Category Archives: NSA

The Central Intelligence Agency recently tapped LaNaia J. Jones, a veteran cybersecurity leader in the U.S. spy community, to be its new chief information officer.

We are delighted by the appointment of LaNaia J. Jones as the Agencys new Chief Information Officer and Director of the Information Technology Enterprise within the Directorate of Digital Innovation, CIA Deputy Press Secretary Luis Rossello said in a statement.

Jones brings a wealth of experience in information technology and innovation in the national security sphere to the post, he added. We look forward to her leadership in leveraging emerging digital technology to advance our mission.

Jones, who replaced Juliane Gallina and whose appointment was first publicly discussed with The Record, began work in late February.

She most recently served as the National Security Agencys deputy CIO where she oversaw IT investments and acquisition efforts and as the electronic spy agencys Information Sharing and Safeguarding Executive. Prior to the NSA, Jones served as acting CIO for the U.S. clandestine community within the Office of the Director of National Intelligence, working with CIOs and other senior leaders across the communitys 18 agencies.

Before that, she was the deputy CIO for the intelligence community. Jones also worked as the chief of Transformation and Transition for a global IT service provider within the Defense Department prior to her selection.

She graduated with a bachelor of science degree in Mathematics and Computer Science from the University of Maryland Eastern Shore and received a master of science degree in Technology Management from the University of Maryland University College.

Jones joins the CIA at a time when the organization is working to keep pace with technological changes in order to better develop and employ its own espionage capabilities, including detecting cyber threats from adversaries like Russia and China.

During his confirmation hearing last year, now-CIA Director Williams Burns said the SolarWinds breach which the U.S. has been attributed to the Russian government should serve as a warning to the federal government and the countrys national security apparatus about such dangers.

If this is a harsh wakeup call, then I think its essential for the CIA to work even harder to develop capabilities to help detect these kinds of attacks when they come from foreign players, he said.

Burns stressed the importance of technology again last week during the Senate Intelligence Committees annual hearing on the greatest threats to U.S. national security.

Nothing is going to matter more to the future of the CIA and, I think, the U.S. intelligence community more broadly than our ability to compete technologically. Its the main arena for competition with China, he said, noting the CIA last year created a mission center to focus on foreign technological development and another on Beijing and established the agencys first chief technology officer.

Together, the moves reflect the enormously high priority that we will continue to attest to that set of issues, according to Burns.

Martin is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.

See the original post here:
The Central Intelligence Agency has a new CIO - The Record by Recorded Future

In recent days, The Debrieflooked at the evolving views on the subject of unidentified aerial phenomenon expressed by the Air Forcebeginning in the late 1940s. The Air Forces silence in dealing with this topic was also the subject of a recent analysis by Christopher Mellon, which seems to continue into the present.

While the views of many United States federal and military agencies when dealing with UFOs have evolved considerably over time, what of the National Security Agency (NSA), arguably one of the most secretive groups inside of Americas military and security apparatus?

Prying historical documents out of the NSA and challenging its decisions to classify information on any subject, including UFOs, is a daunting task on the best of days. This is a fact that researchers attempting to gather this type of data, such as John Greenewald jr of the Black Vault run into regularly. When Greenewald attempted to have a heavily redacted set of UFO-related NSA documents reviewed as part of a Mandatory Declassification Review (MDR), he was eventuallyinformed thatthe original, unredacted documents could not be found. The NSA is apparently so skilled at protecting the nations deepest, most critical secrets that they can even hide them from themselves.

But a few NSA documents dealing with the subject of UFOs have survived. One of these is a 1968 report on the phenomenon of unidentified flying objects, what the most common theories regarding their origins were, and what implications they might hold for matters as weighty as the survivability of human civilization. The document, produced by an author whose name remains redacted, was titled UFO Hypothesis and Survival Questions. The NSA was looking at the question seriously and considering the long-term implications of the possible existence of UFOs and how the nation might be best prepared for what such encounters could entail.

The document is a draft version of what was presumably the final release, but that makes it potentially even more interesting because it includes numerous footnotes and scribbled comments from the author. The paper broke down five different general hypotheses as to the overall explanation for the phenomenon of unidentified flying objects. Of potential interest is the first footnote in the document, attached to the first use of the acronym UFO. The footnote reads, All flying, sailing or maneuvering aerial objects whether glowing, pulsating or of a constant metallic hue, whose shape is somewhat circular or cigarish. Note the use of the adjective cigarish. It sounds rather reminiscent of the now-infamous tic-tac.

The general categories they identified were as follows:

To put this document in a historical context in terms of the debate over UAP, its worth pausing here and looking at the widely publicized UAP Task Force report from June 25, 2001. As you may recall, that document also broke down the governments assessment of various bins of potential explanations for sightings. Perhaps not coincidentally, the number of such bins in that report was also five. They were:

The 2021 report does not attempt to attribute any of the reported sightings to hoaxes or hallucinations, but this is easily explained by the preamble to that list which specifies that the reports under consideration were given by trained military observers. The majority were described as also involving observations with multiple sensors. That factor would almost eliminate the possibility of hoaxes and they certainly wouldnt wish to imply that their Top-Gun pilots were insane.

The other categories fit in remarkably well with items 3 through 5 in the 1968 report. Natural Phenomena would clearly encompass some airborne clutter and natural atmospheric phenomena. Secret Earth Projects is a perfect fit for USG/Industry developmental programs and foreign adversarial systems. And the other bin obviously opens the door to objects related to extraterrestrial intelligence, among other things. As in other studies of government UAP documents, The Debrief has examined here, its fascinating how little the conversation seems to have changed in more than seven decades.

The NSA report spends relatively little time on the idea of hoaxes accounting for all or most UFO sightings and takes a skeptical view on the theory. It speaks of the rarity of men of science perpetrating such fakery while acting in their professional capacities, including military professionals. The increasing frequency of such reports during the period being considered is also noted. It concludes by saying that if this number of reports were indeed all fictional, then a human mental aberration of alarming proportions would appear to be developing, and such an aberration would seem to have serious implications for nations equipped with nuclear toys.

