Cyber
The Next Frontier

Become part of a critical layer of cyber defense. Cybersecurity positions will make up 45% of all US tech job openings.


The National Security Agency designated the University of Arizona's Cyber Operations program as a Center of Academic Excellence in Cyber Operations (CAE-CO). With this designation, UA joins an extremely exclusive group of only 24 cyber programs in the nation. The NSA's CAE-CO designation demonstrates that UA's Cyber Operations program meets the most demanding academic and technical requirements.


The Bachelor of Applied Science in Cyber Operations prepares graduates for cyber-related occupations in defense, law enforcement, and private industry.

Our curriculum includes both offensive and defensive cyber security content delivered within our state-of-the-art Virtual Learning Environment to ensure our students have extensive hands-on experiences to develop the knowledge, skills, and abilities necessary to succeed after they graduate.


Program News

DoD Cyber Scholarship Program (CySP)

The DoD CySP is a yearly scholarship program aimed at Juniors and Seniors pursuing a bachelor’s degree in cyber-related academic disciplines. The CySP is a 1-year scholarship, which grants selected Cyber Scholars tuition and mandatory fees (including health care), funding for books, a $25K annual stipend, and guaranteed employment with a DoD agency upon graduation.

Cyber News

Tuesday, July 16, 2024 - 09:30
CDK hack shows SEC disclosure standards are unsettled

As the damage from the ransomware attack on automotive software provider CDK Global has become clear over recent weeks, numerous auto dealers felt compelled to notify the Securities and Exchange Commission that the breach had harmed their operations.

CDK’s parent company, Brookfield Business Partners, which apparently paid nearly $25 million in ransom to attackers, does not feel the same way. In a press release issued July 3, the company said “we do not expect this incident to have a material impact on Brookfield Business Partners.”

Despite the attack’s downstream effect on the U.S. auto industry, CDK and its parent company did not file with the SEC under its new rules for reporting breaches.

Attorneys and cybersecurity experts whom CyberScoop spoke to found the dichotomy between how the victim company approached its disclosures and how its indirect victims did somewhere between inevitable and absurd. The differing approaches straddle the perceived ambiguity of SEC rules that took effect late last year governing when publicly traded companies must report a cyber incident to the regulator.

At issue is the definition of what counts as “material,” the threshold under which companies must report an attack to the commission — a term that relies on a firm’s assessment of whether a “reasonable investor” would want to know about it before deciding to invest in a company.

“I certainly am sympathetic to the argument that what is material for one entity is not material for another entity,” said Bob Kolasky, a former top official at the Cybersecurity and Infrastructure Security Agency and now a nonresident scholar in the technology and international affairs program at the Carnegie Endowment for International Peace.

On the other hand, “based on my understanding of the ransomware attack on CDK, yes, I believe a reasonable investor would want to know about it because of the nature of the attention it has gotten and the tail that will happen because of that attention,” said Kolasky, who’s also senior vice president of critical infrastructure at Exiger, a supply chain risk management company. “It creates a ton of uncertainty about the kind of scrutiny that’s going to follow from this.”

Allan Liska, a threat intelligence analyst at Recorded Future, said he found Brookfield Business Partners’ assessment that the CDK Global hack wouldn’t have a material impact to be “complete bulls–t,” adding, “it has to be [material], given the scope and the level of disruption that it caused.”

But if a business is sufficiently dominant, Liska pointed out, companies can easily absorb the financial pain of even a major breach. “Maybe it’s not going to affect their bottom line, and part of that, of course, is that CDK, as far as I can tell, has a pretty big market share and there aren’t many alternatives,” he said.

Brookfield Business Partners didn’t respond to questions about how it determined the materiality of the CDK Global breach. The attack, which impacted software used by nearly 15,000 auto dealerships, crippled sales operations in the U.S. auto industry for several weeks.

Some of the affected auto dealerships commented on the disruption in their filings to the SEC, but included caveats about materiality. “While this incident has had, and is likely to continue to have, a negative impact on the Company’s business operations until the relevant systems are fully restored, the Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations,” wrote Lithia Motors.

Fort Lauderdale, Florida-based AutoNation, one of the country’s biggest car dealership chains, announced Monday in an SEC filing that the attack lowered its second-quarter profit by about $1.50 a share. Despite the loss, the company said it doesn’t expect the incident to have a material impact on its overall financial condition or ongoing results.

