[co-author: Michael Bevel]

Before we jump into February developments — trigger warning if you are a Russian hacker — for those keeping track of breach notification requirements, the National Credit Union Administration (NCUA) Board approved a final rule, requiring a federally insured credit union to notify the NCUA within 72 hours after reasonably believing that a reportable cyber incident occurred. The notice does not need to provide a full incident assessment within 72 hours, but only an early alert for the NCUA. Effective Date: September 1, 2023.

CONSIDER THIS

1. Whose Watching Whom Now? On February 6, the New York attorney general’s office ordered the owner of 16 mobile spyware companies to alert all device owners affected by the spyware software about the types of information the spyware collected, while also fining the owner $410,000 for using deceptive practices to sell the mobile applications promised to spy on the phones of spouses and children. Once installed on victim devices, the spyware collects and removes data, such as call logs, text messages, photos, videos, emails, browser data, location, and data from messaging and social media applications.
2. Telecommunication Companies’ Calls to FCC Unanswered. On February 15, several large telecommunications companies urged the FCC to develop a “strike force” of experts to minimize cybersecurity threats to the internet backbone — the Border Gateway Protocol (BGP). The BGP exchanges reachability information among independently managed internet networks, making it critical to resilience after attacks or natural disasters. BGP insecurity continued to “pose real, systemic vulnerabilities that can be exploited by foreign nation-state and criminal actors” to conduct malicious activity that threatens the integrity of U.S. telecom networks and the personal data of those living in the country.
3. The Latest Viral Trend: Banning. On February 23, The European Union’s executive branch announced that it temporarily banned a video clip-sharing app from phones used by employees as a cybersecurity measure. The EU’s action followed similar moves in the U.S., where more than half of the states and Congress banned the app from official government devices. The social media company now faces intensifying scrutiny from Europe and the U.S. over security and data privacy amid worries that the hugely popular app could be used to promote pro-Beijing views or sweep up users’ information. It comes as China and the West are locked in a wider tug-of-war over technology, ranging from spy balloons to computer chips.

   ---

    

NOT SO FAST

1. “Watch Me Pull This Malware Out of My Hat!” On February 9, the U.S. Treasury sanctioned seven Russians accused of running the Trickbot cybercrime group. Trickbot began as malware first identified in 2016 that conducted online bank robberies in Russia. The malware evolved to launch ransomware attacks. The Trickbot group often targeted hospitals and health care centers across the U.S. Because of the sanctions, the Group’s U.S. and UK assets will be frozen, and any payments to the Trickbot group will be banned.
2. Lock Him Up. On February 18, a Spanish court agreed to extradite British citizen Joseph James O'Connor for allegedly hacking prominent social media accounts, including those of President Biden, Barack Obama, and Bill Gates. In addition to hacking social media accounts, Mr. O’Connor is also wanted for allegedly hacking the accounts of a public figure and for multiple “swatting” cases — prank calls to emergency services intended to send large numbers of police to different locations.
3. Attack Aftermath. On February 24, the U.S. Department of the Treasury imposed sanctions on 83 entities and 22 individuals for their involvement in Russia-backed cyberattacks. See if your fave made the list!
4. Who Should Be Left Holding the Bag? On February 27, CISA Director Jen Easterly discussed the propriety of allowing tech manufacturers to avoid liability for their products, while also blaming product users for failing to timely patch vulnerabilities. Easterly further said the government could “play a role in shifting liability onto those entities that fail to live up to the duty of care they owe their customers," calling for legislation to bar tech manufacturers from passing on liability for cyberattacks to their customers in contracts. Such a law could establish a “safe harbor framework to shield from liability companies that securely develop and maintain their software products and services.”

   ---

    

AS THE WORLD TURNS

1. Times Are Hard for Even the Worst. A Chainalysis study revealed that “dark web” marketplace revenue dropped to $1.3 billion in 2022, down 50% from 2021 due to the April 2022 shutdown of the Hydra “dark web” market.
2. Being Robbed With Your Best Interests at Heart. The HardBit 2.0 ransomware group encourages its victims to disclose their cyber insurance policy, so HardBit’s ransom demands fall thoughtfully within those limits. You can get hacked by anyone, but does it make it better to get hacked by a group so committed to making the whole experience quick and efficient?
3. NSA Entering the "Home Security" Market? The NSA issued a series of suggestions to help remote workers secure their home network. According to the NSA: “At a minimum, you should schedule weekly reboots of your routing device, smartphones, and computers. Regular reboots help to remove implants and ensure security.”