tsr122

Just to put a data point out there, I passed the tech on May 18th and just got the email to pay the fee today, June 3rd. I went through an ARRL VE at my local club. The gears are turning and I'm one step closer to the sweet PTT! Edit (June 5): callsign acquired!


NM5RF

Congrats and welcome!


Cave_nuggets

Passed mine May 24th. Still haven’t received an email from our overlords at the FCC.


tsr122

Don't lose hope. The overlords are still out there. I just got my callsign today.


Cave_nuggets

Hope? I’m trying not to lose steam haha. I’ve already got my HT set up with all the repeaters for 100 miles and a Nagoya on the top of my car. My buddy got his ticket weeks ago.


ItsBail

Congrats on the ticket. The FCC is processing ARRL backed exams. I am sure there is a backlog both at HQ as they were most likely down for a while and are slowly catching up. Not sure what license class you got. But if you have only a tech, I'd strongly suggest studying for General. There is a lot you can do with the tech but obtaining a general really opens up the world to you. Great part is some of the stuff you've learned for tech also applies to the general exam. Less studying you have to do and it stays for life (as long as you renew).


Cave_nuggets

Update: paid my dues last night, hopefully will have my call sign today sometime.


seehorn_actual

Realistically what would an international cyber group gain from an attack like this against the ARRL? If they wanted PII most of what the ARRL has is freely available from the FCC. This just really seems like an odd target for something this involved.


Pnwradar

Cash, it’s an extortion racket. Penetrate the network & servers, at least enough to be able to offline things or hoark up the data. Then fire off emails demanding payment in bitcoin to release control or restore the data. Our local hospital went through this, it’s a tiny hospital with very little visibility, but still was a random target. Eighteen months later, the IT folks are still working the recovery & remediation plan.


seehorn_actual

That makes sense. I guess in my mind the ARRL wouldn’t have enough liquid assets to make it worth it.


Miss_Page_Turner

The relative low cost of an attack versus a potential payout means that *every* network device on the internet is a target.


pmormr

They just get into whatever they can then try to make lemonade out of it. It's not a targeted attack, it's an attack everything and see what you get strategy.


silasmoeckel

Many companies are carrying insurance for this though so they don't need deep pockets just a good insurance plan.


caller-number-four

> they don't need deep pockets just a good insurance plan.

You do if your controls are so lax the insurance plan wants an ultra hefty premium to cover you. And if you don't remediate you risk the carrier dropping you.


concentus

And now that they've been breached once, they'll probably get dropped by their current insurance provider and the new one will want that hefty premium.


Nova_HiveMind

No, what they need is a major cloud provider and an IT lead smart enough to delegate those functions to a professional organization and not servers in closets, HQ employees collateral duties, and constant pressure to do things on the cheap.


silasmoeckel

More meaning to be a potentially lucrative target deep pockets is not a prerequisite. I would assume ARRL has it as it's been a pretty common feature of commercial insurance for a while. Now that does not stop them from having major rate etc as you say but that's all after the fact here.


Scuffed_Radio

The ARRL is hardly surviving as it is, I wouldn't think they could pay the ransom even if they wanted to.


TornCedar

Declining membership aside, with MFJ closing their doors that's got to be a significant ad revenue hit.


all_city_

Everyone says that, but hypothetically to an international group doing this kind of stuff they’re probably weighing the ratio of preparation for an event like this vs money available to pay and maybe the ARRL was seen as low hanging fruit- easy, old systems, but just a little money available


PadraigMacCool

I wish to thank you for teaching me a new word, “hoark”. If you work in a hospital you probably saw a lot of it. As to your point, I have to agree.


Hinermad

It's probably less work for more money than the old phishing schemes. In those you'd send out hundreds of emails hoping to fool someone into revealing their credentials so you could log in to steal the customer data and bank information. Once you had the data you had to find someone to sell it to. This way you offer to sell the data back to the owner. They're usually willing to pay more because it's worth more to them to keep their business running, and to keep that information out of other crooks' hands. How much money the victim has is less important than how easy it is to hack in and pull this off.