The report treats the idea of hallucinations in a similar fashion. While agreeing that some people do experience hallucinations, occasionally even among groups of people sharing a vision, the author notes the number of reports that include data not limited to human sensory perceptions. They note that many observations are backed up by radar data and gun camera video footage. There is also a reference to reports where physical evidence of a circumstantial nature seemed to support the reports of sightings. The physical evidence reference is linked to works published by Jacques Vallee. Were all such sightings to be hallucinations, the report concludes that we might bring into strong question the ability of mankind to distinguish reality from fantasy, thereby producing a negative impact on mans ability to survive in an increasinglycomplex world.

The report finds the possibility that all UFOs might be natural phenomena to be troubling on multiple fronts, particularly when it comes to Americas ability to maintain early warning systems against potential Soviet nuclear missile attacks. This isnt a concern over the possibility that humans might misinterpret some form of weather pattern or other naturally occurring biological or meteorological activity, which is always a possibility. The larger danger here is that the people manning Americas defensive perimeter might develop a blind spot to legitimate UFO incursions, writing them off as such natural phenomena. Even worse, the Soviets might take advantage of this blind spot and build offensive systems that would mimic the UAP, luring us into complacency.

The reports final concern seems far more grave and suggests records of truly remarkable UFO behavior. It references objects that appear to defy radar detection and cause massive electromagnetic interference. The author goes on to stress the need to discover the nature of these objects or plasmas before any prospective enemy can use their properties to build a device or system to circumvent or jam our air and spect detection systems. This too is eerily reminiscent of the recommendations included in the June 25, 2021 AATIP report. Sadly, the only footnote included in this portion of the report sends the reader to an article in the Encyclopedia Brittanica describing Project Grudge.

The report only spares a single paragraph to the possibility of Secret Earth Projects. The author confidently states that there is little doubt as to the validity of this hypothesis. They warn that all UFOs should be carefully scrutinized to ferret out such enemy or friendly projects. The failure to do so could leave the nation vulnerable to a new, secret doomsday weapon.

That brings us to the most intriguing portion of the report, dealing with the possibility of an extraterrestrial intelligence being the source of these UFO sightings. Interestingly, the chapter is preceded by a handwritten note stating that the hypothesis cannot be disregarded. The note goes on to reference the 1952 wave of UFOs seen over Washington, D.C. A handwritten footnote to this addition points the reader to the work of Professor James E. McDonald, J. Allen Hynek, and (again) Jacques Vallee. McDonalds name is misspelled in the handwritten note as MacDonald, but there is little doubt as to who the author meant to reference. McDonald was a legendary UFO researcher in his own right, who died under what some researchers consider questionable circumstances. You can see the FBI file that was maintained on McDonald here.

As to the question of mankinds potential interaction with an extraterrestrial intelligence, the report divides the possibilities into categories based on whether we discover them or they discover us. A number of survival strategies are offered. The author references human interactions between technologically advanced civilizations and indigenous peoples who were overwhelmed by them, placing humanity in the role of the disadvantaged species if the creators of the UFOs have a significant scientific advantage over the humans they discovered here on Earth. The report suggests strategies such as full and honest acceptance of the nature of the inferiorities separating you from the advantages of the other people. It advises a strategy of national solidarity in dealing with the invading culture and limited interaction with the aliens to the extent that is possible. Humans are also advised to learn from the technology of the aliens as rapidly as possible and prepare for unconventional, asymmetrical warfare. These strategies could easily have been the inspiration for a variety of science fiction movies ranging from War ofthe Worlds to Independence Day.

Nothing in the NSA report suggests that the presence of nonhuman intelligences in our airspace had been definitively proven. But at the same time, the agency was not in any way scoffing at it. They were leaning toward preparing for the possibility and developing strategies that might best equip the nation in the event of a potentially hostile alien invasion. The report closes with the suggestion that more of this survival attitude is called for in dealing with the UFO problem.

It may be worth considering how often the phrase the UFO problem has shown up in military and government documents from the post-World War 2 era reviewed by The Debrief. Such references have been found in records from the Army, the Air Force, and security agencies. If the question was seen as purely speculative or the product of delusional conspiracy theorists, a reference to the UFO question or the UFO theory might have been more likely. But the word problem suggests that the guardians of our nations secrets and security were exploring a phenomenon that they saw as not only possible but perhaps likely, if not confirmed. And plans were under discussion to come up with a solution to that problem.

Perhaps if additional official documents come to light in the future, more answers will be revealed. But at this point, what we have learned of the United States governments early responses to reports of unexplained objects in our skies sounds more like a serious effort to understand and perhaps even confront a very real unknown phenomenon than any sort of preparation to respond to outbreaks of mass hysteria.

Follow Jazz Shaw and connect with him on Twitter @JazzShaw.

Read more:
The Secretive History of the NSA's UFO Studies in the Sixties - The Debrief

Professor Peter Twumasi Director-General of the National Sports Authority (NSA), has said, sports have the potential to create job opportunities for the youth and aged if given the needed attention.

According to Prof. Twumasi, sports was a big industry, that provides opportunities in the areas of coaching, medicine, psychology and other areas, hence the need for more investments in the sector.

He said the government would continue to embark on regular talent identification especially at the grassroots to unearth more talents for the nation in sports.

Prof. Twumasi made these remarks at the 4th edition of the National Cross Country 2022, held at the Akim Oda Sports Stadium in the Brim Central Municipality on the subject "Running Towards the 13th Africa Games.

He, however, noted that athletics and football should not be the only disciplines with regular contests, but volleyball, boxing and others must also be given the needed priority.

Prof. Twumasi praised the President for his contributions to the country's sporting infrastructure, following the construction of multi-purpose stadiums in various parts of the country.

Mr Kwame Seth Acheampong, District Chief Executive for Akyem Achiase on behalf of the Eastern Regional Minister, expressed his appreciation to the NSA for giving them the opportunity to host the 4th National Cross-Country Event.

He was pleased that the competition drew a large number of athletes and spectators, adding that, it was a sign that, sports was a tool for ensuring national unity.

The 10-kilometre race drew over 190 male and female participants from the country's 16 administrative regions.

Amponsah William of the Central Region took first place in the men's category with a time of 28:16.71, followed by Koogo Atia of the North East Region, with 29:25.61, and Aziz Mohammed of the Central Region picking the third place with a time of 29:25.61.

Lariba Juliana of Upper East took first place in the women's category with a time of 35:07.90, followed by Sherifa Moro of Ashanti Region in second place with a time of 35:41.51 and Titi Rosina of Upper West in third place with a time of 35:52.35.

