One of the biggest problems Khoury is confronting, he told me in an interview last week, is convincing businesses that suffer cybersecurity incidents to report them to his agency, the Canadian Centre for Cyber Security (CCCS).
Over the course of 2021 and 2022, the CCCS received an average of 300 reports on ransomware incidents annually, Khoury said. The recent report on cybercrime, led by CCCS, labeled ransomware the most “disruptive” cybercrime threat.
“I’m pretty confident that the real number is way bigger than that,” he said. “I’m using every opportunity possible to talk about the positive impact of a company being able to share those details with us in a timely way so that we can turn it around and protect Canada and Canadians.”
That desire to accumulate data on major attacks is an issue for the U.S. government, too. There’s plenty of overlap between the threats to the United States and Canada, and some similar approaches — and even some coordinated work — but there are differences, too.
Part of Khoury’s work is about sending a message to the business community. The idea is to collect and discreetly reshare so-called tactics, techniques and procedures (TTPs) — in other words, how hackers carry out their attacks.
- “We reiterate that we hold these things in strict self-confidence. We’re not looking for headlines, we’re not going to go talk publicly about, you know, ‘Company A called us and they have ransomware,’” he said. “You have rights and we want to learn about what happened.”
- “We want to update our advice and guidance,” he continued. “We want to see if we can connect some dots and figure out if maybe there’s a campaign going, we may understand what the TTP is of certain actors that are either being modified or being updated. So there is value in sharing that information with us but also an asset turning that information in in an anonymous way to protect sectors if there is a campaign.”
- “It’s a bit challenging at times,” he concluded.
But there’s also a legislative push to, among other things, direct certain organizations to report incidents to the CCCS. That should sound familiar to U.S. cyber watchers after President Biden signed into law a bill requiring critical infrastructure owners and operators to report major cyber events, including some details on ransomware payments, to the Cybersecurity and Infrastructure Security Agency.
Khoury’s agency doesn’t have regulatory authority, but he said the CCCS will work with Canadian regulatory agencies on the right time frame for those reports, hopefully to keep them in harmony with the United States. For instance, critical infrastructure owners would have 72 hours to report incidents to CISA under last year’s law, once the rulemaking is finalized.
Another area of collaboration between the CCCS and the United States’ CISA is on ransomware alerts. Khoury said his agency has been identifying ransomware precursors and turning them into pre-ransomware notifications to CISA to help spread the word to U.S. organizations. Since the initiative began in the spring, Khoury said they’ve sent 400 notifications to CISA.
“Ransomware is costly to the economy, it’s costly to businesses, and we want to bring attention to the problem so that people can defend themselves and protect themselves from the risks of ransomware,” he said.
One area where Canada and the United States overlap a great deal is in the nature of the threats to each country.
An October report from CCCS talked about cyberthreats to critical infrastructure, as well as from state-sponsored attackers in China, Russia, Iran and North Korea. U.S. cyber leaders talk a bunch about those same threats. Also familiar, then, are the other “key judgments” from the report about ransomware, influence operations.
Of late, Khoury said, Canada has been dealing with a wave of distributed denial-of-service attacks that are geared toward knocking websites offline.
Other headline-making cyber issues of late include an attack that hampered purchases at gas stations, and reports from the Discord leaks about Russian hackers claiming they’d breached a Canadian pipeline — the latter of which both Khoury and Prime Minister Justin Trudeau dismissed as not as serious as claimed.
The difference in threats between the two countries, such as it is, is the number of targets in the United States, Khoury said.
“The threat surface on the U.S. might be way bigger than the threat surface in Canada,” he said.
Lithuania was the third country that helped run FBI encrypted phone operation
Lithuania is the third nation that helped carry out a secretly run FBI operation that used encrypted phones to target criminals around the world, 404 Media’s Joseph Cox reports, citing a source briefed on the operation who did not work on it on the U.S. side.
- The FBI secretly ran a phone company, Anom, that allowed the agency to track criminals’ communications under the radar. The Justice Department has previously said the network grew to around 12,000 devices in over 100 countries and impacted over 300 criminal organizations.
- U.S. and Australian intelligence agencies began publicly unveiling the Anom operation about two years ago, though it also enlisted an unnamed “third country” in the E.U. that collected Anom messages and relayed them back to the United States.
