A defective CrowdStrike kernel driver sent computers around the globe into a reboot death spiral, taking down air travel, hospitals, banks, and more with it. Here’s how that’s possible.

Only a handful of times in history has a single piece of code managed to instantly wreck computer systems worldwide. The Slammer worm of 2003. Russia’s Ukraine-targeted NotPetya cyberattack. North Korea’s self-spreading ransomware WannaCry. But the ongoing digital catastrophe that rocked the internet and IT infrastructure around the globe over the past 12 hours appears to have been triggered not by malicious code released by hackers, but by the software designed to stop them.

A software update from cybersecurity company CrowdStrike appears to have inadvertently disrupted IT systems globally.

Two internet infrastructure disasters collided on Friday to produce disruptions around the world in airports, train systems, banks, health care organizations, hotels, television stations, and more. On Thursday night, Microsoft’s cloud platform Azure experienced a widespread outage. By Friday morning, the situation turned into a perfect storm when the security firm CrowdStrike released a flawed software update that sent Windows computers into a catastrophic reboot spiral. A Microsoft spokesperson tells WIRED that the two IT failures are unrelated.

The cause of one of those two disasters, at least, has become clear: buggy code pushed out as an update to CrowdStrike’s Falcon monitoring product, essentially an antivirus platform that runs with deep system access on “endpoints” like laptops, servers, and routers to detect malware and suspicious activity that could indicate compromise. Falcon requires permission to update itself automatically and regularly, since CrowdStrike is constantly adding detections to the system to defend against new and evolving threats. The downside of this arrangement, though, is the risk that this system, which is meant to enhance security and stability, could end up undermining it instead.

“It's the biggest case in history. We’ve never had a worldwide workstation outage like this,” says Mikko Hyppönen, the chief research officer at cybersecurity company WithSecure. Around a decade ago, Hyppönen says, widespread outages were more common due to the spread of worms or trojans. More recently, global outages have happened on the “server side” of systems, meaning outages often stem from cloud providers such as Amazon’s Web Services, internet cable cuts, or authentication and DNS issues.

CrowdStrike CEO George Kurtz said on Friday that the issues were caused by a “defect” in code the company released for Windows. Mac and Linux systems were not affected. “The issue has been identified, isolated and a fix has been deployed,” Kurtz said in a statement, adding the problems were not the result of a cyberattack. In an interview with NBC, Kurtz apologized for the disruption and said it may take some time for things to be back to normal.

The widespread Windows outages have been linked to a software update from cybersecurity giant ​​CrowdStrike. It is believed the issues are not linked to a malicious cyberattack, cybersecurity officials say, but rather stem from a misconfigured/corrupted update that CrowdStrike pushed out to its customers.

Security and IT analysts searching for the root cause of the gargantuan outage say that it appears to be related to a “kernel driver” update to CrowdStrike’s Falcon software. Kernel drivers are the software components that allow applications to interact with Windows at its deepest level, the core of the operating system known as its kernel. That highly sensitive level of access is necessary for security software, so that it can run prior to any malicious software installed on the system and access any part of the system where hackers might seek to plant their code. As malware has improved and evolved, it has pushed defense software to require constant connection and more extensive control.

That deeper access also introduces a far higher possibility that security software—and updates to that software—will crash the whole system, says Matthieu Suiche, head of detection engineering at the security firm Magnet Forensics. He compares running malicious code detection software at the kernel level of an operating system to “open-heart surgery.”

Yet it’s nonetheless surprising that a kernel driver update would be able to cause such a massive global computer crash, says Costin Raiu, who worked at Russian security software firm Kaspersky for 23 years and led its threat intelligence team before leaving the company last year. During his years at Kaspersky, he says, driver updates for Windows software were closely scrutinized and tested for weeks before they were pushed out.

More importantly, they require that Microsoft also vet the code and cryptographically sign it, suggesting that Microsoft, too, may well have missed whatever bug in CrowdStrike’s Falcon driver triggered this outage. “It’s surprising that with the extreme attention paid to driver updates, this still happened,” says Raiu. “One simple driver can bring down everything. Which is what we saw here.”

A Microsoft spokesperson told WIRED that the “CrowdStrike update was responsible for bringing down a number of IT systems globally,” and added that “Microsoft does not have oversight into updates that CrowdStrike makes in its systems,” without further explanation of whether Microsoft does in fact inspect and sign kernel driver updates.

Raiu adds that even so, CrowdStrike is far from the only security firm to trigger Windows crashes with a driver update. Updates to Kaspersky and even Windows’ own built-in antivirus software Windows Defender have caused similar Blue Screen of Death crashes in years past, he notes. “Every security solution on the planet has had their CrowdStrike moments,” Raiu says. “This is nothing new but the scale of the event.”

Cybersecurity authorities around the world have issued alerts about the disruption, but have similarly been quick to rule out any nefarious activity by hackers. “The NCSC assesses that these have not been caused by malicious cyber attacks,” Felicity Oswald, CEO of the UK’s National Cyber Security Center, said. Officials in Australia have come to the same conclusion.

Nevertheless, the impact has been sweeping and dramatic. Around the world, the outages have been spiraling as companies, public bodies, and IT teams race to fix bricked machines, which involves manually taking machines through a series of corrective steps, including rebooting. In the UK, Israel, and Germany, health care services and hospitals saw systems that they use to communicate with patients disrupted, and canceled some appointments. Emergency services in the US using 911 have reportedly had problems with their lines too. In the earliest hours of the outages, some TV stations, including Sky News in the UK, stopped live news broadcasts.

Global air travel has been one of the most impacted sectors so far. Huge lines formed at airports around the world, with one airport in India using handwritten boarding passes. In the US, Delta, United, and American Airlines grounded all flights at least temporarily, with a dramatic graphic showing air traffic plummeting above the US.

The catastrophic situation reflects the fragility and deep interconnectedness of the internet. Numerous security practitioners told WIRED that they anticipated or even worked with clients to attempt to protect against a scenario where defense software itself caused cascading failures as a result of malicious exploitation or human error, as is the case with CrowdStrike. “This is an incredibly powerful illustration of our global digital vulnerabilities and the fragility of core internet infrastructure,” says Ciaran Martin, a professor at the University of Oxford and the former head of the UK’s National Cyber Security Center.

The ability of one update to trigger such massive disruption still puzzles Raiu. According to Gartner, a market research firm, CrowdStrike accounts for 14 percent of the security software market by revenue, meaning its software is on a wide array of systems. Raiu suggests that the Falcon update must have triggered crashes in other parts of web infrastructure, which could have multiplied the disaster. “CrowdStrike is big, but it can’t be this big,” Raiu says. “Airports, critical infrastructure, hospitals. It cannot be just CrowdStrike everywhere. I suspect we’re seeing a combination of factors, a cascading effect, a chain reaction.”

Hyppönen, from WithSecure, says his “guess” is that the issues may have happened due to “human error” in the update process. “An engineer at CrowdStrike is having a really bad day,” he says. Hyppönen suggests that CrowdStrike could have shipped software different to what they had been testing or mixed up files, or there could’ve been a combination of different factors. “Software like this has to go through extensive testing,” Hyppönen says. “That's what we do. That's what CrowdStrike, of course, does. You have to be really careful about what you ship, which is tough to do because security software is updated very frequently.”

While many of the impacts of the outage are ongoing and still unraveling, the nature of the problem means that individually impacted machines may need to be rebooted manually rather than through an automated process. “It could be some time for some systems that just automatically won’t recover,” CrowdStrike CEO Kurtz told NBC.

The company’s initial “workaround” guidance for dealing with the incident says Windows machines should be booted in a safe mode, a specific file should be deleted, and then rebooted. “The fixes we’ve seen so far mean that you have to physically go to every machine, which will take days, because it’s millions of machines around the world which are having the problem right now,” says Hyppönen from WithSecure.

