A bill with bipartisan support might finally give the US a strong federal data protection law.

Usually, when Congress is working on major tech legislation, the inboxes of tech reporters get flooded with PR emails from politicians and nonprofits either denouncing or trumpeting the proposed statute. Not so with the American Data Privacy and Protection Act. A first draft of the bill seemed to pop up out of nowhere in June. Over the next month, it went through so many changes that no one could say for sure what it was even designed to do. For such an important topic, the bill’s progress has been surprisingly under the radar.

Now comes an even bigger surprise: A new version of the ADPPA has taken shape, and privacy advocates are mostly jazzed about it. It just might have enough bipartisan support to become law—meaning that, after decades of inaction, the United States could soon have a real federal privacy statute.

Perhaps the most distinctive feature of the new bill is that it focuses on what’s known as data minimization. Generally, companies would only be allowed to collect and make use of user data if it’s necessary for one of 17 permitted purposes spelled out in the bill—things like authenticating users, preventing fraud, and completing transactions. Everything else is simply prohibited. Contrast this with the type of online privacy regime most people are familiar with, which is all based on consent: an endless stream of annoying privacy pop-ups that most people click “yes” on because it’s easier than going to the trouble of turning off cookies. That’s pretty much how the European Union’s privacy law, the GDPR, has played out.

“The reason I really like this bill is, it takes a data-minimization approach first,” says Sara Collins, senior policy council at Public Knowledge, a consumer advocacy group in DC. “The bill at the outset is like, ‘One, you don't collect any more data than you reasonably need, and, two, here’s a list of reasons you might need this data.’”

A major caveat is that the list of reasons includes targeted advertising, which is the economic driver of most commercial surveillance in the first place. So the bill falls well short of simply banning the practice, which is what many data-privacy advocates would prefer. On the other hand, it imposes much stricter limits on targeted advertising—and the data collection supporting it—than any law in the US and perhaps the world. It would completely prohibit targeting ads to minors, something Joe Biden called for in his 2022 State of the Union address. It would ban targeting ads based on “sensitive data.” That category includes things like health information, precise geolocation, and private communications—as well as “information identifying an individual’s online activities over time and across third-party websites or online services.” In other words, companies would no longer be allowed to follow you around the internet, gathering data on everything you do and using it to sell you stuff.

“I think it’s a pretty fundamental shift,” says Alan Butler, executive director and president of the Electronic Privacy Information Center. “It gets at the heart of what I see as the major privacy problem in the way that ad tech has developed over the last 20 years, largely because there was no privacy law in effect. What’s developed is an ad tech industry that just gorges on personal information in every possible way it can, grabbing every possible piece of data they can find about people.”

Under the new version of the ADPPA, Butler says, some forms of targeting would remain common, particularly targeting based on first-party data. If you shop for shoes on Target.com, Target could still use that information to show you ads for shoes when you’re on another site. What it wouldn’t be able to do is match your shopping history with everything else you do on the web and on your phone to show you ads for stuff you’ve never told them you wanted. Nor could Facebook and Google continue to spy on you by placing trackers on nearly every website or free app you use, in order to build a profile of you for advertisers.

“If they’re tracking your activity across third-party websites, which they certainly are, then that’s sensitive data, and they can’t be processing that for targeted advertising purpose,” says Butler.

To the extent that the new bill would still allow targeted advertising, it would require companies to give users the right to opt out—while prohibiting the sorts of tricks that companies often use to nudge users to click “Accept all cookies” under the GDPR. And it would direct the Federal Trade Commission to create a standard for a universal opt-out that companies would have to honor, meaning users could decline all targeted advertising in one click. (That’s an important feature of California’s recently adopted privacy law.)

The ad industry seems to agree that the bill would mark a fundamental shift. Yesterday, the Association of National Advertisers, a trade group, issued a statement opposing the bill on the grounds that it would “prohibit companies from collecting and using basic demographic and online activity data for typical and responsible advertising purposes.”

Apart from its data-minimization approach, the new bill contains quite a lot of provisions that data privacy experts have long called for, including transparency standards, anti-discrimination rules, increased oversight for data brokers, and new cybersecurity requirements.

Federal privacy legislation has been something of a white whale in DC over the last few years. Since 2019, a bipartisan agreement has supposedly been just around the corner. The effort kept stalling because Democrats and Republicans were divided on two key issues: whether a federal bill should preempt state privacy laws, and whether it should create a “private right of action” allowing individuals, not just the government, to sue companies for violations. Democrats are generally against preemption and in favor of a private right of action, Republicans the reverse.

The new bill represents a long-sought compromise on those issues. It preempts state laws, but with some exceptions. (Most notably, it empowers California’s brand-new privacy agency to enforce the ADPPA within the state.) And it contains a limited private right of action, with restrictions on the damages that people can sue for.

The bill has other shortcomings, inevitably. The universal opt-out requirement is nice, but it won’t mean much until the largest browsers, especially Chrome and Safari, add the feature. The bill gives the FTC new authority to issue rules and enforce them, but it doesn’t direct any new resources to the agency, which already lacks the staff and funding to handle everything on its plate.

As a result, not everyone in the privacy camp is on board. On Tuesday, a group of mostly blue-state state attorneys general sent a letter to the committee objecting to the preemption provision. And the Electronic Frontier Foundation tweeted on Wednesday that it is “disappointed” by the compromises in the bill.

On the whole, however, the ADPPA seems wildly popular both on the Hill and among advocacy organizations. It has the support of leading privacy and civil rights nonprofits, and the House Commerce Committee voted to advance it by a 53-2 margin—an overwhelmingly bipartisan consensus that bodes well for the bill’s prospects when the full House votes on it. During yesterday’s markup hearing, several members noted that while the bill isn’t perfect, it’s simply politically impossible to pass a federal privacy law that doesn’t involve compromise on those two key issues.

Even the tech industry hasn’t launched any public campaign to kill the bill. You could take this as a sign that it’s actually too weak to trouble the industry. But Adam Kovacevich, the CEO of Chamber of Progress, a Big Tech lobbying group, points out that even the bill’s liberal critics have acknowledged that it goes further than any of the state laws it would preempt—even California’s. “I don’t think anyone in industry is crazy about the idea of the private right of action, the idea of more lawsuits,” he says. But, he adds, tech companies have already spent years learning to comply with the growing web of privacy regimes around the world. A somewhat stricter law might not be so bad if it provides a clear, fixed national standard.

None of this means that the ADPPA is sure to become law, of course. In the Senate, Maria Cantwell, the top Democrat on the Commerce Committee, has not gotten behind the effort yet, though her Republican counterpart has. And time is running out for that sclerotic body to pass any major laws before next year, when Democrats will almost surely lose their governing trifecta.

Still, privacy advocates are cautiously optimistic. “You’re looking at a situation where you have bicameral, bipartisan support, with Republicans and Democrats on board on the House and Senate side,” says Butler. “I don’t think we’ve ever been this close.”

Congress Might Pass an Actually Good Privacy Bill

The ACLU released a trove of documents showing how Homeland Security contracted with surveillance companies to scour location information.

For years, people have wondered not if, but how much, the Department of Homeland Security accesses mobile location data to monitor US citizens. This week, the American Civil Liberties Union released thousands of heavily redacted pages of documents that provide a “glimpse” of how DHS agencies came to leverage “a shocking amount” of location data, apparently purchasing data without following proper protocols to ensure they had the authority to do so.

