The New Snake Keylogger variant targets Windows users via phishing emails, using AutoIt for stealth. Learn how it…

The New Snake Keylogger variant targets Windows users via phishing emails, using AutoIt for stealth. Learn how it steals credentials and evades detection.

Cybersecurity researchers at FortiGuard Labs have discovered a new variant of the Snake Keylogger, also known as the 404 Keylogger, targeting Windows users. As per their research, shared with Hackread.com, this malware is designated AutoIt/Injector.GTY!tr, and has been linked to over 280 million blocked infection attempts globally, primarily concentrated in China, Turkey, Indonesia, Taiwan, and Spain. 

Researchers note that this Snake Keylogger variant typically spreads through phishing emails containing malicious attachments or links. It targets popular web browsers like Chrome, Edge, and Firefox, stealing sensitive information such as credentials and data by logging keystrokes, capturing credentials, and monitoring the clipboard. The stolen data is then exfiltrated to its command-and-control (C2) server via email (SMTP) and Telegram bots. 

According to FortiGuard Labs’ technical report, the malware employs AutoIt, a scripting language frequently used for Windows automation, to deliver and execute its malicious payload. AutoIt can create standalone executables that can bypass standard antivirus solutions whereas AutoIt-compiled binary adds a layer of obfuscation, making detection and analysis more challenging.  

Malware Activity -Source Fortinet

The graph shows the fluctuating activity levels of AutoIt/Injector.GTY detections, suggesting potential campaigns between 1 Jan-12 Feb 2025. It is important to note that this graph represents detected instances, and the actual number of infections could be higher. 

During the attack, the malware drops a copy of itself as “ageless.exe” in the %Local\_AppData%\\supergroup folder with hidden attributes and places “ageless.vbs” in the %Startup% folder. This script uses WScript.Shell() to run “ageless.exe” upon system startup, ensuring persistence.  This method is commonly used because the Windows Startup folder allows scripts to run without administrative privileges.  

After executing “ageless.exe,” the malware injects its malicious payload into a legitimate .NET process, “RegSvcs.exe,” using process hollowing, which involves suspending “RegSvcs.exe,” deallocating its original code, allocating new memory, and injecting the malicious payload. Upon resuming, the process executes the injected code, allowing the malware to hide within a trusted process, evading detection.  

Snake Keylogger retrieves the victim’s geolocation using websites like checkipdyndnsorg and exfiltrates stolen credentials via SMTP and Telegram bots using HTTP Post requests.  Moreover, the malware can detect access to folders containing browser login credentials and other sensitive data. It uses modules to steal data from browser autofill systems, including credit card details and captures keystrokes using the SetWindowsHookEx API with the WH\_KEYBOARD\_LL flag, allowing it to log sensitive input.  

The image shows the various techniques Snake Keylogger employs during the attack, including Collection, Credential Access, Defense Evasion, Exfiltration, Lateral Movement, Privilege Escalation, Reconnaissance, and Resource Development, etc. providing a concise overview of the diverse malicious capabilities of the Snake Keylogger.

Snake Keylogger MITRE ATT&CK Matrix – Source Fortinet

This is a sophisticated, feature-rich variant, and a threat to Windows users worldwide. Organizations and individuals use a combination of advanced threat protection and proactive security measures to defend against this and other emerging keylogger threats.

Snake Keylogger Variant Hits Windows, Steals Data via Telegram Bots

The Chinese state-sponsored threat actor known as Mustang Panda has been observed employing a novel technique to evade detection and maintain control over infected systems.
This involves the use of a legitimate Microsoft Windows utility called Microsoft Application Virtualization Injector (MAVInject.exe) to inject the threat actor's malicious payload into an external process, waitfor.exe,

Chinese Hackers Exploit MAVInject.exe to Evade Detection in Targeted Cyber Attacks

Microsoft warns Apple developers about a new XCSSET malware variant targeting macOS, posing security risks through stealthy infections…

Microsoft warns Apple developers about a new XCSSET malware variant targeting macOS, posing security risks through stealthy infections and data theft.

Cybersecurity researchers at Microsoft Threat Intelligence have identified a new strain of the XCSSET malware targeting macOS users. This modular malware focuses on attacking Apple developers by infecting Xcode projects, tools necessary for building applications on the macOS platform.

