So much jamming is taking place in northeastern Norway, regulators no longer want to know.

From the ground, northeastern Norway might look like fjord country, peppered with neat red houses and dissected by snowmobile tours through the winter. But for pilots flying above, the region has become a danger zone for GPS jamming.

The jamming in the region of Finnmark is so constant, Norwegian authorities decided last month they would no longer log when and where it happens—accepting these disturbance signals as the new normal.

Nicolai Gerrard, senior engineer at NKOM, the country’s communications authority, says his organization no longer counts the jamming incidents. “It has unfortunately developed into an unwanted normal situation that should not be there. Therefore, the \[Norwegian authority in charge of the airports\] are not interested in continuous updates on something that is happening all the time.”

Pilots meanwhile, still have to adapt, usually when they are above 6,000 feet in the air. “We experience this almost every day,” says Odd Thomassen, a captain and senior safety adviser at the Norwegian airline Widerøe. He claims jamming typically lasts between six and eight minutes at a time.

A map of GPS jamming over Europe on 17 October 2024.

Map: Courtesy of Benoit Figuet, Michael Felux and Raphael Monstein of SkAI Data Services and the Zurich University of Applied Sciences. Data sourced from the OpenSky Network.

When a plane gets jammed, warnings flash on cockpit computers and the GPS system used to warn pilots of a potential collision with terrain, such as mountains, stops working. Pilots are still able to navigate without GPS if they can communicate with ground stations nearby, explains Thomassen. But they are left with an eerie sense they are flying without the support of the latest technology. “You're basically \[going\] 30 years back in time,” he says.

Since Russia’s full-scale invasion of Ukraine in 2022, jamming has dramatically increased across Europe’s eastern edges, and authorities in Baltic countries openly blame Russia for overloading GPS receivers with benign signals, meaning they can no longer operate. In April, a Finnair plane trying to land in Tartu, Estonia, was forced to turn back 15 minutes before landing because it could not get an accurate GPS signal.

Over the past decade, GPS systems have been considered so dependable that many smaller, more remote airports have started to rely on it completely instead of maintaining more expensive ground-based equipment, says Andy Spencer, a pilot and international flight ops specialist at OpsGroup, a member organization for pilots and others in the airline industry.

“In Norway, you're probably looking at a lot of airports that only have GPS approaches,” he says, referring to the phase of the flight where planes descend to the runway. “If there is an issue with GPS signals, these airports can become off limits.”

In Finland, even tractors capable of operating automatically have been disrupted. In May, the Finnish transport agency said the problem had intensified since Ukraine began targeting Russian energy infrastructure with drones, suggesting the jamming could be a side effect of Russia’s new drone defense systems. That same month, the agency changed its guidelines so that airlines have to report only GPS interference that has “exceptional effects.”

NKOM also attributes jamming above northeastern Norway to Russia. “In Finnmark, the interference is Russian jamming of several GNSS bands \[systems that help satellites and ground stations communicate\], not only GPS, originating from some place on the Russian side of the border,” Gerrard tells WIRED. Pilots aren’t the only people affected, he stresses. Across Norway, there have been cases of fishing boats unable to carry out certain tasks and diggers on construction sites no longer able to dig precisely, he says. The Russian embassy in Oslo did not respond to WIRED’s request for comment.

NKOM’s decision to stop tracking jamming in Finnmark sets a dangerous precedent, says Melanie Garson, a professor focused on international conflict resolution at University College London. “By not reacting, how do you enforce a deterrent effect?” she asks, adding it is still unclear whether the government is going to find a solution to the jamming problem or leave it to the industries that are affected.

NKOM does try to “eliminate” GPS jamming when its source is inside Norwegian territory, says spokesperson Gerrard. The agency is also among several government departments that organizes the annual event Jammerfest, held on the Norwegian island of Andøya, to experiment with countermeasures. Since 2022, representatives from industry and government travel to the arctic circle to test how their systems respond to jamming and the more serious GPS spoofing, where GPS signals are faked to deceive a plane or other device about its own location.

Yet Widerøe pilots are concerned that this issue might feel remote to the American companies that make a lot of the equipment inside their planes. They believe it is the American Navstar satellite system being targeted because other devices like iPads—which can pick up signals from multiple satellite constellations—still work throughout periods of jamming.

