Newsletters

Romania's national security council (CSAT) has declassified two documents this week that reveal a coordinated propaganda campaign that boosted an obscure far-right and pro-Kremlin candidate into the country's first round of presidential elections.

The campaign, which mostly took place via TikTok, took Calin Georgescu from an unknown candidate who was only polling around 1% a month before the election to the winner of the first presidential election round, where he accounted for almost a quarter of all votes.

The documents did not formally attribute the operation, but in a subsequent statement this week, the US State Department said what every Romanian politician and regular citizen already said and knew—that this was Russia.

The 2016 US Presidential race has raised awareness of the role of hack and leak operations in election interference, but there is a far longer history of these operations affecting public policy.     

This week, Reuters reported that a consultancy working for Exxon Mobil was being investigated by the FBI over its alleged role in a hack and leak operation targeting environmental activists.

This is the latest instalment in Chris Bing and Raphael Satter's long-running Reuters investigation into the rise of the hack-for-hire industry and how it has been used to influence legal battles. Per Reuters:

The Polish government has detained and forcibly taken to testify in front of a parliamentary hearing over the former government's use of the Pegasus spyware.

Piotr Pogonowski led Poland's internal security agency, the ABW, from 2016 to 2020.

Under his watch, the agency bought and used the NSO Group's Pegasus spyware to spy on opposition leaders, journalists, and prosecutors investigating government corruption.

Russian authorities have arrested Mikhail Matveev, a high-profile ransomware affiliate known for his hacker name of WazaWaka.

Matveev's arrest was mentioned in a court case filed in Russia's Kaliningrad exclave, Russian state news agency RIA Novosti [archived] reported on Friday.

He was detained and charged with creating malware. The criminal case specifically mentions that WazaWaka wrote new ransomware in January this year.

The Tor Project says it urgently needs at least 200 new bridges by the end of December to ensure Russian users can continue accessing the Tor network.

The project says it specifically needs bridges that run the WebTunnel protocol, which disguises connections to Tor networks as mundane web browsing activity.

WebTunnel bridges are harder to detect and censor compared to normal Tor bridges.

The Australian Government has proposed legislation to retrospectively guarantee that evidence collected by the AN0M crimephone sting operation is admissible in court. (Crimephone is the Risky Business HQ term for dedicated encrypted devices that are marketed in criminal networks to facilitate illegal activity).

This is an extremely unusual move, but there is a lot at stake here. The Australian Federal Police (AFP) described the AN0M operation as the "largest organised crime investigation in the Southern Hemisphere" and if the evidence is ruled inadmissible there may not be another opportunity to strike such a large blow against organised crime. 

The Surveillance Legislation (Confirmation of Application) Bill 2024 is aimed squarely at evidence collected by AFP's Operation Ironside. This operation was jointly conducted with the FBI, which called it Operation Trojan Shield and is entertainingly chronicled in Joseph Cox's book Dark Wire. 

The developers of Banshee Stealer, an infostealer that targets macOS systems, have shut down their operation after an unidentified individual leaked their malware's source code online.

The incident took place earlier this week and was announced via hacking forums and Telegram channels.

The Banshee group launched its operation in August and is one of several macOS infostealers that were released this year.

Google has removed from its search and news index hundreds of domains that were operated by four Chinese-based PR firms that published pro-PRC propaganda to international audiences.

The companies ran two newswire services where they published articles and collectively pulled content to distribute through their own "independent" news websites.

The articles were low-quality rewordings of stories from Global Times, a PRC state-controlled media outlet, designed to push China's views on various topics through smaller news sites and give the impression of mass consensus and authenticity.

The US Department of Justice has unsealed charges against five suspected members of the Scattered Spider hacking group.

The five include four Americans and one British citizen.

Three of the five are confirmed to be in custody. Evans was arrested this week, Buchanan in June, and Urban in January.

A new report describes the evolution of China's cyber capabilities over the past 30 years, including the incorporation of independent hacktivists into state-linked groups and the rise of the Ministry of State Security (MSS) as a hacking force. Most interestingly, the report examines the reorganisation of the People's Liberation Army (PLA) and the decline in reports of operations linked to the country's military hackers since 2017. 

The report, from security firm Sekoia, describes three primary state actors that carry out cyber operations for the Chinese Communist Party (CCP): the MSS, the PLA and the Ministry of Public Security (MPS).

Several years ago, the PLA was China's major cyber espionage actor. Mandiant's groundbreaking 2013 report, for example, linked the operations of a prolific actor it dubbed APT1 to a specific element in the PLA's General Staff Department, Unit 61398. Mandiant said the unit was responsible for stealing hundreds of terabytes of data from nearly 150 organisations spanning 20 major industries, and tied the organisation to a specific 12-storey building in Shanghai.