A 500-page document reviewed by WIRED shows that Corellium engaged with several controversial companies, including spyware maker NSO Group.

Corellium, a cybersecurity startup that sells phone-virtualization software for catching security bugs, offered or sold its tools to controversial government spyware and hacking-tool makers in Israel, the United Arab Emirates, and Russia, and to a cybersecurity firm with potential ties to the Chinese government, according to a leaked document reviewed by WIRED that contains internal company communications.

The 507-page document, apparently prepared by Apple with the goal of using it in the company’s 2019 copyright lawsuit against Corellium, shows that the security firm, whose software lets users perform security analysis using virtual versions of Apple’s iOS and Google’s Android, has dealt with companies that have a track record of selling their tools to repressive regimes and countries with poor human rights records.

According to the leaked document, Corellium in 2019 offered a trial of its product to NSO Group, whose customers have for years been caught using its Pegasus spyware against dissidents, journalists, and human rights defenders. Similarly, Corellium’s sales staff offered to provide a quote to purchase its software to DarkMatter, a now-shuttered cybersecurity company with ties with the UAE government that hired several former US intelligence members who reportedly helped it spy on human rights activists and journalists. 

In correspondence with WIRED, Corellium says NSO Group and Dark Matter had access to “a limited time/limited functionality trial version of Corellium's software” and that both were later denied requests to purchase the full version following its vetting process. 

For years Corellium has painted itself as a crucial defender against software bugs on Android and iOS. But the leaked document shows that Corellium worked with several companies that use bugs and exploits to hack into cell phones, as opposed to helping Google and Apple patch vulnerabilities.

The document includes emails between Corellium staff and customers or potential customers, including NSO Group and DarkMatter. The document is not public and is being reported on for the first time here. 

“As one of our early beta requesters, we’re delighted to extend you and your team at NSO Group an exclusive invitation to try Corellium, the world’s first and only mobile device virtualization platform. We think you’ll really enjoy the advanced mobile security research tools we have to offer,” reads a March 26, 2019, email between Correllium’s support staff and an NSO Group employee. “Your free trial will last until April 9. Trial accounts are limited, but if you need more time, or if you prefer to start your trial at a different time, just let us know.”

In the case of DarkMatter, the document includes an email exchange between a company employee and a Corellium sales email address. The emails are not dated, but they apparently reference a 2019 training on how to use the platform that Corellium offered potential customers at the cybersecurity conference Black Hat.

“I was a trainer at Blackhat last year where you guys had provided us access to the portal for a few days and I was very impressed with the amount of features it had,” the DarkMatter employee wrote. “We are interested in purchasing it. Can you guys provide us a quote for all the available options that you have?”

“We’re so glad to hear that you enjoyed using Corellium at Blackhat, and we actually have DarkMatter on our list of teams to reach out to regarding availability,” an unnamed Corellium employee responded. “We’d be more than happy to provide you a quote with all the options checked.”

Also in 2019, according to the document, Corellium sold its software to Paragon, a little-known company that has since been reported to be a provider of government surveillance technology. Corellium also licensed its software to a company called Pwnzen Infotech, whose founders were part of Pangu Team, a well-known Chinese group of elite iOS and iPhone hackers. A Pwnzen sales representative told Reuters in 2019, when Pwnzen was already a Corellium customer, that the company helped hack the phone of a person suspected of “subverting the government” in China. 

“There are a number of ties between Pwnzen and the People’s Republic of China’s government that are cause for concern,” says Dakota Cary, a consultant at Krebs Stamos Group who has written several reports about cybersecurity in China. “Bolstering Pwnzen’s hacking capabilities likely occurred at the detriment to US security interests,” he added, explaining that the company’s improved capabilities could have provided the Chinese government with better tools to hack targets inside and outside of the country, including the US.

Also, as of today, Corellium counts Russian iPhone hacking company Elcomsoft as a customer. And in 2019, Corellium sold to Elcomsoft’s Israeli competitor Cellebrite, a firm that helps law enforcement unlock iPhones and access the data stored within. Cellebrite has reportedly sold its phone-hacking products to countries such as China, Saudi Arabia, and Bahrain, among others. 

Corellium did not dispute the legitimacy of the document, but it also did not respond to a series of questions about its contents. Instead, Corellium CEO Amanda Gorton shared a draft of a blog post in which the company says it offered trials to NSO Group and DarkMatter but denied that the two companies became customers. 

“We’ve had opportunities to profit from these bad actors and have chosen not to,” the blog post reads. It further explains that Corellium restricts sales of its cloud product to “fewer than sixty countries” and has a “block list” of organizations.

Corellium didn’t specify the 60 countries, nor did it answer specific questions about Paragon, Pwnzen, Cellebrite, or Elcomsoft. The company wrote in the blog post that as the sales process goes on, the vetting gets “more intensive.” According to the blog post, that means Corellium asks about the customer’s use case, consults with “trusted contacts in the security community, including contacts at various US government agencies,” and looks at the potential customer’s online presence and investigates its “ownership, corporate structure, and employees.”

Apple did not respond to a request for comment, nor did NSO Group, Cellebrite, or Pwnzen. XiaBo Chen, who identifies as the founder of Pwnzen on LinkedIn, did not respond to multiple requests for comment. After the controversy surrounding DarkMatter’s role in targeting activists and journalists, the company reportedly rebranded to Digital14 in 2019, then to CPX in 2021. Digital14 and CPX did not respond to requests for comment.

Idan Nurick, the CEO and cofounder at Paragon, says that “as a matter of principle, Paragon maintains the confidentiality of its clients, as well as technology providers, and the company does not disclose any information pertaining to these entities.”

Vladimir Katalov, the CEO, cofounder, and co-owner of Elcomsoft, confirmed that his company is a Corellium customer. 

‘Puzzling’ Claims

The leaked document, prepared in 2021, according to an included timeline, mirrors Apple’s arguments against Corellium, which it accused of violating its copyright and the Digital Millennium Copyright Act by re-creating a virtual version of iOS. While Apple has never publicly presented the evidence that’s contained in the document against Corellium, the tech giant accused Corellium in its lawsuit of helping researchers develop zero-day exploits and spyware for governments around the world, hinting that this was one of the main reasons it didn’t approve of Corellium’s practices, apart from alleged copyright infringement.

“Although Corellium paints itself as providing a research tool for those trying to discover security vulnerabilities and other flaws in Apple’s software, Corellium’s true goal is profiting off its blatant infringement,” Apple said in the complaint. “Far from assisting in fixing vulnerabilities, Corellium encourages its users to sell any discovered information on the open market to the highest bidder.”

Corellium has forcefully defended itself against Apple’s claims, saying it sells to “well-known and well-respected financial institutions, government agencies, and security researchers” who use their product for legitimate purposes.

In December 2020, when he dismissed Apple’s copyright infringement claims, US District Judge Rodney Smith, of the Southern District of Florida, sided with Corellium, writing in the order on the parties’ motions for summary judgment that “Apple’s position is puzzling, if not disingenuous.”

“As for Apple’s contention that Corellium sells its product indiscriminately, that statement is belied by the evidence in the record that the company has a vetting process in place (even if not perfect) and, in the past, has exercised its discretion to withhold the Corellium Product from those it suspects may use the product for nefarious purposes,” the judge wrote. “Having reviewed the evidence, the Court does not find a lack of good faith and fair dealing.”

