The CyberWire Daily Podcast 2.29.24
Ep 2014 | 2.29.24

Iran's cyber quest in Middle Eastern aerospace.


Iran-Linked Cyber-Espionage Targets Middle East's Aerospace and Defense. SpaceX is accused of limiting satellite internet for US troops. Savvy Seahorse' Floods the Net with Investment Scams. GUloader Malware draws on a crafty graphic attack vector. Repo confusion attacks persist. European consumer groups question Meta’s data collection options. Allegations of Russia targeting civilian critical infrastructure in Ukraine. Cisco patches high-severity flaws. The US puts a Canadian cyber firm on its Entity List. On the Threat Vector segment, we have a conversation between host David Moulton and Michael "Siko" Sikorski, Unit 42's CTO and VP of Engineering, discussing Unit 42's 2024 Incident Response Report. And the counter-productive messaging in anti-piracy campaigns.

Today is February 29th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing. Happy Leap Day? 

Iran-Linked Cyber-Espionage Targets Middle East's Aerospace and Defense. 

Security researchers have identified an ongoing cyber-espionage campaign targeting the aerospace, aviation, and defense industries in the Middle East, with indications of links to Iran. This operation, conducted by a group Mandiant tracks as UNC1549 and associated with the Iranian-linked Tortoiseshell, is focusing on Israel, the UAE, and possibly extending to Turkey, India, and Albania. The campaign, initiated around June 2022, employs unique malware to infiltrate entities, leveraging evasion techniques and Microsoft Azure cloud infrastructure for concealment. Two specific backdoors, MINIBIKE and MINIBUS, facilitate file exfiltration, command execution, and enhanced reconnaissance. MINIBIKE was detected between June 2022 and October 2023, while MINIBUS appeared from August 2023 to January. Additionally, a custom tunneler, LIGHTRAIL, was utilized to obscure malicious internet traffic. The potential involvement of Iran’s Islamic Revolutionary Guard Corps (IRGC), particularly noted for its support of Hamas as well as recent sanctions by the U.S. for cyberattacks, underscores the geopolitical implications of this cyber-espionage effort against defense-related targets amidst regional tensions.

SpaceX is accused of limiting satellite internet for US troops. 

SpaceX has a contract with the US government to provide satellite internet services for US troops overseas. As my N2K colleague Alice Caruth reports for the T-Minus podcast, some believe they are coming up short. 

That’s Alice Caruth from the N2K T-Minus daily space intelligence podcast. 

Savvy Seahorse' Floods the Net with Investment Scams. 

Researchers at Infoblox describe a threat actor named Savvy Seahorse that orchestrates sophisticated investment scams, leading to over $4.6 billion in losses in the US in 2023, according to the Federal Trade Commission. Using Facebook ads, Savvy Seahorse entices victims into fake investment platforms, spoofing major companies, and employs advanced tactics like fake ChatGPT and WhatsApp bots for personal information phishing. Targeting a wide array of language speakers but excluding Ukrainians, the actor ingeniously uses DNS CNAME records to distribute traffic and evade detection, managing a vast network of scam campaigns since August 2021. This technique, a first of its kind reported, showcases Savvy Seahorse's ability to dynamically control campaign visibility and IP addresses, complicating security efforts to track and mitigate their operations.

GUloader Malware draws on a crafty graphic attack vector.

A report from McAfee highlights a notable GUloader campaign that leverages malicious SVG email attachments. Utilizing polymorphic code and encryption, it dynamically changes its structure to evade antivirus and intrusion detection, enabling persistent network infiltration. This latest campaign triggers a complex infection chain involving ZIP files, WSF scripts, and PowerShell commands to connect with malicious domains and execute shellcode. This process, culminating in the injection of shellcode into legitimate processes for persistence and further malware deployment, exemplifies GUloader's versatility in delivering various malware types, underscoring its significant threat to both organizations and individuals.

Repo confusion attacks persist. 

A significant resurgence of repo confusion attacks has been detected by security firm Apiiro, affecting over 100,000 GitHub repositories by tricking developers into using malicious versions of repositories that mimic trusted ones. These attacks, which rely on human error rather than exploiting package managers, involve cloning existing repositories, embedding them with malware, and then massively forking and promoting them online. Once a developer uses these malicious repositories, the malware executes a series of obfuscations to deploy a payload that collects sensitive information, sending it to a command-and-control server. Despite GitHub's efforts to remove these forked repositories, the automated nature of the campaign allows thousands of malicious repos to persist, exploiting the vastness of GitHub and the difficulty in detecting such a small fraction of malicious content. Apiiro has highlighted the necessity of advanced malicious code detection systems, underscoring the ongoing vulnerability of the software supply chain to such sophisticated attacks.

