TechLetters #172 EU/NATO/Germany condemns Russian cyberattacks, inwardly. Deception operations against open source software. Breaking of post-quantum ciphers postponed.
Security
Official attributions of Russian cyber operations, made by Germany, the Czech Republic, the USA and the UK. Political parties and government institutions were targeted by Russian military intelligence. Previously, Poland, Lithuania, Slovakia and Sweden were affected. I classify it as level 2 impact on my 4-level scale of impact on States. This IS a violation of cyber norms: "behaviour is contrary to the UN norms of responsible state behaviour in cyberspace, such as impairing the use and operation of critical infrastructure".

Further, from the EU statement (you may safely omit all the others): "European Union and its Member States, together with international partners, strongly condemn the malicious cyber campaign conducted by the Russia-controlled Advanced Persistent Threat Actor 28 (APT28) against Germany and Czechia". "irresponsible behaviour in cyberspace, by targeting democratic institutions, government entities and critical infrastructure providers across the European Union and beyond".

Czech Republic statement: "Czech institutions have also been the target of cyber attacks exploiting a previously unknown vulnerability in Microsoft Outlook from 2023".

German statement: "targeted the Executive Committee of the Social Democratic Party of Germany. The Federal Government's national attribution procedure regarding this campaign has concluded that, for a relatively long period, the cyber actor APT28 used a critical vulnerability in Microsoft Outlook that remained unidentified at the time to compromise numerous email accounts. Based on reliable information provided by our intelligence services, the actor APT28 has been attributed to the Russian Federation, and more specifically to the Russian military intelligence service GRU. What is more, this actor's campaign also targeted various government authorities and companies in the spheres of logistics, armaments, the air and space industry, and IT services, as well as foundations and associations".

US statement: "blatantly disregards the Framework for Responsible State Behavior in Cyberspace, as affirmed by all United Nations Member States".

UK statement.
The open source software community is calling on all open source maintainers to be alert to social engineering takeover attempts, following the XZ backdoor deception operation. OpenSSF advises being careful about:
Friendly yet aggressive and persistent pursuit of maintainer or their hosted entity (foundation or company) by relatively unknown members of the community.
Request to be elevated to maintainer status by new or unknown persons.
Endorsement coming from other unknown members of the community who may also be using false identities, also known as “sock puppets.”
PRs containing blobs as artifacts.
For example, the XZ backdoor was a cleverly crafted file as part of the test suite that wasn’t human readable, as opposed to source code.
Intentionally obfuscated or difficult to understand source code.
Gradually escalating security issues.
For example, the XZ issue started off with a relatively innocuous replacement of safe_fprintf() with fprintf() to see who would notice.
Deviation from typical project compile, build, and deployment practices that could allow the insertion of external malicious payloads into blobs, zips, or other binary artifacts.
A false sense of urgency, especially if the implied urgency forces a maintainer to reduce the thoroughness of a review or bypass a control.
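Two of the items above, blobs in pull requests and deviations from the usual build and release practice, can be partly mechanised. The following script is an added example, not OpenSSF's or any project's tooling: it flags files in a change set that a reviewer cannot read as source, and it compares a release tarball with the files the version control system tracks at the tagged commit, listing anything the release step altered or added that is not a known generated file. The project layout, file names and tarball are constructed in memory for the demo; the allowlist of expected generated files is an assumption you would tune per project.

```python
"""Two pre-merge / pre-release checks that mechanise items from the OpenSSF
list: flag non-human-readable files in a change set, and compare a release
tarball with the version-controlled tree so that anything the build step
added or altered is listed before the artifact is published.
All inputs below are constructed in memory so the script runs offline."""
import io
import tarfile


def is_binary(data: bytes) -> bool:
    """A NUL byte, or bytes that are not valid UTF-8, mean a reviewer cannot
    read the file as source (the same heuristic most VCS tools use)."""
    if b"\x00" in data:
        return True
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False


def flag_binary_changes(changed_files: dict) -> list:
    """Paths in a PR's change set that are opaque blobs. They are not
    forbidden, but each one needs a justification and, ideally, a script in
    the same change that regenerates it byte-for-byte."""
    return sorted(path for path, data in changed_files.items() if is_binary(data))


def read_tarball(tar_bytes: bytes) -> dict:
    """Map regular-file members to contents, dropping the leading
    'name-version/' directory that release tarballs conventionally carry."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile():
                path = member.name.split("/", 1)[1] if "/" in member.name else member.name
                files[path] = tar.extractfile(member).read()
    return files


def diff_release_against_tree(tar_bytes: bytes, tracked: dict, expected_generated: set) -> dict:
    """Compare what the tarball ships with what the VCS tracks at the tag.
    'modified' and 'unexplained' are the entries that need a human answer:
    a tracked file whose released copy differs from the repository, or a
    file that exists only in the tarball and is not a known build output."""
    released = read_tarball(tar_bytes)
    only_in_tarball = [p for p in released if p not in tracked]
    return {
        "modified": sorted(p for p in released if p in tracked and released[p] != tracked[p]),
        "generated_expected": sorted(p for p in only_in_tarball if p in expected_generated),
        "unexplained": sorted(p for p in only_in_tarball if p not in expected_generated),
        "missing_from_tarball": sorted(p for p in tracked if p not in released),
    }


def build_tarball(prefix: str, files: dict) -> bytes:
    """Build an in-memory .tar.gz standing in for a downloaded release."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(name=f"{prefix}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample data (hypothetical project layout, not any real release).
TRACKED_AT_TAG = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "m4/host-tools.m4": b"# original macro\n",
    "tests/files/sample-1.xz": b"\xfd7zXZ\x00\x00\x04\xe6\xd6\xb4F",
}
RELEASED_FILES = dict(TRACKED_AT_TAG)
RELEASED_FILES["m4/host-tools.m4"] = b"# original macro\n# extra stage added only in the tarball\n"
RELEASED_FILES["configure"] = b"#!/bin/sh\n# generated by autoconf\n"
RELEASED_FILES["tests/files/sample-2.xz"] = b"\xfd7zXZ\x00\x00\x01\x69\x22\xde\x36"
SAMPLE_TARBALL = build_tarball("proj-1.0", RELEASED_FILES)
# Assumed allowlist of build outputs that legitimately exist only in the tarball.
EXPECTED_GENERATED = {"configure", "Makefile.in", "config.h.in"}


def demo() -> dict:
    """Run both checks on the constructed inputs and return the findings."""
    pr_change_set = {
        "src/main.c": RELEASED_FILES["src/main.c"],
        "tests/files/sample-2.xz": RELEASED_FILES["tests/files/sample-2.xz"],
    }
    return {
        "binary_in_pr": flag_binary_changes(pr_change_set),
        "release": diff_release_against_tree(SAMPLE_TARBALL, TRACKED_AT_TAG, EXPECTED_GENERATED),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On the constructed data the release check reports one tracked file whose shipped copy differs from the repository and one test blob that exists only in the tarball; the generated `configure` is listed separately because it is on the allowlist. The point of keeping the allowlist short is that every entry on it is a place where an attacker can hide a payload without touching the repository, so the list itself deserves the same review as source changes.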
The European Commission opened an investigation into Meta's alleged violation of the Digital Services Act (DSA). The Commission says that Meta is not adequately tackling deceptive political advertisements and disinformation. Some of them are really egregious, indeed. Those are real problems. However, the DSA tools should not be misused, and let's hope that the negligence flagged is tangible, because triggering this process without merit would deteriorate trust in the DSA. That said, I've seen first-hand some real issues, and plenty of others did so, too. You'll be able to read more about the issue in my upcoming book.
Post-quantum break farther than anticipated. The author of a paper on breaking quantum-safe cryptography retracted some claims after finding an error. The paper had caused ripples in the security community: learning with errors (LWE), the lattice problem on which the schemes intended to replace current systems because of quantum computing risks are built, might itself have been vulnerable. If a quantum algorithm can break LWE, the migration would be questionable. I expect there will be more work in this domain, still. The retraction message: "Now the claim of showing a polynomial time quantum algorithm for solving LWE with polynomial modulus-noise ratios does not hold. I leave the rest of the paper as it is (added a clarification of an operation in Step 8) as a hope that ideas like Complex Gaussian and windowed QFT may find other applications in quantum computation, or tackle LWE in other ways."
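For readers who want the quoted term unpacked, here is the LWE problem and the "modulus-noise ratio" in standard notation. This is textbook background added here, not text from the newsletter or from the retracted paper.

$$
\mathbf{A} \leftarrow \mathbb{Z}_q^{m \times n},\quad \mathbf{s} \leftarrow \mathbb{Z}_q^{n},\quad \mathbf{e} \leftarrow \chi_\sigma^{m},\qquad
\mathbf{b} = \mathbf{A}\mathbf{s} + \mathbf{e} \pmod q .
$$

Search-LWE asks for $\mathbf{s}$ given $(\mathbf{A}, \mathbf{b})$; decision-LWE asks whether $(\mathbf{A}, \mathbf{b})$ is an LWE sample or uniform. With $\mathbf{e} = \mathbf{0}$ the system is solved by Gaussian elimination in polynomial time, so the noise distribution $\chi_\sigma$ (a discrete Gaussian of width $\sigma$) is the whole source of hardness. The modulus-noise ratio is

$$
\frac{q}{\sigma}, \qquad \text{"polynomial" meaning } \frac{q}{\sigma} \le n^{c} \text{ for some constant } c,
$$

which is the regime covered by Regev's worst-case-to-average-case reduction. Known algorithms for LWE in this regime, classical and quantum alike, run in time $2^{\tilde{O}(n)}$; a quantum algorithm running in $\mathrm{poly}(n)$ time would therefore have broken the foundation the migration rests on, which is exactly the claim that has now been withdrawn.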
My short summary of the quantum non-solving of lattice problems story. What awaits there? How about in the next 20 years?
Pro-Russia hacktivists are conducting malicious cyber activity against operational technology devices: "…compromising small-scale OT systems in North American and European Water and Wastewater Systems (WWS), dams, energy, and food and agriculture sectors". The report's advice is the basic stuff: check passwords, use multi-factor authentication, apply updates, and so on.