Security News This Week: 2 Polish Men Arrested for Radio Hack That Disrupted Trains

Plus: A major FBI botnet takedown, new Sandworm malware, a cyberattack on two major scientific telescopes—and more.
[Photo: A Pendolino train on a railway near the Main Station in Krakow, Poland. Photograph: Jakub Porzycki/Getty Images]

A monthslong WIRED investigation published this week revealed the inner workings of the Trickbot ransomware gang, which has targeted hospitals, businesses, and government agencies around the world. 

The investigation stemmed from a mysterious leak published on X (formerly Twitter) last year by an anonymous account called Trickleaks. The document trove contained dossiers on 35 alleged Trickbot members, including names, dates of birth, and much more. It also listed thousands of IP addresses, cryptocurrency wallets, email addresses, and Trickbot chat logs. Armed with this information, we enlisted the help of multiple cybersecurity and Russian cybercrime experts to paint a vivid picture of Trickbot’s organizational structure and corroborate the real-world identity of one of its key members. 

Last weekend, someone (more on that later) successfully disrupted more than 20 trains in Poland. The incidents were originally described as a “cyberattack,” but it was actually something much simpler: a radio hack. Using equipment that can cost as little as $30, the attack exploited the trains’ unencrypted radio system to cause them to perform an emergency stop. 

Over on the dark web, cybercriminals are making money in an unexpected way: writing contests. With total prizes reaching as high as $80,000, the competitions enlist hacking forum members to craft the best essays, many of which explain how to carry out cyberattacks and scams. 

Last December, Apple officially killed its controversial photo-scanning tool for detecting child sexual abuse material (CSAM) on iCloud, a tool the company launched in August 2021 before un-launching it a month later after backlash from cybersecurity experts, civil liberties advocates, and others who argued that the tool would violate users’ security and privacy. But the issue is far from resolved. This week, a new child safety group called Heat Initiative demanded that Apple reinstate the tool. Apple responded with a letter, which it shared with WIRED, detailing for the first time its full reasoning behind terminating the tool. Heat Initiative’s push comes amid international pressure to weaken encryption for law enforcement purposes.

Elsewhere, we detailed the big security patches you need to install to keep your devices safe (looking at you, Google Chrome and Android users). And we dove into the supremely nerdy world of a code-cracking competition that had contestants racing to decode a German U-boat cipher from World War II. One team had a secret weapon.

But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

When more than 20 trains in Poland were brought to a halt last weekend in what was described as a “cyberattack,” all eyes turned to Russia. After all, Poland’s rails serve as a key piece of infrastructure for supporting Ukraine’s war effort. But as we reported a day later, the disruption had been caused not through any sophisticated cyber intrusion but through a simple radio hack that sent a “radio stop” command to the Polish trains over an unencrypted and unauthenticated system. “The frequencies are known. The tones are known. The equipment is cheap,” Polish-speaking cybersecurity researcher Lukasz Olejnik told WIRED. “Everybody could do this. Even teenagers trolling.”

Well, not teenagers exactly, but twentysomethings. This week, Polish police arrested a 24-year-old man and a 29-year-old man, both Polish citizens, who allegedly carried out the radio train hack. One of the two men, based in the city of Bialystok near the border with Belarus, was a police officer. According to Poland’s RMF Radio, amateur radio equipment was found in the apartment where the younger man was found (reportedly in a drunken state).

The motives for the two men’s train sabotage are still far from clear—especially given that between “radio-stop” commands they also broadcast the Russian national anthem and a clip of a speech by Russian president Vladimir Putin. It’s too early to rule out Russian government involvement. But it’s also very possible that the hack was an extremely ill-advised political statement or prank.

The FBI and United States Department of Justice announced this week that they’d ripped offline a major cybercriminal network—the Qakbot botnet that had infected more than 700,000 computers worldwide, including 200,000 in the US. Qakbot’s operators had used that network to provide initial access as a service to ransomware crews, whom the Justice Department says had received $58 million in payments in 40 ransomware attacks over the past 18 months alone. The FBI managed to redirect control of Qakbot to the bureau’s own command-and-control server, then use it to install software on the victim machines that would delete Qakbot’s code. The FBI also managed to access the Qakbot operators’ cryptocurrency wallets and seize $8.6 million. For the FBI, the Qakbot operation is the biggest cybercriminal botnet takedown in years, though it has more recently carried out similar botnet hijackings that targeted malware used by state-sponsored Russian groups like Sandworm and Turla.

Russia’s military intelligence hackers, known as Sandworm, have carried out some of the most reckless and disruptive cyberattacks to ever target civilian critical infrastructure, from Ukraine’s electric grid to the 2018 Winter Olympics. Now, the US government and English-speaking allied intelligence agencies known as the Five Eyes have warned that Sandworm has turned its focus to a more traditional target: Ukrainian military devices. Echoing an earlier announcement from Ukraine’s security service, the SBU, a joint alert this week—from the Cybersecurity and Infrastructure Security Agency, the NSA, the FBI, the UK’s National Cybersecurity Center, and others—cautioned that Sandworm has sought to penetrate Ukrainian military networks. To do so, the hackers worked to install a piece of malware that the agencies are calling Infamous Chisel on Android tablets used in the war effort. The malware was designed to steal photos, text files, and other data from the tablets over the Tor anonymity network, and it likely depended on the lack of malware detection in the Android operating system to avoid detection.

Mysterious hacking incidents targeting the National Science Foundation’s National Optical-Infrared Astronomy Research Laboratory in early August have led to the weekslong shutdown of two major scientific telescopes: the Gemini North Telescope in Hawaii and Gemini South Telescope in Chile. The NSF has said very little about the nature or origin of the breaches that led to those shutdowns. But they occurred just days before a bulletin from the US National Counterintelligence and Security Center warned of the threat of foreign hackers and spies targeting US astronomy and space operations. “They see US space-related innovation and assets as potential threats as well as valuable opportunities to acquire vital technologies and expertise,” the bulletin reads.

What do you do if the targets of your espionage are using a messenger app whose encryption you can’t break? Trick them into using a spoofed look-alike app that intercepts all their messages before encrypting and sending them. Spies of apparent Chinese origin did just that, managing to slip fake versions of both the Signal and Telegram encrypted messenger apps into Google’s Play store. The spy apps were designed to intercept all of the users’ messages before they were encrypted and sent—invisibly interacting with the real Signal and Telegram networks—and also to read all the decrypted messages received on phones. The cybersecurity firm ESET, which discovered the fake apps, points out similarities between the code of the fake Signal app and malware previously used to target individuals in China’s Uyghur minority group, suggesting that they may have been the target of this operation too. Google removed the fake apps from its Play store. Samsung, which also hosted the spy apps in its app store, has removed them after months of warnings.

Update 11:35 am, September 6, 2023: A Samsung spokesperson says the company has now removed the fake messaging apps from its app store.