The I-SOON Leaks: Don’t Be Distracted
2–26–2024 (Monday)
Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, February 26, 2024, and it feels like we’re getting back to something that resembles normal these days.
Unfortunately, normal means we’re dealing with more on both nation-state Advanced Persistent Threats and fractured ransomware gangs. Let’s dive in.
I-SOON Leaks: Don’t Get Distracted
The big news of the past week in the security community has revolved around a cache of documents and other information anonymously posted on GitHub over the weekend of February 16.
The leak contains a wide range of what purport to be internal documentation on a private company that contracts with the People’s Republic of China’s Ministry of Public Security, Ministry of State Security, and People’s Liberation Army.
Security researchers like the team at SentinelOne and Brian Krebs have good write-ups of the early reviews of the content, but it seems that the “leaked documents provide indicators–such as command-and-control infrastructure, malware, and victimology–which relate to suspected Chinese cyberespionage activities previously observed by the threat intelligence community. Initial observations point to activities spanning a variety of targeted industry sectors and organizations as well as APT groups and intrusion sets, which the threat intelligence community tracks, or has been tracking, as distinct clusters.”
Ironically, Politico is reporting that the documents have since been removed from GitHub, citing violations of its policies “on doxing and invasion of privacy,” as the company shared in a statement to Morning Cyber.
But - instead of digging deeper into these documents and what they might reveal in terms of Chinese intelligence operations or novel tactics, techniques, & procedures (TTPs), I’m going to encourage all of us to not get distracted here and instead stay focused.
Why?
Because very few of us are going to make different defensive decisions based on what’s contained in these documents. In fact, making defensive decisions based on attacker tactics is an anti-pattern that we should seek to avoid, particularly when these threats aren’t the most pressing.
What’s more pressing? For one - ensuring that we have a robust vulnerability management program in place so that we don’t fall victim to new ransomware threats like this one exploiting a ConnectWise ScreenConnect vulnerability.
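To make the "robust vulnerability management program" point concrete, here is a small patch-gap check added for this write-up; it is not code from the newsletter, ConnectWise, or any vendor. It takes an asset inventory (constructed here) and a table of first-fixed versions, and returns the hosts still running a vulnerable build, internet-facing ones first. The ScreenConnect fixed version in the table is an assumed input to confirm against the vendor advisory, not data the newsletter supplies; the one thing the example is careful about is that version strings must be compared numerically, since a plain string comparison would rank 23.9.10 below 23.9.8 and silently miss a patched host.

```python
"""Added example (not from the newsletter): a minimal patch-gap check that
turns an asset inventory into a prioritized list of hosts running a product
version below the first fixed release. Inventory rows and the fixed-version
table are constructed for the demo."""
from dataclasses import dataclass


@dataclass
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool


# Assumed first-fixed versions (product -> version). Treat the ScreenConnect
# entry as an input to verify against the vendor advisory, not as authoritative.
FIXED_VERSIONS = {"screenconnect": "23.9.8"}


def parse_version(v: str) -> tuple:
    """Split a dotted version into integer parts so that 23.9.10 > 23.9.8.
    String comparison would get this wrong ("23.9.10" < "23.9.8")."""
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(asset: Asset, fixed=FIXED_VERSIONS) -> bool:
    """True when the asset's product is in the table and its version is older
    than the first fixed release. Unknown products are not flagged."""
    key = asset.product.lower()
    if key not in fixed:
        return False
    return parse_version(asset.version) < parse_version(fixed[key])


def triage(assets, fixed=FIXED_VERSIONS):
    """Return vulnerable assets, internet-facing first, then oldest version first."""
    vulnerable = [a for a in assets if is_vulnerable(a, fixed)]
    vulnerable.sort(key=lambda a: (not a.internet_facing, parse_version(a.version)))
    return vulnerable


# Constructed sample inventory; hostnames are illustrative.
SAMPLE_INVENTORY = [
    Asset("rmm-edge-01", "ScreenConnect", "23.9.7", True),
    Asset("rmm-edge-02", "ScreenConnect", "23.9.8", True),
    Asset("helpdesk-int", "ScreenConnect", "23.9.10", False),
    Asset("lab-box", "ScreenConnect", "22.6.12", False),
    Asset("fileserver", "OtherProduct", "1.0", True),
]


if __name__ == "__main__":
    for a in triage(SAMPLE_INVENTORY):
        print(f"{a.host}: {a.product} {a.version} (internet-facing={a.internet_facing})")
```

Run against the sample inventory, the check flags rmm-edge-01 and lab-box and leaves the two patched hosts alone; the edge host sorts first because it is exposed. In practice the inventory rows would come from your RMM or CMDB export and the fixed-version table from the vendor advisory, and the output is the patch queue for the next few hours rather than the next maintenance window.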
Indeed, it’s a leading candidate for the breach of United Health Group’s Change Healthcare subsidiary. As a reminder, UHG, which also owns Optum here in the US, acquired Change Healthcare for $13B, nearly 3x what it paid for Optum in 2011. The combined company is ranked 10th on last year’s Fortune Global 500 list, just behind Shell and Apple.
In their 8-K filing with the SEC, UHG noted that “a suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology systems.”
Their update page for this incident has posted the same update message 15 times in a row over the last 3 days, but does note that more than 120 different products or components are affected - and we’ve seen real-world consequences of pharmacies and other providers being unable to deliver patient care because of this event.
_THIS_ is why we need to not get distracted by the I-SOON leaks, or any of the other shiny things that come across our desks every week. Attackers are exploiting weaknesses at astonishing speed. We’re not “on the clock” - the clock has run out, and we don’t have time for distraction at the expense of building defensible cybersecurity programs.
Fundraising
A quieter week for fundraising, with only (“only”) $11.5B in newly committed capital across about a dozen funds, led by CVC’s $6.8B raise for its sixth Asia fund.
IPO news was dominated by Reddit’s filing, which also included very tactful framing of the fact that they’re 18 years old, do not pay anything for content creation, and still can’t turn a profit. What a world.
You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://www.sentinelone.com/labs/unmasking-i-soon-the-leak-that-revealed-chinas-cyber-operations/
https://krebsonsecurity.com/2024/02/new-leak-shows-business-side-of-chinas-apt-menace/
https://www.cybersecuritydive.com/news/connectwise-screenconnect-lockbit-ransomware/708371/
https://www.theregister.com/2024/02/22/change_healthcare_outage/