
The influence operations uncovered at NATO summit

Delivered every Monday by 10 a.m., Weekly Cybersecurity examines the latest news in cybersecurity policy and politics.
Aug 21, 2023
 

By Joseph Gedeon

Driving the day

— POLITICO is learning about how hacker groups took aim at the NATO summit in Vilnius this summer, and is first to obtain a new report that shows attackers posting alleged internal government documents and spreading fake NATO press releases.

HAPPY MONDAY, and welcome to MORNING CYBERSECURITY! I spent my formative years in Los Angeles, and let me tell you I know what to do during an earthquake, a heat wave and a mudslide. But a tropical storm? We didn’t learn about that one. Stay safe, West Coast.

Have any tips or secrets to share with MC? Or thoughts on what we should be covering? Email Joseph at [email protected]. You can also follow @POLITICOPro and @MorningCybersec on X. Full team contact info is below. Let’s dive in.

Today's Agenda

The Senate Homeland Committee’s subcommittee on emerging threats and spending oversight is taking to the road for a hearing in New Hampshire on protecting K-12 schools from cyberattacks. 11 a.m.

 


 
 


The International Scene

HACKERS TAKE AIM — While some of the world’s most powerful leaders were assembling at the Vilnius NATO summit in July against the backdrop of Russia’s continued war in Ukraine, suspected Russian hackers were plotting something sinister behind the scenes.

Two hacker groups were engaging in a disinformation campaign aimed at the NATO summit, with one spreading fake NATO press releases mimicking the alliance’s website, and the other posting documents about the summit’s internal security measures — claiming they were obtained from the Lithuanian government.

That’s according to a new report from Graphika, shared with our Maggie and Laurens Cerulus, about the latest in a pulsing series of campaigns by likely Russia-linked groups targeting European countries with disinformation to sow discord among the allies.

— Whodunit?: While researchers can’t say with full confidence, the style and similarities hark back to earlier pro-Russian influence campaigns from Doppelganger and Secondary Infektion — the latter of which is linked to disinformation campaigns in the 2016 U.S. presidential election.

— What was in it: The misinformation campaign included forged announcements that NATO was doubling its defense budget and that the alliance was considering supporting the deployment of Ukrainian troops to France to respond to the protests earlier in the summer.

— Remember: France is a hot topic for Russian-based attacks. A June DFRLabs report on Russian disinformation in West Africa — which includes Niger — showed that the Wagner group has been framing Western colonization, particularly from France, as the root of regional instability.

It was also an example of how “different [hackers] both conduct hard cyberattacks as well as hack-and-leak operations using what they've collected through their hard cyberattacks,” Graphika director of investigations Tyler Williams said.

— Chinks in the armor: Williams says the campaign’s reach on social media was “very limited.” And while it found the most engagement in pro-Russia Telegram groups, there was also “an interesting wrinkle” since members of those same channels were calling out the fake NATO domains, Williams added.

— Keep an eye out: Governments are “paying a little more attention to [influence campaigns] and actually treating it as part of this cyberthreat landscape,” Williams told Maggie and Laurens. “To me it's two sides of the same coin, and I think the closer the influence operations community can work with the actual cyber threat community, I think we all benefit from that.”

— Not the only attack: We told you in an earlier MC about cyberattackers impersonating the Ukrainian World Congress to target NATO Summit guests in Lithuania through a spear-phishing technique linked to the RomCom group with IP addresses traced back to Hungary, based on a BlackBerry Threat Research and Intelligence report.

Get the full scoop from Maggie and Laurens.

On the Hill

A (COMPUTER) WORM IN TEACHER’S APPLE — Although class is still out for Congress, a Senate Homeland Security subcommittee is taking a field trip Monday to New Hampshire to discuss cyberattacks hitting K-12 schools.

It’s a travel panel led by emerging threats and spending oversight subcommittee Chair Maggie Hassan (D-N.H.), who is being joined by New Hampshire, CISA and U.S. Secret Service officials, as well as representatives from the state’s schools.

— What to watch for: Expect the cyber-focused senator to throw weight behind the Department of Education’s recently announced plan to beef up K-12 cyber defense systems by establishing a government council to coordinate communications and policy between the federal government and schools nationwide. The council plan and a state and local cybersecurity grant program in 2021 are some of the senator’s recent mechanisms to be adopted into wider cyber policy.

“The panelists will discuss innovative and collaborative cybersecurity efforts among the offices and agencies charged with protecting our schools, as well as how we can continue to work together to address remaining cybersecurity challenges,” reads an excerpt of Hassan’s opening remarks shared with MC.

