This year’s Intelligence Authorization Act would mandate penetration testing for federally certified voting machines and allow independent researchers to work on exposing vulnerabilities.

Congress is moving closer to putting US election technology under a stricter cybersecurity microscope.

Embedded inside this year’s Intelligence Authorization Act, which funds intelligence agencies like the CIA, is the Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing (SECURE IT) Act, which would require penetration testing of federally certified voting machines and ballot scanners, and create a pilot program exploring the feasibility of letting independent researchers probe all manner of election systems for flaws.

The SECURE IT Act—originally introduced by US senators Mark Warner, a Virginia Democrat, and Susan Collins, a Maine Republican—could significantly improve the security of key election technology in an era when foreign adversaries remain intent on undermining US democracy.

“This legislation will empower our researchers to think the way our adversaries do, and expose hidden vulnerabilities by attempting to penetrate our systems with the same tools and methods used by bad actors,” says Warner, who chairs the Senate Intelligence Committee.

The new push for these programs highlights the fact that even as election security concerns have shifted to more visceral dangers such as death threats against county clerks, polling-place violence, and AI-fueled disinformation, lawmakers remain worried about the possibility of hackers infiltrating voting systems, which are considered critical infrastructure but are lightly regulated compared to other vital industries.

Russia’s interference in the 2016 election shined a spotlight on threats to voting machines, and despite major improvements, even modern machines can be flawed. Experts have consistently pushed for tighter federal standards and more independent security audits. The new bill attempts to address those concerns in two ways.

The first provision would codify the US Election Assistance Commission’s recent addition of penetration testing to its certification process. (The EAC recently overhauled its certification standards, which cover voting machines and ballot scanners and which many states require their vendors to meet.)

While previous testing simply verified whether machines contained particular defensive measures—such as antivirus software and data encryption—penetration testing will simulate real-world attacks meant to find and exploit the machines’ weaknesses, potentially yielding new information about serious software flaws.

“People have been calling for mandatory \[penetration\] testing for years for election equipment,” says Edgardo Cortés, a former Virginia elections commissioner and an adviser to the election security team at New York University’s Brennan Center for Justice.

The bill’s second provision would require the EAC to experiment with a vulnerability disclosure program for election technology—including systems that are not subject to federal testing, such as voter registration databases and election results websites.

Vulnerability disclosure programs are essentially treasure hunts for civic-minded cyber experts. Vetted participants, operating under clear rules about which of the organizer’s computer systems are fair game, attempt to hack those systems by finding flaws in how they are designed or configured. They then report any flaws they discover to the organizer, sometimes for a reward.

By allowing a diverse group of experts to hunt for bugs in a wide range of election systems, the Warner–Collins bill could dramatically expand scrutiny of the machinery of US democracy.

The pilot program would be a high-profile test of the relationship between election vendors and researchers, who have spent decades clashing over how to examine and disclose flaws in voting systems. The bill attempts to assuage vendors’ concerns by requiring the EAC to vet prospective testers and by prohibiting testers from publicly disclosing any vulnerabilities they find for 180 days. (They would also have to immediately report vulnerabilities to the EAC and the Department of Homeland Security.)

Still, one provision could spark concern. The bill would require manufacturers to patch or otherwise mitigate serious reported vulnerabilities within 180 days of confirming them. The EAC—which must review all changes to certified voting software—would have 90 days to approve fixes; any fix not approved within that timetable would be “deemed to be certified,” though the commission could review it later.

A vendor might not be able to fix a problem, get that fix approved, and get all of its customers to deploy that fix before the nondisclosure period expires.

“Updates to equipment in the field can take many weeks, and modifying equipment close to an election date is a risky operation,” says Ben Adida, the executive director of the vendor VotingWorks.

Some vendors might also chafe at the bill’s legal protections for researchers. The legislation includes a “safe harbor” clause that exempts testing activities from the prohibitions of the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act, and bars vendors from suing researchers under those laws for accidental violations of the program’s terms.

There is also a funding question. The SECURE IT Act doesn’t authorize any new money for the EAC to run these programs.

“I hope Congress accounts for the necessary funding needed to support the increased responsibilities the EAC will take on,” says EAC chair Ben Hovland. “Investments in programs like this are critical to maintaining and strengthening the security of our elections.”

Meanwhile, the bill’s prospects are unclear. Even if it passes the Senate, there is no sign of similar momentum in the House.

A Senate Bill Would Radically Improve Voting Machine Security

Long-distance cables were severed across France in a move that disrupted internet connectivity.

Long-distance internet cables in France have been cut in an act of sabotage, causing disruption to internet services across the country. This is the second disruption during the Olympic Games in Paris, after high-speed train lines were targeted in a series of arson attacks hours before the Games kicked off.

Marina Ferrari, France’s junior minister for digital affairs, said on X that in the early hours of Monday morning, multiple locations around France were affected by several “damages” that impacted telecommunications providers and have resulted in “localized consequences” to fiber optic services as well mobile internet connectivity. Internet companies confirmed the damage.

The French Ministry of the Interior, which oversees policing agencies in the country, did not immediately respond to a request for comment. French cybersecurity agency ANSSI told WIRED the problems are not linked to a cybersecurity incident.

At the time of writing, nobody has claimed responsibility for either attack. Officials have yet to identify any suspects involved in the cable-cutting sabotage, but they believe the disruption to train services could have been committed by people with “ultra-left” political leanings.

The incidents around the Olympics come at a time when Russia has been blamed for a string of disinformation targeting France and has also been linked to a series of potential sabotage attacks in Europe.

The second largest French telecoms company, SFR, appeared to be one of the most impacted by the vandalism. “Our long-distance fiber network was sabotaged between 1 am and 3 am last night in five different locations,” a spokesperson from SFR told WIRED. SFR says its maintenance teams are working on repairing the damage and said the impact on its customers was “limited.”

“Also, between three and eight other operators are impacted since they use our long-distance network,” the spokesperson said.

