The U.S. Federal Communications Commission (FCC) today levied fines totaling nearly $200 million against the four major carriers — including AT&T, Sprint, T-Mobile and Verizon — for illegally sharing access to customers’ location information without consent.
The fines mark the culmination of a more than four-year investigation into the actions of the major carriers. In February 2020, the FCC put all four wireless providers on notice that their practices of sharing access to customer location data were likely violating the law.
The FCC said it found the carriers each sold access to its customers’ location information to ‘aggregators,’ who then resold access to the information to third-party location-based service providers.
“In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained,” an FCC statement on the action reads. “This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access.”
The FCC’s findings against AT&T, for example, show that AT&T sold customer location data directly or indirectly to at least 88 third-party entities. The FCC found Verizon sold access to customer location data (indirectly or directly) to 67 third-party entities. Location data for Sprint customers found its way to 86 third-party entities, and to 75 third-parties in the case of T-Mobile customers.
The commission said it took action after Sen. Ron Wyden (D-Ore.) sent a letter to the FCC detailing how a company called Securus Technologies had been selling location data on customers of virtually any major mobile provider to law enforcement officials.
That same month, KrebsOnSecurity broke the news that LocationSmart — a data aggregation firm working with the major wireless carriers — had a free, unsecured demo of its service online that anyone could abuse to find the near-exact location of virtually any mobile phone in North America.
The carriers promised to “wind down” location data sharing agreements with third-party companies. But in 2019, reporting at Vice.com showed that little had changed, detailing how reporters were able to locate a test phone after paying $300 to a bounty hunter who simply bought the data through a little-known third-party service.
Sen. Wyden said no one who signed up for a cell plan thought they were giving permission for their phone company to sell a detailed record of their movements to anyone with a credit card.
“I applaud the FCC for following through on my investigation and holding these companies accountable for putting customers’ lives and privacy at risk,” Wyden said in a statement today.
The FCC fined Sprint and T-Mobile $12 million and $80 million respectively. AT&T was fined more than $57 million, while Verizon received a $47 million penalty. Still, these fines represent a tiny fraction of each carrier’s annual revenues. For example, $47 million is less than one percent of Verizon’s total wireless service revenue in 2023, which was nearly $77 billion.
The fine amounts vary because they were calculated based in part on the number of days that the carriers continued sharing customer location data after being notified that doing so was illegal (the agency also considered the number of active third-party location data sharing agreements). The FCC notes that AT&T and Verizon each took more than 320 days from the publication of the Times story to wind down their data sharing agreements; T-Mobile took 275 days; Sprint kept sharing customer location data for 386 days.
Update, 6:25 p.m. ET: Clarified that the FCC launched its investigation at the request of Sen. Wyden.
https://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpg00Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2024-04-30 09:46:502024-04-30 09:46:51FCC Fines Major U.S. Wireless Carriers for Selling Customer Location Data
A 26-year-old Finnish man was sentenced to more than six years in prison today after being convicted of hacking into an online psychotherapy clinic, leaking tens of thousands of patient therapy records, and attempting to extort the clinic and patients.
On October 21, 2020, the Vastaamo Psychotherapy Center in Finland became the target of blackmail when a tormentor identified as “ransom_man” demanded payment of 40 bitcoins (~450,000 euros at the time) in return for a promise not to publish highly sensitive therapy session notes Vastaamo had exposed online.
Ransom_man announced on the dark web that he would start publishing 100 patient profiles every 24 hours. When Vastaamo declined to pay, ransom_man shifted to extorting individual patients. According to Finnish police, some 22,000 victims reported extortion attempts targeting them personally, targeted emails that threatened to publish their therapy notes online unless paid a 500 euro ransom.
Finnish prosecutors quickly zeroed in on a suspect: Julius “Zeekill” Kivimäki, a notorious criminal hacker convicted of committing tens of thousands of cybercrimes before he became an adult. After being charged with the attack in October 2022, Kivimäki fled the country. He was arrested four months later in France, hiding out under an assumed name and passport.
Antti Kurittu is a former criminal investigator who worked on an investigation involving Kivimäki’s use of the Zbot botnet, among other activities Kivimäki engaged in as a member of the hacker group Hack the Planet (HTP).
Kurittu said the prosecution had demanded at least seven years in jail, and that the sentence handed down was six years and three months. Kurittu said prosecutors knocked a few months off of Kivimäki’s sentence because he agreed to pay compensation to his victims, and that Kivimäki will remain in prison during any appeal process.
“I think the sentencing was as expected, knowing the Finnish judicial system,” Kurittu told KrebsOnSecurity. “As Kivimäki has not been sentenced to a non-suspended prison sentence during the last five years, he will be treated as a first-timer, his previous convictions notwithstanding.”
But because juvenile convictions in Finland don’t count towards determining whether somebody is a first-time offender, Kivimäki will end up serving approximately half of his sentence.
“This seems like a short sentence when taking into account the gravity of his actions and the life-altering consequences to thousands of people, but it’s almost the maximum the law allows for,” Kurittu said.
Kivimäki initially gained notoriety as a self-professed member of the Lizard Squad, a mainly low-skilled hacker group that specialized in DDoS attacks. But American and Finnish investigators say Kivimäki’s involvement in cybercrime dates back to at least 2008, when he was introduced to a founding member of what would soon become HTP.
Finnish police said Kivimäki also used the nicknames “Ryan”, “RyanC” and “Ryan Cleary” (Ryan Cleary was actually a member of a rival hacker group — LulzSec — who was sentenced to prison for hacking).
Kivimäki and other HTP members were involved in mass-compromising web servers using known vulnerabilities, and by 2012 Kivimäki’s alias Ryan Cleary was selling access to those servers in the form of a DDoS-for-hire service. Kivimäki was 15 years old at the time.
In 2013, investigators going through devices seized from Kivimäki found computer code that had been used to crack more than 60,000 web servers using a previously unknown vulnerability in Adobe’s ColdFusion software. KrebsOnSecurity detailed the work of HTP in September 2013, after the group compromised servers inside data brokers LexisNexis, Kroll, and Dun & Bradstreet.
As KrebsOnSecurity reported at the time, this small ColdFusion botnet of data broker servers was being controlled by the same cybercriminals who’d assumed control over SSNDOB, which operated one of the underground’s most reliable services for obtaining Social Security Number, dates of birth and credit file information on U.S. residents.
Kivimäki was responsible for making an August 2014 bomb threat against former Sony Online Entertainment President John Smedley that grounded an American Airlines plane. Kivimäki also was involved in calling in multiple fake bomb threats and “swatting” incidents — reporting fake hostage situations at an address to prompt a heavily armed police response to that location.
Ville Tapio, the former CEO of Vastaamo, was fired and also prosecuted following the breach. Ransom_man bragged about Vastaamo’s sloppy security, noting the company had used the laughably weak username and password “root/root” to protect sensitive patient records.
