Public Urged to Use Encryption for Mobile Phone Messaging and Calls

On December 4, 2024, the law enforcement and cyber security agencies of four of the five members of the Five Eyes intelligence-sharing group (the United States, Australia, Canada, and New Zealand) (the Agencies) published a joint guide for network engineers, defenders of communications infrastructure, and organizations with on-premises enterprise equipment (the Guide). The Agencies strongly encourage applying the Guide’s best practices to improve visibility and harden network devices against exploitation by reported hackers, including those affiliated with the People’s Republic of China (PRC). The fifth member, the United Kingdom, released a statement supporting the joint guide but stated that it had alternate methods of mitigating cyber risks for its telecom providers.

In November 2024, the Federal Bureau of Investigation (FBI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a joint statement updating the public on their investigation into the previously reported PRC-affiliated hacks of multiple telecommunications companies’ networks. The FBI and CISA reported that these hacks appeared to focus on the cell phone activity of individuals involved in political or government activity and on copies of law enforcement informational requests subject to court orders. At the time of the update, however, these U.S. agencies and members of Congress had underscored the broad and significant nature of this breach. At least one elected official stated that the hacks potentially expose unencrypted cell phone conversations with someone in America to the hackers.

In particular, the Guide recommends adopting measures that quickly identify anomalous behavior, vulnerabilities, and threats and that support response to a cyber incident. It also directs telecoms and businesses to reduce existing vulnerabilities, improve secure configuration habits, and limit potential entry points. One of the Guide’s recommended best practices attracting media attention is ensuring that mobile phone messaging and call traffic is fully end-to-end encrypted to the maximum extent possible. Without end-to-end encryption, the content of calls and messages can always potentially be intercepted. Android-to-Android messaging and iPhone-to-iPhone messaging are fully end-to-end encrypted, but messaging between an Android and an iPhone is not currently end-to-end encrypted. Google and Apple recommend using a fully encrypted messaging app to better protect message content from hackers.

The FBI and CISA are continuing to investigate the hacks and will update the public as the investigation permits. In the interim, telecom providers and companies are encouraged to adopt the Guide’s best practices and to report any suspicious activity to their local FBI field office or the FBI’s Internet Crime Complaint Center. Cyber incidents may also be reported to CISA.

Tenth Circuit Declares No Remedy for Hemp Farmer Whose Federally Legal Plants Were Seized

In January, the United States Court of Appeals for the Tenth Circuit issued a published opinion in Serna v. Denver Police Department, No. 21-1446 (10th Cir. Jan. 24, 2023), upholding the dismissal of a hemp farmer’s lawsuit against local government officials in Colorado who confiscated his plants.

The farmer – Francisco Serna – brought suit under the Agriculture Improvement Act of 2018 (the “2018 Farm Bill”) which legalized hemp across the country and included limitations on states’ ability to prohibit the transportation of certain hemp plants and products across state lines. However, the three-judge panel concluded that no provision within the law allows for a private right of action by an individual to challenge instances of perceived unlawful governmental interference.

Serna grew hemp in Texas and intended to bring several plants home with him from Colorado. But when he attempted to get the plants – consisting of “plant clones or rooted clippings” – through Denver’s airport, a police officer confiscated them under a departmental policy to seize plants containing any discernible level of THC. Even though Serna had documentation showing that the plants’ THC level was beneath the limit authorized by the 2018 Farm Bill – and therefore compliant under federal law –  the officer took the plants anyway.

Serna’s Legal Proceedings

Serna sued the Denver Police Department and the confiscating officer under Section 10114(b) of the 2018 Farm Bill, which prohibits states from interfering with interstate transport of hemp and products that comply with the law. Serna asserted that because his plants were compliant, the defendants violated the provision. However, a federal magistrate judge granted the defendants’ motion to dismiss, which the district court adopted.[1] Serna then appealed to the Tenth Circuit.

