CyberWire Daily - FCC draws the line on Chinese tech threats.

Episode Date: March 13, 2025

The FCC looks to counter Chinese cyber threats. Turmoil at CISA. Volt Typhoon infiltrated a power utility for over 300 days. Europe takes the lead at Ukraine’s annual cyber conference. Facebook discloses a critical vulnerability in FreeType. A new Android spyware infiltrated the Google Play store. Our guest is Alvaro Alonso Ruiz, Co-Founder and CCO of Leanspace, who is discussing software in space with T-Minus Space Daily host Maria Varmazis. A UK hospital finds thousands of unwelcome guests on their network.

Selected Reading
US communications regulator to create council to counter China technology threats (Financial Times)
‘People Are Scared’: Inside CISA as It Reels From Trump’s Purge (WIRED)
CISA cuts $10 million annually from ISAC funding for states amid wider cyber cuts (The Record)
Arizona Secretary of State Proposes Alternative to Defunded National Election Security Program (Democracy Docket)
China's Volt Typhoon Hackers Dwelled in US Electric Grid for 300 Days (SecurityWeek)
Chinese cyberspies backdoor Juniper routers for stealthy access (Bleeping Computer)
At Ukraine’s major cyber conference, Europe takes center stage over US (The Record)
Facebook discloses FreeType 2 flaw exploited in attacks (Bleeping Computer)
New North Korean Android spyware slips onto Google Play (Bleeping Computer)
NHS Trust IT head: ‘Our attack surface was much bigger than we thought’ (Computing)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:33 The FCC looks to counter Chinese cyber threats. There's turmoil at CISA. Volt Typhoon infiltrates a power utility for over 300 days. Europe takes the lead at Ukraine's annual cyber conference. Facebook discloses a critical vulnerability in FreeType. A new Android spyware infiltrates the Google Play Store.
Starting point is 00:02:21 Our guest is Alvaro Alonso Ruiz, co-founder and CCO of Leanspace, discussing software in space with T-Minus Space Daily host Maria Varmazis. And a UK hospital finds thousands of unwelcome guests on their network. It's Thursday, March 13, 2025. Thanks for joining us here once again. It is always great to have you with us. The FCC is establishing a National Security Council to counter Chinese cyber threats and maintain U.S. leadership in key technologies like AI, 5G, and quantum computing.
Starting point is 00:03:29 FCC Chair Brendan Carr says the Council will focus on mitigating cyber attacks, espionage, and reducing supply chain reliance on adversaries. It will be led by Adam Chan, a former House China Committee lawyer. The FCC's role has expanded amid U.S.-China tech tensions, overseeing telecom security, drone certification, and subsea cables. A key early focus is Salt Typhoon, the large-scale Chinese cyberattack on U.S. telecom networks. The move aligns with broader U.S. efforts, like the CIA's China Mission Center, to curb Beijing's tech ambitions.
Starting point is 00:04:12 China's embassy dismissed the concerns, urging a cooperative approach to U.S.-China relations. In a piece for Wired, Eric Geller makes the case that the Cybersecurity and Infrastructure Security Agency is in crisis due to mass layoffs and political pressure under President Donald Trump's administration. Employees report low morale, leadership failures, and weakened cybersecurity efforts, making it harder to protect U.S. infrastructure from cyber threats. Many critical staffers have been dismissed, and partnerships with international and private sector allies are unraveling.
Starting point is 00:04:50 CISA's election security efforts have been suspended, and key AI and open-source security programs are being dismantled. Employees fear political retaliation, and the agency's acting director, Bridget Bean, is accused of prioritizing Trump's agenda over national security. Restrictions on communication, frozen projects, and uncertainty about future layoffs have left employees demoralized and overwhelmed. With adversaries like Russia, China, and Iran ramping up cyber threats, former officials warn that CISA's decline could have dire consequences for U.S. security
Starting point is 00:05:29 and economic stability. Many fear worse is yet to come. Meanwhile, CISA is cutting $10 million in annual funding for MS-ISAC and EI-ISAC, cybersecurity intelligence groups that help state and local governments defend against cyber threats. The move is part of broader budget and staffing cuts under the Trump administration. Experts warn that defunding EI-ISAC leaves election offices vulnerable to foreign cyber
Starting point is 00:05:59 attacks, shifting costs to local taxpayers. Cuts are also undermining international anti-cybercrime efforts, including stopping Southeast Asian scam operations. Critics argue these moves weaken U.S. cyber defenses, leaving critical infrastructure and elections exposed to increasing threats from nation-state hackers. The states aren't taking the ISAC cuts lying down. Arizona Secretary of State Adrian Fontes is proposing VoteISAC, an independent cybersecurity initiative for state and local election offices.
