The CyberWire Daily Podcast 1.26.24
Ep 1991 | 1.26.24

A new purchase is cause for a call out.


Senator Wyden calls out the NSA for purchasing American’s internet records. Senators look to add IT and ICS environments to federal employee cyber competitions. The FTC asks big tech about their investments in AI. Turns out the GSA bought a bunch of Chinese security cameras. Akira ransomware claims a breach of Lush cosmetics. ESET reports on the Blackwood cyberespionage group. Wired looks at Predatory Sparrow. The U.S. stands firm on the United Nations Cybercrime Treaty. Our guest is Tony Surak from DataTribe, with insights on the state of venture capital in cyber. And a Trickbot gang member will be doing some time.

Today is January 26th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Senator Wyden calls out the NSA for purchasing American’s internet records.

U.S. Senator Ron Wyden has confirmed that the NSA is purchasing Americans' internet records, highlighting what he says is a significant privacy issue. Wyden criticized the intelligence community for legitimizing a data broker industry that operates in violation of Americans' privacy rights. These records can expose personal details, like mental health or medical faciluty visits. This practice, he argues, not only breaches privacy ethics but may also be illegal following a recent Federal Trade Commission (FTC) ruling requiring informed consent for data sales.

Highlighting a legal gray area, Wyden notes that data brokers and intelligence agencies have been covertly trading personal data. He criticizes app developers and advertisers for not disclosing their data sharing practices or seeking user consent.

Responding to these concerns, Wyden urges the Director of National Intelligence (DNI) Avril Haines to direct intelligence agencies to stop buying illegally obtained personal data. He also calls for compliance with the FTC's recent guidelines, which state that Americans must consent to their data being sold for national security purposes.

Wyden proposes three actions for intelligence agencies: conduct an inventory of purchased personal data, verify data sources against FTC standards, and purge data not meeting these standards, reporting any retained data to Congress and the public. This aligns with the DNI’s Senior Advisory Group's 2022 recommendations on managing commercially available information.

Senators look to add IT and ICS environments to federal employee cyber competitions.

The U.S. Homeland Security and Governmental Affairs Committee, led by Senators Gary Peters and Mike Braun, introduced a bipartisan bill to enhance federal cybersecurity training. This legislation aims to expand the President’s Cup Cybersecurity Competition to include skills in Operational Technology (OT) and Industrial Control Systems (ICS), vital for protecting critical infrastructure. Organized by the Cybersecurity and Infrastructure Security Agency (CISA), this national competition seeks to develop top cybersecurity talent in the federal workforce. The move responds to growing cybersecurity threats, particularly against crucial systems like those in the water utility sector. The initiative reflects a broader strategy to strengthen national cybersecurity defenses.

The FTC asks big tech about their investments in AI.

The U.S. Federal Trade Commission (FTC) has initiated an inquiry into the significant investments made by major tech companies in leading AI firms. The FTC's orders target Microsoft, Google, Amazon, OpenAI, and Anthropic, spurred by concerns that these investments may reinforce the dominance of these tech giants in the internet economy. Microsoft's substantial investment in OpenAI, known for ChatGPT, and its use of Microsoft's cloud computing, along with Amazon and Google's deals with Anthropic, a company focused on responsible AI, are under scrutiny.

FTC Chair Lina M. Khan emphasized the need to ensure healthy competition and innovation in AI, avoiding tactics that could distort these objectives. The inquiry, authorized under Section 6(b) of the FTC Act, seeks to understand the strategic rationale, competitive impact, and market dynamics of these investments and partnerships.

Turns out the GSA bought a bunch of Chinese security cameras.

The General Services Administration (GSA) was reported to have procured 150 Chinese-made cameras after receiving  misleading information, according to an inspector general report. This procurement, which contravenes a statute limiting federal agencies from buying Chinese products, highlights the challenges in keeping unauthorized foreign technologies out of U.S. federal systems. The complexity of global supply chains and the difficulty in vetting every component for security risks contribute to this issue. The inspector general recommended the GSA to dispose of these cameras and improve its procurement processes to prioritize secure and authorized technologies. The GSA has agreed with these recommendations, though it's unclear how many noncompliant cameras are still in use. 

Akira ransomware claims a breach of Lush cosmetics.