Investigators later found Vastaamo had originally been hacked in 2018 and again in 2019, but that Tapio never told anyone about the intrusions until ransom_man began his extortion spree. In April 2023, a Finnish court handed down a three-month sentence for Tapio, but that sentence was suspended because he had no previous criminal record.
https://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpg00Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2024-04-30 09:46:442024-04-30 09:46:49Man Who Mass-Extorted Psychotherapy Patients Gets Six Years
This week, we boost our view into orbit and dive into the intersection of cybersecurity and geopolitical risk facing the rapidly expanding space economy.
Please subscribe to read future issues — and forward this newsletter to interested colleagues.
Insight Focus: Commercial Industry in Contested “Space”
In early April, the United States Space Force (USSF) released their first Commercial Space Strategy, embarking on a major shift in its approach to space operations, one that recognizes the pivotal role of the private sector in driving innovation. This USSF move to integrate commercial space solutions into “hybrid architectures” will raise critical issues of “dual-use capabilities” facing cyber and counterspace threats from China and Russia across peacetime, crisis, and conflict.
This strategic shift is not just about leveraging commercial space capabilities, but also about managing the inherent cyber and interdependent risks that come with relying on private sector systems. The specter of cyberattacks on commercial space systems, with the potential for cascading impacts on military operations and the broader economy, looms large in this equation, even as the space economy is projected to reach $1.8T in value in the next 10 years.
Rapid innovations like SpaceX’s Starlink and Starshield, and other advanced orbital systems servicing an emerging commercial space economy present a double-edged sword for the USSF:
Opportunities to enhance capabilities and resilience in peacetime, while
Ensuring security and interoperability in crisis or conflict.
Investments by the U.S. and China in intelligence, tactical, and strategic platforms will drive most of the state-directed activity, but commercial and scientific activity will also accelerate as more nations get into the space game. Just in the last decade, the United Arab Emirates, for example, created a space agency, put an astronaut on the International Space Station (as did Saudi Arabia), sent a probe to Mars, and is collaborating with NASA on the lunar Artemis program.
Security Implications of Dual-Use Commercial Space Capabilities
One of the most significant challenges lies in the inherent ambiguity of dual-use space tech: capabilities developed for benign purposes (e.g., on-orbit satellite rendezvous) could also be used for military operations (e.g., tactical recon in a crisis or offensive operations in conflict). This blurs the lines between commercial and military applications and creates legal and ethical quandaries in a fast growing strategic industry mixed with large legacy government contractors and “deep tech” commercial startups desperate for product-market fit and sustainable business models.
The evolving risks in the space domain, starkly illustrated by Russia’s nuclear ASAT system and China’s growing space capabilities, underscore the paramount importance of robust Space Domain Awareness (SDA) and resilient architectures that give the U.S. warfighter an advantage in a contested environment. Chinese or Russian cyberattacks on US commercial satellites could disrupt military operations in crisis or conflict, with broad-scale and cascading commercial and economic effects on the ground.
The USSF’s approach to hardening immature startups is key, given the latter’s tight budget constraints and financial imperative to grow first, secure later. Space assets are of high value (to both their owners, customers, AND their attackers) but are deployed by businesses that require high capital investment and run on thin margins. This combination presents a real problem for DoD’s Commercial Space Strategy. This issue is of critical importance not only to firms in the space industry but also to those in cybersecurity and the vast array of businesses and sectors that depend on both – which, in today’s interconnected world, is essentially everyone.
The DoD has had ongoing challenges rolling out updated cybersecurity requirements for contractors, announcing plans for a revised “Cybersecurity Maturity Model Certification 2.0” program more than two years after it delayed an initial CMMC rule in late 2020. It may finally finalize the rule by the end of 2024 and requirements will waterfall down to all defense contractors soon after. Meanwhile, the USSF has already pushed out cybersecurity requirements that go beyond what CMMC requires, so space force contractors will have to comply with both.
Crisis and Conflict in Space
In a conflict scenario, the risk of kinetic or cyber attacks on U.S. commercial satellites is magnified. Balancing risk-sharing between USSF and the industry in peacetime is critical for resilience in war, as is the expectation setting for reciprocity, indemnification, and restitution.
In fact, the Space Force expected to begin identifying members of its newly formed Commercial Augmentation Space Reserve (CASR) by 2025 (the equivalent of DoD’s Civil Reserve Air Fleet for aviation and the Maritime Administration’s National Defense Reserve Fleet), focusing on space domain awareness, satellite communications and intelligence, surveillance and reconnaissance.
However, a critical distinction from the aviation and maritime domains is that, in the space domain, the second it’s known that a commercial platform is supporting a military mission, they become a target. Even membership of such a Reserve program will likely raise the risk profile for participating firms, given the pervasiveness of the threat environment in space. For example, PinnacleOne has advised participants in the CRAF that they are likely a target of Chinese military hacking groups tasked with executing disruptive or destructive attacks in a crisis or conflict.
The Space Force is moving quickly to embed strong contractual requirements for cybersecurity and operational reliability, but has yet to issue a formal construct for sharing relevant threat information with CASR members. Also, it is an open question if and how US Space Command (SPACECOM) would protect and defend commercial space assets if attacked.
Commercial Risk Management in Space
The USSF’s strategic principles provide a guiding framework for its peacetime efforts:
Balance
Interoperability
Resilience
Responsibility
However, significant obstacles remain in the face of near-peer competitor threats that could emerge in a crisis. The ambiguity of crisis conditions will stretch gaps in existing doctrine and operational collaboration. The lines of effort outlined in the strategy serve as important signposts in peacetime:
Transparency
Integration
Risk management
Securing the future
The true test, though, will come in addressing the counterspace and cyber capabilities of China and Russia in a conflict scenario, particularly for priority missions. This is already a challenge in terrestrial cyber operational collaboration between the public and private sectors, with issues relating to information sharing, overclassification, and tactical coordination and deconfliction.
The USSF faces a daunting challenge in leveraging commercial technologies in peacetime while managing the risks inherent in relying on private systems in a contested domain during conflict. Wargaming exercises that integrate commercial partners and red team simulations – at both the level of operational/tactical peers and government and enterprise leadership – will be vital in preparing for these eventualities.
A Strategic Shift
The shift to a model of consuming commercial solutions represents a seismic philosophical change for the USSF, given its history of using legacy primes developing cost-plus platforms “behind the Green Door” of special access program secrecy. Navigating the complexities of great power competition in peacetime while mitigating the risks of over-dependence on potentially vulnerable systems in conflict will require a delicate balancing act.
The integration of commercial solutions into hybrid architectures offers the promise of enhanced resilience in peacetime. However, it also expands the potential attack surface in a crisis or conflict scenario. The USSF’s approach to setting robust cybersecurity standards and collaborating closely with commercial partners to secure networks will be critical to managing these risks.
