Cyber
The Next Frontier

Become part of a critical layer of cyber defense. Cybersecurity positions will make up 45% of all US tech job openings.

The National Security Agency designated the University of Arizona's Cyber Operations program as a Center of Academic Excellence in Cyber Operations (CAE-CO). With this designation, UA joins an extremely exclusive group of only 24 cyber programs in the nation. The NSA's CAE-CO designation demonstrates that UA's Cyber Operations program meets the most demanding academic and technical requirements.


The Bachelor of Applied Science in Cyber Operations prepares graduates for cyber-related occupations in defense, law enforcement, and private industry.

Our curriculum includes both offensive and defensive cybersecurity content, delivered within our state-of-the-art Virtual Learning Environment, so that students gain extensive hands-on experience and develop the knowledge, skills, and abilities they need to succeed after they graduate.

Program News

DoD Cyber Scholarship Program (CySP)

The DoD CySP is a yearly scholarship program aimed at Juniors and Seniors pursuing a bachelor’s degree in cyber-related academic disciplines. The CySP is a 1-year scholarship, which grants selected Cyber Scholars tuition and mandatory fees (including health care), funding for books, a $25K annual stipend, and guaranteed employment with a DoD agency upon graduation.

Cyber News

Tuesday, February 27, 2024 - 19:00
Iran hacking group impersonates defense firms, hostage campaigners

An Iranian-sponsored cyberespionage unit is impersonating major brands like Boeing and the Chinese drone manufacturer DJI as part of a social engineering and phishing campaign targeting the aerospace, aviation and defense industries across the Middle East, researchers with Mandiant said late Tuesday.

The Iranian hacking group has also been observed employing a fake website playing on the Israel-Hamas war, using the “Bring Them Home Now!” slogan associated with a campaign to free hostages held by Hamas. The website is the latest example of the way in which Iranian hacking groups are using the conflict between Israel and Hamas to carry out opportunistic attacks linked to the fighting.

The Iranian campaign relies on phony job offers from major international companies and the fake hostage-themed website to funnel targets to compromised websites designed to either harvest credentials or deliver one of two previously unreported and unique backdoors dubbed “MINIBUS” and “MINIBIKE,” the researchers said.

Fake website deployed by Iranian-sponsored cyberespionage group (Mandiant).

The current campaign dates to at least June 2022 and remains active. It has mostly targeted Israel, the United Arab Emirates and, potentially, Turkey, India and Albania, the researchers said.

The unit behind the campaign is tracked as UNC1549 by Mandiant and the infrastructure described by Mandiant overlaps with the hacking groups dubbed Tortoiseshell and Imperial Kitten. The unit is likely linked to the Islamic Revolutionary Guard Corps and has a history of using fake job offers and similar lures in social engineering campaigns going back years.

In July 2021, for instance, Facebook announced the disruption of one of the group’s campaigns that used accounts on the social media platform to pose as recruiters to target U.S. military members. An October 2023 PwC analysis noted that the group is known to employ both custom and off-the-shelf malware to achieve its espionage goals, which include credential harvesting and data exfiltration.

The current campaign uses Microsoft Azure cloud infrastructure for command and control and hosting functions, “making it difficult to discern the activity from legitimate network traffic,” the researchers said.

The post Iran hacking group impersonates defense firms, hostage campaigners appeared first on CyberScoop.

Tuesday, February 27, 2024 - 13:05
Feds say AI favors defenders over attackers in cyberspace — so far 

As large language models and other artificial intelligence tools have proliferated more widely, researchers remain divided on whether highly capable AI tools will provide an advantage to attackers or defenders in cyberspace. 

According to two U.S. officials on the front lines of securing American computer systems, AI is giving an advantage to the defender, at least for now.

“Right now, there are probably more cybersecurity benefits from using AI than there are threats from our adversaries using it. But that’s a precarious balance, and something we at the FBI are not taking for granted,” Cynthia Kaiser, deputy assistant director for the FBI’s cyber division, said Tuesday during a speech at the Trellix Cybersecurity Summit.

Researchers have warned that generative AI might be useful for malicious hackers to discover vulnerabilities and automatically write code exploiting them. But Kaiser highlighted a number of ways that the technology is being used by defenders to become more efficient, including by detecting malicious activity on victim networks, hunting and incident response, software development and other activities.