While the current spread of this updated version appears limited, experts are urging developers and organizations to implement precautionary measures to safeguard their systems.

****What is XCSSET?****

XCSSET was first identified by Trend Micro in 2020. It has since gained a reputation as a sneaky piece of malware. This latest version builds upon its predecessor’s capabilities with major improvements in its design, making it even harder to detect and defend against.

According to Microsoft’s findings, the new variant comes equipped with advanced obfuscation techniques, more sophisticated persistence mechanisms, and updated methods for infecting systems. These upgrades make XCSSET a persistent and stealthy threat that can carry out a mix of different malicious activities, including targeting digital wallets, stealing data from the Notes app, stealing sensitive system information, and exfiltrating files.

****Harder to Detect****

One of the main capabilities of this new XCSSET variant is its focus on evasion. To avoid detection by anti-virus and other security tools, the malware generates its payloads in a highly randomized manner. It randomizes both the encoding process and the number of iterations used, creating challenges for researchers attempting to analyze the code.

What’s more, older versions of XCSSET relied on a single tool, xxd (hexdump), for encoding its payloads. The latest version, however, adds Base64 encoding to its arsenal, further complicating analysis efforts. Even the names of the malware’s modules have been obfuscated, making it difficult to discern their purpose or function within the code.

****Harder to Remove****

The new XCSSET variant employs two innovative methods to ensure it remains active on infected systems, even after a reboot or user logout.

1.  **“zshrc” Method**: This tactic involves creating a hidden file called ~/.zshrc_aliases to house the malicious payload. The malware then manipulates the ~/.zshrc configuration file, adding a command that automatically loads the malicious file whenever a new shell session starts. This means that every time a user opens their terminal, the malware activates in the background.
2.  **“Dock” Method**: This approach hijacks the macOS Dock. The malware downloads a signed utility called “dockutil” from a remote command-and-control server to modify Dock items. It replaces the legitimate “Launchpad” app with a malicious version, ensuring that the malware executes every time the user interacts with the Dock.

****Targeting Xcode Projects****

As its name suggests, XCSSET primarily targets Xcode, Apple’s powerful integrated development environment (IDE) for macOS. The malware infiltrates Xcode projects using one of three placement strategies: **TARGET**, **RULE**, or **FORCED\_STRATEGY**. These strategies determine how and where the malicious payload is embedded within the project files.

Additionally, the malware can target the TARGET_DEVICE_FAMILY key within the project’s build settings. By inserting its code here, XCSSET ensures that the payload only activates when the app is built and run on specific devices, evading detection during development or testing phases.

> Microsoft Threat Intelligence has uncovered a new variant of XCSSET, a sophisticated modular macOS malware that targets users by infecting Xcode projects, in the wild. While we’re only seeing this new XCSSET variant in limited attacks at this time, we’re sharing this information… pic.twitter.com/oWfsIKxBzB
> 
> — Microsoft Threat Intelligence (@MsftSecIntel) February 17, 2025

****How to Protect Yourself****

If you are an Apple developer or a macOS user in general, here are some simple yet vital tips to protect your devices from XCSSET malware:

*   **Inspect Xcode Projects**: Always review and verify Xcode projects, especially if they are downloaded from external repositories or shared by third parties.
*   **Stick to Trusted Sources**: Download apps and tools exclusively from official Apple channels or reputable software platforms. Avoid third-party app stores or unofficial downloads.
*   **Keep Up with the Updates**: Keep up-to-date with the latest security advisories from Microsoft, Apple, and other cybersecurity organizations.

New XCSSET Malware Variant Targeting macOS Notes App and Wallets

PRESS RELEASE

AUSTIN, Texas, Feb. 13, 2025 /PRNewswire/ -- enQase, a groundbreaking quantum-safe security solution, launches today to safeguard the most sensitive information against the threat of quantum attacks. This innovative solution addresses the urgent calls from leading business technology analyst, cybersecurity experts, and governments worldwide who are stressing the importance to fortify digital defenses against quantum computing threats.

The urgency to act is because the stakes are high, as malicious hackers who acquire highly sensitive encrypted data today could decrypt soon with quantum computers – thus the term "harvest now, decrypt later".

