Romance-baiting losses were up 40% last year, as more and more pig-butchering efforts crop up in the wild.

Source: dpa picture alliance via Alamy Stock Photo

NEWS BRIEF

In what appears to be the more sinister side of romance, the amount of money individuals lost in 2024 to love-baiting scams, known to some as pig butchering, increased 40%.

That's according to ChainAnalysis, which said the scams, in which fraudsters approach their victims on dating apps or sites, groom them, and convince them to give them money or invest in a supposed "business venture," are growing in number, too. The number of people losing money this way increased by 210% year-over-year in 2024, probably because more scams are circulating. The operations are increasingly run out of compounds in Southeast Asia with staffers who are being held against their will.

One piece of good news though: The average loss per person declined 55% year-over-year.

"The combination of lower payment amounts and increased deposits could indicate a change in strategy for pig-butchering scams," said the researchers. "Scammers could be spending less time priming targets, and therefore, receiving smaller payments in exchange for targeting more victims."

Overall, with romance baiting comprising a third of total crypto fraud revenue in 2024, signs — or cupid arrows — point to romance scams becoming even bigger this coming year. Users of dating apps should be wary of connections made online, and should avoid sending money, cryptocurrency, wire transfers, or prepaid gift cards to anyone they don't know personally.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Warning: Tunnel of Love Leads to Scams

CyberArk announces the Zilla deal on the same day leading identity service provider SailPoint returns to the public markets.

Source: Artemis Diana via Alamy Stock Photo

CyberArk has acquired Boston-based startup Zilla as part of its plans to add identity governance and administration (IGA) capabilities to its privilege access management (PAM) platform. The $165 million deal announced Thursday has already closed.

Zella is a small IAG provider that was led by Aveksa founder and CEO Deepak Taneja. CyberArk said it had $5 million in annual recurring revenue last year, 40 employees, and 125 customers. During CyberArk's earnings call with investors, CEO Matt Cohen touted Zilla's "modern" IGA platform.

"In stark contrast to legacy IGA systems, Zilla's modern IGA SaaS \[software-as-a-service\] platform was built from scratch to address today's digital environments characterized by an explosion of staff applications, decentralized management, and identity-based security threats," Cohen said. "Leveraging AI-driven role management, Zilla automates the processes of identity, compliance, and provisioning, making governance easy, intuitive, and all-inclusive for the modern enterprise."

Cohen noted that customers can deploy Zilla five times faster than traditional IGA offerings, resulting in 60% fewer service tickets.

"Legacy IGA are often slow to deploy, difficult to integrate, have limited integration with modern systems, and are reliant on manual processes," Cohen said.

Because CyberArk is integrating Zilla into its platform, Cohen said that in addition to managing entitlements, provisioning, and compliance, the same tool will grant access and provide controls.

"That integrated nature then creates a much more secure footprint across these modern environments," he said.

CyberArk, whose annual revenues topped $1 billion for the first time last year, has aggressively expanded its PAM and identity and access management (IAM) portfolio. Last year, CyberArk acquired nonhuman identity provider Venafi for $1.6 billion.

**Identity and Access Governance Is Vital**

CyberArk's announcement came on the same day that SailPoint returned to the public markets, two years after Thoma Bravo purchased it for $6.9 billion and took it private. Thoma Bravo spun out 60 million shares (roughly 12% of the company, to raise an estimated $1.38 billion in the first major tech IPO of 2025. SailPoint, the largest IGA provider, estimated in its prospectus recurring revenues of $875 million in the fiscal year that ended Jan. 31, a 41% increase over the prior year. Although the company hasn't been profitable, SailPoint reported net loss improved to $235.7 million in the first nine months of 2024, a 23.5% improvement over the previous year.

Just as CyberArk is expanding its IGA offerings, SailPoint has been moving into CyberArk's space with its 2023 acquisition of PAM provider Osirium. In December, SailPoint acquired Imprivata's IGA unit for $10.7 million, plus up to $7.4 million in earnouts.

Alex Bovee, CEO of ConductorOne, another IGA startup that offers an SaaS-based offering to compete with SailPoint and Zilla, says IGA has become an increasingly vital component of cybersecurity posture.

"I think the bull view on this is that every single security company is recognizing that identity and identity governance are critical parts of the stack, and that's why CyberArk made this investment," Bovee said. "CyberArk is traditionally a privileged access management solution, but the future is these converged identity platforms."

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

CyberArk Makes Identity Security Play With Zilla Acquisition

Cybersecurity experts weigh in on the red flags flying around the new Department of Government Efficiency's handling of the mountains of US data it now has access to, potentially without basic information security protections in place.

Source: Backyard Productions via Alamy Stock Photo

Elon Musk and his band of programmers have been granted access to data from US government systems to aid their stated efforts to slash the size of government, leaving cybersecurity experts deeply concerned over how all of this sensitive data is being secured.

So far, Musk and his Department of Government Efficiency (DOGE) have accessed the computer systems of the Department of Treasury, as well as classified data from the US Agency for International Development (USAID) and the Office of Personnel Management (OPM), which holds sensitive data on millions of federal workers — including, notably, security clearances — and has subsequently blocked key government officials from further accessing those personnel systems, according to a bombshell from Reuters.

