As Congress winds up its work in the first session of the 117th Congress, government and private sector interests are hard at work to carve a shared path on cybersecurity. It seems that over the past year, every committee in Congress shone a spotlight on the cybersecurity issues that fell into their respective jurisdictions.
For its part, the U.S. House of Representatives Small Business Committee invited ACT | The App Association to testify in a hearing on the cybersecurity posture of American small businesses in July. The Committee then promptly forwarded a raft of bipartisan bills to enhance resources for the private sector and improve the Small Business Administration’s (SBA’s) readiness, and those bills passed the full House in November. In that hearing, we reminded the Committee that small firms often leverage the capabilities of larger cloud providers, which include real-time updates and patches for system vulnerabilities, and access to the relevant indicators of compromise and threat indicators. But that scale also enables larger cloud providers like Microsoft to anticipate the activities of cybercriminals and hit them where it hurts most.
In an example announced earlier this week, a federal court granted an order to Microsoft enabling it to seize fraudulent websites that the China-based criminal network NICKEL was using to infect victims’ devices. This capability is a crucial ingredient in a winning formula for closing off key avenues for cybercriminals, including those with implicit or explicit backing by foreign governments.
NICKEL is an especially pernicious network. Microsoft’s Threat Intelligence Center (MSTIC) tracks NICKEL’s activity and estimates that it enjoyed a staggering 90 percent success rate. That is more than double the rate of the other surgical, targeted campaigns MSTIC tracked, including HAFNIUM—which succeeded 43 percent of the time. With MSTIC’s intelligence, Microsoft’s Digital Crimes Unit (DCU) filed pleadings in the Eastern District of Virginia to seize websites NICKEL was using to carry out its attacks on think tanks, human rights organizations, and government entities in the United States and 28 other countries. The tactics NICKEL used to break into victims’ devices and networks varied, but its goal was singular: to “insert hard-to-detect malware that facilitates intrusion, surveillance and data theft.” NICKEL even compromised some virtual private network (VPN) suppliers, thus enabling surveillance of users of those VPNs, and relied on more conventional—but sophisticated—targeted spear phishing campaigns to obtain credentials.
Last but not least, NICKEL also exploited unpatched on-premises Exchange Server and SharePoint systems, an issue small companies (many of which still use on-premises systems they have to update manually) face in particular. Microsoft’s ability to compile the evidence it did in the NICKEL case, and so convince a court to let it seize NICKEL’s domains, is central to security: once Microsoft controls those domains, it receives the incoming traffic from compromised devices and networks and redirects it away from NICKEL. It is another example of why the scale of some cloud companies gives all of us—in the app economy and beyond—an important advantage in cyber readiness.