The suspected Chinese influence operation had limited success. But it signals a growing threat from a new disinformation adversary.

Since Russia bombarded the 2016 election with Twitter trolls and astroturfed lies, election watchers have been on guard against social media “influence operations.” Four years later, Iran took a stab at meddling in the 2020 presidential election, with more mixed results. Now, the People's Republic of China—or, at least, a group with a long-running pro-Chinese government agenda—seems to be trying out its own political influence operation just ahead of this year's US midterm elections. And while that operation seems to have largely failed this time, the campaign represents the growing boldness of a new adversary in the fight against organized disinformation.

On Wednesday, cybersecurity and threat intelligence firm Mandiant published new findings about a group it calls Dragonbridge, which it's seen for years promoting pro-Chinese interests in fake grassroots social media campaigns designed to influence politics in Taiwan and Hong Kong. Now, Mandiant's analysts have tied Dragonbridge to a series of more US-focused influence campaigns. The group claimed that a notorious hacking spree carried out by known Chinese state-sponsored hackers was actually carried out by US intelligence, falsely blamed the sabotage of the Nord Stream pipeline on the US government, and—perhaps most brazenly—seeded hundreds of posts on social media designed to demoralize voters and reduce turnout ahead of the November midterms.

“This actor has been rapidly growing and hyper-aggressive. They went from carrying out limited campaigns focused on Hong Kong to a global operation on dozens of platforms,” says John Hultquist, Mandiant's VP of intelligence analysis. “Interfering in our elections is just another line that they're clearly willing to cross.”

Mandiant declined to reveal in its report or to WIRED the full collection of disinformation posts that it's tied to Dragonbridge, but the company says the posts numbered in the thousands. Nor would Mandiant name all the platforms where Dragonbridge had created accounts. But it describes posts published by these accounts arguing that American democracy was being taken over by extreme partisanship, as well as posts pointing to episodes of confrontations and violence between political groups and against the FBI as instances of “civil war.” The group also published a video, Mandiant says, that discourages Americans from voting, making claims about political gridlock and inaction and showing images of the January 6, 2021, insurrection at the US Capitol Building. “The solution to America’s ills is not to vote for someone,” the video argues at one point, according to Mandiant, but “to root out this ineffective and incapacitated system.” All of the content Mandiant identified in its report as part of the Dragonbridge operations has since been deleted, the company says.

Other simultaneous influence campaigns from the group tie it more evidently to Chinese government interests. Pseudonymous Twitter accounts that Mandiant says were controlled by Dragonbridge posted claims in both English and Mandarin stating that espionage campaigns carried out by the prolific China-linked hacker group APT41 were really the work of the NSA and CIA. “For at least ten years, the American hacker group \[APT41\] has repeatedly carried out cyber attacks, espionage activities, cyber piracy and cyber crimes against other countries,” reads one tweet in October from a seemingly fictional person named Karen Diaz.

In fact, the US Department of Justice indicted seven Chinese men in 2020 as members of APT41, tying them to a contractor working on behalf of China's Ministry of State Security known as Chengdu 404. The indictment accuses the men of hacking hundreds of targets around the globe, both to carry out espionage on behalf of the MSS and to profit from their own cybercrime operations.

In an attempt to shift that blame, Dragonbridge's influence campaign went so far as to create spoofed posts from Intrusion Truth, a mysterious pseudonymous Twitter account that has previously released evidence tying multiple hacking campaigns to China, including those of APT41. The fake Intrusion Truth posts instead falsely tie APT41 to US hackers. Dragonbridge also created an altered, spoofed version of an article in the Hong Kong news outlet _Sing Tao Daily_ pinning APT41's activities on the US government.

In a more timely example of Dragonbridge's disinformation operations, it also sought to blame the destructive sabotage of the Nord Stream natural gas pipeline—a key piece of infrastructure connecting European countries to Russian gas sources—on the United States. Mandiant says that claim, which echoes statements from Russian president Vladimir Putin and Russian disinformation sources, appears to be part of a larger campaign designed to sow divisions between the United States and its allies that have opposed and sanctioned Russia for its unprovoked and catastrophic military invasion of Ukraine.

None of those campaigns, Mandiant emphasizes, was particularly successful. Most of the posts had single-digit likes, retweets, or comments at best, the company says. Some of its spoofed tweets impersonating Intrusion Truth have no signs of engagement at all. But Hultquist warns nonetheless that Dragonbridge demonstrates a new interest in aggressive disinformation from pro-China sources, and possibly from China itself. He worries, given China's widespread cyber intrusions around the world, that future Chinese disinformation campaigns might include hack-and-leak operations that blend real revelations into disinformation campaigns, as Russia's GRU military intelligence agency has done. “If they get their hands on some real information from a hacking operation,” Hultquist says, “that's where they become especially dangerous.”

Despite Dragonbridge's occasional pro-Russian messages, Hultquist says that Mandiant has little doubt of the group's pro-China focus. The company first spotted Dragonbridge engaged in a fake grassroots campaign to disparage Hong Kong pro-democracy protestors in 2019. Earlier this year, it saw the group pose as Americans protesting against US rare-earth metal mining companies that competed with Chinese firms.

That doesn't mean Dragonbridge's campaigns are necessarily the work of a Chinese government agency or even a contractor firm like Chengdu 404. But they're very likely at least located in China, Hultquist says. “It's hard to imagine their activity, in its totality, being in any other country's interest,” says Hultquist.

If Dragonbridge is working directly for the Chinese government, it may mark a new phase in China's use of disinformation. In the past, China has largely stayed away from influence operations. A Director of National Intelligence report on foreign threats to the 2020 election declassified last year stated that China “considered but did not deploy influence efforts designed to change the outcome of the US Presidential election.” But just last month Facebook, too, says it spotted and removed campaigns of Chinese political disinformation posted to the platform from mid-2021 to September 2022, though it didn't say if the campaigns were linked to Dragonbridge.

