WIRED writer, author of SANDWORM and now TRACERS IN THE DARK: The Global Hunt for the Crime Lords of Cryptocurrency. Andy.01 on Signal. agreenberg@wired.com
I spent this year talking to the 3 young hackers behind Mirai, the malware that once broke the internet.
This is WIRED's resulting cover story—an epic, untold, 22,000-word tale of cybercrime, friendship, chaos, betrayal, paranoia, and redemption.
Read:
A wild, appalling story: A group of hackers fabricated evidence on the PCs of Indian human rights activists who were then arrested for terrorism and jailed. Now researchers have found a direct link between those hackers and the police making the arrests.
For weeks, observers of North Korea have noted that the country's internet seemed to be under attack, with all its websites down at times. This wasn't the work of US Cyber Command. It was a single hacker getting even after NK spies targeted him last year.
Three years ago today, Marcus Hutchins stopped WannaCry, an $8 billion cyberattack. Then the FBI arrested him.
Today we're publishing a 14,000-word cover story that finally tells his full, untold tale, from 15yo criminal to hero to convict to redemption.
For the last year, I’ve been reporting out what it felt like to be inside a company hit by NotPetya, the unprecedented $10 billion cyberattack. The result is this WIRED cover story: how Russian malware took down Maersk, the world’s largest shipping firm.
In 2011, RSA was hacked by Chinese spies, who stole the "seed" values used to generate codes on SecurID 2fa tokens, shocking the security world. Now, after 10 years, the NDAs of the staff involved have expired. This is the untold story they shared with me:
Big news: DOJ today unsealed charges against Sandworm, naming the Russian GRU hackers who have for 5 years crossed every red line in cyberwar from blackouts to disrupting the Olympics to unleashing the NotPetya worm that cost $10 billion. < Updates to come
Lots of well deserved remembrances of Ellsberg’s heroism today. I’ll just post my favorite passage from his incredible memoir, Secrets. He’s telling Henry Kissinger (who as many have noted is somehow still alive) what access to truly secret information can do to a person’s mind.
As a Jewish person, allow me to weigh in on antisemitism: If you're supporting the wholesale, ongoing, indiscriminate killing of children in Gaza by saying it's in defense of Jewish people, *that* is anti-semitism.
I interviewed @DDoSecrets cofounder Emma Best about #BlueLeaks, 269 gigs of files from 200+ law enforcement orgs, given to Best's secret-spilling group by a source aligned w/ Anonymous. Likely the most significant Anonymous operation in nearly a decade.
That link, somewhat amazingly, was that a Pune City Police official added his own email and phone number as the recovery contacts for three of the activists' hacked accounts, likely as a very crude way to maintain access, sometimes just months before the activists were arrested.
As simple as that giveaway might sound, finding it required @SentinelOne mapping out the whole hacking campaign, and one very badass source at an email provider coming forward with the key info.
On Friday I contacted Gab about a major breach of their backend. Their CEO responded with a blog post accusing me of "assisting the hacker in his efforts to smear our business." He followed up today w/ another post about "[transphobic slur] demon hackers."
All this Bellingcat-style attribution work is very fun and gratifying to be involved in. But the focus should remain on the defendants in the case, known as the Bhima Koregaon 16. Of those 16, 13 are in jail. One, 84-year-old priest Stan Swamy, died there. As @juanandres_gs says:
Last fall, Iowa contracted two white hat hackers to break into a series of courthouses as a security test. Then they were arrested and charged with felony burglary.
This is their full story, from Sneakers-style heist tricks to Kafkaesque legal nightmare:
Five years ago, Cody Wilson released files on the web for the first 3D printable gun. The government tried to stop him. He sued. Now he's won. So he's launching a new online library of gun files designed to let anyone download and build lethal DIY weapons.
Since 2020, I've been writing a book on how Bitcoin, once said to be untraceable, turned out to be the opposite. Today we're releasing an early, 15,000-word excerpt: Inside the crypto tracing case that took down the largest known child sex abuse site ever.
Citizen Lab's @jsrailton went a step further: He added the official's number as a contact in WhatsApp, and found his profile included a selfie pic. The face in the pic matched photos of the man at police press conferences and even a news photo taken at one of the activists' arrests.
US gov agencies are warning of a new malware toolkit that can target industrial control systems (ICS) from power grids to oil & gas. Dragos calls it "Pipedream," and @cnoanalysis says it’s "the most expansive ICS attack tool anyone has ever documented."
To confirm the police official's identity, @0xzeshan then found the email and phone number the official had added to the hacked accounts in multiple breached/leaked databases and an archived version of the Pune Police website.
Three years ago I learned of a group of hackers hitting Ukraine with relentless, disruptive cyberattacks—with effects that would soon spread globally. Today, my book that tells the story of that first true cyberwar is out: SANDWORM. I hope you'll read it.
