skip navigation

More signal. Less noise.

Daily briefing.

Late December's cyber attack on a Ukrainian electrical utility has been linked to a variant of the BlackEnergy Trojan long disseminated by the "SandWorm" threat actors. The attack produced rolling blackouts in Western Ukraine, but ESET researchers believe the operation sought to affect a much wider area than a single oblast: they've found the malware in at least two other utilities' networks.

The attack was accompanied by a flood of calls to utility support centers, effectively distracting responders through misdirection and some telephony denial-of-service. BlackEnergy includes both persistence and file destruction functionality.

Ukraine's SBU security service unambiguously blames Russia for the operation (the Kremlin has not commented) and Western observers tend to agree. The nature of the attack, ongoing tension between Ukraine and Russia, and the absence of an obvious criminal motive strongly suggest state activity. Coming after revelation of Iranian reconnaissance of a small New York State dam's control system, this attack exacerbates concerns about infrastructure cyber vulnerabilities.

Hackers DDoS the Saudi Ministry of Defense to protest a leading Shiite cleric's execution. (Iran says the hackers are Saudi Shiites.)

As authorities hunt for "Jihadi John," the latest murderous online face of ISIS, the case for Daesh's effective use of crypto strikes observers as increasingly weak.

PlayStation succumbed to a DDoS attack last night (responsibility claimed by the PhantomSquad skids).

Emsisoft reports finding new Java-based ransomware, "Ransom32." It's evasive and works across several operating systems.

Cisco Jabber is vulnerable to man-in-the-middle attacks. No patch or workarounds are as yet available.


Today's issue includes events affecting Canada, China, Estonia, European Union, Iran, Iraq, Ireland, Israel, New Zealand, Poland, Russia, Saudi Arabia, Syria, Ukraine, United Kingdom, United States.

Cyber Attacks, Threats, and Vulnerabilities

Ukraine utility cyber attack wider than reported: experts (Reuters) A central European security software firm said on Monday that a cyber attack last month in Ukraine was broader than initially reported last week when the nation's secret police blamed a power outage on Russia

Из-за хакерской атаки обесточило половину Ивано-Франковской области Больше читайте здесь (ТСН) Прикарпатьеоблэнерго назвало причину отключения электроэнергии, которое имело место накануне, 23 декабря. Причиной стала хакерская атака, сообщает ТСН. Больше читайте здесь

Ukraine faces world's first blackout caused by hackers (The NextWeb) While 2015 was rife with news of hackers stealing data from governments, health insurers and adultery sites, it looks like targeting our energy infrastructure might be the next big thing in cyberattacks

"Russian" BlackEnergy malware strikes at Ukrainian media and energy firms (SC Magazine) Cyber-criminals behind the BlackEnergy trojan made a comeback in 2015, launching attacks against media and energy companies in the Ukraine, according to infosec researchers

BlackEnergy Malware Caused Ukrainian Power Outage, Confirms Researchers (Tripwire: the State of Security) Researchers have confirmed that a variant of the BlackEnergy malware was behind a power outage that occurred around Christmas Eve last year

BlackEnergy APT is back, deleting files and killing computer systems (Help Net Security) The BlackEnergy APT — or SandWorm group, as some researchers call it — has been active since 2007 (at least)

BlackEnergy cyberespionage group adds disk wiper and SSH backdoor to its arsenal (Computerworld) The group recently attacked Ukrainian energy distribution and media companies causing power and data loss

Українські ЗМІ атакують за допомогою Black Energy (CERT-UA) Нещодавно декілька українських ЗМІ у дні проведення місцевих виборів було атаковано невідомими зловмисниками. Про це у мережі оприлюднювалась досить дозована інформація про успішні хакерські атаки, напрямлені на них. До CERT-UA також звернулись з цього приводу і ми вважаємо за важливе повідомити про деякі деталі

First known hacker-caused power outage signals troubling escalation (Ars Technica) Highly destructive malware creates "destructive events" at 3 Ukrainian substations

The Attack We Have Long Predicted Just Occurred: Highly destructive cyber attacks drop a power grid (CTOVision) An article posted in the Ukrainian news services TSN reported that massive outages suffered in the country were caused by highly destructive malware that infected at least three regional power authorities in Ukraine. The site reported that the only way to restore power was to return to manual methods, something that may be hard to do in other nations (including the U.S.)

