Axios Codebook

The would-be mass poisoning that a small town in Florida dodged last week is a chilling reminder that cybersecurity — often conceived in the popular imagination as purely an abstract province of ones and zeroes — can be a matter of life or death.

Why it matters: The fact that attackers were (if only briefly) able to access the control system for a municipal water supply should be a wake-up call for U.S. officials regarding the digital insecurity of many key pieces of infrastructure.

Driving the news: Hackers used TeamViewer, a remote-access software program, to tamper with a water-treatment facility in Oldsmar, Florida, a town of roughly 15,000 people outside Tampa, officials said Monday.

• They briefly gained access to system controls for the plant and tried to massively raise the levels of lye in the water supply from 100 parts per million to more than 11,000. (Lye, commonly used to treat drinking water, is nontoxic when diluted but poisonous at higher concentrations.)
• Plant operators quickly discovered the tampering attempt, prevented the alteration of lye levels, and shut out the hackers from their systems.

What they’re saying: “At no time was there a significant adverse effect on the water being treated,” said Bob Gualtieri, Pinellas County sheriff. “Importantly, the public was never in danger.”

Yes, but: The incident still underscores the potential for enormous damage that lies dormant within many pieces of internet-connected infrastructure in the country.

• It's a real concern, particularly as more critical infrastructure comes online and more international crime and nation-state conflict moves into the cyber realm.

In this case, while the FBI and Secret Service are investigating the breach, we don't know if the incident was an attempted terrorist attack, unsophisticated but malicious nation-state activity, or “merely” the work of a deranged individual.

• There is a chasm between a serious operation to poison an entire town’s water supply as an act of either state-sponsored sabotage or non-state terrorism and a half-baked, foolish — if malign and potentially deadly — gambit by some group of individuals who may not have even fully conceived of the seriousness of their actions.
• The continuum is broad, and we don’t know precisely where this event fits yet.

Of note: The “noisy” and haphazard nature of the hackers' work and the ease with which they got in — a worrying data point on its own — seem to point to something less than a well-thought-out operation conducted by a determined, top-tier nation-state adversary, say experts.

• While incidents like Oldsmar “are concerning given adversary brazenness ... they also are incredibly unsophisticated in nature — representing a burglar opening an unlocked door more than a thief penetrating a well-resourced security system,” writes Joe Slowik, a senior threat researcher at DomainTools.
• Slowik suggested the incident may more than anything else echo a series of seemingly simplistic breaches by hackers of water infrastructure in Israel last year, “where insecure systems were remotely accessible and entities simply took advantage of circumstances.”

The catch: Crude as the operation may have been, the hackers appeared to be trying to sicken or even kill Oldsmar residents — a rare instance of a known cyberattack targeting an industrial control system within the U.S. where the aim of the operation seemed to be lethal in intent.

An Iranian cyber spying group nicknamed Domestic Kitten has “targeted over 1,200 individuals with more than 600 successful infections” since 2017, according to new research by Check Point, an Israeli-U.S. security firm.

Why it matters: Repressive regimes around the world, including Iran, devote significant resources to targeting individuals and organizations they view as potential challengers to their rule or internal stability. Revelations about campaigns like these can help show who precisely these regimes believe are their greatest threats.

Details: The campaign, while mostly compromising individuals within Iran, has been global in scope, with victims in the U.S., U.K., Pakistan, Afghanistan, Turkey and other countries, says Check Point.

• The Iranian cyber operators tricked victims into following links to install “a malicious application” using “multiple vectors, including an Iranian blog site, Telegram channels, and even by SMS,” reports Check Point.
• In addition to focusing on Iranian dissidents at home and abroad, Domestic Kitten also targeted ISIS supporters and members of Iran’s Kurdish minority, among other groups.

Go deeper: In an earlier investigation into Domestic Kitten, Check Point described how the group created a fake “updated” version of an app from a real Kurdish news service to infect victims’ devices. It also created a fake pro-ISIS app that allowed users to select pictures to use as their wallpaper for electronic devices.

Researchers have discovered new “highly malleable, highly sophisticated” malware from a state-backed Chinese hacker group, according to Palo Alto Network’s Unit 42 threat intelligence team.

Why it matters: The malware “stands in a class of its own in terms of being one of the most sophisticated, well-engineered and difficult-to-detect samples of shellcode employed by an Advanced Persistent Threat (APT),” according to Unit 42.

• The malware, which Unit 42 has dubbed “BendyBear,” bears some resemblance to the “WaterBear malware family” (hence the bear in the name), which has been associated with BlackTech, a state-linked Chinese cyber spy group, writes Unit 42.

Background: BlackTech has been active since at least 2013, according to Symantec researchers.

• BlackTech has historically focused chiefly on intelligence targets in Taiwan, as well as some in Japan and Hong Kong.
• The group has targeted both foreign government and private-sector entities, including in “consumer electronics, computer, healthcare, and financial industries,” said researchers with Trend Micro.
• Trend Micro also previously assessed that BlackTech’s “campaigns are likely designed to steal their target’s technology.”

Go deeper: According to Symantec researchers, a BlackTech-initiated espionage campaign that began in 2019 also targeted “organizations in the media, construction, engineering, electronics, and finance sectors” with targets in Taiwan, Japan, the U.S. and China.

Hackers claiming to be part of an Israeli antifascist group breached the website of a U.S.-based KKK group, releasing personal information about the KKK members online, according to the Jerusalem Post.

Why it matters: The move represents a new digital front in the battle between far-right extremists and the loose, decentralized groups who call themselves “antifa,” short for anti-fascists.

Driving the news: The Israeli group, which calls itself Hayalim Almonim, or “Anonymous Soldiers,” defaced the KKK website with text reading "SHABBAT SHALOM! GOODNIGHT WHITE PRIDE ;)" as well as phrases like "JEWISH SOLIDARITY WITH ALL OPPRESSED PEOPLES" and "NEVER AGAIN" — a reference to preventing another Holocaust.

• The group also doxxed the KKK, releasing a trove of information related to the KKK group’s leader, including his name, home address, email addresses, date of birth, phone number and registration as a sex offender.

What they’re saying: “Our objective is to strike terror into the hearts of the enemies of humanity,” a representative of the group told the Jerusalem Post.

• “Neo-Nazi and other white supremacist groups believe that Jews have an all-seeing eye. Our desire is to make their fantasies a reality, and exploit their conspiracy theories as a form of psychological warfare. We want them to know, wherever they are in the world that will find them and expose them,” said the group’s representative.

Go deeper: Hayalim Almonim has even set up a Twitter account and a website.

• China censored popular chat platform Clubhouse, which had briefly turned into a hotbed for open discussion on sensitive subjects. (New York Times)
• Rival “COVID diplomacy” strategies pitting China against India have migrated online. (APSI)
• Browser "favicons" are acting as stealthy trackers online. (Vice)
• Hackers posted tens of thousands of hospital records to the dark web in an extortion attempt. (NBC News)
• A Serbian man was extradited to the U.S. for his alleged role in an illegal cryptocurrency scheme. (CyberScoop News)