The Senate’s top Democrat called on the Department of Homeland Security Friday to work closely with state and local governments to defend against artificial intelligence-strengthened hacks. 

Senate Minority Leader Chuck Schumer, D-N.Y., wrote to DHS Secretary Markwayne Mullin to make sure state, local, tribal and territorial (SLTT) governments aren’t left behind as AI models advance, posing new hacking threats.

“There is a race between cybersecurity defenders and AI-enabled hacking — and there’s no time to waste,” Schumer wrote.

“While the White House has reportedly begun hosting meetings about its internal security priorities following these frontier AI cyber breakthroughs, it is glaringly obvious that the Department of Homeland Security needs an updated plan for coordinating these efforts with [state, local, tribal and territorial] governments and implementing procedures to reduce the risk of disruptive cyberattacks enabled by frontier AI,” he stated.

Schumer said he was worried about the capabilities of DHS and its Cybersecurity and Infrastructure Security Agency to carry out that coordination, given federal funding cuts to the Multistate Information Sharing and Analysis Center, and the lack of a Senate-confirmed CISA director for the duration of the second Trump administration.

Schumer wants a plan from DHS by July 1 on coordinating with state and local governments on a range of questions, such as how to identify top AI talent, carry out rapid patching and conduct risk assessments.

“AI is changing the cyber battlefield fast — and we cannot let hackers get there first,” Schumer said in comments accompanying the letter. “Hospitals, power grids, water systems, schools, elections, and emergency services cannot be left exposed while criminal gangs and state-backed hackers race to exploit new AI tools. DHS must immediately help states and localities find and fix vulnerabilities before Americans are hit with outages, disruptions, and attacks that could put lives and livelihoods at risk.”

CISA is using AI to help on the defensive side internally, agency officials recently said.

The post Sen. Schumer seeks DHS plan on AI cyber coordination with state, local governments appeared first on CyberScoop.

The Trump administration is redirecting a cybersecurity scholarship program that requires recipients to work in government service toward artificial intelligence, leaving some current program scholars dismayed and bewildered.

In an email to participating school program coordinators obtained by CyberScoop, the Office of Personnel Management and National Science Foundation said the CyberCorps Scholarship For Service program would now be known as CyberAI SFS.

“The SFS students we enroll today will not be employable when they graduate in 2-3 years without significant AI background,” the email reads. “Any SFS student in this new program must be proficient in using AI in cybersecurity or providing security and resilience for AI systems. Therefore, new students in the legacy CyberCorps program must learn to acquire AI expertise to augment their cybersecurity expertise.”

“Effective immediately, new SFS scholars will not be accepted to the Legacy CyberCorps(C) program without a description on how they will develop competencies at the intersection of cybersecurity and AI,” the email continues. “The description of the competency development could include, but are not limited to, formal program of study, experimental learning, research activities, capstone projects, competitions, certifications, and/or no-credit professional development via external providers.”

One current program scholar graduating soon said they were “disappointed” by the change for several reasons. As of earlier this week, the agencies collectively running the program — OPM, NSF and the Department of Homeland Security — hadn’t notified any program participants that any changes were on the horizon.

For another: “I was a little bit surprised that it was coming out as so blatantly disregarding the people that haven’t graduated yet, that everyone in my cohort is already considered ‘legacy,’ and the fact that it said people in the program that I’m currently in will not be employable in the coming years,” they said.

The email leaves scholars uncertain about what will happen as they try to fulfill their side of the agreement, especially since doing so has  already been difficult amid cyber job cutbacks and other concerns about how the program has recently been administered. The scholar told CyberScoop there are around 300 people in this current group.

“I assume it will affect placements,” they said. “I can’t say for sure one way or another, because placements are already so impacted by everything that’s been going on. I don’t know what’s due to lack of AI background and what’s due to everything else.”

Another scholar said it was wrong for OPM “to keep claiming repeatedly that they’re acting in our best interests,” when “we’re left out to dry.” Already, the current group of scholars has been frustrated by their inability to get questions answered.

“If we’re legacy CyberCorps, then how does that address anything?” the scholar asked. “We’re just kind of being shoved into a closet and forgotten about. Now in that email, they were saying that we were going to be unhireable in two years time without all this AI stuff under our belt. But at the same time, almost all of our universities were actively discouraging the use of AI.”

Another part of the email brought welcome news to those scholars: a temporary easing of the program’s requirements, including the 70-20-10 rule that sets targets for jobs in the federal government, state and local governments, and the education sector, as well as the rules for securing an internship.. Even so, scholars say they still haven’t received any direct information about the changes.

A spokesperson for NSF said there have been some misunderstandings about the email to school program coordinators (known as principal investigators), but didn’t address current scholars’ concerns about communication.

“The guidance does not require scholars to possess these competencies upon entry,” said the spokesperson, Michael Englund. “Rather, it requires principal investigators (PIs) to clearly describe how their programs will prepare scholars to develop AI-related competencies by the time they graduate (typically within two to three years). In other words, programs must have a concrete and immediate plan to ensure scholars gain these skills during the course of their studies, not prior to admission.”

A spokesperson for OPM addressed the two biggest concerns of current participants.

“There are no changes to placement requirements,” the spokesperson said. “As noted, NSF’s updates are forward-looking to ensure future cohorts are prepared for evolving workforce needs. NSF has encouraged institutions to use professional development funds to expand AI-related training where needed. At OPM, we are also expanding AI training and have introduced AI ambassadors to support adoption.”

On communication: “Principal investigators (PIs) remain the primary point of contact for scholars, but OPM plans to increase direct outreach and plans to issue follow-up communication to scholars on placement efforts,” the spokesperson said.

Last week’s email is the latest turn for the program, with the Cybersecurity and Infrastructure Security Agency last month declaring that it was canceling summer internships due to the lapse in funding for some DHS agencies. Congress has since provided funding for CISA. 

The agency didn’t answer a question about whether that cancellation decision has been reversed as a result.

The post Trump officials are steering a cybersecurity scholarship program toward AI appeared first on CyberScoop.

A House Democrat who’s been at the forefront of congressional efforts to scrutinize the federal government’s use of commercial spyware wants the Commerce Department to brief Capitol Hill amid apprehension that the Trump administration might further embrace the technology.

Rep. Summer Lee, D-Pa., sent a letter to the department Thursday seeking a briefing on several developments stemming from Immigration and Customs Enforcement acknowledging its use of Paragon’s Graphite spyware, as well as an American company purchasing a controlling stake in Israel’s NSO Group. The Commerce Department sanctioned NSO Group under former President Joe Biden after widespread abuse allegations, including eavesdropping on government officials, activists and journalists.

“The Trump Administration appears to be broadly receptive to using commercial spyware to infiltrate cell phones and allowing U.S. investment in sanctioned spyware companies like NSO Group,” Lee wrote in her letter to Commerce Secretary Howard Lutnick, which CyberScoop is first reporting.

NSO Group’s new executive chairman, David Friedman, is a former Trump ambassador to Israel and was his bankruptcy attorney. He has said in November that he expects the administration will be “receptive” to using NSO Group tech.