As system administrators race to contain the fallout, the larger existential question of how to prevent another, similar crisis looms large.

“People may now demand changes in this operating model,” says Jake Williams, vice president of research and development at the cybersecurity consultancy Hunter Strategy. “For better or worse, CrowdStrike has just shown why pushing updates without IT intervention is unsustainable.”

_Update 7/19/2024, 11am ET: Added comment from Microsoft saying that the Azure outage and the CrowdStrike kernel driver issue are unrelated._

_Update 7/19/2024, 12:30pm ET: Added further comment from Microsoft about its lack of oversight of CrowdStrike's updates._

_Update 7/19/2024, 3:45pm ET: Updated to clarify that Amazon Web Services was not impacted by the CrowdStrike update, according to the company._

How One Bad CrowdStrike Update Crashed the World’s Computers

A software update from cybersecurity company CrowdStrike appears to have inadvertently disrupted IT systems globally.

The outages could result in “millions” being lost by organizations impacted who have had to halt their operations or stop business, says Lukasz Olejnik, an independent cybersecurity consultant, who says the CrowdStrike update appears to be linked to its Falcon Sensor product. The Falcon system is part of CrowdStrike’s security tools and can block attacks on systems, according to the company.

“It reminds us about our dependence on IT and software,” Olejnik says. “When a system has several software systems maintained by various vendors, this is equivalent to placing trust on them. They may be a single point of failure—like here, when various firms feel the impact.”

The outage stemming from the CrowdStrike update has had a huge knock-on impact on public services and businesses around the world. Scores of airports are facing delays and long queues, with one passenger in India sharing a hand-written boarding pass that they have been issued. In the hours after the outages first emerged, more than 4,000 flights around the world have been canceled, although not all of them may have been directly linked to the disruption.

A defective CrowdStrike kernel driver sent computers around the globe into a reboot death spiral, taking down air travel, hospitals, banks, and more with it. Here’s how that’s possible.

Within health care and emergency services, various medical providers around the world have reported issues with their Windows-linked systems, sharing news on social media or their own websites. The US Emergency Alert System, which issues hurricane warnings, said that there had been various 911 outages in a number of states. In Portland, mayor Ted Wheeler declared a city emergency as a result of some of the outages, although also said many systems were being restored. White House officials say president Joe Biden has been "briefed" on the CrowdStrike outages and his team is monitoring the situation.

Germany’s University Hospital Schleswig-Holstein said it was canceling some nonurgent surgeries at two locations. In Israel, more than a dozen hospitals have been impacted, as well as pharmacies, with reports saying ambulances have been rerouted to unimpacted medical organizations.

In the UK, NHS England has confirmed that GP appointment and patient record systems have been affected by the outages. One hospital has declared a “critical” incident after a third-party IT system it used was impacted. Also in the country, train operators have said there are delays across the network, with multiple companies being impacted.

Indicating the far-reaching nature of the disruption, the organizers of the Paris Olympics, which is due to start next week, said that its systems have been impacted in a “limited way.” According to a statement from the organizers, the affected systems are linked to the delivery of uniforms and its ticketing system hasn’t been impacted.

Among other services, CrowdStrike provides endpoint detection and response (EDR) to companies around the world. This EDR technology runs on thousands of “endpoints”—such as computers, ATMs, and internet-of-things devices—and scans them to identify real-time threats, such as malicious activity from cybercriminals. The company has more than 24,000 customers around the world.

Cybersecurity researcher Kevin Beaumont posted on X that he has seen a copy of the CrowdStrike update that was issued and says the file isn’t properly formatted and “causes Windows to crash every time.” Beaumont says, in further posts, that it appears there isn’t an automated way to fix the issues, at least currently. This may mean that impacted machines need to be manually rebooted before they can come back online, a process that could take hours or days depending on the impacted entity.

Brody Nisbet, the director of overwatch at CrowdStrike, also posted on X indicating that the workaround fix the company had issued involves booting up Windows machines into safe mode, finding a file called “C-00000291\*.sys,” deleting it, and then rebooting the machine normally. “There is a fix of sorts so some devices in between BSODs should pick up the new channel file and remain stable,” Nisbet posted.

_Update 7/19/24 1:35pm ET: This story has been updated with further comment from Microsoft, and additional details about the outage's impacts._

Huge Microsoft Outage Linked to CrowdStrike Takes Down Computers Around the World

The Republican VP nominee's Venmo network reveals connections ranging from the architects of Project 2025 to enemies of Donald Trump—and the populist's close ties to the very elites he rails against.

US senator J.D. Vance, an Ohio Republican and former US president Donald Trump’s pick for vice president, has a public Venmo account that gives an unfiltered glimpse into his extensive network of connections with establishment GOP heavyweights, wealthy financiers, technology executives, the prestige press, and fellow graduates of Yale Law School—precisely the elites he rails against. A WIRED analysis of the account, the people listed as Vance’s friends, and, in turn, the people listed as _their_ friends highlights sometimes bizarre and surprising connections. Experts, meanwhile, worry that the information revealed by the peer-to-peer payment app raises the potential for stalking, trolling, and impersonation.

More than 200 people appear on Vance’s Venmo “friends” list. Among them is Amalia Halikias, government relations director at the Heritage Foundation—the conservative think tank coordinating the controversial Project 2025. So is an assistant US attorney for the Southern District of New York, among many other lawyers for the Department of Justice, frequently decried by Trump loyalists as enemies and part of the “deep state.” So are Jeff Flake, the famously anti-Trump former Arizona senator and current ambassador to Turkey; lobbyists from organizations like the Government Strategies Group; people affiliated with other conservative think tanks like the Hoover Institution and the American Enterprise Institute; journalists and media personalities like Bari Weiss and former Fox News host Tucker Carlson; and tech executives from Anthropic and AOL. (None of these people responded to requests for comment.)

Lanny Davis, a well-known political operative and former lawyer for Trump antagonist Michael Cohen, is among those who denied being Venmo friends with Vance despite seemingly appearing in Vance's contacts. (The account in question, which Davis declined to confirm or deny was his, was also linked to someone named Michael Cohen.) This points to one important caveat—being friends on Venmo does not mean two people have transacted together, or even know the payment app has designated them as friends.

According to Venmo, when someone first uses the app, they are prompted to allow it to access their phone contacts. If they agree, Venmo will find any contacts already using the app and automatically populate the user’s friend list. Users can also intentionally add or remove friends. Along with the user’s transactions, their friends list is public by default. This means it’s likely that Vance’s list of friends was largely populated by the contacts in his phone when he set up his account in December of 2016.

Vance’s Venmo account was first discovered by a law enforcement and extremism researcher who asked to remain anonymous, citing security concerns. WIRED verified the senator’s account through its connections to his wife, Usha Vance, as well as actors or producers in the 2020 film adaptation of his 2016 memoir, _Hillbilly Elegy_. In total, Vance is connected directly to 211 people.

On Monday, Trump officially named Vance as his pick for vice president, reflecting the prominence of the party’s growing populist wing. Vance has frequently positioned himself as anti-elite, writing in _Hillbilly Elegy_: “Sometimes I view members of the elite with an almost primal scorn.” In an April post on X, Vance, who graduated Yale Law School in 2013, condemned “elite universities,” calling them “expensive day care centers for coddled children.” His network is largely made up of attorneys, the vast majority of whom received their law degrees from Yale Law around the same time he did.

