
Biz & IT

Ajit Pai’s “surprise” change makes it harder to get FCC broadband funding



Ajit Pai, chairman of the Federal Communications Commission, during an interview in New York, on Tuesday, Nov. 5, 2019.

After deciding to shut New York and Alaska out of a rural broadband fund, Federal Communications Commission Chairman Ajit Pai has made another change that could reduce or eliminate funding available for ISPs in other US states.

When the FCC yesterday approved the $20.4-billion Rural Digital Opportunity Fund (RDOF), the order contained a new provision that bans funding for areas already receiving money from any similar federal or state broadband-subsidy program. The new provision is so vague and expansive that it could affect areas in dozens of states or exclude some states from receiving money entirely, according to Democratic FCC Commissioner Geoffrey Starks.

“Based on my initial research, that means that the nearly 30 states that fund rural broadband through their own programs may find their eligibility reduced or eliminated,” Starks said before yesterday’s vote. “These provisions discourage badly needed state-federal partnerships, risk unequal application of the rules between states, and create an unnecessary risk of litigation.”

The draft version of the order, released publicly on January 9, excluded areas that already receive funding through the US Department of Agriculture’s ReConnect Program. The final version approved yesterday hasn’t been released publicly yet, but Starks said that it contained a much broader provision:

The version of the order now before us excludes from RDOF any area that the commission “know[s] to be awarded funding through the US Department of Agriculture’s ReConnect Program or other similar federal or state broadband subsidy programs, or those subject to enforceable broadband deployment obligations.”

The limit applies to Phase 1 of the program, which will distribute up to $16 billion of the $20.4 billion. The FCC says the first phase will “target those areas that current data confirm are wholly unserved,” and the remaining money will be set aside for the future second phase.

ISPs that obtain money through the program will be required to expand their networks to new homes and businesses. Each grant will provide annual support for 10 years, so the $16 billion in Phase 1 will amount to $1.6 billion a year. Phase 1 support will be distributed in a reverse auction beginning later this year.

Starks and fellow Democrat Jessica Rosenworcel partially dissented from yesterday’s vote.

“Surprise last-minute change”

Consumer-advocacy group Public Knowledge said the late addition to the order “may ban grants for millions of unconnected Americans.” Public Knowledge Senior VP Harold Feld said:

Read broadly, this surprise last-minute change impacts almost every state in the Union. Nearly every state either has its own broadband subsidy program, receives funds under the Department of Agriculture ReConnect program, or receives other federal funding for broadband.

Even read narrowly, this would appear to cut off millions of unconnected rural Americans from a program designed explicitly to help them. According to a Pew Report published in December 2019, 35 states have funds that directly subsidize broadband. Numerous other states have funds that might qualify as a ‘subsidy’ or ‘enforceable broadband deployment obligations,’ depending on how the FCC order defines these terms.

State-by-state lists of broadband programs and funds are available here and here.

The definitions used by the FCC will matter, because any single government program is unlikely to cover all the rural areas in a state with modern broadband service. Unless the new limit is carefully tailored to apply only to homes and businesses that are already slated to receive government-subsidized broadband, it could result in some unserved areas having no chance of getting modern Internet service in Phase 1 of the RDOF.

Pai hasn’t revealed which areas will be excluded from the program as a result of the change, nor has he said whether the FCC has determined which areas will be excluded. We contacted Pai’s office yesterday and will update this article if we get a response.

Pai defends new limit

Pai argued that the new limit that Starks objected to will prevent spending federal money twice in any given area. Pai said:

We must target our limited funds to bring broadband to those that will otherwise not be served. That means limiting our efforts to areas that do not have broadband and where there are no current federal and state programs, fiscal or otherwise, that will ensure that broadband is deployed in the near future. I cannot condone handing companies additional taxpayer money to deploy broadband in areas where they are already legally obligated to deploy broadband. Paying someone twice to do something once is something that everyone should oppose.

Before making the change, Pai’s office released a list of 48 states where ISPs can participate in the reverse auction along with the number of potentially eligible homes and businesses in each state. Those numbers presumably will be revised downward because of the new limit. The FCC said it shut New York and Alaska out of the program entirely “because of previously established programs to fund rural broadband in these states.”

US Senate Minority Leader Chuck Schumer (D-N.Y.) and Sen. Kirsten Gillibrand (D-N.Y.) objected to New York’s exclusion, saying that it would leave parts of New York unserved. The senators believe that their state shouldn’t be penalized for making previous attempts to fix its broadband-deployment problem.

(Update: After objections from members of Congress, Pai reversed course and informed lawmakers in a letter on January 30 that he has removed “overly broad language” that excluded New York from Phase 1 of the fund, and that New York’s eligibility “will be determined by the same neutral principles applicable to other states.” However, Pai noted that the change “does not guarantee that any particular area will be eligible for support,” and a provision that excludes census blocks with any access to 25Mbps/3Mbps service effectively shuts out 98.4 percent of residents in New York. This limit is described in the next section of this article.)

ISPs in each eligible area can apply for funding to support broadband networks offering at least 25Mbps download and 3Mbps upload speeds, or for higher tiers including 50Mbps/5Mbps, 100Mbps/20Mbps, and 1Gbps/500Mbps. ISPs are allowed to impose 250GB-per-month data caps on the 25Mbps/3Mbps and 50Mbps/5Mbps tiers, but must provide at least 2TB per month on the faster tiers.

Another limit, and bad broadband data

There’s another limit in Phase 1 that was in the FCC’s draft plan even before Pai added the provision blocking funding in areas with any “similar federal or state broadband subsidy programs.” Specifically, Phase 1 will exclude any census block where a home Internet provider offers service with at least 25Mbps download and 3Mbps upload speeds—even if only some homes in the census block have access to that network.

Pai acknowledged in his statement at yesterday’s meeting that some “partially served” areas will be ineligible for funding in Phase 1. “There are Americans living in areas where some but not all homes have service,” and those areas will not get funding in Phase 1, Pai said.

Partially served areas will be eligible for funding in Phase 2, which Pai says won’t happen until after the FCC fixes its broadband-mapping data. FCC broadband-access data is inaccurate, often underestimating the scope of the problem, and the commission voted in August to collect more precise data from ISPs going forward. Pai resisted calls from Democrats to delay Phase 1 until after more accurate data is available.

Rosenworcel said at yesterday’s meeting:

With today’s decision we commit the vast majority of universal service funds—$16 billion!—for the next ten years without first doing anything to improve our maps, survey service accurately, or fix the data disaster we have about the state of service today. That means if your home is marked as served by the FCC’s maps today and it is not, then for the next decade you are on your own. Good luck. It means millions of Americans will slip deeper into the digital divide.

Pai said that Phase 2 could end up distributing more than $4.4 billion, if Phase 1 doesn’t give out all of the allotted $16 billion. The FCC could also change the budget of Phase 2 “once we know precisely how large this part of the job is,” Pai said.

Republican Commissioner Michael O’Rielly defended the decision to move ahead with Phase 1 before data collection is improved. “[B]y limiting Phase 1 eligibility to those census blocks that have no broadband whatsoever and targeting those consumers truly deserving of FCC assistance, our action should not in any way trigger or exacerbate the rightful concerns raised over our broadband mapping procedures,” O’Rielly said.

The RDOF will replace the existing Connect America Fund. Both programs are paid for by Americans through fees imposed on phone bills.


Hackers tied to Russia’s GRU targeted the US grid for years




For all the nation-state hacker groups that have targeted the United States power grid—and even successfully breached American electric utilities—only the Russian military intelligence group known as Sandworm has been brazen enough to trigger actual blackouts, shutting the lights off in Ukraine in 2015 and 2016. Now one grid-focused security firm is warning that a group with ties to Sandworm’s uniquely dangerous hackers has also been actively targeting the US energy system for years.

On Wednesday, industrial cybersecurity firm Dragos published its annual report on the state of industrial control systems security, which names four new foreign hacker groups focused on those critical infrastructure systems. Three of those newly named groups have targeted industrial control systems in the US, according to Dragos. But most noteworthy, perhaps, is a group that Dragos calls Kamacite, which the security firm describes as having worked in cooperation with the GRU’s Sandworm. Kamacite has in the past served as Sandworm’s “access” team, the Dragos researchers write, focused on gaining a foothold in a target network before handing off that access to a different group of Sandworm hackers, who have then sometimes carried out disruptive effects. Dragos says Kamacite has repeatedly targeted US electric utilities, oil and gas, and other industrial firms since as early as 2017.

“They are continuously operating against US electric entities to try to maintain some semblance of persistence” inside their IT networks, says Dragos vice president of threat intelligence and former NSA analyst Sergio Caltagirone. In a handful of cases over those four years, Caltagirone says, the group’s attempts to breach those US targets’ networks have been successful, leading to access to those utilities that’s been intermittent, if not quite persistent.

Caltagirone says Dragos has only confirmed successful Kamacite breaches of US networks prior, however, and has never seen those intrusions in the US lead to disruptive payloads. But because Kamacite’s history includes working as part of Sandworm’s operations that triggered blackouts in Ukraine not once, but twice—turning off the power to a quarter million Ukrainians in late 2015 and then to a fraction of the capital of Kyiv in late 2016—its targeting of the US grid should raise alarms. “If you see Kamacite in an industrial network or targeting industrial entities, you clearly can’t be confident they’re just gathering information. You have to assume something else follows,” Caltagirone says. “Kamacite is dangerous to industrial control facilities because when they attack them, they have a connection to entities who know how to do destructive operations.”

Dragos ties Kamacite to electric grid intrusions not just in the US, but also to European targets well beyond the well-publicized attacks in Ukraine. That includes a hacking campaign against Germany’s electric sector in 2017. Caltagirone adds that there have been “a couple of successful intrusions between 2017 and 2018 by Kamacite of industrial environments in Western Europe.”

Dragos warns that Kamacite’s main intrusion tools have been spear-phishing emails with malware payloads and brute-forcing the cloud-based logins of Microsoft services like Office 365 and Active Directory as well as virtual private networks. Once the group gains an initial foothold, it exploits valid user accounts to maintain access, and has used the credential-stealing tool Mimikatz to spread further into victims’ networks.

Kamacite’s relationship to the hackers known as Sandworm—which has been identified by the NSA and US Justice Department as Unit 74455 of the GRU—isn’t exactly clear. Threat intelligence companies’ attempts to define distinct hacker groups within shadowy intelligence agencies like the GRU have always been murky. By naming Kamacite as a distinct group, Dragos is seeking to break down Sandworm’s activities differently from others who have publicly reported on it, separating Kamacite as an access-focused team from another Sandworm-related group it calls Electrum. Dragos describes Electrum as an “effects” team, responsible for destructive payloads like the malware known as Crash Override or Industroyer, which triggered the 2016 Kyiv blackout and may have been intended to disable safety systems and destroy grid equipment.

Together, in other words, the groups Dragos calls Kamacite and Electrum make up what other researchers and government agencies collectively call Sandworm. “One group gets in, the other group knows what to do when they get in,” says Caltagirone. “And when they operate separately, which we also watch them do, we clearly see that neither is very good at the other’s job.”

When WIRED reached out to other threat-intelligence firms including FireEye and CrowdStrike, none could confirm seeing a Sandworm-related intrusion campaign targeting US utilities as reported by Dragos. But FireEye has previously confirmed seeing a widespread US-targeted intrusion campaign tied to another GRU group known as APT28 or Fancy Bear, which WIRED revealed last year after obtaining an FBI notification email sent to targets of that campaign. Dragos pointed out at the time that the APT28 campaign shared command-and-control infrastructure with another intrusion attempt that had targeted a US “energy entity” in 2019, according to an advisory from the US Department of Energy. Given that APT28 and Sandworm have worked hand-in-hand in the past, Dragos now pins that 2019 energy-sector targeting on Kamacite as part of its larger multiyear US-targeted hacking spree.

Dragos’ report goes on to name two other new groups targeting US industrial control systems. The first, which it calls Vanadinite, appears to have connections to the broad group of Chinese hackers known as Winnti. Dragos blames Vanadinite for attacks that used the ransomware known as ColdLock to disrupt Taiwanese victim organizations, including state-owned energy firms. But it also points to Vanadinite targeting energy, manufacturing, and transportation targets around the world, including in Europe, North America, and Australia, in some cases by exploiting vulnerabilities in VPNs.

The second newly named group, which Dragos calls Talonite, appears to have targeted North American electric utilities, too, using malware-laced spear phishing emails. It ties that targeting to previous phishing attempts using malware known as Lookback identified by Proofpoint in 2019. Yet another group Dragos has dubbed Stibnite has targeted Azerbaijani electric utilities and wind farms using phishing websites and malicious email attachments, but has not hit the US to the security firm’s knowledge.

While none among the ever-growing list of hacker groups targeting industrial control systems around the world appears to have used those control systems to trigger actual disruptive effects in 2020, Dragos warns that the sheer number of those groups represents a disturbing trend. Caltagirone points to a rare but relatively crude intrusion targeting a small water treatment plant in Oldsmar, Florida earlier this month, in which a still-unidentified hacker attempted to vastly increase the levels of caustic lye in the 15,000-person city’s water. Given the lack of protections on those sorts of small infrastructure targets, a group like Kamacite, Caltagirone argues, could easily trigger widespread, harmful effects even without the industrial-control system expertise of a partner group like Electrum.

That means the rise in even relatively unskilled groups poses a real threat, Caltagirone says. The number of groups targeting industrial control systems has been continually growing, he adds, ever since Stuxnet showed at the beginning of the last decade that industrial hacking with physical effects is possible. “A lot of groups are appearing, and there are not a lot going away,” says Caltagirone. “In three to four years, I feel like we’re going to reach a peak, and it will be an absolute catastrophe.”

This story originally appeared on


AT&T announces deal to spin off DirecTV into new company owned by… AT&T



AT&T’s logo at its corporate headquarters on March 13, 2020 in Dallas, Texas.

Nearly six years after buying DirecTV for $48.5 billion, AT&T today announced a deal to sell a minority stake in the business unit and spin it out into a new subsidiary.

AT&T said its deal with private equity firm TPG Capital values the TV business at $16.25 billion. A press release said that AT&T and TPG “will establish a new company named DirecTV that will own and operate AT&T’s US video business unit consisting of the DirecTV, AT&T TV, and U-verse video services.”

AT&T will own 70 percent of the spun-off DirecTV company’s common equity while TPG will own 30 percent. DirecTV in its new form “will be jointly governed by a board with two representatives from each of AT&T and TPG, as well as a fifth seat for the CEO, which at closing will be Bill Morrow, CEO of AT&T’s US video unit,” the announcement said.

AT&T acknowledged that its DirecTV purchase didn’t work out as planned.

“With our acquisition of DirecTV, we invested approximately $60 billion in the US video business,” AT&T said in materials distributed to reporters. “It’s fair to say that some aspects of the transaction have not played out as we had planned, such as pay TV households in the US declining at a faster pace across the industry than anticipated when we announced the deal back in 2014. In fact, we took a $15.5 billion impairment on the business in 4Q20.”

Focus on 5G, fiber, and HBO Max

Separating DirecTV into a new unit will help AT&T focus on its key “strategic” areas of 5G mobile service, fiber Internet, and HBO Max, AT&T said.

“As the pay-TV industry continues to evolve, forming a new entity with TPG to operate the US video business separately provides the flexibility and dedicated management focus needed to continue meeting the needs of a high-quality customer base and managing the business for profitability,” AT&T CEO John Stankey said. “TPG is the right partner for this transaction and creating a new entity is the right way to structure and manage the video business for optimum value creation.”

The companies said they expect to close their transaction in the second half of 2021 and that it “is subject to customary closing conditions and to regulatory reviews.” AT&T said it expects to receive $7.6 billion in cash from the partial sale and that it will use the money to reduce its debt.

8 million TV customers fled AT&T

AT&T has lost over 8 million customers since early 2017 from its Premium TV services, which include DirecTV satellite, U-verse wireline video, and the newer AT&T TV online service. Total customers in that category decreased from over 25 million in early 2017 to 16.5 million at the end of 2020.

“Since AT&T closed the DirecTV acquisition in 2015, the business has generated cash flows of more than $4 billion per year, and the company expects this to continue in 2021,” today’s announcement said.

DirecTV’s deal with NFL Sunday Ticket apparently will not be disrupted, as AT&T said it will continue to “fund NFL Sunday Ticket for 2021 and 2022 (up to a $2.5B cumulative cap).”

Current video customers should not expect major changes, AT&T said.

“Existing AT&T video customers will become DirecTV customers at close and will be able to keep their video service and any bundled wireless or broadband services as well as associated discounts,” AT&T said. “AT&T and TPG are committed to a smooth transition and seamless customer experience and will work to further improve customer service and bring new features to DirecTV’s video services.”


Armed with exploits, hackers on the prowl for a critical VMware vulnerability



Hackers are mass scanning the Internet in search of VMware servers with a newly disclosed code-execution vulnerability that has a severity rating of 9.8 out of a possible 10.

CVE-2021-21972, as the security flaw is tracked, is a remote code-execution vulnerability in VMware vCenter server, an application for Windows or Linux that administrators use to enable and manage virtualization of large networks. Within a day of VMware issuing a patch, proof-of-concept exploits appeared from at least six different sources. The severity of the vulnerability, combined with the availability of working exploits for both Windows and Linux machines, sent hackers scrambling to actively find vulnerable servers.

“We’ve detected mass scanning activity targeting vulnerable VMware vCenter servers,” researcher Troy Mursch of Bad Packets wrote.

Mursch said that the BinaryEdge search engine found almost 15,000 vCenter servers exposed to the Internet, while Shodan searches revealed about 6,700. The mass scanning is aiming to identify servers that have not yet installed the patch, which VMware released on Tuesday.

Unfettered code execution, no authorization required

CVE-2021-21972 allows hackers with no authorization to upload files to vulnerable vCenter servers that are publicly accessible over port 443, researchers from security firm Tenable said. Successful exploits will result in hackers gaining unfettered remote code-execution privileges in the underlying operating system. The vulnerability stems from a lack of authentication in the vRealize Operations plugin, which is installed by default.

The flaw has received a severity score of 9.8 out of 10.0 on the Common Vulnerability Scoring System Version 3.0. Mikhail Klyuchnikov, the Positive Technologies researcher who discovered the vulnerability and privately reported it to VMware, compared the risk posed by CVE-2021-21972 to that of CVE-2019-19781, a critical vulnerability in the Citrix Application Delivery Controller.

The Citrix flaw came under active attack last year in ransomware attacks on hospitals and, according to a criminal indictment filed by the US Justice Department, in intrusions into game and software makers by hackers backed by the Chinese government.

In a blog post earlier this week, Klyuchnikov wrote:

In our opinion, the RCE vulnerability in the vCenter Server can pose no less a threat than the infamous vulnerability in Citrix (CVE-2019-19781). The error allows an unauthorized user to send a specially crafted request, which will later give them the opportunity to execute arbitrary commands on the server. After receiving such an opportunity, the attacker can develop this attack, successfully move through the corporate network, and gain access to the data stored in the attacked system (such as information about virtual machines and system users). If the vulnerable software can be accessed from the Internet, this will allow an external attacker to penetrate the company’s external perimeter and also gain access to sensitive data. Once again, I would like to note that this vulnerability is dangerous, as it can be used by any unauthorized user.

The researcher provided technical details here.


CVE-2021-21972 affects vCenter Server versions 6.5, 6.7, and 7.01. People running one of these versions should update to 6.5 U3n, 6.7 U3l, or 7.0 U1c as soon as possible. Those who can’t immediately install a patch should implement these workarounds, which involve changing a compatibility matrix file and setting the vRealize plugin to incompatible.