“Given those close ties between NSO Group and the Trump Administration, and the serious concerns about how NSO’s technology could be used to spy on Americans, we write to request information regarding the purchase of NSO Group by an American company and the potential usage of NSO Group spyware by federal law enforcement,” wrote Lee, who sits on the Oversight and Government Reform panel and is the top Democrat on its Federal Law Enforcement Subcommittee.

Lee was one of the authors of a recent Democratic letter seeking confirmation of ICE’s use of Paragon’s Graphite, which ICE acknowledged. But they criticized the administration for not answering all their questions, in addition to being outraged.

In her latest letter, Lee asked the Commerce Department to brief Oversight and Government Reform Committee staff about internal department deliberations, Commerce communication with the White House and any outside conversations — including with Friedman — about government use of NSO Group technology or any other commercial spyware, and American investment in NSO.

NSO Group “appears to view the Trump administration as friendly to its interests in the United States, pitching itself as a vital tool for the U.S. government to safeguard national security,” Lee wrote, citing company court filings that it “is reasonably foreseeable that a law enforcement or intelligence agency of the United States will use Pegasus.”

The Biden administration sanctions, and court losses in a case against Meta, represented setbacks for NSO Group’s ambitions. And prior to the U.S. investment firm controlling stake purchase last fall, the Commerce Department under Trump rebuffed efforts to remove NSO Group from its sanctions list.

But the tens of millions of dollars worth of investment, following news that Israel had used Pegasus to track people kidnapped or murdered by Hamas, was a boon.

NSO Group maintains that its products are designed only to help law enforcement and intelligence fight terrorism and crime, and that it vets its customers in advance as well as investigates misuse. News accounts and other investigations have turned up a multitude of abuses.

There have been scattered reports of U.S. flirtation with using NSO Group technology. The FBI acknowledged it had bought a Pegasus license, but stopped short of deploying it. The Times of London reported that “it is believed” the Central Intelligence Agency used Pegasus spyware as part of a rescue mission last month for a U.S. airman downed in Iran.

You can read the full letter below.

The post One House Democrat is pressing Commerce on the government’s spyware use appeared first on CyberScoop.

The Cybersecurity and Infrastructure Security Agency has gotten “by far” the biggest gains from artificial intelligence automation in its security operations unit to help analysts sift through threats, but it’s also proven valuable elsewhere within the agency, CISA officials said Tuesday.

It’s “really allowing those analysts to do triage very fast, so they focus on what matters versus the noise,” Tammy Barbour, acting chief of application management at CISA, said. “They’re able to do a lot of real-time, quick looks before events happen in most places.”

Barbour, speaking at the UiPath FUSION Public Sector event hosted by Scoop News Group, said automation has also been a boon to CISA’s Technology Operations Center.

“The top analysts are able to quickly respond to customers who are reaching out to talk and asking questions, and be able to get real-time efficiencies with that,” she said. 

And it’s been a big help for data migration, Barbour said.

Lauren Wind, acting deputy chief technology officer at CISA, said from her wing of the department, it’s focused on finding benefits from automation in areas like human resources, contracting and finance.

“So we can continue to drive mission, but also accelerate the mission-supporting functions,” she said. “We really want to ensure that our cyber analysts are focusing on the things that matter, like malware.”

But there are some barriers to adoption of the technology, both said.

“We’re still kind of in our infancy,” Barbour said. “But we still struggle with the legacy workflows, processes. We still have some systems that need to be modernized, that we’re currently working towards adoption. People love their spreadsheets. I just can’t force it out of their hands, especially the — sorry, all the accountants in the room, I apologize, but you’ve got to let it go.”

AI governance needs to be laid out in advance, too, and transparently, Wind said.

“One of the biggest things is ensuring that the CTO is driving governance, whether that’s for data, whether that’s for AI,” she said. “I think we’re pretty good on generative, and everyone’s a little bit catching up to industry on agentic.”

How to handle data is another consideration, Wind said.

“Whether you’re on the cloud and you’re serverless or you’re still on prem, if you haven’t figured out what your structure of your data platform looks like, it makes automation a lot more difficult,” she said. 

The comments from Barbour and Wind offered a window into how CISA is viewing AI internally. Much of the agency’s recent work related to AI is focused on advice for safe deployment of agentic AI at other organizations, or examination of the way AI is deepening threats.

The post CISA boasts AI automation improvements to threat analysis, mission support appeared first on CyberScoop.

Congress extended a controversial surveillance law for 45 days on Thursday, hours before its latest expiration following an earlier extension.

The Senate passed — then the House cleared — a 45-day extension of Section 702 of the Foreign Intelligence Surveillance Act, which authorizes warrantless surveillance of foreign targets. But those targets are sometimes communicating electronically with Americans, and intelligence officials can search the database using their identifying information, which has long given privacy groups and privacy-minded lawmakers heartburn.

The 45-day reprieve gives lawmakers more time to hammer out a lasting deal, and comes after the leaders of the Senate Intelligence Committee agreed to send a letter to the Director of National Intelligence and attorney general, seeking swift declassification of a letter on a classified ruling from the Foreign Intelligence Surveillance Court.

Sen. Ron Wyden, D-Ore., had sought release of that opinion, and had resisted giving unanimous consent for the latest short-term extension to move forward until Senate Intelligence Chairman Tom Cotton, R-Ark., and top panel Democrat Mark Warner of Virginia agreed to send the letter.

A declassification review was already underway, but the Cotton-Warner letter states that “We expect that this declassification review will be completed and the FISC opinion released publicly within 15 days,” according to Wyden, speaking on the Senate floor.

The March 17 opinion reportedly came with annual recertification of the warrantless surveillance program. The Justice Department is appealing that ruling because it blocked them from using certain tools to analyze communications.

“A few weeks ago, the Foreign Intelligence Surveillance Court found major compliance problems related to the surveillance law known as section 702,” Wyden said earlier this month. “These compliance problems are directly related to Americans’ Constitutional rights.”

Senate Majority Leader John Thune, R-S.D., said the extension will give lawmakers additional room to hold “discussion on reforms.”

The House this week had passed a 3-year reauthorization with some changes to the surveillance program, but key to doing so was leadership’s agreement to attach legislative language on a separate matter that would ban a central bank digital currency. Thune had said that language was going nowhere in the Senate.

On Thursday, the House voted 261-111 to extend the law for 45 days. President Donald Trump has sought a “clean” 18-month reauthorization of the surveillance powers.

The extension continues a perennial ritual for the Hill when it comes to Section 702: A deadline looms, and Congress kicks the can down the road repeatedly.

The post Congress kicks the can down the road on surveillance law (again) appeared first on CyberScoop.

The growth of data centers — and adversaries’ targeting of them — left lawmakers at a hearing Wednesday contemplating whether the federal government has the right setup for defending them.

Some industry witnesses and experts at the hearing of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection testified that the answer might be to give data centers their own standalone designation as a critical infrastructure sector.

The question of how to secure data centers against cyber and physical attacks coincides with artificial intelligence fuelling a boom in the building of such facilities across the United States. Last month, Iranian drones targeted two Amazon data centers in response to the U.S.-Israel bombing campaign on Iran, and a third data center in Bahrain was struck as well.

“If a major data center is attacked, disrupted, or taken offline, the consequences can reach far beyond one company or one sector,” Rep. Andy Ogles, R-Tenn., said in prepared opening remarks. “Yet our current framework does not provide a clear, unified approach to data center security. It does not clearly answer which federal agency is responsible for understanding the risk, coordinating with industry, or leading the response when this infrastructure is targeted.”