Despite the apparent resources put into Dragonbridge's long-running operations, its new foray into election meddling looks remarkably ham-fisted, says Thomas Rid, a professor of strategic studies at Johns Hopkins and author of a history of disinformation, _Active Measures_. He points to abstract phrases, like its call to “root out this ineffective and incapacitated system.” That kind of dull language fails to effectively exploit real wedge issues to exacerbate existing divisions in US society—often best identified by local agents on the ground. “It seems like they didn’t read the manual,” Rid says. “It seems like a remote, amateurish affair done from Beijing.”

But both Rid and Mandiant's Hultquist agree that Dragonbridge's relative lack of success shouldn't be seen as a sign of Americans' growing immunity to influence operations. In fact, they argue that the deep political divisions in American society may mean that the US is less equipped than ever to distinguish fact from fabrication in social media. “Authoritative sources are no longer trusted,” says Hultquist. “I'm not sure that we're in a great place right now, as a country, to digest that some major information operation is attributable to a foreign power.”

A Pro-China Disinfo Campaign Is Targeting US Elections—Badly

AlphaBay was the largest online drug bazaar in history, run by a technological mastermind who seemed untouchable—until his tech was turned against him.

The Hunt for the Dark Web’s Biggest Kingpin, Part 1: The Shadow

For months, an anonymous caller has terrorized communities around the US by reporting false shooting threats. We know how they did it. The question is, why?

Four times in the past year, the parents, teachers, and police officers of the small, neighboring Minnesota cities of Cloquet and Esko briefly believed that their children were about to be murdered in their classrooms. The calls began in the spring with two bomb threats. In the first, a man claimed to have seen a suspicious backpack with wires coming out of it at Cloquet and Esko high school. In July, he called again, this time reporting a bomb in a red backpack at Fond du Lac Tribal and Community College, according to police records. Then, in September, the same man, described by the Midwestern dispatchers as having a thick Middle Eastern accent, reported that a pair of gunmen, armed with AK-47s, had killed 10 people at Cloquet High School.

All of these calls turned out to be hoaxes. But according to Derrick Randall, Cloquet’s chief of police, each time they came in, it was “all hands on deck” for his department. Officers sprinted to their squad cars, threw on their extra body armor, and chambered rounds in the squad rifles. They may have blasted through stop signs and traffic signals while racing as fast as they could to face what might have been the worst thing they would ever see in their lives. “It’s dangerous, frustrating. It’s a waste, and we feel helpless,” says Randall. “Our job is to hold people accountable, and when there’s a person or group on the other side of the world able to take advantage of us and exploit our systems like this, they are taking away our power and control.”

According to the Minnesota Department of Public Safety, at least 26 schools in the state have received false reports of bomb threats or active shootings from the same individual or group since spring. The calls are part of an ongoing spree of hoax calls that police say are likely coming from overseas and have sent hundreds of thousands of students nationwide into lockdown. According to police records WIRED obtained, the hoax caller began their spree in March, earlier than previously reported, and could be linked to bomb threats called into dozens of colleges during the summer. Earlier this month, WIRED tracked more than 90 false reports of active shooters made to K-12 schools in 16 states around the country during the second half of September, and NPR found that the number may be even higher. The calls haven’t stopped. Scores of schools in New Jersey, Florida, California, South Carolina, South Dakota, Wisconsin, and Connecticut have been targeted in the past three weeks.

“The biggest frustration amongst parents is why no one can do anything to stop it,” says Hayley Katchenske, whose job includes sending messages to parents when there's an emergency at Cloquet Public Schools. “Why did it happen to us again, why can’t this be traced, and why can’t it be stopped?”

State and federal law enforcement are working to answer these questions. They believe they know how the person carried out these dangerous hoax calls, WIRED has found. But they have yet to discover who is behind this string of attacks and, crucially, why they are doing them. The answers will determine what, if anything, law enforcement can do to stop it.

TextNow, Investigate Later

In an October memo the FBI sent to schools in New York that WIRED obtained, the agency describes a single subject—a male “with a heavy accent described as Middle Eastern or African”—behind many of these hoax calls. Federal and local law enforcement in several states say that the caller appears to be located internationally, perhaps in Ethiopia, and is using VoIP technology to systematically call in threats to targeted schools.

WIRED traced six phone numbers used in the hoax calls to a service called TextNow, a platform that allows users to anonymously place calls using US phone numbers. Unlike with traditional cellular service, where a provider might need a credit card and address to sign up for service, TextNow customers need to provide only an email address to begin making calls. That drastically limits the information the company is able to provide to law enforcement.

According to the October FBI memo, TextNow has provided investigators with subscriber information. The memo also says that an email account behind at least one of the hoax calls was linked to previous hoax 911 calls and that the account had connected to TextNow through the Ethiopian Telecommunications Company, which is owned by the Ethiopian government.

Hot on the Trail of a Mass-School-Shooting Hoaxer

A former congressman who helped the House select committee investigate the Capitol attack says the US is losing sight of the big picture.

“Thousands of documents are great, but millions of lines of data are better. And so when you look at call detail records or open source intelligence research or you look at social media, those types of things can tell you a lot,” Riggleman says. “And I think it can actually direct the way that you investigate more than bringing people in who lie, plead the Fifth, or sometimes conveniently forget things.”

