
Daily briefing.

Symantec announces discovery of "DragonFly," a sophisticated cyber campaign directed principally against energy sector targets in North America and Western Europe. Also known as "Energetic Bear," DragonFly employs both espionage and sabotage components, although no large-scale sabotage has yet been reported. The campaign has successfully implanted Havex and Karagany Trojans, although investigators decline to say precisely which firms were compromised.

Attribution remains under investigation, but F-Secure analysts are calling this one on the Russian intelligence organs: appropriate timestamps, Cyrillic text, and names all point to Russia; sophistication points to a state sponsor. DragonFly appears to have begun operations in 2011; its original targets were US and Canadian defense and aerospace firms.

F-Secure has found another campaign, "BlackEnergy," active in Belgium and devoted at least initially to espionage. It emanates from Ukraine or Russia, and researchers speculate plausibly that it represents Russian battlespace isolation preparation in the ongoing conflict with Ukraine. F-Secure thinks diplomats involved with Eastern European tensions should be especially on their guard.

NATO clarifies its Article 5 with respect to cyber attacks: a cyber attack on one will be considered a cyber attack on all. (This doesn't mean airstrikes in response to denial-of-service attacks: responses would be proportionate.)

Cisco finds a spearphishing operation, "String of 'Paerls'," targeting high-worth enterprises with Visual Basic Scripting for Applications exploits.

Much discussion of research ethics in the wake of the Facebook emotional contagion study.

Microsoft hits botnets by taking down No-IP domains, but does a lot of collateral damage in the process.

Notes.

Today's issue includes events affecting Algeria, Bahamas, Belgium, Canada, China, European Union, France, Germany, Greece, India, Ireland, Israel, Italy, Kuwait, Mexico, NATO, Netherlands, New Zealand, Poland, Romania, Russia, Serbia, Singapore, Spain, Sweden, Turkey, Ukraine, United Arab Emirates, United Kingdom, United States.

First, the CyberWire will take a break this Friday as we observe US Independence Day. Normal publication resumes Monday. And second, we're pleased to announce that we'll be devoting special coverage to the SINET Innovation Summit, "connecting Wall Street, Silicon Valley and the Beltway," in New York on July 17. Keynote speakers will be US Deputy Energy Secretary Daniel Poneman and US NSA Director Admiral Michael S. Rogers.

Cyber Attacks, Threats, and Vulnerabilities

Active malware operation let attackers sabotage US energy industry (Ars Technica) "Dragonfly" infected grid operators, power generators, gas pipelines, report warns

Energy companies hit by cyber attack from Russia-linked group (Financial Times) The industrial control systems of hundreds of European and US energy companies have been infected by a sophisticated cyber weapon operated by a state-backed group with apparent ties to Russia, according to a leading US online security group

Dragonfly: Cyberespionage Attacks Against Energy Suppliers (Symantec Security Response) Dragonfly initially targeted defense and aviation companies in the US and Canada before shifting its focus to US and European energy firms in early 2013

Cyberspying Campaign Comes With Sabotage Option (Dark Reading) New research from Symantec spots US and Western European energy interests in the bull's eye, but the campaign could encompass more than just utilities

Symantec's Irish staff lead probe into cyber spy attacks (Irish Times) Dublin-based team identify dragonfly virus and sabotage threat on energy companies

Beware BlackEnergy If Involved In Europe/Ukraine Diplomacy (F-Secure Lab) The universe is full of "Black Energy" and so is cyberspace. Not so very long ago, we wrote about a sample of the BlackEnergy family discovered via VirusTotal. The family is allegedly the same malware used in the cyber-attack against Georgia in 2008. Last Friday, another fresh variant was submitted to VirusTotal. And this time it is more obvious on how it was being distributed: a zip file containing an executable. Again, as was the case earlier this month, the sample was submitted from Ukraine

Cisco uncovers targeted spearphishing threat (ZDNet) The exploit attempt targeted the Visual Basic Scripting for Applications feature in Microsoft Word

Threat Spotlight: A String of 'Paerls,' Part One (Cisco Blogs) This is part one in a two-part series due to the sheer amount of data we found on this threat and threat actor. This particular attack was a combined spearphishing and exploit attempt. As we’ve seen in the past, this can be a very effective combination

Brute force RDP attacks depend on your mistakes (ZDNet) Kaspersky reports that brute force attacks against RDP servers are on the rise. But they don't work unless you have done a poor job securing your server

