Cyber
The Next Frontier

Become part of a critical layer of cyber defense. Cybersecurity positions will make up 45% of all US tech job openings.

The National Security Agency designated the University of Arizona's Cyber Operations program as a Center of Academic Excellence in Cyber Operations (CAE-CO). With this designation, UA joins an extremely exclusive group of only 24 cyber programs in the nation. The NSA's CAE-CO designation demonstrates that UA's Cyber Operations program meets the most demanding academic and technical requirements.

The Bachelor of Applied Science in Cyber Operations prepares graduates for cyber-related occupations in defense, law enforcement, and private industry.

Our curriculum includes both offensive and defensive cyber security content delivered within our state-of-the-art Virtual Learning Environment to ensure our students have extensive hands-on experiences to develop the knowledge, skills, and abilities necessary to succeed after they graduate.

Program News

DoD Cyber Scholarship Program (CySP)

The DoD CySP is a yearly scholarship program aimed at Juniors and Seniors pursuing a bachelor’s degree in cyber-related academic disciplines. The CySP is a 1-year scholarship, which grants selected Cyber Scholars tuition and mandatory fees (including health care), funding for books, a $25K annual stipend, and guaranteed employment with a DoD agency upon graduation.

Cyber News

Wednesday, May 1, 2024 - 20:00
Iranian hackers impersonate journalists in social engineering campaign

A hacking group linked to the intelligence wing of Iran’s Revolutionary Guard Corps impersonated journalists and human rights activists as part of a social engineering campaign, according to research released Wednesday by Mandiant and Google Cloud.

The news organizations impersonated in the operation include The Washington Post, The Economist and The Jerusalem Post, and Mandiant’s researchers assess that the campaign was carried out by the hacking crew known as APT42. The group also spoofed prominent Washington think tanks, including the Aspen Institute, the McCain Institute and the Washington Institute. 

According to Mandiant, the Iranian hackers spoofed these organizations in order to send phishing lures to targets meant to harvest their credentials. In other cases, the attackers masqueraded behind generic login pages, file hosting services, and legitimate services like YouTube, Gmail, Google Meet and Google Drive.

“APT42 was observed posing as journalists and event organizers to build trust with victims through ongoing correspondence and to deliver invitations to conferences or legitimate documents. These social engineering schemes enabled APT42 to harvest credentials and use them to gain initial access to Cloud environments,” wrote authors Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock and Jonathan Leathery.

Mandiant said there is no evidence that the spoofed organizations themselves were hacked or compromised in any way.

Wednesday’s report is the latest in a string of incidents in which Iranian hacking groups have used fake personas to trick their victims. Last year, SecureWorks detailed an effort by APT42 to use such personas and social media accounts to conduct phishing attacks on researchers around the world focused on Iran, including by inviting them to contribute to a forthcoming report from the Atlantic Council.

According to Mandiant, members of APT42, which is also known as Charming Kitten, TA453 and Mint Sandstorm or Mint Phosphorous, have been engaged in a widespread social engineering campaign since at least 2019.

The ultimate goal behind the efforts appears to be espionage, with the group using the stolen credentials to access the cloud environments of victim organizations and pilfer data of strategic interest to Tehran.

In one instance in February, a domain controlled by the group hosted a document apparently about women’s rights on Dropbox and impersonated an Iranian filmmaker and a Fox News contributor to enhance the legitimacy of the lure. Another domain was used to host a decoy document on “The Secrets of Gaza Tunnels” in March, likely in an effort to play off interest in the ongoing Israel-Gaza conflict.

In many cases, the documents themselves were not laced with malware, something Mandiant said was likely an effort to establish a rapport with victim organizations and lay the groundwork for credential phishing. Once they obtained credentials, the actors bypassed multifactor authentication protections by creating cloned websites to capture MFA tokens and sending push notifications to victims.

That facilitated access to the victims’ Microsoft 365 cloud environments, where APT42 was able to steal data from OneDrive, Outlook emails and other documents related to Iranian geopolitical interests. The actor leveraged a mix of built-in features and open-source tools to obfuscate their presence in victim networks.

“The methods deployed by APT42 leave a minimal footprint and might make the detection and mitigation of their activities more challenging for network defenders,” the authors note.

While other Iranian threat groups have pivoted to disruptive and destructive attacks since the start of the Israel-Gaza conflict, Mandiant said APT42 has remained laser-focused on its traditional remit of intelligence collection from foreign targets.

The post Iranian hackers impersonate journalists in social engineering campaign appeared first on CyberScoop.

Wednesday, May 1, 2024 - 15:23
CISA’s incident reporting requirements go too far, trade groups and lawmakers...

