Security vendors, businesses, and US government agencies need to work together to fight ransomware and protect critical infrastructure.

Cyber threats have a long reach. What seems like a low-level cyber incident can have a larger ripple effect, impacting millions of innocent people. A password breach that occurs in a private company, such as Colonial Pipeline, can end up taking down sections of the critical infrastructure, for example. The line between attacks on the public sector and private interests are blurring, and now, with new directives and initiatives from the Biden administration — along with new departments within federal agencies — the government seems committed to collaborating with companies to address emerging cyber threats.

Both government agencies and private vendors already see the value in building partnerships.

"Partnering with the private sector is critical for advancing our mission of accelerating commercial adoption of technology across many sectors, especially in cybersecurity," says Pat Gould, director of the Defense Innovation Unit (DIU) Cyber Portfolio.

The private-sector view is similar — the need to collaborate is critical, and it is about time that efforts are being made to facilitate such a partnership. Initiatives like the National Cybersecurity Strategy, for example, are bringing in private-sector security vendors to share threat information or provide solutions and tools that are beyond government scope.

Mick Baccio, global security advisor with Splunk, admits the ability to work together has been hindered by the private sector's inherent distrust of government, especially as administrations and congressional leadership change.

"Building credibility is tough to do in this atmosphere," says Baccio, "but thanks to a push by the current administration, the continuity that cybersecurity and the private-public partnership needed is finally in place."

Executive orders with guidelines to facilitate improved security across the supply chain, for example, can be canceled the moment a new president takes office. The Cybersecurity and Infrastructure Security Agency (CISA) is one of the government agency's attempts to bake public-private cybersecurity efforts into its mission.

**Government's Role in Collaboration**

A few agencies are uniquely set up to focus on collaboration with the private sector. Beyond its high-profile work in keeping voting systems safe, CISA is responsible for securing critical infrastructure in cooperation with companies.

The FBI has worked closely with both public and private entities for years, but as cybercrime — particularly ransomware — ramps up, so too has the outreach from the FBI to the private sector.

Many other agencies also have similar security-related outreach built in, like the Department of Energy. Because many areas of the energy critical infrastructure are owned and operated by corporations, the department needs to build partnerships not only to keep the infrastructure safe but also to prevent disinformation and misinformation that could cause a national panic. (The Colonial Pipeline cyber incident is a prime example, when poor communication led to gas shortages on the East Coast two years ago.)

The Cybersecurity Collaboration Center (CCC), part of the National Security Agency, was established three years ago, and it signifies a shift in how the government works with private-sector vendors to share information and expertise to scale mitigations, according to the center's chief, Morgan Adamski.

"We're looking at the quality of our relationships over the quantity," Adamski said during a 2023 RSA Conference panel on public-private partnerships. She said CCC will share threat analytics with cybersecurity companies that have the broadest outreach, which could provide protection for billions of customers.

However, some argue that this trickle-down information sharing hampers security efforts.

"The argument is that working with fewer but larger vendors will minimize the chance of leaks while protecting the most people because they'll have more threat intel to share," wrote Mike Wiacek, founder and CEO of Stairwell, in a Dark Reading article. "But I would argue that making the research collaborations more inclusive would not only level the playing field among vendors but also increase the diversity of threat intel sources and apply more human expert intelligence to the problems."

**What Private Vendors Bring**

Innovation comes from small companies, which file more than 14 times more patents in the US than larger businesses and universities do. Government and large enterprises rely on strategic partnerships with smaller security vendors to build out their cybersecurity programs.

Government is more than federal agencies, says Merlin Cyber CEO David Phelps. States, counties, and especially municipalities don't have large budgets or staffing to manage cybersecurity needs.

"They need the outreach to the private sector to help address cybersecurity concerns," Phelps says.

Vendors may have a better — or at least different — view into the threat landscape and can work quickly to come up with the right tools or solution for a government entity at a more affordable rate than is charged to the private sector. Not only can community governments take advantage of the lower cost, but because they are using an approved government vendor, they now have federal oversight.

Having similar tools, knowledge base, threat landscape, and product behavior as businesses gives CISA a broader view of what's happening across a larger swath of the critical infrastructure.

"By actually having government entities of all sizes using the same platforms, threats will be a lot more visible as an ecosystem," says Phelps.

The value of having partnerships like this is having a private sector that has the flexibility and funding to investigate threats in ways that the government can't. Larger businesses within the private sector can invest in startups that are developing cutting-edge technologies. This agility and scalability are among the most important contributions the private sector provides.

**United Against Ransomware**

The fight against ransomware is a good example of a public-private collaboration. The FBI actively works with private vendors to not only identify ransomware, but also to defend against ransomware crime rings and nation-state actors. Partnering on this type of attack works well because ransomware attacks tend to have a lot of similarities.

"Because all of the actors use the same tools and services, all of our options increase," explained Cynthia Kaiser, deputy assistant director with the FBI, during the RSA panel.

For example, in 2019 government agencies learned that a global Russian-distributed botnet was using a US company to implant malware in millions of devices. The FBI worked closely with that company and different government agencies to find a solution to counter this malicious activity and cut off the command-and-control infrastructure of the global botnet before it could do any more damage.

When an incident occurs, the most vital pieces of information come from the victimized organization. The victims become partners with government agencies, sharing details about what happened and what they continue to see happening in their networks. The government agencies gather that information and help the companies put the threats into context.

"A key part of collaboration is that it is bidirectional, and it's critical that people come early and often to that trusted relationship to have the \[cybersecurity\] conversation," CCC's Adamski said.

Improving Cybersecurity Requires Building Better Public-Private Cooperation

By Habiba Rashid
DarkBERT is based on the RoBERTa architecture and leverages the power of AI to navigate the dark web.
This is a post from HackRead.com Read the original post: DarkBERT: Enhancing Cybersecurity Efforts on the Dark Web

DarkBERT has been fed approximately 6.1 million pages found on the dark web as part of its large-scale pretraining on texts in English.

The emergence of Large Language Models (LLMs) has revolutionized the field of artificial intelligence (AI) and opened up new avenues for application development. With the release of models like ChatGPT, AI’s potential for both positive and negative uses has become evident.

Expanding on this trend, a team of Researchers at the Korea Advanced Institute of Science and Technology (KAIST) and data intelligence company S2W has developed DarkBERT, an AI language model specifically trained on data from the elusive and often nefarious Dark Web. This groundbreaking development aims to enhance cybersecurity efforts and combat cybercrime in the hidden corners of the internet.