Documents were shared with the ACLU “over the course of the last year through a Freedom of Information Act (FOIA) lawsuit.” Then Politico got access and released a report confirming that DHS contracted with two surveillance companies, Babel Street and Venntel, to scour hundreds of millions of cell phones from 2017 to 2019 and access “more than 336,000 location data points across North America.” The collection of emails, contracts, spreadsheets, and presentation slides provide evidence that “the Trump administration's immigration enforcers used mobile location data to track people's movements on a larger scale than previously known,” and the practice has continued under Biden due to a contract that didn't expire until 2021.

The majority of the new information details an extensive contract DHS made with Venntel, a data broker that says it sells mobile location data to solve “the world's most challenging problems.” In documents, US Customs and Border Patrol said Venntel's location data helped them improve immigration enforcement and investigations into human trafficking and narcotics.

It's still unclear whether the practice was legal, but a DHS privacy officer was worried enough about privacy and legal concerns that DHS was ordered to “stop all projects involving Venntel data” in June 2019. It seems that the privacy and legal teams, however, came to an agreement on use terms, because the purchase of location data has since resumed, with Immigration and Customs Enforcement signing a new Venntel contract last winter that runs through June 2023.

The ACLU still describes the practice as “shadowy,” saying that DHS agencies still owed them more documents that would further show how they are “sidestepping” the “Fourth Amendment right against unreasonable government searches and seizures by buying access to, and using, huge volumes of people's cell phone location information quietly extracted from smartphone apps.” Of particular concern, the ACLU also noted that an email from DHS's senior director of privacy compliance confirmed that DHS “appeared to have purchased access to Venntel even though a required Privacy Threshold Assessment was never approved.”

DHS did not comment on the Politico story, and neither the DHS agencies mentioned nor the ACLU immediately responded to Ars' request for comment.

The ACLU says that no laws currently prevent data sales to the government, but that could change soon. The ACLU endorses a bill called the Fourth Amendment Is Not for Sale Act, which is designed to do just that. Even if that bill is passed, though, the new law would still provide some exceptions that would allow government agencies to continue tracking mobile location data. The ACLU did not immediately respond to comment on any concerns about those exceptions.

How to Stop Location Data Tracking

The main question being debated is whether a Supreme Court decision in 2017 that said police must have a warrant to search cell phone data applies to government agencies like DHS. It's a gray area, the Congressional Research Service says, because “the Supreme Court has long recognized that the government may conduct routine inspections and searches of individuals entering at the US border without a warrant” and that “some federal courts have applied the 'border search exception' to allow relatively limited, manual searches at the border of electronic devices such as computers and cell phones.”

DHS isn't the only government agency that considers itself an exception, though. In 2021, the Defense Intelligence Agency also purchased location data without a warrant, bypassing the 2017 Supreme Court decision because the Department of Defense has its own "Attorney General-approved data handling requirements."

It's all part of a troubling pattern that shows a growing preference for the practice across many government agencies that have considered themselves exempt from legal concerns over the past few years.

Now, as privacy concerns over data tracking by law enforcement have heightened in post-_Roe v. Wade_ America, more mobile phone users are considering ways to keep their data private.

The first step for many might be to stop sharing location data with untrustworthy apps or maybe even entirely. Any time an app asks to track location data, users can either opt in or out. The ACLU told Politico that this opt-in process is what gives third-party vendors like Venntel the right to grant government access to data, claiming users have given permission to share with the government just by opting in.

“It's very clear that when people are doing that, they're not expecting that that's going to be potentially creating this massive database of their entire location history that's available to the government at any time,” Shreya Tewari, the Brennan fellow for the ACLU's Speech, Privacy and Technology Project, told Politico.

For mobile phone users concerned about DHS data tracking, users can specifically opt out of Venntel data collection.

There's not enough information identifying other contracts DHS might have with other vendors selling location data. The ACLU did not comment on the next steps to retrieve the rest of the DHS documents the organization requested, but its initial FOIA request asked for all contracts “concerning government access to or receipt of data from commercial databases containing cell phone location information.” That information may come in a future document dump, as the ACLU lawsuit states, but history proves DHS is not always prompt to respond. The ACLU waited nine months for a response before suing and noted at that time that “DHS has even refused to provide its legal memorandum about these practices to US senators who have requested it.”

The Fourth Amendment Is Not for Sale Act was introduced in Congress in April last year, where it was read twice and then referred to the Committee on the Judiciary. A request for an update on the bill's progress from one of its most vocal authors, Senator Ron Wyden, Democrat of Oregon, did not yield an immediate response. The ACLU advises that officials act sooner rather than later, saying, "Lawmakers must seize the opportunity to end this massive privacy invasion without delay. Each day without action only allows the government's covert trove of our personal information to grow."

_This story originally appeared on_ _Ars Technica__._

The DHS Bought a ‘Shocking Amount’ of Phone-Tracking Data

Under increased scrutiny, certain period-tracking apps are seeing a surge of new users. Which are as safe as they claim to be?

This not only shifts the burden of risk assessment to individual users, but also makes evaluating the privacy and security of apps difficult to begin with. To do so, we consulted evaluation frameworks pioneered by the Beth Israel Deaconess Medical Center (MIND) and The Digital Standard to arrive at four core questions to guide our study.

\*A score of (0) = the app did not fulfill the privacy requirement, (1) = the app partially fulfilled the privacy requirement, (2) = the app fulfilled the privacy requirement, and (3) = the app fulfilled the privacy requirement well

\*\*’Clear specification’ is defined here as an index of third-party companies and the data they receive.

Local vs. Cloud Storage

Understanding _where_ companies store your data is pivotal to assessing the privacy risk that comes with using their products. Most popular mobile apps store user data in the cloud—across multiple servers in multiple locations—which allows them to process large amounts of easily recoverable information. It also means that your data is more vulnerable to bad actors. This is why organizations like Givens’ prefer apps that store information directly on users’ devices. If an app stores data directly on your mobile phone, you’ll have more complete control of it. None of the apps reviewed above gave users the option to store their data locally, but Euki and Mozilla Foundation-backed Drip do.

Third-Party Sharing

If you’ve used Facebook to log in to a website or app recently, you’re already familiar with some of the ways that app developers share information with third parties. Understanding which third parties a company works with and what type of data is passed on to them is a helpful way to evaluate your level of protection. For example, Period Tracker’s privacy policy admits to sharing users’ device IDs with advertising networks, which is quite risky. It also expresses their willingness to sell or transfer user data as a result of a corporate merger or sale. Typically, apps who lay out plainly who they’re providing info to and why—like Clue does —are more trustworthy.

It’s also helpful to know whether data is routinely anonymized (stripped of identifying user information) before being shared with these third parties. However, this isn’t a panacea. Stripped-down data can still lead back to individual users under certain conditions. Machine learning makes this threat even more real, since the technology can speed up shady “re-identification” processes. Despite vowing to refrain from sharing user data themselves, Clue passes on anonymized data to certain third-party research groups. While Stardust expresses a commitment to limiting the information they share with third parties, their policy states it could share information in order to “comply with or respond to law enforcement,” or to protect the “security of the Company.” Ideally, apps are extremely selective with which third-parties they’re willing to share info with—or they don't share with third-parties at all.

