
A
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular, in one integrated solution that's built for performance and scale. You can find them at meter.com CST.
B
New details emerge of an alleged member of a notorious hacking group. Major Interpol operation takes down 45,000 malicious IPs. Medical firm Stryker Inc. insists its smart devices and online services are safe. And Poland says Iranian actors might be behind an attempted hack on a nuclear facility. This is Cybersecurity Today and I'm your host, David Shipley. Let's get started. We're now learning new details about the dramatic takedown of an alleged Canadian hacker tied to the Comm, a shadowy cybercrime group that has grown into a serious global threat. The hacker, known online as Waifu, was brought down after launching a vicious campaign of harassment and threats against a prominent cybersecurity researcher. But here's the ironic twist: that campaign was the very thing that led to his downfall, reports Kim Zetter for the MIT Technology Review. For more than a decade, Allison Nixon has been a force to be reckoned with in the world of cyber investigations. As chief research officer at Unit 221B, she's helped law enforcement arrest over two dozen members of the Comm, a loosely affiliated group of cybercriminals operating across North America and Europe. What sets the Comm apart isn't just the scale of their attacks, targeting massive companies like AT&T, Microsoft, Uber and others, or the millions they've stolen through crypto theft or extorted with ransomware. It's their unpredictability and willingness to blur the lines between the digital and physical worlds. Nixon has described the group as a, quote, cybercrime youth movement, end quote, made up of teens and twenty-somethings who thrive on the chaos. And their crimes are not just online. Members have been linked to horrifying real-world acts including swatting, as well as violent assaults. As Nixon puts it, quote, there's only so far that nation states like Russia or China are willing to go in their cyber operations. That doesn't stop the Comm, end quote.
Their combination of technical skill, lack of fear and ego-driven motivations makes the Comm uniquely dangerous. Nixon's work taking down members of the Comm wasn't without risk, and in 2024 that risk caught up with her. It all started in April of that year, when Nixon became the target of a vile campaign of threats and harassment. Waifu, along with his associates, posted violent death threats on Telegram and Discord. One post chillingly read, quote, Allison Nixon is going to get necklaced with a tire filled with gasoline, end quote. If that weren't enough, AI-generated sexually explicit images of her were also shared online, a clear attempt to intimidate and discredit her. The harassment campaign came after Waifu and his crew had just pulled off a massive hack, stealing over 50 billion call logs from AT&T's cloud provider. Among the stolen data were call records of FBI agents, and the attackers may have used this information to identify Nixon's phone number, calling attention to themselves. Why? Waifu's group not only extorted $400,000 from the telecom giant, they also attempted to re-extort them. They even tagged the FBI in social media posts. It was a move that Nixon later described as, quote, begging to be investigated, end quote. Using her signature investigative techniques, Nixon began connecting the dots. By July 2024, she had unmasked Waifu, who she says is Connor Riley Moucka, a 25-year-old high school dropout living in Ontario. Nixon says Moucka had a history of using his hacking skills for cybercrime, and his ego and carelessness led him to make crucial mistakes, mistakes she was quick to exploit. By October, the Royal Canadian Mounted Police had raided his home and arrested him. Moucka now faces nearly two dozen charges in the United States, including extortion, wire fraud and unauthorized computer access. None of these charges have been proven in a court of law. But the story doesn't end there.
Nixon continues to face threats from other Comm members, and she remains firm in her resolve. As she puts it, quote, the group continues to persist in their nonsense and they're getting taken out one by one. I'm just going to keep doing that until there's no one left on their side, end quote. Nixon's story is a testament to the power of perseverance and the critical role cybersecurity researchers play in holding even the most brazen criminals accountable. Speaking of success stories involving private cybersecurity researchers as well as police: 45,000 malicious IPs taken down, 94 arrests made, and 72 countries united in one mission. This wasn't the plot of the latest Hollywood cyber thriller. It was Operation Synergia 3, one of the largest international crackdowns on cybercrime in history. Coordinated by Interpol, the six-month operation targeted the very infrastructure that powers ransomware, phishing and malware attacks worldwide. Law enforcement agencies across multiple continents, working with private cybersecurity titans like Group-IB, Trend Micro and more, brought them down. Together, they disabled tens of thousands of malicious IP addresses and command-and-control servers and struck at the heart of global cybercrime networks. The operation exposed a staggering array of schemes. In Macau, over 33,000 phishing websites were neutralized, sites that had been tricking victims into handing over sensitive information by impersonating banks, government services and even online casinos. In Bangladesh, 40 suspects were taken into custody, along with 134 devices used for financial scams, identity theft and phishing. In Togo, a 10-person fraud ring was dismantled. Their tactics: a chilling combination of technical hacking and social engineering. They hacked social media accounts, impersonated victims and launched elaborate romance scams and extortion campaigns. Their goals were exploiting the trust of unsuspecting victims for money and power.
