Nextgov/FCW - Cybersecurity

CISA resources ‘more limited than I would like’ amid shutdown, top official says

David DiMolfetta — Fri, 17 Apr 2026 13:09:00 -0400

The Cybersecurity and Infrastructure Security Agency’s top official said resources to detect and counter hacking threats are “more limited than I would like” as the cyberdefense office grapples with funding issues facing the Department of Homeland Security.

CISA acting Director Nick Andersen told House appropriators on Thursday that many “preparatory activities within the environment, a lot of the outreach that we’d typically be able to do” are not allowed during an ongoing shutdown in the department.

DHS employees were called back to the office this week, after President Donald Trump ordered the department to use funds from the One Big Beautiful Bill Act to pay civilian employees and their furloughed colleagues who hadn’t received pay throughout the shutdown.

But due to its current cash issues, CISA is unable to cover costs beyond employee salaries, according to an email Andersen sent to staff on Monday that was obtained by Nextgov/FCW. The email specified that any non-salary expenditures now require an exception under the Antideficiency Act, which governs how agencies use their congressionally appropriated funds.

DHS has now been unfunded for about two months, amid a partisan stalemate over immigration enforcement reforms.

The cyberdefense agency also canceled plans to onboard summer interns participating in a government scholarship program for cyber talent due to the funding lapse, Nextgov/FCW reported Tuesday.

Even beyond current financial limitations, the fiscal year 2027 budget request for CISA proposes to make significant reductions to election security, workforce development, stakeholder engagement and a range of infrastructure protection resources.

The budget plans reflect long-standing skepticism from the Trump administration and its allies toward the agency, particularly over its role in 2020 election security efforts and concurrent work to counter false information online. Critics have argued CISA strayed beyond its “core” mission of infrastructure protection and federal cyber defense.

Cyber practitioners and former officials have frequently said that even the cuts put in place in the last year go too far.

Those reductions, compounded by the current shutdown, come as the U.S. continues to face cyber threats from Iran, despite recent efforts by the Trump administration to broker a deal with Tehran and Israel.

Earlier this month, CISA and other agencies said Iran-aligned hackers exploited and disrupted operational technology control systems embedded in multiple U.S. critical infrastructure sectors.

Iran has been “opportunistically focused” in its hacking efforts and has targeted unsecured devices connected to the internet, added Andersen.

]]>

Expect more cybersecurity executive orders soon, national cyber director says

David DiMolfetta — Wed, 15 Apr 2026 12:34:00 -0400

President Donald Trump is expected to sign more cybersecurity-focused executive orders in the near future, following the release of his administration’s national cyber strategy, National Cyber Director Sean Cairncross said Wednesday.

At the Semafor World Economy forum in Washington, D.C., Cairncross said, “I think that that's the case, yeah,” when asked about the likelihood of more cyber executive actions from the president.

“There’s more coming and we expect that it will be relatively soon,” he added, without elaborating.

The second Trump administration’s national cyber strategy was unveiled early last month, alongside an executive order focused on “combating cybercrime, fraud, and predatory schemes.”

Executive orders and possible revisions to long-standing cybersecurity laws were expected to follow the strategy’s release, Nextgov/FCW previously reported.

The strategy’s pillars include goals to reshape adversary behavior; promote common sense regulation; modernize and secure federal government networks; secure critical infrastructure; sustain superiority in critical and emerging technologies; and build cyber talent and capacity.

Asked about the recent announcement of Anthropic’s Project Glasswing initiative and its concurrent Mythos Preview model, Cairncross said that Mythos is “the model right now that everyone’s talking about” but that AI capabilities, generally, are getting more sophisticated.

Advanced AI threats have caught the attention of senior administration officials, including Cairncross. The intelligence community has already been eyeing the Mythos Preview capabilities.

Earlier this year, Anthropic declined to ease restrictions against its tools being used for domestic surveillance or fully autonomous weapons for Pentagon use, triggering a “supply chain risk” designation from the Defense Department and a White House order that all federal agencies phase out their uses of Anthropic tools. The company has legally challenged the move.

Cairncross didn’t directly answer questions about whether Mythos Preview should be widely distributed. Anthropic says it held back the full, public release of its Claude Mythos Preview model because it was deemed too dangerous due to its advanced, autonomous hacking capabilities.

Project Glasswing grants certain companies selective access to Mythos for further safety and capability testing.

Asked about U.S. agencies — including the Treasury Department and Commerce Department — seeking access to the Mythos model, he said, “we’re working closely with the large-language model companies, we’re working closely with the tech sector [and] we’re working closely with industry to make sure that we do this in a responsible fashion.”

“This is not a special model,” Anthropic co-founder Jack Clark said Monday, referring to Mythos Preview. “There will be other systems just like this in a few months from other companies, and then a year to a year and a half later, there’ll be open-weight models from China that have these capabilities. So the world is going to have to get ready for more powerful systems that are going to exist within it.”

Nextgov/FCW Staff Reporter Alexandra Kelley contributed to this report.

]]>

FCC selects ioXt Alliance to lead cyber labeling program

David DiMolfetta — Mon, 13 Apr 2026 12:25:00 -0400

The Federal Communications Commission announced Monday that California-based ioXt Alliance will be the lead administrator for its cybersecurity labeling program after the prior administrator pulled out of the initiative amid an investigation into its China ties.

The program, called the Cyber Trust Mark, was launched during the Biden administration and is designed to certify consumer smart devices with a label that deems them cybersecure.

The ioXt Alliance is a standards and certifications body for internet-of-things devices like remote thermostats, fitness trackers and connected cars.

“ioXt is an independent, U.S.-based non-profit organization, whose focus is on improving the security, privacy, and transparency of IoT products,” the FCC said in a statement announcing the decision.

UL Solutions, the prior Cyber Trust Mark lead, withdrew in December after FCC Chairman Brendan Carr launched a national security review earlier that year into its alleged ties to China, including the presence of technology testing locations in China’s borders.

“We are honored to be selected as a Cyber Labeling Authority for this transformative program,” Gary Jabara, CEO and Founder of ioXt Alliance said. “This recognition aligns with our mission to drive IoT security forward, and we are committed to collaborating with the FCC, UL Solutions, and industry stakeholders to make this program a success.”

]]>

US push to counter hackers draws industry deeper into offensive cyber debate

David DiMolfetta — Fri, 10 Apr 2026 12:22:00 -0400

The U.S. government has an offensive cyber wish list, and the private sector is already bidding. Many federal contractors back the effort, though they still have deeper questions about semantics and where offense ends and defense begins.

Terms like “disruption,” “cyber effects” and “defensive operations” were flung around in discussions at the RSAC Conference in San Francisco last month, one of the largest cybersecurity gatherings in the world. In discussions during and after the conference, Nextgov/FCW sought to learn how industry players perceive the vision under President Donald Trump to punch back harder against cyber adversaries, and how those industry leaders might contribute to the cause.

For the past year, industry executives and U.S. officials in closed-door meetings have weighed the concept of enlisting private sector cyber titans to hack for the government, inspired by the centuries-old practice of letters of marque and reprisal that made waves in the old days of naval warfare. But last month, National Cyber Director Sean Cairncross appeared to pour cold water on the concept.

He told audience members at an event that there’s “an enormous amount of capability on the private sector side,” but that he’s “not talking about private sector, industry or companies engaged in a cyber offensive campaign.”

Cairncross said he wants to use the “ability of our private sector … to inform and share information so that the [U.S. government] can respond” either defensively or in a more agile way to enemy hackers. His remarks came after the release of Trump’s national cyber strategy, whose first pillar focuses on ways to create obstacles for foreign state cyber operatives and criminal hackers.

But nearly a dozen interviews with industry stakeholders and former officials indicate that it remains an open question where companies draw the line on cyber offense and where the government does. The boundaries around offensive cyber are often blurred, and the private sector is still trying to learn its place. That uncertainty leaves more questions than answers about how offensive cyber operations should be structured, regulated and integrated into a broader U.S. national security strategy.

New market force

There’s consensus among security leaders that the private sector doesn’t want to be deployed for offensive hacking, said Adam Marrè, chief information security officer at Arctic Wolf. The talk of “hacking back” comes up every five to ten years, he said, but those talks break down every time for a number of reasons, mainly because of legal and ethical concerns.

Still, there’s no indication that the global cybersecurity environment is calming. Foreign adversaries would “absolutely” want access to powerful exploits that can steal information or wreak havoc on systems, Marrè said.

“[Adversaries] are mainly worried about what’s effective. So if it works, and if it ain’t broke, don’t fix it,” he said. “But if I can find a more exotic exploit that is going to allow me to have more access or access without being detected, or be able to get to somewhere I haven’t been able to get before, 100% they’re going to be looking for that."

Governments across the world are hankering for the latest and greatest hacking tools, said Elad Schulman, CEO of Lasso Security.

“If we are not developing capabilities, our enemies are developing those capabilities,” he said. “That is why we need to assume that, at any point in time, someone will find and use exploits against us.”

For years, companies have helped develop special technologies for the U.S. government’s secret cyber missions. But the new White House cyber strategy’s offensive focus sets a tone for companies and their investors, said Rob Joyce, the NSA’s former cybersecurity director.

“There’s been companies that are defense industrial base firms that know how to sell to the government, and there’s been some very boutique cyber companies that sell into the military cyber and intel community,” he said. “But this has the whole community and people out here in Silicon Valley who are not government-adjacent talking about ideas that they can help with in offensive cyber. I think it changes that ecosystem a little bit.”

Joyce is now a venture partner at DataTribe, which invests in early-stage cybersecurity companies often led by people who worked in the intelligence community. He said the government is in the market for an array of cyber capabilities, including vulnerability scanning, exploit development, tooling to analyze cyber threat data and digital infrastructure to obscure the origin of covert cyber operations.

