Details are starting to emerge about a stunning supply chain attack that sent the open source software community reeling.

On Friday, a lone Microsoft developer rocked the world when he revealed a backdoor had been intentionally planted in XZ Utils, an open source data compression utility available on almost all installations of Linux and other Unix-like operating systems. The person or people behind this project likely spent years on it. They were likely very close to seeing the backdoor update merged into Debian and Red Hat, the two biggest distributions of Linux, when an eagle-eyed software developer spotted something fishy.

“This might be the best-executed supply chain attack we've seen described in the open, and it’s a nightmare scenario: malicious, competent, authorized upstream in a widely used library,” software and cryptography engineer Filippo Valsorda said of the effort, which came frightfully close to succeeding.

Researchers have spent the weekend gathering clues. Here’s what we know so far.

**What Is XZ Utils?**

XZ Utils is nearly ubiquitous in Linux. It provides lossless data compression on virtually all Unix-like operating systems, including Linux. XZ Utils provides critical functions for compressing and decompressing data during all kinds of operations. XZ Utils also supports the legacy .lzma format, making this component even more crucial.

**What Happened?**

Andres Freund, a developer and engineer working on Microsoft’s PostgreSQL offerings, was recently troubleshooting performance problems a Debian system was experiencing with SSH, the most widely used protocol for remotely logging in to devices over the Internet. Specifically, SSH logins were consuming too many CPU cycles and were generating errors with valgrind, a utility for monitoring computer memory.

Through sheer luck and Freund’s careful eye, he eventually discovered the problems were the result of updates that had been made to XZ Utils. On Friday, Freund took to the Open Source Security List to disclose the updates were the result of someone intentionally planting a backdoor in the compression software.

**What Does the Backdoor Do?**

Malicious code added to XZ Utils versions 5.6.0 and 5.6.1 modified the way the software functions when performing operations related to .lzma compression or decompression. When these functions involved SSH, they allowed for malicious code to be executed with root privileges. This code allowed someone in possession of a predetermined encryption key to log in to the backdoored system over SSH. From then on, that person would have the same level of control as any authorized administrator.

**How Did This Backdoor Come to Be?**

It would appear that this backdoor was years in the making. In 2021, someone with the username JiaT75 made their first known commit to an open source project. In retrospect, the change to the libarchive project is suspicious, because it replaced the safe\_fprint funcion with a variant that has long been recognized as less secure. No one noticed at the time.

The following year, JiaT75 submitted a patch over the XZ Utils mailing list, and, almost immediately, a never-before-seen participant named Jigar Kumar joined the discussion and argued that Lasse Collin, the longtime maintainer of XZ Utils, hadn’t been updating the software often or fast enough. Kumar, with the support of Dennis Ens and several other people who had never had a presence on the list, pressured Collin to bring on an additional developer to maintain the project.

In January 2023, JiaT75 made their first commit to XZ Utils. In the months following, JiaT75, who used the name Jia Tan, became increasingly involved in XZ Utils affairs. For instance, Tan replaced Collins’ contact information with their own on oss-fuzz, a project that scans open source software for vulnerabilities that can be exploited. Tan also requested that oss-fuzz disable the ifunc function during testing, a change that prevented it from detecting the malicious changes Tan would soon make to XZ Utils.

In February of this year, Tan issued commits for versions 5.6.0 and 5.6.1 of XZ Utils. The updates implemented the backdoor. In the following weeks, Tan or others appealed to developers of Ubuntu, Red Hat, and Debian to merge the updates into their OSes. Eventually, one of the two updates made its way into several releases, according to security firm Tenable. There’s more about Tan and the timeline here.

**Can You Say More About What This Backdoor Does?**

In a nutshell, it allows someone with the right private key to hijack sshd, the executable file responsible for making SSH connections, and from there to execute malicious commands. The backdoor is implemented through a five-stage loader that uses a series of simple but clever techniques to hide itself. It also provides the means for new payloads to be delivered without major changes being required.

Multiple people who have reverse-engineered the updates have much more to say about the backdoor. Developer Sam James provided an overview here.

The XZ Backdoor: Everything You Need to Know

To settle a years-long lawsuit, Google has agreed to delete “billions of data records” collected from users of “Incognito mode,” illuminating the pitfalls of relying on Chrome to protect your privacy.

If you still hold any notion that Google Chrome’s “Incognito mode” is a good way to protect your privacy online, now’s a good time to stop.

Google has agreed to delete “billions of data records” the company collected while users browsed the web using Incognito mode, according to documents filed in federal court in San Francisco on Monday. The agreement, part of a settlement in a class action lawsuit filed in 2020, caps off years of disclosures about Google’s practices that shed light on how much data the tech giant siphons from its users—even when they’re in private-browsing mode.

Under the terms of the settlement, Google must further update the Incognito mode “splash page” that appears anytime you open an Incognito mode Chrome window after previously updating it in January. The Incognito splash page will explicitly state that Google collects data from third-party websites “regardless of which browsing or browser mode you use,” and stipulate that “third-party sites and apps that integrate our services may still share information with Google,” among other changes. Details about Google’s private-browsing data collection must also appear in the company’s privacy policy.

Additionally, some of the data that Google previously collected on Incognito users will be deleted. This includes “private-browsing data” that is “older than nine months” from the date that Google signed the term sheet of the settlement last December, as well as private-browsing data collected throughout December 2023. Certain documents in the case referring to Google's data collection methods remain sealed, however, making it difficult to assess how thorough the deletion process will be.

Google spokesperson Jose Castaneda says in a statement that the company “is happy to delete old technical data that was never associated with an individual and was never used for any form of personalization.” Castaneda also noted that the company will now pay “zero” dollars as part of the settlement after earlier facing a $5 billion penalty.

Other steps Google must take will include continuing to “block third-party cookies within Incognito mode for five years,” partially redacting IP addresses to prevent re-identification of anonymized user data, and removing certain header information that can currently be used to identify users with Incognito mode active.

The data-deletion portion of the settlement agreement follows preemptive changes to Google’s Incognito mode data collection and the ways it describes what Incognito mode does. For nearly four years, Google has been phasing out third-party cookies, which the company says it plans to completely block by the end of 2024. Google also updated Chrome’s Incognito mode “splash page” in January with weaker language to signify that using Incognito is not “private,” but merely “more private” than not using it.

The settlement's relief is strictly “injunctive,” meaning its central purpose is to put an end to Google activities that the plaintiffs claim are unlawful. The settlement does not rule out any future claims—_The Wall Street Journal_ reports that the plaintiffs’ attorneys had filed at least 50 such lawsuits in California on Monday—though the plaintiffs note that monetary relief in privacy cases is far more difficult to obtain. The important thing, the plaintiffs’ lawyers argue, is effecting changes at Google now that will provide the greatest, immediate benefit to the largest number of users.

Critics of Incognito, a staple of the Chrome browser since 2008, say that, at best, the protections it offers fall flat in the face of the sophisticated commercial surveillance bearing down on most users today; at worst, they say, the feature fills people with a false sense of security, helping companies like Google passively monitor millions of users who've been duped into thinking they're browsing alone.

The Incognito Mode Myth Has Fully Unraveled

Millions lost internet service after three cables in the Red Sea were damaged. Houthi rebels deny targeting the cables, but their missile attack on a cargo ship, left adrift for months, is likely to blame.

The ballistic missile hit the _Rubymar_ on the evening of February 18. For months, the cargo ship had been shuttling around the Arabian Sea, uneventfully calling at local ports. But now, taking on water in the bottleneck of the Bab-el-Mandeb Strait, its two dozen crew issued an urgent call for help and prepared to abandon ship.

