SEC vs SolarWinds 2: This Time it's Personal

PLUS: The EncroChat Takedown Was Wildly, Wildly Successful

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray with help from Catalin Cimpanu. It's supported by the Cyber Initiative at the Hewlett Foundation and this week's edition is brought to you by application allowlisting software maker Airlock Digital.

Listen to Patrick Gray and Tom Uren discuss this edition of the newsletter in the Seriously Risky Business podcast:


SolarWinds executives have been formally warned by the US Securities and Exchange Commission that it plans to bring enforcement actions against them over the 2020 supply chain attack that involved compromise of the company's Orion software platform.

In its SEC filing this week, SolarWinds announced that "certain current and former executive officers and employees of the Company, including the Company’s Chief Financial Officer and Chief Information Security Officer received 'Wells Notices'". A Wells Notice indicates that SEC staff have recommended the commission pursue a civil enforcement action against the recipients because the SEC believes they may have broken US federal securities laws.

The filing doesn't make exactly clear what the executives are thought to have done wrong, but SolarWinds' last quarterly report provides some clues. Back in October 2022, the company as a whole received its own Wells Notice, which alleged "violations of certain provisions of the U.S. federal securities laws with respect to our cybersecurity disclosures and public statements, as well as our internal controls and disclosure controls and procedures".

The SEC has previously launched a small number of cyber-related enforcement actions focused on inadequate disclosure, but this targeting of individuals rather than the companies themselves is new. Potential actions against the executives range from formally telling them to do better in future, through civil penalties such as fines, to barring them from serving as officers or directors of public companies. Even at the light end, the reputational hit will be significant.

This reminds us a bit of Uber Chief Security Officer Joe Sullivan's legal troubles in that they stemmed from a failure to appropriately disclose an incident. In that case, Sullivan was assisting a Federal Trade Commission (FTC) investigation into a breach at Uber that occurred prior to him joining the company. When a new breach occurred, rather than informing the FTC, Sullivan kept the breach secret and paid the hackers USD$100k worth of bitcoin to secure their silence.

In the Department of Justice's press release announcing the conviction, US Attorney Stephanie Hinds said that "Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught".

So there's a spectrum here which runs from actively hiding breaches (Sullivan) to not quite disclosing as much as you should (the SEC's position on SolarWinds). And there is good evidence that there is widespread underreporting of cyber incidents. In a roundabout way the SolarWinds incident may have highlighted this uncomfortable truth to the SEC. In the wake of the incident, the SEC asked hundreds of potentially affected companies to turn over records related to "any other" data breach or ransomware incident. The SEC wanted to discover other breaches relevant to the SolarWinds incident, but an unnamed consultant told Reuters that companies were worried about how the SEC would use that information given that "most companies have had unreported breaches since then".

It's not just the SEC that would like firms to be more open about cyber incidents; other parts of the US government are also pushing that barrow. For example, CISA Director Jen Easterly bemoaned firms' reluctance to report cyber incidents in a Foreign Policy article earlier this year:

When most companies detect a cyber-intrusion, too often their default response is: call the lawyers, bring in an incident response firm, and share information only to the minimum extent required. They often neglect to report cyber-intrusions to the government for fear of regulatory liability and reputational damage.

We wonder about the SEC's motivations here. Was the behaviour of SolarWinds' executives so egregious that they deserve to be singled out for punishment? Or is SolarWinds a convenient high-profile case that the SEC would like to make an example out of to set a standard?

A SolarWinds' spokesperson told Cybersecurity Dive the company had "acted properly at all times by following long-established best practices for both cyber controls and disclosure". The statement also said that "any potential [enforcement] action will make the entire industry less secure by having a chilling effect on cyber incident disclosure".

We have to wait to see the details here, but we disagree that individual accountability — when meted out appropriately — will have a chilling effect. Focussing on individuals is a more effective way to drive cultural change than holding firms responsible as a whole.