Data Deletion

Every app should have established protocols that allow users to delete their personal data from the developers’ systems at will. While many US-based apps include these protocols to comply with the EU’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), users should look out for privacy policies that _clearly_ extend these erasure privileges to all users, regardless of location. Even so this can be tricky, says Givens: “If you’re not a resident of the jurisdiction that the law is covering, there’s no guarantee that they are going to honor it.”

Even apps that invite data deletion requests may not always execute them in a timely or complete fashion. Flo, whose security practices placed them under FTC scrutiny in 2021, states specifically in their privacy policy that upon deletion of their app, they “retain your personal data for a period of 3 years in case you decide to re-activate.” Period Tracker admits to retaining users’ mobile device IDs “for up to 24 months” after receiving a request. The safest apps should retain your data for 30 days or less, and ideally submit deletion requests to third parties on your behalf, like Clue does.

Location Tracking

If an app explicitly stores location data (like Period Calendar and Period Tracker do) it presents a greater privacy issue. While three out of the five apps analyzed here didn’t appear to save location data explicitly, each app saves users’ IP addresses, which can be used to determine someone’s general location. Flo, for example, explicitly shares IP addresses with third-parties such as AppsFlyer.

Stardust’s practices decouple users’ IP addresses from their health data, which increases security. But critics say their methods fall short of true end-to-end encryption. Regardless, when IP addresses are combined with outside data, such as a user’s search history or even other publicly available information about the user, they can easily reveal that person’s identity and their activities. The CDT and other privacy advocates have warned that users’ text messages and search histories have already been used against them in legal proceedings involving their reproductive health, and the practice is likely to expand.

The Bottom Line

At the end of the day, a period-tracking app like Clue presents users with slightly less risk than apps like Flo, Stardust, Period Calendar, and Period Tracker. However, all five of these apps, chosen for their outsize popularity, falter when compared with more secure options like Euki and Drip, as corroborated by Consumer Reports. Insofar as it’s possible for users to analyze _all_ of their apps according to standards set forth in The Digital Standard, Mhealth Index, and elsewhere, users can make educated decisions about which companies to align with—but evaluating the risks of using specific apps is an imperfect science. In addition to being extremely time consuming and often confusing, it’s nowhere near a suitable replacement for a lack of widespread legal privacy protections available for all Americans.

According to privacy experts like Givens, period-tracking apps represent the tip of the iceberg when it comes to digital privacy and security post-_Roe_. The CDT recommends that people assess their own risk level in order to determine whether using a period-tracking app is even worth it. In the meantime, taking steps to secure your personal information like text messages and search histories is probably more worthwhile.

For those looking to make a difference, experts recommend advocating directly to tech companies, especially precedent-setting organizations like Google and Meta (formerly Facebook) to demand better individual protections. It’s these corporations that will eventually have to respond to requests from law enforcement for user data, and many already promise to curtail their surveillance (but also lobby aggressively against privacy legislation and regulation). To pave the way for better policy, tech companies should aim to take serious inventory of the data they’re collecting, file transparency reports regularly, and, most importantly, take public stances in defense of privacy rights early and often.

The Most Popular Period-Tracking Apps, Ranked by Data Privacy

Despite alerting Meta months ago, feminist groups say tens of thousands of fake accounts continue to bombard them on the platform.

IRANIAN women’s rights groups have for months faced a deluge of bots following their Instagram accounts and disrupting their digital outreach operations. Activists say that while they have repeatedly asked Meta, Instagram’s parent company, to stymie the flood of junk followers, more keep coming, totaling in the millions across dozens of organizations operating in Iran and elsewhere around the world.

The targeted bot campaigns, in which a group receives tens of thousands of new followers in as little as a single day, have gained momentum as the Iranian government works to counter broad dissent focused on an array of pressing social issues, including economic hardship. Women’s rights activists say they have faced a particularly aggressive crackdown from the government in recent months, with some surveilled by law enforcement and arrested. As the National Day of Hijab and Chastity approached last Tuesday, women around the country participated in #No2Hijab actions, in which they pushed back their hijabs, revealing their hair, or removed them altogether. Authorities label participants “bad-hijab women.” 

Through it all, Instagram has served as a crucial communication platform for feminist organizers because it is one of the few international platforms accessible and uncensored in Iran’s tightly controlled digital landscape.

“More and more people are pushing back against hijab right now; it’s unprecedented and I think the government is feeling threatened by the women’s rights movement,” says Firuzeh Mahmoudi, executive director of United for Iran, one of the organizations that has faced bot targeting on its Instagram page. “So whatever is going on with these bots that have been purchased systematically to target Instagram pages is definitely not a coincidence, in my opinion. We’ve seen about 30 women’s rights groups inside Iran and 40 outside targeted in this way.”

The bot campaigns align with the interests of the Iranian regime, but the actors behind them haven’t yet been identified. The attacks are in some ways subtle because they don’t involve a flood of malicious comments or attempts to take down entire pages. Instead, activists say, their Instagram pages—which often have just a few thousand followers—suddenly gain tens of thousands more in the span of a few hours. The new follower accounts seem to be named using long, systematic strings of unintelligible consonants and numbers. In one example, Mahmoudi says that a United for Iran page jumped from consistently averaging around 27,000 followers to 70,000 overnight. Other activists shared similar stories of their accounts gaining tens of thousands of followers in a few hours in recent weeks and then gaining and losing followers a few thousand at a time after that. 

These massive spikes and fluctuations skew administrators’ metrics, making it hard to determine whether they are reaching legitimate followers with their posts and stories. Activists also note that the bot accounts will individually report specific posts to Instagram as abusive to get them wrongly taken down.

“It’s not consistent, but it hasn’t stopped since April,” says Shaghayegh Norouzi, founder of Me\_Too\_Movement\_Iran. “For example, if we are working on a sexual assault report from someone with strong connections to the government, we get a lot of fake followers. In the past 10 days, over 100,000 fake accounts have been added to our public account. They repeatedly report our posts, so Instagram removes our posts. These attacks specifically affect our performance to spread our message and be in contact with women and minorities who need our help.”

Despite having known about the issue for months, Meta tells WIRED that its investigation into the bot attacks is ongoing and not yet complete. “We want everyone to feel safe on Instagram—particularly activists, both in Iran and around the world,” a company spokesperson said in a statement. “We are continuing to investigate the activists’ concerns and will take action on any accounts that break our rules.”

The company says it has been receiving updates about the issues from Iranian women’s rights activists since April and had taken down hundreds of Instagram accounts in connection with the activity prior to this week. Meta describes the bot bombardments as adversarial but says it has not found evidence of automated or scripted activity. When asked what else could explain the patterns the activists have been seeing on their accounts, the company declined to comment on the record.

After WIRED reached out to Meta for comment, the company initially said it “checkpointed” a few hundred more accounts, a protective measure in which potentially suspicious accounts are blocked unless their owner can confirm their identity. Moments prior to publication, a Meta spokesperson said the company was taking down an additional 18,000 accounts that have targeted Iranian women’s rights groups. The company says that, in contrast to the activists’ reports, it does not see evidence that individual posts are being falsely reported and taken down.

Me\_Too\_Movement\_Iran’s Norouzi says her organization has been forced to create a private Instagram page in addition to its public one in an attempt to create a safe space for legitimate users. But multiple page administrators tell WIRED that it is difficult and time-consuming to screen followers and noted that, of course, creating a private page limits who can see posts.