Nicolas Guillaume, the CEO of telecom firm Nasca Group, which owns the ISP company Netalis, told WIRED he believed the damage was “deliberate” and that ISPs serving both customers and businesses have been impacted. Several of the damaged cables, according to images shared on X by the CEO, appear to have clean cuts across them. Guillaume says it is likely that people opened the ducts where cables are stored and cut them. Internet company Free 1337 also confirmed it was working on fixing the damage.

While billions of people around the world use wireless connections, the underlying internet backbone is made up of cables traversing across countries and under seas. This infrastructure, which is able to automatically reroute traffic to limit outages, can be fragile and vulnerable to attack or disruption. EU politicians have called for internet infrastructure security to be improved.

But the sabotage is not the first time that internet cables in France have been damaged in potentially deliberate acts. At the end of April 2022, crucial long-distance internet cables around Paris were deliberately cut and damaged—causing outages that impacted around 10 internet and infrastructure companies.

In that instance, according to photographs published by telecoms companies, the cables appeared to have been surgically cut, all at around the same time, in three locations, to the north, south, and east of Paris. Thousands of people around Paris—and also some farther away from the French capital—were plunged into a temporary internet blackout as network operators rerouted traffic. “It is the work of professionals,” Guillaume said at the time.

Arthur PB Laudrain, a postdoctoral research associate in cyber diplomacy at King’s College London, says the most recent incident seems “less serious” than the 2022 outages. “Such actions are within the capabilities of ultra-left or ecologist and anarchist groups, especially if they benefited from insider assistance or knowledge (current or former rail or network workers),” Laudrain says. “However, we cannot rule out the fact that a state actor is encouraging, supporting, or directing such domestic groups to create plausible deniability of their involvement.”

Saboteurs Cut Internet Cables in Latest Disruption During Paris Olympics

Infostealer malware is swiping millions of passwords, cookies, and search histories. It’s a gold mine for hackers—and a disaster for anyone who becomes a target.

For the past two months, cybercriminals have advertised for sale hundreds of millions of customer records from major companies like Ticketmaster, Santander Bank, and AT&T. And while massive data breaches have been a fact of life for more than a decade now, these recent examples are significant, because they are all connected. Each victim company was a customer of the cloud data storage firm Snowflake and was compromised not through a sophisticated hack, but because attackers had login credentials for each victim company’s Snowflake accounts—a data-stealing spree that impacted at least 165 Snowflake customers.

Attackers didn’t grab this trove of logins by directly breaching Snowflake or through a targeted supply chain attack. Instead, they found the credentials in a hodgepodge of stolen data grabbed haphazardly by “infostealer” malware.

After years of operation, infostealers are having a moment. The malware, which often finds its way onto people’s machines through downloads of pirated software, can steal usernames and passwords, cookies, search history, financial information, and more from web browsers. This data collected by infostealers is increasingly being used by all kinds of hackers to compromise companies—and cybersecurity experts warn of more high-profile data breaches to come.

“We’ve seen nation-states leverage infostealers, we’ve seen criminals leverage infostealers, and we’ve seen teenage hacking crews leverage infostealers,” says Charles Carmakal, chief technology officer of Google-owned cybersecurity firm Mandiant. Russia’s APT29 hackers and cybercriminal gangs such as Lapsus$ and Scattered Spider are among the many hackers using infostealers. Just days after the global CrowdStrike outage, hackers created a new infostealer in an attempt to capitalize on the chaos.

Infostealers are defined less by their technical capabilities and more by their role in the malicious hacker ecosystem. Of course, to minimally qualify, they must be designed to steal information. But what separates infostealers from spyware or other malware used in espionage or targeted data breaches is that infostealers are spread opportunistically and indiscriminately. They grab data from the browsers of whatever computers they end up infecting. Then the attackers who run them compile and organize this chaotic and largely random assemblage of data—often on a marketplace or in a public forum like a Telegram channel. It is only then that infostealer operators or their customers comb their haul for valuable credentials and access tokens amidst the massive amount of junk. Ian Gray, director of analysis and research at the security firm Flashpoint, says there are likely hundreds of variants of infostealers in circulation.

There are some account access tokens that would have obvious value for many types of cybercriminals. If a data dump included working login credentials for a corporate employee’s enterprise accounts, a ransomware gang, business email compromise scammer, or state-backed actor could use the access as a jumping off point to launch their attacks. But in addition to selling these prized details, infostealer operators maximize the value of the data they collect simply by making their stolen data available. Platforms like Genesis Market, which was taken down by law enforcement last year, and Russian Market, organize infostealer logs and even make them somewhat searchable so hackers who are looking to target more niche organizations or those who don’t have financial motivations can potentially find exactly what they need.

These platforms take cues in how they are designed and marketed from legitimate information and ecommerce services. Many markets and forums charge a subscription fee to access the platform and then have different pricing structures for data depending on how valuable it might be. Currently, Gray says, Russian Market has so much stolen data available from infostealers that it has been charging a low flat rate, typically no more than $10, for any subset of data users want to download.

“Organizations have become very good with their security, and people have also gotten more savvy, so they're not the best targets now,” for traditional tailored attacks, Gray says. “So attackers need something that’s less targeted and more based on what they can make use of. Infostealers are modular and often sold on a subscription basis, and that evolution probably aligns with the rise of modern subscription services like video streaming.”

Infostealers have been especially effective with the rise of remote work and hybrid work, as companies adapt to allowing employees to access work services from personal devices and personal accounts from work devices. This creates opportunities for infostealers to randomly compromise individuals on, say, their home computers but still end up with corporate access credentials because the person was logged into some of their work systems as well. It also makes it easier for infostealing malware to get around corporate protections, even on enterprise devices, if employees are able to have their personal email or social media accounts open.

“I started paying attention to this once it became an enterprise problem,” Mandiant’s Carmakal says. “And particularly around 2020, because I started seeing more intrusions of enterprises first starting from compromises of home computers—through phishing of people's Yahoo accounts, Gmail accounts, and Hotmail accounts that were totally unrelated to any enterprise targeting, but to me look very opportunistic.”