The real story, Riggleman contends, isn’t Trump. (“If you indict Trump, his polling numbers are going to go up,” he says. “So good luck.”) Trumpism is now gospel to an online army of devotees, hundreds of whom are now running for state and local offices. No matter which party comes out in control of Congress once the dust settles on Election Night, the next Congress is guaranteed to have Donald Trump’s stamp on it. The GOP candidates on the ballot next month include 291 who say they wouldn’t have certified Biden’s 2020 victory, according to the _Washington Post_. Of those, 171 are running in safely Republican districts.

As a former member of the House Freedom Caucus who has deep libertarian leanings (he farms his own hemp), Riggleman is worried about the digital takeover of a party he used to love, respect, and doggedly fight for. “You also have to figure out who the hell is pushing these radicalizing ideas over digital channels because that’s where it’s happening too,” Riggleman says.

Thousands of Trump supporters took his post-January 6 deplatforming as their cue to follow their leader off Twitter and Facebook and into a new world of almost-anything-goes social media apps, like Trump’s own struggling Truth Social, or Parler, which Kanye “Ye” West plans to buy. Those apps suck up the most recent coverage, but other apps continue to attract new and frustrated users.

There’s Gab (where QAnon devotees feel safe discussing ever-evolving conspiracy theories), GETTR (a “free speech”-focused app founded by former Trump aide Jason Miller), Rumble (think YouTube for the far right), MeWe (think Facebook for Trump Republicans), and CloutHub (if Twitter and Facebook had a baby). Even Reddit is helping Trump successfully spread ungrounded conspiracies about ballot-stuffing in Arizona.

Many on the right are also increasingly employing popular messaging apps like Telegram, which allows private groups to include as many as 200,000 members, and Signal, popular for its promised end-to-end encryption. That includes many of Trump’s most motivated followers, which we know from the dramatic spike in users they both attracted after Silicon Valley firms started their post-insurrection purges.

Then there are forums like 4chan, 8kun, and Endchan. Movement-inspiring memes, dangerous conspiracy theories, celebrations of violence and violent rhetoric all abound on these hubs connecting kindreds who proudly consider themselves social outcasts set on upending the “normie” society most of us inhabit.

As the select committee now prepares its final report on the preparation and planning leading up to the savage assault on the Capitol on January 6, 2021, the right has moved on. And in laying the groundwork to leave a Trump-sized imprint on this year’s midterms—including upending voting laws in countless battleground states and recruiting thousands of new pro-Trump poll workers to “police” local polling locations—the former president’s acolytes are also proving to be a few steps ahead of their opponents in their plan to capture the White House in 2024.

Just as an escalator helped Trump glide into the center of US politics, Riggleman says, the real story is the online gears, lubricants, chains, and steps lurking just under our feet. Likewise, unless more attention is paid to these means of political production, this new political order is something we all should get used to.

“We’re in a post-truth era, but we’re also in a post-Trump world—where those belief systems are baked in, and we’re going to have to deal with this for decades,” Riggleman says. “We need to look at going faster, harder, and better with more technology and more resources in that arena.”

The Quiet Insurrection the January 6 Committee Missed

Plus: A Microsoft cloud leak exposed potential customers, new IoT security labels come to the US, and details emerge about Trump’s document stash.

As Russia’s war in Ukraine drags on, Ukrainian forces have proved resilient and mounted increasingly intense counterattacks on Kremlin forces. But as the conflict evolves, it is entering an ominous phase of drone warfare. Russia has begun launching a series of recent attacks using Iranian “suicide drones” to inflict damage that is difficult to defend against. With Russian president Vladimir Putin escalating his rhetoric about the potential for a nuclear strike, and NATO officials watching closely for any signs of movement, we examine what indicators are available to the global community in assessing whether Russia is actually preparing to use nuclear weapons.

Meanwhile, an unrelenting string of deeply problematic vulnerabilities in Microsoft's Exchange Server on-premises email hosting service has left researchers to raise the alarm that the platform isn't getting the development resources it needs anymore, and customers should seriously consider migrating to cloud email hosting. And new research examines how Wikipedia's custodians ferret out state-sponsored disinformation campaigns in the crowdsourced encyclopedia's entries.

If you're worried about the ongoing threat of ransomware attacks around the world, researchers pointed out this week that middle-of-the-pack groups like the notorious gang Vice Society are maximizing profits and minimizing their exposure by investing very little in technical innovation. Instead, they simply run the most sparse and unremarkable operations they can to target under-funded sectors like health care and education. If you're looking to do something for your personal security, we've got a guide to ditching passwords and setting up “passkeys” on Android and Google Chrome.

But wait, there’s more! Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

Officials in the United States have long warned of a potential national security threat because the wildly popular social video platform TikTok is owned by a Chinese company, ByteDance. But TikTok has always maintained that it is firewalled between ByteDance and its US userbase. But materials seen by _Forbes_ indicate that an internal ByteDance review board, the “Internal Audit and Risk Control department,” planned to direct TikTok to track the location of some specific US users. The group typically focuses on internal, employee issues, but the US-based individuals were reportedly not affiliated with TikTok or ByteDance. “In at least two cases, the Internal Audit team also planned to collect TikTok data about the location of a US citizen who had never had an employment relationship with the company, the materials show. It is unclear from the materials whether data about these Americans was actually collected,” _Forbes_ wrote.

Microsoft said this week that a misconfiguration exposed the data of some prospective customers of its cloud services. Researchers from the threat intelligence firm SOCRadar disclosed the leak to Microsoft on September 24, and the company quickly closed the exposure. SOCRadar said in a report that the exposed information stretched back to as far as 2017 and up to August of this year. The researchers linked the data to more than 65,000 organizations from 111 countries. Microsoft said the exposed details included names, company names, phone numbers, email addresses, email content, and files sent between potential customers and Microsoft or one of its authorized partners. Cloud misconfigurations are a longstanding security risk that have led to countless exposures and, sometimes, breaches.