Despite his anti-elite stance, Vance's connections reveal a more complex relationship with establishment figures. At the same time, as the former president distances himself from Project 2025—a right-wing policy roadmap aiming to purge the federal government and reshape the executive branch and turn the US into what critics characterize as a Christian nationalist autocratic state—Vance’s Venmo network reveals his ties not just to Halikias but to others associated with a maximalist interpretation of MAGA. Gladden Pappin, for instance—president of the Hungarian Institute of International Affairs and a figure with close ties to the intellectual wing of the far right—shows up as one of Vance’s friends.

Senator Vance’s office declined to comment on the record for this story. In an interview with Newsmax earlier this month, he said that the Project 2025 document has good ideas in it, as well as things he disagrees with. Vance did not elaborate on what exactly those good or bad ideas are. At the time of publication, Vance’s Venmo account remains fully public.

Vance’s friends have an average of 277 friends each. This wider network of associates shows an extended web of accounts who share names with high-profile political figures like Cohen, Nick Ayers, Todd Ricketts, and Michael Flynn Jr., as well as far-right activists like Project Veritas founder James O'Keefe, Laura Loomer, and Ali Alexander.

“What you guys need to realize is that Vance is influenceable,” wrote Andrew Torba on X. Torba is the founder of Gab, a social network popular with conspiracy theorists and Christian nationalists. He has long promoted antisemitic content on his social media accounts. “We have plenty of people in his orbit. Plenty of our guys can be put into positions of power because he’s there.”

“This appears to be his actual personal contacts," says Jordan Libowitz, the vice president of communications for Citizens for Responsibility and Ethics in Washington, or CREW. He notes that the data found on Venmo is much more personal than what campaigns typically share through official channels, warning that “the more personal data that is public about someone the more points of pressure or influence there are on that person.”

Few of Vance’s transactions are public, and those that are seem mundane, like a payment to a staff member for doughnuts in January. WIRED also uncovered the Venmo account of his former Senate campaign manager, Jordan Wiggins, which shows a more extensive and occasionally eyebrow-raising transaction history, including more than 50 payments from as early as 2015, some labeled for things like “Back waxing & Happy Ending," and "adult 🎥". While these descriptions are likely jokes between friends, Wiggins didn’t respond to a request for comment.

After WIRED reached out to Vance’s Senate office on Wednesday, Wiggins made his account transactions private.

Experts say that the visibility of Vance’s account could create problems for the high-profile individuals connected to it. “Access to anyone’s social connections can reveal sensitive private information and expose them to security risks,” Jennifer Lynch, general counsel at civil liberties nonprofit the Electronic Frontier Foundation, tells WIRED. High-profile politicians like Vance, Lynch argues, may be especially prone to social engineering attacks and impersonation. “If someone who is a candidate for vice president hasn’t changed his privacy settings, I don't know how a company can expect the rest of us to stay on top of this.”

This is far from the first time a government official’s Venmo account and list of friends has been discovered by the public. In 2017, the account of Sean Spicer, a former press secretary to Trump, was sent scores of joke payments through the app. In 2021 the Daily Beast reported that US representative Matt Gaetz had used Venmo to send payments to a person who was later convicted of sex trafficking a minor. (Gaetz, WIRED found, is friends with at least five people in Vance’s contact list.)

Last year, the Guardian reported that several lawyers, including one who successfully challenged race-conscious admissions at universities, used Venmo to pay a top aide to Supreme Court Justice Clarence Thomas. (The payments appeared to be related to a holiday party.)

Privacy advocates at the EFF have long criticized Venmo for its permissive privacy settings and the associated risks. It wasn't until reporters at BuzzFeed News found president Joe Biden and his family members on the app in 2021 that Paypal, the company that owns Venmo, allowed users to make their friends lists private. Even now, this option is not the default setting and must be manually adjusted.

In a statement, Venmo spokesperson Caitlin Girouard tells WIRED that “Venmo takes our customers’ privacy very seriously, which is why we let customers choose their privacy settings—and we make it incredibly simple for customers to make their account private if they choose to do so.”

In spite of the attention Venmo’s privacy shortcomings have garnered, it seems like many haven’t gotten that message. WIRED easily identified other high-profile individuals through Venmo, such as former NSA director and Open AI board member Paul Nakasone.

J.D. Vance Left His Venmo Public. Here’s What It Shows

US prosecutors have charged Michail Chkhikvishvili, also known as “Commander Butcher,” with a litany of crimes, including alleged attempts to poison Jewish children in NYC.

Federal prosecutors in Brooklyn on Tuesday unsealed a sweeping felony indictment against the 20-year-old they say is the head of a violent Eastern European skinhead gang implicated in a number of assaults and attacks abroad, some of them fatal. The gang, known asManiac Murder Cult or MKY, is connected to the com/764 pedophilia network, with at least one killing in Romania directly connected to MKY.

Michail Chkhikvishvili, otherwise known as “Commander Butcher,” “Michael,” and “Mishka,” was arrested on an Interpol warrant on July 6 in Chișinău, Moldova, for allegedly conspiring to solicit attacks on homeless people, Jews, and other racial minorities in New York City, distributing explosives-making instructions, and making violent threats in online conversations with an undercover FBI employee. One plot prosecutors say he concocted with the undercover fed involved poisoning Jewish children by handing out tainted candy while dressed as Santa Claus on New Year’s Eve 2023.

Chkhikvishvili remains in custody in Moldova—which has previously collaborated with the US on the extradition of noncitizens—and has yet to be extradited to the United States and make his first appearance in court. He has not been assigned an attorney. If convicted, he faces a potential sentence of decades in an American prison.

The feds allege that Chkhikvishvili tried to incite the undercover agent into additional attacks with either edged weapons or molotov cocktails and that he claimed that the planned attack would be a “bigger action than Breivik,” referring to Anders Breivik, the Norwegian neo-Nazi who killed 77 people in 2011.

According to the FBI, MKY adheres to a “neo-Nazi accelerationist ideology and promotes violence and violent acts against racial minorities, the Jewish community, and other groups it deems “Undesirables.” Much like other accelerationist militants such as the Atomwaffen Division and The Base, MKY seeks to destabilize society through violence and terrorism. It was founded in the Ukrainian city of Dnipro by Yegor Krasnov and is accused of many homicides and assaults in both Russia and Ukraine. In their Telegram channels, MKY members lionized in-person violence and distributed how-to guides on committing violent assaults and shootings, causing maximum harm to victims, and how perpetrators could cover their tracks. Committing and documenting such an attack is the criteria for admittance to MKY.

Courtesy of Department of Justice

There are extensive ties between MKY and 764. That alliance was developed by Chkhikvishvili himself, particularly through contact with two 764 members who went by the handles of “Xor” and “Kush,” both of whom remain unidentified. “Tobbz,” a troubled young German who killed an elderly woman and stabbed a man in 2022, had also joined MKY, according to reporting by Der Spiegel and Recorder.

The US Attorney’s office for New York’s Eastern District is also prosecuting two related cases: the child abuse and CSAM distribution case against 764 member Angel Almeida, whose Fall 2021 arrest was the feds’ first glimpse into the world of com, 764, and MKY; and the case against Nicholas Welker, the alleged former head of the neo-Nazi group Feuerkrieg Division, who was convicted in April for threatening a Brooklyn-based journalist. According to court records, Welker and Chkhikvishvili were in contact from July 2022 to March 2023, when Welker was arrested and charged.

Chkhikvishvili, a Georgian national, was present in the United States in 2022, according to an affidavit by FBI special agent Erica Dobin of the New York City Joint Terrorism Task Force. US authorities say he visited his girlfriend in California in March and April of that year, information the FBI learned after interviewing the young woman about her virulent neo-Nazi social media posts. Shortly thereafter, Chkhikvishvili traveled to Brooklyn, where he stayed with his grandparents and worked in a rehab facility taking care of an elderly Orthodox Jewish patient. “I’m working in rehab center privately in Jewish family,” he messaged another neo-Nazi in July 2022, according to the criminal complaint. “I get paid to torture dying jew, I think I almost killed him today.” The government says Chkhikvishvili sent multiple images of the patient to his fellow extremist. The patient died later that year, though the government does not allege that Chkhikvishvili caused his death.