A tiny startup called Kytch hacks McDonald’s ice cream machines to make them break less. Now their work to fix McFlurry extruders has thrown them into an epic conflict with fast-food giants, complete with legal threats, private investigators, and betrayal.
Pigs in the US are increasingly slaughtered with CO2 gas chamber systems that can asphyxiate as many as 1,600 pigs an hour. The companies that sell and use them claim they're "stress-free" or "painless" for animals. Hidden spy cams reveal a darker reality.
Confirming @briankrebs reporting that Chinese group Hafnium has now exploited Microsoft Exchange zero-days to hack tens of thousands of networks. One researcher says 30k servers in the US alone, hundreds of thousands globally. "China just owned the world."
Incredible reporting on how WikiLeaks’ Vault 7 release of secret CIA docs in 2017 drove the agency to consider kidnapping Assange or even killing him. “Pompeo and other top agency leaders ‘were completely detached from reality…they were seeing blood.’”
My book Sandworm, on Russia's years-long cyberwar in Ukraine, has spiked in sales since Russia's full-scale invasion began. So I'm donating royalties for the first half of 2022 to Ukrainian victim aid non-profits. (ht to @anneapplebaum who set the example)
Huge shift: In 2015/2016, blackouts Russia's GRU hackers caused in Ukraine took US gov *years* to attribute publicly. NotPetya, GRU's global cyberattack that massively affected Americans in 2017, took 8 months. Now GRU sneezes and it's called out in days.
New: White House attributes DDoS attacks on Ukrainian organizations this week to Russia's GRU -- Anne Neuberger said it from White House podium just now
We obtained an FBI notification to hacking victims sent out in May. It reveals that the Russian GRU hackers known as Fancy Bear or APT28 have been targeting US state and federal agencies, educational institutions and the US energy sector.
Florida local officials say hacker tried to dump caustic lye in a 15k-person city's water via access to the water plant's TeamViewer software. A rare public announcement of an industrial control system breach intended to have catastrophic consequences.
It's not really my job to say this, but when a reporter contacts you about a theft/leak of 70 gigabytes of your data including private posts, chats and passwords this is not the response I'd recommend.
Ars Technica's @dangoodin001 is one of the most technically knowledgeable reporters I know. Now he's being sued by Keeper Security for writing up a report of Keeper's software vulnerabilities made by a Google researcher. This is gross, litigious bullying.
Researchers found that varying the intensity of a laser pointed at a smart speaker’s mic could trick it into behaving as if it were receiving voice commands—silently telling Alexa to make purchases or unlock doors via a window from hundreds of feet away.
How Mimikatz, a tool coded by a French government IT manager in his spare time, became the favorite password stealer of hackers worldwide (including the Russians who first tried to steal it from its creator's hotel room in Moscow)
Iran’s APT35 hackers left five hours of videos recorded from their own screens on an exposed server, where IBM researchers found them. The videos show the hackers demonstrating data theft techniques, sometimes on real victims’ email accounts.
A year after Bloomberg's questionable spy chip story, a researcher has shown how those hardware implants aren't just possible, but potentially cheap: With $200 in gear, he hid a tiny chip in a Cisco firewall that gives him remote access. Would you spot it?
I traced the blow-by-blow of how four teams of researchers independently found flaws that would become Spectre/Meltdown at almost the same time. What does that strange synchronicity mean about bug rediscovery and the secret exploitation of zero-day flaws?
Weak encryption in the keyless entry system for Tesla’s Model S allowed security researchers to clone a key fob in seconds, open the car’s doors and drive it away.
We dug into the mystery of "Jia Tan," the polite, conscientious volunteer coder who inserted a surprisingly sophisticated backdoor into XZ Utils—and is most likely the persona of a state-sponsored hacking group based in an Eastern European time zone.
Twitter’s encrypted DM feature is technically flawed, opt-in, limited to 1-to-1 text-based messages, restricted to a small user base, and generally inferior in just about every way to encrypted apps like Signal and WhatsApp.
And all for just $8 a month.
Here are the six men charged. (You might recognize Kovalev from 2018, when he was charged along with 11 other GRU agents re: US election interference—he hacked US State Boards of Election. This indictment adds he also helped hack the 2017 campaign of France's President Macron)
Signal has used Brian Acton's $50m gift to staff up (from 3 people to 20), build tons of new features, and vastly scale up its ambitions. "I’d like for Signal to reach billions of users," says Acton. "I’d love to have it happen in the next 5 years or less."
A Reddit rumor was going around yesterday that hackers downloaded nearly all of Parler's data with a 2fa bug that let anyone create an admin account. Yes, hackers grabbed all of Parler's (public) data. But the truth of how they did it was far simpler:
Phone phreaker Will Caruana put together what may be the world's largest list of numbers for elevator phones. Anyone can call in to talk to elevator passengers, eavesdrop, or in many cases, reprogram the phones. (And yes, I called a few dozen myself.)