Why enQase exists 

In August 2024, the National Institute of Standards and Technology (NIST) released its recommendations for PQC urging all sectors to urgently begin transitioning to higher levels of cryptographic protection.

Experts, including the World Economic Forum, recommend combining PQC with Quantum Random Number Generation (QRNG) to provide organizations with the strongest protection against future quantum computing threats. While PQC is anticipated to offer good data security, the integration of both technologies is considered the most comprehensive approach to safeguarding sensitive information in the post-quantum era.

Certain limitations that have prompted organizations and sectors to explore more comprehensive security solutions for their most highly sensitive information include:

*   Theoretical foundations: PQC standards are grounded on theoretical analyses and projections of quantum computer capabilities. The security of these algorithms relies on mathematical assumptions that may be challenged as quantum technology advances.
    
*   Deterministic Algorithms: PQC utilizes deterministic algorithms, which could potentially be vulnerable to unforeseen weaknesses or breakthroughs in quantum computing.
    
*   Reliance on PRNGs: PQC implementations often depend on Pseudo-Random Number Generators (PRNGs) for key generation and other random values. The security of these systems could be compromised if the PRNGs are found to be predictable or vulnerable to quantum attacks.
    

In comparison, enQase takes quantum-safe security beyond conventional standards by harnessing the power of quantum mechanics to fortify and 'enQase' NIST's PQC standards. This innovative approach provides organizations with unparalleled assurance that their information will remain secure today, against "Harvest now, Decrypt later" attacks, and well into the future.

How enQase ensures future-proof security

In an era where traditional encryption methods are increasingly vulnerable, enQase stands as a beacon of innovation. Our quantum-enhanced security platform doesn't just meet today's standards—it defines tomorrow's.

The comprehensive platform leverages PQC, Quantum Random Number Generator (QRNG), digital Quantum Key Distribution (dQKD), and Quantum Key Distribution (QKD). At the forefront of innovation, enQase offers an industry-first hybrid key distribution system that uniquely combines both QKD and dQKD technologies.

enQase offers unparalleled deployment flexibility, with options ranging from Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), perpetual licensing and on-premises hardware solutions. The platform seamlessly integrates with existing infrastructure while ensuring full-stack interoperability and scalability to meet evolving security needs.

"enQase counters this threat with a robust data security solution that leverages quantum mechanics to enhance NIST Post-Quantum Cryptography (PQC) protection. The platform offers unique deployment flexibility and scalability demanded by Global 500 companies and government organizations to protect their entire information lifecycle."  
     -Mike Kramer, co-founder and CEO of enQase.

enQase solutions are fully compliant with NIST and ETSI guidelines, positioning clients at the forefront of secure networks. enQase simplifies quantum security management through an intuitive central console, reducing the need for specialized expertise while delivering practical, business-centric solutions.

As global quantum security pioneers with 15 patents, enQase continuously innovates and develops next-generation solutions, including advanced QKD implementations for terrestrial and space-based networks.

About enQase

enQase offers security beyond PQC; the only comprehensive, flexible, scalable solution that utilizes enhanced quantum technologies to protect data against current and future quantum threats without compromising operational performance.

The company's technology addresses critical shortcomings in existing cybersecurity measures, particularly in the face of emerging quantum computing threats. By offering a truly future-proof solution, enQase enables businesses to stay ahead of sophisticated quantum and AI-driven hacking attempts.

enQase offers versatile solutions spanning various deployment options, including SaaS, Cloud, PaaS, on-premises, and hardware-based implementations. Recognizing that every organization safeguards sensitive data —and for certain industries the stakes are far higher— enQase ensures that critical sectors such as finance, healthcare, government, critical infrastructure, and defense, are equipped to shield their most sensitive information with unwavering vigilance.

For more information about how enQase can secure an organization's future, visit www.enqase.com.

Introducing enQase for Quantum-Safe Security

Researchers earned a $50,500 Bug Bounty after uncovering a critical supply chain flaw in a newly acquired firm,…

Researchers earned a $50,500 **Bug Bounty** after uncovering a critical supply chain flaw in a newly acquired firm, highlighting security risks in business acquisitions.