“The providers of the navigation computers, they are mainly American,” says Rolf Fossgård, deputy VP of flight operations at Widerøe. He’s worried that if American businesses are not affected themselves, they might not be motivated to upgrade their systems to be jamming-resistant. “For a lot of European operators or Middle East operators, they are in need of this kind of equipment.”

It's unclear how the situation in the skies above Finnmark is going to evolve. Since 2022, most interference has hit planes above 6,000 feet—suggesting the device that is causing the jamming is located on the ground, and that the more sensitive part of a plane's journey, at lower altitudes, is protected by the curvature of the Earth.

But in April, Thomassen claims, he encountered his first case of jamming as he attempted to land. Flying into Båtsfjord, on Norway’s northern tip, his plane suffered jamming as it approached the runway. “We were able to land just fine based on visual contact with the airport,” he explains, adding that his company Widerøe is yet to verify why this case of jamming took place at such low altitudes.

Luckily the surrounding area is very flat, he says. “Norway is a mountainous country, so if the jamming were in other parts of the country, operational impact would be significant.”

GPS Jamming Is Screwing With Norwegian Planes

Security researchers created an algorithm that turns a malicious prompt into a set of hidden instructions that could send a user's personal information to an attacker.

When talking with a chatbot, you might inevitably give up your personal information—your name, for instance, and maybe details about where you live and work, or your interests. The more you share with a large language model, the greater the risk of it being abused if there’s a security flaw.

A group of security researchers from the University of California, San Diego (UCSD) and Nanyang Technological University in Singapore are now revealing a new attack that secretly commands an LLM to gather your personal information—including names, ID numbers, payment card details, email addresses, mailing addresses, and more—from chats and send it directly to a hacker.

The attack, named Imprompter by the researchers, uses an algorithm to transform a prompt given to the LLM into a hidden set of malicious instructions. An English-language sentence telling the LLM to find personal information someone has entered and send it to the hackers is turned into what appears to be a random selection of characters.

However, in reality, this nonsense-looking prompt instructs the LLM to find a user’s personal information, attach it to a URL, and quietly send it back to a domain owned by the attacker—all without alerting the person chatting with the LLM. The researchers detail Imprompter in a paper published today.

“The effect of this particular prompt is essentially to manipulate the LLM agent to extract personal information from the conversation and send that personal information to the attacker’s address,” says Xiaohan Fu, the lead author of the research and a computer science PhD student at UCSD. “We hide the goal of the attack in plain sight.”

The eight researchers behind the work tested the attack method on two LLMs, LeChat by French AI giant Mistral AI and Chinese chatbot ChatGLM. In both instances, they found they could stealthily extract personal information within test conversations—the researchers write that they have a “nearly 80 percent success rate.”

Mistral AI tells WIRED it has fixed the security vulnerability—with the researchers confirming the company disabled one of its chat functionalities. A statement from ChatGLM stressed it takes security seriously but did not directly comment on the vulnerability.

**Hidden Meanings**

Since OpenAI’s ChatGPT sparked a generative AI boom following its release at the end of 2022, researchers and hackers have been consistently finding security holes in AI systems. These often fall into two broad categories: jailbreaks and prompt injections.

Jailbreaks can trick an AI system into ignoring built-in safety rules by using prompts that override the AI’s settings. Prompt injections, however, involve an LLM being fed a set of instructions—such as telling them to steal data or manipulate a CV—contained within an external data source. For instance, a message embedded on a website may contain a hidden prompt that an AI will ingest if it summarizes the page.

Prompt injections are considered one of generative AI’s biggest security risks and are not easy to fix. The attack type particularly worries security experts as LLMs are increasingly turned into agents that can carry out tasks on behalf of a human, such as booking flights or being connected to an external database to provide specific answers.

The Imprompter attacks on LLM agents start with a natural language prompt (as shown above) that tells the AI to extract all personal information, such as names and IDs, from the user’s conversation. The researchers’ algorithm generates an obfuscated version (also above) that has the same meaning to the LLM, but to humans looks like a series of random characters.

“Our current hypothesis is that the LLMs learn hidden relationships between tokens from text and these relationships go beyond natural language,” Fu says of the transformation. “It is almost as if there is a different language that the model understands.”

The result is that the LLM follows the adversarial prompt, gathers all the personal information, and formats it into a Markdown image command—attaching the personal information to a URL owned by the attackers. The LLM visits this URL to try and retrieve the image and leaks the personal information to the attacker. The LLM responds in the chat with a 1x1 transparent pixel that can’t be seen by the users.