European consumer groups question Meta’s data collection options. 

European consumer groups are leveraging data protection laws to challenge Meta's recent EU service changes. Consumer groups say Meta is offering users a "fake choice" between consenting to data collection or paying for ad-free subscriptions. This action, coordinated by the European Consumer Organisation (BEUC) and based on GDPR violations, argues that Meta's model infringes on principles like purpose limitation, data minimisation, and transparency. The complaints suggest Meta's consent-based data processing for advertising lacks a valid legal basis under GDPR. Meta, disputing these allegations, insists its approach aligns with GDPR, referencing European Court of Justice support for its subscription model. This legal confrontation follows Meta's history of EU regulatory challenges, including a record €1.2 billion GDPR fine. Despite these issues, Meta continues to thrive financially, emphasizing its advertising-driven revenue model in its financial disclosures.

Allegations of Russia targeting civilian critical infrastructure in Ukraine. 

Wired describes a report from the Conflict Observatory, an organization backed by the US government, that reveals over 200 instances of damage to Ukraine's power infrastructure by Russia, costing over $8 billion. The study, using satellite imagery and open-source data, confirms Russia's strategy of targeting civilian utilities to pressure Ukraine, marking potential war crimes. Despite challenges in documenting and verifying specific instances due to Ukrainian government restrictions on public information, the report highlights widespread attacks across 17 of Ukraine's 24 oblasts, affecting millions. The findings underscore the deliberate nature of these attacks, raising questions about their justification and military necessity. The documentation aims to support accountability and further investigation into violations of international law, with some Russian officials claiming the targeting of infrastructure as a legitimate military strategy, a stance that contrasts with international humanitarian principles.

Cisco patches high-severity flaws. 

Cisco released a security advisory detailing four vulnerabilities in its FXOS and NX-OS software, including two high-severity flaws. The first high-severity vulnerability allows a denial-of-service (DoS) attack due to a rate-limiter queue issue, impacting specific Nexus 3600 and 9500 series products. The second involves insufficient error checking when processing MPLS frames, affecting multiple Nexus series with MPLS configuration. Patches for these issues have been released. Cisco has not reported any exploitation of these vulnerabilities in the wild.

The US puts a Canadian cyber firm on its Entity List. 

The US government has placed Canadian firm Sandvine on its Entity List, banning trade with the company due to its provision of technology facilitating mass surveillance and censorship in Egypt. Sandvine, known for its deep packet inspection technology, was cited for aiding the Egyptian government in web monitoring and blocking content targeted at political figures and human rights activists. This action extends to Sandvine's operations across Canada, India, Japan, Malaysia, Sweden, and the UAE, preventing organizations from trading with them or supplying goods and technology. Additionally, China's Chengdu Beizhan Electronics was also added to the Entity List for its role in supporting China’s nuclear weapons program through acquisitions for the University of Electronic Science and Technology, which is already restricted.

Next up on the Threat Vector segment, host David Moulton of Palo Alto Networks’ Unit 42 talks with Michael "Siko" Sikorski about the Unit 42's 2024 Incident Response Report. There’s a link to the report in our show notes.


The counter-productive messaging in anti-piracy campaigns. 

And finally, our reverse psychology desk tells us about a study from the University of Portsmouth that found that intimidating anti-piracy messages actually increase piracy intentions among men by 18%, while decreasing them in women. Examining the effects of different anti-piracy campaigns, researchers discovered gender-specific responses, with threatening legal language or highlighting risks like viruses and identity theft leading to an increase in piracy behaviors among men, but a reduction among women. Educational messages about piracy's harms showed no impact on intentions of either gender. The study suggests anti-piracy strategies need to be tailored to avoid psychological reactance, particularly among men who may react against perceived threats to their freedom. 

I don’t know. We hate to generalize, but on a certain level this tracks. I can say for myself that I’ve known plenty of men who respond to “Don’t do that,” with, “Challenge accepted!”

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. You can email us at—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.