecting technical expertise, connecting multiple layers of government, and building partnerships. Through delivering a clear roadmap to urban resilience, providing tools, access to knowledge, and monitoring and reporting tools, MCR2030 will support cities on their journey to reduce risk and build resilience.

1 2 3 4 5 6 30