Despite Cyber Army of Russia’s claims of swaying US “minds and hearts,” experts say the cyber sabotage group appears to be hyping its hacking for a domestic audience.

When the activities of Russian hacker groups are exposed in a major public report and tied to a government agency—such as the Russian military's Sandworm unit, which has targeted Ukrainian electrical utilities to trigger three blackouts over the past decade, or the Russian foreign intelligence service's APT29, which is believed to have carried out the notorious SolarWinds supply chain attack—they tend to slink into the shadows and lay low until their next operation.

When the cybersecurity firm Mandiant last month highlighted the Cyber Army of Russia, by contrast, noting its haphazard attacks on Western critical infrastructure and the group's loose ties to the Russian military, the hackers took a very different approach. “Comrades, today the collective rotten West recognized us as the most reckless hacker group 🏆, on which I actually congratulate all of us 🎉," the group posted in Russian to its Telegram channel, along with a screenshot of WIRED's article about the hackers, in which we had described them with that “most reckless” superlative. “As long as they are afraid of us, let them hate us as much as they want.”

After that initial, less-than-friendly exchange of ideas, WIRED reached out to Cyber Army of Russia's Telegram account to continue the conversation. So began a strange, two-week-long interview with the group's spokesperson, “Julia," represented by an apparently AI-generated image of a woman standing in front of Red Square's St. Basil's Cathedral. Over days of intermittent Telegram messages, often interspersed with unsolicited Russian nationalist political talking points, Julia answered WIRED's questions—or at least some of them—laid out the group's ethos and motivations, and explained the rationale for the hackers' months-long cyber sabotage rampage, which initially focused on Ukrainian networks but has more recently included an unprecedented string of attacks hitting US and European water and wastewater systems.

An apparently AI-generated profile photo for “Julia,” the spokesperson for the Cyber Army of Russia on Telegram, whom WIRED interviewed.

Courtesy of RUSSIAN CYBER ARMY TEAM via Telegram

“We have united with the goal and mission of protecting our country in the information space against the background of unprecedented pressure from the United States, the European Union and Ukraine,” Julia wrote in a long opening statement in response to WIRED's questions.

“Our movement finds and hits the vulnerabilities of the Internet resources of both Ukraine and the countries that openly support the gang of terrorists and extremists, led by Zelensky, who are entrenched in power in Kiev,” Julia continued, using a typical Russian government description of the Ukrainian regime that has, in fact, led the defense against a brutal and unprovoked Russian invasion since 2022 that has led to close to 500,000 dead or wounded. “The most important battle is going on here and now for the minds and hearts of people, both living in Russia and Ukraine, and outside the warring countries. And the main weapon in this battle is information technology.”

**Sending a Message to … Muleshoe?**

Whether or not it's winning hearts and minds, Cyber Army of Russia—which also at times calls itself the Cyber Army of Russia Reborn or People's Cyber Army of Russia—seems to at least be getting some of the attention it seeks. Last week, a group of government bodies including the US National Security Agency, the FBI, the Cybersecurity and Infrastructure Security Agency, the UK's National Cybersecurity Center, and several others issued a joint report warning of “Russian hacktivists” targeting so-called operational technology targets like control systems for water and wastewater utilities. The report warned that victims had “experienced minor tank overflow events” and other disruptions—although it noted the effects were temporary, and the hacktivists had historically exaggerated their hacking's impact.

Those agencies didn't name Cyber Army of Russia. But their warning followed another report from Mandiant that had highlighted the group by name, as well as its attacks on civilian critical infrastructure targets including multiple US-based water utilities and a Polish wastewater utility. In the case of the small West Texas town of Muleshoe, _The Washington Post_ subsequently reported that the group's manipulation of control systems had gone so far as to cause a leak of tens of thousands of gallons of water. In that case and several others, Cyber Army of Russia even posted to the group's Telegram account a screen-capture video of the hacking. In their attack on the Polish wastewater facility, for instance, they set the video to a _Super Mario Bros_. soundtrack.

So what is the endgame of the group's trollish acts of sabotage? “Our actions on attacks and hacks of websites and computer systems for remote control of mechanisms … is a really powerful and in some cases very effective method of influencing (and not only psychological) the authorities of the countries of Europe and the USA, as well as their regional authorities,” Cyber Army of Russia's representative Julia told WIRED. “With these attacks we are trying to send the following message to the US authorities: If you continue to supply military equipment and make financial injections into the leadership of Ukraine … be prepared for the fact that in any of your settlements, in any industrial system or at a critical infrastructure facility, something may suddenly fail.”

Yet as unprecedented and disturbing as it may be for a Russian hacker group to trigger a significant water leak at a US utility, Cyber Army of Russia still seems at times to comically overestimate the clarity of its threat against Ukraine's allies. In response to a question about the Muleshoe water utility attack specifically, Julia noted that the group's operation is intended to persuade “mainly representatives of the Democratic Party \[because\] their support for Ukraine is the most significant"—a head-scratching statement given that Muleshoe is in a Texas congressional district that hasn't elected a Democratic representative since 1982.

In other hacking operations like its targeting of a Polish wastewater utility, cybersecurity researchers who watched the video of the attack told WIRED that Cyber Army of Russia appeared to be arbitrarily changing values in the utility's control system software, with no actual disruptive effect. In another case, the hackers posted a video to their Telegram channel claiming that, in response to French president Emmanuel Macron's threat of sending French military personnel to Ukraine, it had hacked a French hydroelectric dam and caused it to stop generating power. In fact, French newspaper _Le Monde_ reported, the group had actually hacked a water mill in a small village and caused its water level to drop by 20 centimeters.