The DOGE team reportedly also sent only partially redacted names of CIA personnel through a nonclassified email account, according to The New York Times, and Forbes reported that the team is feeding Department of Education data and Department of Energy data into an artificial intelligence model to identify inefficiencies, with an unknown level of information security protections in place. Moving forward, there are more plans to use AI to run the government. Reportedly, DOGE is also creating its own chatbot to run the federal government's General Services Administration, called GSAi.

Related:How Public & Private Sectors Can Better Align Cyber Defense

DOGE has not yet replied to a request for comment from Dark Reading, but this reporter did ask cybersecurity experts for their thoughts on the unraveling of cybersecurity protections around federal government data. The comments below were gathered from cybersecurity law and policy expert Stewart Baker; Evan Dornbush, former NSA cybersecurity expert; and Willy Leichter, chief marketing officer with AppSOC.

**Question 1: Do the activities of DOGE cause you concern regarding the cybersecurity of the data they are accessing?**

Stewart Baker: Of course DOGE's rapid-fire smartest-guy-in-the-room approach to government reform raises security risks, especially if DOGE is coding changes into government systems. The rule for software design is "fast, secure, and cheap — pick any two." Elon Musk has achieved enormous success in business by eliminating procedures and organizations and parts that the experts said were essential.

He's running Twitter/X with one-fifth the employees it had before he took over. He has dramatically simplified rocket design, enabling faster manufacturing and turnaround. So it's no surprise he'd want to challenge and ignore a lot of government rules, including those that protect information security. But the security rules protect against active adversaries. Taking shortcuts that seem sensible to smart guys in a hurry could lead to serious problems down the road, and it may take us a while to realize the damage. 

Related:President Trump to Nominate Former RNC Official as National Cyber Director

Musk's impatience is understandable, though. I'm sure that there are employees using the security rules to slow him down or thwart him entirely. It's important that DOGE take security seriously, but also that its critics be very specific about the security risks they see, rather than using cybersecurity as an all-purpose tool for delay.

Evan Dornbush: It's quite reasonable for people to be concerned, even alarmed, at how DOGE is currently operating. For any organization, the process of securing data is often developed over years, taking in myriad perspectives to ensure confidential data is minimally accessible, and that logging can recreate a picture of accessed data, or data in transit, when required.

Willy Leichter: The actions of DOGE, in just its first couple of weeks, is the largest, deliberate trampling of government security protocols in cyber history. The arrogance, deliberate ignorance, malevolence, and sheer stupidity of this gang of untrained and unaccountable hackers roaming sensitive government networks is staggering. If this type of activity happened in the private sector, with this level of highly sensitive and regulated information, we would be talking about massive fines and personal criminal liability for all the actors involved.

Related:Content Credentials Technology Verifies Image, Video Authenticity

This could not be happening at a more precarious time for government cybersecurity. China and other countries have been ramping up attacks, already targeting many of the same networks, stealing data and planting the tools to cripple our critical infrastructure. Putting this data in inexperienced and reckless hands, while dismantling defense systems, demoralizing our most experienced experts, disbanding public-private advisory groups, and defunding critical cyber initiatives will inevitably have disastrous consequences. The only questions are whether this will cost us billions versus trillions in losses, and whether it will take years versus decades to recover.

**Question 2: What has DOGE done specifically that causes you concern?**

Baker: Sending the names of CIA employees in unclassified channels is very risky, even if the names are only first name, final initial. Given all the other sources of information about individuals, reconstructing full names is something a hostile foreign service would seek to do, so they'll be trying to intercept the list of names. My question is why DOGE thinks that's a risk worth taking? Will the list of names do DOGE any good? I assume the request was tied to possible layoffs at the CIA, but did DOGE really need the names to decide who to lay off? If not, this was an unnecessary risk and irresponsible.

Dornbush: Lack of transparency. Right now, it seems like questions are being asked to DOGE about how it is securing the data it accessed from government sites. It is unclear if anyone from DOGE is even replying. Minimizing risk of unauthorized access requires whole teams of specialists, augmented by purpose-built hardware and software. Even if it is ultimately determined that DOGE does have authorization to access this data, \[if\] it has physically removed the data from these hardened and professionally monitored networks, how is DOGE ensuring the data is responsibly protected from its own compromise or disclosure? How is it able to certify that the data is destroyed once it is no longer required?

Leichter: The DOGE team has disregarded nearly every foundational security principle taught in the first week of a cybersecurity course — assuming they ever took one.

These include forcing entry to restricted and classified systems without proper authorization. Officials doing their sworn duty to prevent this were put on administrative leave. DOGE members were also given excessive access to sensitive systems that went far beyond what was necessary for their advisory roles. Also, DOGE personnel with controversial backgrounds, blatant lack of qualifications, and obvious conflicts of interest went through no legitimate vetting by qualified government agencies.

Displaying a disregard for security protocols, DOGE operatives bypassed standard security measures, accessing systems without authorization and ignoring protocols meant to protect sensitive data, \[and were provided\] unauthorized access to personal data of federal employees and US citizens, which violates multiple privacy laws, even if the data is not leaked.

