DPRK's Lazarus Group swiped $1.5 billion from crypto exchange Bybit
Apple strips encrypted security from UK cloud users after gov't edict, Hackers are targeting Signal, CISA stops election security work, DOGE workers are now CISA staff, Hacker pleads guilty to telco phone records theft, Pegasus infections more rampant than expected, much more


Metacurity was on hiatus last week. The following newsletter hits the high points of cybersecurity developments since February 14th.
We remind our readers that Metacurity is mostly a reader-supported publication that relies on the generous support of our paid readers. Please consider supporting Metacurity with an upgraded subscription.
If you can't commit to a subscription today, please consider donating whatever you can. Thank you!
Crypto exchange Bybit said it was hacked, resulting in what analysts estimate was the loss of almost $1.5 billion worth of tokens in the biggest theft ever committed in the industry, with cryptocurrency company Arkham Intelligence blaming the hack on North Korea's Lazarus Group.
The exchange's Chief Executive Officer, Ben Zhou, said a hacker took control of one of Bybit’s offline Ethereum wallets. An estimated $1.46 billion in assets flowed out of the wallet in a series of suspicious transactions, according to posts by on-chain analyst ZachXBT on Telegram. Research firm Arkham Intelligence confirmed around $1.4 billion in outflows from the exchange, posting on X that “the funds have begun to move to new addresses where they are being sold.”
According to blockchain analytics firm Elliptic, the hack is the largest-ever crypto theft, surpassing the $611 million stolen from Poly Network in 2021. It was likely the “largest incident ever, not just crypto,” said Rob Behnke, co-founder and executive chairman of blockchain security firm Halborn.
Zhou went on a live stream on social media platform X to alleviate clients’ concerns about the hack. The exchange has taken out bridge loans with partners and has secured about 80% of the funding needed to cover the loss, he said. At the same time, Bybit will try to recover the funds and take necessary legal action against the hackers.
However, on Feb. 21, the $1.4 billion exploit triggered a mass exodus of funds and widespread panic among users.
Data from DeFiLlama reveals that Bybit processed $2.5 billion in withdrawals on Feb. 22 and another $3.26 billion on Feb. 23. The rapid outflows caused the exchange’s total assets to shrink from $16.9 billion to $10.8 billion as of press time. (Emily Nicolle, Muyao Shen, and Olga Kharif / Bloomberg and RT Watson / The Block and Elliptic and Oluwapelumi Adejumo / Cryptoslate)
Related: New York Times, TechCrunch, PYMNTS.com, DL News, BleepingComputer, The Block, PCMag, NBC News, Yahoo Finance, Engadget, CoinDesk, TheStreet, Forbes, TheStreet, Cointelegraph, Bitcoin Insider, Blockworks, Associated Press, Wall Street Journal, Cointelegraph, Forbes, Cryptopolitan, Fortune, The Record, Financial Times, Coinpedia Fintech News, The Crypto Times, Finextra, The Crypto Times, CoinGape, crypto.news, CryptoPotato, CryptoSlate, Protos, Crypto Briefing, The Block, Web3 is Going Just Great, Watcher Guru, Reuters, CoinJournal, Bitcoinist.com, Cryptopolitan, NFTgators, Hackread, Decrypt, NewsBTC, DL News, Blockchain News, Bloomberg, The Block, Benzinga, SlashGear, The Coin Republic, ZeroHedge News, CoinGape, Bitcoin Insider, r/technology, r/news, Slashdot, Decrypt, CoinDesk, Blockchain.News, Decrypt, CoinGape, Cointelegraph, CryptoPotato, Wccftech, Cryptopolitan, Bitcoinist.com, DL News, Techreport, Security Affairs, PC Gamer, TechSpot, Hindustan Times, The Independent, Associated Press, Türkiye Today, The Verge, TradingView, SlashGear, Fortune, DL News, The Crypto Times, Cryptopolitan, Bitcoin Insider, The Crypto Basic, Benzinga, CoinGape, Coinpedia Fintech News, Crypto Briefing, Gulf Business, CryptoNinjas, The Block, Cointelegraph, Blockworks, The Record, Blockonomi, crypto.news, CyberInsider, CryptoSlate, Cryptopolitan, Coinpedia Fintech News, Decrypt, Silicon Republic, Infosecurity Magazine, ABC.net.au, Cointelegraph, DefiLlama
Apple is removing its most advanced encrypted security feature for cloud data in the UK, a stunning development that follows the government's order that the company build a backdoor to access user data.
