The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

NSA is surging its collaboration with the private sector

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Welcome to The Cybersecurity 202! A ransomware attack against a candy maker won't curtail the Halloween candy corn supply. So, there's that to look forward to …

Below: A Russian hacking group was linked to the Sinclair Broadcast ransomware attack and Deputy Attorney General Lisa Monaco says hackers have become “more aggressive, more sophisticated and more belligerent.”

Dozens of firms are huddling with the National Security Agency on cybersecurity

More than 100 companies have joined a National Security Agency effort to collaborate with industry on big cybersecurity problems, a top NSA official tells us.

The private sector members of NSA’s Cybersecurity Collaboration Center – which launched earlier this year – are working together on numerous large-scale projects, said Rob Joyce, director of NSA’s Cybersecurity Directorate, in a wide-ranging interview. He declined to name specific members of the center, but said they include defense contractors, cloud computing and telecom companies, and cybersecurity firms. 

The new center is part of a government-wide effort to more actively help companies respond to a barrage of damaging cyberattacks from adversary governments and cybercriminals. But the NSA effort is particularly notable because the organization — once playfully dubbed No Such Agency — spent decades avoiding such public efforts.

How it's going

Some of those projects are happening inside the 36,000-square-foot center, just outside the agency's Fort Meade, Md., campus, where company officials can sometimes be privy to classified information from the NSA’s foreign spying arm. But the work is increasingly happening through virtual meeting tools — both because of the ongoing pandemic and because that makes it easier for the NSA and company officials to respond to real-time hacking threats, Joyce said. 

“What we’ve found are that we have to build trust relationships, and a lot of that is in-person engagements where we can act human to human,” he said. “But then you can quickly transfer that to interacting online, where you’re sharing indicators, sharing tradecraft and you’re working the problems jointly from the commercial side and the government foreign intelligence side.”

Getting proactive

Why the big change? For the NSA, it was largely driven by the overwhelming pace and scale of cyberattacks and a realization the agency must get better at stopping attacks before they happen. That’s a lot easier when it can glean information about hacking efforts from U.S. company networks, to which it normally doesn’t have access. 

The defense firms working with the NSA have learned they can’t defend themselves alone against sophisticated hackers from Russia and China. 

“These companies are constantly competitive about the next government contract … [but] cybersecurity information is absolutely on the table for them to work together and collaborate,” Joyce said. 

There are other benefits. 

Working with the companies has helped the NSA speed up its processes for translating intelligence about cyber threats into unclassified forms that can be shared with industry officials that lack government clearances, Joyce said. Companies have long complained that such information comes too slowly and, after it’s been stripped of classified information it’s too generic to be useful. 

Information shared within the collaboration center is automatically sent to the Cybersecurity and Infrastructure Security Agency, which can share it among a broader swath of companies. 

“That’s what the Cybersecurity Collaboration Center is built on. It’s taking that classified insight into foreign intelligence, making it actionable and getting it down to the people who can do something about it,” Joyce said. 

Here are other highlights from our interview with Joyce:

  • Hackers working for U.S. adversaries such as Russia, China, Iran and North Korea are increasingly using publicly available hacking tools rather than custom built ones. “What that lets them do is to obfuscate attribution,” by posing as criminal hackers, he said.
  • U.S. companies have grown better at defending themselves from Chinese government hackers trying to steal their intellectual property, but there’s a long way to go. “There’s a lot of improvements, but there’s still what we’d call regrettable losses,” he said.
  • Increasingly, hackers are also seeking complex routes into organizations such as by targeting subcontractors that work with major military contractors or law firms that have access to their clients’ intellectual property.
  • NSA, CISA and other government agencies are already game-planning how to respond to hacking and disinformation threats targeting the 2022 and 2024 elections. “They absolutely are on our radar. … It’s clear from the past elections that we need to bring these capabilities to bear,” Joyce said.

The keys

A Russian hacking group is connected to a ransomware attack on a conservative media giant

The hackers who targeted Sinclair Broadcast Group used a new strain of ransomware created by the hacking group Evil Corp, two people familiar with the attack told Bloomberg’s William Turton. The Trump administration sanctioned Evil Corp in 2019, alleging that it created malware that stole $100 million from financial institutions. Prosecutors also indicted Evil Corp leader Maksim Yakubets and an associate, Igor Turashev — and put a spotlight on their glitzy lifestyles.

The reemergence of Evil Corp throws yet another wrench into the notion that sanctions and indictments can deter foreign cybercriminals and reduce hacking threats. 

Here's an interesting analysis from Reuters’s Joseph Menn:

Sinclair did not respond to a request for comment from Bloomberg. The company, which operates more than 180 television stations and is known for its conservative bent, said it began investigating the attack over the weekend. The breach “has caused — and may continue to cause — disruption to parts of the company’s business, including certain aspects of its provision of local advertisements by its local broadcast stations on behalf of its customers,” it told investors.

