Axios Codebook

September 30, 2022
😎 TGIF, everyone. Welcome back to Codebook.
- The leaves are falling, the pumpkin spice lattes are being prepared and the air is cooler (at least in Washington). We must be nearing ... the start of Cybersecurity Awareness Month!
- Have thoughts on how effective — or ineffective — this initiative is? I want to hear them: [email protected].
Today's newsletter is 1,408 words, a 5.5-minute read.
1 big thing: Cyber diplomacy takes center stage
Illustration: Sarah Grillo/Axios
The U.S.'s once sleepy cyber diplomacy efforts are getting a jumpstart as a new State Department office gets its leadership.
Driving the news: The country's first cyber ambassador, Nathaniel Fick, started on the job last week after the Senate approved his nomination on Sept. 15.
- Fick, a former tech executive and entrepreneur, is leading the Bureau of Cyberspace and Digital Policy, which opened in April, as its ambassador at large.
- He made his international debut on the job as part of the U.S. delegation at this week's International Telecommunication Union's conference in Bucharest, Romania.
How it works: The Bureau of Cyberspace and Digital Policy is designed to focus on international cyber conflicts and negotiations, as well as promoting internet freedom and open communications.
- Helping allies build out their cyber capabilities, responding to internet blackouts and weighing in on international 5G deployment standards are each part of the bureau's portfolio.
Why it matters: Countries are increasingly turning to cyberspace to conduct intelligence operations, hack one another's infrastructure and gain control over how information is spread. This creates a growing need for countries to negotiate what activity is and isn't allowed.
- Without established cyber norms, countries like the U.S. are finding themselves making up the rules for acceptable behavior in cyberspace piece by piece.
- When the U.S. attributed cyberattacks on the Albanian government to Iran, Anne Neuberger, deputy national security adviser for cyber and emerging tech, told Axios the move could help the international community set a precedent for unacceptable state behavior in the absence of norms.
The big picture: Ever since the Trump administration dismantled the Office of the Coordinator for Cyber Issues in 2017, the U.S. has faced scrutiny for lacking a high-profile position dedicated solely to cyber diplomacy.
- In the meantime, other countries have been leading the charge in establishing tech- and cyber-focused ambassador positions. Denmark even created an ambassador to Silicon Valley.
- The new State Department bureau builds on the former unit's portfolio, which focused solely on cybersecurity, to include a focus on digital freedom as well as international information and communications policy issues.
What they're saying: "Bringing these three teams together in a single bureau allows us to strongly position the United States on important issues that cut across the foreign policy landscape," a State Department spokesperson tells Axios.
The intrigue: Fick and his office now face the daunting task of proving to international allies — and the cybersecurity and digital rights community — that the U.S. is in these talks for the long haul.
- Right now, there's nothing stopping a new administration from coming in and dismantling this office.
- The House has passed the Cyber Diplomacy Act, which would codify the office's existence, but it's still awaiting a vote in the Senate Foreign Relations Committee.
What's next: Sen. Angus King (I-Maine), one of the lawmakers who first recommended the new office's creation, tells Axios he wants to see the office working toward leading efforts to establish a Geneva Convention for cyber. Such an agreement would lay out acceptable norms for cyber warfare.
- Experts tell Axios they’re eager to see how Fick builds out his positions on internet freedom after he co-led a think tank report earlier this year boldly claiming that “the era of the global internet is over.”
2. U.S. cyber firm starts Ukraine hiring spree
Photo: Rafael Henrique/SOPA Images/LightRocket via Getty Images
Boston-based cybersecurity firm Recorded Future is planning to hire up to 100 employees in Ukraine before 2025, more than doubling its presence in the country.
Why it matters: Ukraine's success fighting off Russian cyber aggression during the war so far is due, in part, to the existing IT talent in the country, as well as Ukraine's partnerships with Western allies.
- Recorded Future CEO Christopher Ahlberg tells Axios he's more than doubling the size of his existing Ukraine staff because "we just love the quality of the work" coming from the team.
Details: Ahlberg says the hiring spree, which kicked off earlier this month, is moving quickly, although for security reasons, he declined to say how many people he's hired already.
- Recorded Future is mostly hiring software developers and engineers in Ukraine, as well as threat intelligence analysts who will monitor dark web forums for signs of attacks and share that intel with the company's customers.
- Recorded Future's clients in Ukraine are all government agencies and a handful of critical infrastructure firms, Ahlberg says.
