
US Treasury targets darknet kingpin.
US Treasury Department sanctions Iranian national accused of running the Nemesis criminal marketplace. Hunters International threatens to leak data stolen from Tata Technologies. Apple challenges U.K.’s iCloud encryption backdoor order. UK competition regulator says no investigation into Microsoft's OpenAI partnership. Stealthy malware campaign targets the UAE's aviation and satellite industry. This week on our CertByte segment, N2K’s Chris Hare is joined by Troy McMillan to break down a question targeting the Cisco Certified Network Associate (CCNA) exam. And hackers hit the books.
Today is Wednesday, March 5th, 2024. I’m Maria Varmazis, host of N2K’s T-Minus Space Daily podcast in for Dave Bittner. And this is your CyberWire Intel Briefing. Thanks for joining us!
US Treasury Department sanctions Iranian national accused of running the Nemesis criminal marketplace.
The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned the administrator of the Nemesis darknet marketplace, which was shuttered by law enforcement last year. Treasury says Iranian national Behrouz Parsarad maintained full control of the marketplace and its illicit profits, pocketing millions of dollars while Nemesis was active.
Acting Under Secretary for Terrorism and Financial Intelligence Bradley T. Smith said in a press release, "As the administrator of the Nemesis darknet marketplace, Parsarad sought to build—and continues to try to re-establish—a safe haven to facilitate the production, sale, and shipment of illegal narcotics like fentanyl and other synthetic opioids. Treasury, in partnership with U.S. law enforcement, will use all available tools to dismantle these darknet marketplaces and hold accountable the individuals who oversee them."
Hunters International threatens to leak data stolen from Tata Technologies.
The Hunters International ransomware gang has claimed responsibility for an attack against Tata Technologies, a product engineering subsidiary of Indian auto manufacturing giant Tata Motors. The company disclosed in January that it had sustained a ransomware attack that affected some of its IT systems, SecurityWeek reports. The Hunters gang is threatening to publish 1.4 terabytes of stolen data if a ransom isn't paid by next week.
Hunters hasn't shared what the stolen data contains, and Tata hasn't commented on the gang's claims.
Apple challenges U.K.’s iCloud encryption backdoor order.
Apple has filed a legal complaint with the UK's Investigatory Powers Tribunal to challenge a government order demanding the creation of a backdoor into its encrypted iCloud systems. This order, issued under the Investigatory Powers Act of 2016, seeks access to data protected by Apple's Advanced Data Protection (ADP) encryption. In response, Apple has withdrawn ADP from the UK, arguing that such measures compromise user privacy and security. The case raises significant concerns about the balance between national security and individual privacy rights, with potential implications for global data protection standards.
UK competition regulator says no investigation into Microsoft's OpenAI partnership.
In other UK regulatory and big tech news, the UK's Competition and Markets Authority (CMA) has concluded its review of Microsoft's $13 billion investment in OpenAI, determining that the partnership does not warrant a formal merger investigation. The CMA found no evidence of Microsoft exercising "de facto control" over OpenAI, particularly in light of OpenAI's recent collaborations, such as the $100 billion AI infrastructure project "Stargate" with SoftBank, which reduces its reliance on Microsoft's computing infrastructure.
This decision comes amid increased regulatory scrutiny of AI-related partnerships, with the CMA also examining collaborations between other tech giants and AI startups, such as Amazon's investment in Anthropic.
Stealthy malware campaign targets the UAE's aviation and satellite industry.
Proofpoint has published a report on a highly targeted phishing campaign that targeted several aviation and satellite communications organizations in the United Arab Emirates, as well as critical transportation infrastructure. The threat actor, which Proofpoint tracks as "UNK_CraftyCamel," compromised an Indian electronics company that had a business relationship with the targets and used this access to send spearphishing emails tailored to each targeted entity. The emails were designed to deliver a custom Go backdoor, which Proofpoint has dubbed "Sosano."
The researchers note, "The campaign used polyglot files to obfuscate payload content, a technique that is relatively uncommon for espionage-motivated actors in Proofpoint telemetry and speaks to the desire of the operator to remain undetected."
Proofpoint doesn't attribute the campaign to any known threat actor, but notes that the TTPs overlap with previous operations tied to Iran's Islamic Revolutionary Guard Corps (IRGC).
Scammers impersonate ransomware gang via snail mail.
Scammers are imitating the BianLian ransomware gang and sending physical letters with fake ransom demands to C-suite employees in the US, BleepingComputer reports. The letters inform the recipient that their organization's data has been stolen and will be published if a ransom isn't paid within ten days. The letters contain a QR code leading to a Bitcoin wallet address, and recipients are instructed to pay up to $350,000.
GuidePoint Security, which is tracking the scam, assesses "with a high level of confidence" that the extortion demands are fake and are not tied to the BianLian gang. The security firm hasn't observed any evidence of intrusions at the targeted organizations, and the information in the letters is copied from BianLian's public websites.
Cryptocurrency investors beware of calls from fake police.
According to police in the UK, scammers are impersonating police officers to steal cryptocurrency from investors. Using personal information obtained from data leaks, they create fake Action Fraud reports and contact victims, claiming to investigate alleged fraud. Victims are then instructed to expect a call from their cryptocurrency wallet provider. Subsequently, a scammer posing as a security officer requests sensitive information, including the seed phrase of the victim's cryptocurrency wallet, enabling them to access and steal the funds. Kent Police reports that nine individuals have collectively lost £1 million to this scheme. Authorities advise against sharing personal details over the phone and recommend verifying the identity of callers claiming to be from law enforcement or financial institutions.
More connections between Black Basta and Cactus ransomware gangs.
Recent research has uncovered further links between the Black Basta and Cactus ransomware gangs, with members of both groups utilizing the same social engineering attacks and the BackConnect proxy malware for post-exploitation access to corporate networks. These shared tactics and tools suggest a potential overlap between the Black Basta and Cactus ransomware groups, indicating that they may be collaborating or sharing resources.
Coming up after our break, we’ve got our CertByte segment, and cybercriminals are studying court docs.
We’ve got our CertByte segment up next. N2K’s Chris Hare is joined by Troy McMillan to break down a question from N2K’s Cisco Certified Network Associate (CCNA 200-301) Practice Test.
Be sure to visit our show notes for links to the practice test and other helpful resources that Chris and Troy talked about.
Hackers hit the books.
Cybercriminals aren’t just launching attacks—they’re studying how law enforcement investigates them. A cybercrime investigator recently revealed that hackers use the U.S. court records system (PACER) to analyze legal cases, learning investigative tactics and adapting to avoid prosecution.
But PACER access is just one of law enforcement’s challenges. A major hurdle is the lack of standardized naming for hacker groups. Different cybersecurity firms use different labels for the same threat actors, making it harder to track and dismantle cybercriminal operations.
Jurisdictional red tape further complicates cyber investigations. With 40 federal agencies handling cybercrime, overlapping cases create inefficiencies. Unlike EUROPOL, which assigns dedicated personnel to cross-border cases, U.S. agencies rely on detailees who remain tied to their home organizations, often competing rather than collaborating.
The solution? Standardized threat intelligence, better coordination between agencies, and more flexible jurisdictional policies. Cybercrime knows no borders—law enforcement must evolve to keep up.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.