Top news stories this week
- Legal eclipse. SEC sues SolarWinds’ CISO for hiding cyber security weaknesses.
- Hacking spree. Boeing confirms hack while LockBit attacks cycling giant Shimano and Querétaro International Airport.
- The bottom line. US Federal Trade Commission mandates financial firms to report data breaches.
- Ransom restraint. 50 governments pledge to stop paying ransoms at ICRI summit in the US.
- Under attack. South African and German municipalities hacked by ransomware gangs.
- Sanctions and rewards. US sanctions Russian cyber launderer and offers reward for Iranian cyber criminals.
1. SEC files lawsuit against SolarWinds over pre-attack security lapses
The US Securities and Exchange Commission (SEC) has filed a lawsuit against software company SolarWinds and its CISO Timothy G. Brown. The SEC alleged that the company defrauded investors by concealing cyber security weaknesses. SolarWinds was at the centre of a major supply chain attack in 2020 which impacted the US government.
The personal charges against SolarWinds’ CISO will have a ripple effect throughout corporate offices, and will prompt greater scrutiny of and accountability for cyber security infrastructure.
2. Boeing confirms incident while LockBit continues hacking spree
Boeing has confirmed it is experiencing a cyber incident, a week after the ransomware group LockBit claimed an attack on the American aerospace giant. Boeing has also been removed from LockBit’s leak site, fostering speculation that the company is negotiating with the ransomware gang.
In addition to legal and ethical considerations, there are several other factors to take into account when deciding to negotiate with a ransomware group, including the costs of business interruption, the reputational impact of a data leak, and the potential reputational impact amongst clients and employees of negotiating with or paying a criminal group.
3. Non-banking financial firms to report data breaches within 30 days
The US Federal Trade Commission (FTC) has mandated that non-banking financial firms report data breaches within 30 days of discovery. The notification requirement applies to data breaches that involve the compromise of more than 500 plaintext consumer records and is set to come into effect in April 2024.
Organisations need well-defined policies that outline data storage, protection, retention periods, and secure data disposal procedures. Communication plans should also be updated with this requirement.
4. 50 governments pledge to stop paying ransoms at ICRI summit
Members of the International Counter Ransomware Initiative (ICRI), a US-led group of 50 governments, have signed a pledge to stop paying ransoms following cyber-attacks. The CRI pledge is not a legal prohibition, but it reaffirms the position that public bodies should lead by example in not paying ransoms, in a move aimed at starving ransomware gangs of funding.
While a ransomware attack can pose an existential threat for an organisation, it is important to carefully consider the ethical and reputational implications of paying.
5. Municipalities in South Africa and Germany suffer ransomware attacks
South Africa's Mangaung Metro municipality has experienced severe disruptions due to a ransomware attack on its IT system. The attack disabled critical applications, including the financial system, human resources system, telephones, email, and internet access.
Separately, another ransomware attack severely affected Südwestfalen IT, a municipal service provider in Germany. This attack left critical services inoperative across more than 70 municipalities in western Germany.
Organisations must create a disaster recovery plan that identifies all business critical systems and associated recovery procedures, as well as mandating regular testing that measures whether critical systems are restored in line with pre-defined recovery objectives.
6. US sanctions Russian Ryuk launderer and offers reward for Iranian cyber criminals
The US Treasury Department's Office of Foreign Assets Control has sanctioned Russian national Ekaterina Zhdanova for laundering virtual currency on behalf of Russian elites and ransomware gangs, including over USD 2.3 million for an affiliate of the Russian ransomware gang Ryuk.
Separately, the US Diplomatic Security Service agency has offered USD 10 million to anyone who gives information on three Iranian malicious threat actors. The agency said the trio had compromised hundreds of computer networks across the US including critical infrastructure.
As the US ramps up actions to apprehend and disrupt cybercrime operations, organisations should remain focused on identifying their own security weaknesses and the required measures to reduce risk to a tolerable level.