This week, the cybersecurity world was sent into shock when Anthropic revealed it was holding back a powerful frontier AI model that could find previously undiscovered vulnerabilities at mass scale. The intelligence community is already eyeing its capabilities, Nextgov/FCW reported.

Still operating defensively

Many practitioners are advising the cyber ecosystem to invest in defensive measures, regardless of the White House’s more offensive posture.

“Being a defender, an ounce of prevention is worth a pound of cure,” said Ryan Anschutz, the incident response lead at IBM’s X-Force threat intelligence arm and a former FBI official. “A defensive prevention perspective, I think, would have more of an impact … than offensive capabilities, which, quite frankly, some arms of the federal government — their offensive capabilities far surpass the private sector.”

Even among companies that simulate adversary cyberattacks to improve network defenses, known formally as red-teaming, the definition of “offensive hacking” can get fuzzy.

“Would you classify offensive hacking as going out and fingerprinting the threat that was attacking you to gain the threat intelligence?” Anschutz said. “Is that offensive? Where does that change? Where’s the line drawn between what is offensive and what’s not offensive?”

The answer depends on who you ask.

Hacking back, in the sense of breaking into adversaries’ computer systems for data and geopolitical intelligence, takes a level of access that only belongs in the government space, said another industry executive that works closely with the intelligence community on cyber matters.

Google’s threat intelligence arm recently came out swinging with discussions of its new disruption unit, though executives soon quashed the notion that the unit is “offensive” in any way, arguing that removing infrastructure that hackers sit on is a defensive move that impedes their forward operations onto U.S. and allied systems.

Some companies are building out advanced defensive cyber solutions at as rapid a pace as the offensive market, a sign that a more capable offense is driving equally urgent demand for stronger digital shielding.

“We had just seen too many examples over and over again of how burned out these poor kids in these security operations centers are, how just overwhelmed at the enormity of all the alerts, all the boxes always flashing red,” said Bill MacMillan, a former CIA official and now the chief product officer at security operations center solutions provider Andesite.

“We have to transform. We have to adopt this technology because this is the threat environment and the resource environment that we’re operating in,” he said.

Considering new frameworks

The offensive philosophy in Washington, D.C., has made some cyber experts weigh the pros and cons of the current legal environment that facilitates hacking activities.

The NSA, Cyber Command and others are permitted to take more aggressive cyber actions to stop foreign adversaries and criminal hacker gangs. This week, the FBI said it covertly sent shutdown commands to kick Russian state-backed hackers out of thousands of routers housed in organizations around the world.

The move, like many FBI takedowns of digital infrastructure, required court authorization. More broadly, some of the most sensitive intelligence operations do not rely on a standard U.S. court warrant at all.

Even so, private companies lack those authorities. They may build the capabilities used in cyber operations, but — like a defense contractor manufacturing a missile — the decision to deploy them and the consequences that follow rest with the government, not the company.

But what happens if a firm is hacked and wants to take action? There’s room to discuss “stand-your-ground” laws that could permit companies to respond to intrusions, at least to a certain degree, said Philip George, executive technical strategist at Merlin Cyber.

“Obviously, there are some authority issues and some rules of engagement concerns, and we don’t necessarily want everyone returning fire or preemptively thwarting an attack,” he said. But if attacked in cyberspace, “what’s the extent that I can return fire, to at least take down infrastructure that may be targeting me?”

Asked if such a legal authority constitutes a counter-attack, he clarified it as a “counter-action” or “counter-response” because the former term carries “a lot of weight.”

Some serious conversations will need to be had about the future of legal measures under this offensive posture, said John Fokker, head of threat intelligence at Trellix and a former official in the Dutch National Police’s High-Tech Crime Unit.

“If authorities are operating in the grey area with certain private sector entities, I’d much rather define and start talking about that grey area,” he said.

Information-sharing between the public and private sectors — a cornerstone of modern efforts to stop cyberattacks — should also continue, he said, though he argued the process should be streamlined given the number of existing groups.

But one executive said they expect the U.S. government will ultimately find ways to involve private contractors in offensive cyber operations, even as the administration publicly draws limits.

“I believe that the government will contract for cyber operations under carefully crafted contracts,” said Kevin Spease, president at ISSE Services. “It simply depends on how you define it.”

He pointed to past U.S. conflicts where private firms supported offensive missions, arguing cyber operations could follow a similar path.

The rationale, Spease added, comes down to capability. The government, in both civilian and defense agencies, already predominantly relies on technology made by the private sector for day-to-day operations.

“The private companies have far better expertise,” he said. “Sometimes it’s easier to have a contractor do it.”

]]>

Treasury debuts effort to share cyber threat intel with crypto firms

David DiMolfetta — Thu, 09 Apr 2026 16:25:00 -0400

The Treasury Department said Thursday it will begin sharing cyber threat intelligence with cryptocurrency firms following a string of incidents in which hackers siphoned off millions of dollars in customer funds.

The department’s Office of Cybersecurity and Critical Infrastructure Protection announced the effort to “provide timely, actionable cybersecurity information to eligible U.S. digital asset firms and industry organizations, helping them better identify, prevent, and respond to cyber threats targeting their customers and networks.”

Under the program, qualifying U.S. digital asset firms and industry groups that meet agency criteria will be able to access the same threat intelligence the department already distributes to traditional financial institutions at no cost.

The move signals Treasury is increasingly treating cryptocurrency firms as part of the nation’s core financial infrastructure, folding them into existing cyber threat-sharing channels as officials grow more concerned about the scale and sophistication of attacks targeting the sector.

“Cyber threats targeting digital asset platforms are growing in frequency and sophistication,” said Cory Wilson, deputy assistant secretary for cybersecurity at the Treasury Department. “This initiative expands access to actionable threat information that helps firms strengthen defenses, reduce risk, and respond more effectively to incidents.”

Cryptocurrency is becoming increasingly central to U.S. entities seeking to go after hackers, as such bad actors often seek to steal cryptocurrency or use it as a payment method to exchange stolen data.

North Korea has built a reputation for installing shadow workers in firms around the world to steal cryptocurrency and other financial assets to fund their regime, especially its missile program. Earlier this month, DPRK-aligned hackers stole some $285 million from Drift Protocol, a Solana-based decentralized derivatives exchange, in a breach that wiped out more than half of the platform’s total value in the system.

]]>

Anthropic’s Glasswing initiative raises questions for US cyber operations

Patrick Tucker, Alexandra Kelley, and David DiMolfetta — Wed, 08 Apr 2026 17:08:00 -0400

Anthropic’s decision to hold back a powerful frontier AI model over cybersecurity risks, paired with a new initiative to study its effects on global networks, is prompting discussions about how such tools could reshape hacking operations within the U.S. intelligence community, and how they might be used to identify and exploit weaknesses in adversary systems.

The company unveiled Project Glasswing on Tuesday, seeking to help secure critical software against AI-driven attacks, with partners including Amazon Web Services, Apple, Cisco, Google, Microsoft and others. Those participants will gain access to Claude Mythos Preview, an unreleased model the company says has already uncovered thousands of vulnerabilities as Anthropic looks to steer its tools toward defensive cybersecurity use.

“The fallout — for economies, public safety, and national security — could be severe. Project Glasswing is an urgent attempt to put these capabilities to work for defensive purposes,” the AI company said in a Tuesday blog. The Mythos Preview model “has already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser,” it says.

The intelligence community is reacting to the news, according to a person familiar with the thinking of multiple IC agencies.

“They want secure code and to use AI to find network vulnerabilities as well,” said the person, who, like some others in this story, spoke on the condition of anonymity to describe sensitive internal deliberations.

Prior to any external release, Anthropic briefed senior officials across the U.S. government on Mythos Preview’s full capabilities, including both offensive and defensive cyber applications, said an Anthropic official. That engagement has included discussions with the Cybersecurity and Infrastructure Security Agency and NIST’s Center for AI Standards and Innovation, among others.

“Bringing government into the loop early — on what the model can do, where the risks are, and how we’re managing them — was a priority from the start,” the company official said.

Analysts inside the National Security Agency have also been casually chatting about the release of the Mythos model, another person familiar with the matter told Nextgov/FCW.

Multiple intelligence agencies and Defense Department components play roles in both offensive cyber operations and defending U.S. networks. Because offensive missions often depend on understanding a target’s defenses, tools like the Mythos model in the wrong hands could help adversaries identify and exploit weaknesses in critical systems. Agencies are already known to stockpile hacking exploits for future use.

The development is also drawing major attention and concern, in some cases, from cyber-focused firms that engage with the intelligence community.

“How is anyone supposed to defend against all of this at once?” said one executive at a cyber investment firm, alarmed by the scale at which the Anthropic model was able to identify vulnerabilities.

The Glasswing news is “scary and ominous” because it isn’t clear how Mythos Preview could be used offensively, especially if it falls into the hands of a foreign adversary, said Hayden Smith, a co-founder at Hunted Labs, a company focused on software supply chain risks.

It’s very possible the model could land in the possession of governments considered hostile to the U.S., he said, explaining that “even with deep vetting, the odds of Mythos flowing into the wrong hands is barely a hypothetical given the landscape of current attacks on the open source ecosystem and software supply chain.”

Because much of the internet runs on widely used open-source software maintained by developers around the world, tools like Mythos could uncover weaknesses in code that underpin large parts of the digital ecosystem.

That dynamic has come into sharper focus following recent software supply chain incidents that had widespread repercussions — including a compromise of the Axios JavaScript library disclosed last week — and amid concerns that some developers behind critical open-source projects are affiliated with companies the U.S. government considers tied to foreign adversaries.

Capitol Hill is also paying attention to the Anthropic development.

“We are already seeing cyber threat actors using AI tools to improve their capabilities, putting government, businesses and consumers’ security and personal information at risk,” said Sen. Mark Warner, D-Va., the vice chairman of the Senate Intelligence Committee. “As AI dramatically accelerates the discovery of new vulnerabilities, I hope industry will correspondingly accelerate and reprioritize patching.”