At the end of June, a consortium of activists released a statement with AccessNow about the attacks on Iranian women’s groups, urging Meta to take action against the bots. 

“The fake followers have built a campaign of harassment by using high numbers of comments to intimidate and silence these users,” the groups wrote. “The fake followers have also damaged the credibility of the accounts they have targeted, resulting in a significant loss in engagement, likes, and viewership. This campaign is essentially drowning out the real engagement and outreach these accounts previously had.”

Last month, digital rights and security nonprofit Qurium released an analysis of the campaigns targeting Iranian feminist groups. The researchers found that the bots used in April and May seemed to be purchased from a few specific social media marketing companies based in Pakistan. The firms advertise services through which a customer could spend about $50 to purchase 10,000 bot followers or about $1,500 for up to 1 million fake accounts.

“So far, Meta has been slow to investigate this problem, even though the fake followers violate Meta’s ‘inauthentic behaviour policy,’” the groups wrote at the end of June. “They do not depict typical bot-like behaviour, and are potentially being operated by real humans from paid-for troll farms. Despite these complexities, Meta has enough documentation and evidence … to warrant swift action.”

For weeks, numerous groups have been communicating with Meta about the issue. Tord Lundström, Qurium’s technical director, tells WIRED that he has been trying to provide concrete suggestions to the company on how to investigate and identify the bots Qurium discovered in its analysis. 

“The response from Facebook can be summarized as follows: ‘We are looking into it, it is very difficult to solve, we have lots of people working on it,’ but nothing happens,” Lundström tells WIRED. “The fake followers, likes, and reviews industry has been camping inside Facebook for years. We have identified dozens of portals inside Facebook providing these services. It takes seconds to find them, but it seems that Facebook has difficulties stopping this market. Why?"

Milad Keshtan, program lead at United For Iran, expressed similar frustrations. “We have really clear action items that Meta could take to help us mitigate these campaigns, but we haven’t seen any response from them, even though we have reached out to them directly,” he says.

Meta emphasized that its investigation is ongoing and that multiple teams within the company are analyzing the activity. But the company did not comment on the record about why it hasn’t specifically acted on the researchers’ recommendations.

And it is a particularly urgent moment for comprehensive action to safeguard the accounts of Iranian women’s rights organizers.

“The Me Too movement in Iran started about three years ago and has grown exponentially in the past six months,” Me\_Too\_Movement\_Iran’s Norouzi says. “Of course, government and anti-feminist movements in Iran do not like this growth and awareness. And it’s not only us as feminist activists, but also whoever has collaborated with us who have experienced these attacks on Instagram. We are in shock that Instagram is letting people use their platform to shut down voices of women and minorities.”

Instagram Slow to Tackle Bots Targeting Iranian Women’s Groups

Plus: A wild Indian cricket scam, an elite CIA hacker is found guilty of passing secrets to WikiLeaks, and more of the week's top security news.

The websites you visit can reveal (almost) everything about you. If you are looking up health information, reading about trade unions, or researching details around certain types of crime, then you can potentially give away a huge amount of detail about yourself that a malicious actor could use against you. Researchers this week have detailed a new attack, using the web’s basic functions, that can unmask anonymous users online. The hack uses common web browser features—included in every major browser—and CPU functions to analyze whether you’re logged in to services such as Twitter or Facebook and subsequently identify you.

Elsewhere, we detailed how the Russian “hacktivist” group Killnet is attacking countries that backed Ukraine but aren’t directly involved in the war. Killnet has launched DDoS attacks against official government websites and businesses in Germany, the United States, Italy, Romania, Norway, and Lithuania in recent months. And it’s only one of the pro-Russian hacktivist groups causing chaos.

We’ve also looked at a new privacy scandal in India where donors to nonprofit organizations have had their details and information handed to police without their consent. We also looked at the new “Retbleed” attack that can steal data from Intel and AMD chips. And we took stock of the ongoing January 6 committee hearings—and predicted what’s to come.

But that’s not all. Each week we round up the news that we didn’t break or cover in-depth. Click on the headlines to read the full stories. And stay safe out there!

For years, Amazon-owned security camera firm Ring has been building relationships with law enforcement. By the start of 2021, Amazon had struck more than 2,000 partnerships with police and fire departments across the US, building out a huge surveillance network with officials being able to request videos to help with investigations. In the UK, Ring has partnered with police forces to give cameras away to local residents.

This week, Amazon admitted to handing police footage recorded on Ring cameras without their owners’ permission. As first reported by Politico, Ring has given law enforcement officials footage on at least 11 occasions this year. This is the first time the firm has admitted to passing on data without consent or a warrant. The move will raise further concerns over Ring’s cameras, which have been criticized by campaign groups and lawmakers for eroding people’s privacy and making surveillance technology ubiquitous. In response, Ring says it doesn’t give anyone “unfettered” access to customer data or video but may hand over data without permission in emergency situations where there is imminent danger of death or serious harm to a person.

In 2017, the Vault 7 leaks exposed the CIA’s most secretive and powerful hacking tools. Files published by WikiLeaks showed how the agency could hack Macs, your router, your TV, and a whole host of other devices. Investigators soon pointed the finger at Joshua Schulte, a hacker in the CIA’s Operations Support Branch (OSB), which was responsible for finding exploits that could be used in the CIA’s missions. Schulte has now been found guilty of leaking the Vault 7 files to Wikileaks and is potentially facing decades in prison. Following an earlier mistrial in 2018, Schulte was this week found guilty on all nine charges against him. Weeks ahead of his second trial, _The New Yorker_ published this comprehensive feature exploring Schulte’s dark history and how the CIA’s OSB operates.

Hackers linked to China, Iran, and North Korea have been targeting journalists and media outlets, according to new research from security firm Proofpoint. Alongside efforts to compromise the official accounts of members of the press, Proofpoint says, multiple Iranian hacking groups have posed as journalists and tried to trick people into handing over their online account details. The Iranian-linked group Charming Kitten has sent detailed interview requests to its potential hacking targets, and they have also tried to impersonate multiple Western news outlets. “This social engineering tactic successfully exploits the human desire for recognition and is being leveraged by APT actors wishing to target academics and foreign policy experts worldwide, likely in an effort to gain access to sensitive information,” Proofpoint says.

In any company or organization, items will go missing from time to time. Usually these are misplaced phones, security passes, and files occasionally being left at bus stops by mistake. Losing any of these things may open up security risks if devices are insecure or if sensitive information is made public. Less commonly lost are desktop computers—unless you’re the FBI. According to FBI records obtained by VICE’s _Motherboard_, the agency lost 200 desktop machines between July and December 2021. Also lost, or in some cases stolen, were pieces of body armor and night-vision scopes.

Scams don’t get much more elaborate than this. This week, police in India busted a fake “Indian Premier League” cricket tournament. A group of alleged scammers set up the fake league in the western Indian state of Gujarat and hired young men to play cricket matches, posing as professional teams while they livestreamed the matches for people to bet on. According to police, the group hired a fake commentator, created onscreen graphics showing real-time scores, and played crowd noises downloaded from the internet. To hide the fact that the matches took place on a farm instead of inside a large stadium, the videofeed only showed closeups of the action. Police said they caught the gang as a quarterfinal match was being played. Police believe the gang was potentially running multiple leagues and was planning to expand to a volleyball league, too. The match footage is worth watching.