**Question 3: What do you think needs to happen to secure the data in DOGE custody?**

Baker: DOGE should acknowledge its responsibility to maintain the security of data it handles, and its security procedures should be subject to audit. Judicial rulings that try to protect the data by denying DOGE access should be lifted.

Dornbush: DOGE securing the data is an impossibility. DOGE is newly formed. The data it is looking at sat behind years of accumulated people, products, and policy that specialize only in the security of that data set. Removing the data from these sites evaporates that progress, and ironically, is extremely inefficient and wasteful. If you want to see this data, fine. Work from the office.

Leichter: It's probably impossible to undo this type of damage. The data needs to be destroyed, all inappropriate access revoked, and the highly trained government custodians need to be allowed to return to work and do their jobs. All of this seems highly unlikely, as the administration is deliberately disabling as much of the federal government as possible and replacing highly trained experts with incompetent political hires.

**Question 4: What are you paying attention to most regarding DOGE and its information security strategy?**

Baker:  I'm still waiting to hear what DOGE's infosec strategy and commitments are.

Dornbush: What DOGE is purportedly doing is important and has merit. I'd love to know what the infosec strategy is. Right now, it seems like sharing the security steps they are taking with the public is not a priority.

Leichter: If DOGE has a strategy, it has kept it secret. Any legitimate government agency would have a well-documented strategy, public input, and defined objectives that align with larger goals. The only discernable strategy of DOGE and the administration is to dismantle as much of the government as quickly as possible, purging experience, which they seem to view as a liability.

The only question is how quickly judicial intervention can kick in and whether it will be ignored. The one thing that might influence this administration is widespread public condemnation after the next major security incident, which is probably lurking right around the corner. That’s a terrible security strategy.

Would you like to weigh in on any of the above four questions? If so, please send a note to \[email protected\] to be included in a follow-up story with reader reactions.

Roundtable: Is DOGE Flouting Cybersecurity for US Data?

With investment in cybersecurity capabilities and proactive measures to address emerging challenges, we can work together to navigate the complexities of combating cybercrime.

Chris Henderson, Senior Director of Threat Operations, Huntress

February 13, 2025

5 Min Read

Source: wsf AL via Alamy Stock Photo

COMMENTARY

Cybercrime isn't just an inconvenience — it's a serious threat capable of disrupting essential infrastructure, endangering public safety, and shaking the foundations of our financial systems and economy.

We've all seen the headlines in recent years — from a cyberattack on an energy pipeline that disrupted the fuel supply across parts of the US to a large-scale ransomware attack on a health insurance provider that led to a massive leak of personal data. Uncovering and combating cybercrime remains a complex challenge for many reasons, but chief among them is the disconnect in data collection, sharing, and collaboration between the public and private sectors.

Critical infrastructure, essential utilities like power and water, local municipalities and services (think 911 and EMS), small and midsize businesses, and healthcare — not one of these is off-limits to cybercriminals. And as threat actors become more aggressive, our defenses must keep up.

**Plenty of Red Tape, but No Clear Defenses**

The US government has a duty to take the lead in defending the nation against cybercrime. But while there's been some progress over the past few decades toward stronger national leadership on cybersecurity, the truth is that there's been a lot of added red tape with no clear responsible party.

Over the past 25 years, organizations like the FBI's Internet Crime Complaint Center (IC3), the National Cyber Investigative Joint Task Force (NCIJTF), and the Cybersecurity and Infrastructure Security Agency (CISA) have been created. They're producing valuable alerts and educational resources on growing cyber threats. That's all great, except for one thing. Despite decades of progress on building federal alignment around cybersecurity as a key priority, there's still no clear voice leading the charge. Meanwhile, cybercriminals are staying one step ahead, moving faster and more strategically than the agencies tasked with safeguarding citizens' cybersecurity.

That brings us to March 2024, when the Foundation for Defense of Democracies (FDD) released a report calling for the creation of a stand-alone military Cyber Force. This team would run Pentagon cyber-defense efforts from within the Department of the Army and help set the stage for a more unified defense strategy over the next five to 10 years. The report is rooted in feedback from over 70 active and retired military cyber experts who all seem to agree on one thing: Cybercrime poses a serious and growing threat to national security, and it's time to do something about it.

**Closing the Gap**

At the highest levels of government, the US has made a strong push to identify, address, and communicate emerging and critical cyber threats. And now, it's on both the public and private sectors to bridge the gap and work together. But the big question we've yet to fully address is whether there's sufficient collaboration between the public and private sectors and if our response times are suffering because of it.

Take March 2021, for example. Microsoft flagged that a hacking group exploited multiple zero-day vulnerabilities targeting Microsoft Exchange Server software. A month later, the Justice Department stepped in with a court-authorized effort to disrupt ongoing exploitation. And the patches? Those finally rolled out another month later, after cybercriminals had plenty of time to exploit the vulnerabilities and infiltrate organizations.

Fast forward to the ConnectWise ScreenConnect vulnerability that surfaced last year. This time, the private sector was ahead of the game, with guidance and fixes hitting the headlines quickly. But, when it came to government action, CISA issued its advisory days after the vulnerability was announced.