- Before the hiring spree, Recorded Future had fewer than 100 employees in Ukraine.
The intrigue: Ukraine's Ministry of Digitalization and the National Security and Defense Council officially endorsed Recorded Future's expansion, per a press release Thursday.
- Ahlberg says the endorsement helps give his company's hiring plans more legitimacy in the region.
What they're saying: "Building a strong Ukrainian software/IT industry with global impact will be instrumental in the rebuilding of Ukraine," said Yegor Dubynskyi, deputy minister of digital transformation of Ukraine, in a statement.
The big picture: Many cybersecurity firms have opted to either open offices in other Eastern European countries, like Poland, or move their teams out of Ukraine during the war.
- Google has an office in neighboring Poland, and Ukrainian startup Hacken moved its main offices from Kyiv to Lisbon, per the Wall Street Journal.
3. Mandiant uncovers sophisticated spy campaign
Illustration: Shoshana Gordon/Axios
Government officials are warning defense companies and other organizations handling sensitive information about a potential new espionage campaign uncovered by cybersecurity firm Mandiant on Thursday.
Driving the news: A sophisticated, previously unknown hacking group has built new malware that installs backdoors on VMware's virtualization software, letting the group move in and out of a compromised system, according to a two-part Mandiant report.
Details: Hackers targeted the so-called "hypervisors," which let one physical computer create and manage several virtual machines on VMware's virtualization software. Typically, endpoint security tools can't reach those hypervisors, making the malicious code difficult to detect.
- Researchers discovered the backdoors earlier this year on fewer than 10 victims' networks in North America and Asia.
- Once installed, hackers can watch and run commands on any computer managed by the VMware tool.
- Mandiant researchers haven't fully identified the hackers behind the campaign, but they have low confidence that they're connected to China.
The intrigue: Targeting hypervisors brings a long-held fear in the cybersecurity community to life, as Wired reports, since it allows hackers to take control of several machines just by hijacking one physical computer.
- Before this week's findings, "hyperjacking" attacks, or those targeting hypervisors, only existed hypothetically in research papers.
The big picture: More than 400,000 customers use VMware's tech and services, per one company estimate, "including 100% of Fortune 500 and 100% of Fortune Global 100 companies."
What's next: VMware released tips Thursday for customers to help detect and mitigate the risks associated with the new malware strains.
- Rob Joyce, director of cybersecurity at the National Security Agency, tweeted that the new report is "one to watch for the defense industrial base and others with sensitive information targeted by nation states."
- The Cybersecurity and Infrastructure Security Agency encouraged all organizations to apply the mitigations and guidelines.
4. Catch up quick
@ D.C.
☎️ The CIA's failure to properly secure its messaging systems helped Tehran arrest and detain several Iranian informants, according to a news investigation. (Reuters)
🏛 The Treasury Department is seeking comments on a possible federal cyber insurance program that would cover "catastrophic" cyberattacks. (Federal Register)
🚔 A former NSA employee has been arrested for attempting to sell classified documents, including one detailing updates to an agency's encryption program, to a foreign agent. (Associated Press)
@ Industry
🪙 Poorly written code has left dozens of decentralized finance startups susceptible to hacks and scrambling to recover. (New York Times)
✏️ Reproductive rights advocates are struggling to fight the pervasiveness of the data broker industry as they try to wipe their personal information from the internet. (CyberScoop)
@ Hackers and hacks
👾 Microsoft confirmed hackers are targeting two high-risk security vulnerabilities in Exchange Server that don't have a patch yet. (Microsoft)
🇰🇵 Microsoft also uncovered North Korean state hackers sending malware-laced open-source programs to victims in a new campaign. (Ars Technica)
🗝 The alleged hacker behind an attack on media site Fast Company earlier this week said they gained access by accurately guessing admins' WordPress passwords. (BleepingComputer)
5. 1 fun thing
I really enjoyed this excerpt from ProPublica reporters Renee Dudley and Daniel Golden’s forthcoming book, “The Ransomware Hunting Team: A Band of Misfits’ Improbable Crusade to Save the World From Cybercrime.”
- One fun part: The editor of security news site BleepingComputer was able to get a few gangs to pledge to not attack hospitals at the height of the COVID-19 pandemic — with some success.
☀️ See y'all on Tuesday!
Thanks to Peter Allen Clark for editing and Khalid Adad for copy editing this newsletter.
Decode key cybersecurity news and insights. With Sam Sabin.