Amazon Handed Ring Videos to Cops Without Warrants

Researchers have found a way to use the web's basic functions to identify who visits a site—without the user detecting the hack.

Everyone from advertisers and marketers to government-backed hackers and spyware makers wants to identify and track users across the web. And while a staggering amount of infrastructure is already in place to do exactly that, the appetite for data and new tools to collect it has proved insatiable. With that reality in mind, researchers from the New Jersey Institute of Technology are warning this week about a novel technique attackers could use to de-anonymize website visitors and potentially connect the dots on many components of targets’ digital lives.

The findings, which NJIT researchers will present at the Usenix Security Symposium in Boston next month, show how an attacker who tricks someone into loading a malicious website can determine whether that visitor controls a particular public identifier, like an email address or social media account, thus linking the visitor to a piece of potentially personal data. 

When you visit a website, the page can capture your IP address, but this doesn’t necessarily give the site owner enough information to individually identify you. Instead, the hack analyzes subtle features of a potential target’s browser activity to determine whether they are logged into an account for an array of services, from YouTube and Dropbox to Twitter, Facebook, TikTok, and more. Plus the attacks work against every major browser, including the anonymity-focused Tor Browser.

“If you’re an average internet user, you may not think too much about your privacy when you visit a random website,” says Reza Curtmola, one of the study authors and a computer science professor at NJIT. “But there are certain categories of internet users who may be more significantly impacted by this, like people who organize and participate in political protest, journalists, and people who network with fellow members of their minority group. And what makes these types of attacks dangerous is they’re very stealthy. You just visit the website and you have no idea that you’ve been exposed.”

The risk that government-backed hackers and cyber-arms dealers will attempt to de-anonymize web users isn’t just theoretical. Researchers have documented a number of techniques used in the wild and have witnessed situations in which attackers identified individual users, though it wasn’t clear how.

Other theoretical work has looked at an attack similar to the one NJIT researchers developed, but much of this past investigation has focused on grabbing revealing data that’s leaked between websites when one service makes a request to another. As a result of this prior work, browsers and website developers have improved how data is isolated and restricted when content loads, making these potential attack paths less feasible. Knowing that attackers are motivated to seek out techniques for identifying users, though, the researchers wanted to explore additional approaches.

“Let’s say you have a forum for underground extremists or activists, and a law enforcement agency has covertly taken control of it,” Curtmola says. “They want to identify the users of this forum but can’t do this directly because the users use pseudonyms. But let’s say that the agency was able to also gather a list of Facebook accounts who are suspected to be users of this forum. They would now be able to correlate whoever visits the forum with a specific Facebook identity.”

How this de-anonymization attack works is difficult to explain but relatively easy to grasp once you have the gist. Someone carrying out the attack needs a few things to get started: a website they control, a list of accounts tied to people they want to identify as having visited that site, and content posted to the platforms of the accounts on their target list that either allows the targeted accounts to view that content or blocks them from viewing it—the attack works both ways. 

Next, the attacker embeds the aforementioned content on the malicious website. Then they wait to see who clicks. If anyone on the targeted list visits the site, the attackers will know who they are by analyzing which users can (or cannot) view the embedded content.

The attack takes advantage of a number of factors most people likely take for granted: Many major services—from YouTube to Dropbox—allow users to host media and embed it on a third-party website. Regular users typically have an account with these ubiquitous services and, crucially, they often stay logged into these platforms on their phones or computers. Finally, these services allow users to restrict access to content uploaded to them. For example, you can set your Dropbox account to privately share a video with one or a handful of other users. Or you can upload a video to Facebook publicly but block certain accounts from viewing it. 

These “block” or “allow” relationships are the crux of how the researchers found that they can reveal identities. In the “allow” version of the attack, for instance, hackers might quietly share a photo on Google Drive with a Gmail address of potential interest. Then they embed the photo on their malicious web page and lure the target there. When visitors’ browsers attempt to load the photo via Google Drive, the attackers can accurately infer whether a visitor is allowed to access the content—aka, whether they have control of the email address in question. 

Thanks to the major platforms’ existing privacy protections, the attacker can’t check directly whether the site visitor was able to load the content. But the NJIT researchers realized they could analyze accessible information about the target’s browser and the behavior of their processor as the request is happening to make an inference about whether the content request was allowed or denied. 

The technique is known as a “side channel attack” because the researchers found that they could accurately and reliably make this determination by training machine learning algorithms to parse seemingly unrelated data about how the victim’s browser and device process the request. Once the attacker knows that the one user they allowed to view the content has done so (or that the one user they blocked has been blocked) they have de-anonymized the site visitor.

Complicated as it may sound, the researchers warn that it would be simple to carry out once attackers have done the prep work. It would only take a couple of seconds to potentially unmask each visitor to the malicious site—and it would be virtually impossible for an unsuspecting user to detect the hack. The researchers developed a browser extension that can thwart such attacks, and it is available for Chrome and Firefox. But they note that it may impact performance and isn’t available for all browsers.

Through a major disclosure process to numerous web services, browsers, and web standards bodies, the researchers say they have started a larger discussion about how to comprehensively address the issue. At the moment, Chrome and Firefox have not publicly released responses. And Curtmola says fundamental and likely infeasible changes to the way processors are designed would be needed to address the issue at the chip level. Still, he says that collaborative discussions through the World Wide Web Consortium or other forums could ultimately produce a broad solution.

“Vendors are trying to see if it’s worth the effort to resolve this,” he says. “They need to be convinced that it’s a serious enough issue to invest in fixing it.”

A New Attack Can Unmask Anonymous Users on Any Major Browser

The exploit can leak password information and other sensitive material, but the chipmakers are rolling out mitigations.

Some microprocessors from Intel and AMD are vulnerable to a newly discovered speculative execution attack that can covertly leak password data and other sensitive material, sending both chipmakers scrambling once again to contain what is proving to be a stubbornly persistent vulnerability.

Researchers from ETH Zurich have named their attack Retbleed because it exploits a software defense known as retpoline, which chipmakers introduced in 2018 to mitigate the harmful effects of speculative execution attacks. Speculative execution attacks, also known as Spectre, exploit the fact that when modern CPUs encounter a direct or indirect instruction branch, they predict the address for the next instruction they’re about to receive and automatically execute it before the prediction is confirmed. Spectre works by tricking the CPU into executing an instruction that accesses sensitive data in memory that would normally be off-limits to a low-privileged application. Retbleed then extracts the data after the operation is canceled.

Is It a Trampoline or a Slingshot?

Retpoline works by using a series of return operations to isolate indirect branches from speculative execution attacks, in effect erecting the software equivalent of a trampoline that causes them to safely bounce. Stated differently, a retpoline works by replacing indirect jumps and calls with returns, which many researchers presumed weren’t susceptible. The defense was designed to counter variant 2 of the original speculative execution attacks from January 2018. Abbreviated as BTI, the variant forces an indirect branch to execute so-called gadget code, which in turn creates data to leak through a side channel.

Some researchers have warned for years that retpoline isn’t sufficient to mitigate speculative execution attacks because the returns retpoline used were susceptible to BTI. Linux creator Linus Torvalds famously rejected such warnings, arguing that such exploits weren’t practical.

The ETH Zurich researchers have conclusively shown that retpoline is insufficient for preventing speculative execution attacks. Their Retbleed proof-of-concept works against Intel CPUs with the Kaby Lake and Coffee Lake microarchitectures as well as with AMD Zen 1, Zen 1+, and Zen 2 microarchitectures.