The case took an unexpected turn in August 2021, when Apple and Corellium settled out of court. (The terms of the deal were confidential.) Then, days later, the tech giant filed an appeal, keeping its case against Corellium alive.

Bad Reputations

Even in 2019, NSO Group and DarkMatter had poor reputations in the world of cybersecurity. At the time, there had already been several examples of abuse of NSO Group’s Pegasus spyware, particularly against journalists in Mexico. Ronald Deibert, the director of the Citizen Lab, a digital rights watchdog housed at the University of Toronto's Munk School that has investigated companies like NSO Group for years, said in March 2019 that there was a “mountain of evidence that NSO Group’s surveillance technology is being abused by its clients, and the company is either unwilling or unable to perform the type of due diligence to prevent that from happening.” 

Both Apple and Microsoft have called NSO Group “21st-century mercenaries.”

Gorton has publicly denied selling Corellium’s products to DarkMatter and NSO Group and said Corellium does not sell to companies in the Middle East.

“We have definitely rejected customers who have approached us. I’m sure you can imagine DarkMatter, NSO Group have all reached out and we just politely declined, we don’t sell to that region,” she said during a November 2021 interview with the _Decipher_ podcast. 

In the interview, she sold her company’s mission as positive and uncontroversial, saying that Corellium can be used to help researchers find bugs and report them to companies like Apple, something that companies like NSO Group, DarkMatter, Paragon, Pwnzen, Cellebrite, and Elcomsoft don’t do. Gorton added that hunting for security bugs is “kind of exactly what we wanted to see the platform used for.”

In the past, other Corellium executives and founders have repeatedly downplayed the possibility that bad actors could use its software. When asked whether he was worried that Corellium customers could use the product to find bugs and develop exploits that would then be used by governments, David Wang, one of the company’s cofounders, told _Forbes_ in 2018 that the company would be “selective in who we choose to do business with.” 

Wang did not respond to WIRED’s request for comment. 

In the podcast interview, Gorton has also fielded questions about how Corellium vets its customers to avoid selling to bad actors and that the company takes this process “very seriously,” selling only in the Asia-Pacific, European Union, and North America regions, and researching companies they don’t recognize. “We err on the side of caution,” she said.

The leaked document includes a 2021 email from Steve Dyer, the vice president of sales and business development at Corellium, to Gorton. In the email, Dyer explains the process for vetting “current and future cloud customers” as they submit requests for trials online. Part of the process, Dyer wrote, is to check that the companies are not from countries sanctioned by the US government, such as North Korea, Sudan, Syria, and Russia. (While Elcomsoft is headquartered in Russia, the company is not sanctioned by the US government.) 

“China has been added to the list for auto-denied trials,” Dyer wrote. 

Last year, the US government added NSO Group to a federal blocklist, preventing any US companies and individuals from doing business with the spyware company. In correspondence with WIRED, Corellium said it voluntarily refused to sell its software to NSO Group “more than two years before the United States Department of Commerce placed NSO Group on its Entity List.”

Nevertheless, Corellium’s engagement with these controversial companies may change the cybersecurity community’s view that Apple’s lawsuit is a case of an entitled tech giant going after a scrappy startup with an innovative product that it doesn’t like. 

John Scott-Railton, a senior researcher at the Citizen Lab, says the Corellium sales department’s outreach to NSO Group and DarkMatter is “a potentially cynical act” given the nature of those companies. “At that point, Corellium and everyone else knew exactly who NSO Group was and what they would do with that kind of technology and the people that would inevitably be harmed,” Scott-Railton says. “It raises questions about their ethics, their judgment, or both.”

Zach Edwards, an independent privacy and security researcher, says that “sensitive technology cannot be haphazardly sold to any company, in any country in the world.”

“While Corellium is a reverse-engineering tool that doesn't intrinsically create risks through its sale, the core purpose of the tool is to reverse malware,” Edwards says. “And if you sell the product to malware developers in countries averse to Western interests, we should assume that this tool will be used to improve malware.”

A person who tried Corellium in the past, who asked to remain anonymous because they were not allowed to speak to the press, says that “given what’s happening in the world today, you shouldn’t be dealing with Russian companies,” such as Elcomsoft. 

Elcomsoft’s CEO Katalov says that “the decision to work with a company based in Russia is a personal choice.”

“Please rest assured that we still strive to provide the best software and services, and trying to keep good relationships with our customers all over the world,” he adds. “We will just keep doing our job, making the world a safer place and battling the crime.”

Adrian Sanabria, a cybersecurity veteran, says that it’s not surprising that “groups interested in creating iOS exploits would be using a platform designed for iOS security research.” 

“For me, the core takeaway is that Apple created the need for platforms like Corellium by not providing the tools, access, and transparency the market needs and desires,” he says.

Danger Zones

Some of the organizations and companies linked to Corellium in the document come from countries seen as controversial by most people in the cybersecurity community in the West, including Alex Stamos, who acted as an expert witness for Corellium in the lawsuit against Apple.  

“I personally don’t believe it would be ethical to sell exploits to Saudi Arabia,” Stamos, the director of Stanford University’s Internet Observatory, said during testimony he provided in the lawsuit between Apple and Corellium, which is quoted in the document.  

Stamos also expressed doubts about selling products to the United Arab Emirates, whose government had a close relationship with DarkMatter. “The UAE has been shown to use malware and exploits to spy on journalists and suppress local dissent,” Stamos said. 

In response to the document’s revelations, Stamos says he doesn’t think “it's appropriate for Apple to use copyright law to try to stop security research, and I don't think it's responsible for Corellium to offer their product to companies known to create malicious software for authoritarian states.”

The document also includes the logos of alleged Corellium customers and companies linked to it. As well as the companies previously mentioned, the document includes the logo of Azimuth, a provider of advanced hacking tools to the intelligence and law enforcement agencies of the so-called Five Eyes. Other logos include the Centre for Strategic Infocomm Technologies of Singapore, or CSIT, as well as the logo of an academic institution in Saudi Arabia called the Center of Excellence in Information Assurance (COEIA), housed at the King Saud University. 

CSIT executives did not respond to a request for comment. Other than the logo of the COEIA, the document also shows a 2019 email titled “invitation to Corellium” sent to the organization. The COEIA did not respond to a request for comment.

The legal battle between Apple and Corellium is ongoing. Late last month, the two companies appeared at a hearing before the Eleventh Circuit of the US Court of Appeals in Florida. Apple’s lawyer, Melissa Sherry, argued that Corellium’s product is just a slightly tweaked version of iOS that’s not transformative enough not to be fair use. Corellium attorney Kevin Russell said the product helps users “shed light on the functionality of the Apple operating system” and is, therefore, fair use.

“I don't think there's a genuine dispute that the purpose of the product is to explore the unprotected functionality of the system's software,” he said. “What people do with that knowledge is the subject of another statute.”

A Leak Details Apple's Secret Dirt on Corellium, a Trusted Security Startup

Plus: Google’s location snooping ends in a $391 million settlement, Russian code sneaks into US government apps, and the World Cup apps set off alarms.

It was a truly wild week in the tech industry as new details emerged about the FTX cryptocurrency exchange's collapse and Elon Musk drove an ever-increasing number of Twitter employees out of the company. Cryptocurrency tracers have been scrambling to understand what happened to nearly half a billion dollars worth of cryptocurrency that was pulled out of FTX last weekend. It seems that some of it may have been seized by government authorities in the Bahamas, but the mystery is still unraveling. 

