MY TAKE: US cyber adversaries take cue from shutdown to accelerate malware deployment

One profound consequence of Donald Trump’s shutdown of the federal government, now in day 33, is what a boon it is to US cyber adversaries. And moving forward, the long run ramifications are likely to be dire, indeed.

Related: Welcome to the ‘golden age’ of cyber espionage

With skeleton IT crews manning government networks, America’s adversaries — China, Russia, North Korea, Iran and others in Eastern Europe and the Middle East —  have seized the opportunity to dramatically step up both development and deployment of sophisticated cyberweapons targeting at federal systems, says Jeremy Samide, CEO of Stealthcare, supplier of a threat intelligence platform that tracks and predicts attack patterns.

For a full drill down on the stunning intelligence Samide shared with Last Watchdog, please listen to the accompanying podcast. In a nutshell, Trump’s government shutdown has lit a fire under nation-state backed cyber spies to accelerate the development and deployment of high-end cyberweapons designed to be slipped deep inside of hacked networks and stealthily exfiltrate sensitive data and/or remain at the ready to cripple control systems.

This spike in activity has been very methodical, Samide told Last Watchdog. Operatives are stepping up probes of vulnerable access points on the assumption that no one is guarding the playground, Samide says.  At the same time, they are also accelerating development of the latest iterations of weaponry of the class of Eternal Blue, the NSA’s top-shelf cyberweapon that was stolen, leaked and subsequently used to launch the highly invasive WannaCry and NotPetya worms.

The longer the Trump government shut down continues, the more time US cyber adversaries will have to design and deploy heavily-cloaked malware —  and embed this digital weaponry far and wide in federal business networks and in critical infrastructure systems, Samide says.

What’s more, the longer the government closure continues, the more likely it is that key IT staffers with cybersecuritiy experience will choose to move to the private sector where there is an acute skills shortage. Last Watchdog invited Greg Touhill President of Cyxtera Federal, and Bryson Bort, CEO of SCYTHE and Fellow at the National Security Institute, to join Samide in a roundtable discussion of the cybersecurity ramifications of the government shutdown. Here are excerpts of their observations edited for clarity and length:

Jeremy Samide, CEO of Stealthcare

“We are starting to see a significant increase in counter intelligence surveillance and reconnaissance efforts by primarily state-sponsored organizations.  It’s an opportunity test the tolerance, and make digital inquiries into these systems to see how far they can get because the reaction time is slower.

Samide

The agencies that are of interest would be some of your more logical agencies that are holding either national security information, or other personally identifiable information. But, really, anything is on the table for state sponsored activities. What we’re seeing is more commercial-grade, state-sponsored-grade malware being developed whose purpose is to be surreptitiously dropped into a system to exfiltrate data. We’re seeing more of that type of malware being developed — and being deployed.

The long-term effects are going to be serious. There’s going to be some attrition of government employees not coming back in key positions because they’ve taken positions elsewhere. And it’s going to be very difficult for whomever does come back to get on top of this. It’s going to be a daunting challenge to try go back 45 days or 60 days to actually figure out what happened and then open investigations and take remedial action. I highly doubt that will be done in a way that’s thorough enough.”

Greg Touhill, President of Cyxtera Federal

“Nation state actors represent the most dangerous threats and they remain persistent during government shutdowns. I expect there to be an increase in activity as threat actors look for vulnerabilities that are unmitigated during the shutdowns. I’m also concerned that criminal organizations will step up their reconnaissance and probes into sensitive government data stores given the impact the shutdown has on the Department of Justice and courts.

Touhill

Any department could be victim of an attack whether they are currently unfunded or not. That’s because many rely on shared services. So negative effects would be felt across departments and agencies. In addition, critical infrastructure operators work closely with the government. So an attack on critical infrastructure could result in serious impacts that affect every American citizen and business.

The short-term ramifications include a lack of skilled personnel, both government employees and contractors, in place to manage essential cyber defense activities like security operations, patching and incident response. In addition, vital planned system upgrades and the implementation of new security technologies will be delayed, which further weakens cyber defenses.

Despite the fielding of Security Event and Incident Management tools fielded by the government’s Continuous Diagnostics and Mitigation (CDM) program to fortify the cybersecurity of government networks and detect threats, if an alarm goes off and you don’t have skilled people on hand to respond immediately, then you expose data to high risk.

Long term, I am very concerned that the highly skilled cyber workforce supporting the US government (both government employees as well as the contractors that support them) is increasingly frustrated by this — and previous government shutdowns — and will migrate to private sector jobs in order to better provide for their families. Both government employees as well as the highly skilled contractors who support them are attracted to and dedicated to the mission.

While government employees have been ‘teased’ by earnest political leadership that they will receive back pay, government contractors are painfully aware that during the work stoppage, their companies will not be drawing revenue. Companies operating in the federal market are suffering huge losses trying to keep their highly-skilled cyber personnel on staff during this shutdown.

I suspect the long-run impact of this shutdown will be seen as more and more of the best highly-skilled cyber professionals will leave the public sector and take their mission expertise to the private sector.

Bryson Bort, CEO of SCYTHE

“The results will be invisible, but additive as this prolongs. For now, it’s simple things like NIST, who provides best practice guidance on cybersecurity, has their webpages down that host those documents. Patching is certainly going to be slower so if there are any serious and up patch requirements, then there could be a greater window than normal. The NCICC, the DHS watchfloor, is operating despite funding. But, in general, monitoring is probably not happening at 100 percent of usual operations which means that there is an increased chance that malicious activity may not be spotted.

Bort

The usual operators are likely involved: China, Iran, Russia and North Korea. But, I don’t think they will ‘attack.’ I do think this is a good opportunity to step up iterative campaigns to compromise, gather intelligence, and place something quiet for the future.

The biggest risk would be the IRS. The timing of the shutdown right as we move into tax season. In the past, there have been significant issues with fraud: there are several key entities who have figured out that there is a lot of money to be made.

Long run, morale, staffing, and recruiting just took a significant step back. When this finally ends, hopefully soon, there will be some number of staff who will have jumped to the private sector and they are not coming back.



*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/my-take-us-cyber-adversaries-take-cue-from-shutdown-to-accelerate-malware-deployment/