Experts separate fact from hype in reports of Iranian hacking (Christian Science Monitor Passcode) Recent stories suggest that foreign hackers are making dangerous inroads into utilities, putting critical infrastructure at risk of devastating cyberattacks. Yet, experts say these breaches aren't cause for panic

The 'mind-boggling' risks your city faces from cyber attackers (MarketWatch) During a 2014 cybersecurity drill New York City officials held with intelligence agencies in 2014, the Federal Bureau of Investigation posed several scenarios. What if the city noticed that the 911 system had shut down? What if criminals attempted to coordinate a computer attack on emergency infrastructure with a physical attack?

DDoS Attack Shuts Down Saudi Ministry of Defense Website (Hack Read) A group of unknown hackers conducted a DDoS attack on Saudi Arabian Ministry of Defense website forcing it to stay offline for more than 24 hours

The Flaw in ISIS's Favorite Messaging App (Atlantic) And what it says about the difficulty of encryption

China hacked thousands of Hotmail accounts belonging to Tibetan and Uighur minorities (Security Affairs) After many years, Microsoft admitted that Chinese authorities hacked thousands of Hotmail accounts, belonging to China's Tibetan and Uighur minorities

PlayStation Network is Back Online, Phantom Squad Claims They DDoSed It (Hack Read) A few hours ago it was reported that Sony's PlayStation network on PlayStation Vita, PlayStation 3 and PlayStation 4 were down worldwide

Difficult to block JavaScript-based ransomware can hit all operating systems (Help Net Security) A new type of ransomware that still goes undetected by the great majority of AV solutions has been spotted and analyzed by Emsisoft researchers

Meet Ransom32: The first JavaScript ransomware (Emsisoft Blog) Software as a service (or SaaS) is a relatively new model of how a lot of software companies are conducting their business today — often to great success. So it comes as no surprise that malware writers and cyber crooks are attempting to adopt this model for their own nefarious purposes. In the past year a whole bunch of these "Ransomware as a Service" campaigns appeared, like for example Tox, Fakben or Radamant. Today we want to spotlight the newest of these campaigns

Ransom32: The first javascript ransomware (Internet Storm Center) We have all seen how ransomware is becoming a pretty common trend in cybercrimes. Well, there is a new variant and this one has been build using javascript. This malware fakes the NW.js framework. Once installed, connects to its C&C server on TOR network port 85 to get the bitcoin address and the crypto key used for encryption

Cisco says chat client vulnerable to man-in-the-middle attack (SC Magazine) Californian tech giant Cisco has released an advisory statement explaining that its chat client Jabbar is currently vulnerable to a man-in-the-middle attack

Cisco Jabber STARTTLS Downgrade Vulnerability (Cisco Security Advisory) A vulnerability in the Cisco Jabber client could allow an unauthenticated, remote attacker to perform a STARTTLS downgrade attack

STARTTLS downgrade vulnerability in the Cisco Jabber client (Synacktiv) The Cisco Jabber client exists for different platforms (Windows, iOS, BlackBerry, and Android). This software uses the Jabber1 protocol (XMPP), SIP and SRTP streams to help collaborators, but also partners and customers to communicate more quickly and securely without running a VPN as it is mentioned in the Cisco website

Researchers Out Default Passwords Packaged With ICS/SCADA Wares (Dark Reading) 'SCADAPass' tool debuts; meanwhile, some PLCs found hackable via long, random passwords