Observers have been awaiting the release of a model like Mythos Preview that could identify and exploit cyber vulnerabilities at scale for some time, said Morgan Adamski, the former executive director at U.S. Cyber Command and lead for PwC’s Cyber, Data & Technology Risk services.

“For those in the offensive cyber community, for the U.S. government, there’s obviously a huge potential there from an adversarial perspective,” she said in an interview.

But offense and defense are, in many ways, one and the same. If cyberintelligence analysts find a novel vulnerability in an enemy computer network, it’s possible a U.S. system might have the same vulnerability, too.

“There’s going to be a real equity conversation that occurs,” Adamski said. “If we exploit something in an adversarial network, we’re going to have to be able to defend against it in our own critical infrastructure.”

She also said to expect more of these innovations in the AI space, as “typically, when these types of models come out, other models aren’t far behind.”

In an interview, Gary DePreta, the senior vice president of Cisco’s U.S. Public Sector Organization, told Nextgov/FCW that the company’s participation in Project Glasswing is part of its larger aim to address cybersecurity threats while bringing the benefits of AI to its customer base.

“We’re going from an age of detect-and-respond — and as we automate with AI — to predict-and-prevent threats,” DePreta said on Wednesday. “We keep saying this phrase at Cisco: ‘there is a paradox of progress as it relates to AI and the enterprise.’ And what it simply means is the capabilities of AI are far exceeding the enterprise’s ability to implement it in a safe and secure way.”

Anthropic has become a major voice in the line AI companies are willing to draw in ethical uses of their technology, though that stance has drawn friction with the U.S. military. Earlier this year, the company declined to ease restrictions against its tools being used for domestic surveillance or fully autonomous weapons for Pentagon use, triggering a “supply chain risk” designation from the Defense Department and a White House order that all federal agencies phase out their uses of Anthropic tools. The company has legally challenged the move.

It’s possible that the Mythos announcement may reshape how the Defense Department interacts with the company.

The government “needs to make amends with Anthropic and help them and Glasswing members maintain the American lead on AI by preventing Chinese model theft,” said Leah Siskind, an AI research fellow at the Foundation for Defense of Democracies think tank.

“Anthropic is making the responsible call — but adversaries won’t,” she said. “China is already exploiting U.S. AI models to accelerate its own capabilities, and when they reach Mythos-level performance, they will weaponize it.”

]]>

Pro-Iran hackers are targeting US industrial control systems, advisory says

David DiMolfetta — Tue, 07 Apr 2026 15:21:00 -0400

Iran-aligned hackers have exploited and disrupted operational technology control systems embedded in multiple U.S. critical infrastructure sectors, targeting equipment manufactured by Rockwell Automation, according to an advisory issued Tuesday.

The hackers have set their sights on the company’s Allen-Bradley line of programmable logic controllers, or PLCs, which are digital computers that interface with operational equipment to monitor and automate industrial processes like water treatment, power generation and manufacturing.

The cyber intrusions have, in some cases, resulted in operational disruption and financial loss, according to the assessment signed by the Cybersecurity and Infrastructure Security Agency, FBI, NSA, EPA, the Department of Energy and U.S. Cyber Command’s Cyber National Mission Force.

The disruptions occurred by manipulating data on human-machine interfaces and on supervisory control and data acquisition, or SCADA, displays, as well as harmful interactions with project files, it adds.

The advisory is the latest signal indicating that Iran-aligned hacker groups have successfully targeted and impeded U.S. systems amid the ongoing U.S.-Israel war against Iran that broke out Feb. 28.

It comes after an apparent Tehran-backed hacker group carried out a cyberattack against medical technology giant Stryker last month, which wiped employees’ phones and prevented workers from accessing their computers.

“The authoring agencies assess a group of Iranian-affiliated advanced persistent threat (APT) actors is conducting this activity to cause disruptive effects within the United States.” the advisory reads. “The group has targeted devices spanning multiple U.S. critical infrastructure sectors, including Government Services and Facilities (to include local municipalities), Water and Wastewater Systems (WWS), and Energy Sectors.”

A request for comment sent to Rockwell Automation’s media relations email bounced back.

Pro-Iran hackers have made a habit of targeting any computer systems tied to nations deemed foreign adversaries by Tehran, especially the U.S. and Israel. In late 2023, amid the Israel-Hamas war, one hacker group defaced the interfaces of water treatment systems in Pennsylvania, which had Israel-made Unitronics equipment built inside.

In 2020, Rockwell Automation acquired Israel-based Avnet Data Security, aiming to bolster the cyber posture of its industrial control systems and operational technology.

The assessment urged organizations to keep PLCs off the open internet, review logs for suspicious activity and lock down affected Rockwell devices to prevent unauthorized access. Unsecured internet-connected operational technology can expose industrial systems to remote access, giving attackers a pathway to disrupt or manipulate functions.

The Iran war has been widely expected to test the strength of U.S. cyberdefenses, and experts have warned that exposed devices would be a potential target for pro-Iran hackers.

President Donald Trump escalated his threats against Tehran on Tuesday, saying a “whole civilization will die tonight” if Iran doesn’t open the Strait of Hormuz by an 8 p.m. ET deadline.

Trump has promised to attack “every bridge” and power station in the country if a deal isn’t reached. Iran has promised a “devastating” response if such an attack occurs. Any sharp escalation could heighten the risk of retaliatory cyberattacks.

]]>

Trump proposes cutting CISA election security program in FY27 budget

David DiMolfetta — Tue, 07 Apr 2026 10:25:00 -0400

The Trump administration is hoping to eliminate roughly $700 million in programs across the Cybersecurity and Infrastructure Security Agency in fiscal year 2027, a sweeping set of cuts that translate to a net reduction of about $360 million after accounting for internal transfers and other adjustments, according to a detailed budget justification.

The proposal targets election security, workforce development, stakeholder engagement and a range of infrastructure protection efforts, marking one of the most significant overhauls of the nation’s civilian cyber defense agency since its creation.

The budget would notably eliminate CISA’s election security program entirely, including cutting funding for information-sharing support to state and local officials and removing dedicated election security advisors across the country.

The proposal would also end CISA’s support for the Elections Infrastructure Information Sharing and Analysis Center, or EI-ISAC, a key hub for sharing threat intelligence, cyber alerts and incident response resources with state and local election officials.

The moves would scale back one of the federal government’s main avenues for coordinating with state and local election officials on election cybersecurity risks like ransomware attacks, phishing campaigns and efforts by foreign adversaries to probe election systems and conduct influence operations.

The 2027 proposal would significantly scale back CISA’s stakeholder engagement operations, eliminating offices focused on stakeholder coordination and international affairs while shifting more responsibility for certain infrastructure security and emergency communications programs to state and local governments.

Any move to eliminate these stakeholder engagement functions could have far-reaching effects, as those offices serve as a main conduit between CISA and state, local, private-sector and international partners that play a role in protecting critical infrastructure in the U.S. and around the world.

The budget also calls for significant workforce reductions, including through cuts to funded but unfilled positions.

Collectively, the changes would eliminate roughly 867 positions across CISA, according to the budget justification, as more than 1,100 positions tied to program cuts would be partially offset by transfers into the agency and targeted hiring.

Also notable is the proposed elimination of CISA’s chemical security program, which would cut more than 200 positions tied to inspections and oversight of high-risk facilities. At the same time, roughly $300 million and hundreds of personnel from the Department of Homeland Security’s Countering Weapons of Mass Destruction office would be transferred into CISA, shifting broader chemical, biological, radiological and nuclear threat functions into the agency.

Congress would have to approve the entire budget structure in upcoming appropriations talks. Prior efforts to reduce CISA’s funding met resistance on Capitol Hill last year, when the White House sought roughly $490 million in reductions but ultimately faced pushback from lawmakers that significantly narrowed the scope of the cuts.

“CISA has a vital role in fulfilling DHS’s core mission, one that I continue to strongly support,” Rep. Andrew Garbarino, R-N.Y., the chairman of the House Homeland Security Committee, told Nextgov/FCW after this story was published.

“Congress has a responsibility to ensure the agency has the resources it needs to succeed,” he said. “I look forward to discussing this in greater detail with Secretary Mullin and having him testify for the first time before the committee in our annual budget hearing in the coming months.”

The budget preserves funding for various technical cybersecurity functions, including investments in threat hunting and analysis tools.

The proposal also includes about $4.9 million to support cybersecurity and incident response planning for the 2028 Los Angeles Olympics, designated as a National Special Security Event under DHS standards. The funding would support exercises, drone threat assessments and coordination with federal, state and local partners ahead of the games, even as the budget scales back many of the agency’s broader coordination efforts.

Additional funding would also be diverted toward CISA’s implementation of the Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA. Amid the ongoing DHS funding lapse, the cyber agency has been delayed in developing a final rule for the law, which, in essence, mandates critical infrastructure entities report major cyber incidents to CISA within 72 hours and ransomware payments within 24 hours.

Also notable is a small increase in funding and staffing for CISA’s Office of the Chief Counsel, which the justification cites as a rising volume of litigation, including cases on employment-related matters, as the agency moves forward with workforce reductions and other staffing changes. The increase suggests the agency is preparing for a heavier legal workload as it implements the proposed cuts.

The budget plans reflect long-standing skepticism from the Trump administration and its allies toward CISA, particularly over the agency’s role in 2020 election security efforts and concurrent work to counter false information online. Critics have argued the agency strayed beyond its “core” mission of infrastructure protection and federal cyber defense.

Cyber practitioners and former officials have frequently said that even the cuts put in place in the last year go too far.

“You don’t cut the fire department and then wonder why buildings burn. CISA isn’t the bureaucratic overhead; for practitioners it’s the lifeline between government intelligence and the private sector running the infrastructure this country depends on,” said Seemant Sehgal, founder and CEO of BreachLock, which sells a variety of cyberdefense services.