Victoria Kivilevich, director of threat research at security firm KELA, says that in some instances criminals can use cybercrime markets to search for the domain of potential targets and see if any credentials are available. Kivilevich says the sale of infostealer data can be considered as the “supply chain” for various types of cyberattacks, including ransomware operators looking for the details of potential victims, those involved in business email compromise, and even initial access brokers who can sell the details along again to other cybercriminals.

On various cybercrime marketplaces and Telegram, Kivilevich says, there have been more than 7,000 compromised credentials linked to Snowflake accounts being shared. In one instance, a criminal has been touting access to 41 companies from the education sector; another cybercriminal claims to be selling access to US companies with revenues between $50 million and $8 billion, according to Kivilevich’s analysis.

“I don’t think there was one company that came to us and had zero accounts compromised by infostealer malware,” Kivilevich says of the threat that infostealer logs provide to businesses, with KELA saying infostealer-related activity jumped in 2023. Irina Nesterovsky, KELA's chief research officer, says millions of credentials have been collected by infostealing malware in recent years. “This is a real threat,” Nesterovsky says.

Carmakal says there are multiple steps companies and individuals can take to protect themselves from the threat of infostealers and their aftereffects, including using antivirus or EDR products to detect malicious activity. Companies should be strict on enforcing multifactor authentication across their users, he says. “We try to encourage people to not synchronize passwords on their corporate devices with their personal devices,” Carmakal adds.

The use of infostealers has been working so well that it is all but inevitable that cybercriminals will look to replicate the success of compromise sprees like Snowflake and get creative about other enterprise software services that they can use as entry points for access to an array of different customer companies. Carmakal warns that he expects to see this result in more breaches in the coming months. “There’s no ambiguity about this,” he says. “Threat actors will start hunting for infostealer logs, and looking for other SaaS providers, similar to Snowflake, where they log in and steal data, and then extort those companies.”

How Infostealers Pillaged the World’s Passwords

Plus: More Pegasus spyware controversy, a major BIOS controversy, and more of the week’s top security news.

The fallout from CrowdStrike’s deleterious software update came into full view this week as system administrators and IT staffers scrambled to get digital systems back online and return operations to normal. Elsewhere, the Olympics began this week, and Paris is ready with a controversial new surveillance system that hints at a future of ubiquitous CCTV camera coverage. And researchers revealed new findings this week about the innovative malware Russia used in January to sabotage a heating utility in Lviv and cut heat to 600 Ukrainian buildings at the coldest point in the year.

The US Department of Defense has a $141 billion idea to modernize US intercontinental ballistic missiles and their silos around the country. Meanwhile, the European Commission is allocating €7.3 billion for defense research—from drones and tanks to battleships and space intelligence—over the next seven years. And hackers have established a “ghost” network to quietly spread malware on the Microsoft-owned developer platform GitHub.

In more encouraging news, a former Google engineer has built a prototype search engine, dubbed webXray, meant to allow users to find specific privacy violations online, determine which sites are tracking you, and see where all that data goes.

And there’s more. Each week, we round up the security news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

**Israel Reportedly Worked to Keep Info on Pegasus Spyware Out of US Courts**

Leaked files obtained by The Guardian reveal that the Israeli government took extraordinary measures to prevent information about the Pegasus spyware system from falling into the hands of US courts, including seizing files directly from the company to prevent legal disclosure. The spyware is the product of the Israel-based NSO Group. It allows users to infect smartphones, extract messages and photos, record calls, and secretly activate microphones. NSO Group faces legal action in the US brought by WhatsApp, which claims the company engineered Pegasus to target users of its messaging software. According to WhatsApp, more than 1,400 of its users were targeted. NSO, whose software has been allegedly tied to the harassment and murder of journalist Jamal Khashoggi, has denied any wrongdoing.

**Massive Screwup Leaves BIOS on 200+ Computer Models Vulnerable**

In an effort to thwart BIOS-based threats, prompted in part by the rollout of a powerful rootkit designed by a Chinese researcher in 2007, Secure Boot became a widely adopted tool. Unfortunately, researchers at the security firm Binarly have revealed that Secure Boot is now “completely compromised” on more than 200 device models, affecting major hardware manufacturers like Dell, Acer, and Intel. The incident was the result of a weak cryptographic key used to establish trust between hardware and firmware systems. AMI, the key's owner, says it was meant to be used for testing and should never have made its way into production.

**Musk’s AI system, Grok, Is Now Feeding on All Your Tweets**

Following in Meta's footsteps, Elon Musk's X quietly adjusted its settings this week to give the company's AI system—known as Grok—access to all of its users' posts. There is a way to prevent Grok from ingesting your posts; however, you cannot perform this action from the mobile app. You'll need to access X's **Settings** using a desktop computer; select **Privacy and Safety**, then select **Grok**, and then uncheck the box. Or just head straight here to go directly to the right settings page. (You can also delete your conversation history with Grok, if you have one, by clicking **Delete conversation history**.)

Stop X’s Grok AI From Training on Your Tweets

KnowBe4 detailed the incident in a recent blog post as a warning for other potential targets.

KnowBe4, a US-based security vendor, revealed that it unwittingly hired a North Korean hacker who attempted to load malware into the company's network. KnowBe4 CEO and founder Stu Sjouwerman described the incident in a blog post this week, calling it a cautionary tale that was fortunately detected before causing any major problems.

"First of all: No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems," Sjouwerman wrote. “This is not a data breach notification, there was none. See it as an organizational learning moment I am sharing with you. If it can happen to us, it can happen to almost anyone. Don't let it happen to you.”

KnowBe4 said it was looking for a software engineer for its internal IT AI team. The firm hired a person who, it turns out, was from North Korea and was "using a valid but stolen US-based identity" and a photo that was "enhanced" by artificial intelligence. There is now an active FBI investigation amid suspicion that the worker is what KnowBe4's blog post called "an Insider Threat/Nation State Actor."

KnowBe4 operates in 11 countries and is headquartered in Florida. It provides security awareness training, including phishing security tests, to corporate customers. If you occasionally receive a fake phishing email from your employer, you might be working for a company that uses the KnowBe4 service to test its employees' ability to spot scams.