18 million targeted voter records exposed by database error (CSO) There were 56 million voters in the database, and more than 18 million of them were further singled out with targeted profile data

The Curious Case of Creepy @FFD8FFDB Twitter Bot Spying and Posting Images (Hack Read) A while ago we reported about a creepy website was showing live footage from 73,000 private security cameras. Now, a Twitter Bot with the aforementioned account name is posting uncanny images with random, incomprehensible pieces to text regularly. Only recently, the man behind the bot has revealed that the Bot posts images from unsecured webcams that it looks for and discovers

Scam IRS emails deliver malware payload (SC Magazine) Just in time for tax season in the U.S., scammers are once again using fake emails from the Internal Revenue Service (IRS) to launch attacks

Security bod watches heart data flow from her pacemaker to doctor via…er, SMS? 3G? Email? (Register) Wow, beats me

2015: The Year Of 'Attacks on Trust' (Dark Reading) Nine attacks that leveraged stolen, compromised, or unprotected cryptographic keys and digital certificates show how easy it is for cybercriminals to bypass security controls and hide their actions

Security Patches, Mitigations, and Software Updates

Google Patches Another Critical Mediaserver Vulnerability (Threatpost) Since last summer's Stagefright vulnerabilities toppled the Android world for a few weeks, researchers inside and out of Google have been taking a close look at not only the maligned media playback engine, but also at Mediaserver where it lives

Google Nexus devices will get their January Android security updates anytime now (Phone Arena) This past summer, following the two episodes of the Stagefright scandal, Google started delivering monthly Android security updates

Cyber Trends

Minimizing Risk in the Face of FCPA Compliance (Legaltech News) Mitratech's paper offers a way for organizations to keep afloat as compliance grows more complex, though not everyone agrees

Upheaval and Flux: Privacy and Data Security in 2015 and Beyond (Legaltech News) Examining the overarching trends and providing practical, actionable advice for managing risk and liability in such challenging times

Demanding accountability: The need for cyber liability (Help Net Security) GCHQ director Robert Hannigan pulled no punches last month when he stated that the free market is failing cybersecurity

Digital divide widens as the Web adopts stronger encryption standard (Christian Science Monitor Passcode) Because the switch to a newer encryption algorithm means older phones won't be able to use basic Web security measures, many in the developing world will be at greater risk from criminals and online surveillance


FireEye bucks tech weakness, rising 4.8% after getting Buy rating (Seeking Alpha) Though equity markets are down sharply, FireEye (NASDAQ:FEYE) has rallied after receiving a Buy rating and $35 target from Summit Research's Srini Nandury

3 Reasons FireEye Will Bounce Back in 2016 (Motley Fool) After a rough 2015, FireEye investors are hoping for a much happier new year

FireEye acquisition rumors resurface (FierceEnterpriseCommunications) Last spring, Cisco executives squashed rumors that it was planning to acquire network threat prevention vendor FireEye, but a Seeking Alpha article has brought those rumors to the forefront again

Israeli malware detection co TopSpin Security raises $7m (GLOBES) Investors in the cyber security startup include Shlomo Kramer, Mickey Boodaei, Zohar Zisapel, and Rakesh Loonkar

Maine entrepreneur's latest venture: Making the Internet safer for everyone (Portland Press Herald) The 38-year-old who — with his partner — sold OkCupid for $50 million in 2011 intends to bring encryption technology to the masses

Wynyard Group inks $27m deal with security agency (NBR) NZX-listed Wynyard Group says it has inked a $27 million deal with a "national security bureau"

Corero Network Security wins order for defence system (DigitalLook) AIM-listed online protection solutions provider Corero Network Security has won a significant order for its SmartWall Threat Defense System (TDS) from a US hosting provider valued at over $400,000 (£272,000)

Five cybersecurity names to follow in 2016 (CSO) A look at tech industry leaders who are influencing the cybersecurity industry

