Welcome to The Cybersecurity 202! I’m a huge “Star Wars” fan, but the first season of “Obi-Wan Kenobi” vacillated so wildly between “awesome” and “this is goofy as heck” that I’m not sad there are signs a second season won’t happen.
Below: New details emerge about the ransomware attack that hit Dish, and an AI-generated image of a Pentagon explosion could have been much worse. First:
A trio of stories sheds light on a trio of spyware companies
Monday was not what you would call a good day for spyware manufacturers.
Three different makers of the invasive tech endured unflattering news:
- German authorities brought charges against four executives of the defunct Munich-based FinFisher GmbH, alleging that they illegally sold its spyware to Turkish secret services without the necessary export approval.
- Code for the spyware of Israeli firm QuaDream leaked online one month after it shut down, providing hints of its capabilities.
- NSO Group, the company behind the Pegasus malware, reportedly opened an investigation into attacks on human rights defenders in Mexico.
Here’s the situation for each of them.
1. FinFisher
Munich prosecutors didn’t name the FinFisher executives, identifying each of them only by a single initial. Prosecutors say the executives violated export licensing requirements by selling their spyware to countries outside the European Union.
FinFisher sought to conceal a $5.4 million transaction in 2015 by routing it through a company in Bulgaria, prosecutors contend, per reporting from Ryan Gallagher of Bloomberg News. In Turkey, FinFisher’s FinSpy spyware targeted activists and political opponents of the ruling party, according to Access Now. The company’s representatives didn’t respond to Bloomberg News’s request for comment.
Organizations that joined to file a criminal complaint against FinFisher welcomed the charges.
The indictment is overdue, but the European Union and its member states have to act more decisively against misuse of surveillance technology, Miriam Saage-Maass, legal director of the European Center for Constitutional and Human Rights, said in a statement. (That group was one of several that sent prosecutors a complaint about FinFisher, leading to the investigation.)
The indictment comes as a set of recommendations from a special committee investigating spyware abuses in the E.U. awaits action from the European Parliament.
The rapporteur for that committee, Sophie in 't Veld, welcomed the news on Twitter:
Important development: German prosecutors launch criminal charges against German #spyware company FinFisher. @EP_PegaInquiry @netzpolitik_org https://t.co/hmxe7Wbseg
— Sophie in 't Veld (@SophieintVeld) May 22, 2023
So did Gönül Tol, director of the Middle East Institute’s Center for Turkish Studies:
Scholars studying autocracy often point out the ways in which Western countries/financial institutions/companies/entities are complicit in helping to create modern-day autocrats. FinFisher is one example. Good to see this decision by German prosecutor to go after the company. https://t.co/ub9VwE1igf
— Gönül Tol (@gonultol) May 22, 2023
The charges in Germany aren’t the only consequence FinFisher has faced over the use of its spyware. The company shut down and filed for insolvency last year.
2. QuaDream
The QuaDream story by Omer Benjakob and Jurre van Bergen, which Israeli news outlet Haaretz published, has a lot of moving pieces.
One key part is the leaked code. It reveals that QuaDream’s Reign spyware gave users “unfettered access” to messages from services like WhatsApp, Telegram and Signal — all services intended to keep communications safe from outsiders. It also reveals that the spyware was already active in 2019, earlier than previously thought.
Here’s TechCrunch reporter Lorenzo Franceschi-Bicchierai being unimpressed by QuaDream over the leak:
Sometimes spyware makers are really dumb.
— Lorenzo FB / @lorenzofb@infosec.exchange (@lorenzofb) May 22, 2023
Someone who used to work for Quadream, an Israeli surveillance tech maker that recently shut down, left the source code of the web panel of the company's REIGN spyware agent on GitHub. https://t.co/1mAROGK98V
A second key part of the story is that QuaDream opted to shut itself down after it was unable to gain authorization from Israeli regulators to sell its spyware to new clients, such as Morocco. The company had used a Cyprus firm to evade Israeli defense export regulators, according to Haaretz. QuaDream is now reportedly looking at selling off assets to other local spyware companies.
The closure came as QuaDream was developing “terrifying” new spyware, the outlet said, citing two sources with knowledge of the firm. QuaDream declined to comment to Haaretz.
Here’s in 't Veld again:
New 💥❗️ report on #spyware by @haaretzcom, highlighting how Israel repealed the #Pegasus export license to Morocco, and how #QuaDream was using 🇨🇾 Cyprus firm #InReach for its sales, thus escaping the Israeli regulatory reach. @EP_PegaInquiry https://t.co/PDGXqMKJBv
— Sophie in 't Veld (@SophieintVeld) May 22, 2023
3. NSO Group
NSO Group is the most infamous spyware maker. That’s thanks to its Pegasus spyware, which is the subject of a New York Times story about its use in Mexico.
Pegasus spyware targeted Alejandro Encinas, Mexico’s undersecretary for human rights, as he was investigating alleged military abuses involving the disappearance of 43 students, Natalie Kitroeff and Ronen Bergman reported.
The duo reported that while it’s not certain that the military spied on Encinas, it’s the only part of the Mexican government that has Pegasus contracts.
“The Israeli manufacturer of Pegasus, NSO Group, opened an investigation into cyberattacks on human rights defenders in Mexico after recent reports by the New York Times about the military’s use of the spyware, according to a person familiar with the NSO compliance investigations,” the Times wrote. “The company also began looking into the attacks on Mr. Encinas and his two colleagues after The Times asked about those hacks, the person said.”