Two cybersecurity researchers have walked away with a $50,500 bug bounty after finding a critical vulnerability in a major company’s software supply chain. The exploit targeted a recently acquired company, exposing a flaw that could have widespread ramifications.

The duo, Lupin (Roni Carta) and Snorlhax, have a history of collaboration; recently turned their focus to the often-overlooked area of business acquisitions. They noticed that these integrations frequently present security gaps as newly acquired entities may not always uphold the same rigorous security standards as their parent companies. This insight guided their hunt for a “game-changing” vulnerability.

Their approach began with a detailed examination of the acquired company’s online presence, including its code repositories and package registries. The researchers employed advanced techniques, transforming JavaScript files into Abstract Syntax Trees (ASTs) and Docker image analysis to identify dependencies and uncover possible flaws. This investigation led them to a DockerHub organization linked to the acquisition.

The real breakthrough occurred after the researchers downloaded and examined a Docker image. Inside, they discovered the complete source code for the company’s backend systems. But the story did not end there, as the researchers unearthed even more sensitive information.

According to Lupin’s technical blog post, the duo discovered that a “.git” folder was still included in the image. Within the folder, they found an authorization token for GitHub Actions (GHS). This token, if exploited, could have given the attacker the capability to manipulate the company’s build pipelines. The token could have allowed them to inject malicious code, tamper with software releases, or even gain access to additional repositories.

Further investigation revealed that the Docker image had removed the .npmrc configuration file, but the researchers recognized that earlier layers of the image could still hold traces of it. They leveraged tools like Dive and Dlayer to explore these layers, ultimately locating a private npm token. This token provided read-and-write access to the target company’s private packages.

The team realized they now had a path to insert malicious code into one of the private packages, which the company’s developers, pipelines, and production systems would then automatically fetch. Since these were private packages, the attack would bypass security scans, enabling them to compromise systems at every level leading to large-scale data theft and data breaches.

Software supply chain vulnerabilities have affected thousands of businesses in recent months. Cyberattacks targeting companies like Snowflake Inc., Blue Yonder, and MOVEit Transfer continue to be exploited, impacting organizations worldwide.

The good news is that the duo documented their findings and demonstrated the vulnerability’s impact to the impacted company’s security team. Their report outlined how attackers could use a poisoned npm package to harvest secrets, infiltrate into internal systems, and compromise CI/CD pipelines. As a result, the company awarded the researchers a $50,500 bug bounty, recognizing the severity of the vulnerability.

This incident shows how attacks can succeed when multiple overlooked flaws come together. In this case, the issue originated from software supply chain gaps and security flaws in a newly acquired company. The team pointed out the importance of securing every part of the build process, from the code itself to the components and external packages involved. It’s an example of how protecting a software development pipeline isn’t simple; it requires careful attention to every detail.

1.  Multichain hack: Hacker returns $1m, keeps $150k as bug bounty
2.  Apple Launches ‘Apple Intelligence’ – $1M Bug Bounty for Security
3.  Google Launches $250,000 kvmCTF Bug Bounty for KVM Exploits

Duo Wins $50K Bug Bounty for Supply Chain Flaw in Newly Acquired Firm

People around the world learned about the latest advancements in the American space industry! This was made possible…

People around the world learned about the latest advancements in the American space industry! This was made possible by Holiverse, a decentralized digital platform built on the Polygon blockchain, which organized a live broadcast on February 8 from NASA’s Kennedy Space Center (Florida, USA), covering the event dedicated to the launch of the memory capsule to the Moon alongside the privately developed Peregrine lunar lander.

This compact lunar “cargo carrier” embarked on its journey carrying scientific instruments, NASA’s equipment, and cultural artefacts including a digital copy of the U.S. Constitution.

****The Historical Significance of the Lunar Mission****

The mission was launched in January from Cape Canaveral, Florida, aboard a SpaceX Falcon 9 rocket. The initiative to send a digital copy of the U.S. Constitution to the Moon was led by Copernic Space co-founder Grant Blaisdell. In collaboration with Spacebit founder Pavlo Tanasyuk, they later plan to send a physical copy of the key American legal document to Earth’s natural satellite.

