Along with other foreign influence operations—including from Iran—Kremlin-backed campaigns to stoke division and fear have gone into overdrive.

As the 2024 US presidential election comes to a close, and with Donald Trump on the ballot once again, Russian actors are spreading disinformation with unprecedented and alarming intensity—and US officials say that the Kremlin’s efforts to undermine confidence in the election and foment unrest are likely to continue into January.

Russian disinformation operations have had a prominent presence in United States elections since the Kremlin’s sea-changing influence campaign during the 2016 presidential race between Hillary Clinton and Trump. But with so much scrutiny and investigation into that operation’s mechanics and impact—including the use of hack-and-leak tactics against the Democratic National Committee, Clinton campaign, and other targets—Russia was less technically aggressive and more focused on influence operations in the midterms and 2020 presidential election. That momentary respite is now over.

In calls with reporters on Monday night and Tuesday, as well as in public statements, US intelligence and law enforcement officials working on election security warned repeatedly that foreign influence actors including Iran, but “particularly Russia,” are ramping up their activity with an “increasing volume of inauthentic content online.” And while officials say they haven't detected cyberattacks beyond floods of junk traffic, or DDoS attacks, attempting to knock election-related sites offline, Russian activity has become increasingly menacing.

On Tuesday morning, for example, Georgia secretary of state Brad Raffensperger attributed multiple bomb threats against two Georgia polling places to Russia. The threats were deemed non-credible, but they briefly disrupted voting at the two poll sites. The FBI added later on Tuesday that poll sites in “several states” faced non-credible bomb threats that appeared to “originate from Russian email domains.”

“It is a greater scope and scale of foreign influence operations we have seen in 2024 than in prior cycles, and yes, Russia presents, in terms of our adversaries, the greatest degree of capability and sophistication,” Cait Conley, senior adviser to the director of the Cybersecurity and Infrastructure Security Agency (CISA), told reporters in a call on Tuesday afternoon. “Overall, I think the range of tactics we are seeing being employed, and the level of sophistication, is greater than prior cycles.”

In a joint statement on Monday evening, the Office of the Director of National Intelligence, CISA, and the FBI emphasized that “Russia is the most active threat” to the US election. “Influence actors linked to Russia in particular are manufacturing videos and creating fake articles to undermine the legitimacy of the election, instill fear in voters regarding the election process, and suggest Americans are using violence against each other due to political preferences,” they wrote.

The agencies cited some specific examples of content from Russian influence campaigns. One was a fake interview with someone purporting to be a former aide to Arizona secretary of state Adrian Fontes, claiming a vast election fraud campaign involving the manufacture of fake overseas ballots. Another involved alleged Russian influence actors amplifying an article that falsely claimed US officials in swing states were committing election fraud using a variety of tactics, including ballot stuffing and cyberattacks.

A video claiming to show evidence of fraud in Georgia was also linked to “Russian influence actors” in late September. Last month, experts also credited Russia-aligned propaganda network Storm-1516 with amplifying baseless claims that Minnesota governor and vice presidential candidate Tim Walz previously assaulted one of his former students.

In a press release on Tuesday morning, the FBI also warned about two videos circulating online featuring fake press releases purporting to be from the bureau. Officials did not attribute the videos to a specific actor but said that both are “promoting false narratives surrounding the election.” One claims to be a terrorist warning from the FBI urging Americans to “vote remotely” due to “a high terror threat at polling stations.” The second video also contains a fabricated FBI press release and claims that the management of five prisons in Pennsylvania, Georgia, and Arizona “rigged inmate voting and colluded with a political party.”

US government officials have called out Russian influence operations and other foreign malign activity surrounding elections before, but never with the speed and consistency of this election cycle. The FBI has been putting out multiple alerts a week in recent weeks, and CISA alone is holding four briefings with the press on Tuesday along with an Election Threat Updates landing page to centralize information.

“It’s reassuring to see the attribution process move so quickly,” says John Hultquist, who leads threat intelligence at Google-owned cybersecurity firm Mandiant. “More than anything, the speed suggests a strong familiarity with threat actors who may be struggling to carry out a serious surprise and hide their hand in these operations. It’s important to expose these operations while taking care not to give them a boost. The biggest struggle for these actors is almost always their ability to generate attention.”

As CISA’s Conley told reporters, US foreign adversaries are focused on “undermining American confidence in American democracy and pitting Americans against one another … With all of the noise and disinformation out there, what Americans need to realize is that your state and local election official is the signal through that noise. That is your source for authoritative information on election security—on election administration. So if there are questions, that is who the American people should be turning to for the authoritative answers.”

_You can follow all of WIRED's 2024 presidential election coverage here._

Russia Is Going All Out on Election Day Interference

Alexander “Connor” Moucka was arrested this week by Canadian authorities for allegedly carrying out a series of hacks that targeted Snowflake’s cloud customers. His next stop may be a US jail.

For much of this summer, a mysterious group of hackers carried out a landmark spree of major data breaches, all targeting customers of the cloud data storage company Snowflake. Now one alleged hacker—whom experts believe to be the ringleader of that group—has been arrested in Canada, and he may be on his way to a US court.

On Monday, Bloomberg and 404 Media reported that a Canadian man named Alexander Moucka, who also goes by the name Connor Moucka, was detained at the end of October on a provisional arrest warrant. Moucka then appeared in a court hearing today, November 5, as part of extradition proceedings, 404 Media first reported.