“Cutting its budget by $707 million, on top of what’s already been cut, is a gift to every nation-state actor that's been quietly targeting U.S. critical infrastructure,” he added.

The tensions between the Trump administration and CISA date back to the 2020 election, when its then-director Chris Krebs publicly affirmed the security of the vote and was subsequently dismissed by Trump. In his second term, Trump has continued to target Krebs, including ordering a federal investigation last year into his government tenure.

Editor’s note: This story was updated to include a comment from Rep. Andrew Garbarino, R-N.Y.

]]>

Government official impersonation scam complaints doubled in 2025, FBI report shows

David DiMolfetta — Mon, 06 Apr 2026 16:41:00 -0400

The number of complaints filed with the FBI that described cyberscammers impersonating government officials nearly doubled between 2024 and 2025 and resulted in some $800 million in losses last year, FBI data released Monday shows.

Recorded government impersonation complaints rose from some 17,300 in 2024 to nearly 32,500 in 2025, the FBI’s 2025 Internet Crime Complaint Center report shows. The center, dubbed IC3, documented some $797 million in losses in 2025 from those efforts, up from around $405 million in the year prior.

That type of scam was listed among the top five cyber-enabled fraud crimes by both number of recorded occurrences and amount of money lost. Other major cyber crimes include romance, tech support and investment scams.

The spike comes amid a broader surge in impersonation-based fraud, fueled by artificial intelligence-driven voice and messaging tools that can allow scammers to convincingly pose as government officials at scale.

AI was referenced 260 times in complaints involving government impersonations, the report shows, with $7 million lost in cases with those AI references. AI involvement was documented the most in complaints involving investment scams.

Government impersonation can be especially effective because scammers often exploit the built-in authority people associate with official institutions, prompting victims to act quickly out of fear of penalties, legal trouble or loss of benefits.

“It has never been more important to be diligent with your cybersecurity, social media footprint, and electronic interactions. Cyber threats and cyber-enabled crime will continue to evolve as the world embraces emerging technologies such as artificial intelligence,” the IC3 report says.

The increase coincides with a period of upheaval across much of the government’s workforce, though IC3 did not detail any evidence linking the rise in complaints to mass federal layoffs.

Cyber threats, additionally, continue to become more prevalent. Data breaches and ransomware were among the most prominent cyber threat complaints documented in 2025. Over 60 new ransomware variants — modified versions of ransom malware crafted by hackers to evade detection — were discovered last year, the report says. Government facilities also remain a top target of cyber adversaries.

]]>

Suspected Chinese breach of FBI system exposed surveillance targets’ phone numbers

David DiMolfetta — Fri, 03 Apr 2026 12:17:00 -0400

A suspected China-linked breach of an FBI surveillance system likely revealed phone numbers of targets being monitored by the bureau, according to a person familiar with a recent notification of the breach sent to Congress and a second person familiar with the matter.

On February 17, the FBI began investigating abnormal activity in an unclassified system that stores pen register and tap-and-trace surveillance data, said the people, describing a Justice Department notice transmitted to Congress earlier this week. The agency has currently identified that phone numbers were exposed, the people said.

The DOJ assessed that, under standards codified in the Federal Information Security Modernization Act, the breach was a “major incident,” and remediation efforts are ongoing, the people added.

Pen register and trap-and-trace tools let the FBI collect metadata on who a target is communicating with, though they do not capture the content of those communications.

Access to this data could allow foreign hackers to determine who the U.S. is surveilling. Phone numbers don’t necessarily reveal the identities of individuals, but they can be used to map relationships and build networks of associates and intelligence targets.

“The FBI, part of their job is counterintelligence,” said John Fokker, head of threat intelligence at Trellix and a former official in the Dutch National Police’s High-Tech Crime Unit. “So if they’re conducting any investigations on U.S. soil against, maybe some Chinese spies … that could be interesting for a party like the Chinese or the Russians, it could be anyone, just to get an inside look. It can give them a heads up of who they need to cut ties with, or bring back, or if their asset is compromised.”

Politico first reported the details of the breach involving targets’ phone numbers and the “major incident” determination under FISMA. The Wall Street Journal reported a suspected Chinese nexus to the hack. Nextgov/FCW has not independently confirmed a definitive link to China.

“The FBI identified anomalous activity on an unclassified network and quickly leveraged all technical capabilities to remediate the incident,” an FBI spokesperson said. “It was determined the access was obtained through a third party and constitutes a major incident under the Federal Information Security Modernization Act (FISMA). The FBI is following the required steps under FISMA, including notifying Congress, and remains focused on countering nation-state and cybercriminal activity.”

“Reports that China-linked threat actors compromised sensitive FBI systems are disturbing — and are even more evidence that the Trump administration has taken its eye off the ball when it comes to defending government and critical infrastructure networks from our adversaries,” said Mississippi Rep. Bennie Thompson, the top Democrat on the House Homeland Security Committee. “From its bare bones cyber strategy to pushing cyber talent out of government, the president is ignoring pressing cyber threats and leaving our nation vulnerable. It’s time for him to focus on what’s important.”

The development is the most recent known example of a potential foreign adversary attempting to acquire data tied to phone records collected by U.S. law enforcement.

In 2024, investigators concluded the Chinese state-backed Salt Typhoon group breached global telecom networks, including systems that facilitate “lawful intercept” requests used by law enforcement to surveil targets via court orders. It allowed them to directly target the calls of major political figures, including President Donald Trump and Vice President JD Vance when they were campaigning for the White House.

Rep. Andrew Garbarino, R-N.Y., the chairman of the House Homeland Security Committee, said the panel was in touch with the Cybersecurity and Infrastructure Security Agency about the incident.

“The PRC’s continued targeting of U.S. government systems, including through trusted third-party infrastructure as seen in the Salt Typhoon campaign, underscores the growing sophistication and persistence of these actors. CISA’s mission to work in close partnership with interagency partners and the private sector to identify and mitigate vulnerabilities before they are exploited is essential,” Garbarino said. “The fact that this intrusion took place during the ongoing DHS shutdown highlights the dangerous consequences of playing politics with our national security. The committee is actively engaged with CISA as we assess the scope and implications of this intrusion.”

]]>

North Korea-linked hackers suspected in Axios open-source hijack, Google analysts say

David DiMolfetta — Tue, 31 Mar 2026 14:42:00 -0400

North Korea-aligned hackers are believed to have seized a widely-used, open-source JavaScript library, Google intelligence analysts said Tuesday, in a move that could put a significant number of software developers at risk of system compromise.

The hackers introduced compromised versions of Axios, a popular open-source JavaScript library, on Monday. Developers use the package, which is downloaded millions of times weekly, to enable internet connectivity for their software. The open-source library is not related to the national news organization also named Axios.

Security firm StepSecurity detected and halted the hack within a few hours of its deployment between late Monday and early Tuesday.

Google’s Threat Intelligence Group is investigating the attack and has attributed it to a suspected North Korean group they track as UNC1069, said John Hultquist, the group’s chief analyst.

“North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency. The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far reaching impacts,” Hultquist added.

Rather than tampering with Axios itself, the attackers slipped in rogue code that executed during installation, bringing in a cross-platform remote access trojan, according to StepSecurity. The malware immediately reached out to a command-and-control server, deployed additional payloads and then wiped its own tracks, making detection difficult.

“This is among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package,” the StepSecurity blog says, referring to packaged collections of JavaScript code.

A supply chain attack occurs when hackers compromise a third-party software or service provider to distribute malware to its users downstream. The attack on Axios could give hackers remote access to infected systems, allowing them to steal credentials, move through networks and potentially compromise connected software used by thousands of other users.

Both the FBI and the Cybersecurity and Infrastructure Security Agency declined comment when contacted by Nextgov/FCW. It’s not immediately clear if that campaign has directly impacted U.S. government systems, though the attack vector could raise concerns for federal agencies and contractors that rely on widely used open-source packages.

Chinese, Russian and North Korean-affiliated hackers have been covertly working to insert backdoor hijacks and exploits into major publicly available software used by countless organizations, developers and governments around the world, according to findings released last August from Strider Technologies.

Open-source projects — which underpin software systems used everywhere — rely on contributions from community members to keep them updated with patches. The updates are often discussed on forums with volunteer software maintainers, who chat with one another about proposed changes.

Historically, community practices have operated under the premise that all contributors are benevolent. But that notion was challenged in 2024 when a user dubbed “Jia Tan” tried to quietly plant a backdoor into XZ Utils, a file transfer tool used in several Linux builds that power software in leading global companies.

In December, the chairman of the Senate Intelligence Committee asked the White House national cyber director to take steps to address vulnerabilities in open-source software projects that help power many systems used in U.S. military and civilian agencies.

Last August, Nextgov/FCW first reported that a Russia-based Yandex employee was the sole maintainer of a widely used open-source tool embedded in at least 30 pre-built software packages in the Department of Defense.

]]>

DHS drops investigation into former acting CISA chief’s failed polygraph exam

David DiMolfetta — Mon, 30 Mar 2026 08:00:00 -0400

The Department of Homeland Security has dropped a probe into seven Cybersecurity and Infrastructure Security Agency staffers who were placed on leave after arranging a counterintelligence polygraph exam that the agency’s former acting director failed, according to two DHS officials familiar with the matter.

The investigation was closed about a week ago and the staffers were cleared, one of the officials said. Both spoke on the condition of anonymity because they weren’t authorized to communicate details of the non-public investigation.

The move is a major reprieve for CISA staff who arranged the counterintelligence polygraph for then-acting director Madhu Gottumukkala. Gottumukkala failed the polygraph in July 2025, which was needed for access to a highly sensitive intelligence program.