The Tenth Circuit also held that no private right of action existed for Serna to employ. The court’s conclusion rests on the determination that Congress did not intend that hemp farmers, like Serna, should constitute a protected class under the 2018 Farm Bill. Without that status, they cannot sue. The court focused on the plain language of Section 10114(b), reasoning that it “makes no mention of [a] purported class of licensed [hemp] farmers” and merely provides that “no state…shall prohibit the transportation or shipment of hemp” across its borders. Thus, the provision pertains only to “the person regulated rather than the individuals protected,” which is fatal to the private right of action inquiry. The court compared Section 10114(b) with other federal statutes that do create private rights of action, such as Title VI of the 1964 Civil Rights Act, which specifies that “[n]o person…shall…be subjected to discrimination.” 42 U.S.C. § 2000d.

Takeaways

The unfortunate result of this decision is that individuals who comply with the provisions of the 2018 Farm Bill during the course of their business operations cannot seek recourse from improper government meddling. As a result, the law is significantly less protective than anticipated. Rather than suing to protect their interests, entrepreneurs like Serna must instead depend upon other actors – perhaps state attorneys general – to pursue these types of cases. However, those non-stakeholders generally have less incentive to pursue lawsuits, particularly against peer law enforcement agencies, leaving hemp operators with no remedy to enforce their rights under the 2018 Farm Bill.

In a broader sense, the Serna case is a cautionary tale for those who expect federal descheduling of marijuana to resolve the regulatory complexities currently faced throughout the cannabis industry. If hemp operators working with products that are federally legal are unable to utilize the courts to challenge unlawful seizure of their products, then the effectiveness of federal legalization of cannabis may require an express private right of action.

Going forward, Serna has a limited period of time to request that the case be re-heard by the Tenth Circuit en banc (i.e., by the entire eleven-judge court) – otherwise, the three-judge panel’s opinion will remain the operative, binding outcome.


[1] The magistrate judge and the district judge differed on their bases for concluding that Serna could not sue under the 2018 Farm Bill. Specifically, the magistrate judge determined that Section 10114(b) neither created a private right of action nor a private remedy. The district judge, on the other hand, concluded that Congress did authorize a private right of action but no private remedy to enforce it was evident. This additional divergence is another example of how the 2018 Farm Bill is susceptible to conflicting interpretations, which will likely only increase going forward as other courts consider the issue.

© 2023 ArentFox Schiff LLP

Ankura Cyber Threat Intelligence Bulletin: August – September 2022

Over the past sixty days, Ankura’s Cyber Threat Investigations & Expert Services (CTIX) Team of analysts has compiled key learnings about the latest global threats and current cyber trends into an in-depth report: The Cyber Threat Intelligence Bulletin. This report provides high-level executives, technical analysts, and everyday readers with the latest intel and insights from our expert analysts.

Download the report for an in-depth look at the key cyber trends to watch and help safeguard your organization from constantly evolving cyber threats with the latest cyber intelligence, ransomware, and threat insights.

Our latest report explains the following observations in detail:

Law Enforcement Works with Threat Intelligence to Prosecute Human Traffickers

In the age of high-speed internet and social media, criminals have evolved to use information technology to bolster their criminal enterprises and human traffickers are no different. Whether it be through the clearnet or dark web, human traffickers have leveraged the internet to scale their operations, forcing law enforcement to reevaluate how to best combat this problem. In response to the changes in trafficker tactics, techniques, and procedures (TTPs), governments across the world have responded with legislation and policies in an attempt to better thwart the efforts of these criminals. Researchers from Recorded Future’s Insikt Group have published compelling reports as a proof-of-concept (PoC) for a methodology on how law enforcement agencies and investigators can utilize real-time threat intelligence to leverage sources of data in order to aid in tracking, mitigating, and potentially prosecuting human sex traffickers. Download the full report for additional details on law enforcement efforts to prosecute human traffickers and more on the Insikt Group’s findings.

Emerging Threat Organization “MONTI”: Sister Organization or Imposter Threat Group?

