Security News This Week: The Startup That Transformed the Hack-for-Hire Industry

Plus: The FBI’s baffling inaction on a ransomware group, a massive breach of Danish electric utilities, and more.
Smashed laptop
Photograph: Dennis Lane/Getty Images

If you work at a spy agency tasked with surveilling the communications of more than 160 million people, it’s probably a good idea to make sure all the data in your possession stays off the open internet. Just ask Bangladesh’s National Telecommunication Monitoring Center, which security researchers found connected to a leaky database that exposed everything from names and email addresses to cell phone numbers and bank account details. The data was likely just used for testing purposes, but WIRED confirmed at least some of the data is linked to real people.

A fight is brewing in the United States Congress over the future of a powerful surveillance program. Section 702 of the Foreign Intelligence Surveillance Act is set to expire at the end of the year. With the December 31 deadline quickly approaching, members of Congress and civil liberties groups are criticizing Section 702 for enabling the “incidental” surveillance of Americans’ communications and “abuses” by the FBI. While a privacy-preserving update to the program has been introduced in Congress, some 702 critics remain concerned that lawmakers will push through reauthorization using other, “must-pass” legislation.

The US Cybersecurity Infrastructure Security Agency this week rolled out its plan for implementing the Biden administration’s executive order on artificial intelligence. CISA’s efforts will focus on defending against weaponized AI and how to incorporate the technology for national security purposes.

Speaking of national security, WIRED spoke this week with Jacob Chansley, aka the Qanon Shaman, who plans to run for the US Congress after becoming a poster child for the US Capitol riot on January 6. Elsewhere in the world of unexpected political news, talk of 9/11 mastermind Osama bin Laden's “Letter to America” spread online this week—and was promptly used by far-right figures to push conspiracy theories.

For the first time, the Signal Foundation has revealed the cost of running its widely popular encrypted messaging app. With annual expenses set to hit $50 million by 2025, the nonprofit expects to rely more heavily on user donations to keep Signal going strong. “By being honest about these costs ourselves, we believe that helps provide a view of the engine of the tech industry, the surveillance business model, that is not always apparent to people,” Meredith Whittaker, president of the Signal Foundation, tells WIRED.

Speaking of surveillance business models, Meta has updated the way two-factor authentication works on Facebook. We’ve got a rundown on what you need to know. Speaking of multifactor authentication, Google has a new Titan Security Key that supports passkeys, pushing the long-used (and misused) password closer to its ultimate demise.

If you’re looking for a long read to while away your weekend, we’ve got you covered. First up, WIRED senior reporter Andy Greenberg reveals the wild story behind the three teenage hackers who created the Mirai botnet code that ultimately took down a huge swath of the internet in 2016. WIRED contributor Garrett Graff pulls from his new book on UFOs to lay out the proof that the 1947 “discovery” of aliens in Roswell, New Mexico, never really happened. And finally, we take a deep dive into the communities that are solving cold cases using face recognition and other AI.

That’s not all. Each week, we round up the security and privacy stories we didn’t report in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

For years, mercenary hacker companies like NSO Group and Hacking Team have repeatedly been the subject of scandal for selling their digital intrusion and cyberespionage services to clients worldwide. Far less well-known is an Indian startup called Appin that, from its offices in New Delhi, enabled customers worldwide to hack whistleblowers, activists, corporate competitors, lawyers, and celebrities on a giant scale.

In a sprawling investigation, Reuters reporters spoke to dozens of former Appin staff and hundreds of its hacking victims. It also obtained thousands of its internal documents—including 17 pitch documents advertising its “cyber spying” and “cyber warfare” offerings—as well as case files from law enforcement investigations into Appin launched from the US to Switzerland. The resulting story reveals in new depth how a small Indian company “hacked the world,” as Reuters writes, brazenly selling its hacking abilities to the highest bidder through an online portal called My Commando. Its victims, as well as those of copycat hacking companies founded by its alumni, have included Russian oligarch Boris Berezovsky, Malaysian politician Mohamed Azmin Ali, targets of a Dominican digital tabloid, and a member of a Native American tribe who tried to claim profits from a Long Island, New York, casino development on his reservation.

The ransomware group known as Scattered Spider has distinguished itself this year as one of the most ruthless in the digital extortion industry, most recently inflicting roughly $100 million in damage to MGM Casinos. A damning new Reuters report—their cyber team has had a busy week— suggests that at least some members of that cybercriminal group are based in the West, within reach of US law enforcement. Yet they haven't been arrested. Executives of cybersecurity companies who have tracked Scattered Spider say the FBI, where many cybersecurity-focused agents have been poached by the private sector, may lack the personnel needed to investigate. They also point to a reluctance on the part of victims to immediately cooperate in investigations, sometimes depriving law enforcement of valuable evidence.

Denmark's critical infrastructure Computer Emergency Response Team, known as SektorCERT, warned in a report on Sunday that hackers had breached the networks of 22 Danish power utilities by exploiting a bug in their firewall appliances. The report, first revealed by Danish journalist Henrik Moltke, described the campaign as the biggest of its kind to ever target the Danish power grid. Some clues in the hackers' infrastructure suggest that the group behind the intrusions was the notorious Sandworm, aka Unit 74455 of Russia's GRU military intelligence agency, which has been responsible for the only three confirmed blackouts triggered by hackers in history, all in Ukraine. But in this case, the hackers were discovered and evicted from the target networks before they could cause any disruption to the utilities' customers.

Last month, WIRED covered the efforts of a whitehat hacker startup called Unciphered to unlock valuable cryptocurrency wallets whose owners have forgotten their passwords—including one stash of $250 million in bitcoin stuck on an encrypted USB drive. Now, the same company has revealed that it found a flaw in a random number generator widely used in cryptocurrency wallets created prior to 2016 that leaves many of those wallets prone to theft, potentially adding up to $1 billion in vulnerable money. Unciphered found the flaw while attempting to unlock $600,000 worth of crypto locked in a client's wallet. They failed to crack it but in the process discovered a flaw in a piece of open-source code called BitcoinJS that left a wide swath of other wallets potentially open to be hacked. The coder who built that flaw into BitcoinJS? None other than Stefan Thomas, the owner of that same $250 million in bitcoin locked on a thumb drive.