Starting point is 00:06:37 The plan aims to replace EI-ISAC, which previously provided 24-7 threat monitoring and federal intelligence sharing. Without it, counties face a $45 million cybersecurity gap. Fontes has already reached out to states and stakeholders and plans to launch VoteISAC as a nonprofit with support from public officials, philanthropy, and private industry. Chinese threat actor Volt Typhoon infiltrated Littleton Electric Light and Water Departments in Massachusetts, maintaining access for over 300 days before detection in November of 2023.
Starting point is 00:07:17 The attack, discovered during Dragos' OT security deployment, targeted operational technology data, including energy grid operations and spatial layouts. Volt Typhoon, linked to Chinese espionage, is known for persistent access and data exfiltration. Dragos warns the group could escalate to Stage 2 ICS attacks, potentially disrupting critical U.S. infrastructure in the future. Elsewhere, Chinese cyber espionage group UNC3886 is deploying custom backdoors on end-of-life Juniper Networks MX routers, which no longer receive security
Starting point is 00:07:56 updates. The backdoors, based on TinyShell malware, allow data exchange and command execution. Mandiant discovered the attacks in mid-2024, linking them to UNC3886, known for exploiting zero-day vulnerabilities in Fortinet and VMware ESXi. The hackers bypassed Junos OS security by injecting malicious code into trusted processes, circumventing Veriexec protections. This ongoing espionage campaign threatens critical networking infrastructure globally. At Ukraine's Kyiv International Cyber Resilience Forum, Ukraine's major annual cyber conference,
Starting point is 00:08:40 European allies took the lead amid diminished U.S. presence. Last year, the U.S. Department of State and top American cyber officials played key roles, but no Trump administration officials attended this year, highlighting geopolitical tensions between Kyiv and Washington. While Google, Cloudflare, and CrowdStrike partnered with the event, only Mandiant's Sandra Joyce gave a keynote. Discussions focused on European-led cybersecurity strategies, with Ukrainian officials advocating for a collective European cybersecurity framework based on Ukraine's frontline experience. Ukraine formalized ties with the European Cybersecurity Competence Center,
Starting point is 00:09:23 signaling closer European cooperation. Past U.S. cyber aid, including software and funding via USAID, was acknowledged but largely absent from discussions. Ukrainian officials remain hopeful for future U.S. cyber collaborations, though the State Department has reportedly halted funding for cyber diplomacy programs under President Trump. Facebook has disclosed a critical vulnerability in FreeType, an open-source font rendering library widely used in Linux, Android, game engines, and GUI frameworks. The flaw, present in all versions up to 2.13, allows arbitrary code execution and is actively exploited.
Starting point is 00:10:09 The issue stems from an out-of-bounds write when parsing TrueType GX and variable font files. While FreeType patched the bug in February of 2023, older versions remain at risk. Developers are urged to update immediately. North Korean threat group APT37, also known as ScarCruft, deployed KoSpy, an Android spyware that infiltrated Google Play and APKPure via five malicious apps disguised as file managers and security tools. Active since March 2022, KoSpy steals SMS, call logs, GPS data, files, audio, and keystrokes. The malware evades detection by
Starting point is 00:10:55 using Firebase Firestore and encrypted C2 communications. Google has removed the infected apps, but users must manually uninstall them or reset devices. Google Play Protect helps block known versions of KoSpy. Coming up after the break, Maria Varmazis sits down with Alvaro Alonso Ruiz to discuss software in space. And a UK hospital finds thousands of unwelcome guests on their network. Stay with us.
Starting point is 00:13:33 Alvaro Alonso Ruiz is co-founder and CCO of Leanspace. He recently got together with my N2K colleague Maria Varmazis, host of the T-Minus Space Daily. Their discussion centered on software in space. What I saw is that the space industry is amazing, especially there's this new space movement, a lot of new companies spawning, doing amazing stuff. So on the one hand I was very inspired by all the innovation going on,
Starting point is 00:14:22 and on the other hand I was appalled by the state of software in the industry, especially because I had seen software in other verticals. And when I saw that space missions, they were state of the art in many technologies, but in software, they were stuck decades in the past. I was amazed. I couldn't believe it.
