Cyber Security Today, May 8, 2024 – The alleged LockBit ransomware leader is identified, and the gang makes false claims of new victims

The alleged LockBit ransomware leader is identified, and the gang makes false claims of new victims.

Welcome to Cyber Security Today. It’s Wednesday, May 8, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for TechNewsday.com.


The LockBit ransomware gang may be up to some mischief in response to a promised police announcement. You may recall that in February, American and U.K. law authorities seized and closed the gang’s stolen data leak site. On Sunday the authorities revived the site, promising interesting news would be coming on Tuesday. Apparently in response the LockBit gang posted a supposed new list of victims on a website it controls. One on the list is a Canadian government agency, the Canada Development Investment Corporation. I contacted the agency for comment. It said it has NOT been the subject of a cyber attack. Brett Callow, a Canadian-based threat analyst for Emsisoft, told me the alleged new list of LockBit victims is likely a “desperate measure” aimed at convincing the gang’s affiliates that all is well. It’s possible the new list of victims is a bluff, or LockBit has data that it got from other gangs’ thefts.

As for the promised law enforcement announcement, the U.S. Justice Department unsealed charges against a Russian citizen for allegedly being the creator, developer and administrator of LockBit. Dimitry Khoroshev was indicted by a New Jersey grand jury. It is alleged that over the years he received at least US$100 million as his cut of ransomware payments from victims. The U.S. is offering a US$10 million reward for information leading to Khoroshev’s arrest. So far six people have been charged by the U.S. with being part of the LockBit gang. One is in U.S. custody awaiting trial. Another pleaded guilty this year to charges here in Canada and is awaiting extradition to the U.S.

The personal information of an unknown number of current and former members of the U.K. military was copied when a payroll system run by an outside firm was hacked. The BBC says the information included names and bank details. The BBC also said the government suspects threat actors from China were involved. In response, China called the allegation “fabricated and malicious slander.”

The annual RSA cybersecurity conference is going on this week in San Francisco. During one keynote the chief information security officer of Trellix, Harold Rivas, outlined three qualities CISOs need to be successful: First, the ability to be an architect, which means not only having deep technology knowledge but also the ability to fuse business and technology priorities; second, the ability to be an effective operator, which means understanding business operations as well as what’s going on in the world; and third, to be a connector, which means being able to effectively communicate risks to the C-suite. Rivas also mentioned the importance of building a network with other senior IT security leaders to ask for advice when needed.

At another session Behnam Dayanim, partner at a San Francisco law firm, urged organizations to prepare now for the possible passage of artificial intelligence laws and regulations. Why now? Because your staff may already be using AI tools. So, create a cross-discipline team to develop and oversee the proper use of AI, such as making sure staff don’t use confidential corporate information and that any AI recommendations are free from bias.

By coincidence this week the IT governance association called ISACA released a poll of IT audit, trust, governance, privacy and cybersecurity pros about AI. Forty-two per cent of respondents said their firm allows staff to use generative AI systems like ChatGPT. However, only 15 per cent of respondents said their organization has a formal AI use policy.

One of the first things lawyers tell management and IT leaders after a cyber incident is to copy all documentation through a law firm. That way solicitor-client privilege can be claimed for everything. If the organization is involved in legal matters then details on possible mistakes might be shielded from coming out. However, a Canadian court recently ruled that doesn’t work all the time. The case involved a huge data breach in 2019 at a medical laboratory called LifeLabs. Two provincial privacy commissioners demanded reports by LifeLabs’ IT consultants on the breach. The privacy commissioners rejected LifeLabs’ claim of lawyer privilege and got the documents. The commissioners issued a summary report finding LifeLabs failed to take reasonable steps to safeguard personal information and personal health information. LifeLabs then went to court to fight the decision and block the release of the privacy commissioners’ full report into the data theft. That was four years ago. Last month a panel of Ontario Superior Court judges rejected the claim of solicitor-client privilege for privacy regulator report requests. Privilege is for protecting documents in preparation for lawsuits, the court ruled. It doesn’t apply to facts that may be useful to lawyers in preparation for litigation, or facts that an organization has to produce under the orders of a privacy regulator. Unless a higher court overrules, this decision is the law in Ontario. Courts in other Canadian provinces and territories may reach a different conclusion. I asked LifeLabs if it will appeal the court decision. No response had been received by the time this podcast was recorded on Tuesday afternoon.

Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.

Howard Solomon
https://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