The researchers say that if the attack were carried out in the real world, people could be socially engineered into believing the unintelligible prompt might do something useful, such as improve their CV. The researchers point to numerous websites that provide people with prompts they can use. They tested the attack by uploading a CV to conversations with chatbots, and it was able to return the personal information contained within the file.

Earlence Fernandes, an assistant professor at UCSD who was involved in the work, says the attack approach is fairly complicated as the obfuscated prompt needs to identify personal information, form a working URL, apply Markdown syntax, and not give away to the user that it is behaving nefariously. Fernandes likens the attack to malware, citing its ability to perform functions and behavior in ways the user might not intend.

“Normally you could write a lot of computer code to do this in traditional malware,” Fernandes says. “But here I think the cool thing is all of that can be embodied in this relatively short gibberish prompt.”

A spokesperson for Mistral AI says the company welcomes security researchers helping it to make its products safer for users. “Following this feedback, Mistral AI promptly implemented the proper remediation to fix the situation,” the spokesperson says. The company treated the issue as one with “medium severity,” and its fix blocks the Markdown renderer from operating and being able to call an external URL through this process, meaning external image loading isn’t possible.

Fernandes believes Mistral AI’s update is likely one of the first times an adversarial prompt example has led to an LLM product being fixed, rather than the attack being stopped by filtering out the prompt. However, he says, limiting the capabilities of LLM agents could be “counterproductive” in the long run.

Meanwhile, a statement from the creators of ChatGLM says the company has security measures in place to help with user privacy. “Our model is secure, and we have always placed a high priority on model security and privacy protection,” the statement says. “By open-sourcing our model, we aim to leverage the power of the open-source community to better inspect and scrutinize all aspects of these models’ capabilities, including their security.”

**A “High-Risk Activity”**

Dan McInerney, the lead threat researcher at security company Protect AI, says the Imprompter paper “releases an algorithm for automatically creating prompts that can be used in prompt injection to do various exploitations, like PII exfiltration, image misclassification, or malicious use of tools the LLM agent can access.” While many of the attack types within the research may be similar to previous methods, McInerney says, the algorithm ties them together. “This is more along the lines of improving automated LLM attacks than undiscovered threat surfaces in them.”

However, he adds that as LLM agents become more commonly used and people give them more authority to take actions on their behalf, the scope for attacks against them increases. “Releasing an LLM agent that accepts arbitrary user input should be considered a high-risk activity that requires significant and creative security testing prior to deployment,” McInerney says.

For companies, that means understanding the ways an AI agent can interact with data and how they can be abused. But for individual people, similarly to common security advice, you should consider just how much information you’re providing to any AI application or company, and if using any prompts from the internet, be cautious of where they come from.

This Prompt Can Make an AI Chatbot Identify and Extract Personal Details From Your Chats

By Dmytro Korzhevin, Asheer Malhotra, Vanja Svajcer and Vitor Ventura. 


Cisco Talos has observed a new wave of attacks active since at least late 2023, from a Russian speaking group we track as “UAT-5647”, against Ukrainian government entities and unknown Polish entities. 
UAT-5647 is also known

UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants

Federal prosecutors in the U.S. have charged two Sudanese brothers with running a distributed denial-of-service (DDoS) botnet for hire that conducted a record 35,000 DDoS attacks in a single year, including those that targeted Microsoft's services in June 2023.
The attacks, which were facilitated by Anonymous Sudan's "powerful DDoS tool," singled out critical infrastructure, corporate networks,

Federal prosecutors in the U.S. have charged two Sudanese brothers with running a distributed denial-of-service (DDoS) botnet for hire that conducted a record 35,000 DDoS attacks in a single year, including those that targeted Microsoft's services in June 2023.

The attacks, which were facilitated by Anonymous Sudan's "powerful DDoS tool," singled out critical infrastructure, corporate networks, and government agencies in the United States and around the world, the U.S. Department of Justice (DoJ) said.

Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27, have been charged with one count of conspiracy to damage protected computers. Ahmed Salah has also been charged with three counts of damaging protected computers.

If convicted on all charges, Ahmed Salah faces a statutory maximum sentence of life in federal prison, while Alaa Salah faces a maximum sentence of five years in federal prison. The DDoS tool is said to have been disabled in March 2024, the same month the pair were arrested from an unknown country.