The Central Region was the overall regional best for males, with Upper West second and Ashanti Region third, while Upper West was the overall regional best for females, with Ashanti Region second and Upper East Region third.

Read more here:
'There are many job opportunities in sports' - Director-General of NSA - GhanaWeb

A report released today dives deep into technical aspects of a Linux backdoor now tracked as Bvp47 that is linked to the Equation Group, the advanced persistent threat actor tied to the U.S. National Security Agency.

Bvp47 survived until today almost undetected, despite being submitted to the Virus Total antivirus database for the first time close to a decade ago, in late 2013.

Until this morning, only one antivirus engine on Virus Total detected the Bvp47 sample. As the report spread in the infosec community, detection started to improve, being flagged by six engines at the moment of writing.

The Advanced Cyber Security Research team at Pangu Lab, a Chinese cybersecurity company, says that it found the elusive malware in 2013, during a forensic investigation of a host in a key domestic department.

The Bvp47 sample obtained from the forensic investigation proved to be an advanced backdoor for Linux with a remote control function protected through the RSA asymmetric cryptography algorithm, which requires a private key to enable.

They found the private key in the leaks published by the Shadow Brokers hacker group between 2016-2017, which contained hacking tools and zero-day exploits used by NSAs cyberattack team, the Equation Group.

Some components in the Shadow Brokers leaks were integrated into the Bvp47 framework - dewdrop and solutionchar_agents - indicating that the implant covered Unix-based operating systems like mainstream Linux distributions, Junipers JunOS, FreeBSD, and Solaris.

Apart from Pangu Lab attributing the Bvp47 malware to the Equation Group, automated analysis of the backdoor also shows similarities with another samplefrom the same actor.

Kasperskys Threat Attribution Engine (KTAE) shows that 34 out of 483 strings match those from another Equation-related sample for Solaris SPARC systems, which had a 30% similarity with yet another Equation malwaresubmitted to Virus Total in 2018 and posted by threat intel researcher Deresz on January 24, 2022.

Costin Raiu, director of Global Research and Analysis Team at Kaspersky, told BleepingComputer that Bvp47s code-level similarities match a single sample in the companys current malware collection.

This indicates that the malware was not used extensively, as it usually happens with hacking tools from high-level threat actors, who use them in highly targeted attacks.

In the case of the Bvp47 Linux backdoor, Pangu Lab researchers say that it was used on targets in the telecom, military, higher-education, economic, and science sectors.

They note that the malware hit more than 287 organizations in 45 countries and went largely undetected for over 10 years.

Pangu Labs incident analysis involved three servers, one being the target of an external attack and two other internal machines - an email server and a business server.

According to the researchers, the threat actor pivoted established a connection between the external server and the email server via a TCP SYN packet with a 264-byte payload.

At almost the same time, the [email] server connects to the [business] server's SMB service and performs some sensitive operations, including logging in to the [business] server with an administrator account, trying to open terminal services, enumerating directories, and executing Powershell scripts through scheduled tasks - Pangu Lab

The business server then connected to the email machine to download additional files, including the Powershell script and the encrypted data of the second stage.

An HTTP server is started on one of the two compromised machines, serving two HTML files to the other. One of the files was a base64-encoded PowerShell script that downloads index.htm, which contains asymmetrically encrypted data.

A connection between the two internal machines is used to communicate encrypted data via its own protocol, Pangu Lab researchers say in their report.

The researchers were able to restore the communication between the servers and summarized it into the following steps, where machine A is the external system and V1/V2 are the email and business server, respectively:

Referring to the above communication technology between the three servers, the researchers assess that the backdoor is the creation of an organization with strong technical capabilities.

Go here to read the rest:
NSA-linked Bvp47 Linux backdoor widely undetected for 10 years - BleepingComputer

Ransomware: The malicious phenomenon that has catapulted cybercrime to Numero-Uno crime syndicate in the world, easily surpassing syndicates like narco trafficking.

The year was 20162017, the saga unfolded straight from Hollywoodesque sci-fi potboiler. Hactivists in the elite National Security Agency(NSA) Of USA called The Equation Group were working at frenetic pace, stockpiling Zero-Day vulnerabilities (exploits not yet made public) in the ubiquitous Windows operating system, in-order to weaponise them to launch nation-state ,cyberwarfare attacks against hostile nations. NSA, instead of alerting Microsoft about fatal vulnerabilities in Windows operating system, was embellishing them as marquee trophies to use in cyberattacks against critical infrastructure of rogue nations.

Unbeknownst to NSA hackers, the infamous group shadow brokers, owing allegiance to Russian state, hacked onto NSA secrets and stole the catastrophic WannaCry and its family of ransomware codes, which exploited vulnerabilities in Windows operating system. The malware primarily consisted of twin codes ie, the double Pulsar, which created backdoor (malicious entry) in vulnerable windows systems, specially with open TCP (transmission control protocol) ports and the highly dangerous the eternal blue code, which was the payload for encrypting data in victims systems and was conspicuous by its worm like feature, which propagated it from one computer to another networked computer, without the need to click on any malicious link (zero click propagating feature), which made it extremely deadly and capable of spreading at lightning speed.

The shadow brokers put the arsenal of weaponized ransomware on an online auction in darknet (for detailed discourse on darknet kindly refer to my previous column dated 9 February 2022). However, they found no takers of the malware ,hence they released it gratis, wherein it was lapped up allegedly by the notorious Lazarus group of North Korea state actor. This is the horrific story of worlds deadliest family of ransomware attacks (RWAs) viz. ,WannaCry, Petya and GoldenEye.

In just few hours, computer systems in more than 150 countries became dysfunctional and more than 1 million computers were converted into an array of botnets (ie. a group of zombie networked computers hijacked by hackers by introducing malware and spreading the infection in a cascading effect). The ransomware spread at an incredible pace. Several small enterprises shut down as they could not bear loss of entire database, large enterprises suffered losses of billions of USD, MNCs, public sector, private sector, railways, police, banks, malls, energy companies, ISPs, and even ports and health services came to a grinding halt.

Indias own JNPT port was also hit and the operations of the largest container port in the country were halted for four days.

