CyberWire Daily – "FBI Botnet Cleanup Backfires"

Date: September 15, 2025
Host: Dave Bittner (N2K Networks)
Guest: Tim Starks (Senior Reporter, CyberScoop)

Episode Overview

This episode explores the complexities and unintended consequences in cybersecurity, beginning with the FBI's recent attempt to disrupt a massive botnet—a move that inadvertently unleashed new problems. The show further surveys major security news, from hacktivist data leaks in China to ransomware gang retirements, and features an in-depth interview with Tim Starks about shifting norms and strategies in offensive cyber operations. The episode closes with a look at a campus IoT hack that left students without access to laundromats.

Key Discussion Points & Insights

1. FBI Botnet Cleanup: When Disruption Backfires

[00:53–03:01]

• Summary: The FBI disrupted a major botnet, freeing about 95,000 hijacked devices. Rather than neutralizing the threat, this created opportunity for other cybercriminals.
• Key development: Rival botnet Isuru rapidly took over more than a quarter of the liberated devices.
• Consequence: Isuru launched unprecedented DDoS attacks, with Cloudflare reporting one peaking at 11.5 trillion bps—a world record.
• Analyst warning: Botnet takedowns may inadvertently expose devices for rapid exploitation by others.
• Theme: The “cleanup” highlights how connected devices can be weaponized faster than law enforcement can protect them.

2. Ransomware Gangs Announce 'Retirement'

[03:01–04:10]

• Groups Involved: 15 collectives, including Scattered Spider, Lapsus.
• Statement: Claimed their true mission was to “harden systems, not extort” and mockingly boasted of retiring on millions in stolen funds.
• Cynical take: Few experts believe these “retirements”; such groups are notorious for rebranding and continuing criminal operations.

3. China’s Great Firewall Breach

[04:11–05:01]

• Leak scope: Hacktivists, Enlace Hacktivista, released 600GB of operational/internal data from Gige Networks and MESA Lab.
• Content: Source code, internal docs, and details on censorship and surveillance exported to Belt and Road countries.
• Researcher caution: Files may contain malware, but they offer rare insight into China's censorship infrastructure.
• Regulatory update: China is tightening incident reporting, requiring key breaches to be reported within an hour starting Nov 1.

4. DHS Mishandles Cyber Talent Program

[05:01–06:12]

• Inspector General report: DHS wasted over $100M on incentives to retain cyber experts at CISA.
• Key failures: Payments went to ineligible employees (over 240 with no cyber roles), and over 300 received erroneous back pay.
• Result: The mismanagement may worsen government cybersecurity attrition just as threats rise.

5. Malware Campaigns and Threat Actor Activity

a. “GPUGate” Malware

[06:13–07:16]

• Attack method: Google Ads and GitHub lookalikes to trick IT pros into downloading an MSI posing as GitHub Desktop.
• Evasion: Used dummy files plus a novel GPU-based decryption routine—payload activates only with a physical GPU, skirting most sandboxes.
• Impact: Targeted Western Europe; likely Russian operators; goals included credential theft and ransomware.

b. White Cobra Extension Attacks

[07:17–08:09]

• Attack: 24 malicious VS Code extensions uploaded, draining crypto wallets (notably Ethereum developer Zach Cole).
• Exposure: Lax extension vetting; packages appeared legitimate with pro design and tens of thousands of downloads.

c. North Korea’s Kimsuki Group Uses AI Deepfakes

[08:10–08:55]

• Phishing: AI-generated fake South Korean military IDs attached to emails, with deepfake images used as social engineering bait.
• Targets: Researchers, journalists, and activists related to North Korea.
• Innovation: Prompt injection used to sidestep AI content safeguards.

6. Cybersecurity Business Activity

[08:56–10:20]

• Notable deals:
  • Mitsubishi Electric to acquire Nozomi Networks ($883M).
  • SentinelOne acquires Observo AI ($225M).
  • Multiple smaller M&As in US, Europe, Israel.
• Investments:
  • ID.me ($340M), IQM Quantum ($320M), Shift 5 ($75M).
• Trend: Sector consolidation accelerates, with growing focus on AI-driven security for critical infrastructure.

Feature Interview: Tim Starks on “Offensive Cyber”

Context:

Tim Starks (Senior Reporter, CyberScoop) unpacks government and private sector approaches to offensive cyber operations, the ethics and legality of hacking back, and shifting cyber norms.

Segment Timestamps: [15:42–27:16]

What Is ‘Offensive Cyber’?

