Cybersecurity Firm Says Chinese Hackers Breached Six US State Agencies (cnn.com) 19
An anonymous reader quotes a report from CNN: A Chinese government-backed hacking group has breached local government agencies in at least six US states in the last 10 months as part of a persistent information-gathering operation, investigators at cybersecurity firm Mandiant said Tuesday. The wide range of state agencies targeted include "health, transportation, labor (including unemployment benefit systems), higher education, agriculture, and court networks and systems," the FBI and US Cybersecurity and Infrastructure Security Agency (CISA) said in a separate, private advisory to state governments obtained by CNN. For agencies in two states, the hackers broke into networks using a critical software flaw that was revealed in December just as the Biden administration was scrambling to respond to the flaw's discovery, according to Mandiant.
The hackers' motives aren't clear, but their victims are "consistent with an espionage operation," the firm said. The list of state agencies affected by the hacking could grow as the investigation continues. CISA on December 10 publicly warned that Log4J -- software used by big tech firms around the world -- had a vulnerability that hackers could easily exploit to gain further access to computer systems. Hundreds of millions of computers around the world ran the vulnerable software, US officials later estimated. For weeks, US officials urged companies to update their software; the White House hosted a meeting in January with tech executives to try to address the root problem of software that is not secure by design. Within hours of the CISA advisory, the Chinese hackers had begun using the Log4J flaw to break into the two US state agencies, according to Mandiant.
Agencies in four other states were hacked via other means. In one state, Mandiant said, the hackers accessed personal data on some Americans, including names, email addresses and mobile phone numbers. Mandiant declined to name the US states or agencies affected. While the hackers' ultimate objectives are unclear, state agencies could provide a wealth of useful information to foreign spies, whether data related to elections or government contracting. Mandiant blamed the hacking campaign on a group that the Justice Department has linked with China's civilian intelligence agency. That hacking group, according to a US indictment unsealed in September 2020, has been linked to attempts to breach hundreds of organizations around the world, from hardware makers to pro-democracy politicians in Hong Kong.
in no position to wage war (Score:2)
The US has Abysmal cyber security. As long as our nation lacks the ability to defend itself, we probably shouldn't be thinking about how to wage war, expand NATO, or defend the South China Sea. Because we're wide open to a counter-attack.
Re: (Score:2)
If they hadn't spent $6T in the Middle East recently we could have decent cybersecurity and solar panels on every household in America.
Oh, but then we wouldn't need the energy wars, so nah?
Re: in no position to wage war (Score:2)
Free colleg would cost $2.2 trillion over 10 years. And pay back in having a new generation of educated citizens able to drive further economic growth.
Unlike our spending on pointless wars which is worse than simply piling up money and setting it on fire.
Re: (Score:2)
college*
I've gotten old and I should put my (recently acquired) reading glasses on and proofread my posts. You can see typos all over my comment history. I'm finding the default sans serif fonts to be far less readable than some old-fashioned times new roman.
Re: (Score:2)
You do know that you can change the default font in your browser to something that is easier for you to read, right? You can also zoom in using Ctrl-+. (I usually read at 120% zoom). You can even override some CSS settings if that helps.
Re: (Score:2)
Slashdot's dinosaur HTML does weird formatting things when I zoom in. Where everything wraps around into narrow columns and weirdly the text input box remains with the same font while the elements around it are huge.
Sometimes spell check works and sometimes it does nothing. That seems to be a browser issue and kind of comes and goes. I've given up trying to debug all this shit software on my computer.
I could also just put on my glasses instead of assuming I'm 100% accurate when I'm blindly touch typing.
Re: (Score:2)
"Free colleg" -- yeah, THAT makes a lot of sense. Stupid pig.
Root cause analysis. The only reason "free college" even has value today, is because millions of college debtors demand you endure the same punishment they did. Has fuck all to do with the actual job, and should be dropped from 90% of job requirements.
Re: (Score:2)
The US has Abysmal cyber security. As long as our nation lacks the ability to defend itself, we probably shouldn't be thinking about how to wage war, expand NATO, or defend the South China Sea. Because we're wide open to a counter-attack.
There are obviously many security vulnerabilities throughout the US. However, these vulnerabilities are not uniform across organizations or in terms of severity. Some of these vulnerabilities might be significant in a war or in preparation for war, but many of those are low severity. Perhaps the more interesting question is how widespread these vulnerabilities are in potential opponents. Slashdot has no idea of Chinese or Russian security vulnerability, and hopefully US intelligence has a better idea.
Th
Re: (Score:2)
I think it is fairly safe to say that civilian society, finance, and energy in the US is more dependent on software and networking than in Russia.
Another scenario is that maybe China's software is less secure, at least the important stuff, but the US's middle-important stuff still represents a very viable target.
I think waging a conventional war while all your citizens are at home safe in their beds with food in their belly is one thing. It's another if you're waging a war while markets are shut down, tr
Re: (Score:2)
The really interesting question is how two large countries, both with vulnerabilities and capabilities to exploit those vulnerabilities, would fare in a real war. Hopefully, we stay in the cold war phase and don't find the answer via a hot war.
Uh, I'd say the actual interesting question, is how the world will define CyberWar.
Is that a "cold" war, or a "hot" war? Guess it depends on the impact. Rather scary thinking about the pathetically undefined that could lead to actual war.
What bugs will we fix today? (Score:2)
6 agencies down. Many more to go (Score:2)
6 agencies down. Many more to go, fortunately:
https://de.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
Ah, your prescription for the U.S. is to retreat into a second-string nation too timid to defend its interests. How revealing of you.
Re: (Score:1)
You're the lead programmer of Log4J, aren't you, you smug little shit? Good thing you shackled your shitty trojan horse software to systemd, or this might have actually hurt people who deserved it.
Re: (Score:2)
Actually, those exploits were in MS software. They are frantically patching now.
Learning from the USA (Score:2)
Active Exploit in Mozilla Browser (Score:1)