From Capitol Hill, the Wall Street Journal reports that “the Senate Homeland Security Committee took a step forward on Wednesday October 6], advancing a bill that would require hospitals and oil and natural-gas pipeline companies, among other critical infrastructure operators, to report cyberattacks and ransom payments within 72 hours. Chairman Gary Peters said he wants the bill tacked onto the broader annual defense authorization package.” More details on this Senate committee meeting is available on Nextgov.
On the regulatory front, the U.S. Justice Department announced on Wednesday October 6 a new Civil Cyber- Fraud Initiative that
will utilize the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients. The False Claims Act is the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations. The act includes a unique whistleblower provision, which allows private parties to assist the government in identifying and pursing fraudulent conduct and to share in any recovery and protects whistleblowers who bring these violations and failures from retaliation.
The initiative will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.
Cyberscoop adds that “The focus comes after suspected Russian hackers breached the federal contractor SolarWinds in 2020, using the federal contractor as a foothold into nine U.S. agencies.”
Because the False Claims Act is applicable to FEHB carriers and many FEHB subcontractors, it’s worth adding that the False Claims Act defines “knowingly” as having “actual knowledge” or acting “in deliberate ignorance” or “reckless disregard of the truth or falsity of the information.” 31 U.S.C § 3729(b)(1)(A). Courts have recognized that this is more than a mere negligence standard. E.g. United States v. Sci. Applications Int’l Corp., 626 F.3d 1257, 1274-75 (D.C. Cir. 2010) (quoting S. Rep. No. 99-345, at 6, 19 (1986)).
It strikes the FEHBlog as unusual that the Justice Department laid out its policy without bringing a test lawsuit. However, because the False Claims Act authorizes private parties to bring False Claims Act lawsuits on behalf of the federal government (“qui tam” actions), the Justice Department may have taken this approach to alert the active qui tam bar of the Department’s support for these kinds of False Claim Act lawsuits.
From the ransomware front, Bleeping Computer reports
While most ransomware actors spend time on the victim network looking for important data to steal, one group favors quick malware deployment against sensitive, high-value targets. It can take less than two days for the FIN12 gang to execute on the target network a file-encrypting payload – most of the time Ryuk ransomware.
The group is a close partner of the TrickBot gang and targets high-revenue victims (above $300 million) from various activity sectors and regions on the globe.
FIN12 is characterized by skipping the data exfiltration step that most ransomware gangs have adopted to increase their chances of getting paid. This attribute allows the group to execute attacks at a much faster rate than other ransomware operations, taking them less than two days from the initial compromise to the file encryption stage.
According to data collected from investigations, most ransomware gangs that also steal data have a median dwell time of five days and the average value is 12.4 days.
With FIN12, the average time spent on the victim network dropped each year, getting to less than three days in the first half of 2021. After getting initial access, the group did not waste any time hitting their victims and in most cases they started activity on the same day. * * *
In a profile of the group published today [October 7] by cybersecurity company Mandiant, researchers note that many FIN12 victims are in the healthcare sector.
And here’s a link to Bleeping Computer’s The Week in Ransomware report. What’s more here’s a link to Unit 42’s first supplement to the ransomware report that issued earlier this year. This supplement focuses on ransomware families, like FIN12.