As Neal Jetton, Interpol's director of the Cybercrime Directorate, put it, quote, by working together, we're not just catching criminals, we're dismantling the very infrastructure that allows modern ransomware and financial fraud to thrive, end quote. In an age where cybercrime is growing more sophisticated and more destructive than ever before, the success of Operation Synergia 3 is a beacon of hope. It proves that when nations collaborate and partner with private sector players, they can strike at the very core of the criminal ecosystem. And from cybercrime we now turn to an update on Iranian-linked hacking activity as a result of the ongoing war in the Middle East. Stryker, one of the world's largest medical technology companies, is still grappling with the aftermath of a devastating cyber attack that targeted its Microsoft corporate systems. Attackers are alleged to have used Microsoft's Intune tools to wipe over 200,000 devices, including personal phones, company laptops and servers. While the company says the incident has been contained and no ransomware or malware was detected, the ripple effects are being felt by customers across the globe. Here's the good news. Stryker insists that its connected medical devices, apps and services, including life-saving technologies like smart hospital beds, surgical systems and the care.ai platform, are safe to use. According to updates from the company, these systems operate independently of the impacted Microsoft environment with their own separate security protocols. Stryker says there are no vulnerabilities or risks to the safety of patients. But despite these reassurances, some customers remain concerned. After all, Stryker's platforms play a critical role in hospitals and healthcare facilities worldwide. Products like the Vocera Voice and Engage systems, as well as SurgiCount and Triton devices, are essential to patient care, and any hint of potential risks raises alarms.
Stryker has responded by ramping up security scans, reviewing access controls and increasing real-time monitoring to safeguard its cloud-based systems hosted in AWS and Google Cloud Platform. While the safety of its products has been confirmed by the company, Stryker's business operations remain disrupted. Electronic ordering systems are still offline following the attack last Wednesday, creating challenges for customers who rely on seamless ordering and shipping processes. The company has activated its business continuity plans, with local sales representatives stepping in to manually process orders and work directly with distributors. Orders placed before the disruption are being reconciled as systems are restored, and any electronic orders placed during the outage will be processed once operations are fully back online. Stryker has acknowledged these disruptions and is working closely, it says, with its global manufacturing sites to mitigate delays. Additional shifts and personnel have been deployed to address any backlogs. But for now, some healthcare providers are having to adapt their processes to ensure they receive the supplies they need. Stryker says its top priority is restoring systems that directly impact customers, like ordering and shipping. Comments on Reddit threads discussing the incident have highlighted potentially canceled procedures and anxiety about scheduled procedures that rely on specialized products from Stryker. The same user who said they were aware of canceled accounts also said some hospitals had restricted access for Stryker employees or confiscated Stryker employees' digital devices as a precaution. It's common for company reps to work closely with surgical teams on cases involving specialized equipment in the operating room. While the company says it is making steady progress, it's clear they still have a long road ahead to regain full operational capacity and, perhaps even more importantly, fully restore the trust of their customers.
For healthcare providers, the stakes couldn't be higher as Stryker works to bring its systems back online. Hospitals and clinics are relying on clear communications and transparency to ensure patient care disruptions are avoided as much as possible. Meanwhile, cybersecurity professionals are still waiting for more details on the exact nature of the potential abuse of Stryker's Microsoft environment and specifically the Intune device management service. A number of high-profile chief information security officers have posted instructions on LinkedIn over the past few days on how to enable multi admin approval for Intune actions. We've included a link to the instructions from Microsoft about this setup in our show notes. And as a side note for Microsoft, it might be a real good idea to make multi admin approval the default setting given this painful example, at least for large enterprise customers. Meanwhile, in other war-related news, Iran's Internet connectivity continues to be restricted, entering its 16th day with only a few state-approved actors getting online and reports now of arrests of Iranians trying to work around the blockade with Starlink equipment. Iranian hackers have also claimed to have compromised Israel's rail network. Israeli officials have said all the hackers managed to do was get into some screens used for advertising. More concerning for Israeli officials are hundreds of compromised security cameras that Iranian-linked hackers may have access to. This kind of intelligence can be used to aid in missile attack targeting and post-strike analysis. Finally, there's a more concerning alleged Iranian hack attempt against a Polish nuclear facility. Polish authorities say they thwarted an attack on their National Centre for Nuclear Research, and early investigations suggest it may have originated from Iran. But officials are urging caution, warning that the evidence could be an attempt to misdirect investigators and conceal the true source of the attack.