The staff involved were subsequently placed on leave. At least five career CISA staff members and one contractor involved in scheduling or approving the polygraph examinations were impacted, and received letters from DHS Acting Chief Security Officer Michael Boyajian informing them their security clearances were suspended.

The news of the investigation being dropped was first reported by Politico, which also first reported the initial story about the polygraph incident late last year.

“The investigation has concluded, and this matter has been handled internally,” a DHS spokesperson said.

Nextgov/FCW has also asked Gottumukkala for comment.

“We are pleased that the CISA personnel punished by previous DHS and CISA leadership for doing their jobs have been cleared of wrongdoing and invited back to work, as we demanded three months ago,” said a joint statement from Reps. Bennie Thompson, D-Miss., and Eric Swalwell, D-Calif., top lawmakers on the House Homeland Security Committee that has jurisdiction over CISA.

“We cannot, and will not, tolerate political leadership punishing career employees for faithfully executing their security mission,” they added. “We thank the career employees for their continued service and express our sincere regrets for the turmoil they experienced over the past several months.”

“Nonpartisan civil servants should never be targeted for political reasons,” Rep. James Walkinshaw, D-Va., said in an X post responding to news of the probe’s dismissal.

The polygraph incident was among a smattering of other matters reported in recent months by Politico about Gottumukkala’s tenure. Last month, Gottumukkala was moved into a strategic implementation role in DHS, and executive assistant director for cybersecurity Nick Andersen took his place leading CISA in an acting capacity.

Nextgov/FCW could not determine if all affected staffers would choose to return to CISA. It’s also possible that some of them resigned in full and would not go back to public service.

CISA remains without permanent leadership. Earlier this month, CISA director nominee Sean Plankey told Nextgov/FCW that he left a role in the Coast Guard to address concerns from a Republican senator with a hold on his nomination, but the status of that hold is unclear.

DHS, which houses CISA, got new leadership last week after Oklahoma Republican Senator Markwayne Mullin was confirmed to the post in a 54-45 vote.

]]>

Pro-Iran hackers claim breach of FBI director’s email

David DiMolfetta — Fri, 27 Mar 2026 11:51:00 -0400

A pro-Iran hacker group claimed to have accessed FBI Director Kash Patel’s personal email and posted purported contents from the inbox online.

Handala, which claimed responsibility in recent weeks for hacks against Stryker and Lockheed Martin in response to the Iran war, circulated images and documents online that they claimed to be from Patel’s email account. Many images include pictures of Patel in a personal capacity before becoming FBI director.

The leaks appear to be authentic, according to a person familiar with the matter who requested anonymity because they weren’t authorized to publicly discuss details of the breach.

The incident was first reported by Reuters.

“The FBI is aware of malicious actors targeting Director Patel’s personal email information, and we have taken all necessary steps to mitigate potential risks associated with this activity. The information in question is historical in nature and involves no government information,” the bureau said in a statement after this story published.

Handala said it carried out the intrusion after the FBI last week said it seized domains used by the group.

“Today, once again, the world witnessed the collapse of America’s so-called security legends,” the group wrote on its website. “While the FBI proudly seized our domains and immediately announced a $10 million reward for the heads of Handala Hack members, we decided to respond to this ridiculous show in a way that will be remembered forever.”

The breach is likely legitimate, according to a former U.S. official who said that administration officials’ personal email accounts are a frequent target of Iranian hackers.

It would not be the first time that Iran-aligned hackers executed a “hack and leak” operation against U.S. targets. In 2024, the Trump campaign was accessed in an Iranian hack that exposed vetting documents for Vice President JD Vance.

Editor’s note: This story has been updated to include remarks from a former U.S. official and the FBI.

]]>

Lawmakers question VPN impact on Americans' FISA surveillance protections

David DiMolfetta — Fri, 27 Mar 2026 10:40:00 -0400

Senate and House Democrats asked Director of National Intelligence Tulsi Gabbard on Thursday to clarify whether the use of virtual private networks could affect Americans’ protections against warrantless surveillance authorities.

The letter — signed by Sens. Ron Wyden, D-Ore., Alex Padilla, D-Calif., Ed. Markey, D-Mass., and Elizabeth Warren, D-Mass., alongside Reps. Sara Jacobs, D-Calif. and Pramila Jayapal, D-Wash. — argues VPN use may complicate how intelligence agencies assess a user’s location, which in turn can shape the legal protections applied to their communications.

Under domestic surveillance law, Americans are generally afforded stronger protections than foreigners overseas, including through requirements for court-approved warrants before their communications are lawfully intercepted. But VPNs — which route traffic through private servers to mask device locations — can obscure where a user is truly based. Under U.S. surveillance rules, users with unknown locations may be treated as foreigners, potentially altering the legal protections applied to their communications, the lawmakers say.

The letter points to provisions underpinning FISA Section 702 — which allows warrantless surveillance of foreigners overseas — and Executive Order 12333 as evidence that users with unknown locations may be treated as foreigners, affecting the protections applied to their communications.

“Under both Section 702 and EO 12333, the government is obligated to seek to determine the non-U.S. person status and location of its targets. Nonetheless, the federal government has taken the position that communications whose source remains unknown are treated as foreign, and thus subject to few privacy protections,” the letter says.

It adds: “While Americans should be warned of these risks, they should also be told if these VPN services, which are advertised as a privacy protection, including by elements of the federal government, could, in fact, negatively impact their rights against U.S. government surveillance.”

The letter comes as Congress faces an April 20 deadline to renew FISA 702, which expires unless renewed by lawmakers. The controversial law is widely deemed a powerful spying authority by intelligence professionals, but the collection mechanisms permit incidental collection of U.S. person communications, which leave the door open to unauthorized queries that privacy advocates say circumvent the Fourth Amendment.

Nextgov/FCW has asked a Gabbard spokesperson for comment.

President Donald Trump said in a Truth Social post this week that he supports a clean, 18-month extension of the 702 statute.

“The fact is, whether you like it or not, it is extremely important to our military,” he said, adding that he has spoken to military leaders and “they consider it vital.”

The Congressional Progressive Caucus recently came out against renewing FISA Section 702, its strongest stance yet, binding its 98 members — nearly a quarter of the House — against a clean reauthorization and complicating Republican efforts to secure enough votes.

Lawmakers’ concerns about Trump-era immigration enforcement and affiliated Fourth Amendment compliance are weighing on the reauthorization fight for 702, congressional aides previously told Nextgov/FCW.

“While Donald Trump and Stephen Miller are showing unprecedented disregard for the basic Constitutional rights of Americans, the last thing we should be doing is handing them massive surveillance powers they will abuse.,” Rep. Greg Casar, D-Texas, the CPC’s chair, said in an X post last week.

]]>

EU wants to support bedrock cyber vulnerability program, top official says

David DiMolfetta — Thu, 26 Mar 2026 20:16:00 -0400

SAN FRANCISCO — The European Union wants to assist with and help modernize a cornerstone cyber cataloging program after a contracting scare last year prompted renewed discussions and concerns over how to sustain the vulnerability-tracking system relied upon by hundreds of thousands of security practitioners worldwide.

The Common Vulnerabilities and Exposures Program faced a contracting fiasco last spring when MITRE, the non-profit research giant that funds much of the program’s functions, warned of an imminent end to federal backing for the project. The matter was addressed within hours amid outcry from the cybersecurity community.

The EU wants to help “build upon” the foundation of the program and “the great work that has been done there,” Hans de Vries, the chief cybersecurity and operational officer for the European Union Agency for Cybersecurity, or ENISA, said Thursday at the RSAC Conference in California.

After the initial contracting issue, EU member states asked ENISA to explore ways to strengthen the CVE process, de Vries explained.

“We cannot build on one contract alone, so we have to strengthen it, and make sure that foundation, that basic mechanism — and it’s a huge program — but that mechanism stays, and stays to the core that we want to build on,” he said.

CVE provides a standardized methodology for identifying and cataloging publicly known cybersecurity vulnerabilities. Each flaw is assigned a unique identifier, designed to help security researchers, vendors and officials more effectively communicate about the same issue. It was first launched in 1999.

The remarks from de Vries are some of the first showing how European officials are weighing a more formal role in contributing to the CVE program, amid growing concerns that its long-term stability cannot rely on a sole U.S. government contract.

Congressional staffers have also drafted legislation to codify the CVE program and address how the Cybersecurity and Infrastructure Security Agency would take a more active oversight role in its management, said Moira Bergin, who leads cyber policy work for the Democrat side of the House Homeland Security Committee.

“While CISA is certainly authorized to execute this program, it’s not specifically tasked with doing it, which, as an oversight committee, makes it harder for us to hold an agency accountable for executing a task,” she said. “And it doesn't give any of the stakeholders any expectation of what they can expect from the program and hold it accountable for.”

A newer version of the program managed under CISA should also “endure political cycles,” said Mike McLaughlin, a shareholder and Cybersecurity and Data Privacy Practice Group co-lead at Buchanan Ingersoll & Rooney PC, arguing that if CVE is housed in CISA but is perceived as politicized or fragile, other regions will fragment off and force competing programs to emerge.

Bergin said that, in the draft text, staffers are seeking to “inoculate the [CVE] board membership from political cycles” so those risks are diminished.

The discussion also came amid growing recognition among industry practitioners that AI has now become a core tool in hackers’ arsenals that can accelerate the speed and scale of cyberattacks.

On a regular basis, some people “seem to think that CVE records should be just read by humans,” said Bob Lord, a former Cybersecurity and Infrastructure Security Agency official who helped lead the agency’s Secure by Design initiative.

In the CVE program, a vulnerability record is created when a flaw is first published, while later “enrichment” can add details such as severity and exploitability. But as cyberattacks now move at machine speed, many experts argue those records need to be far more complete upfront, because waiting to fill in the gaps can leave defenders exposed.