It is unclear when Chkhikvishvili left the United States. Federal prosecutors give his place of residence as Tbilisi, Georgia, even though he was arrested in a Balkan country on the opposite side of the Black Sea.

In allegedly urging the undercover fed to commit acts of violence and record them, Chkhikvishvili repeatedly emphasized the lethal level of violence MKY members employed in their attacks, prosecutors say. “We murder they larp,” he allegedly wrote to another extremist while comparing MKY to another neo-Nazi group, referring to “live action role play.” Even while allegedly planning the mass poisoning scheme with the undercover FBI agent, prosecutors say, Chkhikvishvili did not shy away from the potential “heat” the undercover agent warned it would bring on MKY: “That’s what we exactly want,” he wrote in reply.

Alleged ‘Maniac Murder Cult’ Leader Indicted Over Plot to Kill Jews

After the Supreme Court limited the power of federal agencies to craft regulations, it’s likely up to Congress to keep US cybersecurity policy intact.

To protect America’s vital infrastructure from hackers without relying on a moribund Congress, the Biden administration bet big on creative uses of existing laws. But the Supreme Court probably blew up that approach.

President Joe Biden’s strategy relied on agencies interpreting the laws that give them regulatory powers to include cybersecurity, with the expectation that courts would defer to their interpretations of those laws under a decades-old legal doctrine known as Chevron deference.

But in a landmark case decided in late June, _Loper Bright Enterprises v. Raimondo_, the United States Supreme Court’s conservative supermajority eliminated Chevron deference and ordered courts to determine for themselves what ambiguous laws say—without assigning nearly as much weight to agencies’ interpretations.

Now, that controversial ruling could completely upend multiple agencies’ plans to require better cybersecurity from critical infrastructure entities like hospitals, water systems, and power plants. It could even help corporate America overturn existing rules aimed at keeping hackers off cloud platforms, securing pipelines and airports, and improving disclosures of major breaches.

“There’s the possibility of lawsuits to test the waters in a lot of regulations,” says Harley Geiger, counsel with the Center for Cybersecurity Policy and Law. “It definitely becomes much more difficult to regulate on critical infrastructure cybersecurity in areas where there is not sound or clear statutory backing.”

**Landmark Cyber Program Under Threat**

Biden’s marquee cyber regulation may also be his most endangered: a pending requirement for critical infrastructure organizations to report cyberattacks within 72 hours and ransomware payments within 24 hours.

The regulation, authorized by the 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), is meant to close massive gaps in the government’s awareness of the cyberattacks plaguing US companies every day. But when the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released the proposed rule in April, the business community slammed it for going further than lawmakers intended. By the time the public comment period closed earlier this month, many companies and trade groups had urged CISA to pare back the rule—with some of them even citing the _Loper Bright_ ruling.

The criticism mostly focused on three aspects of the rule that could represent its biggest vulnerabilities in a future lawsuit: the definition of a “covered entity” subject to the reporting requirements, the definition of a “covered incident” that needs to be disclosed, and the list of information that needs to be reported. Businesses say CISA used much broader language for these three provisions than Congress intended.

“They have gone well beyond the text,” says one cybersecurity-focused attorney, who requested anonymity because they represent clients in disputes with federal agencies. “There's a lot of vulnerable aspects to it.”

Senate Homeland Security Committee chair Gary Peters, whose panel led the drafting of CIRCIA, added to the regulation’s legal peril when he filed a public comment saying that “the proposed rule is overbroad and needs additional clarity,” including on the definitions of covered incidents and covered entities. Peters’ objections are significant, because courts analyzing unclear laws will likely lean heavily on congressional intent.

It’s unclear if CISA will back down in the face of these headwinds. A spokesperson says the agency is “still assessing” the _Loper Bright_ ruling “and any potential impacts that this may have on the agency’s rulemaking actions.” The spokesperson says the final regulation will be “consistent with authorities given to us by Congress.”

CISA officials “seem quite committed to the scope that they're aiming for, because they really seem to view it as important to their mission,” says Stephen Lilley, a partner at the law firm Mayer Brown who focuses on cyber matters. Even so, he added, “CISA now has to be thinking, have we pushed too far in light of these recent decisions, and do we need to be a bit more modest in our ambitions?”

The consequences of a government retreat are hard to predict but potentially serious. Scaled-back CIRCIA requirements could exempt more companies from reporting or reduce the amount of information they have to report, easing the burden on those organizations but weakening the government’s understanding of digital threats.

Most experts predict only modest changes. “I would expect them to try to make as limited a reaction as their lawyers say they need to make,” Lilley says.

Still, it’s clear that the officials behind the government’s biggest-ever cyber regulation—due to be finalized by October 2025—are on notice.

“There's no way that CISA takes the next \[14\] months to develop this rule without considering the effect of _Loper Bright_ and the loss of Chevron deference,” Geiger says.

**Planes, Trains, and Cloud Services**

While CISA’s incident reporting mandate has attracted the lion’s share of post–_Loper Bright_ attention, the ruling threatens a host of other existing and pending cyber regulations.

The Department of Health and Human Services is working on a rule that would condition hospitals’ receipt of federal Medicare and Medicaid funding on their compliance with cyber requirements. The closely watched HHS rule represents the Biden administration’s attempt to stem a massive tide of ransomware attacks on hospitals and the rest of the health care sector. But the powerful hospital industry has objected to new mandates, saying they will overly burden already struggling facilities. Few details are known about the rule—including its exact legal basis—so it’s unclear whether HHS has been rewriting it to address _Loper Bright_.

Corporate America’s most-loathed cyber regulation is the Securities and Exchange Commission’s 2023 rule requiring publicly traded companies to announce cyber incidents with a “material” impact within four business days. That rule may be safe from new lawsuits, given the SEC’s clear legal authority to require the disclosure of information that materially affects stock prices. But Geiger says companies might instead challenge the SEC’s authority to penalize companies for hacks, since the underlying law and regulation don’t mention cybersecurity. (The SEC declined to comment for this story.)

Lawsuits could also hit the Transportation Security Administration over its cyber requirements for pipeline, rail, and aviation operators. The TSA significantly modified its emergency directives to address industry criticism, but as the agency codifies those directives in more formal rules, disgruntled companies could seize the chance to sue. “There’s not a history of that agency doing cyber, and there’s not a great statutory hook to point to,” says the cyber attorney, who cited “a lot of frustration” with the TSA’s “perpetual invocation of an ongoing but undescribed emergency” to justify the requirements. (The TSA declined to comment.)

The Commerce Department could hit a legal snag with its proposal to require cloud companies to verify their customers’ identities and report on their activities. The pending rule, part of an effort to clamp down on hackers’ misuse of cloud services, has drawn industry criticism for alleged overreach. A major tech trade group warned Commerce that its “proposed regulations risk exceeding the rulemaking authority granted by Congress.” (Commerce declined to comment.)

Lawsuits could also target other regulations—including data breach reporting requirements from the Federal Trade Commission, the Federal Communications Commission, and financial regulators—that rely on laws written long before policymakers were thinking about cybersecurity.

“A lot of the challenges where the agencies are going to be most nervous \[are\] when they’ve been interpreting something for 20 years or they newly have interpreted something that’s 30 years old,” says the cyber attorney.

The White House has already faced one major setback. Last October, the Environmental Protection Agency withdrew cyber requirements for water systems that industry groups and Republican-led states had challenged in court. Opponents said the EPA had exceeded its authority in interpreting a 1974 law to require states to add cybersecurity to their water-facility inspections, a strategy that a top White House cyber official had previously praised as “a creative approach.”