- The third nation was needed to overcome a legal hurdle that would allow the FBI to read intercepted Anom messages. It “hosted the Anom interception server for the FBI, and then provided Anom’s messages to American authorities every Monday, Wednesday, and Friday,” Cox writes. He previously noted that the country “requested its participation be kept confidential,” according to a document he obtained.
“The revelation provides important clarity on the complex technological and legal arrangements that facilitated the largest law enforcement sting operation in history, where more than 9,000 law enforcement officers sprung into action on June 7, 2021 as part of the globally coordinated arrests of many of Anom’s criminal users,” the 404 report says.
A group of defense lawyers in July asked a judge to unveil the name of the nation that aided the FBI. They argued that complete understanding of the entities involved in the message transfers is essential for crafting legal defenses and determining the authenticity of the exchanges received.
MGM Resorts hack said to have widespread impact on properties, operations
MGM Resorts on Monday disclosed a major cybersecurity issue that may have impacted its hospitality, gaming and entertainment properties across the United States, Dennis Romero reports for NBC News.
Some of the company’s sites were down Monday, and customers were encouraged to book rooms via phone call, the report said.
- Romero adds: “Its full impact on reservation systems and casino floors in Las Vegas, the company’s base, as well as at properties in Maryland, Massachusetts, Michigan, Mississippi, New Jersey, New York and Ohio, was unknown, spokesperson Brian Ahern said.”
- The hospitality and entertainment giant also said law enforcement was notified of the incident.
Slot machines were reportedly offline up and down the Las Vegas Strip, and the FBI has stepped in to investigate, according to NBC’s local Las Vegas affiliate KSNV. Notably, MGM Resorts’ statement about the cyber incident “was sent from an executive’s Gmail account since their email systems were also affected by the outages,” KSNV’s Brett Forrest writes.
An MGM employee who spoke to Forrest on the condition of anonymity to provide the outlet with more information said company systems began shutting down around 5 a.m. Sunday.
“As the day progressed, more and more of the people that were working that day just lost access to everything,” the employee said. “It was like, ‘Oh, phone lines are down. Okay, scheduling is down. Okay, now Workday is down. Now everything is down.’ And just as the day went on, it just got progressively less and less access. And then we couldn’t even use messaging systems anymore,” the employee added.
- MGM was the subject of a 2019 data breach that affected some 10 million people. Last year, a sports betting partnership that MGM participates in was hit in a hack.
Nevada’s gaming board last year greenlit a directive requiring that cyber incidents be reported by gaming operators within three days (a similar federal measure for publicly traded companies like MGM does not take effect until December).
Goldstein: Information technology sector cyber performance goals will be tied to CISA secure-by-design principles (Inside Cybersecurity)
Trump seeks removal of federal judge from D.C. election case (CNBC)
How Barstool built an empire by swiping sports highlights (The Daily Beast)
E-Scooter hackers risk their lives chasing a need for speed (Wall Street Journal)
‘Redfly’ hackers infiltrated power supplier’s network for 6 months (Bleeping Computer)
Ransomware thrives as cyber security remains lax, says UK report (Financial Times)
Chinese warnings on iPhones tap deep strain of security concerns (New York Times)
Record number of cyberattacks targeting critical IT infrastructure reported to UK gov’t this year (The Record)
Hackers scammed $500K in crypto from Twitter users in just 20 minutes (Motherboard)
WhatsApp is working on cross-platform messaging (The Verge)
Dutch groups sue Google over alleged privacy violations (Reuters)
The Justice Department’s National Security Division announced two appointments:
- Ian C. Richardson to be first chief counsel for corporate enforcement. He previously served as assistant U.S. attorney for the Eastern District of New York.
- Christian J. Nauvel to be deputy chief counsel for corporate enforcement. He previously served as senior counsel to the assistant attorney general in the department’s criminal division.
- The House Homeland Security Committee holds a field hearing on emerging national security threats in New York City at 9:15 a.m.
- Our Early 202 colleague Leigh Ann Caldwell interviews Senate AI Caucus leaders Martin Heinrich (D-N.M.) and Mike Rounds (R-S.D.) for a Washington Post Live event on congressional AI regulation efforts at noon.
- The Center for Strategic and International Studies convenes a discussion on cybersecurity preparedness exercises at 1 p.m.
- The Hudson Institute holds a discussion on quantum computing and U.S.-Japan relations at 3 p.m.
Thanks for reading. See you tomorrow.