Missile Agency Director Describes Threat, Countermeasures

In recent years, threats from new missile systems against the homeland, deployed forces and friends and allies have arisen from Russia, China, North Korea and Iran, the director of the Missile Defense Agency said.


Navy Vice Adm. Jon A. Hill spoke yesterday at the Space and Missile Defense Symposium in Washington.

At one time, the MDA focused on the ballistic missile threat, Hill said. However, adversaries have since designed extremely fast and maneuverable advanced cruise missiles and hypersonic weapons that make for “a very tough environment for defense,” he said. The Missile Defense Review addressed these new threats, laying out a path to follow in developing new offensive and defensive measures, he added.

Though defense is a key part of deterrence, Hill said, “you can’t shoot what you don’t see.” Providing that sight are sensors and radars aboard ships, on the ground and in space.

Space-based sensors are the ultimate, Hill said, because they can provide global coverage. Space tracking and surveillance systems collect data, intelligence and real-world missile testing, he said, but that capability is nowhere near where it needs to be.

Sensors start the kill chain by sending out a warning, the admiral explained. Then, radars track the missile, and fire control launches a defensive projectile.

This projectile can come from a Patriot system or Terminal High Altitude Area Defense system, all operated by the Army, or the Standard Missile 3 Block IIA or the Aegis Ballistic Missile Defense System, both operated by the Navy. Besides those defenses, ground-based interceptors, operated by the Army, are deployed at Fort Greely, Alaska, and at Vandenberg Air Force Base, California.

The command and control and battle management system, fully protected with cybersecurity measures, ties these systems together with the operators.

Many missile defense components are in the research, science and technology and demonstration phase, Hill said. For example, work is being done on the next-generation interceptor and long-range discrimination radar, as well as space-based sensors.

“Where we live today is we don’t have everything we want deployed in space, nor do we have the terrestrial or mobile sea-based sensors where we want, where we need them at the right time,” the missile agency director said.

Besides new, cutting-edge systems, Hill noted that current systems such as Aegis and command and control are receiving important upgrades as they become available.

MDA is working with the Army to integrate the THAAD and Patriot systems so operators can communicate with both and shoot with either, depending on the scenario, the admiral said.

Allies and partners are developing their own missile defense systems or buying them from the United States through the foreign military sales system, Hill said. The use of these systems by friends and partners furthers global security, he pointed out, and the Defense Department is working to better integrate those systems so they’re even more effective.

Though the COVID-19 pandemic has presented challenges, Hill said, that hasn’t affected MDA’s ability to perform its mission: “If you ask me where we took risk during the global pandemic, we never took any risk in supporting the warfighter,” he said. “We continue to deliver capability, we continue to support major movements around the globe.” Delivery of systems caused some delay, he acknowledged, because assembly lines require people in confined and enclosed places.

Hill termed his MDA team and those in the services as stellar, and he said there’s no nobler calling than defending America.

Blogs to Follow:

Defense.gov (August 2020) Missile Agency Director Describes Threat, Countermeasures

CISA Releases Guide for America’s Election Administrators

Federal authorities say one of the gravest threats to the November election is a well-timed ransomware attack that could paralyze voting operations. The threat isn’t just from foreign governments, but any fortune-seeking criminal.

As a result, the Cybersecurity and Infrastructure Security Agency (CISA) released the Guide to Vulnerability Reporting for America’s Election Administrators. The guide walks election officials through the steps of establishing a vulnerability disclosure program. 

Vulnerability disclosures can be an effective way for organizations to benefit from cybersecurity expertise without having it resident to their organization.  

CISA released two new assessments and infographics on Election Infrastructure Cyber Risk and Mail-in Voting in 2020 Infrastructure Risk.

Each method of voting carries risk that you, as election officials, manage.

These assessments and infographics are voluntary resources intended to help the Federal Government and election officials understand and manage risks to election infrastructure and operations.

“Election officials have spent years beefing up security to their systems and closing these vulnerability gaps to keep our elections safe and secure,” said CISA Director Christopher Krebs. “Cybersecurity researchers can be great and responsible partners in this effort and we are creating this guide as a way to help state and local election officials understand the support they can offer and how to work with them in our collective, whole of nation effort to protect our elections.”  

The guide aims to help election officials understand the role that the cybersecurity research community can play in helping officials keep systems secure so that the American public’s voice can be clearly heard.

The guide includes a number of best practices for improving and addressing vulnerabilities within election systems, and offers a step-by-step guide for election administrators who seek to establish a successful vulnerability disclosure program.  

Accordingly, an electoral process that is both secure and resilient is a vital national interest and one of CISA’s highest priorities.

CISA is committed to working collaboratively with those on the front lines of elections—state and local governments, election officials, federal partners, and vendors—to manage risks to the Nation’s election infrastructure. CISA will remain transparent and agile in its vigorous efforts to secure America’s election infrastructure from new and evolving threats.

While ultimate responsibility for administering the Nation’s elections rests with state and local governments, CISA offers a variety of free services to help states ensure both the physical security and cybersecurity of their elections infrastructure.

Additionally, election infrastructure’s critical infrastructure designation enables CISA to provide services on a prioritized basis at the request of state and local elections officials.

Blogs to Follow:

CISA.gov (August 2020) CISA RELEASES GUIDE TO VULNERABILITY REPORTING FOR AMERICA’S ELECTION ADMINISTRATORS; ELECTION INFRASTRUCTURE SECURITY

Iran Poses Greatest Threat to Region, Centcom Commander Says

Iran poses the greatest threat to regional security and stability, the commander of U.S. Central Command said.


Marine Corps Gen. Kenneth F. McKenzie Jr. spoke last week at a Middle East Institute webinar titled, “Centcom and the Shifting Sands of the Middle East.”

McKenzie enumerated various threats from Iran:

  • Funding and arming terrorist organizations;
  • Propping up the “murderous regime” of Syrian President Bashar al-Assad;
  • Providing advanced weapons to the Houthi rebels in Yemen;
  • Direct attack on oil tankers in the Strait of Hormuz;
  • Direct attack on oil refineries in Saudi Arabia; and 
  • Attacking U.S. troops in Iraq. 

“Iran actively stokes instability and is intent on degrading security all over the region,” McKenzie said. “They use proxies and violence to push other nations in the region to their agenda.”

The State Department is leading the effort to pressure Iranian leaders diplomatically and, through sanctions, to make them renounce their nuclear ambitions, cease work on ballistic missiles and cease exporting terrorism against their neighbors, he said, noting that this effort is a whole-of-government approach that includes allies and partners.

The Defense Department’s role regarding Iran is to deter it from taking direct or indirect military actions against the United States and its allies and partners in the region, he said.

McKenzie noted that the Iranians were surprised by the U.S. killing of Iranian Maj. Gen. Qasem Soleimani of Iran’s Islamic Revolutionary Guard Corps in January, and have had to recalculate where their red line is drawn with the United States. “They see we have the will to act,” he said.

Beyond Iran, terrorist organizations such as ISIS and al-Qaida still aspire to attack the United States, its allies and even the U.S. homeland, the general said. Vigorous pressure on them prevents them from doing so, he added.

China and Russia also have become involved in the region, trying to use economic leverage to make their influence felt, the general said. Russia, he added, is propping up Assad, who they see as a valued ally with a warm-water port.

The U.S. response has been to have close relationships with nations in the region, McKenzie said, helping them build up their security forces and encouraging them to purchase U.S. foreign military materiel.

An over-the-horizon threat to coalition and partner forces in the region will most likely come from swarms of small unmanned aerial systems that can carry weapons, McKenzie said, noting that the Army is taking the lead on developing counter-UAS measures.

McKenzie noted that the United States is less dependent on Middle East oil than it ever was, but wants to ensure freedom of navigation for partners and allies. He specifically mentioned the importance of ensuring safe passage through the Red Sea, Strait of Hormuz and the Bab al-Mandab Strait.

NATO.int (June 2020) Iran Poses Greatest Threat to Region, Centcom Commander Says

APT Groups Target Healthcare and Essential Services


This is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC).

CISA and NCSC continue to see indications that advanced persistent threat (APT) groups are exploiting the Coronavirus Disease 2019 (COVID-19) pandemic as part of their cyber operations.

This joint alert highlights ongoing activity by APT groups against organizations involved in both national and international COVID-19 responses. It describes some of the methods these actors are using to target organizations and provides mitigation advice.

The joint CISA-NCSC Alert: (AA20-099A) COVID-19 Exploited by Malicious Cyber Actors from April 8, 2020, previously detailed the exploitation of the COVID-19 pandemic by cybercriminals and APT groups.

This joint CISA-NCSC Alert provides an update to ongoing malicious cyber activity relating to COVID-19.

For a graphical summary of CISA’s joint COVID-19 Alerts with NCSC, see the following guide.

COVID-19-related targeting

APT actors are actively targeting organizations involved in both national and international COVID-19 responses. These organizations include healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments.

APT actors frequently target organizations in order to collect bulk personal information, intellectual property, and intelligence that align with national priorities.

The pandemic has likely raised additional interest for APT actors to gather information related to COVID-19. For example, actors may seek to obtain intelligence on national and international healthcare policy, or acquire sensitive data on COVID-19-related research.

Targeting of pharmaceutical and research organizations

CISA and NCSC are currently investigating a number of incidents in which threat actors are targeting pharmaceutical companies, medical research organizations, and universities. APT groups frequently target such organizations in order to steal sensitive research data and intellectual property for commercial and state benefit.

Organizations involved in COVID-19-related research are attractive targets for APT actors looking to obtain information for their domestic research efforts into COVID-19-related medicine.

These organizations’ global reach and international supply chains increase exposure to malicious cyber actors. Actors view supply chains as a weak link that they can exploit to obtain access to better-protected targets.

Many supply chain elements have also been affected by the shift to remote working and the new vulnerabilities that have resulted.

Recently CISA and NCSC have seen APT actors scanning the external websites of targeted companies and looking for vulnerabilities in unpatched software. Actors are known to take advantage of Citrix vulnerability CVE-2019-19781[1],[2] and vulnerabilities in virtual private network (VPN) products from Pulse Secure, Fortinet, and Palo Alto.[3],[4]

COVID-19-related password spraying activity

CISA and NCSC are actively investigating large-scale password spraying campaigns conducted by APT groups. These actors are using this type of attack to target healthcare entities in a number of countries—including the United Kingdom and the United States—as well as international healthcare organizations.

Previously, APT groups have used password spraying to target a range of organizations and companies across sectors—including government, emergency services, law enforcement, academia and research organizations, financial institutions, and telecommunications and retail companies.

Technical Details

Password spraying is a commonly used style of brute force attack in which the attacker tries a single and commonly used password against many accounts before moving on to try a second password, and so on. This technique allows the attacker to remain undetected by avoiding rapid or frequent account lockouts. These attacks are successful because, for any given large set of users, there will likely be some with common passwords.

Malicious cyber actors, including APT groups, collate names from various online sources that provide organizational details and use this information to identify possible accounts for targeted institutions. The actors will then “spray” the identified accounts with lists of commonly used passwords.

Once the malicious cyber actor compromises a single account, they will use it to access other accounts where the credentials are reused. Additionally, the actor could attempt to move laterally across the network to steal additional data and implement further attacks against other accounts within the network.

In previous incidents investigated by CISA and NCSC, malicious cyber actors used password spraying to compromise email accounts in an organization and then, in turn, used these accounts to download the victim organization’s Global Address List (GAL).

The actors then used the GAL to password spray further accounts.
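The distinguishing signal of the spraying pattern described above (few attempts per account, many accounts from one source, so that per-account lockout thresholds are never reached) is what a defender can hunt for in authentication logs. The following is an added example, not code from CISA or NCSC: it parses a constructed, simplified log format (timestamp, source IP, account, result) and flags any source that touches at least `min_accounts` distinct accounts inside a sliding window while never exceeding `max_per_account` failures on any one of them. It also reports accounts that authenticated successfully during such a window, since the alert notes that a single compromised account is then used to pivot further.

```python
"""Password-spray detection over authentication logs.

Added example for illustration; not CISA/NCSC code. The log format,
field order and sample lines below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source_ip> <account> <FAIL|SUCCESS>".
# 203.0.113.7 behaves like a spray (one try per account, many accounts).
# 198.51.100.9 behaves like classic brute force (many tries, one account).
# 192.0.2.44 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2020-05-04T09:00:01Z 203.0.113.7 alice FAIL
2020-05-04T09:00:03Z 203.0.113.7 bob FAIL
2020-05-04T09:00:05Z 203.0.113.7 carol FAIL
2020-05-04T09:00:07Z 203.0.113.7 dave FAIL
2020-05-04T09:00:09Z 203.0.113.7 erin FAIL
2020-05-04T09:00:11Z 203.0.113.7 frank SUCCESS
2020-05-04T09:01:00Z 198.51.100.9 alice FAIL
2020-05-04T09:01:02Z 198.51.100.9 alice FAIL
2020-05-04T09:01:04Z 198.51.100.9 alice FAIL
2020-05-04T09:01:06Z 198.51.100.9 alice FAIL
2020-05-04T09:01:08Z 198.51.100.9 alice FAIL
2020-05-04T09:01:10Z 198.51.100.9 alice FAIL
2020-05-04T10:30:00Z 192.0.2.44 alice FAIL
2020-05-04T10:30:02Z 192.0.2.44 alice SUCCESS
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=3):
    """Return one finding per source IP whose activity matches a spray pattern.

    A window matches when it contains at least `min_accounts` distinct accounts
    and no single account has more than `max_per_account` failures, i.e. the
    attacker is deliberately staying under lockout thresholds.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            fails = defaultdict(int)
            successes = set()
            accounts = set()
            for _, _, acct, res in evs[start:end + 1]:
                accounts.add(acct)
                if res == "FAIL":
                    fails[acct] += 1
                else:
                    successes.add(acct)
            if len(accounts) >= min_accounts and max(fails.values(), default=0) <= max_per_account:
                prev = findings.get(ip)
                # Keep the widest window seen for this IP.
                if prev is None or len(accounts) > len(prev["accounts"]):
                    findings[ip] = {
                        "ip": ip,
                        "accounts": sorted(accounts),
                        "possible_compromise": sorted(successes),
                        "window_start": evs[start][0],
                    }
    return sorted(findings.values(), key=lambda f: f["ip"])


if __name__ == "__main__":
    for finding in detect_spray(parse_log(SAMPLE_LOG)):
        print(finding)
```

The brute-force source is deliberately not flagged here: six failures on one account is the pattern that account lockout already handles, whereas the spray source never exceeds one failure per account and would sail past a lockout-only control. Thresholds are assumptions and should be tuned to the real log volume; correlating by source IP alone is also weak against actors who rotate addresses, so in practice the same logic is usually applied per source ASN or per user-agent as well.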

NCSC has previously provided examples of frequently found passwords, which attackers are known to use in password spray attacks to attempt to gain access to corporate accounts and networks. In these attacks, malicious cyber actors often use passwords based on the month of the year, seasons, and the name of the company or organization.

CISA and NCSC continue to investigate activity linked to large-scale password spraying campaigns.

APT actors will continue to exploit COVID-19 as they seek to answer additional intelligence questions relating to the pandemic. CISA and NCSC advise organizations to follow the mitigation advice below in view of this heightened activity.

Mitigations

CISA and NCSC have previously published information for organizations on password spraying and improving password policy. Putting this into practice will significantly reduce the chance of compromise from this kind of attack.

CISA’s Cyber Essentials for small organizations provides guiding principles for leaders to develop a culture of security and specific actions for IT professionals to put that culture into action.

Additionally, the UK government’s Cyber Aware campaign provides useful advice for individuals on how to stay secure online during the coronavirus pandemic. This includes advice on protecting passwords, accounts, and devices.

A number of other mitigations will be of use in defending against the campaigns detailed in this report:

Contact Information

CISA encourages U.S. users and organizations to contribute any additional information that may relate to this threat by emailing CISAServiceDesk@cisa.dhs.gov.

The NCSC encourages UK organizations to report any suspicious activity to the NCSC via their website: https://report.ncsc.gov.uk/.

Disclaimers

This report draws on information derived from CISA, NCSC, and industry sources. Any findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times.

CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA.

References

[1] CISA Alert: Detecting Citrix CVE-2019-19781

[2] NCSC Alert: Actors exploiting Citrix products vulnerability

[3] CISA Alert: Continued Exploitation of Pulse Secure VPN Vulnerability

[4] NCSC Alert: Vulnerabilities exploited in VPN products used worldwide

US-Cert.gov (May 2020) APT Groups Target Healthcare and Essential Services

US Issues an Advisory on North Korean Cyber Threats

On Wednesday, April 15, the U.S. Departments of State, Homeland Security, and Treasury, and the Federal Bureau of Investigation issued an advisory to raise the awareness of the cyber threat posed by North Korea.


The advisory highlights North Korea’s malicious cyber activities around the world, identifies U.S. government resources that provide technical and threat information, and includes recommended measures to counter the cyber threat.

North Korea’s malicious cyber activities threaten the United States and countries around the world and, in particular, pose a significant threat to the integrity and stability of the international financial system.  The United States works closely with like-minded countries to focus attention on and condemn disruptive, destructive, or otherwise destabilizing behavior in cyberspace.  

It is vital for foreign governments, network defenders, and the public to stay vigilant and to work together to mitigate the cyber threat posed by North Korea.

The DPRK’s malicious cyber activities threaten the United States and the broader international community and, in particular, pose a significant threat to the integrity and stability of the international financial system. Under the pressure of robust U.S. and UN sanctions, the DPRK has increasingly relied on illicit activities – including cybercrime – to generate revenue for its weapons of mass destruction and ballistic missile programs.

In particular, the United States is deeply concerned about North Korea’s malicious cyber activities, which the U.S. government refers to as HIDDEN COBRA. The DPRK has the capability to conduct disruptive or destructive cyber activities affecting U.S. critical infrastructure. The DPRK also uses cyber capabilities to steal from financial institutions, and has demonstrated a pattern of disruptive and harmful cyber activity that is wholly inconsistent with the growing international consensus on what constitutes responsible State behavior in cyberspace. 

The United States works closely with like-minded countries to focus attention on and condemn the DPRK’s disruptive, destructive, or otherwise destabilizing behavior in cyberspace. For example, in December 2017, Australia, Canada, New Zealand, the United States, and the United Kingdom publicly attributed the WannaCry 2.0 ransomware attack to the DPRK and denounced the DPRK’s harmful and irresponsible cyber activity. Denmark and Japan issued supporting statements for the joint denunciation of the destructive WannaCry 2.0 ransomware attack, which affected hundreds of thousands of computers around the world in May 2017. 

It is vital for the international community, network defenders, and the public to stay vigilant and to work together to mitigate the cyber threat posed by North Korea. 

The North Korean Cyber Threat Advisory can be viewed at: https://www.us-cert.gov/ncas/alerts/aa20-106a.

State.gov (April 2020) The United States Issues an Advisory on North Korean Cyber Threats