**All Eyes on Congress**

The government’s cyber regulation push is likely to run headlong into a judicial morass.

Federal judges could reach different conclusions about the same regulations, setting up appeals to regional circuit courts that have very different track records. “The judiciary itself is not a monolith,” says Geiger, of the Center for Cybersecurity Policy and Law. In addition, agencies understand cutting-edge tech issues much better than judges, who may struggle to parse the intricacies of cyber regulations.

There is only one real solution to this problem, according to experts: If Congress wants agencies to be able to mandate cyber improvements, it will have to pass new laws empowering them to do so.

“There is greater onus now on Congress to act decisively to help ensure protection of the critical services on which society relies,” Geiger says.

Clarity will be key, says Jamil Jaffer, the executive director of George Mason University’s National Security Institute and a former clerk to Supreme Court Justice Neil Gorsuch. “The more specific Congress gets, the more likely I think a court is to see it the same way an agency does.”

Congress rarely passes major legislation, especially with new regulatory powers, but cybersecurity has consistently been an exception.

“Congress moves very, very slowly, but it’s not completely passive \[on\] this front,” Lilley says. “There's a possibility that you will see meaningful cyber legislation in particular sectors if regulators are not able to move forward.”

One major question is whether this progress will continue if Republicans seize unified control of the government in November’s elections. Lilley is optimistic, pointing to the GOP platform’s invocation of securing critical infrastructure with heightened standards as “a national priority.”

“There's a sense across both sides of the aisle at this point that, certainly in some of the sectors, there has been some measure of market failure,” Lilley says, “and that some measure of government action will be appropriate.”

Regardless of who controls Capitol Hill next January, the Supreme Court just handed lawmakers a massive amount of responsibility in the fight against hackers.

“It's not going to be easy,” Geiger says, “but it's time for Congress to act.”

The US Supreme Court Kneecapped US Cyber Strategy

A hacker group called “NullBulge” says it stole more than a terabyte of Disney’s internal Slack messages and files from nearly 10,000 channels in an apparent protest over AI-generated art.

A group calling itself “NullBulge” published a 1.1-TB trove of data late last week that it claims is a dump of Disney's internal Slack archive. The data allegedly includes every message and file from nearly 10,000 channels, including unreleased projects, code, images, login credentials, and links to internal websites and APIs.

The hackers claim they got access to the data from a Disney insider and named the alleged collaborator. A person with that name who lists Disney as their current employer did not return WIRED's request for comment. Whether the hackers actually had inside help remains unconfirmed; they could also have plausibly used info-stealing malware to compromise an employee's account. Disney did not confirm the breach or return multiple requests for comment about the legitimacy of the stolen data. A Disney spokesperson told the Wall Street Journal that the company “is investigating this matter.”

The data, which appears to have been first published on Thursday, was posted on BreachForums and later taken down, but it is still live on mirror sites.

Roei Sherman, field CTO at Mitiga Security, says he isn't surprised that a giant like Disney could have a breach of this scale and significance. “Companies are getting breached all the time, especially data theft from the cloud and software-as-a-service platforms,” he says. “It is just easier for attackers and holds bigger rewards."

Sherman, who reviewed the data in the leak, added that “all of it looks legit—a lot of URLs, conversations of employees, some credentials, and other content.”

The NullBulge site says that it is a “hacktivist group protecting artists’ rights and ensuring fair compensation for their work.” The group claims it hacks only targets that violate one of three “sins.” First: “We do not condone any form of promoting crypto currencies or crypto related products/services.” Second: “We believe AI-generated artwork harms the creative industry and should be discouraged.” And third: “Any theft from Patreons, other supportive artist platforms, or artists in general.”

The group's “wall of knowledge,” where it lists its data dumps, summarizes the philosophy: “What better way to punish someone than getting them in trouble eh?” Previously, the group targeted the Indian content creator Chief Shifter with a “first shaming.” Then in May, NullBulge posted a “second punch” and teased the Disney breach. “Here is one I never thought I would get this quickly … Disney. Yes, that Disney,” NullBuldge wrote, suggesting that the group may be a single person. “The attack has only just started, but we have some good shit. To show we are serious, here is 2 files from inside.”

In addition to the alleged Slack data, NullBulge posted what appears to be detailed information about the individual whom they claim provided the insider access and data. The leak includes medical records and other personally identifying information, plus the alleged contents of the alleged Disney employee's 1Password password manager. NullBulge claims to have doxxed the individual in retaliation for cutting off communication and access, although whether the employee actually collaborated with the group in the first place remains unconfirmed.

Security researchers have long warned about corporate Slack accounts as a treasure trove for attackers if compromised. The popular team communication platform is owned by Salesforce and is used by an array of prominent organizations, including IBM, Capital One, Uber, and Disney rival Paramount.

“Disney will probably be targeted a lot more now by opportunistic threat actors,” Sherman warns.

Hackers Claim to Have Leaked 1.1 TB of Disney Slack Messages

Senator Mark Warner is trying to pass new limits on when the government can wiretap Americans. At least two senators are quietly trying to stop him.

Members of the United States Senate have been working for more than a month to shore up safeguards against further misuse of the US government’s most consequential surveillance program. Those efforts have hit a snag, however, with at least two Republican senators now privately objecting to the changes—provisions that seek to impose new limits on the US government’s power to wiretap communications between Americans and foreigners overseas.

In a bipartisan move, Senate Intelligence Committee members approved two provisions last month aimed at addressing what legal experts describe as troubling inadequacies in the Foreign Intelligence Surveillance Act (FISA), the key authority by which the US intelligence community can direct certain companies to secretly intercept calls, texts, and emails on the government’s behalf. The provisions were introduced last week as part of a must-pass piece of legislation authorizing various intelligence activities for the coming fiscal year.

One of the provisions seeks to clarify what types of businesses can be subjected to the wiretap orders—companies the government commonly refers to as “electronic communication service providers,” or ECSPs. The intelligence community has sought for years to expand the definition of the term in order to enlist the aid of new companies, and succeeded in doing so after a heated congressional fight this spring over the FISA wiretap program known as Section 702.

Privacy experts argue that the government drastically overshot its mark, creating ambiguity in FISA that threatens to ensnare limitless categories of new companies and individuals—anyone, virtually, deemed a “custodian” of equipment capable of storing and carrying the data it seeks.

Legal experts such as Marc Zwillinger, one of the few private attorneys to ever appear before the nation’s secret surveillance court, noted in April that the changes were likely to vastly increase the number of Americans whose communications are being wiretapped—communications that the government claims not to “target” but to merely intercept “incidentally.”

WIRED has learned from multiple sources that a Republican senator filed an objection to the provision addressing this issue, a “fix” that would limit the range of businesses subject to wiretap orders to those referenced in a 2022 FISA court opinion. As secret law, the exact nature of these businesses remains classified; however, it is widely believed that the government was seeking the power to compel the cooperation of US-based data centers in addition to service providers like AT&T and Google, which are among the more traditional targets of FISA directives.

WIRED could not immediately confirm the identity of the Republican senator objecting to the proposal, but understands they serve on a committee of jurisdiction. The judiciary holds jurisdiction over FISA, while the intelligence committee owns the amendment carrying the provision, the Intelligence Authorization Act (IAA). The IAA is passed annually, normally as a standalone bill, but is slated to be attached this year as an amendment to another piece of must-pass legislation, the National Defense Authorization Act, which Congress is aiming to vote on by fall.

The Senate’s practices for the approving of amendments prior to a floor vote are somewhat obscure and often informal, differing depending on the committee. In this case, a single objection by a member of the intelligence committee is likely enough to see it struck. Objections filed with committee leaders are typically kept private.

