Android

New Android Malware Records Smartphones via VNC To Steal Passwords (therecord.media) 15

Security researchers have discovered a novel piece of Android malware that uses the VNC technology to record and broadcast a victim's smartphone activity, allowing threat actors to collect keyboard presses and app passwords. From a report: First spotted in March 2021 by Dutch security firm ThreatFabric, this new piece of malware, named Vultur, is a departure from other Android malware strains that usually rely on fake login screens floating on top of legitimate apps to collect a victim's credentials. Instead, Vultur opens a VNC server on the infected phone, and broadcasts screen captures to an attacker command and control server, where the Vultur operator extracts passwords for desired apps.
Links

What That Google Drive 'Security Update' Message Means (arstechnica.com) 9

An anonymous reader quotes a report from Ars Technica: "A security update will be applied to Drive," Google's weird new email reads. If you visit drive.google.com, you'll also see a message saying, "On September 13, 2021, a security update will be applied to some of your files." You can even see a list of the affected files, which have all gotten an unspecified "security update." So what is this all about? Google is changing the way content sharing works on Drive. Drive files have two sharing options: a single-person allow list (where you share a Google Doc with specific Google accounts) and a "get link" option (where anyone with the link can access the file). The "get link" option works the same way as unlisted YouTube videos -- it's not really private but, theoretically, not quite public, either, since the link needs to be publicized somewhere. The secret sharing links are really just security through obscurity, and it turns out the links are actually guessable.

Google knew about the problem of guessable secret links for a while and changed the way link generation works back in 2017 (presumably for Drive, too?). Of course, that doesn't affect links you've shared in the past, and soon Google is going to require your old links to change, which can break them. Google's new link scheme adds a "resourcekey" to the end of any shared Drive links, making them harder to guess. So a link that used to look like "https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/" will now look like "https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/view?resourcekey=0-OsOHHiQFk1QEw6vIyh8v_w." The resource key makes it harder to guess. If you head to drive.google.com/drive/update-drives in a browser, you should be able to see a list of your impacted files, and if you mouse over them you'll see a button on the right to remove or apply the security update. "Applied" means the resourcekey will be required after September 13, 2021, and will (mostly) break the old link, while "removed" means the resourcekey isn't required and any links out there should keep working.
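As an added example (not code from Google or from the Ars Technica article), a small Python check that finds drive.google.com/file/d/ links in a text dump and reports those carrying no resourcekey, i.e. the old-style links that remain guessable and will change after the update. The sample text is constructed from the two link shapes quoted above; other Drive URL forms are out of scope here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: one old-style link and one new-style link, as quoted in
# the article. In practice you would feed in an export of a wiki, mailbox or
# document set to find links that will break (or stay guessable).
SAMPLE_TEXT = """
Old style: https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/
New style: https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/view?resourcekey=0-OsOHHiQFk1QEw6vIyh8v_w
Unrelated: https://www.example.org/not-a-drive-link
"""

# Matches drive.google.com/file/d/... links up to whitespace or a closing bracket/quote.
DRIVE_LINK_RE = re.compile(r"https://drive\.google\.com/file/d/[^\s)\]>\"']+")


def classify_drive_link(url):
    """Return (file_id, resourcekey) for a /file/d/<id>/... link.

    resourcekey is None when the link is the pre-update, key-less form.
    """
    parts = urlsplit(url)
    segs = parts.path.split("/")  # ['', 'file', 'd', '<id>', 'view' or '']
    file_id = segs[3] if len(segs) > 3 and segs[3] else None
    key = parse_qs(parts.query).get("resourcekey", [None])[0]
    return file_id, key


def links_missing_resourcekey(text):
    """List (url, file_id) for every Drive file link in text that has no resourcekey."""
    flagged = []
    for url in DRIVE_LINK_RE.findall(text):
        file_id, key = classify_drive_link(url)
        if file_id and key is None:
            flagged.append((url, file_id))
    return flagged


if __name__ == "__main__":
    for url, file_id in links_missing_resourcekey(SAMPLE_TEXT):
        print(f"no resourcekey: {file_id}  <- {url}")
```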
YouTube is also making similar changes. "In 2017, we rolled out an update to the system that generates new YouTube Unlisted links, which included security enhancements that make the links for your Unlisted videos even harder for someone to discover if you haven't shared the link with them," says YouTube in a support page.

YouTube creators can decide to opt out of this change. They also have the option of making Unlisted pre-2017 videos public or re-uploading as a new Unlisted video at the expense of stats.
Security

Israel Begins Investigation Into NSO Group Spyware Abuse (technologyreview.com) 21

Israeli government officials visited the offices of the hacking company NSO Group on Wednesday to investigate allegations that the firm's spyware has been used to target activists, politicians, business executives, and journalists, the country's Ministry of Defense said in a statement today. From a report: An investigation published last week by 17 global media organizations claims that phone numbers belonging to notable figures have been targeted by Pegasus, the notorious spyware that is NSO's best-selling product. The Israeli Ministry of Defense did not specify which government agencies were involved in the investigation, but Israeli media previously reported that the Foreign Ministry, Justice Ministry, Mossad, and Military Intelligence were also looking into the company following the publication of the Pegasus Project. NSO Group CEO Shalev Hulio confirmed to MIT Technology Review that the visit had taken place, but continued the company's denials that the list published by reporters was linked to Pegasus.

"That's true," he said. "I believe it's very good that they are checking, since we know the truth and we know that the list never existed and is not related to NSO." The reports focused largely on the successful hacking of 37 smartphones of business leaders, journalists, and human rights activists. But they also pointed to a leaked list of over 50,000 more phone numbers of interest in countries that are reportedly clients of NSO Group. The company has repeatedly denied the reporting. At this point, both the source of and meaning of the list remain unclear, but numerous phones on the list were hacked according to technical analysis by Amnesty International's Security Lab. When asked if the government's investigation process will continue, Hulio said he hopes it will be ongoing. "We want them to check everything and make sure that the allegations are wrong," he added.

United States

White House Calls on America's Most Critical Companies To Improve Cyber Defenses (reuters.com) 66

The White House is signaling to U.S. critical infrastructure companies, such as energy providers, that they must improve their cyber defenses because additional potential regulation is on the horizon. From a report: U.S. President Joseph Biden signed a national security memorandum on Wednesday, launching a new public-private initiative that creates "performance controls" for cybersecurity at America's most critical companies, including water treatment and electrical power plants. The recommendations are voluntary in nature, but the administration hopes it will cause companies to improve their cybersecurity ahead of other policy efforts, said a senior administration official. The announcement comes after multiple high profile cyberattacks this year crippled American companies and government agencies, including a ransomware incident which disrupted gasoline supplies. "These are the thresholds that we expect responsible owners and operators to go," said the official. "The absence of mandated cybersecurity requirements for critical infrastructure is what in many ways has brought us to the level of vulnerability that we have today."
Communications

US Senators Urge Barring Huawei, ZTE From $1.9 Trillion Govt Funding Measure (reuters.com) 27

Two U.S. senators on Wednesday said they are introducing a measure to prohibit funds in a $1.9 trillion government funding measure from being used to purchase Chinese telecommunications equipment from Huawei and ZTE and others deemed U.S. security threats. From a report: Senators Tom Cotton, a Republican, and Mark Warner, a Democrat, said the funds that were approved in March in a law known as the American Rescue Plan should not be used to potentially undermine U.S. telecommunications networks.
China

China Targets Mobile Pop-Ups in Latest Tech Crackdown (bloomberg.com) 8

China ordered Tencent Holdings and 13 other developers to rectify problems related to pop-ups within their apps, adding to a wide-ranging crackdown on the country's tech sector. From a report: The companies must address the "harassing" pop-up windows, which could contain misleading information or divert users away from the apps, the Ministry of Industry and Information Technology said in a statement on Wednesday. The 14 services, including an e-books app by Tencent's QQ and a video platform by Le.com, will have to fix the problems by Aug. 3. "Failure to abide by regulations" will not be tolerated and will be "penalized" accordingly, said the ministry.

Pop-ups, often used for advertising, are just the latest targets in a series of government crackdowns that have ranged from antitrust to data security, as Beijing seeks to rein in the tech giants' influence over most of everyday life. The crackdown has stepped into high gear in recent days after regulators announced their toughest-ever curbs on the online education sector and issued edicts governing food delivery, fueling a rout in Chinese tech stocks. The statement by MIIT comes days after the regulator announced a six-month crackdown on illegal online activities. The ministry on Monday said it will take steps to root out violations involving pop-ups, data collection and storage as well as the blocking of external links. Other regulators including the Cyberspace Administration of China have also pledged to tighten restrictions on misleading and explicit content used for marketing purposes. The watchdog said such material will be subject to harsher oversight, issuing fines against companies like Tencent, Kuaishou Technology and Alibaba Group Holding Ltd. for offensive content.

Electronic Frontier Foundation

EFF Sues US Postal Office For Records About Covert Social Media Spying Program (eff.org) 57

The Electronic Frontier Foundation (EFF) filed a Freedom of Information Act (FOIA) lawsuit against the U.S. Postal Service and its inspection agency seeking records about a covert program to secretly comb through online posts of social media users before street protests, raising concerns about chilling the privacy and expressive activity of internet users. From the press release: Under an initiative called Internet Covert Operations Program, analysts at the U.S. Postal Inspection Service (USPIS), the Postal Service's law enforcement arm, sorted through massive amounts of data created by social media users to surveil what they were saying and sharing, according to media reports. Internet users' posts on Facebook, Twitter, Parler, and Telegraph were likely swept up in the surveillance program. USPIS has not disclosed details about the program or any records responding to EFF's FOIA request asking for information about the creation and operation of the surveillance initiative. In addition to those records, EFF is also seeking records on the program's policies and analysis of the information collected, and communications with other federal agencies, including the Department of Homeland Security (DHS), about the use of social media content gathered under the program.

Media reports revealed that a government bulletin dated March 16 was distributed across DHS's state-run security threat centers, alerting law enforcement agencies that USPIS analysts monitored "significant activity regarding planned protests occurring internationally and domestically on March 20, 2021." Protests around the country were planned for that day, and locations and times were being shared on Parler, Telegram, Twitter, and Facebook, the bulletin said. "We're filing this FOIA lawsuit to shine a light on why and how the Postal Service is monitoring online speech. This lawsuit aims to protect the right to protest," said Houston Davidson, EFF public interest legal fellow. "The government has never explained the legal justifications for this surveillance. We're asking a court to order the USPIS to disclose details about this speech-monitoring program, which threatens constitutional guarantees of free expression and privacy."

Crime

Former eBay Supervisor Sentenced To 18 Months in Prison For Cyberstalking Case Targeting Natick Couple (bostonglobe.com) 14

A former security supervisor at eBay received an 18-month federal prison sentence Tuesday for his role in a bizarre campaign of cyberstalking aimed at a Natick couple that ran an online newsletter often critical of the e-commerce giant, authorities said. The Boston Globe: The ex-supervisor, Philip Cooke, 56, of San Jose, Calif., had pleaded guilty in US District Court in Boston in October 2020 to conspiracy to commit cyberstalking and conspiracy to tamper with a witness, legal filings show. On Tuesday, prosecutors said, he was sentenced to 18 months in prison, as well as three years of supervised release including a 12-month period of home detention. He was also ordered to pay a $15,000 fine and perform 100 hours of community service, according to the US attorney's office.

Cooke was one of seven former eBay employees charged in connection with the stalking, which authorities said targeted Ina and David Steiner, a Natick couple who recently filed a federal lawsuit against the company and other parties linked to the harassment. Rosemary Scapicchio, a prominent Boston attorney representing the couple in their civil suit, said via phone after Monday's hearing that her clients "were relieved" that Cooke received time behind bars, calling it "the first step in their pursuit of accountability" for all those involved. "There needs to be corporate accountability" as well, Scapicchio said.

Security

Google Launches New Bug Hunters Vulnerability Rewards Platform (bleepingcomputer.com) 4

Google has announced a new platform and community designed to host all its Vulnerability Rewards Programs (VRP) under the same roof. From a report: Since launching its first VRP more than ten years ago, the company has rewarded 2,022 security researchers from 84 different countries worldwide for reporting over 11,000 bugs. [...] "To celebrate our anniversary and ensure the next 10 years are just as (or even more) successful and collaborative, we are excited to announce the launch of our new platform, bughunters.google.com," Google said.

"This new site brings all of our VRPs (Google, Android, Abuse, Chrome and Play) closer together and provides a single intake form that makes it easier for bug hunters to submit issues." The new VRP platform should provide researchers with per-country leaderboards, healthier competition via gamification, awards/badges for specific bugs, and more opportunities for interaction. Google also launched a new Bug Hunter University, which would allow bug hunters to brush up on their skills or start a hunting learning streak.

China

Tencent's WeChat Suspends New User Registration for Security Compliance (reuters.com) 15

Tencent's WeChat has temporarily suspended registration of new users in mainland China as it undergoes a technical upgrade "to align with relevant laws and regulations," China's dominant instant messaging platform said on Tuesday. From a report: "We are currently upgrading our security technology to align with all relevant laws and regulations," the company said in a statement to Reuters. "During this time, registration of new Weixin personal and official accounts has been temporarily suspended. Registration services will be restored after the upgrade is complete, which is expected in early August," it added. Weixin is the Chinese name for WeChat. [...] China is in the process of tightening policies towards privacy and data security. It is readying a Personal Information Protection Law, which calls for tech platforms to impose stricter measures to ensure secure storage of user data.
Privacy

Is Your Phone Infected With Pegasus? (fossbytes.com) 75

Fossbytes has an article detailing how you can check to see if your mobile device is infected with the "Pegasus" spyware. What's Pegasus you ask? It's phone-penetrating spy software developed by NSO Group and sold to governments to target journalists and activists around the world. The CEO of NSO Group says law-abiding citizens have "nothing to be afraid of," but that doesn't help us sleep any better. Here's how to check if your device has been compromised (heads up: it's a bit of a technical and lengthy process): First off, you'll need to create an encrypted backup and transfer it to either a Mac or PC. You can also do this on Linux instead, but you'll have to install libimobiledevice beforehand for that. Once the phone backup is transferred, you need to download Python 3.6 (or newer) on your system -- if you don't have it already. Here's how you can install the same for Windows, macOS, and Linux. After that, go through Amnesty's manual to install MVT correctly on your system. Installing MVT will give you new utilities (mvt-ios and mvt-android) that you can use in the Python command line. Now, let's go through the steps for detecting Pegasus on an iPhone backup using MVT.

First of all, you have to decrypt your data backup. To do that, you'll need to enter the following instruction format while replacing the placeholder text (marked with a forward slash) with your custom path: "mvt-ios decrypt-backup -p password -d /decrypted /backup". Note: Replace "/decrypted" with the directory where you want to store the decrypted backup and "/backup" with the directory where your encrypted backup is located.

Now, we will run a scan on the decrypted backup, referencing it with the latest IOCs (possible signs of Pegasus spyware), and store the result in an output folder. To do this, first, download the newest IOCs from here (use the folder with the latest timestamp). Then, enter the instruction format as given below with your custom directory path: "mvt-ios check-backup -o /output -i /pegasus.stix2 /backup". Note: Replace "/output" with the directory where you want to store the scan result, "/backup" with the path where your decrypted backup is stored, and "/pegasus.stix2" with the path where you downloaded the latest IOCs.

After the scan completion, MVT will generate JSON files in the specified output folder. If there is a JSON file with the suffix "_detected," then that means your iPhone data is most likely Pegasus-infected. However, the IOCs are regularly updated by Amnesty's team as they develop a better understanding of how Pegasus operates. So, you might want to keep running scans as the IOCs are updated to make sure there are no false positives.
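To make the check-backup step concrete, here is an added Python example (not MVT's code and not affiliated with Amnesty International) that mimics in miniature what an IOC-driven backup scan does: it parses a constructed STIX2 bundle in the shape of the pegasus.stix2 file for domain-name and process-name indicators, checks constructed backup records against them, and writes a <module>_detected.json only when something matched, which is the file the article tells you to look for. All indicator values, record contents and the matching rules are placeholders chosen for illustration, not real Pegasus IOCs.

```python
import json
import re
from pathlib import Path
from tempfile import mkdtemp
from urllib.parse import urlsplit

# Constructed STIX2 bundle with placeholder indicators (ids are not real STIX UUIDs).
SAMPLE_STIX2 = json.dumps({
    "type": "bundle",
    "id": "bundle--placeholder",
    "objects": [
        {"type": "indicator", "id": "indicator--placeholder-1",
         "pattern": "[domain-name:value = 'ioc-example.invalid']"},
        {"type": "indicator", "id": "indicator--placeholder-2",
         "pattern": "[process:name = 'fakeproc-example']"},
        {"type": "malware", "id": "malware--placeholder", "name": "placeholder"},
    ],
})

# Constructed backup records, in the spirit of rows extracted from a decrypted
# iOS backup (browser history, process list). One of each kind matches an IOC.
SAMPLE_SAFARI_HISTORY = [
    {"url": "https://www.example.org/", "isodate": "2021-07-01T10:00:00Z"},
    {"url": "http://ioc-example.invalid/path", "isodate": "2021-07-02T11:30:00Z"},
]
SAMPLE_PROCESSES = [
    {"process_name": "SpringBoard"},
    {"process_name": "fakeproc-example"},
]

# Simple STIX comparison expressions: [<type>:<field> = '<value>']
PATTERN_RE = re.compile(r"\[(?P<kind>[\w-]+):(?P<field>\w+)\s*=\s*'(?P<value>[^']*)'\]")


def parse_stix2_indicators(stix2_text):
    """Return {"domain-name": set(...), "process": set(...)} from a STIX2 bundle."""
    bundle = json.loads(stix2_text)
    iocs = {"domain-name": set(), "process": set()}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.fullmatch(obj.get("pattern", "").strip())
        if m and m.group("kind") in iocs:
            iocs[m.group("kind")].add(m.group("value").lower())
    return iocs


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def check_safari_history(records, iocs):
    return [r for r in records if host_of(r["url"]) in iocs["domain-name"]]


def check_processes(records, iocs):
    return [r for r in records if r["process_name"].lower() in iocs["process"]]


def run_scan(output_dir, stix2_text, safari_records, process_records):
    """Write <module>.json for every module and <module>_detected.json only on a hit.

    Returns {module: number_of_matching_records}.
    """
    iocs = parse_stix2_indicators(stix2_text)
    out = Path(output_dir)
    out.mkdir(parents=True, exist_ok=True)
    results = {}
    for module, records, checker in (
        ("safari_history", safari_records, check_safari_history),
        ("processes", process_records, check_processes),
    ):
        (out / f"{module}.json").write_text(json.dumps(records, indent=2))
        detected = checker(records, iocs)
        if detected:
            (out / f"{module}_detected.json").write_text(json.dumps(detected, indent=2))
        results[module] = len(detected)
    return results


def detected_files(output_dir):
    """The check the article describes: any *_detected.json in the output folder."""
    return sorted(p.name for p in Path(output_dir).glob("*_detected.json"))


def demo_scan(clean=False):
    """Run the scan into a fresh temp dir; clean=True uses records with no IOC hits."""
    safari = SAMPLE_SAFARI_HISTORY[:1] if clean else SAMPLE_SAFARI_HISTORY
    procs = SAMPLE_PROCESSES[:1] if clean else SAMPLE_PROCESSES
    outdir = mkdtemp(prefix="ioc-scan-demo-")
    results = run_scan(outdir, SAMPLE_STIX2, safari, procs)
    return results, detected_files(outdir)


if __name__ == "__main__":
    print(demo_scan())        # hits in both modules -> two *_detected.json files
    print(demo_scan(True))    # no hits -> no *_detected.json files
```

Re-running the same scan with a newer IOC file is just a matter of passing a different bundle; keeping the IOC file's timestamp next to the output folder makes it clear which indicator set a given result reflects.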

Security

Olympics Broadcaster Announces His Computer Password on Live TV (vice.com) 57

In what is, at least so far, the biggest cybersecurity blunder of the Tokyo Olympics, an Italian TV announcer did not realize he was on air when he asked the password for his computer. Motherboard reports: "Do you know the password for the computer in this commentator booth?" he asked during the broadcast of the Turkey-China volleyball game, apparently not realizing he was still on air. "It was too hard to call the password Pippo? Pippo, Pluto or Topolino?" he complained, referring to the Italian names for Goofy, Pluto and Mickey Mouse. The snafu was immortalized in a video posted on Twitter by cybersecurity associate professor Stefano Zanero, who works at the Polytechnic University of Milan. A source who works at Eurosport, the channel which was broadcasting the volleyball game, confirmed that the video is authentic.

A colleague of the announcer can be heard in the background saying the password depends on the Olympics organizers, and asking the announcer if it's on a paper or post-it close by. Turns out the password was "Booth.03" after the number of the commentator's booth. "Even the dot to make it more complicated, as if it was NASA's computer," he said on the air. "Next time they will even put a semicolon." "Ma porca miseria," he concluded, using a popular Italian swear phrase that literally means "pork's misery" but is more accurately translated to "for god's sake."

China

Chinese Market Regulator Strengthens Protection for Food Delivery Workers (reuters.com) 30

Food delivery platforms in China will be required to guarantee riders' income above minimum pay, insurance and a relaxation in deadlines for deliveries, under reforms announced on Monday by China's market regulator. From a report: The guidelines were issued by the State Administration for Market Regulation along with six other administrative departments, including the National Development and Reform Commission, the Cyberspace Administration of China and the Ministry of Public Security. Food delivery platforms in China, including Meituan and Alibaba's Ele.me, have drawn severe criticism on social media for their treatment of delivery riders, most of whom are not covered by basic social and medical insurance.

Both Meituan and Alibaba's Ele.me did not immediately respond to Reuters' requests for comment. Meituan has been working with the government to purchase employment injury insurance for its delivery drivers, the company's chief executive, Wang Xing, said on a conference call in May.

Social Networks

'Disinformation for Hire' is Becoming a Booming Industry (nytimes.com) 148

Sunday the BBC reported YouTube influencers were offered money to spread vaccine misinformation.

But according to the New York Times, that's just the tip of the iceberg. "The scheme appears to be part of a secretive industry that security analysts and American officials say is exploding in scale: disinformation for hire: Private firms, straddling traditional marketing and the shadow world of geopolitical influence operations, are selling services once conducted principally by intelligence agencies. They sow discord, meddle in elections, seed false narratives and push viral conspiracies, mostly on social media. And they offer clients something precious: deniability. "Disinfo-for-hire actors being employed by government or government-adjacent actors is growing and serious," said Graham Brookie, director of the Atlantic Council's Digital Forensic Research Lab, calling it "a boom industry."

Similar campaigns have been recently found promoting India's ruling party, Egyptian foreign policy aims and political figures in Bolivia and Venezuela. Mr. Brookie's organization tracked one operating amid a mayoral race in Serra, a small city in Brazil. An ideologically promiscuous Ukrainian firm boosted several competing political parties. In the Central African Republic, two separate operations flooded social media with dueling pro-French and pro-Russian disinformation. Both powers are vying for influence in the country. A wave of anti-American posts in Iraq, seemingly organic, were tracked to a public relations company that was separately accused of faking anti-government sentiment in Israel.

Most trace to back-alley firms whose legitimate services resemble those of a bottom-rate marketer or email spammer... For-hire disinformation, though only sometimes effective, is growing more sophisticated as practitioners iterate and learn. Experts say it is becoming more common in every part of the world, outpacing operations conducted directly by governments. The result is an accelerating rise in polarizing conspiracies, phony citizen groups and fabricated public sentiment, deteriorating our shared reality beyond even the depths of recent years... Commercial firms conducted for-hire disinformation in at least 48 countries last year — nearly double from the year before, according to an Oxford University study. The researchers identified 65 companies offering such services...

Platforms have stepped up efforts to root out coordinated disinformation. Analysts especially credit Facebook, which publishes detailed reports on campaigns it disrupts. Still, some argue that social media companies also play a role in worsening the threat. Engagement-boosting algorithms and design elements, research finds, often privilege divisive and conspiratorial content.

The article also notes "a generation" of populist political leaders around the world who have risen "in part through social media manipulation. Once in office, many institutionalize those methods as tools of governance and foreign relations."
Security

Microsoft Warns of 'Evolving' LemonDuck Mining Malware Targeting Linux and Windows Machines (microsoft.com) 18

The threat intelligence team for Microsoft's 365 Defender security suite recently focused on an example of "modern mining malware infrastructure," describing how "Anything that can gain access to machines — even so-called commodity malware — can bring in more dangerous threats."

Specifically, it offered a case study of LemonDuck. The blog post's title? "When coin miners evolve..." Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.

LemonDuck's threat to enterprises is also in the fact that it's a cross-platform threat. It's one of a few documented bot malware families that targets Linux systems as well as Windows devices. It uses a wide range of spreading mechanisms — phishing emails, exploits, USB devices, brute force, among others — and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns... Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access... LemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns.

LemonDuck acts as a loader for many other follow-on activities, but one of its main functions is to spread by compromising other systems. Since its first appearance, the LemonDuck operators have leveraged scans against both Windows and Linux devices for open or weakly authenticated SMB, Exchange, SQL, Hadoop, REDIS, RDP, or other edge devices that might be vulnerable to password spray or application vulnerabilities... Other common methods of infection include movement within the compromised environment, as well as through USB and connected drives. These processes are often kicked off automatically and have occurred consistently throughout the entirety of LemonDuck's operation.

Education

SANS Institute Founder Hopes to Find New Cybersecurity Talent With a Game (esecurityplanet.com) 15

storagedude writes: Alan Paller, founder of the cybersecurity training SANS Technology Institute, has launched an initiative aimed at finding and developing cybersecurity talent at the community college and high school level — through a game developed by their CTO James Lyne. A similar game was already the basis of a UK government program that has reached 250,000 students, and Paller hopes the U.S. will adopt a similar model to help ease the chronic shortage of cybersecurity talent. And Paller's own Cyber Talent Institute (or CTI) has already reached 29,000 students, largely through state-level partnerships.

But playing the game isn't the same as becoming a career-ready cybersecurity pro. By tapping high schools and community colleges, the group hopes to "discover and train a diverse new generation of 25,000 cyber stars by the year 2025," Paller told eSecurity Planet. "SANS is an organization that finds people who are already in the field and makes them better. What CTI is doing is going down a step in the pipeline, to the students, to find the talent earlier, so that we don't lose them. Because the way the education system works, only a few people seem to go into cybersecurity. We wanted to change that.

"You did an article earlier this month about looking in different places for talent, looking for people who are already working. That's the purpose of CTI. To reach out to students. It's to go beyond the pipeline that we automatically come into cybersecurity through math, computer science, and networking and open the funnel much wider. Find people who have not already found technology, but who have three characteristics that seem to make superstars — tenacity, curiosity, and love of learning new things. They don't mind being faced with new problems. They like them. And what the game does is find those people. So CTI is just moving to earlier in the pipeline."

The Courts

Colonial Pipeline Sued by Customers Affected by Its Ransomware Incident (msn.com) 42

The owner of the EZ Mart gas station is suing Colonial Pipeline, accusing it of lax security, reports the Washington Post: He and his lawyers are hoping to also represent the hundreds of other small gas stations that were hurt by the hack. It's just one of several class-action lawsuits that are popping up in the wake of high-profile ransomware attacks. Another lawsuit filed against Colonial in Georgia in May seeks to get damages for regular consumers who had to pay higher gas prices. A third is in the works, with law firm Chimicles Schwartz Kriner & Donaldson-Smith LLP seeking to mount a similar effort.

Colonial isn't the only company that's been targeted. Another suit was launched in June against the San Diego-based hospital system Scripps Health after it was hit by a ransomware attack...

In the case of Colonial Pipeline, hundreds of gas stations were shut down, leading to huge lines of cars waiting for what little fuel remained. The rise in suits may mean companies and organizations that are hacked are no longer just on the hook for reimbursing people who had their data stolen. They could now be liable for all kinds of damages that go well beyond a heightened risk of identity theft or credit card fraud...

The potential for lawsuits will keep growing as ransomware attacks do. And if lawyers can reasonably show that a company made some kind of mistake in protecting its system, victims will have an avenue to sue.

Cloud

Does the Open Source Movement Need to Evolve? (techcrunch.com) 72

A cloud company's CTO argues on TechCrunch that the "hypocrite commits" controversy "is symptomatic, on every side, of related trends that threaten the entire extended open-source ecosystem and its users." That ecosystem has long wrestled with problems of scale, complexity and free and open-source software's (FOSS) increasingly critical importance to every kind of human undertaking. Let's look at that complex of problems:

- The biggest open-source projects now present big targets.

- Their complexity and pace have grown beyond the scale where traditional "commons" approaches or even more evolved governance models can cope.

- They are evolving to commodify each other. For example, it's becoming increasingly hard to state, categorically, whether "Linux" or "Kubernetes" should be treated as the "operating system" for distributed applications. For-profit organizations have taken note of this and have begun reorganizing around "full-stack" portfolios and narratives.

- In so doing, some for-profit organizations have begun distorting traditional patterns of FOSS participation. Many experiments are underway. Meanwhile, funding, headcount commitments to FOSS and other metrics seem in decline.

- OSS projects and ecosystems are adapting in diverse ways, sometimes making it difficult for for-profit organizations to feel at home or see benefit from participation.

Meanwhile, the threat landscape keeps evolving:

- Attackers are bigger, smarter, faster and more patient, leading to long games, supply-chain subversion and so on.

- Attacks are more financially, economically and politically profitable than ever.

- Users are more vulnerable, exposed to more vectors than ever before.

- The increasing use of public clouds creates new layers of technical and organizational monocultures that may enable and justify attacks.

- Complex commercial off-the-shelf solutions assembled partly or wholly from open-source software create elaborate attack surfaces whose components (and interactions) are accessible and well understood by bad actors.

- Software componentization enables new kinds of supply-chain attacks.

Meanwhile, all this is happening as organizations seek to shed nonstrategic expertise, shift capital expenditures to operating expenses and evolve to depend on cloud vendors and other entities to do the hard work of security. The net result is that projects of the scale and utter criticality of the Linux kernel aren't prepared to contend with game-changing, hyperscale threat models.

Among other things, the article ultimately calls for a reevaluation of project governance/organization and funding "with an eye toward mitigating complete reliance on the human factor, as well as incentivizing for-profit companies to contribute their expertise and other resources." (With whatever culture changes this may require.) It also suggests "simplifying the stack" (and verifying its components), while pushing "appropriate" responsibility for security up to the application layer.

Slashdot reader joshuark argues this would be not so much the end of Open Source as "more turning the page to the next chapter in open-source: the issues of contributing, reviewing, and integrating into an open-source code base."
Businesses

Amazon Wants Apartment Buildings to Install a 'Key' System that Lets Them Enter the Lobby (pennlive.com) 178

"Amazon is tired of ringing doorbells," reports the Associated Press. "The online shopping giant is pushing landlords around the country — sometimes with financial incentives — to give its drivers the ability to unlock apartment-building doors themselves with a mobile device." The service, dubbed Key for Business, is pitched as a way to cut down on stolen packages by making it easy to leave them in lobbies and not outside. Amazon benefits because it enables delivery workers to make their rounds faster. And fewer stolen packages reduce costs and could give Amazon an edge over competitors. Those who have installed the device say it reduces the constant buzzing by delivery people and is a safer alternative to giving out codes to scores of delivery people.

But the Amazon program, first announced in 2018, may stir security and privacy concerns as it gains traction. The company said that it does background checks on delivery people and that they can unlock doors only when they have a package in hand to scan. But tenants may not know that Amazon drivers have access to their building's front doors, since Amazon leaves it up to the building to notify them...

Amazon didn't respond to questions about potential hacking. The company has already installed the device in thousands of U.S. apartment buildings but declined to give a specific number... Amazon salespeople have been fanning out to cities across the country to knock on doors, make cold calls or approach building managers on the street to urge them to install the device. The company has even partnered with local locksmiths to push it on building managers while they fix locks. Amazon installs the device for free and sometimes throws in a $100 Amazon gift card to whoever lets them in.

Power

China Compromised More than a Dozen US Pipelines Between 2011 and 2013 (wsj.com) 53

"Hackers working for the Chinese government compromised more than a dozen U.S. pipeline operators nearly a decade ago, the Biden administration revealed Tuesday while also issuing first-of-its-kind cybersecurity requirements on the pipeline industry," reports the Wall Street Journal. The disclosure of previously classified information about the aggressive Chinese hacking campaign, though dated, underscored the severity of foreign cyber threats to the nation's infrastructure, current and former officials said. In some cases, the hackers possessed the ability to physically damage or disrupt compromised pipelines, a new cybersecurity alert said, though it doesn't appear they did so. Previously, senior administration officials had warned that China, Russia and others were capable of such cyber intrusions. But rarely has so much information been released about a specific and apparently successful campaign.

Chinese state-sponsored hackers between 2011 and 2013 had targeted nearly two dozen U.S. oil and natural gas pipeline operators with the specific goal of "holding U.S. pipeline infrastructure at risk," the Federal Bureau of Investigation and the Department of Homeland Security said in Tuesday's joint alert. Of the known targets, 13 were successfully compromised and an additional eight suffered an "unknown depth of intrusion," which officials couldn't fully assess because the victims lacked complete computer log data, the alert said. Another three targets were described as "near misses" of the Chinese campaign, which relied heavily on spear phishing attacks.

Newsweek adds that the same day the U.S. Department of Homeland Security "announced new requirements for U.S. pipeline operators to bolster cybersecurity following a May ransomware attack that disrupted gas delivery across the East Coast." In a statement, DHS said it would require operators of federally designated critical pipelines to implement "specific mitigation measures" to prevent ransomware attacks and other cyber intrusions. Operators must also implement contingency plans and conduct what the department calls a "cybersecurity architecture design review."
