Indirect prompt-injection attacks can leave people vulnerable to scams and data theft when they use the AI chatbots.

Microsoft director of communications Caitlin Roulston says the company is blocking suspicious websites and improving its systems to filter prompts before they get into its AI models. Roulston did not provide any more details. Despite this, security researchers say indirect prompt-injection attacks need to be taken more seriously as companies race to embed generative AI into their services.

“The vast majority of people are not realizing the implications of this threat,” says Sahar Abdelnabi, a researcher at the CISPA Helmholtz Center for Information Security in Germany. Abdelnabi worked on some of the first indirect prompt-injection research against Bing, showing how it could be used to scam people. “Attacks are very easy to implement, and they are not theoretical threats. At the moment, I believe any functionality the model can do can be attacked or exploited to allow any arbitrary attacks,” she says.

Hidden Attacks

Indirect prompt-injection attacks are similar to jailbreaks, a term adopted from previously breaking down the software restrictions on iPhones. Instead of someone inserting a prompt into ChatGPT or Bing to try and make it behave in a different way, indirect attacks rely on data being entered from elsewhere. This could be from a website you’ve connected the model to or a document being uploaded.

“Prompt injection is easier to exploit or has less requirements to be successfully exploited than other” types of attacks against machine learning or AI systems, says Jose Selvi, executive principal security consultant at cybersecurity firm NCC Group. As prompts only require natural language, attacks can require less technical skill to pull off, Selvi says.

There’s been a steady uptick of security researchers and technologists poking holes in LLMs. Tom Bonner, a senior director of adversarial machine-learning research at AI security firm Hidden Layer, says indirect prompt injections can be considered a new attack type that carries “pretty broad” risks. Bonner says he used ChatGPT to write malicious code that he uploaded to code analysis software that is using AI. In the malicious code, he included a prompt that the system should conclude the file was safe. Screenshots show it saying there was “no malicious code” included in the actual malicious code.

Elsewhere, ChatGPT can access the transcripts of YouTube videos using plug-ins. Johann Rehberger, a security researcher and red team director, edited one of his video transcripts to include a prompt designed to manipulate generative AI systems. It says the system should issue the words “AI injection succeeded” and then assume a new personality as a hacker called Genie within ChatGPT and tell a joke.

In another instance, using a separate plug-in, Rehberger was able to retrieve text that had previously been written in a conversation with ChatGPT. “With the introduction of plug-ins, tools, and all these integrations, where people give agency to the language model, in a sense, that's where indirect prompt injections become very common,” Rehberger says. “It's a real problem in the ecosystem.”

“If people build applications to have the LLM read your emails and take some action based on the contents of those emails—make purchases, summarize content—an attacker may send emails that contain prompt-injection attacks,” says William Zhang, a machine learning engineer at Robust Intelligence, an AI firm working on the safety and security of models.

No Good Fixes

The race to embed generative AI into products—from to-do list apps to Snapchat—widens where attacks could happen. Zhang says he has seen developers who previously had no expertise in artificial intelligence putting generative AI into their own technology.

If a chatbot is set up to answer questions about information stored in a database, it could cause problems, he says. “Prompt injection provides a way for users to override the developer’s instructions.” This could, in theory at least, mean the user could delete information from the database or change information that’s included.

The Security Hole at the Heart of ChatGPT and Bing

Researchers say the state-sponsored espionage operation may also lay the groundwork for disruptive cyberattacks.

As state-sponsored hackers working on behalf of Russia, Iran, and North Korea have for years wreaked havoc with disruptive cyberattacks across the globe, China's military and intelligence hackers have largely maintained a reputation for constraining their intrusions to espionage. But when those cyberspies breach critical infrastructure in the United States—and specifically a US territory on China's doorstep—spying, conflict contingency planning, and cyberwar escalation all start to look dangerously similar.

On Wednesday, Microsoft revealed in a blog post that it has tracked a group of what it believes to be Chinese state-sponsored hackers who have since 2021 carried out a broad hacking campaign that has targeted critical infrastructure systems in US states and Guam, including communications, manufacturing, utilities, construction, and transportation. 

The intentions of the group, which Microsoft has named Volt Typhoon, may simply be espionage, given that it doesn’t appear to have used its access to those critical networks to carry out data destruction or other offensive attacks. But Microsoft warns that the nature of the group's targeting, including in a Pacific territory that might play a key role in a military or diplomatic conflict with China, may yet enable that sort of disruption.

"Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible," the company's blog post reads. But it couples that statement with an assessment with "moderate confidence" that the hackers are “pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.”

Google-owned cybersecurity firm Mandiant says it has also tracked a swath of the group's intrusions and offers a similar warning about the group's focus on critical infrastructure “There's not a clear connection to intellectual property or policy information that we expect from an espionage operation,” says John Hultquist, who heads threat intelligence at Mandiant. “That leads us to question whether they’re there _because_ the targets are critical. Our concern is that the focus on critical infrastructure is preparation for potential disruptive or destructive attack.”

Microsoft’s blog post offered technical details of the hackers’ intrusions that may help network defenders spot and evict them: The group, for instance, uses hacked routers, firewalls, and other network “edge” devices as proxies to launch its hacking—targeting devices  that include those sold by hardware makers ASUS, Cisco, D-Link, Netgear, and Zyxel. The group also often exploits the access provided from compromised accounts of legitimate users rather than its own malware to make its activity harder to detect by appearing to be benign.

Blending in with a target's regular network traffic in an attempt to evade detection is a hallmark of Volt Typhoon and other Chinese actors' approach in recent years, says Marc Burnard, a senior consultant of information security research at Secureworks. Like Microsoft and Mandiant, the Secureworks has been tracking the group and observing the campaigns. He added that the group has demonstrated a “relentless focus on adaption” to pursue its espionage.

US government agencies, including the National Security Agency, the Cybersecurity and Infrastructure Security Agency (CISA), and the Justice Department published a joint advisory about Volt Typhoon's activity today alongside Canadian, UK, and Australian intelligence. “Private sector partners have identified that this activity affects networks across US critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide,” the agencies wrote.

Although Chinese state-sponsored hackers have never launched a disruptive cyberattack against the United States—even over decades of data theft from US systems—the country’s hackers have periodically been caught inside US critical infrastructure systems. As early as 2009, US intelligence officials warned that Chinese cyberspies had penetrated the US power grid to “map” the country's infrastructure in preparation for a potential conflict. Two years ago, CISA and the FBI also issued an advisory that China had penetrated US oil and gas pipelines between 2011 and 2013. China’s Ministry of State Security hackers have gone much further in cyberattacks against the country’s Asian neighbors, actually crossing the line of carrying out data-destroying attacks disguised as ransomware, including against Taiwan’s state-owned oil firm CPC.

This latest set of intrusions seen by Microsoft and Mandiant suggests that China’s critical infrastructure hacking continues. But even if the Volt Typhoon hackers did seek to go beyond espionage and lay the groundwork for cyberattacks, the nature of that threat is far from clear. State-sponsored hackers are, after all, often assigned to gain access to an adversary’s critical infrastructure as a preparatory measure in case of a future conflict, since gaining the access  necessary for a disruptive attack usually requires months of advanced work.