"Anonymous Sudan sought to maximize havoc and destruction against governments and businesses around the world by perpetrating tens of thousands of cyberattacks," said U.S. attorney Martin Estrada.

"This group's attacks were callous and brazen—the defendants went so far as to attack hospitals providing emergency and urgent care to patients."

Anonymous Sudan, which is tracked by Microsoft under the name Storm-1359, emerged at the start of 2023, orchestrating a series of Swedish, Dutch, Australian, and German organizations. While it claimed to be a hacktivist group, the indictments show that it was just a front for what they really were, a digital mercenary crew.

"After initially joining a brief pro-Russian hacktivist campaign, Anonymous Sudan conducted a series of DDoS attacks with apparent religious and Sudanese nationalist motivations, including campaigns against Australian and Northern European entities," Crowdstrike said.

"The group was also a prominent participant in the annual #OpIsrael hacktivist campaign. Throughout these campaigns, Anonymous Sudan also demonstrated a willingness to collaborate with other hacktivist groups like KillNet, SiegedSec and Türk Hack Team."

Court documents allege that the Anonymous Sudan actors and their customers used the group's Distributed Cloud Attack Tool (DCAT) to conduct thousands of destructive DDoS attacks and publicly claim credit for them, causing more than $10 million in damages to U.S. victims alone.

According to Amazon Web Services (AWS), DDoS services were offered to prospective customers for $100 per day, $600 per week, and $1,700 per month. The service allegedly permitted up to 100 attacks each day.

The DCAT tool, marketed in the criminal underground as Godzilla, Skynet, and InfraShutdown, has been dismantled as part of a court-authorized seizure of its key components, including servers that were used to launch the DDoS attacks, servers that relayed attack commands to a broader network of attack computers, and accounts containing the source code for the DDoS tools used by the group.

"These law enforcement actions were taken as part of Operation PowerOFF, an ongoing, coordinated effort among international law enforcement agencies aimed at dismantling criminal DDoS-for-hire infrastructure worldwide, and holding accountable the administrators and users of these illegal services," the DoJ said.

The development comes as the Finnish Customs office (aka Tulli) disrupted the Sipulitie darknet marketplace — a successor to Sipulimarket that was taken down by law enforcement in 2020 – which specialized in the sale of drugs and had been operational on the dark web since 2023.

"The website in Finnish and English was used for criminal purposes, such as selling drugs under the cover of anonymity," Tulli said. "The website administrator has said on public forums that Sipulitie's turnover was 1.3 million euros."

Elsewhere, Brazil's Department of Federal Police (DPF) said it arrested a hacker in connection with a series of cyber attacks that breached its own systems and those belonging to other international institutions.

Codenamed Operation Data Breach, the effort saw the execution of a search and seizure warrant and a preventive arrest warrant against the defendant in the city of Belo Horizonte over allegations of leaking sensitive data associated with 80,000 members of InfraGard, a collaborative exercise between the U.S. government and critical infrastructure sectors.

The unnamed individual, who went by the names USDoD and EquationCorp, has also been accused of selling data from the Federal Police twice, on May 22, 2020 and February 22, 2022, as well as leaking data from Airbus and the U.S. Environmental Protection Agency (EPA).

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

U.S. Charges Two Sudanese Brothers for Record 35,000 DDoS Attacks

**What is the version information for this release?**

Microsoft Edge Version

Date Released

Based on Chromium Version

130.0.2849.46

10/17/2024

130.0.6723.59

CVE-2024-9956: Chromium: CVE-2024-9956 Inappropriate implementation in Web Authentication

CVE-2024-9955: Chromium: CVE-2024-9955 Use after free in Web Authentication

A MOIS-aligned threat group has been using Microsoft Exchange servers to exfiltrate sensitive data from Gulf-state government agencies.

Source: Daniren via Alamy Stock Photo

An Iranian threat actor has been ramping up its espionage against Gulf-state government entities, particularly those within the United Arab Emirates (UAE).

APT34 (aka Earth Simnavaz, OilRig, MuddyWater, Crambus, Europium, Hazel Sandstorm) is a group that has been previously tied to the Iranian Ministry of Intelligence and Security (MOIS). It's known to spy on high-value targets in major industries across the Middle East: oil and gas; finance; chemicals; telecommunications; other forms of critical infrastructure; and governments. Its attacks have demonstrated a sophistication befitting its targets, with suites of custom malware and an ability to evade detection for long periods of time.