The Dark Web, a clandestine section of the internet, has gained notoriety for harbouring anonymous websites and marketplaces that facilitate illicit activities such as the trade of drugs, weapons, and stolen data. It is inaccessible through conventional web browsers and requires specialized software like Tor (The Onion Router) to gain entry. Tor anonymizes users’ IP addresses, making it challenging to trace their online activities.

DarkBERT, based on the RoBERTa architecture, leverages the power of AI to navigate the Dark Web. To train DarkBERT, the researchers meticulously crawled the Dark Web using the Tor network and curated a database of dark web content.

This database served as the training data to refine the DarkBERT model’s ability to comprehend and extract meaningful information from the intricately coded and dialect-rich content found on the Dark Web. DarkBERT has been fed approximately 6.1 million pages found on the dark web as part of its large-scale pretraining on texts in English.

The researchers’ objective with DarkBERT was to surpass the capabilities of existing language models and create an AI tool that could aid cybersecurity professionals, law enforcement agencies, and threat researchers in combating cybercrime on the Dark Web.

DarkBERT distinguishes itself from other language models by its unparalleled ability to comprehend the unique dialects and heavily coded messages prevalent on the Dark Web. In various cybersecurity-related use cases, DarkBERT consistently outperformed established language models such as BERT and RoBERTa.

The full extent of DarkBERT’s uses remains to be documented but the researchers tested it in three key cybersecurity-related use cases:

**Ransomware Leak Site Detection:**

1.  DarkBERT proves its mettle in identifying and classifying ransomware leak sites on the Dark Web. Ransomware gangs often utilize the Dark Web to publish confidential data stolen from organizations that refuse to pay the ransom. By surpassing the performance of other language models, DarkBERT enhances the detection and classification process, empowering cybersecurity professionals to mitigate the risks associated with such leaks effectively.

Illustration of the DarkBERT pretraining process and the various use case scenarios for evaluation.

**Noteworthy Thread Detection:**

2.  Monitoring dark web forums for noteworthy threads is a critical task for security researchers. DarkBERT’s ability to understand the specialized language used in these forums enables automated discovery and evaluation of noteworthy threads. Although further improvements are necessary, DarkBERT’s superiority over other language models in this domain shows promise for reducing the researchers’ workload.

**Threat Keyword Inference:**

3.  DarkBERT employs the fill-mask function, a feature of BERT-family language models, to identify keywords related to threats and illicit activities like drug sales on the Dark Web. By accurately capturing keywords indicative of potential threats, DarkBERT assists in tracking and addressing emerging cyber threats.

The development of AI tools for the Dark Web raises important ethical considerations. While DarkBERT empowers cybersecurity efforts, responsible use and strict adherence to privacy and legal frameworks are imperative. Collaboration between researchers, law enforcement agencies, and ethical hackers will be crucial in ensuring DarkBERT’s deployment aligns with societal interests and safeguards individual privacy.

To conclude, DarkBERT represents a significant breakthrough in leveraging AI language models to tackle the challenges posed by the Dark Web. Its superior performance and specialized training on Dark Web data hold great potential for enhancing cybersecurity efforts, enabling efficient threat detection, and supporting investigations in the dark web domain.

As researchers continue to fine-tune DarkBERT and explore more advanced architectures, the possibilities for its application in the cyber threat industry expand further. 

**RELATED ARTICLES**

1.  ARMO integrates ChatGPT to secure Kubernetes
2.  AI-based Model to Predict Extreme Wildfire Danger
3.  Google offers Dark Web monitoring for US Gmail users
4.  This AI Can Generate Unique and Free Bored Ape NFTs
5.  Emergency service use AI to detect signs of heart attack

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

DarkBERT: Enhancing Cybersecurity Efforts on the Dark Web

Facebook's parent company Meta has been fined a record $1.3 billion by European Union data protection regulators for transferring the personal data of users in the region to the U.S.
In a binding decision taken by the European Data Protection Board (EDPB), the social media giant has been ordered to bring its data transfers into compliance with the GDPR and delete unlawfully stored and processed

Data Protection / Privacy

Facebook's parent company Meta has been fined a record $1.3 billion by European Union data protection regulators for transferring the personal data of users in the region to the U.S.

In a binding decision taken by the European Data Protection Board (EDPB), the social media giant has been ordered to bring its data transfers into compliance with the GDPR and delete unlawfully stored and processed data within six months.

Additionally, Meta has been given five months to suspend any future transfer of Facebook users' data to the U.S. Instagram and WhatsApp, which are also owned by the company, are not subject to the order.

"The EDPB found that Meta IE's infringement is very serious since it concerns transfers that are systematic, repetitive, and continuous," Andrea Jelinek, EDPB Chair, said in a statement.

"Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences."

European data protection authorities have repeatedly emphasized the lack of equivalent privacy protections as that of GDPR in the U.S., potentially allowing American intelligence services to access data belonging to Europeans by virtue of them being shipped to servers located in the U.S.

The ruling stems from a legal complaint filed by Austrian privacy activist Maximilian Schrems, the founder of NOYB, almost a decade ago in June 2013 over concerns that E.U. user data is not sufficiently protected from U.S. intelligence agencies when transferred across the Atlantic.

"The simplest fix would be reasonable limitations in U.S. surveillance law," Schrems said. "There is an understanding on both sides of the Atlantic that we need probable cause and judicial approval of surveillance.

"It would be time to grant these basic protections to E.U. customers of U.S. cloud providers. Any other big U.S. cloud provider, such as Amazon, Google or Microsoft could be hit with a similar decision under EU law."

"Meta plans to rely on the new deal for transfers going forward, but this is likely not a permanent fix," Schrems further added. "In my view, the new deal has maybe a ten percent chance of not being killed by the CJEU. Unless U.S. surveillance laws get fixed, Meta will likely have to keep E.U. data in the EU."

Schrems also accused the Irish Data Protection Commission (DPC) of consistently attempting to block the case from going forward and trying to shield Meta from being slapped with a fine and having to delete the data that has been already transferred, the latter two of which have been overturned by the EDPB.

Meta, in response, said it intends to appeal the ruling, calling the fine "unjustified and unnecessary" and that there is a "fundamental conflict of law" between the U.S. government's rules on access to data and European privacy rights.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

"Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on," Meta's Nick Clegg and Jennifer Newstead said.

Last year, the company warned that if ordered to suspend transfers to the U.S., it may have to stop offering "a number of our most significant products and services" in the E.U. According to the Wall Street Journal, a new trans-Atlantic data transfer deal is expected to be finalized as a replacement for the Privacy Shield later this year.