The announcements came from Poland's Minister for Digital Affairs, who told TVN24 that the attack happened just days ago. While the breach was not large-scale, the minister confirmed the attackers attempted to break through the centre's security systems. Fortunately, the attempt was caught and stopped, and appropriate services are now investigating the incident. The National Centre for Nuclear Research in Poland focuses on nuclear energy and subatomic physics research, playing a key role in the country's emerging nuclear power ambitions. Poland does not possess nuclear weapons, but is building its first nuclear power plant, raising the stakes for protecting its critical infrastructure. So why Iran? According to the minister, early analysis of the attack's entry point had linked the vectors to Iranian territory. However, he emphasized the need for further verification, pointing out that such indicators could easily be manipulated by attackers to mislead investigators. Iranian officials have yet to comment, but the attack comes against a backdrop of escalating cyber tensions, and Poland has been a frequent target of cyberattacks since Russia's full-scale invasion of Ukraine in 2022, with many incidents attributed to Russian hackers. Though Moscow has consistently denied its involvement, the possibility of misdirection in this latest attack raises questions about whether another actor could be attempting to sow confusion or exploit the tensions in the Middle East. This incident is a stark reminder of the evolving nature of cyber threats, especially when it comes to critical infrastructure like nuclear research and energy facilities. Whether or not Iran is confirmed to be the source, it's clear cyberattacks are increasingly being used as tools of influence and disruption as investigations continue.
Poland's ability to detect and stop this attack is an encouraging sign of resilience, but the question remains: how many more attempts like this are happening behind the scenes in other countries, and how prepared are other nations to defend against them? This was Cybersecurity Today for Monday, March 16th. I've been your host, David Shipley. Thanks for listening and thank you for your continued support. On the weekend we hit a new milestone, reaching number three on the Apple Podcast Tech News rankings for Canada and number seven in the U.S. Thanks for continuing to share the podcast with others, leaving reviews and ratings. We'd love to reach even more people and we continue to need your help. Stay safe out there, and if you use Microsoft Intune, today's a great day to enable multi admin approval if you don't have it already.
A
We'd like to thank Meter for their support in bringing you the podcast. Meter delivers full-stack networking infrastructure, wired, wireless and cellular, to leading enterprises. Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware, the firmware, build the software, manage deployments and even run support. It's a single integrated solution that scales from branch offices, warehouses and large campuses all the way to data centers. Book a demo at meter.com CST. That's M-E-T-E-R dot com CST.
Episode Title: Notorious Hacker Group "The Comm," Operation Synergia Takedown, Stryker Cyberattack Update & More
Host: David Shipley
Date: March 16, 2026
Podcast Description: Bringing listeners up to speed on critical cybersecurity developments, including major attack campaign updates, data breach disclosures, and practical security insights for businesses.
This episode explores the evolving landscape of cybersecurity threats and resilience, focusing on the takedown of a high-profile hacker from the group "The Comm," a massive international law enforcement operation disrupting cybercrime infrastructure, a major cyberattack affecting the medical technology giant Stryker, and suspected Iranian hacking activity against critical targets in Israel and Poland. Host David Shipley weaves these stories into lessons on persistence, cross-border collaboration, and the shifting tactics of cyber adversaries.
“The group continues to persist in their nonsense and they’re getting taken out one by one. I’m just going to keep doing that until there’s no one left on their side.” (05:35)
“A cybercrime youth movement... [they] thrive on the chaos.” (01:07)
“There’s only so far that nation states like Russia or China are willing to go in their cyber operations. That doesn’t stop the Comm.” (01:33)
“By working together, we’re not just catching criminals, we’re dismantling the very infrastructure that allows modern ransomware and financial fraud to thrive.” (08:15)
“It might be a real good idea to make multi admin approval the default setting given this painful example, at least for large enterprise customers.” (13:44)
“This incident is a stark reminder of the evolving nature of cyber threats, especially when it comes to critical infrastructure like nuclear research and energy facilities.” (15:40)
On investigator perseverance:
“Nixon’s story is a testament to the power of perseverance and the critical role cybersecurity researchers play in holding even the most brazen criminals accountable.” (06:20)
On the necessity of international cooperation:
“The success of Operation Synergia 3 is a beacon of hope. It proves that when nations collaborate and partner with private sector players, they can strike at the very core of the criminal ecosystem.” (09:05)
Security best practice reminder:
“…if you use Microsoft Intune, today’s a great day to enable multi admin approval. If you don't have it already…” (16:44)
This episode of Cybersecurity Today highlights the multifaceted nature of modern cyber threats—from the audacious actions of youth-driven groups like The Comm, to nation-state level intrigue affecting critical infrastructure, and the cascading business impacts of targeted attacks on key health sector players. Tireless security defenders, strong public-private partnerships, and vigilance in adopting best practices are recurring themes—delivered in a tone that is both urgent and hopeful.