CyberWire Daily - The masterminds behind a $1.5 billion heist.
Episode Date: February 27, 2025
FBI attributes $1.5 billion Bybit hack to DPRK hackers. Cellebrite suspends services in Serbia following allegations of misuse. A Belgium spy agency is hacked. New groups, bigger attacks. Sticky Werewolf strikes again. US DNI orders legal review of UK's request for iCloud backdoor. A cybersecurity veteran takes CISA's lead. DOGE accesses sensitive HUD data. Cleveland Municipal Court remains closed following cyber incident. Our guest today is an excerpt from our Caveat podcast. Adam Marré, Arctic Wolf CISO and former FBI special agent, joins Dave to discuss banning TikTok and increasing regulations for social media companies. And can hacking be treason? Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
You can hear Adam and Dave's full discussion on today's Caveat episode. Listen to Dave and co-host Ben Yelin discuss the issue following the interview on Caveat.
Selected Reading
FBI confirms Lazarus hackers were behind $1.5B Bybit crypto heist (Bleeping Computer)
Cellebrite suspends Serbia as customer after claims police used firm's tech to plant spyware (TechCrunch)
Belgium probes suspected Chinese hack of state security service (The Record)
It's not just Salt Typhoon: All China-backed attack groups are showcasing specialized offensive skills (CyberScoop)
Angry Likho APT Resurfaces with Lumma Stealer Attacks Against Russia (Hackread)
Gabbard: UK demand to Apple for backdoor access is 'grave concern' to US (The Record)
Karen Evans steps into a leading federal cyber position: executive assistant director for cybersecurity at CISA (CyberScoop)
DOGE Gains Access to Confidential Records on Housing Discrimination, Medical Details — Even Domestic Violence (ProPublica)
'Cyber incident' shuts down Cleveland Municipal Court for third straight day (The Record)
Cyber threat shuts down Cleveland Municipal Court for second day (News5 Cleveland)
U.S. Soldier Charged in AT&T Hack Searched "Can Hacking Be Treason" (Krebs on Security)
Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network powered by N2K.
Cyber threats are evolving every second and staying ahead is more than just a challenge,
it's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs
smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company
safe and compliant.
FBI attributes $1.5 billion Bybit hack to DPRK hackers.
Cellebrite suspends services in Serbia following allegations of misuse.
A Belgium spy agency is hacked.
New groups, bigger attacks.
Sticky Werewolf strikes again.
U.S. DNI orders legal review of U.K.'s request for iCloud backdoor.
A cybersecurity veteran takes CISA's lead.
DOGE accesses sensitive HUD data. Cleveland
Municipal Court remains closed following cyber incident. Arctic Wolf's CISO and former FBI
Special Agent Adam Marré joins Dave Bittner to discuss banning TikTok and increasing regulations
for social media companies. And can hacking be treason?
Today is February 27th, 2025. I'm Maria Varmazes, host of the T-Minus Space Daily podcast on the mic for Dave Bittner. And this is your CyberWire Intel Briefing.
The U.S. Federal Bureau of Investigation has confirmed that North Korean hackers were behind
last week's theft of $1.5 billion worth of Ethereum from the Bybit cryptocurrency exchange.
The FBI attributes the hack to an activity cluster tracked as TraderTraitor, which is
tied to Pyongyang's Lazarus Group.
The Bureau provided a list of 51 Ethereum addresses holding assets from the theft, stating
that the FBI "encourages private sector entities, including RPC node operators, exchanges, bridges, blockchain analytics firms,
DeFi services, and other virtual asset service providers to block transactions with or derived
from addresses TraderTraitor actors are using to launder the stolen assets."
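The FBI's request above covers not only the listed addresses but anything "derived from" them, which in practice means walking the transfer graph outward from the list. The following is an added illustration of that screening logic, not code from the FBI, Bybit or any analytics vendor; the addresses and transfers are constructed placeholders rather than the published list, and the taint model is deliberately simple (an address is tainted if it received funds from a tainted address within a hop limit, regardless of amount).

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Transfer:
    tx: str           # transaction id (constructed placeholder)
    src: str          # sending address
    dst: str          # receiving address
    amount_eth: float


# Constructed sample data. The "0xLAUNDER_*" names stand in for addresses on a
# blocklist such as the FBI's; they are not real addresses.
BLOCKLIST = {"0xLAUNDER_A", "0xLAUNDER_B"}

SAMPLE_TRANSFERS: List[Transfer] = [
    Transfer("tx1", "0xLAUNDER_A", "0xHOP1_X", 4000.0),
    Transfer("tx2", "0xHOP1_X", "0xHOP2_Y", 1500.0),
    Transfer("tx3", "0xHOP2_Y", "0xHOP3_Z", 200.0),
    Transfer("tx4", "0xHOP3_Z", "0xHOP4_W", 50.0),
    Transfer("tx5", "0xLAUNDER_B", "0xHOP1_V", 900.0),
    Transfer("tx6", "0xCLEAN_1", "0xCLEAN_2", 10.0),
    # Paying INTO a tainted address does not taint the payer: taint follows
    # the direction funds move, so 0xCLEAN_2 stays clean.
    Transfer("tx7", "0xCLEAN_2", "0xHOP1_X", 1.0),
]


def derived_addresses(transfers: Iterable[Transfer], seeds: Iterable[str],
                      max_hops: int = 3) -> Dict[str, int]:
    """Breadth-first walk of the transfer graph starting at the seed addresses.

    Returns {address: hops}: 0 for a listed address, 1 for a direct recipient of
    listed funds, and so on, stopping at max_hops. Because BFS discovers each
    address first along a shortest path, the recorded hop count is the minimum.
    """
    out_edges: Dict[str, List[str]] = {}
    for t in transfers:
        out_edges.setdefault(t.src, []).append(t.dst)

    tainted: Dict[str, int] = {s: 0 for s in seeds}
    queue = deque(tainted)
    while queue:
        addr = queue.popleft()
        hops = tainted[addr]
        if hops >= max_hops:
            continue
        for nxt in out_edges.get(addr, []):
            if nxt not in tainted:
                tainted[nxt] = hops + 1
                queue.append(nxt)
    return tainted


def screen_transfer(transfer: Transfer, tainted: Dict[str, int]) -> Tuple[str, str]:
    """Decision for one transfer a service is about to process.

    'block' when either side is a listed address, 'hold' (manual review) when
    either side is downstream of one, 'allow' otherwise. The closest link wins.
    """
    hits = []
    for role, addr in (("source", transfer.src), ("destination", transfer.dst)):
        hops = tainted.get(addr)
        if hops is not None:
            hits.append((hops, role, addr))
    if not hits:
        return "allow", "no link to a listed address within the hop limit"
    hops, role, addr = min(hits)
    if hops == 0:
        return "block", f"{role} {addr} is a listed address"
    return "hold", f"{role} {addr} is {hops} hop(s) downstream of a listed address"


if __name__ == "__main__":
    taint = derived_addresses(SAMPLE_TRANSFERS, BLOCKLIST, max_hops=3)
    for addr, hops in sorted(taint.items(), key=lambda kv: kv[1]):
        print(f"{addr:14s} hops={hops}")
    withdrawal = Transfer("tx8", "0xHOP2_Y", "0xEXCHANGE_DEPOSIT", 25.0)
    print(screen_transfer(withdrawal, taint))
```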
Bleeping Computer reports that Bybit CEO Ben Zhou has shared the results of two investigations
into the hack. First, investigators from Sygnia concluded that the root cause of the attack is malicious
code originating from Safe{Wallet}'s infrastructure.
Second, researchers at Verichains added that the attack specifically targeted Bybit by
injecting malicious JavaScript into app.safe.global, which was accessed by Bybit's signers.
The payload was designed to activate only when certain conditions were met.
This selective execution ensured that the backdoor remained undetected by regular users
while compromising high-value targets.
Verichains wrote, "Based on the investigation results from the machines of Bybit's signers and the cached
malicious JavaScript payload found on the Wayback archive, we strongly conclude that the AWS S3 or CloudFront account/API key of Safe.Global
was likely leaked or compromised."
The hack currently stands as the largest heist of any kind in history,
surpassing Saddam Hussein's theft of a billion dollars from the central bank of Iraq in 2003.
Israeli cell phone data extraction firm Cellebrite has dropped the Serbian government as a customer
following a report that the Serbian police had used the company's tools to hack the phones of a journalist and an activist,
according to a report from TechCrunch. Amnesty International published a report in December 2024 asserting that Serbian authorities used Cellebrite's hacking software in combination with an Android-focused spyware tool to covertly
infect individuals' devices during periods of detention or police interviews.
Cellebrite said in a statement,
"We take seriously all allegations of a customer's potential misuse of our technology in ways
that would run counter to both explicit
and implied conditions outlined in our end user agreement. After a review of the allegations
brought forth by the December 2024 Amnesty International report, Cellebrite took precise
steps to investigate each claim in accordance with our ethics and integrity policies. We found it
appropriate to stop the use of our products by the relevant customers at this time."
Belgium has initiated a judicial investigation into an alleged Chinese cyber espionage operation that compromised the email system of its state security service,
or VSSE. Between 2021 and 2023, unidentified Chinese state-sponsored hackers reportedly
siphoned off 10% of the agency's
incoming and outgoing emails.
The attackers exploited a vulnerability in an email security product from Barracuda Networks,
deploying the malware strains SaltWater, SeaSpy, and SeaSide in order to establish backdoors
into compromised systems.
While classified internal communications remained secure, the breach affected an external server
handling communications with government ministries and law enforcement, potentially exposing
personal data of nearly half of the VSSE staff and past applicants.
Belgian officials have refrained from commenting on the specifics, citing the ongoing nature
of the investigation. In 2024, China significantly advanced its cyber-espionage capabilities, with a 150%
increase in nation-state-backed intrusions across all sectors compared to 2023, as reported
by CrowdStrike.
Industries such as financial services, media, manufacturing, industrials, and engineering
experienced triple or quadruple the number
of China-related intrusions.
Notably, CrowdStrike identified seven new China-linked threat groups, five of which
demonstrated specialized skills targeting specific sectors.
Groups like Liminal Panda, Locksmith Panda, and Operator Panda, also known as Salt Typhoon,
focused on telecommunications networks,
with Operator Panda linked to attacks on US and global telecom providers.
These groups have adopted advanced tactics, including the use of operational relay box,
or ORB, networks, which are botnets of compromised edge devices, in order to obfuscate their
activities and maintain persistent access.
This evolution reflects China's long-term investment
in cultivating a highly skilled technical workforce,
enhancing its offensive cyber capabilities
to rival other global users.
While primarily focused on intelligence gathering,
the sophistication and specialization of these groups
pose significant threats to global critical infrastructure.
For instance, Volt Typhoon,
tracked by CrowdStrike
as Vanguard Panda, has targeted logistics networks related to maritime operations, air
transportation, and international travel, underscoring the pressing need for robust
cybersecurity measures to counteract China's expanding cyber-espionage activities.
In early 2025, cybersecurity researchers at Kaspersky's Securelist reported the resurgence
of the Angry Likho advanced persistent threat group, also known as Sticky Werewolf, targeting
organizations in Russia and Belarus.
Active since 2023, Angry Likho APT has been linked to cyber attacks on government agencies
and large corporate contractors within these regions.
The group's modus operandi involves highly targeted spear-phishing emails directed at employees
of major organizations, including governmental bodies and their contractors.
These emails contain malicious RAR archives, embedding harmful shortcut files alongside
seemingly benign documents.
Once the archive is opened, a sophisticated infection chain is initiated,
culminating in the deployment of the Lumma Stealer malware.
This malware is engineered to exfiltrate sensitive information
such as system details, installed software data,
browser cookies, login credentials, banking information,
and cryptocurrency wallet contents.
U.S. Director of National Intelligence Tulsi Gabbard has ordered a legal review of the UK government's secret demand
for Apple to provide a backdoor to access users' iCloud data, according to The Record.
Apple recently said it would stop offering its advanced data protection or ADP feature in the UK rather than comply with the demand.
Gabbard said in a response to a letter from Senator Ron Wyden, Democrat of Oregon, and
Representative Andy Biggs, Republican of Arizona,
"I share your grave concern about the serious implications of the United Kingdom or any
foreign country requiring Apple or any company to create a back door that would allow access
to Americans' personal encrypted data.
This would be a clear and egregious violation of Americans' privacy and civil liberties
and open up a serious vulnerability for cyber exploitation by adversarial actors."
Gabbard also added,
"...my lawyers are working to provide a legal opinion on the implications of the reported
UK demands against Apple on the bilateral CLOUD Act agreement.
Upon initial review of the US and UK bilateral CLOUD Act agreement, the United Kingdom may
not issue demands for data of U.S. citizens, nationals, or lawful permanent residents,
nor is it authorized to demand the data of persons located inside the United States.
The same is true for the United States.
It may not use the CLOUD Act agreement to demand data of any person located in the United
Kingdom."
The Department of Government Efficiency, or DOGE, led by Elon Musk, has obtained access
to the Department of Housing and Urban Development's, or HUD's, Enforcement Management System,
which contains sensitive personal data on individuals alleging housing discrimination,
including domestic violence survivors. This system holds unredacted records such as medical histories, financial documents,
social security numbers, and confidential addresses.
While other agencies have resisted DOGE's attempts to access confidential information,
HUD granted access, raising significant privacy concerns.
DOGE's mission to modernize government technology and reduce improper spending has faced opposition, including legal challenges and
resignations, due to potential privacy violations. The Cleveland Municipal Court
is closed for the fourth day in a row following a cyber incident earlier this
week. The court hasn't disclosed the nature of the incident, but News 5
Cleveland cites an expert
as saying that ransomware is the most likely cause.
The court said in a Facebook post,
"As a precautionary measure, the court has shut down the affected systems while we focus
on securing and restoring services safely.
These systems will remain offline until we have a better understanding of the situation.
All internal systems and software platforms will be shut down until further notice." The Ohio National Guard and Ohio Cyber Reserve are assisting
in their response.
Arctic Wolf's CISO and former FBI Special Agent Adam Marré joins Dave Bittner to discuss
banning TikTok and increasing regulations for social media companies.
And a soldier who Googles "can hacking be treason?"
finds out the hard way.
You realize your business needs to hire someone yesterday.
How can you find amazing candidates fast?
Well, it's easy.
Just use indeed.
When it comes to hiring,
Indeed is all you need. Stop struggling to get your job post noticed. Indeed's Sponsored
Jobs helps you stand out and hire fast. Your post jumps to the top of search results, so
the right candidates see it first. And it works. Sponsored jobs on Indeed get 45% more
applications than non-sponsored ones.
One of the things I love about Indeed
is how fast it makes hiring.
And yes, we do actually use Indeed for hiring
here at N2K Cyberwire.
Many of my colleagues here came to us through Indeed.
Plus, with sponsored jobs, there are no subscriptions,
no long-term contracts.
You only pay for results.
How fast is Indeed?
Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide.
There's no need to wait any longer.
Speed up your hiring right now with Indeed. And listeners to this show will get a $75 sponsored job credit to get your jobs more
visibility at indeed.com slash cyber wire. Just go to indeed.com slash cyber wire right now and
support our show by saying you heard about indeed on this podcast. Indeed.com slash cyber wire.
Terms and conditions apply. Hiring, indeed, is all you need.
Cyber threats are more sophisticated than ever.
Passwords?
They're outdated and can be cracked in a minute.
Cyber criminals are intercepting SMS codes and bypassing authentication apps. While businesses
invest in network security, they often overlook the front door, the login. Yubico believes
the future is passwordless. YubiKeys offer unparalleled protection against phishing for
individuals, SMBs and enterprises. They deliver a fast, frictionless experience that users love.
Yubico is offering N2K followers
a limited buy one, get one offer.
Visit yubico.com/N2K to unlock this deal.
That's Y-U-B-I-C-O.
Say no to modern cyber threats.
Upgrade your security today.
Today, Dave Bittner sits down with Adam Marré from Arctic Wolf
to discuss banning TikTok and increasing regulations
for social media companies.
Right now, we've been presented with what I think
is a false choice or the wrong choice. And that is with TikTok, you know, this went before the Supreme Court as a choice between
free speech and national security, which there are implications and concerns for both.
But the reason that we're at this point is a failure of leadership and a failure of Congress,
our elected officials, to deal with the real issue,
which is right now there is a complete lack of regulation
on technology companies and social media in particular,
which leaves us with few options to address real concerns
like the national security implications of TikTok.
And so now we're using a ban like a sledgehammer instead of a scalpel to deal with this problem.
Do you think, though, either of those arguments are
legit here, the free speech argument, the national security argument? Or is it, as you say, not really getting to the real issue?
Well, those are real concerns, and they both have something to do with TikTok.
There is a real value here we have in the United States of free speech.
And in many court rulings, the Supreme Court has upheld the right of US citizens to have
access to information,
even if it's propaganda from another country, and even if it's to hear speech from
organizations that originate in a foreign nation, even an adversary. So US citizens do have a right and there are free speech concerns there. However, there are also real national security issues here that have come to bear because
you have an app and to call it just a social media app is I believe to not really do it
justice at what it actually is.
But it is a app that is owned by a foreign nation and an adversary in many ways in this
case.
And so its ability to affect life in the United States
to threaten international security is very realistic.
And if you want, I can dive into that security concern.
So TikTok isn't just a fun video app, it's great at that.
And its algorithm is one of the best, but it is just that.
It's a highly sophisticated algorithm
that is a content delivery system,
and it is controlled by a foreign adversary
with no oversight and no transparency
within the United States.
And if you don't think that matters,
imagine if a Chinese-owned company
controlled the front page of the New York Times
or what appeared on Fox News or CNN.
I think many of us would have concerns with that.
More than half of Americans
get at least some, if not most of their news from social media. So it's not just an app,
it's really the equivalent of a broadcast network inside the United States with no US editorial
oversight, no accountability, and with an owner that is beholden to some degree or maybe in a
great degree to the CCP.
We regulate many things in the United States.
We regulate who can own TV stations.
We regulate who can own radio networks, banks.
And many of the reason we do this is for national security concerns to a large degree.
Yet we've let foreign entities own the most powerful attention shaping tools in history, social media platforms
without any meaningful oversight. So that's really what the
concern is with with national security and why TikTok in
particular is different than the others, but it's also the same
in many ways.
You know, I've seen people say that it wasn't supposed to get to this point.
That the whole idea of the ban being the big hammer
was really to get us to the point of someone else buying it.
And it's the fact that that didn't happen
that has got us to the kind of, you know,
call your bluff, ban it or don't point here.
If TikTok divested from their Chinese owners,
does that get us where we need to be
or do we still have the bigger problem
of social media in general?
Well, that's the thing again,
I'd like to go before we were trying to use the ban
as kind of this again, sledgehammer
to deal with this problem.
And so we're like, hey, we're gonna do a game of chicken
here and say, we're going to ban you or you divest.
And what that even looks like is still murky to this day, even with this extension on the
deadline.
But no, it does not address the real issue.
What we really need is a comprehensive framework, data privacy laws, content transparency, algorithmic accountability,
and restriction on foreign ownership for this critical digital infrastructure.
The piecemeal, whack-a-mole approach just isn't going to work. Individual bans aren't going to
work. And if you want proof of that, look at what happened when the ban sort of temporarily went
into place over the weekend, that weekend where it was,
you know, the ban was going to go into place and it stopped appearing on, you know, in the app store
and people's access to it was cut. What did they do? They immediately went to another app.
And of course, this one was also owned by China in many cases. And so it's really not going to solve the problem to just do it for one app.
Now TikTok is amazing.
It's a Leviathan.
It's huge.
It's so popular.
It works really well.
And so it would have an effect, but it would just push people to another app.
So we really need a comprehensive set of tools to deal with this through regulation.
And right now we just have an absolute dereliction of duty
of our elected officials, both sides of the aisle,
for decades to set up anything meaningful
to allow us to deal with this problem.
We just don't have the tools we need.
And so we use a ban and it's just not working well.
What sort of regulations do you think
could be effective here?
Well, one to really think about, well, first of all, I mentioned one, which is foreign ownership of broadcast networks. We just need to have a conceptualization of these social media apps that doesn't just treat them like an online bulletin board,
which is essentially what we're doing right now, or even like a newspaper. Many of the national security arguments that were presented to the Supreme Court were based
on analogies to mail order propaganda or newspapers.
I just don't think any of those analogies, they're apt in some ways, but they fail to
capture how social media apps and how the internet is different, especially with these
algorithms.
We should capture in a different way legally what these entities are and then control their
ownership to a way that satisfies national security concerns and will give us a better
way to deal with it.
So that's one.
Another one is Section 230, and that's really legislation passed back in the 90s that allows these online applications
to be free of any kind of responsibility for the things that are posted on their sites.
And it was very important to pass at the time, but we are way, we're decades beyond the need
for that, especially when it comes to these social media apps.
So one thing that's been suggested, I think, is a very interesting thing that would give us another tool,
is making companies, social media companies,
accountable for what their algorithms serve up people.
So they may not be accountable for individual posts,
but they would be accountable for what
an algorithm serves them up.
So that would help us have additional controls.
And then in addition to that, you can have transparency on what the algorithm is doing
and how it works, and if anyone is putting their thumb on the scale one way or the other
of what the algorithm is serving up.
These kinds of laws, or at least exploring them or working on them, would give us more
tools so that we could...
It wouldn't just be ban TikTok because we think they might be serving up propaganda
or making all these young people who are online feel just that much worse about America and just that much more positive about
other things.
We would know if they were doing that, if there was transparency laws passed and how
these algorithms work.
But not only would it help us with TikTok, it would help us with all the US based companies
like Facebook, Instagram, X, all of these.
We would have the same set of tools that could help us with that problem
and would also address foreign-owned apps like this one.
You can hear Adam and Dave's full discussion on today's Caveat episode.
Following the interview on Caveat, Dave and co-host Ben Yelin discuss the issue.
Do you know the status of your compliance controls right now?
Like right now.
We know that real-time visibility is critical for security, but when it comes to our GRC
programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist, Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you
get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
A U.S. Army soldier, Cameron Wagenius, was recently caught leaking confidential phone
records and attempting to extort AT&T for $500,000.
Prosecutors say he was part of a group of hackers that stole data from Snowflake, a
cloud storage service, accessing records from companies like AT&T, Ticketmaster,
and LendingTree.
AT&T alone had data from 110 million customers stolen and reportedly paid hackers $370,000
to prevent further leaks.
Wagenius, who operated online under the alias KyberPhantom, pleaded guilty to leaking data,
but had also searched for ways to defect to non-extradition
countries and even asked Google, can hacking be treason?
Because nothing says criminal mastermind like crowdsourcing your legal defense from a search
engine.
Authorities found evidence that he attempted to sell stolen information to a foreign military
intelligence service and had a cache of over 17,000 stolen identity documents. Prosecutors argue that he is a flight risk,
and the government is pushing to keep him in custody
while he awaits sentencing,
where he could face up to 20 years in prison. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like the show, please share a rating and review in your podcast app.
Also, please fill out the survey in the show notes or send an email to cyberwire at n2k dot com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector,
from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your team smarter.
Learn how at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm
your host, Maria Varmazes, in for Dave Bittner. Thanks for listening. We'll see you tomorrow.
And now, a message from our sponsor Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue
to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record
payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs that
are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps
and IPs invisible, eliminating lateral movement, connecting users only to
specific apps, not the entire network, continuously verifying every request based on identity
and context, simplifying security management with AI-powered automation, and detecting
threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.