There are no easy answers to improve the longstanding security dumpster fire created by cheap, undefended internet of things devices in homes and businesses around the world. But after years of problems, countries like Singapore and Germany have found that adding security labels to internet-connected video cameras, printers, toothbrushes, and more. The labels give consumers a better understanding of the protections built into different devices—and give manufacturers an incentive to improve their practices and get a gold seal. This week, the United States took a step in this direction. The White House announced plans for a labeling scheme that would be a sort of EnergyStar for IoT digital security. The administration held a summit with industry organizations and companies this week to discuss standards and guidelines for the labels. “A labeling program to secure such devices would provide American consumers with the peace of mind that the technology being brought into their homes is safe, and incentivize manufacturers to meet higher cybersecurity standards, and retailers to market secure devices,” National Security Council spokesperson Adrienne Watson said in a statement.

Sources told _The Washington Post_ this week that sensitive information related to Iran‘s nuclear program and the United States’ own intelligence operations in China were included in documents seized by the FBI this summer at former President Trump‘s Mar-a-Lago estate in Florida. “Unauthorized disclosures of specific information in the documents would pose multiple risks, experts say. People aiding US intelligence efforts could be endangered, and collection methods could be compromised,” the _Post_ wrote. The information could also potentially motivate retaliation by other countries against the US.

TikTok’s Security Threat Comes Into Focus

Endless vulnerabilities. Massive hacking campaigns. Slow and technically tough patching. It's time to say goodbye to on-premise Exchange.

Once, reasonable people who cared about security, privacy, and reliability ran their own email servers. Today, the vast majority host their personal email in the cloud, handing off that substantial burden to the capable security and engineering teams at companies like Google and Microsoft. Now, cybersecurity experts argue that a similar switch is due—or long overdue—for corporate and government networks. For enterprises that use on-premise Microsoft Exchange, still running their own email machine somewhere in a closet or data center, the time has come to move to a cloud service—if only to avoid the years-long plague of bugs in Exchange servers that has made it nearly impossible to keep determined hackers out.

The latest reminder of that struggle arrived earlier this week, when Taiwanese security researcher Orange Tsai published a blog post laying out the details of a security vulnerability in Microsoft Exchange. Tsai warned Microsoft about this vulnerability as early as June of 2021, and while the company responded by releasing some partial fixes, it took Microsoft 14 months to fully resolve the underlying security problem. Tsai had earlier reported a related vulnerability in Exchange that was massively exploited by Chinese state-sponsored hackers known as Hafnium, who last year penetrated more than 30,000 targets, by some counts. Yet according to the timeline described in Tsai’s post this week, Microsoft repeatedly delayed fixing the newer variation of that same vulnerability, assuring Tsai no fewer than four times that it would patch the bug before pushing off a full patch for months longer. When Microsoft finally released a fix, Tsai wrote, it still required manual activation and lacked any documentation for four more months.

Meanwhile, another pair of actively exploited vulnerabilities in Exchange that were revealed last month still remain unpatched after researchers showed that Microsoft’s initial attempts to fix the flaws had failed. Those vulnerabilities were just the latest in a years-long pattern of security bugs in Exchange’s code. And even when Microsoft does release Exchange patches, they’re often not widely implemented, due to the time-consuming technical process of installing them.

The result of those compounding problems, for many who have watched the hacker-induced headaches of running an Exchange server pile up, is a clear enough message: An Exchange server is, itself, a security vulnerability, and the fix is to get rid of it.

“You need to move off of on-premise Exchange forever. That’s the bottom line,” says Dustin Childs, the head of threat awareness at security firm Trend Micro’s Zero Day Initiative (ZDI), which pays researchers for finding and reporting vulnerabilities in commonly used software and runs the Pwn2Own hacking competition. “You’re not getting the support, as far as security fixes, that you would expect from a really mission-critical component of your infrastructure.”

Aside from the multiple vulnerabilities Orange Tsai exposed and the two actively exploited unpatched bugs revealed last month, Childs points to another 20 security flaws in Exchange that a researcher reported to ZDI, which ZDI, in turn, reported to Microsoft two weeks ago, and which remain unpatched. “Exchange right now has a very broad attack surface, and it just hasn’t had a lot of really comprehensive work done on it in years from a security perspective,” says Childs.

Childs points to two other ZDI discoveries of Exchange vulnerabilities, one in 2018 and another in 2020, that were actively exploited by hackers even after the bugs were reported to Microsoft and patched. Security podcast _Risky Business_ went so far as to title a recent episode “It’s Exchangehog Day,” in a reference to the dreary cycle of vulnerability revelations and subsequent patching the servers require.

When WIRED reached out to Microsoft for comment on its Exchange security issues, Aanchal Gupta, the corporate vice president of Microsoft Security Response Center (MSRC), responded with an exhaustive list of measures the company has taken to mitigate, patch, and harden on-premise Exchange servers. He noted that Microsoft quickly released updates in response to Tsai's findings to partially block the vulnerabilities he exposed before the company released the full fix in August. Gupta further wrote that  MSRC “worked around the clock” to help customers update their Exchange servers in the midst of last year's Hafnium attacks, released numerous security updates for Exchange over the year, and even launched an Exchange Emergency Mitigation service, which helps customers automatically apply security mitigations to block known attacks on Exchange servers even before a full patch is available.

Still, Gupta agreed that most customers should move from on-premise Exchange servers to Microsoft's cloud-based email service, Exchange Online. “We strongly recommend customers migrate to the cloud to take advantage of real-time security and instant updates to help keep their systems protected from the latest threats,” Gupta said in an emailed statement. “Our work to support on-premises customers to move to a supported and up-to-date version continues, and we strongly advise customers who cannot keep these systems up to date to migrate to the cloud.”