The national health services (NHS )of UK were badly crippled with thousands of patients, requiring critical surgeries ,turned away from hospitals leading to incalculable loss of lives. WannaCry family spread its tentacles from Europe to US to India, severely affecting Russias biggest oil company ROSNeft and worlds biggest advertising agency WPP. The sordid tale of worlds deadliest Ransomware Attack (RWA)had a grim twist. Even though billions of USD were paid in ransom through crypto currency by victims, the irony is that no-one got their data back and the RWAs of WannaCry are still continuing till date as we read this column.

What is ransom ware?

The world first came across the term ransomware, in true sense, after crypto currencies like bitcoin came in vogue in 2013, with the advent of malevolent Cryptolocker RWA, which utilised the Gameover Zeus botnet and extorted over USD 3 million. Russian hacker Evgeny Bogachevave, father of Zeus botnet and originator of first sophisticated Ransomware attack (RWA), is still at large and carries a reward of more than USD 5 million.

Ransomware may be defined as a malware code that exploits vulnerabilities in a computer system or uses phishing techniques to gain access in a victims computer network and runs an encryption process, which converts hard disk data in plain text to cipher text, which is nothing but unintelligible Gibberish. Subsequently, the malevolent actor demands ransom to re-convert or decrypt the unusable encrypted data into usable plaintext.

What makes Ransomware exponentially dangerous is that it is next to impossible to decrypt data by experts,as current techniques of decryption ,like RSA would require billions or even trillions of years to decrypt data.

Ransomware attacks or RWAs can severely impact business processes as sans data, mission critical services get obliterated, causing colossal economic and reputational adverse impact. Apart from data loss by coercive encryption, the malicious actors also make money by re-selling data on darknet and also selling access to data leading to disclosure of organisations sensitive information and breach of privacy. Imagine the plight of a housing loan company in India that was hit by a potent Ransomware attack RWA in 2020, owing to the loss of data, the organisation was entirely at sea, not even knowing how much loan to recover from which client. It paid over Rs.50 Crores in ransom in bitcoins to procure the decryption key. The case was never reported to Law enforcement agencies.

Cryptocurrencies have given a tremendous filip to ransomware proliferation. Virtual-currencies lend relative anonymity to the owner and though law enforcement agencies, with herculean trans-national effort, may sometimes be able to track the crypto currency wallet, but to track individual beneficiary requires extensive forensic analysis (IP address analysis), which makes it nigh impossible to track the cyber-criminal.

Hence, ransom is invariably demanded in crypto currencies. It is also remarkable that most cases of ransomware are never reported for the fear of loss of data or credibility and ransom is surreptitiously paid. The law enforcement agencies track the transactions of suspected crypto currency wallets to estimate the quantum of ransom paid and consequently, it only remains an approximation. From 2019 onwards, RWAs have witnessed a scale hitherto unprecedented. The pandemic induced shift to remote and hybrid online work, which has expanded the surface area of launching RWAs.

Forbes in its recent edition, states that in 2021, ransomware extortions have exceeded USD 20 billion and that a Ransomware attack is launched every 10 seconds somewhere in the planet affecting 2.5 million internet of things(IOT) devices . The eugenics in ransomware trade has seen best cyber-criminals earning millions of US dollars every month which has led to industrialisation of cybercrime, with revenues exceeding 6 trillion USD in 2021, which is about 2.5 times of Indias economy.

In mid 2021, JBS, the largest meat supplier in USA, paid USD 12 million as ransom (approximately Rs 90 crore) to malevolent actor REvil. Similarly, Colonial pipeline, the largest refined product pipeline in US, extending to over 5,500 miles was hit by a massive Ransomware attack (RWA) by a group christened as DarkSide, which crippled fuel supplies in east coast of US. It paid a ransom of about USD 5 million to get its critical data back.

A survey by Sophos cyber security firm, claimed that India is the 5th most affected country in the world by RWAs. A whopping 76% of Indian entities have faced RWAs in 202021 and many of these organisations are yet to discover that. In 2021, many Indian companies and government organisations fell victim to RWAs. The food giant Haldiram got its data encrypted in July 2020 with ransom demand of approximately Rs.70 Crores. The case till-date remains undetected, with rumour-mills in overdrive, claiming that ransom was secretly paid. Similarly in mid 2020 India-Bulls and Dominos fell victim to massive RWAs. The irony is that all these cases have hit a stalemate and remain undetected.

A celebrated case of RWAs affecting government organisations occurred in March 2021, when Maharashtra industrial development Corporation (MIDC)and its 16 regional offices were hit by SyNack RWA, which was allegedly traced to Kazakhstan and Bulgaria and ransom of over Rs 500 crore was purportedly demanded. The case too remains languishing in the police files of undetected cases. Ransomware has become such a profitable venture that ready-made ransomware package codes are being offered for sale in darknet. The out of the box Phenomenon Ransomware As a Service (RAS) claims to automatically handle key issues like scale of encryption required, ransom specifications and negotiations, answering FAQs of victims, how to get data back ,helping victims in signing up for bitcoin wallet, how to pay ransom et cetera.

Though RWAs have emerged as robust evil, with negligible cases being detected and perpetrators being brought to justice, the silver lining is that RWAs can easily be thwarted and made ineffective. The key lies in:

-Good cyberhygiene habits like regular vulnerability scanning and penetration testing.

-Regular cyber security audits involving updation and proper configuration of firewalls, adoption of latest patches and software updates to iron out exploits.

-Collective resilience by spreading awareness about phishing attacks and hardening guidelines like multifactor authentication (MFA ) for all services, to the extent possible for example VPN,s web mails et cetera.

-And most importantly, consistent schedule of taking data back ups in off-line devices so that in case of a potent RWA, off-line data can easily supplant the encrypted data.

It is high time that law enforcement agencies get their act together and become more proactive and act as bulwark to pre-empt RWAs.

With so many technologies offering anonymity like crypto currencies, proxy bouncing, VPNs, tor browsers, darknet: the only solution is that law enforcement agencies become smarter than cyber criminals and go undercover and join the forum where discussions about launching novel RWAs take place regularly in darknet. To catch a cunning, transnational, sagacious criminal hell bent on hiding tracks, the police have to think like them and pre-empt their next move

Views expressed above are the author's own.

END OF ARTICLE

The rest is here:
Good cyber habits to thwart ransomware attacks - The Times of India Blog

The US and UK governments have published a joint report today detailing a new malware strain developed by Russias military cyber-unit that had been deployed in the wild since 2019 and used to compromise home and office networking devices.