Ultimately, the success of the USSF Commercial Space Strategy will hinge on the ability to artfully manage the intricacies of commercial-military integration in peacetime while being prepared to counter the multi-dimensional threats posed by China and Russia in a crisis or conflict situation. The stakes could not be higher, as the outcome will have far-reaching implications for U.S. space superiority in an increasingly contested domain.
High Risk, High Reward
As the USSF navigates this uncharted territory, it will need to be agile, adaptive, and proactive in its approach. Balancing the imperatives of leveraging commercial innovation, ensuring security and resilience, and maintaining a decisive edge over near-peer competitors will require a level of strategic finesse unprecedented in the history of military space operations.
The Commercial Space Strategy represents a bold vision for the future of the USSF. Its success will depend on the ability to harness the immense potential of the private sector while mitigating the inherent risks and challenges. As the USSF embarks on this journey, it will need to be guided by a clear-eyed understanding of the strategic landscape and an unwavering commitment to maintaining U.S. space superiority in the face of an uncertain and contested future.
https://phxtechsol.com/wp-content/uploads/2024/04/Commercial-Industry-in-Contested-Space.jpg6271200Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2024-04-29 10:00:342024-04-29 10:00:39PinnacleOne ExecBrief | Commercial Industry in Contested “Space”
The Good | U.S. Govt Sends Spyware Abusers, Cybercriminals, and Crypto Launderers to Court
The U.S. government this week took three decisive actions against cyber criminals: a visa ban on thirteen spyware makers and sellers, sanctions against four Iranian nationals for their roles in recent cyberattacks, and an official charge for two cryptomixers.
Following the February announcement to set visa restrictions on commercial spyware developers and vendors, the Department of State has cracked down on the first thirteen individuals and their families. Excluding visa applications in this case effectively bans those who are linked to such operations from entering the U.S. The abuse of spyware has been a rising issue in recent years as adversaries use it to target persons of interest such as journalists, human rights advocates, academics, and government employees.
Two front companies and four individuals were sanctioned by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) for their association to cyber activities supporting the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) over the span of five years. Collectively, the identified threat actors have targeted over a dozen U.S. organizations, including the U.S. government and defense contractors through spear phishing and malware attacks, compromising over 200,000 employee accounts.
Up to $10 Million Reward & Possible Relocation
These individuals conducted malicious cyber ops against U.S. firms and government agencies on behalf of Iran’s IRGC.
If you have info on them, contact us. Your tip could be worth millions of $ and a plane ticket to somewhere new. pic.twitter.com/EjOGLXDeJl
Responsible for processing more than $2 billion in ill-got funds for various criminal enterprises over nine years, two individuals have been charged by the Department of Justice for money laundering and operating an unlicensed money-transmitting business. Their services ‘Samourai’ and ‘Ricochet’ allowed criminals to sidestep law enforcement and hinder crypto exchanges from tracking the illegal source of the funds. Such services often provide a haven for criminals who require large-scale laundering efforts and evasion from sanctions.
The Bad | Nation-State Actors Breach MITRE Research Center via Ivanti Zero-Days
MITRE Corporation disclosed a breach of their systems this week after threat actors chained two Ivanti zero-day vulnerabilities together in the attack. The breach was discovered in January when suspicious activity was found on MITRE’s unclassified prototyping network, Network Experimentation Research and Virtualization Environment (NERVE). MITRE’s research and development centers employ the nation’s leading scientists and engineers, building digital solutions for military, security, and intelligence organizations across the U.S.
After containing the incident, MITRE stated that affected parties were properly informed and relevant authorities engaged, with current efforts focused on restoring operations. Ongoing investigations show that the core network and partner systems were unaffected by the intrusion.
The threat actors compromised the non-profit’s VPNs by exploiting two Ivanti Connect Secure zero-days: an authentication bypass flaw tracked as CVE-2023-46805 (CVSS 8.2) and CVE-2024-21887 (CVSS 9.1), a command injection flaw. Together, they allowed the attacker to use session hijacking to bypass multi-factor authentication (MFA) measures and move laterally through the network’s VMware infrastructure with an administrative account. Forensics also show the actors employing a combination of webshells and backdoors to establish persistence and harvest credentials.
The breach is suspected to be the work of state-sponsored threat actors and serves as a striking reminder that even cutting edge and highly-funded organizations are not immune from cyber threats. Targets on the level of NERVE, which in this case houses invaluable information on experimental methodologies and technologies, continue to be extremely lucrative for nation-state adversaries looking to either potentially steal or sabotage sensitive resources.
MITRE has released tactics, techniques, and procedures (TTPs) related to the breach in effort to spread lessons learned within the infosec community. CISA has also shared technical details and IoCs in a recent advisory.
The Ugly | GRU-Based APT Exploits Old Windows Flaw with New GooseEgg Tool to Target Government Entities
Despite being patched back in October 2022, a Windows Print Spooler vulnerability tracked as CVE-2022-38028 (CVSS 7.8) has made its way back into headlines this week. This time weaponized by GRU-linked threat group APT28 (aka Forest Blizzard or Strontium), the flaw delivers a previously unknown custom malware dubbed ‘GooseEgg’ to perform a slew of post-compromise activities.
GooseEgg has been leveraged possibly as early as April 2019 and has now been observed in attacks targeting North American, Western European, and Ukrainian governments, non-profit organizations, educational institutions, and transportation entities.
Typically, GooseEgg is deployed with a batch script named either execute.bat and doit.bat, which triggers the executable and sets up persistence in the form of a scheduled task designed to run servtask.bat. The malware tool works by enabling the deployment of a malicious DLL (usually containing wayzgoose) capable of spawning other applications with SYSTEM-level permissions that allow attackers to perform remote code execution (RCE), backdoor installations, and lateral movement.
APT28 is often known to use publicly available exploits alongside this Windows Print Spooler flaw, including CVE-2023-23397 and the PrintNightmare vulnerabilities tracked as CVE-2021-34527 and CVE-2021-1675. Researchers note that APT28 deploys GooseEgg to enable checking exploit success, customer version identification, and privilege escalation – all in support of their main objective to steal credentials and maintain access on the compromised target.
Advanced and well-resourced threat groups like APT28 continually refine their approach, testing new and custom malware and techniques to avoid attribution. CISA has since added CVE-2022-38028 to its KEV catalog and urged federal agencies to identify any systems vulnerable to the flaw and apply the available patch.
https://phxtechsol.com/wp-content/uploads/2024/04/mitre_iocs.jpg9321376Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2024-04-26 09:32:482024-04-26 09:32:52The Good, the Bad and the Ugly in Cybersecurity – Week 17
Threat actors consistently alter and develop their schemes in order to further escalate their payoffs. In a new trend, ransomware affiliates are actively re-monetizing stolen data outside of their original RaaS agreements, especially as financial squabbles between threat actors emerge in the ransomware economy. The affiliates in such instances are starting to work with third-parties or external data leak services in order to re-extort victims who have already paid the ransom to the original attackers.