That ambiguity in state-sponsored hackers’ motivations when they penetrate another country’s networks—and its potential for misinterpretation and escalation—is what Georgetown professor Ben Buchanan has called “the cybersecurity dilemma” in his book by the same name. “Genuinely attacking and building the option to attack later on,” Buchanan told WIRED in a 2019 interview as cyberwar tensions rose between the US and Russia, “are very hard to disentangle."

Drawing the lines between espionage, cyberattack preparation, and imminent cyberattack is an even harder exercise with China, says Mandiant’s Hultquist, given the limited instances of the country pulling the trigger on a digitally disruptive event—even when it does have the access to cause one, as it may well have had in Volt Typhoon’s intrusions. “China’s disruptive and destructive capabilities are extremely opaque,” he says. “Here we have a possible indication that this might be an actor with that mission.”

China Hacks US Critical Networks in Guam, Raising Cyberwar Fears

Fentanyl has long been one of the most dangerous wares of the underworld cryptocurrency economy—so dangerous, in fact, that even many dark-web markets have banned it. But new research shows that cryptocurrency is playing a different role in that deadly opioid’s supply chain: Chinese chemical producers are accepting cryptocurrency as payment for fentanyl ingredients they’re selling to drug operations that mass-produce the narcotic in countries around the world. And they’re offering it not on the dark web, but in full public view.

Cryptocurrency-tracing firm Elliptic today released new findings that offer a glimpse of an underreported role of cryptocurrency in the global fentanyl trade: the wholesale supply of ingredients to fentanyl producers around the world. Researchers at Elliptic found more than 90 Chinese chemical companies that sold fentanyl “precursor” chemicals and advertised their products on the open web, fully 90 percent of which offered to accept payment in cryptocurrencies like Bitcoin and Tether.

Monthly cryptocurrency transactions to the Chinese firms selling fentanyl ingredients that Elliptic identified.

Courtesy of Elliptic

Elliptic researchers conducted blockchain analysis of some of the cryptocurrency addresses those companies shared with prospective customers. The researchers estimate that those addresses received just over $27 million in transactions in the past five years, most since 2021, given that transactions have increased 450 percent in the past year. But the company warns that this is likely just a fraction of a larger crypto-fueled fentanyl supply chain—and the retail value of fentanyl produced with those precursors is probably thousands of times higher, in the tens of billions of dollars.

“It’s underappreciated how much crypto is accepted by Chinese companies for materials that are used to manufacture these narcotics,” says Tom Robinson, who cofounded Elliptic and leads its research team. (Robinson declined to name any of the companies, though he said Elliptic has shared their names with law enforcement.) “The number of crypto transactions is significant, and you only need a small amount of these materials to produce fentanyl and other narcotics in quantities that both have an extremely high street value and could potentially lead to huge numbers of overdoses.” 

The Elliptic report notes that the tens of millions of dollars worth of precursor sales it tracked on blockchains would likely be enough to manufacture enough fentanyl to, if distributed efficiently, kill every person on earth.

The sale of dangerous opioids like fentanyl on dark-web markets like Silk Road and successors like AlphaBay and Hydra has been notorious for well over a decade. But in recent years, dark-web markets have begun instituting bans on the drug, which can be 50 times stronger than heroin. Though these bans are sometimes only loosely enforced, they aim to prevent both the harm the substance brings to customers and the accompanying law enforcement attention. “I knew it was very dangerous,” one dark-web administrator who goes by the name DeSnake told WIRED in a 2021 interview, explaining the fentanyl ban on the AlphaBay dark-web market he’d relaunched at the time. “In a place where no one knows no one, it would be a very, very big mess.”

Despite that trend away from dark-web fentanyl sales, four members of the US Congress this week reintroduced a bill called the Dark Web Interdiction Act to increase the sentences for dark-web drug dealers, focusing specifically on fentanyl. The bill would also strengthen and make permanent the Joint Criminal Opioid and Darknet Enforcement task force that has helped coordinate law enforcement takedowns of hundreds of alleged dark-web drug sellers and administrators in recent years.

But even as the dark-web retail cryptocurrency trade in fentanyl has been restricted, and as law enforcement units crack down on what remains of it, Elliptic’s research shows that cryptocurrency-based wholesaling of fentanyl ingredients to drug cartels—who then manufacture the synthetic opioid and smuggle it into the US and other countries to be sold in the physical world—continues. In its study of precursor-selling chemical labs, Elliptic notes that several of the websites it surveyed specifically mentioned that they shipped to customers in Mexico, and 17 of the labs also sold finished fentanyl and other even more powerful opioids.

Those Chinese chemical companies do in some cases sell products other than fentanyl precursors, Elliptic’s Robinson notes, and he concedes that blockchain analysis can’t tell the difference between those sales and the sales of fentanyl ingredients. Some also sold precursors to amphetamines, methamphetamines, and other opioids. But Elliptic’s researchers saw companies advertising that fentanyl precursors were their best-selling product, in some cases. Robinson also notes that Elliptic isn’t claiming to have measured the entire crypto-based fentanyl supply chain, but only taken a “snapshot” of transactions it could identify. This suggests its $27 million estimate is likely lower than the total amount of fentanyl precursor sales over the past half-decade.

The US government may be increasingly aware of the activity of fentanyl precursor sellers in China and of cryptocurrency’s role, but so far the US has acted on a scale far smaller than the industry Elliptic has uncovered. The US Treasury Department last month levied sanctions against four Chinese men and two chemical labs, Wuhan Shuokang Biological Technology and Suzhou Xiaoli Pharmatech, for selling fentanyl precursors to drug cartels in Mexico. Three of the men were also indicted in absentia. The fourth, according to Treasury’s announcement, was an associate who had accepted cryptocurrency payments on behalf of one of the two companies.

The Chinese chemical firms’ decision to accept cryptocurrency for their fentanyl ingredient sales may seem counterintuitive, given the ability of companies like Elliptic and other cryptocurrency-tracing firms to track sales of dangerous and potentially illegal products across blockchains. But Robinson says the Chinese firms are likely using crypto because it’s hard to seize or block—and they may not particularly care that the money can be traced by Western companies and law enforcement as long as they can still find a cryptocurrency exchange willing to cash it out. “If a company in China wants to accept crypto payments, no one can prevent that from occurring,” Robinson says.

But traceability also creates an opportunity to pressure cryptocurrency exchanges to cut off the accounts of fentanyl precursor sellers Elliptic has identified. Elliptic, in fact, notified exchanges of hundreds of addresses it linked to the Chinese chemical companies. “There’s definitely a role for those services to clamp down on this,” Robinson says. And exploiting that crypto choke point could perhaps cut off at least a fraction of the lethal flow of fentanyl worldwide—not at its destination, but at its source.

Chinese Labs Are Selling Fentanyl Ingredients for Millions in Crypto

“Container registries” are ubiquitous software clearinghouses, but they’ve been exposed for years. Chainguard says it now has a solution.