A draft rule for cyber incident reporting asks far too much of critical infrastructure entities and of the agency tasked with carrying out the law, trade groups representing the electric, telecommunications and finance sectors said during a House hearing Wednesday.

The cyber incident reporting mandate is one of the Cybersecurity and Infrastructure Security Agency’s biggest forays into a regulatory role — and it is proving to be a thorny one. The 447-page draft rule, released in March, would require select critical infrastructure companies to report significant cyber incidents within 72 hours and any ransomware payments within 24 hours. The rule was established largely for the government to better understand the cyber landscape after multiple major cyberattacks — such as the SolarWinds espionage campaign — highlighted the fact that many attacks go unnoticed.

Witnesses before the House Homeland Security Committee’s cybersecurity subcommittee were largely in agreement that the rule is an important step for broader cyber awareness but also too broad, increasing the likelihood of CISA becoming overwhelmed by reports. Meanwhile, front-line defenders — particularly smaller organizations — could be hampered by trying to both file reports and deal with an attack. CISA will not be able to keep up with the amount of data due to the broad definition of cyber incidents and who should report, the witnesses argued.

While it’s no surprise that industry wants to shave off aspects of the regulatory requirement, that could mean the final version of the rule will be significantly pared down from the draft. Another aspect brought up by the witnesses is that there must be a greater focus on harmonizing other reporting requirements with the new mandate.

Lawmakers seemed to agree. Rep. Eric Swalwell, D-Calif., noted during his opening statement that “we have to make sure that we don’t wrap up non-relevant small and medium-sized businesses in reporting requirements that can both be cumbersome and expensive to businesses and provide worthless data to CISA.”

Rep. Yvette Clarke, the former chair of the subcommittee who sponsored the bill, also thought that CISA’s rule went too far. Citing testimony from 2021, the New York Democrat said that lawmakers did not intend to “subject everyone and every incident with reporting.”

As CISA’s definitions on what constitutes a significant cyber incident and what information should be provided were picked apart, the agency itself came under fire from witnesses who questioned its subject matter expertise as well as its ability to keep the information safe from hackers. The volume of reports will be so large that it will overwhelm the agency’s ability to parse all the information and send out actionable intelligence to defenders, witnesses said.

“CISA currently has challenges with having specific subject matter expertise to get through the noise,” said Heather Hogsett, the senior vice president of technology and risk strategy for the Bank Policy Institute.

CISA’s own cybersecurity breach serves as an example of the difficulty the agency might have in keeping sensitive data secure, said Scott Aaronson, senior vice president of security and preparedness at the Edison Electric Institute, an electric trade group that represents investor-owned utilities, which are for-profit electric utilities.

Additionally, CISA faces a sensitive balance in imposing a mandate on the same organizations that the agency needs to work with on a voluntary basis. Responding to a question about the electric sector’s relationship with the Department of Energy, Aaronson said that part of the reason the electric sector works so well with DOE is because the agency “is not regulatory.”

The post CISA’s incident reporting requirements go too far, trade groups and lawmakers say appeared first on CyberScoop.

Wednesday, May 1, 2024 - 12:08
How to fine-tune the White House’s new critical infrastructure directive

It’s been more than a decade since the United States last revised the key policy document that describes the federal government’s role in protecting U.S. critical infrastructure, but this week the Biden administration finally took a significant step to update these authorities. With the release of National Security Memorandum 22 (NSM-22), the White House has issued a much-needed update to Presidential Policy Directive 21 (PPD-21), which was issued in 2013 and has become outdated in the face of a rapidly changing threat landscape.

On the whole, NSM-22 offers some important reforms to how the federal government hopes to protect U.S. critical infrastructure given more severe cyberattacks. But by omitting to designate the space and cloud computing industries as critical infrastructure, the document also leaves something to be desired. Moreover, it’s unclear whether the Cybersecurity and Infrastructure Security Agency, which NSM-22 places at the helm of the mission to protect American infrastructure, has the resources it needs to respond to a highly complex threat landscape.

The previous directive, PPD-21, was crafted when the nation’s cybersecurity challenges were relatively simple compared to today’s complex and sophisticated threats. In the years since, we have witnessed a deluge of devastating attacks across our critical infrastructure. Most recently, the Change Healthcare ransomware attack caused major disruption to the U.S. health care system. Meanwhile, Russian-linked hackers have breached a Texas water facility, and the Chinese-linked hackers known as Volt Typhoon have pre-positioned malware to disrupt U.S. infrastructure in the event of a conflict.

The new NSM represents a positive step forward in adapting to these evolving threats. One of its key achievements is the formal codification of CISA as the national coordinator for Critical Infrastructure cybersecurity efforts across the government and private sector. This move recognizes the critical role that CISA plays in ensuring the nation’s resilience and security.

