Cyber Week in Review: September 23, 2022

Iran restricts internet access in wake of protests 

Iran has been rocked by protests in over eighty cities for the past week following the killing of a 22 year old woman, Mahsa Amini, in the custody of Iran’s morality police. Iran’s regime has responded forcefully, arresting protestors and shutting down cellphone service and the internet in some regions of the country. Iran has also blocked several popular internet applications completely, including Instagram and WhatsApp. The restrictions are some of the most severe seen in Iran since a series of protests in November and December 2019 over the price of fuel, which led Iran to shut down the internet almost entirely within the country. 

Uber hacked by Lapsu$ 

Uber announced last week that it had suffered what it called “a cybersecurity incident,” which led the company to shut down several internal systems until it could identify the extent of the breach. The attacker apparently gained access to the company’s networks through a technique known as multifactor authentication (MFA) fatigue, in which an attacker sends a stream of login requests to a target until the target approves one. Once inside, the attacker gained access to an administrator account, which likely gave them system-wide access, and left taunting messages on internal message boards. The attacker claimed he is an eighteen year old who breached the company without any accomplices. Uber claimed that the attacker was a member of the Lapsu$ hacking group, which conducted several high-profile hacks earlier this year before the core members were arrested. 

Biden administration launches $1 billion cybersecurity grant program 

The Biden administration launched a new cybersecurity grant program which will distribute over $1 billion to various state and local governments over the next four years. The money was originally allocated as part of the $1.2 trillion infrastructure bill passed last year and will be distributed by the Cybersecurity and Infrastructure Security Agency (CISA) and states will be required to apply for the funds, with 80 percent of funds earmarked for local and tribal governments. Local governments are a particular concern as they have struggled to keep up with ransomware attacks. Los Angeles Unified School District was recently struck by a ransomware attack which took down systems used by students, administrators, and teachers and took weeks to resolve.  

Chinese authorities launch investigation into another executive of semiconductor “Big Fund” 

For the sixth time since July, Chinese authorities have placed an executive of China’s National Integrated Circuit Industry Investment Fund (or “Big Fund”) under investigation. Caixin reported on September 16 that Ren Kai, vice president of the Big Fund’s managing firm Sino IC Capital, has been "taken away by relevant departments for investigation” for alleged “serious violations of discipline and law”—a common euphemism for corruption. Notably, Ren also serves as a nonexecutive director at China’s top chipmaker, Semiconductor Manufacturing International Corp (SMIC). In a statement issued to the Hong Kong Stock Exchange, SMIC downplayed Ren’s involvement in the company and said it would continue to monitor the situation. Chinese authorities' investigations into Ren and other executives follow a pattern of regulatory scrutiny over the Big Fund and semiconductor companies that began in September 2021. 

China’s Cybersecurity Law may be amended to impose harsher penalties 

The Cyberspace Administration of China (CAC) released a draft amendment proposing to update China’s 2017 Cybersecurity Law. The internet regulator’s suggestions propose to restructure “legal responsibility system(s)” concerning cybersecurity and personal information protection. The amendment increases maximum fines for various violations by critical information infrastructure operators (CIIO) and enterprises from 100,000 yuan to one million yuan. “Extremely serious” violators—those who have failed to go through or pass security reviews—would be subject to fines up to 50 million yuan or five percent of previous years’ revenue. According to Wang Sixin, a law professor at Communication University of China, the regulator’s use of revenue-related fines echoes similar provisions of the EU’s General Data Protection Regulation (GDPR) and is meant to “tell [enterprises] to pay greater attention to cybersecurity.”