Products, Services, and Solutions

For the First Time, EU Workplaces Gain Full Visibility into the Connected Devices Posing Threats to their Networks (MarketWired via EIN News) Pownie Express launches Pwn Pulse SaaS Platform in Europe to automatically detect the wireless and wired devices putting European businesses and critical infrastructure at risk

Security firm Guardtime courting governments and banks with industrial-grade blockchain (International Business Times) Guardtime is a cyber-security provider that uses blockchain systems to ensure the integrity of data. In a recent announcement, its technology will be used to protect the UK's nuclear power stations, flood-defence mechanisms and other critical infrastructure

A10 Networks Delivers Advanced DDoS Mitigation Service (CloudWedge) With recent high profile DDoS attacks happening to mainline news websites such as the BBC and others, the concept of protecting your data against a multi-vector DDoS attack is fresh on everyone's mind

HP tackles 'visual hacking' with privacy filters in laptop, tablet screens (IDG via CSO) HP wants to prevent Peeping Toms from stealing data with new privacy filters integrated in laptops

Technologies, Techniques, and Standards

Kid spends $5900 playing Jurassic World on Dad's iPad. Here's how to prevent that happening to you. (Naked Security) Nothing like memorizing dad's passwords — both for his iPad and his Apple ID — to buy all the scaly goodness your little heart desires

White House aims to engage private sector, international organizations in global cybersecurity standards development (FierceGovernmentIT) The Obama administration issued a strategy late last month that it hopes will better position the United States government to support the development of international cybersecurity standards

Testing for DNS recursion and avoiding being part of DNS amplification attacks (Internet Storm Center) Yes, it has been said too many times, but still there are too many DNS servers out there allowing recursion to devices outside their network, which could be used for DNS amplification attacks. How? The attacker sends a spoofed DNS request with the victim IP address, usually from a botnet. When the misconfigured DNS answers will send the packet to the victim IP address causing a DDoS attack

IPv6 celebrates its 20th birthday by reaching 10 percent deployment (Ars Technica) Twenty years ago this month, RFC 1883 was published: Internet Protocol, Version 6 (IPv6) Specification. So what's an Internet Protocol, and what's wrong with the previous five versions? And if version 6 is so great, why has it only been adopted by half a percent of the Internet's users each year over the past two decades?

5 sins cybersecurity executives should avoid (CSO) With the advent of 2016, I was tempted to touch upon my thoughts on what the future of the cyberlandscape will hold, prognosticating trends and shifts and what the next big threat would be

Phpsploit — Stealth Post-Exploitation Framework (Kitploit) PhpSploit is a remote control framework, aiming to provide a stealth interactive shell-like connection over HTTP between client and web server. It is a post-exploitation tool capable to maintain access to a compromised web server for privilege escalation purposes

Tips to Protect Your Personal Information While Online (IRS Security Awareness Tax Tip Number 7) The IRS, the states and the tax industry urge you to be safe online and remind you to take important steps to help protect your tax and financial information and guard against identity theft. Treat your personal information like cash — don't hand it out to just anyone

Design and Innovation

The Nature Lover's Guide to Cyber Security (Wall Street Journal) Biomimicry is catching on in the cyber security field as engineers take inspiration from nature to develop improved technologies for protecting data and thwarting cyber crime

From sci-fi to real life: Government's changing role in tech innovation (C4ISR & Networks) Anyone who ever saw an episode of the original "Star Trek" TV series will recognize the similarity between a flip phone and the show's communicator, the device that Starfleet personnel use to talk to one another across vast distances with no need for wires and dials

Research and Development

On normalized compression distance and large malware (Journal of Computer Virology and Hacking Techniques) Towards a useful definition of normalized compression distance for the classification of large files

Legislation, Policy, and Regulation

The Top Five Cyber Policy Developments of 2015: United States-China Cyber Agreement (Council on Foreign Relations) Over the next few days, Net Politics will countdown the top five developments in cyber policy of 2015. Each policy event will have its own post, explaining what happened, what it all means, and its impact on cyber policy in 2016. In this post, the United States-China Cyber Agreement

