CyberWire Daily: Episode Summary – "The Masterminds Behind a $1.5 Billion Heist"

Release Date: February 27, 2025
Host: Maria Varmazes
Produced by: N2K Networks

Introduction

In this episode of CyberWire Daily, host Maria Varmazes delivers a comprehensive briefing on the latest developments in cybersecurity. The episode delves into significant cyber incidents, including a monumental $1.5 billion heist, and features an in-depth interview with Adam Murray, the Chief Information Security Officer (CISO) at Arctic Wolf and a former FBI Special Agent. Murray discusses the complexities of banning TikTok and the urgent need for enhanced regulations for social media companies. This summary encapsulates the key points, discussions, insights, and conclusions presented throughout the episode.

1. The Bybit $1.5 Billion Heist

Timestamp: [01:32]

The U.S. Federal Bureau of Investigation (FBI) has officially attributed the recent $1.5 billion Ethereum theft from the Bybit cryptocurrency exchange to North Korean hackers operating under the activity cluster known as Traitor Traitor, linked to Pyongyang's notorious Lazarus Group.

• Details of the Attack:

  • The FBI released a list of 51 Ethereum addresses associated with the stolen assets.
  • They urged various private sector entities—including RPC node operators, exchanges, DeFi services, and blockchain firms—to block transactions linked to these addresses.
  • The stolen funds are being laundered through these identified Trader Trader actors.

• Investigation Findings:

  • Bybit CEO Ben Joe revealed insights from two investigations:

    • Signia's Investigation: Identified malicious code originating from Safe Wallet's infrastructure as the root cause.
    • Vericain's Research: Determined that the attack involved injecting malicious JavaScript into App Safe Global, which compromised Bybit's signers. The payload was engineered to activate under specific conditions, evading detection by regular users.

  • Conclusion: The likely compromise of AWS S3 or Cloudfront account API keys from Safe Global facilitated the largest heist in history, surpassing previous records such as Saddam Hussein's $1 billion theft from Iraq's Central Bank in 2003.

Notable Quote:

"The hack currently stands as the largest heist of any kind in history, surpassing Saddam Hussein's theft of $1 billion from the Central Bank of Iraq in 2003."
— Dave Buettner [01:45]

2. Cellebrite Suspends Services in Serbia

Timestamp: [05:10]

Cellebrite, an Israeli firm specializing in cell phone data extraction, has ceased operations with the Serbian government amid allegations of misuse of their tools.

• Allegations:

  • Amnesty International's Report (December 2024): Claims Serbian police employed Cellebrite’s software alongside Android-focused spyware to hack journalists' and activists' phones during detentions or interviews.

• Cellebrite's Response:

  • The company emphasized their commitment to ethical use, stating, "We take seriously all allegations of a customer's potential misuse of our technology..." and proceeded to terminate services with the implicated Serbian authorities.

3. Belgian Spy Agency Hacked

Timestamp: [07:25]

Belgium has launched a judicial investigation into a sophisticated cyber espionage operation targeting its State Security Service (VSSE) from 2021 to 2023.

• Attack Details:

  • Chinese state-sponsored hackers exploited a vulnerability in Barracuda Networks' email security product.
  • Deployed malware strains, including Saltwater, CSPY, and Seaside, to establish backdoors while keeping internal communications secure.

• Impact:

  • Approximately 10% of VSSE's email traffic was compromised.
  • Personal data of nearly half of the VSSE staff and past applicants may have been exposed.

• Belgian Official Statement:

  • Officials declined to provide specifics, citing the ongoing investigation.

4. Surge in China's Cyber Espionage Activities

Timestamp: [09:30]

According to CrowdStrike, China intensified its cyber espionage efforts in 2024, marking a 150% increase in nation-state-backed intrusions compared to the previous year.

• Targeted Sectors:

  • Financial services
  • Media
  • Manufacturing
  • Industrials and engineering

• New Threat Groups:

  • Liminal Panda
  • Locksmith Panda
  • Operator Panda (Salt Typhoon)

  These groups exhibit specialized skills targeting telecommunications, logistics, and critical infrastructure.

• Advanced Tactics:

  • Utilization of Operational Relay Box (ORB) networks—botnets of compromised edge devices—for activity obfuscation and persistent access.

Notable Quote:

"These groups have adopted advanced tactics including the use of operational Relay Box or ORB networks, which are botnets of compromised edge devices, in order to obfuscate their activities and maintain persistent access."
— Dave Buettner [09:45]

5. Resurgence of the Sticky Werewolf APT Group

Timestamp: [10:50]

Kaspersky's Secure List reported the comeback of the Angry Lyco Advanced Persistent Threat Group, also known as Sticky Werewolf, in early 2025.

• Target Regions:

  • Russia
  • Belarus

• Attack Methods:

  • Highly targeted spear-phishing emails containing malicious RAR archives with harmful shortcut files.
  • Deployment of the lumastealer malware to exfiltrate sensitive information, including system details, login credentials, banking information, and cryptocurrency wallet contents.

6. US Review of UK’s iCloud Backdoor Request

Timestamp: [11:55]

Tulsi Gabbard, the U.S. Director of National Intelligence, has initiated a legal review concerning the UK government's secret demand for Apple to create a backdoor to access users’ iCloud data.

• Apple’s Stance:

  • Apple decided to discontinue its Advanced Data Protection (ADP) feature in the UK rather than comply with the backdoor request.