Apple said Advanced Data Protection, an optional feature that adds end-to-end encryption to a wide range of user data, is no longer available in the UK for new users. The technology provides an extra layer of security to iCloud data storage, device backups, web bookmarks, voice memos, notes, photos, reminders, and text message backups.
“We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy,” the company said in a statement. “ADP protects iCloud data with end-to-end encryption, which means the data can only be decrypted by the user who owns it, and only on their trusted devices.”
Without ADP, the UK government is poised to have an easier time requesting user data — a potentially alarming scenario for customers in the country. The move also threatens to set a precedent that encourages other nations to push Apple to reduce security. (Mark Gurman / Bloomberg)
Related: BBC, TechCrunch, Washington Post, The Verge, 9to5Mac, Tech Policy Press, MacRumors, PCMag, Bloomberg, USA Today, Electronic Frontier Foundation, Daring Fireball, Financial Times, Six Colors, Redmond Pie, MacTrast, Android Headlines, SiliconANGLE, PhoneArena, Channel NewsAsia, Al Jazeera, Breitbart, Sky News, Wall Street Journal, Digital Trends, The Standard, Boing Boing, TechRadar, Neowin, mobilenewscwp.co.uk, Silicon UK, The Information, AppleInsider, PetaPixel, BGR, UPI, Cult of Mac, The Apple Post, mjtsai.com, Gizmodo, Engadget, CyberInsider, r/privacy, r/applesucks, r/tech, r/europe, r/hardware, r/iphone, r/apple, r/technews, r/technology, r/iphone, Slashdot, MacRumors Forums, Philip Elmer‑DeWitt, Hacker News (ycombinator)
Google's threat intelligence team revealed that multiple hacker groups serving Russian state interests are targeting end-to-end encrypted messaging tool Signal, including in the Ukrainian military's battlefield communications.
Those Russia-linked groups, which Google has given the working names UNC5792 and UNC4221, are taking advantage of a Signal feature that allows users to join a Signal group by scanning a QR code from their phone. By sending phishing messages to victims, often over Signal itself, both hacker groups have spoofed those group invites in the form of QR codes that instead hide JavaScript commands that link the victim's phone to a new device, in this case, one in the hands of an eavesdropper who can then read every message the target sends or receives.
Two months ago, Google began warning the Signal Foundation, which maintains the private communications platform, about Russia's use of the QR code phishing technique. Last week, Signal finished rolling out an update for iOS and Android designed to counter the trick.
The new safeguard warns users when they link a new device and checks with them again at a randomized interval a few hours after that device is added to confirm that they still want to share all messages with it. Signal now also requires authentication, such as entering a passcode or using FaceID or TouchID on iOS to add a new linked device. (Andy Greenberg / Wired)
Related: Google Cloud, Google Cloud Blog, Ars Technica, CyberInsider, Infosecurity, CyberScoop, UPI, Hackread, Dark Reading, Forbes, r/technology, r/signal, r/technews, r/craftofintelligence, Hacker News (ycombinator), UPI, Politico, Infosecurity Magazine, The Record, Bleeping Computer

In a move that accommodates Donald Trump's false claims of election fraud and online censorship, the US Cybersecurity and Infrastructure Security Agency (CISA) has frozen all of its election security work and is reviewing everything it has done to help state and local officials secure their elections for the past eight years.
CISA’s acting director, Bridget Bean, sent a memo saying she was ordering “a review and assessment” of every position at the agency related to election security and countering mis- and disinformation, “as well as every election security and [mis-, dis-, and malinformation] product, activity, service, and program that has been carried out” since the federal government designated election systems as critical infrastructure in 2017.
In her memo, Bean confirmed that CISA had, as first reported by Politico, placed seventeen employees “initially identified to be associated with the elections security activities and the MDM program” on administrative leave on February 7.
In justifying CISA’s internal review, which will conclude on March 6, Bean pointed to Trump’s January 20 executive order on “ending federal censorship.” Conservatives have argued that CISA censored their speech by coordinating with tech companies to identify online misinformation in 2020, during the final year of Trump’s first term. CISA has denied conducting any censorship, and the US Supreme Court dismissed a lawsuit over the government’s work. But in the wake of the backlash, CISA halted most conversations with tech platforms about online mis- and disinformation. (Christina Cassidy / Associated Press and Eric Geller / Wired)
Related: Mother Jones, Alternet.org, New York Times, StateScoop, r/technology, r/law, r/cybersecurity, r/politics, Default, TechCrunch
Several developments are swirling around Elon Musk's DOGE effort, including eleven lawsuits, sloppy work by the DOGE team and DOGE worker Edward "Big Balls" Coristine, along with a colleague joining as "staff" at the Cybersecurity and Infrastructure Security Agency (CISA).