Canadian Financial Regulatory Organization Releases Cybersecurity Guides (Legaltech News) The two guides look to help investment dealers protect themselves and their clients against cyber attack

Approved — Cybersecurity Act of 2015 (Lexology) It is official, on December 18, 2015 President Obama signed the Cybersecurity Act of 2015, which encompassed the Cybersecurity Information Sharing Act of 2015 ("CISA"), into law

Clearance Process Will Include Social Media Checks (Security Clearance Jobs Forum) One of the items included in the 2016 omnibus appropriations bill is the Enhanced Personnel Security Program. Why is this significant? Because it will direct agencies to screen social media sites twice within every 5 years as a part of the continuous evaluation process

IG questions DoD cloud computing oversight (FierceGovernmentIT) The Defense Department doesn't have a standard definition for cloud computing or a comprehensive inventory of cloud computing service contracts, according to findings in a recent DoD Office of Inspector General report

DoD Needs an Effective Process to Identify Cloud Computing Service Contracts (Inspector General, US Department of Defense) Our objective was to determine whether selected DoD Components performed a cost-benefit analysis before acquiring cloud computing services. In addition, we were to identify whether those DoD Components achieved actual savings as a result of adopting cloud services

DoD Gives Extension for Vendors to Implement NIST Cloud Security Requirements (ExecutiveGov) The Defense Department has issued an interim rule that amends a provision in the Defense Federal Acquisition Regulation Supplement to enable contractors to implement National Institute of Standards and Technology security requirements through Dec. 31, 2017

Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013– D018) (Federal Register (h/t Rogers Joseph O'Donnell)) DoD is issuing an interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to provide contractors with additional time to implement security requirements specified by a National Institute of Standards and Technology Special Publication

Air Force bolsters its cyber ranks by 40 percent (Defense Systems) With the projected completion of the Defense Department's Cyber Mission Force slated for 2018, the individual services are staffing up to fill their requirements to the overall force, expected to number more than 6,000

Head of Russia's military intelligence dies (Military Times) Russia's Defense Ministry says the head of the military's main intelligence service, Col.-Gen. Igor Sergun, has died at age 58

Litigation, Investigation, and Law Enforcement

Exclusive — Pete Hoesktra: NSA Spying on Congress Requires Suspending State of the Union Invite (Breitbart) Elected officials and leaders of the U.S. Intelligence Community (IC) must maintain the integrity of America's vast intelligence enterprise as a lawful, neutral, independent and fair arbiter of facts. Recent news that the Obama White House obtained intelligence containing private conversations of members of Congress and American Jewish organizations from the National Security Agency (NSA) suggests the integrity of our intelligence agencies have been undermined

Another View — Rand Paul: Fighting terror without sacrificing liberty (New Hampshire Union Leader) Recent revelations that the Obama administration abused the powers of the National Security Agency and spied on members of Congress is exactly why we need immediate reform of our government's lawless surveillance

The hunt to unmask the new 'Jihadi John' (Washington Post) The hunt is on to identify the new "Jihadi John," the masked, British-accented Islamic State militant who on a newly released video calls British Prime Minister David Cameron an "imbecile" and then helps slaughter five men suspected by the group of spying for Britain

Britain denounces Islamic State video showing 'spies' shot (Reuters) An Islamic State video showing a young boy in military fatigues and an older masked militant who both spoke with British accents is "desperate" propaganda from an organization that is losing ground, Prime Minister David Cameron said on Monday

London man says child in Isis video is his grandson (Guardian) Henry Dare tells Channel 4 that the boy is Isa, son of his daughter Khadijah, who left for Syria several years ago

Bumbling would-be UK bomber asked Twitter followers for target suggestions (Ars Technica) Once again, encryption was not used to cover tracks in any way