“While there certainly is a component where humans should be able to go in and look at CVE and understand what’s in there, what we really need to do is start making sure that we have high-quality records,” said Lord, referring to individual vulnerability entries. “Today, we’re going to really need to talk a lot more about record quality at the time of issuance, not enrichment later, but at the time of issuance.”

A CISA spokesperson told Nextgov/FCW that a “broad internal contracting review caused a brief renewal delay in April 2025, but operations continued without disruption and MITRE was ultimately retained as the program operator.” CISA and the Department of Homeland Security have since “taken proactive contracting steps to maintain MITRE’s support, ensure stable global vulnerability tracking and expand its usage,” the spokesperson added.

“MITRE, in support of CISA, is committed to CVE as a critical global resource,” Jordan Graham, a company spokesperson said.

Today, everyone uses CVE identifiers as a common vernacular, said McLaughlin. If it disappears, vendors and defenders can’t easily tell if they’re talking about the same bug, and regulators and service providers lose a shared reference system.

“I think if the program were to go away, you’d have fragmentation, which leads to inefficiency, which leads to less security,” Bergin said. “And when we make the case to our members that this is something that they should take their time with, that’s what we say: fragmentation, inefficiency, less security — it’s that simple.”

]]>

European officials highlight private sector help in major cybercrime takedowns

David DiMolfetta — Wed, 25 Mar 2026 19:02:00 -0400

SAN FRANCISCO — Private sector partners got a special shoutout in a panel of top European cyber law enforcement officials Wednesday as they discussed industry involvement in major takedowns of cybercrime groups.

At RSAC Conference, Dutch National Police cybercrime director Stan Dujif, UK National Crime Agency cyber crime unit lead Paul Foster, and Germany’s Bundeskriminalamt cyber division head Carsten Meywirth all acknowledged industry’s role in takedowns of cybercriminals’ digital infrastructure and the arrests of those allegedly involved in hacking schemes.

Just days before the U.S. and international partners went after LockBit — a prolific ransomware group — Foster said that private sector partners were brought in to be briefed about the forthcoming takedown. Industry was especially helpful in affirming that the takedown was legitimate so other criminal hackers couldn’t fill the void.

“So much of the amplification narrative came from private partners, rather than just law enforcement,” Foster said.

Private sector partners also estimated how long any law enforcement action would keep the notorious Scattered Spider group suppressed before it was able to reconstitute. Last July, arrests of alleged criminal gang operatives commenced. Paul said that estimates came in at six weeks and the true number ended up being five weeks.

Cybercrime is unique in the cybersecurity world because, unlike nation-state intelligence services, criminal hackers can operate across jurisdictions and rely on commercial infrastructure, often leaving a trail that private cybersecurity firms can track and help disrupt.

Industry involvement was designed as part of Operation Endgame, an ongoing international law enforcement initiative led by Europol and others that launched in May 2024 to dismantle critical criminal hacker infrastructure, said Maywirth.

“Nowadays for us, it is quite normal to integrate private partners as well in the operations. We proved that, and we had a very good success from those corporations,” he said.

The private sector often partakes in “covert” investigation support phases where they identify digital infrastructure for law enforcement to take down, Maywirth added.

And about two weeks ago, European officials and private company representatives came together in Germany to discuss strategy and approaches for takedowns and disruptions of hackers’ infrastructure, Maywirth said.

The discussions underscore how modern cybercrime responses increasingly hinge on collaboration between law enforcement and the private sector, with industry playing a hands-on role in tracking, disrupting and sometimes helping dismantle criminal operations, rather than just supplying intelligence.

“If we look at the intelligence job that we have to do, we would like to understand, really, how the kill chain of cybercrime is working,” Dujif said. “So we need information from our colleagues, from law enforcement agencies, but also from the private sector to understand … what’s the most impactful intervention we can take?”

]]>

Ex-NSA leaders say Americans are becoming ‘numb’ to cyber threats

David DiMolfetta — Wed, 25 Mar 2026 09:35:00 -0400

SAN FRANCISCO — American society is becoming increasingly apathetic to major cyberattacks, and the U.S. has still not achieved a hardline strategy to deter foreign adversaries and their hacker operatives, former NSA and Cyber Command leaders said Tuesday.

“I think we’ve become numb to it,” said retired Gen. Paul Nakasone, who served as director of Cyber Command and NSA from 2018 to 2024. He was joined on stage at an RSAC Conference discussion with other retired officials who held the dual-hatted role over the years, including Gen. Keith Alexander, Adm. Mike Rogers and, most recently, Gen. Tim Haugh.

“I think we continue to see these different intrusions, and intrusions have gotten to a size that the scale is just incredible to me” Nakasone said. “And I think that we are out of balance in terms of being able to keep up with the adversary, whether or not it’s ransomware, whether or not it’s deepfakes, whether or not it’s the brain drain within our government.”

“I think for society, we are just becoming so numb to this,” said Rogers. “We’re starting to accept this, in some ways, as the price of living in the digital age, and we have not yet had a level of trauma that has driven fundamental behavioral change.”

The sobering remarks underscore a growing concern among former U.S. cyber leaders that the steady drumbeat of high-impact cyber intrusions has failed to galvanize a proportional policy or societal response.

Recent incidents highlight that threat picture, from China-linked hackers like Volt Typhoon embedding in U.S. critical infrastructure systems and Salt Typhoon targeting global telecom networks for espionage, to ongoing disruptions at home, including a March breach at medical device maker Stryker that’s been tied to a pro-Iran hacker gang.

“I would definitely say we have not achieved deterrence,” Rogers said. “I see a private sector, network owners, that are very energized and focused. I see a government that’s unwilling to expend political capital to really drive fundamental change in cyber, and it’s a reflection of the fact that, politically, we are so divided. And as a society, we are so divided.”

Alexander reinforced the same worry over a lack of national readiness against major cyber players.

“What I’m concerned about is what we’re doing as a nation to think about what China could do to hurt us,” he said.

The Trump White House has released a long-anticipated national cyber strategy, which includes a pillar focused on reshaping the behavior of cyber adversaries to create incentives to not target U.S. networks. Details of that effort remain to be seen, though the private sector is expected to play a major part.

]]>

Google launches threat disruption unit, stops short of calling it ‘offensive’

David DiMolfetta — Mon, 23 Mar 2026 21:54:00 -0400

SAN FRANCISCO — Google’s threat intelligence arm officially launched its anticipated disruptive cyber unit on Monday, which comes as the Trump administration seeks to create a more offensive, proactive U.S. culture in cyberspace against foreign hacker groups and cybercriminals.

Company officials notably deemed the unit a defensive operation, however because it focuses on cutting off the paths hackers rely on to breach systems, rather than using technical capabilities to hack into other governments’ or foreign firms’ computer networks.

The unit was made public in a keynote address delivered at RSAC Conference by Sandra Joyce, the vice president of Google’s Threat Intelligence Group. “We’re now in a position where we can and we must actively shape the outcome of adversary behaviors,” she said on stage.

Google, like other major tech firms with cybersecurity services, can impede cyber adversaries by leveraging visibility into and control over widely used platforms and infrastructure that attackers routinely depend on to stage, deliver or manage their hacking operations. In recent months, Google has highlighted a series of intricate takedown efforts, and the announcement, executives say, is meant to encourage other firms in the cybersecurity and tech community to adopt a culture of proactive disruption.

“The private sector operates the very infrastructure that adversaries abuse,” Joyce said. “This gives us a unique vantage point of the technical capabilities that government agencies sometimes don’t have, and disrupting threat actors must become the status quo in our industry.”

The announcement dovetails with the release of the Trump administration’s national cyber strategy, which has focused, in part, on crafting a more offensive culture among U.S. cyber warriors and their private sector counterparts.

But Sean Cairncross, the White House cyber czar, made it clear earlier this month that he doesn’t want private sector firms hacking on behalf of the government. Joyce, in a similar fashion, said the unit is not a “hacking back” initiative, but makes “legal and ethical use of intelligence to protect our own platforms.”

Those legal actions include the practice of getting court orders to take down certain web infrastructure being used by hackers. Other aspects of the unit’s modus operandi include publicly exposing hacking groups, taking down their infrastructure and driving product improvements to prevent hackers from attempting further intrusions.

“I think people have had it,” John Hultquist, the company’s chief threat analyst, told reporters of the choice to launch the unit now after years of related efforts involving law enforcement takedowns of hacker infrastructure. “What we’re talking about is — can we deny the adversary the resources it needs to get between the water and the castle?”

“It’s not just about disabling things within the Google ecosystem,” added Charles Carmakal, the chief technology officer at Google subsidiary Mandiant. “We’re doing this in a way where we want to get more and more collaboration with other partners, so that the disruption is much broader and more impactful to the adversary.”

]]>

CISA, FBI have engaged with Stryker staff after cyberattack, official says

David DiMolfetta — Tue, 17 Mar 2026 18:05:00 -0400

The Cybersecurity and Infrastructure Security Agency and the FBI have engaged with executives at Stryker as they work to assess and mitigate the fallout from a major hack of the medical technology giant last week that an Iran-aligned group took credit for, a top official said.

“We’ve engaged with them. Our teams have worked with them, as well as some of the FBI teams, and our regional personnel have been engaged with them,” Nick Andersen, CISA’s acting director, told reporters after he spoke at a McCrary Institute event on Tuesday. He didn’t provide other updates.

The worldwide cyberattack wiped employees’ phones and prevented workers from accessing their computers and other remote work tools. The logo of Handala, a pro-Iran and pro-Palestinian hacking group, appeared on employee login pages, and the hacking collective’s X account also claimed responsibility.

Andersen added that CISA is engaging further with sector-based industry groups on foreign cyber threats. On Iran, “we still are seeing a steady state. [The groups have] not seen an increase in the rise of threat actor activity, which is fantastic,” he said.

But he cautioned that “we just can’t take our eyes off of the fact that other adversaries continue to make maneuvers in this space. Cybercriminal groups continue to make moves within this space. It’s not just about one nation-state at one particular point in time.”