Progress has definitely been made over the past two decades — there's no denying that. But there's still room to tighten the partnership between public and private sectors regarding cybersecurity. So, how do we achieve that?

**Building Future Defenses That Command Respect**

To build stronger defenses for the future, we need to respond to these kinds of incidents in minutes and hours — not days, weeks, or months. There has to be a faster, simpler way for leaders from both the public and private sectors to connect, share insights, and issue clear instructions for vulnerabilities, patches, and more.

I've pinpointed five key areas that, in my opinion, need serious attention to improve collaboration between public and private sectors:

1.  Insights: If we unify data collection, analysis, and sharing, we can give policymakers and practitioners a clearer picture of cybercrime — its scope, its patterns, and where to hit back with precision.
    
2.  Data: Taking that one step further and sharing more data between agencies and the private sector would make a tangible difference in how prepared organizations and municipalities are for known and emerging vulnerabilities.
    
3.  Policy and legislation: Here's a practical one — streamline classification processes. Using a common language for cybercrimes would cut down on miscommunication and confusion.
    
4.  Collaboration: Create task forces between government and industry that scale to the highest levels of government and the gravest threats, responding in a coordinated, powerful way.
    
5.  Hacking back: There are pros and cons to this option, but I'd like to see the federal government explore how to build skills to hack the hackers, and somewhat importantly, what the rules of engagement would be for companies and local governments. The notion has been introduced to the government, but to date, no laws have been passed yet to push it forward.
    

The fight against cybercrime is constantly evolving, and keeping up will take all of us working together and thinking creatively. Recent initiatives prove that when we harness technology, coordinate effectively, and build stronger public-private partnerships, we can significantly bolster our defenses, reducing the impact of cybercrime on individuals and institutions. It's no easy task — staying ahead requires vigilance, adaptability, and a willingness to tackle uncharted challenges. But together, through collaboration and determination, we can tackle cybercrime challenges head-on, creating a safer and more secure future for everyone.

**About the Author**

Senior Director of Threat Operations, Huntress

Chris Henderson runs Threat Operations and Internal Security at Huntress. He has been securing MSPs and their clients for more than 10 years through various roles in software quality assurance, business intelligence, and information security.

How Public &amp; Private Sectors Can Better Align Cyber Defense

Pivoting from prior cyber espionage, the threat group deployed its backdoor tool set to ultimately push out RA World malware, demanding $2 million from its victim.

Source: KB Photodesign via Shutterstock

NEWS BRIEF

A recent RA World ransomware attack utilized a tool set that took researchers by surprise, given that it has been associated with China-based espionage actors in the past.

According to Symantec, the attack occurred in late 2024. The tool set includes a legitimate Toshiba executable named toshdpdb.exe that deploys on a victim's device. It then connects to a malicious dynamic link library (DLL) that deploys a payload containing a PlugX backdoor.

The threat actors in this case used the tool kit to ultimately deploy RA World ransomware inside an unnamed Asian software and services company, demanding a ransom of $2 million. No initial infection vector was found. However, the attacker claimed they compromised the victim's network by exploiting a Palo Alto PAN-OS vulnerability (CVE-2024-0012), according to Symantec.

"The attacker then said administrative credentials were obtained from the company's intranet before stealing Amazon S3 cloud credentials from its Veeam server, using them to steal data from its S3 buckets before encrypting computers," added the researchers, who hypothesized that based on tactics, techniques, and procedures, the attacker could be China-linked Emperor Dragonfly, aka Bronze Starlight, a group that has been known to deploy ransomware to obscure intellectual property theft in the past.

Symantec researchers noted that prior intrusions using the tool set were against the foreign ministry of a Southeastern European country, the government of another, two Southeast Asian government ministries, and a Southeast Asian telecoms operator. Each of these attacks occurred between last July and January, and all were espionage-related, with no ransomware component.

"While tools associated with China-based espionage groups are often shared resources, many aren't publicly available and aren't usually associated with cybercrime activity," said the researchers in a posting this week.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Chinese APT 'Emperor Dragonfly' Moonlights With Ransomware

Japan is on a mission to catch up to the US standard of national cyber preparedness, and its new legislation is a measure intended to stop escalating Chinese cyber-espionage efforts, experts say.

Source: Sean Pavone via Alamy Stock Photo

The Japanese government is on a mission to catch up to US national cybersecurity preparedness standards and has just passed bold legislation aimed at bolstering the country's cyber-response capabilities.

Together, the two articles of legislation constitute what's referred to as the Active Cyber Defense Bill, which enables the Japanese government to take more aggressive measures to stop cyberattacks before they can cause widespread damage.

After some delays in 2024, the bill was finally presented to, and approved by, the country's leading Liberal Democratic Party (LDP) last month. On Feb. 7, it was approved by the Cabinet (which consists of the prime minister and up to 19 other ministers), and was in turn submitted to the National Diet, Japan's parliament.

The passage of the law follows a warning in January from Japan's national police that Chinese state-backed threat actor MirrorFace has been committing wide-scale cyber espionage since 2019 in an effort to steal Japan's national security secrets.