Meanwhile, the wheels have increasingly been coming off the bus at Twitter. Earlier this week, for example, some users weren't receiving vital two-factor authentication codes sent over SMS, and it's unclear whether the problem has been fully resolved. With its staffing shortages and so much upheaval, we took a look at what the impacts would be if Twitter suffered a massive data breach or another major security attack in this precarious moment.

New research indicates that telehealth sites too often put addiction patient data at risk, with tracking tech lurking on substance-abuse-focused websites. And we've got part four in the series “The Hunt for the Dark Web’s Biggest Kingpin,” which chronicles the rise and fall of dark web marketplace AlphaBay. This installment tells how law enforcement agents in the Dutch National High-Tech Crime Unit took over and ran the dark web marketplace Hansa and follows US and Thai police as they were closing in on AlphaBay's kingpin, Alpha02, on the brink of attempting a dramatic arrest.

But wait, there’s more! Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

A significant hack-and-leak operation in Moldova has released alleged Telegram correspondence of at least two politicians, leading to scandal and allegations of corruption. The site, called “Moldova Leaks,” has also threatened to release more data on government officials and politicians. The site published alleged messages from Moldova's minister of justice, Sergiu Litvinenco, and defense and national security adviser to the president Dorin Recean in the past two weeks. Some of the conversations imply that other Moldovan officials have won rigged elections or have been installed improperly in their positions, and the leaks particularly seem targeted at undermining anti-corruption officials. Moldova's pro-Russian political opposition has been quick to spread allegations based on the leaks that Litvinenco, Recean, and others must be removed from office. 

The Moldovan Justice Ministry said the leaked data is stolen, but it added that some of it has been manipulated. Litvinenco and other officials in Moldova's government have said that Russia is behind the operation. "The purpose of this fake is to divert the public's attention from the real problems faced by criminal groups in the Republic of Moldova and their connections with foreign services," Litvinenco wrote on Facebook. At the end of October, _The Washington Post_ reported on efforts by Russia's FSB security agency to undermine Moldova's pro-European government.

Google will pay a total of $391.5 million to 40 US states following an investigation related to the tech giant's user location tracking practices. The probe, a collaboration between state attorneys general, looked at whether Google had deceived users and obfuscated its location-tracking activities. “Consumers thought they had turned off their location tracking features on Google, but the company continued to secretly record their movements and use that information for advertisers,” Oregon attorney general Ellen Rosenblum told _The Washington Post_. "We settled an investigation with 40 US state attorneys general based on outdated product policies that we changed years ago,” Google wrote in a blog post about the agreement on Monday. “As well as a financial settlement, we will be making updates in the coming months to provide even greater controls and transparency over location data.”

Thousands of mobile apps in the Google Play and Apple App Store include code modules from a company called Pushwoosh that claims to be based in Washington, DC, but that Reuters reports is actually based in Russia. The Centers for Disease Control and Prevention incorporated Pushwoosh code into seven of its public apps and removed the service after learning of Reuters' findings. The CDC said that it had been misled about where Pushwoosh was headquartered. In March, the US Army also removed an app used by soldiers at a prominent US combat training base because it incorporated Pushwoosh code. In marketing materials and US regulatory filings, the company claims to be based in California, Maryland, or DC, but it actually pays taxes in Russia and is headquartered in Novosibirsk in Siberia. The company apparently had roughly 40 employees and reported revenue of 143,270,000 rubles (about $2.4 million) in 2021. Though it is unclear if Pushwoosh ever abused its position in apps distributed in the US or elsewhere, the Russian government has a track record of conducting “software supply chain” attacks for intelligence gathering as well as destructive attacks on its enemies.

Data and privacy regulators in Norway, France, and Germany have all warned that World Cup attendees should not download Qatar’s two World Cup apps or should do so on a wiped device if necessary. Officials warn that the apps are invasive, collecting significantly more data than they should and more than they claim to in their privacy policies. “One of the apps collects data on whether and with which number a telephone call is made,” Germany’s data protection commission said in an alert this week. “The other app actively prevents the device on which it is installed from going into sleep mode. It is also obvious that the data used by the apps not only remain locally on the device but are also transmitted to a central server.” World Cup events begin this weekend.

A Destabilizing Hack-and-Leak Operation Hits Moldova

Elon Musk laid off half the staff, and mass resignations seem likely. If nobody’s there to protect the fort, what’s the worst that could happen?

In the Weeks since Elon Musk was forced to complete his acquisition of Twitter for $44 billion, the social network has been in a state of dramatic upheaval. Musk laid off more than half its workforce and fired more via public tweets. Digital infrastructure went on the fritz. And today, a reported 75 percent of staff refused to sign a pledge to work “long hours at high intensity," ostensibly triggering their resignations. It's now unclear who still works at Twitter.

In short, all hell is breaking loose at the bird site.

As the chaos mounts, one consequence inside the company could be less attention on digital security monitoring and fewer dedicated staffers working to defend Twitter from cyberattacks. And that could put the company and its users at increased risk of a massive data breach or other security incident.

The possibility of a Twitter breach is particularly worrying given a whistleblower report and congressional testimony this summer from Twitter's former chief security officer, Peiter Zatko, that alleged an already dire state of the company's internal defenses and access controls. In other words, the company already seemingly had security issues before Musk took over—and the situation may have gotten worse since.

The good news is that, unlike the credit bureau Equifax or Sony Pictures—both of which suffered breaches of incredibly sensitive user or internal information in the past eight years—Twitter doesn't broadly collect or store government-issued identity data like Social Security numbers, doesn't hold financial information about most of its users, and doesn't require users to input data like street addresses or birth dates. Plus, while not all tweets are shared publicly, most are. Yet Twitter still holds a vast and potentially extremely valuable trove of user data, including the contents of their direct messages and the social graph of who users have communicated and interacted with on the platform, as well as phone numbers, email addresses, and other potentially private details. Users can also opt into location-sharing in tweets, and the company has collected different user information at different times over the years, which could mean it holds more than you realize.

Users also have limited ability to delete their direct messages on Twitter. The chat platform offers the option to “Delete for You,” meaning you can delete messages in your own account, but you can't delete them for the users with whom you are DM'ing. And in general, Twitter has not stated firmly what its practices are with regard to deleting user data even when they deactivate their accounts. Twitter's policy on account deactivation simply says, “If you do not log back into your account for the 30 days following the deactivation, your account will be permanently deactivated. Once permanently deactivated, all information associated with your account is no longer available in our Production Tools.” Given that no form of the word “delete” appears there, it's difficult to parse the true meaning of the policy. 

Twitter did not return multiple requests for comment from WIRED about data deletion. Relatedly, the company's entire communications department has reportedly been let go.

Security researchers and incident responders emphasize, though, that a breach of Twitter's infrastructure or a data leak wouldn't necessarily focus on impacting users but could also reveal sensitive company information. And malicious control of Twitter's infrastructure could be weaponized in a number of ways to spread disinformation, stoke conflict, or even hijack Twitter's mobile apps.

“Twitter has seemingly neglected security for a very long time, and with all the changes, there is risk for sure,” says David Kennedy, CEO of the incident response firm TrustedSec, who formerly worked at the NSA and with the United States Marine Corps signal intelligence unit. “There’s a lot of work to be done to stabilize and secure the platform, and there is definitely an elevated risk from a malicious insider perspective due to all the changes occurring. As time passes, the probability of an incident lowers, but the security risks and technology debt are still there.”

