Newsletters

To be clear, Iran has been subject to destructive cyber attacks, but the context surrounding these attacks is very different.

Jason Brodsky, policy director at United Against Nuclear Iran told Seriously Risky Business that the Stuxnet attack was justified because the Iranian nuclear program had "advanced to such a state… beyond any plausible civilian justification". Brodsky agreed that there had been attacks on Iranian rail and fuel infrastructure in the case of the (likely) Israeli-led Predatory Sparrow campaign, "but viewing these operations in the context of the chain of attacks which triggered them is important". In other words, you reap what you sow.

"Iran has also been actively seeking to harm civilians in its cyberattacks — with the attempted operation against Boston Children's Hospital, which the FBI director called one of the most despicable he had ever seen in June 2021. That is not to mention attacks on Israel's water infrastructure which could have poisoned innocent Israelis. The cyberattacks targeting Iran do not even come close to those operations."

Philippine Airlines data breach: Philippine Airlines, the country's state-owned airline travel company, said this week that data of some of its past travelers has been stolen after a ransomware attack on Accelya, a third-party IT provider that PAL uses its frequent flyer program. PAL travelers who joined its frequent flyer program between 2015 to 2017, the company told CNN Philippines.

U-Haul data breach: Moving and rental space company U-Haul disclosed a security breach last week after the company said it found that hackers compromised a customer contract search tool and used it to access customers' names and driver's license information. This marks the company's second breach after a first one disclosed back in 2017 [PDF].

Cisco data breach: After it disclosed a security breach last month on August 10, Cisco said in an update this week that the incident was the result of "an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators." The company posted this update after the Yanluowang gang took credit for the attack and added Cisco-related data on its leak site.

The second attack not only comes after Albania cut diplomatic ties with Iran and expunged its embassy officials from the country but also after NATO and its individual members also issued stern statements condemning Iran's actions as a violation of international cyber norms since the attack also impacted civilian infrastructure.

The stern statements were also followed on Friday by economic sanctions imposed by the US Treasury against Iran's Ministry of Intelligence and Security (MOIS) and its leader Esmail Khatib, Iran's minister of intelligence, who US officials said ordered the operation.

In a statement published on Twitter, Iran's Mission to the EU accused NATO and its members of hypocrisy because they remained silent when Iran was the victim of cyberattacks against its infrastructure and nuclear facilities (most likely referring to the Predatory Sparrow and Stuxnet attacks). In addition, Iran accused NATO of harboring terrorists, referring to Albania hosting members of MEK, an Iranian political opposition party that was moved to a camp in Albania at the request of the US government after the Tehran regime proclaimed it a terrorist organization and started hunting and imprisoning its members. As Mandiant and Microsoft explained in their reports, Albania hosting MEK members was the main reason Iran carried out its July attack.

Rama gave Iranian diplomats 24 hours to close the embassy and leave the country. While the Iranian government denied being involved in the attack, NATO, the White House, and the UK government published statements in support of the Albanian government and its attribution of the attack to the Tehran regime.

The US called Iran's attack on its NATO ally a "troubling precedent" and promised to "take further action to hold Iran accountable."

But while Iranian officials might deny any involvement, the proof is in the pudding, and, in this case, the pudding is the malware used in the July 15 attack, which both Mandiant and Microsoft have linked back to multiple past instances of Iranian cyber-espionage operations and tooling.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation and founding corporate sponsor Proofpoint.

After significant community pressure, Cloudflare has dropped Kiwi Farms, a decade-old website notorious for planning and executing harassment campaigns targeting transgender and other marginalised people.

Kiwi Farms is a terrible website. NBC reporter Ben Collins has done some excellent reporting on the site, which he says "extremist researchers warned me not to cover because publicising it would be dangerous".

Is the Chinese government also trying to pay back the US for doxing some of its operators? Because they've missed the entire point, and by a mile. The US has doxed and criminally indicted Chinese APT members for engaging in theft of intellectual property from private entities, for their own profits, outside the realm of normal espionage collection activities. That IP has often been forwarded to private or state-owned Chinese companies, who later entered markets they had no business being in, with practically zero investment in R&D.