The Akira ransomware gang has claimed responsibility for a cybersecurity breach at British cosmetics company Lush, allegedly stealing 110 GB of data including personal documents like passport scans and company information related to accounting, finances, and clients. There is no evidence of customer data exposure. Akira, known for its extortion tactics, has threatened to publish the stolen data. The group, which emerged in early 2023, is notorious for targeting organizations across the UK, Australia, and North America, and is linked to the defunct Conti ransomware operation. Lush acknowledged the incident, working with forensic experts and taking immediate security measures. Akira’s tactics often involve exploiting vulnerabilities in remote access tools, underscoring the importance of timely patching and multifactor authentication. 

ESET reports on the Blackwood cyberespionage group. 

The cyberespionage group Blackwood, active since at least 2018, has been covertly targeting organizations and individuals in China and Japan. According to cybersecurity firm ESET, Blackwood uses adversary-in-the-middle (AitM) attacks to deploy the sophisticated NSPX30 implant through updates of legitimate software like Sogou Pinyin, Tencent QQ, and WPS Office. This implant, which includes a backdoor and other malicious components, is adept at concealing its command-and-control communications.

Blackwood's targets include individuals linked to a British research university and various businesses in China and Japan. 

ESET's findings suggest that Blackwood has a sophisticated operational capability, including the ability to deploy backdoors remotely and exfiltrate data effectively.

Wired looks at Predatory Sparrow.

Wired takes a closer look at the Predatory Sparrow hacker group that has been targeting Iran with disruptive cyberattacks for years, focusing on civilian infrastructure. One of their most notable attacks was on the Khouzestan steel mill in Iran. Despite Predatory Sparrow’s claim of caution, the attack endangered workers, causing a spill of molten steel and fire. Predatory Sparrow has also disrupted Iran's railway system and gas station payment systems, causing widespread inconvenience. Their tactics suggest high technical proficiency, possibly indicating government or military backing. Analysts believe Predatory Sparrow aims to demonstrate a capability to disrupt Iranian society in response to Iran's aggression. The group's actions, including sophisticated malware deployment and strategic targeting, highlight its role in the ongoing geopolitical tensions between Iran and its adversaries.

The U.S. stands firm on the United Nations Cybercrime Treaty.

As final negotiations wrap up, the U.S. is pushing for a narrower United Nations Cybercrime Treaty, focusing on 'cyber-dependent' crimes rather than a broader range of tech-enabled offenses, differing from Russia and China's preference for a wider scope. The U.S. emphasizes human rights protections and collaboration in law enforcement, countering concerns that the current draft could criminalize cybersecurity research and impact data privacy. Critics, including tech firms and human rights groups, call for significant revisions to align the treaty with human rights standards. The U.S., part of the Budapest Convention, seeks a treaty focused on serious cybercrimes and maintains that existing draft provisions adequately cover cybersecurity research. The U.S. aims to prevent the misuse of the treaty for controlling information and insists on safeguarding human rights in the final agreement.


Next up, we’ve got my conversation with Tony Surak from DataTribe about the current state of the VC cyber market.


A Trickbot gang member will be doing some time. 

And finally, Vladimir Dunaev, a former developer for the Trickbot cybercrime gang, was sentenced to five years and four months in a U.S. prison for his involvement in deploying ransomware and malware, which caused significant financial damage to American hospitals and businesses. Dunaev pleaded guilty to charges of conspiracy to commit computer and wire fraud. He played a key role in Trickbot's operations from June 2016 to June 2021, included developing browser modifications to steal credentials, managing servers, encrypting malware, and laundering stolen funds. The Trickbot gang is responsible for extorting at least $180 million globally, using the Trickbot malware initially as a banking Trojan before evolving it into a versatile malware-as-a-service platform. The dismantling of Trickbot in 2022 marked the end of its operations, although many of its developers have since engaged in other criminal activities. The U.S. and UK have sanctioned several individuals associated with Trickbot and related ransomware.

Dunaev was extradited from South Korea. To quote the Register’s coverage of his initial arrest, “Redactions in Dunaev's indictment document black out the names of other defendants, suggesting more of the Trickbot gang has been identified. Among those mentioned but not named is one gang member whose job title was "Malware Manager" – just imagine having that on your business card.”

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


Most recently, in the Tech News category we have been sitting in the number two position, right behind the Wall Street Journal. Hey, it’s great to even be in the top ten, let alone number two. But man, it sure would be great to be number one.

So, please, help us out. Keep on downloading those episodes, sharing on social media and recommending the CyberWire to your friends and colleagues. We can do this together! And thanks. 

We’d love to know what you think of this podcast. You can email us at—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at


This episode was produced by Liz Irvin. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.