Threats | CyberScoop
https://cyberscoop.com/news/threats/
Tue, 27 Jun 2023 19:07:25 +0000

Two major energy corporations added to growing MOVEit victim list
https://cyberscoop.com/schnieder-electric-siemens-energy-moveit-cl0p/
Tue, 27 Jun 2023 19:07:24 +0000
Leading global energy companies Schneider Electric and Siemens Energy are the latest victims of the MOVEit vulnerability.

The post Two major energy corporations added to growing MOVEit victim list appeared first on CyberScoop.

Two major energy corporations have fallen victim to the MOVEit breach, the latest targets in an ongoing hacking campaign that has struck a growing number of organizations including government agencies, states and universities.

CL0P, the ransomware gang executing the attacks, added both Schneider Electric and Siemens Energy to its leak site on Tuesday. Siemens confirmed that it was targeted; Schneider said it is investigating the group’s claims.

Since early June, the hacking campaign has added more than 100 victims after CL0P began to take advantage of a vulnerability in MOVEit, a widely used file transfer tool from Progress Software. Multiple federal agencies, including two Department of Energy entities, have been affected by the vulnerability, federal authorities have said. Additional reporting has indicated that the Department of Agriculture may have had a “possible breach” and the Office of Personnel Management is also affected.

Both Siemens Energy and Schneider Electric are among the largest vendors in industrial control systems, though little has been disclosed about what information the hackers may have taken. Cybersecurity and Infrastructure Security Agency Director Jen Easterly has previously said that the MOVEit campaign appears to be largely opportunistic and that the stolen files may be limited to what was in the software at the time the bug was exploited.

“As far as we know, the actors are only stealing information that is specifically being stored on the file transfer application at the precise time that the intrusion occurred,” Easterly said on June 15.

“Regarding the global data security incident, Siemens Energy is among the targets. Based on the current analysis, no critical data has been compromised and our operations have not been affected. We took immediate action when we learned about the incident,” a Siemens spokesperson said in an email.

A Schneider spokesperson said that the company became aware of the vulnerability on May 30 and “promptly deployed available mitigations to secure data and infrastructure and have continued to monitor the situation closely.”

“Subsequently, on June 26th, 2023, Schneider Electric was made aware of a claim mentioning that we have been the victim of a cyber-attack relative to MOVEit vulnerabilities. Our cybersecurity team is currently investigating this claim as well,” the spokesperson said in an email.

Since the Russian-speaking CL0P began publicizing its victims, state and local governments appear to have been heavily affected by the campaign, as at least seven have been hit, including the nation’s largest public-employee pension fund, the California Public Employees’ Retirement System. Over the weekend, around 45,000 New York City public school students had their personal data stolen, including information such as Social Security numbers, StateScoop reported.

The State Department has offered a $10 million reward for information leading to the actors linked to the CL0P ransomware gang.

Apple issues emergency patch to address alleged spyware vulnerability
https://cyberscoop.com/apple-security-patch-kaspersky-russia-spyware/
Wed, 21 Jun 2023 20:55:08 +0000
The fix follows allegations from a Russian intelligence service that an intentional flaw in iPhones provided a gateway for American espionage.

Apple issued a security update on Wednesday for all its operating systems to patch dangerous vulnerabilities that could allow attackers to take over someone’s entire device.

The vulnerabilities in question, first revealed on June 1, appeared to have led the main Russian intelligence agency to make unusually public claims that Apple intentionally left the flaws in its iOS so the National Security Agency and other U.S. entities could compromise “thousands” of iPhones in Russia. Apple has denied those claims.

The charges from the Federal Security Service, or FSB, came the same day that researchers with cybersecurity firm Kaspersky published a report detailing what they said was an “ongoing” zero-click iMessage exploit campaign dubbed “Operation Triangulation” targeting iOS that allowed attackers to run code on phones with root privileges, among other capabilities. Kaspersky published an additional analysis Wednesday, saying that after roughly six months of collecting and analyzing the data, “we have finished analyzing the spyware implant and are ready to share the details.”

Researchers with the cybersecurity firm that’s headquartered in Moscow said in the June 1 report they found the exploit “while monitoring the network traffic of our own corporate Wi-Fi network dedicated for mobile devices.”

Neither Kaspersky analysis attributed the campaign to a specific operator. A Kaspersky spokesperson told CyberScoop on Wednesday that the company had “nothing to provide” on attribution or in response to the FSB using Kaspersky’s work to backstop its claims of Apple collusion with the NSA and “American intelligence services.”

Kaspersky researchers “proactively collaborated with the Apple Security Research team by sharing information about the attack and reporting the exploits,” the spokesperson told CyberScoop in an email. “As of now, Apple has publicly confirmed them as zero-day vulnerabilities that received the designation of CVE-2023-32434 and CVE-2023-32435 respectively, and announced the patching of those as part of the Security Updates release on June 21, 2023. We would like to thank Apple for taking action promptly to address and resolve the identified issues to keep users safe.”

Apple said in its security update that the fixes would address an app that “may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.”

In response to the June 1 claims from the FSB, an Apple spokesperson told CyberScoop that “[we] have never worked with any government to insert a backdoor into any Apple product and never will.”

DOJ establishes cybercrime enforcement unit as U.S. warnings mount over Chinese hacking
https://cyberscoop.com/doj-establishes-cybercrime-enforcement-unit-natseccyber/
Tue, 20 Jun 2023 20:50:57 +0000
Assistant Attorney General for National Security Matt Olsen said the center will speed up disruption campaigns and prosecutions.

The Department of Justice established a cyber-focused section within its National Security Division to combat the full range of digital crimes, a top department official said Tuesday.

The National Security Cyber Section — NatSec Cyber, for short — has been approved by Congress and will elevate cyberthreats to “equal footing” with other major national security issues, including counterterrorism and counterintelligence, Assistant Attorney General for National Security Matt Olsen said in remarks at the Hoover Institution in Washington.

The new section enables the agency to “increase the scale and speed of disruption campaigns and prosecutions of nation-state cyberthreats as well as state-sponsored cybercriminals, associated money launderers, and other cyber-enabled threats to national security,” Olsen said.

The NatSec Cyber center arrives at a time of growing concern about nation-state cyberattacks, especially those originating from Russia and China. Last week, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, warned Americans to be prepared for a major Chinese cyberattack. “This, I think, is the real threat that we need to be prepared for, and to focus on, and to build resilience against,” she said at an event in Washington.

However, the section has been many months in the making. It comes out of Deputy Attorney General Lisa Monaco’s July 2022 Comprehensive Cyber Review meant to review the agency’s approach to cyber-related matters and develop “actionable recommendations to enhance and expand the Department’s efforts.” It also tracks with a main theme of President Biden’s cybersecurity strategy, which calls for cross-agency collaboration to fight cybercrime.

The DOJ has taken a more proactive and aggressive approach to cyber-related prosecutions over the past two years, even when the agency’s actions preclude traditional prosecutions and convictions. Monaco described the shift in strategy in April on stage at the RSA Conference in San Francisco, saying that there is now “a bias toward action to disrupt and prevent, to minimize that harm if it’s ongoing,” with the goal “to take that action to prevent that next victim.”

The first major example of the policy shift was the April 2021 FBI action to proactively disable web shells related to Chinese-aligned efforts to exploit vulnerable Microsoft Exchange Servers, Monaco said. Another example of the proactive nature of DOJ actions was the April 2022 FBI operation that hobbled a Russian military intelligence-directed botnet that the FBI and DOJ determined could have enabled follow-on malicious activity.

The new unit within the DOJ will “give us the horsepower and organizational structure we need to carry out key roles of the Department in this arena,” Olsen said. “NatSec Cyber prosecutors will be positioned to act quickly, as soon as the FBI or an IC partner identifies a cyber-enabled threat and to support investigations and disruptions from the earliest stages.”

Two Energy Department entities breached as part of massive MOVEit compromise
https://cyberscoop.com/energy-department-cl0p-moveit-cisa/
Thu, 15 Jun 2023 21:40:09 +0000
The Cybersecurity and Infrastructure Security Agency said it's working with "several federal agencies" affected by a flaw in the file transfer software.

Multiple federal agencies, including two Department of Energy entities, were victims of a cyberattack that resulted from a widespread vulnerability in MOVEit file transfer software, federal officials said Thursday.

While it’s unclear who infiltrated the DOE agencies, a ransomware group known as CL0P has used the flaw in the widely used software to attack hundreds of organizations in recent weeks, including universities, banks and major multinational corporations. The group publicized online that it has victimized “hundreds of companies” and gave a June 14 deadline to negotiate a ransom price before it released stolen data.

So far, CL0P is the only threat group linked to the MOVEit vulnerability by the Cybersecurity and Infrastructure Security Agency and the FBI.

At a media briefing Thursday afternoon, CISA Director Jen Easterly said that “we are not tracking significant impact on civilian .gov enterprise but are continuing to work with our partners on this.” Additionally, she said, no federal agency has received extortion demands and no federal data has been leaked so far.

“As far as we know, the actors are only stealing information that is specifically being stored on the file transfer application at the precise time that the intrusion occurred,” she said, adding that the attack appears to be largely opportunistic and not “like SolarWinds that presents a systemic risk to our national security or our nation’s network.”

CNN first reported that “several federal agencies” had been victims of the file transfer flaw and that the Cybersecurity and Infrastructure Security Agency was urgently working with them to remediate the problem.

A Department of Energy spokesperson told CyberScoop on Thursday afternoon that “upon learning that records from two DOE entities were compromised in the global cyberattack on the file-sharing software MOVEit Transfer, DOE took immediate steps to prevent further exposure to the vulnerability and notified the Cybersecurity and Infrastructure Security Agency (CISA).”

DOE considers an entity any facility, office, or laboratory run by DOE or a DOE contractor. The agency is home to the national laboratories such as Sandia and Los Alamos National Labs that conduct nuclear power and weapons research.

The Federal News Network reported that Oak Ridge Associated Universities and the Waste Isolation Pilot Plant near Carlsbad, New Mexico, were the two DOE entities affected by the vulnerability.

“The Department has notified Congress and is working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate impacts from the breach,” the spokesperson said.

Speaking on background, an official at the briefing said that they are not aware of any federal agency that has not placed mitigations against the vulnerability.

CL0P claimed on its dark website to have “information on hundreds of companies” as part of its attack. The group also said that if the victim organization was “a government, city or police service do not worry, we erased all your data. You do not need to contact us. We have no interest to expose such information.”

The group has added 27 victim organizations to its leak page since June 14, according to data collected by eCrime.ch; however, it’s not clear whether all of those entities were MOVEit users or whether they were targeted by CL0P in separate extortion attacks.

Censys, a company that tracks internet-connected devices, said on Tuesday that government and military organizations represent 7.56% of the visible MOVEit hosts, with more than 80% of those being in the U.S.

CISA acknowledged on Thursday that several federal agencies were impacted as a result of the MOVEit compromise.

Eric Goldstein, executive assistant director for cybersecurity at CISA, said in a statement that “CISA is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications. We are working urgently to understand impacts and ensure timely remediation.”

CyberScoop asked multiple federal departments and agencies if they were impacted as part of the MOVEit compromise. Only the Department of Energy reported any kind of compromise. Other agency officials responded their departments had taken steps to patch the vulnerability.

A Veterans Affairs official told CyberScoop that the department had “three systems that were running software susceptible to the MOVEit vulnerability. These systems were immediately remediated and there was no impact to VA or Veteran data.

“We have network blocks in place at their perimeters to prevent port connections, secure protocols, and safeguard inbound data, and VA has installed the latest patches to the systems that used the MOVEit Transfer software. We have also worked with security technology vendors to develop more robust detection capabilities for the vulnerability.” 

Russian national arrested in Arizona, charged for alleged role in LockBit ransomware attacks
https://cyberscoop.com/lockbit-russian-national-arrested/
Thu, 15 Jun 2023 18:41:41 +0000
The group is one of the most prolific ransomware gangs, responsible for an estimated $91 million paid by U.S. victims.

Federal law enforcement officials arrested a Russian national in Arizona on charges related to his participation in multiple LockBit ransomware attacks against victims in the U.S., Asia, Europe and Africa, the Department of Justice said Thursday.

Ruslan Magomedovich Astamirov, 20, was taken into custody on Wednesday, a spokesperson for U.S. Attorney Philip Sellinger, from the District of New Jersey, told CyberScoop after the DOJ unsealed a criminal complaint in the case.

LockBit, which emerged in January 2020, was the most active ransomware variant in 2022 in terms of victims claimed on the group’s data leak site, U.S. cybersecurity officials said in a June 14 advisory. Known LockBit attacks accounted for 16% of state, local, tribal and territorial government ransomware attacks reported in the U.S. in 2022, as well as roughly 20% of known government ransomware attacks in Australia, Canada and New Zealand, the advisory said. Since January 2020 the group has been associated with approximately $91 million in ransoms paid in the U.S., the advisory said.

Astamirov’s case will be tried out of New Jersey, which is handling the cases of two other men accused of participating in LockBit ransomware attacks: Mikhail Vasiliev, a dual Russian and Canadian national, was arrested in November, and Mikhail Pavlovich Matveev, also known as Wazawaka, was indicted in May for alleged roles in LockBit attacks along with other cyber activities. Matveev, a Russian national, remains at large.

“Astamirov is the third defendant charged by this office in the LockBit global ransomware campaign, and the second defendant to be apprehended,” U.S. Attorney Sellinger said in a statement. “The LockBit conspirators and any other ransomware perpetrators cannot hide behind imagined online anonymity. We will continue to work tirelessly with all our law enforcement partners to identify ransomware perpetrators and bring them to justice.”

The announcement comes a day after the joint advisory from top cybersecurity officials in the U.S. and their counterparts in multiple countries detailing the threat from LockBit, which the advisory said was the most deployed ransomware variant in 2022. The variant is associated with more than 1,400 attacks in the U.S. and around the world, according to the Department of Justice.

According to the complaint filed by prosecutors, Astamirov owned and controlled email addresses, an IP address and a cloud services account associated with the deployment of LockBit attacks. Astamirov “executed” attacks on victims in Florida, Tokyo, Virginia, France and Kenya dating back to August 2020, according to the complaint. Astamirov received at least 80 percent of the ransom payment made in Bitcoin with one of the attacks, the complaint alleges.

FBI agents interviewed Astamirov in May and searched several devices, including his phone and a laptop computer, according to the complaint.

Microsoft identifies new hacking unit within Russian military intelligence
https://cyberscoop.com/microsoft-gru-russia-ukraine-hacking/
Wed, 14 Jun 2023 16:00:00 +0000
Dubbed "Cadet Blizzard," the hacking group carried out operations targeting Ukrainian infrastructure in the run-up to the Russian invasion.

On Jan. 13, 2022, about five weeks before Russia’s full-scale invasion of Ukraine, Russian hackers carried out one of the first cyberattacks in the run-up to the conflict.

Posing as ransomware, the malware worked in two stages: First, it would overwrite the master boot record with a ransom note, pointing victims to a bitcoin wallet and demanding a relatively paltry $10,000 to recover corrupted files. Then it would download and deploy file corrupter malware, targeting files in particular directories to be overwritten. But the operation was a ruse: There was no way to recover the files.

Two days after the malware was deployed, Microsoft researchers published an analysis of the destructive tool, dubbing it WhisperGate. By May, officials in Ukraine, the United States and the United Kingdom had attributed the attack to units working under Russia’s Main Intelligence Directorate (GRU).

A year later, Microsoft researchers have determined that the unit behind that attack is an active and distinct group within the GRU, responsible for website defacements, destructive attacks, cyber espionage and hack-and-leak operations. In a report published Wednesday, Microsoft concludes that a group it is calling “Cadet Blizzard” is behind a wave of attacks since February 2023 targeting not only Ukraine, but also NATO member states providing military assistance to Ukraine.

Wednesday’s report for the first time identifies the activity as distinct from other GRU-affiliated cyber operations, which include the group widely tracked as Sandworm, believed to be responsible for multiple attacks on Ukraine’s electric grid in recent years. Hacking operations linked to the GRU are considered among the most destructive and potent in the Russian-affiliated hacking ecosystem.

“The emergence of a novel GRU affiliated actor, particularly one which has conducted destructive cyber operations likely supporting broader military objectives in Ukraine, is a notable development in the Russian cyber threat landscape,” the researchers said Wednesday, while noting that the group’s attacks are generally less successful than more sophisticated and prolific Russian hacking groups, such as Sandworm.

Russian hacking groups have either refrained from or failed to carry out spectacular cyber attacks targeting Ukrainian critical infrastructure as part of the Kremlin’s attempt to overthrow the government in Kiev. But Russian hacking groups have nonetheless remained active in the conflict, carrying out attacks to wipe Ukrainian computer systems and carry out information operations — the type of action that is emblematic of Cadet Blizzard.

Dating to at least 2020, Cadet Blizzard’s activity includes attacks around the world — in Europe, Latin America and Central Asia — with a particular focus on government services, law enforcement, nonprofits/NGOs, IT service providers and emergency services, the researchers said. The group has consistently targeted IT and software providers, the researchers added, given that one successful attack can lead to multiple downstream compromises.

Microsoft characterizes the group as a conventional network operator that works without bespoke malware or tooling. “Unlike other Russian-affiliated groups that historically prefer to remain undetected to perform espionage, the result of at least some notable Cadet Blizzard operations are extremely disruptive and are almost certainly intended to be public signals to their targets to achieve the larger objective of destruction, disruption, and possibly, intimidation,” the researchers noted.

Cadet Blizzard’s activity overlaps with other cyber operations that “may have a broader scope or a nexus outside of Russia,” including connections to a group Microsoft tracks as Storm-0587, denoting an unattributed activity. That group is linked to malware known as SaintBot, a downloader that can be configured to deliver nearly any other payload. Cadet Blizzard also has support from “at least one private sector enabler organization within Russia,” the researchers noted.

Cadet Blizzard normal operational lifecycle (Microsoft Threat Intelligence Center).

The group uses a hacktivist front called “Free Civilian” to publish and share stolen data, according to the report. Free Civilian posted and leaked stolen Ukrainian government data from various sources on its website in January 2022 ahead of the invasion. The organizations whose data was leaked “strongly correlated to multiple Cadet Blizzard compromises earlier in 2022,” the researchers said, suggesting “that this forum is almost certainly linked to Cadet Blizzard.”

Front page of the Free Civilian website (Microsoft Threat Intelligence Center).

On Feb. 21, 2023, Free Civilian launched a Telegram channel. The next day, a post in Russian began: “Hello, long time no see,” followed by promises of data from a range of Ukrainian government agencies and a message mocking Ukraine’s Cyber Police and its security service.

The channel has continued to post stolen data and references to stolen data, including as recently as April 26. The channel had just over 1,300 subscribers as of Wednesday, with most posts “getting at most a dozen reactions as of the time of publication,” the researchers said, “signifying a low user interaction.”

A separate private channel likely operated by the group offers access to stolen data. The administrators of that channel have to manually approve requests to join, and as of Wednesday the channel had 779 members.

Researchers unpack massive email scam targeting dozens of companies
https://cyberscoop.com/bec-scam-business-email-compromis/
Tue, 13 Jun 2023 11:00:00 +0000
The campaign is the latest case of business email compromise, which costs victims billions of dollars annually.

When researchers at the cybersecurity firm Sygnia responded earlier this year to a compromised email account at an unnamed company, they stumbled upon a sprawling campaign of business email compromise involving dozens of organizations whose infrastructure the attackers used to go after additional victims.

The hackers would compromise an employee’s email account at a given company, bypass Microsoft Office 365 authentication, and gain persistent access to the account. Then, they would use that account to go after other targets.

“The phishing mails spread in a worm-like fashion from one targeted company to others and within each targeted company’s employees,” researchers with the Israeli cybersecurity firm said in a report published Tuesday. “All analyzed emails contain the same structure, only differing in their title, senders’ account and company, and attached link.”

Sygnia’s investigation revealed that the attack was part of a broad campaign of business email compromise, or BEC, that potentially affected dozens of organizations around the world; the company would not say exactly how many.

The report comes on the heels of a recent FBI public service announcement estimating that BEC compromises were linked to more than $50 billion in actual and attempted losses across more than 275,000 attacks between 2013 and 2022. The FBI reported that between December 2021 and December 2022 there was a 17% increase in identified actual and attempted losses worldwide, with a particular focus on the real estate sector.

“In the past few years, Sygnia’s IR teams have engaged in numerous incidents in which world-wide organizations were targeted by BEC attacks,” Sygnia’s researchers wrote in their report. “While some of these attacks were focal and concentrated, some were widely spread and affected massive number of cross-sectors victims.”

In the campaign detailed on Thursday, targets were sent an email with a link to a “shared document,” leading to a file sharing website with a previously compromised legitimate company name in the URL. Trying to view the document brought up a page showing that the contents were protected by Cloudflare, a tactic likely designed to prevent proactive analysis of the site showing where it would lead, the researchers said.

Getting through the Cloudflare wall led to a fraudulent Microsoft authentication site generated by a phishing kit, which was being hosted on a domain with varying IP addresses over time, with the most recent dating to January 2023. Records associated with the domain itself had been updated on June 2, suggesting an ongoing campaign.

In all, the investigation revealed more than 170 domains and subdomains connected to the attacker’s infrastructure, with further analysis revealing nearly 100 malicious files communicating back to the infrastructure, some of which were related to the FormBook infostealer malware family, the researchers said.

DOJ charges two Russian nationals with historic Mt. Gox hack
https://cyberscoop.com/doj-russian-nationals-mt-gox/
Fri, 09 Jun 2023 16:37:26 +0000
Alexey Bilyuchenko is also alleged to have conspired with a Russian man seeking to be included in a swap for an imprisoned U.S. journalist.

The Justice Department unsealed charges Friday naming two Russian nationals as conspirators in laundering approximately 647,000 bitcoin stolen more than a decade ago in a hack of the now-defunct cryptocurrency exchange Mt. Gox.

Alexey Bilyuchenko, 43, and Aleksandr Verner, 29, allegedly gained unauthorized access in 2011 to a server holding wallets belonging to the exchange and continued to launder funds through 2017. At the time, Mt. Gox was the largest cryptocurrency exchange in existence, handling a majority of bitcoin transactions globally.

The theft — valued at some $450 million — was the biggest ever suffered by the cryptocurrency industry at that point and led to Mt. Gox’s bankruptcy in 2014.

“Alexey Bilyuchenko and Aleksandr Verner thought they could outsmart the law by using sophisticated hacks to steal and launder massive amounts of cryptocurrency, a novel technology at the time, but the charges unsealed demonstrate our ability to tenaciously pursue these alleged criminals, no matter how complex their schemes, until they are brought to justice,” Damian Williams, the U.S. attorney for the Southern District of New York, said in a statement.

As part of the money laundering scheme, prosecutors allege that Bilyuchenko and Verner entered into a fraudulent contract with a bitcoin brokerage service in the Southern District of New York to liquidate and transfer more than $6.6 million to overseas bank accounts.

Prosecutors allege that Bilyuchenko used proceeds from Mt. Gox to conspire with Russian national Alexander Vinnik to operate BTC-e, one of the world’s largest cryptocurrency exchanges and a key money laundering hub for cybercriminals. Vinnik was arrested in Greece in 2017 on a 21-count indictment related to BTC-e, which allegedly helped launder more than $4 billion in criminal proceeds.

Between 2011 and 2017, BTC-e served more than one million users worldwide and received criminal proceeds of “numerous computer intrusions and hacking incidents, ransomware events, identity theft schemes, corrupt public officials, and narcotics distribution rings,” according to the U.S. Justice Department.

Vinnik was extradited to the United States in August and has recently lobbied to be a part of a prisoner swap between Russia and the United States that might include the imprisoned U.S. journalist Evan Gershkovich.

On Friday, the Northern District of California also charged Bilyuchenko with money laundering conspiracy and operating an unlicensed money services business that prosecutors allege was used to enable criminal activity, including ransomware attacks and malicious hacking.

“Bilyuchenko and his co-conspirators will learn that the Department of Justice has long arms and an even longer memory for crimes that harm our communities,” Ismail J. Ramsey, the U.S. attorney for the Northern District of California said in a statement.

The post DOJ charges two Russian nationals with historic Mt. Gox hack appeared first on CyberScoop.

US cyber officials offer technical details associated with CL0P ransomware attacks https://cyberscoop.com/cisa-cl0p-ransomwarae-moveit-transfer-attack/ Wed, 07 Jun 2023 20:00:00 +0000 https://cyberscoop.com/?p=74666 CISA and the FBI offered details to help organizations protect themselves against the group that has claimed hundreds of victims.

The post US cyber officials offer technical details associated with CL0P ransomware attacks appeared first on CyberScoop.

The U.S. government’s top cybersecurity agency and the FBI on Wednesday shared technical details associated with the CL0P ransomware group after the group claimed responsibility for infiltrating a popular file transfer service, exposing companies globally to further attacks.

Hackers with the group exploited a previously unknown vulnerability in the MOVEit Transfer file transfer software, which the group said it used to attack “hundreds of companies” as “part of exceptional exploit.” CL0P said this week it would give affected companies until June 14 to contact it and begin negotiating a price for their data. If a deal can’t be reached within three days, or the company does not get in touch, the group said it will publish the data.

Screenshot from the CL0P leaks website (CyberScoop).

The CL0P ransomware variant evolved from CryptoMix ransomware, according to the FBI and the Cybersecurity and Infrastructure Security Agency’s Wednesday advisory. It started as a typical ransomware-as-a-service platform — where a core group of developers lease access to the malware and other infrastructure to “affiliates” and split any profits — and was known for its double extortion method of stealing and encrypting data and then publishing that data on its leak website. The group is also known to sell access to compromised networks to others — acting as what is known as an initial access broker — as well as operating a large botnet specializing in financial fraud and phishing attacks, the advisory said.

The group has been tied to compromises of more than 3,000 U.S. organizations and 8,000 worldwide, Wednesday’s advisory said. CL0P told Bleeping Computer that it was moving away from encryption and preferred extortion based on data theft alone, the news site reported Tuesday.

CL0P first emerged in 2015 and has been associated with deploying other groups’ malware, but has in recent years been developing custom code, according to cybersecurity firm Secureworks. The group, which Secureworks tracks as GOLD TAHOE, attacked the Accellion File Transfer Appliance in a pair of attacks in December 2020 and January 2021, affecting a range of downstream targets including hospital records, universities, insurance firms and others.

“The majority of MOVEit Transfer servers are located in the U.S. and the Secureworks Counter Threat Unit is aware of victims in the U.S.,” said Rafe Pilling, director of threat research for the Secureworks CTU. Known victims include several British companies such as British Airways, Boots and the BBC, who all shared a payroll provider that was a victim of the MOVEit attack, Pilling added. “This is likely just the tip of the iceberg in terms of potential future data disclosures.”

Censys, a company that tracks internet-connected devices, reported June 2 seeing nearly 3,800 MOVEit Transfer hosts online across nearly a dozen countries, primarily the U.S., spanning industries including the financial sector, education, U.S. federal agencies and state governments.

“Although the exact version of the software cannot be determined with scans, it is highly improbable that all of these hosts have been patched against the newly discovered vulnerability,” the company said in a blog post.

More recently, in January 2023, CL0P targeted the GoAnywhere file transfer service, claiming more than 130 downstream victims in that attack, according to TechCrunch. In that case, the group sent ransom notes to executives, pressuring them to negotiate directly with the group or have their data leaked, Wednesday’s government advisory noted.

The earliest MOVEit exploitations were detected on May 27, resulting in the deployment of web shells and data theft, according to Google Cloud’s Mandiant, with data theft occurring “within minutes” in some cases. Another company, GreyNoise, reported scanning activity involving the login page for MOVEit Transfer and the particular file associated with this attack as far back as March 3.
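Both of the signals in that timeline, scanning of the product’s login page and the appearance of a web shell, leave traces in ordinary web-server access logs. The following script is an added example written for this article, not code from CyberScoop, Mandiant, GreyNoise or Progress Software. It assumes a placeholder login path (`/login.aspx`), a placeholder allowlist of the ASPX files the application is known to ship, and constructed sample log lines; a real deployment would substitute the product’s actual login URL and build the allowlist from the files present in the install directory.

```python
"""Access-log triage for the two signals described above: scanning of the
file-transfer login page, and requests for an ASPX file the application is
not known to ship, which is how a dropped web shell shows up in logs.
Added example; paths, allowlist, thresholds and log lines are constructed
placeholders, not data from the article."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log-format line (Apache style; IIS logs can be exported the same way).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumed placeholders: substitute the product's real login URL and build the
# allowlist from the ASPX files actually present in the install directory.
LOGIN_PATH = "/login.aspx"
KNOWN_ASPX = {"/login.aspx", "/files.aspx", "/api.aspx"}
SCAN_THRESHOLD = 5                   # hits to the login page ...
SCAN_WINDOW = timedelta(seconds=60)  # ... within this window counts as scanning


def parse_line(line):
    """Return a dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # Drop the query string and lower-case so "/Login.aspx?x=1" matches "/login.aspx".
    rec["path"] = rec["path"].split("?", 1)[0].lower()
    return rec


def find_login_scanners(records):
    """Map source IP -> peak number of login-page hits inside SCAN_WINDOW,
    for IPs whose peak reaches SCAN_THRESHOLD (sliding window per IP)."""
    hits = defaultdict(list)
    for r in records:
        if r["path"] == LOGIN_PATH:
            hits[r["ip"]].append(r["ts"])
    scanners = {}
    for ip, times in hits.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > SCAN_WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= SCAN_THRESHOLD:
            scanners[ip] = best
    return scanners


def find_unknown_aspx(records):
    """Map unknown .aspx path -> (first seen, source IP, method, status).
    Any such file is a web-shell candidate until the install is checked."""
    first_seen = {}
    for r in records:
        if r["path"].endswith(".aspx") and r["path"] not in KNOWN_ASPX:
            first_seen.setdefault(r["path"], (r["ts"], r["ip"], r["method"], r["status"]))
    return first_seen


def triage(lines):
    """Run both detections over raw log lines; unparseable lines are skipped."""
    records = [r for r in (parse_line(line) for line in lines) if r]
    return {
        "scanners": find_login_scanners(records),
        "unknown_aspx": find_unknown_aspx(records),
    }


# Constructed sample log: one scanner, one normal user, one web-shell drop,
# one unparseable line. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2023:12:00:01 +0000] "GET /login.aspx HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jun/2023:12:00:04 +0000] "GET /login.aspx HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jun/2023:12:00:09 +0000] "GET /Login.aspx?x=1 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jun/2023:12:00:15 +0000] "GET /login.aspx HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jun/2023:12:00:22 +0000] "GET /login.aspx HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jun/2023:12:00:30 +0000] "GET /login.aspx HTTP/1.1" 200 5120
198.51.100.7 - - [10/Jun/2023:12:01:00 +0000] "GET /login.aspx HTTP/1.1" 200 5120
198.51.100.7 - - [10/Jun/2023:12:01:20 +0000] "POST /login.aspx HTTP/1.1" 302 0
198.51.100.7 - - [10/Jun/2023:12:01:21 +0000] "GET /files.aspx HTTP/1.1" 200 8800
203.0.113.9 - - [10/Jun/2023:12:05:00 +0000] "POST /uploadx.aspx HTTP/1.1" 200 1024
203.0.113.9 - - [10/Jun/2023:12:05:02 +0000] "POST /uploadx.aspx HTTP/1.1" 200 65536
not a log line
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for ip, n in report["scanners"].items():
        print(f"scanner {ip}: {n} login-page hits within {SCAN_WINDOW}")
    for path, (ts, ip, method, status) in report["unknown_aspx"].items():
        print(f"unknown aspx {path}: first {method} from {ip} at {ts:%Y-%m-%d %H:%M:%S} ({status})")
```

The allowlist check is the more reliable of the two: a single request to an ASPX file that was never part of the install is worth an immediate look, whereas the login-page threshold needs tuning against normal traffic and will also fire on benign uptime monitors. On the sample log the script reports 203.0.113.5 as a scanner (six login-page hits in under a minute) and flags the first POST to /uploadx.aspx from 203.0.113.9.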

On May 31, Progress Software Corporation, the company that owns MOVEit, posted its first notice of the situation and began releasing patches. The vulnerability exploited by CL0P, CVE-2023-34362, affected all MOVEit Transfer versions, the company said.

“CISA remains in close contact with Progress Software and our partners at the FBI to understand prevalence within federal agencies and critical infrastructure,” CISA Executive Director for Cybersecurity Eric Goldstein said in a statement. “Today’s joint advisory provides timely steps that organizations can take to protect against and reduce the impact of CL0P ransomware or other ransomware threat. CISA continues to work diligently to notify vulnerable organizations, urge swift remediation, and offer technical support where applicable. Potentially impacted organizations should reach out to CISA via cisa.gov/report or your regional cybersecurity representative.”


The 2024 race promises to be ‘very, very active’ in terms of foreign and domestic meddling, says former CISA chief https://cyberscoop.com/chris-krebs-election-security-2024/ Thu, 01 Jun 2023 20:58:40 +0000 https://cyberscoop.com/?p=74520 Chris Krebs said he expects to see Russia, China and Iran — and even domestic groups — attempt to influence and disrupt the presidential race.

The post The 2024 race promises to be ‘very, very active’ in terms of foreign and domestic meddling, says former CISA chief appeared first on CyberScoop.

The former head of the U.S. Cybersecurity and Infrastructure Security Agency, whom President Trump fired over his comments about the 2020 election, said he fully expects American adversaries such as Russia and China to meddle in the next election through a range of activities to disrupt or influence the vote.

“If we thought 2020 was active, there are more motivations for foreign actors to muck around from an influence perspective, certainly, but perhaps even from an interference perspective,” Chris Krebs, currently a partner at the consulting firm Krebs Stamos Group, told CyberScoop in an interview on Thursday. Drawing a distinction between what he sees as “influence” (the shaping of public opinion) and “interference” (attacking election infrastructure), Krebs said he’s “fully expecting a very, very active threat landscape.”

Given the state of Russia’s faltering military campaign in Ukraine, he wouldn’t be surprised if Russia once again tried to interfere in the vote and attempted to “muck it up.” He also said that increased geopolitical tensions between Washington and Beijing could be enough reason for China to reengage with influence operations. Furthermore, he said, Iran could take “another whack at it” since it was actively involved in 2020.

Krebs’ comments come on the heels of a New York Times report that Jack Smith, the special counsel investigating Trump’s effort to overturn the 2020 election, has subpoenaed Trump administration officials involved in Krebs’ firing from his position leading CISA. Following the 2020 election, Krebs’ agency, which was responsible for overseeing election security issues, issued a statement attesting to the integrity of the election results. That statement infuriated Trump, who fired Krebs five days after it was issued.

Prosecutors in Smith’s office are examining efforts by Trump aides to test the loyalty of government officials to the president, and Krebs has testified before the inquiry, according to the Times.

Krebs would not discuss the special counsel’s investigation on Thursday but said that he expects the 2024 election will feature similar narratives that marked the 2020 contest. “We’ve got a very hypercharged political environment, and I would expect to see some of the same sort of misbehavior — to put the term lightly — that was on in 2020 return in ‘24,” Krebs said. 

As the election ramps up, Krebs said that he expects domestic political actors — ranging from political action committees to militia groups — to embrace some of the tactics used by foreign groups to meddle in the election. “What we’re seeing is some of the playbooks of foreign adversaries are being adopted by domestic actors,” Krebs said.

Amid widespread conspiracy theories about the integrity of the 2020 election, poll workers have been subjected to violent threats, and Krebs said the resulting departure of many of these workers from their jobs represents perhaps the greatest threat to the 2024 election.

Asked what messaging he expects Trump will adopt regarding the integrity of the 2024 election, Krebs demurred: “Don’t even want to think about it.”