**Person Passed Background Check and Video Interviews**

KnowBe4 hired the North Korean hacker through its usual process. "We posted the job, received résumés, conducted interviews, performed background checks, verified references, and hired the person. We sent them their Mac workstation, and the moment it was received, it immediately started to load malware," the company said.

Even though the photo provided to HR was fake, the person who was interviewed for the job apparently looked enough like it to pass. KnowBe4's HR team "conducted four video conference based interviews on separate occasions, confirming the individual matched the photo provided on their application," the post said. "Additionally, a background check and all other standard pre-hiring checks were performed and came back clear due to the stolen identity being used. This was a real person using a valid but stolen US-based identity. The picture was AI 'enhanced.'"

The two images at the top of this story are a stock photo and what KnowBe4 says is the AI fake based on the stock photo. The stock photo is on the left, and the AI fake is on the right.

The employee, referred to as "XXXX" in the blog post, was hired as a principal software engineer. The new hire's suspicious activities were flagged by security software, leading KnowBe4's Security Operations Center (SOC) to investigate:

> On July 15, 2024, a series of suspicious activities were detected on the user beginning at 9:55 pm EST. When these alerts came in KnowBe4's SOC team reached out to the user to inquire about the anomalous activity and possible cause. XXXX responded to SOC that he was following steps on his router guide to troubleshoot a speed issue and that it may have caused a compromise.
> 
> The attacker performed various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software. He used a Raspberry Pi to download the malware. SOC attempted to get more details from XXXX including getting him on a call. XXXX stated he was unavailable for a call and later became unresponsive. At around 10:20 pm EST SOC contained XXXX's device.

**“Fake IT Worker From North Korea”**

The SOC analysis indicated that the loading of malware "may have been intentional by the user," and the group "suspected he may be an Insider Threat/Nation State Actor," the blog post said.

"We shared the collected data with our friends at Mandiant, a leading global cybersecurity expert, and the FBI, to corroborate our initial findings. It turns out this was a fake IT worker from North Korea," Sjouwerman wrote.

KnowBe4 said it can't provide much detail because of the active FBI investigation. But the person hired for the job may have logged into the company computer remotely from North Korea, Sjouwerman explained:

> How this works is that the fake worker asks to get their workstation sent to an address that is basically an "IT mule laptop farm." They then VPN in from where they really physically are (North Korea or over the border in China) and work the night shift so that they seem to be working in US daytime. The scam is that they are actually doing the work, getting paid well, and give a large amount to North Korea to fund their illegal programs. I don't have to tell you about the severe risk of this. It's good we have new employees in a highly restricted area when they start, and have no access to production systems. Our controls caught it, but that was sure a learning moment that I am happy to share with everyone.

_This story originally appeared on_ _Ars Technica._

A North Korean Hacker Tricked a US Security Vendor Into Hiring Him—and Immediately Tried to Hack Them

The European Commission is allocating €7.3 billion for defense research over the next seven years. From drones and tanks of the future to battleships and space intelligence, here's what it funds.

From €142 million to €1 billion ($1.1 billion) a year. The European Commission is pressing the accelerator on investment in weapons and defense technologies. From a total €590 million invested between 2017 and 2020, Brussels has moved to a €7.3 billion ($7.9 billion) package for the 2021 to 2027 period. This year alone, the European Defense Fund (EDF) has put €1.1 billion on the plate, divided into 34 calls for as many military-related research topics. From developing new drone models to sensors to increase radar capabilities. From systems to counter hypersonic missile attacks to enhancements in the analysis of images collected by satellites. From “smart weapons” to advanced communication technologies. The bidding process opened in late June, and there is time until November 5 to share a slice of the pie—and then a year to deliver the project.

The project for a common defense has distant origins and was formalized in 2015, but it was Russia's invasion of Ukraine that accelerated the European Commission's march to spend on arms, ammunition, and military technology. One only has to scroll through the list of projects vying for 2024 funding to get an idea of what Brussels is looking for. On the plate is €100 million to develop a new long-range, medium-altitude drone equipped with advanced intelligence, surveillance, target acquisition, and recognition systems (or Istar) and piloted remotely. On a similar project, the European Union has already invested, allocating €98 million of the total €290 million needed to develop a similar aircraft, dubbed Eurodrone, to a consortium consisting of France's Airbus and Dassault Aviation plus Italy's Leonardo. Another €11 million from the EDF goes to the prototype of a small, autonomously guided aerial drone.

**Telecommunications and AI**

Much of the resources go to strengthening communication and data exchange channels—in order to prevent, for example, someone from taking over the controls of the remotely piloted drone. The EDF allocates €25 million to a 5G network intended for the military sphere, the same amount to prototypes for satellite communications, and €24 million to develop dedicated systems for undersea drones. Information needed to feed algorithms and automatic analysis tools will have to be transferred through these secure channels. One grant awards €45 million for an AI software prototype that would make automated means and operations centers operated by live personnel talk to each other.

According to an article by Anthony King, professor at the University of Exeter, published in the Journal of Global Security Studies, so far in the military, “AI has not been used primarily to produce robotic or autonomous weapon systems. Over the past two decades, the military has sought to leverage big data to generate a richer and deeper understanding of the battlefield by tracking the footprints left in cyberspace by their adversaries. Because there is such a vast amount of digital data in cyberspace, the armed forces have begun to leverage the potential of AI, algorithms, and machine learning to identify patterns and signatures, thereby improving their awareness and so that crucial pieces of information are not missed.”

It's a pattern also pursued by European investments. Already last year, the EDF supported with €4 million a communication model to command swarms of autonomous vehicles, and as much went to strengthening undersea cables, the backbone of the internet and a military target. To make sure the data collected from space “speaks,” and provides a real-time and accurate representation of potential risks, there is a €157 million project, run by Leonardo, Airbus, and ArianeGroup (an aerospace company), to integrate information on a single platform, following in the footsteps of two previous projects. But if we add up all the intelligence programs through sensors, satellites, and other digital sources, the 2023 plan alone has deployed another €70 million on the subject. With another €6 million, the EU also tries to guard against communications blackouts, supporting an Estonian-driven plan for drone navigation technology that works even without satellite signals, relying on real-time analysis of what the machine sees.

