
More signal. Less noise.

2017 cyberattacks proved more numerous, sophisticated, and ruthless than in years past.

WannaCry, NotPetya, ransomware-as-a-service, and fileless attacks abounded. And, that’s not everything. The victims of cybercrime ranged from private businesses to the fundamental practices of democracy. Read The Cylance Threat Report: 2017 Year in Review and learn about the threat trends and malware families their customers faced in 2017.

The Week that Was.

An apparent espionage campaign was (apparently) a glitch.

What looked like a Border Gateway Protocol (BGP) hijacking campaign Monday seems to have been the result of error. Traffic from Google enterprise-focused services was routed inexplicably through Chinese and Russian ISPs apparently because of a fumbled upgrade, swiftly remediated, at Nigerian ISP Main One. The incident amounted to a denial-of-service condition for Google business users that lasted for a little less than an hour and a half (WIRED). Main One publicly acknowledged responsibility, and outlined how the issue arose. Not everyone is convinced. A Tel Aviv University researcher and co-author of a paper on BGP hijacking as an espionage threat, said it would be easy to misrepresent attacks as nothing more than errors (Reuters). So, probably an error, but also an instructive reminder of the security and availability issues surrounding BGP, and of the risk of hair-trigger attribution of cyberattacks.

What the brightest minds are saying about network security.

We're asking knowledgeable security insiders like you to take a short survey. In return, we're offering all qualified respondents a chance to enter a drawing to win one of three gift cards valued at $50 each. Join other cybersecurity leaders and share your viewpoints. Click here to take the survey.

Operation Shaheen and the White Company

Cylance reports a cyberespionage campaign, "Operation Shaheen." It's unusually sophisticated—prepped, staged, evasive, and quiet—and targets Pakistan's military, especially the air force. Cylance researchers named the campaign after the Shaheen falcon that provides Pakistan's air force emblem. They call the threat actor "the White Company" because of the great care it takes to cover (whitewash) its activities. Cylance evaluates the White Company as a nation-state actor, but doesn't say which nation-state (CSO).

Securing the Vote: How Easily Could Our Elections Be Hacked?

U.S. voting systems are broken. They are peppered with risks from people, process, and technology – and something must be done to regain voter confidence. In the latest Securealities report, Coalfire identifies these vulnerabilities and provides recommendations for remediation based on analyses from their work on voting networks and systems, plus 3,000 cybersecurity engagements in the past year.

More Spectre and Meltdown vulnerabilities reported.

University researchers have reported seven new variations on the Spectre and Meltdown transient-execution chip flaws. Two are Meltdown variants (a protection key bypass and a bounds check bypass). The remaining five are Spectre variants, exploiting either the pattern history table or the branch target buffer. Researchers say the flaws haven't all been addressed by vendors, but Intel at least disagrees (SecurityWeek).

Ground Truth or Consequences: the challenges and opportunities of regulation in cyberspace.

CyberWire-X is a new series of multi-part specials we’ve launched to share deeper discussions of important, complex security topics affecting individuals and organizations every day, and all over the world. Our first episode takes a closer look at cyber security regulation in the US. We hear from our Sponsor Gemalto as well.

The state of information operations.

Russian intelligence services weren't entirely quiet during the US midterm election cycle (USA Today), but they were apparently less active this year than they were in 2016. Why that's so, and why even their low-cost and probably low-risk trolling seemed attenuated, remains unclear, but speculation turns to a mix of possible explanations: US Cyber Command deterrence, more suppression of inauthentic accounts, US indictments of individual Russian operators, better Federal and state cooperation on election security, the inherently more disparate nature of midterms, and, finally, a sense on the Russians' part that they've already done enough damage to civic trust and civil discourse. President Putin may have been content to relax and let American rancor do his work for him (Wall Street Journal).

Facebook seems more willing to tackle trolls than it was in 2016. A New York Times report says the social network did a lot whistling in the dark during that presidential election cycle.

Get your copy of the definitive guide to threat intelligence.

We brought together a team of experts and wrote the definitive guide to everything you need to know about threat intelligence. Whether you work in vulnerability management, incident response, or another part of cybersecurity, our book has something for you. Get your free copy of “The Threat Intelligence Handbook” now.

