Cyber
The Next Frontier

Become part of a critical layer of cyber defense. Cybersecurity positions will make up 45% of all US tech job openings.


The National Security Agency designated the University of Arizona's Cyber Operations program as a Center of Academic Excellence in Cyber Operations (CAE-CO). With this designation, UA joins an extremely exclusive group of only 24 cyber programs in the nation. The NSA's CAE-CO designation demonstrates that UA's Cyber Operations program meets the most demanding academic and technical requirements.


The Bachelor of Applied Science in Cyber Operations prepares graduates for cyber-related occupations in defense, law enforcement, and private industry.

Our curriculum includes both offensive and defensive cyber security content delivered within our state-of-the-art Virtual Learning Environment to ensure our students have extensive hands-on experiences to develop the knowledge, skills, and abilities necessary to succeed after they graduate.


Program News

DoD Cyber Scholarship Program (CySP)

The DoD CySP is a yearly scholarship program aimed at Juniors and Seniors pursuing a bachelor’s degree in cyber-related academic disciplines. The CySP is a 1-year scholarship, which grants selected Cyber Scholars tuition and mandatory fees (including health care), funding for books, a $25K annual stipend, and guaranteed employment with a DoD agency upon graduation.

Cyber News

Thursday, July 25, 2024 - 14:44
Senate Intel chair warns confluence of factors make election threats worse

Misinformation and disinformation threats are being exacerbated this election season by artificial intelligence, legal battles, the continued low cost of influence operations and Americans’ increased willingness to believe outlandish things, Senate Intelligence Chairman Mark Warner, D-Va., said Thursday.

Speaking at the Ronald Reagan Presidential Foundation and Institute, Warner said that things had gotten better in the battle against such election threats in some ways, including via ever-improving coordination between key federal agency leaders and less interference than expected in other countries’ elections, such as in France or European parliamentary elections.

One way they’ve gotten worse, however, is in comparison to the 2016 election cycle when Russian influence operations proliferated, Warner said.

“Oftentimes, the Russians had to plant the false implication and then elevate it,” he said of the 2016 race. “Now they can simply elevate or promote” pre-existing false narratives, he said. The reason, he said, is that “Americans believe a lot more crazy stuff” simply because they saw it on the internet.

There’s also a low barrier for anyone who wants to meddle in elections, Warner said. “Foreign adversaries know disinformation and misinformation is cheap, and it works,” he said.

Furthermore, artificial intelligence has enhanced the scale and speed with which adversaries can spread false narratives, Warner said.

Then there have been legal hitches. The U.S. Supreme Court ultimately rejected a challenge brought by GOP attorneys general and social media users accusing government agencies — including the FBI and Cybersecurity and Infrastructure Security Agency — of censoring conservatives on social media platforms in the name of combating disinformation and misinformation.

But Warner said there was a “seven-to-eight-month chilling effect” while the case was working its way through the system, during which agencies were alternately forbidden from, or had halted, communicating with social media companies about mis- and disinformation.

The Justice Department’s Inspector General nonetheless recommended this week that the agency should develop a way to inform the public about its procedures for notifying social media companies about foreign influence campaigns in a manner that doesn’t compromise First Amendment rights.

Speaking at the same event, Rep. Brad Wenstrup, D-Ohio, said he didn’t expect election threats to change significantly in the approximately 100 days before Nov. 5. “I think some of them we’re already seeing, we just might see it accelerate,” predicted Wenstrup, who chairs the House Intelligence Oversight and Investigations Subcommittee.

But one thing that could shift the kind of mis- and disinformation abuses between now and the election is the emergence of Vice President Kamala Harris as the presumptive Democratic nominee, said Kat Duffy, a senior fellow for digital and cyberspace policy at the Council on Foreign Relations.

“I fully expect that we’re going to see just an absolutely extraordinary escalation of attacks on her,” said Duffy, citing the fact that Harris is a woman with Black and South Asian heritage. “She is like a trifecta for threats.”

U.S. intelligence officials recently said that Russia is the most active adversary in this election and that the Kremlin once again prefers former President Donald Trump in this race.

And at least one official at the world’s biggest social media platform maintained that users have gotten savvier, not more gullible, over time. 

“I think the key difference between now and 2016 is that people are a bit more skeptical, at least when it comes to the types of activities [influence campaign operators] were doing in 2016, to say, ‘Hey, this isn’t real,’” said Lindsay Hundley, who works on global threat disruption at Meta, owner of Facebook and Instagram.

