Cyber
The Next Frontier

Become part of a critical layer of cyber defense. Cybersecurity positions will make up 45% of all US tech job openings.

The National Security Agency designated the University of Arizona's Cyber Operations program as a Center of Academic Excellence in Cyber Operations (CAE-CO). With this designation, UA joins an extremely exclusive group of only 24 cyber programs in the nation. The NSA's CAE-CO designation demonstrates that UA's Cyber Operations program meets the most demanding academic and technical requirements.
The Bachelor of Applied Science in Cyber Operations prepares graduates for cyber-related occupations in defense, law enforcement, and private industry.

Our curriculum includes both offensive and defensive cyber security content delivered within our state-of-the-art Virtual Learning Environment to ensure our students have extensive hands-on experiences to develop the knowledge, skills, and abilities necessary to succeed after they graduate.
Program News

DoD Cyber Scholarship Program (CySP)

The DoD CySP is a yearly scholarship program aimed at Juniors and Seniors pursuing a bachelor’s degree in cyber-related academic disciplines. The CySP is a 1-year scholarship, which grants selected Cyber Scholars tuition and mandatory fees (including health care), funding for books, a $25K annual stipend, and guaranteed employment with a DoD agency upon graduation.

Cyber News

Thursday, April 18, 2024 - 09:39
‘Large volume’ of data stolen from UN agency after ransomware attack

A large volume of United Nations Development Programme data related to staffers and other internal operations was stolen and posted to a ransomware website in late March, the agency announced this week. 

The UNDP issued a statement Tuesday saying that “local IT infrastructure in UN City, Copenhagen, was targeted,” and that a “data extortion actor had stolen data which included certain human resources and procurement information.”

The statement did not detail the kind of data that was stolen from the UN’s lead agency on international development. But notifications shared with affected parties and viewed by CyberScoop said attackers were able to “access a number of servers” and steal “a large volume of data.”

The data could include dates of birth, social security numbers, bank account information, passport details, and information related to former and current staffers’ family members, as well as information related to contractors, according to notification information shared with CyberScoop.

The agency’s statement did not identify the group behind the attack. But a post on the ransomware extortion site for a group called “8Base” claimed credit for the attack on March 27, the same date flagged in the Tuesday UNDP announcement. The data was published April 3, according to the 8Base post, but a link to the data has since expired.  

8Base is a ransomware operation dating to at least March 2022, according to a June 2023 analysis from VMWare.

Various units of the sprawling United Nations apparatus have suffered cyberattacks in recent years. A January 2020 report in The New Humanitarian exposed a previously unreported 2019 attack that “resulted in a compromise of core infrastructure components,” UN spokesperson Stéphane Dujarric told the publication at the time. In September 2021, the UN acknowledged that multiple successful attacks on the organization took place after login credentials for software used to manage internal projects were sold on the dark web, CNN reported at the time.

The UN did not immediately respond to a request for additional information Thursday.

The post ‘Large volume’ of data stolen from UN agency after ransomware attack appeared first on CyberScoop.

Wednesday, April 17, 2024 - 17:50
House passes bill to limit personal data purchases by law enforcement,...

The House passed the “Fourth Amendment Is Not For Sale Act” on Wednesday, buoying the spirits of digital privacy advocates at the same time the Senate is gearing up for a fight over a broader extension of Section 702 of the Foreign Intelligence Surveillance Act.

The bill, introduced by Rep. Warren Davidson, R-Ohio, and a group of seven bipartisan co-sponsors, passed 219-199. It would prohibit law enforcement and intelligence agencies from purchasing personal information about customers or subscribers of electronic and remote computing service providers — such as social media, cell phone, email and cloud computing companies — without first obtaining a court order.

The measure saw a coalition of 123 Republicans join forces with 93 Democrats, including both House Speaker Mike Johnson, R-La., and Minority Leader Hakeem Jeffries, D-N.Y., to push the measure through to the Senate.

Privacy advocates cheered the bill’s passage, after arguing that the government’s purchase of large quantities of personal information via commercial companies and third-party data collectors represented an end-around the U.S. Constitution’s Fourth Amendment.

“The bipartisan passage of this bill is a flashing warning sign to the government that if it wants our data, it must get a warrant,” Kia Hamadanchy, senior federal policy counsel at the American Civil Liberties Union, said in a statement. “We hope this vote puts a fire under the Senate to protect their constituents and rein in the government’s warrantless surveillance of Americans, once and for all.”

