The CyberWire Daily Podcast 7.26.23
Ep 1871 | 7.26.23

A malign AI tool: FraudGPT. Stealer logs in the C2C market. Signs in the blockchain that some Conti alumni are working with the Akira gang. And a kinetic strike against a cyber target.

Transcript

Dave Bittner: FraudGPT is a chatbot with malign intent. Stealer logs in the C2C market. Signs in the blockchain that some Conti alumni are working with the Akira gang. Tim Starks from the Washington Post's Cybersecurity 202 on the White House's new National Cyber Director nominee. Maria Varmazis speaks with David Luber, Deputy Director of NSA's Cybersecurity Directorate, on space systems as critical infrastructure. And a kinetic strike against a cyber target: Ukrainian drones may have hit Fancy Bear's Moscow digs.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Wednesday, July 26th, 2023.

A malign AI tool: FraudGPT.

Dave Bittner: Another malicious generative AI tool is being sold on the dark web, according to researchers at Netenrich. The bot, called “FraudGPT,” is designed to write malicious code, craft phishing pages, write scam emails, and more. The tool launched on July 23rd, and is being offered for $200 per month or $1700 per year. The researchers note, “While organizations can create ChatGPT (and other tools) with ethical safeguards, it isn’t a difficult feat to reimplement the same technology without those safeguards.”

Dave Bittner: A similar tool, called “WormGPT,” launched earlier this month. WormGPT also advertised itself as an “ethics-free” version of ChatGPT.

Stealer logs in the C2C market.

Dave Bittner: An infostealer log is simply the full list of credentials harvested from an infected machine, whether obtained by phishing or some other vector. In its research report “Stealer logs and Corporate Access,” Flare explains that infostealer malware and its surrounding criminal-to-criminal economy has developed into a complex ecosystem that is growing at an exponential rate. “The explosive growth rate of infostealer malware represents an ongoing and significant threat to all organizations. Employees regularly save credentials on personal devices or access personal resources on organizational devices, increasing the risk of infection,” writes Flare.

Dave Bittner: The report explains driving factors in the infostealer market by examining over 19.6 million stealer logs. These logs are regularly sold on the dark web after an infection. By examining the logs, Flare was able to determine that 46.9% (more than 8 million) had access to Gmail credentials while just over 1.91% had access to business application credentials like AWS, Salesforce, and GCP. Logs which contained credentials to financial institutions were sold for almost 7.5 times as much as those with access to consumer applications. 

Dave Bittner: Most stealer logs are distributed on Telegram via private or public channels, but Russian Market, a dark web marketplace, is also a popular site to purchase such logs. Genesis Market had been a popular clear web online log store until its recent takedown by law enforcement. It now operates exclusively, and at a reduced rate, on the dark web.

Dave Bittner: Flare goes on to outline three tiers of infostealer logs for sale. Tier one contains high-value corporate credentials. Tier two holds banking and financial service credentials. And tier three, finally, consists of more run-of-the-mill consumer application credentials. 

Dave Bittner: Credentials seem to be gathered, all too often, from accounts whose users cross their personal devices with work devices and save their credentials to their browser for ease of access. While saving credentials may be easier in the long run, the user is essentially putting all their access eggs in one basket, allowing hoods who can pick up that basket to walk away with some pretty valuable items.

Dave Bittner: The ecosystem surrounding these stealer logs is complex, and it seems that most of the lower-tier logs are used to gain access to subscription services like Spotify or Netflix so the "hacker" can save some money. But Flare explains that the market path of a log containing corporate access credentials is much more sophisticated: "Based on the evidence from the dark web forum Exploit.IN, we rate it as highly likely that initial access brokers (IABs) are using stealer logs as a principal source to gain an initial foothold to corporate environments that can then be auctioned off on top-tier dark web forums." This indicates that infostealers are the tip of the spear in large-scale cyber attacks.

Dave Bittner: It's important to understand the large economy that enables such attacks: without the logs, IABs wouldn't get access so easily, and without the access, cybercriminals wouldn't be able to get into a network and do as they please with the protected information inside. This economy provides a lower barrier to entry, as criminals now need only specialize in a specific phase of the attack. They can buy the work of others to complete their attack. Why build a tool when you can buy it? Commodification and division of labor work in illicit markets as they do in honest ones.

Conti and Akira may have teamed up to pull off cybercrimes. 