This blog post examines how affiliate attackers are embracing this new third-party extortion method, illustrated most recently by the ostensibly back-to-back cyberattacks on Change Healthcare and the emergence of services like RansomHub and Dispossessor.
ALPHV Exit Scam & Re-Extortion by RansomHub
In February 2024, a subsidiary of healthcare giant UnitedHealth Group (UHG) was forced to take down its IT systems and various services. The root of the disruption was a cyberattack by a BlackCat (aka ALPHV) affiliate on Change Healthcare, a healthcare technology platform used by the subsidiary.
Post-attack, ALPHV ransomware operators reportedly took down their data leak blog, servers, and operation negotiation sites, and failed to pay the affiliate their agreed share of the ransom.
Purportedly, Change Healthcare paid out the $22 million ransom demand, only to be targeted a second time just weeks after recovering from the initial attack. This time around, the ransomware attack was claimed by a threat actor working in conjunction with RansomHub, a new extortion group claiming to hold 4 terabytes of the victim’s sensitive data including personally identifiable information (PII) of active U.S. military personnel, patient records, and payment information.
It is believed that after ALPHV reneged on their payment, the affiliate partnered with RansomHub and re-used the data stolen from the initial attack in order to secure a pay off. At the time of writing, Change Healthcare has been removed from RansomHub’s DLS on April, 20, 2024, presumably due to payment and cooperation with the threat actors.
RansomHub RaaS
RansomHub emerged in early February 2024 with a simple data leak site (DLS). Their focus mirrors other historically well-known operations such as REvil, ALPHV, and Play with regards to their core values and overall mission statements.
RansomHub operates as a ransomware-as-a-service (RaaS), partnering with affiliates that work with a variety of ransomware families, including ALPHV and LockBit. Notably, RansomHub works with other threat actors and groups to republish and rebroadcast the availability of victim data. There are multiple, revolving Telegram groups dedicated to amplifying the reach of RansomHub’s leaks. An example of this is the “R3dd1sh_34_E4gl3_D4t4l34ks” channel (aka Reddish Eagle Dataleaks).
This development means that the data leak sites (DLSs) usually associated with a particular threat actor are no longer the only avenue of exposure for ransomware victims. Downstream amplification of these leaks is now common and generally open to all non-private Telegram or Discord groups.
Interestingly, according to RansomHub’s own “rules”, it does not allow:
Affiliates to attack entities in the Commonwealth of Independent States (CIS), Cuba, China, Romania, or North Korea,
Re-attacks for targeted companies that have already made payment, nor
Attacks against non-profit organizations.
However, given the current situation faced by Change Healthcare, the second bullet in the list above appears to be a gray area, especially if re-extorting ransomware victims constitutes an attack.
Our research indicates that multiple affiliates are now partnering with RansomHub in an effort to regain profitability following the apparent collapse of ALPHV.
Dispossessor Data Leak Blog
Dispossessor emerged in February of 2024, advertising the availability of previously-leaked data for download and potential sale. These announcements were placed across multiple forums and markets, including BreachForums and XSS.
The X account @ransomfeednews recently posted regarding this new group, presenting their findings that indicated how Dispossessor “is not ransomware, but a group of scoundrels trying to monetize (on nothing) using the claims of other groups.” The group is also active in Telegram, posting similar announcements across well-trafficked Telegram channels.
Dispossessor initially announced the renewed availability of the data from some 330 LockBit victims. This was claimed to be reposted data from previously available LockBit victims, now hosted on Dispossessor’s network and thus not subject to LockBit’s availability restrictions.
Dispossessor appears to be reposting data previously associated with other operations with examples ranging from Cl0p, Hunters International, and 8base. We are aware of at least a dozen victims listed on Dispossessor that have also been previously listed by other groups.
In addition, there are apparent links to other aggregate-style operators like Snatch.
In many cases, the Dispossessor page links to the Dispossessor-Cloud repository. One victim was originally on CL0P’s data leak site in early 2023. Dispossessor’s data is identical to that hosted in the original CL0P magnet links for this and other victims.
Rabbit Hole Data Leak Site (DLS)
A third emerging service with potential to contribute to the expansion of monetization of previously leaked victim data is Rabbit Hole DLS, first observed on March 13, 2024. In an English translation of the site’s About Page, Rabbit Hole is described as a leaks “blog for small and medium-sized teams that do not have their own website”. The site is currently promoted in forums and dark markets.
Original Postings (RU): блог для малых и средних команд у которых нет своего сайта
кроличья нора не является рансом группой, это общий блог для малых и средних команд. данный блог создан в целях оказания давления на корпорации, за счет большого количества публикаций разных команд — кроличья нора предлагает вам пристанище, где вы можете опубликовать любую утечку [гос учреждения и больницы являются исключением]
Original Postings (EN): blog for small and medium-sized teams that do not have their own website
rabbit hole is not a ransom group, it is a general blog for small to medium sized teams. this blog was created in order to put pressure on corporations, due to the large number of publications from different teams – the rabbit hole offers you a haven where you can publish any leak [government institutions and hospitals are an exception]
Once a threat actor creates a Rabbit Hole account, victim leaks can be added, updated, and managed through its web portal. Each account manages their leaks through what is referred to as a ‘cabinet’ within the Rabbit Hole blog interface.
When posting leak data, the user is able to supply information including who they are and who the victim is such as the name of the company, URL, company description, publish date/deadline, any associated images, and additional text to be included with the public leak description upon publication. The download URL for associated leaked data is also supplied via this interface.
Once all details have been provided, they are submitted to higher level owners and managers of the Rabbit Hole blog. Moderators are then responsible for the ultimate public posting of the leak. The Rabbit Hole platform, ideal for emerging cybercriminals with little to no infrastructure or resources, could easily accommodate multiple small-time actors looking to monetize the same data leaks. We continue to monitor how this site develops.
Conclusion
As larger, established threat groups fold or re-brand, we can expect to see many affiliates cut out of pending payments. Since threat actors will hold onto exfiltrated data, the likelihood of that data being used to re-extort the victims is high and will continue to grow. While it may seem like common sense not to trust threat actors to hold up their end of a deal, the infosec community may continue to witness the fallout that happens when in-fighting and disagreements happen between cybercriminals as well as threat service providers and their affiliates.
The trust model upon which these RaaS agreements are created does not scale well, as most recently highlighted by security researchers monitoring the relationships between threat actors and affiliates in the ecosystem:
“Additionally, we saw a continuation of long-tailed data exfiltration defaults by threat actors in Q1, i.e., posting of information on a leak site after payment or “hostage trading” with other groups or individuals, which adds further evidence to the file on the lack of benefits to pay for suppressing a data leak or any confidence in a criminal actor keeping their word.”
