DIRECTOR'S NOTE
McCrary Institute for Cyber & Critical Infrastructure Security
Working to protect and advance U.S. interests in the areas of cyber and critical infrastructure security.
Dear readers,
I hope everyone had a joyful and restful holiday season. We move into a busy 2025 facing a slate of mounting challenges across the cybersecurity and critical infrastructure security landscape.
Unfortunately, we also started the new year with some somber news: Amit Yoran passed away Jan. 3 as he battled cancer. From being the founding director of US-CERT to leading Tenable, Amit had an outsized impact on the cybersecurity community. His legacy as one of the founding fathers of the cybersecurity industry will be lasting. Amit was a cherished friend and colleague to many of us, and he will be dearly missed.
A new year and a new Congress means fresh budget wrangling, and the Congressional Budget Office ended 2024 with a timely review of how the adoption of artificial intelligence could affect the U.S. economy and the federal budget. “By increasing efficiency, enabling the development of new products, and altering the demand for workers, AI has the potential to change the economy, perhaps in ways that are difficult to predict,” CBO said. “Whether or when those changes might occur is very uncertain.” Other changes brought by AI mean that companies must budget for better cyber defense soon. Sam Sabin reports at Axios on a new assessment that the world has about two years to prepare for AI-powered cyber weapons capable of evading current security tools.
Changes are also being weighed to counter threats to communications infrastructure such as those posed by China’s Salt Typhoon. David DiMolfetta at Nextgov/FCW reports that GAO is considering conducting a study to assess the rip-and-replace cost of tackling at-risk or compromised telecommunications equipment owned by small communications providers across the country. GAO staff are reportedly anticipating that Congress will formally request that such a review begin soon.
The greater threat from Chinese hackers and their evolution into “military weapons” was the subject of an eye-opening piece by Dustin Volz, Aruna Viswanatha, Sarah Krouse and Drew FitzGerald at The Wall Street Journal on how massive “Typhoon” cyberattacks on U.S. infrastructure and telecoms have included data-gathering and positioning to impede response and sow chaos in a potential conflict with Beijing. Other cyber targets of China are seeing escalation in the gray zone as well. Yimou Lee at Reuters reported that cyberattacks on Taiwan government departments, attributed mostly to Chinese cyber forces, doubled in 2024 from the previous year to an average of 2.4 million attacks a day.
This week delivered a strong reminder of the threat to another infrastructure sector. PowerSchool, the country’s largest provider of cloud-based education software for K-12, supporting more than 50 million U.S. students, said that hackers using a compromised credential breached its customer support portal and gained access to the company’s student information system, Carly Page reports at TechCrunch. Alabama was among the states expressing concern about the security of student and teacher data, Trisha Powell Crain reports at Alabama Daily News. “This was an international incident where PowerSchool was hit off-site, and so there’s nothing that our districts or the state department could have done differently,” Alabama State Superintendent of Education Eric Mackey said.
In an effort to steer consumers toward IoT products that are more resilient to hacking because they incorporate secure design, the new U.S. Cyber Trust Mark label, which certifies a successful cybersecurity audit, is being rolled out this year. Kevin Collier reports at NBC News that the voluntary program aims to incentivize companies to offer more cyber-secure products.
And this is a Studies in Intelligence must-read from Ronald Burgess, chairman of the McCrary advisory board, on standing up the Office of the Director of National Intelligence.
This week by the numbers:
A new year means lots of prognostication, from the potential for the “largest cyber attack in history” to the ultimate fate of CMMC 2.0 and whether a new cyber force is on the horizon. What we do know is that it’s always the right time to prepare, and that preparation is enhanced by knowledge – whether that’s issues to watch in the energy sector or trending malware threats. And we know where we’ve been, coming off a year that included the telecom attacks, a rise in infostealers and more. So let’s start 2025 by committing to greater resilience against current – and future, whatever they may be – threats.
War Eagle,
Frank Cilluffo
TODAY'S TOP 5
TIKTOK’S BIG SCOTUS DAY: TikTok’s day of reckoning in the U.S. has arrived. Today the United States Supreme Court will hear the company’s appeal against its slated nationwide ban, which could come into force in a little more than a week if the company’s efforts fail. If the law banning the social video app this month is upheld, it won’t disappear from your phone — but it will get messy fast, WIRED reports. The app, which is owned by Chinese firm ByteDance and is used by around 170 million Americans, has been appealing the ban since President Joe Biden signed the law underpinning it last year.
HURDLES FOR THE EO: An executive order set to be published by the Biden administration in its waning days could offer the next White House a blueprint to counter Chinese cyberattacks but experts fear its timing — so close to the transition of power — could make it practically dead on arrival, GovInfoSecurity reports. "We all have our thoughts on what the Trump administration should do with regard to national cybersecurity," said a former official involved in the drafting of the order. "But what they're planning for the next four years is really anyone's guess."
NITIN NATARAJAN ON THREATS TO WATCH: From application security to zero trust, it's been a busy four years for the current leaders of the Cybersecurity and Infrastructure Security Agency. Deputy Director Nitin Natarajan shared with GovInfoSecurity the agency's accomplishments and the threats that await the next administration's cyber leaders. Natarajan cited the agency's focus on collaborating with the public and private sectors as a major strength in the nation's cyber defense. "There is not a federal solution to what we're trying to do here as we build resilience to cyber and physical risk," Natarajan said. "It's a national and international solution that is predicated on our partnerships with our state and local, tribal, and territorial governments, with the private sector, industry, academia and others."
RUSSIA WANTS AN AI BOOST: Russia's efforts to obtain China's help in enhancing artificial intelligence are seen as a bid to challenge America's lead in the field even as the outgoing Biden administration is expected to impose new export control measures to further curb Beijing's access to AI chips, VOA reports. As the new year began, Russian President Vladimir Putin ordered the country's state-owned Sberbank to work with China in researching and developing AI technology, according to the Kremlin.
ZERO-DAY LINKED TO CHINESE HACKERS: Mandiant connected the recent zero-day attack against Ivanti Connect Secure VPN appliances to UNC5337, the same China-nexus threat actor that was tied to the exploitation of two Ivanti zero-day flaws one year ago, TechTarget reports. Ivanti disclosed the flaw on Wednesday and warned users that it was being exploited in the wild. Patches are available, and users are urged to apply them promptly, as Ivanti products have proved to be a popular target for attackers.
CYBER FOCUS PODCAST
In the latest episode of Cyber Focus, host Frank Cilluffo speaks with Manny Cancel, senior vice president at NERC and CEO of the Electricity Information Sharing and Analysis Center (E-ISAC). The conversation explores the evolving threat landscape impacting grid security, including challenges posed by ransomware, physical attacks and AI-driven cyber risks. Cancel highlights the importance of public-private collaboration, resilience engineering and supply chain security to mitigate nation-state and extremist threats. He also discusses the ISAC's role in information sharing, mutual aid programs and exercises such as GridEx to strengthen critical infrastructure defenses. Cancel shares insights on emerging technologies, operational technology (OT) convergence and preparing the next generation of cybersecurity leaders.
SUBSCRIBE TO CYBER FOCUS: YouTube | Spotify | Apple Podcasts
CYBER AND CI UPDATES
ATTACKS AND INCIDENTS
Education
School district claims software company paid ransom after cybersecurity breach
In a statement, PowerSchool writes in part: "We have taken all appropriate steps to prevent the data involved from further unauthorized access or misuse. The incident is contained and we do not anticipate the data being shared or made public. PowerSchool is not experiencing, nor expects to experience, any operational disruption and continues to provide services as normal to our customers." (NBC26.COM)
MORE: PowerSchool says hackers stole students’ sensitive data, including Social Security numbers, in data breach (TECHCRUNCH.COM)
Ransomware attacks on education declined in 2024, report shows
Ransomware attacks on the education sector, one of the 16 critical infrastructure sectors in the United States, decreased last year, according to a report published Thursday by the software review company Comparitech. The report found that educational institutions, such as schools and universities, suffered 116 confirmed ransomware attacks in 2024, down from 188 attacks in 2023. The report estimates those ransomware attacks impacted 1.8 million records, with cybercriminals demanding an average of $847,000 in ransom payments. (STATESCOOP.COM)
Healthcare
Largest U.S. addiction treatment provider notifies patients of data breach
BayMark Health Services, North America's largest provider of substance use disorder (SUD) treatment and recovery services, is notifying an undisclosed number of patients that attackers stole their personal and health information in a September 2024 breach. The Texas-based organization provides medication-assisted treatment (MAT) services targeting both substance use and mental health disorders to more than 75,000 patients daily in over 400 service sites across 35 U.S. states and three Canadian provinces. (BLEEPINGCOMPUTER.COM)
Excelsior Orthopaedics data breach impacts 357,000 people
In June 2024, Excelsior fell victim to a “data security incident” that was initially believed to have resulted in the information of current and former employees being compromised. Following an initial wave of written notification letters to the potentially affected individuals sent in early August, the company sent a second wave of letters on December 31, after learning that the scope of the data breach was wider and that patient information was also compromised. (SECURITYWEEK.COM)
Florida firm fined $337K by feds for data deleted in hack
In addition to paying the financial penalty, USR Holdings, a business associate to behavioral health centers including its own subsidiaries, also agreed to implement a corrective action plan as part of its resolution agreement with the U.S. Department of Health and Human Services released Wednesday. (HEALTHCAREINFOSECURITY.COM)
Recovery
Michigan county’s residents face financial turmoil as cyber attack cripples deeds office
It's been more than two months since Wexford County experienced a cyber attack. Most departments have found workarounds to move forward, but the Register of Deeds Office is still offline. Residents are concerned that once the Register of Deeds is back up and running the office will be significantly behind on title searches. (UPNORTHLIVE.COM)
THREATS
Data
Candy Crush, Tinder, MyFitnessPal: See the thousands of apps hijacked to spy on your location
Some of the world’s most popular apps are likely being co-opted by rogue members of the advertising industry to harvest sensitive location data on a massive scale, with that data ending up with a location data company whose subsidiary has previously sold global location data to U.S. law enforcement. (WIRED.COM)
Phishing
Fake CrowdStrike job offer emails target devs with crypto miners
CrowdStrike is warning that a phishing campaign is impersonating the cybersecurity company in fake job offer emails to trick targets into infecting themselves with a Monero cryptocurrency miner (XMRig). The company discovered the malicious campaign on January 7, and based on the phishing email's content it likely didn't start much earlier. (BLEEPINGCOMPUTER.COM)
Vulnerabilities
New Banshee Stealer variant bypasses antivirus with Apple's XProtect-inspired encryption
The new variant is notable for removing a Russian language check used to prevent infections of Macs that had set Russian as the default system language. Dropping the feature alludes to the possibility that the threat actors are looking to cast a wider net of potential targets. Another crucial update is the use of a string encryption algorithm from Apple's XProtect antivirus engine to obfuscate the plaintext strings used in the original version of Banshee Stealer. (THEHACKERNEWS.COM)
Critical GFI KerioControl flaw allows remote code execution via CRLF injection
Threat actors are attempting to take advantage of a recently disclosed security flaw impacting GFI KerioControl firewalls that, if successfully exploited, could allow malicious actors to achieve remote code execution (RCE). The vulnerability in question, CVE-2024-52875, is a carriage return line feed (CRLF) injection flaw that enables HTTP response splitting, which in turn can lead to cross-site scripting (XSS). (THEHACKERNEWS.COM)
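The chain described in that item (CRLF injection, then HTTP response splitting, then script in a response the attacker controls) is easy to see in miniature. The block below is an added example, not GFI's or KerioControl's code: it assumes a hypothetical redirect handler that copies a user-supplied parameter into a Location header, constructs an attack value containing raw CR/LF, parses the resulting byte stream the way a lenient client or proxy would, and shows the single check that closes the bug. In a real request the CR/LF pair arrives URL-encoded (%0d%0a) and is decoded by the server before it reaches the header builder.

```python
"""Added example (not GFI/KerioControl code): CRLF injection in a reflected
HTTP header, the response split it produces, and the check that stops it.
The handler, the attack string and the 'client' parser are all constructed
here for illustration."""
import re
from typing import Dict, List, Tuple

CRLF = "\r\n"
Response = Tuple[str, Dict[str, str], str]  # (status line, headers, body)


class HeaderInjection(ValueError):
    """Raised by the hardened builder when a header value carries CR/LF/NUL."""


def _assemble(redirect_to: str) -> str:
    """Serialize a 302 whose Location header is taken from the caller."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + redirect_to + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    )


def build_response_vulnerable(redirect_to: str) -> str:
    """Naive handler: user input goes into a header unfiltered, so an
    embedded CRLF terminates the header line and anything after it is
    parsed as further headers, a blank line, and a whole second response."""
    return _assemble(redirect_to)


_CTL = re.compile(r"[\r\n\x00]")


def build_response_hardened(redirect_to: str) -> str:
    """Reject (rather than strip) any header value containing CR, LF or NUL.
    Rejecting is the safer choice: the input is malicious or malformed, and
    stripping can be bypassed by an encoding the stripper does not see."""
    if _CTL.search(redirect_to):
        raise HeaderInjection("control character in header value")
    return _assemble(redirect_to)


def parse_stream(raw: str) -> List[Response]:
    """Walk the stream as a lenient client would: status line, headers up to
    the first blank line, then Content-Length bytes of body (0 if absent),
    repeated while the next bytes look like a status line. A split response
    therefore shows up as a second element of the returned list."""
    responses: List[Response] = []
    pos = 0
    while raw.startswith("HTTP/", pos):
        head_end = raw.find(CRLF + CRLF, pos)
        if head_end < 0:
            break
        head_lines = raw[pos:head_end].split(CRLF)
        status, headers = head_lines[0], {}
        for line in head_lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + len(CRLF + CRLF)
        length = int(headers.get("content-length", "0"))
        body = raw[body_start:body_start + length]
        responses.append((status, headers, body))
        pos = body_start + length
        while raw.startswith(CRLF, pos):  # stray CRLFs between responses
            pos += len(CRLF)
    return responses


# Constructed attack value: closes the Location header, ends the header
# block, and supplies a complete attacker-authored 200 response whose body
# is script. The Content-Length (25) matches the injected body exactly.
ATTACK = (
    "https://example.test/" + CRLF + CRLF
    + "HTTP/1.1 200 OK" + CRLF
    + "Content-Type: text/html" + CRLF
    + "Content-Length: 25" + CRLF + CRLF
    + "<script>alert(1)</script>"
)


if __name__ == "__main__":
    for r in parse_stream(build_response_vulnerable(ATTACK)):
        print(r[0], r[1], repr(r[2]))
    try:
        build_response_hardened(ATTACK)
    except HeaderInjection as exc:
        print("hardened builder refused:", exc)
```

Most mainstream web frameworks and HTTP client libraries already refuse CR/LF in header values; the bug class survives mainly in hand-rolled request handlers such as the web UI of a network appliance, which is why a single regex check at the point where untrusted input meets a header is still worth writing explicitly.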
PoC exploit code released for macOS TCC bypass vulnerability
This vulnerability allows attackers to bypass the Transparency, Consent, and Control (TCC) protection mechanism, potentially granting unauthorized access to sensitive user data. The vulnerability, which affects versions of macOS prior to Sonoma 14.0, exists in an XPC service that possesses powerful TCC entitlements, including “com.apple.private.tcc.manager” and “com.apple.private.tcc.allow”. (CYBERSECURITYNEWS.COM)
Facebook awards researcher $100,000 for finding bug that granted internal access
In October 2024, security researcher Ben Sadeghipour was analyzing Facebook’s ad platform when he found a security vulnerability that allowed him to run commands on the internal Facebook server housing that platform, essentially giving him control of the server. After he reported the vulnerability to Facebook’s owner Meta, which Sadeghipour said took just one hour to fix it, the social networking giant awarded him $100,000 in a bug bounty payout. (TECHCRUNCH.COM)
ADVERSARIES
North Korea
Researchers reveal exploitation techniques of North Korean Kimsuky APT Group
Kimsuky, a North Korean APT active since 2012, has conducted cyber espionage targeting South Korea, the US, Japan, Russia and Europe, employing spearphishing, watering hole attacks and zero-day exploits to compromise government, education and business entities and exfiltrate sensitive data for intelligence gathering. For initial system access and keylogging, Kimsuky makes use of open-source tools such as xRAT, deployed in multiple stages. (GBHACKERS.COM)
Russia
Ukrainian hackers managed to nearly destroy Russian internet provider
A regional Russian internet provider named Nodex was infiltrated and almost completely destroyed in an attack by a Ukrainian hacking group. Nodex confirmed the attack in a statement on Russian social network VK, saying its network had been “destroyed” and that it was working to restore infrastructure from offline backups. (GIZMODO.COM)
Hackers claim to breach Russian state agency managing property, land records
The group, which calls itself Silent Crow, created a Telegram channel in December to announce the breach, and Rosreestr is the only incident it has posted about. As evidence of the hack, the group publicly released a portion of a database containing names, dates of birth, addresses, phone numbers, email addresses and individual insurance account numbers of Russian citizens. (THERECORD.MEDIA)
GOVERNMENT AND INDUSTRY
Artificial intelligence
VA accounts for majority of all agencies’ safety- and rights-impacting AI
In total, 37 agencies reported a combined 1,757 AI use cases in 2024, according to OMB’s consolidated inventory. Of those, 227 were identified as safety- or rights-impacting, with VA accounting for 145 of them, roughly 64%. By comparison, the agency with the second-most use cases identified as safety- or rights-impacting in 2024 was the Department of Homeland Security, which reported 34 such instances out of its total of 183 documented AI capabilities. (NEXTGOV.COM)
It’s remarkably easy to inject new medical misinformation into LLMs
A new study by researchers at New York University examines how much medical misinformation can be included in a large language model (LLM) training set before it spits out inaccurate answers. While the study doesn't identify a lower bound, it does show that by the time misinformation accounts for 0.001 percent of the training data, the resulting LLM is compromised. (ARSTECHNICA.COM)
With executive order, Mississippi sets path to AI innovation
The order mandates the Mississippi Department of Information Technology Services (ITS) review all AI technologies now used in the state and create a comprehensive inventory. This involves assessing existing processes, procurement practices, and current AI applications. The order also directs ITS to collaborate with public and private stakeholders to craft policy recommendations that ensure AI is utilized ethically, securely and effectively within Mississippi. (GOVTECH.COM)
Data
India readies overhauled national data privacy rules
Organizations have not yet been forced to adjust their data handling practices, as the Digital Personal Data Protection (DPDP) Act was waiting on a set of clearly defined rules of implementation. On Jan. 3, India's Ministry of Electronics and Information Technology (MeitY) released those draft rules, designed to operationalize DPDP. In 22 provisions and seven schedules, the DPDP Rules provide businesses with a framework for complying with the act once the government begins to enforce it. (DARKREADING.COM)
Quantum
Novel ‘quantum refrigerator’ is great at erasing quantum computer’s chalkboard
The research effort, a NIST collaboration with physicists at Sweden’s Chalmers University of Technology, could address one of the main issues confronting quantum computer designers: the need to keep the bits in a superconducting quantum processor free of errors and ready to perform calculations whenever necessary. These “qubits” are notoriously sensitive to heat and radiation, which can spoil their calculations just as stray chalk marks might make the numeral 1 look like a 7. (NIST.GOV)
Regulations
EU Commission liable for breaching EU’s own data protection rules
In a civil litigation action brought by an EU citizen living in Germany, the General Court of the EU found that the Commission infringed the individual’s right to the protection of their personal data by transferring their details to recipients in the U.S. At the time of the data transfer it could not be ensured that the U.S. had an adequate level of protection for the personal data of EU citizens. (INFOSECURITY-MAGAZINE.COM)
Workforce
New tech skills projects aim to boost UK cyber defenses
Projects across England and Northern Ireland will be given a share of almost £2 million in private and government funding, which will ‘make sure the country has the cyber workforce it needs’ in order to counter the rising threat of cyberattacks by providing training to upskill workers in small businesses. (TECHRADAR.COM)
ALSO: Questions raised over UK government’s latest cyber funding scheme (ITPRO.COM)
LEGISLATIVE UPDATES
Lawmakers to seek GAO review of TSA’s biometrics, facial recognition use
House Homeland Security Committee Chairman Mark Green (R-Tenn.) and Rep. Carlos Gimenez (R-Fl.), chairman of the homeland security committee’s transportation and maritime security subcommittee, are drafting a letter to GAO on the topic. Federal News Network obtained a draft copy of the letter. It comes as TSA has been steadily expanding its use of facial recognition at airport screening checkpoints in recent years. (FEDERALNEWSNETWORK.COM)
On Jan. 14, Senate committees are scheduled to hold confirmation hearings for Doug Collins to be secretary of Veterans Affairs, Pete Hegseth to be secretary of Defense and Doug Burgum to be secretary of Interior.
On Jan. 15, Senate committees are scheduled to hold confirmation hearings for Kristi Noem to be secretary of Homeland Security, Marco Rubio to be secretary of State, John Ratcliffe to be CIA director, Sean Duffy to be secretary of Transportation, Chris Wright to be secretary of Energy and Russ Vought to be OMB director.
On Jan. 16, Senate lawmakers are expected to hold a hearing to consider the expected nomination of Eric Scott Turner to be secretary of Housing and Urban Development.
On Jan. 15 and Jan. 16, the Senate Judiciary Committee is expected to hold hearings to consider the expected nomination of Pam Bondi to be attorney general.
EVENTS
AI AND CHINA: On Jan. 10, the John L. Thornton China Center at Brookings and the Center for International Security and Strategy at Tsinghua University will host a panel of U.S. and Chinese experts to analyze how AI will influence national security issues facing both countries.
ENERGY OUTLOOK: Daniel Yergin, vice chairman of S&P Global and a Pulitzer Prize-winning author, discusses the forces behind the evolving energy landscape and what they mean for the world energy outlook on Jan. 13 at the Atlantic Council.
CISA: FDD’s Center on Cyber and Technology Innovation hosts a fireside chat with CISA Director Jen Easterly on Jan. 15 about protecting critical infrastructure in the cyber age.
NUCLEAR SECURITY: CSIS’ Project on Nuclear Issues will host a live debate on AI Integration in U.S. Nuclear Command, Control and Communications (NC3) on Jan. 24. As Russia continues its saber-rattling and China accelerates its nuclear buildup, should the United States increase its reliance on artificial intelligence to enhance resilient decision-making in its NC3 systems to prevent inadvertent escalation? The CSIS Project on Nuclear Issues will then host its 2025 Virtual Winter Conference on Feb. 11.
ZERO TRUST SUMMIT: This annual event on Feb. 19 in Washington, D.C., is presented by CyberScoop and will feature federal and industry tech and cybersecurity leaders discussing their firsthand experiences and strategies in laying the foundations for and establishing the major pillars of zero-trust cybersecurity.
SPACE SECURITY: Chatham House’s 2025 Space Security Conference, online and in person on March 5, convenes policymakers and leaders from the private sector, multilateral organizations, academia and NGOs for a day of high-level interactive discussions examining conflict, competition and cooperation in outer space.
FOLLOW THE McCRARY INSTITUTE ON LINKEDIN | X | FACEBOOK
SUBSCRIBE TO THE CYBER FOCUS PODCAST: YOUTUBE | SPOTIFY | APPLE PODCASTS