**New Weapons**

The European Defense Fund, however, is also hunting for prototypes of new weapons. There is €25 million for the next generation of armored vehicles, €30 million for the creation of smart and increasingly accurate weapons, and €20 million earmarked for identifying at least four potential solutions for navigating a drone in “non-permissive” environments, which, translated from diplomatic jargon, means areas of war or those characterized by great instability.

Another €50 million concerns the creation of a new ground drone, equipped with “lethal functions.” What kind? This is best explained in an annex to the Commission's green light for EDF 2024. It says the program is to study a “fully autonomous process of targeting against different targets and solutions for mobility and engagement,” but also to produce an analysis of the “ethical and legal aspects of integrating autonomous combat drones into European armed forces.” With a clarification: “If necessary, research should be included to support recommendations and decisions” on these aspects. As in: Give us material to plead the case.

In the case of smart weapons, on the other hand, the EU calls for greater accuracy of missiles and rockets, but also refers to “loitering munitions,” i.e., suicide drones, which circle a defined area until they locate the target and hit it, bringing it down—a controversial military technology. The EU is also interested in copying the Iron Dome model, Israel's missile shield.

**Tanks and Corvettes of the Future**

Shortly before opening the new calls for proposals, the Commission also announced the 54 winning projects for the 2023 program. These include Marte, or the Main ARmored Tank of Europe, a program to develop new technologies to be integrated on a tank. Sharing the €20 million in funding is a string of some 40 companies, including the two defense champions from Italy and Germany, Leonardo and Rheinmetall, respectively. Just as much has been received by a similar project, again to upgrade the tank's architecture, which France's Thales is leading instead. From Brussels, €154 million will help fund the approximately €288 million needed to develop the new EU patrol corvette (Epc2), with Italy's Fincantieri among the project leaders. Another €25 million is earmarked for the construction of a prototype self-driving boat, 12 meters long, that rides on hydrofoils (i.e., with the hull out of the water).

Leonardo is spearheading a project to develop counter-aircraft systems for military drones, exploiting sensors, disturbances in telecommunications networks, and other technologies. France's Cilas, on the other hand, is spearheading a program to develop Europe's first laser weapon, backed by €25 million. A prototype electro-magnetic-propelled missile launcher has grossed €4 million, €26 million for an artificial intelligence agent called to autonomously manage protection and counterattack in response to cyber aggression, €80 million for a study on defense from hypersonic weapons. Another €27 million will support the creation of a new missile system with a range of 150 kilometers, €40 million is going to a military cargo ship, and €44 million is allocated for offensive technologies on undersea drones.

**Funds and Alliances**

But the channels for fueling Europe's military industry are varied. Alongside the EDF is Eudis, a scheme worth €2 billion for the seven-year period that supports the acceleration of startups and small and medium-size enterprises (target: 400 per year). There's also the European Investment Fund (EIF), managed by the European Investment Bank (EIB), which helps fund the defense sphere, particularly when it comes to dual (civilian and military) technologies. Its aim is to act as a key investor, consequently attracting other players willing to share the risk, but until 2027 it has €175 million to spend. The European Security Industry Bank can mobilize another €8 billion, also over the next three years.

Seven deals have already been signed. These include €10 million to Germany's Quantum Systems for vertical-takeoff drones, €30 million to Spain's Skydweller for its solar-powered self-driving aircraft, and €600 million on two space communications programs. Italy's Leonardo also benefited from EIB loans, which provided €260 million for research and development activities in various technological fields.

Europe Is Pumping Billions Into New Military Tech

A controversial new surveillance system in Paris foreshadows a future where there are too many CCTV cameras for humans to physically watch.

On the eve of the Olympics opening ceremony, Paris is a city swamped in security. Forty thousand barriers divide the French capital. Packs of police officers wearing stab vests patrol pretty, cobbled streets. The river Seine is out of bounds to anyone who has not already been vetted and issued a personal QR code. Khaki-clad soldiers, present since the 2015 terrorist attacks, linger near a canal-side boulangerie, wearing berets and clutching large guns to their chests.

French interior minister Gérald Darmanin has spent the past week justifying these measures as vigilance—not overkill. France is facing the “biggest security challenge any country has ever had to organize in a time of peace,” he told reporters on Tuesday. In an interview with weekly newspaper Le Journal du Dimanche, he explained that “potentially dangerous individuals” have been caught applying to work or volunteer at the Olympics, including 257 radical Islamists, 181 members of the far left, and 95 from the far right. Yesterday, he told French news broadcaster BFM that a Russian citizen had been arrested on suspicion of plotting “large scale” acts of “destabilization” during the Games.

Parisians are still grumbling about road closures and bike lanes that abruptly end without warning, while human rights groups are denouncing “unacceptable risks to fundamental rights.” For the Games, this is nothing new. Complaints about dystopian security are almost an Olympics tradition. Previous iterations have been characterized as Lockdown London, Fortress Tokyo, and the “arms race” in Rio. This time, it is the least-visible security measures that have emerged as some of the most controversial. Security measures in Paris have been turbocharged by a new type of AI, as the city enables controversial algorithms to crawl CCTV footage of transport stations looking for threats. The system was first tested in Paris back in March at two Depeche Mode concerts.

For critics and supporters alike, algorithmic oversight of CCTV footage offers a glimpse of the security systems of the future, where there is simply too much surveillance footage for human operators to physically watch. “The software is an extension of the police,” says Noémie Levain, a member of the activist group La Quadrature du Net, which opposes AI surveillance. “It's the eyes of the police multiplied.”

Near the entrance of the Porte de Pantin metro station, surveillance cameras are bolted to the ceiling, encased in an easily-overlooked gray metal box. A small sign is pinned to the wall above the bin, informing anyone willing to stop and read that they are part of an “video surveillance analysis experiment.” The company which runs the Paris metro RATP “is likely” to use “automated analysis in real time” of the CCTV images “in which you can appear,” the sign explains to the oblivious passengers rushing past. The experiment, it says, runs until March 2025.