NSO Group told the paper that it investigates credible claims of misuse of its technology and has ended contracts when it finds improper use.
At least one information security expert, Runa Sandvik, offered some skepticism about the timing of NSO Group’s investigation:
NSO Group says it "opened an investigation into cyberattacks on human rights defenders in Mexico after recent reports" by the @nytimes, but worth noting @citizenlab reported on the targeting of Mexican journalists as early as 2016. https://t.co/Ty2l8ItcaO
— Runa Sandvik (@runasand) May 22, 2023
The news comes one week after the attorney general in Mexico announced the prosecution of the head of a former criminal investigative agency and three others for allegedly unlawfully purchasing Pegasus in 2014.
The keys
Ransomware group pilfered nearly 300,000 Dish employee records
Satellite TV giant Dish Network confirmed that nearly 300,000 employee records containing sensitive personal data were stolen by a ransomware group, Carly Page reports for TechCrunch.
- “In a data breach notification filed with Maine’s attorney general last week, Dish said that while customer databases were unaffected by the incident, hackers accessed hundreds of thousands of employee-related records during the cyberattack,” Page writes.
The breach notice comes months after the company confirmed hackers’ presence in its systems. The company at the time did not disclose whether customers or employees were affected. The intrusion was first discovered in February.
The company last month was hit with several lawsuits over the ransomware incident, Ax Sharma reports for Bleeping Computer.
- “Dish, which currently employs around 16,000 people, said that former employees, employees’ family members and a ‘limited number of other individuals’ were affected by the breach,” the TechCrunch report adds.
Dish spokesperson Edward Wietecha declined to comment to TechCrunch or confirm what types of data were obtained in the hack, but the breach notification states that driver’s license numbers and ID numbers were accessed.
Spain advocated for banning end-to-end encryption in E.U. in bid to back contested child sexual abuse law, document shows
Spanish representatives advocated for banning end-to-end encryption in the European Union in a bid to support a contested law that would allow for the scanning of private messages to weed out child sexual abuse material and related illegal content, Lily Hay Newman, Morgan Meaker and Matt Burgess report for WIRED, citing a document the outlet obtained.
“Ideally, in our view, it would be desirable to legislatively prevent EU-based service providers from implementing end-to-end encryption,” representatives for Spain asserted in the document.
“The document, a European Council survey of member countries’ views on encryption regulation, offered officials’ behind-the-scenes opinions on how to craft a highly controversial law to stop the spread of child sexual abuse material (CSAM) in Europe,” the WIRED report says.
Spain’s position on the law emerges “as the most extreme” of the 20 European countries whose views are laid out in the document, the WIRED report said.
- The E.U. law would direct tech companies to scan their platforms — and private messages exchanged on their platforms — to detect CSAM.
- The proposal is drawing pushback from cryptographers, privacy advocates and other critics, who say it could diminish the use of end-to-end encryption.
A similar scenario is playing out in the United States, where cybersecurity advocates fear that legislation aimed at curbing CSAM could prompt tech companies to stop offering end-to-end encryption for users.
Fake AI image of Pentagon explosion got the attention of the stock market, but it could have been much worse
An AI-generated image of an explosion at the Pentagon sent the Dow Jones Industrial Average down 85 points within four minutes before rebounding on Monday. But the consequences could have been much worse, our colleagues Will Oremus, Drew Harwell and Teo Armus report.
The mechanisms involved in feeding the image’s virality, including retweets from Russian propaganda accounts, “suggest the potential for more such mischief if AI tools continue to make inroads in fields such as social media moderation, news writing and stock trading,” Will, Drew and Teo write.
- “And Twitter is looking like an increasingly likely vector, as new owner Elon Musk has gutted its human workforce, laid off a team that used to fact-check viral trends, and changed account verification from a manual authentication process to one that’s largely automated and pay-for-play,” they add.
- Finance-related accounts that aggregate and post stock market news also drove the image’s spread. Those included a 386,000-follower account named “Breaking Market News” and another account called “Bloomberg Feed” unrelated to the real Bloomberg, according to the report.
Although social media users and news reporters largely know how and when to view content with skepticism, the rapid circulation of such “news” makes it difficult to contain, especially under Twitter’s new blue check mark policy.
“These circulate rapidly, and the ability to do that fact-check or debunk or verification at an institutional level moves slower and doesn’t reach the same people,” said Sam Gregory, executive director of the human rights organization Witness.
Daybook
- The Atlantic Council holds an event on cybersecurity and the Abraham Accords today at 9 a.m.
- CISA’s Bob Costello speaks at the UiPath TOGETHER event beginning at 9 a.m.
- The House Veterans' Affairs Committee holds a hearing on IT contracting tomorrow at 8 a.m.
- The House Administration Committee holds a hearing on American confidence in elections tomorrow at 2:30 p.m.
- The Institute of World Politics holds a critical infrastructure seminar tomorrow at 6 p.m.
Secure log off
Here’s how I used AI to clone a 60 Minutes correspondent’s voice to trick a colleague into handing over her passport number. I cloned Sharyn’s voice then manipulated the caller ID to show Sharyn’s name with a spoofing tool.
The hack took 5 minutes total for me to steal the info. https://t.co/bYUooZWOiH
— Rachel Tobac (@RachelTobac) May 21, 2023
Thanks for reading. See you tomorrow.