Without being privy to all the details of the CDK attack, Elizabeth Wharton — who worked as an attorney for the city of Atlanta and now serves as founder of Silver Key Strategies — said that after breaches, companies’ stock prices often bounce back. And some of CDK Global’s customers might decide that even when dealing with the fallout of a cyberattack, switching to its competitors isn’t worth the trouble, which could minimize the impact on the company’s anticipated bottom line.

“It’s not like every car dealership, car loan financial company or supplier can just pivot on a dime and pick up a new vendor to use,” she said. “If you’ve ever tried switching between SalesForce and HubSpot, I feel like every sales and marketing head would just start weeping. It’s not easy and it sets you back a couple months just to get used to the new system.”

SEC guidelines say the size of a ransomware payment is not solely determinative of whether a cyber incident is material. Its guidance has also provided further answers about the conditions under which a ransomware attack would meet the materiality threshold.

The very first standard for determining whether a company is subject to reporting cyber incidents at all is whether it is publicly traded or privately held, noted Brian Finch, a lawyer and partner at Pillsbury Public Policy. (Brookfield is a client of Pillsbury, so its attorneys wouldn’t comment directly on the breach or the companies involved.)

CDK is a privately owned company and thus not subject to the SEC regulations, but its publicly traded parent company, Brookfield, is.

Brookfield Business Partners managed nearly $16 billion in assets last year, according to its annual report, and the Brookfield Corporation, of which Brookfield Business Partners is a part, reported revenues of nearly $96 billion for 2023, its annual report states.

For businesses of this size, $25 million — the reported size of the CDK ransom payment — represents a drop in the bucket for its bottom line, Finch said.

To be sure, if the SEC decides a company should have disclosed something as material, “having the SEC investigate you is a really big deal, and it’s a big deal for any number of reasons, including their ferocious investigators,” Finch said. “They have a lot of power, they have a lot of expertise, and they can impose really significant fines.”

As a result, “companies seem to be erring on the side of over-disclosure,” said David Oliweinstein, also a partner at Pillsbury who once worked in the SEC’s enforcement division.

But because the rules are so new, it might take SEC action and case law to settle the precise boundaries of how materiality applies to a cyber incident reporting threshold, the experts said.

Right now, situations like the CDK Global hack are causing a different kind of divide, Liska said.

“My first interpretation, and what I think a lot of cybersecurity people’s first impression of the SEC guidelines are, are very, very different than what the lawyers for these companies are interpreting the guidelines to mean,” he said.

The post CDK hack shows SEC disclosure standards are unsettled appeared first on CyberScoop.

Friday, July 12, 2024 - 08:05
Wallets tied to CDK ransom group received $25 million two days after attack

The ransomware group linked to a June cyberattack against auto industry software provider CDK Global received a payment of more than $25 million two days after the attack that hobbled software used by roughly 15,000 car dealerships in the U.S. became public, researchers told CyberScoop.

A cryptocurrency wallet likely controlled by BlackSuit — the ransomware group believed to be responsible for the attack — received approximately 387 bitcoin on June 21, worth roughly $25 million, researchers with blockchain intelligence firm TRM Labs told CyberScoop.

The evidence uncovered by TRM Labs is the firmest evidence yet to indicate that CDK Global paid a ransom in order to resolve the attack on its systems, though TRM’s findings do not conclusively prove that the payment came from CDK.

Representatives for the company and its parent firm, Brookfield Business Partners, have refused to answer questions about whether CDK or a representative made a ransom payment.

If confirmed, the $25 million payment would be the second-largest ransom payment on record, trailing only the $40 million paid by CNA Financial Corp. in 2021. It would be the second known ransom payment to cross $20 million this year, after UnitedHealth Group paid attackers tied to the now defunct ALPHV ransomware operation $22 million to resolve an attack on its Change Healthcare subsidiary.

After the $25 million payment was made to the wallet controlled by BlackSuit, roughly $15 million of the funds “moved through a complex set of nearly 200 transactions following a common money laundering typology, then was distributed across more than 20 addresses at five different global exchanges,” the firm told CyberScoop in an email.

A little more than $6 million in funds was also moved from the initial wallet and deposited across more than 15 addresses at four global exchanges, with movements continuing through Tuesday, TRM Labs said.

One of the wallets that received a deposit appears to belong to an active BlackSuit affiliate, the researchers added. That address had previously received funds from “several known BlackSuit and Wizard Spider victim payments,” the researchers said.

Wizard Spider is a name used to track a separate set of long-running, financially motivated cybercriminal activity with ties to the Russian cybercrime ecosystem, industry and government researchers have said.