Microsoft back in court over US access to Irish servers — 'could have impact' on Safe Harbour talks, says firm (Computing) Microsoft is concerned that the upcoming recommencement of its legal battle to prevent the US government from accessing sensitive data in a data centre located in Ireland could have an impact on ongoing Safe Harbour negotiations between the EU and the US

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Upcoming Events

cybergamut Tech Tuesday: The Threat Landscape and the Path Forward: Fundamentals of a Risk-Aware Organization (Elkridge, Maryland, USA, January 5, 2016) John McLaughlin of IBM Security provides a quantitative analysis of the attacks seen by IBM and the thousands of IBM customers in the preceding year. Specific attention will be paid to the protocols engaged,...

CES CyberSecurity Forum (Las Vegas, Nevada, USA, January 6, 2016) Premiering at CES 2016 — the global stage for next generation technologies — The CyberSecurity Forum will bring together security experts and technology visionaries with executives and policymakers...

FloCon 2016 (Daytona Beach, Florida, USA, January 11 - 14, 2016) The FloCon network security conference provides a forum for large-scale network flow analytics. Showcasing next-generation analytic techniques, FloCon is geared toward operational analysts, tool developers,...

Breach Planning & Incident Response Summit: Proactive Collaboration Between Private Industry and Law Enforcement to Mitigate Damage (Odenton, Maryland, USA, January 12, 2016) The Cybersecurity Association of Maryland, Inc.(CAMI), Chesapeake Regional Tech Council, Maryland Chamber of Commerce, Chesapeake Innovation Center, Tech Council of Maryland are partnering together to...

Cyber Security Breakdown: Chicago (Chicago, Illinois, USA, January 12, 2016) This half day session will provide you with the critical information you need to start formulating an effective response in the eventuality of a cyber security event. Rather than try and handle the breach...

Insider Threat Program Development Training Course — Georgia (Atlanta, Georgia, USA, January 12 - 14, 2016) The National Insider Threat Special Interest Group website has some very "eye opening" examples of how "damaging and costly" an "insider threat incident" can be. The FBI Insider Threat Alert states companies...

FTC PrivacyCon (Washington, DC, USA, January 14, 2016) The Federal Trade Commission will in January hold a wide-ranging conference on security and privacy issues lead by all manner of whitehat security researchers and academics, industry representatives, consumer...

National Insider Threat Special Interest Group Meeting (Laurel, Maryland, USA, July 16, 2015) Topics to be discussed at the meeting; Insider Threat Program Development & Implementation, Behavioral Indicators Of Concern, Legal Considerations When Developing & Managing An Insider Threat Program.

POPL 2016 (St. Petersburg, Florida, USA, January 20 - 22, 2016) The annual Symposium on Principles of Programming Languages is a forum for the discussion of all aspects of programming languages and programming systems. Both theoretical and experimental papers are welcome,...

Automotive Cyber Security Summit — Shanghai (Shanghai, China, January 21 - 22, 2016) The conference, which brings together automakers, suppliers, various connected-services providers and security specialists, will focus on government regulations, emerging automotive cyber security standards...

SANS Institute: Information Security Training (Las Vegas, Nevada, USA, September 12 - 21, 2015) Information security training in Las Vegas from SANS Institute, the global leader in information security training. At SANS Network Security 2015, SANS offers more than 40 hands-on, immersion-style security...

CyberTech 2016 (Tel Aviv, Israel, January 26 - 27, 2016) Cybertech is the most significant conference and exhibition of cyber technologies outside of the United States. Cybertech provided attendees with a unique and special opportunity to get acquainted with...

Fort Meade IT & Cyber Day (Fort Meade, Maryland, USA, January 27, 2016) The Ft. Meade IT and Cyber Day is a one-day event held at the Officers' Club (Club Meade) on base. The event is held on-site, where industry vendors will have the opportunity to display their products...

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.