The fine constitutes the largest ever imposed under the E.U.'s GDPR privacy laws, eclipsing the €746 million ($886.6 million at the time) fine previously doled out to Amazon in July 2021 for similar privacy violations.

The development also marks the third monetary penalty issued by the DPC this year alone. In January, the watchdog levied a fine of €390 million over its mishandling of user information to serve ads in Facebook and Instagram.

Two weeks later, it was fined €5.5 million for violating data protection laws by compelling its users to "consent to the processing of their personal data for service improvement and security" and "making the accessibility of its services conditional on users accepting the updated Terms of Service."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

EU Regulators Hit Meta with Record $1.3 Billion Fine for Data Transfer Violations

W3 Eden Download Manager versions 3.2.70 and below suffer from a persistent cross site scripting vulnerability via ShortCode.

    W3 Eden recently patched an Authenticated Stored Cross-Site Scripting vulnerability in Download Manager.On April 25, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in W3 Eden’s Download Manager plugin, which is actively installed on more than 100,000 WordPress websites, making it one of the most popular download management plugins. The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using the plugin’s shortcode.All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those still using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Cross-Site Scripting protection.We contacted W3 Eden on April 25, 2023, and promptly received a response. After providing full disclosure details, the developer released a patch on May 1, 2023. We would like to commend the W3 Eden development team for their prompt response and timely patch.We urge users to update their sites with the latest patched version of Download Manager, version 3.2.71 at the time of this writing, as soon as possible.READ THIS POST ON THE BLOGVulnerability Summary from Wordfence IntelligenceDescription: Download Manager <= 3.2.70 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected Plugin: Download ManagerPlugin Slug: download-managerAffected Versions: <= 3.2.70CVE ID: CVE-2023-2305CVSS Score: 6.4 (Medium)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NResearcher/s: Lana CodesFully Patched Version: 3.2.71The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpdm_members’, ‘wpdm_login_form’, ‘wpdm_reg_form’ shortcodes in versions up to, and including, 3.2.70 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.Technical AnalysisDownload Manager is a plugin designed to allow WordPress users to manage, track and control file downloads. It provides a shortcode ([wpdm_members]) that lists the authors and the number of files they have added when added to a WordPress page. However, insecure implementation of the plugin’s shortcode functionality allows for the injection of arbitrary web scripts into these pages. Examining the code reveals that the members method in the User class did not adequately sanitize the user-supplied ‘sid’ input, and then loads the members.php view file, where it also did not adequately escape ‘sid’ output. This makes it possible to inject attribute-based Cross-Site Scripting payloads via the ‘sid’ attribute.[View the Code Snippets on the Blog]  There are two other shortcodes, a login form shortcode ([wpdm_login_form]) and a registration form shortcode ([wpdm_reg_form]), that add forms to a WordPress site. However, the insecure implementation of these two shortcode functions, similar to the previous example, also allows arbitrary web scripts to be inserted into these pages. Examining the code reveals that the functions of both forms do not adequately sanitize the user-supplied ‘logo’ input, and in the view files these ‘logo’ outputs are not adequately escaped.[View the Code Snippets on the Blog]  These make it possible for threat actors to carry out stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page. While this vulnerability does require that a trusted contributor account is compromised, or a user be able to register as a contributor, successful threat actors could steal sensitive information, manipulate site content, inject administrative users, edit files, or redirect users to malicious websites which are all severe consequences.Disclosure TimelineApril 25, 2023 – Wordfence Threat Intelligence team discovers the stored XSS vulnerability in Download Manager and initiates responsible disclosure.April 27, 2023 – We get in touch with the development team at W3 Eden and send full disclosure details.May 1, 2023 – The fully patched version, 3.2.71, is released.May 3, 2023 – The vendor notified Wordfence that they released the patch.May 3, 2023 – Wordfence confirms the fix addresses the vulnerability.ConclusionIn this blog post, we have detailed a stored XSS vulnerability within the Download Manager plugin affecting versions 3.2.70 and earlier. This vulnerability allows authenticated threat actors with contributor-level permissions or higher to inject malicious web scripts into pages that execute when a user accesses an affected page. The vulnerability has been fully addressed in version 3.2.71 of the plugin.We encourage WordPress users to verify that their sites are updated to the latest patched version of Download Manager.All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites still running the free version of Wordfence, are fully protected against this vulnerability.If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

W3 Eden Download Manager 3.2.70 Cross Site Scripting

The purchase gives IBM access to a new category of products called "data security posture management" for security data in cloud and SaaS repositories.

IBM's purchase of Polar Security for an undisclosed sum on May 16 has focused attention on an emerging market space that, until recently, didn't even have a formal name associated with it.

Polar is among an increasing number of startups — many based in Israel — that offer a new class of tools, built to accomplish "data security posture management (DSPM)." They help organizations discover, monitor, and secure sensitive data across hybrid and multi-cloud environments. To that end, IBM will integrate Polar's technology with its Guardium portfolio of data security products. 

The Polar acquisition is the company's fifth so far this year.

**Data Classification in the Cloud**

The key selling point of products from Polar and companies like it, is their ability to automatically classify discovered data in these environments (in addition to monitoring user access and discovering threats to the data) — so security teams can protect it better. Many of the technologies, including Polar Security's DSPM platforms, are agentless and have the claimed ability to automatically discover sensitive data in minutes and to classify them into categories such as PII, PHI, and PCI.

Gartner, which gave the category its name last year, describes DSPM products as enabling organizations to discover shadow data — structured and unstructured — in repositories across cloud service providers, data lakes, and SaaS environments. The analyst firm has predicted that more than 20% of organizations will deploy a DSPM capability by 2026 because of "urgent requirements to identify and locate previously unknown data repositories and to mitigate associated security and privacy risks.”

IBMs purchase of Polar gives the company immediate access to technology that will help it compete in the market segment with a growing number of pureplay vendors, and vendors expanding into the space from other markets such as cloud security posture management and cloud DLP. Examples of pureplay DSPM vendors include Laminar, Cyera, and Dig, while Wiz, Varonis, Orca — and now IBM — are all vendors that have added DSPM to their technology portfolio over the past year.

**A Vibrant DSPM Market**

Richard Stiennon, chief research analyst at IT-Harvest, says his firm currently tracks over a dozen vendors in the market. "DSPM is a vibrant space with at least 16 players," Stiennon says. 

