Mobile network operators who sold their customers’ real-time location data violated US law and the Federal Communications Commission will try to punish carriers that did so, FCC Chairman Ajit Pai wrote today.
“[T]he FCC’s Enforcement Bureau has completed its extensive investigation and… it has concluded that one or more wireless carriers apparently violated federal law,” Pai wrote in a letter today to Democratic members of Congress who asked for an update on the probe.
“I am committed to ensuring that all entities subject to our jurisdiction comply with the Communications Act and the FCC’s rules, including those that protect consumers’ sensitive information, such as real-time location data,” Pai’s letter continued. “Accordingly, in the coming days, I intend to circulate to my fellow Commissioners for their consideration one or more Notice(s) of Apparent Liability for Forfeiture in connection with the apparent violation(s).”
The carriers could fight such notices in an attempt to avoid punishment. AT&T has claimed that selling location data wasn’t illegal.
Democratic FCC Commissioner Jessica Rosenworcel has repeatedly urged Pai to reveal details of the investigation. In a statement released today, Rosenworcel said:
For more than a year, the FCC was silent after news reports alerted us that for just a few hundred dollars, shady middlemen could sell your location within a few hundred meters based on your wireless phone data. It’s chilling to consider what a black market could do with this data. It puts the safety and privacy of every American with a wireless phone at risk.
Today this agency finally announced that this was a violation of the law. Millions and millions of Americans use a wireless device every day and didn’t sign up for or consent to this surveillance. It’s a shame that it took so long for the FCC to reach a conclusion that was so obvious.
House Commerce Committee Chairman Frank Pallone, Jr. (D-N.J.) said that Pai’s response to lawmakers “is a step in the right direction, but I’ll be watching to make sure the FCC doesn’t just let these lawbreakers off the hook with a slap on the wrist.”
Sen. Ron Wyden (D-Ore.) said that he is “eager to see whether the FCC will truly hold wireless companies accountable or let them off with a slap on the wrist.”
Carriers sold data after promise to stop
The controversy over location-data sales ramped up in 2018 when a security problem leaked the real-time locations of US cell phone customers on all four major carriers. Verizon, AT&T, T-Mobile, and Sprint subsequently pledged to stop selling their mobile customers’ location information to third-party data brokers.
However, an investigation by Motherboard in January 2019 found that “T-Mobile, Sprint, and AT&T are [still] selling access to their customers’ location data and that data is ending up in the hands of bounty hunters and others not authorized to possess it, letting them track most phones in the country.”
The carriers made further promises to stop selling the data and later confirmed to the FCC that they had phased out the data-selling programs.
Pai’s letter today did not say exactly which federal law the carriers broke, but Section 222 of the Communications Act says that carriers may not use or disclose location information “without the express prior authorization of the customer.” Carriers have also been accused of violating rules on the usage of 911 location data.
For all the nation-state hacker groups that have targeted the United States power grid—and even successfully breached American electric utilities—only the Russian military intelligence group known as Sandworm has been brazen enough to trigger actual blackouts, shutting the lights off in Ukraine in 2015 and 2016. Now one grid-focused security firm is warning that a group with ties to Sandworm’s uniquely dangerous hackers has also been actively targeting the US energy system for years.
On Wednesday, industrial cybersecurity firm Dragos published its annual report on the state of industrial control systems security, which names four new foreign hacker groups focused on those critical infrastructure systems. Three of those newly named groups have targeted industrial control systems in the US, according to Dragos. But most noteworthy, perhaps, is a group that Dragos calls Kamacite, which the security firm describes as having worked in cooperation with the GRU’s Sandworm. Kamacite has in the past served as Sandworm’s “access” team, the Dragos researchers write, focused on gaining a foothold in a target network before handing off that access to a different group of Sandworm hackers, who have then sometimes carried out disruptive effects. Dragos says Kamacite has repeatedly targeted US electric utilities, oil and gas, and other industrial firms since as early as 2017.
“They are continuously operating against US electric entities to try to maintain some semblance of persistence” inside their IT networks, says Dragos vice president of threat intelligence and former NSA analyst Sergio Caltagirone. In a handful of cases over those four years, Caltagirone says, the group’s attempts to breach those US targets’ networks have been successful, leading to access to those utilities that’s been intermittent, if not quite persistent.
Caltagirone says Dragos has confirmed only a handful of successful Kamacite breaches of US networks, however, and has never seen those intrusions lead to disruptive payloads. But because Kamacite’s history includes working as part of Sandworm’s operations that triggered blackouts in Ukraine not once, but twice—turning off the power to a quarter million Ukrainians in late 2015 and then to a fraction of the capital of Kyiv in late 2016—its targeting of the US grid should raise alarms. “If you see Kamacite in an industrial network or targeting industrial entities, you clearly can’t be confident they’re just gathering information. You have to assume something else follows,” Caltagirone says. “Kamacite is dangerous to industrial control facilities because when they attack them, they have a connection to entities who know how to do destructive operations.”
Dragos ties Kamacite to electric grid intrusions not just in the US, but also to European targets well beyond the well-publicized attacks in Ukraine. That includes a hacking campaign against Germany’s electric sector in 2017. Caltagirone adds that there have been “a couple of successful intrusions between 2017 and 2018 by Kamacite of industrial environments in Western Europe.”
Dragos warns that Kamacite’s main intrusion tools have been spear-phishing emails with malware payloads and brute-forcing logins to cloud-based Microsoft services such as Office 365 and Active Directory, as well as to virtual private networks. Once the group gains an initial foothold, it relies on valid user accounts to maintain access, and has used the credential-stealing tool Mimikatz to spread further into victims’ networks.
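The credential-guessing and valid-account behaviour described above is the part of this tradecraft a defender can see in ordinary sign-in logs. The following is an added example written for this page, not code from Dragos or from the report, showing how to tell a password spray (one source, many accounts, a few attempts each, to stay under lockout thresholds) from a classic brute force (one source, one account, many attempts), and how to flag a successful login from a source that has just been spraying, which is the foothold the text says the group goes on to use. The log lines are constructed for the example and the "timestamp result user source_ip" layout is an assumption, not a real Office 365, Active Directory or VPN log schema; the thresholds are illustrative.

```python
"""Telling a password spray from a brute force in sign-in logs.

Added example, not code from Dragos or the article. Log format and
thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # look-back per source address
SPRAY_MIN_USERS = 8              # distinct accounts tried from one source
SPRAY_MAX_PER_USER = 2           # sprays keep per-account attempts low
BRUTE_MIN_ATTEMPTS = 10          # one account, many failures, one source

# Assumed line layout: "<ISO-8601 timestamp> <FAIL|OK> <user> <source ip>"
LINE = re.compile(r"^(\S+)\s+(FAIL|OK)\s+(\S+)\s+(\S+)$")

# Constructed sample events (not real traffic): a spray over ten accounts
# followed by a successful login, a brute force against "admin", and one
# user who mistyped a password once and then got in.
_SPRAY_USERS = ["alice", "bob", "carol", "dave", "erin",
                "frank", "grace", "heidi", "ivan", "judy"]
SAMPLE_LOG = "\n".join(
    [f"2021-02-24T08:00:{i * 5:02d}Z FAIL {u} 203.0.113.7"
     for i, u in enumerate(_SPRAY_USERS)]
    + ["2021-02-24T08:04:10Z OK judy 203.0.113.7"]
    + [f"2021-02-24T09:00:{i:02d}Z FAIL admin 198.51.100.22" for i in range(12)]
    + ["2021-02-24T10:00:00Z FAIL carol 192.0.2.5",
       "2021-02-24T10:00:30Z OK carol 192.0.2.5"]
)


def parse(log_text):
    """Parse lines into (timestamp, result, user, ip); skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # a real pipeline would count unparseable lines
        ts, result, user, ip = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       result, user.lower(), ip))
    events.sort()
    return events


def analyse(events):
    """Return {source_ip: finding} for sources showing spray or brute force."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[1] == "FAIL"]
        tags, accounts = set(), set()
        # Slide a window over this source's failures; each failure in turn
        # starts a window, so any dense burst gets examined.
        for i, (start, _, _, _) in enumerate(fails):
            per_user = defaultdict(int)
            for ts, _, user, _ in fails[i:]:
                if ts - start > WINDOW:
                    break
                per_user[user] += 1
            if (len(per_user) >= SPRAY_MIN_USERS
                    and max(per_user.values()) <= SPRAY_MAX_PER_USER):
                tags.add("password_spray")
                accounts.update(per_user)
            hammered = [u for u, n in per_user.items() if n >= BRUTE_MIN_ATTEMPTS]
            if hammered:
                tags.add("brute_force")
                accounts.update(hammered)
        # A success from a spraying source is the valid-account foothold
        # worth chasing first: which account, and what did it do next?
        compromised = set()
        if "password_spray" in tags:
            first, last = fails[0][0], fails[-1][0]
            for ts, result, user, _ in evs:
                if result == "OK" and first <= ts <= last + WINDOW:
                    tags.add("success_after_spray")
                    compromised.add(user)
        if tags:
            findings[ip] = {"tags": sorted(tags),
                            "accounts": sorted(accounts),
                            "compromised": sorted(compromised)}
    return findings


if __name__ == "__main__":
    for ip, finding in analyse(parse(SAMPLE_LOG)).items():
        print(ip, finding)
```

The per-source window is what separates the two patterns: a spray looks like noise if you alert per account (one or two failures each), and a brute force looks like noise if you alert per source only on distinct-account count. Keying on the source address is a convenience for the example; in practice sprays rotate through many addresses, so the same logic should also be run keyed on other stable attributes such as user agent or ASN.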
Kamacite’s relationship to the hackers known as Sandworm—which has been identified by the NSA and US Justice Department as Unit 74455 of the GRU—isn’t exactly clear. Threat intelligence companies’ attempts to define distinct hacker groups within shadowy intelligence agencies like the GRU have always been murky. By naming Kamacite as a distinct group, Dragos is seeking to break down Sandworm’s activities differently from others who have publicly reported on it, separating Kamacite as an access-focused team from another Sandworm-related group it calls Electrum. Dragos describes Electrum as an “effects” team, responsible for destructive payloads like the malware known as Crash Override or Industroyer, which triggered the 2016 Kyiv blackout and may have been intended to disable safety systems and destroy grid equipment.
Together, in other words, the groups Dragos call Kamacite and Electrum make up what other researchers and government agencies collectively call Sandworm. “One group gets in, the other group knows what to do when they get in,” says Caltagirone. “And when they operate separately, which we also watch them do, we clearly see that neither is very good at the other’s job.”
When WIRED reached out to other threat-intelligence firms including FireEye and CrowdStrike, none could confirm seeing a Sandworm-related intrusion campaign targeting US utilities as reported by Dragos. But FireEye has previously confirmed seeing a widespread US-targeted intrusion campaign tied to another GRU group known as APT28 or Fancy Bear, which WIRED revealed last year after obtaining an FBI notification email sent to targets of that campaign. Dragos pointed out at the time that the APT28 campaign shared command-and-control infrastructure with another intrusion attempt that had targeted a US “energy entity” in 2019, according to an advisory from the US Department of Energy. Given that APT28 and Sandworm have worked hand-in-hand in the past, Dragos now pins that 2019 energy-sector targeting on Kamacite as part of its larger multiyear US-targeted hacking spree.
Dragos’ report goes on to name two other new groups targeting US industrial control systems. The first, which it calls Vanadinite, appears to have connections to the broad group of Chinese hackers known as Winnti. Dragos blames Vanadinite for attacks that used the ransomware known as ColdLock to disrupt Taiwanese victim organizations, including state-owned energy firms. But it also points to Vanadinite targeting energy, manufacturing, and transportation targets around the world, including in Europe, North America, and Australia, in some cases by exploiting vulnerabilities in VPNs.
The second newly named group, which Dragos calls Talonite, appears to have targeted North American electric utilities, too, using malware-laced spear-phishing emails. Dragos ties that targeting to previous phishing attempts using malware known as LookBack, identified by Proofpoint in 2019. Yet another group Dragos has dubbed Stibnite has targeted Azerbaijani electric utilities and wind farms using phishing websites and malicious email attachments, but has not hit the US to the security firm’s knowledge.
While none among the ever-growing list of hacker groups targeting industrial control systems around the world appears to have used those control systems to trigger actual disruptive effects in 2020, Dragos warns that the sheer number of those groups represents a disturbing trend. Caltagirone points to a rare but relatively crude intrusion targeting a small water treatment plant in Oldsmar, Florida earlier this month, in which a still-unidentified hacker attempted to vastly increase the levels of caustic lye in the 15,000-person city’s water. Given the lack of protections on those sorts of small infrastructure targets, a group like Kamacite, Caltagirone argues, could easily trigger widespread, harmful effects even without the industrial-control system expertise of a partner group like Electrum.
That means the rise in even relatively unskilled groups poses a real threat, Caltagirone says. The number of groups targeting industrial control systems has been continually growing, he adds, ever since Stuxnet showed at the beginning of the last decade that industrial hacking with physical effects is possible. “A lot of groups are appearing, and there are not a lot going away,” says Caltagirone. “In three to four years, I feel like we’re going to reach a peak, and it will be an absolute catastrophe.”
Nearly six years after buying DirecTV for $48.5 billion, AT&T today announced a deal to sell a minority stake in the business unit and spin it out into a new subsidiary.
AT&T said its deal with private equity firm TPG Capital values the TV business at $16.25 billion. A press release said that AT&T and TPG “will establish a new company named DirecTV that will own and operate AT&T’s US video business unit consisting of the DirecTV, AT&T TV, and U-verse video services.”
AT&T will own 70 percent of the spun-off DirecTV company’s common equity while TPG will own 30 percent. DirecTV in its new form “will be jointly governed by a board with two representatives from each of AT&T and TPG, as well as a fifth seat for the CEO, which at closing will be Bill Morrow, CEO of AT&T’s US video unit,” the announcement said.
AT&T acknowledged that its DirecTV purchase didn’t work out as planned.
“With our acquisition of DirecTV, we invested approximately $60 billion in the US video business,” AT&T said in materials distributed to reporters. “It’s fair to say that some aspects of the transaction have not played out as we had planned, such as pay TV households in the US declining at a faster pace across the industry than anticipated when we announced the deal back in 2014. In fact, we took a $15.5 billion impairment on the business in 4Q20.”
Focus on 5G, fiber, and HBO Max
Separating DirecTV into a new unit will help AT&T focus on its key “strategic” areas of 5G mobile service, fiber Internet, and HBO Max, AT&T said.
“As the pay-TV industry continues to evolve, forming a new entity with TPG to operate the US video business separately provides the flexibility and dedicated management focus needed to continue meeting the needs of a high-quality customer base and managing the business for profitability,” AT&T CEO John Stankey said. “TPG is the right partner for this transaction and creating a new entity is the right way to structure and manage the video business for optimum value creation.”
The companies said they expect to close their transaction in the second half of 2021 and that it “is subject to customary closing conditions and to regulatory reviews.” AT&T said it expects to receive $7.6 billion in cash from the partial sale and that it will use the money to reduce its debt.
8 million TV customers fled AT&T
AT&T has lost over 8 million customers since early 2017 from its Premium TV services, which include DirecTV satellite, U-verse wireline video, and the newer AT&T TV online service. Total customers in that category decreased from over 25 million in early 2017 to 16.5 million at the end of 2020.
“Since AT&T closed the DirecTV acquisition in 2015, the business has generated cash flows of more than $4 billion per year, and the company expects this to continue in 2021,” today’s announcement said.
DirecTV’s deal with NFL Sunday Ticket apparently will not be disrupted, as AT&T said it will continue to “fund NFL Sunday Ticket for 2021 and 2022 (up to a $2.5B cumulative cap).”
Current video customers should not expect major changes, AT&T said.
“Existing AT&T video customers will become DirecTV customers at close and will be able to keep their video service and any bundled wireless or broadband services as well as associated discounts,” AT&T said. “AT&T and TPG are committed to a smooth transition and seamless customer experience and will work to further improve customer service and bring new features to DirecTV’s video services.”
Hackers are mass scanning the Internet in search of VMware servers with a newly disclosed code-execution vulnerability that has a severity rating of 9.8 out of a possible 10.
CVE-2021-21972, as the security flaw is tracked, is a remote code-execution vulnerability in VMware vCenter Server, the application, available for Windows or Linux, that administrators use to manage virtualization across large networks. Within a day of VMware issuing a patch, proof-of-concept exploits appeared from at least six different sources. The severity of the vulnerability, combined with the availability of working exploits for both Windows and Linux machines, sent hackers scrambling to find vulnerable servers.
“We’ve detected mass scanning activity targeting vulnerable VMware vCenter servers (https://vmware.com/security/advisories/VMSA-2021-0002.html),” researcher Troy Mursch of Bad Packets wrote.
Mursch said that the BinaryEdge search engine found almost 15,000 vCenter servers exposed to the Internet, while Shodan searches revealed about 6,700. The mass scanning is aiming to identify servers that have not yet installed the patch, which VMware released on Tuesday.
Unfettered code execution, no authorization required
CVE-2021-21972 allows a hacker with no authorization to upload files to vulnerable vCenter servers that are publicly accessible over port 443, researchers from security firm Tenable said. Successful exploits result in unfettered remote code execution in the underlying operating system. The vulnerability stems from a lack of authentication in the vRealize Operations plugin, which is installed by default, so a vCenter instance is exposed whether or not vRealize Operations itself is in use.
The flaw has received a severity score of 9.8 out of 10.0 on the Common Vulnerability Scoring System Version 3.0. Mikhail Klyuchnikov, the Positive Technologies researcher who discovered the vulnerability and privately reported it to VMware, compared the risk posed by CVE-2021-21972 to that of CVE-2019-19781, a critical vulnerability in the Citrix Application Delivery Controller.
The Citrix flaw came under active attack last year in ransomware attacks on hospitals and, according to a criminal indictment filed by the US Justice Department, in intrusions into game and software makers by hackers backed by the Chinese government.
In a blog post earlier this week, Klyuchnikov wrote:
In our opinion, the RCE vulnerability in the vCenter Server can pose no less a threat than the infamous vulnerability in Citrix (CVE-2019-19781). The error allows an unauthorized user to send a specially crafted request, which will later give them the opportunity to execute arbitrary commands on the server. After receiving such an opportunity, the attacker can develop this attack, successfully move through the corporate network, and gain access to the data stored in the attacked system (such as information about virtual machines and system users). If the vulnerable software can be accessed from the Internet, this will allow an external attacker to penetrate the company’s external perimeter and also gain access to sensitive data. Once again, I would like to note that this vulnerability is dangerous, as it can be used by any unauthorized user.
The researcher provided technical details here.
CVE-2021-21972 affects vCenter Server versions 6.5, 6.7, and 7.0. People running one of these versions should update to 6.5 U3n, 6.7 U3l, or 7.0 U1c as soon as possible. Those who can’t immediately install a patch should implement VMware’s workarounds, which involve editing a compatibility matrix file to mark the vRealize plugin as incompatible, disabling it. That is a stopgap rather than a fix: it removes the vulnerable plugin from the web interface instead of correcting it, and in any case a vCenter server should not be reachable from the Internet at all.
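A triage helper for the patch and workaround guidance above, written for this page as an added example; it is not VMware’s or Positive Technologies’ code. It parses vCenter version strings such as "6.7 U3" and "7.0 U1c", compares them against the fixed updates named in the article (so a version with no update letter correctly sorts below the lettered fix), and checks whether a copy of the vsphere-ui compatibility matrix marks the vRealize Operations plugin incompatible. The matrix layout and the plugin package id com.vmware.vrops.install are assumptions taken from my reading of VMware’s workaround guidance, not from the article; verify both against the vendor’s current KB before relying on the check. The sample XML is constructed.

```python
"""Exposure triage for CVE-2021-21972 (added example; not vendor code).

Answers two questions for a vCenter Server instance using the versions
the article lists: is it on a fixed update, and if not, has the published
workaround (marking the vRealize Operations plugin incompatible in the
vsphere-ui compatibility matrix) been applied? The plugin package id and
the matrix layout below are assumptions for this example; confirm them
against VMware's KB before relying on the check.
"""
import re
import xml.etree.ElementTree as ET

# First update carrying the fix, per the advisory text:
# 6.5 U3n, 6.7 U3l, 7.0 U1c.
FIXED = {(6, 5): (3, "n"), (6, 7): (3, "l"), (7, 0): (1, "c")}

# Assumed id of the vROps plugin package (not from the article).
VROPS_PLUGIN_ID = "com.vmware.vrops.install"

# Accepts "7.0", "6.7 U3", "6.7U3l", "6.7.0 Update 3l"
_VER = re.compile(
    r"^(\d+)\.(\d+)(?:\.\d+)?\s*(?:(?:U|Update)\s*(\d+)([a-z])?)?$", re.I)


def parse_version(text):
    """Return (major, minor, update, letter); GA is update 0 with no letter."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version: {text!r}")
    major, minor, upd, letter = m.groups()
    return int(major), int(minor), int(upd or 0), (letter or "").lower()


def is_patched(version_text):
    """True/False for the 6.5, 6.7 and 7.0 lines; None if the line is not one
    the advisory text lists, so the caller can route it for manual review."""
    major, minor, upd, letter = parse_version(version_text)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return None
    # "U3" with no letter is older than "U3l": (3, "") < (3, "l") as required.
    return (upd, letter) >= fixed


def workaround_applied(matrix_xml):
    """True if the compatibility matrix marks the vROps plugin incompatible."""
    root = ET.fromstring(matrix_xml)
    return any(
        pkg.get("id") == VROPS_PLUGIN_ID
        and pkg.get("status", "").lower() == "incompatible"
        for pkg in root.iter("PluginPackage")
    )


def triage(version_text, matrix_xml=None):
    """Classify an instance as patched, mitigated, vulnerable or unlisted-version."""
    patched = is_patched(version_text)
    if patched is None:
        return "unlisted-version"
    if patched:
        return "patched"
    if matrix_xml is not None and workaround_applied(matrix_xml):
        return "mitigated"
    return "vulnerable"


# Constructed sample of a matrix file with the workaround entry in place.
SAMPLE_MATRIX = """<Matrix>
  <pluginsCompatibility>
    <PluginPackage id="com.vmware.vrops.install" status="incompatible"/>
  </pluginsCompatibility>
</Matrix>"""


if __name__ == "__main__":
    for ver in ("6.5 U3m", "6.7 U3l", "7.0 U1", "7.0U1c", "6.0 U3"):
        print(ver, "->", triage(ver, SAMPLE_MATRIX))
```

A "mitigated" result only means the plugin has been disabled; the instance still needs the patch, and an "unlisted-version" result is deliberately not treated as safe, since the article names only the 6.5, 6.7 and 7.0 lines.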