Another source familiar with the matter confirmed that an approximately $25 million payment was made to a BlackSuit-linked wallet.

The payment came the same day Bloomberg reported that the CDK Global attackers were demanding “tens of millions of dollars in ransom” and that the company was planning to make the payment. CNN was the first to report the $25 million transaction.

CDK Global, which is owned by Canada-based Brookfield Business Partners, began investigating a “cyber incident” the morning of June 19 and shut down “most” of its systems that day “out of an abundance of caution,” followed by a second incident that day, CDK Senior Manager of External Communications Lisa Finney told CyberScoop June 20. Tony Macrito, CDK Global’s senior director of communications, told CyberScoop Friday that all of the company’s major applications are now available.

The incident led to widespread disruption at auto dealerships across the country. At least six publicly traded auto dealership firms said in filings with the Securities and Exchange Commission that the incident had affected their business operations.

Brookfield Business Partners said in a July 3 press release that the company did not expect the incident to have a material impact on its business. Companies are required by the SEC to “make a materiality determination” following a ransomware attack and, if it determines an incident is material, disclose it within four days of the determination.

The post Wallets tied to CDK ransom group received $25 million two days after attack appeared first on CyberScoop.

Friday, July 12, 2024 - 07:32
Phone, text message records of ‘nearly all’ AT&T customers stolen

Telecommunications giant AT&T announced Friday that hackers obtained six months of phone and text message records of “nearly all” of the company’s customers.

An AT&T spokesperson confirmed the data was pulled from Snowflake, making this incident one of the most significant data exfiltration attacks tied to the cloud platform’s recent security woes. AT&T said it believes at least one person linked to the breach is in federal custody, per the company’s SEC filing describing the incident.

AT&T said that hackers were able to exfiltrate the sensitive information ranging from May 2, 2022 to October 31, 2022, as well as information from January 2, 2023. The data includes phone numbers that an AT&T mobile phone communicated with, including AT&T landline users. In some cases, the data also contains specific cell site ID numbers linked to these interactions. The data does not include content, the timestamps of any calls or texts, social security numbers, dates of birth or other personally identifiable information.

AT&T learned of the incident on April 19 and believes that the hackers accessed the Snowflake workspace between April 14 and April 25, 2024.

AT&T is the latest in a string of major firms to suffer a data breach via the cloud storage platform Snowflake, most of which are believed to have occurred due to a lack of multi-factor authentication. Asked for comment, a Snowflake representative pointed to a blog post by CEO Brad Jones that claims the company has “not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform,” citing investigations by the incident response firms Mandiant and CrowdStrike.

The company announced on Thursday that administrators can now enforce mandatory multi-factor authentication for Snowflake users.

The stolen data will be a goldmine for scammers, financially-motivated hackers, pig butchers, and nation-backed threats alike. AT&T says they do not believe the data has been made public.

The Federal Communications Commission said it is investigating the breach.

A spokesperson for the Cybersecurity and Infrastructure Security Agency said in a statement that the agency is working to assess the impact of the breach.

Updated July 12, 2024: This article has been updated to include a statement from the Federal Communications Commission.

The post Phone, text message records of ‘nearly all’ AT&T customers stolen appeared first on CyberScoop.

Thursday, July 11, 2024 - 08:28
White House wants to boost cyber funds for fiscal 2026

The White House wants federal agencies to ask for more money that would be used to improve the nation’s cyber defenses, per a memo sent to agency heads Wednesday.

In the document, Office of Management and Budget Director Shalanda Young and National Cyber Director Harry Coker Jr. directed agencies to review and align incoming budget requests to fit the Biden administration’s national cyber strategy and implementation plan.

The White House’s ask fits with its directive that federal agencies move toward fully mature zero-trust architectures. Agencies will submit an updated zero-trust implementation plan to the OMB and ONCD within 120 days following the memo’s release, and be on target by the end of fiscal 2026, the memo states.

“Agencies with federated networks should prioritize investments in department-wide, enterprise solutions to the greatest extent practicable in order to further align cybersecurity efforts, ensure consistency across mission areas, and enable information sharing,” the memo said.

Additionally, federal agencies should also update budgets to reflect the critical infrastructure national security memorandum issued this year by President Joe Biden. The memo requires that agencies charged with overseeing a critical infrastructure sector prioritize resources and responsibilities.

Budgets should also reflect the potential development of “minimum cybersecurity requirements for each sector for security and resilience” and the improvements of open-source software security and sustainability. Agencies should both ensure that they’re using open-source software securely while also contributing to maintenance and upkeep, according to the memo.

