Threat Intelligence Blog

Posted November 9, 2017

This weekly brief rounds up recent threat intelligence news to provide insight into current threats facing various industries.


“The hackers who disrupted the U.S. presidential election last year had ambitions that stretched across the globe, targeting the emails of Ukrainian officers, Russian opposition figures, U.S. defense contractors and thousands of others of interest to the Kremlin, according to a previously unpublished digital hit list compiled by cybersecurity firm Secureworks and obtained by The Associated Press.

In the United States, Fancy Bear (it accidentally exposed part of its phishing operation to the internet) tried to pry open at least 573 inboxes belonging to those in the top echelons of the country’s diplomatic and security services: then-Secretary of State John Kerry, former Secretary of State Colin Powell, then-NATO Supreme Commander, U.S. Air Force Gen. Philip Breedlove, and one of his predecessors, U.S. Army Gen. Wesley Clark.

The list skewed toward workers for defense contractors such as Boeing, Raytheon and Lockheed Martin or senior intelligence figures, prominent Russia watchers and Democrats. More than 130 party workers, campaign staffers and supporters of the party were targeted, including Podesta and other members of Clinton’s inner circle.”

Associated Press


“The U.S. government issued a rare public warning that sophisticated hackers are targeting energy and industrial firms, the latest sign that cyber attacks present an increasing threat to the power industry and other public infrastructure.

The Department of Homeland Security and Federal Bureau of Investigation warned in a report distributed by email late on Friday that the nuclear, energy, aviation, water and critical manufacturing industries have been targeted along with government entities in attacks dating back to at least May.

The agencies warned that hackers had succeeded in compromising some targeted networks, but did not identify specific victims or describe any cases of sabotage.

The objective of the attackers is to compromise organizational networks with malicious emails and tainted websites to obtain credentials for accessing computer networks of their targets, the report said.

The report said that hackers have succeeded in infiltrating some targets, including at least one energy generator, and conducting reconnaissance on their networks. It was accompanied by six technical documents describing malware used in the attacks.”

Reuters

Information Security

“A Chinese hacking operation is back with new malware attack techniques and has switched its focus to conducting espionage on western corporations, having previously targeted organizations and individuals in Taiwan, Tibet, and the Philippines.

Dubbed KeyBoy, the advanced persistent threat actor has been operating out of China since at least 2013 and in that time, has mainly focused its campaigns against targets in the South-East Asia region.

But now the group has reemerged and is targeting western organizations with malware which allows them to secretly perform malicious activities on infected computers. These include taking screenshots, key-logging, browsing and downloading files, gathering extended system information, and shutting down the infected machine.”


Insurance + Healthcare

“The protected health information (PHI) of 932 members of the Texas Children’s Health Plan has been discovered to have been emailed to the personal email account of a former employee.

The incident was discovered on September 21 but the former employee emailed the data late last year. The emails were discovered during a routine review.

Texas Children’s Health Plan responded to the breach promptly and took action to mitigate risk. While the reason for the PHI being emailed to the personal email account has not been disclosed, the breach report uploaded to the insurance plan website explains no evidence has been uncovered to suggest any plan member information has been used inappropriately.

However, the incident has been reported to law enforcement. The types of data included in the emails varied for each patient, but typically included: names, telephone numbers, addresses, dates of birth, Medicaid numbers, and waiver types. This type of incident is relatively common, and several HIPAA-covered entities have discovered similar incidents in recent months.”

HIPAA Journal