When WIRED pointed out this mistake to Julia, she acknowledged the error but wrote that the group was undeterred by the setback. “It would be correct to consider it experimental,” she wrote of the attempted dam-hacking operation. “In other words, as it often happens in life, the real result did not match the expectation at all. However, we are not very saddened by this fact, there are many hydroelectric power plants in France, so we will still have the opportunity to gain more experience to commit more large-scale sabotage.”

Despite this relatively amateurish track record, Mandiant pointed in its report to evidence linking Cyber Army of Russia to the hacker group known as Sandworm, a cyberwarfare unit of Russia's military intelligence agency the GRU tied to many of Russia's most disruptive cyberattacks of the last decade. Cyber Army of Russia's short-lived YouTube channel, for instance, was created from a computer with an IP address that Mandiant—itself a subsidiary of YouTube's owner Google—had previously tied to Sandworm. Over the last year, Cyber Army of Russia also repeatedly dumped data to its Telegram channel that appeared to have been stolen from Ukrainian hacking targets breached by Sandworm not long before.

When WIRED asked about those ties to Sandworm and the GRU, Julia denied them without directly addressing Mandiant's evidence. “Hundreds of people of different ages, different nationalities, different professions (not related to IT), different levels of computer literacy, different levels of financial wealth and political beliefs joined the ranks of the Cyber Army,” Julia wrote. “We emphasize that despite the fact that there are individual representatives of the Russian security forces in our ranks and some of our participants are professionals in the field of information security, we are a completely people's project that has nothing to do with the GRU, or with any other military special forces, or with hacker groups like Sandworm.”

She later added, somewhat confusingly, that “the Sandworm hacker group does have something in common \[with us\] … This is the commander-in-chief of our Cyber Army.” It wasn't clear, however, whether that comment was referring to a shared leader overseeing the two groups—or even a kind of imagined ideological leader such as Russian president Vladimir Putin—or whether Julia meant that Sandworm itself gives the Cyber Army its orders, in contradiction to her previous statements. Julia didn't respond to WIRED's requests for clarification on that question or, in fact, to any questions following that comment.

**A Hacktivist Hype Machine**

Russian information warfare and influence operations experts with whom WIRED shared the full text of the interview noted that, despite Cyber Army of Russia's claims of acting as an independent grassroots organization, it closely adheres to both Russian government talking points as well the Russian military's published information warfare doctrine. The group's rhetoric about changing “minds and hearts” beyond the front lines of a conflict through attacks targeting civilian infrastructure mirrors a well-known paper on “information confrontation” by Russian military general Valery Gerasimov, for instance. Other portions of Julia's comments—an unprompted polemic against “non-traditional sexual relations” and a description of Russia as a conservative cultural “Noah's Ark of the 21st century”—echo similar statements made by Russian leaders and Russian state media.

None of that proves that Cyber Army of Russia has anything more than the thin ties to the GRU that Mandiant uncovered, says Gavin Wilde, a Russia-focused senior fellow at the Carnegie Endowment for International Peace. He argues instead that the group's comments appear to be an attempt to score points with a potential government sponsor, perhaps in the hopes of gaining a more official relationship. “They're really trying to hone their messaging, but not for a Western audience, necessarily, so much as to try to put points on the board domestically and with potential political or financial benefactors in Moscow,” he says.

At one point in the interview with WIRED, in fact, Julia explicitly voiced that request for more official government support. “I really hope that the People's Cyber Army of Russia will have great prospects, that our government agencies will not just pay attention to us, but support our actions, both financially and through the formation of full-fledged cyber troops as part of the Russian Armed Forces,” she wrote.

Outside of the conversation with WIRED, Cyber Army of Russia posts to its Telegram channel in Russian, not English—a strange move for a group that claims to be trying to influence Western politics in its favor. Other Russian influence operations created by the GRU itself, such as the Guccifer 2.0 and DCLeaks fronts created to influence the 2016 presidential election, wrote in English. Even other “hacktivist” groups targeting civilian critical infrastructure, such as Israel-linked Predatory Sparrow, take credit for their attacks in the language of their targets—in Predatory Sparrow's case, posting to Telegram in Persian in an apparent attempt to influence Iranians.

All of that suggests that, despite its claims, Cyber Army of Russia may be currently functioning more as a cheerleading campaign for Russians domestically than a real influence operation targeting the West, says Olga Belogolova, a Russia-focused influence operations researcher at the Johns Hopkins School of Advanced International Studies. If the group is as grassroots and decentralized as it claims to be, it may not even be aware of that disconnect. “These patriotic keyboard warrior types are going to try to curry favor with the government, but they also might be true believers of these talking points,” says Belogolova, adding that the group's Telegram account “feels like a marketing exercise or a tech bro hype machine.”

She points out, though, that the group's exposure by Mandiant and an alert from a half-dozen government agencies suggests that, regardless of the group's intended audience, it's now on Americans' radar, too. As it gains the West's attention, she notes, we shouldn't overblow the threat it represents—and in doing so succumb to its hit-and-miss attempts at instilling fear through its disruptive hacking.

“The more time I spend working on Russia and Russian influence operations,” Belogolova says, "the more I've become a believer that they're very into just hyping themselves up. And then we sometimes fall for the hype, too.”

A (Strange) Interview the Russian-Military-Linked Hackers Targeting US Water Utilities

Law enforcement officials say they’ve identified, sanctioned, and indicted the person behind LockBitSupp, the administrator at the heart of LockBit’s $500 million hacking rampage.