GPS jamming during NATO exercises.

NATO’s large Trident Juncture exercises conducted in and around Norway last week saw apparent Russian jamming of GPS signals with the evident intent of disrupting the wargames. Russia had objected to the exercise—largest since the Cold War’s Autumn Forge exercises—as “sabre-rattling.” Trident Juncture opened on October 25th and wrapped up on November 7th. Russia denied any involvement in the jamming (Times).

Indiscriminate GPS jamming isn't just an operational nuisance, but a clear threat to safety of navigation as well. The Norwegian airline Wideroe said its flights lost GPS signal while inbound to airports in northern Norway and Finland, and Finnish air traffic control warned of widespread GPS disruption. Finland is investigating, and Prime Minister Juha Sipila said, "[I]t's possible that Russia was behind it. We will investigate, and then we will respond. This is not a joke; it threatened the air security of ordinary people" (Deutsche Welle).

The Paris Call.

French President Emmanuel Macron issued the “Paris Call for Trust and Security in Cyberspace” at the UNESCO Internet Governance Forum this week (France Diplomatie). The Call amounts to a declaration of principles. About fifty countries signed on to it (but not China, Russia, or the United States), and it found favor with Big Tech, as both Microsoft and Google (and Kaspersky) figured prominently among private sector supporters (Fortune, Hypertext). The signatories commit to cooperation in eight areas: resilience, Internet availability and integrity, election security, IP theft prevention, cyberweapon counter-proliferation, more secure IT products and better digital hygiene, enforcement actions against cybercriminals and terrorists, and development of stronger international standards. The Paris Call could serve as a framework within which nations might achieve a modus vivendi, but obviously there’s a lot of work left to be done, and it's premature to regard any nation's reservations as a rejection of international norms in cyberspace.

Magecart updates.

RiskIQ and Flashpoint Tuesday issued a joint report on Magecart, the family of increasingly aggressive carding campaigns against e-commerce sites. The researchers identify six criminal groups as responsible for Magecart activity, and they trace the threat from its modest origins as the Cart32 online shopping cart backdoor (discovered in 2000) to the present threat responsible for large-scale attacks on large enterprises including Ticketmaster and British Airways. Magecart proper emerged in 2015. The criminals monetize their theft of paycard data either by selling it to other crooks in carding fora, or by enlisting mostly unwitting mules to buy goods and ship them to the gang.

Plum Island's black start.

Last week an exercise, "Liberty Eclipse," tested how utilities subjected to catastrophic cyberattack might restore electrical power to a dead grid, a "black start." DARPA's Rapid Attack Detection, Isolation and Characterization Systems (RADICS) program ran the tests on Plum Island in Long Island Sound, an isolated location where a small but realistic power grid could be safely disrupted without risk of the test outage cascading into the larger power grid. The RADICS director said, "We had 18 substations, two utilities, two command centers, and we had two generation sources that we had to bring up a crank path and synchronize. It had a realism that you don’t really find in lab environments that made you rethink the approach" (WIRED). A black start represents a tough case, and must be managed carefully and gradually. Liberty Eclipse's week-long challenge offered opportunities for interesting improvisation (E&E News).

Concerns about grid cybersecurity aren't confined to the US. The UK has long been thinking about the problem (Insurance Journal).

Patch news.

Microsoft fixed a number of issues this week, including one zero-day (Threatpost). Some of the updates have crashed features of Windows 10 Mobile (Naked Security).

Crime and punishment.

Phineas Phisher, whoever he may be, is off the hook in the Hacking Team caper of 2015 in which the Milan-based lawful intercept company was breached and doxed. Italian authorities have abandoned the investigation (BoingBoing). "I'm ready to go to jail if I have to, but I'd rather stay free and active," Phineas told Motherboard. Hacking Team's irregular reputation (its products were used by some uncontroversially repressive regimes) led many to regard Phineas Phisher as a kind of Dark Knight vigilante. There's some of that, maybe, but there's also a record of criminal behavior that goes beyond hacking a spyware vendor. Phineas Phisher paid for the attack infrastructure he used with stolen Bitcoin, the better to evade authorities.

