Treasury Department Archives | CyberScoop https://cyberscoop.com/tag/treasury-department/

Treasury sanctions two Russian intelligence officers for election influence operations https://cyberscoop.com/treasury-sanctions-russian-election-influence/ Fri, 23 Jun 2023 17:12:38 +0000

The charges follow a grand jury indictment alleging that the officers engaged in years-long international election influence campaigns.

The post Treasury sanctions two Russian intelligence officers for election influence operations appeared first on CyberScoop.

The Treasury Department issued sanctions on Friday against two Russian intelligence officers for their alleged role in global election influence operations that included recruiting political groups within the U.S. to distribute pro-Moscow propaganda.

“The Kremlin continues to target a key pillar of democracy around the world — free and fair elections,” Brian Nelson, under secretary at the Office of Terrorism and Financial Intelligence at the Treasury Department, said in a statement. “The United States will not tolerate threats to our democracy, and today’s action builds on the whole of government approach to protect our system of representative government, including our democratic institutions and elections processes.”

Aleksey Borisovich Sukhodolov and Yegor Sergeyevich Popov, both Moscow-based officers of the Russian Federal Security Service, or FSB, were directly engaged in a years-long effort to recruit local “co-optees” to influence elections in ways that benefit the Kremlin, the Treasury said. “In support of its influence operations, Russia has recruited and forged ties with people and groups around the world who are positioned to amplify and reinforce Russia’s disinformation efforts to further its goals of destabilizing democratic societies.”

The sanctions announcement Friday follows a criminal indictment against Sukhodolov and Popov that the Department of Justice unsealed in April alleging the two were involved in a years-long campaign to influence elections. The U.S. government has also said the two are suspected of attempting to sway elections in Ukraine, Spain, the United Kingdom and Ireland.

According to the Treasury Department, Popov was the main handler for “co-optees” Aleksandr Viktorovich Ionov and Natalya Valeryevna Burlinova, who were previously sanctioned by the Treasury Department and have also been indicted for their alleged activities. “From as early as 2015 through at least 2022, Popov worked with Burlinova and oversaw her activities on behalf of the FSB,” Treasury said.

Ionov and Burlinova influenced multiple U.S. individuals and political groups in an effort “to create or heighten divisions within the country,” according to a sanctions announcement in July 2022.

While it’s unlikely any of the four Russians sanctioned by the U.S. government and facing charges related to election interference will see the inside of an American court, the actions are part of a broader government effort to push back more aggressively against foreign influence on elections, which many experts expect to increase ahead of the 2024 presidential campaign.

Former Cybersecurity and Infrastructure Security Agency Director Chris Krebs said earlier this month to expect a “very, very active threat landscape” concerning election influence and interference.

Biden’s budget seeks increase in cybersecurity spending https://cyberscoop.com/biden-budget-2023/ Thu, 09 Mar 2023 17:10:12 +0000

President Biden’s budget proposes making technology investments across the federal government and implementing his cyber strategy.

President Biden’s budget proposal for fiscal year 2024 calls for wide-ranging investments to boost the cybersecurity resilience of the U.S. government and to implement his recently released cyber strategy, which calls for a whole-of-government approach to boosting U.S. digital defenses.

With Republicans in control of the House of Representatives, Biden’s budget has no chance of being passed into law. Instead, the proposal released Thursday represents a signaling document ahead of what is likely to be a bitter negotiation between Republicans and Democrats over government spending levels.

In a message to Congress accompanying the proposal, President Biden said, “this Budget cements our commitment to confronting global challenges and keeping America safe,” including by advancing cybersecurity.

Biden’s budget proposes boosting cybersecurity-focused programs across a range of agencies.

The Cybersecurity and Infrastructure Security Agency would get a total of $3.1 billion, an increase of $145 million compared to last year. That includes $98 million to implement the Cyber Incident Reporting for Critical Infrastructure Act and $425 million to improve internal cybersecurity and analytical capabilities.

The budget also aims to improve the Federal Bureau of Investigation’s ability to carry out cyber-focused investigations via an additional $63 million for “more agents, enhanced response capabilities, and strengthened intelligence collection and analysis capabilities.”

“These investments are in line with the National Cybersecurity Strategy that emphasizes a whole-of-nation approach to addressing the ongoing cyber threat,” the budget notes.

The budget also requests a significant sum to support Ukraine’s digital defense: $753 million “for Ukraine to continue to counter Russian malign influence and to meet emerging needs related to security, energy, cybersecurity, disinformation, macroeconomic stabilization, and civil society resilience.”

The budget would provide an additional $200 million for the Technology Modernization Fund, which provides investments aimed at delivering “excellent, equitable, and secure services and customer experience by identifying opportunities to leverage technology across agencies and investing in IT modernization, cybersecurity, and user-facing services.”

Biden’s budget also includes $14 million in funding for new Violence Against Women Act (VAWA) programs to “address cybercrimes against individuals.”

An additional $245 million will fund the cybersecurity and resilience of clean energy technologies championed by the Biden administration.

The budget would allocate $395 million to the State Department’s Bureau of Cyberspace and Digital Policy and to fund USAID’s Digital Strategy, digital connectivity efforts under the Partnership for Global Infrastructure and Investment and regional initiatives like Digital Transformation with Africa. The funds include cybersecurity efforts but also address other aspects of online security, including digital safety for LGBTQ individuals, supply chain security, data sharing and privacy.

The Treasury Department would get an additional $115 million above 2023 funding to increase network defense at the department, including implementing zero-trust architecture.

US, UK sanction members of ‘notorious cyber gang’ TrickBot https://cyberscoop.com/us-uk-sanction-trickbot-russia-ransomware/ Thu, 09 Feb 2023 14:54:04 +0000

The sanctions are just the latest in a string of U.S. government actions against ransomware operators around the world.

The U.S. and British governments on Thursday announced sanctions on seven people affiliated with the Russia-based TrickBot cybercrime gang, noting the group’s extensive history of criminal activity and some members’ affiliation with Russian intelligence services.

A statement issued by the U.S. Treasury Department referred to the group as a “notorious cyber gang,” and said the sanctions mean that all property and interests in property held by the named individuals in the U.S. or controlled by Americans must be blocked and reported to Treasury’s Office of Foreign Assets Control. Thursday’s action marks the first time the British government issued sanctions over ransomware, the British government said in a statement.

The sanctions are just the latest in a series of aggressive actions taken by the U.S. government against ransomware operators and their infrastructure. On Jan. 26, the Department of Justice announced it had seized servers and the website connected to the Hive ransomware group. That announcement came a week after Anatoly Legkodymov, a Russian national living in China, was arrested in Miami in connection with running Bitzlato, a cryptocurrency exchange the government called “a haven for criminal proceeds and funds.”

Both countries’ statements highlight the connections to Russian intelligence services. “The Trickbot Group’s preparations in 2020 aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services,” Treasury said in its statement. “This included targeting the U.S. government and U.S. companies.” The British government said that “key group members highly likely maintain links to the Russian Intelligence Services from whom they have likely received tasking.”

“Cyber criminals, particularly those based in Russia, seek to attack critical infrastructure, target U.S. businesses, and exploit the international financial system,” Treasury Under Secretary Brian E. Nelson said in a statement. “The United States is taking action today in partnership with the United Kingdom because international cooperation is key to addressing Russian cybercrime.”

U.S. Secretary of State Antony Blinken said in a statement that the joint action “demonstrates our continued commitment to collaborating with partners and allies to address Russia-based cybercrime, and to countering ransomware attacks and their perpetrators. As Russia’s illegal war against Ukraine continues, cooperation with our allies and partners is more critical than ever to protect our national security.”

Named in Thursday’s action were: Vitaly Kovalev, Maksim Mikhailov, Valentin Karyagin, Mikhail Iskritskiy, Dmitry Pleshevskiy, Ivan Vakhromeyev and Valery Sedletski.

The names of some of the men sanctioned Thursday were posted online in the days after the Russian invasion of Ukraine through a Twitter account called “trickleaks,” which posted a message March 4, 2022: “We have evidence of the FSB’s cooperation with members of the Trickbot criminal group (Wizard Spider, Maze, Conti, Diavol, Ruyk).”

Mikhailov, for instance, was known by the name “baget,” and a file with his image and detailed personal information was included in the leak. Vakhromeyev, known as “mushroom,” also appeared in the leaks.

Inside TikTok’s proposal to address US national security concerns https://cyberscoop.com/tiktok-national-security-cfius/ Fri, 27 Jan 2023 17:45:01 +0000

TikTok has presented a detailed proposal to a secretive federal panel that will decide its future in the U.S.; the plan relies extensively on the American tech giant Oracle to mitigate perceived security risks of the viral video app.

A TikTok official speaking on condition of anonymity described the company’s proposal to the Committee on Foreign Investment in the United States to CyberScoop. Aspects of the proposal, known as Project Texas (a likely reference to Oracle’s Austin headquarters), have been previously reported and briefed to members of civil society, but as negotiations have stalled with CFIUS, which will decide whether the company can continue to operate in the U.S., the company has begun to describe the proposal in greater technical detail. 

Under the terms of the proposal, TikTok would divulge core segments of its technology to Oracle and a set of third-party auditors who would verify that the app is not promoting content in line with Beijing’s wishes or sharing U.S. user data with China. 

“Project Texas effort clearly reflects a serious effort to address U.S. government concerns and has been informed by years of negotiation,” said Samm Sacks, a senior fellow at Yale Law School’s Paul Tsai China Center who has been briefed on the plan. “My key takeaway is that you don’t have to trust TikTok or the Chinese government, because at least from what I can understand of the contours of this plan is that the U.S. government would have the ultimate oversight and monitoring of compliance with whatever they agree to.”

The proposal from TikTok, which is owned by the Chinese company ByteDance, represents an attempt to end a battle between TikTok and the U.S. government dating back to the Trump administration over whether it represents a national security threat. In 2020, President Trump attempted to ban the app and force its sale to a U.S. firm. That effort collapsed, and when President Biden entered office, he rescinded the ban, which had been ruled unlawful in U.S. courts. Yet, calls to outlaw TikTok have resurfaced over the past year, and nearly half of all states have moved to ban the app on government-owned devices. 

The ongoing debate over whether to allow TikTok to continue operating in the U.S. raises complex questions about the app’s hugely influential role in the American information ecosystem and in popular culture. At a time when Washington and Beijing are engaged in a wide-ranging conflict over who will control the technologies of tomorrow, who will control TikTok represents perhaps its most consequential battleground.

Corporate structures, gateways and audits

To address concerns that ByteDance’s ownership of TikTok would allow Beijing to influence the app, the proposal as described to CyberScoop would house TikTok’s American operations that are relevant to national security in a separate corporate entity — TikTok U.S. Data Security. The new organization would have an independent board of directors to be approved by CFIUS, a Treasury Department-led panel that reviews foreign investments, and a staff expected to total 2,500 to run the American version of the app and review U.S. content moderation policies. By virtue of its corporate structure and a technical infrastructure based in the United States, the proposal envisions a U.S. version of TikTok shielded from its Chinese owners. 

As described by the TikTok official, the company’s proposal relies on Oracle to operate so-called “gateways” that would wall off the U.S. app and American user data from the rest of the world. In doing so, these gateways would only allow data permitted by CFIUS to transit from the walled-off U.S. version to infrastructure elsewhere in the world. A third party would verify that U.S. user data has been deleted once transferred to the U.S. system. “No bit or byte goes in or out of the Oracle cloud unless it goes through these gateways, and only data that is permitted by CFIUS is allowed,” the official said.  

TikTok’s proposal relies on Oracle and a yet-to-be-identified third party to audit the app’s source code and recommendation algorithm. To ensure that the code base reviewed by Oracle is the same code that makes it onto users’ phones, Oracle would compile the app and deliver it to app stores. 

Taken together, the proposal aims to sever TikTok from Beijing. “This independent board reports to CFIUS it doesn’t report to global TikTok or to ByteDance,” Sacks said. “We’re talking about fully localizing the data access, the recommendation system, source code, personnel within a multi-layered system of U.S. government oversight.”

A spokesperson for TikTok said the company is beginning to implement provisions of the agreement as negotiations with CFIUS continue. “This is a comprehensive package of measures with layers of government and independent oversight to ensure that there are no backdoors into TikTok that could be used to manipulate the platform,” said Brooke Oberwetter. “These measures go beyond what any peer company is doing today on security.” 

For Washington policymakers, the perceived threat from TikTok is two-fold: that by amassing 100 million American users, China has a powerful trove of personal data to feed its data-hungry surveillance systems and that the app’s powerful algorithm gives Beijing a powerful propaganda tool.

To allay these fears, TikTok has taken a more transparent approach in describing the data-protection measures it is putting in place to prevent the forced sale of the company or a ban from the U.S. The company has stepped up its PR operation, too, with TikTok and ByteDance collectively spending $1.2 million on lobbying in the fourth quarter of last year and hiring blue-chip Washington powerbrokers, such as one-time Senate minority leader Trent Lott, the quintessential Southern Good Old Boy politician turned influence peddler.

So far, its proposals and PR push have done little to mollify its most strident critics. “As long as TikTok remains under the ownership of ByteDance, a firm that is legally beholden to the Chinese Communist Party, no deal will ever address the app’s major security concerns,” Sen. Marco Rubio, the Florida Republican, told CyberScoop. “TikTok should be fully divested from Chinese ownership, or it should be banned from the United States altogether.”

‘A game of cat and mouse’

With 100 million users, TikTok is reshaping the social media landscape in the United States, and with 1 billion users globally, it represents one of the few real threats to the dominant social media platforms owned by Meta. TikTok’s meteoric popularity hinges on the company’s artificial intelligence technology, which powers the app’s recommendation engine. Rather than relying on a user’s social graph to determine what content to display, TikTok plumbs the app’s entire content library to decide what it shows. That recommendation engine can figure out what content users will engage with — and keep them coming back for more.

The recommendation engine lies at the heart of fears that Beijing could subvert the app. Decisions made by recommendation systems can be difficult to understand from the outside — a phenomenon AI experts call the “black box” problem — and their opaque nature means that Beijing could in theory secretly choose what content to promote and suppress. 

TikTok proposes to address these problems by relying on Oracle to audit its recommendation algorithm and ensure the algorithm isn’t suppressing content that China doesn’t like. “They’re going to make sure that the model that takes down videos with too much skin isn’t also taking down anti-China content,” the TikTok official said. “Oracle can review the algorithms, the software, the data models, exactly how all the stuff works.”

TikTok’s proposal places immense responsibility on Oracle — and as-yet-unidentified third-party auditors — to address concerns regarding the code base, the algorithm and data security. 

While the exact size of TikTok’s code base is unknown, computer security experts estimate that it could be more than 1 million lines of code — and perhaps larger. Inspecting such a large code base for flaws or backdoors represents a herculean task. A third-party auditor will carry out a separate review, but that auditor can’t be identified until CFIUS signs off on the proposal. 

Auditing TikTok’s algorithm represents an equally challenging task. Understanding why recommendation algorithms make certain decisions represents a difficult computer science problem, and while there have been advances in recent years to build auditable algorithms, it remains unclear whether TikTok’s proposal will satisfy questions about whether the app’s algorithm is — or could be — subverted by Beijing. 

“It’s not as though these recommendation algorithms are set in stone things — they are an agile piece of software in and of themselves,” said Klon Kitchen, a technology expert at the American Enterprise Institute. “How can you meaningfully assess the reliability of something that is always changing by definition?” 

Oracle will be responsible for operating the gateways that sit at the border of the U.S. version of TikTok, overseeing data flows from inside the U.S. entity to the rest of the world and ensuring that only data approved by CFIUS passes through the gateway. Pellaeon Lin, a senior fellow at Citizen Lab who has studied TikTok’s privacy and security features, said maintaining the integrity of such a system would amount to a “cat and mouse game” in which Oracle would need to constantly guard against ways to undermine the gateway regime. “It’s still technically possible to bypass the gateway just like it’s possible to bypass the Great Firewall of China.”

Oracle did not respond to an interview request for this article. 

The political battleground

Concerns about TikTok’s presence in the U.S. are as much political as they are technical. At the heart of the argument that TikTok poses a threat to America are provisions of Chinese law requiring its domestic companies to turn over data at the government’s request.

TikTok’s proposal in its totality — between its corporate governance reforms, the use of gateways to govern data transfer and source code and algorithm audits — tries to create a structure to address that concern, but for computer security experts who view these aspects of Chinese law as fundamentally incompatible with operating in the U.S., the provisions of TikTok’s proposal fall short. “What none of them do is decisively address the underlying challenge of Chinese law, which is exceedingly clear: Chinese companies and their derivative companies no matter where they operate must make every bit and byte of data that they collect or store available to the Chinese government,” Kitchen said.  

There are plenty of reasons for TikTok critics to be worried. Last year, BuzzFeed reported that “China-based employees of ByteDance have repeatedly accessed nonpublic data about U.S. TikTok users,” even as the company has pledged to transfer American user data to servers in the U.S. Later in 2022, Forbes uncovered that TikTok employees had used internal data to track journalists reporting on the company in a bid to root out leakers. Amid widespread anti-China protests in Hong Kong, the app appeared to censor content from the protest movement. And amid China’s human rights atrocities against the Uighur people, TikTok suppressed content about events in the Xinjiang region.

With no comprehensive approach to address the risks posed by TikTok, states and Congress have taken piecemeal action against the app. A growing number of states have banned TikTok from use on government devices, and Congress late last year passed a measure forbidding TikTok on federal devices. Faced with a complex proposal before CFIUS to mitigate TikTok’s security risks, Lisa Monaco, the No. 2 official at the Justice Department, is reportedly skeptical that the proposal is sufficiently “tough on China,” as The New York Times put it. Meanwhile, banning the app outright would create massive political backlash, especially among young Americans for whom the app is an essential aspect of daily life.

While the Biden administration has taken a series of aggressive moves to limit Chinese access to U.S. technology, banning an app best known for its viral dance challenges would represent a major escalation in the White House’s war on Chinese influence — at a time when Washington is seeking to cool tensions with Beijing. “The whole thing is a mess,” said a former government official who until recently sat on CFIUS and spoke on condition of anonymity to describe the difficulty of inking an agreement. 

With its narrow focus on addressing U.S. concerns, some experts see the CFIUS proposal as the first step in the United States abandoning its vision of an open internet. If approved, the proposal would fundamentally change “the way that the internet is governed,” create a “blueprint” for how other countries could force companies to localize their operations and leave U.S. companies with little credibility to push back, Sacks said. 

“We see that model in China, we see that model in the E.U.,” she added. “Now we’ve just fueled a race to the bottom on that discussion of digital sovereignty.”

With the CFIUS process seemingly frozen in place, some voices within Congress are growing impatient, and Sen. Josh Hawley, R-Mo., has said he plans to introduce a bill banning TikTok nationwide. Sen. Mark Warner, D-Va., has advocated for a more comprehensive approach for governing foreign apps. His office declined to comment for this story, but in an interview with The Washington Post earlier this week the chairman of the Senate Intelligence Committee wondered whether it’s time to take a new approach: “Is there a way that we can broadly look at foreign-based technology applications that raise serious national security concerns? … I would even argue that for some of this, that even CFIUS may not be the right venue.”

Tonya Riley contributed reporting to this article.

Ransomware costs top $1 billion as White House inks new threat-sharing initiative https://cyberscoop.com/ransomware-payments-cost-treasury/ Wed, 02 Nov 2022 01:42:15 +0000

The Treasury Department released its finding as the White House is wrapping up an international summit on fighting the ransomware problem.

U.S. financial institutions observed nearly $1.2 billion in costs associated with ransomware attacks in 2021, a nearly 200 percent increase over the previous year, according to data reported by banks to the U.S. Treasury Department and released in a report Tuesday.

The report comes amid an effort by the Biden administration to crack down on ransomware operators globally and illustrates the scale of the challenge facing law enforcement agencies and policymakers.

On Tuesday, the White House wrapped up a two-day ransomware summit, where participants agreed to stand up a voluntary International Counter Ransomware Task Force to serve as a base for coordinated disruption and threat sharing. The initiative, which will launch sometime early next year, will start with a fusion center operated out of Lithuania’s Regional Cyber Defense Center as a test case for a bigger information-sharing program.

The Treasury report, which was first reported by CNN, underscores that curbing ransomware represents a key challenge in Washington’s fractious relationship with Moscow. Of the top five ransomware variants reported during the second half of 2021, four are connected to Russia, Treasury’s Financial Crimes Enforcement Network, FinCEN, said in its report, while cautioning that it cannot definitively attribute the variants to Moscow.

The data released Tuesday represents suspicious transactions that American banks have flagged to U.S. regulators as potentially connected to ransomware, and, for that reason, experts caution that the data from the Treasury Department offers only a partial picture of the broader ransomware industry.

“The $1 billion plus reported as potential ransomware-related payments likely represents only the tip of the iceberg,” Brett Callow, a threat analyst at Emsisoft who follows ransomware developments closely, told CyberScoop Tuesday in an online chat.

FinCEN analyzed information reported under the Bank Secrecy Act by financial institutions, which are required to file Suspicious Activity Reports related to transactions potentially connected to illegal activity. The data is limited, however, and “is not a complete representation of all ransomware attacks or payments,” the agency noted. The dollar figures include extortion attempts, attempted transactions and payments that were unpaid, the agency said.

“FinCEN’s rules only impose reporting requirements on U.S. financial institutions, meaning payments by victims or financial institutions outside the U.S. are not included,” Callow said. “The report nonetheless provides an indication of the massive sums involved in the ransomware economy—which, of course, is why the ransomware problem will be so hard to solve. The cybercriminals are motivated by the potential to earn millions.”

Callow added that ransomware variants’ connections to Russia aren’t necessarily indicative of where attacks are coming from. A recent example is Sebastien Vachon-Desjardins, a Canadian man arrested in Quebec in January 2021 and sentenced in October to 20 years in U.S. prison for a series of ransomware attacks around the world as part of the NetWalker ransomware gang, which had its own connections to Russia.

Deputy Secretary of the Treasury Wally Adeyemo, who attended the White House ransomware summit, stressed the need for a global approach to the ransomware threat.

“We may approach the challenge of ransomware with a different lens — and in some cases, an entirely different set of tools — but we are all here because we know that ransomware remains a critical threat to victims across the globe and continues to be profitable for bad actors,” he said. “In fact, we know that hackers around the world consider conducting ransomware attacks the most profitable scheme on the internet. More profitable even than selling illegal drugs via dark net markets and stealing and selling stolen credit cards.”

Tackling the threat posed by ransomware turned into a major headache for the Biden administration after a pair of high-profile attacks in May 2021 — one targeting Colonial Pipeline that disrupted gas supplies to the Eastern Seaboard and another targeting meatpacker JBS. In response, the Biden administration has attempted to get more aggressive with ransomware groups by sanctioning cryptocurrency exchanges, seizing cryptocurrency proceeds from attacks and carrying out offensive operations against ransomware infrastructure.

Prior to the Russian invasion of Ukraine, U.S. officials attempted to bargain with the Kremlin to crack down on ransomware operators sheltered by Russian authorities. But in the aftermath of the Russian invasion, that diplomatic initiative appears to have hit the rocks.

In the wake of the Russian invasion of Ukraine, some prominent ransomware groups — such as Conti — fractured, but run-of-the-mill attacks on small and medium businesses by a range of ransomware groups continue at a prolific rate. Tuesday’s data from the U.S. government illustrates the financial incentives that keep these groups operating.

Tonya Riley contributed reporting to this article.

White House seeks international cooperation to thwart growing ransomware threat https://cyberscoop.com/international-ransomware-summit-white-house-russia/ Mon, 31 Oct 2022 16:18:41 +0000

During the International Counter Ransomware Summit in Washington, participants will discuss how to increase resilience against ransomware.

The post White House seeks international cooperation to thwart growing ransomware threat appeared first on CyberScoop.

The White House is convening a ransomware summit on Monday to increase global and private sector cooperation to confront a problem that continues to bedevil law enforcement agencies around the world.

The two-day International Counter Ransomware Summit includes leaders from 36 countries and the European Union who will discuss how to bolster resilience against ransomware attacks and thwart the cybercriminals behind them.

“This is really a global problem,” a senior Biden administration official said ahead of the conference in Washington. “We’re seeing the pace and the sophistication of the ransomware attacks increase faster than our resilience and disruption efforts.”

One key factor that continues to fuel the ransomware problem is the fact that some nations such as Russia, which is not included in the summit, freely harbor ransomware actors. The countries participating in the summit are currently finalizing a shared statement that will address how to put pressure on countries harboring cybercriminals, the official said.

The summit, which is in its second year, is scheduled to begin with a threat briefing from the Office of the Director of National Intelligence, the FBI and the Cybersecurity and Infrastructure Security Agency outlining the current state of the ransomware problem, including a chart of 4,000 ransomware attacks over the past 18 months, broken down by sector worldwide.

Since last year’s virtual summit, participants have “worked to increase the resilience of all the partners to disrupt cybercriminals,” including hosting two global threat exercises to prepare nations to respond to ransomware attacks, the senior official said.

Yet, as the senior official noted, the problem only continues to become more challenging, with attacks against school districts, hospitals and other critical services still a common occurrence around the globe. That includes a recent attack that shut down services for members of the CommonSpirit Health network, the second-largest healthcare network in the U.S.

The official declined to comment on ongoing investigations into the attack but said it “certainly is the reason that we’re redoubling our work,” and pointed to White House discussions with the Department of Health and Human Services about cybersecurity requirements for hospitals.

Over the two days, participants will hear from leaders across the U.S. government including FBI Director Christopher Wray, Deputy Secretary of the Treasury Wally Adeyemo and Deputy Secretary of State Wendy Sherman.

New this year will also be the participation of 13 private sector companies and organizations: CrowdStrike, Mandiant, Cyber Threat Alliance, Microsoft, Cybersecurity Coalition, Palo Alto Networks, Flexxon, SAP, Institute for Security + Technology, Siemens, Internet 2.0, Tata – TCS and Telefónica.

The Biden administration official said that one item of discussion for the summit will be putting into place information-sharing systems that will make it easier for Counter Ransomware Initiative members to share threat information.

The summit agenda is split between five working groups: resilience led by India and Lithuania, disruption led by Australia, virtual currency led by Singapore and the U.K., public-private partnerships led by Spain and diplomacy led by Germany.

The U.S. will stress the need for ongoing cooperation to thwart the illicit use of cryptocurrency by enacting strong know-your-customer standards globally.

Since the last summit, the Treasury Department has also hosted workshops for participant nations on how to use virtual currency tracing technology. The official pointed to how the U.S. is intensifying its efforts against the illicit use of cryptocurrency, including the sanctioning of Tornado Cash, a virtual currency mixer used by DPRK hackers to launder funds.

Other participating nations include Austria, Belgium, Brazil, Bulgaria, Canada, Croatia, Czech Republic, the Dominican Republic, Estonia, the European Commission, France, Ireland, Israel, Italy, Japan, Kenya, Lithuania, Mexico, the Netherlands, New Zealand, Nigeria, Norway, Poland, Republic of Korea, Romania, South Africa, Sweden, Switzerland, Ukraine and the United Arab Emirates.

Treasury fines virtual currency exchange Bittrex for failing to catch ransomware payments
https://cyberscoop.com/treasury-bittrex-sanctions-virtual-currency-fincen/ | Tue, 11 Oct 2022 20:45:00 +0000

The virtual currency exchange based in Washington state failed to catch more than 100,000 transactions from sanctioned regions.

The post Treasury fines virtual currency exchange Bittrex for failing to catch ransomware payments appeared first on CyberScoop.

The Treasury Department announced on Tuesday parallel settlements with Bittrex, a virtual currency exchange based in Washington state, over allegations that the company violated U.S. sanctions and anti-money laundering laws.

Treasury’s Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) levied civil penalties of roughly $24 million and $29 million respectively. Because FinCEN credited the amount Bittrex paid to OFAC toward its own penalty, the company’s total liability comes to about $29 million.

An investigation by the two agencies found that Bittrex repeatedly failed to identify thousands of prohibited transactions, including direct transactions with dark web marketplaces such as AlphaBay, Agora and Silk Road. The company also failed to detect and investigate transactions connected to ransomware attacks against individuals and small businesses in the U.S.

“Bittrex failed to implement effective transaction monitoring on its trading platform, relying on as few as two employees with minimal anti-money laundering training and experience to manually review all of the transactions for suspicious activity, which at times were over 20,000 per day,” FinCEN said in the consent decree.

Bittrex also allegedly conducted over 116,000 transactions, valued at over $263 million, with individuals and entities in sanctioned jurisdictions including Iran, Cuba, Sudan, Syria and Crimea. OFAC determined that because Bittrex collected customer IP addresses at onboarding, it had reason to know that those customers were in sanctioned jurisdictions. The company nonetheless did not begin screening IPs until 2017.
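As an added illustration, not Bittrex’s code or anything drawn from the Treasury settlements, the following Python sketches the two controls the settlements fault Bittrex for lacking: geolocating a customer’s IP address at onboarding (and again on each transaction) against the sanctioned jurisdictions named above, and screening on-chain counterparties against a blocklist of designated addresses. The CIDR-to-region table, the blocklisted addresses and the decision rules are constructed for this example; a production deployment would draw on a licensed GeoIP feed and the current OFAC SDN list, and would route holds to an analyst rather than clearing them automatically.

```python
"""Added example: onboarding and transaction screening of the kind the
Bittrex settlements describe as missing. All tables below are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed geolocation table (network -> ISO country or region code).
# These are RFC 5737 documentation ranges with made-up labels; a real
# deployment would query a maintained GeoIP database instead.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "IR"),
    (ipaddress.ip_network("198.51.100.0/25"), "UA-CRIMEA"),
    (ipaddress.ip_network("198.51.100.0/24"), "UA"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
]

# Jurisdictions named in the settlement. Crimea is a region, not a country,
# so a country-level lookup alone would miss it; the table carries a region code.
SANCTIONED_JURISDICTIONS = {"IR", "CU", "SD", "SY", "UA-CRIMEA"}

# Constructed blocklist of counterparty addresses keyed to a reason. Real
# screening would load designated addresses from the current SDN list.
BLOCKED_COUNTERPARTIES = {
    "1DarknetMarketExampleAddress000000": "darknet market (constructed entry)",
    "bc1qransomwarewalletexample00000000": "ransomware wallet (constructed entry)",
}


def geolocate(ip: str) -> Optional[str]:
    """Longest-prefix match of an IP against GEO_TABLE; None if unknown."""
    addr = ipaddress.ip_address(ip)
    best_net, best_code = None, None
    for net, code in GEO_TABLE:
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_code = net, code
    return best_code


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def screen_onboarding(ip: str) -> Decision:
    """Control 1: block or hold accounts whose onboarding IP resolves to a
    sanctioned jurisdiction. Unknown locations are held, not waved through."""
    region = geolocate(ip)
    if region is None:
        return Decision(False, ["onboarding IP could not be geolocated; hold for manual review"])
    if region in SANCTIONED_JURISDICTIONS:
        return Decision(False, [f"onboarding IP geolocates to sanctioned jurisdiction {region}"])
    return Decision(True)


def screen_transaction(counterparty: str, customer_ip: str) -> Decision:
    """Control 2: re-check the customer's current IP on every transaction and
    screen the on-chain counterparty against the blocklist. Every failing
    check is reported so the compliance analyst sees the full picture."""
    reasons: List[str] = []
    region = geolocate(customer_ip)
    if region is None:
        reasons.append("transaction IP could not be geolocated; hold for manual review")
    elif region in SANCTIONED_JURISDICTIONS:
        reasons.append(f"transaction IP geolocates to sanctioned jurisdiction {region}")
    if counterparty in BLOCKED_COUNTERPARTIES:
        reasons.append(f"counterparty is blocklisted: {BLOCKED_COUNTERPARTIES[counterparty]}")
    return Decision(not reasons, reasons)


if __name__ == "__main__":
    print(screen_onboarding("203.0.113.7"))    # constructed Iran range: blocked
    print(screen_onboarding("192.0.2.10"))     # constructed U.S. range: allowed
    print(screen_transaction("1DarknetMarketExampleAddress000000", "198.51.100.9"))
```

The longest-prefix match matters for the Crimea case: the narrower constructed /25 labelled `UA-CRIMEA` wins over the enclosing /24 labelled `UA`, which is the behaviour a country-only lookup cannot give. The transaction check deliberately collects every failing reason instead of returning on the first one, since an analyst reviewing a hold needs to know whether the problem is the customer, the counterparty, or both.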

U.S. officials called the penalties a warning to virtual currency firms that fail to enact effective anti-money laundering and sanctions compliance.

“When virtual currency firms fail to implement effective sanctions compliance controls, including screening customers located in sanctioned jurisdictions, they can become a vehicle for illicit actors that threaten U.S national security,” OFAC Director Andrea Gacki said in a statement. “Virtual currency exchanges operating worldwide should understand both who—and where—their customers are. OFAC will continue to hold accountable firms, in the virtual currency industry and elsewhere, whose failure to implement appropriate controls leads to sanctions violations.”

This isn’t the first time FinCEN has brought civil penalties against a U.S. virtual currency entity for failing to report activity related to cybercrime.

In 2020, FinCEN fined the operator of the mixer service “Helix” $60 million for failing to meet federal anti-money laundering standards. Treasury has also taken starker action through OFAC, which has sanctioned exchanges and mixers outright, most recently Tornado Cash, which was used by North Korean hackers.

In response to a March executive order on virtual currencies by President Biden, Treasury is currently drafting a report on the potential illicit finance and national security risks posed by virtual currencies and is seeking public comment.

“Bittrex is pleased to have fully resolved this matter with OFAC and FinCEN on mutually agreeable terms,” the company said in a statement provided by its lawyer. “The settlement provides full resolution of both OFAC’s inquiry into transactions in sanctioned jurisdictions that occurred predominantly through 2017, and FinCEN’s assertion that Bittrex did not fully implement all of its Anti-Money Laundering Program controls through 2018.”

Why Tornado Cash sanctions are drawing fierce criticism, potential court challenge from crypto group
https://cyberscoop.com/tornado-cash-sanctions-cryptcurrency-treasury/ | Mon, 15 Aug 2022 22:07:08 +0000

Sanctions against the cryptocurrency mixer have ignited concern from industry stakeholders, privacy advocates and legal experts.

The post Why Tornado Cash sanctions are drawing fierce criticism, potential court challenge from crypto group appeared first on CyberScoop.

U.S. sanctions against cryptocurrency mixer Tornado Cash last week have ignited concerns from industry stakeholders, privacy advocates and legal experts over what the future of virtual currencies looks like under the Biden administration.

The Treasury Department’s Office of Foreign Assets Control added Tornado Cash to its sanctions list in response to ongoing use of the technology by North Korea’s Lazarus cybercriminal group to launder more than half a billion dollars’ worth of stolen cryptocurrency.

But according to some critics and legal experts, the agency may have overstepped its authorities and placed a number of U.S. consumers in the crossfire.

“We believe that OFAC has overstepped its legal authority by adding certain Tornado Cash smart contract addresses to the [Specially Designated Nationals] List, that this action potentially violates constitutional rights to due process and free speech, and that OFAC has not adequately acted to mitigate the foreseeable impact its action would have on innocent Americans,” cryptocurrency think tank Coin Center’s Jerry Brito and Peter Van Valkenburgh wrote in a post Monday announcing the group’s effort to overturn the decision. Coin Center is also exploring a legal challenge to the designation.

Fundamental to critics’ concerns is the Office of Foreign Assets Control’s decision to sanction addresses on the Ethereum blockchain that the Tornado Cash code runs on. The problem is the code’s developers have no control over the smart contract, or application, that runs the mixer. As long as the Ethereum blockchain exists, the code will keep running and mixing cryptocurrency indefinitely, regardless of sanctions. If a developer destroys the administrative key to the smart contract, as Tornado Cash’s founder claims he did, then the code will continue to operate without any human intervention in perpetuity.

“They basically sanctioned a robot,” Brito, executive director of Coin Center, explained to CyberScoop. Coin Center argues that because the authorities under which OFAC brought the sanctions require that an individual be tied to the sanction, the agency has overreached.

“Sanctions are a behavior change mechanism. It’s not punishment. So, it’s a pretty novel use here that hasn’t really been done before to sanction a smart contract, rather than a person or organization,” Michael Mosier, a former acting director of the Treasury Department’s Financial Crimes Enforcement Network who now works at the Web3 startup Espresso Systems, told CyberScoop. “It’s unclear how code or a protocol — including without administrative keys — could change its behavior or petition for delisting on its own.”

Cryptocurrency owners use mixers to pool their funds with those of many other users, masking the origin of the assets. That promise of anonymity has made them popular with cybercriminals and therefore of interest to enforcement agencies going after financial criminals. The Treasury Department in May sanctioned the Blender.io mixer for facilitating the transactions of criminal outfits such as the Lazarus group and several Russian cybercriminal gangs. Those sanctions sparked little pushback from industry because they targeted Blender as an operator-run service, not the underlying technology.

The distinction between a mixer as software and a mixer as a service provider (implying a human operator) is messy enough that the U.S. government has addressed it before. The Financial Crimes Enforcement Network (FinCEN), another Treasury bureau, which enforces anti-money laundering rules, issued guidance in 2019 distinguishing providers of anonymizing software, which it does not treat as money transmitters, from providers of anonymizing services, which it does. OFAC isn’t bound by FinCEN guidance, however, and was free to take a different approach. It did, leaving the roughly 70 percent of Tornado Cash’s transactions not tied to any illicit activity in a legal grey area.

“Users and developers of this technology are in a real bind,” Coin Center’s Brito told CyberScoop. “Treasury took this action without seemingly evaluating the impact this would have on millions of Americans and not contemplating answers to basic questions.”

This lack of clarity has left industry frustrated and eager for Treasury engagement. In a Twitter Spaces conversation on Friday hosted by Espresso Systems, several industry and legal experts expressed frustration that Treasury had offered little engagement before or after the sanctions to help industry understand the ramifications and deal with potential collateral impact, a step the agency typically takes when enacting sanctions.

“It’s the lack of clarity and also the haphazard kind of way of going about this,” said Jill Gunter, co-founder at Espresso Systems, pointing to it as a key concern.

Despite frustrations, speakers during the Twitter Spaces event encouraged engagement with regulators.

“The main takeaway is that we have to work ourselves on privacy protecting solutions at the same time that we’re educating the government on ways that they could satisfy all of these national security interests, including privacy, through a more rifle shot approach,” said Gus Coldebella, a partner at True Ventures, a venture capital firm that invests in web3 technologies, and former lawyer at the Department of Homeland Security.

Several sources confirmed to CyberScoop that some of that discussion is already ongoing and that OFAC has been engaging industry in conversation since late last week. The sources declined to discuss details, citing the private nature of the conversations.

The Treasury Department did not immediately respond to CyberScoop’s requests.

The sanctions come ahead of a wave of September deadlines set by the Biden administration’s March executive order on virtual currencies, which will create even more ground for discussion between industry and government. Industry reacted to the initial executive order with strong support, but some industry members have expressed concerns that the recent sanctions point to a clash between the administration’s investment in emerging technology and national security prerogatives like sending a strong message to North Korea.

Mosier, who has first-hand experience with the tensions that can emerge between technical expertise and political pressures at Treasury, sees a middle ground.

“I think some will say, ‘Well, we can’t stop enforcing against North Korea while we write reports.’ Which is somewhat fair but I think the other point is that you should be doing very tailored restrained, rather than novel, actions until you figure out what you want your policy to be,” he said.

Long before the political dust settles, the Tornado Cash sanctions are primed to have a chilling effect on developers and companies in the cryptocurrency space who seek to develop similar privacy-preserving technologies.

“This is a rough equivalent to sanctioning the email protocol in the early days of the internet, with the justification that email is often used to facilitate phishing attacks,” Lia Holland, campaigns director at Fight for The Future said in a statement.

The Electronic Frontier Foundation also expressed concerns about the sanctions, pointing to long-established legal precedent that code is free speech.

The tech sector is already seeing ramifications of the Tornado Cash sanctions. Last week, GitHub removed the account hosting Tornado Cash’s source code as well as three accounts of developers who contributed to it, including co-founder Roman Semenov and developer Alexey Pertsev, who was arrested last week by Dutch police in relation to his work on Tornado Cash.

Cryptocurrency ‘mixers’ see record transactions from sanctioned actors
https://cyberscoop.com/cryptocurrency-mixers-see-record-transactions-from-sanctioned-actors/ | Thu, 14 Jul 2022 12:00:00 +0000

An increase in funds sent from illicit addresses has accelerated the rise, indicating the technology remains attractive to cyber criminals.

The post Cryptocurrency ‘mixers’ see record transactions from sanctioned actors appeared first on CyberScoop.

Use of so-called cryptocurrency “mixers,” which pool funds from many users to mask their origin, peaked at a 30-day average of nearly $52 million worth of digital currency in April, an unprecedented volume of funds moving through those services, researchers at cryptocurrency research firm Chainalysis found.

A near two-fold increase in funds sent from illicit addresses drove much of that rise, indicating that technology that obscures the path of funds continues to be highly attractive to cyber criminals.

Cryptocurrency mixers work by taking an individual’s cryptocurrency and combining it with a larger pool before returning units equivalent to the original amount minus a service fee to the original account. As a result, it makes it harder for law enforcement and cryptocurrency analysts to trace the currency.

Mixers aren’t solely used by criminals, but they are extremely popular with them. Chainalysis found that 10% of all funds from illicit wallets are sent to mixers, while mixers received less than 0.5% of the funds from other sources tracked by the firm, including decentralized finance projects.

The bulk of illicit funds transferred to mixers came from sanctioned actors, primarily the Russian dark net market Hydra and, more recently, the Lazarus Group, a group of North Korean state-backed hackers. International law enforcement took down Hydra, which had been responsible for about 80% of dark web market transactions involving cryptocurrency, in April; the U.S. Treasury’s Office of Foreign Assets Control sanctioned the market the same day, listing more than 100 of its cryptocurrency addresses.

Funds from North Korean state-backed hackers, and from a popular mixer they employed to launder proceeds, made up the rest of the illicit transfers.

North Korean hackers have consistently used financial hacking to get around U.S. sanctions and they have been especially busy this year targeting cryptocurrency firms. The Treasury Department updated its sanctions against the Lazarus Group in April to tie the group to the March theft of $620 million worth of assets from the Ronin bridge, which connects the Axie Infinity video game to the Ethereum blockchain.

More recently, researchers tied funds stolen by the Lazarus group from the blockchain project Harmony to the mixer Tornado Cash.

“It shows that the type and the type of profile of the user of the mixer has really evolved away from the kind of small crime, dark net marketplace vendor to the Russia or a nation-state actor,” said Kim Grauer, head of research at Chainalysis.

Financial regulators have taken note. The Treasury Department in May sanctioned popular mixer Blender.io for processing $20.5 million of the $620 million the Lazarus group stole from the Axie Infinity project.

The move is something that “would have been unheard of a few years ago,” said Grauer.

An increase in transfers from decentralized finance (DeFi) projects also contributed to increased use of mixers, Chainalysis notes. State-backed actors have also been known to use DeFi projects as a laundering tool.

Both Chainalysis researchers and the Treasury Department are careful to note that there are legitimate uses for mixers, such as anonymity from an oppressive government. However, because most mixers don’t apply the know-your-customer checks that U.S. regulations require of exchanges, it’s easier for criminals to exploit them.

Mixers come with one serious weakness for the launderer, however. The more funds criminals push through a pool, the larger the share of that pool’s activity they represent, and the more easily their withdrawals can be tied back to them. That limits how much hackers can launder before raising suspicion.

“I think in the long to medium term, it’s definitely going to reduce just because it’s not sustainable,” said Grauer.
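The mechanism described earlier in this piece (pool the funds, return equal units minus a fee) and the weakness Grauer points to can be made concrete with a small model. The following Python is an added example, not Chainalysis’s methodology or any mixer’s code: it replays a constructed sequence of deposits into a fixed-denomination pool and, for each withdrawal, computes the share of still-unmatched deposits that came from addresses an analyst has already tagged as stolen funds. The event sequence, the fee rate and the uniform-mixing assumption (each withdrawal is equally likely to have drawn from any outstanding deposit) are assumptions of the example, not figures from the article.

```python
"""Added example: why a mixer's anonymity set collapses when one party
supplies most of the pool. Event data and parameters are constructed."""
from dataclasses import dataclass
from typing import Dict, List

# One fixed-denomination pool: every deposit and withdrawal is the same
# size, so amounts alone cannot link a withdrawal to a deposit.
DENOMINATION = 10.0   # units of a single asset (assumed)
FEE_RATE = 0.003      # service fee withheld from each withdrawal (assumed)


@dataclass
class Event:
    kind: str   # "deposit" or "withdraw"
    tag: str    # deposits: "illicit" (already traced to a theft) or "other"; withdrawals: recipient label


@dataclass
class WithdrawalEstimate:
    recipient: str
    anonymity_set: float   # expected deposits still unmatched in the pool
    p_illicit: float       # analyst's estimate that this payout is tainted
    payout: float          # denomination minus fee


def payout_amount() -> float:
    """What the withdrawer actually receives: the fixed unit minus the fee."""
    return DENOMINATION * (1.0 - FEE_RATE)


def trace_pool(events: List[Event]) -> List[WithdrawalEstimate]:
    """Replay deposits and withdrawals. The analyst knows which deposits
    came from tagged illicit addresses but not which deposit funds which
    withdrawal, so each withdrawal is attributed in expectation: the chance
    it is illicit equals the illicit share of deposits still in the pool.
    After a withdrawal the pool shrinks by one unit, split between the two
    categories in that same proportion (uniform-mixing assumption)."""
    pool: Dict[str, float] = {"illicit": 0.0, "other": 0.0}
    out: List[WithdrawalEstimate] = []
    for ev in events:
        if ev.kind == "deposit":
            pool[ev.tag] += 1.0
        elif ev.kind == "withdraw":
            total = pool["illicit"] + pool["other"]
            if total < 1.0:
                raise ValueError("withdrawal exceeds the pool's outstanding deposits")
            p = pool["illicit"] / total
            out.append(WithdrawalEstimate(ev.tag, total, p, payout_amount()))
            pool["illicit"] -= p
            pool["other"] -= 1.0 - p
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
    return out


def scenario(n_illicit: int, n_other: int, n_withdraw: int) -> List[WithdrawalEstimate]:
    """Constructed scenario: n_other unrelated deposits, then n_illicit
    tagged deposits, then n_withdraw withdrawals to fresh addresses."""
    events = [Event("deposit", "other")] * n_other
    events += [Event("deposit", "illicit")] * n_illicit
    events += [Event("withdraw", f"fresh-{i}") for i in range(n_withdraw)]
    return trace_pool(events)


if __name__ == "__main__":
    # Small-time user: 2 tainted units hidden among 50 unrelated deposits.
    for w in scenario(2, 50, 3):
        print(f"{w.recipient}: set={w.anonymity_set:.0f} p_illicit={w.p_illicit:.2f} payout={w.payout:.2f}")
    # Nation-state scale: 200 tainted units pushed into the same pool of 50.
    for w in scenario(200, 50, 3):
        print(f"{w.recipient}: set={w.anonymity_set:.0f} p_illicit={w.p_illicit:.2f} payout={w.payout:.2f}")
```

Running the script shows that two tainted units among 50 unrelated deposits give each withdrawal roughly a 4% attribution probability, whereas 200 tainted units pushed into the same pool give 80% regardless of which fresh address receives the payout. The anonymity a mixer provides exists only as long as other users’ deposits dominate the pool, which is the quantitative reason large-scale laundering through mixers is self-limiting.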

FBI, CISA, Treasury: North Korean hackers taking aim at health care with Maui ransomware
https://cyberscoop.com/fbi-cisa-treasury-north-korea-ransomware-maui-alert-health-care/ | Wed, 06 Jul 2022 18:07:00 +0000

The ransomware has previously received little public scrutiny.

The post FBI, CISA, Treasury: North Korean hackers taking aim at health care with Maui ransomware appeared first on CyberScoop.

Three federal agencies said Wednesday that North Korean hackers have been attacking the health care sector with ransomware, and cautioned victims that paying up could run afoul of U.S. sanctions rules.

The FBI, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the Treasury Department said in an alert that the hackers were using a kind of ransomware dubbed “Maui” to go after health care and public health organizations.

“This malicious activity by North Korean state-sponsored cyber actors against the healthcare and public health sector poses a significant risk to organizations of all sizes,” said CISA’s executive director for cybersecurity, Eric Goldstein.

It’s not the first time the U.S. has accused Pyongyang of wreaking havoc on the health care sector. Most notably, the U.S. and U.K. blamed North Korea for the 2017 WannaCry outbreak, which led to canceled surgeries and postponed medical appointments in the U.K. after the worm spread through the National Health Service.

“They’re pretty ruthless, as we have seen in the past,” said John Riggi, national adviser for cybersecurity and risk at the American Hospital Association (AHA). “And the fact that there’s an urgency by the health care sector to continue the uninterrupted provision of health care is a reason why they’re targeting health care.”

The Wednesday alert came with a reminder of the Treasury Department’s September 2021 advisory that paying ransomware operators potentially puts victims at risk of violating Office of Foreign Assets Control regulations, although the advisory treats reporting to and cooperating with law enforcement, and improving cybersecurity practices, as mitigating factors. Treasury has designated the North Korean government-backed hacking outfit known as the Lazarus Group and two sub-groups, Bluenoroff and Andariel, under its sanctions program.

The Maui ransomware variant received little public scrutiny prior to Wednesday. The same day of the feds’ alert, cybersecurity company Stairwell published an analysis of the ransomware, saying that it differed in major ways from traditional ransomware-as-a-service offerings, where ransomware creators allow others to use their product in exchange for a share of profits. Stairwell said it first observed Maui on April 3.

“Maui stood out to us because of a lack of several key features we commonly see with tooling from RaaS providers, such as an embedded ransom note to provide recovery instructions or automated means of transmitting encryption keys to attackers,” wrote Silas Cutler, principal reverse engineer. “Instead, we believe that Maui is manually operated, in which operators will specify which files to encrypt when executing it.”

That setup makes sense, said Daniel dos Santos, head of security research for Forescout.

“This is to be expected from a malware developed or used by a state-sponsored actor, which has different behavior and potentially different objectives than a cybercriminal group,” he said. “Maybe the actors are not looking immediately to scale this attack to hundreds of organizations, but instead looking into targeting some organizations that are more important for their objectives.”

Riggi said his organization was “anecdotally” aware of some Maui victims. The Health Information Sharing and Analysis Center (H-ISAC) was unable to identify any victims, but it was clear that law enforcement had, said Errol Weiss, chief information security officer for the group. Both H-ISAC and AHA were alerting members Wednesday, or planning to do so.

“Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at HPH Sector organizations,” the federal alert reads. “North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services. In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods.”

Cyber firm Mandiant said that of late, the health care sector hasn’t seemed to be the top priority target for North Korea.

“We have noted recently that North Korean actors have shifted focus away from healthcare targets to other traditional diplomatic and military organizations,” John Hultquist, vice president of Mandiant Intelligence, said in a written statement. “Unfortunately, healthcare organizations are also extraordinarily vulnerable to extortion of this type because of the serious consequences of a disruption.”

In May, the Department of Health and Human Services identified LockBit and Conti as the ransomware groups that most afflicted the health sector in the first quarter of 2022.

Updated 7/6/22: to include comment from Forescout.