Stryker, one of the largest medical tech providers in the world, said last week it believed the incident was contained but the effects of the hack may continue causing “disruptions and limitations of access” to certain company information systems and applications supporting parts of their operations and functions.

Pro-Iran hacking groups frequently target the computer systems of nations considered adversaries to Tehran, namely the U.S. and Israel. In late 2023, during the Israel-Hamas war, another Iran-aligned hacking group defaced the interfaces of Pennsylvania water treatment systems that contained Israel-made Unitronics equipment.

Stryker acquired the Israeli medical technology firm OrthoSpace in 2019. It also has significant contracts with both the U.S. departments of Defense and Veterans Affairs.

It’s widely believed that a wiper attack was used against Stryker’s devices after the Handala group compromised a company Microsoft Intune administrative account. Intune is used to manage users’ access to company resources across their devices, and it can be used to remotely access specific computers or factory reset machines.

“The real failure here is that our core systems still rely on ‘God-like’ administrative keys that lack deep cryptographic validation,” said Denis Mandich, a former CIA official and co-founder of Qrypt. “We are essentially giving attackers a single point of failure that allows one compromised credential to execute a global factory reset.”

“All Stryker products across our global portfolio, including connected, digital, and life-saving technologies, remain safe to use,” the company said in a Sunday statement, but it added that there may be supply chain disruptions as ordering systems come back online. The company also said the incident “was not a ransomware attack, and there is no evidence of malware deployed to our systems.”

]]>

National cyber director doesn’t envision industry doing offensive hacking

David DiMolfetta — Tue, 17 Mar 2026 13:22:00 -0400

National Cyber Director Sean Cairncross said Tuesday that he does not intend for the private sector to fully engage in offensive cyber operations on behalf of the U.S. government.

“There’s an enormous amount of capability on the private sector side,” he said. “I’m not talking about private sector, industry or companies engaged in a cyber offensive campaign.”

The statement, made during a fireside chat at a McCrary Institute event, pushes back on speculation that private industry would be tasked in hacking campaigns authorized by government officials, a concept that surfaced in discussions leading up to the release of the Trump National Cyber Strategy earlier this month.

Cairncross said he wants to use the “ability of our private sector … to inform and share information so that the [U.S. government] can respond” defensively or in a more agile way.

Private-sector cyber firms provide myriad services like threat intelligence, defensive products and specialized hacking toolkits that are relied on heavily by U.S. government operators and analysts. But the government has not directed the private sector to directly carry out cyber intrusions or “hack backs” against adversaries on its behalf.

The private sector engagement hits on one of the cyber strategy’s key pillars, which is focused on reshaping the behavior of foreign adversaries to disincentivize hacking. Cairncross said he wants various U.S. agencies — including non-cyber offices like the Departments of State and Commerce — to contribute to that goal.

American cyber and intelligence giants like the NSA, CIA, FBI, Cyber Command and others already have legal authorities to offensively target foreign adversaries using their own hacking capabilities.

The cyber strategy’s other pillars include promoting common-sense regulation; modernizing and securing federal government networks; securing critical infrastructure; sustaining superiority in critical and emerging technologies; and building cyber talent and capacity.

Editor's note: This article has been updated to note that Cairncross made his remarks on Tuesday.

]]>

Stryker hack could set stage for more pro-Iran cyber sabotage

David DiMolfetta — Fri, 13 Mar 2026 12:33:00 -0400

Cybersecurity experts say the recent hack of medical technology giant Stryker may be an early indicator of wider, pro-Iran cyber sabotage activity.

Pro-Iran and pro-Palestinian hacking group Handala claimed responsibility for the cyberattack, which saw the hacking collective apparently deploy wiper malware targeting Microsoft InTune management services installed on employees’ phones, including their personal devices.

Pro-Iran hacking groups frequently target systems in the U.S. and Israel, as seen in late 2023 when a group defaced water treatment systems in Pennsylvania that utilized Israel-made Unitronics equipment. Stryker acquired the Israeli medical technology company OrthoSpace in 2019 and holds significant contracts with the departments of Defense and Veterans Affairs.

The Unit 42 threat intelligence arm of Palo Alto Networks is “tracking an increased risk of wiper attacks related to the conflict with Iran, including multiple related incidents impacting organizations in Israel and the U.S.,” the company said in a Thursday blog post.

“The reported wiper attack … may represent a similar dynamic, an early signal of activity that could expand beyond a single target,” said Justin Kohler, a former Air Force analyst and chief product officer at SpecterOps. “Organizations need to assume that attackers will gain a foothold and focus on proactively shutting down the attack paths adversaries rely on to escalate privileges, move laterally and expand their impact.”

A wiper-style attack on a company like Stryker is dangerous because “it targets operational continuity rather than just data theft. In the healthcare ecosystem, outages affecting device manufacturers or support systems can ripple across hospitals, supply chains and patient care environments,” said Ensar Seker, chief information security officer at SOCRadar.

The hack has challenged notions that direct physical targeting of apparent Iran state-funded cyberwarfare infrastructure would reduce the likelihood of any successful hacking attempts tied to the war. Pro-Iran hacking groups, until recently, have typically made overstated, unverifiable or false claims about their wartime activities.

“Organizations should take this as a reminder that destructive cyber operations are no longer limited to nation-state military targets,” Seker added.

The Cybersecurity and Infrastructure Security Agency said Thursday it is investigating the Stryker incident. The war, which broke out Feb. 28, was expected to test the strength of U.S. cyberdefenses.

California Rep. Eric Swalwell, the top Democrat on the House Homeland Security Committee’s cybersecurity panel, told reporters Thursday that his team was in touch with Stryker and evaluating how they’re working with federal responders, as well as how the hack may have impacted others that rely on the company’s devices.

“We want to understand from CISA … what is the vulnerability status right now for companies in the United States because of Iran’s capabilities?” he said, referring to workforce reduction mechanisms put in place over the last year within the Department of Homeland Security cyber agency that have shed around a third of its staff.

Complicating matters is an ongoing DHS shutdown, which has further reduced the number of working employees at CISA. Those employees are also not getting paid while the shutdown continues.

]]>

FBI queries of Americans’ data under FISA 702 rose 35% in 2025

David DiMolfetta — Thu, 12 Mar 2026 18:21:00 -0400

FBI searches of U.S. person data collected using a controversial spying authority rose some 35% in 2025, according to an FBI letter to Congress that was obtained by Nextgov/FCW.

The bureau’s searches of Americans’ data, collected under Section 702 of the Foreign Intelligence Surveillance Act, rose from 5,518 in December 2024 to 7,413 in November 2025, according to the March 11 letter signed by Ted Groves, the acting assistant director of the FBI’s Office of Congressional Affairs.

The letter was sent to Sens. Chuck Grassley, R-Iowa, and Dick Durbin, D-Ill., the top lawmakers on the Senate Judiciary Committee.

The 702 authority, which permits the NSA, FBI and other agencies to access foreigners’ communications overseas without a court warrant, can incidentally sweep up communications of Americans talking to targeted persons, raising major civil liberties concerns.

The number of U.S. person communications gathered under 702 is often a key statistic cited by civil society organizations that have long pushed for major reforms to the law.

In 2024, only 38% of queries “returned either content or non-content 702-acquired information,” the letter says, adding that the figure dropped to 28% in 2025.

“Content” refers to the substance of the communications, such as the actual text of emails, chat messages or recorded phone calls. Conversely, “non-content” information is metadata about communications, including details like the email addresses or phone numbers used, IP addresses or the time a message was transmitted.

Collected 702 communications are stored in classified databases, where analysts query them for foreign intelligence. Search terms — known as “selectors” — can include names, phone numbers or email addresses of targeted individuals. Analysts may query stored U.S. person data when they believe doing so is reasonably likely to return useful information for investigations.

The letter was reported earlier by The Record, the news unit of cyber threat intelligence firm Recorded Future.

The FBI declined to comment.

Section 702 is due to expire in April unless Congress acts to renew it.

The Trump administration is pushing for a clean reauthorization of the law. FBI Director Kash Patel and CIA Director John Ratcliffe met privately with Senate Republicans Wednesday to push for an extension, as House Speaker Mike Johnson, R-La., said he intends to try passing a renewal the week before the authority lapses.

Ratcliffe has previously told Congress that the Trump administration attributes many of its national security achievements to Section 702, according to a person familiar with the matter who spoke on the condition of anonymity to share details of private discussions about the statute.

The increase outlined in the FBI letter will likely disappoint civil liberties groups, which have long pushed for a warrant requirement for searches of U.S. person data. National security officials have historically and successfully pushed back against a warrant measure in prior reauthorization cycles, though it came close to fruition during the 2024 reauthorization debate, when a House amendment failed in a 212–212 vote.

The FBI has acknowledged its improper use of Section 702, specifically admitting to searching for information on individuals involved in the January 6, 2021, U.S. Capitol riot, as well as people arrested during 2020 racial justice protests following the police killing of George Floyd.

The law, enacted in 2008, codified parts of the once-secret Stellarwind surveillance program created under the Bush administration after the Sept. 11, 2001, attacks. In 2013, former NSA contractor Edward Snowden disclosed documents detailing how the authority was used, fueling a global debate over privacy and mass surveillance.

]]>

CISA launches investigation into Stryker cyberattack

David DiMolfetta — Thu, 12 Mar 2026 11:00:00 -0400

The Cybersecurity and Infrastructure Security Agency has launched an investigation into the hack of medical technology giant Stryker a day after an apparent pro-Tehran hacker group sabotaged employees’ devices around the world in response to the U.S.-Israel war against Iran.

The worldwide cyberattack wiped employees’ phones and prevented workers from accessing their computers. The logo of Handala, a pro-Iran and pro-Palestinian hacking group, reportedly appeared on employee login pages, and the hacking collective’s X account also claimed responsibility.