If you are a CISO, the message here should be crystal clear: disclose cyber incidents early, completely and often. If your firm decides not to disclose an incident, make damn sure that someone — preferably not you — is clearly responsible for making that decision.

The EncroChat Takedown Was Wildly, Wildly Successful

Europol has published a mind boggling overview of the outcomes (so far) of the law enforcement takedown of the EncroChat encrypted phone network.

These include:

  • 6,558 arrests, including of 197 "high value" targets, and convictions that have resulted in cumulative sentences of 7,134 years.
  • €740m of cash seized and €150m of assets frozen.
  • 103 tonnes of cocaine, 163 tonnes of cannabis, and 3.3 tonnes of heroin seized.
  • 971 vehicles, 271 homes or estates, 923 weapons, 83 boats and 40 planes seized.

It also helped to prevent "violent attacks, attempted murders, corruption and large-scale drug transports, as well as obtain large-scale information on organised crime".

These outcomes come from just a few months of access to EncroChat messages. EncroChat claimed its servers were located in a secure offshore location, but they were actually located in France and weren't at all secure from law enforcement.

Police gained access to EncroChat devices by compromising the system's servers and pushing malicious updates to the devices connected to it. The interception operation started in April 2020 and eventually resulted in police reading criminals' messages in real time. But within months the company realised its system had been compromised, and by June 2020 it was advising its clients to throw their devices away.

EncroChat was an encrypted smartphone messaging system that used the Signal protocol and was built on the Android OS. Messages disappeared after a week, and the phones held two operating systems: one a normal version of Android and the other hosting the EncroChat messaging app.

If you're interested in some history about crimephones and the police actions against them, check out our piece "Crimephones Are a Cop's Best Friend" from May.

Three Reasons to be Cheerful this Week:

  1. Another BreachForums spin-off site seized: The FBI seized a cybercrime forum, Breached[.]vc, which was created after an earlier iteration, RaidForums, was taken down earlier this year. In a nice touch, the FBI's domain seizure image included the admin's avatar in handcuffs. Cyberint has a history of the rolling seizures and arrests of the various RaidForums and BreachForums sites.
  2. USD$20m for cyber security clinics: Google.org has pledged USD$20m to support clinics at 20 higher education institutions in collaboration with the Consortium of Cybersecurity Clinics. The clinics will provide free cyber security services to their communities and also give students practical experience in developing cyber security skills.
  3. Delete on request Bill: US lawmakers introduced a bipartisan bill to require data brokers to delete private information on request. We don't think that on its own the bill goes far enough, but it seems like one sensible part of what we hope will be broader reform.

In this sponsored Soap Box podcast Patrick Gray talks to Airlock Digital co-founders Daniel Schell and David Cottingham about living off the land.

The recent Volt Typhoon report from Microsoft chronicled the adventures of a Chinese APT crew in US critical infrastructure. But one of the most fascinating aspects of the Volt Typhoon campaign was that the attackers almost exclusively used so-called living off the land techniques.

So the question becomes – what can you do about an attacker in your environment who has privilege and isn’t using malware?

Shorts

Lawyers Make Fine Targets

The UK's NCSC and France's ANSSI have released cyber threat reports for the legal sector, warning that lawyers make great targets but are not well equipped to defend themselves. They're attractive targets for criminals because they handle large amounts of money that need to be moved under time pressure. They're also attractive targets to states and mercenary hackers because of the sensitive information they hold.

It's not a happy place, but the NCSC has some practical advice.

Sandworm World View

German newspaper Der Spiegel has published an analysis of a master's thesis by Evgenii Serebriakov, head of the GRU's Sandworm cyber espionage group. You can read a Twitter thread summary here. The thesis itself is not that interesting, but we find it fascinating that it popped up on VirusTotal shortly after Wired revealed that Serebriakov was the new head of the group. There must be an interesting story behind that, but we have no idea what it is.