Porte de Pantin is on the edge of the park La Villette, home to the Olympics’ Park of Nations, where fans can eat or drink in pavilions dedicated to 15 different countries. The Metro stop is also one of 46 train and metro stations where the CCTV algorithms will be deployed during the Olympics, according to an announcement by the Prefecture du Paris, a unit of the interior ministry. City representatives did not reply to WIRED’s questions on whether there are plans to use AI surveillance outside the transport network. Under a March 2023 law, algorithms are allowed to search CCTV footage in real-time for eight “events,” including crowd surges, abnormally large groups of people, abandoned objects, weapons, or a person falling to the ground.

“What we're doing is transforming CCTV cameras into a powerful monitoring tool,” says Matthias Houllier, cofounder of Wintics, one of four French companies that won contracts to have their algorithms deployed at the Olympics. “With thousands of cameras, it's impossible for police officers \[to react to every camera\].”

Wintics won its first public contract in Paris in 2020, gathering data on the number of cyclists in different parts of the city to help Paris transport officials as they planned to build more bike lanes. By connecting its algorithms to 200 existing traffic cameras, Wintics’ system—which is still in operation—is able to first identify and then count cyclists in the middle of busy streets. When France announced it was looking for companies that could build algorithms to help improve security at this summer’s Olympics, Houllier considered this a natural evolution. “The technology is the same,” he says. “It's analyzing anonymous shapes in public spaces.”

After training its algorithms on both open source and synthetic data, Wintics’ systems have been adapted to, for example, count the number of people in a crowd or the number of people falling to the floor—alerting operators once the number exceeds a certain threshold.

“That's it. There is no automatic decision,” explains Houllier. His team trained interior ministry officials how to use the company’s software and they decide how they want to deploy it, he says. “The idea is to raise the attention of the operator, so they can double check and decide what should be done.”

Houllier argues that his algorithms are a privacy-friendly alternative to controversial facial recognition systems used by past global sporting events, such as the 2022 Qatar World Cup. “Here we are trying to find another way,” he says. To him, letting the algorithms crawl CCTV footage is a way to ensure the event is safe without jeopardizing personal freedoms. “We are not analyzing any personal data. We are just looking at shapes, no face, no license plate recognition, no behavioral analytics.”

However, privacy activists reject the idea that this technology protects people’s personal freedoms. In the 20th arrondissement, Noémie Levain has just received a delivery of 6,000 posters which the group plans to distribute, designed to warn her fellow Parisians about the “algorithmic surveillance” taking over their city and urging them to refuse the “authoritarian capture of public spaces.” She dismisses the idea that the algorithms are not processing personal data. “When you have images of people, you have to analyze all the data on the image, which is personal data, which is biometric data,” she says. “It's exactly the same technology as facial recognition. It's exactly the same principle.”

Levain is concerned the AI surveillance systems will remain in France long after the athletes leave. To her, these algorithms enable the police and security services to impose surveillance on wider stretches of the city. “This technology will reproduce the stereotypes of the police,” she says. “We know that they discriminate. We know that they always go in the same area. They always go and harass the same people. And this technology, as with every surveillance technology, will help them do that.”

As motorists rage in the city center at the security barriers blocking the streets, Levain is one of many Parisians planning to decamp to the south of France while the Olympics takes over. Yet she worries about the city that will greet her on her return. “The Olympics is an excuse,” she says. “They—the government, companies, the police—are already thinking about after.”

At the Olympics, AI Is Watching You

Cybersecurity researchers have spotted a 3,000-account network on GitHub that is manipulating the platform and spreading ransomware and info stealers.

A secretive network of around 3,000 “ghost” accounts on GitHub has quietly been manipulating pages on the code-hosting website to promote malware and phishing links, according to new research seen by WIRED.

Since at least June last year, according to researchers at cybersecurity company Check Point, a cybercriminal they dubbed “Stargazer Goblin” has been hosting malicious code repositories on the Microsoft-owned platform. GitHub is the world’s largest open-source code website, hosting millions of developers' work. As well as uploading malicious repositories, Stargazer Goblin has been boosting the pages by using GitHub’s own community tools.

Antonis Terefos, a malware reverse engineer at Check Point who discovered the nefarious behavior, says the persona behind the network uses their false accounts to “star,” “fork,” and “watch” the malicious pages. These actions—which are loosely similar to liking, sharing, and subscribing, respectively—help make the pages appear popular and genuine. The more stars, the more realistic a page looks. “The malicious repositories appeared really legitimate,” Terefos says.

“The way he has developed it is really smart, taking advantage of how GitHub operates,” Terefos says of the person behind the persona. While cybercriminals have been abusing GitHub for years, uploading malicious code and adapting legitimate repositories, Terefos says he has not previously seen a network of fake accounts operating in this way on the platform. The buying and selling of repositories and starring is coordinated on a cybercrime-linked Telegram channel and criminal marketplaces. WIRED previously reported on other GitHub black markets.

The Stargazers Ghost Network, which Check Point named after one of the first accounts they spotted, has been spreading malicious GitHub repositories that offer downloads of social media, gaming, and cryptocurrency tools. For instance, pages might be claiming to provide code to run a VPN or license a version of Adobe's Photoshop. These are mostly targeting Windows users, the research says, and aim to capitalize on people potentially searching for free software online.

The operator behind the network charges other hackers to use their services, which Check Point call “distribution as a service.” The harmful network has been spotted sharing various types of ransomware and info-stealer malware, Check Point says, including the Atlantida Stealer, Rhadamanthys, and the Lumma Stealer. Terefos says he discovered the network while researching instances of the Atlantida Stealer. The researcher says the network could be bigger than he expects, as he has also seen legitimate GitHub accounts being taken over using stolen login details.

“We disabled user accounts in accordance with GitHub’s Acceptable Use Policies, which prohibit posting content that directly supports unlawful active attack or malware campaigns that are causing technical harms,” says Alexis Wales, vice president of security operations at GitHub. “We have teams dedicated to detecting, analyzing, and removing content and accounts that violate these policies.”