“He did not simply take money for himself, but he reinvested it into developing his operation and making it more desirable to criminals,” DiMaggio says. Throughout the lifecycle of the LockBit group, two major updates and releases of its malware happened, with each more capable and easier to use than the last. Analysis from the law enforcement operation by security company Trend Micro shows it was working on a new version too.

DiMaggio says the person he was speaking to privately using the LockBitSupp moniker was “arrogant” but “all business and very serious”—aside from sending cat stickers as part of chats. Publicly, on Russian language cybercrime forums where hackers trade data and discuss hacking politics and news, LockBitSupp was entirely different, DiMaggio says.

“The persona he amplified on the Russian hacking forums was a mix of a supervillain and Tony Montana from _Scarface_,” DiMaggio says. “He flaunted his success and money, and it rubbed people the wrong way at times.”

In addition to setting a bounty on their own identity, LockBitSupp’s more innovative and erratic side also organized an essay-writing competition on the hacking forums, offered a “bug bounty” if people found flaws in LockBit’s code, and said they would pay $1,000 to anyone who got the LockBit logo as a tattoo. Around 20 people posted pictures and videos of their tattoos.

Soon after law enforcement claimed to have revealed LockBitSupp’s identity, DiMaggio published new research about Khoroshev. Using a tip he received, plus open source intelligence and leaked information on the dark web, DiMaggio found social media profiles and extra personal information believed to be linked to the Russian national.

“He owns several legitimate businesses, also based out of Voronezh, drives a Mercedes, and previously owned a Mazda 6, not a lambo as he often boasts,” DiMaggio writes in the research. One of the email addresses included in the sanctions has links to a Russia-based e-commerce business registered in the name of Khoroshev, he writes. Several other emails and phone numbers were connected to these details, DiMaggio's research says.

LockBitSupp was banned from two prominent Russian-language cybercrime forums in January after a complaint was made about their behavior. “They’ve made partners, supporters, haters, and fans over the years,” says Victoria Kivilevich, director of threat research at security firm KELA.

Analysis of cybercrime forums by Kivilevich shows the Russian-language ecosystems had mixed responses, including surprise when LockBit was first compromised by law enforcement. “Users gloating that LockBit finally failed and got what he deserved, making references to his statements where he bragged how \[about how\] LockBit ‘RaaS’ is secure and better than any other operations,” Kivilevich says.

Other forum users questioned the technical decisions of LockBitSupp and whether they had collaborated with law enforcement, the researcher says. There were forum users who reacted neutrally, “mostly saying the operation won’t affect LockBit much and the operation will continue to exist,” Kivilevich says.

**Downfall**

After Operation Cronos took LockBit offline in February, it took LockBitSupp only five days to create replica versions of the group’s leak site. The website then started to be filled with apparent victims; it seemed like the LockBit group hadn’t been impacted by having all of its internal secrets accessed by police around the world.

These recently posted victims aren’t what they seem, though, multiple experts say. “The actual law enforcement intervention has been significant,” says Matt Hull, the global head of threat intelligence at cybersecurity firm NCC Group. The NCA says the number of LockBit affiliates has dropped to 69 since its February takedown, while the DOJ indictment says LockBit’s victim count has “greatly diminished” since then.

The Alleged LockBit Ransomware Mastermind Has Been Identified

By Waqas
UK Ministry of Defence (MoD) faces potential Chinese cyberattack. Learn more about the details of the alleged attack, China's role in cyberspace, potential consequences, and the importance of international cooperation in cybersecurity.
This is a post from HackRead.com Read the original post: China Suspected in Major Cyberattack on UK’s Ministry of Defence (MoD)

The United Kingdom’s Ministry of Defence (MoD) is reportedly under investigation for a suspected cyberattack originating from China. While the UK government has yet to point fingers officially, Sky News claims to have inside information attributing the attack to the Chinese state.

****Details of the Alleged Attack****

Sky News reports that the attack targeted MoD personnel, potentially compromising their personal data. The nature and extent of the breach remain unclear. However, concerns focus on the possibility of sensitive military and defence-related sensitive data, exposed names, addresses, and even bank details.

****China’s Role in Cyberspace****

China has long been accused of engaging in state-sponsored cyberattacks targeting governments, businesses, and critical infrastructure around the world. These attacks range from stealing intellectual property to espionage and disrupting operations.

On the other hand, the Chinese government maintains it does not engage in such activities, but the MoD incident adds to a growing list of accusations.

****Potential Consequences and Next Steps****

Even without confirmation of a data breach, the potential consequences are significant. Exposed personal information can be used for identity theft, financial fraud, and targeted phishing attacks. Additionally, if classified information was compromised, it could have national security implications.

The UK government needs to take immediate action. A thorough investigation is crucial to determine the source of the attack, the extent of the damage, and what data might have been compromised.

Furthermore, the MoD must prioritize reviewing and strengthening its cybersecurity measures. This includes implementing robust access controls, data encryption, and ongoing security awareness training for personnel.

****International Cooperation and Transparency****

The MoD incident highlights the importance of international cooperation in cyberspace. Sharing intelligence and best practices amongst allies can help to identify and prevent future attacks. Additionally, increased transparency from governments regarding cyberattacks fosters public trust and understanding.

Guy Golan, CEO and Founder of Maidenhead, England-based data security firm Performanta commented on the issue stating, “Be China, or another suspect altogether, the attack has been carried out with purpose, accessing the outsourced system and finding this way more efficient and successful than a full frontal attack, and what’s worrying that the MoD became so susceptible through an ‘external contractor’, a sign that their attack surface management and supply chains needs urgent examination.”