Under the hacker handles Waifu and Judische, Moucka is believed to be a notorious figure in the cybercriminal underground, says Allison Nixon, a security researcher and the chief research officer at security firm Unit 221B, who has long tracked his online activity. She alludes to Moucka’s alleged hacking activity going back years prior to the Snowflake breaches. “I was waiting for this one,” says Nixon. “Waifu was the leader of a group who was responsible for many major intrusions over the last half decade.”

Suspicious activity linked to Snowflake customer accounts was first spotted in April, according to a June report by Google-owned security company Mandiant, which was employed by Snowflake to jointly investigate the hacking. The first unknown victim’s Snowflake systems had been accessed using login details that were previously taken by infostealer malware, the report says. Over the next couple of chaotic months more than 165 Snowflake customers, according to Mandiant’s report, potentially had data they stored in Snowflake’s systems exposed or stolen. Hundreds of millions of records from AT&T, Santander, Ticketmaster owner Live Nation Entertainment, and more were accessed in the hacking spree.

Mandiant’s report in June said that the majority of the compromised Snowflake accounts did not have multifactor authentication turned on, and credentials gathered from infostealer logs—some dating back to 2020—were used to access them. Since the breaches, Snowflake has updated its systems to require multifactor authentication to be turned on by default.

A spokesperson for Snowflake tells WIRED it has no comment on the arrest. Ian McLeod, a spokesperson for Canada’s Department of Justice, says Moucka was arrested following a request by the United States. “As extradition requests are considered confidential state-to-state communications, we cannot comment further on this case,” McLeod says.

The cybersecurity firm Mandiant, a subsidiary of Google that has investigated the Snowflake breaches, referred to the hacker behind them as UNC5537, and the company's threat intelligence analyst Austin Larsen describes him in a statement to WIRED as “one of the most consequential threat actors of 2024.”

“The operation, which left organizations reeling from significant data loss and extortion attempts, highlighted the alarming scale of harm a single individual can cause using off-the-shelf tools,” Larsen adds.

While the hacker behind the Waifu and Judische handles has been linked to a Canadian identity for several months, they are believed to not be the only person linked to the Snowflake incidents. As WIRED reported in July, American hacker John Binns was allegedly involved in the Snowflake-related AT&T breach, which saw the company pay out more than $300,000 to have millions of stolen customer records deleted. (Binns was previously arrested in Turkey after the US indicted him for a 2021 breach of T-Mobile). Unit 221B’s Nixon says she’s aware of other members of the cybercriminal gang who remain at large.

According to Nixon, Waifu, now alleged to be Moucka, emerged from a cybercriminal community known as “the Com,” an underground network of young hackers and trolls active on platforms like Telegram and Discord and responsible for hacking and other digital crimes including ransomware, SIM swapping, cryptocurrency theft, sextortion, and harassment. The ransomware group known as Scattered Spider, which is responsible for highly disruptive extortion attacks against victims including MGM Entertainment and Caesars Entertainment, is among several criminal subgroups linked to the Com. “These are people who treat criminal statutes like a checklist,” says Nixon.

“I know that he’s been in the Com for a very long time, closer to a decade. He clearly spent his former teenage years being part of this culture,” Nixon says of Moucka, whom she says is now in his 20s. “When people grow up in the Com, this is how they turn out.”

As Nixon tracked Waifu and his associates over the past year, she says that he at one point made an operational security or “opsec” slipup that may have led law enforcement to his identity—though she declined to say what that mistake was or exactly when it occurred. Waifu subsequently tried to cover up this accidental reveal with false leads and misinformation posted to Telegram, what he described as “well poison.” But Nixon says law enforcement has nonetheless been aware of Moucka’s identity since at least early July. “If you make an opsec mistake, it’s done. You can’t bury it under a lot of bullshit you post later,” says Nixon. “All it’s accomplished is to show that he knew that what he was doing was wrong.”

While Moucka’s arrest is far from the end of the Com, Nixon says she sees it as a potentially important move in responding to the chaos that the larger criminal network has inflicted. Waifu, she says, was an example of a larger principle she’s observed in the cybercriminal world, that a small minority of criminals are often responsible for the majority of harms.

“This particular case is significant because they’ve picked up one of that tiny minority that causes disproportionate harm,” she says. “That’s why this is a good start. We need to arrest more of these disproportionately harmful actors.”

_Updated 3:55 pm EST, November 5, 2024: Added a statement from Mandiant._

Man Arrested for Snowflake Hacking Spree Faces US Extradition

A bug that WIRED discovered in True the Vote’s VoteAlert app revealed user information—and an election worker who wrote about carrying out an illegal voter-suppression scheme.

An app developed by the right-wing nonprofit True the Vote to crowdsource claims of voter fraud contained a security flaw that exposed the email addresses of all users who posted or commented on the platform, along with other information.

The vulnerability, which has since been patched, exposed a California election officer who used the app to post about her racist and illegal scheme to demand IDs from certain voters based on perceived citizenship status. California does not require voters to show identification in most cases. Election officials are now investigating the incident, WIRED has learned.

The app, VoteAlert, is the latest initiative from True the Vote, a Texas-based nonprofit founded by Catherine Engelbrecht, a once-fringe right-wing figure who helped to mainstream the modern election denial movement. Known for promoting election conspiracy theories without substantiating evidence, the organization has repeatedly touted technology to legitimize its claims of widespread voter fraud, even though it has refused to present proof when challenged.

WIRED discovered the data exposure while reviewing VoteAlert’s public-facing code. When loading new posts, VoteAlert inadvertently returned the email addresses of users who submitted reports or comments, making them visible to anyone who inspected the site’s source code.

