Daily briefing.

The Organisation for Security and Cooperation in Europe (OSCE) sustained a cyber espionage attack last month. The OSCE disclosed the attack yesterday but said it had insufficient evidence to attribute it to any particular actor. Le Monde is not so coy: its sources (in an unnamed "western intelligence service") tell it the intruder was Fancy Bear. The OSCE is an intergovernmental human rights and confidence-building organization that has been monitoring the fighting in eastern Ukraine.

Fancy Bear is widely believed to be Russia's GRU, and is generally thought responsible for supporting Russian hybrid warfare in Donbass and compromising networks of US political parties during the last election cycle. That latter activity may still prompt long-threatened US retaliation—Senators are talking about sanctions, and observers think covert US cyber operations against Russian targets a possibility.

Another large distributed denial-of-service attack was observed before Christmas. Imperva says its Incapsula network mitigated a 650 Gbps attack that had nothing to do with any Mirai botnet. Mirai recruits compromised IoT devices, but source-IP spoofing has so far made it impossible to determine what devices were herded into this new botnet, which Imperva calls "Leet." Unlike Mirai's floods, Leet's attack traffic mixed ordinary SYN packets with unusually large SYN packets padded with payloads, a pattern that distinguishes it from a conventional SYN flood.
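As an added example (not code from Imperva's report or from the CyberWire), the following Python script shows the kind of check a defender could run over captured traffic to spot the Leet pattern: SYN segments that carry a payload, which, outside TCP Fast Open, a legitimate handshake does not do. The packet bytes are constructed inline for the demonstration, the 500-byte threshold is an assumed cut-off, and the parser handles plain IPv4/TCP only.

```python
import socket
import struct
from collections import Counter

TCP_SYN = 0x02
TCP_ACK = 0x10


def build_tcp_packet(src_ip, dst_ip, flags, payload=b"", sport=40000, dport=80):
    """Build a minimal IPv4+TCP packet (no options; checksums left zero).

    Used only to construct sample traffic for this example.
    """
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp_hdr = struct.pack("!HHLLBBHHH",
                          sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_tcp_packet(raw):
    """Return (src_ip, tcp_flags, payload_len) for an IPv4/TCP packet, else None."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4                    # IPv4 header length in bytes
    total_len = struct.unpack("!H", raw[2:4])[0]  # IP total length field
    if raw[9] != 6 or len(raw) < ihl + 20:        # protocol 6 = TCP
        return None
    src_ip = socket.inet_ntoa(raw[12:16])
    data_off = (raw[ihl + 12] >> 4) * 4           # TCP header length in bytes
    flags = raw[ihl + 13]
    payload_len = total_len - ihl - data_off
    return src_ip, flags, max(payload_len, 0)


def summarize_syn_traffic(packets, large_threshold=500):
    """Count SYN segments and flag those carrying data (the Leet signature)."""
    stats = {"syn": 0, "syn_with_payload": 0, "large_syn": 0}
    sources = Counter()
    for raw in packets:
        parsed = parse_tcp_packet(raw)
        if parsed is None:
            continue
        src_ip, flags, payload_len = parsed
        # A pure SYN (not SYN/ACK) opens a handshake and normally has no data.
        if flags & TCP_SYN and not flags & TCP_ACK:
            stats["syn"] += 1
            sources[src_ip] += 1
            if payload_len > 0:
                stats["syn_with_payload"] += 1
            if payload_len >= large_threshold:
                stats["large_syn"] += 1
    # Many distinct sources with one SYN each is consistent with spoofing.
    stats["distinct_sources"] = len(sources)
    return stats


# Constructed sample traffic (TEST-NET addresses; not a real capture).
SAMPLE_PACKETS = [
    build_tcp_packet("198.51.100.1", "192.0.2.1", TCP_SYN),
    build_tcp_packet("198.51.100.2", "192.0.2.1", TCP_SYN),
    build_tcp_packet("198.51.100.3", "192.0.2.1", TCP_SYN),
    # Leet-style SYNs: large padded payloads from apparently spoofed sources.
    build_tcp_packet("203.0.113.10", "192.0.2.1", TCP_SYN, b"A" * 800),
    build_tcp_packet("203.0.113.11", "192.0.2.1", TCP_SYN, b"B" * 800),
    build_tcp_packet("203.0.113.12", "192.0.2.1", TCP_SYN, b"C" * 800),
    build_tcp_packet("203.0.113.13", "192.0.2.1", TCP_SYN, b"D" * 800),
    # Small SYN payload: suspicious but under the size threshold.
    build_tcp_packet("203.0.113.20", "192.0.2.1", TCP_SYN, b"E" * 100),
    # Normal traffic that must not be counted as SYNs.
    build_tcp_packet("192.0.2.1", "198.51.100.1", TCP_SYN | TCP_ACK, sport=80, dport=40000),
    build_tcp_packet("198.51.100.1", "192.0.2.1", TCP_ACK, b"GET / HTTP/1.1\r\n" * 12),
]


def analyze_sample():
    """Run the summary over the constructed sample."""
    return summarize_syn_traffic(SAMPLE_PACKETS)


if __name__ == "__main__":
    print(analyze_sample())
```

On a real capture, feed `summarize_syn_traffic` the raw IPv4 frames and watch the ratio of `syn_with_payload` to `syn` over a short window; a handful of hits is noise, a sustained majority with a large `distinct_sources` count is the Leet shape.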

Two threats affecting Android systems come to light. One, the "Switcher" Trojan, runs on an Android device and attacks the TP-Link router of whatever WiFi network that device joins, then rewrites the router's DNS settings, so every client behind the router is silently redirected, not just the infected phone. The second threat is to smart TVs: a Cyber.Police ransomware variant bricks LG TVs running Android. LG seems to have been able to help affected customers unbrick their sets.


Today's issue includes events affecting Canada, China, Germany, India, Israel, Democratic Peoples Republic of Korea, Nigeria, Russia, Ukraine, United States.

A note to our readers: New Year's Day falls on Sunday, and so we'll take a break on Monday, January 2nd. Other than that we'll publish on our normal schedule. Best wishes for the new year from all of us at the CyberWire.

You can find information security lessons everywhere. We think we see some in the new Star Wars flick, "Rogue One." Here's a thought: the Empire's contractors on Eadu were apparently less than fully NISPOM compliant. Didn't Director Krennic require them to self-certify? (For background on NISPOM, see this account of a CRTC symposium, and lawyer up, padawans. Even the Empire has privacy and employment laws. We're pretty sure...although Krennic's HR policies seem a little strict...)

The CyberWire podcast this week offers a series of end-of-year long-form (but still brief) episodes. We're running extended interviews that include never-before aired conversations with some of our most interesting partners and guests. Our normal programming returns on January 3rd. If you've been enjoying the podcasts, please consider giving us an iTunes review.

You may also find the special edition of our Podcast of interest—the topic is venture capital. In it we examine the current state of investment in cyber security, speak to experts in the field, and learn from top cyber security-focused venture capitalists about what they expect before they invest.

Cyber Attacks, Threats, and Vulnerabilities

Russia suspected of being responsible for a cyber attack against the OSCE (Le Monde) The Vienna-based organisation, charged among other things with observing the ceasefire in Ukraine, has been the target of a large-scale attack attributed to Moscow

OSCE victim of cyber attack (Reuters) The Organisation for Security and Cooperation in Europe has been the target of a cyber attack, a spokeswoman said on Wednesday

Group That Monitors Ukraine Conflict Suffers Cyber-Attack (ABC News) The organization charged with monitoring the Russia-fomented conflict in eastern Ukraine confirmed on Wednesday that it suffered a data breach “compromising the confidentiality” of its computer network

Is Russia Responsible for a Cyber Attack Against the OSCE? (Foreign Policy) The Organization for Security and Cooperation in Europe, a rights watchdog that for more than two years has monitored the ground war between Ukrainian forces and Russian-backed separatists, acknowledged Wednesday it had been hacked. The likely culprit, according to Le Monde: Russia

Malware in Ukraine armed forces app linked to DNC hackers (SC Magazine) A malicious remote access toolkit recently found in an app used by Ukrainian military forces is an Android version of the same proprietary malware that helped hackers steal files from the Democratic National Committee, researchers from CrowdStrike have reported

Another Massive DDoS Closes Out 2016, But Mirai Not To Blame (Dark Reading) Using a new malware variant called Leet, the 650 Gbps DDoS attack matched Mirai's floods of traffic

650Gbps DDoS Attack from the Leet Botnet (Imperva Incapsula) As the end of the year approaches, it’s natural to contemplate the future and look for signs of things to come. Sometimes, however, you don’t have to search too hard. Sometimes, these “signs” hit you like a ton of bricks

Switcher Android Malware Hacks TP-Link Routers, Changes DNS Settings (Bleeping Computer) An Android trojan named Switcher (Trojan.AndroidOS.Switcher) targets Android devices in order to take over local WiFi routers and hijack the web traffic passing through them

Android Trojan Switcher Infects Routers via DNS Hijacking (Threatpost) A new Android Trojan uses a victims’ devices to infect WiFi routers and funnel any users of the network to malicious sites. The malware doesn’t target users directly – instead its goal is to facilitate further attacks by turning victims into accomplices

LG Smart TV Screen Bricked After Android Ransomware Infection (HackRead) The victims have been asked to pay $500 to get their TV unlocked

Android Ransomware Infects LG Smart TV (Bleeping Computer) Security firms have been warning us for more than a year about the possibility of Android malware jumping from phones and tablets to other Android-powered devices, such as smart TVs

Ransomware Economics: Why the Threat is Here to Stay (Infosecurity Magazine) The concept of extorting a victim for money is nothing new; in fact it’s older than the internet by many centuries. Over the years, however, malware has evolved from spying on users and harvesting information, to promoting malicious links for clickbait, to the current straightforward tactic of ‘give us your money'

Security Alert: GootKit and Godzilla Infostealers Target Victims’ Financial Information (Heimdal Security) These examples show how cyber attackers operate to collect & steal your financial data

Updated Sundown Exploit Kit Uses Steganography (Trend Micro) This year has seen a big shift in the exploit kit landscape, with many of the bigger players unexpectedly dropping out of action. The Nuclear exploit kit operations started dwindling in May, Angler disappeared around the same time Russia’s Federal Security Service made nearly 50 arrests last June, and then in September Neutrino reportedly went private and shifted focus to select clientele only. Now, the most prominent exploit kits in circulation are RIG and Sundown. Both gained prominence shortly after Neutrino dropped out of active circulation

'Frequent flyer points put at risk by website flaws' (BBC News) Airline booking systems lack basic security checks that would stop attackers changing flight details or stealing rewards, warn experts

Holiday Inn Parent IHG Probes Breach Claims (KrebsOnSecurity) InterContinental Hotels Group (IHG), the parent company for more than 5,000 hotels worldwide including Holiday Inn, says it is investigating claims of a possible credit card breach at some U.S. locations

Agent applications for Nevada’s medical marijuana program exposed (CSO) Altering the URL enables anyone to view submitted applications

Facebook Doesn’t Tell Users Everything It Really Knows About Them (Pro Publica) The site shows users how Facebook categorizes them. It doesn’t reveal the data it is buying about their offline lives

Security Patches, Mitigations, and Software Updates

Critical PHP 7 flaws detected and patched, Check Point (SC Magazine) Security researchers found three zero-day vulnerabilities in PHP 7, all of which could prove extremely dangerous to any site using the web programming language

Cyber Trends

How Artificial Intelligence Will Solve The Security Skills Shortage (Dark Reading) Unlike industries that fear the intrusion of AI, the infosec world is embracing this revolutionary technology, and the seismic changes it will bring to threat detection and mitigation

Four New Normals for 2017 (Threatpost) Let’s not talk about cybersecurity predictions for 2017. Let’s talk instead about new normals, things that have ceased to be novel because, well, they happen all the time and everywhere

What's Ahead for 2017: Predictions from the RSAC Advisory Board (RSA Conference) After an eventful year, it can be comforting to put a framework around the uncertainty of the future and try to look ahead at what next year may bring. And it’s in that spirit that we talked to the RSA Conference Advisory Board to find out what they think will happen in the world of cybersecurity as we enter 2017

Encryption in 2016: Small victories add up (Computerworld) The move from SHA-1 to SHA-2, a Congressional victory over backdoors, and the rise of encrypted communications are leading us toward a more secure world

Burrowing Bad? Ransomworms Deepen Crypto-Ransomware Threats in 2017 (IBM Security Intelligence Blog) What’s worse than ransomware? Ransomworms. According to CSO Online, 2017 may be a rough year for information security teams. Combined with evolving cryptography and ransomware techniques, cybercriminals are hoping to burrow even deeper into corporate networks. Here’s a look ahead

Gemalto Index highlights credentials concern (Planet Biometrics) Gemalto has released the findings of its Authentication and Identity Management Index, which revealed that 90% of enterprise IT professionals are concerned that employee reuse of personal credentials for work purposes could compromise security. However, with two thirds (68%) saying they would be comfortable allowing employees to use their social media credentials on company resources, Gemalto’s research suggests that personal applications (such as email) are the biggest worry to organisations

2017 – the tipping point for data being outside your control? (IT Pro Portal) More companies are betting on public Cloud services and applications

66 Percent of U.S. Consumers Have Given Their Phone Passcodes to Others (eSecurity Planet) One in four said something embarrassing has popped up on their phone while someone else was holding it, a recent survey found


Cyber attack will topple major company next year, business lobby group warns (Belfast Telegraph) A cyber attack will topple a major company next year as firms face a growing threat to their security systems from online hackers, according to an influential business lobby group

How Companies Need to Address Cybersecurity Risks in 2017 (Wall Street Journal) Peter Beshar, executive vice president and general counsel of Marsh & McLennan Companies, a global professional services firm that includes Marsh, an insurance brokerage and risk advisor, speaks about the current state of cyberthreats, what companies should be doing to protect themselves and the potential impact the Trump administration will have on cybersecurity

FireEye Inc's Best Moves in 2016 (Fox Business) I've generally been bearish on FireEye (NASDAQ: FEYE), the once-promising cybersecurity firm that lost over 40% of its value in 2016. The company's declining revenue growth, widening GAAP losses, unstable cash flow, and executive exodus all indicate that the stock could fall further next year. However, those challenges shouldn't completely overshadow its accomplishments this year. Let's take a look back at three of FireEye's smartest moves in 2016

Machine learning and artificial intelligence to get massive VC boost – FX automation generation nearing? (Finance Feeds) Pitango is a specialist in financing very successful FX industry ventures. Now the VC firm has launched a $175 million fund for machine learning and artificial intelligence. We take a close look at why this matters and where it will help firms develop and grow

Agencies embrace bug bounty programs (Government Matters) Federal Times editor Aaron Boyd discussed the proliferation of bug bounty programs across government and the January launch of Sightline Media Group’s new cybersecurity hub,

US Air Force Awards Satellite Anti-jamming Contract to Raytheon (Defense News) Raytheon has been awarded a $37 million Air Force contract to support anti-jamming efforts for satellite communications

illusive networks named 'Industry Innovator' by SC Magazine (GSN Magazine) illusive networks today announced that its pioneering Deceptions Everywhere® cybersecurity was selected by SC Magazine as a Next-Generation Security Monitoring and Analytic Innovator in its award-winning annual Reboot '16 Innovators issue

Former FCI Exec Julie Mehan Named MetroStar Systems Director of Cybersecurity Strategy and Alignment (GovConExecutive) Julie Mehan, former Femme Comp Inc. principal cybersecurity analyst, has been appointed as MetroStar Systems‘ new director of cybersecurity strategy and alignment as part of that company’s push to expand its cybersecurity capacity and thought leadership

Products, Services, and Solutions

5 Great 'Starter' Cybersecurity Certifications (Business News Daily) Looking for a career change in the new year? There's no better time to consider a career in cybersecurity: U.S. businesses and government agencies are spending billions of dollars each year to protect their data and assets from malicious attacks, with Forbes reporting that $170 billion will be spent worldwide by 2020

Secure your Chrome browser with the Avast Online Security extension (Windows Report) Google Chrome is the most popular browser among Windows users. Nowadays, hackers are extremely clever and use every possible gateway to reach their goals. In many cases, the main malware entry point is your browser

Here’s North Korea’s Totalitarian Android Tablet (Motherboard) When you think of North Korea, the first thing that springs to mind is probably not a well-featured tablet PC. But that's just what researchers at the Chaos Communication Congress hacking festival revealed on Tuesday

Technologies, Techniques, and Standards

FDA issues new security guidelines so that your pacemaker won’t get hacked (TechCrunch) This week, the US Food and Drug Administration issued a set of recommendations for securing medical devices that could jeopardize the safety and privacy of their users. The report, titled “Postmarket Management of Cybersecurity in Medical Devices,” focuses on security throughout the lifecycle of a device, emphasizing that robust cybersecurity is an ongoing process that requires maintenance and regular software updates, just like any non-medical piece of hardware would

Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff (US Food and Drug Administration) The Food and Drug Administration (FDA) is issuing this guidance to inform industry and FDA staff of the Agency’s recommendations for managing postmarket cybersecurity vulnerabilities for marketed and distributed medical devices. In addition to the specific recommendations contained in this guidance, manufacturers are encouraged to address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device

The Non-Refundable Fundamentals: Estimating the Cost of a Data Breach (Infosecurity Magazine) Quantifying the financial impact of a data breach before it occurs is like assuming you can win roulette using insider trading. How is that? The average cost of a breach per record stolen today is roughly $221, according to research released earlier this year by the Ponemon Institute. Of that figure, one-third is a predictable direct measurement. When estimating the monetary ramifications of a data breach, calculating the direct costs for resolution matters – such as technical services and notifications – is easier than predicting indirect expenditures such as customer retention and employee loss

What is ISR in non-physical domains? (C4ISRNET) Ask commanders what they want more of, and one of the top responses is more intelligence, surveillance and reconnaissance. ISR has become a critical asset in planning operations and understanding trends within a commander’s battlespace. Non-physical domains and maneuver spaces are becoming more prominent in emerging and future conflicts. But how will commanders be able to “see” in cyberspace or the electromagnetic spectrum?

Are APT Reports Still Valuable or Have They Become Marketing Fluff? (LookingGlass) Now that APT reports have been exposed, the “thrill” of discovering and calling out suspected nation state actors engaged in clandestine cyber activity has become almost routine. Excitement over what was once considered a difficult thing to do (detecting “advanced” cyber adversaries) is now expected. And therein lies the problem. The rush to attribute and increase marketing visibility in the wake of such incidents has taken the place of adding value through the exchange of actionable information

33C3: Understanding Mobile Messaging and Its Security (Hackaday) If you had to explain why you use one mobile messaging service over another to your grandmother, would you be able to? Does she even care about forward secrecy or the difference between a private and public key is? Maybe she would if she understood the issues in relation to “normal” human experiences: holding secret discussions behind closed doors and sending letters wrapped in envelopes

PayThink 'Threat intelligence' technology can fight big box data breaches (Payments Source) Financial institutions and e-commerce merchants have become targets of massive financial fraud as cyber criminals have used stolen payment card data from major data breaches, such as the ones involving Wendy’s restaurants in 2015, Home Depot in 2014, and Target in 2013 to make illegal purchases online

Design and Innovation

Mixing biology with technology: what could possibly go wrong? (Naked Security) If you were in the security business a dozen years ago, you’ll remember all the speculation around cellphone malware. The iPhone and other smartphones weren’t yet ubiquitous and attacks against such devices were discussed in the context of some distant future

Ford hits milestone in path to steering-wheel-less, pedal-less autonomous cars (Ars Technica) Company wants to mass-produce self-driving cars for ride-sharing services by 2021


Georgetown research center adds Farsight Security to industry member roster (GSN) The Security and Software Engineering Research Center at Georgetown University (S2ERC) announced today that Farsight Security, Inc., provider of the world’s only real-time DNS intelligence, has become an affiliate member as S2ERC continues to expand its base of industry members

Legislation, Policy, and Regulation

China’s Cybersecurity Law Seeks Scrutiny Of Technology (Dark Reading) Country's top internet regulator releases framework for stricter cyberspace laws, including review of local and foreign technology

China renews calls for tighter cyberspace security (Pakistan Observer) China’s top cybersecurity body reaffirmed its commitment to heightened cybersecurity surveillance on Tuesday, calling for increased scrutiny of local and foreign technology used in industries deemed critical to the national interest

‘Meltdown’ over international cybersecurity agreement (Naked Security) How do you keep dangerous exploit software away from bad guys (and countries) and still let the good guys (security researchers, white-hat pentesters) have it when they need it? It’s never been easy – and it’s even tougher when 41 countries need to agree. They’ve been trying all year… and, for the moment, they’ve just given up

Obama's options on Russian hacks range from covert to military (Bloomberg via the Chicago Tribune) President Barack Obama has vowed that the U.S. will respond to Russian hacking undertaken during the U.S. presidential campaign. Yet the public may never hear about it

U.S. senator says Russia can expect sanctions after cyber attacks (Reuters) Russia and its president Vladimir Putin should expect tough sanctions after cyber attacks during the presidential election won by Donald Trump, U.S. Republican Senator Lindsey Graham said on Wednesday

U.S. losing cyberwar, security chief tells NJ-Israel Commission (New Jersey Jewish News) Christopher Rodriguez, the director of New Jersey’s Office of Homeland Security and Preparedness, warned members of the New Jersey-Israel Commission Dec. 20 that the United States is losing battles of cyberwarfare with “our adversaries"

CMAI Association of India emphasises the need for digital payment laws to check e-frauds (Tech2) As digital payments go up post-demonetisation, the country needs separate digital payment laws and digital payment courts should be established across India along with an appropriate legal framework, the CMAI Association of India (CMAI) said on Wednesday

Litigation, Investigation, and Law Enforcement

The 2016 Election Wasn’t Hacked, But the 2020 Election Could Be (Motherboard) After partial vote recounts in certain states, US election officials found no evidence that votes had been manipulated by a cyberattack on voting machines, security researchers told an audience at the Chaos Communication Congress hacking festival on Wednesday. But, the researchers called for a vast overhaul in voting machine security and related legislation, warning that an attack is still possible in a future election

Lawmakers urge Pentagon to probe Huawei deal (Washington Times) Three Republican members of Congress are urging Defense Secretary Ash Carter to investigate the security risks to American facilities and military forces in South Korea posed by a Chinese telecommunications company’s role in a new wireless network in the country

Trio charged with $4m insider trading by hacking merger lawyers (Register) Up to seven New York law firms targeted, say Manhattan prosecutors

Macau Resident Held In US For Hacking, Insider Trading (Dark Reading) Iat Hong and two others allegedly breached computers of major US law firms and stole confidential exchange on M&A transactions

Germany: Suspected contact of Berlin attacker arrested (Military Times) German prosecutors said Wednesday that they have detained a Tunisian man they think may have been involved in last week's truck attack on a Christmas market in Berlin

Islamic State arrests reveal jihadi threat near seat of U.S. government (Washington Times) Law enforcement agencies have arrested nine Northern Virginia residents on charges of aiding the Islamic State since the terrorist group rose to power in Syria and Iraq in 2014 and launched social media propaganda to attract followers, a government message to police states

Police ask: “Alexa, did you witness a murder?” (Ars Technica) Drowning in hot tub was followed by 140-gallon hose-down recorded by utility

Business Man Pleads Guilty for Operation Resume Hoard (Bleeping Computer) David W. Kent pleaded guilty last week of hacking his former company to boost his current business, which he then tried to sell back to his former firm, together with the stolen data

Sultry Sextortion Sisters Meet Their Match In Nigerian Oil Billionaire (HackRead) Jyoti Matharoo and Kiran Matharoo messed with the wrong Nigerian business tycoon

21 Biggest Cybercriminal Busts Of 2016 (Dark Reading) This year has been a tornado of major cyberattacks and hacker arrests. Here, we look back on the 21 most interesting 'cyberbusts' of 2016

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Upcoming Events

CES® CyberSecurity Forum (Las Vegas, Nevada, USA, January 5, 2017) Now in its second year, the CES® CyberSecurity Forum presented by CyberVista is designed to ensure all stakeholders in developing high tech solutions understand the complexity and the need for action in...

SANS Security East 2017 (New Orleans, Louisiana, USA, January 9 - 14, 2017) Start the year off right by choosing from outstanding, cutting-edge courses presented by our top-rated instructors. SANS is looking forward to an exciting kickoff of 2017 with SANS Security East 2017 in...

Global Institute CISO Series Accelerating the Rise & Evolution of the 21st Century CISO (Scottsdale, Arizona, USA, January 11 - 12, 2017) These intimate workshops address the challenges that Board of Directors are placing on security and risk executives, and how to successfully manage and communicate today’s enterprise and organizational...

Cybersecurity of Critical Infrastructure Summit 2017 (College Station, Texas, USA, January 11 - 13, 2017) An inaugural event to convene thought-leaders, experts, and strategic decision makers from government, industry, and academia to discuss the technology and policy implications of the ever-evolving cyber-threats...

ShmooCon 2017 (Washington, DC, USA, January 15 - 17, 2017) ShmooCon is an annual east coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software and hardware solutions, and...

SANS Las Vegas 2017 (Las Vegas, Nevada, USA, January 23 - 28, 2017) Attend SANS Las Vegas 2017, where SANS will provide outstanding courses in IT security, forensics, and security management presented by the best cybersecurity teachers in the country. At SANS events you...

BlueHat IL (Tel Aviv, Israel, January 24 - 25, 2017) Announcing BlueHat IL – a special edition of Microsoft's leading cyber security conference for top professionals, to be held for the very first time in Tel Aviv, Israel. Over the past 10 years, BlueHat conferences have drawn the brightest minds in security to discuss key industry challenges. And now, BlueHat IL is here to crank it up by exploring and creating new cyber security thoughts and boundaries. This exclusive, by invitation only, single track event will host top cyber security professionals from around the world, who will come together to tackle the present and peek into the future. It will feature brilliant speakers and focus on breakthrough research, key trends and emerging threats in the field. Registration closes December 28.

SANS Cyber Threat Intelligence Summit & Training 2017 (Arlington, Virginia, USA, January 25 - February 1, 2017) Join SANS at this innovative Summit as we focus on enabling organizations to build effective cyber threat intelligence analysis capabilities. Most organizations are familiar with threat intelligence, but...

Blockchain Protocol and Security Engineering (Stanford, California, USA, January 26 - 27, 2017) This conference will explore the use of formal methods, empirical analysis, and risk modeling to better understand security and systemic risk in blockchain protocols. The conference aims to foster multidisciplinary...
