A royal mess in the U.K. points to the risks of cyberattacks on mail delivery

Below: FTX says hackers stole more than $400 million after it declared bankruptcy, and an apparent Russian cyberattack disrupted a Ukrainian news conference on Russian cyberattacks. First:

U.K. Royal Mail incident demonstrates how harmful cyberattacks can be on the industry

A cyberattack on the United Kingdom’s largest mail delivery service that has snarled international parcel exports for a week is illustrating the cyber risks for mail services.

The incident was first confirmed as a cyberattack on Tuesday by Royal Mail CEO Simon Thompson. There are no signs of when the disruption will end, and U.K. businesses say it is hitting them in their pocketbooks.

“For export parcels and letters through our postal services … we are no longer able to provide that service,” Thompson told a parliamentary committee Tuesday. “The team have been working on workarounds so that we can get the service up and running again.”

Mail delivery services in the United States are no stranger to cyber incidents. Ransomware twice struck a FedEx subsidiary in 2017, slowing services and costing the company hundreds of millions of dollars — although that primarily affected customers overseas. The U.S. Postal Service suffered a breach in 2014 that it said potentially affected sensitive personal data of more than 800,000 employees, as well as call center data on potentially 2.9 million customers, although that customer data was less sensitive.

To get a sense of what a major, successful cyberattack on the U.S. Postal Service might look like, observe how mail delivery suffered during the peak of the covid-19 crisis, said Gary Barlet, who served as chief information officer at the agency’s inspector general office for 10 years before leaving in May.

“An attack like that has huge ramifications for every U.S. citizen, basically, because in some way, shape or form, they’re touched by the U.S. Postal Service,” Barlet, now federal chief technology office for the cybersecurity company Illumio, told me.

The United Kingdom is still sorting through what has happened in the Royal Mail incident. The first signs of it popped up on Jan. 10.

The ransomware gang LockBit, which is widely believed to be based in Russia, was behind the attack, Jasper Jolly reported last week for the Guardian. LockBit’s response to this has been muddled, and ransomware gangs are well-known for fibbing for who they have or haven’t hacked.

The U.S. Postal Service picture

After the 2014 U.S. Postal Service breach, the agency turned to Greg Crabb, naming him chief information security in 2015. He said the information security staff grew from perhaps 40 at the time to several hundred, including contractors, by the time he left in 2021.

“It was a matter of really taking a step back, getting a lot of expert opinion as to the things that needed to be improved and setting out a very significant security investment road map in order to be able to address those opportunities for investment,” Crabb, who since has founded the cyber firm 10-8, told me of the turnaround from the 2014 incident. 

The agency said in 2018 that it had patched a vulnerability that exposed data on 60 million customers, albeit one year after a security researcher identified it. The Postal Service said there was no evidence to believe hackers exploited the flaw.

Recent inspector general audits are mixed, although it’s hard to know exactly what the agency did well or poorly as the documents are heavily redacted.

• “The Postal Service generally has an effective security posture and security awareness program to protect its IT infrastructure from external cyberattacks,” reads a 2021 audit. Many of the recommendations for improvement are redacted, but the report suggests that auditors found problems when conducting “penetration tests” looking for flaws, and with how the Postal Service managed vulnerabilities.
• In 2022, the inspector general report said that “[t]he Postal Service has made positive strides in implementing improvements to its risk management program, cybersecurity strategy, and organizational structure. However, its state of cybersecurity lacks maturity, which limits its ability to fully understand its risk exposure and protect the agency from cyberattack.” Redactions again made it difficult to figure out what specific recommendations auditors made.

Although some agencies’ cybersecurity audits have redactions, or even are substantially withheld unless someone files a Freedom of Information Act request, the blacked-out sections of the Postal Service inspector general reports appear more extensive.

“Our redactions in public reports are due to the sharing of sensitive information or information that could cause the USPS to become a target for threat actors,” Postal Service spokesperson Jim McKean said. “All redactions are made in coordination with our FOIA and legal departments.”