“For the APT group responsible, it’s a show of power as to how easy it was to access some of the UK’s most secure data. As with the cyberattack on the royal family website last year, it’s clear Nation-State cyber groups are playing a long game, one of consistent, targeted attacks designed to disrupt our democracy,” Golan explained.

“The MoD will need to reinstall public and private trust in the strength of its cybersecurity fast; it has quashed the threat which will now need to be identified and prevented in the future.”

****Looking Ahead: A Call for Action****

The suspected cyberattack on the UK MoD goes on the show how cybersecurity threats have evolved over the years. Governments must prioritize vital cybersecurity defences, while international cooperation is critical to combat cybersecurity threats.

Nevertheless, as the investigation unfolds, the MoD owes it to its personnel and the British people to provide clarity on the situation and implement necessary protection to prevent future attacks.

1.  Labour Party’s campaign sites hit by DDoS Attack
2.  UK Criminal Records Office Hit by Ransomware Attack
3.  British Cosmetics Retailer Lush Investigating Cyber Attack
4.  UK Student Records Exposed in School Software Server Leak
5.  AI Flagged as “Chronic Risk” in UK Government’s Risk Register Report

China Suspected in Major Cyberattack on UK’s Ministry of Defence (MoD)

By Deeba Ahmed
A massive data leak of 820,000 Dominicans' personal information (including COVID vaccination status) has been leaked online puting individuals at risk of identity theft, scams, and social engineering attacks.
This is a post from HackRead.com Read the original post: Hackers Leak COVID-19 Data of 820K Dominicans, Including Vaccination Info

A data breach has occurred, exposing the personally identifiable information (PII) of 820,000 individuals from the Dominican Republic with their COVID-19 vaccination statuses. This data has been leaked on Breach Forums, a notorious cybercrime and hacker forum.

This leak is critical for the sensitive nature of data exposed, including records from biotech giants Pfizer and SINOVAC BIOTECH LTD, creating a goldmine for cybercriminals and nation-state actors. 

****Source of the Leak****

According to Resecurity’s Cyber Threat Intelligence team, the data has been uploaded on the Breach Forums by ‘CiberInteligenciaSV,’ a strategy consistent with many high-profile Latin American (LATAM) data breaches. 

The possible actor behind the breach was tracked after a Breach Forums member “CTF” noted overlaps with caribetours.com.do leaked database.  Caribe Tours, a Dominican tourism company, was hacked by Kelvin Security in April 2022. The group, involved in over 300 cyberattacks since 2020, has targeted strategic industries in over 90 countries. Spanish authorities arrested its alleged leader in December 2023.

While CyberInteligenciaSV’s source for Dominican data is unclear, CTF has raised concerns about the accuracy of some of the leaked data, as users cross-referenced ID card numbers with official Dominican government portals and saw different names associated with them.

****Why is this Leak a Big Deal?****

The data dump contains key PII fields such as ID card number, name, gender, municipality, birth date, and vaccination data. The leak exposes the total doses, clinic location, vaccination date, and vaccine type administered to the patient.

Stolen personal information can be used for identity theft, targeted scams, and social engineering. Scammers can create fake IDs, open fraudulent bank accounts, or make unauthorized purchases. They can also launch convincing phishing attacks, claiming rewards for vaccination or manipulating public opinion, targeting unvaccinated individuals with misinformation

“Alternately, threat actors could also look to sell this data to third parties seeking health-related personal information, including advertisers and employers,” Resecurity researchers explained.

The LATAM region is urged to improve digital hygiene and take precautions against cyber risks. The Dominican government must investigate this data breach, notify affected individuals, and strengthen data security to prevent future attacks. This includes identifying the source, providing clear guidance on self-protection, and investing in robust encryption, access controls, and security awareness training for government employees.

1.  India’s COVID-19 surveillance tool exposed millions of user data
2.  Covid antigen test results of 1.7m Indian, foreign nationals leaked
3.  COVID-19 testing service in US exposes patients’ photos, passports
4.  Indonesian Govt’s COVID-19 test, trace app leak impacts 1.3m users
5.  Chinese COVID-19 detection firm hacked; source code sold on dark web

Hackers Leak COVID-19 Data of 820K Dominicans, Including Vaccination Info

By Deeba Ahmed
Cuckoo malware targets macOS users, stealing passwords, browsing history, crypto wallet details & more. Disguised as a music converter, it poses a major security risk. Learn how to protect yourself from this sophisticated infostealer.
This is a post from HackRead.com Read the original post: Cuckoo Mac Malware Mimics Music Converter to Steals Passwords and Crypto

Cybersecurity researchers from Mac security provider, Kandji, have discovered a new malware dubbed “Cuckoo” targeting macOS users. The malware is disguised as a music converter app like Spotify and can run on both Intel and ARM-based Apple Mac computers.

Researchers discovered a malicious Mach-O binary on April 24, 2024, exhibiting spyware and infostealer behaviour. Its examination revealed a file titled “DumpMedia Spotify Music Converter,” a universal binary on Intel or ARM-based Mac computers.

The malware was detected when the Spotify version was downloaded from dumpmediacom. Then it was found on other websites with both free and paid versions.

“So far, we have found that the websites tunesolocom, fonedogcom, tunesfuncom, tunefabcom are hosting malicious applications containing the same malware,” Kandji researchers revealed in their blog post.

****Cuckoo’s Deceptive Tactics****

Cuckoo deceives users by claiming to convert Spotify music to MP3 format. Once installed, it begins the data heist, targeting the macOS keychain, visual evidence, browsing history, messaging app data, cryptocurrency wallet details, and authentication credentials. 

It self-installs by requesting users to open an app, without a vetted signature or developer ID. It checks the user’s location and gathers host hardware information. If the user accepts further prompts, it gains access to the Finder, microphone, and downloads. 