GitHub has more than 100 million users who have contributed over 420 million repositories on the platform. Given the breadth of the platform, it’s unsurprising that cybercriminals and hackers are attempting to abuse it. In recent years, researchers have been mapping instances of fake stars, spotting dangerous code hidden in projects, facing growing supply-chain attacks against open source software, and seeing comments being used to spread malware.

The Stargazer Goblin threat actor identified by Check Point sells their services through ads on cybercrime forums and also through a Telegram account. A posts on a Russian-language cybercrime forum advertises 100 stars for $10 and 500 for $50 and says they can provide clones of existing repositories and trusted accounts. “For GitHub, the process looks organic,” one translated post says. The Check Point research says the network could have started operating as early as August 2022 and may have made as much as $100,000—from mid-May to mid-June this year, they estimate the operator made around $8,000.

Terefos says, in some instances, he has seen a legitimate code repository being changed by the threat actor, potentially using stolen credentials, and turned into a malicious one. If legitimate users fork a malicious repository, it has the potential to spread the code, Terefos says. The reverse malware engineer adds that he has automated the search for accounts linked to the network and is able to identify them based on common features, such as repositories using similar templates and tags. Some of the repositories seen by WIRED use variations on "instagram-follower" and "youtube-views" tags, with the names changed based on the software the page alleges to offer.

“Users of GitHub, and especially inexperienced users, can easily download malicious code, which can often be the result of fictitious reviews and starring,” says Jake Moore, global cybersecurity adviser at security firm Eset. “Telltale signs of malicious code on GitHub could also be unexpected or suspicious code changes, code that accesses external resources, and specific hard-coded credentials or API keys.”

Terefos says the activity of the network—staring and watching pages—is likely automated, as he saw repositories being acted upon in quick succession. “I don't think they're clicking, doing like manual work.” For GitHub, Terefos says, it may be difficult to identify this activity, as the behavior of the accounts is intended to look like a genuine GitHub user. Wales, from GitHub, says the company uses a combination of manual reviews and “at-scale detections” that use machine learning to identify suspicious activity

The Check Point engineer also says he identified one YouTube “ghost” account that was sharing malicious links via video, indicating that the network could be more encompassing. “I think this is not the whole picture,” Terefos says.

A Hacker ‘Ghost’ Network Is Quietly Spreading Malware on GitHub

A former Google engineer has built a search engine, webXray, that aims to find illicit online data collection and tracking—with the goal of becoming “the Henry Ford of tech lawsuits.”

This is, incidentally, how he plans to fund the operation—the basic version of webXray will be available to all, but Libert will offer a specialized tier for litigators, regulators, and businesses looking to keep their digital presences compliant with the law. He will also offer consulting services and serve as an expert witness in lawsuits.

I gave the keys to the site to digital rights activist Cory Doctorow, who took a quick look under the hood, and gave the idea a thumbs up. “I think the way to go here is class action,” Doctorow says, noting that this could lead to a trove of class action lawsuits against big tech companies. “So long as this is just exposing the API calls that produces evidence that Google is getting data that it doesn’t have lawful consent to receive or hold, this is the right move. I think it’s really a smoking gun,” he says.

Libert, for his part, concurs. “Yeah, I wanna be the Henry Ford of tech lawsuits—turn this into a factory assembly line.”

He’s already started. Three months after leaving Google, Libert served as an expert witness in a trial, testifying that websites were allegedly leaking data in violation of the law—against Google. His former employer tried to have him disqualified, arguing, somewhat ironically, that he knew too much. On Google’s policy and internal standards team, the company’s court records say, “Dr. Libert became the go-to person for all things related to cookies.” (On Monday, a judge dismissed that lawsuit, pending appeal.)

“When I did that first lawsuit, and used webXray for that, they lost it,” Libert says of Google’s reaction. “When you look at those legal filings, there’s one thing that’s driving that—fear. They’re afraid of this data being available, because they know it affects the bottom line. And it scares them.”

“One of the tragedies of Google is they used to lead by example in a positive way, and I think especially in the past three to five years, they’re not leading by positive example, they’re systematically leading by negative example,” Libert says. “And I think that’s burning down the web—the most powerful company doing things like recommending you put glue on your pizza. It’s not just that _a website_ is doing that, it’s that _the_ website, _the_ advertising platform is doing that, and that was part of my frustration.”

Google of course disagrees with this characterization of its tools and operations. “We design and build our products with strong security and privacy protections, including easy-to-use controls for managing and deleting data,” Bryant, the company spokesperson, says. “When it comes to advertising, Google was the first company to build a tool that lets people see and adjust their ads settings and even opt out of personalized ads entirely.”

Despite Libert’s gloomy view of the current state of online privacy, he is actually an optimist. He believes webXray will help speed up a shift to a better, more private, more secure web—the path to which Google and the other tech giants are currently blocking. And it’s no coincidence, perhaps, that there’s been an exodus from Google’s privacy teams in the last few months: The announcement of Keith Enright, Google’s privacy chief, exiting the company came in June, and the position “will not be replaced.” Libert says his colleagues are getting fired en masse. To Libert, it seems that Google is deprioritizing privacy at the very moment when users are calling for stronger policies.

“The problem we had 10 to 15 years ago is that there weren’t any laws. Now lots of countries have passed laws—the vast majority of people on the planet are protected by data privacy laws, but enforcement hasn’t caught up,” he says. “It’s going to catch up. I think we can speed it up.” Because people _want_ privacy; it’s that simple. It’s why he imagines law offices, government offices, and businesses turning to his new search engine to help root out the scourge of privacy violations across the web.

It’s why, perhaps, webXray’s tagline is simple and idealistic: “Privacy is inevitable.”

I guess we’ll find out.

_Updated 7/24/2024, 1:50 pm: Clarified the launch date of webXray, which was officially released publicly on Wednesday._

This Machine Exposes Privacy Violations

The code, the first of its kind, was used to sabotage a heating utility in Lviv at the coldest point in the year—what appears to be yet another innovation in Russia’s torment of Ukrainian civilians.