According to the innovators, this mission is essential for preserving humanity’s legacy. “Our project represents a symbolic bridge between America’s past and its promising future, ensuring that the principles of freedom and democracy remain unchanged, even beyond Earth,” says Pavlo Tanasyuk.

****The U.S. Constitution on the Moon: Holiverse Made the Presentation Accessible to a Global Audience****

On February 8, 2025, Holiverse partnered with Spacebit to present a specially crafted physical copy of the U.S. Constitution at Cape Canaveral, prepared for its upcoming lunar mission. To ensure that this milestone was seen by more than just the event’s invited guests, Holiverse hosted a live video broadcast on its platform. Thanks to modern technology, people from around the world could take part in this historic moment, regardless of their location.

The celebratory evening was dedicated to showcasing the collaborative efforts behind this groundbreaking mission. The audience was also introduced to the next steps in lunar and space exploration.

****Future Prospects and Plans****

Scientists and engineers continue to advance their work. By the end of 2025, a team of space industry partners plans to send a physical copy of the U.S. Constitution to the Moon as part of an upcoming mission. Active preparations are underway, with the document being placed in a capsule made from high-strength materials capable of withstanding the extreme conditions of space.

This scientific mission is taking on profound historical significance by preserving cultural heritage beyond Earth. The memory capsule, an extraordinary “lunar archive,” also contains photographs, children’s messages from multiple countries, and drawings.

Holiverse Makes NASA’s Latest Achievements Accessible to Everyone

The new Golang backdoor uses Telegram for command and control. Netskope discovers malware that exploits Telegram’s API for…

The new Golang backdoor uses Telegram for command and control. Netskope discovers malware that exploits Telegram’s API for malicious purposes. Learn how this threat works and how to protect yourself.  

Cybersecurity researchers at Netskope have discovered a new, functional, but possibly still-in-development, Golang-based backdoor that uses Telegram for command and control (C2).

This malware (Trojan.Generic.37477095), apparently of Russian origin, takes advantage of cloud services like Telegram, which are easy for attackers to use and difficult for researchers to monitor. This method of C2 communication avoids the need for dedicated attacker infrastructure. Other cloud platforms like OneDrive, GitHub, and Dropbox could also be misused in this way.

Upon execution, the malware, compiled in Go, initiates an “installSelf” function. This function checks if the malware is running from the designated location and filename: “C:\\Windows\\Temp\\svchost.exe”. If it does not, the malware copies itself to that location, creates a new process to launch the copy, and then terminates the original instance. This process, executed in an initialization function, ensures the malware runs from the intended location before proceeding. 

Detect It Easy tool used by researchers shows malware acting like a backdoor upon execution (Screenshot via Netskope)

For C2 communication, the backdoor employs an open-source Go package to interact with Telegram. It establishes a bot instance using the Telegram BotFather feature and a specific token (8069094157:AAEyzkW\_3R3C-tshfLwgdTYHEluwBxQnBuk in the analysed sample). The malware then monitors a designated Telegram chat for new commands.

The malware supports four commands, but only three are currently implemented. It validates the length and content of received messages before execution. The “/cmd” command requires two messages: the command itself, followed by a PowerShell command to be executed.

In the next phase, the malware sends a Russian-language prompt (“Enter the command:”) to the chat after receiving the initial command and then waits for the subsequent PowerShell command. This command is then executed in a hidden PowerShell window. 

The “/persist” command replicates the initial installation check and process, relaunching the malware and exiting. The “/screenshot” command, while not fully implemented, still sends a “Screenshot captured” message to the Telegram channel. 

The “/selfdestruct” command deletes the malware file (C:\\Windows\\Temp\\svchost.exe) and terminates the process, notifying the Telegram channel with a “Self-destruct initiated” message. All command outputs are transmitted back to the Telegram channel via the “sendEncrypted” function.

This exploitation of cloud applications for malicious purposes highlights the challenges faced by defenders.

“Although the use of cloud apps as C2 channels is not something we see every day, it’s a very effective method used by attackers not only because there’s no need to implement a whole infrastructure for it, making attackers’ lives easier, but also because it’s very difficult, from a defender perspective, to differentiate what is a normal user using an API and what is a C2 communication,” researchers noted in their technical blog post.