The lawsuits claim DOGE has illegally accessed significant swaths of Americans’ personal information. All claim that DOGE has violated the Privacy Act of 1974 passed in the wake of the Watergate scandal and President Richard Nixon’s resignation, which heavily regulates what information about American citizens federal agencies can store and who can access that information.
The lawsuits and privacy claims have quickly become substantive challenges to DOGE's ability to operate fully. They represent attempts by critics to slow DOGE’s actions in some instances, at least temporarily.
In separate developments, DOGE's team of young workers has committed a series of errors that cast doubt on their capabilities, including poorly coded websites that don't show what DOGE contends they show, illegal publication of classified information, and more.
It’s not clear what level of access Coristine and his colleague might have to data and networks at CISA, but the agency, which is responsible for the defense of civilian federal government networks and works closely with critical infrastructure owners around the country, stores a lot of sensitive and critical security information on its networks. This includes information about software vulnerabilities, breaches, and network risk assessments conducted for local and state election offices. (Kevin Collier / NBC News and Brian Barrett / Wired and Kim Zetter / Wired)
Related: SC Media, Nextgov/FCW, r/politics, r/craftofintelligence, r/espionage, r/fednews, CNN, Nextgov/FCW, New York Times, Krebs on Security, The Atlantic
Cameron John Wagenius pleaded guilty to hacking AT&T and Verizon and stealing a massive trove of phone records from the companies.
Wagenius, who was a US Army soldier, pleaded guilty to two counts of “unlawful transfer of confidential phone records information” on an online forum and via an online communications platform. According to a document filed by Wagenius’ lawyer, he faces a maximum fine of $250,000 and prison time of up to 10 years for each of the two counts.
Wagenius was arrested and indicted last year. In January, US prosecutors confirmed that the charges brought against Wagenius were linked to the indictment of Connor Moucka and John Binns, two alleged hackers whom the US government accused of several data breaches against cloud computing services company Snowflake, which were among the worst hacks of 2024. (Lorenzo Franceschi-Bicchierai / TechCrunch)
Related: Gizmodo, United States District Court for the Western District of Washington, United States District Court for the Western District of Washington, Slashdot
In a joint advisory, CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) said attackers deploying Ghost ransomware have breached victims from multiple industry sectors across over 70 countries, including critical infrastructure organizations.
Other industries impacted include healthcare, government, education, technology, manufacturing, and numerous small and medium-sized businesses.
Ghost ransomware operators frequently rotate their malware executables, change the file extensions of encrypted files, alter the contents of their ransom notes, and utilize multiple email addresses for ransom communications, which has often led to fluctuating attribution of the group over time.
Names linked to this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture, with ransomware samples used in their attacks including Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.
This financially motivated ransomware group leverages publicly accessible code to exploit security flaws in vulnerable servers. They target vulnerabilities left unpatched in Fortinet (CVE-2018-13379), ColdFusion (CVE-2010-2861, CVE-2009-3960), and Exchange (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). (Sergiu Gatlan / Bleeping Computer)
Related: Hackread, SC Media, SiliconANGLE, CISA, DataBreachToday.com, Forbes, TechRadar, CyberInsider, Infosecurity, Tech Monitor, Cyber Security News, r/cybersecurity, The Register
Researchers at Orange Cyberdefense CERT spotted a previously undocumented ransomware payload named NailaoLocker in attacks targeting European healthcare organizations between June and October 2024.
The attacks exploited CVE-2024-24919, a Check Point Security Gateway vulnerability, to access targeted networks and deploy the ShadowPad and PlugX malware, two families tightly associated with Chinese state-sponsored threat groups.
Orange Cyberdefense CERT links the attacks to Chinese cyber-espionage tactics, though there is not enough evidence to attribute them to specific groups. Compared to the most prominent ransomware families, NailaoLocker is a relatively unsophisticated strain.
Orange sees NailaoLocker as a rather basic ransomware because it does not terminate security processes or running services, it lacks anti-debugging and sandbox evasion mechanisms, and it does not scan network shares.
