Cyber Week in Review: June 30, 2022

Iranian Steel Facilities Targeted in Destructive Cyberattacks 

The latest in a string of hacktivist attacks hit Iranian critical infrastructure earlier this week, when three steel companies were hit by apparent cyberattacks. The hacktivists group responsible, who call themselves Gonjeshke Darande, posted a video on their Twitter account purporting to show physical damage to one of the facilities. Cybersecurity researchers connected the malware used in the attack, known as MeteorExpress, to another attack last year that paralyzed train service around the country. Iran has been the target of several major cyberattacks over the past year, including an attack which crippled the country’s gas subsidy system for several hours in October 2021, and another in which attackers leaked a series of videos from Iran’s Evin prison showing abuse of prisoners. Iran and Israel have been engaged in an escalating cyber conflict over the past year, and the latest attack may represent another phase in Israel’s campaign. 

Spyware Targets Users in Italy and Kazakhstan  

Google’s Threat Analysis Group (TAG) discovered RCS Labs, an Italian spyware vendor, has been targeting mobile users on iOS and Android in Italy and Kazakhstan. These attacks sent a unique link to the target which if clicked would install a malicious application onto the device. In some cases, the attacker worked with the target’s internet service provider (ISP) to disable the target’s mobile data connectivity. The user would then be sent a text message to download an application to restore connectivity. Alternatively, if ISPs are not involved, the applications are disguised as messaging platforms like WhatsApp. Google notes that the commercial spyware industry is rapidly expanding, threatening the privacy of all internet users. Spyware is increasingly being used to target dissidents, journalists, human rights workers, and opposition party politicians.  

Italy’s Privacy Authority Warns Against the Use of Google Analytics 

The Italian data protection authority (DPA) has ruled that a local web publisher, Caffeina Media Srl’s, use of Google Analytics is in violation of the European Union’s (EU) data privacy legislation since it transfers user data to the United States, which lacks adequate data protection laws. Italy has joined a growing list of countries in the EU that have concluded Google Analytics violates the bloc's data export rules and that Google’s data protections are insufficient. To address this issue, Italy’s DPA has given the web publisher ninety days to stop the data flowing to the United States. These strikes against the service are linked to a landmark ruling from the EU’s top court in July 2020 that deemed Privacy Shield, a data transfer agreement between the EU and the United States invalid. A replacement for Privacy Shield was announced by President Biden and European Commission President Ursula von der Leyen in March 2022, and European officials are confident the new agreement will withstand legal challenges. Others have argued the negotiated arrangement is unlikely to be robust enough to surpass mounting legal challenges. 

Hackers Exploit Harmony Blockchain and Steal $100M in Cryptocurrency 

The blockchain company Harmony announced that hackers had stolen nearly $100 million from the network. Harmony runs a service which allows people to transfer cryptocurrencies between different blockchains. Harmony identified the wallet the attackers transferred the stolen funds to, but the hackers appear to have already filtered at least a quarter of the stolen cryptocurrency through Tornado Cash, a cryptocurrency mixing platform which can obfuscate transactions. There have been several large cryptocurrency thefts this year, including the theft of over $625 million from the Axie Infinity video game in April. 

China Posed as Texans on Social Media to Attack Rare Earths Rival 

The cybersecurity firm Mandiant uncovered a Chinese influence operation designed to mobilize protests against Lynas Rare Earths Ltd., a rare earth mining company. These social media attacks began after Lynas signed a $120 million contract with the Department of Defense to build a processing facility in Texas which threatened China’s global dominance in the mining and processing of rare earth elements. The campaign was traced back to Dragonbridge, a group that has been posting content across seven different platforms against the rare earth facility in Texas since 2019. Dragonbridge deployed numerous social media accounts posing as Texas natives criticizing the facility for the potential environmental damage it would cause. While this operation gained far less traction than previous influence campaigns from China, it was better at micro-targeting audiences to leverage authentic criticism, according to researchers at Mandiant.