****What it Targets?****

Cuckoo targets macOS’s keychain, a repository for passwords, login credentials, and cryptographic keys, compromising online accounts and sensitive data access. 

It steals screenshots, and webcam snapshots, and targets messaging apps like WhatsApp and Telegram, revealing users’ online activities and posing a significant financial threat to digital asset owners. 

Researchers found Cuckoo copies files related to Safari, Notes, and Keychain to temporary locations and create paths to files of interest. It runs a launch agent every 60 seconds to maintain persistence on the machine.

****Who’s Behind Cuckoo?****

The campaign is not explicitly attributed to any particular threat actor, but researchers noted that it spares devices in Armenia, Belarus, Kazakhstan, Russia, and Ukraine. 

Moreover, it establishes persistence via LaunchAgent, a feature found in RustBucket, XLoader, JaskaGO, and a backdoor associated with Chinese threat actor ZuRu. The malware was signed with a legitimate Chinese developer ID (Yian Technology Shenzhen Co., Ltd (VRBJ4VRP), with all bundles (except those hosted on fonedogcom) signed.

To protect yourself from Cuckoo and other malware threats, download software cautiously, avoid untrusted sources, scrutinize emails and attachments, and use reliable antivirus and anti-malware solutions. Staying vigilant and maintaining scepticism is crucial for digital privacy and security.

1.  Hackers Targeting Apple’s M1 Chip with Mac Malware
2.  Simple tips to keep your Macbook secure from online threats
3.  Researchers bought MacBook for $1 using critical vulnerabilities
4.  UpdateAgent malware variant mimics legitimate macOS software
5.  EvilQuest ransomware hits Mac devices through pirated software

Cuckoo Mac Malware Mimics Music Converter to Steals Passwords and Crypto

Cybersecurity researchers have discovered a new information stealer targeting Apple macOS systems that's designed to set up persistence on the infected hosts and act as a spyware.
Dubbed Cuckoo by Kandji, the malware is a universal Mach-O binary that's capable of running on both Intel- and Arm-based Macs.
The exact distribution vector is currently unclear, although there are

New 'Cuckoo' Persistent macOS Spyware Targeting Intel and Arm Macs

Plus: An assassination plot, an AI security bill, a Project Nimbus revelation, and more of the week’s top security news.

This week, WIRED reported that a group of prolific scammers known as the Yahoo Boys are openly operating on major platforms like Facebook, WhatsApp, TikTok, and Telegram. Evading content moderation systems, the group organizes and engages in criminal activities that range from scams to sextortion schemes.

On Wednesday, researchers published a paper detailing a new AI-based methodology to detect the “shape” of suspected money laundering activity on a blockchain. The researchers—composed of scientists from the cryptocurrency tracing firm Elliptic, MIT, and IBM—collected patterns of bitcoin transactions from known scammers to an exchange where dirty crypto could get turned into cash. They used this data to train an AI model to detect similar patterns.

Governments and industry experts are sounding the alarm about the potential for major airline disasters due to increasing attacks against GPS systems in the Baltic region since the start of the war in Ukraine. The attacks can jam or spoof GPS signals, and can result in serious navigation issues. Officials in Estonia, Latvia, and Lithuania blame Russia for the GPS issues in the Baltics. Meanwhile, WIRED went inside Ukraine’s scrappy and burgeoning drone industry, where about 200 companies are racing to build deadlier and more efficient autonomous weapons.

An Australian firm that provided facial recognition kiosks for bars and clubs appears to have exposed the data of more than 1 million records of patrons. The episode highlights the dangers of giving companies your biometric data. In the United States, the Biden administration is asking tech companies to sign a voluntary pledge to make “good-faith” efforts to implement critical cybersecurity improvements. This week we also reported that the administration is updating its plan for protecting the country’s critical infrastructure from hackers, terrorists, and natural disasters.

And there’s more. Each week, we highlight the news we didn’t cover in depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

**How Israeli Weapons Firms Use Amazon and Google**

A government procurement document unearthed by The Intercept reveals that two major Israeli weapons manufacturers are required to use Google and Amazon if they need any cloud-based services. The reporting calls into question repeated claims from Google that the technology it sells to Israel is not used for military purposes—including the ongoing bombardment of Gaza that has killed more than 34,000 Palestinians. The document contains a list of Israeli companies and government offices “required to purchase” any cloud services from Amazon and Google. The list includes Israel Aerospace Industries and Rafael Advanced Defense Systems, the latter being the manufacturer of the infamous “Spike” missile, reportedly used in the April drone strike that killed seven World Central Kitchen aid workers.

In 2021, Amazon and Google entered into a contract with the Israeli government in a joint venture known as Project Nimbus. Under the arrangement, the tech giants provide the Israeli government, including its Israel Defense Forces, with cloud services. In April, Google employees protested Project Nimbus by staging sit-ins at offices in Silicon Valley, New York City, and Seattle. The company fired nearly 30 employees in response.

A mass surveillance tool that eavesdrops on wireless signals emitted from smartwatches, earbuds, and cars is currently being deployed at the border to track people’s location in real time, a report from Notus revealed on Monday. According to its manufacturer, the tool, TraffiCatch, associates wireless signals broadcast by commonly used devices with vehicles identified by license plate readers in the area. A captain from the sheriff’s office in Webb County, Texas—whose jurisdiction includes the border city of Laredo—told the publication that the agency uses TraffiCatch to detect devices in areas where they shouldn’t be, for instance, to find trespassers.