Rob Silvers, the undersecretary for strategy, policy and plans at the Department of Homeland Security, echoed that sentiment Tuesday. Silvers said that thus far he’s witnessed cybersecurity practitioners make better use of generative AI than attackers.  

Silvers cautioned that “the jury’s still out” on whether AI will be “a net benefit to attackers or defenders.” But for now, defenders retain the advantage in his view. “At this moment in time, I have seen deployed in the wild more defensive promising uses for AI than I have offensive actual uses,” Silvers said.

Highly capable hacking groups appear to be experimenting with using AI, but researchers have seen little evidence that they are delivering major benefits. 

A report this month from Microsoft and OpenAI found that while advanced hacking groups from China, Russia, Iran and North Korea are all experimenting with large language models in their hacking operations, thus far they have derived only modest uses for them.

Make attribution hard again

Kaiser and Silvers both cautioned that this status quo might not hold over the long term and that defenders in the federal government and industry can’t afford to rest on their laurels.

For years, “attribution is hard” was a running theme in cybersecurity, reflecting the complexity involved when attempting to tie a specific cyber operation or piece of malware back to its owner. But in recent years, government and industry have been able to make significant strides in this area, as intelligence agencies learned to pair their own non-public intelligence with superior threat intelligence from a bustling private sector to unmask and expose hacks carried out by foreign nations and other malicious actors.

According to Kaiser, the pendulum is again starting to swing back to an environment in which it’s getting easier for foreign hacking groups to hide their presence in victim networks and obfuscate their origins.

As an example, she cited the activities of Volt Typhoon, a hacking group linked to China that has extensively targeted U.S. critical infrastructure. Kaiser noted that Chinese actors have used “living off the land” techniques and obfuscation to “remain undetected, and continue to lurk in our systems, waiting for the right moment to cause devastating impacts.”

Generative AI may not be completely upending the cybersecurity landscape right now, but Kaiser indicated that it is making it easier and more efficient for hackers working on behalf of foreign governments like China, Russia, Iran and North Korea to target and compromise victims. 

Tuesday, February 27, 2024 - 10:11
Sen. Warner: U.S. is less prepared to secure the 2024 election than 2020

The U.S. is less prepared to mitigate misinformation ahead of the 2024 election than it was during the 2020 cycle, the chair of the Senate Select Committee on Intelligence said Tuesday.

Citing the expected deluge of misinformation powered by artificial intelligence and some “cautious” choices by Biden administration lawyers, Sen. Mark Warner, D-Va., said he is concerned that this election cycle — which includes more than half of the global population — will face more threats than the last presidential election.

“I am worried that we are less prepared for foreign intervention in our elections in 2024 than we were in 2020,” Warner said during a Trellix and Scoop News Group cybersecurity summit in Washington, D.C.

Warner also noted that during the 2020 election, officials fighting foreign intervention in the Trump administration were “better geared, the team was better placed than I unfortunately believe [we are] right now.”

Warner pointed to a court case that directed CISA to cease alerting social media companies of posts that are spreading misinformation about the election, following outrage from right-wing provocateurs. Warner also laid blame on the lawyers in the Biden administration more so than CISA.

“I think the administration’s lawyers, frankly, are being way too cautious,” Warner said. “NSA, CISA, ODNI, FBI literally had no communication with any of the social media platforms on election interference since July. And that ought to scare the hell out of all of us.”

Warner said that there are more Americans who have “less faith in our system” such that they might fall for misinformation, disinformation and malinformation. He pointed to a recent case of an AI-generated robocall imitating President Joe Biden that urged Democratic primary voters in New Hampshire to stay away from polls. Authorities have traced the call to the Texas-based telecommunications firm Life Corporation.

Warner said the 2016 election interference campaign by the Kremlin will look like “child’s play” compared to 2024, largely due to the impact of AI increasing the scale and speed of these operations. State and local officials have been sounding the alarm on lax funding and resources to deal with the election amid increasing physical threats and the looming threat of AI.