Polar, which launched in 2021, was in the middle of the pack with about 30 employees at time of purchase he notes, adding, "IBM Tech Fund had participated in the $8 million seed funding, so they have had visibility into Polar for at least 16 months." Among the larger vendors in the space are Wiz, Laminar with about 95 employees, and Cyera with a headcount of some 75, Stiennon says.

A lot of the enterprise interest in the space stems from growing concerns over data exposure in cloud and SaaS environments. Just like shadow IT is a problem, shadow data — or sensitive data in cloud databases, AWS S3 buckets, and other repositories stored across multiple environments — has become a real and pressing problem for many organizations.

"Sensitive data discovery and classification has become a top priority \[for organizations\]," says Justin Lam, an analyst with S&P Global Market Intelligence. A recent survey of technology decision makers that the analyst firm conducted showed that for many organizations, DSPM has become a top technology priority for 2023, he adds. 

"A lot of enterprises are waking up to the fact they need to find out what data they have in the cloud," Lam says. "How do I find out what it is, how risky it is, what kind of non-public info is out there in the cloud. These are all huge concerns."

**IBM's Cloud Security Investment: Triggering a Landgrab?**

Analyst firm Omdia expects the IBM acquisition of Polar to push other technology heavyweights into the space as well. As has often been the case with new technologies, a lot of the initial proponents of DSPM are startups. But that could change quickly as bigger players move into the space. 

"We have seen such landgrabs before — in data leak prevention in the mid-2000's, cloud access security brokers in the mid-2101's, and cloud security posture management later in the last decade," says Rik Turner, analyst with Omdia.

Turner describes the DSPM market as still largely immature or moving just beyond that phase. To date, it has been all about startups, many of them from Israel, raising early rounds of venture capital money and starting to evangelize about DSPM. Until Gartner came up with a name for the category, many of the players in the space were positioning themselves as providing cloud data posture management and DSPM together, he says.

IBM's purchase has raised the profile of DSPM as a technology and potentially puts other cyber industry majors in the market to buy one of Polar's competitors. Already, there are some rumors that Laminar is in talks with a potential buyer or two, Turner says. 

"Now, alongside the startups, we have not only Big Blue jumping in but also CSP vendors like Orca and Wiz, both of whom are adding some DSPM capabilities," Turner notes. "It may be too early to see IBM's acquisition of Polar as the tipping point, but if Laminar does indeed go to one of the bigger beasts, the land grab really will have begun."

IBM's Polar Buy Creates Focus on a New 'Shadow Data' Cloud Security Area

The record-breaking GDPR penalty for data transfers to the US could upend Meta's business and spur regulators to finalize a new data-sharing agreement.

Europe’s GDPR has just dealt its biggest hammer blow yet. Almost exactly five years since the continent’s strict data rules came into force, Meta has been hit with a colossal €1.2 billion fine ($1.3 billion) for sending data about hundreds of millions of Europeans to the United States, where weaker privacy rules open it up to US snooping.

Ireland’s Data Protection Commission (DPC), the lead regulator for Meta in Europe, issued the fine after years of dispute about how data is transferred across the Atlantic. The decision says a complex legal mechanism, used by thousands of businesses for transferring data between the regions, was not lawful.

The fine is the biggest GDPR penalty ever issued, eclipsing Luxembourg's $833 million fine against Amazon. It brings the total amount of fines under the legislation to around €4 billion. However, it’s small change for Meta, which made $28 billion in the first three months of this year.

In addition to the fine, the DPC’s ruling gives Meta five months to stop sending data from Europe to the US and six months to stop handling data it previously collected, which could mean deleting photos, videos, and Facebook posts or moving them back to Europe. The decision is likely to bring into focus other GDPR powers, which can impact how companies handle data and arguably cut to the heart of Big Tech’s surveillance capitalism.

Meta says it is “disappointed” by the decision and will appeal. The decision is also likely to heap extra pressure on US and European negotiators who are scrambling to finalize a long-awaited new data-sharing agreement between the two regions that will limit what information US intelligence agencies can get their hands on. A draft decision was agreed to at the end of 2022, with a potential deal being finalized later this year.

“The entire commercial and trade relationship between the EU and the US underpinned by data exchanges may be affected,” says Gabriela Zanfir-Fortuna, vice president of global privacy at Future of Privacy Forum, a nonprofit think tank. “While this decision is addressed to Meta, it is about facts and situations that are identical for all American companies doing business in Europe offering online services, from payments, to cloud, to social media, to electronic communications, or software used in schools and public administrations.”

**‘Bittersweet Decision’**

The billion-euro fine against Meta has a long history. It stems back to 2013, long before GDPR was in place, when lawyer and privacy activist Max Schrems complained about US intelligence agencies’ ability to access data following the Edward Snowden revelations about the National Security Agency (NSA). Twice since then, Europe’s top courts have struck down US–EU data-sharing systems. The second of these rulings, in 2020, made the Privacy Shield agreement ineffective and also tightened rules around “standard contractual clauses (SSCs).”

The use of SCCs, a legal mechanism for transferring data, is at the center of the Meta case. In 2020, Schrems complained about Meta’s use of them to send data to the US. Today’s Irish decision, which is supported by other European regulators, found Meta’s use of the legal tool “did not address the risks to the fundamental rights and freedoms of data subjects.” In short, they were unlawful.

Ireland first decided the tool fell foul of GDPR in July 2022 and since then, the case has been wrapped up in European bureaucracy, with other countries having a say on the decision and deciding the penalties that should apply. Ultimately, through the European Data Protection Board (EDPB), other countries overruled the Irish regulator, which had argued Meta shouldn’t be fined.

“This is an absolutely significant fine and yet, the penalties may be inconsequential for people's rights as Meta can hold on to data it has moved unlawfully,” says Estelle Masse, the global data protection lead at European NGO Access Now. “It's a bittersweet decision.” Since GDPR came into force in May 2018, it has been criticized for not effectively curtailing the worst data practices of Big Tech. Masse argues that Meta should have been made to delete the data it collected unlawfully, and that GDPR enforcement needs to change companies business practices. (In the US, the Federal Trade Commission fined Meta $5 billion in 2019 and has previously ordered companies to delete algorithms created with improperly collected data.)

The new ruling stops short of forcing Meta to delete the data but says it should ensure that all stored data from Europeans be lawfully handled within six months. This could include deletion or moving the data back to Europe, the EDPB says, but could also include Meta using “other technical solutions.”

“One potential option moving forward would be a 'federated' social network, where European data stays in their data centers in Europe, unless users chat with a US friend, for example,” Schrems said in a statement. Zanfir-Fortuna says that data localization can be “very difficult to obtain in practice.”