Recently, Trend Micro has observed a "notable rise" in APT34's espionage and theft of sensitive information from government agencies, most notably within the UAE. These newer cases have featured a new backdoor, "StealHook," which uses Microsoft Exchange servers to exfiltrate credentials useful for escalating privileges and performing follow-on supply chain attacks.

**APT34's Latest Activity**

Recent APT34 attacks have begun with Web shells deployed to vulnerable Web servers. These Web shells allow the hackers to run PowerShell code, and download or upload files from or to the compromised server.

One tool it downloads, for example, is ngrok, legitimate reverse proxy software for creating secure tunnels between local machines and the broader Internet. APT34 weaponizes ngrok as a means of command-and-control (C2) that tunnels through firewalls and other network security barricades, facilitating its path to a network's Domain Controller.

"One of the most impressive feats we've observed from APT34 is their skill in crafting and fine-tuning stealthy exfiltration channels that allow them to steal data from high profile sensitive networks," notes Sergey Shykevich, threat intelligence group manager at Check Point Research, which recently uncovered an APT34 espionage campaign against Iraqi government ministries. In its prior campaigns, the group has mostly secured its C2 communications via DNS tunneling and compromised email accounts.

To obtain greater privileges on infected machines, APT34 has been exploiting CVE-2024-30088. Discovered through the Trend Micro Zero Day Initiative (ZDI) and patched back in June, CVE-2024-30088 allows attackers to gain system-level privileges in Windows. It affects multiple versions of Windows 10 and 11, and Windows Server 2016, 2019, and 2022, and received a "high" severity 7 out of 10 score in the Common Vulnerability Scoring System (CVSS). That rating would've been higher, but for the fact that it requires local access to a system, and isn't simple to exploit.

APT34's best trick, though, is its technique for abusing Windows password filters.

Windows allows organizations to implement custom password security policies — for example, to enforce good hygiene among users. APT34 drops a malicious DLL into the Windows system directory, registering it like one would a legitimate password filter. That way, if a user changes their password — a good cybersecurity practice to do often — APT34's malicious filter will intercept it, in plaintext.

To complete its attack, APT34 calls on its newest backdoor, StealHook. StealHook retrieves domain credentials that allow it into an organization's Microsoft Exchange servers. Using the targeted organization's servers and stolen email accounts, the backdoor can now exfiltrate stolen credentials and other sensitive government data via email attachments.

**Follow-On Risks of APT34 Attacks**

"The technique of abusing Exchange for data exfiltration and C&C is very effective and hard to detect," says Mohamed Fahmy, cyber threat intelligence researcher at Trend Micro. "It has been used for years in \[APT34's\] Karkoff backdoor, and most of the time it evades detection."

Besides exfiltrating sensitive account credentials and other government data, APT34 has also been known to leverage this level of access in one organization to carry out follow-on attacks against others tied to it.

For some time now, Fahmy says, the threat actor has "fully compromised a specific organization, and then used its servers to initiate a new attack against another organization (having a trust relationship with the infected one). In this case, the threat actor can leverage Exchange to send phishing emails."

He adds that government agencies in particular often relate to one another closely, "so the threat actor could compromise this trust."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Iran's APT34 Abuses MS Exchange to Spy on Gulf Gov'ts

A critical security flaw has been disclosed in the Kubernetes Image Builder that, if successfully exploited, could be abused to gain root access under certain circumstances.
The vulnerability, tracked as CVE-2024-9486 (CVSS score: 9.8), has been addressed in version 0.1.38. The project maintainers acknowledged Nicolai Rybnikar for discovering and reporting the vulnerability.
"A security issue

Vulnerability / Kubernetes

A critical security flaw has been disclosed in the Kubernetes Image Builder that, if successfully exploited, could be abused to gain root access under certain circumstances.

The vulnerability, tracked as **CVE-2024-9486** (CVSS score: 9.8), has been addressed in version 0.1.38. The project maintainers acknowledged Nicolai Rybnikar for discovering and reporting the vulnerability.

"A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process," Red Hat's Joel Smith said in an alert.

"Additionally, virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access."

That having said, Kubernetes clusters are only impacted by the flaw if their nodes use virtual machine (VM) images created via the Image Builder project with the Proxmox provider.

As temporary mitigations, it has been advised to disable the builder account on affected VMs. Users are also recommended to rebuild affected images using a fixed version of Image Builder and redeploy them on VMs.