True the Vote did not directly address specific questions about the data exposure, content posted to the app, or the likely election official using the tool to post about their illegal scheme to check citizenship status. Instead, a spokesperson attributed the leak to an issue with an infinite scroll feature introduced over the weekend, which they said “temporarily affected the configuration.” When WIRED pointed out that the exposure had been ongoing for several weeks, True the Vote did not respond further. The issue has since been resolved, and emails are no longer visible.

Prior to being patched, the flaw exposed at least 146 user email addresses of people who posted claims of voter fraud and commented on the site. WIRED’s analysis of the app’s content revealed 186 user-submitted reports of fraud and more than 200 more comments left on those reports, suggesting that the app has a relatively small user base. However, for these niche users, VoteAlert has become a hub for posting unverifiable and misleading claims about supposed election irregularities.

In one claim debunked by the New York Times, a user alleged that a Dominion voting machine displayed mismatched “public” and “private” vote counters—a feature Dominion says does not exist. Another post, now deleted, claimed a bake sale at a Delaware polling place was intended to sway votes, a potential violation of election law. ProPublica and Wisconsin Watch later reported that the photo included with the post was at least seven years old.

In a since-deleted VoteAlert post reviewed by WIRED, a user wrote: “I’m probably going to be fired for this but I was hired by the Riverside County Registrar of Voters as an Election Officer in Hemet, CA. Since I’m in charge at this polling center, I’m asking for citizenship ID of anyone that looks suspiciously like they’re not here legally.”

The post went on to suggest that the Riverside County Sheriff’s Office wouldn’t intervene in her scheme. “It’s just a drop in the bucket but I’m going to do my part to stop election fraud,” she wrote. “Wish me luck🙏”

WIRED traced the email associated with the post to a California woman who describes herself as a person who is “FED UP with all the bullsh\*t,” according to one app profile. “You’re only getting the hard, smack-your-face TRUTH from me.”

The woman, whose name WIRED is not publishing because it was revealed through a security flaw, did not respond to requests for comment.

In a phone call, Riverside County public information officer Elizabeth Florer confirmed that the county had hired an election worker matching WIRED’s findings, and committed to ensuring all election laws are followed, confirming that the county is investigating the incident. Florer added that additional personnel have now been deployed to the Hemet polling center to provide oversight and ensure strict compliance with election laws.

True the Vote is perhaps best known for its role in the widely debunked film _2,000 Mules_. The film relied heavily on the group’s research to allege that “ballot mules” were paid to fraudulently collect and deliver ballots for Democratic candidates in key swing states during the 2020 election. However, an investigation by the Associated Press found that the film was based on flawed and improper analysis of cell phone location data. After a defamation lawsuit, the film’s publishers, Salem Media Group, retracted the film, removing it from its platforms, and said there wouldn't be any future distribution of the book. They also issued an apology to a voter falsely portrayed as illegally voting in the film.

Undeterred, in 2022 True the Vote launched a web app called IV3, which it claimed led to the challenge of hundreds of thousands of voter registrations. A WIRED analysis found that the app’s methodology was unreliable and prone to error, with experts warning that IV3 weaponizes public data and is more likely to remove eligible voters from the rolls than to detect widespread fraud—a problem they note is virtually nonexistent in the US.

In records obtained by the nonprofit group American Oversight and shared with WIRED, in May 2024, an individual with the username “Totes Legit Votes” apparently used IV3 to challenge the eligibility of 5,000 people in Florida.

True the Vote has struggled to provide courts with meaningful evidence to substantiate its claims of widespread voter fraud.

In 2021, the group filed a complaint with Georgia’s secretary of state, alleging widespread illegal ballot stuffing in Atlanta during the 2020 election and subsequent runoff. However, when ordered by a judge to provide evidence, True the Vote admitted it had no names or documentation to support its claims.

The following year, court marshals arrested True the Vote founder Engelbrecht and board member Gregg Phillips after they defied a court order to produce evidence in a defamation case brought by the software company Konnech. The lawsuit accused True the Vote of falsely claiming that Konnech stored US election workers’ personal information on an unsecured server in China.

_You can follow all of WIRED's 2024 presidential election coverage here._

Flaw in Right-Wing ‘Election Integrity’ App Exposes Voter-Suppression Plan and User Data

When you download a piece of pirated software, you might also be getting a piece of infostealer malware, and entering a highly complex hacking ecosystem that’s fueling some of the biggest breaches on the planet.

On October 20, a hacker who calls themselves Dark X said they logged in to a server and stole the personal data of 350 million Hot Topic customers. The following day, Dark X listed the data, including alleged emails, addresses, phone numbers, and partial credit card numbers, for sale on an underground forum. The day after that, Dark X said Hot Topic kicked them out.

Dark X told me that the apparent breach, which is possibly the largest hack of a consumer retailer ever, was partly due to luck. They just happened to get login credentials from a developer who had access to Hot Topic’s crown jewels. To prove it, Dark X sent me the developer’s login credentials for Snowflake, a data warehousing tool that hackers have repeatedly targeted recently. Alon Gal from cybersecurity firm Hudson Rock, which first found the link between infostealers and the Hot Topic breach, said he was sent the same set of credentials by the hacker.

The luck part is true. But the claimed Hot Topic hack is also the latest breach directly connected to a sprawling underground industry that has made hacking some of the most important companies in the world child’s play.