There's more: Evil Corp. may also be behind a ransomware attack against the Japanese tech giant Olympus, TechCrunch's Zack Whittaker and Carly Page report

Hackers are “more aggressive, more sophisticated and more belligerent” since the Obama administration, top Justice Department official says

The United States is at a cyber “inflection point,” Deputy Attorney General Lisa Monaco said at a cybersecurity roundtable hosted by the Justice Department’s criminal division. 

The line between criminal hackers and those backed by countries like China or Russia is increasingly blurring. Cybercriminals are forming “alliances of convenience, alliances of opportunity and sometimes alliances by design with nation-state actors,” Monaco said. And attacks on critical infrastructure companies like pipelines and food companies show that the hacks are a national security threat, she said. 

More from Monaco: “The other thing that has struck me is the sheer brazenness of this activity. There is a brazenness to the tactics and the techniques being used, especially when it comes to ransomware and digital extortion.” 

Monaco's big ask: The U.S. government needs ransomware victims to cooperate with federal law enforcement because “we are seeing lives and livelihoods risked."

Authorities charged eight Nigerians with involvement in romance scams

Seven of the indicted men were leaders of the Neo Black Movement of Africa, also known as “Black Axe,” and operated from South Africa, according to U.S. indictments. They were arrested Tuesday and remain at large, the Justice Department said.

The men were also linked to business email compromise scams, a type of scheme where online fraudsters trick businesses into paying invoices from legitimate-looking email addresses. Prosecutors identified a university that lost $4.6 million and a business that lost $2 million to the scams.

“The Co-conspirators used social media websites, end-to-end encrypted means of communication, Voice over Internet Protocol phone numbers, and online dating websites to locate and communicate with victims,” an indictment said.

Chat room

Candy corn supporters and skeptics debated a ransomware attack on Ferrara Candy, which makes Brach’s Candy Corn. New America's Peter Singer:

FedScoop's Benjamin Freed:

Writer Thom Dunn:

Dark Reading's Kelly Jackson Higgins:

Government scan

CISA grants aim to help the unemployed move into cyber jobs

CISA awarded $2 million in grants to organizations that develop cyber workforce programs for people who are unemployed and underemployed. The grants will go to NPower and the CyberWarrior program, according to a news release

“Addressing the cyber workforce shortage requires us to proactively seek out, find, and foster prospective talent from nontraditional places,” CISA Director Jen Easterly said. 

Seven years later, DHS set to roll out dramatic changes to system for hiring cyber pros (CyberScoop)

Two Eastern Europeans Sentenced for Providing Bulletproof Hosting to Cyber Criminals (The Hacker News)

Cyber insecurity

Hackers targeted YouTube accounts, Google says

Hackers who were recruited on a Russian-language forum hijacked stolen accounts to promote cryptocurrency scams, Google said.

The hackers used around 15,000 fake Google accounts to carry out the campaign, which tricked victims into opening Google Drive or Google Documents, the company said. Google referred the phishing campaign to the FBI, the company said.

SIM swapper doxes and SWATs his accomplice (Motherboard)

Hill happenings

House passes bills to secure telecommunications infrastructure (The Hill)

Senate Republicans raise concerns about TSA cyber directives for rail, aviation (The Hill)

Global cyberspace

Malaysia’s Covid-19 app reports ‘malicious script’ misuse (Bloomberg)


  • Homeland Security Secretary Alejandro Mayorkas is scheduled to testify before the Senate Judiciary Committee today at 10 a.m.
  • Sen. Michael F. Bennet (D-Colo.), Defense Innovation Unit Director Michael Brown and John Costello, National Cyber Director Chris Inglis’s chief of staff, discuss a U.S. national technology strategy at a Center for a New American Security event today at 10:30 a.m.
  • CISA Director Jen Easterly speaks at the Capital Cyber Summit on Friday at 8 a.m.
  • Inglis participates in an event hosted by American University’s Tech, Law & Security Program on Friday at 10:30 a.m.
  • House Veterans' Affairs Committee Chairman Rep. Mark Takano (D-Calif.) discusses law enforcement algorithms at a Brookings Institution event on Oct. 25 at 3 p.m.
  • The Irish Defense Forces hosts an event on national and international cybersecurity coordination on Oct. 26 at 7:30 a.m.
  • Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) and SolarWinds President and CEO Sudhakar Ramakrishna participate in a Washington Post Live event on Oct. 26 at 10:30 a.m.
  • Inglis and Deputy national security adviser Anne Neuberger speak at a Center for Strategic and International Studies event on Oct. 26 at 2 p.m.

Secure log off

If a candy corn has a child does it become a popcorn? Thanks for reading. See you tomorrow.