Three providers account for 63 percent of the market share of data centers: Amazon Web Services, Microsoft Azure and Google Cloud Platform. 

The United Kingdom already has deemed data centers as a standalone critical infrastructure sector. Reps. Vince Fong, R-Calif., and LaMonica McIver, D-N.J., asked panel witnesses Wednesday about federal protection of them.

“Given the scrutiny that is required to make sure that those data centers are secure, there would be a benefit in having them work together as a unique coordinating council,” said Robert Mayer, senior vice president for cybersecurity and innovation at USTelecom, an industry group.

The Foundation for Defense of Democracies’ Mark Montgomery suggested a sector that combines data centers and cloud providers, given the overlap in ownership. The 2024 rewrite of a White House national security memo left some experts disappointed that it didn’t designate cloud computing as a critical infrastructure sector. 

Samuel Visner, chair of the board of directors of the Space Information Sharing and Analysis Center, said he agreed, given the role data centers are playing in the U.S. economy, military and other dependencies. “Finding a way to regard them as part of our critical infrastructure and protect them accordingly is sine qua non, absolutely necessary,” he said.

A fourth witness didn’t weigh in on the need for a separate critical infrastructure designation. But Scott Algeier, executive director of Information Technology Information Sharing and Analysis Center, said his organization had created a “special interest group” for data center providers.

“The data centers are integrated already into the critical infrastructure discussions,” he told the panel.

The post Congress, industry ponder government posture for protecting data centers appeared first on CyberScoop.

Illinois Rep. Delia Ramirez is taking over as the top Democrat on the House Homeland Security panel’s cybersecurity subcommittee, replacing former Rep. Eric Swalwell after his resignation.

Committee Democrats approved the change Tuesday at a meeting prior to a “shadow hearing” without the GOP majority, focused on protecting elections from Trump administration interference.

Ramirez first won election to Congress in 2022 and was reelected in 2024. She has served as the vice ranking member of the committee since 2023. She is now the ranking member of the Subcommittee on Cybersecurity and Infrastructure Protection.

She has leveled criticisms during committee hearings about the Trump administration’s personnel cutbacks at the Cybersecurity and Infrastructure Security Agency, and was critical of how data was secured under the administration’s Department of Government Efficiency initiative led by Elon Musk.

“Under a Musk and Trump presidency, it’s clear that the security of Americans’ information is not a priority. I mean, a private civilian with no security clearance bullied his way into the Treasury, set up private servers, and stole sensitive information from an agency. If that isn’t a national security crisis, a cybersecurity  crisis –then I don’t know what is,” Ramirez said at an early 2025 hearing. “The true threat to our homeland security is ‘fElon’ Musk, Trump, and their blatant misuse of power to steal information and coerce employees to leave agencies.”

She cosponsored legislation last year meant to strengthen the cybersecurity workforce by promoting measures to help workers from underrepresented and disadvantaged communities to join the field.

But she also had criticisms of U.S. cybersecurity under the Biden administration, including of Microsoft’s role in the SolarWinds breach.

In a statement about her appointment Tuesday, Ramirez took aim at at Trump, Vice President JD Vance, Department of Homeland Security Secretary Markwayne Mullin and White House homeland security adviser Stephen Miller.

“It’s clear that the security of our communities’ information, federal networks, and critical infrastructure have not been priorities” under them, she said. “Between the security failures of DOGE, the abuses of immigrant families’ data, and the decimation of CISA’s workforce and resources, Republicans have demonstrated a lack of interest in safeguarding our nation’s cybersecurity and our residents’ civil rights and privacy. In neglecting necessary oversight, Republicans have deregulated emerging technologies, allowed bad actors to profit from violations of our civil rights, and consented to the weaponization of government systems. It is more critical than ever that we assert our Congressional authority and disrupt the blatant corruption making us all less safe.”

Swalwell left the position following his resignation from Congress as a representative from California amid allegations of sexual misconduct.

Her ascension completes a full leadership turnover for the subcommittee. Rep. Andy Ogles, R-Tenn., took over the gavel late last year after former chairman Andrew Garbarino, R-N.Y., took over as chairman of the full committee.

The subcommittee is set to hold a hearing Wednesday on CISA and its role as the sector risk management agency for a number of critical infrastructure sectors.

Updated 4/28/26: to include comment from Ramirez.

The post Rep. Delia Ramirez takes over as top House cybersecurity Dem appeared first on CyberScoop.

Supreme Court justices lobbed sharp questions at both sides about the constitutionality of geofence warrants during oral arguments Monday in a case that could have broader implications for law enforcement collection of Americans’ data.

Chatrie v. The United States stems from the 2019 conviction of Okello Chatrie in a bank robbery, where authorities obtained location data from Google about people within a specific area at a specific time.

In questioning an attorney for the petitioner, Adam Unikowsky, a number of conservative justices — including Chief Justice John Roberts — asked why the government shouldn’t be allowed to access location data taken from a third party given that Chatrie had “opted-in” to share that data.

“I just don’t agree that one should have to flip off one’s location history as well as other cloud services to avoid government surveillance,” Unikowsky answered, raising whether the government was entitled to getting emails or calendar data that are also stored in the cloud. (Google has since moved location data to users’ individual devices.)

Some liberal justices, too, had skeptical questions for Unikowsky. “This identifies a place, a crime — a limited time frame, but a time frame,” Sonia Sotomayor said, referring to protections from open-ended searches under the Fourth Amendment. “So it’s not a general warrant in this historical sense.” But she also said that because location data follows users everywhere: “When the police are searching or asking for a search result, there’s no way to predict whether they’re going to invade your privacy.”

The line of questioning about how far a government request for bulk data can go continued from both conservative and liberal justices when it was the government’s turn to argue its position. Justices probed skeptically about what made emails or calendar data different, and whether the government could do a physical search of all of the lockers in a storage facility to find one gun they believed might be there.

It was an unusually long session for the Supreme Court, going two hours. A ruling could come in June or July. Predicting how a court will decide based on justices’ questions is famously fraught. Only one justice, Samuel Alito, hinted strongly at how he was likely to decide.

“I’m struggling to understand why we are here in this case, other than the fact that at least four of us voted to take it,” he said. He said he didn’t believe anything new of note could come out of the court based on lower court rulings during questioning of Unikowsky. “We are all free to write law review articles on this fascinating subject, but that seems like that’s what you’re asking for.”

Orin Kerr, a Stanford University law professor who filed a friend of the court brief on the government’s side, said he believed based on the oral arguments that the court will say geofence warrants can be drafted lawfully.

“The Justices seem likely to reject the broader argument Chatrie made about the lawfulness of the warrant,” he wrote on social media. “They’ll probably say the geofence warrants have to be limited in time and space.”

Casey Waughn, a privacy lawyer and senior associate at Armstrong Teasdale, was struck by the absence of a major focus on “third-party doctrine,” under which there’s no reasonable expectation of privacy when citizens give their information to an outside party like a bank. 

She also honed in on arguments Unikowsky made.

