Best Infosec-Related Long Reads for the Week of 5/4/24
A peek into the Cyber Army of Russia's motivations, Russia is exploiting the campus protests, MAGA Republicans swallow state-backed misinformation, How a college kid got rich off tracking ID scams, ByteDance execs call the shots for US TikTok employees, Is Project Texas still real?, Murdoch may have used phone hacking to boost business interests
Metacurity is pleased to offer our free and premium subscribers this weekly digest of the best long-form (and longish) infosec-related pieces we couldn’t properly fit into our daily news crush. So tell us what you think, and feel free to share your favorite long reads via email at info@metacurity.com.
A (Strange) Interview With the Russian-Military-Linked Hackers Targeting US Water Utilities
Wired’s Andy Greenberg managed to snag a Telegram interview with “Julia,” a representative of the Cyber Army of Russia, a group loosely tied to the Russian military that has launched haphazard attacks on Western critical infrastructure. The result is a somewhat confusing exchange about the group's ethos, motivations, and rationale for its months-long cyber sabotage rampage.
Whether or not it's winning hearts and minds, Cyber Army of Russia—which also at times calls itself the Cyber Army of Russia Reborn or People's Cyber Army of Russia—seems to at least be getting some of the attention it seeks. Last week, a group of government bodies including the US National Security Agency, the FBI, the Cybersecurity and Infrastructure Security Agency, the UK's National Cybersecurity Center, and several others issued a joint report warning of “Russian hacktivists” targeting so-called operational technology targets like control systems for water and wastewater utilities. The report warned that victims had “experienced minor tank overflow events” and other disruptions—although it noted the effects were temporary, and the hacktivists had historically exaggerated their hacking's impact.
Those agencies didn't name Cyber Army of Russia. But their warning followed another report from Mandiant that had highlighted the group by name, as well as its attacks on civilian critical infrastructure targets including multiple US-based water utilities and a Polish wastewater utility. In the case of the small West Texas town of Muleshoe, The Washington Post subsequently reported that the group's manipulation of control systems had gone so far as to cause a leak of tens of thousands of gallons of water. In that case and several others, Cyber Army of Russia even posted to the group's Telegram account a screen-capture video of the hacking. In their attack on the Polish wastewater facility, for instance, they set the video to a Super Mario Bros. soundtrack.
So what is the endgame of the group's trollish acts of sabotage? “Our actions on attacks and hacks of websites and computer systems for remote control of mechanisms … is a really powerful and in some cases very effective method of influencing (and not only psychological) the authorities of the countries of Europe and the USA, as well as their regional authorities,” Cyber Army of Russia's representative Julia told WIRED. “With these attacks we are trying to send the following message to the US authorities: If you continue to supply military equipment and make financial injections into the leadership of Ukraine … be prepared for the fact that in any of your settlements, in any industrial system or at a critical infrastructure facility, something may suddenly fail.”
Yet as unprecedented and disturbing as it may be for a Russian hacker group to trigger a significant water leak at a US utility, Cyber Army of Russia still seems at times to comically overestimate the clarity of its threat against Ukraine's allies. In response to a question about the Muleshoe water utility attack specifically, Julia noted that the group's operation is intended to persuade “mainly representatives of the Democratic Party [because] their support for Ukraine is the most significant"—a head-scratching statement given that Muleshoe is in a Texas congressional district that hasn't elected a Democratic representative since 1982.
A Russian Influence Campaign Is Exploiting College Campus Protests
Wired’s David Gilbert, using data from Antibot4Navalny, a collective of anonymous Russian researchers who track Russian influence operations, reveals how a disinformation campaign run by the Kremlin-aligned network Doppelganger is attempting to sow division in the US around the college campus protests.
The covert Doppelganger campaign echoed narratives pushed by overt Russian channels, including Telegram groups and state-run media, which have spent the past week highlighting the “threat of deadly police violence against demonstrators” and linking the current protests to the Kent State protests in 1970 when four students were shot and killed by the National Guard. While there have been over 2,000 arrests at campus protests in the US so far, protests have largely been peaceful, and no one has been killed.
On Facebook, Sputnik wrote: “‘Land of the Free? How US Lawmakers Restrict Students’ Right to Peaceful Protest: US lawmakers have once again demonstrated where their sympathies lie in the Israeli-Palestinian conflict by cracking down on student protests against the bloodbath in the Gaza Strip.”
The coordinated campaign has also been taking place on Telegram, where Russian influencers with hundreds of thousands of subscribers have been amplifying content related to the protests. In one channel, a military blogger with over 800,000 followers posted videos showing police on campuses across the US claiming it showed “urban warfare training.” In one comment on the video, a subscriber asked when the conflict will begin: “North against South, crips against bloods, donkeys against elephants, and everyone against everyone.” The post has been viewed over 250,000 times.
The Telegram channels appear to coordinate around a narrative that accuses the US government of hypocrisy when it comes to freedom to protest and organize, according to analysis shared with WIRED by Logically, a company using artificial intelligence to track disinformation campaigns.
“As the 2024 US election nears, this is another example of signals emerging from Russian-language channels indicating Russia is turning its access to domestic US issues after nearly two years of focusing largely on Ukraine,” Kyle Walter, global head of investigative research and innovation at Logically, tells WIRED.
Russia is not alone in this. Together with China and Iran, state media in the three countries have produced nearly 400 articles in English about the campus protests in the space of two weeks, according to NewsGuard, an organization that tracks misinformation online. These governments have also used social media platforms in an official capacity to boost their narratives. A post on X from Nasser Kanaani, a spokesman for Iran’s Ministry of Foreign Affairs, depicted a student protester with the caption “Imprisonment of #freedom in the U.S.A.”
The New Propaganda War
The Atlantic’s Anne Applebaum takes a deep dive into the massive machinery of Russian, Chinese, Iranian, and other state-backed misinformation and disinformation efforts, including Doppelganger, and how MAGA Republicans in the US and their affiliated news outlets are laundering these adversaries’ concocted news stories to spread fear and anti-democracy sentiment.
Not that everyone hearing these messages will necessarily know where they come from, because they often appear in forums that conceal their origins. Most people probably did not hear the American-biolabs conspiracy theory on a television news program, for example. Instead, they heard it thanks to organizations like Pressenza and Yala News. Pressenza, a website founded in Milan and relocated to Ecuador in 2014, publishes in eight languages, describes itself as “an international news agency dedicated to news about peace and nonviolence,” and featured an article on biolabs in Ukraine. According to the U.S. State Department, Pressenza is part of a project, run by three Russian companies, that planned to create articles in Moscow and then translate them for these “native” sites, following Chinese practice, to make them seem “local.” Pressenza denied the allegations; one of its journalists, Oleg Yasinsky, who says he is of Ukrainian origin, responded by denouncing America’s “planetary propaganda machine” and quoting Che Guevara.
Like Pressenza, Yala News also markets itself as independent. This U.K.-registered, Arabic-language news operation provides slickly produced videos, including celebrity interviews, to its 3 million followers every day. In March 2022, as the biolabs allegation was being promoted by other outlets, the site posted a video that echoed one of the most sensational versions: Ukraine was planning to use migratory birds as a delivery vehicle for bioweapons, infecting the birds and then sending them into Russia to spread disease.
Yala did not invent this ludicrous tale: Russian state media, such as the Sputnik news agency, published it in Russian first, followed by Sputnik’s Arabic website and RT Arabic. Russia’s United Nations ambassador addressed the UN Security Council about the biobird scandal, warning of the “real biological danger to the people in European countries, which can result from an uncontrolled spread of bioagents from Ukraine.” In an April 2022 interview in Kyiv, Ukrainian President Volodymyr Zelensky told The Atlantic’s editor in chief, Jeffrey Goldberg, and me that the biobirds story reminded him of a Monty Python sketch. If Yala were truly an “independent” publication, as it describes itself, it would have fact-checked this story, which, like the other biolab conspiracies, was widely debunked.
But Yala News is not a news organization at all. As the BBC has reported, it’s an information laundromat, a site that exists to spread and propagate material produced by RT and other Russian facilities. Yala News has posted claims that the Russian massacre of Ukrainian civilians at Bucha was staged, that Zelensky appeared drunk on television, and that Ukrainian soldiers were running away from the front lines. Although the company is registered to an address in London—a mail drop shared by 65,000 other companies—its “news team” is based in a suburb of Damascus. The company’s CEO is a Syrian businessman based in Dubai who, when asked by the BBC, insisted on the organization’s “impartiality.”
Another strange actor in this field is RRN—the company’s name is an acronym, originally for Reliable Russian News, later changed to Reliable Recent News. Created in the aftermath of Russia’s invasion of Ukraine, RRN, part of a bigger information-laundering operation known to investigators as Doppelganger, is primarily a “typosquatter”: a company that registers domain names that look similar to real media domain names—Reuters.cfd instead of Reuters.com, for example—as well as websites with names that sound authentic (like Notre Pays, or “Our Country”) but are created to deceive. RRN is prolific. During its short existence, it has created more than 300 sites targeting Europe, the Middle East, and Latin America. Links to these sites are then used to make Facebook, Twitter, and other social-media posts appear credible. When someone is quickly scrolling, they might not notice that a headline links to a fake Spiegel.pro website, say, rather than to the authentic German-magazine website Spiegel.de.
Doppelganger’s efforts, run by a clutch of companies in Russia, have varied widely, and seem to have included fake NATO press releases, with the same fonts and design as the genuine releases, “revealing” that NATO leaders were planning to deploy Ukrainian paramilitary troops to France to quell pension protests. In November, operatives who the French government believes are linked to Doppelganger spray-painted Stars of David around Paris and posted them on social media, hoping to amplify French divisions over the Gaza war. Russian operatives built a social-media network to spread the false stories and the photographs of anti-Semitic graffiti. The goal is to make sure that the people encountering this content have little clue as to who created it, or where or why.
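The typosquatting RRN relies on, as Applebaum describes it, works because a scrolling reader sees the brand name in the host and not the top-level domain after it. The check below is an added example of ours, not code from The Atlantic, RRN, or any investigator named in the piece: it folds a link's host labels, looks for a trusted brand name in any label other than the TLD, and flags the link when the registrable domain is not one the brand actually uses. The trusted-brand table, the digit-for-letter substitutions, and the sample links are constructed for illustration; only Reuters.cfd and Spiegel.pro come from the article.

```python
"""Lookalike-domain check of the kind the RRN / Doppelganger excerpt describes.

Added example: not code from the article or from any organisation it names.
The trusted-brand table and the sample links are constructed.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist: brand label -> registrable domains the brand really uses.
TRUSTED = {
    "reuters": {"reuters.com"},
    "spiegel": {"spiegel.de"},
    "lemonde": {"lemonde.fr"},
}

# Digit-for-letter substitutions an operator might use; folded before comparing.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def host_labels(url: str) -> List[str]:
    """Lower-cased DNS labels of the URL's host ('www.reuters.cfd' -> ['www', 'reuters', 'cfd'])."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare host as the netloc
    host = (urlsplit(url).hostname or "").rstrip(".")
    return [label for label in host.split(".") if label]


def registrable_domain(labels: List[str]) -> str:
    """Last two labels. Simplified: ignores multi-label public suffixes such as co.uk."""
    return ".".join(labels[-2:])


def classify(url: str) -> Tuple[str, Optional[str]]:
    """Return ('trusted' | 'lookalike' | 'unknown', brand).

    'lookalike' means some label other than the TLD folds to a trusted brand
    (reuters.cfd, spiegel.pro, reuters.com.evil-cdn.net, reuter5.com) while the
    registrable domain is not one that brand owns.
    """
    labels = host_labels(url)
    if len(labels) < 2:
        return "unknown", None
    dom = registrable_domain(labels)
    for brand, legit in TRUSTED.items():
        if dom in legit:
            return "trusted", brand
    for label in labels[:-1]:
        folded = label.translate(CONFUSABLES).replace("-", "")
        for brand in TRUSTED:
            if folded == brand:
                return "lookalike", brand
    return "unknown", None


def triage(links: List[str]) -> dict:
    """Group a batch of links (say, from a social-media scrape) by verdict."""
    out = {"trusted": [], "lookalike": [], "unknown": []}
    for url in links:
        verdict, brand = classify(url)
        out[verdict].append((url, brand))
    return out


if __name__ == "__main__":
    # Constructed sample of links as they might appear in posts.
    sample = [
        "https://www.reuters.com/world/europe/",
        "https://reuters.cfd/world/europe/",
        "https://www.spiegel.pro/politik/",
        "https://www.spiegel.de/politik/",
        "https://reuter5.com/breaking",
        "https://example.org/",
    ]
    for verdict, hits in triage(sample).items():
        print(verdict, hits)
```

Two caveats a practitioner would add before using this on real feeds: registrable-domain extraction here is the two-label simplification, so a public-suffix list is needed for co.uk and the like, and internationalised hosts must be converted from punycode and run through a proper confusables table, since a single digit map only catches the crudest substitutions.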
A Special Appeal
Thank you for reading Metacurity. It takes hours every day to produce each issue and we incur monthly costs to host our machine learning-based system that sifts through thousands of resources. If you value our work, please consider upgrading your subscription.
The Package King of Miami
In New York Magazine’s Intelligencer, journalist Ezra Marcus tells the tale of University of Miami student Matt Bergwall, a self-styled tech guru whose extravagant spending was allegedly fueled by a Fake Tracking ID (FTID) refunding operation. In an FTID scam, fraudsters exploit online retailers’ generous return policies by shipping empty boxes back to the retailer with slightly wrong, undeliverable addresses, so that the shipping company’s proof-of-shipment scan triggers a refund for goods that were never actually returned.
Bergwall’s alleged refunding operation was fairly sophisticated. When his indictment was unsealed on November 9, it revealed he’d allegedly facilitated nearly 10,000 fraudulent returns between December 2021 and April 2022, which “resulted in more than $3.5 million in lost product and sales revenue to victim-retailers.” (More recent court filings list the total value at $5 million.) The indictment also alleged that Bergwall got high on his own supply, so to speak: He refunded a number of products for himself, including a “$41,000 Rolex President Day-Date watch, a $600 TeamGee H20 Electric Skateboard, a $350 Samsung 43-inch Smart UHD TV, and an $80 pair of Reebok shoes.” His alleged operation, called UPSNow, was run, like most refunding operations, on Telegram, where he went by the pseudonym MXB and worked alongside a number of unindicted co-conspirators. He specialized in FTID with a powerful edge: The government claims that Bergwall hacked into five employees’ back-end accounts at “a multinational shipping, receiving, and supply chain management company” confirmed by sources to be UPS.
An archive of the UPSNow Telegram channel shows the complexity of running a business like his. “Our infrastructure is that of a legitimate company,” MXB bragged in the channel. “We have 8 full time employees and have the ability to scale.” Still, there were challenges. Primarily that his customers seemed to be young scammers themselves — and could be incredibly demanding when it came to updates on their orders. Over time, they seemed to drive MXB up a wall. “I want to apologize for snapping at you guys, but please realize what is on our plate right now. We do not have the time to be asked ‘yo ETA on scans?’ or ‘r scans online?’” MXB posted in the channel in March 2022. “So, we will be continuing to be assholes to those who deserve it. Customer service skills are out the window until our service gets resolved. Sorry. Not here to make friends.” Or: “Oops i just woke up, late night at the clubs, will be going thru dms shortly.” MXB often seemed overwhelmed — not surprising given that he was allegedly overseeing a multimillion-dollar fraud ring while juggling school, VC networking, and a highly active social life. “Y’all mfs start assuming shit’s patched sooo fast,” he wrote on March 7, 2022, when customers were complaining about delays in service. (By “patched,” he meant UPS cutting off his insider access.) “Shit ain’t patched trust me i’d tell you if it was. give me a sec to finish giving the UPS ceo a handjob so we can get it back up and running.” A few minutes later: “wishing i was the ceo of ups 😔.”
Despite international hires, TikTok is Chinese at its core
Rest of World’s Caiwei Chen and Viola Zhou interviewed more than a dozen current and former US-based TikTok employees who say that ByteDance executives, and not Singapore-based chief executive Shou Zi Chew, manage the key departments where thousands of US-based TikTok employees work.
According to a 2023 statement TikTok posted on its Australian site, the company claims that Chew oversees “all key day-to-day and strategic decision making.” In a 2022 letter to U.S. legislators, TikTok said ByteDance did play a role in hiring key personnel at TikTok, but the company was led by Chew. In reality, employees say, many key strategic and personnel decisions at TikTok come from ByteDance executives.
Internally, employees and managers call the company “ByteDance” and “TikTok” interchangeably, as most tech teams work closely with China-based Douyin staffers. A senior TikTok engineer told Rest of World he estimates that the tech teams, which include software engineers, product managers, and user experience designers, have 40% to 60% of their members based in China.
“Because Douyin is so crazily successful, there’s a knee-jerk reaction to say, hey, we need to replicate that overseas,” Chris Pereira, founder of consultancy iMpact, which advises Chinese firms on global expansion, told Rest of World.
However, TikTok teams that interact with American clients, users, and regulatory bodies, according to three current and former employees, have fewer Chinese employees. The U.S. Data Security team, set up to protect American user data and address American national security concerns, exclusively hires U.S. citizens or permanent residents. Some new teams at TikTok launched after 2022 are completely U.S.-based, three sources told Rest of World.
Senior employees say that the reliance on ByteDance executives at TikTok is tied to the company’s desire to replicate Douyin’s staggering profitability within China. Although TikTok has achieved global commercial success, Douyin dwarfs TikTok in revenue and remains the company’s biggest moneymaker. The app, which is available only in China, now offers everything from shopping to food delivery and mobile games. Executives within ByteDance often cite Douyin when setting goals and strategies for TikTok. “Management talks about TikTok as if it is the underachieving sibling. It is clear that Douyin is the parents’ favorite,” a senior software engineer said.
Has TikTok Implemented Project Texas?
In Lawfare, Matt Perault, director of the Center on Technology Policy at the University of North Carolina at Chapel Hill, recounts a briefing his team received from TikTok on the implementation of Project Texas, the plan TikTok promised to carry out to allay the US government’s concerns about data security and content manipulation. The project could figure prominently in the lawsuit TikTok has filed to block recently enacted legislation that could force TikTok’s owner, ByteDance, to divest the popular video-sharing service.
What lies ahead for Project Texas is uncertain. TikTok indicated that it is continuing to implement its plan and stated that several of the outstanding elements of Project Texas are moving toward completion. In the litigation—first in the district court and then on appeal, potentially including Supreme Court review—judges will assess the merits of Project Texas in addressing the U.S. government’s national security concerns and will examine how much it burdens speech relative to the U.S. government’s “divest or ban” legislation. As Alan Rozenshtein convincingly argued in Lawfare a few weeks ago, observers should expect judges to make determinations based on “their own open-ended balancing of the interests at stake.”
One question worth considering is whether Project Texas would survive a sale. Project Texas is expensive—in its lawsuit, TikTok maintains that it has spent more than $2 billion on Project Texas. And because of the complex and burdensome data storage design it requires, the project degrades the quality and performance of the app. In the January 2023 briefing and again in the briefing this week, TikTok conceded that Project Texas likely degrades app performance.
A potential purchaser would most likely seek to use other means—most likely, the U.S.-based location of the acquiring entity and the U.S. citizenship of the leadership of that entity—to assuage the U.S. government’s national security concerns. If it can do so, then it would almost certainly prefer to toss Project Texas to the side and instead employ a data storage and cybersecurity model more focused on reducing costs and increasing performance.
Will the United States be safer in that scenario? Depending on the outcome of the case TikTok filed this week, the answer may soon become clear.
Did the Murdoch empire hack MPs for commercial ends?
In Prospect magazine, investigative journalist Nick Davies argues that evidence has emerged that Murdoch’s News Corp used phone hacking not only to sell newspapers but also to interfere in the political process to advance Murdoch’s commercial interests. [This report is part of a collection of reports by Davies called “The Murdoch spy papers” on the UK’s phone hacking scandal published this month by Prospect.]
Now something much bigger begins to emerge—a previously hidden side of the phone-hacking saga that may yet prove to be its most important revelation. Namely, signs that the Murdoch company was using criminal means to spy on the heart of democracy, targeting politicians of every rank, right up to the level of the government’s own law officer, Dominic Grieve, in 2010; and for five years—from 2005 to 2010—Gordon Brown, when he was chancellor of the Exchequer and then prime minister.
A couple of years ago, when new information came his way, [the Liberal Democrats’ home affairs spokesman Chris Huhne] sued. Various court orders eventually allowed him to see a collection of the Murdoch company’s internal records about him—invoices for the private investigators who had targeted him, emails that referred to him and, above all, the record of calls that had been made over five years to his mobile phone from Murdoch HQ in east London. There were 222 of them—far more than he had ever received from Murdoch journalists, who would usually speak to press officers, not to him directly—and they were striking in three ways. First, 218 of them were made through “hub” numbers, which meant that there was no clue as to which individual was making the call; second, over and over again, the calls were brief—far too brief to be a journalist legitimately interviewing a politician; third, they were all coming from the Murdoch building, whereas if ever political journalists did call direct, they did so from their mobiles or from the press gallery in parliament. Huhne and his lawyers concluded that the overwhelming majority were attempts to hack into his voicemail.
In court, the Murdoch company has said that this conclusion is unreasonable, arguing that some of the calls will have been legitimate contacts by journalists, that some were brief because they were the receipt of text messages, that some had been double-counted, and that the arrests of Clive Goodman and Glenn Mulcaire—the former royal correspondent for the News of the World and a private detective, respectively—had deterred phone hacking. In December last year, they paid six-figure damages to settle Huhne’s case.
That was just the beginning. The claimants have now deployed in court a summary of more than 1,500 other calls from the Murdoch building to the mobile phones of 16 other Lib Dem politicians—many of them made after May 2010, when the party formed the coalition government with Cameron’s Conservatives. All of these politicians agree that they had received nothing remotely like this number of legitimate calls from Murdoch journalists. Similar evidence is beginning to emerge about hundreds of other suspect calls to some MPs from other parties who have opposed Murdoch interests. As with the hub calls to Huhne, the Murdoch company says it is not reasonable to infer that these were hacks.
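The inference in the Huhne passage rests on four observable features of the call records: the call came through a hub number that hides the extension, it was too brief to be an interview, it originated in the company building rather than from a reporter’s mobile or the parliamentary press gallery, and the total far exceeds the number of legitimate calls the politician recalls receiving. That reasoning can be made mechanical over a set of call detail records. Below is an added example of ours, not anything from the Prospect report, the claimants, or the court filings; the records, hub numbers, site label, and 30-second threshold are all constructed. It also applies the two reductions the company argued for in court, dropping SMS-delivery records and double-counted entries, before anything is scored.

```python
"""Scoring call records for the pattern Huhne's lawyers relied on.

Added example: not code from the Prospect piece, the claimants or the court
filings. Call records, hub numbers, site labels and thresholds are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Call:
    ts: str               # billed timestamp
    caller: str           # presented number
    callee: str           # politician's mobile
    seconds: int          # billed duration
    site: str             # where the originating line sits; "hq" = company building (constructed label)
    kind: str = "voice"   # "voice" or "sms": SMS receipts can be billed as brief calls


@dataclass
class Verdict:
    total: int      # voice calls after cleaning
    via_hub: int    # from a hub number that hides the extension
    short: int      # at or under SHORT_CALL_SECONDS
    from_hq: int    # originating in the company building
    suspect: int    # hub AND short AND from the building
    excess: int     # calls beyond what the recipient says were legitimate


# Constructed: switchboard "hub" numbers that reveal no individual caller.
HUB_NUMBERS = {"+442070000000", "+442070000001"}
SHORT_CALL_SECONDS = 30   # assumption: too brief to be an interview
HQ_SITE = "hq"


def clean(records: Iterable[Call]) -> List[Call]:
    """Drop SMS-delivery records and exact duplicates first: both were raised
    in court as reasons the raw count overstates the number of real calls."""
    seen = set()
    out: List[Call] = []
    for r in records:
        if r.kind != "voice":
            continue
        key = (r.ts, r.caller, r.callee)
        if key in seen:
            continue
        seen.add(key)
        out.append(r)
    return out


def is_suspect(c: Call) -> bool:
    """All three per-call indicators at once."""
    return (c.caller in HUB_NUMBERS
            and c.seconds <= SHORT_CALL_SECONDS
            and c.site == HQ_SITE)


def assess(records: Iterable[Call], expected_legit: Dict[str, int]) -> Dict[str, Verdict]:
    """Per callee: how many calls show the hub/short/HQ pattern, and how far the
    total exceeds the legitimate journalist calls the callee recalls receiving."""
    by_callee: Dict[str, List[Call]] = {}
    for c in clean(records):
        by_callee.setdefault(c.callee, []).append(c)
    verdicts: Dict[str, Verdict] = {}
    for callee, calls in by_callee.items():
        verdicts[callee] = Verdict(
            total=len(calls),
            via_hub=sum(c.caller in HUB_NUMBERS for c in calls),
            short=sum(c.seconds <= SHORT_CALL_SECONDS for c in calls),
            from_hq=sum(c.site == HQ_SITE for c in calls),
            suspect=sum(is_suspect(c) for c in calls),
            excess=max(0, len(calls) - expected_legit.get(callee, 0)),
        )
    return verdicts


# Constructed sample: one politician's mobile (...001) and a second (...002).
SAMPLE = [
    Call("2008-03-01T09:12:00", "+442070000000", "+447700900001", 8, "hq"),
    Call("2008-03-01T09:12:00", "+442070000000", "+447700900001", 8, "hq"),          # billing duplicate
    Call("2008-03-02T10:00:00", "+442070000001", "+447700900001", 5, "hq"),
    Call("2008-03-03T11:30:00", "+442070000000", "+447700900001", 3, "hq", "sms"),   # text receipt, not a call
    Call("2008-03-04T14:00:00", "+447700900100", "+447700900001", 420, "mobile"),   # reporter's mobile, real interview
    Call("2008-03-05T16:45:00", "+442070000001", "+447700900001", 12, "hq"),
    Call("2008-03-06T09:00:00", "+442070000000", "+447700900002", 600, "hq"),        # long hub call: not suspect
]

if __name__ == "__main__":
    for callee, v in assess(SAMPLE, {"+447700900001": 2, "+447700900002": 1}).items():
        print(callee, v)
```

The scoring ranks, it does not prove: a brief hub call can also be a misdial or a secretary confirming a diary slot, which is essentially the company's position. The excess over the recipient's own recollection is the strongest single signal in Davies's account and the one least amenable to automation, since it depends on each politician's testimony.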