CyberWire Daily: Federal Agencies in Power Struggle Crossfire
Release Date: February 3, 2025
Host: Dave Bittner
Guest: Tim Starks, Senior Reporter at Cyberscoop
1. Federal Agencies in Turmoil
The episode opens with a deep dive into the escalating power struggle within U.S. federal agencies. Elon Musk’s task force has initiated a controversial takeover of critical government operations, sparking chaos and uncertainty. The U.S. Agency for International Development (USAID) is at the center of this upheaval as President Trump pushes to significantly reduce foreign aid and restructure federal agencies.
- Leadership Shakeup: Two top security officials at USAID, John Voorhees and Brian McGill, were placed on administrative leave after denying Elon Musk’s team access to classified systems. Additionally, USAID's Chief of Staff, Matt Hopson, resigned amidst the turmoil.
- Musk’s Criticism: Elon Musk, leading the Department of Government Efficiency (DOGE), has publicly labeled USAID a "criminal organization" and advocated for its shutdown. His influence extends to the Office of Personnel Management (OPM), where his appointees have restricted career civil servants' access to essential databases containing sensitive employee data.
- Worker Protests and Cybersecurity Concerns: Federal employees have protested outside OPM offices, accusing Musk’s team of orchestrating a hostile takeover. Concurrently, an unsecured email system at OPM was exploited in a massive spam attack, highlighting the vulnerabilities exposed by the abrupt transition.
- Implications for National Security: The restructuring has national security ramifications, particularly with agencies like the Cybersecurity and Infrastructure Security Agency (CISA) being excluded from buyout offers. This exclusion raises alarms about the future security landscape under Musk’s reorganization.
Notable Quote:
"[14:50] Tim Starks: ... his influence extends to the Office of Personnel Management, where his appointees have locked out career civil servants from critical personnel databases containing sensitive government employee data."
2. Evolution of XeGroup: From Skimming to Zero-Day Exploitation
XeGroup, a notorious cybercriminal organization, has transitioned its operations from traditional credit card skimming to exploiting zero-day vulnerabilities, posing significant threats to global supply chains.
- Operational Shift: Initially targeting e-commerce platforms, XeGroup has expanded its focus to infiltrating the manufacturing and distribution sectors. By 2024, the group was exploiting two vulnerabilities in VeraCore, a supply chain management product: an upload validation flaw and a SQL injection vulnerability. Together these gave the attackers data exfiltration and persistent access.
- Sophistication in Attacks: The group has demonstrated strategic patience by reactivating a web shell planted in 2020, utilizing customized web shells and PowerShell-based payloads to automate long-term infiltration efforts.
- Attribution: While researchers suspect XeGroup operates from Vietnam, its minimal operational security suggests the group is unlikely to be state-sponsored.
3. WhatsApp Disrupts Zero-Click Spyware Attack
WhatsApp has successfully identified and disrupted a zero-click spyware attack linked to the Israeli firm Paragon, targeting nearly 100 journalists, activists, and civil society members globally.
- Mechanism of Attack: The spyware required no user interaction, making it exceptionally dangerous. It had capabilities to access messages, activate microphones, and steal passwords.
- Collaborative Response: Upon detection, WhatsApp collaborated with Citizen Lab to analyze the breach and alert affected users. Victims, including Italian journalist Francesco Cancellato, are currently investigating the extent of their data exposure.
- Paragon’s Position: Despite marketing itself as an ethical alternative to the NSO Group, Paragon faced increased scrutiny and national security concerns, halting its expansion into the U.S. market.
Impact: This incident underscores the urgent need for stronger regulations on commercial spyware and government surveillance tools.
4. Texas Expands Ban on Chinese AI and Social Media Apps
Governor Greg Abbott has broadened Texas's ban on Chinese-backed AI and social media applications, adding six more platforms (including DeepSeek, Lemon8, and RedNote) to the list prohibited on government-issued devices.
- Rationale: The expansion aims to prevent data harvesting and potential espionage by the Chinese Communist Party, following previous bans on TikTok in 2022 and further restrictions in 2023.
- Context: This move responds to growing concerns over the influence of Chinese technology within the United States, particularly as platforms like RedNote gain traction among U.S. users.
5. Major Data Breaches Expose Over a Million Personal and Medical Records
Three significant data breaches have compromised the personal and medical information of more than one million individuals:
- Asheville Eye Associates, North Carolina: A cyberattack impacted over 193,000 patients, exposing medical treatment details and insurance information. The DragonForce ransomware group claimed responsibility for the breach in December.
- Delta County Memorial Hospital: In May 2024, a breach affected 148,000 individuals, exposing Social Security numbers, medical data, and financial records. The hospital has offered free identity theft protection to victims.
- Globe Life Insurance: Globe Life notified 850,000 individuals of a data theft incident that compromised insurance policy details and personal identifiers. While no business operations were disrupted, Globe Life is collaborating with regulators and providing credit monitoring services to affected customers.
6. Nvidia and ARM Address Critical Security Vulnerabilities
Nvidia:
- Vulnerabilities: Nvidia has released patches for multiple critical vulnerabilities in its GPU display drivers and virtual GPU software across Windows and Linux platforms. These flaws could lead to information disclosure, denial of service, data tampering, or code execution.
- Affected Products: GeForce, Nvidia RTX, Quadro, NVS, and Tesla GPUs are impacted. Users are urged to update immediately via Nvidia’s Driver Downloads page to mitigate risks.