It is likely, if Meta decides to move data back to Europe, that untangling it all from within its internal systems will be tricky, if not impossible. Previous reports have indicated that Meta doesn’t know where all its data goes, and court documents obtained by the Irish Council for Civil Liberties are said to show “data anarchy at Meta.”

Meta’s president of global affairs, Nick Clegg, said in a statement that the company is appealing the decisions with courts that will be able to “​​pause the implementation deadlines.” Clegg characterized the decision as a threat to the global internet: “Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on.”

**The Simplest Fix**

Lurking behind the colossal fine is the underlying issue of how data is shared between the EU and the US. Europe’s GDPR sets out how companies and other organizations should collect, use, and store people’s data and also increases the rights given to individuals. People can ask what data is held about them or request that information be deleted, for instance.

The rules are stricter than protections put in place in the US, particularly against data collected about non-US citizens, which can be intercepted by intelligence agencies under Section 702 of the Foreign Intelligence Surveillance Act. In October 2022, US president Joe Biden signed an executive order that would introduce limits to what data security agencies can access under a proposed new EU–US Data Privacy Framework.

In Meta’s response to the GDPR decision, Clegg referenced the new international agreement and said that if it comes into force before the Irish deadlines, “our services can continue as they do today without any disruption or impact on users.”

The executive order would, among other things, create a Data Protection Review Court within the US Department of Justice that allows Europeans to challenge how American intelligence agencies use their data. Gloria González Fuster, a professor at the Vrije Universiteit Brussel, says there are “multiple tensions” between the proposed plans. “The very limited information given to complainants by the Data Protection Review Court (DPRC) is one of the major problems,” Fuster says, adding the approach doesn’t match those of Europe’s courts.

Since two previous data-sharing agreements have been struck down by Europe’s courts, it is likely that the new agreement, which could come into force before Meta has to deal with Ireland’s orders, may be challenged. “The framework from the get-go is an improvement from the two previous, but we don't think it gets us to a point where it would stand a legal challenge in the court,” Masse says.

Schrems, who made the original complaint against Meta and was responsible for the cases that destroyed the previous US–EU data-sharing agreements, believes there’s a 10 percent chance Europe’s courts will find the new agreement to be lawful. “The simplest fix,” Schrems said, “would be reasonable limitations in US surveillance law.”

Meta’s $1.3 Billion Fine Is a Strike Against Surveillance Capitalism

Techniques used in cyber warfare can be sold to anyone — irrespective of borders, authorities, or affiliations. We need to develop strategies to respond at scale.

The Russia-Ukraine war has taught us a lot about cyber warfare. After all, it's the first time ever that a world-class cyber power is simultaneously engaged in a kinetic war. But before we can fully grasp the lessons that have surfaced over the past year, we first have to understand what role cyber plays as part of active kinetic warfare, as well as the criteria that determines its effectiveness.

**Breaking Down Cyber in Warfare**

The main roles of cyber in warfare include: 1) espionage, 2) sabotage, 3) propaganda, and 4) disruptions usually caused by distributed denial-of-service (DDoS) attacks targeting government, electrical, and economic/financial institutions. I believe cyber warfare is two parts information warfare using cyber tactics and techniques and one part cyber warfare with actual destruction.

Cyberattacks with strategic or military implications can include the manipulation of software, data, knowledge, and opinion to degrade performance and produce political or psychological effects. Introducing uncertainty into the minds of opposing commanders or political leaders is a calculatable military objective. Manipulating public opinion to damage an opponent's legitimacy and authority in both domestic and international audiences also is valuable. Some actions may provide only symbolic effect aimed at a domestic audience, but this too is valuable for a nation at war.

So, how can we judge the effectiveness of cyber warfare attacks? My more than two decades of experience serving as an FBI agent taught me that the criteria for success in deploying cyber offensive tactics lies across five areas:

*   Creating chaos
*   Collecting intelligence
*   Driving narratives to shape opinions (disinformation)
*   Inflicting damage to data or ecosystems
*   Stealing/exfiltrating victim data for extortion and/or sale to criminal data brokers

**Cyber Warfare in the Russia-Ukraine Conflict**

Russia has largely been cited as an "aggressor" in its conflict with Ukraine. But it is important to remember that because cyber knows no boundaries, any country or hacktivist group can join the battle with impunity — it is one of the ways cyber is fundamentally different from traditional warfare, and a dynamic that both sides have benefited from and been victimized by.

Russia holds a broad definitional concept of information warfare, which includes intelligence, counterintelligence, deceit, disinformation, electronic warfare, debilitation of communications, degradation of navigation support, psychological pressure, degradation of information systems, and propaganda.

As used by the Russian military, cyber power is a key facet of hybrid warfare and is an important enabler in the Russian political strategy to oppose NATO's expansion and cohesion. Cyberattacks can be targeted specifically toward and with the purpose of eliminating key networks but also can be used as a tool to intensify the fog of war by sowing confusion within command-and-control networks. If local political and military leaders can't get ahead of and develop an accurate estimate of quickly developing events, critical hours or even days can be gained with which an adversary can create facts on the ground that cannot easily be reversed. As part of its military campaign, Russia used myriad cyberattacks against computers in Kyiv, Poland, the European Parliament, and the European Commission prior to rolling tanks across the Ukraine border.

Here are just a few examples of cyber warfare tactics used in the Russia-Ukraine conflict:

*   The Russians targeted Viasat, a US satellite communications company that provided support to the Ukrainian military, with malware designed to erase its data before disabling it. The Russians did not limit the malware's scope, and it affected other ground satellite components, causing hundreds of thousands of people outside of Ukraine to lose electrical power and Internet connection.
*   A cyberattack against the City Council of Odessa, a major Ukrainian port city situated on the Black Sea, was timed to coincide with a cruise missile attack that was meant to disrupt Ukraine's response to Russian forces attacking in the south.
*   Cyberattacks also have been launched against many parts of Ukraine's infrastructure and government and civilian networks, including hospitals.
*   Ukrainian military units have created bogus dating websites for Russian soldiers, coupled with social media platforms, to lure Russian troops to use their personal mobile devices — at which point Ukrainian troops triangulate their location so they can use a drone to drop a bomb on their geolocated positions.