An earlier House Judiciary Committee-approved version of a Section 702 reauthorization measure included the data broker legislation in its text. Johnson opted to advance a House Intelligence Committee-approved version of a Section 702 reauthorization bill that excluded it, and made it so the “Fourth Amendment is Not for Sale Act” could not be attached to the legislation by amendment on the floor. When lawmakers revolted against the 702 bill, Johnson was able to restart the debate with a promise that the “Fourth Amendment is Not for Sale Act” would get a standalone floor vote.

Sen. Ron Wyden, D-Ore., who has sponsored a companion bill in the Senate, immediately urged his colleagues to swiftly pass the measure.

“This is a huge win for privacy. Now it’s time for the Senate to follow suit,” Wyden said on X.

Despite the revelry, the bill faces an uncertain future in the chamber and with a White House that has strenuously objected to the legislation.

In a call with reporters this week, a senior administration official called the bill “unworkable” and “devastating” to homeland security. Among the criticisms were that the definition of third parties was overly broad, that agencies wouldn’t be able to confirm whether covered data was in a purchased dataset before buying it, and that it would inhibit the government’s ability to “detect and defeat adversary cyberattacks” and takedown malicious botnets.

“In practice, these standards make it impossible for the [intelligence community] or law enforcement to acquire a whole host of readily available information that they currently rely on,” the official said.

Tim Starks contributed to this article.

The post House passes bill to limit personal data purchases by law enforcement, intelligence agencies appeared first on CyberScoop.

Wednesday, April 17, 2024 - 09:41
Mandiant: Notorious Russian hacking unit linked to breach of Texas water...

The potent and enduring Russian military intelligence hacking operation known as Sandworm was likely responsible for attacks on water utilities in the United States, Poland and a small water mill in France, researchers with Google’s Mandiant said Wednesday.

Wednesday’s report concludes that Sandworm is behind a set of online personas — including Xaknet, Cyber Army of Russia Reborn and Solntsepek — that have been linked to a string of recent attacks on critical infrastructure, including a water system in Texas. The personas claim the attacks as their own and often exaggerate their impact, while attempting to put distance between the incidents and one of Russia’s most notorious hacking crews. 

Sandworm is suspected of controlling the work of a pro-Russian hacktivist group that calls itself the CyberArmyofRussia_Reborn (CARR) and that has targeted U.S. water utilities, according to Mandiant. On January 18, the hacktivist group posted a splashy video to Telegram of an intrusion at water tanks in Muleshoe, Texas, in which it appeared to use the human-machine interface (HMI) to turn on the pumps, causing the tank water level to overflow.

Muleshoe city officials confirmed the overflow in February while noting that it did not cause any service disruptions.

It is unclear whether Sandworm, a Russian military intelligence unit, is directing the work of CARR or whether the group informs its contacts within Russian intelligence after it has carried out an operation, Mandiant cautioned. CARR’s exact membership is unknown and may include individuals who are not members of Russian intelligence. 

Mandiant has observed links between Sandworm and CARR, including a YouTube channel created by the hacktivist group linked to infrastructure that, in turn, is linked to Sandworm. “These patterns of interaction align with TAG’s assessment that CyberArmyofRussia_Reborn is created and controlled by APT44,” Mandiant argues.

Russia’s attack using a persona controlled by Sandworm represents a significant escalation of the Kremlin’s attacks on U.S. critical infrastructure. Russian ransomware gangs have operated with impunity and have attacked U.S. critical infrastructure for years, causing major disruptions such as the Colonial Pipeline hack, but nation-state groups like Sandworm have to date not carried out disruptive attacks on U.S. soil.

Mandiant previously believed that the CyberArmyofRussia_Reborn was linked to the Russian hacking group APT28, also known as Fancy Bear. Mandiant said that after re-analyzing the data, it was able to attribute the suspected activity to Sandworm “with high confidence.”

CyberArmyofRussia_Reborn joins a small but growing group of hacktivist personas linked to nation-state hackers that target U.S. critical infrastructure. The CyberAv3ngers, a group run by Iran’s Islamic Revolutionary Guard Corps, last year hit water facilities in Aliquippa, Pennsylvania, and elsewhere that were using devices made by the Israeli firm Unitronics.

Other attacks on critical infrastructure carried out by personas under Sandworm’s control include a March incident in which the group calling itself Solntsepek claimed credit for an attack on multiple Ukrainian telecommunications providers. Ukrainian officials told CyberScoop at the time that the attack was likely carried out by Sandworm. 

Wednesday’s findings are part of a comprehensive analysis in which Mandiant upgraded Sandworm to a fully fledged advanced persistent threat group. The group it now refers to as APT44 is considered to be among the most capable and dangerous state-backed hacking groups.