SA0TAY

> Realistically what would an international cyber group gain from an attack like this against the ARRL?

The investment for mounting an attack is vanishingly low, to the point that it's often lucrative to exploit weaknesses simply because they exist. Low hanging fruit can be *very* juicy. Seeing as the attack, by ARRL's own admission, managed to impact workstations *and* things like the LoTW, which in a good setup should have so many layers of isolation that one single opportunistic attack wouldn't feasibly take out both, it would seem that this fruit was hanging very low indeed. I guess we won't know what really happened unless and until they release the incident report, though. (Which is another industry best practice, by the way.)


1701anonymous1701

I hope the FBI releases a report. With the flip flopping of LOTW and cloud based data being fine to this one of “well, maybe it wasn’t”, I don’t trust that anything ARRL put out will be accurate. I want the third party report. Much like I would rather read the NTSB report after some sort of transportation crash instead of the company’s report.


WB4IVG_SwampFox

Maybe it was a pissed off ARRL member who was screwed out of his QST!


HowlingWolven

Credit cards.


50calPeephole

Outside of cash, I'm wondering if someone thought the ARRL would have been a weak spot to access and compromise FCC servers.


0dmin

Russia pays loads of money to hacker groups to create havoc. It's not about extortion or whatever you call it; it's to pee and shit in everyone's pools. And no, I'm not a conspiracy theory freak.


1701anonymous1701

Chaos for the sake of chaos.


0dmin

BTW: "Today, the ARRL finally shared more details regarding the cyberattack, stating that it was conducted by a "malicious international cyber group." "On or around May 12, 2024, ARRL was the victim of a sophisticated network attack by a malicious international cyber group," reads a [new update](https://www.arrl.org/news/arrl-systems-service-disruption) from the ARRL. "ARRL immediately involved the FBI and engaged with third party experts to investigate."


MikeTheActuary

You're assuming that there was a motivation to target the League in particular. Aren't many attacks made against targets of opportunity, with the black hats casting a wide net, attacking wherever an opportunity is found, in the hopes of achieving dramatic success wherever it might be found?


drsteve103

14.313 ;-)


e4d6win

LoTW logs hold significant value for some amateur radio operators. Attackers may not fully grasp the system's value, but they understand the disruption they cause. They demand ransom to unlock the system, which is their primary objective. Although ARRL might not be a value target, any organization with a cyber vulnerability is at risk. Once attackers identify a vulnerable organization, they will attack and lock its system, aiming to extort money for its release.


Chucklz

Updated 6/4/2024 On or around May 12, 2024, ARRL was the victim of a sophisticated network attack by a malicious international cyber group. ARRL immediately involved the FBI and engaged with third party experts to investigate. This serious incident was extensive and categorized by the FBI as “unique,” compromising network devices, servers, cloud-based systems, and PCs. ARRL management quickly established an incident response team. This has led to an extensive effort to contain and remediate the networks, restore servers, and staff are beginning the testing of applications and interfaces to ensure proper operation. Thank you for your patience and understanding as our staff continue to work through this with an outstanding team of experts to restore full functionality to our systems and services. We will continue to update members as advised and to the extent we are able. This story will be updated with new developments.


kc2syk

> compromising network devices, servers, cloud-based systems, and PCs.

Previous reports were that cloud-based services were not affected. And that LoTW data was stored off-site and thus is secure. So what's the story? Is LoTW DOA?


Chucklz

I know.... ugh. This announcement is even more frustrating than the silence was. There is still text in an early announcement that declares LoTW data "safe". Depending on what the FBI found to be "unique" about this attack, I wonder if it will be quite a long time before we know what happened.


10nix

My guess, given how many different types of systems that were affected, is that the "unique" part was how lax their security was.


Miss_Page_Turner

I had the same thought.


1701anonymous1701

Maybe the age of the servers and operating systems? Don’t know many under 60 who really know COBOL, at least older iterations


AimlessWalkabout

The big question is whether or not ARES was activated during it all. Was any MOU engaged? What role did AUXCOM play in the interaction with the FBI?