Tyler Barriss has taken a guilty plea to charges stemming from his instigation of a lethal swatting in Wichita, Kansas, last December (Ars Technica). These were not the only charges he faced: the US Department of Justice said Mr. Barriss also admitted to almost fifty other charges, most of them hoax bomb threats. One of those bomb threats was directed against the Federal Communications Commission; Mr. Barriss disapproved of weakening net neutrality.

In a story that's far less funny than bald retelling suggests, a Swedish man has received six and a half years in prison for mailing a letter bomb to what he thought was the address of a Bitcoin exchange that wouldn't change his password (Naked Security). The London Met's bomb squad rendered the device safe, but it could have been lethal, and it sat in the mailroom unopened for five months (Graham Cluley).

Courts and torts.

Microsoft may be looking at GDPR fines for its use of Office 365 telemetry, specifically that collected for the ProPlus subscription to the desktop suite and Office 365's web-based version. It's a matter of Redmond sharing the data internally among some thirty members of its team as opposed to external leaks or data releases, and the EU acknowledges that telemetry is simply a part of the contemporary software donné (Computing). But the complaint, which originated in the Netherlands, is concerned with the intrusive level of detail the telemetry picked up, including not only email subject lines, but also sentences run through spellcheck and grammar checking tools, as well as input to the translation tool. One can imagine legitimate product-improvement interests in all of these, but still, it's a lot.

Fancy and Cozy Bear say the DNC can’t sue them. Russia's Ministry of Justice says that, even if the Bears did hack the Democratic National Committee (and they're not saying they did, understand, it's more that they're speaking hypothetically on behalf of a friend), the DNC can't sue them. Such is the claim the Russian Ministry of Justice made in a ten-page “statement of immunity” delivered to the US State Department. If such alleged hacking happened at all (which, mind you, they’re not saying it did, but IF it did)…they say that such alleged hypothetical hacking would have been a “military action” and as such shielded by the Foreign Sovereign Immunities Act of 1976, the US law that affords foreign governments a degree of immunity for some actions they take inside the US. If, that is, they took any such alleged action at all. And besides, you too, Yankees: with everything you do, you really want people to take you to court, too? Tu quoque, buckaroo (ABC News).

Policies, procurements, and agency equities.

The US Congress passed legislation establishing the Department of Homeland Security's National Protection and Programs Directorate as a major agency, and cementing its place as the principal Federal civilian agency for cybersecurity (Department of Homeland Security). It's now on the President's desk for signature (Fifth Domain).

Nigeria's young Cyber Command, which was established in August from elements of the military, is concerned with counterterrorism, but the government hopes the new organization will also be effective in reducing the country's notoriously vigorous and deeply entrenched cybercriminal gangs (TechNative).

Fortunes of commerce.

The Five Eyes glower at Huawei and other Chinese manufacturers. A US panel recommended Congress restrict the Government's doing business with a range of Chinese vendors (SecurityWeek). And Germany is expressing growing concerns about the potential security risk of made-in-China devices (Computing).

Belgium's government has decided to continue using Kaspersky products (Telecompaper).

To deflect criticism that it's too close to the Russian organs, and in the face of what it calls a trend toward "technological nationalism" (ZDNet), Kaspersky is moving key elements of its operation to Switzerland (Sky News). Zurich is safely remote from any GRU colonels you might run into at the banya.

Unicorn fans will find TechCrunch's state-of-the-herd summary interesting. There are more companies with billion-dollar valuations, they're staying private longer, and while they're born mostly in China and the US, they're also appearing in India, the UK, Israel, Germany, Indonesia, and elsewhere.

DeepMind has passed its medical app over the firewall to its data-hungry and data-monetizing corporate parent Google, and that's given observers a case of the willies. A "gut-punch" to privacy and trust, is how TechCrunch breathlessly put it.

And hey, Bitcoin barons: your favorite alt-coin has hit a new fork-fear-driven low, dropping below $6000 (CNBC) but it's probably too soon to call a bottom in this particular market.

Labor markets.