We Have An APB on CryptoClones (AppRiver) Over the weekend and into this morning we've been seeing a run of malware that uses an interesting technique in order to entice potential victims into falling for its trick. Fear is certainly a social engineering technique that tends to work well and has been used plenty of times in the past. However, it is usually used in fake receipts or withdrawal notices, where the attacker is trying to make the victim believe that someone is making purchases on their behalf or simply taking money right from an account of theirs. In this version, though, the delivery email warns New York City residents of a homicide suspect who is apparently on the loose and possibly on the prowl

Cryptowall Ransomware: What You Need to Know (Collaborista Blog) Cryptowall is "ransomware" — malicious software that takes the data on your computer hostage. It then demands that a financial payment be made (a ransom) in order to regain access to the lost files. Once in place, Cryptowall encrypts a wide variety of file types on victims' computers before asking that a ransom be paid within a specified time period

From the Labs: PlugX — the next generation (Naked Security) We've covered the PlugX backdoor here on Naked Security several times in the past

Not Running Android KitKat? Hackers Could Steal Info from Your Phone (Lumension) Security researchers at IBM have gone public about a critical security vulnerability in the Android operating system that could allow hackers to remotely execute code on users' devices and steal sensitive information

TimThumb Zero-day Exploit Weakens WordPress (Infosecurity) The flaw can allow remote execution

163k individuals affected in Butler Uni data breach (Help Net Security) Personal and financial information of some 163,000 students, alumni, faculty, staff, and past applicants of Indianapolis-based Butler University have been stolen following a hack of the university's computer network

Security Patches, Mitigations, and Software Updates

Apple ships updates, including Snow Leopard (ONLY KIDDING!) (Naked Security) We're kidding about updates to Snow Leopard, of course, not about the updates in general

Microsoft stops Patch Tuesday emails, blames Canada, then does U-turn (Naked Security) Well, it's been a busy few days for Microsoft. First it decided we would all have to kiss its Patch Tuesday emails goodbye

Isolated Heap for Internet Explorer Helps Mitigate UAF Exploits (TrendLabs Security Intelligence Blog) In the recent Microsoft security bulletin for Internet Explorer, we found an interesting improvement for mitigating UAF (Use After Free) vulnerability exploits. The improvement, which we will call the "isolated heap", is designed to provide a separate heap for many of the objects that often suffer from UAF vulnerabilities

Cyber Trends

DDoS attacks are becoming more effective (Help Net Security) Disruptive cyber-attacks are becoming more effective at breaching security defenses, causing major disruption and sometimes bringing down organizations for whole working days, according to a new global study from BT

Number and diversity of phishing targets continues to increase (Help Net Security) The number of phishing sites in the first quarter of 2014 leaped 10.7 percent over the previous quarter, the Anti-Phishing Working Group reports. 2013 was one of the heaviest years for phishing on record, and Q1 2014 perpetuated that trend posting the second-highest number of phishing attacks ever recorded in a first quarter

Hebrew no shield from hackers, phony bank app shows (Times of Israel) Neither language nor a legitimate-looking interface — or even use of an iPhone — can protect users from phishing attacks, say top security mavens

A CISO's Biggest Challenge (Becker's Hospital CIO) The biggest challenge Gaylon Stockman, CISO of Lifespan in Providence, R.I., currently faces is not the complex technical requirements of data protection or incorporating changing laws and regulations into the health system's information security procedures. It's finding a balance between protecting data and ensuring physicians have access to the information they need

Internet Of Things: Current Privacy Policies Don't Work (InformationWeek) Traditional ways to deliver privacy guidelines, such as online postings or click-through mechanisms, don't work with the Internet of Things

Who knew?! There are efforts out there to monetize and secure personal data! (FierceBigData) In response to my last week's post "Could customers charge for their information?," several little birdies whispered in my ear that there are several efforts already underway to enable consumers to do just that — charge you for their data, and hide it from you if you don't pay up. Upon further investigation, here's what I found out

The impact of IoT on IT infrastructure (Help Net Security) Enterprises say they are prepared for the Internet of Things (IoT) and see it as a potential opportunity. However, as it stands today, there may not be enough network capacity to handle the demand that will accompany an anticipated explosion in the number of connected devices

Payment card survey — where does your country sit on the fraud list? (Naked Security) A survey looking at our experiences of payment card fraud, and our reactions to the threat of fraud, has found that 27% of respondents reported being victims of fraud on either debit, credit or prepaid cards in the last five years

Marketplace

CRGT Receives Prime Position on Department of Homeland Security EAGLE II (Digital Journal) CRGT Inc., a leading provider of full life-cycle IT services and an expert in managing complex IT systems for the Federal Government, received one of multiple contract awards under the Department of Homeland Security's (DHS) Enterprise Acquisition Gateway for Leading Edge Solutions II (EAGLE II) Contract Vehicle, Functional Category (FC) 1 — Unrestricted Track. EAGLE II is a DHS Indefinite Delivery Indefinite Quantity (IDIQ) contract vehicle and provides a range of information technology (IT) support services for multiple DHS programs and component agencies. EAGLE II has a five-year base period with one two-year option period