Even though Russia is considered one of the most dangerous cyber-nation-state actors, the use of cyber warfare tactics against Ukraine leading up to and currently during their one-year-old unprovoked war shows that offensive cyber techniques, when used as a separate warfighting domain, does not necessarily offer magic solutions and miraculous shortcuts to achieving strategic military goals. Similar to when the Russian Army deployed cyberattacks against Georgia in 2008 and Syria after that armed conflict, when the Russia-Ukraine war ends, we will have another example for history to judge the effectiveness of Russian cyber-enabled warfare.

**Lessons Learned So Far**

Cyber warfare is real, and it is playing out in various theaters across the world — some visible, as in the Russia-Ukraine conflict, and others behind-the-scenes. There will be many lessons learned from these actions, but here are a few takeaways we have so far:

*   The effects of cyberattacks are difficult to contain when not coupled with kinetic military activity. The effects most always extend far beyond the intended target and can be used more as a strategic weapon as opposed to a tactical or precision weapon.
*   Attribution of cyberattacks is difficult and more easily denied. Cyber warfare sits in a gray zone, as it can be used by state and non-state actors, with fewer inhibitions than kinetic strikes.
*   With the use of non-state or patriotic proxies, cyberattacks are less manpower-intensive than kinetic attacks but certainly require more skills to prepare and execute and can be just as devastating to the victim's infrastructure.

There is no question that cyber power is being wielded as a strategic weapon alongside the use of kinetic force in the Russia-Ukraine conflict. And cyber warfare allows power and force to be democratized and sold on the Dark Web, available to anyone with technical skills — irrespective of borders, authorities, or affiliations. Because of this, we must start to think ahead of the threat and develop strategies to respond to these challenges at scale.

Cyber Warfare Lessons From the Russia-Ukraine Conflict

Categories: Business
There are a lot of benefits to ChatGPT, but many in the security community have concerns about it. Malwarebytes' CEO Marcin Kleczynski takes a deep dive into the topic.



(Read more...)




The post ChatGPT: Cybersecurity friend or foe? appeared first on Malwarebytes Labs.

ChatGPT: Cybersecurity friend or foe?

Plus: The FBI gets busted abusing a spy tool, an ex-Apple engineer is charged with corporate espionage, and collection of airborne DNA raises new privacy risks.

OpenAI’s new ChatGPT app for iOS couldn’t have arrived soon enough. Its absence left open a void in Google Play and Apple’s App Store, which have been quietly filling with scam apps that sucker users into paying for weekly or monthly subscriptions, according to research from security firm Sophos. The official ChatGPT app, meanwhile, is free, and an Android version is arriving soon.

But just because something is free doesn’t make it good. Telly TV is offering 55-inch televisions for $0 to the first 500,000 people who join its reservation list. Of course, “free” comes with a catch: The company reserves the right to collect heaps of data about your viewing habits, and the TV includes a built-in camera that can track your movements. Oh, and it has a second screen primarily for bombarding you with ads. But hey, nothing beats free, right?

Elsewhere in the world of tech that has people freaked out, Montana this week became the first state in the US to ban TikTok. The ban, which goes into effect in 2024, is already facing legal challenges on the grounds that it violates TikTok users’ First Amendment rights. Even if the ban remains, getting around it is trivial—just use a VPN.

The families of four people killed in a racism-fueled mass shooting at a grocery store in Buffalo, New York, are suing a slew of companies the plaintiffs say bear some responsibility for the massacre. The companies include Meta, Alphabet, Amazon, Snap, Reddit, and 4chan. Also on the list of defendants is Good Smile, a Japanese toy company that in 2015 purchased a 30 percent stake in 4chan, where the gunman sought advice on how to carry out his attack.

The United States Postal Service doesn’t just deliver mail—it also carries out warrantless mass surveillance. A bipartisan group of US senators this week launched an effort to curb the use of so-called mail covers, which USPS investigators use to gather the information on the outside of letters and packages. The senators say the practice, which does not require a court order, “threatens both our privacy and First Amendment rights.” 

In the UK, the government is working to expand a controversial surveillance program that collects web histories and other “internet connection records” on millions of people. The program began after the 2016 passage of the Investigatory Powers Act, often called the Snooper’s Charter by privacy advocates and other critics. Records show that the program appears to be moving out of its trial phase and may be rolled out nationally. 

Meanwhile, researchers at security firm Kaspersky released new details about a mysterious hacker group that has carried out operations in Ukraine for far longer than people realized. Dubbed Red Stinger by researchers at Malwarebytes, the group has targeted both pro-Ukraine and pro-Russian figures as part of apparent espionage operations. Initially linked to hacks dating back to 2020, researchers now believe Red Stinger has been active for at least 15 years.

But wait, there’s more. Each week we round up the security stories we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

Most TikTok challenges you hear about are fake. This one, however, is deadly serious. Automaker Huyandai this week agreed to pay around $200 million to customers whose vehicles were stolen following a viral TikTok challenge that exposed a major security flaw in some Hyundai and Kia vehicles. 

The challenge began after the user “Kia Boys” posted a video to TikTok showing that it was possible to hot-wire the vulnerable vehicles using a USB cable. According to Engadget, at least 14 crashes and eight deaths have been linked to the challenge. Hyundai will pay affected customers up to $6,125 for stolen vehicles and up to $3,375 to cover the cost of damage caused by those who took advantage of the flaw. The company also has an “anti-theft update” available for affected vehicles. Check to see if your vehicle is impacted here.

The US Foreign Intelligence Surveillance Court yesterday unsealed an April 2022 opinion that exposes rampant FBI misuse of the so-called Section 702 database, a vast trove of electronic communication records used by the bureau and the National Security Agency. The court found that the FBI improperly queried the database, established under Section 702 of the Foreign Intelligence Surveillance Act, more than 287,000 times in 2020 and 2021. Targets of the FBI’s searches include January 6 demonstrators, people arrested while protesting the police murder of George Floyd in Minneapolis, and some 19,000 American political donors to an unidentified US congressional campaign. 

Section 702 gives the US government the authority to collect communications of targets overseas. Communications of Americans can get swept into the database when they communicate with someone outside the US. An audit released by the Office of the Director of National Intelligence late last year found several similar instances of the FBI misusing the Section 702 database to perform searches on American citizens, including US congressman Darin LaHood. Following both the ODNI audit and this week’s release of the court’s opinion, the FBI says the abuse was the result of a “misunderstanding” and vowed that it has fixed the problem. Regardless, Section 702 will expire at the end of the year without reauthorization from Congress, which the FBI’s repeated and widespread misuse could jeopardize.