Dave Bittner: Through blockchain analysis, researchers at Arctic Wolf Labs assess that actors from the recently splintered ransomware group Conti are likely either working with the Akira gang now or were working with Akira and another group at some earlier time. “In some instances of pattern analysis, Arctic Wolf Labs has observed cryptocurrency address reuse between threat groups, indicating the individual controlling the address or wallet has either splintered off from the original group or is working with another group at the same time,” the researchers conclude. 

Dave Bittner: Akira's code shares many similarities with Conti's, but the presence of what is, after all, widely accessible leaked code isn't conclusive evidence of collaboration. However, the reuse of known blockchain addresses can indicate that at least one former member of Conti has joined Akira: "In at least three separate transactions, Akira threat actors sent the full amount of their ransom payment to Conti-affiliated addresses; the three transactions totaled over $600K USD." Arctic Wolf explains that after the Conti cybergang splintered and had its ransomware source code leaked, it is highly likely that some of the members joined forces with the up-and-coming ransomware gang Akira.

Dave Bittner: The researchers note that Akira is probably an opportunistic organization and has taken advantage of mostly small or medium-sized businesses who are not employing multi-factor authentication (MFA): "According to Akira's leak site, the group has compromised at least 63 organizations since their inception, with approximately 80% of their victims being small to medium-sized businesses (SMBs). Notably, some of the victims have been removed from the leak site."

Ukrainian drone strikes on Moscow may have hit GRU offices.

Dave Bittner: And, finally, according to the Telegraph, Ukrainian drones that hit Moscow on Monday (which Moscow said did little damage) appear to have struck an office building that houses the GRU's Unit 26165, an organization responsible for Russian offensive cyber operations. The unit's activities are best known under their Fancy Bear nickname. 

Dave Bittner: Ukrainian officials said more attacks against Russia could be expected, and derided Russia's ability to defend its own airspace. “Today, at night, drones attacked the capital of ‘the orcs’ and Crimea,” Ukraine's Deputy Prime Minister Mykhailo Fedorov said. “Electronic warfare and air defence are already less able to defend the skies of the occupiers.”

Dave Bittner: So, whether by accident or intention, the kinetic and cyber phases of the hybrid war seem to have converged this week at a Moscow office high-rise.

Dave Bittner: Coming up after the break, Tim Starks from the Washington Post's Cybersecurity 202 on the White House's new National Cyber Director nominee, and Maria Varmazis speaks with David Luber, Deputy Director of NSA's Cybersecurity Directorate, on space systems as critical infrastructure. Stay with us.

Dave Bittner: Maria Varmazis is host of the T Minus podcast right here on the N2K network, and she recently spoke with Deputy Director of NSA's Cybersecurity Directorate, David Luber. She files this report.

Maria Varmazis: Thank you so much for joining me today, Dave, I really appreciate it. And we get to talk about my favorite topic, which is space cybersecurity, so you are the perfect person to start us off with an overview: what is the state of cybersecurity right now?

David Luber: Well, thanks. And you know, cybersecurity in space is one of my favorite topics as well. And I always think about cybersecurity as a team sport. And as you look across the US government and our community, within the Department of Defense, the Space Force, CISA, NIST, and our Defense Industrial Base, as well as the Department of Commerce, we're all working together when it comes to ensuring that we have the right cybersecurity for our current and future space systems. And for the National Security Agency, we focus specifically on the cybersecurity for our national security systems. As you might imagine, our military, our government relies on space, and that capability needs to be secured to ensure that we can withstand the threats that come from multiple adversaries.

Maria Varmazis: Could you help me understand maybe the different roles that the US government plays in helping security systems or maybe who specifically is responsible for what? Or could you give me a sense of that, please?

David Luber: Well, first off, as I mentioned, that team sport effort at NSA, we're responsible for ensuring that the guidance is in place for those key national security systems, even those systems in space that are supporting our weapons capabilities for the US military. But beyond that activity, then we look to other partners in CISA, in the Office of Space Commerce, and in NIST to really help in the areas of commercial use of space and the commerce of space and to ensure that those systems are also secure. But collectively, we work together to ensure that the guidance can be used and consumed by both the national security systems, as well as other US government users and commercial entities. Just to give you an example, at NSA, we publish cybersecurity advisories that give insights into a variety of different threat activities that impact all types of different national security systems. But in the case of others, these advisories can also be used if you're in the commercial segment, if you're in other areas, to ensure that you're securing those systems in a way that would keep an adversary, and when I talk about adversaries, I think about the adversaries of Russia, the PRC, Iran, North Korea, and even the non-state actors like ransomware actors, from penetrating those key systems. We've also published advisories on how to protect the link segment, ensuring that the proper use of TRANSEC is employed, and even in some of the user segment areas, to ensure that the user segment modems have the right firmware, that they're monitored just like any other device that would be used on a network.