“Retpoline, as a Spectre-BTI mitigation, fails to consider return instructions as an attack vector,” researchers Johannes Wikner and Kaveh Razavi wrote. “While it is possible to defend return instructions by adding a valid entry to the RSB return stack buffer before executing the return instruction, treating every return as potentially exploitable in this way would impose a tremendous overhead. Previous work attempted to conditionally refill the RSB with harmless return targets whenever a perCPU counter that tracks the call stack depth reaches a certain threshold, but it was never approved for upstream. In the light of Retbleed, this mitigation is being re-evaluated by Intel, but AMD CPUs require a different strategy.”

In an email, Razavi explained it this way:

_Spectre variant 2 exploited indirect branches to gain arbitrary speculative execution in the kernel. Indirect branches were converted to returns using the retpoline to mitigate Spectre variant 2._

_Retbleed shows that return instructions unfortunately leak under certain conditions similar to indirect branches. These conditions are unfortunately common on both Intel (Skylake and Skylake-based) and AMD (Zen, Zen+ and Zen2) platforms. This means that retpoline was unfortunately an inadequate mitigation to begin with._

In response to the research, both Intel and AMD advised customers to adopt new mitigations that the researchers said will add as much as 28 percent more overhead to operations.

Retbleed can leak kernel memory from Intel CPUs at about 219 bytes per second and with 98 percent accuracy. The exploit can extract kernel memory from AMD CPUs with a bandwidth of 3.9 kB per second. The researchers said that it’s capable of locating and leaking a Linux computer’s root password hash from physical memory in about 28 minutes when running the Intel CPUs and in about six minutes for AMD CPUs.

Retbleed works by using code that essentially poisons the branch prediction unit that CPUs rely on to make their guesses. Once the poisoning is complete, this BPU will make mispredictions that the attacker can control.

“We found that we can inject branch targets that reside inside the kernel address-space, even as an unprivileged user,” the researchers wrote in a blog post. “Even though we cannot access branch targets inside the kernel address-space—branching to such a target results in a page fault—the Branch Prediction Unit will update itself upon observing a branch and assume that it was legally executed, even if it's to a kernel address.”

Intel and AMD Respond

Both Intel and AMD have responded with advisories. Intel has confirmed that the vulnerability exists on Skylake-generation processors that don’t have a protection known as enhanced Indirect Branch Restricted Speculation (eIBRS) in place.

“Intel has worked with the Linux community and VMM vendors to provide customers with software mitigation guidance which should be available on or around today's public disclosure date,” Intel wrote in a blog post. “Note that Windows systems are not affected given that these systems use Indirect Branch Restricted Speculation (IBRS) by default which is also the mitigation being made available to Linux users. Intel is not aware of this issue being exploited outside of a controlled lab environment.”

AMD, meanwhile, has also published guidance. “As part of its ongoing work to identify and respond to new potential security vulnerabilities, AMD is recommending software suppliers consider taking additional steps to help guard against Spectre-like attacks,” a spokesman wrote in an email. The company has also published a white paper.

Both the researchers’ research paper and blog post explain the microarchitectural conditions necessary to exploit Retbleed:

_**Intel**. On Intel, returns start behaving like indirect jumps when the Return Stack Buffer, which holds return target predictions, is underflowed. This happens upon executing deep call stacks. In our evaluation we found over a thousand of such conditions that can be triggered by a system call. The indirect branch target predictor for Intel CPUs has been studied in_ _previous work__._

_**AMD**. On AMD, returns will behave like an indirect branch regardless of the state of their Return Address Stack. In fact, by poisoning the return instruction using an indirect jump, the AMD branch predictor will assume that it will encounter an indirect jump instead of a return and consequentially predict an indirect branch target. This means that any return that we can reach through a system call can be exploited—and there are tons of them._

In an email, Razavi added: “Retbleed is more than just a retpoline bypass on Intel, specially on AMD machines. AMD is in fact going to release a white paper introducing Branch Type Confusion based on Retbleed. Essentially, Retbleed is making AMD CPUs confuse return instructions with indirect branches. This makes exploitation of returns very trivial on AMD CPUs.”

The mitigations will come at a cost that the researchers measured to be between 12 percent and 28 percent more computational overhead. Organizations that rely on affected CPUs should carefully read the publications from the researchers, Intel, and AMD, and be sure to follow the mitigation guidance.

_This story originally appeared on_ _Ars Technica__._

New ‘Retbleed’ Attack Can Swipe Key Data From Intel and AMD CPUs

Nonprofit donors had their information given to law enforcement without consent, highlighting limited data protections in the world’s largest democracy.

Prasanto K. Roy, a public policy consultant from New Delhi, is worried. In 2017 he began sending regular donations to the Indian fact-checking organization Alt News to support its work countering online misinformation. But on July 5 the nonprofit said that Indian payments gateway Razorpay, which it used to receive donations, had shared its donors’ data with New Delhi police following the arrest of Alt News cofounder Mohammed Zubair last month.

Roy is now hesitant to use Razorpay, saying he is concerned about tech companies handing over data—including his own—to law enforcement without consent. “When a payment gateway gives out donor databases on a police demand that is excessive, that information can be misused by the police or others it could reach,” he said. “India doesn’t even have privacy laws in place yet.”

The full extent of the data that Razorpay shared with police remains unclear, but Alt News said that the data it collects from donors includes phone numbers, email addresses, and tax IDs. A police official told the _Hindustan Times_ that the force is gathering data from banks to cross-reference with the Alt News data.

The investigation appears to be part of an ongoing probe to check whether Alt News received donations from outside of India, after police claimed that the organization’s parent received funds from several other countries, including Pakistan and Syria. Zubair, the cofounder of Alt News, was arrested on June 27 for a 2018 tweet that allegedly hurt religious sentiments, but is also being investigated for other charges, including receiving foreign funds under India’s Foreign Contribution (Regulation) Act, which restricts foreign donations to nonprofits.

While the arrest has spurred many Indians to fear that police are quashing internet freedom, it has also highlighted the limited legal protections on privacy in the world’s largest democracy, which lacks a comprehensive data protection law. The stakes are growing higher as more people in India use the internet for leisure, communications, and commerce. The country’s digital payments market—already at $3 trillion in value—is expected to skyrocket to $10 trillion by 2026, according to Boston Consulting Group.

Razorpay has faced social media backlash and threats of a boycott for sharing donor data without first informing Alt News. “Many donors and fundraisers said they wouldn’t use Razorpay again, and that was my initial reaction too,” said Roy, while adding that perhaps other companies would also have caved under the same pressure from police.

In a public statement on Twitter, Razorpay did not mention Alt News and said that the data shared was “restricted to what was within the scope of investigation.” Razorpay CEO Harshil Mathur tweeted that police were attempting to “determine whether there were any foreign donations or not” and claimed that donors’ tax IDs and addresses were not shared. Razorpay did not respond to a request for comment; Alt News cofounder Pratik Sinha declined to comment.

Indian police obtained the data from Razorpay under section 91 of the Criminal Procedure Code, which allows officials to seek documents or data connected to an ongoing investigation. But criminal lawyers told WIRED that the law gives police considerable flexibility, leaving room for overreach or misuse.