The US Department of Justice on Tuesday announced charges against a former Apple engineer accused of stealing the company’s source code related to its self-driving-car technology. Weibao Wang allegedly stole the “sensitive” documents in the final days of his employment at Apple in April 2018. Wang left Apple five months after he signed an agreement to work for a US-based subsidiary of a company headquartered in China, according to the Justice Department. After US law enforcement searched his Mountain View, California, home in June 2018, 35-year-old Wang fled to China, the Justice Department says. If convicted, Wang faces up to 10 years in prison plus fines.

Everyone knows how much data can be collected about you anytime you’re online. But a bigger concern may be what someone can collect about you anytime you’re anywhere. That’s the warning in a new research paper, which found that it’s possible to collect “environmental DNA”—traces of genetic material floating in the air or liquids, also called eDNA—that can be linked to a person’s medical or ancestral details. Legal experts who spoke to the _The New York Times_ warn that if police or other government authorities begin collecting eDNA, as scientists studying animals have done for a decade, it could create widespread privacy and civil liberties abuses.

A TikTok ‘Car Theft’ Challenge Is Costing Hyundai $200 Million

From USB worms to satellite-based hacking, Russia’s FSB hackers, known as Turla, have spent 25 years distinguishing themselves as “adversary number one.”

Ask Western cybersecurity intelligence analysts who their "favorite" group of foreign state-sponsored hackers is—the adversary they can't help but grudgingly admire and obsessively study—and most won't name any of the multitudes of hacking groups working on behalf of China or North Korea. Not China's APT41, with its brazen sprees of supply chain attacks, nor the North Korean Lazarus hackers who pull off massive cryptocurrency heists. Most won't even point to Russia's notorious Sandworm hacker group, despite the military unit's unprecedented blackout cyberattacks against power grids or destructive self-replicating code.

Instead, connoisseurs of computer intrusion tend to name a far more subtle team of cyberspies that, in various forms, has silently penetrated networks across the West for far longer than any other: a group known as Turla.

Last week, the US Justice Department and the FBI announced that they had dismantled an operation by Turla—also known by names like Venomous Bear and Waterbug—that had infected computers in more than 50 countries with a piece of malware known as Snake, which the US agencies described as the "premiere espionage tool" of Russia's FSB intelligence agency. By infiltrating Turla's network of hacked machines and sending the malware a command to delete itself, the US government dealt a serious setback to Turla's global spying campaigns.

But in its announcement—and in court documents filed to carry out the operation—the FBI and DOJ went further, and officially confirmed for the first time the reporting from a group of German journalists last year which revealed that Turla works for the FSB's Center 16 group in Ryazan, outside Moscow. It also hinted at Turla's incredible longevity as a top cyberspying outfit: An affidavit filed by the FBI states that Turla's Snake malware had been in use for nearly 20 years.

In fact, Turla has arguably been operating for at least 25 years, says Thomas Rid, a professor of strategic studies and cybersecurity historian at Johns Hopkins University. He points to evidence that it was Turla—or at least a kind of proto-Turla that would become the group we know today—that carried out the first-ever cyberspying operation by an intelligence agency targeting the US, a multiyear hacking campaign known as Moonlight Maze.

Given that history, the group will absolutely be back, says Rid, even after the FBI's latest disruption of its toolkit. “Turla is really the quintessential APT,” says Rid, using the abbreviation for “advanced persistent threat,” a term the cybersecurity industry uses for elite state-sponsored hacking groups. “Its tooling is very sophisticated, it’s stealthy, and it’s persistent. A quarter-century speaks for itself. Really, it’s adversary number one.”

Throughout its history, Turla has repeatedly disappeared into the shadows for years, only to reappear inside well-protected networks including those of the US Pentagon, defense contractors, and European government agencies. But even more than its longevity, it's Turla's constantly evolving technical ingenuity—from USB worms, to satellite-based hacking, to hijacking other hackers' infrastructure—that's distinguished it over those 25 years, says Juan Andres Guerrero-Saade, a principal threat researcher at the security firm SentinelOne. “You look at Turla, and there are multiple phases where, oh my god, they did this amazing thing, they pioneered this other thing, they tried some clever technique that no one had done before and scaled it and implemented it,” says Guerrero-Saade. “They're both innovative and pragmatic, and it makes them a very special APT group to track.”

Here's a brief history of Turla's two-and-a-half decades of elite digital spying, stretching back to the very beginning of the state-sponsored espionage arms race.

1996: Moonlight Maze

By the time the Pentagon began investigating a series of intrusions of US government systems as a single, sprawling espionage operation, it had been going on for at least two years and was siphoning American secrets on a massive scale. In 1998, federal investigators discovered that a mysterious group of hackers had been prowling the networked computers of the US Navy and Air Force, as well as those of NASA, the Department of Energy, the Environment Protection Agency, the National Oceanic and Atmospheric Administration, a handful of US universities, and many others. One estimate would compare the hackers' total haul to a stack of papers three times the height of the Washington Monument.

From early on, counterintelligence analysts believed that the hackers were Russian in origin, based on their real-time monitoring of the hacking campaign and the types of documents they targeted, says Bob Gourley, a former US Defense Department intelligence officer who worked on the investigation. Gourley says that it was the hackers’ apparent organization and persistence that made the most lasting impression on him. “They’d reach a wall, and then someone with different skills and patterns would take over and break through that wall,” Gourley says. “This was not just a couple of kids. This was a well-resourced, state-sponsored organization. It was the first time, really, where a nation-state was doing this.”

Investigators found that when the Moonlight Maze hackers—a codename given to them by the FBI—exfiltrated data from their victims' systems, they used a customized version of a tool called Loki2, and would continually tweak that piece of code over the years. In 2016, a team of researchers including Rid and Guerrero-Saade would cite that tool and its evolution as evidence that Moonlight Maze was in fact the work of an ancestor of Turla: They pointed to cases where Turla's hackers had used a unique, similarly customized version of Loki2 in its targeting of Linux-based systems fully two decades later.

2008: Agent.btz

Ten years after Moonlight Maze, Turla shocked the Defense Department again. The NSA discovered in 2008 that a piece of malware was beaconing out from inside the classified network of the DOD's US Central Command. That network was “air-gapped”—physically isolated such that it had no connections to internet-connected networks. And yet someone had infected it with a piece of self-spreading malicious code, which had already copied itself to an untold number of machines. Nothing like it had ever been seen before on US systems.

The NSA came to believe that the code, which would later be dubbed Agent.btz by researchers at the Finnish cybersecurity firm F-Secure, had spread from USB thumb drives that someone had plugged into PCs on the air-gapped network. Exactly how the infected USB sticks got into the hands of DOD employees and penetrated the US military's digital inner sanctum has never been discovered, though some analysts speculated they may have simply been scattered in a parking lot and picked up by unsuspecting staffers.