Maria Varmazis: I'm very curious to get your thoughts on the calls for designating space as a critical infrastructure. In your view, would that help move things along in the right direction or what would that materially impact if space were to become designated as critical infrastructure?

David Luber: Well, first I'd offer that the White House has not made a decision regarding space as a critical infrastructure, and we have been called upon by the White House for insights and thoughts on that. Obviously NSA would provide input to that decision. But collectively, I'd offer too that the team is already working well together, and absent any sort of decision, we will continue to focus on how we work together as a team across the US government, but in particular, that very important partnership between government and industry. Because I think that's where the power of partnerships really comes together, sharing insights, sharing guidance, and ensuring that we can change as the threat arena changes as well. Just as we're talking right now, there are new vulnerabilities being discovered, there are changes that are happening in the cyber ecosystem. So this is not something that you publish and you're finished. This is something that's continuous that we need to work together on over time.

Maria Varmazis: And as space and commercial space especially continues to grow at an astounding pace, I'm wondering are there any emerging technologies that are of interest that you feel could present great opportunities for perhaps hardening systems or helping move along the maturity of cybersecurity and space systems?

David Luber: Absolutely. You know, when I think about any type of system out there today, some of the things that I immediately think about, especially for the space ecosystem, are concepts like implementing zero trust within ground system segments. It's a different thought process, but really ensuring that zero trust principles are applied and that we have the indications when one of those threat actors is attempting to gain access to those systems, or if they are successful, because zero trust does assume breach, that they have little maneuver space to actually impact the actual space systems themselves. I'd also offer building in cybersecurity from the beginning. If we look back in time, some of the early space systems didn't necessarily consider cybersecurity as one of the primary requirements during the acquisition, development, and implementation. So I think it's really important for us to think about how we ensure that cybersecurity is thought about during the actual development within the entire ecosystem that I mentioned earlier. And then, in particular for national security systems, but not just national security systems, the future of cryptography. We need to ensure that we have quantum-resistant cryptography for our national security systems and US government systems, as well as commercial systems, to ensure that cryptography advances along with the space systems and all that ecosystem that I just mentioned. And then lastly, I'd say that the complexity of space systems in proliferated LEO architectures now demands the ability for those systems to be able to communicate in space from system to system. So different technologies, different applications of cryptography, and zero trust, I think, are all areas that are not only emerging, but in many cases are critical to ensure that current and future space systems can be relied on by the national security system owners.

Maria Varmazis: Dave Luber at NSA, thank you so much for walking me through this today. I am always fascinated hearing about not only what NSA is doing, but also space cyber, a personal passion of mine. I really appreciate your time and expertise today.

David Luber: It's great to be here today. Thank you.

Dave Bittner: That's Maria Varmazis from the T Minus podcast speaking with David Luber, Deputy Director of NSA's Cybersecurity Directorate. If you've not yet checked out T Minus, what are you waiting for? It's a great show. Check it out.

Dave Bittner: It is always my pleasure to welcome back to the show Tim Starks. He is the author of the Cybersecurity 202 at the Washington Post. Tim, welcome back.

Tim Starks: How do you do, Dave?

Dave Bittner: So your most recent posting here over on the Post's website is titled "White House's Pick for National Cyber Director is Met With Praise And Questions." Take us through what's going on here, because it's not exactly straightforward.