“Section 91 allows the police to make any request for information to any person during an inquiry, and it’s a standard investigative tool,” said Abhinav Sekhri, a criminal lawyer based in New Delhi. “Companies routinely receive such requests, at severe cost, because there are consequences for noncompliance, leaving them with no choice at times.” One such consequence could be an executive facing criminal action and potentially imprisonment, Sekhri says.

Meanwhile, financial technology experts say that even if Razorpay hadn’t complied with the demand to hand over Alt News data, the police could likely have retrieved it from other players in the payments ecosystem. “The source and destination information is stored across the entire chain,” said Srikanth Lakshmanan, a researcher who runs Cashless Consumer, a collective that works on consumer awareness of digital payments in India. “It’s not just Razorpay that will store this information, but also the card issuer and acquiring bank and payment network.”

This broad collection and sharing of data can make privacy in digital payments in India seem nigh on impossible. “The state of privacy in digital payments in India is nonexistent,” Lakshmanan says. The ease with which digital data can be shared and leaked makes privacy challenging around the world, but India’s centralized biometric identity system, Aadhaar, can add extra vulnerabilities, he says. “It's easy to look for more information in India where a whole range of data sets are cross-linked, giving a much richer profile.”

A Privacy Panic Flares Up in India After Police Pull Payment Data

The US House committee has already uncovered a more organized and sinister plot than many imagined. But history suggests the worst may be yet to come.

The House committee investigating the January 6 attack never promised a quiet summer, but when hearings started a month ago it certainly seemed like it might be a _quieter_ summer. Many of what were anticipated to be the biggest revelations appeared to have leaked before the hearings began, and the six to eight scheduled public sessions, expected to last only about two hours each, seemed to telegraph modest ambitions—especially in comparison to the 1973 Watergate hearings that stretched for 237 hours, or even the far less consequential 2015 Republican-led Benghazi hearings, where Hillary Clinton alone testified publicly for 11 hours.

But then the hearings began, and with them an emotional and tense multimedia roller coaster, exquisitely produced by former ABC News executive James Goldston to mimic a prestige TV series, in which each “episode” reveals deeper twists and turns and ever more corruption and outrage. Representative Liz Cheney and surprise witness Cassidy Hutchinson, an aide to former chief of staff Mark Meadows, emerged as the summer’s biggest breakout TV stars. 

The testimony so far has proven far more compelling, damning, and reputationally damaging to former president Trump than almost anyone imagined. The committee evidently has the goods and understands how to package them for maximum effect. They are now preparing to return from a brief summer break with two more hearings this week, one on Tuesday and a second prime-time hearing on Thursday.

For 18 months, the tick-tock of the Trump administration’s chaotic build to January 6 has trickled out in news reports, documentaries, and government documents, giving the public a sense of the scope of misdeeds and damage to American democracy. But the events had seemed akin to what the country (and the world) lived through during Trump’s four years as president—a disordered and noisy series of imprudent and haphazard pronouncements, ill-considered tweets, hasty policy choices, and reckless bluster.

Now the country can see otherwise: There was a method to Trump’s madness. The events across the 10 weeks from early November to January 6 were far more organized and sinister than previously known.

Most importantly, the evidence of crimes and criminality has proved inescapable.

In fact, it seems there was a lot of crime in the days and weeks leading up to the riot at the Capitol on January 6—and Trump’s aides seemed to clearly understand that they were headed toward a criminal reckoning. As Hutchinson recounted White House counsel Pat Cipollone telling her, “We’re going to get charged with every crime imaginable if we \[let the President go to the Capitol on January 6.\]”

Altogether, the committee has painted a far more organized and coherent picture of the administration’s efforts than most imagined existed. The hearings have revealed a seven-part coordinated effort by the Trump White House—and the president personally—to weaponize every public, political, and governmental tool at his disposal to hold on to power in the face of a clear and convincing electoral loss. He and a small cadre of loyal aides tried to undermine the legitimacy of Joe Biden’s victory, encouraged states to overturn valid election results, attempted to install election-doubting loyalists at the Justice Department, and applied consistent pressure to Vice President Mike Pence to step outside his constitutional role and reject the electoral college certification. And then—when literally all else failed—Trump encouraged his supporters to flock to the Capitol and stood by—without taking any action to stop them—while they rampaged through the building and came close to harming Pence and lawmakers.

Trump knew what he was doing, was told by aides repeatedly and broadly that it was wrong, and continued his pressure campaign anyway. January 6 wasn’t a spontaneous riot; it was the final attempt at a coup that had failed at every step until then. And the fact that so many of the participants, from members of Congress to, according to Hutchinson, White House chief Mark Meadows himself, apparently sought presidential pardons for their actions in the Trump administration’s final days makes it clear there was what prosecutors call “mens rea,” a guilty mind. In the 18 months since the events at the Capitol, the Justice Department has brought charges against more than 800 people involved in the riots, including eye-opening charges of “seditious conspiracy” against some of the white nationalist militia members, like the Oath Keepers and the Proud Boys, who should figure prominently at this week’s congressional hearings. Precisely none of those yet charged have been within Trump’s inner circle.

That may soon change—and American democracy might very well hinge on whether it does.

While the chair, Representative Bennie Thompson, and vice chair Cheney maintain that their purpose is only to deliver a comprehensive accounting of the events around January 6, the outlines of a whole series of criminal actions are now evident. The technical crimes may feel somewhat obscure—wire fraud, theft of honest services, defrauding the United States, obstruction of justice, obstruction of an official proceeding of Congress—but the fact pattern seems to grow ever more clear. Moreover, the hearing that focused on the White House pressuring elected officials in the state of Georgia brought renewed attention to the possibility that even if the US Justice Department fails to act, state prosecutors might very well decide Donald Trump committed electoral crimes there.

The biggest shift in the national landscape from the January 6 committee, though, seems likely to be ahead of us.

It’s worth remembering too how much the political and factual landscape can change during hearings like this: The biggest revelation of the Watergate hearings—that Nixon had installed a taping system in the White House that would have captured all the key conversations of the conspiracy and cover-up—didn’t emerge until mid-July 1973, weeks into the hearings by Senator Sam Ervin’s Watergate select committee.

Perhaps similarly, there’s a growing sense that the blockbuster nature of the January 6 hearings—and the damaging testimony elicited thus far—is itself compelling further cooperation and testimony. For example, Hutchinson, who had long been represented by a Trump-paid attorney, changed counsel midstream and began cooperating. Friday, Cipollone—who had also resisted testifying—met with committee investigators for nearly eight hours. And the Justice Department announced in a court filing Monday that one of Trump’s attorneys had interviewed with the FBI, as part of Steve Bannon’s related criminal contempt process, testimony that could have wide-ranging implications and itself spur further targets to cooperate. (As part of that filing, the Justice Department rejected Bannon’s weekend public proclamation that he was willing to cooperate with the committee as insincere, saying, “The only thing that has really changed since he refused to comply with the subpoena in October 2021 is that he is finally about to face the consequences of his decision to default.”)

Prosecutors understand this phenomenon well: As evidence of crimes mount, cooperation among the conspirators often spreads. Conspiracies crumble as testimony builds and personal legal and criminal jeopardy rises with it. John Dean, the former White House counsel who originally helped architect the Watergate cover-up before turning states’ witness, became a star witness only after he realized how much—and how clearly—he’d participated in the obstruction of justice.