"The country is grappling with a mix of state-sponsored attacks, particularly from neighboring nations, and criminal activity targeting its advanced industrial base," Bugcrowd founder Casey Ellis explains. "Ransomware, supply chain attacks, and IP espionage (e.g., MirrorFace) are all high on the list, as are concerns around prepositioning attacks against critical infrastructure and the defense industry. Its move toward legalizing 'active cyber defense' is a bold step and, to me, is a reflection of the country's delicate geopolitical and geographic position."

**Japan Faces Cyber-Defense Hard Truths**

The overhaul of Japan's cyber-readiness efforts dates back to April 2022 and is a wake-up call delivered to the country's leadership by former US Director of National Intelligence Dennis C. Blair. He was sharply critical of the country's cybersecurity efforts, and this distressed Japanese lawmakers so much that his message left them in what is now known as "Blair Shock."

Blair told Tokyo's government a hard truth: that its cybersecurity preparedness just wasn't up to the standard of its allies in North America and Europe. To amend that, he suggested the government establish new positions and agencies equivalent to those in the US, such as the US Cyber Command and the executive position of National Cyber Director.

Then-Prime Minister Fumio Kishida's administration took the criticism to heart. As soon as it had the opportunity that December, it released a new National Security Strategy with new goals for improving cybersecurity response capabilities. Most notably, the government introduced what it called "active" cyber defense, "for eliminating in advance the possibility of serious cyberattacks that may cause national security concerns to the Government and critical infrastructures and for preventing the spread of damage in case of such attacks, even if they do not amount to an armed attack." In short: identifying the source of a cyberattack early, and defeating it before it can cause serious harm.

In case that sounds a bit like government overreach, lawmakers have since clarified how exactly its active cyber defense will work.

Roughly speaking, the first half of the Active Cyber Defense Bill defines the more passive changes Japan will implement in its national cyber posture.

Among other things, the bill establishes a cybersecurity council and a committee overseeing information gathering and analysis. It requires that critical infrastructure providers report cybersecurity incidents and imbues the prime minister's office with new power to collect certain relevant information through telecommunications providers. It also lays out restrictions on how the government can use that collected data and what sensitive information must be filtered out.

The second piece of legislation introduces more active measures for ensuring Japan's cyber defense.

The military will enjoy new powers to actively protect both its systems and certain systems associated with the US military presence in its borders. And, notably, law enforcement will be hiring new "cyber harm prevention officers," whose job will be to proactively address major cyber threats by, for example, shutting down enemy servers during an incident. When time is short, the prevention officers may act even without explicit approval from relevant oversight bodies.

Ellis says that "the idea of 'vigilante hacking' is controversial but not without merit in specific, controlled scenarios. It signals a shift toward a more proactive stance, which is arguably overdue given the evolving threat landscape."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Japan Goes on Offense With New 'Active Cyber Defense' Bill

Sean Cairncross will be one of the primary advisers to the administration on national cybersecurity matters.

Source: Nimneth X via Shutterstock

President Donald Trump reportedly will nominate Sean Cairncross, former chief operating officer of the Republican National Committee (RNC), as the new head of the Office of the National Cyber Director (ONCD), according to multiple reports.

Cairncross's name apparently was mentioned in a list of planned White House nominees for various posts in the administration obtained by Politico, Axios, and other media outlets.

As national cyber director, Cairncross will play a key role in developing and shaping US cybersecurity policies in the new administration.

The ONCD serves as one of the principal advisers to the president on cybersecurity matters. Unlike the US Cybersecurity and Information Security Agency (CISA), which handles operational cybersecurity and directly engages with federal agencies, ONCD's primary mission is to develop a high-level, whole-of-nation cybersecurity strategy. Among other things, the ONCD led the development of President Joe Biden's National Cybersecurity Strategy of March 2023.

**Influential Role**

In his new role, Cairncross would be responsible for coordinating national cybersecurity policy, advising the president on cyber threats, and ensuring a unified federal response to emerging cyber-risks. He would share responsibility for advising the president on cyber matters, along with the director of cyber at the White House National Security Council (NSC) — a group that advises the president on all matters security related, and not just cyber.

Cairncross is a former RNC official and CEO of the independent US foreign aid agency Millennium Challenge Corporation (MCC). He brings considerable political experience but lacks formal cybersecurity credentials.

As CEO of the MCC from 2019 to 2020, Cairncross oversaw the agency's efforts to alleviate poverty through economic growth in developing nations. Before that, he was deputy assistant to President Trump and senior adviser to the White House chief of staff, and had served as chief operating officer (COO) of the RNC during the 2016 election cycle.

If confirmed, Cairncross fills the role formerly held by Harry Coker Jr., a former CIA senior executive and career Naval officer who served as the White House national cyber director from December 2023 to January, 2025. Coker now serves as Maryland Department of Commerce Secretary after his appointment by Maryland Governor Wes Moore in late January.

Meanwhile, Politico last week reported that Trump had appointed Alexei Bulazel, a former security researcher at Apple and former director of the NSC, as the new senior director for cyber at the Council. If true, that would make Cairncross the second high-level cybersecurity appointment that Trump has made since taking office on Jan. 20.