A Senate source with knowledge of the ongoing negotiations, granted anonymity because they are not authorized to speak on the record, tells WIRED that Senate practices for passing controversial amendments have grown increasingly nebulous in recent years, blaming the desire of many lawmakers to avoid scrutiny for their positions on contentious issues. Senate leaders may, for example, use substitute amendments to strike down or add language to a bill in place of a process that previously required a public vote.

In an effort to salvage the Section 702 program, Senate Intelligence Committee chair Mark Warner urged lawmakers in May to temporarily set aside concerns about the ECSP language, one impetus behind this year’s drawn-out congressional fight that delayed renewal of the 702 program for half a year, threatening to sunset the authority after a temporary extension last winter. In remarks to the press and to colleagues on the Senate floor, Warner, a Democrat of Virginia, promised to address the concerns this summer, vowing to reporters that he was “absolutely committed” to refining the text that experts like Zwillinger warned would expand the intelligence community’s authority beyond reason.

Successfully attaching the new language to the IAA in June, Warner appeared to follow through with his promise.

“As Senator Warner expressed during the 702 debate, and as evidenced by his efforts to include these provisions in the committee-passed IAA, he supports these measures and remains committed to working through any challenges that may arise ahead of the full vote in the Senate,” said Warner’s press secretary, Valeria Rivadeneira.

Zwillinger tells WIRED that any backtracking by the Senate over the ECSP concerns is likely to impact the public’s trust in the intelligence community’s word during future FISA debates. “The overbroad ECSP definition added during the reauthorization of Section 702 should be narrowed,” he says, noting that “even its sponsors had agreed to narrow it to the specific circumstances that generated the amendment.”

**Friends of the Secret Court**

A second provision approved by Senate intel members in June—and now similarly under threat—aims to ensure the FISA court more reliably calls upon attorneys like Zwillinger to provide advice about the impact of FISA surveillance on Americans’ civil liberties. These experts, known as amici curiae (literally “friends of the court”), are a common feature in US courts, used by judges to gain insight into key issues surrounding difficult cases, often when civil rights are involved. Unlike typical amici, experts called to submit briefs before the FISA court are few and far between, with the law demanding that they be eligible for access to classified information.

The law currently directs the FISA court to appoint an amicus when presented with a “novel or significant” concern, unless it finds that doing so is “not appropriate.” The new provision, however, would create a presumption that the court more reliably appoints amici when a government request for surveillance presents “exceptional” constitutional concerns, or when the government intends to directly target an American.

Last week, WIRED confirmed that Senator John Cornyn, whose committee assignments include both judiciary and intelligence, was the source of an objection to the new amicus language, threatening to scuttle the changes. Another Senate source with knowledge of the objection says that Cornyn is specifically concerned about delays that he believes will result from the court’s increased reliance on the amici, viewing the process as potentially tying up cases in discovery battles as experts vie with the government for access to classified files.

The source adds that Cornyn claims the new rules threaten to grant foreign nationals greater rights than those of criminal defendants, something that foreign adversaries could exploit. It is unclear, however, by what method Cornyn believes a foreign adversary might gain insight into the court’s proceedings. Information presented in the hearings are among the nation’s most closely guarded secrets.

Noah Chauvin, a former intelligence counsel for the US Department of Homeland Security, dismissed Cornyn’s concerns as overblown and, in some cases, invalid. “In almost every instance, the presumption that amici will be appointed applies to a circumstance where the surveillance targets a US person,” he says. The only exception is when the surveillance presents a “novel or significant interpretation of the law.”

Even when amici avail themselves of new appellate rights laid out in the provision, however—after objecting, for instance, to a new method of surveillance certified by the court—the process would not inhibit the government from continuing to intercept communications under FISA. Instead, the surveillance would continue under the last certification issued by the court, even if it has already expired.

Amici's right to access information is relatively narrow, says Chauvin, now an assistant professor at the Widener University Commonwealth Law School in Pennsylvania. He notes that the government has the ability to prevent delays at any time by simply providing experts with the information they need in advance, rather than forcing the court to debate what it’s required to disclose. While relying on constitutional experts more frequently may slow down the process in certain instances, he says, that is also largely the point. “To the extent \[amici\] create friction, making it more difficult for the government to access Americans’ private information without demonstrating to a court that such access is necessary—that’s a feature, not a bug.”

Notably, FISA proceedings are, for obvious reasons, conducted ex parte, meaning the target of a surveillance order has no presence or representation in court. This arguably heightens the need for the court to rely on advice from subject matter experts when it’s confronted with unprecedented uses of communications technologies, which are constantly evolving.

WIRED reached out to the White House, National Security Council, and Office of the Director of National Intelligence for comment on the possible fate of provisions, but has not received a response.

With regards to other concerns raised by Cornyn, such as the fact that the amici are not required to have specific intelligence-collection experience, Senate sources defending the new text noted that’s nothing new. While some experts called up by the FISA court have that experience, others are tapped for their knowledge of privacy and civil liberties or their expertise in communications technology. Ultimately, it’s the court’s prerogative to determine what “legal or technical expertise” is necessary depending on the matter at hand, so long as that person is “eligible for access to classified information.”

Experts and multiple Senate sources noted that the amicus provision approved by the Senate Intelligence Committee last month was effectively a watered-down version of an amendment introduced by senators Mike Lee and Patrick Leahy four years ago. For instance, that amendment would have directed the FISA court to appoint an amicus in cases where the government sought to surveil a congressional staffer—no longer the case. Such “sensitive investigative matters” now extend purely to elected officials and political candidates, in addition to members of political, news, and religious organizations.

Notably, the much stronger Lee–Leahy amendment passed the Senate in 2020 by a wide margin: 77–19. “That's how uncontroversial this provision is,” says Liza Goitein, a FISA expert and senior director at the Brennan Center of Justice at New York University School of Law. “This is a commonsense, good-government measure that is overwhelmingly supported by lawmakers on both sides of the aisle.”

Goitein says the concerns about delays resulting from the amici challenging FISA decisions are also exaggerated. “There's no appeal right,” she says. “They can _petition_ the FISA court to certify the case for review. The FISA court can say no, so the FISA court can police this and determine whether it's going to cause undue delay or not.”

Senate sources say discussions over the provisions will continue throughout the week as staffers attempt to hammer out a resolution. The timeline for a vote on the full package of amendments to the NDAA remains unclear, though Senate staffers cited rumors that leadership would attempt to force a vote by the end of July. That said, lawmakers just received the notoriously voluminous text last week, raising serious doubts about the chamber’s ability to move the bill before its August recess. That it’s a mystery as to which party will control the Senate following the November election only serves to add friction to the process.

Sean Vitka, policy director at the nonprofit Demand Progress, notes that the 702 surveillance program was reapproved by Congress only after Warner vowed to address both the ECSP and amicus concerns this year. “Concerns that these modest-but-critical fixes are somehow too privacy-protective, when in fact they explicitly give spy agencies exactly what they asked for, are so ill-informed they blow past bad faith and border on incoherence,” he says.

If the objections hold, Vitka says, the next US president will retain “one of the most dangerous spying powers to ever exist.” The consequences of failing to implement these provisions, he warns, “could be catastrophic.”

US Senators Secretly Work to Block Safeguards Against Surveillance Abuse

A security researcher who assisted with the deal says he believes the only copy of the complete dataset of call and text records of “nearly all” AT&T customers has been wiped—but some risks may remain.

US telecom giant AT&T, which disclosed Friday that hackers had stolen the call records for tens of millions of its customers, paid a member of the hacking team more than $300,000 to delete the data and provide a video demonstrating proof of deletion.