“We are working shoulder-to-shoulder with our public- and private‑sector partners as we continue to uncover relevant information and provide technical assistance for the targeted attack on Stryker, while steadfastly standing at the ready to defend our nation’s critical infrastructure,” CISA acting director Nick Andersen said in a statement to Nextgov/FCW. “As with all cyber incidents, we have launched an investigation into this matter.”

Stryker is based in Michigan and has business units worldwide. The company is one of the largest medical technology organizations in the world and specializes in creating devices and equipment for use in hospitals and surgeries.

Pro-Iran hacking groups have made a habit of targeting any computer systems tied to nations deemed foreign adversaries to Tehran, especially the U.S. and Israel. In late 2023, amid the Israel-Hamas war, one hacker group defaced the interfaces of water treatment systems in Pennsylvania, which had Israel-made Unitronics equipment built inside.

In 2019, Stryker acquired Israeli medical technology company OrthoSpace. The company and some of its business units have major contracts with the departments of Defense and Veterans Affairs.

In a filing with the Securities and Exchange Commission, Stryker said it believes the hack is “contained” but is expected to continue causing “disruptions and limitations of access” to certain company information systems and applications supporting parts of their operations and functions.

The filing acknowledges a “cybersecurity incident” that impacted “certain information technology systems of the company that has resulted in a global disruption to the company’s Microsoft environment.”

The FBI declined to comment when asked if it was investigating the hack.

“We’re in a new phase here, as this is our first public example of Iranian cyber retaliation in the course of this conflict,” said Alex Orleans, head of threat intelligence at cybersecurity firm Sublime Security. “Before, we were seeing mostly hacktivist groups or hacktivist front personas (including Handala) making unverifiable claims. Now we have an apparently concrete incident with a known Iranian intelligence front taking credit for the operation.”

“We expected to see some groups emerging from the rubble, so to speak, following the initial stage of this conflict. The nature of this incident functions as a strong leading indicator, in that it’s unlikely to have been an isolated case,” he added. “Additional Iranian state-nexus groups likely have attempted, or will attempt, similar disruptive operations in the near-term.”

On Thursday, Polish officials said Iran may have attempted to hack into the European nation’s National Centre for Nuclear Research.

Editor's note: This article has been updated to note that the FBI declined to comment.

]]>

Suspected pro-Iran hacker group tied to Stryker cyberattack

David DiMolfetta — Wed, 11 Mar 2026 13:17:00 -0400

A pro-Iran hacker group is believed to be behind a worldwide cyberattack affecting medical device company Stryker, wiping employees’ phones and preventing workers from accessing their computers.

The logo of Handala, a pro-Iran and pro-Palestinian hacking group, appeared on employee login pages, according to posts on social media site Reddit. Several purported employees described being locked out of company-linked phones and other devices. The hacking collective’s X account also claimed responsibility.

Stryker is based in Michigan and has business units worldwide. Many colleagues’ phones have been wiped, and employees have been instructed to remove various company management features like Microsoft Intune from personal devices, according to one person on Reddit claiming to be an employee based in Australia.

“We are currently experiencing a global network disruption affecting the Windows environment. Our teams are actively working to restore systems and operations. Stryker has business continuity measures in place, and we’re committed to serve our customers,” the company said in a statement.

Stryker is one of the largest medical technology companies in the world and specializes in creating devices and equipment for use in hospitals and surgeries.

If fully confirmed, the hack would represent, arguably, the most significant cyber incident linked to the recent Iran war so far.

In 2019, Stryker acquired Israeli medical technology company OrthoSpace. The company and some of its business units also have significant contracts with the Departments of Defense and Veterans Affairs, according to GovTribe, a federal market intelligence platform owned by Nextgov/FCW parent company GovExec.

Nextgov/FCW has also asked the FBI and the Cybersecurity and Infrastructure Security Agency for comment.

“This incident, if confirmed, is a significant escalation because it moves from theater-linked cyber noise into disruptive, potentially destructive effects against a major U.S. medical technology firm,” said Alexander Leslie, a senior advisor at cyber threat intelligence firm Recorded Future.

“The big risk now is copycat escalation and opportunistic follow-on activity, especially if the attackers pair disruption with ‘proof’ drops and narrative packaging to manufacture momentum and, therefore, enable influence operations,” he added.

The U.S.-Israel war on Iran, launched Feb. 28, is expected to test U.S. cyberdefenses. Experts for weeks have advised organizations to stay on guard for cyber retaliation from Iran-aligned groups.

]]>

Russia-linked hackers appear on Iran war’s cyber front, but their impact is murky

David DiMolfetta — Tue, 10 Mar 2026 12:21:00 -0400

Apparent Russia-linked hacking collectives backing Iran have been observed joining the cyber activity unfolding alongside the U.S.-Israel war against Iran, though analysts have mixed views on whether their involvement represents a meaningful escalation or little more than online noise.

The outlook on such “hacktivist” groups — hackers who attempt to penetrate systems and steal information for political activism — comes days after The Washington Post reported that Russia is supplying Iran with intelligence to help target U.S. forces in the Middle East and adds another dimension to the already complex cyber and information environment surrounding the war.

One well-known pro-Russia group dubbed “NoName057(16)” recently claimed massive distributed denial-of-service attacks against Israeli defense contractors and also claimed to have gained full access to the human-machine interfaces of Israeli water management systems, said Kathryn Raines, a cyber threat intelligence team lead at cybersecurity firm Flashpoint. But company analysts have not verified these claims, she said.

Distributed denial-of-service hacks, known colloquially as “DDoS” attacks, overwhelm websites with large amounts of artificial internet traffic to stop legitimate users from accessing them.

CrowdStrike has similarly observed a surge in pro-Iran hacktivists with ties to Russia. In the first few days after the war broke out on Feb. 28, one Russia-aligned hacktivist group the company dubs “Z-Pentest” claimed responsibility for compromising several U.S.-based entities, said Adam Meyers, the company’s head of counter adversary operations.

Those claims are also unverified, though “Western organizations should continue to remain on high alert for potential cyber response as the conflict continues and activity may move beyond hacktivism and into destructive operations,” he said.

The United States has long supplied Ukraine with intelligence and equipment to strike Russian targets within its borders. Now, as the war unfolds in Iran, Moscow could be seizing its own opportunity for retaliation by aiding Tehran.

“Russia is comfortable providing some proxy support to Iran, or at least taking advantage of an unstable situation,” Cynthia Kaiser, a former deputy director at the FBI’s Cyber Division, said in a LinkedIn post this weekend. “Expect exaggeration, but don't dismiss the underlying access. These groups regularly inflate the impact of their attacks for media attention. But they have caused real physical damage to critical infrastructure. Calling their bluff shouldn't mean ignoring the threat.”

“Russia has a variety of partner engagements with Iran that could prompt Moscow to get involved in the conflict, particularly if Russia perceives that U.S. military operations dragging out would further pull the White House’s focus from Ukraine,” said Justin Sherman, founder and CEO of Global Cyber Strategies, a Washington, D.C.-based research and advisory firm.

The Kremlin’s vast and complex cyber ecosystem allows it to leverage state elements, hired or coerced cybercriminals and patriotic hackers encouraged by propaganda to pursue its goals, Sherman said, explaining that “one of the benefits of Russia’s cyber web for the state is how the Kremlin can pick and choose its actors and capability sets as it pleases, depending on its needs.”

In a recent case, Russian state-backed groups initiated a massive global campaign targeting the Signal and WhatsApp accounts of officials, military personnel and civil servants, Dutch intelligence said Monday.

But Sherman said that attributing Russian-origin cyber operations is complex, and that analysts should try to examine which parts of Vladimir Putin’s government may have authorized an operation to better understand how Moscow would be aiding Iran in cyberspace.

Some are skeptical that Russia sharing targeting intelligence would translate directly into cyber support for Tehran.

“Russia providing intelligence assistance to the Iranian government to support kinetic strikes, and the idea of Russian cyber actors as implied by the conventional use of the phrase — i.e., those with a nexus to the Russian state — ‘joining the cyber aspect of this conflict’ are two very different things,” said Alex Orleans, a former National Security Council contractor and head of threat intelligence at Sublime Security.

“I have not encountered Russian APTs inserting themselves into a conflict to support a third-party and I’d be surprised if they did now,” he said, referring to “advanced persistent threat” groups that are typically well-resourced, highly skilled and backed by a nation-state.

Other analysts have not publicly attributed any hacktivist activity to a particular nation.

“While we have observed some initial hacktivist groups supporting the Iranian regime, these activities are in the very early stages. There is currently no clear indication that this is being directed by a state actor like Russia or Iran, and it remains difficult to verify,” said John Fokker, vice president of threat intelligence at Trellix. “That said, in any geopolitical conflict, it is common practice for involved countries to provide aid in various forms.”

Iran’s cyber capabilities have likely diminished in recent days, said Dave DeWalt, CEO of NightDragon, a venture capital firm that manages a portfolio of cybersecurity companies.

“We’ve been monitoring almost every actor and every indicator of compromise that we possibly can, and we've seen next to zero activity … and that’s largely because we believe that most of their cyber operations have been dismantled physically,” he said in an interview.

Israel said last week it destroyed Iran’s cyberwarfare headquarters, though it’s not immediately clear how much effect that’s had on its cyber operations.

“We’ve seen little activity from [Iran] globally, that doesn’t mean that it’s completely dismantled,” DeWalt said. “I don’t have full confirmation, but I would tell you it certainly looks like no other case I've seen in 20 years, where we’ve seen such silence in the digital world from [Iran].”

Asked about whether China and Russia are sharing capabilities with Iran at this point, he said those nations may be keeping their distance, but there’s possible sharing of satellite, electronic warfare and radar-jamming services. “I would not be surprised at all,” he said.

]]>