Overnight Cybersecurity

Hillicon Valley: Lawmakers zero in on Twitter after massive hack | US, UK, Canada allege Russian hackers targeted COVID-19 vaccine researchers | Top EU court rules data transfer deal with the US is illegal

Welcome to Hillicon Valley, The Hill’s newsletter detailing all you need to know about the tech and cyber news from Capitol Hill to Silicon Valley.

Welcome! Follow our cyber reporter, Maggie Miller (@magmill95), and tech reporter, Chris Mills Rodrigo (@chrisismills), for more coverage.

TWITTER FACES THE MUSIC: The sweeping hack of verified Twitter accounts Wednesday night was one of the largest security lapses in the platform’s history and led to thousands of users being partially locked out for hours.

But the social media giant, and its users, may have gotten off easy. 

Now lawmakers and top officials are mulling how to ensure Twitter is not hacked by groups with more malicious intentions and how to protect other potential cyber targets from the same fate. The conversation has taken on a particular urgency as geopolitical tensions increase during the COVID-19 pandemic with only months left until a presidential election.

“This hack bodes ill for November balloting,” Sen. Richard Blumenthal (D-Conn.), a member of the tech-focused Senate Commerce Committee, said in a statement Thursday.

“Count this incident as a near miss or shot across the bow,” he added. “It could have been much worse with different targets. So many security red flags are raised by this criminal attack that the culprits should be tracked down as quickly as possible.”

The hacking incident occurred Wednesday night, when accounts of verified Twitter users including former President Barack Obama, former Vice President Joe Biden, Amazon CEO Jeff Bezos, Tesla CEO Elon Musk, and Microsoft co-founder Bill Gates tweeted out messages asking followers to send them money in the form of bitcoin.  

The posts, which were quickly taken down by Twitter, gave an address to a bitcoin wallet, and promised to double any amount sent. The individuals behind the attack quickly raised the equivalent of more than $115,000. 

In response, Twitter temporarily restricted the use of verified accounts as it began its investigation into the incident. In at least one troubling case involving the National Weather Service, this decision prevented critical safety information from reaching the community for hours.

Committees ask for briefings: Both Senate Commerce Committee Chairman Roger Wicker (R-Miss.) and House Oversight and Reform Committee ranking member James Comer (R-Ky.) sent Twitter letters asking the company to brief the panels on the hacking incident, with Wicker writing it was “of great concern” to his committee.  

Spokespersons for Sens. Ron Johnson (R-Wis.) and Gary Peters (D-Mich.), the leaders of the Senate Homeland Security and Governmental Affairs Committee, told The Hill that committee staff were also “requesting a bipartisan staff-level briefing to understand how this happened and what we can do to prevent it from happening in the future.”

FBI ON THE CASE: The FBI has initiated an inquiry into the hacking of several prominent Twitter accounts in what appeared to be a bitcoin scam, the agency confirmed to The Hill on Thursday.

“The FBI is investigating the incident involving several Twitter accounts belonging to high profile individuals that occurred on July 15, 2020,” the bureau’s San Francisco division said in a statement. “At this time, the accounts appear to have been compromised in order to perpetuate cryptocurrency fraud.”

RUSSIA ALLEGEDLY HACKING COVID-19 RESEARCH: The U.S., Great Britain and Canada are alleging that Russia is attempting to steal information about a coronavirus vaccine from researchers and organizations in the three countries through cyberattacks.

The three allied countries allege that the hacking group known as APT29, or “Cozy Bear,” which is largely believed to operate as part of Russia’s security services, is conducting an “ongoing” cyber campaign to steal intellectual property about a possible COVID-19 vaccine.

“Russian cyber actors are targeting organisations involved in coronavirus vaccine development, UK security officials have revealed,” the United Kingdom’s National Cyber Security Centre (NCSC) said Thursday in an online post.

The NCSC said this assessment was made along with partners at the Department of Homeland Security and National Security Agency (NSA), as well as Canadian intelligence.

NSA Cybersecurity Director Anne Neuberger warned about APT29’s efforts and called for those being targeted to take the threat “seriously” and to take mitigation measures.

“The National Security Agency (NSA), along with our partners, remains steadfast in its commitment to protecting national security by collectively issuing this critical cybersecurity advisory as foreign actors continue to take advantage of the ongoing COVID-19 pandemic,” Neuberger said in a statement.

“APT29 has a long history of targeting governmental, diplomatic, think-tank, healthcare and energy organizations for intelligence gain so we encourage everyone to take this threat seriously and apply the mitigations issued in the advisory.”

British Foreign Secretary Dominic Raab, meanwhile, said in a statement that it is “completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic.”

“While others pursue their selfish interests with reckless behaviour, the UK and its allies are getting on with the hard work of finding a vaccine and protecting global health. The UK will continue to counter those conducting such cyber attacks, and work with our allies to hold perpetrators to account,” he continued.

According to the NCSC, APT29 has targeted research and development organizations in the U.K., U.S. and Canada using a variety of tools, including spear-phishing techniques and custom malware known as “WellMess” and “WellMail” to help in their hacking attempts.

The center warns that the targets include government, the health care sector, energy sector, think tanks and others. 

The NCSC said that APT29 “almost certainly” is part of Russian Intelligence Services, with Raab’s office putting the confidence level of the link at 95 percent.  

EU COURT INVALIDATES PRIVACY SHIELD: The European Union’s top court has ruled that a data transfer deal between EU nations and the United States is invalid because of concerns about America’s surveillance practices. 

The court wrote in a press release announcing the decision that U.S. “limitations on the protection” of personal data transferred from the E.U. “are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under E.U. law.”

The decision effectively blocks the privileged access to personal data from Europe that many U.S. companies, including tech giants like Facebook, received thanks to an agreement reached in 2016, according to Reuters. The ruling cannot be appealed.