Starting point is 00:14:43 So that was kind of the driver for co-founding Leanspace. Tell me a little bit about what you've seen and maybe why are things the way they are? Well, the space industry is inherently risky. So a lot of decisions are made to minimize risks, which makes sense, right? Especially because in the previous decades, space missions were done by engineers for engineers, if you know what I mean. All the missions were kind of R&D in a way. Every mission was a one-off. They were reinventing the wheel over and over again. Everything was a custom implementation. There was massive redundancy being put in the spacecraft and also in the ground. And so they
Starting point is 00:15:32 were trying to minimize risks all across. They were extremely expensive missions. They took forever. So you know, like when finally you launched that satellite, nothing could fail. And it made sense in the past. Right now it doesn't make sense anymore. You see for example very successful companies like SpaceX, they operate in a completely different manner. They actually run their business as a software business. They launch a lot of satellites and some of them fail but most of them succeed and they
Starting point is 00:16:05 have very quick turnaround. They innovate constantly. It's like in software development you work in sprints, you work with close feedback loops, you don't do waterfall approach, you do like agile approach. This is exactly the concept. And still in the space industry, while this kind of Agile development methodologies have been around for, I don't know, over 20 years, the space industry still operates waterfalls. So you have missions that are defined at the outset, every single detailed requirement is carved in stone, and only then you start development. And then nothing can change.
Starting point is 00:16:47 But of course, things change. Because when you have a mission that lasts for years, requirements will change. So then things start to change, and then it's chaos all across, because introducing changes in a waterfall process is very complex. So what space companies have not realized is that they cannot keep on running hardware businesses because every company in the world is a software business. If you use software to deliver a service to your customers, if you use software to manage your paychecks, you use software to do your planning, to manage your emails, you are a
Starting point is 00:17:24 software company. You just have assets that do things, but you run your business through software. And you have to think as a software business. But in space, we are hardware focused. And that's a limitation. Yeah. That's the thing that I'm curious about. As I mentioned to you before we started recording, I came from cybersecurity. So software is the world that, and when I started doing this job, the differentiation I often heard was, well, that's bits, we're talking atoms,
Starting point is 00:17:53 we're making physical things, we can't do that kind of thing here. Is that just a mental limitation? Is that just something, I mean, obviously they're different. I mean, I'm not saying they're not, but a lot of the pushback I've heard is, you know, we just can't do those things. It's just not possible in the physical space.
Starting point is 00:18:11 Do you buy that? Do you feel that that's not valid? Yeah. Of course not. Yeah, yeah. Of course not. Like, all the industries across the world, they're digitalizing. I mean, this concept of digital transformation is a thing.
Starting point is 00:18:32 And even like the very aging industries, like banking, for example, they are undergoing this digital transformation because they have realized the risks of staying anchored in the past are worse than the risks of actually implementing and introducing new technologies into their businesses. I think the problem in space is the mindset. Everyone says that space is hard. It is? Or are we making it hard? Because some things yes, some things no.
Starting point is 00:18:59 For example, today I know of a constellation of Earth observation satellites, which is operated using Windows 95. I'm not kidding. Not kidding. Oh, goodness. So can you imagine? I mean, you have a background in cybersecurity. Can you imagine the risks these people are taking?
Starting point is 00:19:21 It's insane. And when you talk to them and you say, hey, why don't you use, you can migrate your control center into a cloud native, cyber secure infrastructure, resilient. And they say, no, no, that's risky. Really? You're a pretty long system that is not maintained since 20 years. It's really frustrating. A few weeks ago, I was speaking at an event, I was on stage,
Starting point is 00:19:48 and it was a panel on artificial intelligence, of course, AI. Of course. Everyone talks about AI. And it was the third time I was on stage talking about how can we leverage AI in the space industry. And it was extremely frustrating, because it's like, how can we leverage AI if we are using technologies from the 70s when we're using these connected systems that don't talk to each other? When operators are sending commands manually, literally typing the commands and sending
Starting point is 00:20:18 them manually to spacecraft, you cannot use AI. We've missed a technological step. So first, you need an infrastructure that connects everything together. So you have all your data harmonized, standardized, usable. So that with this data, you can actually train your AI models. And then when after the outset of the AI algorithms,
Starting point is 00:20:43 you need actionable insights that you can actually action. So you need a place where you bring it back, you bring back this output, and you can do something with it. So you need this infrastructure that enables you to connect data in and out. And this doesn't exist in the space industry. Very, very few companies have something like this. They all have distinct systems, different technologies, incompatible. It doesn't work. So that was actually the trigger of me starting to be more vocal about, you know, the inherent limitations we see in the space industry.