Over the past several weeks a new, potentially imposter, threat organization has mimicked the tactics, techniques, procedures (TTPs), and infrastructure of the Conti Ransomware Group. Tracked as MONTI, this doppelganger organization emerged in the threat landscape in July 2022 after compromising a company and encrypting approximately twenty (20) hosting devices and a multi-host VMware ESXi instance tied to over twenty (20) additional servers. While the July attack pushed the group into the limelight, analysts believe that attacks from the doppelganger organization go back even further, into the early summer of 2022. Similarities discovered between Conti Ransomware and the alleged spinoff Monti Ransomware include attack TTPs alongside the reuse of Conti-attributed malicious payloads, deployed tools, and ransom notes. Additionally, the encrypted files exfiltrated by Monti contain nearly identical encryption, which could indicate code re-usage. Read the full report to find out what CTIX analysts expect to see from this group in the future.

Figure 1: Conti Ransom Note

Figure 2: Monti Ransom Note

Iranian State-Sponsored Threat Organization’s Attack Timeline Targeting the Albanian Government

In July 2022, nation-state Iranian threat actors, identified by the FBI as “Homeland Justice”, launched a “destructive cyber-attack” against the Government of NATO-member Albania in which the group acquired initial access to the victim network approximately fourteen (14) months before (May of 2021). During this period, the threat actors continuously accessed and exfiltrated email content. The peak activity was observed between May and June of 2022, where actors conducted lateral movements, network reconnaissance, and credential harvesting.

This attack and eventual data dumps were targeted against the Albania-based Iranian dissident group Mujahideen E-Khalq (MEK), otherwise known as the People’s Mojahedin Organization of Iran. MEK is a “controversial Iranian resistance group” that was exiled to Albania and once listed by the United States as a Foreign Terrorist Organization for activity in the 1970s but was later removed in late 2012. Albania eventually severed diplomatic ties with Iran on September 7, 2022, and is suspected to be the first country to ever have done so due to cyber-related attacks. For a more detailed analysis of this attack and its ramifications, download our full report.

Figure: Homeland Justice Ransom Note Image

Banning Ransomware Payments Becomes Hot-Button Issue in State Legislature

There is a debate occurring in courtrooms across the United States regarding the ethics and impacts of allowing businesses to make ransomware payments. North Carolina and Florida have broken new ground earlier this year passing laws that prohibit state agencies from paying cyber extortion ransom demands. While these two (2) states have been leading the way in ransomware laws, at least twelve (12) other states have addressed ransomware in some way, adding criminal penalties for those involved and requiring public entities to report ransomware incidents. Download the full report to discover what experts think of government ransomware payment bans and the potential effects they could have on ransomware incidents.

Threat Actor of the Month: Worok

ESET researchers discovered a new cluster of the long-active TA428 identified as “Worok.” TA428 is a Chinese advanced persistent threat (APT) group first identified by Proofpoint researchers in July 2019 during “Operation LagTime IT”, a malicious attack campaign targeted against government IT agencies in East Asia. Download the full report for an in-depth look at Worok’s tactics and objectives, and insights from our analysts about the anticipated future impact of this group.

New List of Trending Indicators of Compromise (IOCs)

Organizations can use IOCs to detect security incidents more quickly, since the activity they describe may not otherwise have been flagged as suspicious or malicious. Explore our latest list of technical indicators of compromise from the past sixty (60) days that are associated with monitored threat groups and/or campaigns of interest.

Copyright © 2022 Ankura Consulting Group, LLC. All rights reserved.

Riot-Related Damage and Income Losses are Covered under Most Business Owners’ Policies

Following the deaths of George Floyd, Breonna Taylor, Ahmaud Arbery, Tony McDade, and Rayshard Brooks, protests against systematic racism in general, and police brutality in particular, have swept the globe. These protests have largely been peaceful, but a small, fractious group of individuals has used the protests as cover to incite violence, damage property, and loot businesses. While it might be cold comfort to the affected business owners to hear that property damage is not the norm, most have insurance that protects their pecuniary interest.[1]

First-party property insurance policies generally include riot and civil commotion as covered causes of loss, unless there is a specific exclusion in the policy. Although courts have acknowledged that defining a “riot” can be difficult because riots vary in size, courts have identified at least four elements:

  1. unlawful assembly of three or more people (or lawful assembly that due to its violence and tumult becomes unlawful);
  2. acts of violence;
  3. intent to mutually assist against lawful authority where “lawful authority” is not limited to official law enforcement, but extends to those whose rights are or may be injured and who seek to protect those rights; and
  4. some degree of public terror (i.e., any minor public disturbance does not rise to the level of “riot”).