AT&T. Ticketmaster. Santander Bank. Neiman Marcus. Electronic Arts. These were not entirely isolated incidents. Instead, they were all hacked thanks to “infostealers,” a type of malware that is designed to pillage passwords and cookies stored in the victim’s browser. In turn, infostealers have given birth to a complex ecosystem that has been allowed to grow in the shadows and where criminals fulfill different roles. There are Russian malware coders continually updating their code; teams of professionals who use glitzy advertising to hire contractors to spread the malware across YouTube, TikTok, or GitHub; and English-speaking teenagers on the other side of the world who then use the harvested credentials to break into corporations. At the end of October, a collaboration of law enforcement agencies announced an operation against two of the world’s most prevalent stealers. But the market has been able to grow and mature so much that now law enforcement action against even one part of it is unlikely to make any lasting dent in the spread of infostealers.

Based on interviews with malware developers, hackers who use the stolen credentials, and a review of manuals that tell new recruits how to spread the malware, 404 Media has mapped out this industry. Its end result is that a download of an innocent-looking piece of software by a single person can lead to a data breach at a multibillion-dollar company, putting Google and other tech giants in an ever-escalating cat-and-mouse game with the malware developers to keep people and companies safe.

“We are professionals in our field and will continue to work on bypassing future Google updates,” an administrator for LummaC2, one of the most popular pieces of infostealer malware, told me in an online chat. “It takes some time, but we have all the resources and knowledge to continue the fight against Chrome.”

**The Stealers**

The infostealer ecosystem starts with the malware itself. Dozens of these exist, with names like Nexus, Aurora, META, and Raccoon. The most widespread infostealer at the moment is one called RedLine, according to cybersecurity firm Recorded Future. Having a prepackaged piece of malware also dramatically lowers the barrier to entry for a budding new hacker. The administrator of LummaC2, which Recorded Future says is in the top 10 of infostealers, said it welcomes both beginner and experienced hackers.

Initially, many of these developers were interested in stealing credentials or keys related to cryptocurrency wallets. Armed with those, hackers could empty a victim’s digital wallets and make a quick buck. Many today still market their tools as being able to steal bitcoin and have even introduced OCR to detect seed phrases in images. But recently those same developers and their associates figured out that all of the other stuff stored in a browser—passwords to the victim’s place of work, for example—could generate a secondary stream of revenue.

“Malware developers and their clients have realized that personal and corporate credentials, such as login details for online accounts, financial data, and other sensitive information, hold substantial value on the black market,” RussianPanda, an independent security researcher who follows infostealers closely, told 404 Media. Infostealer creators pivoted to capture this information too, she said. In essence, the exhaust from cryptocurrency-focused heists has created an entire new industry in its own right that is causing even more destruction across healthcare, tech, and other industries.

Some stealers then sell these collected credentials and cookies, or logs, themselves via bots on Telegram. Telegram, rather than acting as simply a messaging app, provides critical infrastructure for these teams. The entire process from buying to selling stolen logs is automated through Telegram bots. Telegram did not respond to a request for comment.

Infostealers are not especially hard to write, but the malware developers constantly butt heads with engineers inside tech giants, such as Google, who are trying to stop them from stealing users’ credentials.

In July, for example, Google Chrome rolled out an update that was designed to lock applications other than Chrome—including malware—from accessing cookie data. For a moment, Chrome had the upper hand. LummaC2 gave its users some workarounds, but none were a reliable fix. Some malware developers make their grievances known more explicitly. In one update, a pair of infostealers included the phrase “ChromeFuckNewCookies” in their malware’s code.

“It's a little bit of a cat and mouse, but we think that this is a game that we want to play as much as we can if the outcomes remain positive,” Will Harris, staff software engineer on Google Chrome, said. “We want to protect users, obviously, as much as we can.” That doesn’t just come in securing Chrome itself and protecting more data from infostealers. It also includes “disruption,” such as more researchers writing about infostealers’ particular techniques, which in turn constrains the tools available to the malware developers. Releasing updates one by one on a regular basis, rather than all at once, can also disrupt the malware developers. Instead of the criminal coders knowing what they need to fix all in one go, they can never be quite sure what Google is going to clamp down on next, wasting more of their time.

After one update, a lot of the customers of a stealer were “extremely upset, and they \[the malware makers\] had to work nights on coming up with a bypass,” Harris said. He added that one stealer, called Vidar, increased the cost of its tool too. “We have to stay agile here. I mean the infostealers are moving fast on this as well, and we want to be keeping up with them, and I think we are able to in this case,” he said.

He also pointed specifically to Microsoft Windows. “When you compare Windows with, say, Android, or with ChromeOS, or even macOS, those platforms have this strong application isolation.” Meaning, that malware has a harder time stealing data from other parts of the system. “We noticed on Windows, which was obviously a major platform for us, that these protections didn’t exist.”

In an email, a Microsoft spokesperson said, “In addition to the hardware-backed baseline requirements for all Windows PCs—such as, TPM, Secure Boot, and virtualization-based security, there are many security features now enabled by default in Win11 which makes it more difficult for info-stealers. Our guidance is that users should run as Standard User and not Admin on their Windows device. Running standard user means users (and apps being used by users) can make changes to their computer but do not have full system access by default, so that info stealers will not have the full access required to make it easy to steal the data that they are after.”

Infostealer malware for Mac does exist, but to a much smaller degree, according to Recorded Future.

A malware creator may have an effective piece of software in their hands. But ultimately getting that software onto victims’ computers is the job of someone else.

**The Traffers**

With electronic rap music playing in the background, a man stretches his hands forward and leans back into a chair. The camera pans around their alleged apartment: huge floor-to-ceiling windows in a large dining room, wood-paneled floors, and a funky chandelier. In another shot the man opens a laptop, types away, and then takes a sip of what looks like whiskey. The implication: This could be you if we work together.