A breach of Twitter could expose the company or users in myriad ways. Of particular concern would be an incident that endangers users who are activists, dissidents, or journalists under a repressive regime. With more than 230 million users, a Twitter breach would also have far-reaching potential consequences for identity theft, harassment, and other harm to users around the world. And from a government intelligence perspective, the data has already proved valuable enough over the years to motivate government spies to infiltrate the company, a threat the whistleblower Zatko said Twitter was not prepared to counter.

The company was already under scrutiny from the US Federal Trade Commission for past practices, and on Thursday, seven Democratic senators called on the FTC to investigate whether “reported changes to internal reviews and data security practices” at Twitter violated the terms of a 2011 settlement between Twitter and the FTC over past data mishandling. 

Were a breach to happen, the details would, of course, dictate the consequences for users, Twitter, and Musk. But the outspoken billionaire may want to note that, at the end of October, the FTC issued an order against the online delivery service Drizly along with personal sanctions against its CEO, James Cory Rellas, after the company exposed the data of roughly 2.5 million users. The order requires the company to have stricter policies on deleting information and to minimize data collection and retention, while also requiring the same from Cory Rellas at any future companies he works for.

Speaking broadly about the current digital security threat landscape at the Aspen Cyber Summit in New York City on Wednesday, Rob Silvers, undersecretary for policy at the Department of Homeland Security, urged vigilance from companies and other organizations. “I wouldn't get too complacent. We see enough attempted intrusions and successful intrusions every day that we are not letting our guard down even a little bit,” he said. “Defense matters, resilience matters in this space.”

Dan Tentler, a founder of the attack simulation and remediation firm Phobos Group who worked in Twitter security from 2011 to 2012, points out that while current chaos and understaffing within the company does create pressing potential risks, it also could pose challenges to attackers who might have difficulty in this moment mapping the organization to target employees who likely have strategic access or control within the company. He adds, though, that the stakes are high because of Twitter's scale and reach around the world.

“If there are insiders left within Twitter or someone breaches Twitter, there's probably not a lot standing in their way from doing whatever they want—you have an environment where there may not be a lot of defenders left,” he says.

Here’s How Bad a Twitter Mega-Breach Would Be

New research found pervasive use of tracking tech on substance-abuse-focused health care websites, potentially endangering users in a post-Roe world.

While mobile health options have been celebrated by doctors and advocates as a way to expand treatment for substance use disorders, there has been persistent concern over how private the websites offering treatment and support really are—especially now that the US Supreme Court’s toppling of _Roe v. Wade_ has reignited the national conversation about how far medical privacy protections extend online.

The Opioid Policy Institute (OPI) and Legal Action Center (LAC) today released the findings from a 16-month analysis of a dozen major substance-use-focused mHealth websites, revealing details of how much data is shared with third parties. While the sharing of any kind of patient information is often strictly regulated or outright forbidden, it’s even more verboten in addiction treatment, as patients’ medical history can be inherently criminal and stigmatized.

Generally, patients seeking treatment for substance use disorders, or SUDs, are protected not only by the Health Insurance Portability and Accountability Act (HIPAA) but by a law called 42 CFR Part 2 (commonly known as “Part 2”), which guarantees the confidentiality of treatment records and protects individuals from having their treatment history used against them. Browsing histories, however, exist in a gray area, and though it’s not exactly medical information, experts find these sites’ monitoring of it concerning.

The OPI and LAC analysis used Blacklight, a privacy tool created by news nonprofit The Markup to analyze the websites for Bicycle Health, Boulder Care, Bright Heart Health, Confidant Health, DynamiCare Health, Kaden, Loosid, Ophelia, PursueCare, reSET-O, SoberGrid, and WorkItHealth on four timepoints from March 2021 to July 2022. All 12 websites included technologies that collect, identify, and share information about users with third parties and had ad trackers that are used for advertising purposes. The average number of these trackers “generally” increased over the 16 months, researchers found.

Furthermore, 11 of the sites used third-party session cookies that identify visitors and track them across other websites to serve ads, and four of the 12 used session recording, which monitors the behavior of visitors to the sites, from their mouse movements and clicks to their scrolling and typing, even if the text input is never submitted. Half of the websites used Meta Pixel to send user data to Facebook, 10 used Google Analytics (which can track user metrics), and all 12 sent some data to ad tech companies that buy and sell user data for advertising.

Many of the providers highlight their commitment to “privacy” on their websites. However, as Regina LaBelle, director of the Addiction and Public Policy Initiative at Georgetown Law’s O’Neill Institute, explains, “In the addiction policy field, when we define our position about privacy, I think it is much more comprehensive than what is laid out in some of the companies’ definitions of privacy.”

Ad tracking is commonplace across the internet, but these are sites for individuals with highly stigmatized medical conditions. Experts are concerned about what could happen as a result of the tracking, but not necessarily that it’s already been used nefariously. Part 2 exists because the sensitive information people share during treatment for substance use disorders could easily impact their employment status, ability to get a home, custody of their children, and even their freedom. Health care providers and lawmakers recognized long ago that the potential threat of losing so much would deter people from getting life-saving help and set up strict laws to protect those who do seek treatment. Now, experts worry that data collected on telehealth sites could bring about the harm Part 2 was designed to prevent and more, even inadvertently.

Pointing to the recent case of a Nebraska teen who was charged for self-administering a miscarriage after police reviewed her Facebook messages, Dr. Westley Clark, who formerly lead health IT initiatives at the Substance Abuse and Mental Health Services Administration, drew a parallel: “It won’t take long for the narcotics section of criminal justice to realize that the abortion section of criminal justice has tools that they can also use,” Clark says. “With these technologies, all I have to do is get an administrative subpoena … if I suspect you of being an addict. I can go to Facebook. I can go to Google.” He also expresses concern that for the right price, entities holding such data wouldn’t even require a warrant to hand it over.

Clark cautions that he isn’t aware of law enforcement looking at data from addiction-focused mHealth sites but believes it could happen in the post-_Roe_ world. He, like other experts contacted for this story, is a strong proponent of telehealth as a tool to tackle the ever-expanding overdose crisis and wants to see telemedicine companies do a better job of protecting patient privacy. LaBelle says she thinks these mHealth companies are helmed by “well-meaning people who want to do good but may not understand the totality of the issues that are involved in getting people the services they need, and how critically important a broad definition of privacy is to protect these people.” The Legal Action Center’s Dr. Jackie Seitz, one of the authors of the research, says she also appreciates the value of these online services and questions whether providers themselves realize “all the different, leaky ways that the information they’re collecting about patients is sort of floating out.”

One person who does know about those leaky ways is Sean O’Brien, a lecturer on cybersecurity at Yale Law School who founded the Privacy Lab at Yale’s Information Society Project. He worked with the OPI and LAC on previous research that focused on mobile apps in the addiction telehealth space and lamented that it’s “shocking” to see mHealth providers still using so many third-party trackers despite the fact they’ve been “under the microscope” for some time now. “They’re just sharing it with everybody they can,” he says, adding that what he finds particularly problematic is the caching of the data on servers, where someone could “scoop up” the information.

Leaders at some of the analyzed companies were quick to respond and share their thoughts on privacy, noting they always aim to improve the services offered to such a vulnerable population.