**Evolving Cybersecurity Strategies**

The nomination of Cairncross as national cyber director marks a significant development in the Trump administration's still nascent but evolving cyber strategy. In just four weeks in the White House, Trump has implemented changes that have sent ripples through the cybersecurity industry.

One of his first acts in office was to rescind a Biden administration executive order that required developers of major artificial intelligence projects and systems to adhere to safety and ethical guidelines. He has, however, left two other Biden cybersecurity executive orders untouched thus far: EO 14111, Strengthening and Promoting Innovation in the Nation's Cybersecurity; and EO 14028, Improving the Nation's Cybersecurity.

Almost immediately after taking office, the Trump administration terminated advisory committee members within the US Department of Homeland Security (DHS). That included members of CISA's Cyber Safety Review Board (CSRB), which among other things was investigating Chinese group Salt Typhoon's attacks on US critical infrastructure.

The Trump administration's moves have impacted CISA as well. Earlier this week, 17 CISA staffers involved in efforts to combat election-related threats were placed on leave pending an internal review of their work. In a report last week, NPR quoted unnamed CISA staffers as saying they had received deferred resignation offers as part of the Elon Musk-led Department of Government Efficiency's (DOGE) efforts to cut costs across the federal government.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

President Trump to Nominate Former RNC Official as National Cyber Director

The open technology, which tackles disinformation, has gained steam in the past year, surpassing 500 corporate members and continuing to evolve.

Source: Tero Vesalainen via Shutterstock

When armed gangs raided a Haitian prison and released 4,700 prisoners last March, images and videos showing the violence and gunfire saturated social media around the world. Determining which graphic media was authentic — and marking those instances in a way that future viewers could verify for themselves what was real and what was modified — was a significant challenge.

Showcasing a solution to exactly that problem, the British Broadcasting Corporation (BBC) launched its adoption of Content Credentials, a technology for attesting to the authenticity and provenance of digital content, by using the technology to verify a TikTok video of the attack. The BBC verified the location of the video and its likely veracity, but it determined that audio of gunfire had been added after the fact. The company then digitally signed the video so that future viewers would know the BBC had verified it.

Content Credentials — an open technology that aims to solve disinformation and media integrity issues — is being developed by the Coalition for Content Provenance and Authenticity (C2PA), a group of more than 500 media, software, and hardware companies working to create an ecosystem for verified media.

The BBC's adoption of Content Credentials is just one use case but an important one, says Andy Parsons, senior director of the Content Authenticity Initiative (CAI) at Adobe and a steering committee member of the C2PA.

"The BBC \[is\] declaring that — regardless of whether this is a photo or whether AI was used to do a photo illustration — you can be guaranteed that it came from BBC, and even that simple proof-of-date or proof-of-origin is something we don't have in media right now," Parsons says.

In 2019, technology and media companies created the CAI to find solutions to disinformation and ways for news organizations to authenticate photos and video. Two years later, six companies — Adobe, Arm, BBC, Intel, Microsoft, and Truepic — founded the C2PA to pursue an open standard for establishing the provenance of various types of media files. The two efforts eventually combined forces to advance Content Credentials, a digital-signature technology and infrastructure for verifying and authenticating media.

In the past year, Content Credentials and the C2PA gained significant steam, with the addition of Amazon, Google, Meta, and OpenAI to the steering committee and the adoption of the technology by several camera makers — including Canon, Leica, and Sony — and smartphone makers, such as Samsung.

Yet the ecosystem is still in its infancy, Christian Paquin, a principal research software engineer at Microsoft, told attendees at last month's ShmooCon 2025.

"You can imagine the situation in five to 10 years when this technology is baked in a lot of the trusted news and a hardware ecosystem that can produce these signatures and can be validated by the social media themselves or the browsers, so that we can really have trust signals to differentiate what's real and what's not," he said.

**Manifest Destiny**

Content Credentials have three main components: the media data, a manifest describing the data and any actions transforming the data, and a digital signature binding the two pieces of information together in a tamper-evident way. The manifest includes typical metadata, as well as some additional C2PA-accepted fields — attestations — that can describe additional attributes of the photo, its source, and the software actions used to process the data.

Based on public-key encryption and digital signatures, Content Credentials act as an audit log of every action performed on a piece of media. A photo could be captured with a smartphone, cropped and lightened with photo-editing software, and then compressed by a content delivery network. Each of those steps would be an attestation in the manifest of the signed content credential.

A video signed with a Content Credential shows that it originated with the BBC News Lab. Source: https://contentcredentials.org/verify

The result is providing an audit trail with each piece of authenticated content, which could help citizens and users better know what is fake and what is arguably real, Adobe's Parsons says.

"All the companies involved — and I would lump in civil society and some governments as well — have a real urgency to solve this problem," he says. "And while C2PA is not a silver bullet at solving misinformation, it does put in place a fundamental foundational layer that the Internet probably should always have had around trust, and this is a really nice clean way to do it."

Already, most makers of foundational artificial intelligence (AI) models — such as Open AI, Meta, and Microsoft — digitally sign all images created by their image-generation models with a Content Credential, indicating that it was AI generated or manipulated.

