Global Weekly Executive Summary, 02 November 2018

China Telecom and BGP Hijacking

In an article in Military Cyber Affairs, researchers claim to have uncovered evidence that China Telecom has been deliberately using Border Gateway Protocol (BGP) hijacking to selectively divert internet traffic originating in the US and Canada through China.


Source: Military Cyber Affairs, China’s Maxim – Leave No Access Point Unexploited: The Hidden Story of China Telecom’s BGP Hijacking

  • In their article in Military Cyber Affairs, the journal of the Military Cyber Professionals Association, Dr. Chris Demchak, Director of the Center for Cyber Conflict Studies at the US Naval War College, and Dr. Yuval Shavitt, Professor of Electrical Engineering at Tel Aviv University, suggest that China has found a way to gather valuable information from US organizations while still technically adhering to the 2015 US-China Cyber Agreement.
  • In the voluntary 2015 US-China Cyber Agreement, President Xi Jinping and President Obama agreed that neither government would conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets, for commercial advantage. Routing traffic through an ISP's own infrastructure and copying it there is not covered by that language.
  • Demchak & Shavitt's article describes how the researchers used a route tracing system that monitors BGP announcements to identify “unusual and systemic hijacking patterns associated with China Telecom.” They say their findings show that China Telecom “has already relatively seamlessly hijacked domestic US and cross-US traffic and redirected it to China over days, weeks, and months.”
  • The route tracing system, based at Tel Aviv University, was built for DIMES, a project to study and map the structure and topology of the internet.


  • Border Gateway Protocol (BGP) is the routing protocol that carries reachability information between the autonomous systems (ASes) that make up the internet. Each AS announces the IP prefixes it can reach together with the AS path to them; a receiving router chooses among competing announcements by local policy, with a shorter AS path generally preferred, and installs the winner in its forwarding table. Forwarding then uses longest-prefix match, so a more specific announcement (a /24 inside a /23) wins regardless of path length. Nothing in the protocol itself verifies that an AS is entitled to announce a prefix or that the path it advertises is genuine; announcements are accepted on trust.
  • A ZDNet article explains it simply, “PoPs are data centers that do nothing more than re-route traffic between all the smaller networks that make up the larger internet.” “Traffic travels between these AS networks with the help of the Border Gateway Protocol (BGP),” a protocol first specified in 1989 (RFC 1105) and designed without any authentication of the announcements it carries.
  • BGP misconfiguration errors happen easily, and traffic can then be rerouted in ways that have what Demchak & Shavitt describe as “almost global effects.”
    • As an example, the researchers cite the February 2008 Pakistan Telecom error that “accidentally hijacked all Youtube traffic for several hours as administrators make mistakes in using routing to censor a clip considered non-Islamic.”

BGP Hijacking

  • BGP hijacking occurs when an AS deliberately announces prefixes it is not entitled to originate, or advertises a forged AS path, so that other networks send traffic for those prefixes to the hijacker.
  • A hijack that forwards the diverted traffic on to its real destination is a man-in-the-middle attack at the routing layer, and it is difficult to distinguish from an accidental router misconfiguration. Demchak & Shavitt say that the route tracing system they used allowed them to identify what a Sophos article described as “a series of unusual routing events that they believe were too consistent in their duration and scale to be dismissed as accidents.”
  • BGP hijacks are also difficult to detect and protect against at the endpoints because, as the article puts it, “it is not a hack of the endpoint but of the critical exchanges carrying information between end points.” Users do not need to click on a bad link, and administrators at either end see nothing beyond, at most, a small increase in latency. Sensitive and valuable data can be rerouted, copied and collected, and forwarded on to the correct destination with only a brief delay.
  • According to Demchak & Shavitt, “most BGP hijacks are the work of government agencies or large transnational criminal organizations with access to, leverage over, or control of strategically placed ISPs.”
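The two mechanisms described above, longest-prefix-match forwarding (which is why a more specific hijack announcement wins) and the absence of any check on who may originate a prefix, can be shown in a few dozen lines. The following is an added example, not code from the Demchak & Shavitt paper, the newsletter, or any network operator: a toy BGP routing table, a more-specific hijack run against it, and RFC 6811-style route origin validation against RPKI ROAs as the check an operator can apply. All AS numbers, prefixes and the ROA table are constructed for illustration.

```python
# Added example (not from the paper or the newsletter): toy BGP best-path
# selection, a more-specific hijack, and RFC 6811 route origin validation.
# AS numbers, prefixes and the ROA table are constructed for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple  # neighbour AS first ... origin AS last


class Rib:
    """Minimal routing information base: one best route per prefix."""

    def __init__(self):
        self.best = {}

    def announce(self, prefix, as_path):
        """Install an announcement if it beats the current best for the prefix.
        Simplified decision process: shorter AS path wins. Real BGP applies
        local preference and other tie-breakers first, but none of them
        checks whether the announcing AS is entitled to the prefix."""
        route = Route(ipaddress.ip_network(prefix), tuple(as_path))
        current = self.best.get(route.prefix)
        if current is None or len(route.as_path) < len(current.as_path):
            self.best[route.prefix] = route

    def lookup(self, address):
        """Forwarding uses longest-prefix match: a /24 beats a covering /23
        no matter how long its AS path is."""
        addr = ipaddress.ip_address(address)
        covering = [p for p in self.best if addr in p]
        if not covering:
            return None
        return self.best[max(covering, key=lambda p: p.prefixlen)]


# Constructed ROA table: prefix -> (authorised origin AS, max prefix length).
ROAS = {
    ipaddress.ip_network("203.0.112.0/23"): (64500, 24),
}


def validate_origin(prefix, as_path, roas=ROAS):
    """Route origin validation (RFC 6811): 'valid', 'invalid' or 'not_found'."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covering = [p for p in roas if net.subnet_of(p)]
    if not covering:
        return "not_found"
    for p in covering:
        auth_as, max_len = roas[p]
        if origin == auth_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid"


def hijack_demo():
    """Origin AS that traffic to 203.0.113.10 reaches before and after a
    more-specific hijack announcement, plus the ROV verdicts."""
    rib = Rib()
    legit = [64510, 64500]                  # via transit 64510 to owner 64500
    rib.announce("203.0.112.0/23", legit)
    before = rib.lookup("203.0.113.10").as_path[-1]
    # Hijacker 64666 announces a more specific /24 over a longer path:
    hijack = [64520, 64530, 64666]
    rib.announce("203.0.113.0/24", hijack)
    after = rib.lookup("203.0.113.10").as_path[-1]
    return {
        "origin_before": before,
        "origin_after": after,
        "rov_legit": validate_origin("203.0.112.0/23", legit),
        "rov_hijack": validate_origin("203.0.113.0/24", hijack),
        # A forged path that keeps the real origin AS at its end passes ROV:
        # origin validation alone does not catch path-spoofing hijacks.
        "rov_forged_path": validate_origin("203.0.113.0/24", [64520, 64666, 64500]),
    }


if __name__ == "__main__":
    for key, value in hijack_demo().items():
        print(f"{key}: {value}")
```

The demo shows that after the hijack the /24 announcement wins on prefix length even though its AS path is longer, and that ROV rejects it because the origin AS does not match the ROA. The last entry is the caveat a practitioner should keep in mind: a hijacker who forges the path but leaves the legitimate origin AS at the end passes origin validation, which is why ROV is a necessary but not sufficient control.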

China Telecom

  • China Telecom is a large telecommunications company based in China that operates ten Chinese-controlled internet “points of presence” (PoPs) across North America: eight in the US and two in Canada. According to the China Telecom Americas website, its first US PoPs were established in 2000.
  • According to Demchak & Shavitt, in April 2010 China Telecom hijacked what they describe as 15% of internet traffic for 18 minutes, in what is believed to have been both a large-scale experiment and a demonstration of Chinese capability to control the flow of internet traffic. (The incident involved the announcement of roughly 37,000 prefixes; analyses published at the time put the share of actual traffic diverted well below 15%.)
  • February to August 2016: “routes from Canada to Korean government sites were hijacked by China Telecom and routed through China.”
  • October 2016: traffic from several locations in the US to a large bank headquartered in Milan, Italy was hijacked by China Telecom to China.
  • April/May 2017: traffic from Sweden and Norway to the Japanese network of a large American news organization was hijacked to China.
  • April, May, and July 2017: traffic to the mail server (and other IP addresses) of a large financial company in Thailand was hijacked several times.


Significance and Analysis

This article shows that internet communications can be compromised in ways that the endpoints cannot easily detect and cannot prevent on their own. Demchak & Shavitt highlight the impact that China’s use of BGP hijacking can have on data confidentiality and availability, but the problem could be much larger than the instances described. Data integrity could also be affected, since traffic that passes through a hostile network can be altered as well as copied, and China may not be the only country using BGP hijacking to intercept data sent across the internet.

Demchak & Shavitt discussed how BGP hijacking can cause network traffic to be rerouted so that it is intercepted, copied, and sent on without either sender or receiver noticing, but they also described one instance of traffic being rerouted and never reaching the intended recipient. Data from US companies, or from anyone, could conceivably be intercepted, copied, and held so that the recipient never receives it, all without the original sender or the intended recipient knowing anything is amiss.

A Sophos blog post on this subject offers the following advice, “One defence against BGP hijacking is TLS encryption. It doesn’t stop the rerouting but if someone diverts web, email or DNS traffic encrypted with TLS through their POP it should be unreadable.” Two caveats apply. TLS protects the payload only if the client actually validates the server’s certificate and the attacker cannot obtain one of their own, and it does nothing for availability: a hijacker who blackholes the traffic still denies service. Defences at the routing layer itself, such as RPKI route origin validation and prefix filtering at peering points, address the false announcement rather than its consequences, and are the controls an ISP, rather than an end user, can deploy.


The White House, FACT SHEET: President Xi Jinping’s State Visit to the United States

Military Cyber Affairs, China’s Maxim – Leave No Access Point Unexploited: The Hidden Story of China Telecom’s BGP Hijacking

Sophos, Naked Security Blog, China hijacking internet traffic using BGP, claim researchers

Yuval Shavitt and Eran Shir, DIMES: Let the Internet Measure Itself (PDF)

ZDnet, China has been ‘hijacking the vital internet backbone of western countries’

China Telecom Americas, History

Global Cybersecurity Resources

Cybersecurity Event/Threatgroup Trackers




The CyberWar Map and Other Cybersecurity Trackers

Featured Cybersecurity Tracker: The CyberWar Map, National Security Archive

(Note: access the CyberWar Map through the link on the Cyber Vault Project home page. Each edition is published at a new URL, so bookmarking a particular edition will not pick up later updates.)

The CyberWar Map is associated with the Cyber Vault Project, an online repository of declassified or unclassified primary-source documents “obtained under the Freedom of Information Act and from other sources” documenting cyber activities of the U.S. and foreign governments. The Cyber Vault Project, funded by The Hewlett Foundation, is part of George Washington University’s National Security Archive.

The CyberWar Map, launched in June 2018, is an interactive map that uses data visualization to help users track global cybersecurity events, actors, government and organizational affiliations, targets, connections, and attribution. The CyberWar Map also links to supporting documents in the Cyber Vault Library and to publications from cybersecurity researchers and news organizations. The map is especially useful for identifying APT aliases, learning about unfamiliar cybersecurity events, and tracking what the creators call “state-to-state cyberconflict.”

Clicking on a flag, dot, or line causes the side panel to load relevant information including links to related documents. The sidebar default shows a list of links for “Nations” which includes groups that operate beyond a country’s borders, for example, Al Qaeda, and ISIS. The “Focus” option allows users to see only information related to a specific node.

The CyberWar Map is based on a mindmap and is not meant to resemble a geographical map. This abstraction of dots and lines can help users identify surprising connections that might be overlooked when reading an article or consulting a spreadsheet or database.  

Although the map connects to some declassified US government Cyber Vault documents, the majority of the documents offered for specific cyber events come from news organizations or security researchers, and often only a single source is listed for an event. The CyberWar Map also covers only relatively recent events; the earliest event article found was dated 2010. The map also seems to lag slightly behind the Cyber Vault itself, which is extremely timely and current to the day of document release.


More Cybersecurity Trackers

Cyber Operations Tracker

Digital and Cyberspace Policy Program

Council on Foreign Relations

“The cyber operations tracker categorizes all instances of publicly known state-sponsored cyber activity since 2005. The tracker only contains data in which the perpetrator, also known as the threat actor, is suspected to be affiliated with a nation-state.”


APT Groups and Operations spreadsheet

Florian Roth

“Cyber security companies and Antivirus vendors use different names for the same threat actors and often refer to the reports and group names of each other. However, it is a difficult task to keep track of the different names and naming schemes. I wanted to create a reference that answers questions like “I read a report about the ‘Tsar Team’, is there another name for that group?” or “Attackers used ‘China Chopper’ webshell, which of the APT groups did use that shell too?” or “Did he just say ‘NetTraveler’? So, does he talk about Chinese or Russian attackers?””


Significant Cyber Incidents

Center for Strategic and International Studies (CSIS)

“This timeline records significant cyber incidents since 2006. We focus on cyber attacks on government agencies, defense and high tech companies, or economic crimes with losses of more than a million dollars.”


Targeted Cyberattacks Logbook

Kaspersky Securelist

“Kaspersky Lab’s Targeted Cyberattack Logbook chronicles all of these ground-breaking malicious cybercampaigns that have been investigated by GReAT.”

Global Weekly Executive Summary, 3 August 2018


In July 2018, the VPNFilter malware reportedly tied to a Russian military intelligence agency infected a chlorine station connected to Ukrainian water treatment and sewage plants. This intrusion is the latest in a string of disruptive Russian cyberattacks to target critical infrastructure in the past three years.

VPNFilter also made news in the US in May 2018 when 500,000 routers and other devices for small office/home office use were discovered to be infected by the malware.

The Aulska Chlorine Station

On 11 July 2018, the Security Service of Ukraine (SBU) released a statement that it had detected the VPNFilter malware on the systems of the Aulska chlorine station in central Ukraine. The SBU says that “within a few minutes,” the technological processes and safety systems at the station were affected by the “computer virus VPNFilter from the territory of the Russian Federation.” The statement went on to say, “the continuation of the cyberattack could have led to a breakdown of technological processes and possible crash.”

According to the statement, the goal of the cyberattack was to block the functioning of the overflow station “which provides liquid chlorine to clean water from water supply and sewerage enterprises throughout the territory of Ukraine.”

VPNFilter in the US

In May 2018, alerts and news releases from US-CERT, the US Department of Justice, and the Federal Bureau of Investigation warned that the VPNFilter malware had infected 500,000 routers and other devices in 54 countries.

A US-CERT technical alert warned that infected devices like routers and network-attached storage (NAS) devices were vulnerable to network traffic collection, the monitoring of Modbus supervisory control and data acquisition (SCADA) protocols, and that the malware included “a destructive capability that can make the affected device unusable.”

This means that many of the most popular routers and data storage devices used in homes or small offices were vulnerable to infection by malware that allowed for snooping. VPNFilter also had a “kill function” that would render infected devices inoperable; a kill command sent to all infected devices could have left half a million homes or small offices without internet access or saved files. It is also notable that VPNFilter was so modular and adaptable that malware perhaps originally used to monitor network traffic and steal home users’ website sign-in credentials also had the capability to monitor Modbus, a protocol used in industrial control settings and not in homes or small offices.

A May 2018 blog post by Talos suggested that because of a spike in VPNFilter victims located in Ukraine and code similarities between VPNFilter and the BlackEnergy malware responsible for power outages in Ukraine in 2015, they suspected that devices infected by VPNFilter might be used as a botnet for a future cyberattack against Ukraine.

In a May 2018 press release, the US Department of Justice (DOJ) announced that they had seized control of a command and control server used to support VPNFilter and attributed the malware to Sofacy Group, also known as APT28 or Fancy Bear. This group is believed to be tied to the Russian foreign military intelligence agency, called the Main Intelligence Directorate or GRU. In July 2018, the US Department of Justice announced indictments for twelve GRU officers “for hacking offenses related to the 2016 [US presidential] election.”

Connections to Previous Cyberattacks

Ukraine and its critical infrastructure have been targeted by cyberattacks in the past.

The NotPetya and Bad Rabbit ransomware attacks in June and October of 2017 affected critical infrastructure organizations in energy, communications, transportation, manufacturing, and banking, as well as the Chernobyl radiation monitoring system. The BlackEnergy attack in December 2015 and the CrashOverride/Industroyer attack in December 2016 both targeted the power grid, leading to power outages. Russia is suspected of being the source of the cyberattacks targeting or affecting Ukraine’s critical infrastructure that have occurred since the 2014 Russian annexation of Crimea.

The US government warned of ongoing critical infrastructure attacks in the US as recently as March 2018. The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a joint Technical Alert “on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.” During a DHS Awareness Briefing in July 2018, Jonathan Homer of the DHS’s National Cybersecurity & Communications Integration Center (NCCIC) stated that although there was no evidence of efforts to shut down the electrical grid, “They got access into systems. They did not push the button.” The activity was described as an “ongoing campaign.”



We have reached a new stage in which nation-state cyber operations no longer only affect powerful, high level targets like government agencies, the military, political leaders, and huge corporations. Nation-state sponsored cyber operations are now affecting the safety of regular people.

With VPNFilter, home users, small business owners, and the devices in our homes were the target. Critical infrastructure providers that deliver water treatment, electricity, and other essential services to the general public are now targets as well.

In the case of the Aulska Chlorine Station, the goal of this cyber intrusion appears to have been to affect the functioning of the station which would in turn affect the water and sewage treatment facilities across Ukraine. If this attack had not been averted, a cyberattack launched by one country would have, in effect, tampered with the water supply of a neighboring country.

As nation-state sponsored cyber activity moves beyond espionage and cyberattacks begin to have physical results that affect human safety, events like the targeting of the Aulska Chlorine Station should rouse governments around the world to come together and decide which types of cyberattacks might be considered an act of war comparable to a physical armed attack that would warrant exercising the rights of self-defense in response (as discussed in the United Nations Charter, Chapter VII, Article 51).

For a more in-depth technical discussion, please see the article by our Vulnerabilities Analyst.

For more information on how to prevent and mitigate VPNFilter infections, please see the article by our Best Practices Analyst.



US Critical Infrastructure Sectors

as defined by the Department of Homeland Security

“There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”

Chemical Sector

Commercial Facilities Sector

Communications Sector

Critical Manufacturing Sector

Dams Sector

Defense Industrial Base Sector

Emergency Services Sector

Energy Sector

Financial Services Sector

Food and Agriculture Sector

Government Facilities Sector

Healthcare and Public Health Sector

Information Technology Sector

Nuclear Reactors, Materials, and Waste Sector


Transportation Systems Sector

Water and Wastewater Systems Sector


Security Service of Ukraine, In the Dnipropetrovsk region, the SBU warned the cyberattack of Russian special services on the critical infrastructure object, 11 July 2018

Interfax Ukraine, SBU thwarts cyber attack from Russia against chlorine station in Dnipropetrovsk region, 11 July 2018

SecurityWeek, VPNFilter Malware Hits Critical Infrastructure in Ukraine, 13 July 2018

Cyberscoop, Researchers uncover sophisticated botnet aimed at possible attack inside Ukraine, 23 May 2018


Washington Post, Why the FBI says rebooting your router can weaken a global malware attack, 30 May 2018

Reuters, German intelligence sees Russia behind hack of energy firms: media report, 20 June 2018

SecurityWeek, Hackers Target Control Systems in U.S. Energy Firms: Symantec

Technical Reports

Cisco, Talos, New VPNFilter malware targets at least 500K networking devices worldwide, 23 May 2018

Cisco, Talos, VPNFilter Update – VPNFilter exploits endpoints, targets new devices, 6 June 2018

US/Federal Alerts

US-CERT, VPNFilter Destructive Malware, 23 May 2018

US Department of Justice, Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices, 23 May 2018

Internet Crime Complaint Center (IC3), Public Service Announcement, FOREIGN CYBER ACTORS TARGET HOME AND OFFICE ROUTERS AND NETWORKED DEVICES WORLDWIDE, 25 May 2018

US-CERT, Alert (TA18-074A), Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors, 15 March 2018


Cyber Threat Alliance, CTA Actions Around VPNFilter

The White House, Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, 11 May 2017

Department of Homeland Security, Critical Infrastructure Resources

Lawfare, Cyber Strategy & Policy: International Law Dimensions, 1 March 2017



Schmitt, M. N., & Vihul, L. (2017). Tallinn manual 2.0 on the international law applicable to cyber operations: Prepared by the International Group of Experts at the invitation of the NATO Cooperative Cyber Defence Centre of Excellence. Cambridge: Cambridge University Press.

Shakacon 2018 Highlights

The Shakacon X IT Security Conference was held at the Prince Waikiki on July 11-12, 2018.

Stealth Mango & Tangelo: Selling your fruits to state actors

Andrew Blaich and Michael Flossman, Lookout

Blaich and Flossman trace the path of spouseware that is being adapted, sold, and used by nation state actors. Spouseware is surveillance software generally used to spy on a spouse or partner. Legitimate spouseware apps available in the Google Play store share code and C2 infrastructure with surveillance software being used by nation state actors because the same developers work on both. Adapting spouseware to nation state surveillance is easy because both have the same goals and need to have the same capabilities: device info and tracking, call logs, screen capture, audio recording, photo and file stealing.

Lookout, Stealth Mango and Tangelo: Nation state mobile surveillanceware stealing data from military & government officials


The Rise of the Middle East- Blue vs Red

Mukund Hirani and Dan Caban, Mandiant

Hirani and Caban provide an overview of the Iranian threat actors APT33, APT34, APT35 and others. They explored the targets and TTPs of each group, described similarities and differences between them, and discussed the process that they as researchers used to gather information and study the groups.

FireEye, Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign

FireEye, Advanced Persistent Threat Groups

How to Rob a Bank Over the Phone

Joshua Crumbaugh, Naga Security

Crumbaugh talks the audience through one social engineering operation that occurred while performing a pen test on a bank. Into his story of how a phone conversation led to physical access to a bank vault full of money, he weaves tips for social engineering success.


Hell of Attribution: Olympic Destroyer is here to Trick the Industry

Seongsu Park, Kaspersky Lab GReAT

Park describes his team’s experiences tracking Olympic Destroyer and the cyberattack on the Pyeongchang 2018 Winter Olympics. He discusses malware characteristics including the false flag tactics used to make Olympic Destroyer appear to be the work of Bluenoroff, a subgroup of the North Korea-affiliated group Lazarus, which was initially suspected as the culprit. The threat group Kaspersky calls Hades is thought to be responsible. Olympic Destroyer infections did not cease after the 2018 Winter Olympics; they have continued with new targets, including financial institutions in Russia and biological and chemical threat prevention laboratories in Europe. Although Park did not discuss a location or country affiliation for the Hades threat group, Kaspersky Lab’s Securelist APT Trends Report for Q2 2018 notes similarities between Olympic Destroyer activity and the Sofacy Group associated with the Russian military intelligence agency GRU.

Kaspersky, SecureList, OlympicDestroyer is here to trick the industry

Kaspersky, SecureList, Olympic Destroyer is still alive


Keynote: What is the hacker community?

Johnny Long, Hackers for Charity

Johnny Long, author of Google Hacking for Penetration Testers and twelve other infosec books, talked about how the hacker community came together to support work he has done to further technology education around the world, including: setting up computer learning centers, vocational training, and hackerspaces in Uganda, offline education stations and robotics programs in Kenya, disaster response technology support in Puerto Rico after Hurricane Maria, and creating community security awareness training classes and makerspaces in Louisville and other cities in the US.

Hackers for Charity


Honorable Mentions:

Lockpicking Village run by Lady Merlin and TOOOL

IOT Village and CTF run by Independent Security Evaluators

Shakacon Drive-by Conference Check-in

Global Weekly Executive Summary, 21 May 2018

Tennessee County Elections Targeted by Cyberattacks

A Tennessee county elections website was the target of a cyberattack that crashed the site on primary election night while a network intrusion was quietly taking place at the same time.

A vote total reporting website in Knox County was targeted by a distributed denial of service (DDoS) attack that brought down the website for an hour after the polls closed during a recent primary election, but this DDoS attack acted as a distraction while a second more sophisticated attack, a network intrusion, occurred simultaneously.

A Knox News article reports that Knox County IT director Dick Moran and deputy director David Ball believe that “all of the disruption… was an effort to distract the county while another, simultaneous attack was happening behind the scenes accessing county information.”

Ball says that the intrusion affected a county server that contained only publicly available information; no personal or confidential information was present on the server. “It was not an attempt to actually change any data or put anything onto our servers; it was an attempt to take things off of our servers, to read what was there … they were looking to get things, not give things,” Ball said.

An Associated Press article quotes Ball as writing “there was a proven malicious attack from a foreign source occurring simultaneously with an apparent deliberate DOS attack.” Ball concluded that “given the circumstantial evidence[,] especially the simultaneous proven malicious intrusion from a Ukraine IP address[,] I think it is reasonable to at least hypothesize that it was an intended event.”

A Knox News article reports Moran as saying that “the [DDoS] cyberattack had no effect on vote tallies. It only prevented officials from displaying election results to the public through the Knox County Election Commission’s website.” Ball added that their voting machines are “not networked in any way.”

The cybersecurity company hired to investigate the attack, Sword & Shield, stated in its report that IP addresses from 65 countries were involved in the DDoS attack, including a Ukrainian IP address that was also involved in the server intrusion.

In the AP article dated May 12th, a spokesperson for the FBI in Knoxville said that the county had not reached out to the FBI for assistance in the investigation, nearly two weeks after the attack took place. A more recent May 17th Knox News article says that both the FBI and the Department of Homeland Security are now assisting in the investigation.


Cyberattacks targeting elections could be used by foreign state actors to disrupt the democratic process and damage public confidence in their results.

This event was a small scale cyberattack that did not affect vote tallies and caused no lasting damage, but it is significant because it highlights the important role that local elections officials and local IT workers play in US election security. Smaller county elections are now targets for cyberattacks, and we must be prepared to defend the election process starting at the local level.

Local, state, and federal officials and policy makers will have to work closely with IT administrators and workers and the information security community to secure elections. Local and state officials should be aware of the resources and assistance that can be provided by federal organizations. The federal government, federal organizations, and policy-makers can, in turn, provide clear guidance, sufficient funding, and timely, effective assistance to the local officials and IT workers who are also working toward the same goal of securing our US elections.


Associated Press, Ukraine computer involved in Tennessee elections attack, 12 May 2018

Knox News, Cyberattack crashes Knox County election website; votes unaffected, 1 May 2018

Knox News, Knox County election night cyberattack was smokescreen for another attack, 17 May 2018

Global Weekly Executive Summary, 22 June 2018

A cyberattack on a US Navy contractor resulted in the theft of sensitive military plans in this latest incident of Chinese industrial espionage targeting military contractors.

Government hackers working for China’s Ministry of State Security have stolen 614 gigabytes of “highly sensitive” data from a US Navy contractor.

According to a Washington Post article, the data accessed included information on an anti-ship missile project under development, “signals and sensor data, submarine radio room information relating to cryptographic systems, and the Navy submarine development unit’s electronic warfare library.” The article also stated that “details on hundreds of mechanical and software systems were compromised.”

A BBC article reported that the stolen data was housed on the contractor’s unclassified network despite being described as sensitive “due to the nature of the technology being developed and links to other military projects.” The Washington Post article reported a US official as saying that “the material, when aggregated, could be considered classified.”

The unnamed contractor was employed by the Naval Undersea Warfare Center, an organization that conducts research and development for submarines and underwater weaponry.

China’s Ministry of State Security, the perpetrator of the data theft, is described by the Washington Post as “a civilian spy agency responsible for counterintelligence, foreign intelligence and domestic political security” which includes a foreign hacking department.


This incident is the latest in a long string of similar industrial espionage efforts by China to target and collect US intellectual property by technical means or through business partnerships. According to a 2013 Washington Post report on a confidential Defense Science Board list, designs for US military aircraft, ships, and weapons systems had been compromised by Chinese cyber espionage within the preceding decade.

Earlier this year, Director of National Intelligence Dan Coats testified before Congress that “Most detected Chinese cyber operations against US private industry are focused on cleared defense contractors or IT and communications firms whose products and services support government and private sector networks worldwide” and that China would “continue to use cyber espionage and bolster cyber attack capabilities to support national security priorities.”

On the subject of technology acquisitions, Coats testified that “China… has acquired proprietary technology and early-stage ideas through cyber enabled means. At the same time, some actors use largely legitimate, legal transfers and relationships to gain access to research fields, experts, and key enabling industrial processes that could, over time, erode America’s long-term competitive advantages.”


Washington Post, China hacked a Navy contractor and secured a trove of highly sensitive data on submarine warfare, 8 June 2018

CBS News, Chinese government hacked U.S. Navy contractor, officials say, 8 June 2018


BBC, China hackers steal data from US Navy contractor – reports, 9 June 2018

ExecutiveGov, Report: China Compromised Submarine Warfare Data Stored in Navy Contractor’s Computers, 11 June 2018

New York Times, Chinese Hackers Steal Unclassified Data From Navy Contractor, 8 June 2018

Washington Post, Confidential report lists U.S. weapons system designs compromised by Chinese cyberspies, 27 May 2013

This Week in CyberSec Headlines, 21 May 2018

US News

Tennessee Election Security

Tennessee County Elections Targeted by Cyberattacks, CSCC article

Alaska Election Website Hacked in 2016

CyberScoop, Alaska election website was hacked on Election Day in 2016: report, 8 May 2018

“On Election Day 2016, a hacker successfully penetrated a server hosting Alaska’s main election website, the Anchorage Daily News reported on Monday night, citing documents obtained through a public records request.”

Anchorage Daily News, Hackers broke partway into Alaska’s election system in 2016. Officials say no damage was done., 8 May 2018

Alaska Division of Administrative Services, Document re: Alaska Division of Elections Reporting System Compromise (pdf), 8 November 2016

“This morning at 5:37am we were notified via an alert that an unknown individual… had posted a screen shot from what appeared to be a compromised Alaska Division of Elections reporting system.”

Senate Report on Russian Election Interference

Fifth Domain, The 7 takeaways from the Senate report on Russia’s election interference, 9 May 2018

“The Senate Intelligence Committee provided a narrative of Russia’s efforts to disrupt the 2016 presidential election and offered six recommendations for the government to improve its security.”

Securus Breach, LocationSmart Data Leaks, and Mobile Tracking

Motherboard, Hacker Breaches Securus, the Company That Helps Cops Track Phones Across the US, 16 May 2018

Krebs On Security, Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site, 18 May 2018

“LocationSmart, a U.S. based company that acts as an aggregator of real-time data about the precise location of mobile phone devices, has been leaking this information to anyone via a buggy component of its Web site — without the need for any password or other form of authentication or authorization.”

“…It could be used to reveal the location of any AT&T, Sprint, T-Mobile or Verizon phone in the United States to an accuracy of within a few hundred yards.”

ZDnet, US cell carriers are selling access to your real-time phone location data, 14 May 2018

“Securus, a prison technology company, can track any phone “within seconds” by using data obtained from the country’s largest cell giants, including AT&T, Verizon, T-Mobile, and Sprint, through an intermediary, LocationSmart.”

New York Times, Service Meant to Monitor Inmates’ Calls Could Track You, Too, 10 May 2018

Motherboard, Cops Can Find the Location of Any Phone in the Country in Seconds, and a Senator Wants to Know Why

United States Senate, Letter from Senator Ron Wyden, 8 May 2018

Chili’s Data Breach

Threatpost, Chili’s Doesn’t Leave Data Breach on the Back Burner

“Chili’s has become the latest victim of a data breach involving the heist of point-of-sale information from payment cards”

Cybersecurity Tech Accord

Cybersecurity Tech Accord, Signing pledge to fight cyberattacks, 34 leading companies promise equal protection for customers worldwide, 17 April 2018

“34 global technology and security companies signed a Cybersecurity Tech Accord, a watershed agreement among the largest-ever group of companies agreeing to defend all customers everywhere from malicious attacks by cybercriminal enterprises and nation-states. The 34 companies include ABB, Arm, Cisco, Facebook, HP, HPE, Microsoft, Nokia, Oracle, and Trend Micro”

Cybersecurity Tech Accord

Vault7 CIA Data Breach Suspect Charged

New York Times, Suspect Identified in C.I.A. Leak Was Charged, but Not for the Breach

Department of Homeland Security, U.S. Department of Homeland Security Cybersecurity Strategy (pdf), 15 May 2018

White House Cybersecurity Coordinator Role Eliminated

SecurityWeek, White House Cuts Cybersecurity Coordinator Role

“The White House has eliminated the role of cybersecurity coordinator following the departure of Rob Joyce, and many lawmakers and cybersecurity experts are not happy with the decision.”

“…the decision is part of an effort to ‘streamline authority’ and the duties of the cybersecurity coordinator will be performed by the two other senior directors on the NSC cyber team.”

ZDnet, White House eliminates cybersecurity coordinator role

Executive Order Elevates CIO Role

FedScoop, Trump signs executive order to elevate the role of agency CIOs

“President Donald Trump has signed an executive order that will elevate the role of agency CIOs. The order, issued Tuesday afternoon, will require that agency CIOs report directly to the agency head. It will also make CIOs voting members of bureau-level IT governance boards in a bid to increase their enterprise awareness, and give them increased hiring powers.”

White House, Executive Order Enhancing the Effectiveness of Agency Chief Information Officers

International News

Rail Europe Data Breach

Rail Europe, Notice of Data Breach (pdf)

“We discovered that beginning on November 29, 2017, through February 16, 2018, unauthorized persons gained unauthorized access to our ecommerce websites’ IT platform.”

Bitdefender, Hot For Security blog, Rail Europe data breach lasted almost three months, 16 May 2018

“Rail Europe North America Inc (RENA) is writing to customers to inform them that it has discovered evidence that hackers gained unauthorised access to its ecommerce website used to book tickets, and might have stolen a significant amount of sensitive data.”

Syrian Electronic Army Indictments

Bitdefender, Hot For Security blog, Suspected Syrian Electronic Army hackers indicted for conspiracy and identity theft, 18 May 2018

Dark Reading, Syrian Electronic Army Members Indicted for Conspiracy, 18 May 2018

“A federal grand jury has returned an 11-count indictment against two Syrian men, who have been charged with multiple counts of aggravated identity theft and their involvement in a conspiracy to commit computer hacking as members of the Syrian Electronic Army (SEA).”

“The indictment alleges that Ahmad ‘Umar Agha… conducted spearphishing attacks on the US government, military, international organizations, and several private-sector entities including the US Marine Corps, Executive Office of the President, NASA, The New York Times, USA Today, Time, Human Rights Watch, National Public Radio, and several other organizations and individuals.”

Dark Overlord Arrests in Serbia

Bitdefender, Hot For Security blog, The Dark Overlord: Suspected hacking group member arrested in Serbia, 17 May 2018

“Serbian police have arrested a man suspected of being a member of the notorious and high profile hacking and extortion group…Past victims of The Dark Overlord “hack-then-extort” group include Hollywood studios, investment banks, Gorilla Glue, a celebrity plastic surgery clinic, and healthcare organisations.”

CyberScoop, ‘TheDarkOverlord’ shrugs shoulders over Serbian man’s arrest, 18 May 2018

“The group is famous for a noisy two-year cybercrime spree including hacking, extorting and then leaking episodes from the Netflix series “Orange is the New Black,” as well as hacking U.S. school systems and sending death threats to U.S. students.”

Japan Data Breach

SecurityWeek, 200 Million Sets of Japanese PII Emerge on Underground Forums

“A dataset allegedly containing 200 million unique sets of personally identifiable information (PII) exfiltrated from several popular Japanese website databases emerged on underground forums.”

Mexican Bank Thefts

Reuters, Mexico central bank says hackers siphoned $15 million from five companies, 16 May 2018

“Mexico’s central bank said on Wednesday that a cyber attack had sucked around 300 million pesos ($15.33 million) in fraudulent transfers from five companies, but it was unclear how much thieves had managed to pull out in cash.”

Tripwire, The State of Security blog, Hackers siphon hundreds of millions of pesos out of Mexican banks through shadow transactions, 17 May 2018

“A software vulnerability is suspected of being to blame for a hack through which criminals transferred more than 300 million pesos (over US $15 million) out of Mexican banks.”

Global Cyber Analyst Intern

Position Description

The Global Cyber Environment section covers significant or large-scale cybersecurity events with global, regional, or local impact that may influence security and business strategies. The Global Analyst position delivers weekly executive summaries about current cybersecurity events to inform and strengthen Hawaii’s community.
  • International, US, and Hawaii cybersecurity news
  • Major ransomware, DDoS, or critical infrastructure sector attacks
  • Major data breaches affecting the general public, the US government, or the state of Hawaii.
  • APT activity, cyberespionage, and national security news
  • New US or Hawaii legislation relating to cybersecurity

Duties and Responsibilities

  1. Monitor news about the current global cyber environment
  2. Write and post products for the UHWO CSCC website about global cybersecurity events
    1. The Global Weekly Executive Summary: timely coverage and analysis of significant cybersecurity events
    2. This Week in CyberSec Headlines: a brief summary of current cybersecurity news not covered in the Global Weekly Executive Summary
  3. Assign appropriate geographical and keyword tags to articles so that they can be sorted by region or subject
  4. Maintain the Global section and subsections on the CSCC website

Global Sections and Subsections

  • Global Weekly Executive Summaries
  • This Week in CyberSec Headlines
  • US Cybersecurity News
    • United States
    • Spotlight: Hawaii
  • World Cybersecurity News (Geographic regions defined by the CIA World Factbook)
    • Africa
    • Asia
    • Central America & the Caribbean
    • Europe
    • Middle East
    • North America
    • Oceania
    • South America
  • Legislation
    • US Federal
    • Hawaii State

Global Weekly Executive Summary, 13 April 2018

State of Hawaii Targeted in Iranian Data Theft

The U.S. Department of Justice’s recent indictment of nine Iranians accused of conducting cyberattacks contained a list of targeted organizations that included the State of Hawaii. This announcement coincided with “unusual activity” noted in dozens of State of Hawaii email accounts.

On March 23rd, the U.S. Department of Justice (DOJ) announced indictments charging nine Iranian nationals working for the Mabna Institute with malicious cyber-enabled activity and the theft of intellectual property and academic and proprietary data on the behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC), an intelligence-gathering government entity.

The DOJ indictment announcement states that 31 terabytes of documents and data were taken from American and foreign universities, American and foreign companies, and U.S. government agencies in a campaign that spanned from 2013 to December of 2017.

The news release lists targets of the Mabna Institute, including the state of Hawaii, the state of Indiana, the U.S. Department of Labor, the Federal Energy Regulatory Commission, and the United Nations. Thousands of professors at hundreds of universities across 21 countries as well as 47 private sector companies were also targeted.

According to the DOJ press release, “The Mabna Institute… targeted more than 100,000 accounts of professors around the world.  They successfully compromised approximately 8,000 professor email accounts across 144 U.S.-based universities, and 176 universities located in foreign countries, including Australia, Canada, China, Denmark, Finland, Germany, Ireland, Israel, Italy, Japan, Malaysia, Netherlands, Norway, Poland, Singapore, South Korea, Spain, Sweden, Switzerland, Turkey and the United Kingdom.”

Hawaii Phishing Attempts and the ETS Response

The State of Hawaii Office of Enterprise Technology Services (ETS) released a statement on March 23rd, the same day as the DOJ indictment announcement, describing “unusual activity involving thirty-seven email accounts.”

A Hawaii News Now article describes a timeline of events, saying the first phishing emails targeting the state of Hawaii arrived on Saturday, March 21 when an employee at the state Department of Agriculture clicked on a malicious link. On Monday, March 23, an employee at the state Department of Human Services also clicked on the link.

The statement from State Chief Information Officer (CIO) Todd Nacapuy and Chief Information Security Officer (CISO) Vincent Hoang says that the situation was resolved quickly, the emails did not contain confidential information, and “the State’s computer systems where confidential information is stored was not breached.” The Hawaii News Now article quotes Hoang as saying “the two attacks did not penetrate the state’s internal system so no resident information was compromised.”

ETS believes that the two phishing attempts are connected and the emails come from the same source. After the first user clicked on a malicious link, “a warning from the state’s IT office was sent out to workers reminding them not to open links without investigating first,” State CISO Vincent Hoang was quoted as saying.

User Education is the Best Defense

According to Hoang, “We can throw a lot of technology at it but at the end of the day, the best defense is relying on our users by educating them.” Hoang described one element of this user education and training when he mentioned conducting “mock cyber attacks sending out fake links to see how many state workers click on them”.

Hoang says they have had positive results with these training exercises, but when faced with a genuine phishing email, at least two state of Hawaii employees still clicked on those malicious links.

The most vulnerable point in any information security scenario continues to be the human user, and that weakness can only be addressed by effective, continual user education whose results hold up when tested by real-world phishing attempts.

Connection to UH Data Breach?

Although there has been no mention of the Mabna Institute cyberattacks being connected to the University of Hawaii data breach that took place in September 2017, we know that the systems of hundreds of unnamed universities and the accounts of over 100,000 professors both in the U.S. and abroad were targeted by the Mabna Institute. The date of the UH data breach falls within the active dates of this campaign.


The United States Department of Justice, Nine Iranians Charged With Conducting Massive Cyber Theft Campaign on Behalf of the Islamic Revolutionary Guard Corps, 23 March 2018

State of Hawaii, Office of Enterprise Technology Services, Response to the Department of Justice’s Indictment Charging Nine Iranian Nationals Regarding Cyber Intrusion, 23 March 2018

Hawaii News Now, State on high alert after hackers target 2 agencies in ‘phishing’ attack, 27 March 2018

US-CERT, Alert (TA18-086A), Brute Force Attacks Conducted by Cyber Actors, 27 March 2018

UHWO CSCC article, University of Hawaii Data Breach, 26 January 2018