To stay protected, ensure you have up-to-date and reputable antivirus and anti-malware software installed on all your devices. These solutions should be capable of detecting and blocking malicious files, including Go-based executables.

Hackers Exploit Telegram API to Spread New Golang Backdoor

Two Estonian nationals plead guilty to a $577M cryptocurrency Ponzi scheme through HashFlare, defrauding hundreds of thousands globally.…

Two Estonian nationals plead guilty to a $577M cryptocurrency Ponzi scheme through HashFlare, defrauding hundreds of thousands globally. They face 20 years in prison and forfeit $400M in assets.

The US Department of Justice (DoJ) has confirmed that two Estonian nationals have admitted guilt in a large-scale cryptocurrency fraud case that impacted numerous victims worldwide. The perpetrators, identified as Sergei Potapenko and Ivan Turõgin, both 40 years old, were originally arrested in November 2022 and extradited to the US in May 2024. 

They, reportedly, ran a cryptocurrency fraud scheme that amassed over $577 million between 2015 and 2019. This substantial sum was obtained by misleading investors about the capabilities of their purported cryptocurrency mining service, HashFlare.io.

HashFlare’s homepage (Screenshot credit: Hackread.com)

According to the DoJ’s press release, Potapenko and Turõgin operated a complex Ponzi scheme (a scam where insanely high returns are offered with minimal effort) involving cryptocurrency mining services. They marketed contracts to investors, promising a portion of the cryptocurrency generated by HashFlare. 

Over the four-year period, this operation amassed a substantial sum of money, exceeding half a billion dollars. The scheme victimized hundreds of thousands of individuals across the globe, including those in the United States.

The perpetrators employed sophisticated methods to deceive investors. The fraudulent activity involved a discrepancy between the promised mining capacity and the actual resources available. HashFlare lacked the necessary computing power to conduct extensive mining for clients. Operators, therefore, fabricated data on a web platform to show investors their supposed profits, misappropriating funds for their own benefit. 

This means, they not only misrepresented their mining capacity but also created a false impression of profitability through fabricated data. They used the illicitly gained funds to acquire luxury items, including real estate and high-end vehicles and also invested in cryptocurrency and other assets.  

While the figure of $577 million represents the total sales generated by the fraudulent scheme, it is important to note that the defendants agreed to forfeit assets worth over $400 million as part of their plea deal. This indicates the scale of the financial gains they acquired through the scheme. These recovered funds will be used to reimburse those who were harmed by the fraudulent scheme, and the process will be revealed by the DoJ at a later date.

Potapenko and Turõgin have pleaded guilty to conspiracy to commit wire fraud, which involves a maximum sentence of 20 years. They will be sentenced on May 8 and their sentencing depends on various factors, including federal guidelines and other relevant legal considerations. 

The DoJ commended Estonia’s Cybercrime Bureau, the Estonian Prosecutor General, and the Ministry of Justice and Digital Affairs for their assistance in the investigation and extradition process. The FBI is actively urging victims of the HashFlare fraud to come forward.

Featured Image via: PixaBay/Sergei Tokmakov

HashFlare Fraud: Two Estonians Admit to Running $577M Crypto Scam

A list of topics we covered in the week of February 10 to February 16 of 2025

February 14, 2025 - A cybercriminal stole a reported 12 million data records on Zacks’ customers and clients.

February 13, 2025 - Scammers are once again using AI to take over Gmail accounts.

February 12, 2025 - Etsy sellers are being targeted by scammers that use a legitimate Etsy domain to host their dodgy PDFs.

February 11, 2025 - Apple has released an out-of-band security update for a vulnerability which it says may have been exploited in an "extremely sophisticated attack against specific targeted individuals.”

February 11, 2025 - Android phishing apps are the latest, critical threat for Android users, putting their passwords in danger of new, sneaky tricks of theft.

 A week in security (February 10 &#8211; February 16) 

The US Cybersecurity and Infrastructure Security Agency has frozen efforts to aid states in securing elections, according to an internal memo viewed by WIRED.

The Cybersecurity and Infrastructure Security Agency has frozen all of its election security work and is reviewing everything it has done to help state and local officials secure their elections for the past eight years, WIRED has learned. The move represents the first major example of the country’s cyberdefense agency accommodating President Donald Trump’s false claims of election fraud and online censorship.