Boulder Care CEO Stephanie Strong says her company is subject to HIPAA and Part Two and “takes patient privacy extremely seriously.” She adds that her company uses digital advertising and web measurement tools “sparingly” (indeed, Boulder Care used fewer of the tools than others in the report) and limits the use of ad tracking software to website visitors and inquiries only, without reporting back to Google or Meta on any actions that could be “indicative of actual treatment.” Patient care is delivered by Boulder’s app, which does not use any tracking software.

Lisa McLaughlin, co-CEO of WorkIt Health, says her company “is committed to creating a safe place for our members to receive discreet and accessible virtual care.” A representative for Confidant Health echoes that the company recognizes the importance of privacy in SUD care and will “continue to adhere to HIPAA and similar legislation as well as upholding our own internal protocols which we developed to protect our members.”

Representatives from other companies included in the study did not deny the use of the third parties that researchers identified, but they maintained that this poses no threat to patient privacy and is in keeping with standards across the internet and in the medical space.

Nick Mercadante, founder and CEO of PursueCare, says his company does not collect, store, or forward protected health information from visiting users, and that patients don’t receive their care directly on the PursueCare site. He also said PursueCare does not share protected health information (PHI) with third parties, though it does “utilize Facebook Pixel and Google Analytics for internal reporting purposes.”

“It is a reality that users of most websites on the internet today are subject to collection of user data,” Mercadante says. “Health-care-related websites, including those of health systems, hospitals, inpatient care facilities, and other brick-and-mortar care facilities, are no different.”

Pear Therapeutics, responsible for reSET-O, notes it doesn’t share PHI without patient consent, does not use any digital footprints to identify user identities, and reports data “on an aggregated and de-identified basis.” 

Experts remain concerned by the collection of the data in the first place, de-identified or not, but acknowledge that what’s happening here isn’t illegal and is likely to continue for that reason. Danielle Tarino, who formerly led the health IT team at SAMHSA and now works in cybersecurity, has spent a considerable chunk of her career investigating the privacy implications of mHealth, especially for people with substance use disorders. She believes the best shot at protecting privacy will come from the creation and implementation of additional tools.

“This is how small tech businesses work, and absent anyone telling you that you’re not allowed to do that, you’re allowed to do that,” she says, questioning whether the sites’ use of ad trackers and outside software boils down to finances. Clark, too, expresses concerns that the use of data collection is financially motivated and, for the right price, could be sold or leased to law enforcement or other parties. “When there’s monetary incentives, people make the changes. When there are no monetary incentives, they don’t,” he says. In short, data privacy experts don’t anticipate that mHealth companies will stop collecting data unless forced.

The opinions of cybersecurity professionals and telehealth company CEOs are relevant, but perhaps most important are the opinions of individuals with substance abuse disorders, the people who stand to lose the most if experts’ fears are realized and for whom Part 2 was designed. After being shown the data from the analysis, one patient who utilizes brick-and-mortar health care providers said via direct message, “Thank you for reaffirming why I don’t use telehealth.” He added that he wasn’t sure the findings would stop anyone from using telehealth if that were the only way they could get treatment. Those patients would simply have to trust their providers act in their best interest.

Another patient who uses one of the companies analyzed by the OPI and LAC was alarmed by the findings.“They should \[be required to\] have a service that prevents them from being able to track anything like that,” he says.

“How much is my information worth?” he asks, questioning whether data from his and other patients’ website use was more valuable than the few hundred dollars they generate each month as patients. “It’s so scary. This is the first time in my life I’m not on probation in 10 years. Now, I’m not. Thinking that someone could really just look at that … Who knows what’s going to happen?”

Telehealth Sites Put Addiction Patient Data at Risk

The team uses a secret technique to locate AlphaBay’s server. But just as the operation heats up, the agents have an unexpected run-in with their target.

The Hunt for the Dark Web’s Biggest Kingpin, Part 4: Face to Face

Problems with the important security feature may be some of the first signs that Elon Musk’s social network is fraying at the edges.

Following two weeks of extreme chaos at Twitter, users are joining and fleeing the site in droves. More quietly, many are likely scrutinizing their accounts, checking their security settings, and downloading their data. But some users are reporting problems when they attempt to generate two-factor authentication codes over SMS: Either the texts don't come or they're delayed by hours.

The glitchy SMS two-factor codes mean that users could get locked out of their accounts and lose control of them. They could also find themselves unable to make changes to their security settings or download their data using Twitter's access feature. The situation also provides an early hint that troubles within Twitter's infrastructure are bubbling to the surface.

Not all users are having problems receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may not have reason to test the mechanism. But users have been self-reporting issues on Twitter since the weekend, and WIRED confirmed that on at least some accounts, authentication texts are hours delayed or not coming at all. The meltdown comes less than two weeks after Twiter laid off about half of its workers, roughly 3,700 people. Since then, engineers, operations specialists, IT staff, and security teams have been stretched thin attempting to adapt Twitter's offerings and build new features per new owner Elon Musk's agenda.

Reports indicate that the company may have laid off too many employees too quickly and that it has been attempting to hire back some workers. Meanwhile, Musk has said publicly that he is directing staff to disable some portions of the platform. “Part of today will be turning off the ‘microservices’ bloatware,” he tweeted this morning. “Less than 20 percent are actually needed for Twitter to work!”

Twitter’s communications department, which reportedly no longer exists, did not return WIRED's request for comment about problems with SMS two-factor authentication codes. Musk did not reply to a tweet requesting comment.

“Temporary outage of multifactor authentication could have the effect of locking people out of their accounts. But the even more concerning worry is that it will encourage users to just disable multifactor authentication altogether, which makes them less safe,” says Kenneth White, codirector of the Open Crypto Audit Project and a longtime security engineer. “It's hard to say exactly what caused the issue that so many people are reporting, but it certainly could result from large-scale changes to the web services that have been announced."

SMS texts are not the most secure way to receive authentication codes, but many people rely on the mechanism, and security researchers agree that it's better than nothing. As a result, even intermittent or sporadic outages are problematic for users and could put them at risk.

Twitter’s SMS authentication code delivery system has repeatedly had stability issues over the years. In August 2020, for example, Twitter Support tweeted, “We’re looking into account verification codes not being delivered via SMS text or phone call. Sorry for the inconvenience, and we’ll keep you updated as we continue our work to fix this.” Three days later, the company added, “We have more work to do with fixing verification code delivery, but we're making progress. We're sorry for the frustration this has caused and appreciate your patience while we keep working on this. We hope to have it sorted soon for those of you who aren't receiving a code.”

That the issue seems to be recurring now indicates, perhaps, that systems Twitter has long struggled to maintain are among the first to destabilize without adequate maintenance and support. Current and former employees have painted a picture of Twitter as having convoluted and brittle technical infrastructure. Meanwhile, Musk's revisions to Twitter's “blue check” account-authentication policies have led to rampant scams on the site and even more extensive content moderation issues than existed under previous leadership.

If you haven’t already, switch to an app for generating your multifactor authentication codes, such as Google Authenticator. On Twitter go to **“Settings and Support,”** tap **“Settings and privacy,”** then **“Security and account access,”** **“Security,”** and then “**Two-factor authentication.”** Disable **“Text message”** if you have it in and instead toggle **“Authentication app”** and follow the instructions for adding Twitter to your authentication app. Or if you prefer to use a physical authentication token, turn on **“Security key.”**

For users who can't receive their SMS two-factor codes, though, questions about whether Twitter is in decline or what could be coming next are moot—the site already feels broken.