The hacker, who is part of the notorious ShinyHunters hacking group that has stolen data from a number of victims through unsecured Snowflake cloud storage accounts, tells WIRED that AT&T paid the ransom in May. He provided the address for the cryptocurrency wallet that sent the currency to him, as well as the address that received it. WIRED confirmed, through an online blockchain tracking tool, that a payment transaction occurred on May 17 in the amount of 5.7 bitcoin. Chris Janczewski, head of global investigations for crypto-tracing firm TRM Labs, also confirmed using the company's own tracking tool that a transaction occurred in the amount of about 5.72 bitcon (the equivalent of $373,646 at the time of the transaction), and that the money was then laundered through several cryptocurrency exchanges and wallets, but said there was no indication of who controlled the wallets.

A security researcher who asked to be identified only by his online handle, Reddington, also confirmed that a payment occurred. The hacker enlisted him to serve as the go-between for their negotiation with AT&T, and Reddington received a fee from AT&T for serving in that capacity. Reddington provided WIRED with proof of the fee payment. The hacker initially demanded $1 million from AT&T but ultimately agreed to a third of that.

WIRED viewed the video that the hacker says he provided to AT&T as proof to the telecom that he had deleted its stolen data from his computer. Reddington says he believes it was the entire AT&T dataset that Binns allegedly stole because the hacker and Binns stored the data in a cloud server that they both could access, and he says the hacker deleted it from that server.

AT&T did not respond to WIRED’s request for comment.

It was indirectly through Reddington that AT&T learned about the data theft three months ago.

Reddington tells WIRED that in mid-April, an American hacker living in Turkey and believed to be John Erin Binns—not the hacker who received payment—contacted him to say that he had obtained Reddington's AT&T call logs. After Reddington verified that the call logs were real, Binns allegedly told Reddington that he had also obtained call and texting logs of millions of other AT&T customers through a poorly secured cloud storage account hosted by Snowflake. Reddington notified the security firm Mandiant about the breach, and Mandiant then notified AT&T. In a regulatory filing it made to the Securities and Exchange Commission on Friday, AT&T said that it first learned of the breach in April.

AT&T is one of more than 150 companies that are believed to have had data stolen from poorly secured Snowflake accounts during a hacking spree that unfolded throughout April and May. It's been previously reported that the accounts were not secured with multi-factor authentication, so after the hackers obtained usernames and passwords for the accounts, and in some cases authorization tokens, they were able to access the storage accounts of companies and siphon their data. Ticketmaster, the banking firm Santander, LendingTree, and Advance Auto Parts were all among the victims publicly identified to date.

Reddington has facilitated a number of negotiations between the hackers and victims of the Snowflake account breaches. He says Binns asked him to contact AT&T “to facilitate a buyback of the data,” and that “given the importance of the data” and the potential for harm, “I felt an obligation to ensure he did not sell the data to anyone else.”

He notes that the sequence of events indicates that Ticketmaster’s Snowflake account was likely the first one breached in the campaign, after which the hackers targeted AT&T and others.

“Analysis of the data samples \[the hackers\] provided from other victims indicated that the hack of Ticketmaster occurred first,” he tells WIRED. “From there, it seems the actors figured out they could target ‘snowflakecomputing.com’ domains by looking for stolen credentials. It did not take them long to compile a list and write a script to hit all of the Snowflake victims simultaneously.”

The stolen AT&T data included call and text messaging metadata, but not the content of calls or messages or the names of the phone owners, according to AT&T’s SEC filing. Reddington alleges that Binns demonstrated how easily he could identify the owners of the numbers using a reverse-lookup program that identified by name the family members, colleagues, and others attached to the phone numbers who communicated with them.

The stolen data included telephone numbers of “nearly all” of AT&T's cellular customers and the numbers of customers of other wireless carriers who exchanged calls or messages with those AT&T customers between May 1, 2022, and October 31, 2022, as well as on January 2, 2023, according to the company. It also included the landline phone numbers that communicated with the affected AT&T customers during this period. The data included dates for the communication and the duration of calls. “For a subset of the records, one or more cell site ID numbers associated with the interactions are also included,” the company said in a blog post. Cell site IDs reveal which cell towers a phone pings and can potentially be used to identify a phone user’s general location and movements.

News of the breach became public on Friday only when AT&T disclosed it in its blog post and SEC filing. Although public companies are required to report breaches to the SEC after learning about them, AT&T wrote that the Department of Justice had granted it exemptions in May and June to delay notification due to a potential national security or public safety harm if the breach were revealed. The FBI told CNN that AT&T had contacted the bureau shortly after learning about the hack, but the bureau wanted to review the data to determine what had been taken and assess any potential harm before AT&T disclosed it publicly and to the SEC.

The hacker who received the payment from AT&T alleges that Binns was responsible for the breach and shared samples of the data with him and others after downloading it. He says he believes Binns allegedly stole "several billions" of records from AT&T, though WIRED was unable to confirm this. Reddington understands that the data that was deleted was the only complete dataset taken by the hackers. Reddington says he does not believe the hackers posted the data publicly, though he's not sure how many people received excerpts of the data Binns allegedly provided or what they did with it.

Despite the payment and deletion, some AT&T customers and those who communicated with them may still be at risk, given that others may have samples of the data that were not deleted.

The hacker who spoke with WIRED obtained payment from AT&T instead of Binns because, he says, in an odd twist to the case, Binns was arrested in Turkey in May for an unrelated breach dating back to 2021. That one involved a massive theft of data from T-Mobile. AT&T said in its SEC filing that it believed “at least one person” associated with the breach had already been apprehended, but didn't identify him. 404 Media was first to report on Friday that Binns is allegedly that person.

Binns was indicted in 2022 on 12 counts related to the 2021 hack of T-Mobile "and theft and sale of sensitive files and information" that involved data on more than 40 million people. Binns, however, had moved from the US to Turkey in 2018 with his Turkish mother, according to an interview he gave three years ago to The Wall Street Journal. The indictment remained sealed until this year. Last September, the US learned he could possibly be arrested in Turkey and extradited to the US because he didn’t have Turkish citizenship. Prosecutors in Seattle, near where T-Mobile is based, asked a US court in December to unseal parts of the indictment so they could give it and an arrest warrant to Turkish authorities who were making the final decision on whether Binns could be extradited legally under Turkish law. The court granted the request to unseal in January.

The hacker who received payment from AT&T tells WIRED he believes Binns was arrested in Turkey around May 5, since Binns hasn't responded to any attempts by him and others to contact him. WIRED contacted the Seattle public defender representing Binns in the T-Mobile case but did not receive a reply.

Binns has had contact with US authorities on a number of occasions and has accused the CIA and other agencies of wild conspiracies to harm and entrap him. As part of a 2020 FOIA lawsuit against the FBI, CIA, and US Special Operations Command to obtain records he claimed they held about him, Binns claimed that CIA contractors spied on him, experimented on him, harassed him, and that one of them pointed a “psychotronic weapon” at his head and used a microwave oven to shock him, among other allegations. He later filed a motion to dismiss his FOIA case, claiming he had filed some documents while “experiencing a psychological episode brought on by intoxication.”

Last October, in the T-Mobile case, Binns wrote to the US District Court in Seattle and said he believed his actions were affected by a chip that had been implanted in his brain when he was an infant. In a certified letter sent to the court and viewed by WIRED, Binns told the judge that he believed a “wireless brain (basal gangliea) stimulation implant or device implanted” shortly after he was born was responsible for “erratic behavior to include irresistible impulses, artificial neurological problems, and the possible commission of crimes.”

The timeline suggests that if Binns is responsible for the AT&T breach, he allegedly did it when he was likely already aware that he was under indictment for the T-Mobile hack and could face arrest for it.