“His argument really gave two lines to go down for the judges, and one was that you have a property interest in your data on the cloud, and the other was that you have a reasonable expectation of privacy for your data on the cloud,” she told CyberScoop. “And historically, both of those avenues have been grounds on which the Court has found that …issue is protected under the Fourth Amendment, and therefore that the actions constituted a search. So I thought it was interesting that he went and kind of argued both of those lanes.”

Alan Butler, executive director of the Electronic Privacy Information Center that filed a friend of the court brief on the side of the petitioner, said the stakes in the case are high.

“Today’s arguments underscored that the Supreme Court is weighing one of the most consequential privacy questions of the digital age: whether the government can use sweeping location data searches to identify a suspect,” he said in a statement after the arguments. “The Court should hold that the Constitution protects our digital data even when it is stored by an app or cloud provider. The Court should ensure that the highly sensitive records generated by our phones cannot be obtained without particularized suspicion and close judicial oversight.” 

The post Supreme Court justices skeptically question both sides in geofence surveillance case appeared first on CyberScoop.

A bipartisan pair of senators want a company that operates a tip line for anonymously reporting school safety concerns to answer questions about hackers compromising sensitive student information.

Sens. Maggie Hassan, D-N.H., and Jim Banks, R-Ind., announced on Monday they’d sent a letter to the firm, Navigate360, about last month’s incident.

“We write to express significant concern about the risks to students, staff, and schools from a recent cyberattack on your company’s P3 Global Intel tip line,” they said in the April 24 letter. “We are particularly concerned by reports that the cyberattack exploited platform vulnerabilities in order to steal students’ highly sensitive personally identifiable information. We urge you to provide the public clarity regarding what data was stolen, how Navigate360 is responding, and what safeguards Navigate360 will put into place to prevent this from happening again.”

According to the company, more than 30,000 schools and 5,000 public safety agencies use Navigate360’s products. Hackers claimed to purloin 93 gigabytes of data from the firm.

“Your company markets its product as an anonymous tip line,” Hassan and Banks said. “However, the personally identifiable information recently released by the hackers suggests otherwise. This puts the safety of students at risk and undermines public trust in using such platforms to report suspicious activity. Education and school safety experts have expressed concerns that, without guaranteed anonymity, students will choose not to report safety concerns.”

At the time of the alleged breach, Navigate360 CEO JP Guilbault said the company was working to determine if there was an incident and if there was, its extent. He did not confirm that sensitive information was released. The company did not immediately respond to a request for comment on the senators’ letter Monday.

A whopping 82% of K-12 schools said they experienced a cyber incident between July 2023 and December 2024, according to a report from the Center for Internet Security. The scale of cyberattacks on schools expanded during COVID-19. Hackers seeking student information usually have a financial motive, such as holding the information for ransom.

The hackers in the Navigate360 case were apparently motivated by hacktivism.

“Remember folks, don’t do the dirty work for the pigs,” they wrote. “Investigating crime is their job, not yours. They don’t care about you, they want convictions and prisoners to fuel the for-profit prisons.”

Hassan and Banks’ specific questions for Navigate360 included inquiries about its cybersecurity practices, what data was compromised, whether the tip line is fully anonymous and what kind of help the company has provided to school districts.

The post Senators seek answers about hackers obtaining sensitive student data from ostensibly anonymous tip line appeared first on CyberScoop.

The latest attempt to re-up a controversial expiring surveillance law has failed to placate vocal critics on both the left and right of the political spectrum.

Two House votes failed last week to extend the spying powers under Section 702 of the Foreign Intelligence Surveillance Act (FISA) for 18 months without changes, leading to Congress instead passing a 10-day reauthorization. GOP leaders have been scrambling to find a bill they can pass since with the April 30 deadline approaching.

House Speaker Mike Johnson, R-La., introduced a bill Thursday to extend it for three years, with a section stating that government officials can’t use Section 702 to target Americans. Under Section 702, U.S. spies and law enforcement agencies can warrantlessly search electronic communications of foreign targets. But those targets are sometimes communicating with U.S. persons, and officials can search the communications database using their personal information.

But critics of the latest Johnson proposal say the language about targeting Americans is window dressing.

“On the whole, it is an empty-calories bill and nothing more that does not engage in reform,” Jake Laperruque, deputy director of the center’s security and surveillance project at the Center for Democracy and Technology, said in a call with reporters Friday.

Civil liberties groups have long called for a warrant requirement for U.S. person-based searches.

“It doesn’t require a warrant or any kind of court process for U.S. person searches,” said Kia Hamadanchy, senior policy counsel for the American Civil Liberties Union’s political advocacy division. “The main reform just restates existing law… . It’s also completely irrelevant to the issue at hand, because backdoor searches have never been the product of the government intentionally targeting U.S. persons under 702. The problem is that they are incidentally collecting U.S. person communications and searching the communications of Americans.”

Gene Schaerr, general counsel of the conservative Project for Privacy and Surveillance Accountability, called the proposal “smoke and mirrors.”

The legislation did win over at least one key lawmaker, however: Rep. Warren Davidson, who had earlier introduced an amendment to attach a ban on the government buying American’s information from third-party data brokers, and who was a chief co-sponsor of legislation requiring a warrant for U.S. person searches under Section 702.

“Collectively, this set of reforms provides robust privacy protections for American citizens. Congress should bank this win and reauthorize Section 702,” Davidson said on X. “Then, we should swiftly begin gutting the unmitigated surveillance state left growing unchecked during these 702 fights.”

But it doesn’t look like it has yet won over enough conservative House Freedom Caucus members, and few Democrats have been on board with Johnson’s plans.

Rep. Ted Lieu, D-Calif., indicated on X in harsh terms that he doesn’t trust FBI Director Kash Patel with current Section 702 powers.

The post Latest spy power reauthorization bill leaves critics unimpressed appeared first on CyberScoop.

Campaigns employing commercial surveillance vendors tracked targets by exploiting mobile phone network vulnerabilities in what researchers said Thursday was the first-ever linking of “real-world attack traffic to mobile operator signalling infrastructure.”

The two unknown parties behind the campaigns mimicked the identities of mobile phone operators with customized surveillance tools, and manipulated signaling protocols and steered traffic through network pathways to hide, according to research from the University of Toronto’s Citizen Lab.

“Our findings highlight a systemic issue at the core of global telecommunications: operator infrastructure designed to enable seamless international connectivity is being leveraged to support covert surveillance operations that are difficult to monitor, attribute, and regulate,” a report published Thursday reads.

“Despite repeated public reporting, this activity continues unabated and without consequence,” Gary Miller and Swantje Lange wrote for Citizen Lab. “The continued use of mobile networks, built on a close inter-operator trust model and relied upon by users worldwide, raises broader questions for national regulators, policymakers, and the telecom industry about accountability, oversight, and global security.”

The attackers relied on identifiers and infrastructure associated with operators around the world, including networks based in Cambodia, China, the self-governing Island of Jersey, Israel, Italy, Lesotho, Liechtenstein, Morocco, Mozambique, Namibia, Poland, Rwanda, Sweden, Switzerland, Thailand, Uganda and the United Kingdom.

They shifted between SS7 and Diameter protocols, the signalling protocols known for 3G and 4G/most of 5G, respectively, according to the report. While Diameter was meant to be more secure than SS7, the Federal Communications Commission in 2024 opened a probe into both its vulnerabilities and SS7’s, and Sen. Ron Wyden, D-Ore., has asked for a Cybersecurity and Information Security Agency report about telecommunications vulnerabilities rooted in both protocols.