Orange says, "Written in C++, NailaoLocker is relatively unsophisticated and poorly designed, seemingly not intended to guarantee full encryption."
The malware is deployed on target systems via DLL sideloading (sensapi.dll) involving a legitimate and signed executable (usysdiag.exe).
Investigating deeper, Orange says they found some overlap between the content of the ransom note and a ransomware tool sold by a cybercrime group named Kodex Softwares (formerly Evil Extractor). However, there were no direct code overlaps, making the connection blurry. (Bill Toulas / Bleeping Computer)
Related: Orange Cyberdefense, MSSP Alert, SC Media, Security Affairs

Researchers at iVerify developed an iPhone app to detect infections by NSO Group's Pegasus spyware, and the app uncovered multiple previously unknown instances of the spyware, indicating that its infections are more widespread than has been believed.
In May 2024, iVerify released a $1 app for people to scan their iPhones for any signs of compromise. On Wednesday, iVerify said that, of the approximately 3,000 people who downloaded and used the app, there were seven verifiable detections of Pegasus.
The security outfit said this is about 2.5 infections per 1,000 phones scanned, or a 0.25% infection rate. These constituted "true positive Pegasus detections" that could be definitively proven and in instances where the user's identity was verified.
The study openly admits that the number may be skewed towards "highly-targeted individuals or people who already thought their device might be compromised." After publishing an initial report on its findings in December, it was given a second opportunity and a wider audience.
Approximately 18,000 more app downloads took place following that report, with 11 new cases detected in December alone.
The second wave, which included a larger and more generalized audience than the first, lowered the global incidence rate to 1.5 per 1,000 scans. At the same time, the group believes that a larger sample size increases its confidence that the 1.5 infection figure is "closer to the true incidence rate."
It is inferred from this second group that mobile compromises can extend beyond high-value targets to "impact a broad cross-section of society," iVerify said. The newly detected infections hit users in the government, finance, logistics, and real estate industries, with some targeted over several years with multiple variants used. (Malcolm Owen / Apple Insider)
Related: 9to5Mac, Cyber Security News, iVerify
HCRG Care Group, formerly Virgin Care, a major private provider of NHS services in Kent and Surrey, UK, said it was investigating claims by the ransomware group Medusa that more than two terabytes of sensitive information had been breached.
A spokesperson for the group said: "Our team has not observed any suspicious activity since the implementation of immediate containment measures."
In an update on its dark website, the Medusa crew claimed it had stolen 2.275 TB of data from HCRG. It will either sell that information to a buyer for $2 million (£1.6 million), delete its copy of that info for the same amount, or leak it all online if no one pays up by February 27.
Additionally, the gang claims it will delay the release for $10,000 (£8,000) per day, presumably to keep negotiations open. It has already leaked samples, totaling 35 pages, of what's said to be pilfered information, including passport and driving license scans, staff rotas, a birth certificate, and data from background checks. (Iain Thomson / The Register)
Related: BBC News, Teiss, SC Media, TechRadar, Computing, Digital Health

Blockchain analytics firm Chainalysis said that sanctioned entities and jurisdictions were responsible for nearly $16 billion in cryptocurrency activity last year, driven in part by a resurgence of activity in the mixing service Tornado Cash and a spike in the use of crypto in Iran.
Chainalysis said that despite sanctions by the U.S. Treasury’s Office of Foreign Assets Control against Tornado Cash in 2022, the “core infrastructure of the platform has proven difficult to shut down.”
Separately, Chainalysis said that individual Iranians moved more money out of the country’s beleaguered financial system and into cryptocurrency in 2024 than ever before. (James Reddick / The Record)
Related: Chainalysis, NCRI, Iran News Update, CryptoSlate, CryptoNews, The Block, Iran Focus, Cryptonews

A flurry of innovation from cybercrime groups in China is breathing new life into the carding industry by turning phished card data into mobile wallets that can be used online and at Main Street stores.
Ford Merrill of SecAlliance has been studying the evolution of several China-based smishing gangs and found that most of them feature helpful and informative video tutorials in their sales accounts on Telegram. Those videos show the thieves are loading multiple stolen digital wallets on a single mobile device and then selling those phones in bulk for hundreds of dollars apiece.
