Breaches by Iran-affiliated hackers spanned multiple U.S. states, federal agencies say
HARRISBURG, Pa. — A small western Pennsylvania water authority was just one of multiple organizations breached in the United States by Iran-affiliated hackers who targeted a specific industrial control device because it is Israeli-made, U.S. and Israeli authorities say.
“The victims span multiple U.S. states,” the FBI, the Environmental Protection Agency, the Cybersecurity and Infrastructure Security Agency, known as CISA, as well as Israel’s National Cyber Directorate said in an advisory emailed to The Associated Press late Friday.
They did not say how many organizations were hacked or otherwise describe them.
Matthew Mottes, the chairman of the Municipal Water Authority of Aliquippa, which discovered it had been hacked on Nov. 25, said Thursday that federal officials had told him the same group also breached four other utilities and an aquarium.
Cybersecurity experts say that while there is no evidence of Iranian involvement in the Oct. 7 attack into Israel by Hamas that triggered the war in Gaza they expected state-backed Iranian hackers and pro-Palestinian hacktivists to step up cyberattacks on Israeli and its allies in its aftermath. And indeed that has happened.
The multiagency advisory explained what CISA had not when it confirmed the Pennsylvania hack on Wednesday — that other industries outside water and water-treatment facilities use the same equipment — Vision Series programmable logic controllers made by Unitronics — and were also potentially vulnerable.
Those industries include “energy, food and beverage manufacturing and healthcare,” the advisory says. The devices regulate processes including pressure, temperature and fluid flow.
The Aliquippa hack promoted workers to temporarily halt pumping in a remote station that regulates water pressure for two nearby towns, leading crews to switch to manual operation. The hackers left a digital calling card on the compromised device saying all Israeli-made equipment is “a legal target.”
The multiagency advisory said it was not known if the hackers had tried to penetrate deeper into breached networks. The access they did get enabled “more profound cyber physical effects on processes and equipment,” it said.
Source…
Election security threats require more federal resources, officials say
State and local election officials warned during a Senate Rules and Administration Committee hearing on Wednesday that nefarious uses of emerging technologies, hacking attempts and the harassment of election workers risk undermining the public’s faith in the accuracy of U.S. elections without more federal intervention.
Since the 2020 presidential election, Arizona Secretary of State Adrian Fontes said his state has live-streamed equipment certifications to promote transparency and worked with the National Association of Secretaries of State and federal agencies to instill trust in the voting process. But he added that “there’s still more that can be done” at the federal level, including providing local jurisdictions with more election-related funding and guidance to safeguard their systems and personnel.
He said artificial intelligence, for instance, “has the potential to confuse voters and wreak havoc on the administration of elections,” including allowing deepfakes of election officials to spread misinformation on social media.
“If I were to go on TV afterwards, or even Instagram Live, to debunk these deepfakes, who would know which was the real me?” he added. “Foreign actors from hostile states such as Iran, China, Russia and North Korea appear ready to take advantage of this nightmare scenario.”
Lingering conspiracies about the accuracy of U.S. elections are also resulting in new challenges for election officials. Some jurisdictions are being overwhelmed with what Fontes called “analog” distributed denial-of-service — or DDoS — attacks, which he said “comes in overly voluminous and unnecessary public records requests that have absolutely nothing at their end.”
“We hear of a DDoS attack against an electronic system where hackers will come in and absolutely flood a system with digital attacks,” Fontes said, adding that he supports rigorous transparency but that these types of constant requests often represent “a coordinated effort to undermine the democracy that upholds our republic.”
While not all officials at the hearing voiced support for more federal involvement in the voting process or expressed concerns about the intimidation of election…
No federal privacy law? After the 23andMe hack, it’s time to take action
This is a guest post by Kate Krauss, a digital rights advocate based in Philadelphia.
On Oct. 6, 23andMe announced the loss of customer data to hackers who targeted Ashkenazi Jews. The data of as many as a million people was reportedly stolen and is currently being sold anonymously on the Internet. The hack exploited customers who reused passwords and the platform’s feature called “DNA Relatives,” linking one person to another.
We won’t easily forget this awful hack — but every year, tens of millions of Americans become victims of information leaks, so many that they have begun to blur together. Microsoft, for one, has been hacked at least 10 times since 2018.
Victims range from ordinary people, like those in the 23andMe hack, to the most politically sensitive: the State Department’s China diplomats; the Secretary of Commerce. Hackers access people’s email and steal their social security numbers or their home addresses, and in one case, in-depth psychological profiles needed for top security clearances.
If we use the frog-in-hot-water analogy for Americans and their information privacy, this frog is dead.
Weak laws let companies get away with weak security.
Current US privacy laws are so ineffective that Europeans are afraid to send their data here lest it be hacked, leaked, or surveilled. This fear was the basis of the tensely negotiated “Data Privacy Framework” between the EU and the US over whether and how to allow the personal data of European citizens to be sent to this country.
Without the risk of a giant fine or, say, jail time, many tech giants can and do get away with managing their data security badly. They fail to update security keys, encrypt users’ credit card numbers or enforce multi-factor authentication.
Weak laws let companies get away with weak security. For instance, 23andMe didn’t require users to use two-factor authentication or warn users about the dangers of enabling “DNA Relatives.” If they have to pay a small fine — small to them — that’s the cost of doing business.
In 2019, the year that the Cambridge Analytica scandal caught up with Facebook, the company paid $5 billion to the FTC for illegally sharing…
Alabama-based Sentar gets federal grant to boost cybersecurity for nuclear plants
Federal grant money will help a business in Alabama build up the capability to address cybersecurity threats against U.S. nuclear power plants. File Photo by John Angelillo/UPI
Aug. 17 (UPI) — A federal grant will help with the development of a proof-of-concept study targeting potential cybersecurity threats at the nation’s nuclear power plants, Alabama-based Sentar said Thursday.
Sentar, which is geared toward cyber intelligence, said it secured a small-business research grant from its latest client, the Department of Energy.
Advertising
“Cyber resilience and reliability must become an operational imperative for critical infrastructure,” said Gary Mayes, the company’s senior research director. “It is essential to have the ability to mitigate damage once subjected to a cyber-attack and continue to maintain operations when systems or data have been compromised.”
The grant follows an early-year report from defense consultant Booz-Allen warning of cybersecurity threats from China. The Communist government, the report warned, uses cyberattacks “below the threshold of war” to target critical infrastructure in the United States.
Two years ago, the Port of Houston, among the largest in the country, was the target of a cyberattack that the Cybersecurity and Infrastructure Security Agency Director said was likely from an unidentified “nation-state actor.”
The White House released a national strategy to address the issue. The National Cybersecurity Strategy seeks to make two fundamental changes in the government’s digital security protocols, including a plan to enlist more help from the private sector to mitigate cyber risks, and a program to boost federal incentives to companies that make long-term investments in cybersecurity.
Sentar offered no details about its federal grant, though it did say that work on the project would begin immediately at its headquarters in Alabama.