AT&T Paid a Hacker $370,000 to Delete Stolen Phone Records

Plus: The Heritage Foundation gets hacked over Project 2025, a car dealership software provider seems to have paid $25 million to a ransomware gang, and authorities disrupt a Russian bot farm.

But that’s not all. Each week, we round up the security news we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

For the third time since 2010, spyware vendor mSpy has suffered a substantial data breach, this time exposing millions of customers and prospective users around the globe, many of whom appear to have used the software to snoop on others. The leaked trove, published by transparency group Distributed Denial of Secrets, contains potentially terabytes of data apparently stolen from mSpy’s customer support system, Zendesk. It reveals names, email addresses, customer support tickets and documentation, and more.

Unlike military-grade spyware, like NSO Group’s infamous Pegasus, mSpy is a consumer product that’s often marketed as a way for parents to keep tabs on their children’s phone usage. But its customer base isn’t necessarily limited to nosey parents. Among the data is evidence that US government entities at least inquired about using the software, including the Social Security Administration, Immigration and Customs Enforcement personnel, and a US federal judge. Given the amount of data exposed by the leak, expect more revelations to trickle out.

**“Gay Furry Hackers” Annoy the Heritage Foundation**

The Heritage Foundation—a right-wing think tank whose “Project 2025” plan for molding the US into what critics describe as an autocratic Christian nationalist state ruled by an Über President Donald Trump—suffered a minor cyberattack this week at the gloved hands of self-described “gay furry hackers.” The breach itself appears to have been fairly minor—2 gigabytes of data taken from a blog called the Daily Signal. Much of it was “useless,” according to “vio,” one of the hackers with the group SeigSec, which said it targeted the Heritage Foundation because “Project 2025 threatens the rights of abortion health care and LGBTQ+ communities in particular.” Still, the intrusion apparently irked Heritage columnist Mike Howell, whose alleged chat with “vio” was leaked and later shared by Howell. SeigSec, which previously targeted a US nuclear lab and NATO, now says it is disbanding.

**Car Dealership Software Firm Appears to Have Paid $25M to Ransomware Gang**

Victims of ransomware attacks only have two choices, and both of them are bad: Refuse to pay the attackers and try to claw your way back without access to your systems and data, or pay up and hope they give you the decryption keys—and don’t leak your data anyway. CDK Global, which provides software to US car dealerships, seems to have picked the latter option. According to researchers at crypto tracing firm TRM Labs, CDK sent 387 bitcoin, worth around $25 million, to an account believed to be controlled by the BlackSuite ransomware gang. CDK has not confirmed the payment, but if accurate it would be at least the second major payment to ransomware gangs this year. In March, Change Healthcare paid a $22 million ransom to help end the disruption to medical facilities across the US. The problem with paying—besides costing a literal fortune—is that it can encourage more ransomware attacks. In fact, following Change Healthcare’s payment, researchers at security firm Recorded Future saw the largest spike in ransomware attacks targeting the health care industry in the four years that it has tracked the criminal activity. The catch, of course, is that paying can work: CDK indicated last week that nearly all of the 15,000 dealerships it works with are back online.

**DOJ Disrupts “AI-Enhanced” RT Bot Farm**

The US Department of Justice announced on Tuesday that US, Canadian, and Dutch authorities seized two domains used to operate a “bot farm” allegedly created by RT, the Russian state media organization, and operated by Russia’s Federal Security Service (FSB). The DOJ says it identified 968 social media accounts linked to the bot farm that were used to amplify RT content online. The RT bot farm was created in 2022, according to the DOJ, and commandeered by an FSB agent in 2023. It is unclear what impact the bot farm had, and the DOJ says its investigation is ongoing.

Spyware Users Exposed in Major Data Breach

Telecom giant AT&T says a major data breach has exposed the call and text records of “nearly all” of its customers, epitomizing the dire state of data security.

From targeted wiretaps to bulk surveillance dragnets, phone companies have been at the center of privacy concerns for decades—and their time in the limelight isn't over yet. On Friday, telecom giant AT&T announced that it recently suffered a data breach impacting call and text messaging records of “nearly all” its customers. The company is in the process of notifying about 110 million people that they were affected.

AT&T said in a US Securities and Exchange Commission filing that it learned about the data breach on April 19. Attackers exfiltrated data between April 14 and April 25. The company said in its SEC submission that the US Justice Department authorized delayed disclosure of the breach on May 9 and again on June 5, pending investigation. AT&T added that it is “working with law enforcement in its efforts to arrest those involved in the incident.” So far, “at least one person has been apprehended.”

“Yeah, this is really bad,” says Jake Williams, vice president of research and development at the cybersecurity consultancy Hunter Strategy. “What the threat actors stole here are essentially call data records. These are a gold mine in intelligence analysis because they allow someone to understand networks—who is talking to whom and when. And threat actors have data from previous compromises to map phone numbers to identities. But even without identifying data for a phone number, closed networks—where numbers _only_ communicate with others in the same network—are almost always interesting.”

The incident is significant not only because of its sheer scale and reach but because AT&T says it is the latest in a staggering spate of data thefts that resulted from attackers compromising organizations’ Snowflake cloud accounts. Snowflake is a data warehousing platform, and attackers collected its customers’ account credentials in recent months to steal hundreds of millions of records from about 165 Snowflake clients, including Ticketmaster, Santander bank, and LendingTree’s QuoteWizard.

The AT&T data is from both landline and cellular accounts and spans May 1, 2022, to October 31, 2022. A smaller, undisclosed number of people also had records from January 2, 2023, stolen in the breach. The company said on Friday that the data trove “does not contain the content of calls or texts” and does not include the date and time of communications. But attackers did make off with phone numbers and a massive amount of so-called “metadata” about calls and texts, including who contacted whom, call durations, and tallies of a customer’s total calls and texts. The trove also includes some cell site identification numbers—essentially cell tower data that can be used to approximate a cellphone's location when it made or received a call or text.

The data includes some records of people who are customers of phone carriers—known as “mobile virtual network operators”—that contract with AT&T to use the larger company's networks and infrastructure for their service. And, crucially, the stolen trove exposes people who have no relationship with AT&T when they communicated with an AT&T customer during the relevant time spans.

Though the breach is not a worst-case scenario in every possible way—the data does not, for example, include identifying customer information like Social Security numbers—it could be a gold mine for attackers looking to construct compelling phishing attacks and other scams to target individuals or specific communities of people. And the breach underscores that even without the contents of communications, leaked metadata still has major implications for people's privacy and security. This is why privacy advocates have long made a distinction between communication platforms—namely, the secure messaging app Signal—that are designed to generate the absolute bare minimum of metadata, versus other communication platforms that don't curtail metadata use to the same degree. This even includes other end-to-end encrypted services like WhatsApp.

The Google-owned cybersecurity firm Mandiant investigated the string of Snowflake account intrusions and said in June that financially motivated criminal hackers, tracked under the name UNC5537, are behind the attacks. The group used info-stealing malware to grab credentials for companies’ Snowflake accounts and then easily logged into any accounts that didn't have two-factor authentication enabled. The security feature was turned off by default on Snowflake accounts. Snowflake has since put new multifactor authentication policies in place.

AT&T emphasizes that it “does not believe” the data stolen in the breach is publicly available. But that doesn't mean that it poses no threat from the actor that stole it. On Friday, the US Cybersecurity and Infrastructure Security Agency released an alert about the situation. And, though only a handful of victims of the Snowflake rampage have come forward, hackers have already been advertising, trying to sell, and demanding ransoms from impacted companies over data stolen from their Snowflake accounts. Actors including ShinyHunters and another account going by the handle Sp1d3rHunters have been advertising the data on the cybercrime marketplace BreachForums, which was recently resurrected after being taken down by law enforcement, and demanding companies pay millions for the data to be removed.

_Additional reporting by Matt Burgess._

Source

Wired