• Private Sector:
  • Google’s new Disruption Unit: Not fully defined, but sits between ‘active defense’ and offensive action, potentially including court-ordered infrastructure takedowns and recovering assets from criminals.
• Public Sector:
  • Officials argue for ‘rebalancing’ risk away from victims/companies and toward attackers, making it “less about the victims and more about the villains.”
  • Quote ([16:54], Starks):

    "There was a broader discussion... is the private sector capable of doing this? Does it have the ability?"

Legality: Is 'Hacking Back' Legal?

• Short answer: No.
• Law: The Computer Fraud and Abuse Act prohibits it.
• Attempts at legislation: Proposals to authorize ‘hacking back’ or ‘Letters of Marque’ (privateers for cyber) have stalled in Congress.
• Quote ([18:10], Starks):

  "If you're literally going to go into an organization or companies, even governments, you're basically... running risks of being arrested under the federal anti-hacking law."

• Panel consensus: Even with potential legislative carve-outs, most cybersecurity firms don’t want to go near officially sanctioned offensive hacking.

Public-Private Partnerships

• Possibility: Federal agencies may contract specialized private companies, but market/law barriers and ethical concerns abound.
• Quote ([20:18], Starks):

  "Perhaps what you could see the private sector contributing would be just private sector, good old fashioned capitalist innovation... if they could somehow innovate in that field, that would be something that could really help the federal government."

Shifting the 'Risk Burden'

• Policy evolution:
  • Biden’s strategy shifted cyber risk from end users toward manufacturers.
  • New thinking (NSC perspective): Shift risk further onto attackers via greater offensive action.
  • Starks notes the ongoing debate between offense (deterrence) and defense (resilience).
• Quote ([21:54], Starks):

  "We need to shift the risk to yet a different place—that is, to the attacker. So that means going more on cyber offense. But... it's not the only tool in the toolbox."

Setting Red Lines and the Challenge of Norms

• No clear US red lines: Lack of explicit “if you do X, we do Y” policies.
• Pros & cons:
  • Ambiguity can deter; but defined lines can clarify consequences.
  • Norms regularly shift, are often ignored by attackers.
• Quote ([26:15], Starks):

  "The United States has never drawn in any very specific way what we call red lines in cyberspace... Some people think it's a good idea, some a bad idea."

Memorable Analogy

• Starks ([23:54]):

  "An example... might be from 2018, they went into the Russian troll farm... shut down their operations for a while. So that's a little bit like the drone strike you're talking about."

Notable Quotes & Memorable Moments

• On rapid botnet counter-weaponization ([02:30]):
  "What began as an FBI success has turned into a dangerous escalation, highlighting how today's Internet connected devices can be weaponized faster than law enforcement can neutralize them." — Dave Bittner

• On ransomware gang retirements ([03:50]):
  "If this sounds like a heartfelt farewell, don't bet on it. Cybercrime groups are notorious for rebranding, and few believe these attackers are hanging up their keyboards." — Dave Bittner

• On AI's effect on phishing attacks ([08:40]): "The campaign marks an evolution of Kim Suki's earlier click fix phishing attacks, showing how deepfake technology can enhance the credibility of social engineering attempts." — Dave Bittner

• On uncertainty in cyber policy ([26:56]): "What norms we do have are somewhat constantly shifting." — Tim Starks

Other Highlights and Threats

• GPUGate malware: Uses GPU-based anti-analysis.
• Crypto extension threats: Over 54k downloads before discovery.
• China breach: Offers rare insight into censorship infrastructure.
• IoT hack at Amsterdam's Spinoza campus ([28:51]):

  "IoT hacks usually fuel botnets or ad fraud, this one left students wringing out socks by hand, proof that cyber mischief can hit right at the fabric of daily life." — Dave Bittner

Important Timestamps

• 00:53: FBI botnet disruption fallout
• 03:01: Ransomware gangs 'retire'
• 04:11: China Great Firewall leak
• 05:01: DHS cyber talent report
• 06:13: GPUGate malware campaign
• 08:10: KimSuki AI phishing
• 08:56: Security business brief
• 15:42: Tim Starks interview
• 21:54: Shifting risk burden discussion
• 23:54: ‘Drone strike’ analogies
• 26:15: US and cyber “red lines”
• 28:51: Amsterdam student laundry IoT hack

Conclusion

This episode underscores the complexities of fighting cybercrime, from botnet whack-a-mole to the blurred line between defense and offense. As Tim Starks notes, “the norms are not established,” and the cyber chessboard is constantly shifting—leaving policymakers, businesses, and users alike to adapt in real-time.

For further reading and daily briefings, visit thecyberwire.com.