Furthermore, the NSM introduces the concept of Systemically Important Entities (SIEs), acknowledging that specific organizations and systems have far-reaching impacts that extend beyond their immediate sectors. By identifying and prioritizing the protection of these SIEs, the memorandum aims to mitigate the cascading effects that disruptions to these entities could have on interconnected systems and critical services.

While the NSM represents progress, it has its limitations and missed opportunities. One glaring omission is the failure to designate space and cloud assets as critical infrastructure sectors, despite their growing importance. While cloud infrastructure warrants consideration, given its role underpinning digital services, the space domain demands urgency. This arena is increasingly contested, with adversaries recognizing the strategic value of space-based capabilities and actively seeking ways to disrupt or deny our access in this rapidly emerging frontier. From communication and navigation to surveillance and weather forecasting, space systems underpin a wide range of vital civil and military operations, making their protection a matter of economic and national security.

Another concern is the need for more funding or resources allocated to CISA and the sector risk management agencies (SRMAs) — which refer to those agencies designated to oversee a given critical infrastructure sector — to carry out their expanded roles and responsibilities under the new NSM. While the memorandum aims to provide an updated policy framework and better define these agencies’ roles, it needs to address the critical issue of resourcing.

Effective implementation of any policy directive hinges on adequate resources such as personnel, technological capabilities, and funding. Without them, agencies like CISA and the SRMAs cannot meet the heightened expectations the NSM sets, potentially undermining its overall effectiveness.

As threats continue to evolve, the roles and resources allocated to these agencies will become even more crucial in securing their respective sectors and maintaining the overall resilience of the nation’s critical infrastructure. Congress must recognize the importance of adequately funding and staffing these organizations to ensure they can effectively fulfill their mandates and accomplish their missions.

Collaboration between government agencies, the private sector, and other stakeholders will be vital in identifying and addressing potential gaps or areas for improvement. The United States can ensure its cybersecurity posture remains robust and responsive to the evolving threat landscape through continued collaboration, adaptation and a proactive approach to policy development.

Missed opportunities aside, make no mistake: NSM-22 represents a step in the right direction. There will be opportunities to address these shortcomings and refine the nation’s cybersecurity policies. We must make the next set of updates before another decade passes. A proactive approach is crucial and will help ensure the U.S. remains agile and responsive to emerging threats.

Frank Cilluffo directs the McCrary Institute for Cyber & Critical Infrastructure Security at Auburn University. He previously served as a commissioner on the U.S. Cyberspace Solarium Commission and served as a special assistant to President George W. Bush for Homeland Security. Alison King is the vice president of government affairs at Forescout Technologies and an OT Cyber Coalition executive member. Previously, she was a staff member of the U.S. Cyberspace Solarium Commission.

The post How to fine-tune the White House’s new critical infrastructure directive appeared first on CyberScoop.

Wednesday, May 1, 2024 - 11:11
Data stolen in Change Healthcare attack likely included U.S. service members,...

After warning that a substantial portion of Americans’ data was compromised by a February ransomware attack on Change Healthcare, Andrew Witty, CEO of UnitedHealth Group, told lawmakers Wednesday that current and former U.S. military personnel are among those who were likely impacted. 

During an occasionally withering Senate Finance Committee hearing, Chair Ron Wyden, D-Ore., pressed Witty on whether UnitedHealth leadership had determined that the Change Healthcare hackers accessed the data of federal employees, referencing national security concerns presented by the 2015 Office of Personnel Management data breach that exposed the personal information of more than 20 million U.S. government workers. 

“We do believe there will be members of the armed forces and … veterans” whose data was stolen, Witty said, adding that he would make it a “top priority” to deliver on Wyden’s demand for an accounting, in writing, of the number of military personnel affected and UnitedHealth’s “best assessment of who they are.”

Witty testified that UnitedHealth hasn’t yet notified individuals whose data was stolen, going beyond the 60-day reporting window required by the Health Insurance Portability and Accountability Act. The CEO said the company is working with U.S. regulators on “how best to do that,” but faced delays in accessing Change’s original dataset.

Sen. Maggie Hassan, D-N.H., said UnitedHealth needs to “at least send preliminary notifications to individuals so that they can take protective actions like monitoring their bank accounts, changing passwords and enrolling in the credit monitoring system that United Healthcare set up” with Equifax.

Wyden and other committee members, meanwhile, railed against Witty over the revelation that the Change Healthcare server breached by an affiliate of the ALPHV ransomware gang did not employ multi-factor authentication, allowing the hackers to gain remote access to the payment processor’s systems with a set of stolen credentials.