FedEx’s ransomware attacks came back-to-back in 2017. The infamous, worldwide ransomware outbreaks of WannaCry and NotPetya both hit TNT Express, a FedEx subsidiary.

• NotPetya affected company computer systems in Asia, Europe and the United States; TNT Express operated in more than 200 countries at the time.
• In one 2017 quarterly earnings report, FedEx estimated it lost $300 million, mostly due to NotPetya.
• The impact of WannaCry doesn’t appear to have been as severe on TNT Express, with FedEx saying at the time it was “experiencing interference with some of our Windows-based systems caused by malware.”
• The U.S. government has blamed Russia for NotPetya, and North Korea for WannaCry.

Also in 2014, UPS said it suffered a cyberattack that exposed data on more than 100,000 transactions, but that it didn’t see evidence that cybercriminals had used any of the information for fraud. 

The company said it found out about the hack after reading a U.S. government bulletin outlining a “broad-based malware intrusion not identified by current anti-virus software.”

Hackers stole more than $400 million from FTX since it declared bankruptcy, company says

FTX CEO John Ray said hackers took around $323 million from its international exchange and $90 million from its U.S. exchange since the company declared bankruptcy two months ago, Reuters’s Dietrich Knauth reports. The firm collapsed in November and U.S. prosecutors have accused its founder, Sam Bankman-Fried, with breaking the law. Bankman-Fried has pleaded not guilty.

“We are making progress in our efforts to maximize recoveries, and it has taken a herculean investigative effort from our team to uncover this preliminary information,” Ray said in a statement.

Russian cyberattack disrupts news conference about Russian cyberattacks, hosts say

Ukrainian media collective Media Center Ukraine said Russian hackers briefly delayed its news conference on Russian cyberattacks affecting the country, Axios’s Sam Sabin reports. Ukrainian cybersecurity chief Yurii Shchyhol, spoke at the event.

“We just faced a cyberattack on our information platform committed by Russia,” a host said at the event. “We understand they don't like to hear the truth about this war, but we're not to be stopped, we are online, we are broadcasting.”

In the 11 months since Russia invaded Ukraine, “Russian hackers have mostly focused on low-level attacks, such as overloading government websites with bot traffic and deploying malware wipers against Ukrainian organizations,” Sabin writes. “Some of these attacks have also targeted organizations in NATO countries, researchers have said, but nothing has reached the level of Russia's worldwide 2017 NotPetya incident.”

China proposes ban on spreading false information in U.N. cyber treaty, but it will probably face opposition

Chinese diplomats proposed that a U.N. cybercrime convention direct its signatories to criminalize the “dissemination of false information,” the Record’s Alexander Martin reports. It comes as countries jockey to change the shape of the treaty under negotiation.

Western governments will probably challenge the Chinese proposal over its human rights implications, Martin reports.

“The new proposal will now be negotiated as part of the ongoing discussions that will run until January 20,” Martin writes. “There will be several more sessions in Vienna before a final negotiation held in New York at the end of August, after which a draft treaty will be introduced to the General Assembly.”

State legislators aren't waiting for Congress to regulate children's online privacy (CyberScoop)

Malaysian Armed Forces foils four hacking attempts on national defense network, cybersecurity official says (Malay Mail)

Hackers turn to Google search ads to push info-stealing malware (Bleeping Computer)

Nissan North America data breach caused by vendor-exposed database (Bleeping Computer)

• Steven Frid is the new executive director of the U.S. Election Assistance Commission. Frid was previously Federal Student Aid’s security director.
• Daniel Bernard and Raj Rajaman have joined CrowdStrike as chief business officer and chief product officer for data, identity, cloud and endpoint. They previously worked at SentinelOne.

• Deputy national security adviser Anne Neuberger speaks at the 91st Winter Meeting of The United States Conference of Mayors today at 2:30 p.m. 
• The ShmooCon hacking conference runs from Friday through Sunday in D.C.

Thanks for reading. See you tomorrow.