Just 2 months after an FBI-led "disruption" of ransomware group BlackCat, the hackers are on day 7 of an attack delaying prescriptions in hospitals across the US—and raising questions about the efficacy of law enforcement's operations against these groups.
Researchers at Dragos have defined a new APT group they call Kamacite, which at times works as the "access" team for Russia's GRU hackers known as Sandworm, at times independently. And they found Kamacite has targeted the US grid + oil and gas for years.
Hundreds of models of Gigabyte motherboards, used in gaming and other high-performance computers, have a backdoor in their firmware that invisibly downloads code to the machine at startup—and does so insecurely, leaving the feature open to abuse.
Eva Galperin, the head of EFF’s Threat Lab, has been pressuring antivirus firms to finally take seriously the threat of consumer spyware apps used for domestic abuse. Today, she got her first win: Kaspersky announced a new stalkerware crackdown:
Researchers checked 34 billion insufficiently random Ethereum keys, and found that 732 of the associated addresses had already been emptied, likely by thieves. One of those thieves had amassed a fortune that was at one point worth $54 million.
Kaspersky researchers found a puzzle inside a Central Asian country's embassy: Highly versatile spyware infecting its network, called TajMahal, with 80 distinct modules and no fingerprints of any known hacker groups. It had gone undetected for five years.
Last week’s news of an FBI operation against the Russian hacker group Turla offered an excuse to sketch out the 25-year history of these elite FSB cyberspies—and to try to capture why so many intel analysts and security researchers are obsessed with them.
Dutch police investigators detailed to me how they took over and ran one of the world’s top dark web drug sites for nearly a month, all while turning it into a massive surveillance trap for the site’s users:
At Defcon next week, two hackers will re-launch (after a years-long hiatus) PunkSpider, a search engine for hackable websites. It will publicly reveal hundreds of thousands of unpatched web bugs—in the hope of shaming site owners into fixing them.
I dug into the terms of Binance's settlement with feds. The world's biggest crypto exchange is about to open its entire database of transaction records to US regulators and law enforcement for a "24/7, 365-days-a-year financial colonoscopy."
Read: @SCFGallagher @caitlin__kelly
Her best friend is a giant blue ox and she brushes her teeth with pine trees. Once she got so sad she dropped her ax and dragged it behind her, creating the Grand Canyon.
Israeli firm Check Point says an NSA zero-day exploit was replicated by Chinese hackers and used for years. (Long prior to its leak by Shadow Brokers) A source now confirms Lockheed Martin found the Chinese version of the tool being used on a US network.
Two months ago, Microsoft admitted Chinese hackers had obtained a cryptographic key that let them forge access tokens and get into 25 organizations' emails. Now they've revealed how they think it happened, and it is truly a Series of Unfortunate Events.
For the first time, Signal has released a breakdown of its costs, which will reach $50 million a year by 2025. Its president @mer__edith says this isn’t just an appeal for donations. It’s a way to highlight the surveillance profit model they’re up against.
Just when you start to worry that @moxie might have lost his cyberpunk edge as CEO of the relatively grown-up non-profit behind Signal, he lays hands on a Cellebrite device that "fell off a truck," hacks it and demos the bugs in a Hackers-themed video:
Feds have arrested the admin of Bitcoin Fog, the longest-running dark web Bitcoin-laundering service. It helped hide $336M over 10 years. How'd they find him? With exactly the follow-the-money techniques his service was meant to defeat. h/t @SeamusHughes!
Dutch researcher @0Xiphorus has detailed a new physical access technique that could let hackers break into any of millions of PCs via their Thunderbolt ports. The good news is it requires unscrewing the case briefly. The bad news is it's unpatchable.
Signal is rolling out new settings today to finally let you create a username instead of revealing your phone number to everyone you communicate with. This is probably the most requested feature in Signal’s 10-year history.
I tested it out in beta:
Android phones aren't just slow to get security updates. They also sometimes lie to you about them. A new study of 1,200 Android phones' firmware finds that the phones lacked as many as a dozen patches even while telling users they're fully patched.
Wired is unionizing. We've been planning this for more than a year, but in the current economic crisis it's more urgent than ever. If we can gain a seat at the table and use it to protect our most vulnerable staff, we have a responsibility to do it now.
This weekend, pro-Russian saboteurs halted more than 20 Polish trains, possibly to hamper Ukraine's war effort. @LukOlejnik figured out how they did it: A "radio-stop" command anyone can broadcast at a certain frequency with as little as $30 of equipment.