**An Evolving Standard**

The technology is not done, either. The C2PA specification has quickly evolved over the past three years, reaching version 2.1 in September. Among the new features are efforts to make the credentials more "durable" — in other words, adopting techniques, such as digital fingerprinting and watermarking, to indicate the provenance of images, even if they are manipulated after publication or captured from a screenshot.

The combination of signed metadata with fingerprinting and watermarking is powerful, Adobe's Purdy wrote in a 2024 analysis of the techniques.

"\[N\]one of these techniques is durable enough in isolation to be effective on its own," he said. "But combined into a single approach, the three form a unified solution that is robust and secure enough to ensure that reliable provenance information is available no matter where a piece of content goes."

Watermarks, fingerprinting, and Content Credentials can be a powerful combination. Source: "Durable Content Credentials," CAI blog

A number of technical problems remain to be solved. Journalists reporting on an authoritarian regime, for example, may want to remain anonymous and mask their location. Zero-knowledge proofs can help, allowing a name to be redacted and only the organization — BBC News, for example — to be shown or to generalize the location. ZK proofs allow an attribute to be signed, so a photo's GPS coordinates could instead be reduced to New York City or Kiev to provide a general location that hides the photographer's identity, and verified with a digital signature.

"This is an evolving set of certifications," Microsoft's Paquin told the audience at ShmooCon. "The main challenge is establishing who can sign certificates ... establishing PKI that is worldwide is a big problem."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Content Credentials Technology Verifies Image, Video Authenticity

US, UK, and Australian law enforcement have targeted a company called Zservers (and two of its administrators) for providing bulletproof hosting services to the infamous ransomware gang.

Source: Alexey Krukovski via Alamy Stock Photo

The US government has joined Australia and the UK in sanctioning a Russia-based bulletproof hosting (BPH) services provider and two of its administrators for the company's role in supporting LockBit ransomware attacks. The move is a continuation of a barrage of law-enforcement actions against the Russia-based cybercriminal organization.

The Department of the Treasury's Office of Foreign Assets Control (OFAC), Australia's Department of Foreign Affairs and Trade, and the United Kingdom's Foreign Commonwealth and Development Office jointly sanctioned Zservers, based in Barnaul, Russia, for enabling "ransomware attacks and other criminal activity," the Treasury Department revealed in a press release Feb. 11. That illicit activity specifically centers on providing the infrastructure to facilitate attacks by LockBit, a prolific Russian-based ransomware-as-a-service (RaaS) group, according to the release.

The latest sanctions against Zservers are a continuation of multinational law-enforcement actions aimed at putting LockBit — which has committed severely disruptive ransomware attacks against numerous global organizations — permanently out of commission.

Specifically, they follow four LockBit-related arrests and device seizures made in October by Europol and Eurojust, which at the time also sanctioned and named as a LockBit affiliate Aleksandr Ryzhenkov (aka Beverley). Ryzhenkov was once second-in-command for the infamous Evil Corp cybercrime organization. Officials also arrested one of LockBit's lead developers in Israel last August, while a separate action by Australia sanctioned LockBit's head honcho, LockBitSupp (aka Dmitry Yuryevich Khoroshev), in May 2024.

Related:President Trump to Nominate Former RNC Official as National Cyber Director

"Ransomware actors and other cybercriminals rely on third-party network service providers like Zservers to enable their attacks on Us and international critical infrastructure," Bradley T. Smith, the Treasury Department's acting under secretary for terrorism and financial intelligence, said in a press statement. The sanctions demonstrate the US government's "collective resolve to disrupt all aspects of this criminal ecosystem, wherever located, to protect our national security," he added.

**LockBit Investigation Trail Leads to Zservers**

Law enforcement investigating LockBit discovered the criminal activity of Zservers after the company advertised its BPH services on known cybercriminal forums, according to the Treasury Department. BPH service providers sell access to specialized servers and other computer infrastructure designed to evade detection and thus defy law enforcement attempts to disrupt malicious activities.

Related:Content Credentials Technology Verifies Image, Video Authenticity

Allegedly, Zservers has provided BPH services, including leasing numerous IP addresses, to LockBit affiliates, who have used the hosting services to coordinate and launch ransomware attacks, according to international law enforcement, which collected evidence over several years to come to this conclusion.

During a 2022 search of a known LockBit affiliate, Canadian law enforcement uncovered a laptop operating a virtual machine connected to a Zservers' subleased IP address and running a programming interface used to operate LockBit malware. Also that year, a Russian cybercriminal purchased IP addresses from Zservers, which the department said was likely for use to power LockBit chat servers to discuss ransomware operations. In 2023, Zservers also leased infrastructure, including a Russian IP address, to a LockBit affiliate, the department said.

**Do Anti-Russian Sanctions Work?**

The idea behind government sanctions is to prohibit companies in certain countries from doing business with people involved in cybercriminal activity with the aim of deterring that activity. However, given the resilience of professional ransomware and other cybercriminal groups, experts have mixed opinions on whether this strategy actually works in the long run.