If email administrators are, in fact, having trouble keeping Exchange fully patched, Trend Micro's Childs says that's due largely to the complexity of actually installing Exchange updates, both because of the age of its code and the risks of breaking functionality by changing interdependent mechanisms in the software. Security researcher Kevin Beaumont, for instance, recently live-tweeted his own experience of updating an Exchange server, documenting countless bugs, crashes, and hiccups in the process, which took him nearly three hours, despite the fact the server had last been updated just a few months earlier. “It’s a difficult and arduous process, so even though there are active attacks, people just don’t patch their on-premise Exchange,” says Childs. “So there are patched bugs that are taking forever to get fixed, and also unpatched bugs that have yet to get fixed.”

Another problem compounding on-premise Exchange’s security woes arises from the fact that vulnerabilities found in its software are often particularly easy to exploit. Exchange bugs aren’t any more common than, say, vulnerabilities in Microsoft’s Remote Desktop Protocol, says Marcus Hutchins, an analyst for security firm Kryptos Logic. But they’re far more reliable to use because, despite the fact that an Exchange server hosts email locally, it’s accessed through a web service. And passing commands through an online interface to a web server is a far more reliable form of hacking than methods like so-called memory corruption vulnerabilities, which have to alter data in a lower-level and less predictable portion of a targeted machine. “It’s basically very fancy web exploitation,” says Hutchins. “It’s not something that’s going to crash the server if you do it wrong. It’s very stable and simple.”

That exploitability is compounded by what seems to be Microsoft’s increasing inattention to maintaining the security of on-premise Exchange in favor of its cloud-based email service, 365 Exchange Online. As Beaumont pointed out earlier this month, Microsoft itself recommended that customers disable “legacy” authentication for Exchange—using industry jargon for outdated and often unsupported features—without acknowledging that there was no alternative form of authentication available.

That’s a strong hint that Microsoft itself thinks of on-premise Exchange servers on the whole as de facto “legacy” products, says Jake Williams, a former National Security Agency hacker who leads threat intelligence at cybersecurity firm Scythe. Microsoft no doubt wants customers to switch to its cloud-based service he says, and seems to have shifted its security resources accordingly. “It’s clear the depth on the on-premise Exchange team is not where it was a few years ago and hasn’t kept up with the security landscape,” says Williams. “It’s pretty stark.”

Williams acknowledges that some users may prefer or even require that their email be hosted locally rather than in the cloud for legal or privacy issues. But many enterprises that rely on the security of controlling the Exchange server themselves need to reckon with the fact they’re likely introducing more risks than they’re avoiding. “I tell customers, ‘I get it, you want to run on-prem for control reasons,’” says Williams. “But you have to start evaluating this as a liability. And that’s because Microsoft is not putting effort and resources into patching.”

“The proof is in the pudding,” Williams adds. “This code base is not getting the love that it clearly and desperately needs.” And if Microsoft isn’t giving that love to your Exchange server, perhaps Exchange no longer deserves your love, either.

Your Microsoft Exchange Server Is a Security Liability

A series of deadly attacks using Iranian “suicide drones” shows Russia is shifting gears in the conflict.

The war in Ukraine has an ominous new noise. People living in Afghanistan and Nagorno-Karabakh have talked about a sound that makes them run for cover. It’s not an explosion or a jet screaming overhead, it’s the menacing whirr of a drone. And on Monday, that whirr arrived in the skies above Kyiv.

Russia has ramped up its use of Iranian-made “suicide drones” in Ukraine, which travel in groups and explode by diving at their targets, obliterating themselves in the process. On Monday, dozens of drones attacked Ukrainian cities during morning rush hour, killing at least four people when they struck an apartment building in Kyiv, the Ukrainian capital. Drone and missile attacks have also destroyed 30 percent of the country’s energy infrastructure in the past 10 days, according to Ukrainian officials. Swathes of the country are now without power.

Armed drones have been involved in the fighting in Ukraine for months. Until now, both sides have mostly limited their use to the front lines, although Russia used Iranian drones to bombard the port of Odessa and military targets in the city center. But this week’s attacks by Russia mark the beginning of a dark new era for drone warfare in Ukraine. For the first time, drones are being used to target civilians and civilian infrastructure in a way that analysts say gives Russia little strategic advantage on the battleground. Instead, these attacks are designed to spread terror and crush morale—what German chancellor Olaf Scholz described as a Russian “scorched earth” tactic.

“\[Russia’s\] main goal … is to make sure that Ukrainians will have an extremely hard, dark, and cold winter,” says Kira Rudik, a member of Ukraine’s parliament, who is using a generator to power her laptop due to power restrictions in Kyiv. She compares the sound of the drones over the city to a loud motorbike. “It's pretty scary when you're sitting at home early in the morning and you hear \[the sound of\] a motorcycle passing by very loud,” she says. “And then you hear an explosion.”

Part of the psychological impact of these drones can be linked to that noise. Compared to missiles, drones are slow. The Iranian-made Shahed-136s travel at around 200 kilometers per hour, meaning civilians can see, hear, and even try to shoot at them before they hit, creating time for dread and panic to build. “This will likely have a significant psychological effect on Ukraine's civilian population, because everything could become a potential target of Russian attack,” says Ingvild Bode, associate professor at the Center for War Studies at the University of Southern Denmark.