Monday, February 26, 2024 - 17:08
Updated NIST cybersecurity framework adds core function, focuses on supply...
Monday, February 26, 2024 - 17:01
LockBit claims a comeback less than a week after major disruption

A website associated with the LockBit ransomware operation appeared online Saturday less than a week after a law enforcement operation disrupted dozens of servers associated with the group, underscoring the whack-a-mole nature of combatting high-profile ransomware operators.

The new LockBit website includes a list of alleged victims whose data the criminal group is threatening to leak if they don’t pay a ransom. That list includes a mix of new and old targets, including government systems in Fulton County, Ga., where authorities earlier this month acknowledged dealing with a serious cybersecurity issue.

In a dubious, rambling message posted Saturday, LockBit administrators claimed that the Fulton County data was the reason the FBI pulled the trigger on the operation, given that the “stolen documents contain a lot of interesting things and Donald Trump’s court cases that could affect the upcoming US election.”

“Had it not been for the election situation, the FBI would have continued to sit on my server waiting for any leads to arrest me and my associates,” the statement said, adding that LockBit was set to release the Fulton County documents the day law enforcement took the servers down.

Authorities in Fulton County are prosecuting former President Donald Trump on charges that he sought to overturn the results of the 2020 presidential election in Georgia.

It’s not clear whether LockBit, which until last week’s law enforcement operation ranked as the world’s most prolific ransomware group, is in possession of Trump-related files, and British authorities — who played a leading role in the takedown operation — said last week that the takedown operation began in 2022.

In their message on Saturday, LockBit administrators listed more than two dozen servers they claim contain victim data, as well as more than a dozen mirrors and half a dozen domains associated with the new blog.

The message added that the group believes its site was likely taken down utilizing a vulnerability in the server software PHP. The vulnerable version of the software had not been updated because “for 5 years of swimming in money I became very lazy,” the message read.

Neither the FBI nor the U.K.’s National Crime Agency responded to questions from CyberScoop on Monday. But in a statement given to the Guardian, the NCA said LockBit remains “completely compromised” and noted that the group would “attempt to regroup” even as law enforcement efforts continue.

LockBitSupp, the point of contact for public questions to the group, did not respond to a series of questions sent Monday afternoon.

The banner atop the new website as it appeared late Monday, Feb. 26, 2024 (CyberScoop).

The exact extent to which LockBit’s services are once more available to criminal hackers remained unclear as of Monday, but researchers who study ransomware communities said the attempt by LockBit to resuscitate its operations came as no surprise.

“Nobody would let a multi-million dollar business go down without a fight,” Brett Callow, a threat analyst with Emsisoft, told CyberScoop Monday. Callow cautioned that LockBit’s “claims seem implausible and reek of desperation” and added that “in all likelihood the Lockbit brand is dead.”

“No smart affiliate will want to work with an operation that was so completely compromised and, for that matter, is quite probably still completely compromised,” he said.

Callow said that LockBit’s comeback shows “the whack-a-mole nature of the fight against ransomware.” In December, the FBI seized some servers associated with the ransomware gang ALPHV, only to have the group claim hours later to have “unseized” them and resumed operations.

“Unless arrests are made, groups will not stay down,” Callow said. “We saw this with ALPHV, and we’re seeing it now with LockBit.”

As part of last week’s operation against LockBit, authorities arrested three men, one in Poland and a father and son in Ukraine, for their alleged roles in LockBit activities.

The primary administrator of the group, known online as LockBitSupp, appears to remain at large. Law enforcement authorities had said they would reveal LockBitSupp’s identity on Friday but instead posted a message saying they knew where he was, the car he drove, and how much money he has. The authorities also said that LockBitSupp had “engaged with Law Enforcement,” perhaps as a means to undermine the group’s reputation in the cybercrime ecosystem.

The U.S. State Department has offered up to $15 million in rewards for information leading to the identification and/or arrest of LockBit leadership or people engaging in LockBit-related attacks.

Adam Hickey, the former deputy assistant attorney general with the Department of Justice’s National Security Division, told CyberScoop last week that while takedowns are valuable, law enforcement operations alone won’t eliminate the ransomware phenomenon.

“You have certain nations unwilling to apply fairly uncontroversial, neutral rules about what is criminal behavior on the internet to their own citizens if it suits their purpose,” Hickey said. “If the people who do this aren’t ultimately arrested and held accountable by their government or ours, there will continue to be a market for this.”