“APT44 is a uniquely dynamic threat actor that is actively engaged in the full spectrum of cyber espionage, attack, and influence operations,” Mandiant researchers wrote in the report.

“APT44 is the most brazen threat actor there is, in the midst of one of the most intense campaigns of cyber activity we’ve ever seen, in full-blown support of Russia’s war of territorial aggression,” Dan Black, a lead author of the report and manager of cyber espionage analysis for Mandiant, said in a statement. “There is no other threat actor today that is more worthy of our collective attention, and the threat APT44 poses is evolving rapidly.”

APT44 is believed to operate as Unit 74455. It is part of the Main Centre for Special Technologies, within the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, which is commonly known as the Main Intelligence Directorate, or GRU, according to Mandiant. 

The group primarily targets government, defense, transportation, energy, media and civil society organizations in Russia’s near abroad, the researchers said. It has repeatedly targeted Western electoral systems and institutions, including in NATO member countries. On three separate occasions, the group has succeeded in using a cyberattack to disrupt electricity distribution in Ukraine.

The Russian embassy in Washington, D.C., did not respond to a request for comment.

Sandworm’s operations targeting U.S. water facilities come as the White House has been sounding the alarm that the water sector needs to improve its cybersecurity defenses. With many of the nation’s water utilities strapped for resources, cybersecurity investments have fallen by the wayside. 

The White House has tried to put in place more stringent cybersecurity rules for the sector but has failed to find an effective mechanism by which to do so. The Environmental Protection Agency issued a directive last year for water utilities to beef up their defenses but withdrew that rule after several states and industry trade groups sued.

The post Mandiant: Notorious Russian hacking unit linked to breach of Texas water facility appeared first on CyberScoop.

Wednesday, April 17, 2024 - 09:00
After a sleepy primary season, Russia enters 2024 U.S. election fray

Russian influence operations targeting the 2024 U.S. elections have ramped up in the past 45 days, using Telegram as a primary distribution channel to spread propaganda to influence debate over Ukraine policy, according to new research from Microsoft’s Threat Analysis Center.

The rise in observed activity represents a late start for Moscow compared to efforts in 2020 and 2016, something Microsoft attributed to an uncompetitive presidential primary season that saw Donald Trump and Joe Biden cruise to their respective nominations with minimal resistance. Unlike in 2016 and 2020, when one or both parties were ensconced in heavily contested and contentious intraparty primaries, this cycle presented little motivation and fewer opportunities for foreign nations to move the needle with meddling.

That dynamic has changed as the race shifts to the general election, and Microsoft has tracked multiple groups targeting the U.S. elections and 70 different Russian-associated “activity sets” worldwide pushing content and messaging in English, Spanish, French, Arabic, Finnish and other languages designed to degrade international support for Ukraine, portray President Volodymyr Zelenskyy as the head of a corrupt state and diminish the appetite of Western governments to further fund the Ukrainian war cause.

“Oftentimes when we’re watching the activity that comes out of these actor sets, some people characterize it as they want to make chaos in the U.S. or they want to create problems for democracies. … With their messaging in regards to election 2024, it is absolutely about Ukraine policy,” said Clint Watts, general manager of Microsoft’s Threat Analysis Center.

Much of the content, including fake videos, news articles or explosive claims from sources identifying as whistleblowers or citizen journalists, is initially seeded on Telegram, which Watts said has become a primary distribution channel for Russian propaganda efforts since the start of the Ukraine invasion.

Two groups in particular, tracked by Microsoft as Storm 1516 and Storm 1099, have relied on this approach, posting anti-Ukraine content on purpose-built Telegram channels that are then picked up by seemingly unaffiliated news outlets and websites with names like “DC Weekly” and “Miami Chronicle” that pose as local sources but are actually Russian cut-outs.

Storm 1099 — otherwise known as Doppelganger — uses outlets that specifically target the United States, with names like “Election Watch” and “50 States of Lie.” These sites play up internal domestic divisions in U.S. society and politics, warning that “American elections have long since lost their democratic character” and that the nation faces an “unprecedented number of rebellions that could split the country in two.”

Watts said these Telegram channels function as “a bridge by which [content] gets pushed into and reposted and amplified in social media, such that it moves from one social media platform to another.”

That’s a marked change from eight years ago, when platforms like Facebook and Twitter had built up mass general audiences that allowed for direct targeting in influence campaigns. Today, audiences are far more fragmented across different social media, something that has led to Russian groups using Telegram as a staging ground for content that can be micro-targeted to different audiences on different platforms.  