Ukrainians are bracing for the possibility that a lot more of these drones will be heading their way. “We know that \[Russia\] has purchased over 1,000 drones from Iran,” says Rudik. The Shahed-136 is comparatively cheap and expendable, costing $2,000 to $3,000, analysts estimate. “We know that there will be more and more and more, and that is of course terrifying.” Iran has denied providing Russia with drones to use in Ukraine—a denial the US has called a lie. The White House said yesterday it had evidence Iranian troops were on the ground in Crimea, helping Russia to operate the drones.

While Ukraine has already had some success in intercepting these drones, the country is still scrambling to respond to Russia’s new strategy. The military was able to shoot down 15 of 20 Iranian drones launched yesterday, according to a Facebook post by the General Staff of the Armed Forces.

But shooting them down is easier said than done. A Shahed-136 is hard to detect. These drones fly low, meaning radar systems struggle to see them. “Unfortunately, it is not possible to hit 100 percent \[of them\] because the target is difficult,” Ukraine's air force spokesperson, Yuriy Ihnat, told Reuters. To compensate, Ukraine has started crowdsourcing ways to detect drones early. The country’s armed forces launched an Android app called ePPO, which asks civilians to report sightings of cruise missiles or drones, and share what direction they are traveling.

Once Ukrainians can detect the drones, they still need to figure out the best way to target them. Electronic warfare tools, such as GPS jammers, don’t work well, because analysts believe the Shahed-136s are programmed with their target’s location before they take off.

The ideal way to shoot them down would be with long-range missiles, says Marcel Plichtav, a former US Department of Defense analyst who is now a PhD candidate at the University of St. Andrews in Scotland. “But these are many, many times more expensive than the drone itself, which in terms of sustainability is an issue.” Shorter-range air defenses are cheaper, he says. “But they also have a lot less range, so you’re risking not being able to shoot them all down before they reach their targets.”

And if Ukraine focuses all its defenses on Shahed-136s, there’s a risk the drones could act as a decoy for other attacks. The conflict in Yemen between the Saudi-backed government and the Houthi rebels has shown that missiles are more likely to hit their targets if air defense systems are distracted with drones, says Plichtav.

The best option would be to stop or sabotage the drones before they ever take off, says Wim Zwijnenburg, project leader in humanitarian disarmament at PAX, a Dutch organization that campaigns to end armed violence. Yesterday, the European Union announced it would freeze the assets of three Iranian generals and Shahed Aviation Industries, the company responsible for developing the Shahed-136. Sabotaging the drones themselves, however, is made more difficult by the fact a Shahed-136 is estimated to have a 1,000-kilometer range, which means these drones have been launched by Russia from Belarus and Russian-occupied Crimea, according to Rudik.

Ukraine’s drone problem is one reason the country has been reaching out to Israel, Zwijnenburg says. “Israel has a lot of knowledge on the type of drones Iran produces.” However, Israel—which has previously limited its assistance to Ukraine to humanitarian relief—said this week it would only help the country develop an early-warning system to better protect civilians from air attacks.

“We need air force protection systems, the sophisticated ones,” says Rudik, adding it’s not just Israel who has these systems but also the US, the UK, and some European countries.

“This is something that we have been asking since day one of the invasion. And it's an incredible frustration for us that right now, eight months into the war, we are still asking for the same thing.”

Ukraine Enters a Dark New Era of Drone Warfare

Vice Society has a superpower that’s allowed it to quietly carry out attacks on schools and hospitals around the world: mediocrity.

a ransomware attack on the Los Angeles Unified School District in the first week of September crippled digital operations across the system, which includes more than 1,000 schools and serves roughly 600,000 students. Two weeks after the initial attack, as the district worked to recover and restore its systems, the hackers said that they would leak the 500 gigabytes of data they claimed to have stolen from LAUSD if the school system didn't pay a ransom. 

After the school system refused to pony up, the hackers released the trove, which contained sensitive data of students who had attended LAUSD between 2013 and 2016, including their Social Security numbers, financial and tax information, health details, and even legal records. And as LAUSD set up a hotline for worried families and scrambled to deal with the fallout, the hacking group behind the attack moved on, seemingly without making any money off the incident. 

That's Vice Society for you.

The apparently Russian-speaking group is a prolific ransomware actor that has hit an array of educational institutions since emerging at the end of 2020. But in addition to focusing on schools, Vice Society is notorious for targeting health care facilities and hospitals—a sector long-plagued by ransomware attacks, but one that some hacking groups pledged not to target at the height of the Covid-19 pandemic. Amidst a nonetheless brutal wave of North American hospital ransomware attacks in 2020, though, Vice Society's activity has been just unremarkable enough to keep the group out of the spotlight.

“We would probably think of them as a second- or maybe third-tier group overall, compared to big names like LockBit, Hive, and Black Cat,” says Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware. “But the bulk of their victims are either in the education or health care sectors, and their attacks make up a significant chunk of the total known attacks in those categories for 2021 and 2022 so far. They loom large in those two sectors.”

Vice Society is, in many ways, an unremarkable ransomware gang. The group relies on exploiting known vulnerabilities like PrintNightmare to gain access to victims' systems and may sometimes buy a foot in the door from criminal actors known as “initial access" brokers. Once inside a network, Vice Society uses automated scripts and takes advantage of an organization's own network management tools to conduct standard reconnaissance and exfiltrate data. Then the group deploys prepackaged ransomware. 

Shortly after the LAUSD attack, the United States Cybersecurity and Infrastructure Security Agency and the FBI published an alert about Vice Society, noting that the group is “disproportionately targeting the education sector with ransomware attacks.” The agencies added that “Vice Society is an intrusion, exfiltration, and extortion hacking group … \[The\] actors do not use a ransomware variant of unique origin."

In addition to its technically unremarkable attacks, Vice Society has also hit targets around the world, spreading its victimes between North America, South America, and Europe. 