As software supply-chain attacks have emerged as an everyday threat, where bad actors poison a step in the development or distribution process, the tech industry has had a wake-up call about the need to secure each link in the chain. But actually implementing improvements is challenging, particularly for the sprawling open-source cloud development ecosystem. Now, the security firm Chainguard says it has a more secure solution for one ubiquitous but long overlooked component.

“Container registries” are sort of like app stores or clearinghouses where developers upload “images” of cloud containers that each hold a different software program. The cloud services you use every day are constantly and silently navigating container registries to access applications, but these registries are often poorly secured with just a password that can be lost, stolen, or guessed. This often means that people who shouldn't have access to a given container image can download it, or, worse, they can upload images to the registry that could be malicious. Chainguard's new container image registry aims to plug this esoteric but pervasive hole.

 “Pretty much every bad possible thing has happened with container registries that you can imagine,” says Dan Lorenc, Chainguard’s CEO and a longtime software supply-chain security researcher. “People losing passwords, people pushing malware on purpose, people forgetting to update stuff. The industry has just kind of been using this for a long time—everyone was having fun, shipping code—and nobody was thinking about long-term consequences.”

The Chainguard researchers say they have long considered developing a more thoughtfully designed registry, particularly one that gets rid of passwords and instead uses a single-sign-on approach to control registry access. That way, a registry can be designed to be as accessible or as locked down as needed, and only people who are logged in to other accounts, like corporate identity services or Google accounts, and then specifically authorized can interact with the registry.

“Container registries have been a weak link,” says Jason Hall, a Chainguard software engineer. “They're pretty boring, pretty standard. This is software that's relying on software to deliver software. We need to do better and get rid of passwords to talk to the registry and be able to push to the registry.”

The big limitation on deploying a system like this, though, has been cost. Running a container registry typically gets very expensive because of “egress fees.” In other words, cloud providers don't charge enterprise customers to upload data into the cloud, but they do charge them every time someone downloads the data. So if container registries are like an app store where everyone is coming to download container images, the egress fees can get really big, really fast. This disincentivized work on overhauling the security of container registries, because no one wanted to take on the cost associated with offering a more secure alternative.

The breakthrough for Chainguard came when the internet infrastructure company Cloudflare announced the general availability of its R2 Storage service in September. The goal of the product is to offer reduced egress fees to Cloudflare customers and even no fees for data that gets downloaded infrequently. Once R2 emerged as an option, the Chainguard researchers had everything they needed to move ahead with a more secure registry.

Aly Cabral, Cloudflare's vice president of product management for workers, says that as a content delivery network, the company is able to offer a service like R2 because it has already invested so extensively in optimizing its systems to manage and move data around the world efficiently. And she points out that egress fees are problematic in a number of areas, not just cloud software development. For example, AI companies increasingly need ways to move their training data sets to different regions and platforms to find GPU processing power.

When it comes to creating more secure cloud registries, though, Cabral says that Chainguard's initiative is exactly the type of project Cloudflare hoped to support with R2.

“Chainguard’s work to rethink key software delivery infrastructure—like container registries—and ensure that it is built with secure-by-design principles that the ecosystem needs, is the type of proactive attention that will assist in preventing malicious attacks,” she says. “Too often, security is an afterthought, which can be detrimental as threat actors grow increasingly sophisticated and savvy in their ability to exploit substandard security measures.”

Chainguard will use its secure registry to distribute images and will also make the registry design available so others can adopt it. For regular web users, the change will be invisible, but it could prevent fallout from software supply-chain attacks that can—and do—have tangible impacts on people's lives.

There’s Finally a Way to Improve Cloud Container Registry Security

In response to an EU proposal to scan private messages for illegal material, the country's officials said it is “imperative that we have access to the data.”

Spain has advocated banning encryption for hundreds of millions of people within the European Union, according to a leaked document obtained by WIRED that reveals strong support among EU member states for proposals to scan private messages for illegal content.

The document, a European Council survey of member countries’ views on encryption regulation, offered officials’ behind-the-scenes opinions on how to craft a highly controversial law to stop the spread of child sexual abuse material (CSAM) in Europe. The proposed law would require tech companies to scan their platforms, including users’ private messages, to find illegal material. However, the proposal from Ylva Johansson, the EU commissioner in charge of home affairs, has drawn ire from cryptographers, technologists, and privacy advocates for its potential impact on end-to-end encryption.

For years, EU states have debated whether end-to-end encrypted communication platforms, such as WhatsApp and Signal, should be protected as a way for Europeans to exercise a fundamental right to privacy—or weakened to keep criminals from being able to communicate outside the reach of law enforcement. Experts who reviewed the document at WIRED’s request say it provides important insight into which EU countries plan to support a proposal that threatens to reshape encryption and the future of online privacy.

Of the 20 EU countries represented in the document leaked to WIRED, the majority said they are in favor of some form of scanning of encrypted messages, with Spain’s position emerging as the most extreme. “Ideally, in our view, it would be desirable to legislatively prevent EU-based service providers from implementing end-to-end encryption,” Spanish representatives said in the document.

The source of the document declined to comment and requested anonymity because they were not authorized to share it.

“It is shocking to me to see Spain state outright that there should be legislation prohibiting EU-based service providers from implementing end-to-end encryption,” says Riana Pfefferkorn, a research scholar at Stanford University’s Internet Observatory in California who reviewed the document at WIRED’s request. “This document has many of the hallmarks of the eternal debate over encryption.”

End-to-end encryption is designed so only the sender and receiver of communications like messages can see their contents. This boxes out all other parties, from scammers to police and even the company providing the digital platform. Law enforcement advocates often propose creating technical mechanisms through which end-to-end encryption can be bypassed for investigations, but cryptographers and other technologists have long argued that this would introduce weaknesses that inherently undermine end-to-end encryption, putting users’ privacy at risk. Furthermore, they have repeatedly concluded that this expanded exposure would ultimately hurt the digital safety and security of vulnerable groups, including children, rather than defend them.

"Breaking end-to-end encryption for everyone would not only be disproportionate, it would be ineffective of achieving the goal to protect children,” says Iverna McGowan, the secretary general of the European branch of the Centre for Democracy and Technology, a digital rights nonprofit organization, who reviewed the document at WIRED’s request.

The leaked document contains the position of members of the police Law Enforcement Working Party, a group of the Council of the European Union that deals with law enforcement views on legislation. Dated April 12, 2023, the document contains 20 countries’ views on a series of questions, including whether they see end-to-end encryption as a hindrance to their work dealing with child sexual abuse and whether they would favor adding wording to the law to stipulate that encryption shouldn’t be weakened. The questions were first posed in January.

WIRED asked all 20 member states whose views are included in the document for comment. None denied its veracity, and Estonia confirmed that its position was compiled by experts working within related fields and at various ministries.

The document reveals strong support for Johansson’s proposal to scan private end-to-end encrypted communications for illegal content. Of the 20 countries included in the document, 15 expressed support for the idea of scanning end-to-end encrypted communications for CSAM. Many framed this type of scanning as a vital tool that would enable authorities to win the fight against child abuse.

“It is of utmost importance to provide clear wording in the CSA Regulation that end-to-end encryption is not a reason not to report CSA material,” Croatia’s representatives said in the document. “Detection orders must necessarily also apply to encrypted networks,” Slovenia said. “We don’t want E2EE encryption to become a ‘safe haven’ for malicious actors,” Romania added.