Marillyn Hewson: Lockheed Seeks to Complement Intell Sharing Tech Portfolio With Zeta Associates Buy (GovConWire) Lockheed Martin (NYSE: LMT) has agreed to purchase Zeta Associates, a data-exchange technology provider to the defense and intelligence sectors, for an undisclosed amount

3 Hot Cloud Security Startups Snag Funding (Dark Reading) Tens of millions of venture capital dollars recently have been flowing into some growing cloud security endeavors

Check Point's Security Solutions Bode Well, Risks Persist (Zack's Analyst Blog) On Jun 27, 2014, we issued an updated research report on Check Point Software Technologies Ltd

Leading Cyber Security Company Grateful for Ohio's Warm Welcome (MarketWatch) Lunarline CEO: "We're eager to ramp up staffing for our new office in Kettering, Ohio"

Female Cyber Sleuths Hack Into Silicon Valley's Boys Club (Bloomberg BusinessWeek) Tiffany Rad is turning software-industry gender stereotypes on their head

Raytheon taps ex-Pwnie Express employee to lead sales for cyber products (Boston Business Journal) Raytheon, the Waltham-based defense contractor, announced last week it appointed former Pwnie Express employee Stephen Pace to lead its worldwide sales for cyber products

Products, Services, and Solutions

Comcast raises your electric bill by turning router into a public hotspot [UPDATED] (Ars Technica) Comcast says any extra electricity usage "would be nominal at most"

Virus Bulletin celebrates 25th birthday by making all content free (Virus Bulletin) Neither subscription nor registration required to access content

Lockheed Martin Releases Industrial Defender Platform Update To Improve Critical Infrastructure Cyber Security (Wall Street Journal) Lockheed Martin (NYSE: LMT) today announced the release of the latest version of the Industrial Defender Automation Systems Manager(TM) (ASM), a single platform that addresses cyber security, compliance and change management requirements for industrial control systems (ICS)

Technologies, Techniques, and Standards

Efforts to detect terrorism hampered by mass surveillance, says former NSA technical director (ComputerWeekly) The US National Security Agency (NSA) is collecting too much intelligence data to analyse, one of its former technical directors has warned

Gathering and using threat intelligence (Help Net Security) In this interview, Tomer Teller, Security Innovation Manager at Check Point, talks about the role of threat intelligence in the modern security architecture, discusses how it can help identify sophisticated malware attacks, and illustrates the essential building blocks of a robust threat intelligence solution

5 essential mobile security tips (Help Net Security) It doesn't matter if you're using iOS, Android, Windows Phone or BlackBerry, these tips apply to every mobile device that connects to the Internet

Mitigating the risks created by cyber attacks (SMEWeb) Don't be outbid by hackers and learn from eBay Inc's mistakes

McGraw on assessing medical devices: Security in a new domain (TechTarget) Since 1996 my company has analyzed hundreds of systems — both big and small — built for many different purposes. Recently, as security attention has turned to the healthcare vertical, my company and I have been called on to analyze medical devices. This article is a quick overview of what I've seen, covering both our approach and some of our most common findings

4 password mistakes small companies make and how to avoid them (Naked Security) When it comes to IT security, very small businesses and micro-enterprises are in a tight spot

4 Facebook Privacy Intrusion Fixes (InformationWeek) Facebook may control most of your data, but you can take protective steps. Here's what you need to know

How to achieve better third-party security: Let us count the ways (CSO) Today's connected business world means there are thousands of 'doors' in and out of companies. Experts say there are ways to secure them better, but it will require multiple improvements to contracts with third parties

Design and Innovation

Biocatch behavioural biometrics promises password obsolescence (Electronics Weekly) Software can identify people based solely on the way they use their mouse and keyboard, and it could let us do away with passwords altogether

Research and Development

DHS S&T antes up $95M for cyber research, development (Federal News Radio) The Homeland Security Department is putting up almost $100 million to fund the next generation of cybersecurity technologies

Everything You Need to Know About Facebook's Controversial Emotion Experiment (Wired) The closest any of us who might have participated in Facebook's huge social engineering study came to actually consenting to participate was signing up for the service

Facebook shrugs as 'emotional contagion' research outrages its users (Naked Security) Over the weekend, a paper was published in a prestigious journal by Facebook researchers who, for one week, intentionally modulated the news feeds of Facebook users