Agencies like the UK National Cyber Security Center (NCSC), the US Federal Bureau of Investigations (FBI), the US Cybersecurity Infrastructure and Security Agency (CISA), and the US National Security Agency (NSA) have contributed to thejoint report, complete with a technical analysis of the new malware, which they namedCyclops Blink[PDF].

Officials said theyve first seen the malware deployed in the wild in June 2019 and has been primarily detected targetingWatchGuard Firebox firewalls, but they dont exclude having the ability to infect other types of networking equipment too.

The UK and US officials said the malware was developed by a threat actor known asSandworm, previously linked to a cyber-unit of the GRU, Russias military intelligence division.

Officials described Cyclops Blink as professionally developed and said the malware uses a modular structure that allows its operators to deploy second-stage payloads to infected devices.

Details about how the malware is deployed on infected systems and what are the capabilities of its second-stage modules are not included in the report, but in its own security advisory on the matter, WatchGuard said they believe the attackers used a vulnerability in old Firebox firmware as the entry point, a vulnerability the company patched in May 2021.

Both US and UK officials said they believe that the Sandworm group developed Cyclops Blink to replace s previous botnet created using the older VPNFilter malware, botnet that the FBI sinkholedin late May 2018.

At the time, US officials and security firms said that Russian state-sponsored hackers were preparing to use the VPNFilter botnet to launch DDoS attacks in the hopes of disrupting the IT infrastructure of the UEFA Champions League 2018 final, which was scheduled to take place that year in Kyiv, Ukraine.

The timing of the joint report on Cyclops Blink report today is not an accident and comes as Russia is days away from sending troops into Ukraine, an operation that many security experts believe will be accompanied by cyber-attacks meant to disrupt Ukrainian IT infrastructure.

While it is unclear if Cyclops Blink is expected to play any role in these possible attacks, US and UK officials believed it was an opportune moment to expose the Cyclops Blink botnet, as a way to limit its usefulness to Russian military intelligence.

The report contains technical details that cybersecurity firms will be able to use to create detection rules for Cyclops Blink activity.

Because the malware also burrows deep inside a devices firmware, a simple device restart or factory reset wont remove it from infected firewalls. For this, WatchGuard has released tools to detect the malware on its devices, and steps on how to clean compromised systems.

According toNate Warfield, Chief Technology Officer at cybersecurity firm Prevailion, there aremore than 25,000 WatchGuard Firebox firewallscurrently connected to the internet. WatchGuard estimated the number of infected systems at around 1%, which would put the botnet size at around 250 devices.

However, only around a dozen of these 25,000 systems are located in Ukraine, meaning they cant be used by Sandworm operators to pivot into the internal networks of many Ukrainian companies, yet this doesnt mean the other Cyclops Blink devices cant be used for other types of operations, such as DDoS attacks.

Coincidentally, the joint report came out just as several Ukrainian government sites were under a DDoS attack, but there is no evidence that Cyclops Blink played any role in these attacks or that it can even carry out these types of operations.

Confirmed: #Ukraine's Ministry of Foreign Affairs, Ministry of Defense, Ministry of Internal Affairs, the Security Service of Ukraine and Cabinet of Ministers websites have just been impacted by network disruptions; the incident appears consistent with recent DDOS attacks pic.twitter.com/EVyy7mzZRr

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.

Read more:
US and UK expose new Russian malware targeting network devices - The Record by Recorded Future

WASHINGTON, DC The not seasonally adjusted national construction unemployment rate plunged 4.6% in December 2021 from a year ago, down from 9.6% to 5%, while all 50 states had lower unemployment rates over the same period, according to astate-by-state analysisof U.S. Bureau of Labor Statistics data released today by Associated Builders and Contractors. This substantial improvement occurred even as the omicron COVID-19 variant was sweeping the nation.

While not fully recovered to its pre-pandemic level, national NSA construction employment was163,000higher than in December 2020. Seasonally adjusted construction employment was only 96,000, or 1.3%, below its February 2020 peak, before the impact of the COVID-19 pandemic began to affect the employment numbers. This beat national seasonally adjusted nonfarm payroll employment, which, though improving, was still 2.2% below its February 2020 peak as of December 2021.

The national NSA construction unemployment rate of 5% was unchanged in December 2021 from its December 2019 reading. Over that same period, 34 states had lower construction unemployment rates, and 16 states had higher rates.

The construction industry is making impressive progress despite continuing supply chain issues, which include extended delivery times and shortages of some building materials and appliances, said Bernard M. Markstein, president and chief economist of Markstein Advisors, who conducted the analysis for ABC. Employers are also coping with difficulties findingskilled workers. The normal winter slowdown in construction activity is, at least temporarily, relieving some of the stress from these challenges.

National and state unemployment rates are best evaluated on a year-over-year basis because these industry-specific rates are not seasonally adjusted. However, due to the changing impact of the COVID-19 pandemic and related shifts in public policy, month-to-month comparisons offer a better understanding of the pandemics effect on construction employment in a rapidly changing economic environment.

Since the data series began in 2000, national NSA construction unemployment rates have always increased from November to December. December 2021 was no exception, with a 0.3% rise in the rate. Eleven states had lower estimated construction unemployment rates than in November, 33 states had higher rates and six had the same rate.

The five states with the lowest December 2021 estimated NSA construction unemployment rates were:

1. Nebraska, 1.3%

2. Indiana and Utah (tie), 1.5%

4. Georgia, 1.6%

5. Oklahoma, 2%

All five states had their lowest December estimated NSA construction unemployment rate on record.

The states with the highest December 2021 estimated NSA construction unemployment rates were:

46. New Jersey, 8.3%

47. Michigan, 8.6%

48. North Dakota, 9%

49. New York, 9.5%

50. Alaska, 10%

Alaska posted its lowest December estimated NSA construction unemployment rate on record.

Click here to view graphs of overall unemployment rates and construction unemployment rates showing the impact of the pandemic, including a graphing tool that creates a chart for multiple states.

To better understand the basis for calculating unemployment rates and what they measure, check out theBackground on State Construction Unemployment Rates.

Visitabc.org/economicsfor the Construction Backlog Indicator and Construction Confidence Index, plus analysis of spending, employment, GDP and the Producer Price Index.

Read this article:
ABC: Construction Unemployment Is Down in Every State From a Year Ago - Contractor

The early morning hours of August 16, 2019 began with the whirring and burping sound of computer printers. The scratch and screech echoed along the empty corridors of the Borger, Tex. administrative offices, paper sliding from tray to ink jet to tray and then back again.

Anyone in the office that steamy Friday who happened to glance at the finished pages would have seen sheets covered in gibberish: all ampersands, exclamation points and broken English.

To Jason Whisler, the citys emergency management coordinator, it was clear what this meant: Borger, population 13,000, was suffering from a ransomware attack and those pages on the printers were filled with demands. If you read between the lines it basically said, you know, the systems been infected, Whisler recalled. It was a very definite pay up or else.

Borger wasnt alone; it was one of nearly two dozen cities around the state that woke up that morning to find computers either locked up or misbehaving. They would learn much later that hackers had managed to infiltrate their managed service provider, the company that was handling their IT, and by cracking into the MSP they had their pick of dozens of victims it was very efficient. And all the cyber criminals wanted to make it stop was $2.5 million in Bitcoin.

The city manager at the time, he asked me, I have to ask because insurance is asking, do we want to consider paying the ransom? Whisler said. Immediately I said no. In his view, it was tantamount to negotiating with terrorists.

The decision not to pay had a surprising knock-on effect: it forced a notorious ransomware gang, the Russia-based REvil, or ransomware evil, to rethink how it did business. What it came up with something called ransomware-as-a-service is a big part of the reason why ransomware is one of the fastest-growing cybersecurity threats in the world today.

Ransomware-as-a-service, or RaaS, is a franchise model. Instead of launching a ransomware attack from beginning to end, cybercriminals have started to divvy up the work. In REvils case, it decided to give the time-consuming, front-end reconnaissance work of a hack to other groups: they could unearth vulnerabilities that compromise networks, and REvil would handle everything necessary for the ransomware operation itself from malware packages to negotiators to Bitcoin wallets waiting for payments. For their services, REvil would get a percentage of any ransom money paid.

In an interview published by The Record last year, one REvil manager claimed that the group had developed a coterie of more than 60 affiliates all of whom were launching cyber attacks. So instead of one group holding a couple dozen servers ransom as had happened in the past, there were dozens of groups working simultaneously to lock up tens of thousands of them.

Ransomware evil

About a year before the Texas attack, a managed service provider named Certified CIO discovered it had been compromised. Hackers had infiltrated its client networks and were beginning to take control of their servers in order to hold them for ransom.

We got called out because they just happened to be local enough to us that we could make the trip and sit alongside an incident response firm, said Kyle Hanslovan, the CEO of Huntress, a cyber security firm. And during the process, we realized that the actor got into the remote management software of the MSP.

It so happens that a videofeed the company had set up to record their help sessions with clients had accidentally captured the bad guys at work. So Hanslovan and his team suddenly had hours and hours of what was essentially cyber surveillance footage. They could see the hackers methodically working their way through the client networks turning off virus scanners, encrypting each host and stealing their passwords.

You could actually see them on screen, Hanslovan said. Whats funny is the naming schemes to the tactics, to the capabilities, to what they checked and what did they do after they got initial access all provided incredible insight into how the group ran their intrusions and Hanslovan came to believe that a group hed had an eye on for years, a group that would eventually become REvil, was behind it all.

My first run-ins with REvil were probably well before they ever called themselves REvil, is probably like 2017. Maybe even as early as 2016, he said, adding that he recognized them because they loved to target MSPs like Hanslovans client, Certified CIO.

The gang, it turns out, were particularly good at finding vulnerabilities in MSP software and at the time they were the only ones that appeared to be doing it. When Hanslovan heard about what happened in Texas, he was pretty sure REvil, the group he had studied for years, was behind that, too.

Manager: Unknown

Last year, a security analyst named Dmitry Smilyanets had a long online chat with someone who claimed to be a member of REvils management team. He went by the online handle Unknown.

Unknown was not a hacker. He was the operator. He was the manager, Smilyanets said. His job was to control the infrastructure, make sure it all works. Make sure that communication lines with victims were up and that payments go through.

Smilyanets didnt just take Unknowns word for it. He had been watching the REvil manager for some time, tracking his message traffic on the dark web, watching as his online wallet swelled with Bitcoin, and Smilyanets eventually became convinced that Unknown was who he claimed to be. (Smilyanets works at Recorded Future, a threat intelligence company. Click Here and The Record are divisions of Recorded Future and are editorially independent.)

While it is impossible to verify all the claims Unknown made in his chat with Smilyanets, he did make clear that after 2019, REvil did some rethinking. Their main goal is to make money and they will not stop on anything until they make this money, Smilyanets said. They bring new tactics, new techniques to help to pressure the victim to pay.

Ransomware-as-a-service was one of those new techniques. RaaS was not just more efficient, it provided a level of deniability. Security analysts and law enforcement might spot REvils code in the ransomware, but because of the new business model, they couldnt be sure if REvil was actually behind it. Whats more, because REvil was cycling through various affiliate groups it complicated attempts at attribution. According to the Justice Department since 2019, REvil has been linked to some 175,000 ransomware attacks, generating some $200 million in ransom.

We kind of slept

For Whisler and Garrett Spradling, Borgers city manager, the events of 2019 never became a whodunnit. Their singular focus was on getting the citys computers running again. Ive got enough to deal with the day-to-day business in the city of Borger, Spradling said. I mean, as bad as it may or may not sound, I didnt even think about the other cities. I have enough to worry about with my city.

So the fact that REvil was involved seemed at the time, and even now, beside the point. Chasing cybercriminals was left to others: federal law enforcement, including the FBI and, sometimes, the NSA.

Before Texas, the people behind epic hacks tended to be nation-state actors. The North Koreans broke into Sony Pictures in 2014; the Chinese stole millions of secret personnel files from the Office of Personnel Management a year later. Those kinds were Americas main adversaries in cyberspace and they were known as APTs Advanced Persistent Threats and in attacks against the U.S. they were usually from one of the Big Four: Russia, China, North Korea or Iran.

Kyle Hanslovan used to work at the NSA and he said the focus inside Fort Meade, where the NSA and Cybercom fight these kinds of threats, was almost exclusively on the nation-state variety.

Lets go after the ATP was what it was all about back then, he said. And because there was such a focus on those actors, Hanslovan believes we kind of slept through an important shift: in 2015 or 2016, criminals were starting to weaponize cyberspace too. We were late behind the power curve on all of ransomware-as-a-service, Haslovan said.

The criminal element started slow, with something called initial access brokers just run-of-the-mill hackers who found vulnerabilities in random computers and bundled them together. Initial access brokers would get people who have all these unimportant accesses to computers and bundle them together, and resell them for dirt cheap, said Hansolvan. Were talking about sometimes as cheap as $10 for access.

The buyers would root around the various access points to see where it might take them. Could a small vulnerability on one computer, for example, allow them to monkey bar over to something else like a company email system or a company network? If that happened, they figured out that that access they bought for $10 could now be sold for $100 maybe even $1,000..

It was a service model.

You could have looked circa 2018 and seen that this behavior was going to happen, Hanslovan said. It just made economical sense. Its the same reason, again, that you have somebody delivering your paper for the last mile. It just makes so much sense to have a one-to-many relationship, but we were kind of very slow as a [cybersecurity] culture to react to it.

A $44,000 bill

Borger might have emerged from that 2019 attack as just another victim had they not been in the middle of upgrading their servers. It happened to have been in the middle of transferring its data over to a new City Hall server that August. Then Mother Nature lent a hand.

By luck, we had a faulty ups with that server, Whisler said. And a couple of nights before we had some storms roll through and when the power flickered that server shut down and was also offline. So even though a lot of our individual desktops were affected by this through the network, the lions share of our data that we need for just city operations, utility billing, that was actually preserved on a server that had shut down.

Spradling, the city manager, said that and a couple of other happy accidents meant that the ransomware attack was scary, but in the end not all that costly. To make everything right again ran the city about $44,000, he said, which wasnt even half the citys general contingency funding. The State of Texas helped them too. Officials talked to some of the computer companies, explained what happened, and the companies gave Borger a huge discount on new computers Whisler said they needed to upgrade anyway.

Its satisfying that they didnt get anything, he said. Our overall expenses are our losses and the replacement was mitigated by the state and we didnt pay any of the ransom. So all in all, I would call it a successful failure.

In its own way, REvil probably saw it that way too until back in October when their luck seemed to run out: U.S. Cyber Command and the NSA launched an offensive cyber operation against REvil, Reuters reported. They took over their server and redirected all their traffic, basically shuttering their RaaS ransomware operation.

A few months later, Moscow fired its own salvo. It released a video of authorities raiding the homes of more than a dozen alleged REvil members. Moscow said afterward it arrested REvil members as a favor to President Biden.

As for the REvil manager, Unknown, he has been missing for months. Hes disappeared, Smilyanets said.

And at least for now, REvil has too.

Additional reporting by Sean Powers and Will Jarvis

Dina Temple-Raston is the host and executive producer of the Click Here podcast as well as a senior correspondent at The Record. She previously served on NPRs Investigations team focusing on breaking news stories and national security, technology, and social justice and hosted and created the award-winning Audible Podcast What Were You Thinking. She was a longtime foreign correspondent for Bloomberg News in China and served as Bloombergs White House correspondent during the Clinton Administration. She is the author of four books, including The Jihad Next Door: Rough Justice in the Age of Terror, and A Death in Texas: A Story of Race, Murder and a Small Towns Struggle for Redemption.

Go here to read the rest:
How a Texas hack changed the ransomware business forever - The Record by Recorded Future

NAPLES, Italy Samara Sloan turned down a shot at a lucrative investment banking job because a U.S.-NATO military treaty first written in 1951 makes no provision for her to legally work while her husband serves in the Navy.

That was a huge opportunity that I had to turn down with a very good salary, said Sloan, who received the potential offer after moving to Naval Support Activity Naples in 2020. It was a huge financial hit to my family.

Sloan didnt have much choice. Italian law makes it practically impossible in most cases for military spouses and children living in the country under the NATO Status of Forces Agreement to work anywhere except on base and many of the jobs there arent open to them.

The agreement was written in an era when women were largely expected to stay home.

As time went on, supplemental agreements between the U.S. and NATOs member countries addressed taxes, driving privileges and other issues related to U.S. military personnel in a foreign country. But they generally avoided rules on military dependent employment.

The last time the U.S. and Italy agreed on a supplement to the SOFA was 27 years ago, again without addressing employment.

Military spouse unemployment has been acknowledged as a problem by the services for decades, due in part to the nature of two- and three-year tours.

The problem affects many dependents, regardless of age or gender. But it disproportionately affects women, who make up 92% of the military spouse community, a July 2020 Deloitte Insights report stated.

And among the larger overseas military communities, Italy is arguably the toughest place for a spouse to be legally employed. Even teleworking for a U.S. company is technically illegal, if sometimes overlooked.

Italian law requires military dependents to give up their SOFA rights and protections if they want to work for a private American, Italian or other employer while living in Italy. Had Sloan taken the job, she would have been forced to give up her SOFA status, return to the U.S., wait for an Italian work visa and permit, and then pay Italian income taxes.

The agreement does not exempt family members of the Force (DoD civilians and active-duty service members) from Italian work visa requirements and paying taxes in the host nation to which theyre assigned when they are involved in non-duty related employment, Morgan Gilliam, U.S. Navy Europe Africa Central spokeswoman, said in a statement.

Force impacts

For Sloan and other military dependents, the fallout from that inability to work is acute, ranging from under- or unemployment to resume gaps, financial instability, mental health issues and other impacts that negatively affect their lives and the well-being of their families, experts say.

Financial insecurity and unfulfilled career or personal aspirations for spouses have a direct impact on the retention of skilled service members, the 2020 Deloitte report said.

If the military is to retain its most skilled service members, it needs to find ways to improve the military spouse experience, which includes ensuring military spouses are fully employed with meaningful careers, the report stated.

Its difficult to determine how many people like Sloan are impacted by NATO SOFA-related employment restrictions. But with a U.S. military community of 15,020 active duty service members, reservists and Defense Department civilians in Italy, advocates say its a common problem.

The Defense Department doesnt track spouse employment outside of the continental U.S. separately, said Jennifer Goodall, director of Military Family Policy and Spouse Programs for the government relations team of the Alexandria, Va.-based Military Officers Association of America.