What is the Chinese government saying with these silly reports? That the US is hacking targets of legitimate military and surveillance interest? Yeah! No s***, Sherlock! That's how cyber-espionage works. It would be a dereliction of duty if the US (or the cybersecurity agency of any other country) didn't keep an eye on China, the world's largest economy that has been heavily investing in its military while also showing signs of growing aggression towards neighboring states like Taiwan and India.

If this is the best the Chinese government can do in terms of attribution and exposing foreign APTs, this says a lot about the state of its defensive cybersecurity capabilities and the health of its cybersecurity market.

IRS website snafu: The US Internal Revenue Service said on Friday that it accidentally leaked confidential information for 120,000 taxpayers who filed a form 990-T in the past. According to a data breach notification letter [PDF] obtained by the WSJ, the breach occurred due to a website error; after an XML file containing the affected taxpayers' data was left freely accessible via the IRS' official website. The file and subsequent leak were discovered by an IRS research employee.

Samsung breach: And just like any respectable company, Samsung sat on a security breach for more than a month to disclose it on the Friday right before the extended Labor Day weekend in the US. In a short message, the company said it was hacked in late July, found out about the breach on August 4, and disclosed the incident on September 2. The good news is that no SS or financial data was impacted and that hackers only took names, DOBs, and "contact and demographic information" (whatever that means). Samsung didn't say how many users were impacted.

New Desorden leaks: Hacking group Desorden Group has leaked new data last week containing information from hundreds of Indonesian and Malaysian restaurants. More than 400,000 customer records and 16,000 employee records were leaked by Desorden, according to DataBreaches.net.

Since its launch, iCloud Private Relay has been viewed as a major win for consumer privacy but has also seen criticism from major telecommunication providers.

While not a secret, very few consumers know that their ISPs are tracking their web browsing history and then reselling it to advertising companies as a secondary source of revenue.

Being blocked from seeing a user's full traffic path by something like iCloud Private Relay—when this goes live—would more than likely put quite a hole in the pockets of these companies and explains why several of them had tried to lobby EU regulators and get the technology banned even before it was going to be released. Looking at you, Vodafone, Telefonica, Orange, and T-Mobile! Some UK ISPs also pointed out that blocking CSAM content may be impossible and prevents them from blocking malicious traffic; hence Private Relay needs to go, similarly to how they opposed to the rollout of DNS-over-HTTPS a few years back.

Last week we wrote about a phishing campaign targeting Twilio that was leveraged to hijack a journalist's Signal account. The entirety of the campaign is coming into view and it has targeted, with limited success, hundreds of organisations. Brian Krebs has an excellent account of the affair.

The message is pretty clear — One Time Password-based MFA is not particularly effective any more. Cloudflare, one of the organisations targeted, was unaffected because it uses hardware security keys.

Recorded Future analyst and product manager Dmitry Smilyanets has an interview with prolific cybercriminal Mikhail Matveev (aka Wazawaka) at The Record.

Since the scandal has picked up steam in Greece, ruling officials, and especially Prime Minister Kyriakos Mitsotakis, whom Androulakis accused directly of ordering and orchestrating the surveillance operation, have been trying to downplay the incident as much as possible. Mitsotakis and his party have accused journalists Alexander Clapp and Nektaria Stamouli of working for the Greek opposition parties after they wrote scathing articles about government corruption and the degradation of press freedom in Greece in the New York Times and Politico Europe, respectively.

As of last week, Mitsotakis and his office switched to the narrative that it's actually "foreign forces are attempting to destabilize the nation" and not his government's abuse of power.

With pressure mounting from their own parliamentary investigation and the EU's newly established PEGA—a committee to investigate the use of Pegasus and equivalent surveillance spyware across Europe—the current Greek ruling regime has taken to attacking the EU itself.