Witty said all external systems across UnitedHealth Group have now enabled MFA, but Change Healthcare — which UHG acquired in October 2022 — hadn’t taken those precautions on this particular server as of February. 

“My understanding is that when Change came into the organization, there was [an] extensive amount of modernization required and, unfortunately, and very frustratingly, this server had not had MFA deployed on it prior to the attack,” said Witty, who confirmed that he signed off on the $22 million ransom payment made to the hacking group.

In response to questioning from Sen. Thom Tillis, Witty said he was not aware of any internal or external audits of systems controls that identified non-MFA compliance as a security risk. The North Carolina Republican also prodded Witty on why redundancy protocols — keeping data in multiple places within a storage system — weren’t employed, which would have made restarting systems simpler.

Witty said Change was “in the process” of upgrading its systems when the hackers hit. “The attack itself implicated both the prime and the backup environments,” he added. “That was partly due to the age of the technology and the fact that large amounts were not in the cloud. 

“With the elements which were in the cloud, we were able to bring back almost immediately. The elements which were in the older data centers, and had within them multi-layers of historical legacy technologies, that was the challenge on restart,” the CEO said.

Without minimum cybersecurity standards from the Department of Health and Human Services, some lawmakers expressed concern over the possibility of more attacks on health care providers. Sen. Mark Warner, D-Va., said the health care industry should be subject to baseline standards, just as the finance and energy industries are, and asked Witty for his feelings on that with respect to both UnitedHealth Group and Change Healthcare.

Witty said the company is “supportive” of moving “toward minimum standards,” noting that the industry currently suffers from a lack of clarity and “a mix of different oversight agencies” putting out guidance. 

“As you think about smaller and medium-size organizations across health care, it’s difficult oftentimes to navigate some of those things,” he said. “So I do think … minimum standards do make sense. We’d be very, very happy to engage in any lessons learned from this review.”

Beyond any future adoption of minimum standards, Witty said UnitedHealth Group has worked to strengthen the company’s cybersecurity bona fides by adding Mandiant representation to its advisory board. The company also has “daily engagement” with the Centers for Medicare & Medicaid Services to “support providers and to prioritize recovery of the system,” Witty said, adding that the FBI continues to be its “prime” law enforcement partner.

Wyden closed the hearing with additional calls for MFA and redundancy, telling Witty that UnitedHealth “let the country down” with Change’s failures to implement both security practices. Going forward, the health care giant will need to be “much more active and much more forthcoming” on cyber issues, he added.   

“We don’t even know what data was stolen. And I’m not convinced that we are going to find that out anytime soon. We may never find it out,” Wyden said. “So there’s a lot of heavy lifting to do.” 

The post Data stolen in Change Healthcare attack likely included U.S. service members, executive says appeared first on CyberScoop.

Wednesday, May 1, 2024 - 09:57
Pro-Russia hacktivists attacking vital tech in water and other sectors,...

Pro-Russia hacktivists are compromising technology that keeps facilities safe and operational in the water, wastewater, energy, dam, food and agriculture sectors, federal and international agencies said in an advisory released Wednesday.

In some cases, the agencies said, the attacks pose physical threats.

The advisory, focused on hacktivist activity in those sectors in North America and Europe, provides guidance on defending operational technology (OT) devices and industrial control systems (ICS), which are involved in the maintenance, monitoring or controlling of industrial processes.

“The pro-Russia hacktivist activity appears mostly limited to unsophisticated techniques that manipulate ICS equipment to create nuisance effects,” according to the agencies. “However, investigations have identified that these actors are capable of techniques that pose physical threats against insecure and misconfigured OT environments.”

The hacktivists have carried out disruptions “causing water pumps and blower equipment to exceed their normal operating parameters,” and “in each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords.”

“Some victims experienced minor tank overflow events; however, most victims reverted to manual controls in the immediate aftermath and quickly restored operations,” the advisory continued.

One such case of an overflow where Russian hacktivists claimed credit was in Muleshoe, Texas. Mandiant said in a recent report that a Russian military intelligence operation is suspected of controlling that group.

The advisory was produced by the Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, National Security Agency, Environmental Protection Agency, Department of Energy, Department of Agriculture, Food and Drug Administration, Multi-State Information Sharing and Analysis Center, Canadian Centre for Cyber Security and the United Kingdom’s National Cyber Security Centre.

CNN first reported on the then-forthcoming advisory.

The agencies suggested that organizations immediately change all default passwords on OT devices to strong, unique ones; limit the exposure of OT systems on the internet; and implement multi-factor authentication.

The post Pro-Russia hacktivists attacking vital tech in water and other sectors, agencies say appeared first on CyberScoop.