Tim Starks: Yeah, this has been a somewhat odd sequence of events. You'll recall that toward the end of last year, we found out Chris Inglis was leaving as the very, very first National Cyber Director. That's that position that has a strategic and advisory role to the president. It's kind of a replacement for the cyber czar that used to exist in the White House. He left; one of his deputies, I think his principal deputy, Kemba Walden, has been serving as acting director and, by pretty much all accounts, doing an excellent job of it. She'd overseen the rollout of the national cybersecurity strategy. She led the development of the implementation plan. People were expecting her to get the nomination, but it kept not happening. She took that job in February, and then me and a colleague, Ellen Nakashima, we both combined on a story last week that wrote about her being told she was not going to get the job because of personal debt issues, which most people were pretty skeptical should have been, or were, the real reason for her not getting the nomination. So today, I guess I should say yesterday, the White House announced that Harry Coker, that's a name that we put in that story last week as the favorite candidate, would be the nominee. He's a former NSA, CIA official. Actually was part of the transition team for the Biden-Harris administration. Has some cyber experience, but there are some questions about how much, compared to especially Kemba and maybe other potential nominees. I think that's where we end up. You know, people seem to think highly of him overall. He has support on the Hill from key figures. So, you know, he has support. Chris Inglis told me that he thought he'd be a good candidate. I think that gets us up to speed. It's kind of a long, winding saga so far.

Dave Bittner: Yeah. I mean, it's interesting to me that, you know, Coker seems to have a lot of support. There's little question that he can come at this from a leadership point of view. Like, he has all the experience there to lead an agency. But in your reporting you spoke to some folks who may have some skepticism when it comes to his knowledge, particularly in the cyber realm?

Tim Starks: Yeah. So I mean, he certainly has some of that. He has been at Auburn University at the McCrary Institute as a senior fellow on cyber. He has advised some cyber companies, but he wasn't necessarily all that explicitly focused on cyber at the NSA or CIA. I mean, it was certainly part of what he did, but I don't think people thought of it as the main thing he did. So if you're looking at someone like him, who again, like you said, like the people I talked to, even the people who were skeptical of him, praised him as a person, praised him for his leadership, his intelligence, compared him to, like, a Kemba Walden, who had been back at DHS covering cyber, was there when CISA was being stood up, and was an attorney, was at Microsoft with the Digital Crimes Unit, was there for the founding, essentially the founding, of the National Cyber Director's office. You know, Inglis came in last year after getting confirmed, I think it was around June of last year. She joined in June of last year as well. So we're talking about someone who had a lot of capabilities and a lot of experience specifically in this job compared to Harry. And that's, I think, where he has some skeptics about whether he should have been the choice, whether he was the best pick for the job.

Dave Bittner: Yeah. Going back to Kemba Walden, I have to say I'm a little surprised we didn't see more from the Biden administration to fight for her getting this job.

Tim Starks: It struck everybody as strange because, like I said, everybody pretty much thinks she's done a good job. I say pretty much because I can't think of anybody who has said she's done a bad job. I've heard people, you know, criticize things like the implementation strategy, maybe take some issues with it. But nobody said she did a bad job, and everybody seems to think she's done a good job. She's a Black woman. There are not a lot of Black women in leadership positions in the Biden administration.

Dave Bittner: Right.

Tim Starks: And they prioritize that, you know, with, like, Supreme Court nominees and things like that. So it seems like that would have been a factor for her. Harry Coker is also Black. So it's not as though they're completely abandoning diversity, but a Black woman is a different kind of diversity level we're talking about than a Black man. It's confounded people.

Dave Bittner: This notion that it's an issue of personal debt, to what degree do folks think that is truly the case?

Tim Starks: Nobody that I've talked to, or nobody that I've seen react to it publicly, seems to think that that is the authentic explanation. Sure, that was the explanation she was given. I should point out that Kemba, you know, at some time around the same point that the White House was saying that she's not going to get the job, she pulled herself back from consideration. So that's something to point out. You know, first off, if you go back to the story I wrote last week, you'll see that the personnel expert types that we spoke to cannot recall a time that a nominee was sunk by any personal debt. You know, maybe questioned about it, but not sunk by it. And it seems to have come out of nowhere as this issue for her specifically. And I think that's part of what makes people skeptical about it, combined with the fact that she was doing a good job, and makes people think there's something else going on.

Dave Bittner: Will she stay on with the agency?

Tim Starks: Yeah, my understanding is that she's staying on indefinitely as the acting director. But what happens after that, once Harry Coker's nomination advances, I would probably expect her to leave, but I don't think we have word on that yet.

Dave Bittner: All right. Well, Tim Starks is the author of the Cybersecurity 202 at the Washington Post. Tim, thanks for joining us.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Urban and Senior Producer Jennifer Eiben. Our mixer is Trey Hester, with original music by Elliot Peltzman. The show was written by our editorial staff. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.