Published on June 4th, 2020

Fake CVs become more common phishing lure



With help from Martin Matishak

Editor’s Note: Morning Cybersecurity is a free version of POLITICO Pro Cybersecurity’s morning newsletter, which is delivered to our subscribers each morning at 6 a.m. The POLITICO Pro platform combines the news you need with tools you can use to take action on the day’s biggest stories. Act on the news with POLITICO Pro.


— Electric grid security advocates praised new recommendations from the Cyberspace Solarium Commission aimed at applying the lessons of the coronavirus pandemic.

— Google added a new way for iOS users to sign into their devices, expanding the range of security tokens that its Advanced Protection Program supports.

— New research shined a light on Chinese hackers’ custom malware, including a tool that can exfiltrate data on and spread through USB drives.

HAPPY THURSDAY and welcome to Morning Cybersecurity! You can’t spell “infectious” without “C,” “E” and “S.” Send your thoughts, feedback and especially tips to [email protected]. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

Calling all China watchers: The trajectory of the U.S.-China relationship will determine whether this century is judged a bright or a dismal one. POLITICO's David Wertime is launching a new China newsletter that will be worth the read. Sign up.

Covid-19 has triggered an abundance of disparate, rapidly changing policies at the federal and state levels. Stay up-to-speed with our Covid-19 Coverage Roundup, a daily summary of top Covid-19 news and analysis from across POLITICO Pro's policy coverage teams. We're also sharing premium content related to Covid-19 here. To receive the roundup directly to your inbox every weekday afternoon, please sign up on your settings page.

BANKING ON THEM FALLING FOR IT — Hackers are spreading malware that steals banking credentials and other personal data through phishing emails purporting to share résumés, the security firm Check Point said in a report out today. The proportion of infected documents posing as CVs has doubled in the past two months, according to the company’s research, with one out of every 450 malicious files adopting that guise. Check Point said it recently uncovered a campaign that uses these lures to spread the Zloader banking malware, which is often aimed at financial institutions whose employees have access to large sums. The campaign delivered Excel spreadsheets posing as résumés that directed victims to enable macros; doing so would allow the document to download the final piece of malware.

Medical leave forms have also become a popular lure, according to the new report, especially in light of the coronavirus pandemic. Infected documents often pose as requests to take the leave allowed under the 1993 Family and Medical Leave Act, according to Check Point research. The company observed one such campaign delivering the IcedID malware, another banking Trojan. Speaking of the coronavirus, Check Point said its data showed that the worldwide easing of lockdowns has reversed a downward trend in the total number of cyberattacks, which dropped 30 percent between January and March but ticked upward 16 percent from March to April.
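As an added defensive example (not Check Point's code or anything from the report), the following Python flags e-mail attachments that combine an embedded VBA project with a résumé or leave-form file name, the pairing the two campaigns above rely on; the gateway integration and the sample workbooks it builds are assumptions and constructed stand-ins, and the check only covers Office Open XML files, not legacy binary .xls.

```python
"""Flag attachments that match the CV / FMLA macro-lure pattern.

Assumption: a mail gateway hands us (filename, raw bytes) pairs. Checking the
zip contents rather than the extension catches an .xlsm renamed to .xlsx.
"""
import io
import re
import zipfile

# File-name themes the report associates with the lure (constructed list).
LURE_WORDS = {"cv", "resume", "résumé", "curriculum", "fmla"}
OOXML_MAGIC = b"PK\x03\x04"  # Office Open XML files are zip archives


def looks_like_lure_name(filename: str) -> bool:
    """True if the file name is dressed up as a CV or medical-leave form."""
    tokens = re.findall(r"[a-zé]+", filename.lower())
    if LURE_WORDS & set(tokens):
        return True
    return any(a == "medical" and b == "leave" for a, b in zip(tokens, tokens[1:]))


def has_vba_project(data: bytes) -> bool:
    """True if an Office Open XML document carries a VBA macro project."""
    if not data.startswith(OOXML_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'review' or 'allow' for one attachment."""
    macros = has_vba_project(data)
    if macros and looks_like_lure_name(filename):
        return "block"   # macro workbook posing as a résumé or leave request
    if macros:
        return "review"  # macros alone: quarantine for analyst review
    return "allow"


def build_sample(with_macros: bool) -> bytes:
    """Construct a minimal OOXML-shaped workbook for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)  # stand-in VBA blob
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("John_Smith_Resume.xlsm", build_sample(True)),
                       ("Q2_budget.xlsx", build_sample(False))]:
        print(name, classify_attachment(name, blob))
```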

BREAK THE CYCL — The Chinese-linked hacker group known as “Cycldek” and “Goblin Panda” hits its targets with “an extensive toolset for lateral movement and information stealing” that includes custom, previously unknown malware such as a tool that infects USB flash drives, researchers at Kaspersky Lab said in a report published Wednesday. The report shared several new details about Cycldek, a well-known group whose targets have included government agencies in Vietnam, Laos and Thailand. Kaspersky said that while previous research on Cycldek has described it as “a marginal group with sub-par capabilities,” its diverse toolset and operational longevity “show that the group has an extensive foothold inside the networks of high-profile targets in Southeast Asia.”

The newly uncovered USB-based malware, which Kaspersky calls USBCulprit, is one of several custom-made tools in Cycldek’s arsenal. The software, which the group has used since at least 2014, automates the copying of victims’ documents onto USB drives, offering a way around the air gaps that commonly protect sensitive facilities. “It can also selectively copy itself to a removable drive in the presence of a particular file,” Kaspersky said, “suggesting it can be spread laterally by having designated drives infected and the executable in them opened manually.” Other newly reported Cycldek tools steal cookies and passwords from Chromium-based browsers. Kaspersky also concluded that Cycldek hackers belong to a bifurcated organization: “Our analysis shows two distinct patterns of activity, indicating the group consists of two operational entities that are active under a mutual quartermaster.”

GRID MINDS THINK ALIKE — The Cyberspace Solarium Commission’s new coronavirus-focused recommendations have drawn the support of a grid security advocacy group that has pushed for more robust cybersecurity rules. In a letter sent Wednesday to the commission’s co-chairs, Protect Our Power said Congress should enact the recommended internet of things security law and encourage interagency and public-private planning before a cyber catastrophe hits. “We also agree that responding to complex emergencies ‘requires a balance between agility and institutional resilience across each sector of the economy, focusing particularly on critical infrastructure,’ especially, in our opinion, the electric grid, upon which all other elements of critical infrastructure depend to provide power,” Jim Cunningham, the group’s executive director, told Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.).

“It is not an exaggeration to suggest that the well-being of our nation and the full recovery of our economy from the coronavirus pandemic depend on swift and decisive action by Congress and relevant federal agencies,” Cunningham added. “The CSC has provided a detailed roadmap for making our nation far more secure and resilient, and the time for action is now.”

UPDATES, GET YOUR UPDATES HERE — Google will now allow account owners to use USB-C, NFC, or Lightning security keys when signing into a Google account or utilizing the Advanced Protection program, the company announced on Wednesday. Previously the tech giant only allowed for a Bluetooth security key that had to be used in tandem with Google’s Smart Lock app. The latest update enables Google users to utilize a wider range of physical security keys to secure their work or personal accounts on their iOS devices.

DETAILS TO COME? — CISA on Thursday created another organizational entity in an attempt to improve its collaboration with critical infrastructure partners. The agency described the new “CISA Central” as “the simplest, most centralized way” for the owners and operators of vital national assets, such as power plants and hospitals, to share and receive timely information “to understand the constantly evolving risk landscape.” CISA’s brief statement offered no details about what this meant in practice, or what form “CISA Central” would take, though it did say that existing “specialized engagements” and agency alerts would “continue unaffected.”

TWEET OF THE DAY — Useful advice here.

RECENTLY ON PRO CYBERSECURITY — The European Union is preparing to sanction Russian hackers after the pandemic delayed earlier plans to do so.

CyberScoop talked to cybersecurity practitioners about confronting systemic racism in their industry.

Cisco disclosed two Zoom vulnerabilities, one of which the company fixed.

The Center for Long-Term Cybersecurity explored how to digitally protect civil society organizations in a way that matches their threat models.

That’s all for today.

Stay in touch with the whole team: Eric Geller ([email protected], @ericgeller); Bob King ([email protected], @bkingdc); Martin Matishak ([email protected], @martinmatishak); Tim Starks ([email protected], @timstarks); and Heidi Vogt ([email protected], @heidivogt).