“It’s hugely problematic to require 2FA for something and not be able to fulfill it for authentication, whether it’s SMS or anything else,” says Jim Fenton, an independent identity privacy and security consultant. “It’s problematic, because it’s denying service to Twitter users.”

Twitter’s SMS Two-Factor Authentication Is Melting Down

Mysterious crooks took hundreds of millions of dollars from FTX just as it collapsed. Crypto-tracing blockchain analysis may provide an answer.

Cryptocurrency has always offered a strange mix of temptations and challenges for anyone trying to steal it. As digital cash, held in multibillion-dollar sums on hackable, internet-connected networks, it presents a lucrative target. But once it's stolen, the blockchains that almost every cryptocurrency is built on make it possible to follow that money's every movement and, very often, to identify the thieves. So after a massive heist pulled nearly half a billion dollars worth of funds out of the already collapsing FTX cryptocurrency exchange yesterday, the world's crypto tracers are now closely tracking where that loot ends up—and looking for any clues that reveal the thief to be an FTX insider or just an opportunistic hacker.

On Friday, hours after the major cryptocurrency exchange FTX had filed for bankruptcy in the wake of its epic, 10-figure collapse, FTX's remaining funds were drained of more than $663 million worth of cryptocurrency, much of which appears to have been stolen. "FTX has been hacked," wrote an administrator in FTX's Telegram channel. "FTX apps are malware. Delete them." Exactly how FTX might have been breached—and whether its apps are, in fact, compromised—is far from clear, and FTX hasn't officially announced any theft. But the company's US general counsel wrote in a tweet that "unauthorized access to certain assets has occurred." (FTX did not respond to WIRED's request for comment.)

Soon, crypto-tracing and blockchain analysis firm Elliptic revealed that the $663 million outflow seemed to be a combination of FTX's movement of coins into its own storage wallets and a mysterious theft. According to Elliptic, fully $477 million of the funds appear to have been stolen, though another crypto-tracing firm, TRM Labs, puts the number at $338 million. Twenty-four hours after the theft, most of that money had moved into just a handful of cryptocurrency addresses—where the entire cryptocurrency tracing industry, a vast community of amateur crypto sleuths, and no doubt law enforcement agencies around the globe are now all watching it with an unblinking gaze.

That observability, for the FTX funds and for other stashes of stolen crypto, presents a serious challenge for any thief trying to cash out their haul into traditional currency. In this case, where regulators and an army of aggrieved creditors are looking for any sign that FTX's staff or owners may themselves be the culprits, it could ultimately help confirm that insiders were responsible for the theft—or instead show that external hackers took advantage of the chaos at FTX to pull off a burglary.

"We’re definitely watching the movements of these funds," says Chris Janczewski, the head of investigations at TRM Labs and a former special agent at the IRS's criminal investigations division. "This potential thief has hundreds of millions of dollars. But it's like they went into a bank, took as much cash as they could carry, and then the dye packs went off. They've got all this money, but now everyone knows it's connected to this bank robbery. What can you actually do with it?"

According to Elliptic's analysis, at least $220 million of funds stolen in the form of a variety of cryptocurrencies were quickly traded through decentralized exchanges—trading platforms that allow users to swap coins without giving identifying information—to convert them into the cryptocurrencies Ethereum and Dai. But cashing out those coins and the rest of the stolen loot will likely require trading it on a centralized exchange, which almost always requires users to hand over identifying information. The thieves may try to put the money through a "mixing" service that launders the coins by blending them with those of other users. But crypto-tracing blockchain analysts have proven they can often defeat those mixers—particularly when users are feeding very large sums into them. And some mixers, like the Tornado Cash service that was sanctioned by the US Treasury in August, render cryptocurrency untouchable for many exchanges or vulnerable to seizure.

That means it will be very difficult for the thieves to abscond with their profits in a spendable form without being identified, says Michelle Lai, a cryptocurrency privacy advocate, investor, and consultant who says she's been tracking the movements of the stolen FTX funds with "morbid fascination." But the real question, Lai says, is whether identifying the thieves will offer any recourse: After all, many of the most prolific cryptocurrency thieves are Russians or North Koreans operating in non-extradition countries, beyond the reach of Western law enforcement. "It's not a question of whether they'll know who did it. It's whether it will be actionable," says Lai. "Whether they're on-shore."

In the meantime, Lai and many other crypto-watchers have been closely eyeing one Ethereum address that is currently holding around $192 million worth of the funds. The account has been sending small sums of Ethereum-based tokens—some of which appear to have little to no value—to a variety of exchange accounts, as well as Ethereum inventor Vitalik Buterin and Ukrainian cryptocurrency fundraiser accounts. But Lai guesses that these transactions are likely meant to simply complicate the picture for law enforcement or other observers before any real attempt to launder or cash out the money.

The pilfering of FTX—whether the theft totals $338 million or $477 million—hardly represents an unprecedented haul in the world of cryptocurrency crime. In the late-March hack of the Ronin bridge, a gaming cryptocurrency exchange, North Korean thieves took $540 million. And earlier this year, cryptocurrency tracing led to the bust of a New York couple accused of laundering $4.5 _billion_ in crypto.

But in the case of the high-profile FTX theft and the exchange's overall collapse, tracing the errant funds might help put to rest—or confirm—swirling suspicions that someone within FTX was responsible for the theft. The company's Bahamas-based CEO, Sam Bankman-Fried, who resigned Friday, lost virtually his entire $16 billion fortune in the collapse. According to an unconfirmed report from CoinTelegraph, he and two other FTX executives are "under supervision" in the Bahamas, preventing them from leaving the country. Reuters also reported late last week that Bankman-Fried possessed a "backdoor" that was built into FTX's compliance system, allowing him to withdraw funds without alerting others at the company.

Despite those suspicions, TRM Labs' Janczewski points out that the chaos of FTX's meltdown might have provided an opportunity for hackers to exploit panicked employees and trick them into, say, clicking on a phishing email. Or, as Michelle Lai notes, bankrupted insider employees might have collaborated with hackers as a means to recover some of their own lost assets.

As the questions mount over whether—or to what degree—FTX's own management might be responsible for the theft, the case has begun to resemble, more than any recent crypto heist, a very old one: the theft of a half billion dollars worth of bitcoins, discovered in 2014, from Mt. Gox, the first cryptocurrency exchange. In that case, blockchain analysis carried out by cryptocurrency tracing firm Chainalysis, along with law enforcement, helped to pin the theft on external hackers rather than Mt. Gox's own staff. Eventually, Alexander Vinnik, a Russian man, was arrested in Greece in 2017 and later convicted of laundering the stolen Mt. Gox funds, exonerating Mt. Gox's embattled executives.

Whether history will repeat itself, and cryptocurrency tracing will prove the innocence of FTX's staff, remains far from clear. But as more eyes than ever scour the cryptocurrency economy's blockchains, it's a surer bet that the whodunit behind the FTX theft will, sooner or later, produce an answer.

The Hunt for the FTX Thieves Has Begun

Plus: US midterms survive disinformation efforts, the government names the alleged Lockbit ransomware attacker, and the Powerball drawing hits a security snag.

The United States took to the polls this week to vote in a high-stakes midterm election. With public trust in election systems at an all-time low, the secret ballot is more important now than ever before. We also took a look at a flawed app built by prominent right-wing provocateurs that has been used to challenge hundreds of thousands of voter registrations.