Microsoft’s assessment that Russian operatives are laser focused on influencing Ukraine policy is backed up by several other sources, including Mandiant, which found a Russian hacking group targeting political parties in Germany in an effort to gain insights into policymaking on Ukraine. Rob Joyce, the former director of cybersecurity at NSA, told reporters in March that “Russia is very motivated to make sure that the focus on support to Ukraine is disrupted.”  

Russia has been by far the most prolific actor in the election interference space this cycle, with Microsoft also tracking activity from China, Iran and other countries, but not at nearly the same cadence or intensity. 

Moscow’s disinformation operations continue to leverage both online and offline methods to spread damaging narratives. A campaign collectively known as the NABU leaks was carried out by Andrii Derkach, a former Ukrainian member of Parliament, in the lead-up to the 2020 elections. Those efforts were meant to discredit the Ukrainian National Anticorruption Bureau and spread rumors of current and former U.S. officials engaged in corruption, money laundering and political influence in Ukrainian politics.

Derkach, who was sanctioned by the U.S. Treasury Department for the NABU leaks campaign, indicted in 2022 for efforts to covertly influence the 2020 election and stripped of his Ukrainian citizenship in 2023, had gone quiet since the start of the Ukraine invasion. 

However, he reemerged in January in an interview with a Belarusian media personality, reviving claims from the NABU leaks and seeking to implicate Biden in Ukrainian corruption at the same time that House Republicans were pursuing an impeachment inquiry against the president under the auspices of similar corruption claims.

A key witness in that inquiry, an American-Israeli citizen named Alexander Smirnov who had previously served as a confidential human source for the FBI, was indicted in February on charges of lying to the FBI about contacts between the Biden family and Ukrainian energy company Burisma. According to the indictment, Smirnov said in interviews with the FBI that the new information was gleaned from conversations with high-level Russian government officials.

There doesn’t yet appear to be solid evidence of Russian activity setting up the kind of hack-and-leak campaign that upended the 2016 U.S. presidential race. But Watts said in order to properly prepare such a campaign, Russian hackers “need to be hitting targets in the next 60 days” to leave enough time to leak content ahead of November.

AI becomes another tool in the influence toolbox

Both Russia and China have been observed leveraging AI-generated media in their influence campaigns over the past year. Most notably, a Chinese group known as Spamouflage used the tools to pump out a steady stream of AI-generated memes and deepfake audio and video targeting different candidates and parties in the lead-up to elections in Taiwan.

However, while there is evidence that foreign influence groups continue to experiment with incorporating the technology into their campaigns, so far the fear that fully generated deepfake videos will cause mass deception among voters “has not borne out,” according to Microsoft’s findings.

In many cases, “audiences gravitate toward and share disinformation” that “involve simple digital forgeries consistent with what influence actors over the last decade have regularly employed,” the report stated, and such cheapfake content still regularly outpaces fully synthetic generative AI videos in terms of views and shares.

One area that does show promise is voice cloning, either to generate fake audio phone calls and messages or to overlay on authentic video footage. This tactic was used in the U.S., when a Democratic operative tied to the Dean Phillips presidential campaign used deepfake technology in January to impersonate Biden and target his supporters with messages urging them to stay away from the polls in the New Hampshire primary. Similar incidents have been observed in Slovakia and Taiwan.

Not surprisingly, Microsoft’s research has found that the more familiar a person is to the general public, the less effective deepfakes tend to be. One scenario where such audio could be particularly effective is in personal or private settings, such as a phone call or direct message, where the target is isolated and more vulnerable to deception.

That echoes what several state election officials and election security experts have told CyberScoop in previous interviews.

Corrected April 17, 2024: An earlier version of this article reported that Alexander Smirnov was indicted on charges of being a Russian agent, when he was in fact indicted for lying to the FBI.

The post After a sleepy primary season, Russia enters 2024 U.S. election fray appeared first on CyberScoop.

Wednesday, April 17, 2024 - 07:54
With a mysterious surveillance target identified, calls for Congress to change...

When the House of Representatives voted to extend a controversial surveillance law last week, lawmakers tacked on a vaguely written amendment that expanded the scope of Section 702 of the Foreign Intelligence Surveillance Act. Its vague language served a purpose — to avoid tipping off U.S. adversaries about systems the American intelligence agencies planned to target. 

But on Tuesday, a press report revealed the amendment’s goal — to give spy agencies the ability to target cloud computing data centers under the law — and that has civil liberties advocates arguing that Congress can now move to narrow the measure.  

