— U.S. cyber officials and critical infrastructure operators are on high alert this week as more countries warn about a potential Russian invasion of Ukraine.
— The Biden administration’s secret weapon in fighting ransomware could be sitting inside a seemingly unusual agency: the IRS.
— A local cyber investor’s recent $1.5 million donation to the Institute of Peace’s endowment comes with a lengthy, lawsuit-filled history.
HAPPY MONDAY, and welcome to Morning Cybersecurity! I’m your host, Sam Sabin. I’m writing this before the Super Bowl has concluded, so instead of trying to make a sports reference, I’ll just wish you all a love-filled and chocolate-filled Valentine’s Day! I’m grateful for each one of you today and every day.
Have tips and secrets to share with MC? Or thoughts on what we should track down next? Send what you’ve got to [email protected]. Follow along at @POLITICOPro and @MorningCybersec. (Full team contact info below.) Let’s get to it:
THE FINAL COUNTDOWN — As U.S. officials warn that a Russian ground invasion of Ukraine could happen within the week, America’s cyber defenders are preparing to stand guard against cyberattacks that could accompany an invasion.
CISA and the FBI published a new web page titled “Shields Up” on Friday warning that they’re bracing for Russian cyberattacks to target U.S. organizations. “While there are not currently any specific credible threats to the U.S. homeland, we are mindful of the potential for the Russian government to consider escalating its destabilizing actions in ways that may impact others outside of Ukraine,” the agencies said on the site.
CISA also said it’s been working with U.S. critical infrastructure organizations “over the past several months” to raise awareness about the potential threats. The web page follows weeks of warnings from cybersecurity agencies about Russia’s use of cyberattacks as it continues to amass troops on the Russia-Ukraine border, including an FBI request for critical infrastructure operators to report Russian cyber activity.
But will the weeks and years of cybersecurity preparations be enough? Here’s what MC is watching as the week unfolds:
— How well can U.S. critical infrastructure defend itself? Operators are often too resource-strapped to properly upgrade their security systems or staff their cybersecurity teams, which has left them wide open to ransomware attacks in the last year. However, emails between DHS officials during Russia’s 2015 attack on Ukraine’s power grid suggest that while the agency was nervous about a similar attack on the U.S. grid, it would be much more difficult for Russians to gain access to the American electric grid. Security publication README first reported the emails.
— Can Ukrainian officials get the cyber resources they need? As Maggie has reported, Ukrainian President Volodymyr Zelensky told U.S. lawmakers who traveled to Kyiv last month that his top aid request is for cybersecurity help. Given the years-long delays to standing up the State Department’s Cyber Diplomacy Bureau, the U.S. hasn’t been able to properly help its allies with cyber defenses, as Eric reported last week.
— At the same time, no one knows what exactly to prepare for: National security and cybersecurity experts have two different ideas of how Russia could use cyberattacks in its invasion strategy. One idea is that Russia will focus attacks on Ukraine to further destabilize the country. And the other idea involves Russia turning its cyber skills against the United States and other Western countries to prevent them from helping Ukraine.
MAN OF MANY TALENTS — When the FBI seized more than half of the Colonial Pipeline’s $4.4 million bitcoin ransom earlier this summer, it didn’t manage it alone. It needed a seemingly unusual agency to make it happen: the IRS.
For years, the agency that most people know for tax audits has been building up its cybercrime capabilities and helping fellow law enforcement partners tackle big cyber cases. As your MC host reports for Pros this morning, the IRS’s criminal investigations unit gave a central assist in responding to the Colonial Pipeline ransomware attack and the SolarWinds cyberespionage campaign. The unit’s role in the Colonial Pipeline case has not been reported before.
— Why the IRS? The agency’s cybercrime unit specializes in the financial nitty-gritty of online transactions, including ransomware gangs’ favorite currencies: crypto. Given that speed is the name of the game in any cybercrime case, the IRS is usually tapped in to take over the crypto tracing elements of an investigation, while the FBI and Department of Homeland Security tackle the rest.
Now, the federal government is investing more resources in the IRS to fight the growing ransomware problem and other cybercrime. The IRS’s cybercrime unit has expanded from about five agents in 2015 to nearly 130 personnel today — in part because the agency combined its cybercrime and digital forensics teams in July.
Jarod Koopman, acting head of the agency’s combined unit, also said the agency is opening a center in Northern Virginia later this year to bring together its cybercrime agents with other law enforcement partners as well as federal contractors who also focus on cryptocurrency investigations. “It’s almost like a cryptocurrency-fighting A-team,” Koopman said of the new center. “We’re trying to get the best of the best together to tackle some of the more challenging investigations that pop up.”
FIRST IN MC: BEHIND-THE-SCENES — A press release on Friday from C5 Capital tells a simple story: Local cybersecurity investor André Pienaar dedicated $1.5 million to the U.S. Institute of Peace to honor the legacy of former South African president Nelson Mandela. But court documents filed in the last couple of months indicate the donation is the result of a years-long court battle between the cyber investor and the institute’s government tech accelerator PeaceTech.