The post Senate Intel chair warns confluence of factors make election threats worse appeared first on CyberScoop.

Thursday, July 25, 2024 - 12:09
North Korean hacker used hospital ransomware attacks to fund espionage

Federal prosecutors announced the indictment Thursday of a North Korean hacker accused of carrying out ransomware operations that targeted American health care facilities and used the proceeds of those operations to fund espionage efforts against the U.S. military and defense contractors. 

Rim Jong Hyok is accused of using malware developed by North Korea’s military intelligence agency to target at least five American health care providers. One of those facilities, a hospital in Kansas that in 2021 lost access to a server hosting x-ray and other diagnostic imagery due to a ransomware attack allegedly orchestrated by Rim, had to cancel patient appointments as a result, according to an indictment filed in a Kansas federal court.

American prosecutors allege that Rim used the ransom payments he received from American health care providers to fund attacks on at least 11 federal agencies and defense contractors. Those attacks aimed to exfiltrate information of interest to the North Korean regime and sought to obtain material about missile technology, drones and the development of fissile materials. 

The operation successfully breached and exfiltrated data from NASA, unnamed defense companies in California, Michigan and Massachusetts, and a pair of U.S. Air Force bases in Texas and Georgia, according to the indictment. The operation also penetrated and stole data from defense contractors in Taiwan and South Korea, in addition to a Chinese energy company. 

The operations targeting South Korean defense contractors may have netted the North Korean hackers data on an anti-aircraft laser weapon. 

“The benefits of these activities are symbiotic,” a senior FBI official speaking on condition of anonymity told reporters during a Thursday call. “Without the ability to conduct state ransomware operations and receive payments, other cyber operations conducted by DPRK would be difficult to continue.”

The State Department announced Thursday that it would provide a $10 million reward for information about Rim and the Andariel hacking group. 

A senior Department of Justice official said that U.S. authorities had disrupted a number of accounts linked to the infrastructure used to carry out the North Korean operation and noted that the investigation and disruption activity was only possible because the targeted hospital in Kansas reached out to and cooperated with FBI investigators. 

According to a joint cybersecurity advisory published Thursday to coincide with the indictment, the North Korean hacking operation, which is linked to a group within the country’s military intelligence unit, relies on custom tools and malware to carry out its work.

The advisory, published by U.S. cybersecurity agencies together with counterparts in South Korea and the United Kingdom, notes that the group has evolved from carrying out destructive attacks on the United States and South Korea to conducting specialized ransomware and espionage operations. 

The advisory’s description of information targeted by the group reads like a wishlist for the North Korean military: fighter aircraft and unmanned aerial vehicles; radar systems; uranium processing and enrichment; and heavy and light tanks, among other targets. 

Microsoft said in a blog post published Thursday that the company first observed the group in 2014 and that its ability to develop a toolkit and add features to those tools makes it a persistent threat. The group historically relied on spearphishing to carry out its operations but now tends to use recently disclosed and unpatched vulnerabilities in its attacks, including a TeamCity vulnerability last year, according to Microsoft. 

In recognition of the group’s persistent activities, Google on Thursday upgraded the hacking crew to its list of top-tier threats, dubbing the North Korean entity APT45.

“APT45 has a history of targeting government and defense companies around the world, but this indictment showcases that North Korean threat groups also pose a serious threat to citizens’ everyday lives and can’t be ignored or disregarded,” said Michael Barnhart, a principal analyst at Mandiant.

“Their targeting of hospitals to generate revenue and fund their operations demonstrates a relentless focus on fulfilling their priority mission of intelligence gathering, regardless of the potential consequences it may have on human lives,” he said. 

The post North Korean hacker used hospital ransomware attacks to fund espionage appeared first on CyberScoop.

Thursday, July 25, 2024 - 09:34
Banking, oil and IT industry reps call on Congress to harmonize cyber...

Scores of overlapping and contradictory cyber regulations are overburdening the banking, oil and natural gas, and IT sectors, representatives from those industries told House lawmakers Thursday. 

While the White House has prioritized the harmonization of regulations within critical infrastructure sectors and President Joe Biden’s cybersecurity strategy calls for “reciprocity” in mandates across federal agencies, witnesses told members of the House Oversight Subcommittee on Cybersecurity, Information Technology, and Government Innovation that they’re still waiting for the streamlining of rules to take effect. 

“For as long as I can remember, there has been strong, long-standing, widely agreed upon bipartisan consensus on the need to harmonize inconsistent, duplicative or conflicting cyber regulations,” John Miller, vice president of policy, trust, data and technology at the Information Technology Industry Council, said in his opening statement. 

“The past three administrations have prioritized the issue. Multiple congresses have agreed it’s a priority, and yet I do not recall a single conflicting and consistent or duplicative cyber regulation ever being eliminated or streamlined after all these years,” he said, adding that the Office of the National Cyber Director could establish a standardized clearinghouse process for new regulations to avoid overlaps.

Witnesses pointed to the recent cyber reporting mandate from the Cybersecurity and Infrastructure Security Agency as a major example of where harmonization fell flat. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires that certain organizations report to the federal government within 72 hours of a substantial cyberattack and 24 hours if a ransomware payment is made. However, public comments from industry argued for clearer terms and more defined limits from the reporting mandate, while members of Congress said the agency went too far. 

Other comments noted the need for the federal government to have some metric to understand the cyber threat landscape, though striking the balance between requiring industry participation and not overburdening organizations with fewer resources, such as staffing, has proven difficult.

Patrick Warren, vice president of regulatory technology at the Bank Policy Institute, said during Thursday’s hearing that after CISA issued its proposal for cyber incident reporting, a separate proposal for federal acquisition regulation on cyber incident reporting was released, creating conflicting rules.

Rep. Gerry Connolly, D-Va., said the issue for the federal government is figuring out how to best navigate these conflicts. “What is the balance between the need of banks to do their business while the government tries to get its arms around the cyber problem and hopefully working with industry to protect American consumers?”

Maggie O’Connell, director of security, reliability and resilience at the Interstate Natural Gas Association of America, said that a single entity like CISA should oversee cybersecurity regulations. O’Connell noted that the Coast Guard and the Transportation Security Administration both have purview over portions of the oil and natural gas sector, and until Congress let authorities lapse, CISA also oversaw the Chemical Facility Anti-Terrorism Standards program, which included cybersecurity mandates. Ensuring that regulations are accepted across the federal board is the quickest way to ease any overlapping burdens, she said.

Charles Clancy, the chief technology officer at MITRE, noted that regulators from different agencies are layering “slightly different” versions of the same obligations for similar threats for critical infrastructure. Meanwhile, many of those regulations are rarely more than common best practices that may not stand up against nation-backed threats.  

“None of it’s really new, and I don’t know that any of it necessarily rises to the nature of the threat that we’re seeing from Russia and China,” Clancy said. “So it’s just sort of creating a compounding set of the same and I think what we need is new thinking.”

In legislation released earlier this month, Sens. Gary Peters, D-Mich., and James Lankford, R-Okla., aimed to address the issue of “overly burdensome” cyber regulations facing industry. The Streamlining Federal Cybersecurity Regulations Act would establish an interagency committee to recommend which cyber regulations to pare down or eliminate.

The post Banking, oil and IT industry reps call on Congress to harmonize cyber regulations … again appeared first on CyberScoop.

Thursday, July 25, 2024 - 03:00
North Korean hacking group makes waves to gain Mandiant, FBI spotlight

Stepped-up activity from a North Korean hacking group is prompting Mandiant to upgrade it to a top-tier hacking threat and the FBI to issue an alert about the outfit, which the company and agency say has long sought to obtain intelligence about defense and research and development but has since expanded to other targets.

Mandiant, a cybersecurity arm of Google Cloud, said in a report it released Thursday that the newly labeled APT45 has broadened its ransomware operations — rare for North Korean groups — to target health care providers, financial institutions and energy companies.

The FBI is set to follow with an advisory and news conference Thursday about the hackers.

Mandiant, which previously called the group Andariel or UNC614, says it has been active since at least 2009. The “APT” designation — APT is short for “advanced persistent threat” — comes as the company has noticed the group’s level of sophistication rise and the victim number increase. APT45 supports the interest of the North Korean government, according to Mandiant.

“The elevation of Andariel to an APT45 designation is a reflection of heightened awareness surrounding the group’s activities,” Michael Barnhart, Mandiant principal analyst at Google Cloud, told CyberScoop in a written statement.

“This heightened awareness is a natural consequence of their increasingly sophisticated attacks and the growing number of victims across various sectors,” he said. “Andariel has demonstrated a consistent ability to execute large-scale, impactful cyber operations targeting critical infrastructure and strategic industries, often involving data breaches, ransomware deployment, and sophisticated espionage tactics.”

Mandiant said it has worked with the FBI and other government agencies to track the hackers. The FBI advisory will outline how APT45 has targeted information about a range of technologies, from tanks to drones to missile defense systems to government nuclear facilities, according to the firm.

“Many advances in North Korea’s military capabilities in recent years can directly be attributed to APT45’s successful espionage efforts against governments and defense organizations around the world,” Barnhart said in a separate statement. “When Kim Jong Un demands better missiles, these are the guys who steal the blueprints for him.”

APT45 motives have gradually shifted toward financially motivated operations, according to Mandiant. The group initially focused on health care and pharmaceutical companies in the early stages of the COVID-19 pandemic, but continued to target those sectors after other groups had pivoted elsewhere — perhaps indicating a mandate to collect such information, the report states.

Gary Freas, Mandiant senior analyst at Google Cloud, told CyberScoop that even though the firm suspects the money obtained in such attacks is funneled back to the North Korean regime, the group’s primary objective isn’t to generate revenue. 

“Upon seeing the success of ransomware attacks other threat groups were having against medical entities, APT45 began using the same, off-the-shelf ransomware and began demanding ransomware payments equal to the same price-range of other publicly reported incidents — regardless of the size of the victim,” Freas said. 

This isn’t the first time the hacking group has gained U.S. government attention. The Treasury Department’s Office of Foreign Asset Control announced sanctions against it in 2019. The office cited the hackers’ focus on operations against businesses and government agencies, including the targeting of South Korea’s government, stealing bank card information and hacking into online gambling sites.

The group has been called by other names as well, such as Plutonium and Onyx Sleet.

The post North Korean hacking group makes waves to gain Mandiant, FBI spotlight appeared first on CyberScoop.

Wednesday, July 24, 2024 - 07:56
Cyber firm KnowBe4 hired a fake IT worker from North Korea

A remote worker hired by KnowBe4 as a software engineer on its internal IT team was actually a persona controlled by a North Korean threat actor, the security firm revealed in a blog post Tuesday.

Detailing a seemingly thorough interview process that included background checks, verified references and four video conference-based interviews, KnowBe4 founder and CEO Stu Sjouwerman said the worker avoided being caught by using a valid identity that was stolen from a U.S.-based individual. The scheme was further enhanced by the actor using a stock image augmented by artificial intelligence.

An internal investigation started when KnowBe4’s InfoSec Security Operations Center team detected “a series of suspicious activities” from the new hire. The remote worker was sent an Apple laptop, which was flagged by the company on July 15 when malware was loaded onto the machine. The AI-filtered photo, meanwhile, was flagged by the company’s Endpoint Detection and Response software.

Later that evening, the SOC team had “contained” the fake worker’s systems after he stopped responding to outreach. During a roughly 25-minute period, “the attacker performed various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software,” Sjouwerman wrote in the post. “He used a [single-board computer] raspberry pi to download the malware.”

From there, the company shared its data and findings with the FBI and with Mandiant, the Google-owned cyber firm, and came to the conclusion that the worker was a fictional persona operating from North Korea.

KnowBe4 said the fake employee likely had his workstation connected “to an address that is basically an ‘IT mule laptop farm.’” They’d then use a VPN to work the night shift from where they actually reside — in this case, North Korea “or over the border in China.” That work would take place overnight, making it appear that they’re logged on during normal U.S. business hours.

“The scam is that they are actually doing the work, getting paid well, and give a large amount to North Korea to fund their illegal programs,” Sjouwerman wrote. “I don’t have to tell you about the severe risk of this.”

Despite the intrusion, Sjouwerman said “no illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems.” He chalked up the incident to a threat actor that “demonstrated a high level of sophistication in creating a believable cover identity” and identified “weaknesses in the hiring and background check processes.” 

“This is a well-organized, state-sponsored, large criminal ring with extensive resources,” he wrote. “The case highlights the critical need for more robust vetting processes, continuous security monitoring, and improved coordination between HR, IT, and security teams in protecting against advanced persistent threats.”

Brian Jack, KnowBe4’s chief information security officer, said in an email to CyberScoop that “not a lot” has changed since the incident with the company’s cybersecurity controls given that the current controls “are what enabled us to detect this.”

“We are enhancing our hiring processes to include more thorough validation of identities prior to employment start date and are training all hiring staff on common red flags seen for this type of threat,” Jack added.

This story was updated July 24, 2024 with comments from KnowBe4.

The post Cyber firm KnowBe4 hired a fake IT worker from North Korea appeared first on CyberScoop.