Facebook's Emotional Manipulation Study: When Ethical Worlds Collide (Freedom to Tinker) The research community is buzzing about the ethics of Facebook's now-famous experiment in which it manipulated the emotional content of users' news feeds to see how that would affect users' activity on the site. (The paper, by Adam Kramer of Facebook, Jamie Guillory of UCSF, and Jeffrey Hancock of Cornell, appeared in Proceedings of the National Academy of Sciences)

Who's Responsible for the Facebook Research Scandal? An Association Journal (Mizz Information) By now, you've undoubtedly read about the fact that Facebook is using us all as lab rats. Shocker, right? That's just Facebook for you, just one more "oops" in the never-ending parade of privacy breaches

Facebook's emotional experiments on users aren't all bad (Ars Technica) There are ethical doubts about Facebook's study, but it wasn't all wrong

Academia

Rs 115 crore cryptology centre coming up in Kolkata (Economic Times) A first-of-its-kind Rs 115 crore cryptology centre will come up here in the next two years for carrying out research in providing data security to defence and finance sectors

Legislation, Policy, and Regulation

NATO updates cyber defence policy as digital attacks become a standard part of conflict (ZDNet) NATO has updated its cyber defence policy in the light of a number of international crises that have involved cyber security threats

NATO needs a cyber 'exercise range' to help bolster security capabilities, face emerging threats, report says (FierceGovernmentIT) NATO should create an "exercise range" to help its members test and exercise their cyber capabilities and share lessons learned and new concepts with the group

Addressing Cyberthreats and the Risks of a Changing Climate are Among DHS Goals (Emergency Management) Quadrennial review highlights the five missions of the department and how they've evolved

Two Senators Upbraid The Intelligence Community For Insufficient Disclosure (TechCrunch) Consider Senators Al Franken and Dean Heller unimpressed. Today the two Senators, one a Democrat and the other a Republican, released statements disparaging a recent transparency report from the U.S. intelligence community that broke down its activities in incredibly vague fashion

U.S. surveillance disclosure mostly useless to business (CSO) Surveillance report released by the Office of the Director of National Intelligence is too vague to have much meaning

U.S. unveils more export control changes, for military electronics (Reuters) The U.S. government on Monday published another big batch of changes to export control laws affecting military electronics, and said it was on track to finish reviewing remaining categories for possible streamlining by the end of the year

Staunch opponent of reform tapped to head US Patent Office (Ars Technica) Big pharma killed the patent bill, and now a favorite son will head the USPTO

Litigation, Investigation, and Law Enforcement

Court gave NSA broad leeway in surveillance, documents show (Washington Post) Virtually no foreign government is off-limits for the National Security Agency, which has been authorized to intercept information "concerning" all but four countries, according to top-secret documents

Snowden Won't Talk About His Time In Hong Kong — And Now We Know Why (Business Insider) Edward Snowden has provided few details about his flight from the U.S. and subsequent month-long stay in Hong Kong in May 2013

Revisiting Snowden's Hong Kong Getaway (Wall Street Journal) A year after the intelligence thief landed in Moscow, many questions remain about how he ended up in Putin's hands

Microsoft disrupts malware networks and APT operations (Help Net Security) Microsoft's Digital Crimes Unit struck again, and was allowed to seize 22 free domain names in an effort to strike a fatal blow to malware delivery networks run by a Kuwaiti and an Algerian national

Millions of dynamic DNS users suffer after Microsoft seizes No-IP domains (Ars Technica) Legitimate users caught in legal fire designed to take down botnets

Microsoft's takedown of No-IP pushes innocents into the crossfire (CSO) Four million domains have been shut down, despite the fact that Microsoft only wants 18,472 of them

Microsoft No-IP Takedown (Internet Storm Center) Microsoft obtained a court order allowing it to take over various domains owned by free dynamic DNS provider "No-IP". According to a statement from Microsoft, this was done to disrupt several botnets. However, No-IP is crying foul, stating that Microsoft never contacted them to have the malicious domains blocked. Further, Microsoft is apparently not able to properly filter and support all queries for these seized domains, causing widespread disruption among legitimate No-IP customers. According to the court order, Microsoft is able to take over DNS for the affected domains, but because the legitimate domains far outnumber the malicious domains, Microsoft is only allowed to block requests for the malicious ones

Breach Suit Filed Against P.F. Chang's (BankInfoSecurity) Experts say consumer legal action unlikely to succeed

If Brian Krebs is this hated he must be doing some good (TechWorld) Journalists are supposed to report cybercrime. Now one of them is regularly on the receiving end