— How we got here: PeaceTech, which is housed inside the agency focused on global conflict resolution and prevention, filed a lawsuit in April 2020 against C5 Capital and Pienaar for failing to provide promised funds to several business deals, including an investment in a PeaceTech company and a donation to the institute in exchange for naming rights.
The two parties have been going back and forth for the last two years: Every few months, PeaceTech or the Institute of Peace would file a legal complaint alleging Pienaar hadn’t made a promised payment or still owed interest on delayed payments, and Pienaar’s team would either question the terms of the payments or argue that the delays were due to technical difficulties, not bad faith.
— The latest: Friday’s $1.5 million appears to settle these legal disputes. A judge ordered Pienaar on Feb. 7 to show proof that he’s made a roughly $500,000 payment to the Institute of Peace after the agency said it still hadn’t received a part of the funds it was promised last month. The parties are also scheduled to appear at a virtual status conference Tuesday to go over the matter, although the court order states it could be canceled if they reach an agreement beforehand.
But, but, but: A lawyer representing Pienaar told MC Sunday that the $1.5 million payment to the Institute of Peace mentioned in Friday’s press release was “essentially a substitute” to the original PeaceTech pledge that everyone’s been debating. “PeaceTech and Mr. Pienaar agreed to the USIP pledge instead,” said Teddy Baldwin, Pienaar’s lawyer, in an email. The Institute of Peace acknowledged receiving the payment in a letter Friday that Baldwin shared with MC.
— What’s next: Lawyers representing PeaceTech did not respond to a request for comment, so it’s unclear at the time of reporting if PeaceTech or the Institute of Peace will still want to hold a scheduled court hearing Tuesday.
— Also note-worthy: C5 Capital has invested $35 million in IronNet, a cybersecurity and defense vendor founded by former NSA director Gen. Keith Alexander. The company announced a contract last week with an anonymous Middle Eastern country to protect critical infrastructure and government networks. Pienaar also still sits on the board.
LOVE IN THE SCAM-FILLED AIR — Romance scammers have become real cyber threats in recent years as more people fall victim to their tricks, Kaspersky security researcher Santiago Pontiroli told MC. With Valentine’s Day upon us, MC dove into some of the recent romance scam data to learn more about how the online threat has evolved:
— Timing is everything: Today is one of the best times for romance scammers to launch their attacks, Pontiroli said. “People want to meet someone as the day arrives,” he said. “So criminals know that this is the most important day to launch this type of campaign.”
— Record highs: Consumers reported losing a record $547 million to romance scams in 2021, the Federal Trade Commission said Thursday, marking a nearly 80 percent increase from the year before. About $139 million of those losses were paid in cryptocurrency, according to the FTC.
— Evolving tactics: While most romance scams tend to be about the money, Kaspersky has noted that some romance scammers have also started to send malware-laced links to targets while chatting one-on-one. Scammers have also been launching botnets so they can target multiple people at once, and extorting victims by threatening to leak personal photos shared in private conversations, Pontiroli said.
ON THE DEFENSE — The San Francisco 49ers football team confirmed in a statement shared with MC that it was responding to a “network security incident” that temporarily disrupted some of its corporate IT network systems. The statement, first reported by The Record, came after the team’s data was listed on ransomware group BlackByte’s dark web extortion site, which claims it’s demanding a $530 million ransom. The FBI and U.S. Secret Service issued an industry advisory Friday warning that BlackByte has compromised at least three unidentified U.S. critical infrastructure sectors.
Tweet of the Day
From Luta Security CEO Katie Moussouris about Russian cyber threat warnings: “Recommendations that strengthen an org’s prevention, detection, containment, & recovery from cyber attacks should be followed regardless of the state of peace on Earth.”
— CISA ordered federal agencies to install security updates on iPhones and Macs by Feb. 25. (BleepingComputer)
— ID.me has been working with private contractor Palantir for “data analytics and trend analysis,” according to a memo obtained by the Washington Post. ID.me’s human reviewers say they’re stressed, overworked and struggling to maintain security standards as more companies and agencies use the company’s technology. (The Verge)
— “Face Recognition Is Out. So How Will the IRS Verify Identity?” (Wired)
— The journalist whom the Missouri governor accused of being a hacker after he reported on a security vulnerability in a government website won’t be facing charges. (Springfield News-Leader)
— Risk Based Security, a cyber firm owned by Flashpoint, said in a report released this morning that it spotted at least 28,695 publicly disclosed vulnerabilities in 2021, which the company says is the highest annual number on record so far.
Stay in touch with the whole team: Eric Geller ([email protected]); Konstantin Kakaes ([email protected]); Maggie Miller ([email protected]); Sam Sabin ([email protected]); and Heidi Vogt ([email protected]).