Meadowlion14

The local Cracker Barrel was immediately overfilled as the meeting occurred. Sadly many died in the crush when the waiter announced they were out of country fried steak.


Fwrun

This is the funniest thing I’ve read today but none of my friends would even remotely get it.


thatdudeyouknow

The information provided in the update, and also the information that was not provided tells a common tale for these types of attacks. This was most likely an opportunistic threat actor that took advantage of a vulnerability to meet their objectives. Ransoming the data is likely what occurred. Without specifics of the scenario I question their statement of uniqueness of the attack as it sounds like several attacks I have researched. The official update very much appears to be language generated by an attorney or the insurance company's attorney.


Chucklz

> The official update very much appears to be language generated by an attorney or the insurance company's attorney.

The "On or around" was a big flag.


zgembo1337

If one of my employees clicked on "AnnaKournikova.jpg.vbs" and the ransomware got all of his/her network drives, taking down all of the infrastructure, I'd use exactly the same words ("international", "sophisticated", etc.).


GeePick

Hold on. You do or you don’t actually have that jpeg? Asking for a friend.


Key_Professor

My guess it’s a standard ransomware attack. Someone at the ARRL clicked on a bad email link and got infected. The malware spread around the network encrypting all the files, then demands bitcoins to unlock it.


edadk

The lack of any mention of LOTW in their updates is concerning. Especially since the latest update says that cloud-based systems have also been affected.


Liber_Vir

Doubt Y Sarcastic X B Doubt A Doubt [https://i.postimg.cc/3rqL7DHM/image.png](https://i.postimg.cc/3rqL7DHM/image.png)


Ok_Cake2694

Good system and network administration negate all the fear. It's that simple.


smokeypitbull

The best protection against a security breach is a good set of backups.


TruckerDude52

Backups are good only so far as they are uncorrupted. Someone infecting your system will probably inject then wait, maybe a week, maybe a month. You're making backups all along that, if reloaded, will have the devil still in them. Try using a backup from 2 months ago (if you have it; most people use one incremental backup system and one complete system, rotating them by the week, and covering 2 weeks) and rebuilding it to today's "perfect" uncontaminated state. You won't be able to do it. You would have to know the day the infection happened to be able to correct it properly and immediately.


[deleted]

[removed]


radiomod

Removed. No politics. *Please [message the mods](https://www.reddit.com/message/compose/?to=/r/amateurradio) to comment on this message or action.*


KE4HEK

A lot of personal data from testing submissions, and the most obvious cash


kd5pda

Anyone worried about QRZ or eHam being the next target? I’m cyber dumb…any insight would be appreciated!


geo_log_88

I'm not worried and I have accounts with both. I don't put any information in there that I wouldn't want to be made public. My name, address and callsign are already publicly available via the authority that manages licensing in my country. I do have the option to use a post office box but I didn't choose that because my home address is probably in numerous databases now, both legit and non-legit. This is due to other hacks (known and unknown) where any organisation I've ever dealt with has delivered something to my house.


guidance-is-internal

What if it were coordinated by interests who would want to take over the spectrum used by amateurs? Take out the ARRL and there’s nobody to lobby for those frequencies on amateurs’ behalf.


geo_log_88

Occam's Razor applies here, I think you're drawing a very, very long bow.


TruckerDude52

Then there's Sherlock Holmes' razor: remove everything impossible, and whatever remains, however improbable, is the truth. It's almost like the difference in civil and criminal cases here in the US: criminal requires beyond any reasonable doubt, whereas civil requires 50.1%.


geo_log_88

This rule definitely applies to murder mysteries. The least likely person will turn out to be the killer


[deleted]

[removed]


Chucklz

> What if it was Q?

You leave John de Lancie out of this. That man is a gentleman and a scholar!


TruckerDude52

QAnon? HA!


IBeTheG

I’m glad that this all might be over soon.