As the ransomware and extortion landscape evolves, criminals will do what they need to do to protect their investments and paydays. Since affiliates carrying out a ransomware attack hold the actual data, they have the option to go elsewhere to monetize the data to collect payment. Organizations continue to be discouraged by global law enforcement agencies from paying ransoms when dealing with a cyberattack and to file a report with the IC3, contributing to greater cyber resilience to potential attacks.
https://phxtechsol.com/wp-content/uploads/2024/04/Ransomware_Evolution_soc.jpg6271200Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2024-04-24 09:14:042024-04-24 09:14:26Ransomware Evolution | How Cheated Affiliates Are Recycling Victim Data for Profit
The head of counterintelligence for a division of the Russian Federal Security Service (FSB) was sentenced last week to nine years in a penal colony for accepting a USD $1.7 million bribe to ignore the activities of a prolific Russian cybercrime group that hacked thousands of e-commerce websites. The protection scheme was exposed in 2022 when Russian authorities arrested six members of the group, which sold millions of stolen payment cards at flashy online shops like Trump’s Dumps.
A now-defunct carding shop that sold stolen credit cards and invoked 45’s likeness and name.
As reported by The Record, a Russian court last week sentenced former FSB officer Grigory Tsaregorodtsev for taking a $1.7 million bribe from a cybercriminal group that was seeking a “roof,” a well-placed, corrupt law enforcement official who could be counted on to both disregard their illegal hacking activities and run interference with authorities in the event of their arrest.
Tsaregorodtsev was head of the counterintelligence department for a division of the FSB based in Perm, Russia. In February 2022, Russian authorities arrested six men in the Perm region accused of selling stolen payment card data. They also seized multiple carding shops run by the gang, including Ferum Shop, Sky-Fraud, and Trump’s Dumps, a popular fraud store that invoked the 45th president’s likeness and promised to “make credit card fraud great again.”
All of the domains seized in that raid were registered by an IT consulting company in Perm called Get-net LLC, which was owned in part by Artem Zaitsev — one of the six men arrested. Zaitsev reportedly was a well-known programmer whose company supplied services and leasing to the local FSB field office.
The message for Trump’s Dumps users left behind by Russian authorities that seized the domain in 2022.
Russian news sites report that Internal Affairs officials with the FSB grew suspicious when Tsaregorodtsev became a little too interested in the case following the hacking group’s arrests. The former FSB agent had reportedly assured the hackers he could have their case transferred and that they would soon be free.
But when that promised freedom didn’t materialize, four the of the defendants pulled the walls down on the scheme and brought down their own roof. The FSB arrested Tsaregorodtsev, and seized $154,000 in cash, 100 gold bars, real estate and expensive cars.
At Tsaregorodtsev’s trial, his lawyers argued that their client wasn’t guilty of bribery per se, but that he did admit to fraud because he was ultimately unable to fully perform the services for which he’d been hired.
The Russian news outlet Kommersant reports that all four of those who cooperated were released with probation or correctional labor. Zaitsev received a sentence of 3.5 years in prison, and defendant Alexander Kovalev got four years.
In 2017, KrebsOnSecurity profiled Trump’s Dumps, and found the contact address listed on the site was tied to an email address used to register more than a dozen domains that were made to look like legitimate Javascript calls many e-commerce sites routinely make to process transactions — such as “js-link[dot]su,” “js-stat[dot]su,” and “js-mod[dot]su.”
Searching on those malicious domains revealed a 2016 report from RiskIQ, which shows the domains featured prominently in a series of hacking campaigns against e-commerce websites. According to RiskIQ, the attacks targeted online stores running outdated and unpatched versions of shopping cart software from Magento, Powerfront and OpenCart.
Those shopping cart flaws allowed the crooks to install “web skimmers,” malicious Javascript used to steal credit card details and other information from payment forms on the checkout pages of vulnerable e-commerce sites. The stolen customer payment card details were then sold on sites like Trump’s Dumps and Sky-Fraud.
https://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpg00Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2024-04-23 08:38:162024-04-23 08:38:23Russian FSB Counterintelligence Chief Gets 9 Years in Cybercrime Bribery Scheme
The aviation sector continues to face a complex and evolving cybersecurity threat landscape with nation-state actors, cybercriminal groups, and hacktivists targeting critical infrastructure. Last week, the FAA issued a ground stop order on Alaska Airlines for one hour due to an “upgrade issue with flight software that calculates weight and balance.” This follows a similar hour-long nationwide ground stop last year caused by a software update at United Airlines, a network-wide outage at WestJet caused by a service provider, and a ransomware breach at Sabre.
Most concerningly, on Friday, the Department of Homeland Security (DHS) published an official notice stating that the Transportation Security Oversight Board (TSOB) has recommended to the Transportation Security Administration (TSA) that a cybersecurity emergency exists, warranting the expedited implementation of critical cyber mitigation measures through emergency regulatory authority.
The TSOB – including the Secretaries of Homeland Security, Transportation, Defense, and the Treasury, the Attorney General, the Director of National Intelligence, and a National Security Council representative — convened a meeting to review TSA’s transportation security plans for cybersecurity in the aviation sector and provide a recommendation regarding TSA’s emergency determination to issue Joint Emergency Amendment (EA) 23-01.
During the classified briefing, the TSOB was presented with sensitive security information and intelligence regarding the severe cyber threat to the aviation transportation system. The board discussed the circumstances leading to TSA’s issuance of Joint EA 23-01, which requires performance-based cybersecurity measures to prevent the disruption and degradation of critical systems. The TSOB’s recommendation endorsed the need for TSA to proceed with these critical mitigation measures on an emergency basis.
This development came in the context of a September 2023 advisory from the Cybersecurity and Infrastructure Security Agency (CISA), which identified indicators of compromise at an Aeronautical Sector organization as early as January 2023. Nation-state advanced persistent threat (APT) actors exploited vulnerabilities in a public-facing application (Zoho ManageEngine ServiceDesk Plus) and a firewall device to gain unauthorized access, establish persistence, and move laterally through the network. CISA warned that “additional APT actors were also observed exploiting CVE-2022-42475 to establish presence on the organization’s firewall device.” APT interest in critical infrastructure means that such exploitation happens on other devices and software, too, not just the Zoho product in this particular alert.
Aviation Cybersecurity Risks
Leaks of intelligence documents in 2023 from Russia indicated a specific interest in targeting operational aviation systems. Further, Chinese threat actors are known to be targeting US critical infrastructure firms (including the aviation sector) given their military doctrine that sees disrupting civilian systems as a means of deterring or coercing US political decision-makers in a time of conflict.
Participants in the USAF Civil Reserve Air Fleet should also expect to be targeted for their role supporting contingency airlift requirements for the Department of Defense, something likely to be activated in a Taiwan crisis situation.
Against this geopolitical backdrop, aviation CISOs face a complex technology and cybersecurity risk environment, resulting from:
Growing integration of new tech into legacy systems, including new connectivity interfaces and e-Enabled aircraft;
Increasing federal cyber regulations and compliance requirements;
Constrained security budgets that limit focus to catastrophic risks and compliance;
Security cultures that often silo cyber/IT from the broader organization and create obstacles to effective enterprise engagement and operational collaboration;
Tactically oriented people, processes, and tooling aimed at immediate triage, not strategic risk;
Complex global supply chains that increase upstream risk exposure; and
Increasing third-party risks from the economy-wide move to, and dependency on, cloud-enabled services and the associated shift in risk management responsibilities.