Several states require law enforcement agencies to obtain warrants before deploying devices that mimic cell towers to obtain data from the devices tricked into connecting to it. But in the case of TraffiCatch, a technology that passively siphons ambient wireless signals out of the air, the courts haven’t yet weighed in. The report highlights how signals intelligence technology, once exclusive to the military, is now available for purchase by both local governments and the general public.

**An Indian Assassination Plot in America**

_The Washington Post_ reports that an officer in India's intelligence service, the Research and Analysis Wing, was allegedly involved in a botched plan to assassinate one of Indian prime minister Narendra Modi's top critics in the United States. The White House said Monday that it was taking the matter "very, very seriously," while India's foreign ministry blasted the _Post_ report as "unwarranted" and "not helpful." The alleged plot to murder the Sikh separatist, Gurpatwant Singh Pannun, a dual citizen of the United States and Canada, was first disclosed by US authorities in November.

Canadian authorities previously announced having obtained "credible" intel allegedly linking the Indian government to the death of another separatist leader, Hardeep Singh Nijjar, who was shot to death outside a Sikh temple in a Vancouver suburb last summer.

**An AI Security Bill Emerges**

US lawmakers have introduced a bill aimed at establishing a new wing of the National Security Agency dedicated to investigating threats aimed at AI systems—or "counter-AI." The bipartisan bill, introduced by Mark Warner and Thom Tillis, a Senate Democrat and Republican, respectively, would further require agencies including the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) to track breaches of AI systems, whether successful or not. (The NIST currently maintains the National Vulnerability Database, a repository for vulnerability data, while the CISA oversees the Common Vulnerabilities and Exposures Program, which similarly identifies and catalogues publicly disclosed malware and other threats.)

The Senate bill, known as the Secure Artificial Intelligence Act, aims to expand the government's threat monitoring to include "adversarial machine learning"—a term that is essentially synonymous with "counter-AI"—which serves to subvert AI systems and “poison” their data using techniques vastly dissimilar to traditional modes of cyberwarfare.

A New Surveillance Tool Invades Border Towns

If CEOs want to prevent their firm from being the next victim of a high-profile deepfake scam, they need to double cybersecurity funding immediately.

Source: Tenebroso via Alamy Stock Photo

COMMENTARY

In a recent open letter, high-profile names from across the business, academic, and scientific worlds called for governments to intensify their regulation of deepfakes.

While their aims are admirable, their efforts are misplaced — it's innovation, not regulation, that will shore up our defenses against the deepfake threat. 

The letter, titled "Disrupting the Deepfake Supply Chain," was signed by prominent thinkers, including Stephen Pinker, computer scientist Joy Buolamwini, US politician Andrew Yang, and the "godfather" of AI, Yoshua Bengio.

Specifically, the letter called for increased criminalization of deepfakes, the establishment of specific criminal penalties, and liability for software developers and distributors for the use of their products in deepfakes. 

The letter correctly identifies the symptoms. Deepfakes are proliferating at a rapid rate — more than 900% annually, according to The World Economic Forum. This is ratcheting up the threat level across society.

Deepfakes are already an established weapon in the hacker arsenal. One finance worker recently paid $25 million to malicious actors after they used a deepfake of the employee's CFO in a video conference call. This should serve as a warning shot across the bow for the corporate world, and the open letter is correct to raise the alarm about the relative lack of action.

However, delegating responsibility to governments will only leave corporations more exposed. CEOs cannot afford to sit back and rely on regulators to stem the flow of deepfakes. They must take action and build their own defenses as soon as possible — and they are already starting from behind. Catching up will mean doubling their investment in innovative technologies that can counteract deepfakes.

**Stone Age Policies**

But why aren't governments up to the task themselves?

Most governments' cybersecurity departments and policies are in the Stone Age compared with these hackers. By the time legislation is drawn up, debated, and rolled out, it's often already antiquated and behind the pace of technological development. 

Furthermore, relying on reactive regulation in one government also means trusting all governments to do the same. No matter how punitive the legislation in one country, hackers in another country won't worry about the penalties, so nations will have to work together to negate the threat of deepfakes. But right now, hoping the Chinese or Russian states will prevent hackers from disrupting business in the West is nothing short of naive. 

CEOs and senior management must step up to the challenge and take responsibility for ensuring that they aren't the next victim of a deepfake scam.

Fortunately, management has several technologies available that can be rolled out to shore up their deepfake defenses, including advanced authentication, detection AI, and content watermarking. 

CEOs can integrate enhanced authentication standards to insulate their firms from deepfake scams. Two-factor or multifactor authentication systems require users to provide additional verification beyond a password, adding information that deepfake scammers will need to access sensitive information.

**Fighting Deepfakes With AI**

Management must also deploy AI in the fight against deepfakes. AI tools can analyze media files for anomalies and inconsistencies that are evidence of tampering. They can also analyze the subjects of these files, such as facial expressions and vocal patterns, and then flag non-natural inconsistencies that the human eye may miss. They can even compare deepfakes against genuine employee biometric data to identify fake representations of company employees.

Another option available to corporations is content watermarking, which embeds invisible, unique identifiers into official company media files. This can be used to verify the authenticity and origin of media content that employees come into contact with. 

These are just some of the many digital tools that management can use to insulate themselves from deepfake scammers and hackers. But they come at a cost.

Currently, cybersecurity funding lags far behind the scale of the threat that deepfakes pose. As with the finance worker above, company funds are at risk. Deepfake scams could also be used to access sensitive IP and trade secrets. Deepfakes of employees can also damage a firm's reputation, harming investor and consumer confidence. 

Even in the face of these ominous threats, firms continue to woefully underfund cybersecurity. The recent Cisco Cybersecurity Readiness Index highlights how only 3% of organizations have the "mature" level of readiness needed to be resilient against cyber threats. 