The fix put in place by the Kubernetes team eschews the default credentials for a randomly-generated password that's set for the duration of the image build. In addition, the builder account is disabled at the end of the image build process.

Kubernetes Image Builder version 0.1.38 also addresses a related issue (CVE-2024-9594, CVSS score: 6.3) concerning default credentials when image builds are created using the Nutanix, OVA, QEMU or raw providers.

The lower severity for CVE-2024-9594 stems from the fact that the VMs using the images built using these providers are only affected "if an attacker was able to reach the VM where the image build was happening and used the vulnerability to modify the image at the time the image build was occurring."

The development comes as Microsoft released server-side patches three Critical-rated flaws Dataverse, Imagine Cup, and Power Platform that could lead to privilege escalation and information disclosure -

*   **CVE-2024-38139** (CVSS score: 8.7) - Improper authentication in Microsoft Dataverse allows an authorized attacker to elevate privileges over a network
*   **CVE-2024-38204** (CVSS score: 7.5) - Improper Access Control in Imagine Cup allows an authorized attacker to elevate privileges over a network
*   **CVE-2024-38190** (CVSS score: 8.6) - Missing authorization in Power Platform allows an unauthenticated attacker to view sensitive information through a network attack vector

It also follows the disclosure of a critical vulnerability in the Apache Solr open-source enterprise search engine (CVE-2024-45216, CVSS score: 9.8) that could pave the way for an authentication bypass on susceptible instances.

"A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API contract with the original URL Path," a GitHub advisory for the flaw states. "This fake ending looks like an unprotected API path, however it is stripped off internally after authentication but before API routing."

The issue, which affects Solr versions from 5.3.0 before 8.11.4, as well as from 9.0.0 before 9.7.0, have been remediated in versions 8.11.4 and 9.7.0, respectively.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Kubernetes Image Builder Vulnerability Exposes Nodes to Root Access Risk

Brazilian police have arrested the hacker known as USDoD, responsible for high-profile breaches including the FBI’s InfraGard and…

Brazilian police have arrested the hacker known as USDoD, responsible for high-profile breaches including the FBI’s InfraGard and National Public Data breach which leaked personal details of billions.

The Department of Federal Police (DPF) has arrested a 33-year-old hacker from Belo Horizonte (MG), believed to be responsible for some of the most significant global cyberattacks on critical infrastructure.

While the police have not officially released the suspect’s name, it has confirmed that the individual was involved in the **FBI’s InfraGard breach**, a major security incident that leaked the personal details of 87,000 members on Breach Forums and Russian language cyber crime forum XSS.

The hacker behind the InfraGard breach was USDoD, also using the alias EquationCorp. This same hacker was also responsible for the massive **National Public Data (NPD) data breach**, which exposed the personal information, including Social Security Numbers (SSNs), of 3.9 billion people.

The DPF **press release** states that the hacker was arrested on Wednesday, October 16, 2024, as part of Operation Data Breach, an ongoing cybercrime crackdown. Authorities have seized several of his devices for further investigation.

It is worth noting that USDoD had managed to maintain his anonymity until July 2024, when he **publicly announced** the scraping and leaking of a 100,000-line Indicator of Compromise (IoC) list from the cybersecurity firm CrowdStrike.

USDoD hacker on Breach Forums (Screenshot credit: Hackread.com)

Following this, CrowdStrike began tracking his activities and, within a month, successfully uncovered his real identity. The company then shared the information with Brazilian authorities, leading to his arrest.

**_Hackread.com_** was the first and only publication to **interview USDoD** amid the allegations, during which he revealed his identity in a video message and confirmed that CrowdStrike’s claims about him were accurate.

****The United States and Brazil Extradition Treaty****

Although it is too early to speculate, given the hacker’s involvement in high-profile cyberattacks, the United States may seek his extradition under the Brazil-U.S. Extradition Treaty.

However, Brazil has a well-documented **history** of not extraditing its own citizens, which could complicate efforts to prosecute him in the U.S. If extradition is denied, the hacker may still face prosecution in Brazil under local cybercrime laws.

_This is a developing story. Stay tuned!_

1.  **Australian Man Arrested for “Evil Twin” Wi-Fi Scam**
2.  **Alleged ShinyHunters Hacker Group Member Arrested**
3.  **Feds Bust N. Korean Identity Theft Ring Targeting US Firms**
4.  **MIT Graduate Brothers Arrested for $25 Million Ethereum Heist**
5.  **Alcasec Hacker, aka “Robin Hood of Spanish Hackers,” Arrested**

Brazil arrests USDoD hacker tied to FBI, National Public Data breaches

But the time when quantum computers pose a tangible threat to modern encryption is likely still several years away.