Alex Stamos' plan for the Stanford Internet Observatory is...bold. Negotiate access to anonymized data from Facebook, Google, Twitter, etc. Scrape fringe sites like Voat, Gab, 4chan, 8chan. Offer it all up to social scientists studying bad behavior online.
Researchers found that anyone who controls a WhatsApp server (sophisticated hackers, a government coercing the company) can insert themselves into any group chat, undermining WhatsApp’s promises of end-to-end encryption
Google reveals a hacker group used five zero-day vulnerabilities (a lot!) in a phishing and watering-hole spy campaign against North Koreans last year. Kaspersky links the attacks to DarkHotel, a suspected South Korean hacking group.
I just realized: NotPetya, the Russian GRU-built worm designed to destroy Ukraine's digital infrastructure, hit on the 10-year anniversary TO THE DAY of the fourth Diehard movie's release in theaters...wherein bad guys carry out cyberattacks designed to hack all US infrastructure
For the 30th anniversary of The Cuckoo’s Egg, I interviewed Cliff Stoll and tried to capture the immense, unlikely influence this polymath planetary astronomer has had on the field of cybersecurity:
To mark the paperback release of SANDWORM this week, here's an excerpt that tells the blow-by-blow of a historic 2007 US government experiment known as Aurora. The goal: destroy a school-bus-sized, $300,000 diesel generator with malicious code alone.
Yes, the $3.6 billion crypto seizure is notable for one defendant's horrifying rap videos. But it's also a pretty remarkable display of IRS defeating crypto-laundering techniques like "chain-hopping," Monero and mixing via dark web market. I dug into it:
This piece, the longest Wired has published in the magazine in over a decade, is paywall-free for one more day.
(Also, hope it makes you want to subscribe to Wired so my colleagues and I can have jobs.)
Apple walked me through the elaborate cryptography that allows the new Find My app to let you track down your lost, offline Macbook via Bluetooth signals it sends out, while still preventing anyone else from tracking you via those signals—including Apple.
After last week's $3.6B bitcoin seizure, (the largest financial seizure ever) I'm excited to reveal the title/cover for my next book, on the detectives who learned to trace cryptocurrency and their giant impact on digital black markets: TRACERS IN THE DARK
P4x wants to send a message not only to NK to stop targeting US hackers (see @lilyhnewman from last year) but also to US agencies he feels have done little to support/protect targeted individuals: “If no one’s going to help me, I’m going to help myself."
One Tesla owner has released code for modding a Model S to pull video from its autopilot cameras and extract license plates/faces. His "surveillance detection scout," is intended to warn if someone is following you—and also raises major privacy questions.
In 2022, we at WIRED told the story of P4x, a hacker who singlehandedly took down the entire North Korean internet.
Now he's revealing his name—Alejandro Caceres—and his strange experience since then: trying to teach the US military to be more like him.
For the last year, the head of the cyberwar-focused Unit 74455 of Russia's GRU military intelligence agency, aka Sandworm, has been a hacker named Evgenii Serebriakov.
If that name sounds familiar, it's because he was busted in the Netherlands in 2018.
Big thing #1 to me: After more than two years of silence from governments around the world on the "Olympic Destroyer" cyberattack that sabotaged the 2018 Winter Olympics in Korea, the US has finally (!) blamed Russia and condemned the attack.
A year ago, researchers broke the encryption of the Tesla Model S keyless entry system, showing hackers could wirelessly clone key fobs to steal cars. Tesla made new fobs. Now the same researchers found a bug in the new fobs and cracked them again.
The same "phone spear phishing" playbook used to hack Twitter in July has since been used against dozens of other companies, including banks, cryptocurrency exchanges and hosting providers, according to investigators tracking the new wave of attacks:
Wired has published another excerpt of my book SANDWORM, out 11/5. This piece tells the blow-by-blow story of how the most deceptive malware in history nearly crippled the 2018 Olympics—and how investigators ultimately tracked down the culprits behind it.
A new round of data-destroying fake ransomware attacks in Ukraine appears to be small-scale for now. But it's uncomfortably similar to Russia's escalating attacks from 2015-2017 that culminated in NotPetya's $10 billion devastation.
It's been almost exactly 5 years since the NSA was caught hacking targets' hard drive firmware to plant ultra-stealthy spy tools. Yet today, gazillions of computer parts' firmware, from webcams to trackpads to network cards, remains wholly unprotected.
Big thing #2: Three-plus years after Sandworm unleashed NotPetya, the worst cyberattack in history, the US has named 4 men directly involved, even noting how Andrienko & Pliskin "celebrated" afterwards. A kind of accountability that's long been lacking.
In an infamous incident at the Defcon hacker conference 15 years ago, Boston's transit agency sued a group of MIT hackers to stop them from revealing a method for getting free rides.
Today, four teenagers at Defcon picked up where they left off:
(thread)