The Agent.btz breach of Pentagon networks was pervasive enough that it sparked a multiyear initiative to revamp US military cybersecurity, a project called Buckshot Yankee. It also led to the creation of US Cyber Command, a sister organization of the NSA tasked with protecting DOD networks that today also serves as the home of the country's most cyberwar-oriented hackers.

Years later, in 2014, researchers at the Russian cybersecurity firm Kaspersky would point to technical connections between Agent.btz and Turla's malware that would come to be known as Snake. The espionage malware—which Kaspersky at the time called Uroburos, or simply Turla—used the same file names for its log files and some of the same private keys for encryption as Agent.btz, the first clues that the notorious USB worm had in fact been a Turla creation.

2015: Satellite Command-and-Control

By the mid-2010s, Turla was already known to have hacked into computer networks in dozens of countries around the world, often leaving a version of its Snake malware on victims' machines. It was revealed in 2014 to be using “watering-hole” attacks, which plant malware on websites with the goal of infecting their visitors. But in 2015, researchers at Kaspersky uncovered a Turla technique that would go much further toward cementing the group's reputation for sophistication and stealth: hijacking satellite communications to essentially steal victims' data via outer space.

In September of that year, Kaspersky researcher Stefan Tanase revealed that Turla's malware communicated with its command-and-control servers—the machines that send commands to infected computers and receive their stolen data—via hijacked satellite internet connections. As Tanase described it, Turla's hackers would spoof the IP address for a real satellite internet subscriber on a command-and-control server set up somewhere in the same region as that subscriber. Then they would send their stolen data from hacked computers to that IP so that it would be sent via satellite to the subscriber, but in a way that would cause it to be blocked by the recipient's firewall.

Because the satellite was broadcasting the data from the sky to the entire region, however, an antenna connected to Turla's command-and-control server would also be able to pick it up—and no one tracking Turla would have any way of knowing where in the region that computer might be located. The entire, brilliantly tough-to-trace system cost less than $1,000 a year to run, according to Tanase. He described it in a blog post as “exquisite.”

2019: Piggybacking on Iran

Plenty of hackers use “false flags,” deploying the tools or techniques of another hacker group to throw investigators off their trail. In 2019, the NSA, the Cybersecurity and Infrastructure Security Agency (CISA), and the UK's National Cybersecurity Center warned that Turla had gone much further: It had silently taken over another hacker group's infrastructure to commandeer their entire spying operation.

In a joint advisory, the US and UK agencies revealed that they'd seen Turla not only deploy malware used by an Iranian group known as APT34 (or Oilrig) to sow confusion, but that Turla had also managed to hijack the command-and-control of the Iranians in some cases, gaining the ability to intercept data that the Iranian hackers had been stealing and even sending their own commands to the victim computers the Iranians had hacked.

Those tricks significantly raised the bar for analysts seeking to pin any intrusion on a particular group of hackers, when in fact Turla or a similarly devious group might have been secretly pulling puppet strings from the shadows. “Avoid possible misattribution by being vigilant when examining activity that appears to originate from the Iranian APT,” the CISA advisory warned at the time. “It may be the Turla group in disguise.”

2022: Hijacking a Botnet

Cybersecurity firm Mandiant reported earlier this year that it had spotted Turla carrying out a different variant of that hacker-hijacking trick, this time taking over a cybercriminal botnet to sift through its victims.

In September 2022, Mandiant found that a user on a network in Ukraine had plugged a USB drive into their machine and infected it with the malware known as Andromeda, a decade-old banking trojan. But when Mandiant looked more closely, they found that that malware had subsequently downloaded and installed two tools Mandiant had previously tied to Turla. The Russian spies, Mandiant discovered, had registered expired domains that Andromeda's original cybercriminal administrators had used to control its malware, gaining the ability to control those infections, and then searched through hundreds of them for ones that might be of interest for espionage.

That clever hack had all the hallmarks of Turla: the use of USB drives to infect victims, as it had done with Agent.btz in 2008, but now combined with the trick of hijacking a different hacker group's USB malware to commandeer their control, as Turla had done with Iranian hackers a few years earlier. But researchers at Kaspersky nonetheless warned that the two tools found on the Ukrainian network that Mandiant had used to tie the operation to Turla may actually be signs of a different group it calls Tomiris—perhaps a sign that Turla shares tooling with another Russian state group, or that it's now evolving into multiple teams of hackers.

2023: Beheaded By Perseus

Last week, the FBI announced that it had struck back against Turla. By exploiting a weakness in the encryption used in Turla's Snake malware and remnants of code that the FBI had studied from infected machines, the bureau announced it had learned to not only identify computers infected with Snake, but also send a command to those machines that the malware would interpret as an instruction to delete itself. Using a tool it had developed, called Perseus, it had purged Snake from victims' machines around the world. Along with CISA, the FBI also released an advisory that details how Turla's Snake sends data through its own versions of the HTTP and TCP protocols to hide its communications with other Snake-infected machines and Turla's command-and-control servers.

That disruption will no doubt undo years of work for Turla's hackers, who have been using Snake to steal data from victims around the world since as early as 2003, even before the Pentagon discovered Agent.btz. The malware's ability to send well-concealed data covertly between victims in a peer-to-peer network made it a key tool for Turla's espionage operations.

But no one should deceive themselves that dismantling the Snake network—even if the malware could be wholly eradicated—would mean the end of one of Russia's most resilient hacker groups. “This is one of the best actors out there, and there’s no doubt in my mind that the cat-and-mouse game continues,” says Rid, of Johns Hopkins. “More than anyone else, they have a history of evolving. When you shine a light on their operations and tactics and techniques, they evolve and retool and try to become more stealthy again. That’s the historical pattern that began in the 1990s.”

“For them, those gaps in your timeline are a feature,” Rid adds, pointing to the sometimes-yearslong stretches when Turla's hacking techniques largely stayed out of news stories and security researchers' papers.

As for Gourley, who hunted Turla 25 years ago as an intelligence officer in the midst of Moonlight Maze, he applauds the FBI’s operation. But he also warns that killing some Snake infections is very different from defeating Russia’s oldest cyberspying team. “This is an infinite game. If they’re not already back in those systems, they will be soon,” Gourley says. “They’re not going away. This is not the end of cyberespionage history. They will definitely, definitely be back.”

Tag

#intel