The CyberWire Daily Podcast 3.19.24
Ep 2027 | 3.19.24

SIM swap scammer pleads guilty.


A SIM-swapper faces prison and fines. Here come the class action suits against UnitedHealth Group. Aviation and Aerospace find themselves in the cyber crosshairs. A major mortgage lender suffers a major data breach. A look at election misinformation. The UK shares guidance on migrating SCADA systems to the cloud. Collaborative efforts to contain Smoke Loader. Trend Micro uncovers Earth Krahang. Troy Hunt weighs in on the alleged AT&T data breach. Ben Yelin unpacks the case between OpenAI and the New York Times. And fool me once, shame on you…

Today is March 19th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A SIM-swapper faces prison and fines. 

Jonathan Katz, a 42-year-old former telecommunications store manager from Marlton, New Jersey, pleaded guilty to participating in a scheme involving unauthorized SIM swaps. Katz admitted to using his managerial credentials to access customer accounts and swap their Subscriber Identity Module (SIM) numbers to devices controlled by an accomplice, who compensated Katz with Bitcoin for the swaps. This enabled the accomplice to take over the victims' phones and access their emails, social media, and cryptocurrency accounts. The plea was entered in Camden federal court on March 12, 2024, before Chief U.S. District Judge Renée Marie Bumb. Katz now faces a maximum sentence of five years in prison and a fine up to $250,000 or double the monetary gain or loss from the crime. Sentencing is scheduled for July 16, 2024. 

Here come the class action suits against UnitedHealth Group. 

Advanced Obstetrics & Gynecology PC in Mississippi has filed a class action lawsuit against UnitedHealth Group, alleging disruptions from a cyberattack on Change Healthcare have delayed claims processing, threatening bankruptcy for medical providers. The complaint, filed on March 14, represents all U.S. medical providers affected by the February 21 cyberattack's fallout. The lawsuit claims the attack has prevented payments for services, risking the financial stability of healthcare providers, including the plaintiff, who has missed approximately $132,700 in payments as of March 14. The legal action accuses Change Healthcare of failing to secure its systems adequately, leading to widespread service disconnections. While UnitedHealth Group asserts the attack was limited to Change Healthcare's IT systems, the lawsuit highlights the broader implications for healthcare providers reliant on timely claim payments. The incident reflects the critical need for robust cybersecurity measures within healthcare IT infrastructure and raises questions about liability and protection against cyber-induced operational disruptions.

Aviation and Aerospace find themselves in the cyber crosshairs.

The aviation and aerospace sectors are fighting increased attention from cyber attackers. T-minus host Maria Varmazis has the story. 

Be sure to check out the t-Minus daily space podcast wherever you get your podcasts. 

A major mortgage lender suffers a major data breach. 

Nations Direct Mortgage reported a data breach in December 2023 affecting over 83,000 individuals, exposing personal details such as names, addresses, Social Security numbers, and loan numbers. Although the breach, detected on December 30, allowed unauthorized system access, there's no evidence of data removal or misuse. The company says they’ve contained the incident and notified authorities, and is offering free identity monitoring services to those impacted. It also faces a class action lawsuit related to the breach. This incident adds Nations Direct to the list of major US financial services firms experiencing security breaches recently, alongside Fidelity National Financial, First American, LoanDepot, Mr. Cooper, and Prudential Financial. Nations Direct is a significant mortgage lender in the US, approved by Fannie Mae and Freddie Mac.

A look at election misinformation. 

Rik Ferguson is the Vice President of Security Intelligence at Forescout, and in a piece published by SecurityWeek, he outlines the escalating challenge of AI-driven disinformation, particularly in the context of political campaigns. Ferguson warns that the issues observed during the 2020 U.S. Presidential election may pale in comparison to what future elections could face. The advancement of artificial intelligence (AI) and analytics has the potential to accelerate the creation, dissemination, and impact of disinformation. To combat this, an understanding of AI's role in disinformation is crucial.

The report breaks down an AI-driven disinformation campaign into four key steps:

Reconnaissance: AI is utilized to mine data, analyze sentiment, and conduct predictive analytics to find leverage points for creating viral content, targeting specific issues, groups, and individuals.

Content Creation: Generative AI enables rapid production of realistic-looking content across various media and languages, raising concerns about the convincing nature of AI-generated disinformation compared to human-created content.

Amplification: AI and analytics power the creation of seemingly authentic online personas to spread and boost disinformation across social media platforms, making campaigns appear more genuine and widespread than ever before.

Actualization: Continuous refinement of content and strategy is achieved by analyzing feedback from the campaign's reach and engagement, allowing for more targeted and effective disinformation efforts.

Furgesen emphasizes the urgent need for security teams to proactively address these AI-powered disinformation tactics. Strategies such as "pre-bunking" are highlighted as essential to psychologically prepare the public for disinformation impacts, suggesting a focused approach for security teams to mitigate the advancing tactics of malicious actors ahead of significant events like the 2024 election cycle.

