October 06, 2023

😎 TGIF, everyone. Welcome back to Codebook.

Today's newsletter is 1,627 words, a 6-minute read.

1 big thing: Cyber espionage surge by U.S. adversaries

Illustration: Aïda Amer/Axios

U.S. adversaries are trading in their recent series of disruptive cyberattacks for good old-fashioned espionage, Microsoft noted in a report this week.

The big picture: Nation-state hacking teams have made headlines in the last couple of years with an increasing number of destructive breaches — from North Korea tapping crypto companies for funds to Russian hackers attacking Ukrainian organizations during the war.

  • While U.S. adversaries haven't completely ditched those tactics, they've also started doubling down again on espionage campaigns to steal other countries' secrets, Microsoft said Thursday in its Digital Defense Report.

Why it matters: While the impact of a destructive cyberattack is often immediate and apparent, espionage campaigns pose a long-term, existential risk to governments.

  • Spies typically are trying to gain access to a government or critical organization's network for months or even years before they're discovered — in the hope of gaining unfettered access to the adversary's confidential materials.

Between the lines: Countries are no strangers to espionage, but adversaries' digital spying skills have reached a new level of sophistication that makes them harder to detect, Microsoft found.

  • Many espionage teams have learned to hide their activity by exploiting vulnerable routers and to "live off the land," abusing an organization's own built-in tools rather than deploying recognizable malware, to expand their access to the organization's systems, said Tom Burt, corporate vice president of customer security and trust at Microsoft.
  • Governments have also expanded which countries they target: Microsoft's researchers saw adversaries increasingly trying to spy on countries across Latin America and sub-Saharan Africa, according to the report.

What they're saying: "It's a different world of security defense than it was a year or two years ago just because of these constant evolutions," Burt told Axios.

Details: Each of the U.S.' cyber adversaries has its own geopolitical motivations for advancing its espionage techniques.

  • China has been seen carrying out more sophisticated espionage campaigns against U.S. defense and critical infrastructure organizations, as well as organizations in nations bordering the South China Sea, as the world prepares for the possibility of a Chinese invasion of Taiwan.
  • Russia has shifted from the heavy focus on destructive attacks seen during the early days of the war in Ukraine to influence and espionage campaigns against Ukraine's allies with the hopes of discouraging continued Western support.
  • Iran, which is typically known for its heavy-handed distributed denial-of-service attacks and wiper attacks, is increasingly hacking cloud environments and spying on its Middle Eastern neighbors.
  • And North Korea — which is typically known for spying on South Korea and its allies — is capitalizing on a new opportunity to also spy on Russia's nuclear, defense and government entities while the country is distracted by the ongoing war.

The intrigue: Foreign governments don't spy just on government entities — they also target critical infrastructure organizations for key information about a targeted country's systems.

  • 41% of the threat notifications Microsoft sent about nation-state activity between July 2022 and June 2023 went to critical infrastructure organizations, or those in IT, finance, defense and similar sectors.
  • For comparison: 16% of notifications went to education organizations, 12% went to government entities and 11% went to think tanks.

Zoom in: A prime example of the stealthier, more difficult-to-detect espionage campaigns was the breach of U.S. government officials' Microsoft email accounts disclosed in July.

Yes, but: Although Microsoft didn't detail the U.S.' own cyber espionage, the U.S. is certainly engaging in its fair share of spying.

2. Clorox details attack's steep financial toll

Illustration: Aïda Amer/Axios

The Clorox Co. — the global manufacturer of popular cleaning products Pine-Sol, Clorox and more — warned that it's expecting significant sales and earnings losses due to an August cyberattack.

Why it matters: Clorox's financial statements provide a rare look at a cyberattack's potential financial impact on a victim.

Details: Clorox said Wednesday in a filing with the Securities and Exchange Commission that it's expecting a 23% to 28% decline in net sales for the quarter ending Sept. 30.

Catch up quick: Clorox has been responding to a cyberattack since August that's forced the company to manually process some orders and warn of potential product shortages.

  • Now, the company believes the "cybersecurity attack has been contained" and it's "making progress" to fully restore its operations, per the most recent SEC filing.

The intrigue: Bloomberg reported this week that the same group of young adult hackers who reportedly breached MGM Resorts and Caesars Entertainment last month is believed to have been behind the Clorox attack.

  • The group, known as Scattered Spider, is known for using social engineering to trick employees into handing over login credentials so they can break into systems.

What's next: Clorox has not yet scheduled its first-quarter earnings release, but the company is widely expected to share those numbers at the end of the month or in early November.