While the geopolitical threats to aviation cybersecurity grow, aviation faces the technical difficulty of defending complex legacy and modern systems. The industry must protect a uniquely broad range of vulnerable elements from its airport and online systems and data to vendor supply chains and airplane electronics. Despite all this, aviation cybersecurity’s resources and incentives lag the threat environment.
Corporate executives must recognize that the aviation industry remains at the frontlines of emerging geopolitical risk, and cybersecurity threats have the potential to cause significant operational, financial, and reputational damage. The TSOB’s recommendation and the CISA advisory underscore the urgency of the situation and the need for high-level, enterprise-wide engagement to address these risks effectively.
Investing in a comprehensive cybersecurity strategy, aligning technical and security stacks, and fostering collaboration between corporate and cybersecurity leadership is essential to mitigate the risk of a catastrophic event. As the DHS notice and CISA advisory demonstrate, the stakes are high, and failure to act decisively could result in severe consequences for the aviation industry and national security.
The aviation sector must consider modern, more expansive risk models to navigate a strategic environment at the nexus of emerging cyber and geopolitical threats. Even when the risks are clear and the gaps manifest, tight budgets and other business priorities can get in the way of building an effective security organization. This requires high-level, executive engagement across the enterprise to help leadership understand how these risks impact operational reliability, customer relations, corporate liability, shareholder value, passenger safety, and national security.
The combination of legacy IT/OT with new connectivity interfaces, sprawling third-party dependencies and digital supply chains, strained corporate balance sheets and infosec budgets, increasing regulatory mandates, highly visible industry stumbles, and aggressive nation-state threats indicate major turbulence ahead.
The Good | DoJ Indicts Cryptojacking Criminal and Botnet Operator Supporting Ransomware Actors
The DoJ doled out two indictments this week: the first announcing the arrest of Charles O. Parks III for his role in an elaborate cryptojacking scheme, the second, charging Alexander Lefterov, owner and operator of a major botnet.
Parks was charged with wire fraud, money laundering, and illegal transactions, tallying up to a maximum of 30 years in prison. According to the DoJ, the basis of Parks’ scheme was renting $3.5 million worth of cloud servers through a number of fake LLCs in order to mine nearly $1 million in cryptocurrency.
After tricking the cloud service providers (CSPs) into escalating his privileges, Parks was given access to services equipped with powerful graphics cards that were then used to mine Monero, Litecoin, and Ether. The mined funds were laundered through purchasing NFTs and converting them through traditional banks and various crypto exchanges to fund a lavish lifestyle.
Lefterov was indicted by a federal grand jury for aggravated identity theft, computer fraud, and conspiracy to commit wire fraud. Through the large-scale botnet he maintained, the Moldovan national and his associates have been linked to thousands of compromised computers across the U.S.
Using credentials harvested from the infected computers, Lefterov and his co-conspirators targeted victims’ financial accounts across banking, payment processing, and retail platforms to steal money. In tandem, Lefterov allegedly leased his botnet to other cybercriminals for ransomware distribution, later receiving a share of the profits from successful attacks.
Following both of these indictments, U.S. law enforcement reiterates their commitment to cyber defense, stating that the FBI and its partners will continue to investigate and pursue those involved in malicious activities both domestically and internationally.
The Bad | Researchers Link Russian-Based Sandworm APT to Attacks on Water Supply Systems
GRU-linked APT known as Sandworm has recently taken a behind-the-scenes approach, conducting covert attacks through various online personas and posing as hacktivist groups to mask their activities. In a new report, cybersecurity researchers identified Sandworm’s presence in at least three Telegram channels created to conduct disruptive operations and amplify pro-Russian narratives.
Sandworm has operated since 2009 under Unit 74455 of the Main Intelligence Directorate of the Russian Federation (GRU). Known to employ adaptive and diverse methods for initial access and exploit supply chain vulnerabilities, Sandworm is thought by researchers to be one of Russia’s foremost “cyber sabotage units” as well as a “formidable” threat globally.
Most recently, Sandworm has begun using online personas to execute disruptive operations and enhance the image of the GRU’s cyber capabilities. The report tracks the APT groups’ activity across three Telegram channels: XakNet Team, CyberArmyofRussia_Reborn, and Solntsepek. While most of the activity centers around targeting Ukrainian entities, one of the channels this week claimed attacks on critical water supply centers in the U.S. and Poland, and a hydroelectric facility in France. The posted videos showed fake images of attackers manipulating the controls of water suppliers in Texas.
Cyber Army of Russia claims to be targeting US water facilities
The group announced the latest campaign against the US and have provided a video showing them allegedly manipulating settings at two water supply organisations in two cities of Texas – Abernathy and Muleshoe.… pic.twitter.com/wzixXdw3Sv
While Sandworm’s focus has shifted towards espionage and influence operations, it continues to conduct disruptive attacks, targeting electoral systems, conducting intelligence gathering, stealing credentials, and retaliating against perceived adversaries. Cyber defenders continue to warn of potential interference in upcoming national elections and political events across the world, with Ukraine remaining a primary target amid ongoing conflict.
The Ugly | Suspected Nation-State Actors Exploit Zero-Day Flaw in Palo Alto Network Firewalls
Over the weekend, state-sponsored threat actors were suspected of exploiting a zero-day vulnerability in Palo Alto Networks’ PAN-OS firewall software. Though the vulnerability was quickly disclosed and patched by the Californian cybersecurity company, exploit code has since emerged this week and is already being used in attacks. Despite earlier mitigations provided during initial discovery, Palo Alto Networks is now urging users to upgrade their software immediately as the most reliable solution.
Tracked as CVE-2024-3400, the maximum severity flaw enables unauthenticated remote code execution (RCE) via command injection in low-complexity attacks that do not require user interaction. It affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect, both gateway or portal. Palo Alto Networks’ advisory confirms that Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
Researchers that initially detected the flaw found that the threat actor was focused on exporting configuration data from compromised devices before leveraging them to move laterally into victim organizations. Noting the level of tradecraft and speed of the attacks, the report suggests that the threat actor is highly capable with a clear playbook – indications of a state-backed attack. Along with warnings to secure vulnerable devices, CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog.
Internet-connected network devices are often running on outdated, unpatched firmware which makes them vulnerable to exploitation. This, along with the key role they play in network infrastructure, means such devices are considered low-hanging fruit to attackers looking for a way in. To mitigate risks, companies should prioritize regular patches, enforce robust access controls, and practice network segmentation to safeguard their networks against intrusion.
https://phxtechsol.com/wp-content/uploads/2024/04/Alexander_Lefterov.jpg13021630Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2024-04-20 08:32:042024-04-20 08:32:11The Good, the Bad and the Ugly in Cybersecurity – Week 16
In an expanding collaboration between Chubb, one of the largest publicly traded property and casualty insurance companies, and SentinelOne, a cybersecurity leader, clients of SentinelOne who are also Chubb policyholders can now share their enterprise cyber health assessment data with Chubb. This facilitates a more efficient and precise underwriting process.