Denmark and Ireland expressed support for scanning encrypted messengers for child sexual abuse material while also endorsing the inclusion of wording in the law that protects end-to-end encryption from being weakened. The ability to do this would rely on the invention of technology that can scan encrypted messages for illegal content without altering or breaking the security features offered by encryption—a feat cryptographers and cybersecurity experts have said is technically impossible.

The Netherlands, however, stated that this would be possible through “on-device” scanning before the illegal material is encrypted and sent to its recipient. “There are … technologies which may allow for automatic detection of CSAM while at the same time leaving end-to-end encryption intact,” the country’s representatives stated in the document.

“They want to keep the security of encryption whilst being able to circumvent it,” says Ella Jakubowska, a senior policy advisor at European Digital Rights (EDRI). Jakubowska says she is “unsurprised but nevertheless shocked” to see that European countries have a “really shallow understanding” of encryption. “They want privacy but they also want to indiscriminately scan encrypted communications,” Jakubowska says.

In its response, Spain said it is “imperative that we have access to the data” and suggests that it should be possible for encrypted communications to be decrypted. Spain’s interior minister, Fernando Grande-Marlaska, has been outspoken about what he considers the threat posted by encryption. When reached for comment about the leaked document, Daniel Campos de Diego, a spokesperson for Spain’s Ministry of Interior, says the country’s position on this matter is widely known and has been publicly disseminated on several occasions. Edging close to Spain, Poland advocated in the leaked document for mechanisms through which encryption could be lifted by court order and for parents to have the power to decrypt children’s communications.

Jakubowska, who reviewed the document, says that several countries appear to say they would give police access to people’s encrypted messages and communications. Comments from Cyprus, for example, say it is “necessary” that law enforcement authorities have the ability to access encrypted communications to investigate online sexual abuse crimes and that the “impact of this regulation is significant because it will set a precedent for other sectors in the future.” Similarly, officials in Hungary say “new methods of data interception and access are needed” to help law enforcement.

“Cyprus, Hungary, and Spain very clearly see this law as their opportunity to get inside encryption to undermine encrypted communications, and that to me is huge,” Jakubowska says. “They are seeing this law is going far beyond what DG home is claiming that it’s there for.”

Officials in Belgium said in the document that they believe in the motto “security through encryption and despite encryption.” When approached by WIRED, a spokesperson from Belgium’s Ministry of Foreign Affairs initially shared a statement from the country’s federal police saying its position has evolved since it submitted comments for the document and that Belgium is adopting a position, alongside other “like-minded states,” that it wants encryption weakened. However, half an hour later, the spokesperson attempted to retract the statement, saying the country declined to comment.

Security experts have long said that any potential backdoors into encrypted communications or ways to decrypt services would undermine the overall security of the encryption. If law enforcement officials have a way to decipher messages, criminal hackers or those working on behalf of governments could exploit the same capabilities.

Despite the potential attack on encryption from some countries, many nations also appeared to strongly support end-to-end encryption and the protections it provides. Italy described the proposal for a new system as disproportionate. “It would represent a generalized control on all the encrypted correspondence sent through the web,” the country’s representatives said. Estonia cautioned that if the EU mandates the scanning of end-to-end encrypted messages, companies are likely to either redesign their systems so they can decrypt data or shut down in the EU. Triin Oppi, a spokesperson for Estonia’s Ministry of Foreign Affairs, says the country’s position had not changed.

Finland urged the EU Commission to provide more information about the technologies that can fight child sexual abuse without jeopardizing online security and warned that the proposal could conflict with the Finnish constitution.

Representatives from Germany—a country that has staunchly opposed the proposal—said the draft law needs to explicitly state that no technologies will be used that disrupt, circumvent, or modify encryption. “This means that the draft text must be revised before Germany can accept it,” the country said. Member states need to agree on the text for the draft bill before the negotiations can move forward.

“The responses from countries such as Finland, Estonia, and Germany demonstrate a more comprehensive understanding of the stakes in the CSA regulation discussions,” Stanford’s Pfefferkorn says. “The regulation will not only affect criminal investigations for a specific set of offenses; it affects governments’ own data security, national security, and the privacy and data protection rights of their citizens, as well as innovation and economic development.”

Read the full document below:

Leaked EU Document Shows Spain Wants to Ban End-to-End Encryption

The record-breaking GDPR penalty for data transfers to the US could upend Meta's business and spur regulators to finalize a new data-sharing agreement.

Europe’s GDPR has just dealt its biggest hammer blow yet. Almost exactly five years since the continent’s strict data rules came into force, Meta has been hit with a colossal €1.2 billion fine ($1.3 billion) for sending data about hundreds of millions of Europeans to the United States, where weaker privacy rules open it up to US snooping.

Ireland’s Data Protection Commission (DPC), the lead regulator for Meta in Europe, issued the fine after years of dispute about how data is transferred across the Atlantic. The decision says a complex legal mechanism, used by thousands of businesses for transferring data between the regions, was not lawful.

The fine is the biggest GDPR penalty ever issued, eclipsing Luxembourg's $833 million fine against Amazon. It brings the total amount of fines under the legislation to around €4 billion. However, it’s small change for Meta, which made $28 billion in the first three months of this year.

In addition to the fine, the DPC’s ruling gives Meta five months to stop sending data from Europe to the US and six months to stop handling data it previously collected, which could mean deleting photos, videos, and Facebook posts or moving them back to Europe. The decision is likely to bring into focus other GDPR powers, which can impact how companies handle data and arguably cut to the heart of Big Tech’s surveillance capitalism.

Meta says it is “disappointed” by the decision and will appeal. The decision is also likely to heap extra pressure on US and European negotiators who are scrambling to finalize a long-awaited new data-sharing agreement between the two regions that will limit what information US intelligence agencies can get their hands on. A draft decision was agreed to at the end of 2022, with a potential deal being finalized later this year.

“The entire commercial and trade relationship between the EU and the US underpinned by data exchanges may be affected,” says Gabriela Zanfir-Fortuna, vice president of global privacy at Future of Privacy Forum, a nonprofit think tank. “While this decision is addressed to Meta, it is about facts and situations that are identical for all American companies doing business in Europe offering online services, from payments, to cloud, to social media, to electronic communications, or software used in schools and public administrations.”

**‘Bittersweet Decision’**

The billion-euro fine against Meta has a long history. It stems back to 2013, long before GDPR was in place, when lawyer and privacy activist Max Schrems complained about US intelligence agencies’ ability to access data following the Edward Snowden revelations about the National Security Agency (NSA). Twice since then, Europe’s top courts have struck down US–EU data-sharing systems. The second of these rulings, in 2020, made the Privacy Shield agreement ineffective and also tightened rules around “standard contractual clauses (SSCs).”

The use of SCCs, a legal mechanism for transferring data, is at the center of the Meta case. In 2020, Schrems complained about Meta’s use of them to send data to the US. Today’s Irish decision, which is supported by other European regulators, found Meta’s use of the legal tool “did not address the risks to the fundamental rights and freedoms of data subjects.” In short, they were unlawful.

Ireland first decided the tool fell foul of GDPR in July 2022 and since then, the case has been wrapped up in European bureaucracy, with other countries having a say on the decision and deciding the penalties that should apply. Ultimately, through the European Data Protection Board (EDPB), other countries overruled the Irish regulator, which had argued Meta shouldn’t be fined.

“This is an absolutely significant fine and yet, the penalties may be inconsequential for people's rights as Meta can hold on to data it has moved unlawfully,” says Estelle Masse, the global data protection lead at European NGO Access Now. “It's a bittersweet decision.” Since GDPR came into force in May 2018, it has been criticized for not effectively curtailing the worst data practices of Big Tech. Masse argues that Meta should have been made to delete the data it collected unlawfully, and that GDPR enforcement needs to change companies business practices. (In the US, the Federal Trade Commission fined Meta $5 billion in 2019 and has previously ordered companies to delete algorithms created with improperly collected data.)

The new ruling stops short of forcing Meta to delete the data but says it should ensure that all stored data from Europeans be lawfully handled within six months. This could include deletion or moving the data back to Europe, the EDPB says, but could also include Meta using “other technical solutions.”

“One potential option moving forward would be a 'federated' social network, where European data stays in their data centers in Europe, unless users chat with a US friend, for example,” Schrems said in a statement. Zanfir-Fortuna says that data localization can be “very difficult to obtain in practice.”

It is likely, if Meta decides to move data back to Europe, that untangling it all from within its internal systems will be tricky, if not impossible. Previous reports have indicated that Meta doesn’t know where all its data goes, and court documents obtained by the Irish Council for Civil Liberties are said to show “data anarchy at Meta.”

Meta’s president of global affairs, Nick Clegg, said in a statement that the company is appealing the decisions with courts that will be able to “​​pause the implementation deadlines.” Clegg characterized the decision as a threat to the global internet: “Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on.”

**The Simplest Fix**

Lurking behind the colossal fine is the underlying issue of how data is shared between the EU and the US. Europe’s GDPR sets out how companies and other organizations should collect, use, and store people’s data and also increases the rights given to individuals. People can ask what data is held about them or request that information be deleted, for instance.

The rules are stricter than protections put in place in the US, particularly against data collected about non-US citizens, which can be intercepted by intelligence agencies under Section 702 of the Foreign Intelligence Surveillance Act. In October 2022, US president Joe Biden signed an executive order that would introduce limits to what data security agencies can access under a proposed new EU–US Data Privacy Framework.

In Meta’s response to the GDPR decision, Clegg referenced the new international agreement and said that if it comes into force before the Irish deadlines, “our services can continue as they do today without any disruption or impact on users.”

The executive order would, among other things, create a Data Protection Review Court within the US Department of Justice that allows Europeans to challenge how American intelligence agencies use their data. Gloria González Fuster, a professor at the Vrije Universiteit Brussel, says there are “multiple tensions” between the proposed plans. “The very limited information given to complainants by the Data Protection Review Court (DPRC) is one of the major problems,” Fuster says, adding the approach doesn’t match those of Europe’s courts.

Since two previous data-sharing agreements have been struck down by Europe’s courts, it is likely that the new agreement, which could come into force before Meta has to deal with Ireland’s orders, may be challenged. “The framework from the get-go is an improvement from the two previous, but we don't think it gets us to a point where it would stand a legal challenge in the court,” Masse says.

Schrems, who made the original complaint against Meta and was responsible for the cases that destroyed the previous US–EU data-sharing agreements, believes there’s a 10 percent chance Europe’s courts will find the new agreement to be lawful. “The simplest fix,” Schrems said, “would be reasonable limitations in US surveillance law.”

Meta’s $1.3 Billion Fine Is a Strike Against Surveillance Capitalism

While the company’s new top-level domains could be used in phishing attacks, security researchers are divided on how big of a problem they really pose.

At the beginning of May, Google released eight new top-level domains (TLDs)—the suffixes at the end of URLs, like “.com” or “.uk.” These little addendums were developed decades ago to expand and organize URLs, and over the years, the nonprofit Internet Corporation for Assigned Names and Numbers (ICANN) has loosened restrictions on TLDs so organizations like Google can bid to sell access to more of them. But while Google's announcement included light-hearted offerings like “.dad” and “.nexus,” it also debuted a pair of TLDs that are uniquely poised to invite phishing and other types of online scamming: “.zip” and “.mov”.

The two stand out because they are also common file extension names. The former, .zip, is ubiquitous for data compression, while .mov is a video format developed by Apple. The concern, which is already starting to play out, is that URLs that look like file names will open up even more possibilities for digital scams like phishing that trick web users into clicking on malicious links that are masquerading as something legitimate. And the two domains could also expand the problem of programs mistakenly recognizing file names as URLs and automatically adding links to the file names. With this in mind, scammers could strategically buy .zip and .mov URLs that are also common file names—think, springbreak23.mov—so online references to a file with that name could automatically link to a malicious website.

“Attackers will use whatever they can to get inside an organization,” says Ronnie Tokazowski, a longtime phishing researcher and principal threat adviser at the cybersecurity firm Cofense. “Man, this all goes back a long time now. Nothing has changed.”

Researchers have already started seeing malicious actors buying up strategic .zip URLs and begin testing them in phishing campaigns. But reactions are mixed on how much of a negative impact .zip and .mov domains will have when scams that prey on URL confusion are already an inveterate threat. Additionally, proxies and other traffic management tools already deploy anti-phishing protections to cut down on the risks if users mis-click—and .zip and .mov will simply be incorporated into those defenses.

“The risk of confusion between domain names and file names is not a new one. For example, 3M’s Command products use the domain name command.com, which is also an important program on MS DOS and early versions of Windows,” Google told WIRED in a statement. “Applications have mitigations for this (such as Google Safe Browsing), and these mitigations will hold true for TLD’s such as .zip.” The company added that Google Registry already includes mechanisms to suspend or remove malicious domains across all of the company's top-level domains. “We will continue to monitor the usage of .zip and other TLDs, and if new threats emerge we will take appropriate action to protect users,” the company said.

Offering more TLDs broadens the number of URLs that are available to people. This means you have more choices and don't necessarily have to pay a premium to buy the site name you want from an existing owner or speculator who bought up a bunch of historic URLs. And some in the security community feel that, given the already extensive risk of phishing attacks, additions like .zip and .mov add negligible additional danger.

“I don't agree with the assertion that the new TLDs will increase the effectiveness of phishing in any meaningful way—primarily because people are already so easily fooled by URLs,” says security researcher Troy Hunt, who runs the breach-tracking service HaveIBeenPwned. “Not only can we, myself included, not tell the difference between so many ambiguous characters, we also usually have no idea what the correct URL is for many services. I bet you this all blows over before you know it with no incidents of consequence.”

Some researchers feel strongly, though, that a company like Google, which invests so much in anti-scam and anti-phishing work, could have simply opted not to offer these particular TLDs. Even if other top-level domains exist that are also file extensions, they argue that the world doesn't need more of these overlaps.

“Nobody said this was new. In fact, half the issue is that it’s not new,” says security researcher Marcus Hutchins. “We’ve had this issue in the past, and Google has just gone and caused the same problem again. It really seems like they created a big usability and security issue for downstream providers to clean up, all for no reason other than a low-effort money grab.”

The Real Risks in Google’s New .Zip and .Mov Domains

Plus: The FBI gets busted abusing a spy tool, an ex-Apple engineer is charged with corporate espionage, and collection of airborne DNA raises new privacy risks.

OpenAI’s new ChatGPT app for iOS couldn’t have arrived soon enough. Its absence left open a void in Google Play and Apple’s App Store, which have been quietly filling with scam apps that sucker users into paying for weekly or monthly subscriptions, according to research from security firm Sophos. The official ChatGPT app, meanwhile, is free, and an Android version is arriving soon.

But just because something is free doesn’t make it good. Telly TV is offering 55-inch televisions for $0 to the first 500,000 people who join its reservation list. Of course, “free” comes with a catch: The company reserves the right to collect heaps of data about your viewing habits, and the TV includes a built-in camera that can track your movements. Oh, and it has a second screen primarily for bombarding you with ads. But hey, nothing beats free, right?

Elsewhere in the world of tech that has people freaked out, Montana this week became the first state in the US to ban TikTok. The ban, which goes into effect in 2024, is already facing legal challenges on the grounds that it violates TikTok users’ First Amendment rights. Even if the ban remains, getting around it is trivial—just use a VPN.

The families of four people killed in a racism-fueled mass shooting at a grocery store in Buffalo, New York, are suing a slew of companies the plaintiffs say bear some responsibility for the massacre. The companies include Meta, Alphabet, Amazon, Snap, Reddit, and 4chan. Also on the list of defendants is Good Smile, a Japanese toy company that in 2015 purchased a 30 percent stake in 4chan, where the gunman sought advice on how to carry out his attack.

The United States Postal Service doesn’t just deliver mail—it also carries out warrantless mass surveillance. A bipartisan group of US senators this week launched an effort to curb the use of so-called mail covers, which USPS investigators use to gather the information on the outside of letters and packages. The senators say the practice, which does not require a court order, “threatens both our privacy and First Amendment rights.” 

In the UK, the government is working to expand a controversial surveillance program that collects web histories and other “internet connection records” on millions of people. The program began after the 2016 passage of the Investigatory Powers Act, often called the Snooper’s Charter by privacy advocates and other critics. Records show that the program appears to be moving out of its trial phase and may be rolled out nationally. 

Meanwhile, researchers at security firm Kaspersky released new details about a mysterious hacker group that has carried out operations in Ukraine for far longer than people realized. Dubbed Red Stinger by researchers at Malwarebytes, the group has targeted both pro-Ukraine and pro-Russian figures as part of apparent espionage operations. Initially linked to hacks dating back to 2020, researchers now believe Red Stinger has been active for at least 15 years.

But wait, there’s more. Each week we round up the security stories we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

Most TikTok challenges you hear about are fake. This one, however, is deadly serious. Automaker Huyandai this week agreed to pay around $200 million to customers whose vehicles were stolen following a viral TikTok challenge that exposed a major security flaw in some Hyundai and Kia vehicles. 

The challenge began after the user “Kia Boys” posted a video to TikTok showing that it was possible to hot-wire the vulnerable vehicles using a USB cable. According to Engadget, at least 14 crashes and eight deaths have been linked to the challenge. Hyundai will pay affected customers up to $6,125 for stolen vehicles and up to $3,375 to cover the cost of damage caused by those who took advantage of the flaw. The company also has an “anti-theft update” available for affected vehicles. Check to see if your vehicle is impacted here.

The US Foreign Intelligence Surveillance Court yesterday unsealed an April 2022 opinion that exposes rampant FBI misuse of the so-called Section 702 database, a vast trove of electronic communication records used by the bureau and the National Security Agency. The court found that the FBI improperly queried the database, established under Section 702 of the Foreign Intelligence Surveillance Act, more than 287,000 times in 2020 and 2021. Targets of the FBI’s searches include January 6 demonstrators, people arrested while protesting the police murder of George Floyd in Minneapolis, and some 19,000 American political donors to an unidentified US congressional campaign. 

Section 702 gives the US government the authority to collect communications of targets overseas. Communications of Americans can get swept into the database when they communicate with someone outside the US. An audit released by the Office of the Director of National Intelligence late last year found several similar instances of the FBI misusing the Section 702 database to perform searches on American citizens, including US congressman Darin LaHood. Following both the ODNI audit and this week’s release of the court’s opinion, the FBI says the abuse was the result of a “misunderstanding” and vowed that it has fixed the problem. Regardless, Section 702 will expire at the end of the year without reauthorization from Congress, which the FBI’s repeated and widespread misuse could jeopardize.

The US Department of Justice on Tuesday announced charges against a former Apple engineer accused of stealing the company’s source code related to its self-driving-car technology. Weibao Wang allegedly stole the “sensitive” documents in the final days of his employment at Apple in April 2018. Wang left Apple five months after he signed an agreement to work for a US-based subsidiary of a company headquartered in China, according to the Justice Department. After US law enforcement searched his Mountain View, California, home in June 2018, 35-year-old Wang fled to China, the Justice Department says. If convicted, Wang faces up to 10 years in prison plus fines.

Everyone knows how much data can be collected about you anytime you’re online. But a bigger concern may be what someone can collect about you anytime you’re anywhere. That’s the warning in a new research paper, which found that it’s possible to collect “environmental DNA”—traces of genetic material floating in the air or liquids, also called eDNA—that can be linked to a person’s medical or ancestral details. Legal experts who spoke to the _The New York Times_ warn that if police or other government authorities begin collecting eDNA, as scientists studying animals have done for a decade, it could create widespread privacy and civil liberties abuses.

A TikTok ‘Car Theft’ Challenge Is Costing Hyundai $200 Million

From USB worms to satellite-based hacking, Russia’s FSB hackers, known as Turla, have spent 25 years distinguishing themselves as “adversary number one.”

Ask Western cybersecurity intelligence analysts who their "favorite" group of foreign state-sponsored hackers is—the adversary they can't help but grudgingly admire and obsessively study—and most won't name any of the multitudes of hacking groups working on behalf of China or North Korea. Not China's APT41, with its brazen sprees of supply chain attacks, nor the North Korean Lazarus hackers who pull off massive cryptocurrency heists. Most won't even point to Russia's notorious Sandworm hacker group, despite the military unit's unprecedented blackout cyberattacks against power grids or destructive self-replicating code.

Instead, connoisseurs of computer intrusion tend to name a far more subtle team of cyberspies that, in various forms, has silently penetrated networks across the West for far longer than any other: a group known as Turla.

Last week, the US Justice Department and the FBI announced that they had dismantled an operation by Turla—also known by names like Venomous Bear and Waterbug—that had infected computers in more than 50 countries with a piece of malware known as Snake, which the US agencies described as the "premiere espionage tool" of Russia's FSB intelligence agency. By infiltrating Turla's network of hacked machines and sending the malware a command to delete itself, the US government dealt a serious setback to Turla's global spying campaigns.

But in its announcement—and in court documents filed to carry out the operation—the FBI and DOJ went further, and officially confirmed for the first time the reporting from a group of German journalists last year which revealed that Turla works for the FSB's Center 16 group in Ryazan, outside Moscow. It also hinted at Turla's incredible longevity as a top cyberspying outfit: An affidavit filed by the FBI states that Turla's Snake malware had been in use for nearly 20 years.

In fact, Turla has arguably been operating for at least 25 years, says Thomas Rid, a professor of strategic studies and cybersecurity historian at Johns Hopkins University. He points to evidence that it was Turla—or at least a kind of proto-Turla that would become the group we know today—that carried out the first-ever cyberspying operation by an intelligence agency targeting the US, a multiyear hacking campaign known as Moonlight Maze.

Given that history, the group will absolutely be back, says Rid, even after the FBI's latest disruption of its toolkit. “Turla is really the quintessential APT,” says Rid, using the abbreviation for “advanced persistent threat,” a term the cybersecurity industry uses for elite state-sponsored hacking groups. “Its tooling is very sophisticated, it’s stealthy, and it’s persistent. A quarter-century speaks for itself. Really, it’s adversary number one.”

Throughout its history, Turla has repeatedly disappeared into the shadows for years, only to reappear inside well-protected networks including those of the US Pentagon, defense contractors, and European government agencies. But even more than its longevity, it's Turla's constantly evolving technical ingenuity—from USB worms, to satellite-based hacking, to hijacking other hackers' infrastructure—that's distinguished it over those 25 years, says Juan Andres Guerrero-Saade, a principal threat researcher at the security firm SentinelOne. “You look at Turla, and there are multiple phases where, oh my god, they did this amazing thing, they pioneered this other thing, they tried some clever technique that no one had done before and scaled it and implemented it,” says Guerrero-Saade. “They're both innovative and pragmatic, and it makes them a very special APT group to track.”

Here's a brief history of Turla's two-and-a-half decades of elite digital spying, stretching back to the very beginning of the state-sponsored espionage arms race.

1996: Moonlight Maze

By the time the Pentagon began investigating a series of intrusions of US government systems as a single, sprawling espionage operation, it had been going on for at least two years and was siphoning American secrets on a massive scale. In 1998, federal investigators discovered that a mysterious group of hackers had been prowling the networked computers of the US Navy and Air Force, as well as those of NASA, the Department of Energy, the Environment Protection Agency, the National Oceanic and Atmospheric Administration, a handful of US universities, and many others. One estimate would compare the hackers' total haul to a stack of papers three times the height of the Washington Monument.

From early on, counterintelligence analysts believed that the hackers were Russian in origin, based on their real-time monitoring of the hacking campaign and the types of documents they targeted, says Bob Gourley, a former US Defense Department intelligence officer who worked on the investigation. Gourley says that it was the hackers’ apparent organization and persistence that made the most lasting impression on him. “They’d reach a wall, and then someone with different skills and patterns would take over and break through that wall,” Gourley says. “This was not just a couple of kids. This was a well-resourced, state-sponsored organization. It was the first time, really, where a nation-state was doing this.”

Investigators found that when the Moonlight Maze hackers—a codename given to them by the FBI—exfiltrated data from their victims' systems, they used a customized version of a tool called Loki2, and would continually tweak that piece of code over the years. In 2016, a team of researchers including Rid and Guerrero-Saade would cite that tool and its evolution as evidence that Moonlight Maze was in fact the work of an ancestor of Turla: They pointed to cases where Turla's hackers had used a unique, similarly customized version of Loki2 in its targeting of Linux-based systems fully two decades later.

2008: Agent.btz

Ten years after Moonlight Maze, Turla shocked the Defense Department again. The NSA discovered in 2008 that a piece of malware was beaconing out from inside the classified network of the DOD's US Central Command. That network was “air-gapped”—physically isolated such that it had no connections to internet-connected networks. And yet someone had infected it with a piece of self-spreading malicious code, which had already copied itself to an untold number of machines. Nothing like it had ever been seen before on US systems.

The NSA came to believe that the code, which would later be dubbed Agent.btz by researchers at the Finnish cybersecurity firm F-Secure, had spread from USB thumb drives that someone had plugged into PCs on the air-gapped network. Exactly how the infected USB sticks got into the hands of DOD employees and penetrated the US military's digital inner sanctum has never been discovered, though some analysts speculated they may have simply been scattered in a parking lot and picked up by unsuspecting staffers.

The Agent.btz breach of Pentagon networks was pervasive enough that it sparked a multiyear initiative to revamp US military cybersecurity, a project called Buckshot Yankee. It also led to the creation of US Cyber Command, a sister organization of the NSA tasked with protecting DOD networks that today also serves as the home of the country's most cyberwar-oriented hackers.

Years later, in 2014, researchers at the Russian cybersecurity firm Kaspersky would point to technical connections between Agent.btz and Turla's malware that would come to be known as Snake. The espionage malware—which Kaspersky at the time called Uroburos, or simply Turla—used the same file names for its log files and some of the same private keys for encryption as Agent.btz, the first clues that the notorious USB worm had in fact been a Turla creation.

2015: Satellite Command-and-Control

By the mid-2010s, Turla was already known to have hacked into computer networks in dozens of countries around the world, often leaving a version of its Snake malware on victims' machines. It was revealed in 2014 to be using “watering-hole” attacks, which plant malware on websites with the goal of infecting their visitors. But in 2015, researchers at Kaspersky uncovered a Turla technique that would go much further toward cementing the group's reputation for sophistication and stealth: hijacking satellite communications to essentially steal victims' data via outer space.

In September of that year, Kaspersky researcher Stefan Tanase revealed that Turla's malware communicated with its command-and-control servers—the machines that send commands to infected computers and receive their stolen data—via hijacked satellite internet connections. As Tanase described it, Turla's hackers would spoof the IP address for a real satellite internet subscriber on a command-and-control server set up somewhere in the same region as that subscriber. Then they would send their stolen data from hacked computers to that IP so that it would be sent via satellite to the subscriber, but in a way that would cause it to be blocked by the recipient's firewall.

Because the satellite was broadcasting the data from the sky to the entire region, however, an antenna connected to Turla's command-and-control server would also be able to pick it up—and no one tracking Turla would have any way of knowing where in the region that computer might be located. The entire, brilliantly tough-to-trace system cost less than $1,000 a year to run, according to Tanase. He described it in a blog post as “exquisite.”

2019: Piggybacking on Iran

Plenty of hackers use “false flags,” deploying the tools or techniques of another hacker group to throw investigators off their trail. In 2019, the NSA, the Cybersecurity and Infrastructure Security Agency (CISA), and the UK's National Cybersecurity Center warned that Turla had gone much further: It had silently taken over another hacker group's infrastructure to commandeer their entire spying operation.

In a joint advisory, the US and UK agencies revealed that they'd seen Turla not only deploy malware used by an Iranian group known as APT34 (or Oilrig) to sow confusion, but that Turla had also managed to hijack the command-and-control of the Iranians in some cases, gaining the ability to intercept data that the Iranian hackers had been stealing and even sending their own commands to the victim computers the Iranians had hacked.

Those tricks significantly raised the bar for analysts seeking to pin any intrusion on a particular group of hackers, when in fact Turla or a similarly devious group might have been secretly pulling puppet strings from the shadows. “Avoid possible misattribution by being vigilant when examining activity that appears to originate from the Iranian APT,” the CISA advisory warned at the time. “It may be the Turla group in disguise.”

2022: Hijacking a Botnet

Cybersecurity firm Mandiant reported earlier this year that it had spotted Turla carrying out a different variant of that hacker-hijacking trick, this time taking over a cybercriminal botnet to sift through its victims.

In September 2022, Mandiant found that a user on a network in Ukraine had plugged a USB drive into their machine and infected it with the malware known as Andromeda, a decade-old banking trojan. But when Mandiant looked more closely, they found that that malware had subsequently downloaded and installed two tools Mandiant had previously tied to Turla. The Russian spies, Mandiant discovered, had registered expired domains that Andromeda's original cybercriminal administrators had used to control its malware, gaining the ability to control those infections, and then searched through hundreds of them for ones that might be of interest for espionage.

That clever hack had all the hallmarks of Turla: the use of USB drives to infect victims, as it had done with Agent.btz in 2008, but now combined with the trick of hijacking a different hacker group's USB malware to commandeer their control, as Turla had done with Iranian hackers a few years earlier. But researchers at Kaspersky nonetheless warned that the two tools found on the Ukrainian network that Mandiant had used to tie the operation to Turla may actually be signs of a different group it calls Tomiris—perhaps a sign that Turla shares tooling with another Russian state group, or that it's now evolving into multiple teams of hackers.

2023: Beheaded By Perseus

Last week, the FBI announced that it had struck back against Turla. By exploiting a weakness in the encryption used in Turla's Snake malware and remnants of code that the FBI had studied from infected machines, the bureau announced it had learned to not only identify computers infected with Snake, but also send a command to those machines that the malware would interpret as an instruction to delete itself. Using a tool it had developed, called Perseus, it had purged Snake from victims' machines around the world. Along with CISA, the FBI also released an advisory that details how Turla's Snake sends data through its own versions of the HTTP and TCP protocols to hide its communications with other Snake-infected machines and Turla's command-and-control servers.

That disruption will no doubt undo years of work for Turla's hackers, who have been using Snake to steal data from victims around the world since as early as 2003, even before the Pentagon discovered Agent.btz. The malware's ability to send well-concealed data covertly between victims in a peer-to-peer network made it a key tool for Turla's espionage operations.

But no one should deceive themselves that dismantling the Snake network—even if the malware could be wholly eradicated—would mean the end of one of Russia's most resilient hacker groups. “This is one of the best actors out there, and there’s no doubt in my mind that the cat-and-mouse game continues,” says Rid, of Johns Hopkins. “More than anyone else, they have a history of evolving. When you shine a light on their operations and tactics and techniques, they evolve and retool and try to become more stealthy again. That’s the historical pattern that began in the 1990s.”

“For them, those gaps in your timeline are a feature,” Rid adds, pointing to the sometimes-yearslong stretches when Turla's hacking techniques largely stayed out of news stories and security researchers' papers.

As for Gourley, who hunted Turla 25 years ago as an intelligence officer in the midst of Moonlight Maze, he applauds the FBI’s operation. But he also warns that killing some Snake infections is very different from defeating Russia’s oldest cyberspying team. “This is an infinite game. If they’re not already back in those systems, they will be soon,” Gourley says. “They’re not going away. This is not the end of cyberespionage history. They will definitely, definitely be back.”

The Underground History of Turla, Russia's Most Ingenious Hacker Group

Montana’s TikTok ban will be impossible to enforce. But it could encourage copycat crackdowns against the social media app.

Montana’s TikTok ban is a technological nightmare. Experts warn it will be incredibly difficult for officials to enforce and incredibly easy for almost anyone to get around. But more than that, it’s a move that undermines America’s history of fostering an open, democratic internet.

The law, which comes into effect at the start of 2024, will both block TikTok from mobile app stores in Montana while also banning TikTok from operating in the state. It’s a move that brings with it a host of First Amendment concerns, and may never be enacted if legal challenges block it. But, if it does go ahead, experts warn it is likely to be a mess.

“From a technical perspective, even if this was a national law, there would be challenges to try to make this work,” says John Morris, principal, US internet policy and advocacy at the Internet Society, a nonprofit that promotes an open internet. But because people can use VPNs to change their browsing location, it’s even harder to ensure a local ban will work. “State boundaries are not something that’s built into the internet.” 

The new law is the first on the books following years of anxiety in the US around TikTok as a national security risk. That perceived threat looms because TikTok’s parent company, ByteDance, is Chinese-owned. TikTok has also become one of the most popular apps in the world, with 150 million users in the US alone. 

The Montana law calls for $10,000 penalties to be levied on mobile app stores when they allow people to download or use TikTok. TikTok could also be fined for operating in the state. The fines would not apply to people who download the app. 

The US has historically advocated for an open internet and criticized countries that censor online access. China is successful in its mass censorship because of its Great Firewall—a system unlike anything in the US, and one that Montana could not build for itself. Other countries, including Indonesia and Pakistan, have banned TikTok and then rescinded the blocks. India’s TikTok ban, introduced in June 2020, is still in place. Montana, along with other states, and the US federal government have blocked TikTok from government devices, but geoblocking from specific regions within the US would prove much harder.

An older version of the Montana bill would have forced internet services providers to block TikTok in the state. But ISPs said it would be impossible to do so, and the requirement was removed. Mobile app providers like Apple and Google did not respond to requests for comment. And while Montana has now passed the law banning TikTok, it remains to be seen how it plans to do so.

Montana officials have suggested tech that restricts online sports gambling, which remains illegal in more than a dozen US states, could be employed to boot TikTok out of its borders. If anyone reports a violation, officials would investigate it, and if a breach was verified, cease-and-desist letters would be sent to the companies, the state attorney general’s office told the Associated Press. 

Such blocks are regularly circumvented using VPNs. And VPNs have their own security issues—people who use them can become targets for hackers. Some VPNs also keep logs of user data, which can be accessed by law enforcement with subpoenas. 

But there’s no way for TikTok to know whether people are using VPNs within Montana to access the social network, which makes this law “very complicated,” and “very difficult to enforce” if TikTok is the liable party rather than the service provider, says Kevin Du, a professor of electrical engineering and computer science at Syracuse University. 

In response to the ban, TikTok said it would “continue working to defend the rights” of users inside and outside Montana. The company has also called the ban unlawful. The law was also criticized by the American Civil Liberties Union, which says it violates “free speech rights under the guise of national security and lays the groundwork for excessive government control over the internet.” TikTok creators, who are often semipublic figures, have already sued the state of Montana, claiming the new law violates free speech rights.  

It might make up a tiny slice of TikTok’s global user base, but if Montana’s ban stands, it could influence legislation in other US states. A nationwide ban remains both complex and unlikely.

Source

Wired