But unemployment for military spouses continues to hover around 22-24% and likely increased following the COVID-19 pandemic, Goodall said.

Goodall and others would like to see the NATO SOFA and supplemental agreements reviewed and revised to accommodate more job options, such as telecommuting for a U.S. employer. But that process could open an entire document for review, resulting in changes that extend beyond the employment issue.

Because there are so many potential ramifications, this needs to be done thoughtfully and deliberately, Goodall said.

The decades-old NATO SOFA sets the rules, rights and responsibilities by which member countries, such as the U.S., Germany, Italy and others, may keep troops in another country.

While the pact impacts the conditions under which military dependents may get jobs, it doesnt directly address employment, according to a November 2019 research paper from the Institute for Veterans and Military Families at Syracuse University.

Rules for military spousal employment vary widely depending on host country laws and, sometimes, on NATO SOFA supplemental agreements with specific countries.

For example, U.S. military dependents living in Germany may work for a German or other employer without losing their SOFA status in most cases. Spouses similarly may work in South Korea or Japan, but varying requirements, such as acquiring a work permit, must be met.

In Italy, those who want to work and keep their SOFA status are limited to on-base jobs, which frequently are lower-paying positions in retail, child care or recreation.

Because each SOFA was constructed with an individual nation, there is no specific explanation as to why some countries make it more difficult for military dependents to work, Goodall said. The agreements were established decades ago and often included an intent to protect host-nation citizens and their employment opportunities.

You have to set a bar for yourself

Over the last 7 1/2 years, Jessica Olsen and her husband, a Navy sailor, have moved four times, including to NSA Naples.

Each move has meant an exhaustive and, sometimes, demoralizing effort to find a job suited for Olsens education, experience and skills.

At NSA Naples, Olsen eventually received two job offers for work at the child development center and one for a position at the gym. She turned all three down, realizing that she wouldnt be happy working in an environment where her knowledge and skills werent fully used.

You have to set a bar for yourself as to what your self-worth is and I do, the 34-year-old meteorologist and private pilot said. When I look for a job, I do value my self-worth but I also value what I can bring to that job.

It wasnt until she arrived in Naples that Andrea Gill discovered her hope to teach English to Italians living in the Naples area wasnt possible unless she gave up her SOFA status. That wasnt an option, since on-base housing and commissary access were among the benefits she would have lost, Gill said.

Gill accepted a full-time position working in the toddler room at NSA Naples child development center. But the job wasnt a good fit and she ultimately quit.

Ive put the time in to get a degree. Thats like six years of education Im basically not using, said Gill, who holds a masters degree. I feel like my skills are going down.

Nearly half of military spouses hold bachelors or advanced degrees, and 31%-53% of military spouses report being underemployed, according to the Deloitte report.

Part of the difficulty for the thousands of spouses in Italy is that there arent many jobs for U.S. workers on base.

At NSA Naples, 56% of the 1,445 occupied full-time positions funded through appropriated funds are filled by Italian citizens. Appropriated fund jobs vary in salary and responsibility, but they include professional and career-oriented positions.

The remainder are filled by U.S. citizens, and of those, 185 are spouses. There were another 83 vacant jobs open to U.S. citizens, base figures showed in November.

The base also employs 136 people full-time through the non-appropriated fund, or NAF, excluding the Navy Exchange and Naval Criminal Investigation Service. Of those, 57% are held by U.S. citizens, with more than half of those positions held by active-duty dependents. There were 21 vacant NAF positions available to all U.S. citizens, according to the November data.

Making sure our spouses and dependents have the resources and opportunities they need to continue working is a priority for us, said Gilliam, who noted that Navy family support centers offer information, such as search strategies and resume writing, for job seekers.

Rebecca Armbrister considers herself lucky. Not long after she and her active-duty husband arrived in Naples, she got a job that was similar to the work she did in the U.S. But Armbrister said she knows many highly skilled spouses who cant get jobs on base.

That just bothers me, said Armbrister, who wants base officials to take a more holistic approach to hiring, such as looking beyond a resume job title and seeing how skill sets can be used in a variety of positions. Theres a lot of talented and educated people here who want to work and sometimes they just need an opportunity.

Jessica Smith, the spouse of a Navy retiree, said she has seen the same problems play out for many families over the years she has been in Naples. They struggle with paying bills and saving for the future on a single income. Some have faced dire marital problems, she said.

Smith would like to see the U.S. military make it a priority to renegotiate employment restrictions and enable more off-base opportunities for military dependents in Italy.

Its an issue that impacts everyone and can have really severe consequences, Smith said. Its also not clear to me why it cant be updated.

More information

A Portability Roadmap for Military Spouses and their Employers is a 31-page research paper that includes information about the NATO Status of Forces Agreement as well as details about supplemental agreements and treaties. The paper includes a look at the rules impacting military spouse employment and SOFA status, income taxes and other effects of working in Germany, Brussels, Italy, Japan and South Korea. The paper also offers military spouses and their employers a guide of questions they should consider and steps needed to facilitate their decision-making process when it comes to employment while on an overseas military assignment.

Go here to read the rest:
Sexism and the SOFA: How a 71-year-old US military treaty and Italy's rules derail women's careers - Stars and Stripes

FORT MEADE, Md. The National Security Agency released the 2021 NSA Cybersecurity Year in Review today to highlight how its cybersecurity mission continues to prevent and eradicate threats to the nation's most critical systems.

The Year in Review shows the breadth of the NSA's cybersecurity mission from securing key Department of Defense weapons and space systems, to collaborating with industry analysts to better protect the Defense Industrial Base, to issuing actionable cybersecurity guidance that helps network defenders protect our most sensitive systems from adversary threats.

"While many of our mission successes must remain classified, I'm proud that we can showcase how NSA Cybersecurity helps contribute to securing the nation in this report," said Rob Joyce, NSA Cybersecurity Director. "The successes really show the value NSA Cybersecurity delivers through its foreign threat intelligence insights, partnerships and expertise."

Highlights include:

Click here to check out the full 2021 Year in Review, and visit our library for the cybersecurity information and technical guidance listed above.

Read more:
NSA Releases 2021 Cybersecurity Year in Review > National Security Agency/Central Security Service > Article - National Security Agency