With the increasing emphasis on cybersecurity investment, insurance carriers are seeking greater transparency into their insureds’ cybersecurity health. The collaboration not only offers policyholders streamlined access to SentinelOne’s cybersecurity solutions, but also enhances transparency into policyholders’ cyber health investments through SentinelOne’s Vital Signs Report.
This post captures a Q&A between Craig Guiliano, SVP of Threat Intelligence and Policyholder Services at Chubb, and Bridget Mead, Senior Manager of IR Cyber Risk at SentinelOne, as they address some frequently asked questions about the Vital Signs Report.
Q: What is the Vital Signs Report?
Chubb/Guiliano: The Vital Signs Report (VSR) is an assessment of our policyholders’ cybersecurity posture. This report is going to be a game changer for not only how we, as the carrier, assess our individual policyholder’s cybersecurity health, but for our ability to assess our portfolio exposure as one of the world’s largest insurance companies. Our underwriters are quickly moving away from checkboxes on a questionnaire and moving towards data-driven policy renewal decisions.
SentinelOne/Mead:The VSR is based on a collection of internal signals that we mapped to the Center for Internet Security’s (CIS) Critical Security Controls (CIS Controls) CIS18 framework. We make the report available to all SentinelOne clients at no charge. It displays the strength of a client’s digital environment in areas important to cyber security and the cyber insurance underwriting process. The graphic below shows the major categories included.
Q: How do clients access this report?
SentinelOne/Mead: We’ve made it easy for Chubb policyholders to share this report with Chubb. It’s just a few clicks away. Clients can access the VSR report by going to the Singularity Marketplace page and selecting the Cyber Insurance menu item. From the Cyber Insurance menu, they can select Chubb and consent to the sharing via an End-User License Agreement (EULA). Chubb will be notified on their end that the report has been shared.
Chubb/Guiliano: Once we receive the VSR on our end, our policyholders will be able to view the report with their insurance brokers and Chubb underwriters. We’re expecting more transparent and robust conversations around loss control strategies with our policyholders that share this data with us. In addition, participating policyholders may enjoy incentivized policy pricing, subject to applicable insurance laws and regulations, and more efficient underwriting.
Q: What happens after the SentinelOne client clicks through the EULA?
SentinelOne/Mead: From a technical perspective, once the SentinelOne client does the EULA click through, the VSR examines the client’s SentinelOne console, collects the appropriate data signals, and populates the report.
Chubb/Guiliano: The VSR will be available to view by Chubb in near real-time, allowing efficient and timely feedback to policyholders, brokers, and underwriters. Chubb and SentinelOne have also worked to minimize the sensitivity of the data being shared with Chubb. We omit any sensitive information, including IP addresses associated with identified vulnerabilities.
Q: How can the VSR help organizations with risk transfer?
Chubb/Guiliano: Traditionally, our underwriters use a series of questions and attack surface information to evaluate a policyholder’s risk. They might also pull historical data from claims that the policyholder has submitted. However, this kind of risk assessment doesn’t give us the full picture and could include false positives. The VSR provides a clearer and more accurate and efficient mechanism for our policyholder’s Security Teams to communicate information and controls to our underwriting teams.
The report will reduce the time and overhead that our policyholder’s spend. Additionally, it gives the policyholder a chance to think critically about their cybersecurity through access to Chubb’s expertise on risk of loss indicators, such as known vulnerabilities and common attack vectors – expertise that is based on 20+ years of actual loss data.
SentinelOne/Mead: The VSR helps organizations with their risk transfer by bringing visibility to their telemetry. SentinelOne has configured and crafted the VSR to identify vulnerabilities, configurations, and asset management controls with Chubb’s review to help policyholders proactively identify exposures. The information provided by the VSR will enable the policyholders to remedy elements that may need improvement, enhance their cybersecurity posture, and ultimately lower risk profiles. The VSR allows policyholders to discuss renewals more confidently with Chubb and brings more transparency to those conversations.
Q: What benefits may accrue from participating in the VSR Program?
SentinelOne/Mead: From a technical perspective, the VSR is an accurate and efficient way to assess a company’s cyber security posture. Current SentinelOne clients can look at the VSR and craft clear action items to enhance their use of our tools.
Chubb/Guiliano: Any benefit to our policyholder’s risk profile is a benefit to Chubb at-large and we’re eager to see our policyholders develop greater insight into their cyber risk profile and thus gain more informed negotiating power within the cyber insurance marketplace and possible premium savings.
Learn More
On May 2, 2024 at 1:00PM ET, join SentinelOne, Chubb, Aon, and CyberAcuView for a webinar discussion on data-driven underwriting. Panelists will discuss how data has transformed underwriting and insurability assessments as businesses work with their carriers and brokers to improve their risk profiles.
Data Sharing in Cyber Insurance
Having the right telemetry streamlines underwriting and renewals, leading to benefits for the policyholders.
Chubb Disclosure: Chubb is the marketing name used to refer to subsidiaries of Chubb Limited providing insurance and related services. For a list of these subsidiaries, please visit our website at www.chubb.com. Insurance provided by ACE American Insurance Company and its U.S. based Chubb underwriting company affiliates. All products may not be available in all states. This material contains product summaries only. Coverage is subject to the language of the policies as actually issued. Surplus lines insurance sold only through licensed surplus lines producers. The material presented herein is advisory in nature and is offered as a resource to be used together with your professional insurance advisors in maintaining a loss prevention program. It is not intended as a substitute for legal, insurance, or other professional advice, but rather is presented for general information only. You should consult knowledgeable legal counsel or other knowledgeable experts as to any legal or technical questions you may have. Chubb, 202 Hall’s Mill Road, Whitehouse Station, NJ 08889-1600
https://phxtechsol.com/wp-content/uploads/2024/04/Chubbs-Insight-via-SentinelOne-Telemetry.jpg6271200Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2024-04-17 08:01:492024-04-17 08:01:54Insuring Cyber Health | Chubb’s Insight via SentinelOne Telemetry
Insight Focus | Navigating International Conflict and Escalation Dynamics
Summary of Recent Events
Conflict between Israel and Iran simmered for decades before the most recent spike in tensions. The proximate cause for Iran’s assault on Israel this weekend was the result of that country violating well-established norms. Israel bombed an Iranian diplomatic facility adjacent to the main embassy in Syria killing senior Iranian generals. Embassies and their compounds are considered the sovereign land of the country that they represent – in the U.S., law enforcement agencies (like local police) are prohibited from stepping foot within their walls.