• Gabbard's Concerns:

  • Privacy and Civil Liberties: She emphasized the grave implications of such demands, stating, "This would be a clear and egregious violation of Americans' privacy and civil liberties."
  • Legal Limitations: The Bilateral Cloud Act Agreement restricts the UK from issuing data demands for U.S. citizens or those within the United States, and vice versa.

Notable Quote:

"This would be a clear and egregious violation of Americans' privacy and civil liberties and open up a serious vulnerability for cyber exploitation by adversarial actors."
— Tulsi Gabbard [16:00]

7. DOGE's Access to HUD’s Sensitive Data

Timestamp: [12:45]

The Department of Government Efficiency (DOGE), led by Elon Musk, has secured access to the Department of Housing and Urban Development's (HUD) Enforcement Management System.

• Data Accessed:

  • Confidential records, including medical histories, financial documents, Social Security numbers, and addresses of individuals alleging housing discrimination.

• Privacy Concerns:

  • Unlike other agencies resisting DOGE's data access attempts, HUD granted them access, sparking significant privacy debates.

• DOGE’s Mission and Challenges:

  • Aims to modernize government technology and reduce improper spending.
  • Faces opposition, including legal challenges and resignations over potential privacy violations.

8. Cleveland Municipal Court Cyber Incident

Timestamp: [13:45]

The Cleveland Municipal Court has been closed for the fourth consecutive day due to a cyber incident, suspected to be a ransomware attack.

• Court’s Response:

  • All affected systems and software platforms have been shut down as a precaution.
  • The Ohio National Guard and Ohio Cyber Reserve are assisting in the response and recovery efforts.

• Expert Insight:

  • While the court has not disclosed specifics, experts indicate ransomware is the likely culprit.

9. Interview with Adam Murray on Banning TikTok and Social Media Regulation

Timestamp: [15:22 – 24:28]

In this segment, Adam Murray, CISO at Arctic Wolf and former FBI Special Agent, engages in a critical discussion with host Dave Buettner about the complexities surrounding the potential ban of TikTok and the broader need for regulating social media companies.

Key Discussion Points:

• False Dichotomy of Free Speech vs. National Security:

  • Adam Murray argues that framing the TikTok ban as a choice between free speech and national security is misleading. Instead, he highlights the underlying issue: the lack of comprehensive regulation for technology and social media companies.

• Inadequacy of Bans:

  • Banning TikTok is likened to using a "sledgehammer" when a "scalpel" is needed.
  • Adam Murray emphasizes that individual app bans merely push users to alternative platforms, often owned by similar foreign entities, without addressing the systemic vulnerabilities.

Notable Quotes:

"There is a complete lack of regulation on technology companies and social media in particular, which leaves us with few options to address real concerns like the national security implications of TikTok."
— Adam Murray [15:31]

"We really need a comprehensive framework, data privacy laws, content transparency, algorithmic accountability, and restriction on foreign ownership for this critical digital infrastructure."
— Adam Murray [21:36]

Proposed Solutions by Adam Murray:

1. Comprehensive Regulatory Framework:

   • Implementing data privacy laws.
   • Ensuring content transparency.
   • Enforcing algorithmic accountability.

2. Restriction on Foreign Ownership:

   • Limiting foreign entities' control over critical digital infrastructure to mitigate national security risks.

3. Revamping Section 230:

   • Revising legislation to hold social media companies accountable for the content their algorithms promote, ensuring responsibility beyond individual posts.

4. Algorithmic Transparency:

   • Mandating transparency in how algorithms function and deliver content to users, preventing manipulation by foreign adversaries.

Conclusion of the Interview: Adam Murray underscores the necessity for elected officials to develop and implement robust regulatory measures. Without these, responses like banning TikTok will remain temporary and ineffective solutions to deep-rooted security challenges.

10. Case Study: US Army Soldier Cameron Wagenius

Timestamp: [25:23]

The episode concludes with a report on Cameron Wagenius, a U.S. Army soldier implicated in leaking confidential phone records and attempting to extort AT&T for $500,000.

• Criminal Activities:

  • Part of a hacker group responsible for stealing data from Snowflake, a cloud storage service.
  • Accessed records from major companies, including AT&T, Ticketmaster, and LendingTree.

• Impact:

  • AT&T experienced data breaches affecting 110 million customers, resulting in a $370,000 payment to hackers to prevent further leaks.

• Legal Proceedings:

  • Operating under the alias Kyber Phantom, Wagenius pleaded guilty to data leaks.
  • Evidence indicates attempts to defect to non-extradition countries and soliciting legal defense via Google searches.
  • Authorities discovered attempts to sell stolen information to a foreign military intelligence service and possession of over 17,000 stolen identity documents.

• Current Status:

  • Prosecutors label him a flight risk and seek to keep him in custody awaiting sentencing, which could result in up to 20 years in prison.

Notable Quote:

"He had searched for ways to defect to non extradition countries and even asked Google, 'can hacking be treason?'"
— Dave Buettner [25:23]

Conclusion

This episode of CyberWire Daily offers a deep dive into some of the most pressing cybersecurity issues of early 2025. From unprecedented financial heists orchestrated by state-sponsored actors to the intricate debates surrounding social media regulation, the episode underscores the evolving landscape of cyber threats and the imperative for robust, comprehensive defenses and policies. The interview with Adam Murray provides valuable perspectives on the intersection of technology, security, and legislation, highlighting the critical need for strategic regulatory frameworks to safeguard national security and individual privacy in an increasingly digital world.

For further insights and detailed discussions, listeners are encouraged to visit CyberWire's daily briefing and follow their email newsletter.