So, if CEOs want to prevent their firm from being the next victim of a high-profile deepfake scam, they need to double cybersecurity funding immediately. Relying on the government to do this for them only increases their exposure to the risk that deepfakes pose. With healthier financing, corporations can roll out authentication tools, AI identification systems, and content watermarking to properly insulate themselves from the deepfake threat. 

**About the Author(s)**

Founder & CEO, artius.iD

Michael Marcotte is one of the world’s pre-eminent experts in digital identity, cybersecurity, and business intelligence technology. He joined EchoStar, the multibillion-dollar satellite communications firm, in 2006, and was Global CIO, Global CDO, and president (Hughes Cloud Services). He was one of the very first people to serve as chief digital officer of a major international corporation. Michael left EchoStar in 2014 and currently is the founder and CEO of digital authentication firm artius.iD. He has applied his expertise at a range of firms in technology, cybersecurity, and venture capital. He is also co-founder of the National Cybersecurity Center (NCC) and was founder and chairman of the NCC's Rapid Response Center Board. He has been a senior adviser for several heads of state and US senators.

Innovation, Not Regulation, Will Protect Corporations From Deepfakes

The AI security startup's platform will allow organizations to define appropriate AI usage and enforce security policies.

Source: Ole CNX via Shutterstock

The past two years have seen unprecedented interest in generative artificial intelligence (AI), with companies across all industries integrating capabilities into their products and services. Organizations are adopting these tools to work faster and more efficiently. However, these AI applications also pose security challenges for organizations, with heightened risks of leaks of customer data and intellectual property. They also expand organizations' attack surface, potentially exposing them to malicious data injection and other AI-driven attacks.

This evolving threat landscape sets the stage for Apex, an AI security company that came out of stealth yesterday. Apex's security platform provides organizations with visibility of their AI activities. Organizations can define what AI usage should look like within their environments and enforce security policies accordingly. The platform can detect violations to company policies, as well as detect and respond to attacks, the company said.

The platform also includes a secure portal through which users can interact securely with the organization's AI tools. Apex works with public generative AI tools such as ChatGPT and Gemini, copilots such as the one from Microsoft, and the organization's own custom AI applications.

Founded in 2023, Apex currently has a few trials with Fortune 500 companies, the company told Reuters. Apex's co-founders are Matan Derman (CEO) and Tomer Avni (CPO).

As part of the launch, Apex raised $7 million in seed funding from Sequoia Capital, Index Ventures, and angel investors, including Sam Altman, CEO of OpenAI. The company plans to use seed funding for product development, grow its team, and go-to-market activities.

**About the Author(s)**

New AI Security Startup Apex Secures AI Models, Apps

“Yahoo Boy” cybercriminals are openly running dozens of scams across Facebook, WhatsApp, Telegram, TikTok, YouTube, and more.

Most scammers and cybercriminals operate in the digital shadows and don’t want you to know how they make money. But that’s not the case for the Yahoo Boys, a loose collective of young men in West Africa who are some of the web’s most prolific—and increasingly dangerous—scammers.

Thousands of people are members of dozens of Yahoo Boy groups operating across Facebook, WhatsApp, and Telegram, a WIRED analysis has found. The scammers, who deal in types of fraud that total hundreds of millions of dollars each year, also have dozens of accounts on TikTok, YouTube, and the document-sharing service Scribd that are getting thousands of views.

Inside the groups, there’s a hive of fraudulent activity with the cybercriminals often showing their faces and sharing ways to scam people with other members. They openly distribute scripts detailing how to blackmail people and how to run sextortion scams—that have driven people to take their own lives—sell albums with hundreds of photographs, and advertise fake social media accounts. Among the scams, they’re also using AI to create fake “nude” images of people and real-time deepfake video calls.

The Yahoo Boys don’t disguise their activity. Many groups use “Yahoo Boys” in their name as well as other related terms. WIRED’s analysis found 16 Yahoo Boys Facebook groups with almost 200,000 total members, a dozen WhatsApp channels, around 10 Telegram channels, 20 TikTok accounts, a dozen YouTube accounts, and more than 80 scripts on Scribd. And that’s just the tip of the iceberg.

Broadly, the companies do not allow content on their platforms that encourages or promotes criminal behavior. The majority of the Yahoo Boys accounts and groups WIRED identified were removed after we contacted the companies about the groups’ overt existence. Despite these removals, dozens more Yahoo Boys groups and accounts remain online.

“They’re not hiding under different names,” says Kathy Waters, the cofounder and executive director of the nonprofit Advocating Against Romance Scammers, which has tracked the Yahoo Boys for years. Waters says the social media companies are essentially providing the Yahoo Boys with “free office space” to organize and conduct their activities. “They’re selling scripts, selling photos, identifications of people, all online, all on the social media platforms,” she says. “Why these accounts still remain is beyond me.”

The Yahoo Boys aren’t a single, organized group. Instead, they’re a collection of thousands of scammers who work individually or in clusters. Often based in Nigeria, their name comes from formerly targeting users of Yahoo services, with links back to the Nigerian Prince email scams of old. Groups in West Africa can be often organized in various confraternities, which are cultish gangs.

“Yahoo is a set of knowledge that allows you to conduct scams,” says Gary Warner, the director of intelligence at DarkTower and director of the University of Alabama at Birmingham’s Computer Forensics Research Laboratory. While there are different levels of sophistication of Yahoo Boys, Warner says, many simply operate from their phones. “Most of these threat actors are only using one device,” he says.