Source: funtap via Shutterstock

Researchers at China's Shanghai University have demonstrated how quantum mechanics could pose a realistic threat to current encryption schemes even before full-fledged quantum computers become available.

The researchers' paper describes how they developed a working RSA public key cryptography attack using D-Wave's Advantage quantum computer. Specifically, the researchers used the computer to successfully factor a 50-bit integer into its prime factors, thereby giving them a way to derive private keys for decryption.

**Significant Development**

Security researchers who have taken a look at the report generally don't consider the demonstration as posing any current threat to modern encryption systems, which typically use 2048-bit — or sometimes even larger — keys. Breaking these 2048-bit keys still remains computationally unfeasible, and the new research has not changed that fact.

What it does show, however, is the potential for quantum approaches to crack modern cryptography in a way that researchers have not considered before.

"Realistically, achieving the computational power necessary to break RSA-2048 encryption — which requires around 10,000 stable, error-corrected qubits — remains at least a few years away, given current technological limitations," says Avesta Hojjati, head of R&D at DigiCert.

But the Chinese research demonstrates significant progress in exploiting cryptographic weaknesses through specialized quantum techniques, rather than full-fledged universal quantum computers, Hojjati says. "It effectively illustrates that advancements in niche quantum methods could pose earlier, smaller-scale cryptographic risks, emphasizing a gradual rather than immediate progression toward large-scale quantum threats."

Almost everyone agrees the arrival of quantum computers in the next few years will completely undermine the protections of modern cryptography. They perceive quantum computers as easily breaking even the strongest current encryption protocols with their enormous computing power. Stakeholders, including governments, hardware makers, software developers, cloud service providers, and enterprises, all foresee the need for new quantum-resilient cryptography standards to protect against the threat and are collectively working toward developing those standards.

**A Different Approach to an Old Challenge**

One reason the Chinese research has attracted considerable attention is because it takes a different approach to harnessing quantum mechanisms for cryptography. Specifically, it involves a quantum approach called quantum annealing, which typically has been applied in processes like optimization and sampling, but not so much in factorization. A lot of the research around the implications of quantum computing on cryptography has instead focused on gate-based quantum computing. "D-Wave's quantum annealing, operating with fewer qubits than projected universal quantum computers for large-scale cryptography, succeeded in factoring with greater efficiency," Hojjati says. "By reimagining RSA's integer factorization as an optimization problem, the researchers showcase quantum annealing's potential to exploit cryptographic vulnerabilities ahead of the availability of universal quantum computers."

Rahul Tyagi, CEO of SECQAI, says the significance of the Chinese research lies in its innovative approach to quantum computing. It offers fresh insight beyond the well-explored paths of algorithms that are tailored to gate-based quantum computers. "The research emphasizes the importance of considering other computing paradigms, such as D-Wave, which may be better suited for certain types of algorithmic approaches," Tyagi says.

Importantly, this research does not appear to compromise existing cryptographic systems. It seems instead to present optimizations of existing methods while suggesting new ideas and approaches. "Ultimately, any research into new attack vectors is valuable, and this paper underscores the need to look beyond conventional methods and consider the broader quantum computing landscape."

Like Hojjati, Tyagi perceives significant advancements still remain before quantum computers break open encryption mechanisms. And that will likely take years. In the meantime, organizations should remain proactive by investing in quantum-resistant technologies and continuously updating their security protocols. From an academic perspective, the key question is how to redesign known attack vectors to exploit this emerging heterogeneous landscape of computational capabilities, Tyagi adds.

For the moment, what organizations must do is understand their own infrastructure, and establish what cryptography is being used and where. "Systems with a lifetime of 10 years or more need to be migrated ASAP to quantum-resilient encryption," Tyagi says. "Anything with a four-year time horizon is probably OK for now — however, a long-term road map needs to be created to define when the migration needs to occur."

Hojjati recommends that organizations enable visibility into current encryption practices so they can identify vulnerable algorithms and create pathways for swift transitions to quantum-safe options. "By developing crypto agility now," he advises, "organizations can efficiently deploy quantum-resistant encryption as standards evolve, reducing long-term risks and minimizing disruption."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#auth