Iranian Cyber-Attacks and the End of Support for Windows 7 and Windows Server 2008

After the killing of Qassem Soleimani on January 3, 2020, by the U.S. government, the cybersecurity news industry has been abuzz about whether Iran will engage in cyber terrorism, and if so, to what degree, as part of its pledge to strike back at the U.S. On January 5, Forbes reported that the first instance of Iranian cyber terrorism had taken place the day before: hackers claiming to be associated with Iran defaced the home page of the Federal Depository Library Program website. The website was quickly taken down, but what do all this chatter and a possible increase in Iranian cyber activity mean for U.S. businesses?

The general consensus across multiple cybersecurity news outlets is that while Iran certainly has the capability to execute denial-of-service, malware and phishing attacks, these types of attacks won’t garner the press response and spectacle the Iranians might desire. Notably absent from the reports I have read so far, however, is the end of security patching for Windows 7, Windows Server 2008 and Windows Server 2008 R2 by Microsoft on January 14, 2020. While most of the news reports anticipate an increase in ‘noisy’ cyber activity from Iranian and proxy hackers, there is little mention of how those hackers might exploit that end of support: any vulnerability discovered in those systems after January 14 will remain unpatched on machines that are not covered by Microsoft’s paid extended updates. Is it possible that the Iranians could leverage such a permanently unpatched vulnerability in Windows 7 or Server 2008 to achieve a disruption on a massive enough scale to garner the press attention they desire?

What is your organization doing to protect itself against such attacks? If you have not finished migrating from Windows 7 or Server 2008, Microsoft sells Extended Security Updates (ESU) for those systems for a fee; hosts that can be neither migrated nor enrolled should at least be isolated from the internet and from the rest of the network. Are you considering geofencing Iranian and other Middle Eastern nation states’ internet address space from your network? Most modern ‘nextgen’ firewalls have such capabilities, with updatable databases of each nation’s address space; keep in mind that a determined attacker can route through infrastructure in other countries, so geofencing cuts down on opportunistic noise rather than stopping a targeted intrusion. Finally, are you educating your users and alerting them to be vigilant about suspicious emails and other phishing campaigns?
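One way to find the hosts that the January 14 date affects, as an added example rather than anything from the original post: the classifier below takes the two operating-system attributes Active Directory keeps for every computer object, so it can be fed directly from Get-ADComputer. The inventory it runs on here is constructed sample data, and the host names are placeholders.

```powershell
# Added example (not from the original post). Flags computer objects whose OS
# left support on 14 January 2020: Windows 7, Windows Server 2008 and
# Windows Server 2008 R2. Accepts the Name, OperatingSystem and
# OperatingSystemVersion properties that Get-ADComputer returns.
function Test-EndOfSupportOS {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$Name,
        [Parameter(ValueFromPipelineByPropertyName)]
        [AllowNull()][string]$OperatingSystem,
        [Parameter(ValueFromPipelineByPropertyName)]
        [AllowNull()][string]$OperatingSystemVersion
    )
    process {
        # Name check: AD stores the edition string, e.g. "Windows 7 Enterprise"
        # or "Windows Server 2008 R2 Standard". "Windows 10" does not match.
        $eolByName = $OperatingSystem -match '^Windows (7|Server 2008)'

        # Version check: AD stores "major.minor (build)". 6.0 is Server 2008,
        # 6.1 is Windows 7 / Server 2008 R2. This catches objects whose
        # OperatingSystem attribute is blank or stale.
        $eolByVersion = $OperatingSystemVersion -match '^6\.(0|1)\b'

        $basis = ''
        if ($eolByName)        { $basis = 'name' }
        elseif ($eolByVersion) { $basis = 'version' }

        [pscustomobject]@{
            Name            = $Name
            OperatingSystem = $OperatingSystem
            Version         = $OperatingSystemVersion
            EndOfSupport    = [bool]($eolByName -or $eolByVersion)
            Basis           = $basis
        }
    }
}

# Constructed sample inventory standing in for Get-ADComputer output.
$inventory = @(
    [pscustomobject]@{ Name = 'WKS-014';    OperatingSystem = 'Windows 7 Enterprise';            OperatingSystemVersion = '6.1 (7601)' }
    [pscustomobject]@{ Name = 'SRV-FILE01'; OperatingSystem = 'Windows Server 2008 R2 Standard'; OperatingSystemVersion = '6.1 (7601)' }
    [pscustomobject]@{ Name = 'SRV-APP02';  OperatingSystem = $null;                             OperatingSystemVersion = '6.0 (6003)' }
    [pscustomobject]@{ Name = 'WKS-201';    OperatingSystem = 'Windows 10 Enterprise';           OperatingSystemVersion = '10.0 (18362)' }
)

# Expected: WKS-014 and SRV-FILE01 flagged by name, SRV-APP02 by version only.
$inventory | Test-EndOfSupportOS | Where-Object EndOfSupport | Format-Table -AutoSize

# Against a real domain (needs the ActiveDirectory module), replace $inventory with:
# Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate
```

Pull LastLogonDate along with the two OS attributes when you run this against a domain: objects that have not logged on in months are often decommissioned machines that were never deleted, and the live list is what needs either an ESU key or network isolation.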

States and Municipalities on High Alert for Iranian Originated Cyber-Attacks

The Department of Homeland Security (DHS) is warning critical infrastructure operators to be on high alert for Iranian-backed cyber-attacks. Because state and municipal computer systems are known to be vulnerable, they are at high risk of attack from Iranian-based hackers.

We have seen states and municipalities get hammered with ransomware in the past year. Now with the increase in the tensions between the United States and Iran, the direct threat from Iranian-backed hackers is real and imminent.

To illustrate the risk, according to Texas officials, in the past several days the state has experienced more than 10,000 probes a minute originating from Iran, attempting to intrude into state systems. (Traffic “from Iran” here means traffic from address space registered to Iran; source addresses alone do not establish who is behind it.)

Following the DHS warning, Texas increased its monitoring for cyber-attacks from Iran and has confirmed that there has been an increase in activity from Iran. The state does not believe that any of the attempts were successful, but noted the increase.

States’ and municipalities’ systems are known to be vulnerable and an easy target for hackers. Following Texas’ lead, in this time of increased tension with Iran, which is well-known for its cyber-attack capabilities, states and municipalities may consider monitoring their systems specifically for attacks from Iran, and harden their security measures to reduce the risk. In addition, warning employees about the risk of an increase in phishing campaigns and attacks through social media is being recommended by security experts.

FAA’s Proposed Rule for Drone Remote Identification

The Federal Aviation Administration (FAA) released its unmanned aircraft system (UAS or drone) remote identification Notice of Proposed Rulemaking (Proposed Rule) on December 31, 2019. This is a huge step toward the integration of drones into the national airspace and an effective unmanned traffic management system. There is a 60-day public comment period; if you have a stake in the unmanned industry, you must submit comments before February 29, 2020.

The Proposed Rule includes new operating requirements for drone operators, including a requirement to operate only UAS that meet the remote identification design and production standards set out in the Proposed Rule. These new operating requirements would apply to ALL drone operators who are currently required to register (under the small UAS rule, Part 107). Specifically, the Proposed Rule would require drone operators to transmit remote identification within three (3) years of the effective date of the final rule. The three (3) remote identification classifications proposed by the FAA include the following:

  1. Standard Remote Identification: Requires the UAS to transmit identification and location information to an FAA-contracted UAS Service Supplier (USS) and locally broadcast that information in unrestricted, unprotected Bluetooth signals. The FAA plans to leverage the Low Altitude Authorization and Notification Capability (LAANC) system that it is currently using to provide authorization for drones to fly in restricted airspace.
  2. Limited Remote Identification: Requires the UAS to transmit identification and location to an FAA-contracted USS only, but is applicable only to visual-line-of-sight operations occurring within 400 feet of the operator.
  3. No Remote Identification: Drones would not be required to transmit remote identification when operating within an FAA-Recognized Identification Area (FRIA), the designation of which can be requested by community-based organizations, such as model aircraft clubs and associations. This would be effective one (1) year after the effective date of the final rule.

Of course, a UAS operator’s compliance with this Proposed Rule depends on the availability of UAS (the devices themselves) that meet any final design and production standards. What does that mean for drone manufacturers? The FAA is also proposing to require that covered drones be manufactured in compliance with the final rule, beginning two (2) years after the effective date. The full Proposed Rule is published in the Federal Register.

Privacy Tip #221 – How Do We Personally Prepare for a Cyber-Attack on Critical Infrastructure?

Pretty much the only time I don’t feel like I am Chicken Little predicting a massive cyber-attack is when I am with my colleagues at the FBI, Secret Service, NSA and my students in the Brown Executive Masters of Cybersecurity who are members of the military. They don’t respond to my thoughts and fears of cyber-attacks with a cocked head or raised eyebrow like everyone else in my life.

I am concerned that at some point in the future, we will experience a massive cyber-attack that may affect critical infrastructure that we depend on every day. It will not be total and complete. There won’t be a large loss of lives. It will not affect us for a long period of time. But when it happens, it will be effective in disrupting our lives and causing chaos like we have never before experienced. It will be chaotic because we are completely dependent on technology. If our technology is disrupted, our lives will be in massive disorder.

This scenario became more real this week with the increased tensions between the United States and Iran. Iran has had sophisticated cyber capabilities for years and has been behind many cyber-attacks around the world. Sanctions have not had an impact on the effectiveness of Iranian-backed hackers, much the same as those imposed on North Korea.

I am not Chicken Little. The Department of Homeland Security warned this week of the heightened risk of Iranian-backed cyber-attacks on critical infrastructure in the United States. The New York Department of Financial Services (DFS) warned banks of the increased risk of an Iranian backed cyber-attack on the financial services industry. Other such attacks also could affect power, electricity, water, financial services, hospitals, chemical plants, schools, manufacturing facilities—you name it. How do we personally prepare for an attack that may affect those systems and services?

Preparing for a cyber-attack on critical infrastructure is much the same as preparing for a natural disaster in the face of Mother Nature. Think about what you would need if you were not able to have access to electricity or water, or not able to pay for things through your credit card or debit card or even get access to your online bank account. What would you need if cell service were not available? I often think of what I would have needed following Hurricane Katrina. But in a cyber-attack, you can’t get in your car and drive to another city or state to avoid the disaster.

Some things to consider in this time of increased threat from Iran and the warning from DHS and DFS would be to have on hand extra water, cash, non-perishable food, candles, a generator, prescription medication, a flashlight and other basic daily necessities that will help get you through a week or two of disruption. Just picture not having access to your online bank account, or the ability to use your credit or debit card or your cell phone. What do you need if the electricity is out? How would you survive “Naked and Afraid?”

Heed the warnings from DHS and DFS – examine your daily routine to determine what you would need and prepare now. That way, whether it is a cyber-attack from Iran, or a threat from Mother Nature, you will be prepared.

Department of Homeland Security Warns of Cyber-Attacks by Iran

The Department of Homeland Security (DHS) issued a grave warning to U.S. businesses and critical infrastructure operators on January 6, 2020, alerting the public that Iran poses a cyber terrorism threat to the United States following the death of Iranian Quds Force commander Gen. Qassem Soleimani.

The bulletin explains that Iran’s previous plots against the U.S. were in the form of, “among other things, scouting and planning against infrastructure targets and cyber enabled attacks against a range of U.S.-based targets,” including critical infrastructure. DHS stated that “Iran maintains a robust cyber program and can execute cyber-attacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.”

In addition, it is widely predicted that Iran will redouble its efforts to hit the financial sector in the U.S., prompting the New York Department of Financial Services to issue a warning to the financial services industry earlier this week. It is also predicted that Iran may use the timing of Microsoft’s termination of support for Windows 7 and Windows Server 2008 on January 14, 2020, to its advantage in its cyber terrorism plans against U.S. companies.

Finally, cybersecurity experts are warning U.S. companies that Iran has repeatedly targeted employees in U.S. companies with phishing attacks and fake social media requests in order to gain access to company systems and data. Companies are urged to warn their employees about being particularly vigilant about a possible increase in phishing campaigns through email requests following this incident and the escalation of tensions with Iran. Another high risk is Iranian-based and nation state hackers posing as recruiters on social media and professional social media sites, enticing employees to connect with them on social media, then obtaining personal information from the potential recruits.

Cybersecurity hygiene is always important, but because of the heightened tension with Iran, companies should think about hardening their security, warning their employees about being extra vigilant and combatting stepped-up efforts on the part of Iranian-backed hackers. We all need to be on high alert for a cyber-attack from Iran.

New York DFS Issues Risk Alert Concerning Possible Iran Cyber-Attacks

In view of Iran’s vows to retaliate against the United States for the death of Qassem Soleimani, the NYDFS has issued an industry letter to all regulated entities regarding the need for heightened cybersecurity precautions.

The letter notes that it “is particularly concerning that Iran has a history of launching cyber-attacks against the U.S. and the financial services industry,” citing 2012-2013 Iranian-sponsored cyber-attacks against several major U.S. banks. The letter also cites a June 2019 U.S. government advisory observing “a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies” using highly destructive attacks that delete or encrypt data.

The DFS letter calls for heightened vigilance against cyber-attacks and strongly recommends that regulated entities “ensure that all vulnerabilities are patched/remediated (especially publicly disclosed vulnerabilities), ensure that employees are adequately [trained] to deal with phishing attacks, fully implement multi-factor authentication, review and update disaster recovery plans, and respond quickly to further alerts from the government or other reliable sources. It is particularly important to make sure that any alerts or incidents are responded to promptly even outside of regular business hours – Iranian hackers are known to prefer attacking over the weekends and at night precisely because they know that weekday staff may not be available to respond immediately.”

Regulated entities are also directed to promptly notify DFS of any “significant or noteworthy cyber-attack,” the letter noting that DFS’s cybersecurity regulation (23 NYCRR Part 500) requires notification as soon as possible but in no event later than 72 hours after a “material cybersecurity event.”

CCPA Recap for the New Year

After much anticipation and trepidation, the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. Many companies are understandably still grappling with the details of the law, the amendments, and the proposed regulations and how to comply with them.

If you have not determined whether the CCPA applies to your company, and if it does, the measures you need to take to comply with its requirements, now is the time. Ignoring it is not the answer or the right strategy.

To assist you in putting CCPA compliance on the top of your new year’s to-do list, we are sharing with you some of our CCPA-related posts from the past year to give you incentive to think about addressing compliance, and offer some tips to help jump start your efforts.

LifeLabs Pays Ransom to Retrieve Patient Data

It is being reported that LifeLabs, a Canadian lab company that is the largest provider of laboratory diagnostics and lab testing services in Canada, recently paid an undisclosed ransom to hackers who compromised its computer system that housed patient lab data. The hackers apparently compromised the system, exfiltrated data and demanded that the company pay the ransom to obtain access to the data.

According to FierceHealthcare, the compromised database included personal and health information of over 15 million customers, who primarily reside in Ontario and British Columbia. The information the hackers accessed included patient names, addresses, dates of birth, email addresses, login and password information, health insurance card numbers and laboratory test results. LifeLabs has confirmed that the information was exfiltrated by the intruders.

LifeLabs notified the Privacy Commissioners in Ontario and British Columbia that the breach occurred on November 1, 2019. Those regulators are investigating the incident.

OCR Announces Second $85,000 Settlement for Alleged Violations of the Individual Right of Access under HIPAA

On December 12, 2019, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced its second “HIPAA Right of Access Initiative” settlement of alleged HIPAA violations.

The HIPAA Right of Access Initiative is a new effort in 2019 by OCR to monitor compliance with HIPAA requirements addressing patient rights to promptly access medical records, in a readily producible format, without being subject to excessive fees. OCR announced its first settlement under the Right of Access Initiative in September 2019 (see our earlier analysis of that settlement), and this settlement indicates a continued focus by OCR on HIPAA compliance by providers when responding to patient requests for records.

In this case, OCR entered into an $85,000 settlement with Korunda Medical, LLC (Korunda), a Florida-based primary care and pain management provider, after conducting an investigation which indicated that Korunda failed to provide a patient with timely access to protected health information in accordance with the Privacy Rule. According to the resolution agreement, Korunda’s alleged failure to comply with HIPAA’s right of access for individuals came after OCR had received a prior complaint and provided “technical assistance” to Korunda regarding the individual right of access under HIPAA. In addition to the monetary payment, OCR and Korunda entered into a one-year corrective action plan, under which Korunda is obligated to review and revise its policies concerning access to medical records, provide workforce training on individual access rights, and, after approval of its updated access policies, submit to OCR every 90 days a list of the medical record access requests it has received from individuals.

This settlement reiterates the importance for covered entities and business associates to review their policies and procedures governing production of medical records in response to patient requests, and the importance of responding to patients in a timely manner. This settlement is also a warning to entities that receive technical assistance from OCR that the government is unlikely to overlook subsequent allegations of non-compliance following such assistance. Finally, it is interesting to note that the monetary settlement here – $85,000 – for alleged violations of HIPAA’s right of access is the same amount extracted by OCR in its first Right of Access Initiative settlement (despite the defendant in that case being a larger entity), suggesting that OCR may view that amount as a “floor” for resolution of potential violations under the HIPAA Right of Access Initiative.

British Member of “The Dark Overlord” Hacking Organization Extradited to Face Conspiracy and Identity Theft Charges in the United States

Beginning in 2016, the computer hacking organization known as “The Dark Overlord” began to target victims in the St. Louis, Missouri area, including various health care providers, several accounting firms, and a medical records company. By remotely accessing these victims’ computer networks without authorization, The Dark Overlord was able to obtain sensitive records and information, which it then threatened to release unless the companies paid a ransom in bitcoin.

Following a lengthy investigation conducted by the Federal Bureau of Investigation and British authorities, United Kingdom national Nathan Wyatt was extradited to the United States and appeared before a federal district court in eastern Missouri on Wednesday, December 18, 2019, to face charges of aggravated identity theft, threatening damage to a protected computer, and conspiracy. While Wyatt is the first member of The Dark Overlord to face prosecution, government officials have expressed a hope that this will signal to other hackers targeting American companies that they will not be able to use territorial borders to evade justice and prosecution by the United States.