Cyber
The Next Frontier

Become part of a critical layer of cyber defense. Cybersecurity positions will make up 45% of all US tech job openings.

The National Security Agency designated the University of Arizona's Cyber Operations program as a Center of Academic Excellence in Cyber Operations (CAE-CO). With this designation, UA joins an extremely exclusive group of only 24 cyber programs in the nation. The NSA's CAE-CO designation demonstrates that UA's Cyber Operations program meets the most demanding academic and technical requirements.

The Bachelor of Applied Science in Cyber Operations prepares graduates for cyber-related occupations in defense, law enforcement, and private industry.

Our curriculum includes both offensive and defensive cyber security content, delivered within our state-of-the-art Virtual Learning Environment, so that students get extensive hands-on experience and develop the knowledge, skills, and abilities they need to succeed after they graduate.

Program News

DoD Cyber Scholarship Program (CySP)

The DoD CySP is a yearly scholarship program aimed at Juniors and Seniors pursuing a bachelor’s degree in cyber-related academic disciplines. The CySP is a 1-year scholarship, which grants selected Cyber Scholars tuition and mandatory fees (including health care), funding for books, a $25K annual stipend, and guaranteed employment with a DoD agency upon graduation.

Cyber News

Wednesday, April 17, 2024 - 17:50
House passes bill to limit personal data purchases by law enforcement, intelligence agencies

The House passed the “Fourth Amendment Is Not For Sale Act” on Wednesday, buoying the spirits of digital privacy advocates at the same time the Senate is gearing up for a fight over a broader extension of Section 702 of the Foreign Intelligence Surveillance Act.

The bill, introduced by Rep. Warren Davidson, R-Ohio, and a group of seven bipartisan co-sponsors, passed 219-199. It would prohibit law enforcement and intelligence agencies from purchasing personal information about customers or subscribers of electronic and remote computing service providers — such as social media, cell phone, email and cloud computing companies — without first obtaining a court order.

The measure saw a coalition of 123 Republicans join forces with 93 Democrats, including both House Speaker Mike Johnson, R-La., and Minority Leader Hakeem Jeffries, D-N.Y., to push the measure through to the Senate.

Privacy advocates cheered the bill’s passage, after arguing that the government’s purchase of large quantities of personal information via commercial companies and third-party data collectors represented an end-around the U.S. Constitution’s Fourth Amendment.

“The bipartisan passage of this bill is a flashing warning sign to the government that if it wants our data, it must get a warrant,” Kia Hamadanchy, senior federal policy counsel at the American Civil Liberties Union, said in a statement. “We hope this vote puts a fire under the Senate to protect their constituents and rein in the government’s warrantless surveillance of Americans, once and for all.”

An earlier House Judiciary Committee-approved version of a Section 702 reauthorization measure included the data broker legislation in its text. Johnson opted to advance a House Intelligence Committee-approved version of a Section 702 reauthorization bill that excluded it, and made it so the “Fourth Amendment is Not for Sale Act” could not be attached to the legislation by amendment on the floor. When lawmakers revolted against the 702 bill, Johnson was able to restart the debate with a promise that the “Fourth Amendment is Not for Sale Act” would get a standalone floor vote.

Sen. Ron Wyden, D-Ore., who has sponsored a companion bill in the Senate, immediately urged his colleagues to swiftly pass the measure.

“This is a huge win for privacy. Now it’s time for the Senate to follow suit,” Wyden said on X.

Despite the revelry, the bill faces an uncertain future in the chamber and with a White House that has strenuously objected to the legislation.

In a call with reporters this week, a senior administration official called the bill “unworkable” and “devastating” to homeland security. Among the criticisms were that the definition of third parties was overly broad, that agencies wouldn’t be able to confirm whether covered data was in a purchased dataset before buying it, and that it would inhibit the government’s ability to “detect and defeat adversary cyberattacks” and take down malicious botnets.

“In practice, these standards make it impossible for the [intelligence community] or law enforcement to acquire a whole host of readily available information that they currently rely on,” the official said.

Tim Starks contributed to this article.

The post House passes bill to limit personal data purchases by law enforcement, intelligence agencies appeared first on CyberScoop.

Wednesday, April 17, 2024 - 09:41
Mandiant: Notorious Russian hacking unit linked to breach of Texas water facility

The potent and enduring Russian military intelligence hacking operation known as Sandworm was likely responsible for attacks on water utilities in the United States, Poland and a small water mill in France, researchers with Google’s Mandiant said Wednesday.

Wednesday’s report concludes that Sandworm is behind a set of online personas — including Xaknet, Cyber Army of Russia Reborn and Solntsepek — that have been linked to a string of recent attacks on critical infrastructure, including a water system in Texas. The personas claim the attacks as their own and often exaggerate their impact, while attempting to put distance between the incidents and one of Russia’s most notorious hacking crews. 

Sandworm is suspected of controlling the work of a pro-Russian hacktivist group calling itself CyberArmyofRussia_Reborn (CARR), which has targeted U.S. water utilities, according to Mandiant. On January 18, the hacktivist group posted a splashy video to Telegram showing an attack on water tanks in Muleshoe, Texas, in which it appeared to use the human-machine interface (HMI) to turn on the pumps, causing the tank water level to overflow.

Muleshoe city officials confirmed the overflow in February while noting that it did not cause any service disruptions.

It is unclear whether Sandworm, a Russian military intelligence unit, is directing the work of CARR or whether the group informs its contacts within Russian intelligence after it has carried out an operation, Mandiant cautioned. CARR’s exact membership is unknown and may include individuals who are not members of Russian intelligence. 

Mandiant has observed links between Sandworm and CARR, including a YouTube channel created by the hacktivist group linked to infrastructure that, in turn, is linked to Sandworm. “These patterns of interaction align with TAG’s assessment that CyberArmyofRussia_Reborn is created and controlled by APT44,” Mandiant argues.

Russia’s attack using a persona controlled by Sandworm represents a significant escalation of the Kremlin’s attacks on U.S. critical infrastructure. Russian ransomware gangs have operated with impunity and have attacked U.S. critical infrastructure for years, causing major disruptions such as the Colonial Pipeline hack, but nation-state groups like Sandworm have to date not carried out disruptive attacks on U.S. soil.

Mandiant previously believed that the CyberArmyofRussia_Reborn was linked to the Russian hacking group APT28, also known as Fancy Bear. Mandiant said that after re-analyzing the data, it was able to attribute the suspected activity to Sandworm “with high confidence.”

CyberArmyofRussia_Reborn joins a small but growing group of hacktivist personas linked to state-backed hackers that target U.S. critical infrastructure. The CyberAv3ngers, a group run by Iran’s Islamic Revolutionary Guard Corps, last year hit water facilities in Aliquippa, Pennsylvania, and others that were using devices made by the Israeli firm Unitronics.

Other attacks on critical infrastructure carried out by personas under Sandworm’s control include a March incident in which the group calling itself Solntsepek claimed credit for an attack on multiple Ukrainian telecommunications providers. Ukrainian officials told CyberScoop at the time that the attack was likely carried out by Sandworm. 

Wednesday’s findings are part of a comprehensive analysis in which Mandiant upgraded Sandworm to a fully fledged advanced persistent threat group. The group it now refers to as APT44 is considered to be among the most capable and dangerous state-backed hacking groups.

“APT44 is a uniquely dynamic threat actor that is actively engaged in the full spectrum of cyber espionage, attack, and influence operations,” Mandiant researchers wrote in the report.

“APT44 is the most brazen threat actor there is, in the midst of one of the most intense campaigns of cyber activity we’ve ever seen, in full-blown support of Russia’s war of territorial aggression,” Dan Black, a lead author of the report and manager of cyber espionage analysis for Mandiant, said in a statement. “There is no other threat actor today that is more worthy of our collective attention, and the threat APT44 poses is evolving rapidly.”

APT44 is believed to operate as Unit 74455. It is part of the Main Centre for Special Technologies, within the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, which is commonly known as the Main Intelligence Directorate, or GRU, according to Mandiant. 

The group primarily targets government, defense, transportation, energy, media and civil society organizations in Russia’s near abroad, the researchers said. It has repeatedly targeted Western electoral systems and institutions, including in NATO member countries. On three separate occasions, the group has succeeded in using a cyberattack to disrupt electricity distribution in Ukraine.

The Russian embassy in Washington, D.C., did not respond to a request for comment.

Sandworm’s operations targeting U.S. water facilities come as the White House has been sounding the alarm that the water sector needs to improve its cybersecurity defenses. With many of the nation’s water utilities strapped for resources, cybersecurity investments have fallen by the wayside. 

The White House has tried to put in place more stringent cybersecurity rules for the sector but has failed to find an effective mechanism by which to do so. The Environmental Protection Agency issued a directive last year for water utilities to beef up their defenses but withdrew that rule after several states and industry trade groups sued.

The post Mandiant: Notorious Russian hacking unit linked to breach of Texas water facility appeared first on CyberScoop.

Wednesday, April 17, 2024 - 09:00
After a sleepy primary season, Russia enters 2024 U.S. election fray

Russian influence operations targeting the 2024 U.S. elections have ramped up in the past 45 days, using Telegram as a primary distribution channel to spread propaganda to influence debate over Ukraine policy, according to new research from Microsoft’s Threat Analysis Center.

The rise in observed activity represents a late start for Moscow compared to efforts in 2020 and 2016, something Microsoft attributed to an uncompetitive presidential primary season that saw Donald Trump and Joe Biden cruise to their respective nominations with minimal resistance. Unlike in 2016 and 2020, when one or both parties were ensconced in heavily contested and contentious intraparty primaries, this cycle presented little motivation and fewer opportunities for foreign nations to move the needle with meddling.

That dynamic has changed as the race shifts to the general election, and Microsoft has tracked multiple groups targeting the U.S. elections and 70 different Russian-associated “activity sets” worldwide pushing content and messaging in English, Spanish, French, Arabic, Finnish and other languages designed to degrade international support for Ukraine, portray President Volodymyr Zelenskyy as the head of a corrupt state and diminish the appetite of Western governments to further fund the Ukrainian war cause.

“Oftentimes when we’re watching the activity that comes out of these actor sets, some people characterize it as they want to make chaos in the U.S. or they want to create problems for democracies. … With their messaging in regards to election 2024, it is absolutely about Ukraine policy,” said Clint Watts, general manager of Microsoft’s Threat Analysis Center.

Much of the content, including fake videos, news articles or explosive claims from sources identifying as whistleblowers or citizen journalists, is initially seeded on Telegram, which Watts said has become a primary distribution channel for Russian propaganda efforts since the start of the Ukraine invasion.

Two groups in particular, tracked by Microsoft as Storm-1516 and Storm-1099, have relied on this approach, posting anti-Ukraine content on purpose-built Telegram channels that are then picked up by seemingly unaffiliated news outlets and websites with names like “DC Weekly” and “Miami Chronicle” that pose as local sources but are actually Russian cut-outs.

Storm-1099 — otherwise known as Doppelganger — uses outlets that specifically target the United States, with names like “Election Watch” and “50 States of Lie.” These sites play up internal domestic divisions in U.S. society and politics, warning that “American elections have long since lost their democratic character” and that the nation faces an “unprecedented number of rebellions that could split the country in two.”

Watts said these Telegram channels function as “a bridge by which [content] gets pushed into and reposted and amplified in social media, such that it moves from one social media platform to another.”

That’s a marked change from eight years ago, when platforms like Facebook and Twitter had built up mass general audiences that allowed for direct targeting in influence campaigns. Today, audiences are far more fragmented across different social media, something that has led to Russian groups using Telegram as a staging ground for content that can be micro-targeted to different audiences on different platforms.  

Microsoft’s assessment that Russian operatives are laser focused on influencing Ukraine policy is backed up by several other sources, including Mandiant, which found a Russian hacking group targeting political parties in Germany in an effort to gain insights into policymaking on Ukraine. Rob Joyce, the former director of cybersecurity at NSA, told reporters in March that “Russia is very motivated to make sure that the focus on support to Ukraine is disrupted.”  

Russia has been by far the most prolific actor in the election interference space this cycle, with Microsoft also tracking activity from China, Iran and other countries, but not at nearly the same cadence or intensity. 

Moscow’s disinformation operations continue to leverage both online and offline methods to spread damaging narratives. A campaign collectively known as the NABU leaks was carried out by Andrii Derkach, a former Ukrainian member of Parliament, in the lead-up to the 2020 elections. Those efforts were meant to discredit the Ukrainian National Anticorruption Bureau and spread rumors of current and former U.S. officials engaged in corruption, money laundering and political influence in Ukrainian politics.

Derkach, who was sanctioned by the U.S. Treasury Department for the NABU leaks campaign, indicted in 2022 for efforts to covertly influence the 2020 election and stripped of his Ukrainian citizenship in 2023, had gone quiet since the start of the Ukraine invasion. 

However, he reemerged in January in an interview with a Belarusian media personality, reviving claims from the NABU leaks and seeking to implicate Biden in Ukrainian corruption at the same time that House Republicans were pursuing an impeachment inquiry against the president under the auspices of similar corruption claims.

A key witness in that inquiry, an American-Israeli citizen named Alexander Smirnov who had previously served as a confidential human source for the FBI, was indicted in February on charges of lying to the FBI about contacts between the Biden family and Ukrainian energy company Burisma. According to the indictment, Smirnov said in interviews with the FBI that the new information was gleaned from conversations with high-level Russian government officials.

There doesn’t yet appear to be solid evidence of Russian activity setting up the kind of hack-and-leak campaign that upended the 2016 U.S. presidential race. But Watts said in order to properly prepare such a campaign, Russian hackers “need to be hitting targets in the next 60 days” to leave enough time to leak content ahead of November.

AI becomes another tool in the influence toolbox

Both Russia and China have been observed leveraging AI-generated media in their influence campaigns over the past year. Most notably, a Chinese group known as Spamouflage used the tools to pump out a steady stream of AI-generated memes and deepfake audio and video targeting different candidates and parties in the lead-up to elections in Taiwan.

However, while there is evidence that foreign influence groups continue to experiment with incorporating the technology into their campaigns, so far the fear that fully generated deepfake videos will cause mass deception among voters “has not borne out,” according to Microsoft’s findings.

In many cases, “audiences gravitate toward and share disinformation” that “involve simple digital forgeries consistent with what influence actors over the last decade have regularly employed,” the report stated, and such cheapfake content still regularly outpaces fully synthetic generative AI videos in terms of views and shares.

One area that does show promise is voice cloning — either to generate fake audio phone calls and messages or to overlay with authentic video footage. This tactic was used in the U.S., when a Democratic operative tied to the Dean Phillips presidential campaign used deepfake technology in January to impersonate Biden and target his supporters with messages urging them to stay away from the polls in the New Hampshire primary. Similar incidents have been observed in Slovakia and Taiwan.

Not surprisingly, Microsoft’s research has found that the more familiar a person is to the general public, the less effective deepfakes tend to be. One scenario where such audio could be particularly effective is in personal or private settings, such as a phone call or direct message, where the target is isolated and more vulnerable to deception.

That echoes what several state election officials and election security experts have told CyberScoop in previous interviews.

Corrected April 17, 2024: An earlier version of this article reported that Alexander Smirnov was indicted on charges of being a Russian agent, when he was in fact indicted for lying to the FBI.

The post After a sleepy primary season, Russia enters 2024 U.S. election fray appeared first on CyberScoop.

Wednesday, April 17, 2024 - 07:54
With a mysterious surveillance target identified, calls for Congress to change course

When the House of Representatives voted to extend a controversial surveillance law last week, lawmakers tacked on a vaguely written amendment that expanded the scope of Section 702 of the Foreign Intelligence Surveillance Act. Its vague language served a purpose — to avoid tipping off U.S. adversaries about systems the American intelligence agencies planned to target. 

But on Tuesday, a press report revealed the amendment’s goal — to give spy agencies the ability to target cloud computing data centers under the law — and that has civil liberties advocates arguing that Congress can now move to narrow the measure.  

The amendment adopted last week would, if passed into law, broaden the definition of “electronic communication service providers” required to furnish data under Section 702, prompting privacy groups and some lawmakers to warn that it could force a much wider swath of organizations to assist U.S. government surveillance. Critics argue that, as written, it could require everyone from building landlords to delivery personnel to comply.

But debate around the measure has been limited because lawmakers have only been able to discuss its details behind closed doors for classification reasons, and it wasn’t until The New York Times reported Tuesday that the amendment’s goal was to clarify whether cloud computing data centers have to cooperate with Section 702 that its intended purpose became a matter of public record. 

The provision has spurred at least one senator, Democrat Ron Wyden of Oregon, to threaten to do everything in his power to prevent the bill from becoming law. But with congressional authorization for the Section 702 surveillance tools currently set to expire Friday, the Biden administration is pushing the Senate to act quickly.  

“They didn’t want people to know what they were going after,” said Elizabeth Goitein, senior director of the Brennan Center for Justice’s Liberty & National Security Program, so lawmakers wrote it in “enigmatic terms” that led to the provision amounting to a “kitchen sink” of affected organizations.

“The practical effect is that this allows the government to compel assistance from an enormous swath of U.S. businesses,” Goitein said. “It is staggeringly irresponsible to write something this broad, such a massive expansion of surveillance power, just to avoid tipping people off.”

“Now that everybody knows we’re talking about” adding data centers to the list of entities that have to turn over data under Section 702, “if the administration wants to add data centers for cloud computing, that’s what they should attempt to do” in Congress, she argued.

Advocates for the amendment have said it wouldn’t permit a wide expansion, but they’ve not been able to give a detailed answer on the problem it’s meant to address.

A senior Justice Department official told CyberScoop on Monday that the classified nature of the matter made it hard to discuss, but said the amendment stems from a court decision last year. 

“There have been significant changes in communications technology that have taken place since the law passed in 2008,” the official said. “The intent of the amendment is to update the definition of an [electronic communication service provider] to encompass new types of services offered by electronic communication providers that do not fall within the current ECSP definition.” 

The official said that a ruling by the Foreign Intelligence Surveillance Court last year involving an ECSP “well within the existing definition” had “concluded that a specific type of service it was offering was not covered by the definition and that only Congress could change that.”

“Increasingly, we’ve seen adversaries most concerned about routing their communications outside of the existing backbone communication service providers using service providers inside the United States that transmit and store communications in a way that doesn’t rely on traditional ECSPs that were contemplated when the statute was first enacted,” the official said.

Authored by the heads of the House Intelligence Committee — Reps. Mike Turner, R-Ohio, and Jim Himes, D-Conn. — the amendment, as adopted, did carve out exceptions for restaurants, hotels and some other facilities. A senior administration official said Tuesday that other “far-fetched examples” wouldn’t be allowed under the law’s targeting procedures.

A group that represents top tech companies is nonetheless worried about whom it could impact. The Information Technology Industry Council’s John Miller wrote on Tuesday that the expanded definition of electronic communication service provider must be removed.

“Although the effects of this amendment may be unintentional, its impacts would be very real,” wrote Miller, the senior vice president of policy, trust, data, and technology and the general counsel for the group. “The language in the amendment vastly expands the U.S. government’s warrantless surveillance capabilities, damaging the competitiveness of U.S. technology companies large and small, and arguably imperiling the continued global free flow of data between the U.S. and its allies.”

Wyden’s office suggested that as written, the provision could be stretched to affect the communication of journalists.

“The government suspects that Journalist X communicates with Foreign Official Y, perhaps because Y is quoted in X’s story,” a Wyden aide said via email, outlining the hypothetical. “The government uses the Turner provision to conscript someone who can get access to X’s laptop to extract all communications with Y.”

“It’s not reverse targeting under the current definition because the government has an interest in Y,” the aide said, referencing Section 702’s prohibition on targeting people overseas as a way of actually conducting surveillance on U.S. persons. “It’s not a search requiring a FISA warrant because 702 is the exception to the warrant requirement.”

The DOJ official said not getting a renewed law in place by Friday could cause problems for the program, despite the FISA court’s one-year certification last week.

“We know from experience that we would be facing an uncertain legal environment if the authority would lapse,” the official said. “As what happened in 2008 when a predecessor statute to 702 lapsed, we may see that providers, the private sector companies that are subject to receiving directives, might challenge whether they’re still covered. The consequence is that we lose collection.”

Senate Majority Leader Chuck Schumer, D-N.Y., took a procedural step on Tuesday to set the gears in motion for the chamber to take action on the Section 702 legislation.

The post With a mysterious surveillance target identified, calls for Congress to change course appeared first on CyberScoop.

Wednesday, April 17, 2024 - 05:00
Decade-old malware haunts Ukrainian police 

More than 100 documents containing potentially confidential information related to government and police activities in Ukraine were uploaded to a publicly accessible repository recently as the result of nearly decade-old malware, an unusual case in which an old and imperfect virus has escaped detection, allowing it to persist and continue to pose a threat.

The documents, discovered as part of normal threat hunting activities carried out by researchers with Cisco’s Talos Threat Intelligence Research Team, were infected with a virus named “OfflRouter,” which dates to 2015 and has not been examined extensively in public, according to an analysis shared exclusively with CyberScoop. 

In this case, OfflRouter serves as a means to deliver an executable file known as “ctrlpanel.exe,” which attempts to lower Word security settings and select additional documents to infect, Vanja Svajcer, outreach researcher with Talos, told CyberScoop in an email.

The virus can only be spread by sharing laced documents and removable media, such as USB memory sticks, and only targets files with a “.doc” file extension, suggesting either that the virus was created to target a small number of entities or specific files, or that the virus’s author made a mistake in designing the malware. Newer versions of Word use the “.docx” file extension, but the older “.doc” format remains in use.
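The extension point above matters for triage: a legacy “.doc” file is an OLE2 compound document that can carry a VBA macro project inside the same file, while “.docx” is a zip archive that by definition holds no macros (the macro-enabled OOXML variant is “.docm”). The following is an added example, not Talos code and not OfflRouter itself: a small Python scanner that walks a directory and flags Word documents that carry a VBA project in either container format, the check a defender would run over a file share or a USB stick after reading this story. It detects macro presence only and does not identify OfflRouter. The sample documents it scans are constructed in memory with just enough structure for the check (an OLE header followed by a UTF-16LE “_VBA_PROJECT” directory-entry name, or a zip with a word/vbaProject.bin entry), so it runs offline.

```python
"""Triage scanner for Word documents that carry a VBA macro project.

Added example for this page; not Talos or OfflRouter code. The page notes
that OfflRouter infects only ".doc" files and abuses document scripting,
so the question a defender asks of a share or a USB stick is: which of
these documents carry macros at all? The check below answers that for
both the legacy OLE2 ".doc" container and the zip-based OOXML container.
It detects macro presence only; it does not identify the virus.
"""
import io
import tempfile
import zipfile
from pathlib import Path

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound-file signature
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm) is a zip
DOC_SUFFIXES = {".doc", ".dot", ".docx", ".docm", ".dotm"}

# OLE directory entries are stored as UTF-16LE names. A VBA project always
# creates a "_VBA_PROJECT" stream, so its encoded name is a reliable marker
# even though the macro source itself is stored compressed.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
OOXML_VBA_PART = "vbaproject.bin"   # word/vbaProject.bin inside a .docm


def doc_has_macros(data: bytes) -> bool:
    """Return True when the document bytes appear to carry a VBA project."""
    if data.startswith(OLE_MAGIC):
        # Heuristic: the marker could in theory appear as UTF-16 body text,
        # which is rare; a full OLE directory parse would remove that ambiguity.
        return OLE_VBA_MARKER in data
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith(OOXML_VBA_PART) for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False   # not a container this check understands


def scan_tree(root: Path) -> list[str]:
    """Walk root and return sorted relative paths of macro-bearing documents."""
    flagged = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in DOC_SUFFIXES:
            if doc_has_macros(path.read_bytes()):
                flagged.append(path.relative_to(root).as_posix())
    return flagged


def build_samples() -> dict[str, bytes]:
    """Constructed stand-ins, not real documents: just enough structure for the check."""
    padding = b"\x00" * 0x200

    def ooxml(parts):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name in parts:
                zf.writestr(name, b"placeholder")
        return buf.getvalue()

    return {
        "report.doc": OLE_MAGIC + padding + OLE_VBA_MARKER + padding,                        # legacy .doc with macros
        "minutes.doc": OLE_MAGIC + padding + "WordDocument".encode("utf-16-le") + padding,   # clean legacy .doc
        "notice.docm": ooxml(["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"]),
        "agenda.docx": ooxml(["[Content_Types].xml", "word/document.xml"]),
        "readme.txt": b"not a document at all",
    }


def demo_scan() -> list[str]:
    """Write the constructed samples to a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, blob in build_samples().items():
            (root / name).write_bytes(blob)
        return scan_tree(root)


if __name__ == "__main__":
    for hit in demo_scan():
        print("macro-bearing document:", hit)
```

Run against a real directory by calling scan_tree(Path("/path/to/share")); any hit is a document that should be opened only with macros disabled and, if it is an internal record, analysed in-house rather than uploaded to a public scanning service, for the leakage reason the article goes on to describe.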

Against the backdrop of a number of different hacking operations in Ukraine, the re-emergence of an old virus represents an anomaly. 

“When the same old virus, over the course of a few years (most recently in February 2024) causes users to upload over 100 official police and local government documents to VirusTotal, it becomes more interesting,” Svajcer said. “It seems likely to be impacting enough people to warrant the upload of significant amounts of documents.”

The virus is also interesting, Svajcer added, because its activity is limited to Ukraine, where Russian hacking groups are carrying out constant aggressive cyber operations ranging from destructive activity to cyberespionage against public and private entities. The researchers could not determine who was behind the operation.

Talos researchers uncovered the virus after discovering several apparently Ukrainian local government and Ukrainian National Police documents uploaded to VirusTotal, a website used by threat intelligence researchers to scan documents for malware, viruses and other threats. Further investigation revealed more than 100 documents that included potentially confidential information about police activities.

The analysis of those documents revealed they were infected with OfflRouter. A 2018 OfflRouter analysis by the Slovakian government Computer Security Incident Response Team, also based on Ukrainian National Police files, noted that it was “rare” to discover malware that “looks like the 1st stage of some cyber operation, but currently it is not publicly known what tools on removable devices are used during the next stages and what kind of organizations are targeted in the campaign.”

That police files were uploaded in 2018 and more recently “indicates that the virus managed to survive over 5 years in that environment,” Svajcer said. “We think it is important to emphasize the risk of such a virus infecting government organizations and the dangers of non-deliberate data leaks which can happen as a result. Instead of VirusTotal, the data could have been leaked to a lot less friendly organization.”

The documents could be acting as lures to target additional agencies and organizations, according to the analysis. Lure documents — files that carry embedded malware or abuse a document format’s automated scripting capabilities to deliver it — are a common tactic employed by hacking groups as the initial vector for gaining access to targeted networks.

Recent examples include the Russian-linked Gamaredon group using documents laced with information-stealing malware that targeted Ukrainian agencies as part of a cyber espionage operation. Last summer, a hacking campaign tracked as UNC1151 (which has possible links to the Belarusian government) targeted several government agencies across Ukraine and Poland using the tactic, Talos reported at the time.

An ongoing hacking campaign tracked as RomCom, with potential ties to Russia, also abused the tactic in July 2023 to gather information on Ukraine’s efforts to join NATO during the NATO Summit, researchers with BlackBerry detailed in a report at the time. 

The post Decade-old malware haunts Ukrainian police  appeared first on CyberScoop.