Senate Push For Cyber Force Study

The draft 2024 US National Defense Authorization Act contains provisions that require an independent study of the merits of establishing a "Cyber Force" as a separate branch of the armed forces.

We don't think a Cyber Force is a good idea, but we could be wrong?

The cyber domain is all-pervasive and cyber operations are relevant to all branches — so our gut says corralling all the cyber skillz into one new service would weaken the others.

But! A reasonable counterargument is that the Department of Defense underinvests in cyber capabilities because vested interests in the various branches prioritise planes, ships and tanks, so cyber is essentially the red-headed step-child of the armed forces.

A detailed study will obviously be more enlightening than our feelpinions, though, and we'll keep you posted on what it says if it ever gets published.

Further coverage at The Record and DefenseScoop.

North Korea by the Numbers

Recorded Future has published an analysis of North Korea's cyber activity based on 273 cyberattacks attributed to groups sponsored by the country. Although its cryptocurrency and financial hijinks receive the most attention, the report finds that (at least by volume) North Korea focuses mostly on conducting espionage against Asian targets.

We're not convinced that the number of incidents tells us much about the relative priorities of North Korea's cyber espionage and cryptocurrency theft activities; it more likely reflects the different approaches taken to each.

The country's cyber espionage approach seems to cast a wide net, but when it comes to financial crime it seems to focus on a relatively small number of operations where it hopes for big payoffs.

Romania Is Coming to Get You, Nerds

Catalin Cimpanu at Risky Business News reports the Romanian government will hack back to disrupt foreign APT groups targeting the country. It's interesting to see a smaller country have the confidence to publicly commit to essentially the same strategy that the US, UK and other larger cyber powers have adopted in recent years.

Things Are Worse Than We Think

A new American Enterprise Institute report assembled a 20+ year dataset of cyber incidents affecting US firms and found that things are worse than we think.

More important firms, as measured in a number of different ways — such as being very profitable, having valuable intellectual property, or working with the government or defence sector — are more likely to be hurt by cyber incidents than are other firms.

Economic costs caused by cyber incidents also ripple out from directly affected firms. Overall costs to the economy are "substantially larger" than the sum of costs incurred by directly affected companies.

Firms also tend to underreport incidents. The report finds that the more scrutiny a company faces the more likely it is to report incidents, the corollary being that firms don't report if they think they can get away with it.

In sum, we don't know enough, and things are worse than we realise. Hooray!

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).

In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at three different state operations that have recently been outed and what these operations tell us about how these states are behaving.

From Risky Biz News:

Australia's National Cyber Security Coordinator: The Australian government has named its inaugural National Cyber Security Coordinator. Air Marshal Darren Goldie will lead the government's national cyber security policy and coordinate responses to major cyber incidents. He was named to a new position established in February this year by the Australian government in response to the Optus and Medibank incidents last year.

Russia goes after web hosts: Russian telecommunications watchdog Roskomnadzor has ordered 12 foreign web hosting companies to open offices in Russia or risk fines or even having access to their infrastructure blocked. The list includes the world's largest web and cloud hosting companies, such as AWS, DigitalOcean, GoDaddy, HostGator, DreamHost, Bluehost, Hetzner, WPEngine, Network Solutions, Ionos, FastComet, and Kamatera.

This is all about giving the Russian government more leverage over these companies by both physically placing them in Russian jurisdiction and also raising the possibility of arresting local staff aka "hostage-taking".

LetMeSpy hack: Polish stalkerware company LetMeSpy has been hacked, and its data published online. The company makes an Android app that can be side-loaded on modern smartphones to track calls, SMS messages, and the phone's location and movement. The incident exposed information on all LetMeSpy customers, such as names and email addresses. It also exposed the data each customer had collected from infected devices. The contents of the dumped SMS messages reveal the typical spying in abusive relationships, but also drug trades and credentials for various online accounts. Based on the leaked data, the company had more than 26,000 paying customers. [Additional coverage in Niebezpiecznik/English coverage in TechCrunch]