The tight labor market is about to get tighter around New York's Long Island City and Arlington, Virginia's Crystal City. Amazon intends to establish its two new headquarters in those places (Wall Street Journal). The company is looking at fifty-thousand hires across the two locations (Quartz).

Mergers and acquisitions.

On Friday BlackBerry acquired Cylance for $1.4 billion in cash. Cylance, which applies machine learning and artificial intelligence to cybersecurity, will operate as a separate business unit. BlackBerry will integrate Cylance products with chip-to-edge BlackBerry Spark, a communications platform that creates trusted connections among endpoints in the "Enterprise-of-things" (PRNewswire).

NSO Group, the often controversial Israeli lawful intercept vendor (or spyware merchant, depending upon where one sits) is said to be preparing to acquire another Israeli firm, Fifth Dimension, which offers predictive policing and threat assessment solutions (CTECH). 

Novetta has acquired Berico Technologies (Intelligence Community News). Novetta sees the move as enhancing its cloud engineering capabilities.

A survey of M&A professionals conducted by Merrill suggests that concerns over GDPR are inhibiting many transactions that would have otherwise proceeded relatively unproblematically (Help Net Security).

Investments and exits.

Santa Clara-based cloud security firm Netskope has raised a tidy $167.8 million in Series F funding. Lightspeed Venture Partners, an existing investor, led the round. Other existing investors Accel, Geodesic Capital, ICONiQ Capital, Sapphire Ventures and Social Capital also took part, as did new investor Base Partners (Netskope). This latest funding round pushes Netskope into a billion-dollar valuation (Fortune).

Rome-based IoT firmware security shop EXEIN has raised €2 million in a funding round led by United Ventures (

Israeli breach and attack simulation shop XM Cyber, known for its red-teaming platform, has closed a $22 million Series A funding round. Participants included Macquarie Capital, Nasdaq Ventures, Our Innovation Fund, and UST Global (Venture Beat). One way of characterizing what XM Cyber does is that they're an APT simulator (SecurityWeek).

Industrial control system firm Dragos has now raised a total of $37 million from venture backers (Fortune). They've also announced plans to open an office in Saudi Arabia (CyberScoop).

Homomorphic encryption shop Duality Technologies has secured a $4 million funding round led by Team8. Team8 itself is backed by a number of large corporations across several industries, Walmart, Airbus, Microsoft, Softbank, Nokia, Barclays, Munich Re, Cisco, and AT&T among them (Fortune).

Boulder, Colorado, based Automox, which specializes in automated patching and configuration solutions, has raised $9.3 million in a Series A round led by TechOperators. Also participating were CRV, BlueNote Ventures, and other "previous insiders" (Globe Newswire).

Cognigo, the Tel Aviv-based compliance and data protection shop, has closed an $8.5 million Series A round led by OurCrowd, with participation by Prosegur and State of Mind Ventures (SecurityWeek).

Another Israeli firm, zero-day protection specialist Votiro, has raised $8 million from Senetas, the big Australian encryption shop (Globes).

Super-unicorn Palantir, the very capable data analytics company with a $20 billion valuation and an almost cult-like following in various US Government circles, does everything except not lose money. The company is thinking about how it might change that before its much-anticipated IPO (Wall Street Journal).

And security innovation.

DISA is interested in creative approaches to remote browser isolation, soliciting cloud-based approaches to the challenge of preventing attacks mounted through browsers (C4ISRNET).

Mach37 has opened applications for its latest incubator class (Globe Newswire).
Today's issue includes events affecting Australia, Belgium, Canada, China, Finland, France, Germany, Israel, New Zealand, NATO/OTAN, Nigeria, Norway, Pakistan, Russia, Sweden, United Kingdom, United States.

A note to our readers: The Week that Was will take next Saturday off as we observe the long Thanksgiving weekend. We'll be back as usual on December 1st. (If shop you must between now and then, please stay safe online. Here's some advice to that effect from Webroot and RiskIQ.)

Research Saturday is up. In this edition, "Doubling down on Cobalt Group activity," we hear from NETSCOUT Arbor, whose ASERT team has been tracking Cobalt Group campaigns that target financial institutions. Richard Hummel is manager of threat intelligence with ASERT, and he joins us to share his team's findings.

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.