The agreement, known as the EU-US Privacy Shield, was set up in 2016 to create a framework that protected personal data when it was transferred to U.S. companies for commercial use. Invalidating the framework could impact some 5,000 businesses that had signed on to the agreement.

The Court of Justice of the EU reached the ruling due to worries that the U.S. could demand access to user data on national security grounds. 

The Associated Press noted that the court’s ruling could force regulators to evaluate transatlantic data transfers to ensure Europeans’ personal data is protected according to EU standards. 

“It is clear that the U.S. will have to seriously change their surveillance laws, if U.S. companies want to continue to play a major role on the EU market,” Max Schrems, an Austrian activist whose concerns about Facebook’s handling of data helped spur the case, told the AP. 

Commerce Secretary Wilbur Ross told Reuters that the Trump administration would remain in contact with the European Commission about the effects of the ruling.

“While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield, we are still studying the decision to fully understand its practical impacts,” Ross said.

The EU court’s decision zeroed in on fears over how personal data is being stored, which has become a chief concern of many governments around the world. 

While the court invalidated the transatlantic agreement, it upheld a data transfer mechanism known as standard contractual clauses. The clauses are used by many companies to transfer Europeans’ data around the world for services like cloud infrastructure and data hosting. 

CYBER CZAR: Bipartisan calls to put in place a national cybersecurity director in the White House are gaining steam on Capitol Hill two years after a similar position was eliminated. 

The support comes after months of increasing cyberattacks against everything from hospitals to research groups to federal agencies during the COVID-19 pandemic, and as lawmakers look to bolster federal cybersecurity as more Americans move online. 

In the latest high-profile incident, several prominent Twitter accounts, including those of former Vice President Joe Biden and former President Obama, were compromised Wednesday in what appeared to be a bitcoin scam.

The push also comes ahead of the elections in November as the country continues to deal with the fallout from Russian meddling in 2016, which included hacking emails from Democratic nominee Hillary Clinton’s campaign.

“A national cyber director would better protect the country in cyberspace, and we must make sure we are prepared for and can respond effectively to cybersecurity incidents of national consequence,” Rep. Jim Langevin (D-R.I.) told The Hill on Wednesday.

Langevin is among a group of bipartisan House members who introduced legislation last month to create a Senate-confirmed position of national cybersecurity director at the White House. The director would serve as the president’s advisor on cybersecurity and other emerging technology issues, and the official would work to coordinate cybersecurity issues between agencies.

The position of White House cybersecurity coordinator, previously held by Rob Joyce, was cut in 2018 by former national security adviser John Bolton in an effort to decrease bureaucracy after the position was first created under Obama.

The decision led to bipartisan pushback on Capitol Hill, with members of Congress expressing extreme concern over the lack of a central figure to coordinate federal cybersecurity priorities.

The push to reestablish the position comes as cybersecurity concerns have intensified. The 2019 Worldwide Threat Assessment compiled by former Director of National Intelligence Daniel Coats listed cybersecurity as the top global threat, noting that every U.S. foreign adversary would likely seek to undermine American policies through cyberattacks and influence operations.

Congress is considering reinstating the position with greater authority to ensure federal coordination in responding to a similarly disruptive nationwide cyberattack.

FCC DESIGNATES 988 AS SUICIDE LINE: The Federal Communications Commission (FCC) unanimously voted Thursday to finalize 988 as the new number for Americans to call to reach the National Suicide Prevention Lifeline.

The rule approved by the commissioners will require all phone service providers to direct 988 calls to the line by July 16, 2022.

In the interim, Americans seeking help should continue to call 1-800-273-TALK.

“Establishing the easy-to-remember 988 as the ‘911’ for suicide prevention and mental health services will make it easier for Americans in crisis to access the help they need and decrease the stigma surrounding suicide and mental health issues,” the FCC said in a statement.

The suicide rate in the U.S. has been climbing for decades, ranking as the 10th leading cause of death since 2018.

CRITICAL PATCH: The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued a directive requiring all federal agencies to patch a major vulnerability in Microsoft Windows Server within the next 24 hours.

CISA Director Christopher Krebs wrote in a blog post announcing the emergency directive that while the agency had not seen any evidence of the vulnerability being exploited, the vulnerability, if not patched, could allow a remote attacker to take control of a system. 

“Due to the wide prevalence of Windows Server in civilian Executive Branch agencies, I’ve determined that immediate action is necessary, and federal departments and agencies need to take this remote code execution vulnerability in Windows Server’s Domain Name System particularly seriously,” Krebs wrote. 

Microsoft released a patch for the “wormable” vulnerability on Tuesday, warning that the vulnerability could potentially spread dangerous malware between computers.

“While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible,” Mechele Gruhn, principal security PM manager at the Microsoft Security Response Center, wrote in a blog post. 

Agencies have until Friday afternoon to ensure the security update is applied to all Windows Servers, and until July 24 to put in place new technical and management controls and to submit a report to CISA detailing the patch completion. 

Lighter click: Fauci really making his case as America’s grandpa

An op-ed to chew on: Why America needs a national innovation plan right now

NOTABLE LINKS FROM AROUND THE WEB: 

Hackers Convinced Twitter Employee to Help Them Hijack Accounts (Motherboard / Joseph Cox)

TikTok Enlists Army of Lobbyists as Suspicions Over China Ties Grow (New York Times / Cecilia Kang, Lara Jakes, Ana Swanson and David McCabe)

GOPers Are Trying to Recruit QAnon Voters And Using This YouTube Show to Do It (Daily Beast / Will Sommer)

Silicon Valley, Clubhouse, and the cult of VC victimhood (Verge / Zoe Schiffer and Megan Farokhmanesh)