Developing and harmonizing standards across critical infrastructure has continued to run into obstacles from industry lawyers. A bid by the Environmental Protection Agency to add cybersecurity requirements to sanitary surveys led to lawsuits and ultimately the retraction of the rule. Additionally, a recent Supreme Court decision on the so-called Chevron doctrine can also put existing and potential new mandates at risk, like the incoming cyber incident reporting rule, experts noted.

The administration is also calling on federal agencies to address the government’s cyber workforce issue, an area of focus for Coker since he took office in late 2023.

“Budget submissions should demonstrate how agencies invest in adopting skills-based best practices including skills-based and competency-based assessments and the removal of 4-year college degrees as minimum requirements when appropriate to remove barriers for joining the Federal cyber workforce,” the memo stated.

The post White House wants to boost cyber funds for fiscal 2026 appeared first on CyberScoop.

Tuesday, July 9, 2024 - 15:59
US intel officials: Kremlin once again prefers Trump

U.S. officials tracking efforts to meddle in American politics say that Russia continues to be the most active foreign power trying to influence voters, with the Kremlin once again preferring Donald Trump over his Democratic rival in November’s election.

In a briefing with reporters on Tuesday, U.S. intelligence officials speaking on condition of anonymity said the Kremlin is actively trying to shape American politics. While Russia hasn’t been observed trying to hack voting machines or voter registration systems, Moscow is engaged in a “whole-of-government approach to influence the election, including the presidential race, Congress and public opinion,” an official at the Office of the Director of National Intelligence said.

In 2016, U.S. intelligence agencies concluded that Russia’s efforts were designed to boost the electoral chances of Trump, the Republican nominee. When asked if that continued to be true about Moscow’s efforts today, the ODNI official said “we have not observed a shift in Russia’s preferences for the presidential race from past elections.”

Separately on Tuesday, American prosecutors said they had seized a pair of domains used by a Russian influence operation that relied on AI tools to generate content and personas that attempted to shape social media conversations about U.S. politics.

Officials at Tuesday’s briefing said China appears to be mostly refraining from carrying out influence operations targeting American politics, as it perceives little gain from more robust influence operations.

Iran, by contrast, was described by one official as a “chaos agent” more interested in exploiting U.S. political and social tensions than it is in fostering a specific electoral outcome.

In a statement on Tuesday, Director of National Intelligence Avril Haines accused Iran of seeking to amplify U.S. protests regarding Israel’s military operation in Gaza.

“We have observed actors tied to Iran’s government posing as activists online, seeking to encourage protests and even providing financial support to protestors,” said Haines, who noted that, despite the Iranian interference, she believed protesters are expressing their beliefs in good faith and exercising their free speech rights.

U.S. national security officials have described the current foreign influence landscape as both more complex and less intense than previous election cycles.

Officials at Tuesday’s briefing said they had no evidence that any country is attempting to directly interfere with this year’s voting or election process. “We have not observed any country plan or undertake efforts to degrade or disrupt the U.S.’ ability to hold an election,” the ODNI official said.

ODNI officials have said they view election “influence” activity, such as disinformation campaigns that seek to sway public opinion, as separate and distinct from “interference” that seeks to directly meddle with election infrastructure.

Tuesday’s briefing tracks with public reports released this year by Microsoft and Meta identifying Russia as the top purveyor of influence operations that directly target U.S. elections. Groups linked to the Russian government, like Doppelganger and CopyCop, have pumped out massive amounts of propaganda and fake content on Telegram and other platforms over the past year, though much of it appears to have failed to catch on with the broader public.

In contrast, officials described Iran and China as having far more muted roles.

While China is conducting influence activity on most social media platforms this cycle, it is moving “more cautiously” than Russia because officials see “little gain in choosing between two parties that are perceived as both seeking to contain Beijing,” one official said.

Intelligence officials said the Chinese government is seeking to expand its ability to collect and monitor data on social media platforms, something that could be deployed in later efforts to sway public opinion.

Chinese-linked disinformation actors have been heavily involved in other elections, like in Taiwan, where they deployed generative AI and mirrored Russian hack-and-leak tactics in an attempt to dampen the electoral prospects of the pro-independence Democratic Progressive Party. Those efforts, while extensive, largely failed as the DPP won its third consecutive presidential term and a majority of seats in the legislature this past January.

The post US intel officials: Kremlin once again prefers Trump appeared first on CyberScoop.