Meanwhile, the Department of Justice announced that a Georgia man has pleaded guilty to wire fraud nine years after stealing more than 50,000 bitcoins from the Silk Road, the legendary dark-web market. You may have heard that things are chaotic over at Twitter, with a wave of corporate impersonations plaguing the platform hours after the rollout of a service that allows anyone who pays $8 a month to get a blue check mark showing they are “verified.” It’s a gift for scammers and grifters of all shades.

New analysis shows that two large ships, with their trackers off, were detected near the Nord Stream 2 pipeline in the days before the gas leaks were detected. Officials suspect sabotage, and NATO is investigating. Plus, Russian military hackers are pivoting to a new strategy that favors faster attacks with more immediate results.

And there’s more. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories.

This week saw even more chaos at Twitter as security executives resigned after clashing with their new boss, Elon Musk, over how the company should meet its obligations to the Federal Trade Commission. After a pair of data breaches in 2009, Twitter agreed to submit regular reports about its privacy practices under the terms of a 2011 settlement with the Federal Trade Commission. The company settled with the FTC earlier this year after it was caught serving ads to user emails and phone numbers, which people supplied as part of their security measures. If Twitter doesn’t comply with its commitments to the agency, the FTC could fine the company billions of dollars.

On Wednesday, a day before the deadline for Twitter to submit a report to the FTC, Twitter’s chief information security officer, chief privacy officer, and chief compliance officer quit. The company’s head of Trust and Safety also left the company the following day.

In a message posted to Twitter’s Slack that was obtained by The Verge, an attorney on the privacy team wrote that engineers could be required to “self-certify” that their projects complied with the settlement, burdening the engineers with “personal, professional, and legal risk.” The employee added that Alex Spiro, Musk’s lawyer, told workers that “Elon puts rockets into space—he’s not afraid of the FTC.”

The resignations came as the company began battling a wave of corporate impersonators who gamed the company’s new paid verification system to shitpost hours after it launched.

About 60 of Maricopa county’s 223 voting locations reported technical issues on Election Day, frustrating voters and fueling conspiracies about election fraud. Technicians were dispatched to polling sites across Arizona’s largest county on Tuesday to fix dozens of malfunctioning vote tabulation machines. Election officials urged frustrated voters to vote at other locations or drop their ballots in a secure box to be counted later. “Everyone is still getting to vote. No one has been disenfranchised,” Bill Gates, chair of the Maricopa County board of supervisors, told reporters on Tuesday morning.

But that didn’t keep right-wing influencers, including former US president Donald Trump, from using the glitch to allege that votes were being suppressed. Researchers at the University of Washington found online chatter about tabulator problems started to trend after Republican activist Charlie Kirk posted about them; later in the day, Trump took to Truth Social to suggest, without evidence, that only “Republican areas” were impacted by the errors. Around 2:30 pm local time, officials in Arizona announced they had fixed the problem by changing the machines’ printer settings.

A Russian Canadian national named Mikhail Vasiliev was arrested in Canada on Wednesday over his alleged participation in the LockBit ransomware campaign, according to the US Justice Department and Europol. LockBit has claimed at least 1,000 victims, according to Deep Instinct’s 2022 Interim Cyber Threat Report, and is responsible for around 44 percent of ransomware campaigns this year. Vasiliev is charged with “conspiracy to intentionally damage protected computers and to transmit ransom demands” and is currently in Canada awaiting extradition to the United States. If convicted, he faces a maximum of five years in prison.

A security issue delayed a record-breaking $2.04 billion Powerball drawing after an unnamed state failed to submit the appropriate data and complete security protocols. According to the Multi-State Lottery Association, which runs Powerball, one of the regional lottery commissions failed to finish tabulating their sales and ticketing data in time for Monday night’s drawing. The 10-hour delay ended Tuesday with a single winner who had bought the ticket at Joe’s Service Center, a gas station in Altadena, California, state lottery officials said.

Elon Musk Introduces Twitter Mayhem Mode

Satellite monitors discovered two vessels with their trackers turned off in the area of the pipeline prior to the suspected sabotage in September.

The first gas leaks on the Nord Stream 2 pipeline in the Baltic Sea were detected in the early hours of September 26, pouring up to 400,000 tons of methane into the atmosphere. Officials immediately suspected sabotage of the international pipeline. New analysis seen by WIRED shows that two large ships, with their trackers off, appeared around the leak sites in the days immediately before they were detected.

According to the analysis by satellite data monitoring firm SpaceKnow, the two “dark ships,” each measuring around 95 to 130 meters long, passed within several miles of the Nord Stream 2 leak sites. “We have detected some dark ships, meaning vessels that were of a significant size, that were passing through that area of interest,” says Jerry Javornicky, the CEO and cofounder of SpaceKnow. “They had their beacons off, meaning there was no information about their movement, and they were trying to keep their location information and general information hidden from the world,” Javornicky adds.

The discovery, which was made by analyzing images from multiple satellites, is likely to further increase speculation about the cause of the blasts. Multiple countries investigating the incident believe the Nord Stream 1 and 2 pipelines were rocked by a series of explosions, with many suspicions directed at Russia as its full-scale invasion of Ukraine continues. (Russia has denied its involvement.) Once SpaceKnow identified the ships, it reported its findings to officials at NATO, who are investigating the Nord Stream incidents. Javornicky says NATO officials asked the company to provide more information. 

NATO spokesperson Oana Lungescu says it does not comment on the “details of our support or the sources used” but confirmed that NATO believes the incident was a “deliberate and irresponsible act of sabotage” and it has increased its presence in the Baltic and North Seas. However, a NATO official, who did not have permission to speak publicly, confirmed to WIRED that NATO had received SpaceKnow’s data and said satellite imagery can prove useful for its investigations.

To detect the ships, Javornicky says, the company scoured 90 days of archived satellite images for the area. The company analyzes images from multiple satellite systems—including paid and free services—and uses machine learning to detect objects within them. This includes the ability to monitor roads, buildings, and changes in landscapes. "We have 38 specific algorithms that can detect military equipment," Javornicky says, adding that SpaceKnow’s system can detect specific models of aircraft on landing strips.

Once it gathered archive images of the area, SpaceKnow created a series of polygons around the gas leak sites. The smallest of these, around 400 square meters, covered the immediate blast area, and larger areas of interest covered several kilometers. In the weeks leading up to the explosions, SpaceKnow detected 25 ships passing through the region, from “cargo ships to multipurpose larger ships,” Javornicky says. In total, 23 of these vessels had their automatic identification system (AIS) transponders turned on. Two did not have AIS data turned on, and these ships passed the area during the days immediately ahead of the leaks being detected.

By international law, large ships are required to install and use AIS. This vessel tracking system was created to help ships navigate and avoid potential collisions with other vessels. When turned on, AIS will broadcast a ship’s name, location, the direction of travel, speed, and other information.

It is relatively rare for ships to turn off their AIS transponders. Ships that “go dark” are often suspected of being involved in illegal fishing or modern slavery, with officials in Europe previously investigating ships that are believed to have turned off their AIS transponders. “It would not be common practice \[to have AIS turned off\], unless the vessels have a classified military mission or they would have some clandestine objectives, because the Baltic Sea is one of the busiest seas in the world in terms of commercial traffic,” says Otto Tabuns, the director of the Baltic Security Foundation, an NGO that focuses on the region.

Tabuns says the Baltic Sea has multiple main “arteries” where ships travel and it is “responsible” for ships in the area to have their AIS trackers turned on. Collisions at sea can be deadly and environmentally ruinous. “There are many places in the \[Baltic\] sea that are not navigable for bigger ships,” Tabuns says. “There are also some areas that are not recommended or where it is prohibited to ship because of the heritage of World War Two.” Decades-old wartime submarines and munitions litter the Baltic Sea’s floor.