ARM:
- Vulnerabilities: ARM disclosed critical security flaws in its Mali GPU kernel drivers and firmware, affecting the Bifrost, Valhall, and 5th generation GPU architectures. One flaw, reported as actively exploited, allows a local attacker to access already-freed memory (a use-after-free), risking further system compromise. Nine additional vulnerabilities could cause system crashes, privilege escalation, or data leaks.
- Affected Devices: Primarily smartphones and tablets. Users should promptly update drivers and firmware to safeguard their devices.
7. UK Government Sets Global AI Security Standard
The UK government has introduced a new AI code of practice, developed in collaboration with the European Telecommunications Standards Institute, the National Cyber Security Centre, and industry stakeholders. This voluntary code aims to establish a global benchmark for securing AI through 13 principles covering secure AI design, deployment, and maintenance.
- Key Principles: These include threat modeling, secure infrastructure, software and supply chain security, and regular updates. The code applies to AI vendors and to organizations using AI, but not to vendors that sell AI models without deploying them.
- Ambition: The UK seeks to lead globally in AI safety, enhancing AI resilience and protecting digital ecosystems from security threats. This initiative follows previous efforts to criminalize deepfake creation and aims to fortify AI security while promoting innovation.
Notable Quote:
"[00:29] UK government aims to set the global standard for securing AI through the European Telecommunications Standards Institute... The code outlines 13 principles covering secure AI design, deployment and maintenance."
8. Interview with Tim Starks: Senate Confirmation Hearings and USAID Cryptojacking
Senate Confirmation Hearings: Tim Starks discusses the Senate confirmation hearings for Kash Patel, the nominee for FBI Director. Despite minimal questioning on cybersecurity, the hearings revealed significant concerns from lawmakers about Patel’s views on digital surveillance laws.
- Section 702 Debate: Patel opposed adding a warrant requirement to Section 702, a law allowing warrantless collection of communications targeting foreign individuals. He viewed the addition as detrimental to investigations. This stance placed him on the hawkish side of the debate, emphasizing national security over privacy concerns.
Notable Quote:
"[14:50] Tim Starks: ...the most significant policy thing they discussed that was cyber related was his view on section 702... Patel's view was that's not something that's good that would actually harm investigation."
USAID Cryptojacking Incident: Starks elaborates on a rare cyberattack in which USAID fell victim to cryptojacking, costing the agency half a million dollars. The attack involved unauthorized cryptocurrency mining on agency resources, diverting significant computing capacity and budget.
- Financial Impact: The half-million-dollar loss is equivalent to the cost of essential services, such as notifying children of tuberculosis, underscoring the tangible repercussions of the breach.
- Attack Motivation: The rationale behind targeting a federal agency like USAID remains unclear. It may have been opportunistic rather than a strategic attack, as cryptojacking typically targets the private sector for higher financial rewards.
- Agency Response: USAID implemented additional defenses, including multi-factor authentication, to prevent future incidents. However, detailed responses from USAID or CISA were not provided, leaving questions about the extent of the agency's mitigation efforts.
Notable Quote:
"[18:12] Tim Starks: ...cryptojacking is a real threat, but it's a lower level threat than say, ransomware... it could have been worse because these cryptojackers, cryptojacking is a real threat, but it's a lower level threat than say, ransomware."
9. National Cryptologic Museum Diversity Incident
Larry Pfeiffer, former CIA Chief of Staff and current Director of the Hayden Center, highlighted a troubling action at the National Cryptologic Museum at NSA in response to President Trump’s anti-diversity directive. Images of notable figures from the Women in American Cryptology Hall of Honor and the People of Color in Cryptologic History were obscured with brown paper.
- Implications: This act has ignited discussions about the administration's stance on diversity and its impact on recognizing the contributions of marginalized groups in national security history.
- Museum’s Response: The museum stated a commitment to presenting historically accurate exhibits and corrected the mistake by uncovering the obscured images. However, the incident reflects broader fears and uncertainties among government employees regarding diversity initiatives under the Trump administration.
- Concerns: The decision to obscure these images, whether deliberate or merely cautious, signifies potential self-censorship and the erasure of important historical contributions due to political pressures. It signals how ideology-driven policies can hinder truthful storytelling in public institutions.
Notable Quote:
"[24:50] Dave Bittner: ...Larry Pfeiffer... highlighted a concerning action taken in response to President Trump's anti diversity directive... the decision to obscure the images... reflects the deep fear and uncertainty gripping government employees under the Trump administration's crackdown on diversity initiatives."
Conclusion
This episode of CyberWire Daily sheds light on the intricate power struggles within federal agencies, the evolving landscape of cyber threats posed by sophisticated groups like XeGroup, and significant security breaches affecting both public and private sectors. Additionally, it highlights proactive measures by governments to secure AI technologies and the ongoing debates surrounding digital surveillance laws. The discussions underscore the critical importance of robust cybersecurity measures and the implications of political influences on national security and diversity initiatives.
Notable Quotes Overview:
- Tim Starks on Federal Agencies:
  "[14:50] Tim Starks: ...his influence extends to the Office of Personnel Management..."
- Tim Starks on Kash Patel’s Views:
  "[14:50] Tim Starks: ...Section 702... Patel's view was that's not something that's good that would actually harm investigation."
- Tim Starks on Cryptojacking:
  "[18:12] Tim Starks: ...cryptojacking is a real threat, but it's a lower level threat than say, ransomware."
- Dave Bittner on Museum Incident:
  "[24:50] Dave Bittner: ...Larry Pfeiffer... highlighted a concerning action... reflects the deep fear and uncertainty..."
For those keen on staying ahead in the rapidly evolving world of cybersecurity, this episode offers critical insights and thorough analysis of current events shaping the industry.