Over the next two weeks—while the crew were ashore—the “ghost ship” took on a life of its own. Carried by currents and pushed along by the wind, the 171-meter-long, 27-meter-wide _Rubymar_ drifted approximately 30 nautical miles north, where it finally sank—becoming the most high-profile wreckage during a months-long barrage of missiles and drones launched by Iranian-backed Houthi rebels in Yemen. The attacks have upended global shipping.

But the _Rubymar_ wasn’t the only casualty. During its final journey, three internet cables laid on the seafloor in the Bab-el-Mandeb Strait were damaged. The drop in connectivity impacted millions of people, from nearby East Africa to thousands of miles away in Vietnam. It’s believed the ship’s trailing anchor may have broken the cables while it drifted. The _Rubymar_ also took 21,000 metric tons of fertilizer to its watery grave—a potential environmental disaster in waiting.

An analysis from WIRED—based on satellite imagery, interviews with maritime experts, and new internet connectivity data showing the cables went offline within minutes of each other—tracks the last movements of the doomed ship. While our analysis cannot definitively show that the anchor caused the damage to the crucial internet cables—that can only be determined by an upcoming repair mission—multiple experts conclude it is the most likely scenario.

The damage to the internet cables comes when the security of subsea infrastructure—including internet cables and energy pipelines—has catapulted up countries’ priorities. Politicians have become increasingly concerned about the critical infrastructure since the start of the Russia-Ukraine war in February 2022 and a subsequent string of potential sabotage, including the Nord Stream pipeline explosions. As Houthi weapons keep hitting ships in the Red Sea region, there are worries the _Rubymar_ may not be the last shipwreck.

The _Rubymar_’s official trail goes cold on February 18. At 8 pm local time, reports emerged that a ship in the Bab-el-Mandeb Strait, which is also known as the Gate of Tears or the Gate of Grief, had been attacked. Two anti-ship ballistic missiles were fired from “Iranian-backed Houthi terrorist-controlled areas of Yemen,” US Central Command said. Ninety minutes after the warnings arrived, at around 9:30 pm, the _Rubymar_ broadcast its final location using the automatic identification system (AIS), a GPS-like positioning system used to track ships.

As water started pouring into the hull, engine room, and machinery room, the crew’s distress call was answered by the _Lobivia_—a nearby container ship—and a US-led coalition warship. By 1:57 am on February 19, the crew was reported safe. That afternoon, the 11 Syrians, six Egyptians, three Indians, and four Filipinos who were on board arrived at the Port of Djibouti. “We do not know the coordinates of _Rubymar_,” Djibouti’s port authority posted on X.

Satellite images picked up the _Rubymar_, its path illuminated by an oil slick, two days later, on February 20. Although the crew dropped the ship’s anchor during the rescue, the ship drifted north, further up the strait in the direction of the Red Sea.

For three days, satellite photos show, the vessel largely stayed in place thanks to low winds and weak currents. Then, on February 22, satellite images show peculiar circular wave patterns hitting the ship, as seen in the image below. One former naval intelligence analyst familiar with the images, who asked not to be named for safety reasons, says this could be a sign the anchor may have come loose. One image, they say, appears to show an unidentified object, which could be a small boat, nearby.

Both the wind and currents picked up on February 23, when the ship began drifting for a second time, says Robert Parkington, an intelligence analyst with geospatial analysis firm Geollect. “As wind increases, as current increases, that chance for movement gets so much higher,” says Parkington, who monitored the _Rubymar_’s movements with data from satellite technology firm Spire Global. “Even a small breeze can have an impact on where the vessel’s moving.”

Circular ripples are visible around the Rubymar.Courtesy of BlackSky

More than 550 internet cables run along the ocean floors and connect the world. They link continents and economies, beaming everything from Zoom calls to financial transactions every millisecond. Twelve of the cables run through the Bab-el-Mandeb Strait, says Alan Mauldin, research director at telecom research firm TeleGeography. “These cables vary massively in their age, also in their capacities,” Mauldin explains. The region is a crucial, but vulnerable, choke point.

While the _Rubymar_ was drifting, three cables were damaged: the Seacom/Tata cable, a 15,000-kilometer-long wire running the length of East Africa and also connecting it to India; the Asia Africa Europe-1 (AAE-1), which snakes 25,000 kilometers and links Europe to East Asia; and the Europe India Gateway (EIG), made of 15,000 kilometers of cable and joining India with the United Kingdom.

The Seacom cable went down at 9:46 am on February 24, according to new analysis shared exclusively with WIRED by Doug Madory, director of internet analysis at the web monitoring firm Kentik. Five minutes later, at around 9:51 am, the AAE-1 cable dropped offline. Madory says the third damaged cable, EIG, was already mostly offline following a separate fault elsewhere. A telecom industry notice seen by WIRED confirms the three faults and says this was the EIG’s second. The notice says the damage is located around 30 kilometers away from where the cables land in Djibouti and are at depths of around 150 meters.

To determine when the cables lost connectivity, Madory examined internet traffic and routing data from multiple networks. For instance, a network linked to Equity Bank Tanzania, the analysis shows, lost connectivity from the Seacom cable; moments later, it was impacted by the AAE-1 damage. The two clusters of outages impacted countries in East Africa, including Tanzania, Kenya, Uganda, and Mozambique, Madory says. But they also had an impact thousands of miles away in Vietnam, Thailand, and Singapore. “The loss of these submarine cables disrupted internet service for millions of people,” he says. “While service providers in the affected countries have shifted to using the remaining cables, there exists a loss of overall capacity.” The analysis matches when the Seacom cable went offline, says Prenesh Padayachee, the company’s chief digital officer. Both AAE and EIG cables are owned by consortiums of companies, which did not respond to requests for comment.

The telecom industry builds backups into its systems to account for disruptions—and the approach mostly works. When one cable goes offline, traffic is sent via other routes. “Connectivity just went away,” says Thomas King, the chief technology officer of German-based internet exchange DE-CIX, which used the AAE-1 cables. “The issue was detected automatically. Rerouting happens also automatically,” King says. Other firms sent data on different paths around the world.

In the days after damage to the cables first emerged, one unconfirmed press report claimed Houthi rebels could have sabotaged the cables. There has been no public evidence to support this. Farzin Nadimi, a senior fellow at the Washington Institute think tank who has been monitoring the region, says it is most likely that the _Rubymar_ damaged the cables, but Houthi sabotage should not be entirely ruled out, as “highly trained” divers could reach the cables’ depths. Telecom firms have reported fears about Houthi damage to cables, while Houthi spokespeople have repeatedly denied responsibility for the disruptions.

“We don’t even know if the cable is fully broken yet,” Padayachee says. “All we know is that the cable is damaged to a level where we’ve lost comms.” It could have been cut, or even dragged along the seabed and bent so light signals cannot pass through the cable, he says.

Many in the marine and cable industry have turned toward the _Rubymar_’s drift as the likely cause for the outage. Padayachee says it is the most “plausible” scenario given the ship’s predicted drifting speed. “If you work out the distance between the two cables that roughly relates to the same sort of timeframe as to when one cable will be affected to when the other cable will be affected,” the timing makes sense, he says, adding that the cables are 700 to 1,000 meters apart.

Anchor damage, alongside earthquakes and landslides, is one of the most common ways subsea internet cables are disrupted. For instance, multiple cables in the Red Sea region were damaged by a ship dragging its anchor in 2012. There are also several types of anchor, explain William Coombs and Michael Brown, professors at Durham University and the University of Dundee, respectively, who are researching the dynamics of anchors and how they can damage underwater cables. Some anchors sit on the seabed while others dig into the ground, they say. “If the soil type is not right, and the cable has quite shallow burial or it is on the seabed, you are going to catch it if your anchor starts to drag,” Brown says.

“Considering the timings of when outages were reported, considering the rough location of where those cables are known to be, and considering where we believe to be the location of the _Rubymar_, I would say that there is a likely possibility that the anchor did cause the damage,” says Parkington of Geollect.

The _Rubymar_ finally sank on March 2. Videos reportedly taken inside the ship, gathered by Saudi state-owned news organization Al Arabiya English, show water gushing into the ship after the missile strike. As the _Rubymar_ took on more water and partially submerged, experts say, its drifting likely slowed and eventually brought it to a complete stop.

While the ship has finished its journey, the three internet cables will remain offline for some time. Padayachee, from Seacom, says that the Yemeni government is likely to approve permits for the company’s repair plans in the next couple of weeks, with repairs to all three damaged cables possibly starting later in April.

Padayachee says that additional security measures are being put in place for the operation, but the repair work itself should be relatively straightforward. The repairs are taking place in water only a couple of hundred meters deep—shallow compared to other cases where cables are more than a mile deep. When the cables are pulled out of the water by the repair crew, it should be possible to say whether the cuts were caused by the anchor or deliberately.

The _Rubymar_ presents one potential final challenge: Padayachee says the location of the cable damage is believed to be around one or two miles away from where the ship sank. “It doesn’t look like it will affect anything in the repair operation,” he says. “It could change by the time they get there: The vessel may have moved or, in fact, the vessel may have broken up and parts of it moved around.” The US Central Command has said the _Rubymar_ also presents a “subsurface impact risk to other ships.”

The Houthi’s missile launches, meanwhile, don’t look like they will stop any time soon. Other ships have been damaged; lives have been lost, and those factors will impact repairs. “It's not something you usually see: trying to have a cable ship into those waters, recover the cable, make a repair, and then be able to return to port. It's a long process. It’s risky,” says Mauldin, from TeleGeography. The risk, for other internet cables, is a repeat of the _Rubymar_. “It is not out of the question,” Madory concludes in his analysis, “that we could have another vessel, struck by a missile, inadvertently cut another submarine cable.”

_Correction 4/1/2024, 9:49 am: A previous version of this article incorrectly stated the length of the_ Rubymar, _which is 171 meters, not 17 meters._

How a Houthi-Bombed Ghost Ship Likely Cut Off Internet for Millions

Plus: Microsoft patches over 60 vulnerabilities, Mozilla fixes two Firefox zero-day bugs, Google patches 40 issues in Android, and more.

It’s time to check your software updates. March has seen the release of important patches for Apple’s iOS, Google’s Chrome, and its privacy-conscious competitor Firefox. Bugs have also been squashed by enterprise software giants including Cisco, VMware, and SAP.

Here’s what you need to know about the security updates issued in March.

**Apple iOS**

Apple made up for a quiet February by issuing two separate patches in March. At the start of the month, the iPhone maker released iOS 17.4, fixing over 40 flaws including two issues already being used in real-life attacks.

Tracked as CVE-2024-23225, the first bug in the iPhone Kernel could allow an attacker to bypass memory protections. “Apple is aware of a report that this issue may have been exploited,” the iPhone maker said on its support page.

Tracked as CVE-2024-23296, the second flaw, in RTKit, the real-time operating system used in devices including AirPods, could also allow an adversary to bypass Kernel memory protections.

Later in March, Apple released a second software update, iOS 17.4.1, this time fixing two flaws in its iPhone software, both tracked as CVE-2024-1580. Using the issues patched in iOS 17.4.1, an attacker could execute code if they convinced someone to interact with an image.

Soon after issuing iOS 17.4.1, Apple released patches for its other devices to fix the same bugs: Safari 17.4.1, macOS Sonoma 14.4.1 and macOS Ventura 13.6.6.

**Google Chrome**

March was another hectic month for Google, which patched multiple flaws in its Chrome browser. Mid-way through the month, Google released 12 patches, including a fix for CVE-2024-2625, an object-lifecycle issue in V8 with a high severity rating.

Medium-severity issues include CVE-2024-2626, an out-of-bounds read bug in Swiftshader; CVE-2024-2627, a use-after-free flaw in Canvas; and CVE-2024-2628, an inappropriate implementation issue in Downloads.

At the end of the month, Google issued seven security fixes, including a patch for a critical use-after-free flaw in ANGLE tracked as CVE-2024-2883. Two further use-after-free bugs, tracked as CVE-2024-2885 and CVE-2024-2886, were given a high-severity rating. Meanwhile, CVE-2024-2887 is a type-confusion flaw in WebAssembly.

The last two issues were exploited at the Pwn2Own 2024 hacking contest, so you should update your Chrome browser ASAP.

**Mozilla Firefox**

Mozilla’s Firefox had a busy March, after patching two zero-day vulnerabilities exploited at Pwn2Own. CVE-2024-29943 is an out-of-bounds access bypass issue, while CVE-2024-29944 is a privileged JavaScript Execution flaw in Event Handlers that could lead to sandbox escape. Both issues are rated as having a critical impact.

Earlier in the month, Mozilla released Firefox 124 to address 12 security issues, including CVE-2024-2605, a sandbox-escape flaw affecting Windows operating systems. An attacker could have leveraged the Windows Error Reporter to run arbitrary code on the system, escaping the sandbox, Mozilla said.

CVE-2024-2615 sees critical-rated memory safety bugs fixed in Firefox 124. “Some of these bugs showed evidence of memory corruption, and we presume that with enough effort \[they\] could have been exploited to run arbitrary code,” Mozilla said.

**Google Android**

Google has released its March Android Security Bulletin, fixing nearly 40 issues in its mobile operating system, including two critical bugs in its system component. CVE-2024-0039 is a remote code-execution flaw, while CVE-2024-23717 is an elevation-of-privilege vulnerability.

“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed,” Google said in its advisory.

You Should Update Apple iOS and Google Chrome ASAP

Plus: “MFA bombing” attacks target Apple users, Israel deploys face recognition tech on Gazans, AI gets trained to spot tent encampments, and OSINT investigators find fugitive Amond Bundy.

The saga of WikiLeaks founder Julian Assange continued this week after the UK’s high court ordered a delay in his extradition to the United States. Assange faces 18 charges in the US, including 17 alleged violations of the Espionage Act—charges that have alarmed journalism watchdogs. The two judges who issued the ruling said in a summary of their decision that the US must offer further assurances that Assange’s First Amendment rights will be respected and that he will not face the death penalty if convicted.

The University of Cambridge’s medical school is still recovering from “malicious activity” which the school first detected last month. The incident impacted IT services provided by Cambridge’s Clinical School Computing Service, and several websites were knocked offline. While the university also recently suffered a distributed denial-of-service attack, allegedly carried out by the hacker group Anonymous Sudan, it’s unclear if the two incidents are related, and the university has not yet clarified the nature of the “malicious activity.”

US and UK authorities this week announced sanctions and charges against members of APT31, a Chinese state-sponsored hacker group. Also known as Violet Typhoon or Judgement Panda, APT31 hackers have for the past 14 years targeted critics and political enemies around the world to conduct espionage campaigns, according to the US Department of Justice.

Finally, WIRED discovered a trove of information left online by a location data broker that reveals sensitive details about the visitors to Jeffrey Epstein’s notorious “pedophile island.” The data includes more than 11,000 precise coordinates, as many as 166 of which pinpoint the likely homes and workplaces of visitors who live in the continental United States.

But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

A few rules of thumb can vastly increase your online safety: Don’t click on links or open attachments from strangers. Double-check the sender of emails and other messages to ensure they’re not surreptitious phishing attempts. And be sure a shipping company really is who it claims to be rather than a cybercriminal gang plotting to hijack a truckload of your yogurt and hold it for ransom.

The last of those lessons was highlighted by _The Wall Street Journal_ this week in a story about a troubling form of online fraud: Fraudsters are insinuating themselves into so-called load boards, the online platforms that manufacturers, shipping companies, and the brokers who work with them use to make deals for transporting goods via truck to retailers or other destinations. By spoofing the identity of a carrier—the companies that employ truck drivers to pick up goods—fraudsters can trick brokers who arrange those deals into handing over large amounts of cargo. The criminals can then either complete the deal with a legit carrier at a lower price and pocket the difference, or simply steal the cargo.

In the case of one $50,000 load of Danone yogurt and plant-based milk, the thieves opted for the latter. The broker who had arranged the deal discovered that the fraudsters had spoofed the motor carrier number, a unique identifier, for the broker’s intended trucking company. Then they rerouted their yogurt booty from its intended destination in Florida to a warehouse in Pennsylvania. The brokerage describes receiving emails and even a phone call from an Armenian number demanding a $40,000 ransom. (The brokers refused to pay and collected an insurance payout instead. What happened with the yogurt—and exactly how much yogurt a single gang of Armenian cybercriminals can feasibly consume before it spoils—remains unclear.)

The Journal’s story reveals that cargo hijacking fraud remains a serious problem—one that cost $500 million in 2023, quadruple the year before. Victims say load board operators need to do more to verify users’ identities, and that law enforcement and regulators also need to do more to address the thefts.

**Apple Users Targeted With “MFA Bombing” Hacking Tactic**

Multifactor authentication (MFA) has served as a crucial safeguard against hackers for years. In Apple’s case, it can require a user to tap or click “allow” on an iPhone or Apple Watch before their password can be changed, an important protection against fraudulent password resets. But KrebsOnSecurity reports this week that some hackers are weaponizing those MFA push alerts, bombarding users with hundreds of requests to force them to allow a password reset—or at the very least, deal with a very annoying disruption of their device. Even when a user does reject all those password reset alerts, the hackers have, in some cases, called up the user and pretended to be a support person—using identifying information from online databases to fake their legitimacy—to social engineer them into resetting their password. The solution to the problem appears to be “rate-limiting,” a standard security feature that limits the number of times someone can try a password or attempt a sensitive settings change in a certain time period. In fact, the hackers may be exploiting a bug in Apple’s rate limiting to allow their rapid-fire attempts, though the company didn’t respond to Krebs’ request for comment.

**Israel Deploys Controversial Facial Recognition Tech in Its Surveillance of Gazans**

Israel has long been accused of using Palestinians as subjects of experimental surveillance and security technologies that it then exports to the world. In the case of the country’s months-long response to Hamas’ October 7 massacre—a response that has killed 31,000 Palestinian civilians and displaced millions more from their homes—that surveillance now includes using controversial and arguably unreliable facial recognition tools among the Palestinian population. _The New York Times_ reports that Israel’s military intelligence has adopted a facial recognition tool built by a private tech firm called Corsight, and has used it in its attempts to identify members of Hamas—particularly those involved in the October 7 attack—despite concerns that the tech was sometimes faulty and produced false positives. In one case, for instance, the Palestinian poet Mosab Abu Toha was pulled out of a crowd by soldiers who had somehow identified him by name, before he was beat, accused of being a member of Hamas, and interrogated, before soldiers then told him the interrogation had been a “mistake.”

**AI Cameras Trained to Spot Encampments of Unhoused People**

In other dystopian AI news, _The Guardian_ this week reported on a government project in San Jose, California, that used AI-enabled computer vision technology to identify encampments and vehicles lived in by unhoused people. In the project, video recorded from a car around the city is given to participating companies including Ash Sensors, Sensen.AI, Xloop Digital, Blue Dome Technologies, and CityRover, which use it as training data to develop a system that can recognize tents or vehicles that people might be living in. While the project has been described as a way to identify and help people in need, advocates for the unhoused in San Jose say they’re concerned the data is likely to instead be given to the police, and thus as just another form of surveillance targeting the most vulnerable inhabitants of the city.

**Bellingcat Investigators Find Far-Right Fugitive Ammon Bundy**

Radical libertarian Ammon Bundy, a well-known figure on the far right, has been on the run since last year, charged with contempt of court after being ordered to pay $50 million to an Idaho hospital he’d accused of child trafficking and leading a campaign of harassment that targeted its staff. Then last month, he posted a provocative video to YouTube titled, “Want to Know Where Ammon Bundy Is?” The open source detectives at Bellingcat apparently did: They found enough evidence in Bundy’s videos to convincingly reveal his location. Bellingcat was able to use material like a school calendar in the background of one shot, a mountain range in another, and a highway sign in a third to place Bundy in a certain county in southern Utah. When contacted by Bellingcat, Bundy denied hiding and wrote, a little confusingly, that “at any time peace officers could find me if they wish.”

Yogurt Heist Reveals a Rampant Form of Online Fraud

A WIRED investigation uncovered coordinates collected by a controversial data broker that reveal sensitive information about visitors to an island once owned by Epstein, the notorious sex offender.

Nearly 200 mobile devices of people who visited Jeffrey Epstein’s notorious “pedophile island” in the years prior to his death left an invisible trail of data pointing back to their own homes and offices. Maps of these visitations generated by a troubled international data broker with defense industry ties, discovered last week by WIRED, document the numerous trips of wealthy and influential individuals seemingly undeterred by Epstein’s status as a convicted sex offender.

The data amassed by Near Intelligence, a location data broker roiled by allegations of mismanagement and fraud, reveals with high precision the residences of many guests of Little Saint James, a United States Virgin Islands property where Epstein is accused of having groomed, assaulted, and trafficked countless women and girls.

Some girls, prosecutors say, were as young as 14. The former attorney general of the US Virgin Islands alleged that girls as young as 12 were trafficked to Epstein by those within his elite social circle.

The coordinates that Near Intelligence collected and left exposed online pinpoint locations to within a few centimeters of space. Visitors were tracked as they moved from the Ritz-Carlton on neighboring St. Thomas Island, for instance, to a specific dock at the American Yacht Harbor—a marina once co-owned by Epstein that hosts an “impressive array” of pleasure boats and mega-yachts. The data pinpointed their movements as they were transported to Epstein’s dock on Little St. James, revealing the exact routes taken to the island.

The tracking continued after they arrived. From inside Epstein's enigmatic waterfront temple to the pristine beaches, pools, and cabanas scattered across his 71-acres of prime archipelagic real estate, the data compiled by Near captures the movements of scores of people who sojourned at Little St. James as early as July 2016. The recorded surveillance concludes on July 6, 2019—the day of Epstein’s final arrest.

Eleven years earlier, the disgraced financier was sentenced to 18 months in jail after a guilty plea in 2008 for soliciting and procuring a minor engaged in prostitution, securing a secret “sweetheart” deal to avoid any federal charges. Renewed interest in the case, notably prompted by a _Miami Herald_ investigation, spawned new charges against Epstein, who was apprehended at New Jersey’s Teterboro Airport in July 2019. A raid of Epstein’s Manhattan townhouse by federal agents yielded a cache of child sexual abuse material, nearly 50 individually cut diamonds, and a fraudulent Saudia Arabian passport, which had expired. He reportedly died by suicide a month later while incarcerated at the Metropolitan Correctional Center, a federal detention facility that closed shortly after Epstein’s death.

Ghislaine Maxwell, former British socialite and an Epstein accomplice, was convicted in 2021 on five counts including sexual trafficking of children by force. Maxwell was arrested in New Hampshire, tracked to a million-dollar home by federal agents using location data pulled from her cell phone.

Little is known publicly about Epstein’s activities in the decade prior to his 2019 arrest. The majority of women who came forward that year to accuse the convicted pedophile in court say they were assaulted in the ’90s and early 2000s.

Now, however, 11,279 coordinates obtained by WIRED show not only a flood of traffic to Epstein’s island property—nearly a decade after his conviction as a sex offender—but also point to as many as 166 locations throughout the US where Near Intelligence infers that visitors to Little St. James likely lived and worked. The cache also points to cities in Ukraine, the Cayman Islands, and Australia, among others.

Near Intelligence, for example, tracked devices visiting Little St. James from locations in 80 cities crisscrossing 26 US states and territories, with Florida, Massachusetts, Texas, Michigan, and New York topping the list. The coordinates point to mansions in gated communities in Michigan and Florida; homes in Martha’s Vineyard and Nantucket in Massachusetts; a nightclub in Miami; and the sidewalk across the street from Trump Tower on Fifth Avenue in New York City.

The coordinates also point to various Epstein properties beyond Little St. James, including his 8,000-acre New Mexico ranch and a waterfront mansion on El Brillo Way in Palm Beach, where prosecutors said in an indictment that Epstein trafficked numerous “minor girls” for the purposes of molesting and abusing them. Near’s data is notably missing any locations in Europe, where citizens are safeguarded by comprehensive privacy laws.

Near Intelligence’s maps of Epstein’s island reveal in stark detail the precision surveillance that data brokers can achieve with the aid of loose privacy restrictions under US law. The firm, which has roots in Singapore and Bengaluru, India, sources its location data from advertising exchanges—companies that quietly interact with billions of devices as users browse the web and move about the world.

Before a targeted advertisement appears on an app or website, phones and other devices send information about their owners to real-time bidding platforms and ad exchanges, frequently including users’ location data. While advertisers can use this data to inform their bidding decisions, companies like Near Intelligence will siphon, repackage, analyze, and sell it.

Several ad exchanges, according to _The Wall Street Journal_, have reportedly terminated arrangements with Near, claiming that its use of their data violated the exchanges’ terms of service.

Officially, this data is intended to be used by companies hoping to determine where potential customers work and reside. But in October 2023, the _Journal_ revealed that Near had once provided data to the US military via a maze of obscure marketing companies, cutouts, and conduits to defense contractors. Bankruptcy records reviewed by WIRED show that in April 2023, Near Intelligence signed a yearlong contract with another firm called nContext, a subsidiary of the defense contractor Sierra Nevada.

nContext secured six federal contracts to provide data in support of the National Security Agency and the Defense Counterintelligence and Security Agency, according to reporting by Byron Tau, author of _Means of Control_, an exposé of the data-broker industry and its ties to the US surveillance state. According to information released during a $100 million funding round in 2019, Near claims to have information on roughly 1.6 billion people in 44 countries.

“The pervasive surveillance machine that has been developed for digital advertising now enables other uses completely unrelated to marketing, including government mass surveillance,” says Wolfie Christl, a Vienna-based researcher at Cracked Labs who investigates the data industry.

The data on Epstein’s guests was produced using an intelligence platform formerly known as Vista, which has now been folded into a product called Pinnacle. WIRED discovered several so-called Vista reports while examining Pinnacle’s publicly accessible code. While the specific URLs for the reports are difficult to find, Google’s web crawlers were able to locate at least two other publicly accessible Vista reports: one geofencing the Westfield Mall of the Netherlands and another targeting Saipan-Ledo Park in El Paso, Texas.

The Little St. James report features five maps, one of which reveals locations of devices observed on the island over more than three years prior to Epstein’s arrest. Two of the maps indicate the inferred “Common Evening Locations” and “Common Daytime Locations” for each device that had visited the island. According to the Vista report, these metrics are meant to show visitors’ “most frequented location on weekdays” as well as weeknights and weekends.

A fourth map shows the “general geographic areas from which a location generates the majority of its visits.” The fifth details visitors’ locations 30 minutes before and after they arrived on Epstein’s island, producing a trail of signals that show phones and other devices carried over by helicopter and boat from the main island.

WIRED extracted the location data from the charts and maps to conduct its analysis, which is ongoing. For this story, we reproduced some of the maps created by Near, while excluding any precise location data that could be used to identify properties or individuals, to protect the privacy of anyone uninvolved in Epstein’s crimes.

Crippled by debt, Near Intelligence filed for bankruptcy protection in December, reporting liabilities of approximately $100 million, less than a year after being listed by Nasdaq. An independent investigation commissioned by the company's board alleged multiple executives engaged in a years-long “concealed scheme” to cheat the company out of tens of millions of dollars. (One of those former executives has filed a claim against the company alleging defamation.)

Near Intelligence has since quietly resumed operations, under the same leadership that initiated the bankruptcy proceedings, rebranding itself as a newly incorporated entity called Azira.

US senator Ron Wyden in early February urged federal regulators to launch investigations into Near Intelligence, citing reporting by _The Wall Street Journal_ that found its platform had been used by a third party to geofence “sensitive locations,” including roughly 600 reproductive health clinics at the behest of a conservative group that waged a multiyear antiabortion campaign. US regulators have begun to designate certain types of locations “sensitive,” including health clinics, domestic abuse shelters, and places of religious worship, in an attempt to shield Americans from predatory data brokers amid the US Congress’s years-long failure to pass a comprehensive privacy law.

In an email to WIRED, Kathleen Wailes, speaking on behalf of Azira, acknowledged that Near Intelligence had deliberately collected the data on Epstein’s island for its own purposes. Wailes declined multiple invitations to discuss how the data was collected, which prospective client may have created the report of Epstein’s island, and what purpose it served.

Image: WIRED/Flourish

“Azira is committed to data privacy and responsible access to and use of location data,” Wailes said. “To this end, Azira works to track and respond to legal developments under emerging new state laws, FTC guidance and prior enforcement examples, and best practices. Azira is developing procedures to protect consumers' sensitive location data. This includes working to disable all sample offering accounts created by Near.”

Although the discovery of the Epstein island data involved many additional steps, WIRED also found it could be easily retrieved with a simple Google search.

A Department of Justice spokesperson for the US District Court for the Southern District of New York, where Epstein was prosecuted in 2019, declined to comment on whether its investigators ever did business with Near.

While many of the coordinates captured by Near point to multimillion-dollar homes in numerous US states, others point to lower-income areas where Epstein victims are known to have lived and attended school, including areas of West Palm Beach, Florida, where police and a private investigator say they located around 40 of Epstein’s victims.

"Most of the clients who come to me, their number one concern is privacy and safety,” says attorney Lisa Bloom, who represented 11 of Epstein's alleged victims. “It's deeply concerning to think that any sexual abuse victims’ location will be tracked and then stored and then sold to someone, who can presumably do whatever they want with it.”

Legislation introduced during multiple sessions of Congress have aimed to restrict the sale of location data, chiefly to prevent US law enforcement and intelligence agencies from tracking Americans without a warrant. So far, those efforts have failed. Separately, US president Joe Biden issued an executive order in February instructing the Justice Department to establish new rules preventing US companies from selling data to rival nations, which might include Iran, China, Russia, and North Korea. This order is unlikely to impact Azira’s business in the United States.

“The fact that they have this data in the first place and are allowing people to share it is certainly disturbing,” says Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, a digital-rights nonprofit. “I just don’t know how many more of these stories we need to have in order to get strong privacy regulations.”

Jeffrey Epstein's Island Visitors Exposed by Data Broker

Multiple university departments linked to the Clinical School Computing Service have been inaccessible for a month. The university has not revealed the nature of the “malicious activity.”

The University of Cambridge is constantly ranked among the world’s top universities, with its medical school and vast research facilities among the very best. But for the past month, staff at the prestigious medical school have had work hampered following “malicious activity” on its computer network.

An emailed “staff notice” seen by WIRED, believed to have been sent at the end of February, alerted staff to the disruption and said the university was working to get systems back online as soon as possible. However, weeks later, the incident is still ongoing, and little information has been made public about the nature of the incident.

“IT services provided by the Clinical School Computing Service (CSCS) have been disrupted by malicious activity,” the email reviewed by WIRED says. “We appreciate that some staff and students are experiencing significant disruption to their work and studies, and we are grateful for their patience and understanding.”

The University has confirmed to WIRED that its systems have been impacted, that some services have been voluntarily taken offline, and that while it has “contained” the incident, the disruption is ongoing and its investigations will likely take some time to complete. No data has been taken, it says. The UK’s national cybersecurity body and the country’s data regulator are also looking into the events.

The email message sent to staff last month said a “Critical Incident Management Team” has been set up to handle the response. At the time the message was sent, the email said, there was no access to the local IT network and Wi-Fi, and wired internet access had been turned off in impacted buildings, with the Wi-Fi set to be turned on again that same day.

The CSCS provides IT support to staff and researchers in the university’s School of Clinical Medicine. An archived version of its website says there are more than 5,800 devices on its network, and the team provides computers and servers to staff. The email seen by WIRED says that the CSCS also serves the Department of Zoology, Sainsbury Laboratory, which researches plant life; the Stem Cell Institute; and Milner Institute of the School of Biological Sciences, which researches emerging therapies. All have been impacted.

A University of Cambridge spokesperson confirmed the incident to WIRED, saying that “malicious activity” was found on the Clinical School Computing Service last month. “We took immediate action to contain the incident including voluntarily taking some systems offline,” the spokesperson said in a statement. “As a result, there is ongoing interruption to some services.”

It is not clear what the “malicious activity” entails or whether the activity is an attack by criminal hackers or an incident of a different nature. Multiple staff members at university departments did not respond to questions sent by WIRED about whether their work or research had been disrupted, or they directed questions to the press office as they are not authorized to speak about the incident.

The university spokesperson did not describe the nature of the problem; however, they said a business continuity plan has been implemented to minimize disruption, and all of the other university and college IT systems are working as normal and are not impacted. “This will likely take some time to complete,” the spokesperson said of its ongoing investigation. “Investigations have found no evidence that data has been taken or transferred without authorization. We have also received third-party assurance that the incident is contained.” They say the situation has moved on since the email seen by WIRED was sent, and it is not possible to characterize the level of disruption across all departments.

While little is known about the current “malicious activity,” the University of Cambridge was among a number of academic institutions, including the University of Manchester, hit by a distributed denial-of-service attack on February 19. Hacktivist group Anonymous Sudan claimed responsibility for the DDoS incident—it is unclear whether the ongoing outage is linked in any way. The day after the DDoS, the Clinical School Computing Service posted on X that the disruption to the network appeared to be “largely over,” and a university spokesperson said that normal service “should now be restored” for centrally managed IT services.

The UK’s data regulator, the Information Commissioner’s Office, tells WIRED that the University of Cambridge had made it aware of an incident and that the regulator is “making enquiries.” Meanwhile, a spokesperson for the UK’s National Cybersecurity Center says it is “working with the University of Cambridge to fully understand the impact of an incident.”

The university’s status page for IT issues lists the vast majority of services as being online, with replacements taking place for some routers on its wireless networks. However, at the time of writing, the website for the medical school displays only basic contact information, and the CSCS website appears to be offline and inaccessible. A newsletter from the Stem Cell Institute, sent on February 27, acknowledged there had been “some IT issues on campus” and that it was postponing a seminar as a result. More recent newsletters from the Institute do not reference the issues.

The email sent to staff and seen by WIRED recommended people follow best security practices, including using multifactor authentication for accounts and using strong passwords, and advised that people change their passwords immediately if they receive a notice saying someone else has logged in to their account from another device.

‘Malicious Activity’ Hits the University of Cambridge’s Medical School

A high court in London says the WikiLeaks founder won’t be extradited “immediately” and the US must provide more “assurances” about any extradition.

The UK high court has extended WikiLeaks founder Julian Assange’s hope to avoid espionage charges in the United States, allowing Assange to further challenge his extradition from the UK to the US.

In a ruling issued in London on Tuesday, two high court judges said that Assange will not be immediately extradited to the United States. In a press summary of the 60-page decision, the court said Assange has a “real prospect of success” in appealing his extradition order and that it requires the US and UK to make further “assurances” about his treatment if he were to be extradited.

“The Court has given the Government of the United States three weeks to give satisfactory assurances: that Mr Assange is permitted to rely on the First Amendment to the United States Constitution (which protects free speech), that he is not prejudiced at trial (including sentence) by reason of his nationality, that he is afforded the same First Amendment protections as a United States citizen and that the death penalty is not imposed,” the press summary says.

Assange’s extradition was first authorized by the British government in June 2022, more than three years after his arrest. The appeals process was repeatedly delayed by the Covid-19 pandemic and Assange’s own deteriorating health, a result, his doctors say, of his prolonged pretrial confinement and his previous stay in the Ecuadorian embassy in London, where he lived under asylum for nearly seven years.

The embattled WikiLeaks founder faces an 18-count indictment in the US, which alleges a conspiracy to commit computer crimes and, most significantly, violations of the Espionage Act for soliciting and publishing classified information related primarily to the US-led wars in Iraq and Afghanistan.

For Assange, his supporters, and the US government, Tuesday’s ruling has been a long time coming, culminating more than four years of legal battles in the UK. The extensive delay inevitably gave rise to a flood of analysis and conjecture from legal scholars, human rights defenders, and envoys of the US intelligence system, spawning myriad theories about the ultimate repercussions of his potential capture, trial, and imprisonment.

Free press advocates have argued the charges against Assange amount to an attack on legal journalistic activities, portrayed by prosecutors as crimes against the state. The right of journalists to publish stolen or leaked information, even when classified “secret,” has been repeatedly affirmed by the US Supreme Court.

US prosecutors allege that Assange in 2010 took matters a step further than what is legally permitted, encouraging then-WikiLeaks source Chelsea Manning to violate the law further by stealing additional files, and by offering to help her crack a hashed password that would have, ostensibly, furthered her access inside a classified Defense Department network.

Though it is unclear whether any of Assange’s offers actually aided Manning or resulted in any additional files being leaked, under the scope of US law, legal experts widely agree, success is beside the point.

Manning, a former US Army intelligence analyst, confessed during a court martial in 2013 to leaking more than 725,000 documents to WikiLeaks, though her conviction pertains only to portions of hundreds of documents. Manning was accused but acquitted of “aiding the enemy.” Her 35-year prison sentence was commuted in January 2017 by former US president Barack Obama in one of his final acts of office.

The Espionage Act, under which Assange is charged, is among the most controversial in the nation’s criminal code, wielded by prosecutors against whistleblowers and national security leakers with the same intensity as any captured traitor or spy.

Much of the US case is based on digital logs of conversations held between WikiLeaks associates and accounts allegedly manned by Assange himself. Ironically, most if not all of this evidence has itself been leaked over the years or otherwise amassed by independent researchers. Distributed Denial of Secrets (DDOS), a WikiLeaks successor, has compiled at least hundreds of thousands of pages of relevant documents from various confidential sources, including those targeted by FBI informers and by the bureau itself via search warrants.

A private database created by DDOS, reviewed by WIRED, currently contains roughly 100 gigabytes’ worth of WikiLeaks material, including several hundred thousand internal emails and tens of thousands of chat logs, many bearing account names known to have been used by Assange personally.

Despite being rigorously cataloged by DDOS researchers, it remains difficult to quantify how many individuals’ communications were logged due to the sheer volume of text. The anti-secrecy organization’s earliest files pertaining to Assange’s activities online date back 30 years.

Emma Best, a journalist and co-founder of DDOS, says it is believed the organization possesses all—or nearly all—of the recorded conversations cited in the US government’s indictment. A large percentage of internal WikiLeaks chatter is said to have been recorded by Sigurdur Thordarson, a former WikiLeaks associate, in the years and months prior to his betrayal of the organization.

Following his stint as an FBI informer in 2011, Thordarson faced multiple convictions in Icelandic court for sex crimes involving minors and for fraud in relation to funds embezzled from WikiLeaks. According to Best, a close inspection of the files would shed even further doubt as to Thordarson’s reliability, as he often mischaracterizes statements by Assange when communicating with other WikiLeaks associates and supporters.

Best says making the WikiLeaks files public is a priority due to the US’s aggressive moves in the case and the international repercussions, but distribution remains limited currently to trusted professionals, primarily for privacy reasons. WIRED’s review found that the documents identify countless individuals, including many who are not affiliated with WikiLeaks. Additionally, while the US and UK governments presumably have access to all or most of the same files, Best says, other governments, which could seek to act upon them legally, likely do not.

“The case against WikiLeaks and Assange is as misunderstood as it is secretive and important, problems worsened by the many liars involved and the largely vibes-based analysis of it,” she tells WIRED. “The first step to fixing this is simple: Leak the case.”

Assange’s case has garnered scrutiny from human rights groups, many evaluating the conditions inside US prisons as too brutal and lousy to be considered anything but cruel and inhumane.

Concerns over American prison conditions posed a major hurdle for US prosecutors in 2021 after the UK high court ruled the odds they would result in Assange’s death by suicide as unacceptable. The court decided that the US successfully mitigated these concerns by offering assurances that Assange would not face certain treatments that, while commonplace in the US, are widely gauged to run afoul of international law, including the use of extreme isolation.

The US’s assurances did little to quell protests from rights groups and Assange family members, as they’d been offered in the past to little effect. Frequently highlighted is the case of British poet Syed Talha Ahsan, who was kept in solitary confinement for years in a Connecticut “supermax” prison known as the Northern Correctional Institution. The prison closed in June 2021.

A key assurance offered by the US is that Assange will never be confined at another supermax prison, Colorado’s ADX Florence, which currently cages more than 300 prisoners. The use of prolonged isolation, common within the prison but employed throughout the US, has been labeled “torture” by current and past United Nations prison watchdogs. Repeated studies have shown prolonged isolation to have deleterious and potentially irreversible effects on the human brain, leading to significantly higher rates of suicide, homicide, and opioid dependence among incarcerated people upon their release.

Another assurance offered by the US is that Assange will not be subjected to “special administrative measures,” an Orwellian euphemism for the government surveilling a prisoner’s attorney-client communications. Among other justifications, the US can implement this procedure—known as SAM—by claiming the monitoring is necessary to “prevent the disclosure of classified information.”

If convicted, Assange’s lawyers say he faces a maximum of 175 years in prison, though US prosecutors have downplayed in the press the likelihood of him receiving such a lengthy sentence.

_This is a developing story and is being updated with new information._

Julian Assange Won’t Be Extradited to the US Yet

US and UK officials hit Chinese hacking group APT31 with sanctions and criminal charges after they targeted thousands of businesses, politicians, and critics of China.

For years, China’s state-backed hackers have stolen huge troves of company secrets, political intelligence, and the personal information of millions of people. On Monday, officials in the United States and United Kingdom expanded the long list of hacking allegations, claiming China is responsible for breaching the UK’s elections watchdog and accessing 40 million people’s data. The countries also issued a raft of criminal charges and sanctions against a separate Chinese group following a multiyear hacking rampage.

In August last year, the UK’s Electoral Commission revealed “hostile actors” had infiltrated its systems in August 2021 and could potentially access sensitive data for 14 months until they were booted out in October 2022. The deputy prime minister, Oliver Dowden, told lawmakers on Monday that a China state-backed actor was responsible for the attack. In addition, Dowden said, the UK’s intelligence services have determined that Chinese hacking group APT31 targeted the email accounts of politicians in 2021.

“This is the latest in a clear pattern of malicious cyber activity by Chinese state-affiliated organizations and individuals targeting democratic institutions and parliamentarians in the UK and beyond,” Dowden said in the UK’s House of Commons. The revelations were accompanied by the UK sanctioning two individuals and one company linked to APT31.

Alongside the UK’s announcement on Monday, the US Department of Justice and Department of the Treasury’s Office of Foreign Assets Control unveiled further action against APT31, also known as Violet Typhoon, Bronze Vinewood, and Judgement Panda, including charging seven Chinese nationals with the conspiracy to commit computer intrusions and wire fraud.

The DOJ claims the hacking group, which has been linked back to China’s Ministry of State Security (MSS) spy agency, has spent 14 years targeting thousands of critics, businesses, and political entities around the world in widespread espionage campaigns. This includes posing as journalists to send more than 10,000 malicious emails that tracked recipients, compromising email accounts, cloud storage accounts, telephone call records, home routers, and more. The spouses of one high-ranking White House official and those of multiple US senators were also targeted, the DOJ says.

“These allegations pull back the curtain on China’s vast illegal hacking operation that targeted sensitive data from US elected and government officials, journalists and academics; valuable information from American companies; and political dissidents in America and abroad,” Breon Peace, a US attorney for the Eastern District of New York, said in a statement. “Their sinister scheme victimized thousands of people and entities across the world, and lasted for well over a decade.”

The moves come as countries increasingly warn of an increase in China-linked espionage, during a year when more than 100 countries will host major elections. Statements from officials focus on the impact of the hacking activity on democratic processes, including the targeting of elected officials around the world and the compromising of pro-democracy activists and lawmakers in Hong Kong. However, the disclosures also coincide with continued jostling from Western politicians over pro- or anti-China stances, including the proposed sale of TikTok to a US company, which could result in a ban on the popular app if the sale fails to go through.

As officials in the UK disclosed the details of the hacking activity, Lin Jian, a Chinese foreign ministry spokesperson, claimed it was “disinformation” and told reporters the country “opposes illegal and unilateral” sanctions. “When investigating and determining the nature of cyber cases, one needs to have adequate and objective evidence, instead of smearing other countries when facts do not exist, still less politicize cybersecurity issues,” Jian said in a daily press conference on Monday.

“China is embarking on a huge global campaign of interference and espionage, and the UK and the like-minded nations are pretty sick of it,” says Tim Stevens, a global security lecturer and head of the cybersecurity research group at King’s College London. Stevens says the public shaming and sanctions are unlikely to significantly change China’s actions but may signal a warning to other countries about what is and isn’t deemed acceptable when it comes to international affairs.

China has a broad range of hacking groups linked to its intelligence services and military, as well as companies that it contracts to launch some cyber operations. Many of these groups have been active for more than a decade. Dakota Cary, a China-focused consultant at security firm SentinelOne, says that groups associated with China’s civilian intelligence service are largely conducting diplomatic or government intelligence collection and espionage, while China’s military hackers are behind attacks on power grids and US critical infrastructure such as water supplies. “We do see China engaging in all of those activities simultaneously,” Cary says.

In announcing criminal charges and sanctions against members of APT31, officials in the US laid out a series of hacking allegations that include the targeting of businesses, political entities, and dissidents around the world. These included a “leading provider” of 5G telecoms equipment in the US, Norwegian government officials, and people working in the aerospace and defense industries. APT31 was run by the MSS’s Hubei State Security Department in the city of Wuhan, US officials say.

The seven Chinese nationals hit with charges are Ni Gaobin, Weng Ming, Cheng Feng, Peng Yaowen, Sun Xiaohui, Xiong Wang, and Zhao Guangzong. Both Zhao Guangzong and Ni Gaobin were also sanctioned. The two are alleged to be affiliated with Wuhan XRZ, a company that has also been sanctioned by the US and UK and is believed to be a cover for MSS-linked hacking operations. Employees of the company hacked into a Texas-based energy company in 2018, the US Treasury Department said.

The group used sophisticated malware—including Rawdoor, Trochilus, and EvilOSX—to compromise systems, according to a 27-page indictment unsealed by the DOJ. They also used a “cracked/pirated” version of penetration testing tool Cobalt Strike Beacon to compromise victims, the indictment says. It adds that, between 2010 and November 2023, the group “gained access” to a defense contractor that designed flight simulators for the US Army, Air Force, and Navy; a multi-factor authentication company; an American trade association; a steel company; a machine learning laboratory based in Virginia; and multiple research hospitals.

In its announcement, the UK outlined two separate China-linked incidents: first, the targeting of the email inboxes of 43 members of parliament (MPs) by APT31 in 2021; and second, the hack of the Electoral Commission by further unnamed China-linked hackers. Elections in the UK are decentralized and organized locally, with the commission overseeing the entire process. This setup means the integrity of the electoral process was not impacted, the commission says; however, a huge amount of data may have been taken by the hackers.

When the Electoral Commission revealed it had been compromised last year, it said the details of around 40 million people may have been accessed. The commission said names and addresses of people in Great Britain who were registered to vote between 2014 and 2022 could have been compromised, and that file-sharing and email systems could have been made accessible. “It’s really remarkable that China would go after election oversight systems, particularly given the diplomacy that the PRC \[People’s Republic of China\] is trying to pull off with the EU,” Cary says. “It’s a very significant act for the PRC to go after these types of systems,” Cary says. “It’s something that democracies are really sensitive to.”

While nations have called out China’s hacking activities for years, the country has evolved its tactics and techniques to become harder to detect. “Over the past couple of years, tired of having their operations rumbled and publicly outed, the Chinese have placed a growing emphasis on stealthy tradecraft in cyber espionage attacks,” Don Smith, vice president of threat intelligence at security firm Secureworks’ counter-threat unit, said in a statement. “This is a change in MO from its previous ‘smash and grab’ reputation but it is viewed by the Chinese as a necessary evolution to one, make it harder to get caught and two, make it nearly impossible to attribute an attack to them.”

Chinese Hackers Charged in Decade-Long Global Spying Rampage

Plus: The Biden administration warns of nationwide attacks on US water systems, a new Russian wiper malware emerges, and China-linked hackers wage a global attack spree.

The next time you stay in a hotel, you may want to use the door’s deadbolt. A group of security researchers this week revealed a technique that uses a series of security vulnerabilities that impact 3 million hotel room locks worldwide. While the company is working to fix the issue, many of the locks remain vulnerable to the unique intrusion technique.

Apple is having a tough week. In addition to security researchers revealing a major, virtually unpatchable vulnerability in its hardware (more on that below), the United States Department of Justice and 16 attorneys general filed an antitrust lawsuit against the tech giant, alleging that its practices related to its iPhone business are illegally anticompetitive. Part of the lawsuit highlights what it calls Apple’s “elastic” embrace of privacy and security decisions—particularly iMessage’s end-to-end encryption, which Apple has refused to make available to Android users.

Speaking of privacy, a recent change to cookie pop-up notifications reveals the number of companies each website shares your data with. A WIRED analysis of the top 10,000 most popular websites found that some sites are sharing data with more than 1,500 third parties. Meanwhile, employer review site Glassdoor, which has long allowed people to comment about companies anonymously, has begun encouraging people to use their real names.

And that’s not all. Each week, we round up the security and privacy news we don’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Apple’s M-series of chips contain a flaw that could allow an attacker to trick the processor into revealing secret end-to-end encryption keys on Macs, according to new research. An exploit developed by a team of researchers, dubbed GoFetch, takes advantage of the M-series chips’ so-called data memory-dependent prefetcher, or DMP. Data stored in a computer’s memory have addresses, and DMP’s optimize the computer’s operations by predicting the address of data that is likely to be accessed next. The DMP then puts “pointers” that are used to locate data addresses in the machine’s memory cache. These caches can be accessed by an attacker in what’s known as a side-channel attack. A flaw in the DMP makes it possible to trick the DMP into adding data to the cache, potentially exposing encryption keys.

The flaw, which is present in Apple’s M1, M2, and M3 chips, is essentially unpatchable because it is present in the silicon itself. There are mitigation techniques that cryptographic developers can create to reduce the efficacy of the exploit, but as Kim Zetter at Zero Day writes, “the bottom line for users is that there is nothing you can do to address this.”

**US Warns of Widespread Cyberattacks Against Water Systems**

In a letter sent to governors across the US this week, officials at the Environmental Protection Agency and the White House warned that hackers from Iran and China could attack “water and wastewater systems throughout the United States.” The letter, sent by EPA administrator Michael Regan and White House national security adviser Jake Sullivan, says hackers linked to Iran’s Islamic Revolutionary Guard and Chinese state-backed hacker group known as Volt Typhoon have already attacked drinking water systems and other critical infrastructure. Future attacks, the letter says, “have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.”

**A New Russian Wiper Malware Threatens Communication Networks**

There’s a new version of a wiper malware that Russian hackers appear to have used in attacks against several Ukrainian internet and mobile service providers. Dubbed AcidPour by researchers at security firm SentinelOne, the malware is likely an updated version of the AcidRain malware that crippled the Viasat satellite system in February 2022, heavily impacting Ukraine’s military communications. According to SentinelOne’s analysis of AcidPour, the malware has “expanded capabilities” that could allow it to “better disable embedded devices including networking, IoT, large storage (RAIDs), and possibly ICS devices running Linux x86 distributions.” The researchers tell CyberScoop that AcidPour may be used to carry out more widespread attacks.

**China’s Earth Krahang Hackers Target Victims Around the World**

Volt Typhoon isn’t the only China-linked hacker group wreaking widespread havoc. Researchers at security firm TrendMicro revealed a hacking campaign by a group known as Earth Krahang that’s targeted 116 organizations across 48 countries. Of those, Earth Krahang has managed to breach 70 organizations, including 48 government entities. According to TrendMicro, the hackers gain access through vulnerable internet-facing servers or through spear-phishing attacks. They then use access to the targeted systems to engage in espionage and commandeer the victims’ infrastructure to carry out further attacks. Trend Micro, which has been monitoring Earth Krahang since early 2022, also says it found “potential links” between the group and I-Soon, a Chinese hack-for-hire firm that was recently exposed by a mysterious leak of internal documents.

Source

Wired