Security News This Week: India Shut Down Cell Service for 27 Million During a Manhunt

Plus: The “Clop” gang’s ransomware spree, the DC Health Link breach comes into focus, and more.
Group of Sikh protestors holding up signs outside
Manpreet Singh, center, raises his fist while demonstrating against the Indian government outside the Indian Consulate in San Francisco on March 20, 2023.Photograph: NOAH BERGER/Getty Images

A US House of Representatives hearing this week about the social media app TikTok did little to clarify lawmaker's specific concerns about the potential national security risks associated with the wildly popular app, but it did vividly underscore the country’s lack of federal data privacy legislation. WIRED also discovered that TikTok paid for influencers popular on its platform to attend a DC rally in support of the service ahead of the hearing

Meanwhile, as a possible indictment of former US president Donald Trump looms in New York state, internet users began generating AI images of Trump being arrested, but there are ways to tell that they're fake. WIRED examined the increasingly aggressive and desperate tactics of Iran's government-backed hackers amid mass protest and unrest in the country. Citizen sleuths around the world are using open source intelligence to separate fact from fiction in the mystery of who sabotaged the Nord Stream pipeline. And vulnerabilities keep showing up in ultra-popular photo cropping tools, exposing a host of cropped images all over the world where some or all of the original image can be recovered.

Plus, if you want to know what it's like to be investigated by the US Secret Service—and how to avoid that particular pleasure—we have a full account.

And there's more. Each week, we round up the security news we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.

People living in the Indian state of Punjab grappled with an internet shutdown for days after police imposed a connectivity blackout while searching for the Sikh activist Amritpal Singh. Singh is a member of the Sikh Waris Punjab De movement and recently evaded arrest. More than 100 of his supporters have been arrested. Punjab's 27 million inhabitants faced mobile data and SMS blocking as well as traffic filtering on certain websites and services. For example, the government appeared to have blocked access to prominent Sikh Twitter accounts, including that of poet Rupi Kaur and the nonprofit United Sikhs. “Punjab Police India continued its crackdown on Waris Punjab De elements wanted on criminal charges,” the government of Punjab said in a Facebook post on Monday. “Amritpal Singh remains a fugitive, and efforts are being made to arrest him.” Protests have erupted in Punjab and around the world over law enforcement treatment of Sikh Waris Punjab De and the internet shutdown.

A vulnerability in file transfer software from Fortra known as GoAnywhere has been repeatedly exploited by the notorious, Russia-based Clop ransomware group to target dozens or possibly more than a hundred victims in recent days. The cybercrminal group has added entries on numerous organizations to its dark web site, where Clop attempts to extort money from victims by publishing samples of data they've stolen and threatening to leak more if targets don't pay. TechCrunch confirmed on Thursday that the City of Toronto is one of the victims of the spree. “Today, the City of Toronto has confirmed that unauthorized access to City data did occur through a third-party vendor. The access is limited to files that were unable to be processed through the third-party secure file transfer system," officials said in a statement. TechCrunch has also uncovered details about problems with Fortra's response to the discovery of the vulnerability.

The company that runs the Washington DC health insurance marketplace DC Health Link suffered a breach earlier this month that exposed sensitive and personal data from tens of thousands of area customers, including from some US lawmakers and congressional staff. The information included names, email addresses, dates of birth, mail addresses, Social Security numbers, and policy details. The DC Health Benefit Exchange Authority acknowledged the breach on March 7. The entity that has claimed credit for the breach, who goes by the handle “Denfur,” posted samples of data from the attack on BreachForums. Denfur subsequently posted “Glory to Russia!” and that the “intended target was US politicians and members of US government." In an interview with CyberScoop on an encrypted chat service, Denfur claimed not to be concerned about suffering repercussions from law enforcement. “If anything, I’m more worried about my country trying to do a favour for the US and myself or group becoming a sort of bargaining chip,” Denfur said. “The current time brings uncertainty.”

The alleged “pompompurin” administrator of the popular cybercriminal public square BreachForums—the same site Denfur used against DC Health Link—was arrested in New York state earlier this month, but a new leader known as “Baphomet” had come forward, claiming to have a plan to keep the platform going. On Tuesday, though, Baphomet changed course, claiming that someone had gained access to the BreachForums backend and that law enforcement may now control pompompurin's privileged administrator accounts. “This will be my final update on Breached, as I've decided to shut it down,” Baphomet wrote. “I'm aware this news will not please anyone, but it's the only safe decision now that I've confirmed that the glowies likely have access to Poms machine.”