As Russia has tested every form of attack on Ukraine's civilians over the past decade, both digital and physical, it's often used winter as one of its weapons—launching cyberattacks on electric utilities to trigger December blackouts and ruthlessly bombing heating infrastructure. Now it appears Russia-based hackers last January tried yet another approach to leave Ukrainians in the cold: a specimen of malicious software that, for the first time, allowed hackers to reach directly into a Ukrainian heating utility, switching off heat and hot water to hundreds of buildings in the midst of a winter freeze.

Industrial cybersecurity firm Dragos on Tuesday revealed a newly discovered sample of Russia-linked malware that it believes was used in a cyberattack in late January to target a heating utility in Lviv, Ukraine, disabling service to 600 buildings for around 48 hours. The attack, in which the malware altered temperature readings to trick control systems into cooling the hot water running through buildings' pipes, marks the first confirmed case in which hackers have directly sabotaged a heating utility.

Dragos' report on the malware notes that the attack occurred at a moment when Lviv was experiencing its typical January freeze, close to the coldest time of the year in the region, and that “the civilian population had to endure sub-zero \[Celsius\] temperatures.” As Dragos analyst Kyle O'Meara puts it more bluntly: “It's a shitty thing for someone to turn off your heat in the middle of winter.”

The malware, which Dragos is calling FrostyGoop, represents one of less than 10 specimens of code ever discovered in the wild that's designed to interact directly with industrial control-system software with the aim of having physical effects. It's also the first malware ever discovered that attempts to carry out those effects by sending commands via Modbus, a commonly used and relatively insecure protocol designed for communicating with industrial technology.

Dragos first discovered the FrostyGoop malware in April after it was uploaded in several forms to an online malware scanning service—most likely the Google-owned scanning service and malware repository VirusTotal, though Dragos declined to confirm which service—perhaps by the malware's creators, in an attempt to test whether it was detected by antivirus systems. Working with Ukraine's Cyber Security Situation Center, a part of the country's SBU cybersecurity and intelligence agency, Dragos says it then learned that the malware had been used in the cyberattack that targeted a heating utility starting on January 22 in Lviv, the largest city in western Ukraine.

Dragos declined to name the victim utility, and in fact says it hasn't independently confirmed the the utility's name, since it only became aware of the targeting from the Ukrainian government. Dragos' description of the attack, however, closely matches reports of a heating outage at the Lvivteploenergo utility around the same time, which according to local media led to a loss of heating and hot water for close to 100,000 people.

Lviv mayor Andriy Sadovyi at the time called the event a “malfunction" in a post to the messaging service Telegram, but added, “there is a suspicion of external interference in the company's work system, this information is currently being checked.” A Lvivteploenergo statement on January 23 described the outage more conclusively as the “result of a hacker attack.”

Lvivteploenergo didn't respond to WIRED's request for comment, nor did the SBU. Ukraine's cybersecurity agency, the State Services for Special Communication and Information Protection, declined to comment.

In its breakdown of the heating utility attack, Dragos says that the FrostyGoop malware was used to target ENCO control devices—Modbus-enabled industrial monitoring tools sold by the Lithuanian firm Axis Industries—and change their temperature outputs to turn off the flow of hot water. Dragos says that the hackers had actually gained access to the network months before the attack, in April 2023, by exploiting a vulnerable MikroTik router as an entry point. They then set up their own VPN connection into the network, which connected back to IP addresses in Moscow.

Despite that Russia connection, Dragos says it hasn't tied the heating utility intrusion to any known hacker group it tracks. Dragos noted in particular that it hasn't, for instance, tied the hacking to the usual suspects such as Kamacite or Electrum, Dragos' own internal names for groups more widely referred to collectively as Sandworm, a notorious unit of Russia's military intelligence agency, the GRU.

Dragos found that, while the hackers used their breach of the heating utility's network to send FrostyGoop's Modbus commands that targeted the ENCO devices and crippled the utility's service, the malware appears to have been hosted on the hackers' own computer, not on the victim's network. That means simple antivirus alone, rather than network monitoring and segmentation to protect vulnerable Modbus devices, likely won't prevent future use of the tool, warns Dragos analyst Mark “Magpie” Graham. “The fact that it can interact with devices remotely means it doesn't necessarily need to be deployed to a target environment,” Graham says. “You may potentially never see it in the environment, only its effects.”

While the ENCO devices in the Lviv heating utility were targeted from within the network, Dragos also warns that the earlier version of FrostyGoop it found was configured to target an ENCO device that was instead publicly accessible over the open internet. In its own scans, Dragos says it found at least 40 such ENCO devices that were similarly left vulnerable online. The company warns that there may in fact be tens of thousands of other Modbus-enabled devices connected to the internet that could potentially be targeted in the same way. “We think that FrostyGoop would be able to interact with a huge number of these devices, and we're in the process of conducting research to verify which devices would indeed be vulnerable,” Graham says.

While Dragos hasn't officially linked the Lviv attack to the Russian government, Graham himself doesn't shy away from describing the attack as a part of Russia's war against the country—a war that has brutally decimated Ukrainian critical infrastructure with bombs since 2022 and with cyberattacks starting far earlier, since 2014. He argues that the digital targeting of heating infrastructure in the midst of Ukraine's winter may actually be a sign that Ukrainians' increasing ability to shoot down Russian missiles has pushed Russia back to hacking-based sabotage, particularly in western Ukraine. “Cyber may actually be more efficient or likely to be successful towards a city over there, while kinetic weapons are maybe still successful at a closer range," Graham says. “They’re trying to use the full spectrum, the full gamut of available tools in the armory.”

Even as those tools evolve, though, Graham describes the hackers' goals in terms that have changed little in Russia's decade-long history of terrorizing its neighbor: psychological warfare aimed at undermining Ukraine's will to resist. “This is how you chip away at the will of the people,” says Graham. “It wasn’t aimed at disrupting the heating for all of winter. But enough to make people to think, is this the right move? Do we continue to fight?”

Source

Wired