But identifying the vendors used in the two surveillance campaigns, or who was behind them, was beyond the researchers’ reach.

“The reality is that there are a number of known surveillance vendors and bad actors in this space, but given the opaque nature of telecommunications signalling protocols, those vendors are able to operate without revealing exactly who they really are,” Ron Deibert, director of Citizen Lab, wrote in his newsletter. “Much of the malicious things they are doing blend into the otherwise voluminous flow of billions of normal messages and roaming signals. They are ‘ghost operators’ within the global telecom ecosystem.”

One of the operators mentioned in Citizen Lab’s report, Israel-based 019 Mobile, wrote back that it didn’t recognize the hostnames referenced in the report as 019 Mobile’s network nodes, and couldn’t attribute the signaling activity it represents to 019 Mobile-operated infrastructure.

Another operator, Sure, said it has taken preventative measures to defend against misuse.

“Sure acknowledges that digital services can be misused, which is why we take a number of
steps to mitigate this risk,” CEO Alistair Beak said in a statement to CyberScoop. “Sure has implemented several protective measures to prevent the misuse of signalling services, including monitoring and blocking inappropriate signalling. Any evidence or valid complaint relating to the misuse of Sure’s network results in the service being immediately suspended and, where malicious or inappropriate activity is confirmed following investigation, permanently terminated.”

019 Mobile and a third operator, Tango Networks UK, didn’t respond to requests for comment from CyberScoop. The Citizen Lab report afforded some grace to the operators.

“It is important to note that the operator signalling addresses observed in the attacks do not necessarily imply direct operator involvement,” it states. “In some cases, access to the signalling ecosystem can be obtained through third-party providers, commercial leasing arrangements, or other intermediary services that allow actors to send messages using operator identifiers from legitimate networks.”

Updated 4/24/26: to include quote from Alistair Beak.

The post Surveillance campaigns use commercial surveillance tools to exploit long-known telecom vulnerabilities appeared first on CyberScoop.

Sean Plankey, the long-sidelined nominee to lead the Cybersecurity and Infrastructure Security Agency, asked President Donald Trump on Wednesday to withdraw his nomination.

“At this point in time, I am asking the President to remove my nomination from consideration,” he said in a notification letter seen by CyberScoop. “After thirteen months since my initial nomination, it has become clear that the Senate will not confirm me.”

Plankey’s request comes weeks after the Senate confirmed MarkWayne Mullin to lead the Department of Homeland Security, CISA’s parent agency.

“The Nation and Department of Homeland Security Secretary MarkWayne Mullin requires a confirmed director of CISA without further delay,” Plankey wrote, adding thanks to Trump himself. “While I humbly request the removal of my nomination, I wholeheartedly support President Trump’s upcoming nomination for CISA and look forward to the continued success of the United States of America.”

Plankey’s nomination was considered dead by most at the end of last year. His renomination this year caught many by surprise, with CBS reporting the paperwork filing was an accident. The White House denied that.

Numerous senators had placed holds on his nomination, including GOP senators who held him up over matters unrelated to cybersecurity. Most prominently, Sen. Rick Scott, R-Fla, had placed a hold on his nomination over a Coast Guard contract with a Florida company that DHS had partially canceled.

Plankey had been serving as an adviser to then-DHS Secretary Kristi Noem on Coast Guard matters. He retired from the Coast Guard last month.

While Plankey awaited confirmation, Bridget Bean, then Madhu Gottumukkala, served as acting director. Gottumukkala recently left the position for another at DHS amid widespread complaints about his leadership. Nick Andersen is currently serving as acting director.

Plankey told CyberScoop he had discussed withdrawing his nomination with Mullin. He said he has a “positive relationship” with Mullin and supported his leadership of DHS. And Plankey called Andersen “one of the most competent cybersecurity people in the country.”

Politico first reported Plankey’s withdrawal request. The White House and CISA did not respond to an official request for comment. When asked for a comment, a DHS spokesperson said the department doesn’t comment on personnel matters.

Plankey’s plans leave the agency with yet more upheaval. Trump has dramatically cut personnel and budget at CISA, with many top officials pushed out or otherwise departing. He has proposed deeper budget cuts still for fiscal year 2027.

Updated 4/22/26: to include DHS response.

The post CISA director pick Sean Plankey withdraws his nomination appeared first on CyberScoop.

The Supreme Court will hear oral arguments Monday in a case that could limit the government’s ability to obtain bulk digital data of device users with a single warrant, in a rare instance of the country’s top justices taking on digital rights.

Chatrie v. The United States is the first major Fourth Amendment case the court has taken up since 2018, despite the proliferation of technology that impacts privacy since then. At the center of what the justices will address are so-called geofence warrants, which compel companies to disclose user data from a certain time and location.

“It’s a really interesting question about a law enforcement tool that would have been unimaginable a few decades ago, where you can basically look at potentially every phone, for example, that passed through a particular area in a particular window,” said John Villasenor, a law professor at UCLA and nonresident senior fellow at the Brookings Institution.

Both conservative and liberal civil liberties advocates have lined up in favor of the petitioner, leaving the United States government with fewer friend-of-the-court briefs on its side. Okello Chatrie was convicted for a 2019 bank robbery after police used a geofence warrant to obtain information from Google about users during a one-hour period and 17.5-acre area, then refined the search.

In Congress, Democrats have raised concerns about geofence warrants as they might pertain to abortion rights, while Republicans have raised concerns about their use in tracking suspects linked to the Jan. 6, 2021 insurrection at the Capitol.

Courts have been divided on the legality of the geofence warrant in Chatrie’s case. Google has since stopped storing location data in the cloud and moved records directly to user devices, but those siding with Chatrie say it could have broader implications for financial records, search history records, chat bot records and more.

“We think it’s important that courts get it right and that, among other things, courts recognize that we have a property interest in many of our digital records,” said Brent Skorup, a legal fellow at the Cato Institute, which has filed an amicus brief on behalf of the petitioner. “If the government can get those digital records without a warrant, that renders the Fourth Amendment pretty empty and we’re not secure in our privacy and traditional rights to having control of our private papers and effects.”

The United States noted that Chatrie opted into Google’s storage of his location history, and that the information’s collection is not substantially different from identification of other markers of someone’s presence, like tire tracks or boot prints.

“Individuals generally have no reasonable expectation of privacy in information disclosed to a third party and then conveyed by the third party to the government,” it wrote. A collection of 32 attorneys general have sided with the U.S. government, as well as some law professors.

In the 2018 case, Carpenter v. The United States, the Supreme Court limited the applicability of that “third-party doctrine” — echoed by the U.S. government’s argument in the Chatrie case — to search and seizure of 127 days’ worth of someone’s cell site location information, ruling that it constituted a search under the Fourth Amendment and therefore required a warrant.

The type of warrant is at issue in Chatrie v. The United States. A Virginia court ultimately found that geofence warrant unconstitutional because it was not sufficiently specific and was not supported by probable cause for every user whose data was collected. However, the court ruled the evidence was admissible in court, because law enforcement acted in “good faith” in the belief that it was constitutional.