Meanwhile, YouTube has introduced a policy requiring users to disclose the use of synthetic media or generative AI in videos that alter reality in a realistic manner, like falsifying events or swapping faces, to combat AI-generated misinformation ahead of the US presidential election. However, the policy exempts AI-generated animations targeting children and minor aesthetic AI enhancements from this disclosure requirement. This decision allows content creators to produce and upload animated content for children without revealing the use of AI, raising concerns about the quality and authenticity of such videos. YouTube's move aims to address the spread of misleading AI-generated content while also acknowledging challenges in moderating children's content. The platform's history of struggles with moderating content for kids is noted by critics, alongside the potential for AI tools to exacerbate these issues by facilitating the rapid production of low-quality videos.

The UK shares guidance on migrating SCADA systems to the cloud.

The UK's National Cyber Security Centre (NCSC) has released guidance for organizations considering the migration of their supervisory control and data acquisition (SCADA) systems to the cloud. Recognizing SCADA's critical role in infrastructure and its vulnerability to cyber-attacks, the guidance aims to navigate both the benefits and challenges of such a transition. It highlights fundamental changes in management, security, and connectivity, emphasizing the need for enhanced cybersecurity policies, skills, and consideration of shared services' impact on security. The guide also discusses the suitability of technology for cloud migration, architectural considerations, and the potential risks of increased attack exposure due to internet connectivity. Experts advocate for a zero-trust approach to improve cyber-resilience in light of these migrations.

Collaborative efforts to contain Smoke Loader. 

Palo Alto Networks' Unit 42 reports on a collaboration with Ukraine in combating Smoke Loader, also known as Dofoil or Sharik, a malware targeting Windows systems. Originating from Russian cybercrime circles since 2011, it functions primarily as a loader with information-stealing capabilities. Ukrainian financial and governmental sectors are increasingly targeted by Smoke Loader through phishing emails, indicating a concerted effort to disrupt operations and steal data. 

Trend Micro uncovers Earth Krahang. 

Researchers from Trend Micro have uncovered a significant Chinese cyber-espionage campaign called Earth Krahang that's possibly linked to the obscure  cybersecurity firm I-Soon. This campaign shares multiple connections with the Earth Lusca group, suspected to be I-Soon's penetration team, a Chinese government contractor. The revelation came after a GitHub leak exposed I-Soon's internal structure, suggesting two separate penetration subgroups. Earth Krahang has targeted 116 organizations across 35 countries, compromising 70, mostly in Southeast Asia, including 48 government organizations with foreign affairs departments being a primary focus. The campaign utilizes government infrastructure for further attacks, hosting malicious payloads, and spear-phishing using compromised government emails. Tactics include VPN servers on compromised servers for access, brute-force attacks for email credentials, and cyber-espionage as the ultimate goal. Despite differences in initial attack backdoors, overlaps with Earth Lusca's infrastructure and malware suggest a connection between the two campaigns.

Troy Hunt weighs in on the alleged AT&T data breach. 

Troy Hunt takes a closer look at the breach of over 70 million records that online hackers say came from AT&T, but that AT&T themselves deny. The incident began back in 2021 when the data was put up for sale on a dark web forum, with the entire dataset now freely available online, magnifying the potential threat to individuals' privacy. Given AT&T's stance that the data did not come from their systems, this assertion of authenticity leaves researchers like Troy Hunt in a tricky position, trying to validate the breach without direct evidence from the supposed source.

Utilizing BleepingComputer's initial report as a starting point, Hunt embarked on a mission to verify the data's authenticity. Leveraging Have I Been Pwned (HIBP) allowed him to cross-reference the breach against 4.8 million subscribers, revealing that 153,000 of them were indeed present in this dataset. He reached out to a small sample of these individuals for verification, receiving confirmations of the data's accuracy, including sensitive details like social security numbers—some of which were decrypted, indicating a sophisticated level of access by the threat actors.

Hunt is convinced the dataset is real, although AT&T’s continued denials complicate his and other researchers' attempts to determine the breach’s original source. 


Ben Yelin, of University of Maryland’s Center for Health and Homeland Security and my Caveat cohost, takes a look at how “OpenAI says New York Times ‘hacked’ ChatGPT to build copyright lawsuit.”  


Fool me once, shame on you…

And finally, Ransomware groups, such as the Russian-speaking Akira, frequently threaten to publish stolen data on dark web leak sites to extort victims. However, publishing this data often proves challenging, and some victims never appear on these sites. Threat intelligence firm Kela reports that even after paying ransoms, victims rarely receive the promised outcomes, such as effective decryption tools or evidence of data deletion. Kela's report highlights that Akira has never been proven to sell stolen data and often fails to honor commitments, like deleting negotiation chats or providing functional decryptors. The report also notes that ransom demands typically range from 0.1% to 12% of a victim's annual revenue, with victims often negotiating significant discounts. Security experts advise against paying ransoms, recommending instead investment in preparation, such as robust backup and recovery systems and incident response plans.

Our hearts go out to any organization that finds themselves victims of these ransomware groups. It’s a no win situation, and puts you in the unenviable position of deciding whether to trust someone who just robbed you blind. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. You can email us at—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.