There But for the Grace of God Go I

08 December 2020 will be remembered as a significant day in information security history. On that day, information security giant FireEye, also a pioneer of incident response through its Mandiant division, disclosed that it had been compromised by a likely state-sponsored entity. (Specific attribution is lacking at this time, although there are rumors that APT29/Cozy Bear may be responsible; more to come on this in the future.) Within the insular (and at times catty and vindictive) security community, there were Read more…

The Enigmatic Energetic Bear

“Energetic Bear” (also known as Dragonfly, Crouching Yeti, and several other names) has been in the news lately given a recent series of intrusions targeting local government and critical infrastructure entities in the United States. While the group has gained attention recently, its activities go back at least a decade, including the widespread Havex campaign. Despite the group’s longevity and consistent targeting of critical infrastructure, including the electric and oil and gas sectors, the group has not Read more…

Willful Ignorance and Misunderstanding of Threat Intelligence

Few arguments are more frustrating to deal with than those which use compelling, accurate observations to plaster over selective examples and willful misrepresentation. Such is the case with a recent video posted by Ralph Langner concerning ICS-specific cyber threat intelligence (CTI). Langner makes some astute observations concerning the industrial threat landscape that are worth repeating and recognizing, but then uses these items in conjunction with a selective representation of publicly available observations to push a specific, Read more…

Trickbot and the Context of Cyber Warfare

TrickBot was in the news quite a bit in early October 2020. Starting with reports of TrickBot disruption in late September 2020, subsequently linked to United States Cyber Command (USCC), events ramped up with an independent, coordinated infrastructure take-down organized by Microsoft shortly thereafter. There are many avenues of analysis into these events and very interesting questions raised, including election security concerns and public-private coordination (or in this instance, the lack thereof). Read more…

Cyber Threat Intelligence and the Concept of the Political

A common social media refrain in technology circles is the complaint of becoming “too political” – that content producers should focus on technical or professional subjects while avoiding charged, politically-tinged areas. This sentiment has always rung somewhat hollow to me as the concept of the political can be viewed as any public conflict which creates a distinction of “friend” and “enemy”. This concept can be as implicitly violent as a Hegelian dialectic or classically liberal Read more…

Responsibly Reporting Wretched Ransomware

Note: This post was edited in response to feedback concerning Tyler Technologies and the fundamental claims of the original article. With respect to Tyler, while the company certainly provides extensive support and software products to local governments, a review of the company’s offerings shows nothing specific to election reporting or other functions, at least to the extent indicated by other reporting. Thank you to Kim Zetter, one of the best in the business of information Read more…

Understanding Uncertainty while Undermining Democracy

Several US government agencies shared a warning on 22 September 2020 with respect to foreign entities using disinformation to sow confusion and discord around the US 2020 election. While evaluating this alert, Thomas Rid highlighted two key passages. The central thesis of the document and the two highlighted passages is that underlying election integrity may be unaltered and safe, but communications about such activity may be modified, obscured, or perverted for malicious purposes. Read more…

Causality, Culpability, and Critical Infrastructure Resiliency

Media, social feeds, and other sources of news are awash with stories of the “first death linked to ransomware” following an incident in Düsseldorf on 09 September 2020. Since the event, authorities in North Rhine-Westphalia have launched an investigation treating the death as “negligent homicide”. At the time of this writing, I was unable to identify precisely what crimes are under investigation, but the term “negligent homicide” indicates a lower-tier offense (including a lack of intentionality) Read more…

That Crazy Cozy Bear

On 16 July 2020, the United Kingdom’s National Cyber Security Centre (NCSC), with support and contributions from Canada’s Communications Security Establishment (CSE) and the United States’ National Security Agency (NSA), released a report tying recent intrusions into vaccine research organizations (as well as other industries) to the Russian-linked adversary APT29. Also known as Cozy Bear, the group has been associated with activities ranging from political to economic espionage over the past several years. Notably, while other Read more…

CVE-2020-5902 In Perspective

F5 released a patch on 30 June 2020 for a doozy of a vulnerability discovered by Positive Technologies. The vulnerability didn’t get much attention until Positive Technologies’ blog on the matter was published on 02 July 2020, right before a holiday weekend in the United States. The criticality of the remote code execution (RCE) flaw, combined with the prevalence of the F5 BIG-IP product in many major networks, set off a race for an exploit. Read more…