Villasenor said the court could clear a lot up by addressing the good faith exception, something lower courts have used to sidestep substantial constitutional rulings, according to one study. But both Villasenor and Skorup say it’s possible that the Supreme Court also could fail to arrive at a conclusive ruling on the issues at stake in Chatrie.

While some civil liberties advocates are optimistic about the outcome due to the court’s ruling in Carpenter, three justices in that case have since been replaced by others.

The rarity of such digital privacy cases rising to the level of the Supreme Court might be simply a function of a crowded court agenda, but it’s not the only possibility.

“Part of it might be because the court has not developed a consensus view about how to approach these yet,” Skorup said. “It’s speculation on my part, but they probably have some ambivalence about taking up cases where they know that they’re not going to speak with one voice, or they know they might speak with fractured voices.”

Google itself filed a brief in the case, but sided with neither party, saying it took no position on the warrant in Chatrie’s specific case.

“But it urges the Court to hold that Google Location History and other similar digital documents stored remotely deserve the Fourth Amendment’s protection,” it wrote. “A contrary rule would leave the intimate details of millions of Americans’ daily lives — data that will exist in many forms as technology rapidly develops — exposed to warrantless surveillance.”

The post The Supreme Court is about to decide how far geofence warrants can go appeared first on CyberScoop.

Lawmakers at a hearing Tuesday explored ways to beef up punishments for ransomware attacks against hospitals, possibly by labeling them as more severe crimes.

One proposal floated at the House Homeland Security Committee hearing, to treat ransomware attacks as terrorism, is an idea Congress has flirted with before. Another would be to press prosecutors to pursue homicide charges in attacks on hospitals where death resulted — something German authorities also once pondered.

A former top FBI cyber official, Cynthia Kaiser, put forward both ideas at the hearing, a joint meeting of the subcommittees on Border Security and Enforcement and Cybersecurity and Infrastructure Protection on cybercrime, drawing questions and interest from members.

“I believe there are no penalties too severe for individuals that would target our health care system,” said Mississippi Rep. Michael Guest, chair of the border subcommittee, whose home state of Mississippi’s health care clinics closed following a February ransomware attack.

The suggestions stem from a growing focus by ransomware attackers on the health care sector, with incidents doubling from 238 in 2024 to 460 in 2025 according to FBI statistics, making it the top targeted sector.

Kaiser, now senior vice of the Halcyon ransomware research center, said terrorism designations from the State, Treasury and Justice departments could lead to further sanctions, restricted travel and other punishments. Justice Department guidance on homicide charges could clarify its authorities, she said.

“It sounds like the language is there, it just has not been applied in these circumstances,” said Rep. Lou Correa of California, the top Democrat on Guest’s subpanel.

The notion of more closely entwining cyberattacks and terrorism is something both Congress and the executive branch have examined recently.

The fiscal 2025 Senate intelligence authorization bill would have directly linked ransomware to terrorism, although the final version of the bill that became law was less explicit than the original Senate language. The Treasury Department last month asked for public feedback on changing a terrorism risk insurance program to address cyber-related losses.

A University of Minnesota study from 2023 estimated that hospital ransomware attacks were responsible for dozens of deaths of Medicare patients. German authorities in 2020 opened a negligent homicide investigation following a death in the aftermath of a ransomware attack, but ultimately decided against charges.

The Trump administration’s national cyber strategy advocates for taking a more offensive approach to hackers. It released an executive order on cybercrime and fraud the same day it published the strategy. Kaiser said the proposals are in line with those approaches.

Hackers know their attacks could end lives, she said. “They have simply decided these deaths are someone else’s problem,” Kaiser said.

The post Lawmakers ponder terrorism designations, homicide charges over hospital ransomware attacks appeared first on CyberScoop.

Congress is grappling with renewal of a surveillance law set to expire at the end of this month that critics say is a mystery on how much of a difference it has made for controversial government spying authorities — for better or worse.

The 2024 law reauthorized so-called Section 702 powers of the Foreign Intelligence Surveillance Act (FISA), which authorizes warrantless surveillance of electronic communications of foreign targets. Most controversially, the law allows U.S. officials to search (“query”) those communications databases using Americans’ personal information, as long as the American is  in contact with someone overseas, which raises significant privacy concerns.

Backers of the 2024 law, known as the Reforming Intelligence and Securing America Act (RISAA), point to 56 changes it made to deal with criticisms of Section 702, following a period where abuses came to light, including hundreds of thousands of improper searches. At the same time, the law made changes that some feared could actually expand Section 702 powers.

The House voted to extend the law as-is for 10 days early Friday. The Senate then did the same. The Trump administration has sought a 180-day “clean” reauthorization.

As Congress weighs potential extensions of the 2024 law without making changes to it, “I don’t think we know” what good has come of it, said Elizabeth Goitein, senior director of the Brennan Center for Justice’s liberty and national security program. By the same token, it’s difficult to know whether some of the expansion fears have come to fruition, she said: “We don’t have reliable information on this.”

Added Jake Laperruque of the Center for Democracy and Technology: “There’s a lot of black boxes here.”

Examining Past Changes

Both Goitein and Laperruque are skeptical of any positive change from RISAA, though, and have long advocated for a warrant requirement for U.S. person searches. Intelligence agencies have resisted that addition, claiming that it would dramatically slow down time-sensitive national security investigations.

By contrast, Glenn Gerstell, former general counsel at the National Security Agency, said RISAA constituted “the most significant set of reforms to the statute since its adoption in 2008.” and that “those reforms have had a dramatic effect.” 

One major point of dispute is to what degree the number of U.S. person searches dropped, particularly because of a conclusion in last year’s Justice Department inspector general report finding that an “advanced filtering tool generated queries that were not tracked by the FBI.” 

As the report outlines, an FBI system has an “‘advanced filter function’ that allows users to select a specific FBI casefile number or ‘facility’ (e.g., a phone number or email address), using a drop-down menu or search bar, to review communications with targeted facilities.

“This functionality enables users to select from lists of ‘participants’ in communication with targeted facilities and review communications of those participants.In or around August 2024,” the report continues. The National Security Division of the Justice Department “became aware of the participants filter function in [the system] and was concerned that searches conducted through use of the participants filter constituted separate queries that must satisfy the query standard and comply with all query procedural requirements.”

By the intelligence community’s count, the number of U.S. person searches has otherwise mostly declined even going back to before the 2024 law’s passage: 119,383 in 2022, 57,094 in 2023, 5,518 in 2024 and 7,413 in 2025.

“It is quite clear that the searches that were run using this filter function met the statutory definition of queries, and yet the FBI for some significant period of time decided to not count them as queries,” Goitein said.

Laperruque, deputy director of CDT’s security and surveillance project, said an audit mandate in the 2024 law was potentially useful, but hasn’t proven to be in reality.

“At least it should mean that it should help try to detect abuse if it is happening,” he said. “The problem there, though, is you’re still relying on the FBI to properly log all of its quarries and hand them over for DOJ to be checked, which hasn’t happened. You’re trusting DOJ and the executive to engage in self-policing, and that’s something where folks rightfully have a lot of skepticism based on how DOJ has conducted itself recently.”

Gerstell, a senior adviser at the Center for Strategic and International Studies, points to numerous reviews — including a staff report from the Privacy and Civil Liberties Oversight Board (PCLOB) — that indicate a drop in U.S. person searches. It’s the biggest change of RISAA, he said.

