Weekly podcast: Operation BugDrop, Georgia-Pacific and the DHS

This week, we discuss a large-scale cyber-reconnaissance operation, a former system administrator who caused $1 million of damage, and access problems at the US Department of Homeland Security

Hello and welcome to the IT Governance podcast for Friday, 24 February 2017. Storm Doris is blowing outside, so my apologies for any windy background noises. Here are this week’s stories.

A “large-scale cyber-reconnaissance operation” that has exfiltrated gigabytes of data from 70 victims “in a range of sectors including critical infrastructure, media, and scientific research” has been discovered by CyberX Labs. Most targets are in Ukraine, but some are in Russia, Saudi Arabia and Austria. Dubbed ‘Operation BugDrop’, the campaign uses malware that remotely controls microphones to eavesdrop on and record sensitive conversations, and captures information including “screen shots, documents and passwords”. The malware is spread via spear-phishing emails that come with Microsoft Word attachments embedded with malicious macros. As CyberX notes, this “is a well-organized operation that employs sophisticated malware and appears to be backed by an organization with substantial resources” – which suggests a state-sponsored attack. There is, however, “no forensic evidence that links BugDrop to a specific nation-state or group”, nor is there any indication that “any damage or harm has occurred from this operation” – its sole purpose appears to be intelligence-gathering.

Talking of unauthorised access to industrial systems, a former systems administrator in Baton Rouge, Louisiana, has been jailed for 34 months for “hacking into the computer system of an industrial facility to disrupt and damage its operations”, according to the United States Attorney’s Office for the Middle District of Louisiana. Brian P Johnson, 44, caused paper, packaging and building materials manufacturer Georgia-Pacific more than $1 million of damage, which he has been ordered to repay.

Johnson wasn’t an opportunistic criminal hacker, though. In fact, he didn’t actually hack the company at all. He was a disgruntled former employee of Georgia-Pacific whose access privileges weren’t removed when his employment was terminated on Valentine’s Day 2014. He simply logged in remotely “and intentionally transmitted harmful code and commands to the system”.

The lesson here is that current employees are not the only type of insider threat – anyone who has ever had legitimate access to networks or information, be they former employees or contractors, associates or clients, can cause damage, whether maliciously or unintentionally. That’s why it’s critical to control who has access to what and to ensure that access rights are revoked when employees change jobs. In short: HR and IT need to talk to each other. The best way of ensuring they do that is to implement an information security management system across the entire organisation.
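One way to make HR and IT “talk to each other” in practice is a leaver reconciliation check: compare the HR termination feed against the directory and flag accounts that are still enabled, or that have logged in, after the termination date. The following is an added example, not code from the podcast or from Georgia-Pacific; the feed format, usernames and dates are constructed for illustration.

```python
from datetime import datetime

# Constructed HR leaver feed: username -> termination date (ISO 8601). Not real data.
HR_LEAVERS = {
    "bjohnson": "2014-02-14",   # access should have ended on this date
    "asmith": "2014-01-31",
}

# Constructed directory snapshot: username -> (account enabled?, last login timestamp or None).
DIRECTORY = {
    "bjohnson": (True, "2014-02-27T22:41:00"),   # still enabled, logged in after leaving
    "asmith": (False, "2014-01-30T09:12:00"),    # correctly disabled, last login before leaving
    "cjones": (True, "2014-02-26T08:00:00"),     # current employee, not in the leaver feed
}

def reconcile(hr_leavers, directory):
    """Return {username: (severity, [issues])} for leavers whose access was not revoked.

    'high'   = a login was recorded after the termination date (access was used)
    'medium' = the account is merely still enabled (access could be used)
    Accounts absent from the directory and leavers with clean records produce no finding.
    """
    findings = {}
    for user, term in hr_leavers.items():
        if user not in directory:
            continue                      # nothing to revoke
        term_date = datetime.fromisoformat(term)
        enabled, last_login = directory[user]
        issues = []
        if enabled:
            issues.append("account still enabled after termination")
        # Any login on or after the termination day means the leaver retained usable access.
        if last_login and datetime.fromisoformat(last_login) >= term_date:
            issues.append("login recorded after termination date")
        if issues:
            severity = "high" if any("login" in i for i in issues) else "medium"
            findings[user] = (severity, issues)
    return findings

if __name__ == "__main__":
    for user, (severity, issues) in reconcile(HR_LEAVERS, DIRECTORY).items():
        print(f"{user}: {severity} - {'; '.join(issues)}")
```

Run the same check on a schedule so that a termination recorded by HR is matched against live account state within a day, not years later.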

Of course, problems can also arise when those who should have access can’t log in, as the US Department of Homeland Security discovered this week. According to Reuters, DHS “employees in the Washington area and Philadelphia were unable to access some agency computer networks” because of expired security certificates. Staff apparently started experiencing problems logging into networks on Tuesday when domain controllers – the servers that process authentication requests – “could not validate personal identity verification cards used by federal workers and contractors to access certain information systems”. A DHS spokesperson said: “We are working to track all device certificate issuance and expirations to ensure future lapses of service do not occur.”
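The DHS outage is a reminder that certificate expiry is a predictable failure, so an inventory check that classifies every device certificate as expired, expiring or fine ahead of time is the kind of tracking the spokesperson describes. This is an added example, not the DHS’s or the podcast’s code; it reads certificate records in the dictionary shape returned by Python’s `ssl.getpeercert()`, with constructed host names and dates.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory in the shape of ssl.getpeercert() records. Not real certificates.
INVENTORY = [
    {"subject": ((("commonName", "dc01.example.test"),),), "notAfter": "Feb 21 12:00:00 2017 GMT"},
    {"subject": ((("commonName", "dc02.example.test"),),), "notAfter": "Mar 10 12:00:00 2017 GMT"},
    {"subject": ((("commonName", "dc03.example.test"),),), "notAfter": "Dec 31 12:00:00 2017 GMT"},
]

def common_name(cert):
    """Pull the commonName out of the nested subject tuples ssl uses."""
    for rdn in cert["subject"]:
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"

def expiry_report(inventory, now, warn_days=30):
    """Return [(common_name, status, days_left)] with status 'expired', 'expiring' or 'ok'.

    `now` must be a timezone-aware datetime; certificates within `warn_days` of
    expiry are reported as 'expiring' so they can be renewed before they break logins.
    """
    now_ts = now.timestamp()
    report = []
    for cert in inventory:
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])   # seconds since epoch, UTC
        days_left = round((not_after - now_ts) / 86400, 1)
        if days_left < 0:
            status = "expired"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        report.append((common_name(cert), status, days_left))
    # Worst first, so the expired and soonest-expiring certificates top the list.
    return sorted(report, key=lambda row: row[2])

if __name__ == "__main__":
    for name, status, days in expiry_report(INVENTORY, datetime.now(timezone.utc)):
        print(f"{name}: {status} ({days} days)")
```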

A couple of quick updates before we end.

First, I talked about Yahoo last week, and said that Verizon was renegotiating the terms of its acquisition in the wake of data breaches that saw 1.5 billion customer records compromised. It’s now been confirmed that the price of the $4.8 billion deal has been reduced by $350 million.

Secondly, Reuters reports that the National Crime Agency has arrested a 29-year-old Briton in connection with the cyber attack that knocked around 900,000 Deutsche Telekom routers offline last year, an attack that, at the time, was ascribed to an attempted expansion of the Mirai Internet of Things botnet. According to City AM, an extradition hearing is expected to take place at Westminster Magistrates’ Court before the end of the week.

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

And don’t forget that IT Governance’s February book of the month is The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour. Drawing on the experience of industry experts and academic research, this book considers information security both from end users’ and from security professionals’ perspectives, providing valuable insight into security issues relating to human behaviour, and explaining how a security culture that puts risk into context promotes compliance. Save 10% if you order by the end of the month.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.