This is one of a dizzying number of adverts on an underground forum called Lolz where “traffers” gather to look for new recruits. In this case, the man in the video is looking for people to push a fake casino tool that can steal people’s funds. But much of the rest of the “traffers” section is dedicated to proliferating infostealers. The job of these contractors is to help spread the malware or get them traffic, with teams vying for attention in a crowded marketplace. Each tries to one-up the other with outrageous advertising and branding. They use names such as “Billionaire Boys Club,” “Baphomet,” and “Chemodan.” Their adverts include animated GIFs of computer-generated luxury cars or private jets. Another for “Cryptoland Team” shows a knight in armor looking down at a skeleton in a hood writing on parchment paper. Cryptoland Team say they work with LummaC2 and another stealer called Rhadamanthys.

“Payment by logs or money. We give you a choice: Either you take the logs, or we buy them,” one advert from a team called Baphomet, with satanic branding, says.

Each lists the brand of infostealer they use, what split of the profits a collaborator can expect, and whether they allow an associate to take any extra exfiltrated logs. And most explicitly say that anyone they work with is prohibited from targeting the Commonwealth of Independent States (СНГ), or former members of the Soviet Union, which includes Belarus, Ukraine, and Russia. Collaborators then leave reviews and screenshots proving they’ve made money working with the team.

Many of these teams take new applications via their own Telegram bots. Some are strict in that they only want to work with people who are already experienced, while others seemingly take anyone on board. 404 Media was able to easily pass an application process for two traffer teams by answering some basic questions. After that, the bots sent links to the teams’ respective manuals, which lay out how to spread the malware.

One manual from Baphomet, for example, recommends bundling the stealer into cheating software for Roblox. It then describes how to set up a YouTube video advertising the cheat, and by extension, help propagate the malware.

Another advert from a traffer team says it works with TikTok, Telegram, Instagram, Twitter, Facebook, YouTube, YouTube Shorts, email newsletters, bloggers, and influencers. In the video of the hacker drinking whiskey, at one point his laptop shows a page on TikTok. Many of the manuals reflect this and recommend distributing infostealers via other social media sites or point to GitHub as an effective trafficking method.

Some infostealers are also hidden inside cracked or pirated software. One reason they’re so effective is that users are seeking the software out, not the other way around. People are actively searching for free software, be damned about the consequences.

A Google spokesperson said in an email, “We have policies in place to prevent spam, scams, or other deceptive practices that take advantage of the YouTube community. This includes prohibiting content where the main purpose is to trick others into leaving YouTube for another site.”

Meta did not respond to a request for comment. TikTok acknowledged a request but did not provide a response in time for publication.

And these traffers and others are clearly successful on a massive scale. Recorded Future says it sees 250,000 new infostealer infections every day.

**The Channels and Sites**

The harvested credentials are then fed into Telegram channels, where a tsunami of cookies and logins are available for purchase. The administrator for LummaC2 told me “This brings us good income, but I am not ready to disclose specific amounts,” referring to selling the stolen logs. Testing out the Telegram bot, it’s possible to filter by country, the number of cookies, or passwords available. 404 Media saw many U.S. logs available for sale. Over the past few weeks, some of these Telegram channels have been deleted. Telegram did not respond to a request for comment asking if it had taken action against them.

These, in turn, have their own branding, much like the traffers. Many channels also distribute stolen credentials for free, likely in an attempt to advertise their paid offerings. Even the freely available credentials can be devastating for a targeted organization. Earlier this year, a security researcher used exposed logins to compromise a server belonging to AU10TIX, an identity verification company that works with TikTok, Uber, and X. Those credentials came from a free stream available on Telegram, the researcher showed 404 Media at the time.

Some websites are also dedicated to, or have sections for, selling infostealer logs. Genesis Market is a site where the hackers responsible for the 2021 breach of Electronic Arts sourced a login token for the company’s Slack. In 2023, authorities shut down Genesis Market. But much of the credential selling has moved over to another long-running site, Russian Market, according to Recorded Future.

And this is where the hackers come in. Judische, the hacker linked to breaches at AT&T, Ticketmaster, and other companies that used Snowflake, likely lifted stolen credentials from these sorts of feeds and then used those to log into target servers. In some instances, those companies were not using multifactor authentication. But the power of logs is that they can sometimes bypass that extra layer of protection—a cookie can trick a service into thinking the user is trusted, and not prompt them for an extra login code.

Potentially with no idea how the logs were ultimately sourced, some English hackers ask in large group chats for passwords related to targets in particular countries. One I recently saw said they wanted logs for Canadian victims.

When interviewing Dark X, the alleged Hot Topic hacker, they seemed to sense another potential way to make some money. They mentioned they also sell logs.

“You wanna buy? haha,” they wrote.

Inside the Massive Crime Industry That’s Hacking Billion-Dollar Companies

Plus: Cops take down a notorious infostealer, Strava leaks world leaders’ locations, and a hacking scandal is causing chaos in Italy.

With just days to go until the 2024 presidential election in the United States, WIRED reported on documents that revealed US government assessments about multiple components of election security and stability. First obtained by the national security transparency nonprofit Property of the People, one report distributed by the US Department of Homeland Security in October assessed that financially motivated cybercriminals and ideologically motivated hacktivists are more likely than state-backed hackers to attack US election infrastructure. Another government memo warned of the risk to the election of insider threats, noting that such internal malfeasance “could derail or jeopardize a fair and transparent election process.”

With so much at stake in a hyper-polarized and combative climate, US elections have become increasingly militarized, with bulletproof glass, drones, defensive blockades, and snipers protecting election offices, and election officials bracing for the possibility of violent attacks. A WIRED investigation also revealed a successful CIA hack of Venezuela’s military payroll system that was part of a clandestine Trump administration effort to overthrow the country’s autocratic president, Nicolás Maduro.