Virtual currencies used for illegal activities pose real threats to law enforcement (FierceHomelandSecurity) Federal law enforcement and financial regulatory agencies have raised concerns about the use of virtual currencies for illegal activities, according to a recent Government Accountability Office report

Government Still Waiting On US To Answer Cellphone Spy Row Claims (Tribune 242) The government still has not received a formal report from the United States regarding the National Security Agency's reported surveillance of mobile phone calls in the country, Foreign Affairs Minister Fred Mitchell said yesterday

Supreme Court declines to intervene in Street View wiretapping scandal (Ars Technica) Google faces trial over packet-sniffing hardware in its mapping vehicles

Jilted ex-boyfriend avoids jail for Facebook post on woman's account (Ars Technica) But he still gets a $2,700 fine for the things he wrote

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Upcoming Events

INSCOM Cyber Day (Fort Belvoir, Virginia, USA, July 9, 2014) Cyber-industry vendors are invited to participate in the upcoming Cyber Day hosted by the United States Army Intelligence and Security Command (INSCOM), located at Ft. Belvoir. U.S. Army Cyber (AR Cyber)...

SiliconExpert Counterfeit Electronic Component Detection & Avoidance (Webinar, July 10, 2014) Join us for a free 60 minute webinar with Dr. Diganta Das from the University of Maryland's Center for Advanced Life Cycle Engineering (CALCE), which is a research leader in the area of counterfeit electronics...

2nd Annual Oil & Gas Cyber Security Conference (Houston, Texas, USA, July 15 - 17, 2014) This highly interactive, hands-on forum will break down each potential cyber threat specific to the oil and gas industry, as well as tackle key issues including managing communication between OT and IT...

Security Startup Speed Lunch DC (Washington, DC, USA, July 22, 2014) Our goal is to connect the most promising security startups in the world with decision-makers at aerospace, asset-management, banking, communications, defense, energy, healthcare, government, technology...

Seminar: Cybersecurity Framework for Protecting our Nation's Critical Infrastructure (Marietta, Georgia, USA, July 22, 2014) The Automation Federation and Southern Polytechnic State University will co-sponsor the "Cybersecurity Framework for Protecting our Nation's Critical Infrastructure," a free seminar from 8 a.m. to noon...

SHARE in Pittsburgh (Pittsburgh, Pennsylvania, USA, August 3 - 8, 2014) LEARN: Subject-matter experts and practitioners are on-hand at SHARE events to discuss major issues facing enterprise IT professionals today. FOCUS: SHARE provides leading-edge technical education on a variety of topics. Whether you are an IT manager, IT architect, systems analyst, systems programmer or in IT support, SHARE offers focused sessions to benefit all job roles. ENGAGE: At SHARE events, you will experience a wide variety of formal and informal networking opportunities that encourage valuable peer-to-peer interaction...

STOP. THINK. CONNECT. Two Steps Ahead: Protect Your Digital Life Tour (Clarksville, Tennessee, USA, August 5, 2014) The National Cyber Security Alliance (NCSA), a non-profit public-private partnership focused on helping all digital citizens stay safer and more secure online, is coming to TK with its STOP. THINK. CONNECT.

Passwords14 (Las Vegas, Nevada, USA, August 5 - 6, 2014) Passwords is the first and only conference of its kind, where leading researchers, password crackers, and experts in password security from around the globe gather in order to better understand the challenges...

BSidesLV 2014 (Las Vegas, Nevada, USA, August 5 - 6, 2014) We have an amazing array of speakers each year, covering topics such as Penetration Testing, Forensics, Incident Response, Risk, and everything in between. We have a Lockpick Village, the Squirrels in...

4th Annual Cyber Security Training Forum (Colorado Springs, Colorado, USA, August 5 - 6, 2014) The Information Systems Security Association (ISSA) — Colorado Springs Chapter and FBC, Inc. will co-host the 4th Annual Cyber Security Training Forum (CSTF). CSTF is set to convene from Tuesday August...

DEF CON 22 (Las Vegas, Nevada, USA, August 7 - 10, 2014) The annual hacker conference, with speakers, panels, and contests. Visit the site and penetrate to the schedules and announcements.

South Africa Banking and ICT Summit (Lusaka, Zambia, August 8, 2014) The South Africa Banking and ICT Summit is the exclusive platform to meet industry thought leaders and decision makers, discover leading edge products and services and discuss innovative strategies to...

SANS Cyber Defense Summit and Training (Nashville, Tennessee, USA, August 13 - 20, 2014) The SANS Institute's Cyber Defense Summit will be paired with intensive pre-summit hands-on information security training (August 13-18). This event marks the first time that SANS will conduct a training...