The amendment adopted last week would, if passed into law, broaden the definition of “electronic communication service providers” required to furnish data under Section 702, prompting privacy groups and some lawmakers to warn that it could force a much wider swath of organizations to assist U.S. government surveillance. Critics argue that, as written, it could require everyone from building landlords to delivery personnel to comply.

But debate around the measure has been limited because lawmakers have only been able to discuss its details behind closed doors for classification reasons, and it wasn’t until The New York Times reported Tuesday that the amendment’s goal was to clarify whether cloud computing data centers have to cooperate with Section 702 that its intended purpose became a matter of public record. 

The provision has spurred at least one senator, Democrat Ron Wyden of Oregon, to threaten to do everything in his power to prevent the bill from becoming law. But with congressional authorization for the Section 702 surveillance tools currently set to expire Friday, the Biden administration is pushing the Senate to act quickly.  

“They didn’t want people to know what they were going after,” said Elizabeth Goitein, senior director of the Brennan Center for Justice’s Liberty & National Security Program, so lawmakers wrote it in “enigmatic terms” that led to the provision amounting to a “kitchen sink” of affected organizations.

“The practical effect is that this allows the government to compel assistance from an enormous swath of U.S. businesses,” Goitein said. “It is staggeringly irresponsible to write something this broad, such a massive expansion of surveillance power, just to avoid tipping people off.”

“Now that everybody knows we’re talking about” adding data centers to the list of entities that have to turn over data under Section 702, “if the administration wants to add data centers for cloud computing, that’s what they should attempt to do” in Congress, she argued.

Advocates for the amendment have said it wouldn’t permit a wide expansion, but they’ve not been able to give a detailed answer on the problem it’s meant to address.

A senior Justice Department official told CyberScoop on Monday that the classified nature of the matter made it hard to discuss, but said the amendment stems from a court decision last year. 

“There have been significant changes in communications technology that have taken place since the law passed in 2008,” the official said. “The intent of the amendment is to update the definition of an [electronic communication service provider] to encompass new types of services offered by electronic communication providers that do not fall within the current ECSP definition.” 

The official said that a ruling by the Foreign Intelligence Surveillance Court last year involving an ECSP “well within the existing definition” had “concluded that a specific type of service it was offering was not covered by the definition and that only Congress could change that.”

“Increasingly, we’ve seen adversaries most concerned about routing their communications outside of the existing backbone communication service providers using service providers inside the United States that transmit and store communications in a way that doesn’t rely on traditional ECSPs that were contemplated when the statute was first enacted,” the official said.

Authored by the heads of the House Intelligence Committee — Reps. Mike Turner, R-Ohio, and Jim Himes, D-Conn. — the amendment, as adopted, did carve out exceptions for restaurants, hotels and some other facilities. A senior administration official said Tuesday that other “far-fetched examples” wouldn’t be allowed under the law’s targeting procedures.

A group that represents top tech companies is nonetheless worried about whom it could impact. The Information Technology Industry Council’s John Miller wrote on Tuesday that the expanded definition of electronic communication service provider must be removed.

“Although the effects of this amendment may be unintentional, its impacts would be very real,” wrote Miller, the senior vice president of policy, trust, data, and technology and the general counsel for the group. “The language in the amendment vastly expands the U.S. government’s warrantless surveillance capabilities, damaging the competitiveness of U.S. technology companies large and small, and arguably imperiling the continued global free flow of data between the U.S. and its allies.”

Wyden’s office suggested that as written, the provision could be stretched to affect the communication of journalists.

“The government suspects that Journalist X communicates with Foreign Official Y, perhaps because Y is quoted in X’s story,” a Wyden aide said via email, outlining the hypothetical. “The government uses the Turner provision to conscript someone who can get access to X’s laptop to extract all communications with Y.”

“It’s not reverse targeting under the current definition because the government has an interest in Y,” the aide said, referencing Section 702’s prohibition on targeting people overseas as a way of actually conducting surveillance on U.S. persons. “It’s not a search requiring a FISA warrant because 702 is the exception to the warrant requirement.”

The DOJ official said not getting a renewed law in place by Friday could cause problems for the program, despite the FISA court’s one-year certification last week.

“We know from experience that we would be facing an uncertain legal environment if the authority would lapse,” the official said. “As what happened in 2008 when a predecessor statute to 702 lapsed, we may see that providers, the private sector companies that are subject to receiving directives, might challenge whether they’re still covered. The consequence is that we lose collection.”

Senate Majority Leader Chuck Schumer, D-N.Y., took a procedural step on Tuesday to set the gears in motion for the chamber to take action on the Section 702 legislation.

The post With a mysterious surveillance target identified, calls for Congress to change course appeared first on CyberScoop.