Throughout 2021, Vice Society's health care targets included Barlow Respiratory Hospital in California, Eskenazi Health in Indiana, Centre Hospitalier D'Arles in France, United Health Centers in California, and a dental company in Brazil. The group also attacked New Zealand's Waikato District Health Board that summer, which, among other impacts, resulted in the cancellation of two Air New Zealand flights; the airline couldn't obtain proof of negative Covid-19 tests for crew members because the health department's digital systems were down.

Vice Society also targeted schools and universities in 2021 and seems to have favored this sector more and more as the United States and other countries devote more resources to ransomware enforcement and hone mitigation techniques. In the wake of high-profile 2021 attacks, like the Colonial Pipeline ransomware incident, prominent Russian-speaking actors faced infrastructure takedowns, indictments, and even rare Russian arrests for their brazen crimes. 

Vice Society may view education as a quieter and less well funded category where it can fly under the radar. For example, the group hit the Austrian Medical University of Innsbruck in June and Linn-Mar Community School District in Iowa at the beginning of August—neither of which many people would flag as major, obvious targets. The Bluets maternity hospital in Paris accused the group last week of a ransomware attack on its systems. Vice Society has not taken credit so far for the hack.

“They’re a perfect example of the success of mediocrity in the ransomware ecosystem,” says Claire Tills, a researcher for the security firm Tenable who has studied Vice Society's tactics and organization. “You have the top-tier groups developing their own zero days and acting all polished and professional. But meanwhile, Vice Society is just chugging along, not really innovating, stealing tools from other folks, but they have just enough stability to launch attacks, get paid, keep moving."

Researchers view the group's attack on the Los Angeles Unified School District as significant because LAUSD is a major target, and it made more of a splash than most of Vice Society's other hacks. Tills notes that the group may not have understood the scale and prominence of the school district it was taking on or may have chosen the target deliberately as a test of whether it was ready to up its game and focus on larger victims. But the apparent failure to secure payment and scrutiny that came from the incident may have warned the group off of such visible attacks.

“They're focusing on not necessarily big targets. Not everyone is aware of how bad and how devastating these attacks are, because they are so regional and they don't necessarily break into the mainstream,” Recorded Future's Liska says. “You may not want to be Conti and take down a whole country’s health care system, because if you do, you’re going to draw the ire of these countries.”

By focusing on lesser-known schools, Tenable's Tills warns, Vice Society may be able to maintain its low profile and continue its streak if defenders and law enforcement don't make mid-tier ransomware groups a higher priority. 

“Vice Society has taken the approach of knowing that the education sector isn’t doing great emotionally or financially,” Tills says. "Schools are under so much pressure after being closed on and off for two years, and ransomware actors know that the more stressed people are, the more likely they are to make suboptimal decisions. The group's success makes them sustainable, but they're still kind of written off. So they're not getting raided or arrested that we’ve seen so far. They're a really good example of what we as an industry are not paying enough attention to.”

The Vice Society Ransomware Gang Thrives in a Crucial Blind Spot

While tensions over a possible nuclear attack on Ukraine remain high, experts say surveillance will likely catch Russia if it plans to do the unthinkable.

This week, NATO is conducting its regular, long-planned nuclear strike exercise known as “Steadfast Noon" to practice deploying fighter jets used to carry nuclear weapons. And Russia is expected to conduct its own nuclear drills sometime this month—as it typically does—in reaction to NATO's exercises.  While these rehearsals don't involve actual bombs, they come at a fraught moment, given Russian president Vladimir Putin's recent suggestion that the Kremlin could deploy nuclear weapons in its war against Ukraine. 

Officials from the United States and the United Kingdom have emphasized that they do not see indications that Russia is actively preparing to launch a nuclear strike. And the signals the global community has to draw on in monitoring the Russian nuclear weapons program, while not infallible, are robust. That means the world would likely know if a nuclear attack were imminent.

 “We take any nuclear weapons or nuclear saber-rattling very seriously here," White House press secretary Karine Jean-Pierre told reporters earlier this month. But, she added, “we have not seen any reason to adjust our own strategic nuclear posture, nor do we have any indication that Russia is preparing to imminently use nuclear weapons."

Similarly, Jeremy Fleming, director of the UK's GCHQ intelligence agency, said last week, “I would hope that we will see indicators if they started to go down that path.” He added that there would be a “good chance” of detecting Russian preparations.

“With Russia, the arsenal is old and established, much like the US's nuclear weapons program," says Eric Gomez, a senior fellow at the Cato Institute focused on arms control and nuclear stability. “Russia is very much enmeshed in the international and bilateral arms control treaties that provide a lot of transparency. They’re not an open book—no country is. Everyone still has certain secrets that they preserve. But if you can keep satellite or aircraft sensors trained on key spots, you can catch it if things are moving or dispersing.”

As is the case in the US and among other world nuclear powers, Russia's intercontinental ballistic missiles and submarine-launched ballistic missiles are always deployed and in a constant state of readiness. Known as “strategic” nuclear weapons, these bombs are meant to target cities or large industrial targets—probably what you think of when you imagine a nuclear bombing. The “tactical” nuclear weapons that are of more immediate concern in a Russian strike on neighboring Ukraine are smaller and meant for more contained attacks, namely in battle zones. These bombs are also known as “battlefield” or “nonstrategic” nuclear weapons and have never been used in combat.

Russia's nuclear bombs are stored in military facilities and would need to be transported and loaded into either aircraft or launchers for deployment. Pavel Podvig, who runs the research organization Russian Strategic Nuclear Forces, notes that the global community knows the location of the roughly 12 nuclear weapons storage facilities around Russia where this activity would likely originate. He adds that the US has intimate knowledge of most of the sites because it worked with Russia to improve the physical security of the repositories between 2003 and 2012 as part of an initiative called Cooperative Threat Reduction.