In other cybersecurity news, WIRED did a deep dive into the firewall vendor Sophos’ five-year turf war to try to remove Chinese hackers running espionage operations on some vulnerable devices—and keep them out. And researchers warn that a “critical” zero-click vulnerability in a default photo app on Synology network-attached storage devices could be exploited by hackers to steal data or infiltrate networks.

As always, there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Ex-Disney Employee Accused of Hacking Disney World Menus, Changing Font to Wingdings**

A Disney employee who was fired from the company and still had access to its passwords allegedly hacked into the software used by Walt Disney World’s restaurants, according to reporting by 404 Media and Court Watch. A criminal complaint against Michael Scheuer claims he repeatedly accessed the third-party menu-creation system created for Disney and changed menus, including changing fonts to Windings—the font made up entirely of symbols.

“The fonts were renamed by the threat actor to maintain the name of the original font, but the actual characters appeared as symbols,” the criminal complaint says. “As a result of this change, all of the menus within the database were unusable because the font changes propagated throughout the database.”

The allegations aren’t limited to whimsical font vandalism, however. The federal complaint also details how Scheuer allegedly changed menu listings to say that foods with peanuts in them were safe for people with allergies, tried to log into Disney employees’ accounts, locked 14 employees out of their accounts by trying to log in with an automated script, and maintained a folder of personal information about employees and turned up at one person’s home. A lawyer representing Scheuer did not comment on the allegations.

**Redline Infostealer Taken Offline After Infecting Millions of Computers**

For the past few years, infostealers have become a popular tool of choice for hackers, from cybercriminals trying to make money to sophisticated nation state groups. The malware, which is often bundled into pirated software, uses web browsers to collect usernames and passwords, cookies, financial information, and other data you enter into your computer. This week, cops around the world took down the Redline infostealer, which has been used to grab more than 170 million pieces of information and has been linked to large-scale hacks. An almost identical infostealer called Meta was also disrupted. As part of Operation Magnus, US officials identified Russian national Maxim Rudometov as being behind the development of Redline. As TechCrunch reports, Rudometov was identified following a series of operational security errors, including reusing online handles and emails across social media apps and other websites. In its criminal complaint, the US Department of Justice pointed out Rudometov’s dating profile, which apparently has “liked” 89 other users and received no likes in return.

**Strava Data Leaks Sensitive Locations of World Leaders (Again)**

In January 2018, it emerged that GPS data from running and cycling app Strava could expose secret military locations and the movements of people exercising around them. Officials warned that it was a clear security risk. Years later, many seemingly haven’t paid attention. French newspaper Le Monde has revealed in a series of stories that US Secret Service agents are leaking their data through the fitness app, allowing the movements of Joe Biden, Donald Trump, and Kamala Harris to be tracked. Security staff linked to French president Emmanuel Macron and Russian president Vladimir Putin are similarly exposing their movements. Those exposing their data used public profiles and often posted runs starting or finishing at the locations they were staying during official trips. Included in the leaks were bodyguards linked to Putin who were running near a palace the Russian leader has denied owning.

**A Huge Hacking Scandal Rocks Italy—and May Be Spreading**

Italian prosecutors placed four people under house arrest and revealed they are investigating at least 60 others after an intelligence firm in the country allegedly hacked government databases and gathered information on more than 800,000 people. Intelligence company Equalize allegedly gathered information about some of Italy’s most prominent politicians, entrepreneurs, and sports stars, Politico reported. It is alleged that the information accessed included bank transactions, police investigations, and more. The hacked information was reportedly sold or potentially used as part of extortion attempts, with those behind the scheme allegedly earning €3.1 million. The scandal, which has enraged Italian politicians, may also be wider than just its impact in Italy, with the latest reports suggesting Equalize counted Israeli intelligence and the Vatican as clients.

Florida Man Accused of Hacking Disney World Menus, Changing Font to Wingdings

A vulnerability categorized as “critical” in a photo app installed by default on Synology network-attached storage devices could give attackers the ability to steal data and worse.

The researchers also said the photo application, which helps users organize photos, provided easy access whether customers connect their NAS device directly to the internet themselves or through Synology’s QuickConnect service, which allows users to access their NAS remotely from anywhere. And once attackers find one cloud-connected Synology NAS, they can easily locate others due to the way the systems get registered and assigned IDs.

“There are a lot of these devices that are connected to a private cloud through the QuickConnect service, and those are exploitable as well, so even if you don’t directly expose it to the internet, you can exploit \[the devices\] through this service, and that’s devices in the order of millions,” says Wetzels.

The researchers were able to identify cloud-connected Synology NASes owned by police departments in the United States and France, as well as a large number of law firms based in the US, Canada, and France, and freight and oil tank operators in Australia and South Korea. They even found ones owned by maintenance contractors in South Korea, Italy, and Canada that work on power grids and in the pharmaceutical and chemical industries.

“These are firms that store corporate data … management documents, engineering documents and, in the case of law firms, maybe case files,” Wetzels notes.

The researchers say ransomware and data theft aren’t the only concern with these devices—attackers could also turn infected systems into a botnet to service and conceal other hacking operations, such as a massive botnet that Volt Typhoon hackers from China had built from infected home and office routers to conceal their espionage operations.