In a memo sent Friday to all CISA employees and obtained by WIRED, CISA’s acting director, Bridget Bean, said she was ordering “a review and assessment” of every position at the agency related to election security and countering mis- and disinformation, “as well as every election security and \[mis-, dis-, and malinformation\] product, activity, service, and program that has been carried out” since the federal government designated election systems as critical infrastructure in 2017.

“CISA will pause all elections security activities until the completion of this review,” Bean added. The agency is also cutting off funding for these activities at the Elections Infrastructure Information Sharing & Analysis Center, a group funded by the Department of Homeland Security (DHS) that has served as a coordinating body for the elections community.

In her memo, Bean confirmed that CISA had, as first reported by Politico, placed employees “initially identified to be associated with the elections security activities and the MDM program” on administrative leave on February 7.

“It is necessary to rescope the agency's election security activities to ensure CISA is focused exclusively on executing its cyber and physical security mission,” she told employees in the memo.

While Bean is temporarily leading CISA, she is officially the agency’s executive director, its top career position. CISA’s first director created the executive-director role to provide continuity during political transitions. Previously, Bean was a Trump appointee at the Federal Emergency Management Agency during his first term.

In justifying CISA’s internal review, which will conclude on March 6, Bean pointed to Trump’s January 20 executive order on “ending federal censorship.” Conservatives have argued that CISA censored their speech by coordinating with tech companies to identify online misinformation in 2020, during the final year of Trump’s first term. CISA has denied conducting any censorship, and the US Supreme Court dismissed a lawsuit over the government’s work. But in the wake of the backlash, CISA halted most conversations with tech platforms about online mis- and disinformation.

CISA and DHS did not immediately respond to requests for comment.

Since 2017, state and local election officials have relied on CISA’s expertise and resources—as well as its partnerships with other agencies—to improve their physical and digital security. Through on-site consultations and online guidance, CISA has helped election administrators secure voting infrastructure against hackers, harden polling places against active shooters, and create polling-place backup plans to deal with ballot shortages or power outages.

Election supervisors have always struggled to overcome serious funding challenges, but in recent years, their jobs have become even more stressful as intense voter scrutiny has given way to harassment and even death threats. Election officials of both parties have repeatedly praised CISA for its apolitical support of their work, saying the agency’s recommendations and free security services have been critical in boosting their own efforts.

But that bipartisan accord began fraying after the 2020 election, as some conservative election officials started criticizing the agency for its focus on mis- and disinformation. Congressional Republicans joined the fray as well, calling CISA “the nerve center of the federal government’s domestic surveillance and censorship operations on social media.” Their rhetoric echoed Trump’s own history of election denialism, which involved false claims of rigged voting machines and mass voter fraud and culminated in Trump supporters’ January 6, 2021, attack on the US Capitol.

With conservatives pushing to axe CISA’s election security mission, Trump’s election last November virtually guaranteed an end to that program, and employees have been bracing for retaliation against the people who participated in that work.

Bean’s memo indicates that CISA’s internal review will cover every agency position related to election security, as well as performance plans for employees involved in that work; all support services provided to the election community; and all election security guidance and publications. Bean wrote that CISA will describe any steps necessary to “correct any activities identified as past misconduct by the Federal Government related to censorship of protected speech,” including eliminating programs or roles.

After CISA completes its review, the agency will submit a report to the White House addressing how it plans to “deliver a more focused provision of services for elections security activities,” Bean told employees. The report will focus on three goals: streamlining the election security services that CISA offers to state and local governments, ensuring that its activities align with its new “mandate to refocus” on its core mission, and removing “all personnel, contracts, grants, programs, products, services, and activities” that conflict with Trump’s anti-censorship directive or exceed CISA’s authorities.

It is unclear if White House officials or DHS secretary Kristi Noem directly ordered Bean to launch the election security investigation or if she independently determined that Trump’s executive order necessitated it. The January 20 directive does instruct the attorney general to work with other agency leaders to investigate Biden-administration activities that are “inconsistent” with Trump’s vow to end online censorship, but it makes no mention of activities prior to Biden’s term, including CISA’s 2020 election work.

Tag

#git