The Yahoo Boys run dozens of scams—from romance fraud to business email compromise. When making contact with potential victims, they’ll often “bomb” people by sending hundreds of messages to dating app accounts or Facebook profiles. “They will say anything they can in order to get the next dime in their pocket,” Waters says.

Searching for the Yahoo Boys on Facebook brings up two warnings: Both say the results may be linked to fraudulent activity, which isn’t allowed on the website. Clicking through the warnings reveals Yahoo Boy groups with thousands of members—one had more than 70,000.

Within the groups—alongside posts selling SIM cards and albums with hundreds of pictures—many of the scammers push people toward other messaging platforms such as Meta’s WhatsApp or Telegram. Here, the Yahoo Boys are at their most bold. Some groups and channels on the two platforms receive hundreds of posts per day and are part of their wider web of operations.

After WIRED asked Facebook about the 16 groups we identified, the company removed them, and some WhatsApp groups were deactivated. “Scammers use every platform available to them to defraud people and constantly adapt to avoid getting caught,” says Al Tolan, a Meta spokesperson. They did not directly address the accounts that were removed or that they were easy to find. “Purposefully exploiting others for money is against our policies, and we take action when we become aware of it,” Tolan says. “We continue to invest in technology and cooperate with law enforcement so they can prosecute scammers. We also actively share tips on how people can protect themselves, their accounts, and avoid scams.”

Groups on Telegram were removed after WIRED messaged the company’s press office; however, the platform did not respond about why it had removed them.

Across all types of social media, Yahoo Boys scammers share “scripts” that they use to socially manipulate people—these can run to thousands of words long and can be copied and pasted to different victims. Many have been online for years. “I’ve seen some scripts that are 30 and 60 layers deep, before the scammer actually would have to go and think of something else to say,” says Ronnie Tokazowski, the chief fraud fighter at Intelligence for Good, which works with cybercrime victims. “It’s 100 percent how they'll manipulate the people,” Tokazowski says.

Among the many scams, they pretend to be military officers, people offering “hookups,” the FBI, doctors, and people looking for love. One “good morning” script includes around a dozen messages the scammers can send to their targets. “In a world full of deceit and lies, I feel lucky when see the love in your eyes. Good morning,” one says. But things get much darker.

The Yahoo Boys have been behind a recent wave of sextortion across the United States and elsewhere, says Paul Raffile, an intelligence analyst at the Network Contagion Research Institute who is closely tracking the criminals. Broadly speaking, during sextortion, a scammer will use intimate or explicit images to try to get someone to pay them money. “The Yahoo Boys are the principal threat actor behind the surge of sextortion that we’re seeing over the past 18 months,” Raffile says. “They are responsible for forcing dozens of teens to suicide.”

In a series of posts in one Telegram channel, highlighted by Warner, who is also involved in Intelligence for Good, one cybercriminal can be seen walking others through how to run a sextortion scam. They say they tricked people into sharing nude images—posting screenshots of the conversation—and explained ways other people can replicate it. “Hey I am posting your naked pictures on social media and Facebook,” says a sample message cybercriminals could use. “Am not just posting it am sending copies of it to your area,” the message says, before demanding $700.

While the scripts like these are shared on all social media channels, WIRED found at least 80 on the document-sharing service Scribd. The company removed them after WIRED got in touch, with a spokesperson saying there are limits on what people can upload and that the company has automated and manual reviews to remove content. “We’re actively building out new capabilities to broaden the scope of content moderation coverage to include a wider range of concerning text and image violations,” the spokesperson says. Some of the scripts had been online since 2020, and on pages where they were removed a “reading suggestions” section recommended other scam scripts.

Raffile says the Yahoo Boys have been able to “thrive” online “due to lack of moderation around all the illicit material” that they’re sharing. “They’re acting with impunity because they feel they will never get caught,” Raffile says.

Beyond the messaging platforms, the Yahoo Boys have a presence on TikTok and YouTube. “We design our app to be inhospitable to those who seek to exploit our community and we’ve removed this content for violating our policies,” a TikTok spokesperson says.

“Our policies prohibit spam, scams, or other deceptive practices that take advantage of the YouTube community,” a YouTube spokesperson says. “We also prohibit videos that encourage illegal or dangerous activities. As such, we have terminated the flagged channels for violating our policies and our terms of service.” They add that the company removed accounts for breaching policies about harmful content, spam, and generally violating its terms of service.

The accounts posted tutorials about how to scam people, link to groups on messaging apps, and promote technology for fake video calls. On TikTok, multiple accounts include carousels of images that the scammers can use in their efforts to create believable personas. Some of these include posts of elderly women for scammers who are in “need of grandma pictures for proof” of their fake identities and others for scammers who “need kids pics” for their victims.

As well as being a threat to thousands of people around the world, the Yahoo Boys can be quick to adopt new technologies. David Maimon, a professor at Georgia State University and the head of fraud insights at the identity-verification firm SentiLink, has monitored Yahoo Boys for years and says their techniques have evolved alongside new technologies.

“To build rapport with victims, the fraudsters first used text messages, then started sending recorded audio messages, to now using deepfake tools to communicate with victims live,” Maimon says. “On some of the markets we now also see the use of cloned voices. It is now accompanied with sending physical items to victims such as presents, food deliveries, and flowers.” Within some groups, they use “nudification” tools to turn photos of people clothed into nude photos, and deepfake video calls.

While the Yahoo Boys have been active for years, all the experts spoken to for this piece say they should be treated more seriously by social media companies and law enforcement. “It’s time that we start looking at Yahoo Boys as a dangerous organization, transnational organized crime, and start giving it some of those labels,” Raffile says.

Tag

#intel