Israel’s decision to strike (without prior notice to the U.S.) Iran’s diplomatic facilities in Syria to kill multiple important Iranian military officers crossed that established red line. In response, Iran crossed a line in its relationship with Israel not seen in the last four decades. Missiles and swarms of drones from Iraq, Yemen, Syria, and Iran attacked Israel over the weekend.
The Iranian attack echoes the combined drone, cruise missile, and ballistic missile barrages that Russia uses against Ukraine. The attack even used the same Iranian drones and missiles. An Israeli military spokesman reported that the weekend attack involved more than 170 drones, 30 cruise missiles, and at least 110 ballistic missiles.
However, U.S. officials reported that about half of these ballistic missiles were successfully intercepted (by combined U.S., Israeli, French, British, and even Jordanian systems), and most of the remaining failed to launch or crashed – only a handful reached their targets, causing mostly cosmetic damage to Israeli military bases. This failure may be attributed to a combination of joint air defense systems, which were prepositioned in theater given strong intelligence on the telegraphed Iranian attack.
While a bit of a sideshow, the night of the attack an Iranian affiliated hacking group known as the “CyberAv3ngers” claimed to have disrupted power infrastructure in Tel Aviv. While this was quickly disputed and no evidence of such a disruption materialized, a number of high profile accounts on X amplified the claims, which served to inject uncertainty into the already unsettled information environment.
It should be noted that the U.S. and Israeli governments last year attributed to the IRGC-affiliated CyberAv3ngers persona compromises of Unitronics Vision Series programmable logic controls used in water and wastewater and other industries. While no critical infrastructure was compromised in this weekend’s attack, that shouldn’t induce false confidence that Iranian threat actors lack the intent or capability to do so in the future.
U.S. Urges Restraint
The U.S. is reportedly urging Israel to not respond in-kind and has stated that the US military would not support offensive operations against Iranian territory. Analysts point to the defensibility, and frankly – widely telegraphed response that Iran’s assault constituted – as reason to not escalate further. Iran’s attacks were aimed at Israeli government facilities, overnight and on a weekend, to minimize the potential for significant casualties. Multiple U.S. and British assets engaged incoming Iranian missiles and drones, alongside Israeli defensive equipment. On the whole, Iran’s actions could have been more damaging and more deadly. After concluding their attacks, Iran’s mission to the United Nations stated that the matter had been resolved.
Domestic Politics and Escalation Pathways
Unfortunately, domestic politics in Israel offer potential incentives for escalation. The current Prime Minister Benjamin Netanyahu is unpopular and, before the Hamas attacks that led to the current conflict, was facing mass protests, government resignations, and opposition by other political parties. Owing to ongoing legal issues and based on his past strategies to benefit politically from conflict with Hamas, the current PM may decide that escalating further with Iran is likely to extend his time in power. Opposition politicians are calling for early elections in the fall of this year as the governing coalition is falling apart.
Netanyahu has strong incentives to hold onto power as long as possible, however. He is the defendant in an ongoing, long-delayed, and widespread corruption case. The current conflict has slowed down the prosecution. Netanyahu hopes that he cannot be convicted or sentenced while he is still in office. Extending the war and escalating with Iran into protracted conflict may be in his political interest. However, as the Israeli War Cabinet meets to deliberate on a response, Netanyahu is now facing intense pressure by G7 leaders to refrain or tightly calibrate any reaction, warning publicly that it could provoke an “uncontrollable regional escalation” and likely privately threatening to withhold financial and political support.
Israeli sources told CNN that plans to conduct a ground offensive in Rafah this week are on hold pending a decision on Iran: “Among the military options that are being considered, the war cabinet is considering an attack on an Iranian facility that would send a message, but would avoid causing casualties, one Israeli official said.”
Security Posture Recommendations
There are two key scenarios enterprises need to consider: 1) de-escalation to status quo ante and 2) tit-for-tat escalation.
In the first scenario, executives should maintain a heightened state of alert, with a tight loop between risk professionals and organization leaders in the region. In particular, executives should know that staff in Israel are well-acquainted with the realities of war. Many participated in mandatory military service in their youth and some may have been recently deployed for operations in Gaza. As a result, local staff are best equipped to determine their own safety protocols.
During the coming weeks, the company should exercise work from home flexibility as requested by employees.
Non-Israeli citizens in the country should be afforded the opportunity to leave if they have not already been offered such accommodations.
The company should closely monitor Israel’s announcements and changes in diplomatic security posture.
In the second scenario, the prospects for a more intense and destructive regional conflict (e.g., involving direct and large-scale Hezbollah-IDF engagements) become a primary concern. To prepare for this, executives with staff and/or business interests in the region should:
Expect significant disruptions to their workforce (e.g., call-up, family support, loss of life) and in-country operations (e.g., cascading impacts from attacks on Israeli infrastructure).
Re-examine business continuity plans and crisis response playbooks.
Prepare for large commercial spillovers to regional trade and energy markets.
Our current assessment is that the former scenario is more likely than the latter, but prudent executives should ask their teams: What is the plan if the situation deteriorates?
https://phxtechsol.com/wp-content/uploads/2024/04/Navigating-International-Conflict-and-Escalation-Dynamics.jpg6271200Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2024-04-16 07:51:592024-04-16 07:52:03PinnacleOne ExecBrief | Navigating International Conflict and Escalation Dynamics
We may request cookies to be set on your device. We use cookies to let us know when you visit our websites, how you interact with us, to enrich your user experience, and to customize your relationship with our website.
Click on the different category headings to find out more. You can also change some of your preferences. Note that blocking some types of cookies may impact your experience on our websites and the services we are able to offer.
Essential Website Cookies
These cookies are strictly necessary to provide you with services available through our website and to use some of its features.
Because these cookies are strictly necessary to deliver the website, refusing them will have impact how our site functions. You always can block or delete cookies by changing your browser settings and force blocking all cookies on this website. But this will always prompt you to accept/refuse cookies when revisiting our site.
We fully respect if you want to refuse cookies but to avoid asking you again and again kindly allow us to store a cookie for that. You are free to opt out any time or opt in for other cookies to get a better experience. If you refuse cookies we will remove all set cookies in our domain.
We provide you with a list of stored cookies on your computer in our domain so you can check what we stored. Due to security reasons we are not able to show or modify cookies from other domains. You can check these in your browser security settings.
Google Analytics Cookies
These cookies collect information that is used either in aggregate form to help us understand how our website is being used or how effective our marketing campaigns are, or to help us customize our website and application for you in order to enhance your experience.
If you do not want that we track your visit to our site you can disable tracking in your browser here:
Other external services
We also use different external services like Google Webfonts, Google Maps, and external Video providers. Since these providers may collect personal data like your IP address we allow you to block them here. Please be aware that this might heavily reduce the functionality and appearance of our site. Changes will take effect once you reload the page.
Google Webfont Settings:
Google Map Settings:
Google reCaptcha Settings:
Vimeo and Youtube video embeds:
Other cookies
The following cookies are also needed - You can choose if you want to allow them: