News

September 9, 2021

CyberBay Summit to Spark the Next Digital Defense Movement

CyberBay 2025 Tampa Florida Oct. 13-15

Tampa Bay conference unites cybersecurity, AI, national security leaders

July 15, 2025—Tampa, Fla.—CyberBay 2025, a high-impact summit uniting the nation’s leading minds in cybersecurity, artificial intelligence, and national security, is launching in Tampa Bay this fall. The event will engage leaders in business, investment, education, and the military with a bold agenda focused on redefining the front lines of digital defense.

Set for October 13–15, 2025 at the Tampa Marriott Water Street, the event is hosted by Cyber Florida, University of South Florida (USF), The USF Bellini College of AI, Cybersecurity and Computing, USF Institute for AI+X, and Bellini Capital. Registration is now open at CyberBay.org.

“Tampa Bay is the hub of America’s cyber resilience. Established companies, startups, investors, educators, and the military are building a next-generation cybersecurity ecosystem that outpaces threats and serves as an economic engine for the country,” said Arnie Bellini, Managing Partner at Bellini Capital. “CyberBay 2025 will ignite innovation and action from classrooms to corporations to command centers.”

Content at the summit will mobilize a new era of cyber readiness capable of safeguarding infrastructure, protecting free enterprise, and defending digital borders. The agenda will focus on cybersecurity, AI+X, national security, the start-up/VC ecosystem, research and development, and education, talent recruitment, and retention.

In addition, a cybersecurity Capture the Flag competition will feature rising talent, and an AI and Cyber Talent Showcase will bring graduating students and job seekers together with leaders from Tampa’s tech industry.

Current speakers include:

  • Jen Easterly, former director of the Cybersecurity and Infrastructure Security Agency, combat veteran, cybersecurity pioneer
  • General (Ret.) Frank McKenzie, Executive Director, Cyber Florida at USF and the Global and National Security Institute, USF
  • Patrick McDaniel, Professor of Computer Sciences, University of Wisconsin–Madison
  • Arnie Bellini, Tech Entrepreneur & Managing Partner, Bellini Capital
  • Gayle Sheppard, Board of Directors, Nutanix
  • Elisa Bertino, Samuel D. Conte Distinguished Professor of Computer Science, Purdue University

Early bird ticket pricing is available until July 31, 2025.

Ticket                            Early Bird Price   Regular Price after July 31
General Admission                 $200               $250
Gov/Academia/Military/Nonprofit   $150               $200
Student                           $20                $40

Sponsors for the event include ConnectSecure, ThreatLocker, and CyberFOX, among other Tampa institutions and cybersecurity organizations.

For sponsorship information, please contact Andrew Morgan at andrew@rightofboom.com.

Journalists interested in attending should contact Jennifer Kleman, APR, CPRC, Cyber Outreach Manager at Jennifer437@cyberflorida.org for a complimentary ticket.

About The University of South Florida (USF)
The University of South Florida is a top-ranked research university, serving approximately 50,000 students from across the globe at campuses in Tampa, St. Petersburg, Sarasota-Manatee and USF Health. USF is recognized by U.S. News & World Report as a top 50 public university and the best value in Florida. U.S. News also ranks the USF Health Morsani College of Medicine as the No. 1 medical school in Florida and in the highest tier nationwide. USF is a member of the Association of American Universities (AAU), a group that includes only the top 3% of universities in the U.S. With an all-time high of $738 million in research funding in 2024 and as a top 20 public university for producing U.S. patents, USF uses innovation to transform lives and shape a better future. The university generates an annual economic impact of more than $6 billion. USF’s Division I athletics teams compete in the American Athletic Conference. Learn more at www.usf.edu.

About USF Bellini College of AI, Cybersecurity and Computing
The Bellini College of AI, Cybersecurity and Computing at the University of South Florida is the first named college for AI, cybersecurity, and computing, dedicated to advancing education, research and ethical innovation. The College is designed to foster interdisciplinary innovation and technology development through strong industry and government partnerships, serving as a critical talent center for CyberBay and the cybersecurity sector as a whole.

About Cyber Florida at USF
The Florida Center for Cybersecurity at the University of South Florida, commonly referred to as Cyber Florida at USF, was established by the Florida Legislature in 2014. Its mission is to position Florida as a national leader in cybersecurity through comprehensive education, cutting-edge research, and extensive outreach. Cyber Florida leads various initiatives to inspire and educate current and future cybersecurity professionals, advance applied research, and enhance cybersecurity awareness and safety of individuals and organizations.

About USF Institute for Artificial Intelligence (AI+X)
The USF Institute for Artificial Intelligence (AI+X) is a university-wide research and education center for Artificial Intelligence. It conducts externally-funded research in Artificial Intelligence (AI) and associated areas (X = Healthcare, Medicine, Biology, Cybersecurity, Finance, Business, Manufacturing, Transportation), using a transdisciplinary approach across Neuroscience, Cognitive Science, and Computer Science, and works with industry to transition its research into products that benefit humanity in an ethical and responsible manner.

About Bellini Capital
Deploying capital through a blend of seed investment and philanthropy, Bellini Capital is seeking to create an unbreakable ecosystem of cybersecurity innovation, talent development, and ecological stewardship. The firm was founded by technology entrepreneur, investor, and philanthropist, Arnie Bellini, and is based in Tampa, Florida (a.k.a. CyberBay).

Media contact:
Jennifer Kleman, APR, CPRC
Cyber Outreach Manager
Jennifer437@cyberflorida.org

Published 2025-07-15T09:10:09-04:00

Student Spotlight: Louis Noble


Student: Louis Noble

School: Seminole Ridge Community High School

District: Palm Beach County

Meet Louis Noble! Louis is an outstanding cybersecurity student at Seminole Ridge Community High School in Palm Beach County. He consistently approaches every challenge with a commitment to excellence.

Starting as a self-taught programmer and cybersecurity enthusiast, Louis went on to complete AP Computer Science Principles and AP Computer Science A, while actively participating in the school’s IT program and standout cybersecurity class.

His interest in cybersecurity was first sparked through hands-on experience with a family mentor, whose encouragement inspired a lasting fascination with solving real-world cyber threats.

Today, Louis stands out as a dedicated learner—transforming curiosity into expertise and embracing every opportunity to drive innovation in the cybersecurity landscape. Cyber Florida is proud to recognize Louis’ inspiring journey in this vital field.

Do you teach a great student who should be featured in our Student Spotlight?
Please complete the form below!

Published 2025-07-11T08:58:05-04:00

Teacher Spotlight: Valerie Mays


Teacher: Valerie Mays

District: Palm Beach

Meet Valerie Mays, an awesome teacher at Palm Beach Lakes Community High School in Palm Beach County. With over 22 years of experience in education, she understands the growing importance of cybersecurity as technology evolves and threats become more complex.

Valerie’s approach focuses on preparing students to thrive in this dynamic landscape by equipping them with the skills and certifications needed to step confidently into emerging cyber roles, many of which are just being defined. She values the opportunity to connect learners with industry-relevant knowledge while nurturing their passion and potential.

Through her guidance, students are empowered to design innovative solutions, launch new initiatives, pursue meaningful careers in government or the private sector, and become transformative leaders in the ever-changing digital world.

Cyber Florida is proud to celebrate Valerie’s outstanding contributions to cybersecurity education.

Would you like to be featured in our Teacher Spotlight? To nominate yourself or another deserving teacher, complete the interest form below!

Published 2025-07-10T13:13:29-04:00

Kathy Collins — From AOL to Award-Winning Cuisine to High-Stakes Hacking

Published 2025-07-07T12:30:51-04:00

Deepfake Cyber Threats: Understanding the Risks of AI-Powered Fraud and Scams

I. Targeted Entities

Deepfake technologies pose a threat to a wide range of entities, including but not limited to:

  • Individuals / General Public
  • Politicians and Political Processes
  • Celebrities and Public Figures
  • Organizations and Corporations:
    • Senior Executives
    • Financial Sector
  • Government Officials and Agencies

II. Introduction and Key Threat Details

Introduction

Synthetic media generated by Artificial Intelligence (AI), commonly known as deepfakes, are rapidly multiplying and increasing in sophistication. We are currently witnessing a significant surge in deepfake incidents; for instance, there was a 257% rise in recorded incidents from 2023 to 2024, and the first quarter of 2025 alone surpassed the total incidents of the previous year.

The potential impacts are severe and varied. These include substantial financial losses for organizations and individuals, as seen by the $25 million fraud at Arup, where executives were impersonated via deepfake video. Deepfakes are key in disinformation campaigns that erode public trust and can influence political outcomes, such as through fake calls targeting voters. Furthermore, the technology is used to create non-consensual explicit content and enhance the effectiveness of social engineering attacks.

As outlined in Section I, targets span from the general public and public figures to corporations (particularly in finance) and government entities. Addressing this emerging threat requires a multi-layered strategy. Organizations must implement robust cybersecurity policies, conduct continuous employee awareness training, deploy technical safeguards, and enforce strict verification protocols. Also, individuals need to develop media literacy, enhance personal data security, and be skeptical of certain online information. Official bodies, such as the FBI, are increasingly issuing warnings and guidance, indicating a move towards more collaborative defense.

Key Threat Details

Threat Type: The threat involves the malicious use of deepfakes, which are AI-generated synthetic media (audio, video, or images) carefully crafted to impersonate real individuals or fabricate events that never occurred. The primary technology empowering deepfakes is Generative Adversarial Networks (GANs). A GAN consists of two neural networks: a ‘generator’ that creates the fake content and a ‘discriminator’ that attempts to distinguish the fake content from authentic examples. Through an iterative, adversarial training process, the generator becomes progressively better at creating realistic fakes that can deceive the discriminator, and ultimately, human perception. This technology is leveraged by increasingly accessible software, with tools like Iperov’s DeepFaceLab and FaceSwap, and services like Voice.ai, Mur.ai, and Elevenlabs.io for voice cloning.

Targets

  • Individuals (General Public): Targeted for fraud, non-consensual explicit content, and harassment.
  • Politicians and Political Processes: Disinformation campaigns, impersonation to influence elections, and reputational attacks.
  • Celebrities and Public Figures: Often targeted for non-consensual explicit content, endorsement scams, and reputational damage.
  • Organizations and Corporations:
    • Senior Executives (CEOs, CFOs): Impersonated in financial fraud schemes.
    • Financial Sector: Targeted for large-scale fraud, market manipulation through disinformation, and undermining customer trust.
  • Government Officials and Agencies: Impersonated to obtain sensitive information, spread disinformation, or authorize fraudulent actions.

Impact

If successful, deepfake attacks can lead to:

  • Financial Fraud: Significant monetary losses through impersonation of executives or trusted parties to authorize fraudulent transactions (vishing).
  • Disinformation and Political Destabilization: Manipulation of public opinion, interference in elections, incitement of social unrest, and damage to democratic processes.
  • Reputational Harm: Severe damage to personal or corporate reputations through the creation and dissemination of non-consensual explicit material, defamatory statements, or fabricated incriminating evidence.
  • Social Engineering and Data Breaches: Gaining unauthorized access to sensitive systems or information by impersonating trusted individuals and deceiving employees.
  • Erosion of Trust: Diminished public trust in authentic media, institutions, and digital communication (“liar’s dividend”).
  • Operational Disruption: Business operations can be disrupted by disinformation campaigns or internal fraud incidents.

Contextual Info

Deepfake technology is accessible to a wide spectrum of malicious actors. This includes individual fraudsters, online harassers, organized criminal enterprises focused on financial gain, and potentially state-sponsored groups deploying deepfakes for complex disinformation campaigns and political interference.

Related Campaigns/Past Activity

The versatility of deepfakes is seen through various high-profile incidents:

  • The $25 million financial fraud at Arup, where attackers used deepfake video and audio to impersonate senior executives in a conference call, compelling an employee to make unauthorized transfers.
  • AI-generated calls impersonating U.S. President Joe Biden, which urged voters in New Hampshire not to participate in the primary election, representing a direct attempt at election interference.
  • The widespread creation and distribution of non-consensual explicit deepfake images of public figures like Taylor Swift, highlighting the potential for severe personal and reputational harm.

MITRE ATT&CK TTPs

T1566 Phishing: Deepfakes, especially audio (voice clones), are used in vishing (voice phishing) campaigns, aligning with sub-techniques like T1566.003 Spearphishing Voice.

T1591.002 Create/Modify Content: Deepfakes inherently involve creating or modifying content to deceive, related to broader information operations or influence campaigns.

IV. Recommendations

For Organizations

Policies:

  • Develop and enforce robust cybersecurity policies that address the risks of deepfake attacks. Integrate deepfake scenarios into incident response plans and conduct regular practice incidents.
  • Establish clear guidelines on the acceptable use of AI and synthetic media tools within the organization.

Awareness/Training:

  • Implement continuous security awareness training for all employees, leadership, and relevant third parties. Training should cover deepfake identification, the psychological tactics used by attackers (e.g., urgency, authority bias), and established reporting procedures.

Technical Safeguards:

  • Enforce strong Multi-Factor Authentication (MFA) across all systems and users, prioritizing stronger methods for critical access points.
  • Deploy AI-powered detection tools for high-risk communication channels (e.g., video conferencing, customer service calls).
  • Adopt a Zero Trust security architecture, assuming no user or device is inherently trustworthy without continuous verification.
  • Monitor for Virtual Camera Software in Logs: For live deepfake attacks, attackers may use virtual camera software like Open Broadcaster Software (OBS) to feed the manipulated video into the meeting application. If logging is enabled for platforms like Zoom or Microsoft Teams, security teams can review logs for camera device names. The presence of uncommon camera names like ‘OBS Virtual Camera’ can be a strong indicator of a deepfake attempt, since this software is not typically used by employees for standard meetings.
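One way to run the virtual-camera log check described above over a meeting-platform device export, as an added example that is not part of the advisory. It assumes a CSV export with a camera_device column (the sample rows are constructed, and the sanctioned-camera allowlist is a hypothetical one an organization would maintain); it flags known virtual-camera driver names as strong indicators and rare unrecognized names for analyst review:

```python
import csv
import io
import re
from collections import Counter

# Device names that common virtual-camera software registers as a capture device.
VIRTUAL_CAMERA_PATTERNS = (
    re.compile(r"\bOBS\b", re.IGNORECASE),               # "OBS Virtual Camera"
    re.compile(r"virtual\s*cam(era)?", re.IGNORECASE),   # generic "Virtual Cam(era)"
    re.compile(r"\b(ManyCam|XSplit|Snap Camera|NDI)\b", re.IGNORECASE),
)

# Assumption: the organization keeps an allowlist of sanctioned hardware
# camera names. Anything not on it and not clearly virtual is "unknown".
SANCTIONED_CAMERAS = {
    "Integrated Camera",
    "FaceTime HD Camera",
    "Logitech BRIO",
}

# Constructed sample export (not a real Zoom/Teams log) with the fields a
# meeting-platform device report would typically carry.
SAMPLE_LOG = """\
timestamp,meeting_id,participant,camera_device
2025-06-30T14:01:12Z,881234,cfo@example.com,Integrated Camera
2025-06-30T14:01:15Z,881234,controller@example.com,Logitech BRIO
2025-06-30T14:02:40Z,881234,ceo@example.com,OBS Virtual Camera
2025-06-30T15:10:03Z,881299,analyst@example.com,FaceTime HD Camera
2025-06-30T15:10:09Z,881299,vendor@partner.example,ManyCam Virtual Webcam
2025-06-30T16:00:00Z,881350,hr@example.com,USB2.0 HD UVC WebCam
"""


def classify_camera(device_name):
    """Return 'virtual', 'sanctioned' or 'unknown' for a camera device name."""
    if any(p.search(device_name) for p in VIRTUAL_CAMERA_PATTERNS):
        return "virtual"
    if device_name in SANCTIONED_CAMERAS:
        return "sanctioned"
    return "unknown"


def review_meeting_log(log_text, rare_threshold=1):
    """Scan a CSV device export and return one alert dict per suspicious row.

    'virtual' names are the strong indicator the advisory describes (high).
    'unknown' names seen at most `rare_threshold` times across the whole export
    are flagged at lower severity (medium) so an analyst can confirm whether
    they are legitimate hardware that is simply missing from the allowlist.
    """
    rows = list(csv.DictReader(io.StringIO(log_text)))
    seen = Counter(r["camera_device"] for r in rows)   # how common each name is
    alerts = []
    for r in rows:
        name = r["camera_device"]
        kind = classify_camera(name)
        if kind == "virtual":
            severity = "high"
        elif kind == "unknown" and seen[name] <= rare_threshold:
            severity = "medium"
        else:
            continue
        alerts.append({
            "severity": severity,
            "meeting_id": r["meeting_id"],
            "participant": r["participant"],
            "camera_device": name,
            "reason": f"{kind} camera device ({seen[name]} occurrence(s) in export)",
        })
    return alerts


if __name__ == "__main__":
    for a in review_meeting_log(SAMPLE_LOG):
        print(f"[{a['severity'].upper()}] meeting {a['meeting_id']} "
              f"{a['participant']}: {a['camera_device']} ({a['reason']})")
```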

Verification and Controls:

  • Implement strict verification (e.g., phone call authentication) for any unusual or high-value requests, specifically those involving financial transfers, changes to payment details, or disclosure of sensitive information over digital channels.
  • Implement “master passcodes” or challenge questions for authenticating identities during sensitive communications.
  • Enforce dual approvals for significant decisions/transactions.

Preventative Measures:

  • Minimize the public availability of audiovisual material of executives/employees to limit training data for attackers.
  • Assess organizational susceptibility to deepfake attacks, identifying vulnerable processes and personnel.

For Individuals

Increase Media Literacy and Critical Thinking:

  • Approach online content with healthy skepticism. Question the authenticity of unexpected, sensational, or emotionally manipulative videos, audio messages, or images.
  • Always consider the source of information. Verify claims through multiple reputable sources before accepting them as true.

Recognize Potential Red Flags:

  • Be aware of common visual indicators such as unnatural eye movements, mismatched lighting, a face that flickers when an object passes in front of it, or an unwillingness from the person to show their side profile. For audio, listen for robotic cadence, unnatural pitch, or lack of emotional inflection [17]. However, understand that sophisticated deepfakes may not exhibit obvious flaws.

Protect Personal Data:

  • Review and tighten privacy settings on all social media accounts to limit public access to personal images, videos, and information.
  • Be mindful of the amount of personal audiovisual data shared online.

Verify and Report:

  • If you receive a suspicious or urgent request, even if it appears to be from a known contact, verify it through a separate, trusted communication channel (e.g., call a known phone number).
  • Report suspected deepfakes immediately to the platform where they are hosted. If the deepfake is being used for malicious purposes (e.g., fraud, harassment, defamation, non-consensual explicit content), report it to law enforcement agencies.

VII. References

Works cited

1. Deepfake statistics 2025: how frequently are celebrities targeted?, accessed June 7, 2025, https://surfshark.com/research/study/deepfake-statistics

2. Cybercrime: Lessons learned from a $25m deepfake attack | World …, accessed June 7, 2025, https://www.weforum.org/stories/2025/02/deepfake-ai-cybercrime-arup/

3. Understanding the Hidden Costs of Deepfake Fraud in Finance – Reality Defender, accessed June 7, 2025, https://www.realitydefender.com/insights/understanding-the-hidden-costs-of-deepfake-fraud-in-finance

4. Top 5 Cases of AI Deepfake Fraud From 2024 Exposed | Blog – Incode, accessed June 7, 2025, https://incode.com/blog/top-5-cases-of-ai-deepfake-fraud-from-2024-exposed/

5. Gauging the AI Threat to Free and Fair Elections | Brennan Center for Justice, accessed June 7, 2025, https://www.brennancenter.org/our-work/analysis-opinion/gauging-ai-threat-free-and-fair-elections

6. FBI warns of fake texts, deepfake calls impersonating senior U.S. …, accessed June 7, 2025, https://cyberscoop.com/fbi-warns-of-ai-deepfake-phishing-impersonating-government-officials/

7. Top 10 Terrifying Deepfake Examples – Arya.ai, accessed June 7, 2025, https://arya.ai/blog/top-deepfake-incidents

8. Deepfake threats to companies – KPMG International, accessed June 7, 2025, https://kpmg.com/xx/en/our-insights/risk-and-regulation/deepfake-threats.html

9. Cybercrime Trends: Social Engineering via Deepfakes | Lumi Cybersecurity, accessed June 7, 2025, https://www.lumicyber.com/blog/cybercrime-trends-social-engineering-via-deepfakes/

10. Investigation finds social media companies help enable explicit deepfakes with ads for AI tools – CBS News, accessed June 7, 2025, https://www.cbsnews.com/video/investigation-finds-social-media-companies-help-enable-explicit-deepfakes-with-ads-for-ai-tools/

11. How to Mitigate Deepfake Threats: A Security Awareness Guide – TitanHQ, accessed June 7, 2025, https://www.titanhq.com/security-awareness-training/guide-mitigate-deepfakes/

12. Deepfake Defense: Your Shield Against Digital Deceit | McAfee AI Hub, accessed June 7, 2025, https://www.mcafee.com/ai/news/deepfake-defense-your-8-step-shield-against-digital-deceit/

13. FBI Warns of Deepfake Messages Impersonating Senior Officials …, accessed June 7, 2025, https://www.securityweek.com/fbi-warns-of-deepfake-messages-impersonating-senior-officials/

14. FBI Alert of Malicious Campaign Impersonating U.S. Officials Points to the Urgent Need for Identity Verification – BlackCloak | Protect Your Digital Life™, accessed June 7, 2025, https://blackcloak.io/fbi-alert-of-malicious-campaign-impersonating-u-s-officials-points-to-the-urgent-need-for-identity-verification/

15. AI’s Role in Deepfake Countermeasures and Detection Essentials from Tonex, Inc. | NICCS, accessed June 7, 2025, https://niccs.cisa.gov/training/catalog/tonex/ais-role-deepfake-countermeasures-and-detection-essentials

16. What is a Deepfake Attack? | CrowdStrike, accessed June 7, 2025, https://www.crowdstrike.com/en-us/cybersecurity-101/social-engineering/deepfake-attack/

17. Determine Credibility (Evaluating): Deepfakes – Milner Library Guides, accessed June 7, 2025, https://guides.library.illinoisstate.edu/evaluating/deepfakes

18. Understanding the Impact of Deepfake Technology – HP.com, accessed June 7, 2025, https://www.hp.com/hk-en/shop/tech-takes/post/understanding-impact-deepfake-technology

19. Deepfakes: Definition, Types & Key Examples – SentinelOne, accessed June 7, 2025, https://www.sentinelone.com/cybersecurity-101/cybersecurity/deepfakes/

20. en.wikipedia.org, accessed June 7, 2025, https://en.wikipedia.org/wiki/Deepfake#:~:text=While%20the%20act%20of%20creating,generative%20adversarial%20networks%20(GANs).

21. What are deepfakes? – Malwarebytes, accessed June 7, 2025, https://www.malwarebytes.com/cybersecurity/basics/deepfakes

22. Complete Guide to Generative Adversarial Network (GAN) – Carmatec, accessed June 7, 2025, https://www.carmatec.com/blog/complete-guide-to-generative-adversarial-network-gan/

23. How to Get Started with GANs: A Step-by-Step Tutorial – Draw My Text – Text-to-Image AI Generator, accessed June 7, 2025, https://drawmytext.com/how-to-get-started-with-gans-a-step-by-step-tutorial/

24. Detection of AI Deepfake and Fraud in Online Payments Using GAN-Based Models – arXiv, accessed June 7, 2025, https://arxiv.org/pdf/2501.07033

25. What is a GAN? – Generative Adversarial Networks Explained – AWS, accessed June 7, 2025, https://aws.amazon.com/what-is/gan/

26. Overview of GAN Structure | Machine Learning – Google for Developers, accessed June 7, 2025, https://developers.google.com/machine-learning/gan/gan_structure

27. Unlocking the Power of GAN Architecture Diagram: A Comprehensive Guide for Developers, accessed June 7, 2025, https://www.byteplus.com/en/topic/110690

28. We Looked at 78 Election Deepfakes. Political Misinformation Is Not an AI Problem., accessed June 7, 2025, https://knightcolumbia.org/blog/we-looked-at-78-election-deepfakes-political-misinformation-is-not-an-ai-problem

29. What is a deepfake? – Internet Matters, accessed June 7, 2025, https://www.internetmatters.org/resources/what-is-a-deepfake/

30. Don’t Be Fooled: 5 Strategies to Defeat Deepfake Fraud – Facia.ai, accessed June 7, 2025, https://facia.ai/blog/dont-be-fooled-5-strategies-to-defeat-deepfake-fraud/

31. Top 10 AI Deepfake Detection Tools to Combat Digital Deception in 2025 – SOCRadar, accessed June 7, 2025, https://socradar.io/top-10-ai-deepfake-detection-tools-2025/

32. How to Spot Deepfakes – Fake News – Dr. Martin Luther King, Jr. Library at San José State University Library, accessed June 7, 2025, https://library.sjsu.edu/fake-news/deepfakes

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Derek Kravetsky

Published 2025-07-02T09:38:08-04:00

Career Launch Series: From Apprentice to Advisor


How Cyber Florida’s SOCAP Helped Erika Delvalle Launch Her Cybersecurity Career

When Erika Delvalle crossed the stage to receive her diploma from the University of South Florida in December, she wasn’t just closing a chapter; she was already deep into the next one. Now a full-time cybersecurity advisor at Rapid7, Erika helps organizations strengthen their security postures using tools like InsightIDR and InsightVM. However, she credits much of her early success to the experience and exposure she gained through Cyber Florida’s SOCAP (Security Operations Center Apprenticeship Program).

Real-World Skills, Real-World Confidence

SOCAP gave Erika more than just a preview of what life in cybersecurity could look like; it gave her a running start. During her time in the program, Erika helped write and distribute monthly threat hunting reports to government agencies, gaining valuable experience in technical analysis and professional communication.

“That experience gave me the confidence to write full reports and share them with external partners,” she recalled. “That was the moment I felt ready for the real world. It showed me I could handle the technical side and clearly explain what I found.”

She also became familiar with industry-standard tools like Splunk, CrowdStrike, and Recorded Future—knowledge that has translated directly into her current role.

“Much of what I do now is rooted in what I learned in SOCAP. The hands-on practice helped me hit the ground running.”

A Day in the Life at Rapid7

In her new role at Rapid7, no two days are the same. Erika works closely with clients to ensure they understand how to get the most out of their security tools while staying on top of constant product updates and industry developments.

“I spend a lot of time answering questions, helping clients troubleshoot, and collaborating with our SOC team to resolve any concerns,” she said. “There’s also a lot of learning—our tools evolve quickly, and I’ve had to develop strategies to keep up.”

Erika said she uses many methods to stay current, including watching videos, reading documentation, asking coworkers, and simply following her curiosity.

Building a Strong Foundation

While many of the incidents she deals with—such as phishing attempts or user authentication issues—may seem routine, Erika knows how critical the fundamentals are.

“Most challenges I see are about getting the basics right,” she said. “Things like user awareness, multi-factor authentication, and general security hygiene go a long way. My job is to help clients improve those areas and get more out of the tools they’re using.”

SOCAP’s emphasis on foundational skills made that transition smoother.

“If there’s one thing I wish I had done differently,” she reflected, “it’s diving deeper into the tools we had access to. There’s so much more under the surface, and those extra layers of understanding would be even more useful now.”

Advice for the Next Generation

To current SOCAP students and aspiring cybersecurity professionals, Erika offers practical advice: keep an open mind.

“Say yes to new opportunities even if they aren’t your dream job right away,” she said. “Everything teaches you something. Use outside resources like CTFs, certifications, or conferences to determine what you enjoy.”

And don’t underestimate the human side of the job.

“One thing that surprised me was how important it is to build personal connections. Before we dive into technical problems, we always check in and ask how the client’s day is going. It sets the tone.”

Looking Ahead

Erika sees herself continuing to grow within the blue team, focused on defense, incident response, and helping others understand the value of strong security practices. She’s also eyeing certifications from CISA and SANS as part of her professional development.

“I feel good about where I’m at, but there’s always room to grow,” she said. “I’d like to eventually move into a more technical SOC or support role and keep impacting that way.”

Life Outside the SOC

When she’s not helping organizations defend against cyber threats, Erika finds a different kind of freedom on two wheels.

“I got into motorcycles last summer after seeing a bunch of videos in my feed,” she said with a laugh. “It’s such a fun and relaxing way to take a break from work. Plus, it’s a great excuse to explore Florida and find new food spots.”

Erika Delvalle’s journey—from SOCAP apprentice to trusted cybersecurity advisor—is a testament to the power of experiential learning and the importance of mentorship, tools, and real-world practice. Her story is a shining example of how Cyber Florida’s mission to develop a skilled cyber workforce is making a tangible difference, one career at a time.

Published 2025-07-01T11:23:19-04:00

Russian GRU Targeting Western Logistics Entities and Technology Companies

I. Targeted Entities

  • Western logistics entities and technology companies involved in transportation and coordination of aid to Ukraine.
  • Defense industry entities
  • Transportation hubs (ports, airports)
  • Maritime sectors
  • Air traffic management systems
  • IT services

II. Introduction

Since early 2022, the Russian General Staff Main Intelligence Directorate (GRU), specifically its 85th Main Special Service Center (85th GTsSS), also identified as APT28, Fancy Bear, Forest Blizzard, and BlueDelta, has been actively conducting cyber espionage operations against Western logistics and technology entities. This ongoing campaign primarily targets entities facilitating foreign assistance to Ukraine, highlighting a strategic effort to monitor, disrupt, or influence the flow of aid to Ukraine.

Attack Details: The GRU unit 26165 has leveraged sophisticated cyber espionage tactics, including credential guessing, spearphishing, exploitation of known vulnerabilities, and abuse of internet-facing infrastructure such as corporate VPNs. Notable vulnerabilities exploited in this campaign include CVE-2023-23397 (Outlook NTLM), CVE-2023-38831 (WinRAR), and several Roundcube vulnerabilities (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026).

Recent analysis highlights the GRU’s use of geopolitical event lures, notably exploiting the Israel-Hamas conflict to deliver the HEADLACE malware, enabling comprehensive network penetration and persistent espionage (Mühr, Zaboeva, & Fasulo, 2025).

III. MITRE ATT&CK Framework

Initial Access:

  • Exploitation of Public-Facing Applications (T1190)
    • Exploited known vulnerabilities in publicly accessible applications such as Microsoft Exchange and corporate VPNs to achieve initial entry.
  • Spearphishing (T1566)
    • Distributed carefully crafted phishing emails using contextually relevant geopolitical lures (e.g., Israel-Hamas conflict) to trick users into executing malicious payloads.
  • Brute Force and Credential Guessing (T1110)
    • Conducted systematic credential guessing and brute force attacks targeting exposed remote services, including RDP and VPN logins.
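Detection logic for the credential-guessing activity listed under Initial Access, as an added example that is not the advisory's own code. The log line format and the sample events are constructed (map real VPN/RDP authentication logs onto the same time, service, outcome, user and source fields); it separates a brute-force burst against one account from a password spray across many accounts, and flags a success that follows a burst from the same source:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format (assumption):
#   "<iso-time> <rdp|vpn> <FAIL|OK> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>rdp|vpn) (?P<outcome>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def constructed_log():
    """Constructed sample log: normal traffic, one brute-force burst, one spray."""
    lines = [
        "2025-05-20T08:00:01Z vpn OK user=j.doe src=192.0.2.10",
        "2025-05-20T08:00:30Z rdp FAIL user=m.ortiz src=192.0.2.11",   # a single typo
        "2025-05-20T08:00:45Z rdp OK user=m.ortiz src=192.0.2.11",
    ]
    # 12 failures in under a minute against one account, then a success
    for i in range(12):
        lines.append(f"2025-05-20T08:01:{i * 5:02d}Z rdp FAIL user=administrator src=203.0.113.7")
    lines.append("2025-05-20T08:02:05Z rdp OK user=administrator src=203.0.113.7")
    # one failure each against six different accounts from a single source
    for i, user in enumerate(["a.smith", "b.jones", "c.lee", "d.khan", "e.ruiz", "f.chen"]):
        lines.append(f"2025-05-20T08:10:{i * 10:02d}Z vpn FAIL user={user} src=198.51.100.9")
    return "\n".join(lines)


def detect(log_text, window=timedelta(minutes=5), fail_threshold=10,
           spray_users=5, success_after=3):
    """Walk events in time order with a per-source sliding window of failures.

    Alert types:
      brute_force            - >= fail_threshold failures from one source inside window
      password_spray         - failures against >= spray_users distinct accounts from one source
      success_after_failures - a success from a source that already has >= success_after
                               failures in its window (a guessed credential is the likely cause)
    Each (source, type) pair is reported once.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(deque)   # src -> deque of (timestamp, user) failures inside window
    reported = set()
    alerts = []

    def report(kind, ev, detail):
        key = (ev["src"], kind)
        if key not in reported:
            reported.add(key)
            alerts.append({"type": kind, "src": ev["src"], "at": ev["ts"], "detail": detail})

    for ev in events:
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if ev["outcome"] == "FAIL":
            q.append((ev["ts"], ev["user"]))
            distinct = {u for _, u in q}
            if len(q) >= fail_threshold:
                report("brute_force", ev, f"{len(q)} failures within {window}")
            if len(distinct) >= spray_users:
                report("password_spray", ev, f"{len(distinct)} accounts tried: {sorted(distinct)}")
        elif len(q) >= success_after:
            report("success_after_failures", ev,
                   f"login as {ev['user']} after {len(q)} recent failures")
    return alerts


if __name__ == "__main__":
    for a in detect(constructed_log()):
        print(f"{a['at'].isoformat()} {a['type']:<22} src={a['src']} {a['detail']}")
```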

Execution:

  • Command and Scripting Interpreter (T1059)
    • Command and Scripting Interpreter (T1059) is a highly prevalent execution technique in MITRE ATT&CK that adversaries use to run arbitrary commands, scripts, or binaries on target systems via built-in interpreters such as PowerShell, cmd.exe, Bash, Python, JavaScript, AppleScript, and Visual Basic.
  • User Execution (T1204)
    • Deployed malicious attachments and phishing links designed to prompt users into inadvertently executing malicious scripts or payloads.

Persistence:

  • Scheduled Task (T1053)
    • Established scheduled tasks to regularly execute malicious scripts and maintain long-term access.
  • Shortcut Modification (T1547.009)
    • Altered desktop shortcuts to point to malicious executables, ensuring persistent and subtle execution during regular user operations.

Privilege Escalation:

  • Abuse of Elevation Control Mechanisms (T1548)
    • Exploited software vulnerabilities, notably CVE-2023-23397, enabling unauthorized elevation of privileges to access sensitive resources.

Credential Access:

  • Credential Dumping (T1003)
    • Harvested credentials through techniques such as memory scraping, registry dumps, and exploitation of NTLM hashes.
  • Exploitation of NTLM Vulnerability (CVE-2023-23397)
    • CVE-2023-23397 is a critical “zero touch” elevation of privilege vulnerability in Microsoft Outlook for Windows that allows attackers to exfiltrate a user’s Net-NTLMv2 hash without any user interaction.
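The hash leak described above happens when a mail or calendar item's reminder sound property (PidLidReminderFileParameter) points at a UNC path on a host the attacker controls, so Outlook authenticates outbound on the user's behalf. The triage helper below is an added example, not from the advisory or from Microsoft's own script; the mailbox rows are constructed, and the host allowlist and the field name used for the exported property are assumptions.

```python
import re

# Constructed allowlist of hosts permitted to serve reminder sound files.
INTERNAL_HOSTS = {"fileserver.corp.example"}

# \\host\share..., allowing an @port or @SSL@port WebDAV suffix on the host.
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@[^\\]*)?\\")

def reminder_risk(reminder_file_parameter):
    """Classify one PidLidReminderFileParameter value as 'benign' (empty or a
    local path), 'internal_unc' (allowlisted host) or 'external_unc'."""
    if not reminder_file_parameter:
        return "benign"
    m = UNC_RE.match(reminder_file_parameter)
    if not m:
        return "benign"
    host = m.group(1).lower()
    return "internal_unc" if host in INTERNAL_HOSTS else "external_unc"

def triage(messages):
    """Return the messages whose reminder would make Outlook authenticate to
    a host outside the allowlist; these are the items to pull for analysis."""
    return [msg for msg in messages
            if reminder_risk(msg.get("reminder_file_parameter")) == "external_unc"]

# Constructed mailbox export rows: id, sender, and the reminder property
# (assumed field name; a real export would come from EWS or Graph).
SAMPLE_MESSAGES = [
    {"id": "m1", "sender": "colleague@corp.example",
     "reminder_file_parameter": r"C:\Windows\Media\reminder.wav"},
    {"id": "m2", "sender": "colleague@corp.example",
     "reminder_file_parameter": r"\\fileserver.corp.example\sounds\chime.wav"},
    {"id": "m3", "sender": "accounts@supplier.example",
     "reminder_file_parameter": r"\\203.0.113.45\s\x.wav"},
    {"id": "m4", "sender": "news@list.example",
     "reminder_file_parameter": r"\\203.0.113.45@SSL@443\dav\x.wav"},
    {"id": "m5", "sender": "hr@corp.example", "reminder_file_parameter": None},
]
```

Only the two items pointing at the external address survive triage, including the WebDAV form that a plain "starts with two backslashes and a hostname" check would classify wrongly.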

Lateral Movement:

  • Remote Desktop Protocol (T1021.001)
    • Employed Remote Desktop Protocol to navigate laterally through compromised networks, enhancing the attacker’s reach and access.
  • Use of tools such as Impacket and PsExec
    • Impacket is a Python-based collection of modules that allows attackers to craft and send network protocol packets, making it particularly useful for exploiting protocols like SMB, RDP, and Kerberos. It’s frequently used to perform pass-the-hash, NTLM relay, and DCSync attacks.
    • PsExec, part of Microsoft Sysinternals, enables remote execution of processes and is commonly used by adversaries to run commands or deploy payloads across a network without needing remote desktop access.

Discovery:

  • Active Directory Enumeration (T1087)
    • Mapped organizational structures by enumerating Active Directory objects to identify high-value targets.
  • Network Service Scanning (T1046)
    • Conducted extensive internal scans post-compromise to locate vulnerable or exploitable network services.

Command and Control:

  • Application Layer Protocol (T1071)
    • Used standard protocols such as HTTP(S) and DNS to blend malicious traffic with legitimate communications, complicating detection efforts.
  • Legitimate Web Services (T1102)
    • Leveraged trusted cloud and hosting services to host command and control infrastructure, reducing suspicion and bypassing traditional network defenses.

Exfiltration:

  • Data Exfiltration via Command and Control Channel (T1041)
  • Archive Collected Data (T1560)
    • Compressed and encrypted sensitive data into ZIP files using PowerShell scripts for exfiltration.

Phase                 Technique   Description
Data Prep             T1560.001   ZIP compression via PowerShell
Exfiltration Channel  T1041       Upload via C2 (SSH or API)
Tools                             Impacket, PsExec, Certipy, ADExplorer, SSH
Timing Strategy                   Periodic bursts, geo-proximity, stealth scheduling

IV. Indicators of Compromise (IOCs)

  • IP Addresses observed in brute force activities:
  • Outlook CVE Exploitation IOCs

  • Commonly Used Webmail Providers:
    • portugalmail[.]pt
    • mail-online[.]dk
    • email[.]cz
    • seznam[.]cz
  • Malicious archive filenames:
    • calc.war.zip
    • Zeyilname.zip
    • news_week_6.zip
    • war.zip
    • SEDE-PV-2023-10-09-1_EN.zip
    • Roadmap.zip
  • Malicious scripts/tools observed:
    • HEADLACE (backdoor)
      • A backdoor used to establish persistent access, execute commands remotely, and maintain stealth communication channels with the attackers.
    • MASEPIE (malware)
      • Custom malware designed for executing remote commands, data theft, and maintaining a persistent foothold within compromised networks.
    • STEELHOOK (credential theft)
      • Specialized malware created to extract and exfiltrate sensitive user credentials, aiding further lateral movement and deeper infiltration.

V. Recommendations

  • Patch Known Vulnerabilities:
    • Regularly update all software and firmware.
    • Conduct continuous vulnerability assessments to identify and mitigate security gaps.
  • Enhance Detection and Monitoring:
    • Deploy endpoint detection and response (EDR) systems.
    • Utilize behavioral analysis tools to detect anomalous activities.
  • Strengthen Authentication Practices:
    • Implement multi-factor authentication (MFA).
    • Regularly audit user permissions and account activities.
  • Network Security:
    • Employ network segmentation.
    • Block unauthorized VPN and proxy services.
  • User Awareness:
    • Conduct regular security training focusing on recognizing phishing and social engineering tactics.
  • Incident Response Preparation:
    • Establish and routinely test incident response protocols to quickly contain and remediate intrusions.

VI. Conclusion

Given the strategic nature of this campaign targeting critical logistical infrastructure, Western logistics and technology entities must maintain heightened vigilance. Employing comprehensive security measures and regular training will be crucial in mitigating the ongoing threat posed by the GRU’s advanced cyber espionage operations.

VII. References

MITRE ATT&CK. (n.d.). Command and Scripting Interpreter, Technique T1059 – Enterprise. https://attack.mitre.org/techniques/T1059/

MITRE ATT&CK. (n.d.). Exfiltration Over C2 Channel, Technique T1041 – Enterprise. https://attack.mitre.org/techniques/T1041/

Insikt Group. (2025, April 30). France Ties Russian APT28 to Attacks Targeting French Infrastructure and Institutions. Recorded Future. https://app.recordedfuture.com/portal/research/insikt/doc:5pGMcT?organization=uhash%3A5SiRB4MNDF

Insikt Group. (2024, May 30). GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns. Recorded Future. https://go.recordedfuture.com/hubfs/reports/CTA-RU-2024-0530.pdf

Lesnewich, G., & Giering, C. (2023, December 5). TA422’s dedicated exploitation loop-the same week after week. Proofpoint. https://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-week

Martin, A. (2025, May 21). Western intelligence agencies unite to expose Russian hacking campaign against logistics and Tech firms. Cyber Security News | The Record. https://therecord.media/western-intelligence-alert-russia-hackers-logistics-fancy-bear-apt28

Microsoft Incident Response. (2025, June 18). Guidance for investigating attacks using CVE-2023-23397. Microsoft Security Blog. https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397

Mühr, G., Zaboeva, C., & Fasulo, J. (2025, April 17). ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware. IBM. https://www.ibm.com/think/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware

Ribeiro, A. (2025, May 25). Russian GRU’s unit 26165 conducts two-year cyber espionage on logistics, Tech firms using IP cameras, supply chains. Industrial Cyber. https://industrialcyber.co/cisa/russian-grus-unit-26165-conducts-two-year-cyber-espionage-on-logistics-tech-firms-using-ip-cameras-supply-chains/

U.S. Department of Defense. (2025, May). Russian GRU Targeting Western Logistics Entities and Technology Companies. https://media.defense.gov/2025/May/21/2003719846/-1/-1/0/CSA_RUSSIAN_GRU_TARGET_LOGISTICS.PDF

Cybersecurity and Infrastructure Security Agency (CISA). (2025, May 21). Russian GRU targeting Western logistics entities and technology companies. https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141a

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analyst(s): Kevin Wong, Jason Doan

Published 2025-06-27T09:30:56-04:00

Protecting Against Elder Fraud and Scams: A Cybersecurity Guide

This resource offers practical steps to help protect older adults and those who support them against cyber elder fraud. Older adults are increasingly targeted by cybercriminals who exploit trust, unfamiliarity with technology, and financial vulnerability. From phishing scams to tech support fraud and identity theft, these attacks often result in significant emotional and financial harm.

Read through for information on common elder scams, best practices for keeping personal information protected, and where and how to report a cyber elder fraud.

Guide created by the Cyber Florida Security Operations Center. Contributing Security Analysts: Lara Radovanovic, Zahid Rahman, Waratchaya Luangphairin

Published 2025-06-30T12:19:09-04:00

CIP Flash Bulletin | Heightened Iranian Cyber Threat Activity

This special Critical Infrastructure Protection Flash Bulletin outlines increased cyber threat activity linked to Iran amid rising regional tensions. It highlights Iran’s history of targeting U.S. infrastructure, current threat actors and tactics, key vulnerabilities, and priority mitigation strategies. Critical infrastructure sectors are advised to stay vigilant and implement immediate protections. The bulletin also includes federal resources and recommendations to strengthen preparedness.

Published 2025-06-23T14:22:51-04:00

Student Spotlight: Kailyn Roach


Student: Kailyn Roach

School: Jupiter High School

District: Palm Beach County

Meet Kailyn Roach, a standout cybersecurity student at Jupiter High School in Palm Beach County, Florida. Kailyn has recently accepted a position as a programming intern with Neuro Building Systems.

Over the past three years, she has actively participated in the CSHS cybersecurity program and consistently competed in academic competitions, excelling in science and technology courses. With an impressive 4.96 GPA, Kailyn also shines outside the classroom as a competitive soccer player—earning the President’s Cup three years in a row—and holds multiple certifications in Java, JavaScript, and various engineering disciplines.

Beyond academics and athletics, Kailyn enjoys surfing, skiing, and practicing martial arts. Passionate about entering the field of cybersecurity, she hopes to contribute to advancements in ophthalmology by bridging the gap between medical professionals and the technology that supports them.

Do you teach a great student who should be featured in our Student Spotlight?
Please complete the form below!

Published 2025-06-17T15:54:41-04:00