Starting point is 00:21:16 No one is doing anything about it. So I'm trying to step up and, you know, and change things. I think for folks who are outside of the space ecosystem, there is that general assumption that while space is either really, really behind or really, really advanced, one or the other, or both at the same time, but I don't know if there's that pipeline of talent going to the space industry from the software side. That's a whole other conversation. But I'm so curious about, as you said, that it's a mindset issue, how we go about shifting that.
Starting point is 00:21:44 I think there's so much to be explored there. Let me answer first to a comment you just made. Like, do you have software talent entering the space industry? Because this is a question that was asked in this last AI panel. And the question is that this is part of the problem. Because the space industry is plagued
Starting point is 00:22:04 by aerospace engineers, not by software developers. So when a software developer joins the industry, and instead of working like in APIs or like microservices or like AI, they have to maintain code written in Fortran in the 70s. I'm not kidding, this is the case.
Starting point is 00:22:27 I know. I believe it. It's a nightmare for a developer though. We don't have good software talent entering the industry. All the companies we work with, the people writing the ground software are typically aerospace engineers. They don't know how to code. And they're typically reusing libraries and things from way back because they're flight proven, they're validated, open source. There's so many open source tools in the industry
Starting point is 00:22:50 that people use. There's a huge risk to open source libraries. Some of them are right. Some of them, they're not because they might have a bug that someone introduced during the 90s and no one is maintaining this, no one knows and no one will know. It's a huge risk.
Starting point is 00:23:08 So technical debt. Yeah, technical debt is a huge problem. Yeah. I was going to say, I'm imagining a software engineer looking for a really exciting job and the prospect of going to facing what you just mentioned, they have a lot of options. I'm not sure they'd want to take that on. I don't know how one fixes that. But anyway, I wanted to hear your thoughts.
Starting point is 00:23:27 What do we do? Not about me, it's about you. The first thing we have to do is educate the market. And that's what I'm trying to do. Because I mean, the problem is that it's a lack of knowledge. There's a lack of knowledge that actually modern software technologies reduce risk. They reduce costs. they reduce delays.
Starting point is 00:23:47 There's a massive advantage that people need to understand. That's the first thing, changing the minds. The second thing is that we need phased transitions because we cannot just like disconnect a control center flying satellites and connect another one. It doesn't work. So we need a middleware layer
Starting point is 00:24:05 that connects legacy systems with cloud-based applications. Kind of an integration platform. And that's what we're doing at Leanspace, for example. We have an integration platform that can connect to all the hardware, all the different legacy software systems, and you can build applications with all this data that has been centralized.
Starting point is 00:24:26 It also enables to break down monolithic architectures into microservices. And then the third thing I would say is like most of the systems in the space industry are based on-premise because the cloud, you know, is like, oh, cloud sounds like dangerous or insecure, or public is like security of my data. But actually, a lot of times, cloud providers have much better security than you have in your own basement. Some missions, of course, they need to be
Starting point is 00:24:59 air-gapped because of obvious reasons, but some don't need to be. So I think adopting hybrid cloud approaches and gradually migrate functionality as we are comfortable with or as the mission requires makes sense. So I think that's how I would take it. And there are technologies out there that enable this transition,
Starting point is 00:25:24 but the first step is actually willing to do so. Be sure to check out the T-Minus Space Daily podcast wherever you get your favorite podcasts.
Starting point is 00:26:12 And finally, our device inventory desk tells us that the Princess Alexandra Hospital in
Starting point is 00:27:11 the UK recently discovered that PlayStations, coffee machines, and even passing electric cars were connecting to its network. Deputy Director of ICT, Geoffrey Wood, said, "Our attack surface was bigger than we thought," after finding between five and ten thousand unknown devices lurking in their system. This alarming revelation came during a trial of a cyber-exposure platform, part of a broader tech modernization effort. With no dedicated cybersecurity team, the hospital's infrastructure staff handles security, integrating automated tools, XDR, and AI-driven protections.
Starting point is 00:27:52 Network segmentation has even freed the marketing team to use Apple devices, which were previously banned. However, zero-trust security remains a distant dream. Deputy Director Wood says the hospital is embracing a one-NHS partnership model rather than siloed vendor relationships, but warns, "This isn't just cyber risk, this is risk. Attacks could harm our patients." There's nothing like a cybersecurity audit to find out your MRI machine shares a network with somebody's PS5. And that's the CyberWire. For links to all of today's stories, check out our daily briefing
Starting point is 00:28:47 at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner.
Starting point is 00:29:25 Thanks for listening. We'll see you back here tomorrow.