One promotional video shows stacks of milk crates stuffed full of phones for sale. A closer inspection reveals that each phone is affixed with a handwritten notation that typically references the date its mobile wallets were added, the number of wallets on the device, and the initials of the seller.
Merrill said one common way criminal groups in China are cashing out with these stolen mobile wallets involves setting up fake e-commerce businesses on Stripe or Zelle and running transactions through those entities — often for amounts totaling between $100 and $500.
Criminals also can cash out mobile wallets by obtaining real point-of-sale terminals and using tap-to-pay on phone after phone. But they also offer a more cutting-edge mobile fraud technology: Merrill found that at least one of the Chinese phishing groups sells an Android app called “ZNFC” that can relay a valid NFC transaction to anywhere in the world.
The user simply waves their phone at a local payment terminal that accepts Apple Pay or Google Pay, and the app relays an NFC transaction over the Internet from a phone in China.
Experts say the continued reliance on one-time codes for onboarding mobile wallets has fostered this new wave of carding. (Brian Krebs / Krebs on Security)
Researchers at Hudson Rock report that organizations across the defense sector, including military agencies, show signs of being infected by information-stealing malware.
Victims of infostealers in recent years have included at least 398 employees of defense giant Honeywell, 66 employees of Boeing, and 55 employees each at Leidos and Lockheed Martin.
A review of stolen data for sale on cybercrime markets found that other infostealer-infected organizations include the U.S. Army, with 71 infected employees, and the U.S. Navy with 30 and FBI with 24.
Based on the specific types of credentials being sold, Hudson Rock researchers say buyers theoretically could have gained access to various sensitive corporate systems, including remote access VPNs and Active Directory Federation Services, Salesforce, SAP, and SharePoint software. (Matthew Schwartz / Bank Info Security)
Related: Hudson Rock, Infosecurity Magazine, CPO Magazine, Security Magazine, Cybernews, TechRadar, HackRead, Cyber Security News

An unknown leaker has released what they claim to be an archive of internal Matrix chat logs belonging to the Black Basta ransomware operation.
ExploitWhispers, the individual who previously uploaded the stolen messages to the MEGA file-sharing platform, from which they have since been removed, has now uploaded them to a dedicated Telegram channel.
It's not yet clear if ExploitWhispers is a security researcher who gained access to the gang's internal chat server or a disgruntled member.
While they never shared the reason behind this move, cyber threat intelligence company PRODAFT said today that the leak could directly result from the ransomware gang's alleged attacks targeting Russian banks.
"As part of our continuous monitoring, we've observed that BLACKBASTA (Vengeful Mantis) has been mostly inactive since the start of the year due to internal conflicts. Some of its operators scammed victims by collecting ransom payments without providing functional decryptors," PRODAFT said.
"On February 11, 2025, a major leak exposed BLACKBASTA's internal Matrix chat logs. The leaker claimed they released the data because the group was targeting Russian banks. This leak closely resembles the previous Conti leaks."
The leaked chats also contain 367 unique ZoomInfo links, which indicate the likely number of companies targeted during this period. Ransomware gangs commonly use the ZoomInfo site to share information about a targeted company, internally or with victims during negotiations.
ExploitWhispers also shared information about some Black Basta ransomware gang members, including Lapa (one of the operation's admins), Cortes (a threat actor linked to the Qakbot group), YY (Black Basta's main administrator), and Trump (aka GG and AA), who is believed to be Oleg Nefedov, the group's boss. (Sergiu Gatlan / Bleeping Computer)
Related: PYMNTS, The Register, BankInfoSecurity, Cybernews, TechCrunch, The Record, GitHub

New York-based venture capital and private equity firm Insight Partners disclosed that its systems were breached in January following a social engineering attack.
The company manages over $90 billion in regulatory assets and has invested in over 800 software and technology startups and companies worldwide during its 30 years of activity.
The firm said some of its information systems were breached on January 16 through "a sophisticated social engineering attack." Insight Partners added that no evidence was found that the attackers maintained access to its network after their presence was discovered. (Sergiu Gatlan / Bleeping Computer)
Related: Insight Partners, Security Magazine, Infosecurity Magazine, Dark Reading, Security Affairs, CTech, TechCrunch, Teiss
InvestHK, the Hong Kong government’s investment promotion arm, said it is checking whether any personal information was compromised following a ransomware attack on its computer systems.
The agency said that preliminary findings revealed the attack, which occurred the day before, had affected areas including its internal customer relationship management system, intranet, and sections of its website operations, such as the contact form and events updates.
Its public services remain unaffected. Members of the public can continue to contact staff through telephone, email, or face-to-face meetings.
An InvestHK spokesman said risk assessments indicated that basic client information might be affected.
“Although this is an ongoing investigation, based on preliminary assessment, this could potentially include basic information on InvestHK’s clients, such as the companies’ contact information, and records of InvestHK staff,” he said. (Danny Mok and Wynna Wong / South China Morning Post)
Related: China Daily, The Standard
The Cleveland, OH Municipal Court is investigating a cyber incident that happened Sunday evening, which forced the court to shut down the affected systems as a precautionary measure while it focuses on restoring services safely.
All the court's internal systems and software platforms will be shut down until further notice. Except for essential staff members, the court will be closed on Feb. 24, and the public will not observe regular business hours. (Mercy Sackor / News5 Cleveland)
Government buildings in Anne Arundel County, Maryland, will be closed on Monday, Feb. 24 because of a cyber incident impacting county services, according to officials.
The county notified the public of the issue on Saturday, saying the incident came from an outside source. Cyber specialists say full-service restoration could take days. (Adam Thompson / WJZ News)
Related: WUSA, WMAR, Eye on Annapolis, DC News Now, Capital Gazette
The US Coast Guard’s payroll system suffered a data breach, with bi-weekly pay for 1,135 service members impacted and delayed.
The Coast Guard said it took its personnel and payroll system offline to help address security.
The breach impacted service members’ direct deposit account routing information, and was discovered after unusual activity was reported. Journalist Marisa Kabas first reported the news.
The Coast Guard Pay and Personnel Center’s Direct Access service was down for “unscheduled maintenance” and was due to be restored on Feb. 19. (Nicholas Slayton / Task and Purpose)
Related: TechRadar, Cyber Daily, USNI News, Military.com, Military Times, Federal News Network
Genea, a major Australian IVF provider used by tens of thousands of patients, has confirmed an "unauthorised third party" has accessed its data, five days after its phone lines went down and patients were left concerned their treatment could be affected.
The company said it was "urgently investigating a cyber incident after identifying suspicious activity" on the network.
Patients had also complained that the company's app MyGenea — which allows patients to track their cycle and view fertility data, results and forms — could not be used.
Genea first notified patients on February 14 that phone lines were down. (Elise Worthington / ABC.net.au)
Related: TechCrunch, Sydney Morning Herald, The Record, Bleeping Computer, Teiss, Nine News, Infosecurity Magazine, The Economic Times, ABC.net.au, News.com, IT News
The pro-Russian hacking group NoName57 hit Italian government websites with DDoS attacks in what it said was a reaction to a speech by Italian President Sergio Mattarella that compared Russia’s invasion of Ukraine to the Nazis’ “wars of conquest.”
The group hit the websites of the defense, interior and transport ministries, as well as law enforcement agencies. Access to the sites was spotty.
The group also said it attacked Italian banks, ports, airports and local transport agencies, but those attacks did not cause major disruptions. (Associated Press)
Related: Infosecurity Magazine, Vijesti, Security Affairs, Techerati
The Australian Department of Home Affairs issued a mandatory direction [pdf] “to prevent the installation of Kaspersky Lab products and web services from all Australian government systems and devices."
The direction, made under the protective security policy framework (PSPF), also requires federal entities to remove “all instances” of Kaspersky’s products.
Home Affairs secretary Stephanie Foster assessed that Kaspersky software "poses an unacceptable security risk to Australian government, networks and data, arising from threats of foreign interference, espionage and sabotage."
The move also coincides with a raft of sanctions issued by the Department of Foreign Affairs on February 24 against Russia.
The sanctions, which cover 149 entities and individuals, come in conjunction with a ban on the supply of Russian commercial drones and components. (Eleanor Dickinson / IT News)
Related: Australian Department of Home Affairs, InnovationAus.com, CSO Online, Channel News
A London talent agency, The Agency, reported itself to the UK's data protection watchdog after the Rhysida ransomware crew claimed it had attacked the business, representing stage and screen luminaries.
The agency was established in 1995, and its clients include Louis De Bernieres, Sam Mendes, Emma Thompson, and many others across the film, TV, and theatre industries.
The same group that hit the British Library with ransomware in 2023, Rhysida, claims it is now holding The Agency's data to ransom. Its data leak site suggests it is willing to sell the data for 7 Bitcoins ($678,035) and the gang already published a montage of documents it alleges to have stolen from The Agency. (Connor Jones / The Register)
Related: The Cyber Press, SC Media, Red Packet Security, The Sun, Gizmodo, Far Out Magazine
Sources say US prosecutors and regulators are investigating a $32 million deal between cybersecurity giant CrowdStrike and Carahsoft Technology to provide cybersecurity tools to the Internal Revenue Service.
Carahsoft Technology paid CrowdStrike for the deal the cybersecurity firm closed on the last day of a fiscal quarter in 2023, but the IRS never purchased the products.
The transaction under investigation was big enough that it could have made the difference between CrowdStrike beating or missing Wall Street projections for the period, although the Austin, Texas-based company has declined to detail how it accounted for the deal. (Jake Bleiberg / Bloomberg)
Related: Computerworld, Sherwood
The US Justice Department announced that Health Net Federal Services (HNFS) and its parent company, Centene Corporation, agreed to pay an $11.2 million fine to settle allegations that HNFS lied about meeting federal cybersecurity standards, the latest penalty levied on a contractor as part of a 2021 initiative to root out cyber-related fraud.
According to prosecutors, between 2015 and 2018, the company, which administered the Tricare healthcare program for 22 states, “falsely certified compliance” with certain cybersecurity controls required of federal contractors. The company allegedly failed to scan for known vulnerabilities in a timely fashion and to address security flaws on its networks.
The Justice Department also accused the company of ignoring internal and third-party reports about network risks related to patch management, password policies, end-of-life hardware and software and configuration settings.
The settlement agreement is part of the DOJ’s Civil Cyber-Fraud Initiative, announced in October 2021, which puts a spotlight on federal contractors to ensure they adhere to cybersecurity rules. It falls under the auspices of an 1863 law, the False Claims Act, that created civil. (James Reddick / The Record)
Related: Justice Department, DataBreachToday, SC Media
Katie Arrington, the former South Carolina state lawmaker who helped steer Pentagon cybersecurity contracting policy before being placed on leave amid accusations that she disclosed classified data from a military intelligence agency, announced that she is the Defense Department’s new chief information security officer.
Arrington, who posted about her new role on LinkedIn Tuesday night, joined the Defense Department in 2019 following a single term in the South Carolina House and served in the Pentagon’s Office of Acquisition and Sustainment in President Donald Trump’s first term.
In 2022, she reached a legal settlement with the government and resigned from her role, and later made an unsuccessful bid for Congress, losing to Republican House lawmaker Nancy Mace of South Carolina. (David DiMolfetta / NextGov/FCW)
Related: LinkedIn, DefenseScoop, Breaking Defense
Identity-first security startup SGNL announced it had raised $30 million in a Series A venture funding round.
Brightmind Partners led the round with participation from Costanoa Ventures, Microsoft’s M12, and Cisco Investments. (Ingrid Lunden / Tech Crunch)
Related: VC News Daily, FinSMEs, SGNL
Dream, an AI company based in Tel Aviv, Israel, that provides cyber resilience for nations and critical infrastructure announced it had raised $100 million in a Series B venture funding round.
Bain Capital Ventures led the round with the participation of Group 11, Tru Arrow, Tau Capital, and Aleph. (Gillian Tan / Bloomberg)
Related: Reuters, PYMNTS.com, Dream, SiliconANGLE, FinSMEs
Crypto security firm Blockaid announced it had raised $50 million in a Series A venture funding round.
Ribbit Capital led the round with the participation of GV, formerly known as Google Ventures, and existing investors Variant and Cyberstarts. (Suvashree Ghosh / Bloomberg)
Related: CTech, Globes Online
MirrorTab, a San Francisco, CA-based provider of advanced web application protection, announced it had raised $8.5m in seed funding.
Valley Capital Partners led the round, with participation from GV, Ludlow Ventures, Altman Capital Fund, NextGen Venture Partners, and Alumni Ventures. (FinSMEs)
Related: Pulse 2.0, Business Wire
Best Thing of the Day: Yup, America Is Now Officially the Bad Place
European entrepreneur Bert Hubert is warning organizations that it "is madness to continue transferring the running of European societies and governments to American clouds under the current right-wing regime."
Worst Thing of the Day: Imagine the Suffering
Thai police are warning that tens of thousands of people could be held in illegal cyber scam compounds in Myanmar.
Closing Thought