Synology did not respond to a request for comment, but the company’s web site posted two security advisories related to the issue on October 25, calling the vulnerability “critical.” The advisories, which confirmed that the vulnerability was discovered as part of the Pwn2Own contest, indicate that the company released patches for the vulnerability. Synology’s NAS devices do not have automatic update capability, however, and it’s not clear how many customers know about the patch and have applied it. With the patch released, it also makes it easier for attackers to now figure out the vulnerability from the patch and design an exploit to target devices.

“It’s not trivial to find \[the vulnerability\] on your own, independently,” Meijer tells WIRED, “but it is pretty easy to figure out and connect the dots when the patch is actually released and you reverse-engineer the patch.”

Zero-Click Flaw Exposes Potentially Millions of Popular Storage Devices to Attack

Sophos went so far as to plant surveillance “implants” on its own devices to catch the hackers at work—and in doing so, revealed a glimpse into China's R&D pipeline of intrusion techniques.

For years, it's been an inconvenient truth within the cybersecurity industry that the network security devices sold to protect customers from spies and cybercriminals are, themselves, often the machines those intruders hack to gain access to their targets. Again and again, vulnerabilities in “perimeter” devices like firewalls and VPN appliances have become footholds for sophisticated hackers trying to break into the very systems those appliances were designed to safeguard.

Now one cybersecurity vendor is revealing how intensely—and for how long—it has battled with one group of hackers that have sought to exploit its products to their own advantage. For more than five years, the UK cybersecurity firm Sophos engaged in a cat-and-mouse game with one loosely connected team of adversaries who targeted its firewalls. The company went so far as to track down and monitor the specific devices on which the hackers were testing their intrusion techniques, surveil the hackers at work, and ultimately trace that focused, years-long exploitation effort to a single network of vulnerability researchers in Chengdu, China.

On Thursday, Sophos chronicled that half-decade-long war with those Chinese hackers in a report that details its escalating tit-for-tat. The company went as far as discreetly installing its own “implants” on the Chinese hackers' Sophos devices to monitor and preempt their attempts at exploiting its firewalls. Sophos researchers even eventually obtained from the hackers' test machines a specimen of “bootkit” malware designed to hide undetectably in the firewalls' low-level code used to boot up the devices, a trick that has never been seen in the wild.

In the process, Sophos analysts identified a series of hacking campaigns that had started with indiscriminate mass exploitation of its products but eventually became more stealthy and targeted, hitting nuclear energy suppliers and regulators, military targets including a military hospital, telecoms, government and intelligence agencies, and the airport of one national capital. While most of the targets—which Sophos declined to identify in greater detail—were in South and Southeast Asia, a smaller number were in Europe, the Middle East, and the United States.

Sophos' report ties those multiple hacking campaigns—with varying levels of confidence—to Chinese state-sponsored hacking groups including those known as APT41, APT31, and Volt Typhoon, the latter of which is a particularly aggressive team that has sought the ability to disrupt critical infrastructure in the US, including power grids. But the common thread throughout those efforts to hack Sophos' devices, the company says, is not one of those previously identified hackers groups but instead a broader network of researchers that appears to have developed hacking techniques and supplied them to the Chinese government. Sophos' analysts tie that exploit development to an academic institute and a contractor, both around Chengdu: Sichuan Silence Information Technology—a firm previously tied by Meta to Chinese state-run disinformation efforts—and the University of Electronic Science and Technology of China.

Sophos says it’s telling that story now not just to share a glimpse of China's pipeline of hacking research and development, but also to break the cybersecurity industry's awkward silence around the larger issue of vulnerabilities in security appliances serving as entry points for hackers. In just the past year, for instance, flaws in security products from other vendors including Ivanti, Fortinet, Cisco, and Palo Alto have all been exploited in mass hacking or targeted intrusion campaigns. “This is becoming a bit of an open secret. People understand this is happening, but unfortunately everyone is _zip,_” says Sophos chief information security officer Ross McKerchar, miming pulling a zipper across his lips. “We're taking a different approach, trying to be very transparent, to address this head-on and meet our adversary on the battlefield.”

**From One Hacked Display to Waves of Mass Intrusion**

As Sophos tells it, the company's long-running battle with the Chinese hackers began in 2018 with a breach of Sophos itself. The company discovered a malware infection on a computer running a display screen in the Ahmedabad office of its India-based subsidiary Cyberoam. The malware had gotten Sophos' attention due to its noisy scanning of the network. But when the company's analysts looked more closely, they found that the hackers behind it had already compromised other machines on the Cyberoam network with a more sophisticated rootkit they identified as CloudSnooper. In retrospect, the company believes that initial intrusion was designed to gain intelligence about Sophos products that would enable follow-on attacks on its customers.

Then in the spring of 2020, Sophos began to learn about a broad campaign of indiscriminate infections of tens of thousands of firewalls around the world in an apparent attempt to install a trojan called Asnarök and create what it calls “operational relay boxes” or ORBs—essentially a botnet of compromised machines the hackers could use as launching points for other operations. The campaign was surprisingly well resourced, exploiting multiple zero-day vulnerabilities the hackers appeared to have discovered in Sophos appliances. Only a bug in the malware's cleanup attempts on a small fraction of the affected machines allowed Sophos to analyze the intrusions and begin to study the hackers targeting its products.

Inside Sophos' 5-Year War With the Chinese Hackers Hijacking Its Devices

A successful CIA hack of Venezuela's military payroll system, insider fights for spy agency resources, and messy opposition politics: A WIRED investigation reveals a secret Trump-era attempt to oust autocratic ruler Nicolás Maduro.

The Untold Story of Trump's Failed Attempt to Overthrow Venezuela's President

From bulletproof glass, drones, and snipers to boulders blocking election offices, the US democratic system is bracing for violent attacks in 2024.