“The procedure for deploying these weapons would include a number of steps,” says Podvig, who is also a senior research fellow at the UN Institute for Disarmament Research. “First taking these weapons out of their bunkers, loading them on trucks, and driving them to an airfield—moving them closer to the delivery systems—and doing a checkup procedure. My understanding is, you would see the movement of the launchers, the missiles, the aircraft. It would be a pretty visible operation, and quite frankly, I think Russia would want it to be visible."

Global powers monitor each others' nuclear weapons programs through a combination of aerial and satellite surveillance and other signals intelligence. The analysis is part art, part science, as monitoring of North Korea's nuclear program has particularly shown, given the country's extreme isolation. And while GCHQ's Fleming and other researchers caution that there is never perfect information, global knowledge of Russia's nuclear program and long-standing intelligence operations inside the country will likely allow international observers to spot any Russian nuclear preparations.

“What we’ve mostly seen from North Korea is technology tests where they're showing off a lot in the public space to send specific signals internationally and domestically,” Cato's Gomez says. “With the Russians, it's a different situation. In the lead-up to Russia's invasion of Ukraine in February, the Biden administration was putting out a lot of intelligence saying, ‘We’re seeing a buildup of troops here and these units moving to these places,’ and I think that would very likely be the playbook if they saw signs of Russian nuclear preparations.”

Podvig also notes that another version of Russia's nuclear weapons staging could involve transporting the weapons to forests and then readying the strike under tree cover to minimize aerial visibility. Such an approach would still be detectable during the transport phase and could offer a sort of hybrid in which the exact nature of Russia's plan remains unknown, but the activity still sends an escalatory signal to Ukraine and the world.

“I don’t see why Russia would want to hide the deployment,” Podvig says. “But even if it wanted to, I think they will not have the certainty that they could be successful. I would assume that US intelligence and everybody is watching those sites. The Americans cannot have absolute certainty that they will see it, but Russia does not have certainty that they will not.”

How the World Will Know If Russia Is Preparing to Launch a Nuclear Attack

Custodians of the crowdsourced encyclopedia are charged with protecting it from state-sponsored manipulators. A new study reveals how.

This network mapping may also identify a particular strategy used by bad actors of splitting their edit histories between a number of accounts to evade detection. The editors put in the effort to build reputation and status within the Wikipedia community, mixing legitimate page edits with the more politically sensitive ones.

“The main message that I have taken away from all of this is that the main danger is not vandalism. It's entryism,” Miller says.

If the theory is correct, however, it means that it could also take years of work for state actors to mount a disinformation campaign capable of slipping by unnoticed.

“Russian influence operations can be quite sophisticated and go on for a long time, but it's unclear to me whether the benefits would be that great,” says O’Neil.

Governments also often have more blunt tools at their disposal. Over the years, authoritarian leaders have blocked the site, taken its governing organization to court, and arrested its editors.

Wikipedia has been battling inaccuracies and false information for 21 years. One of the most long-running disinformation attempts went on for more than a decade after a group of ultra-nationalists gamed Wikipedia’s administrator rules to take over the Croatian-language community, rewriting history to rehabilitate World War II fascist leaders of the country. The platform has also been vulnerable to “reputation management” efforts aimed at embellishing powerful people’s biographies. Then there are outright hoaxes. In 2021, a Chinese Wikipedia editor was found to have spent years writing 200 articles of fabricated history of medieval Russia, complete with imaginary states, aristocrats, and battles.

To fight this, Wikipedia has developed a collection of intricate rules, governing bodies, and public discussion forums wielded by a self-organizing and self-governing body of 43 million registered users across the world.

Nadee Gunasena, chief of staff and executive communications at the Wikimedia Foundation, says the organization “welcomes deep dives into the Wikimedia model and our projects,” particularly in the area of disinformation. But she also adds that the research covers only a part of the article’s edit history.

“Wikipedia content is protected through a combination of machine learning tools and rigorous human oversight from volunteer editors,” says Gunasena. All content, including the history of every article, is public, while sourcing is vetted for neutrality and reliability.

The fact that the research focused on bad actors who were already found and rooted out may also show that Wikipedia’s system is working, adds O’Neil. But while the study did not produce a “smoking gun,” it could be invaluable to Wikipedia: “The study is really a first attempt at describing suspicious editing behavior so we can use those signals to find it elsewhere,” says Miller.

Victoria Doronina, a member of the Wikimedia Foundation’s board of trustees and a molecular biologist, says that Wikipedia has historically been targeted by coordinated attacks by “cabals” that aim to bias its content.

“While individual editors act in good faith, and a combination of different points of view allows the creation of neutral content, off-Wiki coordination of a specific group allows it to skew the narrative,” she says. If Miller and its researchers are correct in identifying state strategies for influencing Wikipedia, the next struggle on the horizon could be “Wikimedians versus state propaganda,” Doronina adds.

The analyzed behavior of the bad actors, Miller says, could be used to create models that can detect disinformation and find how just how vulnerable the platform is to the forms of systematic manipulation that have been exposed on Facebook, Twitter, YouTube, Reddit, and other major platforms.

The English-language edition of Wikipedia has 1,026 administrators monitoring over 6.5 million pages, the most articles of any edition. Tracking down bad actors has mostly relied on someone reporting suspicious behavior. But much of this behavior may not be visible without the right tools. In terms of data science, it's difficult to analyze Wikipedia data because, unlike a tweet or a Facebook post, Wikipedia has many versions of the same text.

As Miller explains it, “a human brain just simply can't identify hundreds of thousands of edits across hundreds of thousands of pages to see what the patterns are like.”

Source

Wired