3. Getting around FBI takedowns

Illustration: Sarah Grillo/Axios

Some of the Qakbot malware group's operations have remained intact despite the FBI's lauded takedown in August, researchers at Cisco Talos have found.

What's happening: Cisco released a report Thursday showing that the Qakbot group is still distributing ransomware via phishing emails as part of a campaign that was unaffected by the FBI takedown.

  • The phishing-based campaign started a few weeks before the FBI seized some of Qakbot's infrastructure in late August, and it's been going on ever since.
  • Notably, researchers believe Qakbot's affiliates — or freelance groups that carry out attacks for larger malware distributors — are the ones running the ongoing phishing scheme.

Why it matters: The newly discovered Qakbot operation highlights the limits law enforcement faces when trying to squash cybercriminal gangs.

  • While the FBI was able to cut off the Qakbot operators' access to their thousands of malware-infected computers, the group has still been able to function.

Catch up quick: In August, the FBI announced it had infiltrated and redirected traffic going to and from the Qakbot botnet — the network of malware-infected computers that hackers had used to launch their attacks.

  • The FBI also seized the group's cryptocurrency assets and pushed an uninstaller to the thousands of infected computers it had taken control of, removing the Qakbot malware from those devices. That cut the operators off from the existing botnet, though it does not by itself prevent the same machines from being reinfected through a new phishing campaign.

The big picture: U.S. law enforcement faces a long list of problems when trying to shut down international cybercrime syndicates.

  • Many members operate in countries like Russia that are unlikely to deport them to Western nations.
  • The digital identities of members are often obfuscated and only shared with a small group of trusted people, if anyone, making them difficult to identify.
  • Cybercriminal syndicates are also constantly rebranding and restructuring themselves to shake off law enforcement.

Between the lines: Cybercriminal syndicates' ability to quickly restructure and hide the full extent of their operations can stymie infrastructure takedowns like the one that targeted Qakbot.

The intrigue: In their new scheme, Qakbot's affiliates are distributing the Cyclops, or Ransom Knight, ransomware strain, rather than the group's own malware, according to Cisco's researchers.

  • But the researchers still suspect that the operators could decide to "rebuild Qakbot infrastructure to fully resume their pre-takedown activity," per the report.

4. Catch up quick

@ D.C.

🪪 Intelligence officials have concluded that a rule requiring visa applicants to disclose their social media accounts has added "no value" to the screening process. (New York Times)

🌐 The Cybersecurity and Infrastructure Security Agency has launched a "Secure Our World" campaign to encourage better cybersecurity hygiene during Cybersecurity Awareness Month. (Nextgov/FCW)

⚠️ CISA and the NSA detail the 10 most common cybersecurity misconfigurations their teams come across during vulnerability hunting and incident response — including leaving default settings in place and poor patch management. (CISA)

@ Industry

🎰 MGM Resorts reportedly refused to pay the ransom during last month's cyberattack, and the company warned that service disruptions from the incident likely cost it more than $100 million. (Wall Street Journal)

📲 Google plans to provide security updates for the new Pixel 8 phone series for seven years, up from the company's previous five-year default. (The Verge)

🍎 Apple has issued yet another emergency security update for iPhone and iPad users to patch a recently discovered zero-day vulnerability. (BleepingComputer)

@ Hackers and hacks

🪖 NATO says it's responding to claims that hackers stole numerous strategic planning and research documents from the organization. (CNN)

⛑️ The International Committee of the Red Cross published its first-ever ethical guidelines for hacktivists engaged in armed conflicts — but not all hacktivists are supporting its suggestions. (The Record)

💻 Qualcomm warned that hackers are actively targeting three zero-day vulnerabilities in its GPU and Compute DSP drivers. (BleepingComputer)

5. 1 fun thing

Illustration: Tiffany Herring/Axios

A Veterans Affairs medical center in Missouri learned last month just how much of an insider threat cats can be:

  • "On a mid-September call, one of the participants explained that while a technician was reviewing the configuration of a server cluster, their cat jumped on the keyboard and deleted it. Or at least that's their story," The Register's Thomas Claburn writes.
  • The story continues: "Kurt DelBene, assistant secretary for information and technology and CIO at the Department of Veterans Affairs, is said to have responded on the call with words to the effect that: 'This is why I have a dog.' There was laughter and not much more — it was a short incident report."
  • 😸 Consider this your reminder to keep your cat happy and entertained while working from home! There's more than just the occasional typo at stake.

☀️ See y'all Tuesday!

Thanks to Scott Rosenberg and Megan Morrone for editing and Khalid Adad for copy editing this newsletter.

If you like Axios Codebook, spread the word.