Drones, snipers, razor wire, sniffer dogs, body armor, bulletproof glass, and 24-hour armed security.

This is not a list of protections in place for a visit by the president of the United States nor the contents of a shipment to frontline troops fighting in Ukraine. This is a list of the security measures election officials in counties across the US have had to implement ahead of Tuesday’s vote as a result of the unprecedented threats they have faced in recent years.

Officials are putting in place the typical final measures to ensure the smooth operation of an election, but beyond checking that they have enough ballots and that machines are working properly, officials are now faced with having to monitor for threats and make sure they have done everything they can to protect themselves and their staff.

“Given the current political environment, the possibility that an event may occur has increased, and our election professionals have responded in kind,” says Tammy Patrick, a former election official in Arizona’s Maricopa County who is now a senior adviser at the nonprofit Bolstering Elections Initiative. “Efforts focusing on the physical security of the voters, election workers, and staff by putting in bulletproof glass, panic buttons, razor wire, and fencing are fairly common, as is the installation of surveillance cameras and systems, cyber protections, and training on de-escalation techniques and response drills.”

Nowhere in the US is the militarization of the election process more evident than in Maricopa County.

The fourth largest county in the nation, Maricopa became ground zero for election denial conspiracists in recent years, after GOP lawmakers sanctioned a bogus recount in 2021, run by the Florida company Cyber Ninjas.

As a result, the county has for years been putting increased security measures in place. “We're a fortress now,” Stephen Richer, the Maricopa County Recorder, told WIRED back in February, outlining how he had to navigate security fencing, metal detectors, and security checks in order to get into his office.

As the 2024 election approaches, the measures Maricopa officials are putting in place have been ratcheted up significantly.

Officials have added a second layer of security fencing to protect election offices, as well as concrete k-rails, which means election workers will be bused in from offsite locations due to reduced parking spaces. At the country’s tabulation center, every door will be fitted with metal detectors, floodlights will be installed, and on election day the center will be protected by a ring of snipers deployed on roofs around the building, election officials told NBC.

‘We’re a Fortress Now’: The Militarization of US Elections Is Here

A report distributed by the US Department of Homeland Security warned that financially motivated cybercriminals are more likely to attack US election infrastructure than state-backed hackers.

Russian, Chinese, and Iranian state-backed hackers have been active throughout the 2024 United States campaign season, compromising digital accounts associated with political campaigns, spreading disinformation, and probing election systems. But in a report from early October, the threat-sharing and coordination group known as the Election Infrastructure ISAC warned that cybercriminals like ransomware attackers pose a far greater risk of launching disruptive attacks than foreign espionage actors.

While state-backed actors were emboldened following Russia's meddling in the 2016 US presidential election, the report points out that they favor intelligence-gathering and influence operations rather than disruptive attacks, which would be viewed as direct hostility against the US government. Ideologically and financially motivated actors, on the other hand, generally aim to cause disruption with hacks like ransomware or DDoS attacks.

The document was first obtained by the national security transparency nonprofit Property of the People and viewed by WIRED. The US Department of Homeland Security, which contributed to the report and distributed it, did not return WIRED's requests for comment. The Center for Internet Security, which runs the Election Infrastructure ISAC, declined to comment.

“Since the 2022 midterm elections, financially and ideologically motivated cyber criminals have targeted US state and local government entity networks that manage or support election processes,” the alert states. “In some cases, successful ransomware attacks and a distributed denial-of-service (DDoS) attack on such infrastructure delayed election-related operations in the affected state or locality but did not compromise the integrity of voting processes … Nation-state-affiliated cyber actors have not attempted to disrupt US elections infrastructure, despite reconnaissance and occasionally acquiring access to non-voting infrastructure."

According to DHS statistics highlighted in the report, 95 percent of “cyber threats to elections” were unsuccessful attempts by unknown actors. Two percent were unsuccessful attempts by known actors, and 3 percent were successful attempts “to gain access or cause disruption.” The report emphasizes that threat intelligence sharing and collaboration between local, state, and federal authorities help prevent breaches and mitigate the fallout of successful attacks.

In general, government-backed hackers may stoke geopolitical tension by conducting particularly aggressive digital espionage, but their activity isn't inherently escalatory so long as they are abiding by espionage norms. Criminal hackers are bound by no such restrictions, though they can call too much attention to themselves if their attacks are too disruptive and risk a law enforcement crackdown.

The report cites an incident from March, for example, in which an unnamed US county “experienced a ransomware attack that forced it to purchase new network devices and reconnect to the state-level election system.” If such an attack occurred on or around Election Day, it could meaningfully disrupt voting.

More broadly, domestic security concerns in connection with the 2024 election have skyrocketed, fostering what DHS calls a “heightened threat environment.” Reporting by WIRED this month revealed that the agency has been issuing warnings to law enforcement across the US since summer, alarmed by the efforts of some extremists to mobilize and commit actual violence against elected officials, while targeting US voter ballots for destruction.

Other warnings show that concern is mounting over propaganda calling for Americans to engage in “civil war,” a narrative that DHS fears is raising the risk of domestic attacks. Threats tied to what the government calls “immigration-related grievances”—including the false narrative of “migrant invasion,” which is core to Donald Trump’s reelection efforts—have escalated this year, while expanding to ensnare federal judges and US border patrol officers deemed “traitors” among some antigovernment groups.

“Targeted violence and terrorism associated with ideologically motivated individuals will continue to be a threat through the 2024 election cycle,” says another intelligence report also obtained by WIRED. It warns, meanwhile, that “insider threats” affiliated with US election systems will “likely be an issue.”

Source

Wired