SpaceKnow detected the ships that had AIS turned off using synthetic aperture radar (SAR) images from satellites. Most satellites observing Earth take photos of what’s beneath them; others, however, also use SAR to bounce radio waves off the ground and create images from them. Andrey Kurekin, a coastal ocean color scientist at the Plymouth Marine Laboratory who has analyzed satellite images for detecting objects at sea, says SAR technology can be useful for detecting ships, as it shows reflections from metal objects. “They are shown as bright objects in SAR images,” Kurekin says.

Kurekin says SAR images can be used to identify the longitude and latitude coordinates of a ship, the direction it is heading, and potentially to estimate its speed. “The main advantage of SAR over optical sensors is that the microwaves penetrate through clouds,” Kurekin says. The images are less impacted by the weather and can also provide visibility at night. “It's quite difficult to hide a ship from a SAR sensor,” Kurekin adds.

SAR images of the dark ships shared with WIRED show the vessels as glowing objects, not far from the explosion site around Nord Stream 2. “We assume it was one of those two dark ships that we have detected, but we're not making any decision,” Javornicky says. He says the company is not in the business of determining what may have happened or who is responsible but instead provided the data to authorities.

Kurekin cautions that AIS tracking systems onboard ships can, at times, fail. The signal from AIS could stop communicating with satellites or receivers on land, Kurekin says, adding that the signal can be impacted by the weather too. “If there is a vessel that you can see in SAR image but it's not reported by the AIS system, it does not necessarily mean that there's something wrong with this vessel,” Kurekin says. Signals from AIS transponders can also be manipulated—warships have had their AIS data spoofed, and ships around Russia and the Black Sea have vanished from trackers in recent years.

While there are multiple ongoing investigations into the explosions, determining the full picture of what happened may take some time. Police in Copenhagen said its initial investigations have determined that “powerful explosions” caused “extensive damage” to the pipes. Images taken from around the exploded sections of the pipe appear to show that at least 50 meters of the pipeline were destroyed in the explosions.

In an email, the Swedish security service, Säkerhetspolisen, said that due to “secrecy” around its operations, it could not discuss its investigation or whether it was looking at satellite data. However, agency spokesperson Gabriel Wernstedt says the organization is conducting a “criminal investigation of gross sabotage” around both the Nord Stream 1 and 2 pipes. “Certain seizures were made during the onsite investigations that are being analyzed,” Wernstedt says. In public statements, Säkerhetspolisen has confirmed denotations happened at the pipes and that the Swedish armed forces are involved in the investigations.

However, while the investigations are ongoing, there appear to be difficulties between the countries that are looking into the incident, which could slow the process. While Sweden says it is working with investigators in Germany and Denmark, the official leading its investigation has rejected plans to form a joint investigation.

Tabuns says he hopes that the incident will act as motivation for countries to work on better ways to share intelligence, particularly as Sweden and Finland apply to join NATO. Each country will have its own levels of classification for information and systems where it collects intelligence—these may often not be compatible, Tabuns says. However, he adds that the events should see countries look at increasing the “integration of existing national systems so that there would be real-time information sharing for any response.”

_Update 9:30 am, 11-11-22: Added statement from NATO._

‘Dark Ships’ Emerge From the Shadows of the Nord Stream Mystery

Questions about the Kremlin’s relationships with these groups remain. But researchers are finally getting some answers.

Russia-based ransomware gangs are some of the most prolific and aggressive, in part thanks to an apparent safe harbor the Russian government extends to them. The Kremlin doesn't cooperate with international ransomware investigations and typically declines to prosecute cybercriminals operating in the country so long as they don't attack domestic targets. A long-standing question, though, is whether these financially motivated hackers ever receive directives from the Russian government and to what extent the gangs are connected to the Kremlin's offensive hacking. The answer is starting to become clearer.

New research presented at the Cyberwarcon security conference in Arlington, Virginia, today looks at the frequency and targeting of ransomware attacks against organizations based in the United States, Canada, the United Kingdom, Germany, Italy, and France in the lead-up to these countries' national elections. The findings suggest a loose but visible alignment between Russian government priorities and activities and ransomware attacks leading up to elections in the six countries.

The project analyzed a data set of over 4,000 ransomware attacks perpetrated against victims in 102 countries between May 2019 and May 2022. Led by Karen Nershi, a researcher at the Stanford Internet Observatory and the Center for International Security and Cooperation, the analysis showed a statistically significant increase in ransomware attacks from Russia-based gangs against organizations in the six victim countries ahead of their national elections. These nations suffered the most total ransomware attacks per year in the data set, about three-quarters of all the attacks.

“We used the data to compare the timing of attacks for groups we think are based out of Russia and groups based everywhere else,” Nershi told WIRED ahead of her talk. “Our model looked at the number of attacks on any given day, and what we find is this interesting relationship where for these Russia-based groups, we see an increase in the number of attacks starting four months before an election and moving three, two, one month in, up to the event.”

The data set was culled from the dark-web sites that ransomware gangs maintain to name and shame victims and pressure them to pay up. Nershi and fellow researcher Shelby Grossman, a scholar at the Stanford Internet Observatory, focused on popular so-called “double extortion” attacks in which hackers breach a target network and exfiltrate data before planting ransomware to encrypt systems. Then the attackers demand a ransom not only for the decryption key but to keep the stolen data secret instead of selling it. The researchers may not have captured data from every single double-extortion actor out there, and attackers may not post about all of their targets, but Nershi says the data collection was thorough and that the groups typically have an interest in publicizing their attacks.

The findings showed broadly that non-Russian ransomware gangs didn't have a statistically significant increase in attacks in the lead-up to elections. Whereas two months out from a national election, for example, the researchers found that organizations in the six top victim countries were at a 41 percent greater chance of having a ransomware attack from a Russia-based gang on a given day, compared to the baseline. 

The increase wasn't visible in every sector, though. Russia-based ransomware gangs did seem to target government organizations and infrastructure at a slightly elevated rate two months out from a country's national election, but Nershi says the total number of attacks on government entities in the data set was small to begin with. The analysis didn't find a statistically significant increase in the number of attacks against organizations in the communications, finance, energy, and utility sectors leading up to elections. But because of the overall increase in attacks across all types of organizations, the researchers theorize that there may be a spillover effect that the Russian government's general increase of cyber activity in the lead-up to an election in one of the six countries indirectly fuels ransomware attacks.

“We are theorizing that there seems to be some level of loose ties between these ransomware groups based in Russia and the Russian government,” Nershi said, "In that they are criminal organizations, they’re in it for profit, but it seems like occasionally the Russian government will ask them for favors, and they’ll agree to operate on this sort of ad hoc basis."

The research aligns with other recent analyses and information, including details from a massive trove of chat logs leaked earlier this year that showed how the notorious Conti ransomware group operates. The data indicated that Conti members very likely have connections within Russia's FSB intelligence agency and knowledge of Russian military hacking operations, painting a picture of loose and ad hoc cooperation. 

“What the groups get out of it is generally not being prosecuted. And for the Russian government, it can allow them to outsource to some degree certain tasks in a way that gives them plausible deniability,” Nershi says. "As I perceive it, it's a strange, nebulous, ambiguous relationship."

Source

Wired