— Background: In early August, the White House held a cyber summit for K-12 schools to show its commitment to addressing the problem. CISA is now offering cyber training to 300 new K-12 “entities” over the incoming school year, but administration officials stopped short of promising new federal regulations to address the problems.

— Area schools hit hard: New England-area schools have not been spared by proliferating cyberattacks. Grades for a New Hampshire school district were just released this month following an attack in June, while officials in a Connecticut district weeks later announced the loss of more than $6 million in a flurry of cyberattacks.

— No money, more problems: Despite becoming an increasingly visible target for ransomware groups, school systems still receive woefully low funding to protect against attacks. The latest State EdTech Trends report found 70 percent of school officials reported at least one district in their state was the victim of a cyberattack, while 57 percent said their state provided very little funding for cybersecurity.

— Nothing new: There were 1,619 reported cyberattacks targeting K-12 schools between 2016 and 2022, according to K12 Security Information Exchange.

Cyber Diplomacy

CYBER TEAM ASSEMBLE — A new working group to combat North Korean cyberattacks from the U.S., Japan and South Korea is expected to hit the ground running next month.

The cyber group is just one of the agreements to come out of the three-way Camp David summit between President Joe Biden, Korean President Yoon Suk Yeol and Japanese Prime Minister Fumio Kishida on Friday.

The goal of the new team is to dig deeper into how the reclusive authoritarian state generates financial resources to fund and improve its missile activity, Japan’s foreign affairs spokesperson Hikariko Ono told reporters last week, and to coordinate on ways to counter that revenue.

The working group will focus on sharing intelligence on North Korea’s cryptocurrency use, theft and laundering, and its use of IT workers for revenue generation, while seeking to disrupt its cyber activities.

— Riding the wave: North Korean state-affiliated hackers were to blame for a crypto hack last month against U.S.-based JumpCloud, with Mandiant researchers saying they had “high confidence” the country’s Reconnaissance General Bureau was involved.

Mandiant told Morning Cyber at the time “this is a cryptocurrency-focused element” within the RGB that targets companies taking aim at “cryptocurrency verticals to obtain credentials and reconnaissance data.”

The RGB is widely considered to be Kim Jong-un’s primary spy agency that carries out covert operations, typically targeting Japan, South Korea and the United States.

Surveillance

HUSH-HUSH — A company that sells phone hacking technology to law enforcement is asking its customers to keep the use of its products secret as part of a deal with government agencies, according to a leaked training video.

In the video for law enforcement customers obtained by TechCrunch, a senior employee for Israel-based Cellebrite says “ultimately, you’ve extracted the data, it’s the data that solves the crime, how you got in, let’s try to keep that as hush-hush as possible.”

The employee also says that disclosing the use of Cellebrite’s technology to “bad guys” could “harm the entire law enforcement community globally.” In response to TechCrunch’s reporting, Cellebrite spokesperson Victor Cooper said in an email the company “is committed to support ethical law enforcement.”

— The not-so-secret secret: Other government contractors who shared cellphone surveillance tools with law enforcement agencies, like Harris Corporation, had users sign non-disclosure agreements.

— By the numbers: It’s unclear how many law enforcement agencies use the Cellebrite technology. But on its website, Cellebrite claims its product is being used by more than 100 North American federal accounts, 14 of 15 U.S. Cabinet executive departments and police departments in the 20 largest cities in the country.

Tweet of the Day

Also why no ’80s kid who has seen this movie lives in Las Vegas or Seattle.

Quick Bytes

CYBERCRIME SHUT DOWN — A five-month joint operation between Interpol and Afripol has ended with the arrests of 14 suspected cyber criminals linked to $40 million in heists and the shuttering of 20,000 computer networks spanning 25 countries in Africa, reports Dark Reading.

IT’S STILL OFFLINE — Some computer systems are yet to come back online two weeks after a cyberattack against Prospect Medical Holdings, which runs 16 hospitals and dozens of medical facilities across the United States, reports Pat Eaton-Robb for The Associated Press.

ICYMI — Brokers in the Bay Area are dealing with a housing listing setback for a second straight week following a ransomware attack against their Multiple Listing Service. Agents aren’t able to add new property listings, make price adjustments or access the latest property information for showings, writes Ted Andersen for the San Francisco Business Times.

Chat soon. 

Stay in touch with the whole team: Joseph Gedeon ([email protected]); John Sakellariadis ([email protected]); Maggie Miller ([email protected]); and Heidi Vogt ([email protected]).

 


 
 
 