Other Trump aides seem to be listening to the January 6 hearings and making their own calculations as the committee reconvenes this week. Surely many of them will be uncomfortable with what they hear in the hours and days ahead.

The January 6 Insurrection Hearings Are Just Heating Up

The pro-Russian group Killnet is targeting countries supporting Ukraine. It has declared "war" against 10 nations.

The attacks against Lithuania started on June 20. For the next 10 days, websites belonging to the government and businesses were bombarded by DDoS attacks, overloading them with traffic and forcing them offline. “Usually the DDoS attacks are concentrated on one or two targets and generate huge traffic,” says Jonas Sakrdinskas, acting director of Lithuania’s national cybersecurity center. But this was different.

Days before the attacks started, Lithuania blocked coal and metal from being moved through its country to the Russian territory of Kaliningrad, further bolstering its support for Ukraine in its conflict with Russia. Pro-Russian hacker group Killnet posted “Lithuania are you crazy? 🤔” on its Telegram channel to 88,000 followers. The group then called on hacktivists—naming a number of other pro-Russian hacking groups—to attack Lithuanian websites. A list of targets was shared.

The attacks, Sakrdinskas explains, were continuous and spread across all areas of daily life in Lithuania. In total more than 130 websites in both the public and private sectors were “hindered” or made inaccessible, according to Lithuania’s government. Sakrdinskas says the attacks, which were linked to Killnet, have mostly dropped off since the start of July, and the government has opened a criminal investigation.

The attacks are just the latest wave of pro-Russian “hacktivist” activity since the start of Vladimir Putin’s war in February. In recent months Killnet has targeted a growing list of countries that have supported Ukraine but are not directly involved in the war. Attacks against websites in Germany, Italy, Romania, Norway, Lithuania, and the United States have all been linked to Killnet. The group has declared “war” on 10 nations. The targeting often happens after a country offers support for Ukraine. Meanwhile XakNet, another pro-Russian hacktivist group, has claimed to have targeted Ukraine’s biggest private energy company and the Ukrainian government.

While security experts have frequently warned that attacks from Russia could target Western countries, the efforts of volunteer hacktivist groups can have an impact without being officially backed or conducted by the state. “They definitely have malicious intent when they conduct these attacks,” says Ivan Righi, a senior cyberthreat intelligence analyst at security firm Digital Shadows who has studied Killnet. “They're not working together with Russia but in support of Russia.”

Killnet started as a DDoS tool and was first spotted in January this year, Righi says. “They were advertising this app or this website, where you could hire a botnet and then use it to launch DDoS attacks.” But when Russia invaded Ukraine at the end of February, the group pivoted. The vast majority of Killnet’s efforts and those of its “legion” group—members of the public who are asked to join and launch attacks—have been DDoS attacks, Righi says, but he has also seen the group linked to some website defacements, and the group itself has made unverified claims that it has stolen data.

Its Telegram channel, where it makes political statements and talks about targets, was created at the end of February and has grown in popularity, with the number of members doubling since May. “They began to gain a lot of popularity from the public in Russia,” Righi says. Righi says it produces slick promotional videos and sells its own merchandise.

While DDoS attacks aren’t sophisticated, they “will still be able to create uncertainty in the population and give the impression that we are a piece in the current political situation in Europe,” said Sofie Nystrøm, the head of Norway’s NSM cybersecurity agency, in a statement after businesses in the country were targeted by DDoS attacks at the end of June.

Russia has long been home to cybercriminals such as ransomware groups, which the country has largely ignored as long as they don’t target companies in Russia. Simultaneously, Russian military hackers have stirred global chaos for years—causing electricity blackouts in Ukraine, hacking the Olympics, and conducting the worst cyberattack in history. Evidence against state-backed Russian hackers has been piling up since the start of the war, though Russia has consistently denied launching cyberattacks around the world. The Russian embassy in the United States did not immediately respond to a request for comment.

In April, cybersecurity officials in the US, Australia, Canada, New Zealand, and the UK warned against the potential damage that pro-Russian groups, including XakNet and Killnet, could cause. While it is not clear who is behind Killnet or whether the group is backed by the Russian state, one other notorious Russian hacktivist group has been linked to the Kremlin. At the end of June, US cybersecurity company Mandiant, as first reported by Bloomberg, said Russian intelligence operatives had passed stolen information to XakNet. Ukrainian officials have also pinned attacks on DTEK, the country’s largest private energy firm, on XakNet. (The group has posted about DTEK multiple times in its 36,000-subscriber Telegram channel.)

“We've seen a number of groups emerge in the context of the Russian invasion of Ukraine,” says Alden Wahlstrom, a senior analyst at Mandiant. “XakNet and Killnet both have questionable provenance.” Wahlstrom says any claims of hacktivism should be approached with “a healthy dose of skepticism” and that Russian intelligence agencies have an “established history of using cutout groups” for cyberactivities. Last week the Trickbot cybercriminal group—which is made up of multiple smaller groups like the Conti ransomware group, and has links to the Russian state—was spotted by IBM targeting Ukraine for the first time. IBM describes the move as a “huge shift” in the group’s behavior.

XakNet has claimed it is not being directed by the Russian government. In one Telegram post responding to Mandiant’s findings, it said it “fully” supports the Kremlin’s position and acknowledges its activities aren’t legal. It said it does not cooperate with Russia’s FSB security service “at the moment” but is “happy to provide data to those who ask.”

It is possible there are some connections among Russian hacker groups themselves. In multiple instances, Wahlstrom says, they have cross-posted about other groups’ work on their Telegram channels. For instance, when Killnet called for Lithuania to be targeted it posted a message asking for help from XakNet, Russian ransomware groups, and other pro-Russian hacking groups.

“XakNet and Killnet have given a decent amount of media interviews in the Russian media space, which is a reason to at least consider that there is a potential dual component to some of this activity,” Wahlstrom says. “They are helping to advance Russian interests abroad, either in Ukraine or further afield, but on the flip side they're being heavily promoted in the Russian media as groups that are displays of these patriotic volunteers that embody support for Russian government decisions.”

Killnet responded to a request for comment by saying it was “no longer friends” with XakNet. “Our enemy is your government bro,” the group says. “But we are not dangerous to ordinary people.”

DDoS attacks have been prominent in Ukraine, too. Officials there created a volunteer IT army, where people from around the world can help launch attacks against Russian targets. The IT army has claimed to take down, at least temporarily, the websites of Russian government departments, food delivery services, and banks—one of Putin’s speeches last month was delayed by an hour after the IT army attacks. Attacks against Russia have also come from hacktivist groups outside of Ukraine, such as Anonymous.

Ultimately, as Russia’s war against Ukraine continues, the activity of pro-Russian cyber groups continues to be in line with Russian aims. “Moscow has kept its relationship with Russia-based hacktivist groups deliberately ambiguous,” says Emily Harding, deputy director of the international security program at the Center for Strategic and International Studies, a US-based think tank. “Moscow’s security services know who these operators are and will use some form of leverage to force them to cooperate when needed.”

Harding says analysts have continuously predicted that Russia would use “deniable tools” and groups to react against countries that support Ukraine. While DDoS attacks may not be sophisticated, they contribute to this effort. And if attacks by so-called hacktivist groups become more advanced, there’s a greater chance they could cause more damage or risk escalation of the conflict. “The risk of miscalculation is real,” Harding says. “No one has yet really tested the limits of cyber operations without causing escalation.”

Source

Wired