“The most significant one is a very substantial drop in the number of queries of the database for U.S. person information, which has been a big focus for privacy advocates, and there’s been a dramatic drop, so much so that both the Inspector General for the Department of Justice and the staff of the PCLOB have said, ‘I wonder if we’re overdoing it.’ … Every single one of them presents those numbers, without caveat.”

On the advanced filter function count, Gerstell acknowledged the ambiguity, but referred to reports that said, as he summarized, “If they had been considered queries, it appears that most would have been compliant anyway… because they were a subset of something that was already compliant. But we don’t know if any of them were noncompliant, and we don’t have the data.”

On the other side of the RISAA debate, critics argued that its revised definition of “electronic communications service provider” could dramatically expand surveillance to include businesses like coffee shops or landlords. The reported, but formally undisclosed, real target of the change was data centers.

“That was a pretty big expansion with a lot of potential abuse,” Laperruque said. But “we don’t really know much about how it’s changed” anything, he said.

Virginia Sen. Mark Warner, the top Democrat on the Intelligence Committee, sought to advance clarifying language about that subject after RISAA’s passage, and the Biden administration said it would confine the provision’s use to the kind of undisclosed businesses that prompted the provision in the first place. Laperreque noted that the Trump administration has made no such promises, and Warner’s clarifying language never became law.

The Foreign Intelligence Surveillance Court (FISC) has issued its annual opinion re-certifying the Section 702 program for another year. However, the court reportedly took issue with the program’s f filtering systems, saying that when such a system is used to look for information on Americans it must be counted as a query, subjecting it to additional restrictions. The Trump administration plans to appeal the ruling.

Other critiques of the 2024 law include that many of its biggest changes weren’t changes at all, but instead codifications of changes that then-FBI Director Christopher Wray had implemented. Abuses continued after those changes, Goitein said.

Gerstell said enshrining those changes into law wasn’t a bad thing. “The statute expressly codified some but not all of Wray reforms — and some went beyond that in many ways,” he said. Those changes included requiring FBI deputy director approval of U.S. person queries that target elected officials, government appointees, political candidates or organizations, or media. Those were some of the more criticized prior targeting abuses.

The fight still ahead

Republicans remain divided over extending the law. Some who had reservations about a clean reauthorization have come on board, such as Senate Judiciary Chairman Chuck Grassley, R-Iowa, who had taken issue with limitations on congressional attendance of FISC proceedings but since has had that concern resolved.

Others may have been swayed by direct lobbying from the Trump administration, including a social media post from Trump himself this week, where he wrote, “I am willing to risk the giving up of my Rights and Privileges as a Citizen for our Great Military and Country!” Still others have had their position against a clean extension hardened by the FISC court opinion and additional concerns.

Other issues have become enmeshed in the reauthorization debate, such as calls to block government agencies from purchasing information from data brokers. But “this has nothing to do with this authority,” said George Barnes, former deputy director of the NSA. 

But lawmakers of both parties have complained for months that the administration was silent for too long as the law’s expiration loomed.

Only recently did the Trump administration share new examples of the law’s successes, including that it had thwarted a 2024 terrorist attack on a Taylor Swift concert. Barnes said releasing such examples might offer a public case for the law, but has its downsides, too.

“I was always understanding but frustrated by the need to release examples just because they choreographed to the adversary what we could do,” said Barnes, now Red Cell’s cyber practice president. 

Reauthorizing Section 702 is urgent, though, for cybersecurity purposes, he said.

“A lot of the impact that I saw the authority having over my time was in cybersecurity as well,” he said. “And so when you have foreign entities that are targeting the U.S., or U.S. interests overseas, that authority can be positioned to help eliminate those activities.”

The post The surveillance law Congress can’t quit — and can’t explain appeared first on CyberScoop.

National Cyber Director Sean Cairncross expects more executive orders coming from the White House as part of implementing the national cybersecurity strategy, he said Wednesday.

Staffers on Capitol Hill and others in the cyber world have been awaiting the implementation guidance the Trump administration had proclaimed would come to accompany the strategy  published last month.

Asked at a Semafor event about whether that would include executive orders, Cairncross answered, “I think that that’s the case.”

The administration released an executive order on fraud the same day it released its cyber strategy on March 6. Some of that order touched on cybercrime.

“This is rolling forward actively, and you should expect that there will be more execution and action in line with our strategic goals,” he said.

Cairncross cited another administration activity that fit into the strategy, such as the first conviction last week under the Take It Down Act, a law First Lady Melania Trump advocated for that seeks to combat non-consensual AI-generated sexually explicit images, violent threats and cyberstalking.

He declined to preview any future implementation plans, and said he expected they would be coming “relatively soon.”

A centerpiece of the administration strategy is confronting adversaries to make sure they suffer consequences for their hacking of United States targets.

Cairncross wouldn’t say explicitly if Trump, in his visit to Beijing next month, would address Chinese hacking.

“When we start to see things like prepositioning on critical infrastructure, that is something that needs to be addressed,” he said. Pressed on whether that meant cyber would be on the agenda during the visit, Caincross said, “I would expect that the safety and security of the American people will be first and foremost, as it always is for the president.”

Cairncross touted American ingenuity for producing an artificial intelligence model like Anthropic’s Claude Mythos, rather than it developing under U.S. cyber rivals like China or Russia. He acknowledged reports about the administration holding meetings about the cyber risks and benefits of something like Mythos — “the model right now that everyone’s talking about” — adding that the administration is looking to balance the dangers and positive capabilities of AI in cyberspace.

“I would say from the White House perspective, we are working very closely with industry,” Cairncross said. “We’ve been in close collaboration with the model companies across the interagency to make sure that we are evaluating and doing this.”

The post Executive orders likely ahead in next steps for national cyber strategy appeared first on CyberScoop.

The recent FBI-led operation to knock Russian government hackers off routers sought to topple an especially insidious and threateningly contagious cyberespionage campaign, top bureau cyber official Brett Leatherman told CyberScoop.

Researchers, along with U.S. and foreign government agencies, revealed details of the campaign this week by which APT28 — also known as Forest Blizzard or Fancy Bear, and attributed to Russia’s Main Intelligence Directorate of the General Staff (GRU) — compromised more 18,000 TP-Link routers and infiltrated more than 200 organizations worldwide. 

The compromise of routers used in small and home offices prompted the takedown operation, Operation Masquerade, which involved sending commands to the routers to reset Domain Name System (DNS) settings to prevent the hackers from exploiting that access.

“What’s unique to me in this one is that when you change the internet settings in a router like they did, it propagates to all the devices in your house,” Leatherman, assistant director of the FBI’s cyber division, said. “All those devices now, once they’re connected to that Wi-Fi, are getting the malicious IP addresses that they are then routing their traffic through, and it gives the Russian GRU tremendous access to the content offered through a router itself.”

“The difficulty in an attack like this is that it’s virtually invisible to the end users,” he said. “Actors were not deploying malware like we often see. And so when you think about endpoint detection on your computer or something like that, it’s not seeing that activity because they don’t have to. They’re using the tools on the router itself to capture your internet traffic and extend it  throughout the house, and so traditional tools that detect that activity [are] just not there.”