Related:India's Cybercrime Problems Grow as Nation Digitizes

"It is important to acknowledge that although sanctions might impede ransomware operations by targeting their infrastructure, ransomware groups such as LockBit are highly adaptive and well-connected, and will likely have other providers they're able to call on," says Andrew Costis, engineering manager of the Adversary Research Team at security firm AttackIQ.

However, sanctions should make it more difficult for cybercriminals to operate by increasing their costs and forcing attackers to find less effective methods to commit ransomware attacks, another security expert says. This can serve to at least slow them down if not totally put them out of service, notes Randolph Barr, CISO at security firm Cequence.

"The recently announced sanctions and law enforcement actions against Zservers will aid in disrupting ransomware groups by targeting their infrastructure, seizing servers, and blocking financial transactions," he says.

Still, sanctions alone may not necessarily disrupt LockBit and other ransomware groups entirely, meaning that organizations must remain vigilant, Barr says. "As threat actors adapt, companies must continue improving incident management and include ransomware scenarios in their preparedness exercises," he notes.

Indeed, Costis says, given the adaptability of RaaS and its network of affiliates in particular, "organizations must stay vigilant and focus on the latest tactics, techniques, and procedures (TTPs) attackers deploy, to stay ahead of ever-changing threats."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Feds Sanction Russian Hosting Provider for Supporting LockBit Attacks

Sandworm (aka Seashell Blizzard) has an initial access wing called "BadPilot" that uses standard intrusion tactics to spread Russia's tendrils around the world.

Source: Kenishirotie via Alamy Stock Photo

Arguably, no advanced persistent threat (APT) enjoys as much notoriety as Sandworm, otherwise known as Military Unit 74455 within Russia's military intelligence (GRU). Its highlight reel includes NotPetya, an attack against the 2018 Winter Olympics, and two effective assaults on Ukraine's power grid. More recent activities include a campaign against Denmark's energy sector and an unsuccessful attempt to down Ukraine's grid for a third time, followed by a successful attempt.

In a sign of the times, Sandworm has subtly been shifting toward quieter, more widespread intrusions. Microsoft, which tracks the group as "Seashell Blizzard," has identified a subgroup within 74455 focused solely on gaining initial access to high-value organizations across major industries and geographic regions. It calls this subgroup "BadPilot."

**Sandworm's IAB, BadPilot**

Since at least late 2021, BadPilot has been performing opportunistic attacks against Internet-facing infrastructure, taking advantage of known vulnerabilities in popular email and collaboration platforms. Notable examples include Zimbra's CVE-2022-41352, the Microsoft Exchange bug CVE-2021-34473, and CVE-2023-23397 in Microsoft Outlook. All three of these vulnerabilities received "critical" 9.8 out of 10 scores in the Common Vulnerability Scoring System (CVSS).

BadPilot uses these critical vulnerabilities to gain useful initial access to traditionally high-value organizations: telecommunications companies, oil and gas companies, shipping companies, arms manufacturers, and entities of foreign governments. Targets have ranged from Ukraine and broader Europe to Central and South Asia and the Middle East.

Since early 2024, BadPilot has expanded to access targets in the US and UK as well. For this, it has made particular use of bugs in remote monitoring and management software: CVE-2023-48788, for example, a remote injection opportunity in the Fortinet Forticlient Enterprise Management Server (EMS), and the rare 10 out of 10 CVSS-rated CVE-2024-1709, allowing for authentication bypass in ScreenConnect by ConnectWise.

After gaining its foothold on a targeted system, BadPilot follows all the usual steps of any average hacking operation. It promptly establishes persistence using its custom "LocalOlive" Web shell, as well as copies of legitimate remote management and monitoring (RMM) tools, or "ShadowLink," which configures compromised systems as Tor hidden services. It collects credentials, performs lateral movement, exfiltrates data as necessary, and sometimes performs further post-compromise activities.

"There is not a lack of sophistication here, but a focus on agility and obtaining goals," says Sherrod DeGrippo, director of threat intelligence strategy at Microsoft. "These TTPs work because this threat actor is persistent and continues pursuing its objectives."

**The Impact in Ukraine**

Ultimately, BadPilot's job is to lubricate more significant attacks by its parent group, and, by extension, empower its controlling government. While a lot of its activity seems opportunistic, Microsoft wrote, "its compromises cumulatively offer Seashell Blizzard options when responding to Russia's evolving strategic objectives."

It may or may not be a coincidence, for example, that the group came into being just months before Russia's invasion of Ukraine. As that war began, and Russia peppered its neighbor with more cyberattacks than ever before, BadPilot was right in the mix, helping gain access to organizations perceived to be providing political or military support to its adversary. Additionally, Microsoft says, the group has enabled at least three destructive attacks in Ukraine since 2023.

Sandworm has targeted critical infrastructure across Ukraine since the war started, including telecommunications infrastructure, manufacturing plants, transportation and logistics, energy, water, military and government organizations, and other infrastructure meant to support the civilian population. It has also targeted military communities for the purpose of intelligence gathering.

"These threat actors are persistent, creative, organized, and well-resourced," DeGrippo emphasizes. For this reason, "Critical sectors need to ensure that they sustain above-average security practices, patch their software, monitor Internet-facing assets, and enhance their overall security posture."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Source

DARKReading