Blackledge v. Omega Ins. Co., 740 So. 2d 295, 299 (Miss. 1999).

Civil commotion likewise is undefined in most property policies. As a starting point, the term necessarily means something other than “riot,” since each term in an insurance policy is presumed to have its own meaning. See, e.g., Portland Sch. Dist. No. 1J v. Great Am. Ins. Co., 241 Or. App. 161, 171 (2011). Thus, while “civil commotion” may be similar to a riot, courts have construed the term more broadly, finding that civil commotion entails “either a more serious disturbance or one that is a part of a broader series of disturbances.” Pan Am. World Airways, Inc. v. Aetna Cas. & Sur. Co., 368 F. Supp. 1098, 1138 (S.D.N.Y. 1973), aff’d, 505 F.2d 989 (2d Cir. 1974). In fact, most property policies contain no limitation on the breadth of commotion or the type of harm that it might pose to person or property.

In many policies, riot, civil commotion, vandalism, and malicious mischief are “specified causes of loss.” The practical effect of this designation is that numerous exclusions will contain exceptions for loss caused by these situations. For example, while damage to a business’s electronic data may be excluded, the exclusion may contain an exception for damage to electronic data resulting from specified causes of loss, such as riot or civil commotion. Similarly, even where the policy contains a pollution exclusion – purportedly excluding loss, damage, cost, or expense caused by or contributed to or made worse by the release of “pollutants,” which could include tear gas – that exclusion may not apply to loss or damage caused by riot, civil commotion, or vandalism.

If a policy covers riot or civil commotion, covered losses may include property damage to the building and its contents, and lost income while the building is under repair or subject to government orders affecting the business’s operations (e.g., curfews limiting hours of operation) where the order is the result of property damage elsewhere. Business insurance policies may also cover costs incurred in protecting insured property from future, imminent harm or continued damage. These costs might include hiring (or increasing) security personnel, boarding up windows and doors, securing inventory in place or moving inventory and operations off-site.

Prior to the riots in Minneapolis, Minnesota, the costliest U.S. civil disorder occurred after the acquittal of police officers involved with the arrest and beating of a black American, Rodney King, from April 29 through May 4, 1992, causing $775 million in insured losses.[2] More recently, there were approximately $24 million in insured losses following the death of Freddie Gray, a black American who died in police custody after suffering a spinal cord injury.[3] Insured losses are not yet available for the riots in Minneapolis, but the Property Claims Services (“PCS”) unit of Verisk Analytics designated the event as a catastrophe. On June 4, 2020, PCS included over 20 other states, making the civil unrest that started in Minnesota a multi-state catastrophic event.[4]

If your business has experienced or may experience a loss because of civil unrest or riots, you should begin keeping track of these losses – and costs incurred to avoid them – immediately. Save receipts and inventory damages. Contact your insurance company as soon as you experience a loss to report your claim and diligently log your interactions with your insurer and its representatives. If you feel your insurer wrongfully denied your claim or delayed payment, contact experienced insurance coverage counsel.


[1] The authors by no means intend to equate property damage and a lost life. Quite the opposite. One is recoverable (and insurable); the other is irreplaceable.

[2] https://www.iii.org/fact-statistic/facts-statistics-civil-disorders (last viewed June 15, 2020).

[3] Id.

[4] Id. By June 4, 2020, at least 40 cities in 23 states had imposed curfews. National Guard were called in Washington, D.C. and at least 21 states.

Copyright © 2020, Hunton Andrews Kurth LLP. All Rights Reserved.