The disruption operation is in line with the cyber strategy the Trump administration published last month, with its emphasis on going on offense against malicious hackers and protecting critical infrastructure, Leatherman said.

The FBI understands its role in implementing that strategy, he said, and worked with the Office of the National Cyber Director and other agencies in developing it. The White House has kept the public and Capitol Hill in the dark about strategy implementation, however.

“We’ve got a long track record of leveraging unique authorities and capabilities to counter these actors, to impose costs, and through the 56 field offices to really defend critical infrastructure,” Leatherman said. “That’s part of our DNA, really. And so we want to make sure that we continue to align that in the most scalable and agile way we can, to align with the priorities of the strategy itself.”

Leatherman traced how Operation Masquerade — the success of which he credited to the FBI’s Boston offices and partnerships with the private sector and foreign governments — fits into a series of disruptions aimed at Russian government hackers dating back to 2018.

That’s when the bureau took on the VPNFilter botnet by seizing a domain used to communicate with infected routers. In 2022, the FBI took on the Cyclops Blink botnet, and in 2024, Operation Dying Ember went after another botnet.

“”Over the course of those four operations, while the adversary continued to evolve in their tradecraft, so did we,” Leatherman said. “We moved from just sinkholing domains to actually taking steps that block them at the door of these routers, pulled any capability off of those routers so they were no longer able to collect the sensitive information, and then prohibited them from getting back in.”

The post Inside the FBI’s router takedown that cut off APT28’s ‘tremendous access’ appeared first on CyberScoop.

An apparent hack-for-hire campaign from a group with suspected Indian government connections targeted Middle Eastern and North African journalists and activists using spyware, three collaborating organizations said in reports published Wednesday.

The attacks shared infrastructure that pointed to the advanced persistent threat group known as Bitter, which most frequently targets government, military, diplomatic and critical infrastructure sectors across South Asia, according to conclusions from researchers at Access Now, Lookout and SMEX.

Each group took on a different piece of the puzzle:

• Access Now got calls on its helpline that led it to examine a spearphishing campaign in 2023 and 2024. It contacted Lookout for technical support about the malware it encountered.
• Lookout attributed the malware to Bitter, concluding it was a likely hack-for-hire campaign, using the Android ProSpy spyware.
• SMEX dived into a spearphishing campaign targeting a prominent Lebanese journalist last year, collaborating with Access Now to discover shared infrastructure between the campaigns.

One of the victims, independent Egyptian journalist Mostafa Al-A’sar, said he contacted Access Now after receiving a suspicious link from someone he’d been talking to about a job position. He was skeptical because his phone had been targeted before, when he was arrested in Egypt in 2018.

The lesson for journalists and civil society groups is that cybersecurity “is not a luxury,” he said.

“I feel like I’m threatened,” Al-A’sar said, and even though he was living in exile, he feels like “they are still following me. I also felt worried about my family, about my friends, about my sources.”

The combined research found a wider campaign than just the original victims.

“Our joint findings expose an espionage campaign that has been operational since at least 2022 until present day primarily targeting civil society members and potentially government officials in the Middle East,” Lookout wrote. “The operation features a combination of targeted spearphishing delivered through fake social media accounts and messaging applications leveraging persistent social engineering efforts, which may result in the delivery of Android spyware depending on the target’s device.”

The Committee to Protect Journalists condemned the campaign.

“Spying on journalists is often the first step in a broader pattern of intimidation, threats, and attacks,” said the group’s regional director, Sara Qudah. “These actions endanger not only journalists’ personal safety, but also their sources and their ability to do their work. Authorities in the region must stop weaponizing technology and financial resources to surveil journalists.”

Access Now said it didn’t have enough information to attribute who was behind the attacks it identified.

ESET first published research on the ProSpy malware last year, after finding it targeting residents of the United Arab Emirates.

The post Hack-for-hire spyware campaign targets journalists in Middle East, North Africa appeared first on CyberScoop.

Iranian government hackers are launching disruptive cyberattacks on American energy and water infrastructure, U.S. government agencies “urgently” warned Tuesday.

The hackers are taking aim at devices and systems that control industrial processes, and have harmed victims in the last month following the onset of U.S.-Israel strikes against Iran, according to the joint alert from the FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency, Environmental Protection Agency, Energy Department and Cyber Command.

“Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley,” the alert states. “This activity has led to PLC disruptions across several U.S. critical infrastructure sectors through malicious interactions with the project file and manipulation of data on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays.”

U.S. government agencies have warned before about Iranian hackers going after similar targets with those similar methods. The first such warning came after an Iranian government-linked group took credit for attacking a Pennsylvania water facility in late 2023.

Since March of this year, however, the agencies said they have seen new victims emerge from an advanced persistent threat group tied to Iran.

“The authoring agencies identified (through engagements with victim organizations) an Iranian-affiliated APT-group that disrupted the function of PLCs,” the alert reads. “These PLCs were deployed across multiple U.S. critical infrastructure sectors (including Government Services and Facilities, WWS, and Energy sectors) within a wide variety of industrial automation processes. Some of the victims experienced operational disruption and financial loss.”

The earlier campaign compromised at least 75 devices, the alert states.

The latest disruptions include “maliciously interacting with project files, and manipulating data displayed on HMI and SCADA displays,” according to the agencies’ warning.

After the U.S.-Israel conflict with Iran began, Tehran-connected hackers claimed victims including major medtech company Stryker, local governments and more.

The FBI warned last month that Iranian hackers were deploying malware over the Telegram app, although that campaign also predated the current Iran conflict.

The post Iranian hackers launching disruptive attacks at U.S. energy, water targets, feds warn appeared first on CyberScoop.

A federal judge has sentenced the maker of stalkerware pcTattleTale, which went out of business after a data breach, to supervised release and a $5,000 fine.

Bryan Fleming pleaded guilty in January to a charge of intentionally manufacturing, possessing or selling a device with the knowledge that it would be primarily used for surreptitious interception of communications. On Friday, a judge handed down Fleming’s sentence.

It was the first stalkerware conviction since 2014, when the maker of StealthGenie, pled guilty and also didn’t serve prison time, instead receiving a $500,000 fine from the court.

According to Fleming’s plea agreement, his incriminating activity began as early as 2017, as the owner of Fleming Technologies LLC.

“Defendant’s software enabled buyers to covertly and remotely monitor a victim’s cellular telephone and computer activities, including, texts, emails, phone calls, geo-location, and web browsing,” the agreement states. “Defendant began directly advertising his spying software to persons wanting to spy on spouses or partners without their knowledge.”

It continued: “Defendant’s spying software covertly created a video every time a victim’s device was used, which captured any and all activity occurring on the device. The person monitoring the device could log into a remote dashboard and monitor the activity on the victim’s device.”

An undercover agent from Homeland Security Investigations, a division of U.S. Immigration and Customs Enforcement, posed as a marketing affiliate and customer to communicate with Fleming, according to a 2022 indictment.

pcTattletale went out of business in 2024 after suffering a data breach. Researchers have found that stalkerware apps often fail to protect personal information collected during their use.

An attorney for Fleming didn’t immediately respond to a request for comment Monday morning.

The post pcTattleTale stalkerware maker sentence includes fine, supervised release appeared first on CyberScoop.