The Department of Justice announced Monday that it had recovered a majority of the ransom paid by Colonial Pipeline to hackers who shut down its operations last month and caused massive fuel shortages and price hikes.
The DOJ said that it had recovered $2.3 million worth of bitcoin out of the $4.4 million ransom that Colonial had paid to Darkside, the group behind the hack.
How did the government pull it off?
The FBI had what was effectively the password to a bitcoin wallet that Darkside had sent the ransom money to, allowing the FBI to simply seize the funds, according to the DOJ.
‘Following the money’
Despite cybercriminals’ increasingly sophisticated use of technology to commit crimes, the DOJ said it used a time-tested approach to recover Colonial’s ransom payment.
“Following the money remains one of the most basic, yet powerful tools we have,” Deputy Attorney General Lisa Monaco said in the DOJ’s press release.
Colonial told the FBI that Darkside had instructed it to send 75 bitcoin, worth about $4.3 million at the time, according to an affidavit from an FBI special agent involved in the investigation.
The FBI agent then used a blockchain explorer – software that lets users search a blockchain, like bitcoin, to determine the amount and destination of transactions – to figure out that Darkside had tried to launder the money through various bitcoin addresses (similar to bank accounts), according to the affidavit.
Eventually, through the blockchain explorer, the FBI agent was able to track 63.7 bitcoin to a single address that had received an influx of payments on May 27.
Fortunately for the FBI, according to the agent’s affidavit, the agency had the private key (effectively the password) for that very address.
Bitcoin addresses rely on a two-key encryption system to keep transactions secure: one public and one private. The public key is shared openly so anybody can send money to that address. But once the sender has encrypted their payment with the recipient’s public key, only the recipient’s private key can decrypt and gain access to that money.
That’s why private keys are meant to be closely held secrets, stored in a secure place. As of January, $140 billion in bitcoin – around 20% of existing bitcoin – were held in wallets where people had forgotten or lost their private keys.
In Darkside’s case, the FBI managed to gain access to its private key, and after getting a seizure warrant from a federal court, the agency used the key to access Darkside’s address and swipe 63.7 bitcoin, or around $2.3 million.
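The tracing step described in the affidavit, following coins forward from the ransom address through intermediate hops until they pile up at one consolidation address, can be illustrated with a small script. This is an added example, not the FBI's tooling or anything from the affidavit; the transaction list is constructed for the example and the taint rule is the simplest one possible (every output of a transaction that spends a tainted input is treated as tainted), which real investigators refine with heuristics this example does not attempt.

```python
from collections import defaultdict

# Constructed sample transactions for this example (not real chain data).
# Each transaction spends coins from its input addresses and pays them to
# (address, amount) outputs, in bitcoin.
SAMPLE_TXS = [
    {"txid": "t1", "date": "2021-05-08", "inputs": ["victim_wallet"],
     "outputs": [("ransom_addr", 75.0)]},
    {"txid": "t2", "date": "2021-05-09", "inputs": ["ransom_addr"],
     "outputs": [("hop_a", 50.0), ("hop_b", 25.0)]},
    {"txid": "t3", "date": "2021-05-15", "inputs": ["hop_a"],
     "outputs": [("hop_c", 40.0), ("affiliate_cut", 10.0)]},
    {"txid": "t4", "date": "2021-05-27", "inputs": ["hop_c", "hop_b"],
     "outputs": [("consolidation_addr", 63.7), ("change_addr", 1.3)]},
    # Unrelated deposit to the same address: must not be counted as ransom money.
    {"txid": "t5", "date": "2021-05-28", "inputs": ["unrelated_wallet"],
     "outputs": [("consolidation_addr", 5.0)]},
]


def trace_forward(txs, start_addr):
    """Follow coins forward from start_addr with a naive 'poison' taint rule.

    Returns (received, paths): received maps each tainted address to the
    tainted amount it received; paths maps it to the txids that carried
    the money there, so the hop chain can be shown in a report.
    """
    tainted = {start_addr}
    received = defaultdict(float)
    paths = defaultdict(list)
    # Process in chronological order so a hop is known before it is spent.
    for tx in sorted(txs, key=lambda t: t["date"]):
        if not any(addr in tainted for addr in tx["inputs"]):
            continue  # this transaction does not spend any traced coins
        for addr, amount in tx["outputs"]:
            tainted.add(addr)
            received[addr] += amount
            paths[addr].append(tx["txid"])
    return dict(received), dict(paths)


def largest_consolidation(received, exclude=()):
    """Pick the address where the most traced coins ended up."""
    candidates = {a: v for a, v in received.items() if a not in exclude}
    addr = max(candidates, key=candidates.get)
    return addr, round(candidates[addr], 8)


def deposits_on(txs, addr, date):
    """Amount an address received on one day, for the 'influx on May 27' check."""
    return round(sum(amt for tx in txs if tx["date"] == date
                     for a, amt in tx["outputs"] if a == addr), 8)


if __name__ == "__main__":
    received, paths = trace_forward(SAMPLE_TXS, "ransom_addr")
    addr, amount = largest_consolidation(received)
    print(f"traced {amount} BTC to {addr} via {' -> '.join(paths[addr])}")
    print("deposited there on 2021-05-27:", deposits_on(SAMPLE_TXS, addr, "2021-05-27"))
```

The unrelated 5 BTC deposit in `t5` is deliberately left out of the traced total: an explorer shows it in the address's balance, but it never passed through a tainted input, which is exactly the distinction an investigator has to make before a seizure warrant is written for a specific amount.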
The FBI didn’t say how it had managed to obtain the key, but said it sent a warning to other potential ransomware hackers.
“Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises,” Monaco said in the release.
This story is from today’s edition of Morning Brew, a daily email publication.
Over the weekend, hackers hit the only piece of American infrastructure more critical than the Colonial Pipeline: the burger supply.
JBS, the world’s largest meat processor, had to shut down North American and Australian operations Monday following a coordinated ransomware attack. The company told the White House that it believes a criminal organization based in Russia is behind the hack.
In the US, which accounts for half of JBS revenues, nearly 20% of beef production was impacted by temporary plant shutdowns.
It does appear to be temporary, though. JBS said that the “vast majority” of its facilities would be operational today due to progress it made in resolving the attack.
If operations had remained paused for days or weeks, the hiccup could’ve turned into a real headache for JBS customers like supermarkets and fast-food chains that require a continuous supply of meat.
Extra bad timing
While wholesale meat prices remained mostly stable yesterday, extended disruption from the cyberattack threatened to send meat prices, already on the rise, soaring even higher.
Compared to 2020, April’s pork and beef prices were up 4.8% and 3.3%, respectively, due to labor shortages, restaurant reopenings, rising grain and transportation costs, and high demand for meat exports. And Memorial Day weekend just kicked off the summer grilling season, which means even more demand for meat in the US.
Zoom out: As a greater proportion of corporate operations are tied to IT systems, hackers are presented with more opportunities to prey on links in critical supply chains. The JBS incident comes just weeks after hackers forced the shutdown of the Colonial Pipeline and disrupted gas supplies up the East Coast.
iPhone hacks aren’t incredibly common, but they can still occur if you aren’t careful.
From malware and trickster apps downloaded from the App Store to targeted attacks on a specific device, your information can be stolen in myriad ways.
Here we’ll break down the common types of hacks, how to tell if you’ve been hacked, and what to do about it.
How an iPhone can be hacked
Hacking occurs when someone else gains access to private information on your device or controls it without your consent. It’s a broad term, and lies on a gradient of bad to very serious. Some hackers want to make a quick buck selling advertising. Others want to hurt you.
Experts said there are a few main types of iPhone hacks:
Suspicious websites or links
Just like on your computer, your iPhone can be hacked by clicking on a suspicious website or link. If a website looks or feels “off” check the logos, the spelling, or the URL.
Try to avoid connecting to a password-free public Wi-Fi network, which opens the possibility of a hacker accessing unencrypted traffic on your device or redirecting you to a fraudulent site to access login credentials.
Messages from numbers you don’t recognize are also suspect.
Fortunately, modern smartphones are good at resisting malware and ransomware.
Suspicious apps on the App Store
Apple devices exist in a much more closed and monitored digital ecosystem when compared to Android devices.
The company has a vetting process for apps on its store, but it’s not bulletproof.
Ning Zhang, who leads the Computer Security and Privacy Laboratory at Washington University in Saint Louis, said to watch out for apps that ask for more information than they’ll need to function.
For example, if you’ve downloaded a wallpaper or flashlight app and it’s asking for your location or contact list, camera, or microphone, that’s a red flag. Likely, the developers are tricking you into giving out this information so it can be sold.
“I’d be a little bit skeptical about it and consider if I really want that wallpaper app,” he said. “Being vigilant, even with official apps, is helpful. If we are able to do that, I think for the average person, you should be fairly safe.”
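The red flag Zhang describes, an app requesting permissions its stated purpose cannot justify, can be turned into a simple audit rule. The following is an added example, not code from the article or from Apple; the mapping of app categories to the permissions they plausibly need is an assumption made for the example, and the app list is constructed.

```python
# Permissions that could expose personal data if granted needlessly.
SENSITIVE = {"location", "contacts", "camera", "microphone", "photos", "calendar"}

# Assumed mapping of app category -> permissions a typical app of that kind
# needs to function. This is an assumption for the example, not an Apple
# policy; a real audit would tune it per organisation.
EXPECTED = {
    "wallpaper": {"photos"},          # may save images to the photo library
    "flashlight": set(),              # needs nothing sensitive at all
    "maps": {"location"},
    "messaging": {"contacts", "camera", "microphone", "photos"},
}

# Constructed sample of installed apps with their declared category and
# the permissions each one has requested.
INSTALLED_APPS = [
    {"name": "Cool Wallpapers", "category": "wallpaper",
     "requested": {"photos", "location", "contacts"}},
    {"name": "Torch", "category": "flashlight",
     "requested": {"location", "microphone"}},
    {"name": "ChatNow", "category": "messaging",
     "requested": {"contacts", "camera"}},
    {"name": "Mystery Utility", "category": "unknown",
     "requested": {"calendar"}},
]


def audit_app(category, requested):
    """Return the sensitive permissions an app asks for beyond what its
    category plausibly needs. An unknown category gets no allowance, so every
    sensitive permission it requests is flagged for manual review."""
    allowed = EXPECTED.get(category, set())
    return (set(requested) & SENSITIVE) - allowed


def audit_apps(apps):
    """Audit a list of apps; returns [(name, flagged_permissions)] for apps
    with at least one unexplained sensitive permission, worst first."""
    findings = []
    for app in apps:
        flagged = audit_app(app["category"], app["requested"])
        if flagged:
            findings.append((app["name"], flagged))
    findings.sort(key=lambda f: (-len(f[1]), f[0]))
    return findings


if __name__ == "__main__":
    for name, flagged in audit_apps(INSTALLED_APPS):
        print(f"{name}: requests {sorted(flagged)} with no obvious need")
```

The same rule applies in reverse when reviewing an app you already trust: a request that suddenly appears after an update, for a permission the app never needed before, deserves the same skepticism as a brand-new flashlight app asking for your contacts.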
Intimate partner hacks
Abusive partners can grab your phone and download spyware (or stalkerware) when you’re not looking. This malicious software can be used to track your location, or make private information like texts, your call history, and emails accessible to them.
All they need is your password and physical access to your phone. Experts we spoke to said that this is unfortunately common. This abuse can be psychologically traumatizing and devastating to someone’s personal and public life. If you notice apps that you don’t remember downloading, this could be a sign – although many times the spyware app is invisible on the home screen.
Sadly, this problem isn’t easy to fix. Victims can risk their safety by deleting the apps or checking for malware if and when abusers notice these actions.
The average person probably won’t be singled out and remotely targeted by hackers because it’s expensive, sometimes costing millions for hacks of newer phones, said Matthew Green, an associate professor at the Johns Hopkins Internet Security Institute.
Journalists and activists are most at risk for this kind of hack.
One form of a targeted hack works like this: Hackers exploit unknown flaws in the iOS programming that even its developers don’t yet know about. With this knowledge, hackers can install malware to get data from targeted sources.
“This is a very sophisticated set of hacks and oftentimes you won’t even know this happened to you,” Green said. “If it’s someone who is really sophisticated, they’ll send you an invisible text message and then your phone is going to be compromised for awhile.”
The bugs are known as “zero-day” exploits, corresponding with the fact that Apple will find out about a possible security issue in their software on the same day it’ll work to patch it. The minute the world knows, it’s only a matter of time before the hack is obsolete. That’s why these pricey hacks are often kept under wraps by the people, or governments, who purchase them, Green said.
Ways to protect yourself from an iPhone hack
iPhones can absolutely be hacked, but they’re safer than most Android phones.
Some budget Android smartphones may never receive an update, whereas Apple supports older iPhone models with software updates for years, maintaining their security. That’s why it’s important to update your iPhone.
Apps on the App Store are also vetted for malware (though there are questionable apps that go unnoticed).
However, if you’re considering “jailbreaking” your iPhone – removing the software restrictions imposed on iOS – you’re opening yourself up to potential vulnerabilities in the software because you’ve eliminated some of Apple’s existing security measures. It is possible to download incompatible spyware or malware apps on a jailbroken phone, and this is also how remote takeovers can occur with iPhones. A jailbroken phone should be avoided as it can dangerously allow malicious apps to go undetected.
If you backup your phone in iCloud, make sure to have a strong password. If someone gets ahold of your password, they don’t even need to hack your phone because they can download a backup from the cloud.
Vyas Sekar, a professor of electrical and computer engineering at Carnegie Mellon University, said staying safe is all about “good digital hygiene.”
“Install apps from trustworthy sources and unless you know what you’re doing, you probably don’t want to jailbreak your phone,” Sekar said. “Be careful. Don’t click on attachments you don’t want to open and keep your phone up to date.”
How to tell if your iPhone has been hacked
You can’t always tell if your iPhone has been hacked, Sekar said. But you may notice a few things.
Your phone is unusually hot, or frequently dying.
Your phone is sluggish when trying to load websites.
The battery is draining even when you’re not touching your phone.
These symptoms indicate the phone is running all the time, even when you’re not using it. Sometimes, the best indicators come from the outside, such as when friends say they’re getting odd messages from you. However, the most sophisticated hacks can be somewhat invisible.
There’s no definite way to check for every type of hack. Experts told us that one reliable way to investigate is to download a mobile security app called iVerify, which scans your phone’s operating system for suspicious behavior and can also detect if your phone has been jailbroken.
What to do when your iPhone has been hacked
If you know your phone has been hacked, you have a few options depending on what happened.
For minor problems, like an app stealing your information, delete the app and update your software.
Finding an expert for inspection may be the best solution. Green from Johns Hopkins said your phone can’t always be cured.
“I hate to say this, but if you really, really need to be safe, get a new phone,” Green said. “If somebody actually gets on your phone, and it’s a really high barrier for iPhones, they can install stuff like keyloggers, which means every key press, every letter you type in is being sent to somebody. Until you’re sure that’s gone, you can’t be sure you have any privacy.”
If you can’t get a new phone right away, a hacked iPhone is likely not safe to use, so you’re best to leave it turned off.
Hackers may have obtained sensitive tax information on employees at Atlantic Media, the company said Wednesday.
Saying it became aware of a breach last month, the publisher – whose affiliated companies include The Atlantic and National Journal – announced an internal investigation had found “no evidence that any subscribers’, customers’, or clients’ financial or sensitive information was involved.”
Current and former employees were not so lucky. They were informed this week that “unauthorized actors” had gained access to a server with their tax forms, “which contain names and Social Security numbers.”
There is no evidence that the information has been exploited or publicly disclosed, the company said.
The statement did not identify any suspects. A company spokesperson, Anna Bross, told Insider that the statement reflects the “most complete information that we are making available.”
Small business-owner Andi Rosenberg lost tens of thousands of dollars last year when her Shopify account was hacked.
Starting on November 23, 2020, payments from her Shopify sales began being deposited in an unknown bank account without Rosenberg’s knowledge. On her Shopify account, Rosenberg could see the daily sales being paid out. But, her bank account, which she only checks once a month, wasn’t getting any of the payouts.
On December 29, a Shopify support specialist emailed her about “detected suspicious login activity,” and she needed to confirm her bank account and identity. That’s when Rosenberg checked her own bank account and saw she was missing thousands of dollars from her Shopify sales.
She was sick to her stomach, and has been since.
She confirmed her identity and her bank account with Shopify over the course of several days via emails, which were viewed by Insider. The company eventually gave her the payouts from December 30 to January 14, which had been frozen by Shopify until she could confirm her identity and account. The payouts added up to $22,816, based on payment confirmations provided to Insider.
But she was still missing $55,656 in payouts made to the hacker’s bank account for the pay period from November 23 to December 29. She said when the Shopify account was apparently first hacked in November, she never received a notification that her bank information was changed.
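The failure mode in Rosenberg's case, a payout bank account silently changed after a suspicious login and then weeks of payouts going to the new account, is the kind of pattern a merchant-protection rule set is meant to catch early. The script below is an added example and is not Shopify's code or a description of its actual controls; the event log is constructed for the example, and the rule thresholds (a new-device login within one hour of a bank change, a hold on payouts until the merchant confirms) are assumptions.

```python
from datetime import datetime, timedelta

# Constructed merchant event log for this example (not platform data).
EVENTS = [
    {"ts": "2020-11-22T09:00:00", "type": "login", "ip": "203.0.113.5", "known_device": True},
    {"ts": "2020-11-23T02:10:00", "type": "login", "ip": "198.51.100.77", "known_device": False},
    {"ts": "2020-11-23T02:14:00", "type": "payout_account_changed",
     "old": "acct_merchant", "new": "acct_unknown"},
    {"ts": "2020-11-23T18:00:00", "type": "payout", "account": "acct_unknown", "amount": 1200.00},
    {"ts": "2020-11-24T18:00:00", "type": "payout", "account": "acct_unknown", "amount": 980.50},
    {"ts": "2020-11-25T18:00:00", "type": "payout", "account": "acct_unknown", "amount": 1500.00},
]
VERIFIED_ACCOUNT = "acct_merchant"   # the account the merchant confirmed out of band
CHANGE_WINDOW = timedelta(hours=1)   # assumed: bank change this soon after a new-device login is suspicious


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_payout_diversion(events, verified_account):
    """Run two rules over a merchant's events.

    Rule 1: a payout bank account change shortly after a login from an
            unrecognised device is a high-severity alert by itself.
    Rule 2: any payout sent to an account the merchant has not confirmed
            (no 'change_confirmed' event for it) is counted as diverted and
            should have been held instead of paid.
    Returns a report with the alerts, the diverted total and a hold decision.
    """
    events = sorted(events, key=_ts)
    confirmed = {verified_account}
    alerts, diverted_total = [], 0.0
    last_new_device_login = None

    for ev in events:
        if ev["type"] == "login" and not ev["known_device"]:
            last_new_device_login = ev
        elif ev["type"] == "change_confirmed":
            confirmed.add(ev["account"])
        elif ev["type"] == "payout_account_changed":
            if last_new_device_login and _ts(ev) - _ts(last_new_device_login) <= CHANGE_WINDOW:
                alerts.append({"kind": "account_change_after_new_device_login",
                               "severity": "high", "ts": ev["ts"],
                               "ip": last_new_device_login["ip"], "new_account": ev["new"]})
        elif ev["type"] == "payout" and ev["account"] not in confirmed:
            diverted_total += ev["amount"]
            alerts.append({"kind": "payout_to_unconfirmed_account", "severity": "high",
                           "ts": ev["ts"], "account": ev["account"], "amount": ev["amount"]})

    return {
        "alerts": alerts,
        "diverted_total": round(diverted_total, 2),
        # Mitigation: freeze further payouts until the merchant re-verifies.
        "hold_payouts": diverted_total > 0 or any(
            a["kind"] == "account_change_after_new_device_login" for a in alerts),
    }


if __name__ == "__main__":
    report = detect_payout_diversion(EVENTS, VERIFIED_ACCOUNT)
    for alert in report["alerts"]:
        print(alert)
    print("diverted:", report["diverted_total"], "hold payouts:", report["hold_payouts"])
```

Rule 1 fires before a single payout leaves, which is the point: a notification to the merchant's verified contact at the moment of the bank change, plus a hold until it is confirmed, limits the loss to zero instead of several weeks of sales.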
“I’m a small business; you could put me out of business,” she said she told customer service on the phone. “It’s just sickening.”
Rosenberg, owner of clothing and jewelry line Hipchik, has sold her products through department stores for years. In 2018, she opened a Shopify account and loved it.
As store sales dwindled, Shopify helped her get through the pandemic, and she had her best year yet online, selling nearly $1 million of merchandise.
Since the missing payments, she says she’s spoken to Shopify’s customer service and the legal team and even reached out to company executives on LinkedIn. In an email seen by Insider, a customer service representative said the legal team could not give Rosenberg advice. The representative added that, “At this point I recommend that you proceed with private legal counsel in order to work towards recovering missing funds, and moving in a productive direction with this investigation.”
She has been in talks with outside lawyers to see if they can help get her payments back, but she’s worried about the legal fees on top of the losses she already incurred.
Insider asked if Shopify knows how frequently sellers’ accounts are hacked, what security measures are in place, and how sellers can get their money back if it’s stolen. “At Shopify, we take the privacy and security of our merchants very seriously,” a spokesperson said. “We go to great lengths to help merchants manage their accounts more securely by providing guidelines and recommendations. We recommend that all merchants enable two-factor authentication to provide a more secure login process and to help prevent unauthorized access to a merchant’s admin.”
The company did not comment on Rosenberg’s case, or answer questions as to why it took several weeks to notice suspicious logins on her account and why the company has not reimbursed her for her lost payments.
Shopify, based in Ottawa, Canada, is an e-commerce company that’s known for helping small business owners attract customers online. Fakespot analyzed Shopify, which went public in 2015, and found that about a fifth of sellers deserved a “caution” or “warning” sign for activities like selling fraudulent products or not delivering items. Shopify told Insider that it has closed thousands of stores, and it regularly implements new measures to address fraud or other violations.
Shopify sellers have also faced fraud from buyers, who order personalized products and then ask for refunds. In 2018, Shopify rolled out a prevention system to protect sellers from these fraudulent buyers, TechCrunch reported.
If you’re a seller and believe you have lost money on Shopify because of a stolen or hacked account, reach out to the reporter of this article, Natasha Dailey.
One of America’s largest beer makers, Molson Coors, had to halt production this week, the company said.
“Molson Coors experienced a systems outage that was caused by a cybersecurity incident,” the company said in a statement. That systems outage has led to a variety of issues for the company, including “brewery operations, production, and shipments,” according to an SEC filing.
In short: Hackers forced the maker of Coors to stop making beer.
Molson Coors is America’s second-largest beer producer, behind only Budweiser maker Anheuser-Busch, according to the Brewer’s Association. The company brews its namesake brands Molson and Coors, as well as Miller, Blue Moon, Leinenkugel’s, Redd’s Hard Apple, and Topo Chico Hard Seltzer, among others.
It’s unclear how much of the company’s beer production has been halted by the breach, nor is it clear how this will impact the company’s expected production.
A Molson Coors representative did not respond to a request for comment as of publishing.
The SEC filing said Molson Coors, “is working around the clock to get its systems back up as quickly as possible.”
No timetable is given on when the company expects to return to normal production. Molson Coors has “engaged leading forensic information technology firms and legal counsel,” the filing said, and it’s investigating the breach.
Got a tip? Contact Insider senior correspondent Ben Gilbert via email or Twitter DM (@realbengilbert). We can keep sources anonymous. Use a non-work device to reach out. PR pitches by email only, please.
A hacking collective claims to have breached security company Verkada, giving them access to live and archived footage from 150,000 security cameras inside Verkada customers’ facilities as well as its own offices, Bloomberg reported Tuesday.
According to Vice News, around 24,000 unique organizations use Verkada’s software, including private residences, malls, restaurants, nonprofits, and airports, revealing the extensive use of facial recognition and surveillance software.
Hackers successfully accessed feeds from Verkada customers including Tesla, Cloudflare, Equinox, Florida hospital system Halifax Health, Wadley Regional Medical Center in Texas, Tempe St. Luke’s Hospital in Arizona, Madison County Jail in Alabama, and Sandy Hook Elementary School in Connecticut, the site of the 2021 mass shooting, according to Bloomberg.
In some cases, a built-in feature of certain cameras would have allowed the hackers to use the cameras to launch separate hacks into Verkada customers’ corporate networks, Bloomberg reported. Other cameras use facial recognition technology to identify individuals, according to Verkada’s website, potentially exposing sensitive personal information of patients, students, and employees of its customers.
“We have disabled all internal administrator accounts to prevent any unauthorized access. Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement,” a Verkada spokesperson told Insider.
A person familiar with the company’s response told Insider Verkada has enlisted an outside security company to help it investigate, and said Verkada has notified customers about the breach.
A Cloudflare spokesperson told Insider the company had been made aware Verkada cameras monitoring its facilities “may have been compromised” and that “the cameras were located in a handful of offices that have been officially closed for several months.”
“As soon as we became aware of the compromise, we disabled the cameras and disconnected them from office networks. To be clear, this incident does not impact Cloudflare products and we have no reason to believe that an incident involving office security cameras would impact customers,” they said.
The Verkada customers named above did not immediately respond to a request for comment. A spokesperson for Steward Health Care, which operates Wadley Regional Medical Center and Tempe St. Luke’s, declined to comment.
Tillie Kottmann, one of the hackers who claimed credit for the breach, told Bloomberg the group’s goal was to expose how widespread surveillance has become and how easily it can be hijacked, adding that their motives were “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism – and it’s also just too much fun not to do it.”
Hackers were able to view extremely sensitive footage, according to Bloomberg, including hospital staffers tackling a patient and police officers questioning criminal suspects, as well as detailed financial information about Verkada itself.
Verkada was previously scrutinized for security lapses in October after a report surfaced accusing male employees of using the company’s cameras to take photos of female employees and share them in a private Slack channel. After initially disputing the report, Verkada eventually fired the male employees involved, following a separate investigation by Vice News.
The Department of Justice said last month that North Korea has used cyberattacks to steal over $1 billion since 2015 to fund its nuclear weapons program.
Heavy sanctions, imposed by both the US and the UN, prevent North Korea from participating in the formal global economy. The regime often circumvents these sanctions, mostly through secretive ship-to-ship transfers of luxury goods, chemicals, and coal, which is North Korea’s primary export.
North Korea’s nuclear program is essential to the Kim regime, and it devotes all the resources it can to increasing and improving its arsenal. The rise of digital currencies has created new opportunities to acquire funds for that effort.
To understand how the regime perpetrates financial crimes online and the threat it poses, Insider spoke with Jason Bartlett of the Center for a New American Security.
Insider: Let’s start with an overview of how North Korea avoids sanctions. In my mind, there are three main ways: Through traditional over-land means, hacking, and cryptocurrency.
Jason Bartlett: Over the years we’ve seen a heavier focus on cyber-enabled financial crime that benefits North Korea’s nuclear weapons.
That includes hacking of cryptocurrencies like Bitcoin and more distribution of malware. There was the WannaCry cyber attack, there was the online bank heist in 2016 of a Bangladesh bank. South Korea experiences numerous cyber attacks against its ATMs and other financial institutions.
We’re also seeing reports coming out that North Korea may have been able to hack cryptocurrency through DeFi, decentralized finance platforms, which is a new field for them.
Insider: Has the proportion of sanctions evasions through online means, compared to overland and ship-to-ship transfers, increased recently, especially after coronavirus?
Bartlett: Time will tell. One of the issues with cybercrime is it is very high gains with low risk, because it is hard to be detected, as we see some of the most high-profile attacks. The SolarWinds attack, by allegedly Russia, we found out about that very late, so there might be other hacks that North Korea has already been doing that we’re unaware of.
I would not be surprised if we see that there has been an increase in North Korean state-sponsored cybercrime during coronavirus. One, because of the original track that North Korea was making already with increased online activity, increased cyber-enabled financial crime. Just because of the nature of the world today there’s more financial transactions, more people are shifting to conducting their business online and more financial institutions and services are adopting BitCoin and other cryptocurrencies.
But I’m sure that this shift has also been heavily contributed [to] by coronavirus in terms of people relying more on virtual transactions and digital currencies.
Insider: How does North Korea target crypto exchanges?
Bartlett: As far as we know, North Korea has several different cyber-crime forces within its intelligence bureaus. There’s the Lazarus group, and there’s sub-units within that. Some are just cyber, and some within the cyber field focus more on things like espionage, compared to petty financial crime. We don’t know exactly which groups are primarily responsible for which ones – we have ideas.
When it comes to smaller transactions, there are so many loopholes in the cryptocurrency exchanges, and in DeFi because it is not regulated. These transactions never go through human hands or human scrutiny. Everything is automated. If you’re able to break into that system, and you’re able to manipulate the currency price, which is what North Korea allegedly did recently, then you’re able to hack as many of these transactions as you like, and you can up and lower the price of the cryptocurrency that you’re using to get as much money as possible.
The thing with smaller transactions is that it typically can be easier to steal, because there might not be as many eyes on it, as opposed to some large exchange in New York, or in Bangladesh, or South Korea … if you’re targeting hundreds and hundreds or even thousands of smaller transactions that are all happening at the same time, and then you’re able to just shift the currency as you’re hacking it for money laundering, it’s a very successful way to hack a lot of money at the same time while keeping it below a notification threshold, which is what North Korea tends to be doing.
Insider: How successful is North Korea with this?
Bartlett: They’re successful usually in the hack itself. With North Korea what tends to be more impressive is its money-laundering ability. Just because they hack a certain amount of money doesn’t necessarily mean they will have access to all of that. Sometimes we’re able to freeze the assets, [and] we’re able to get the exchange back.
So if North Korea were to steal $3 million in cryptocurrency, doesn’t necessarily mean that then they’ll be able to turn that into $3 million of cash that they can use for weapons. It needs to go through money laundering, and that’s when the signals can be more detectable. North Korea has gotten significantly better. It’s also received help from abroad. We have the case of the two Chinese nationals that were offering professional money laundering services on behalf of North Korea.
North Korea has incredibly sophisticated hacking techniques, but as a country in itself, economically and technologically, it is not advanced, yet it’s able to perform all these tasks. It’s very impressive, especially when it’s targeting more technologically advanced nations such as the US, the UK, and South Korea.
Insider: In what ways do other countries support these North Korean efforts?
Bartlett: This is also a developing field, but China has had a history of hosting North Korean hackers and hacking groups. There were several hotels in China allegedly hosting North Korean hackers until recently. They were apparently closed down and the hackers were repatriated. But that’s very difficult to check. China doesn’t necessarily abide by all the UN and US resolutions, especially the ones regarding North Korean sanctions.
Russia and China also have a history of evading sanctions targeting North Korean workers abroad. North Koreans have been able to circumvent sanctions, specifically a US resolution that took effect in December 2019 that required UN member states to repatriate all North Korean workers back to their country due to findings that their earnings were going to the nuclear development program.
But recent UN panels, expert reports have shown that these IT workers are still very active in China and Russia. And in the case of the WannaCry attack, there was a North Korean hacker, Park Jin Hyok, who worked in an IT company in China while he was also conducting these cyberattacks against the UK, the US, and various other nations on behalf of North Korea.
There’s also talk of technology exchange. Prior to Covid, there was a lot of student exchange between China and Russia, which obviously doesn’t necessarily mean that there will be information-sharing, but we see [it] at very high-level science and technology universities. China and Russia have a history of providing North Korea with technological infrastructure, internet connection, so there’s both direct and indirect facilitation.
Insider: How do we go from cryptocurrency to, for example, mid-range nuclear missiles?
Bartlett: Just because they hack a very substantial amount of cryptocurrency doesn’t mean they get all the cash. Typically, they’ll turn it into Bitcoin or very commonly used, commonly transacted cryptocurrency. Then they’re able to transfer that into funds, and then they take those funds out and it’s cash.
And from that money, after they go through different money-laundering services – which is basically a way of changing the currency and changing the tracking so that it’s harder to tell where the money’s coming from, where it’s going to, what currency is being used – they’re able to go through exchanges and withdraw that money in cash. Then they’re able to purchase nuclear weapons, pay off other countries or companies that are either helping ship their coal, helping ship some technology to them, or helping ship different parts or chemicals, and pay for oversea exchange.
There are also luxury goods, we see that a lot with Kim Jong Un having these, I think they’re some form of a white stallion, Mercedes-Benz, and things like that. It’s not just unique to North Korea. There’s also countries in Latin America and across the world that hide funds from money laundering in luxury goods that they’re able to keep and then sell.
I believe sometime last year, the Treasury issued one of its first statements about a North Korean art exhibit, and how some of this money that they were receiving for this art exhibit was then being used for its nuclear weapons, or they were hiding money in very expensive art. So it’s a way of holding onto … a reserve, and you can just sell this when you need more funds.
Insider: How are nations like the US, the UK, and the Five Eyes tracking these projects and these crimes?
Bartlett: The Treasury Department – so FinCEN – as well as the Department of Justice, have been working very hard to track the efforts and, for example, to issue charges against North Korean or other nationals that are supporting North Korea’s cyber-enabled financial crime. It’s very difficult, because cyber crime is directly connected to North Korea’s intelligence bureau and its nuclear development program, to know just how sophisticated and just how successful it is.
It’s unique in that it’s one of the only cyber programs in the world whose main goal is not necessarily espionage – that’s only one of them. It’s more about funds for its nuclear program, because nuclear development is a key aspect of North Korea’s political identity.
I think there is starting to be more conversation regarding cyber within the counterproliferation field in the United States. It’s a little overdue, but it’s definitely a step in the right direction. I think, before then, it was separated, or maybe North Korea wasn’t taken as seriously because there’s cyber giants, like China and Russia, that have done successful election intervention and espionage attacks. But stealing money to build up nuclear weapons is a grave national-security concern … I think now [the] US government is beginning to get more research to focus on that field.
The private sector has continued to be very vigilant of North Korean cyber crime. They tend to also be a large target of it. Hopefully now, with this new presidency and a seemingly strong focus on cyber following the SolarWinds hack, following even the GameStop scandal, I think that’s something that the US government is going to be incredibly aware of and how important but how fragile and easy to manipulate virtual currencies can be if they don’t have the proper regulations and if there’s not proper consensus on how these transactions should be conducted.
Insider: How do we keep crypto out of the hands of malicious actors?
Bartlett: I think there needs to be a greater consensus of not just the threat but what resources we already have available to us. I’m not exactly sure how informed cryptocurrency exchanges and companies are of what resources they have available to them … The government and private sector need to come up with a stronger framework to train each other.
Training that financial institutions and banks that work with fiat currency have for anti-money laundering and hacking – I’m not exactly sure if cryptocurrency companies receive that same level of training, in terms of red-flag indicators of financial crime or suspicious activity, how to report, how to freeze, how to track. That would be the first thing, more of an assessment of what do you know, what can you do?
One of the bigger issues is compliance, having not just US companies but also foreign companies being compliant. If US companies are compliant with law, then North Korean actors and other illicit actors will just go to countries and regions that aren’t or don’t have the legal framework. …
Once we establish our own protocols and our own way of doing things, and strengthen our own collaboration with the private sector, then we can export that knowledge, not just to our common actors in the Five Eyes but also to countries predominantly in Southeast Asia where there’s a lot of North Korean hackers. I think it’ll be very difficult to persuade China and Russia to abide by UN and US sanctions, especially cyber, because you have plausible deniability.
Insider: Is there anything we’re doing in terms of retaliation?
Bartlett: A cyberattack against Russia’s online infrastructure in retaliation to SolarWinds, or in retaliation against China – and I’m not condoning this – I’m just saying that attacks like that would typically be a little bit more plausible because the countries are connected to the internet.
That’s not the case for North Korea. North Korea has an intranet; only select individuals, typically in Pyongyang, typically have access to this intranet and cell phones.
So, a direct attack on North Korea’s internet infrastructure won’t really have the same effect that it would on us. That’s not to say it wouldn’t have any effect, but it wouldn’t be as strong as it could against other countries. I think the majority of our retaliation efforts tend to be more of freezing funds and freezing assets, which then ultimately affect the economy, making it harder for North Korea to divest more resources into expanding its cyber crime.
Insider: It seems like North Korea is always working to stay a little bit ahead of sanctions, so assuming that regulations come in under this administration and security is much tighter, how are they going to get around that?
Bartlett: For the past couple years, the US has been playing catch-up with cyber crime, as opposed to “build up against,” so I’m very realistically optimistic in that now, because we have seen, over the years, that the various targets – so, not just North Korean, but Russian and Chinese actors – have on our cyberspace. It ranges from our financial institutions to the security of our citizens and our government, and this is a major threat.
And I think that COVID, because of the shift to more online transactions, more virtual interactions, more widespread adoption of virtual currencies as legitimate forms of payment, there will continue to be a large increase in North Korean cyber crime.
I’m not exactly sure how it will be possible for us to be more ahead of them, because this is a national initiative of North Korea … nuclear weapons, sanctions evasion, and cyber, because it’s high gains with very, very low risk, easy plausible deniability, and you can receive an enormous amount of funds very, very quickly, relatively easily. So I think the next step for us is to really reevaluate our cyber strategy in general, and our cybersecurity – what does cybersecurity really mean for the US …
On the DeFi platform, that is most likely going to be a new field that will have a high level of risk, because there is no human interaction, there’s no regulation, and it’s not surprising that North Korea has already started to exploit that, but it is shocking that they’re able to do so.
And it shows that North Korea’s also thinking ahead, so I wouldn’t be surprised if, in the coming months, there is at least talk of ways to introduce legislation or ways to regulate the DeFi platform, or try to have more coordination with the private sector and with the cryptocurrency companies. In terms of DeFi, in terms of SolarWinds, and as well as GameStop, I’m sure that now the US government is realizing that this is a major threat that we have to address now, because these illicit actors have already begun to exploit this.
This interview was edited and condensed for clarity.
By early 2021, it looks like Apple’s line of new computers has already been breached by a malicious set of software nicknamed “Silver Sparrow.” Just shy of 30,000 of Apple’s new computers have already been infected, according to the security firm Red Canary, primarily in the United States, United Kingdom, Canada, France, and Germany.
The infected machines range from the Mac Mini desktop to the latest version of Apple’s laptops. Both the latest MacBook Air and 13-inch MacBook Pro are powered by M1 chips.
Notably, security researchers have yet to observe the Silver Sparrow malware actually doing anything harmful.
“Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice,” Tony Lambert, an analyst at Red Canary Intelligence, wrote in a blog post.
The Internet Research Agency, a Russian troll farm, used Facebook, Instagram, Twitter, and Cameo in a coordinated effort to get the suspected spy Maxim Shugaley released from a Libyan prison.
Charlie Sheen, Dolph Lundgren, and other actors on Cameo recorded supportive messages, which were shared on the pro-Shugaley Facebook pages in Libya.
Arrested in Tripoli in May 2019, Maxim Shugaley was charged in June 2020 with “actions that harmed the State’s security,” according to a statement from the Libyan government given to the Anadolu Agency news service.
Russian advocates for Shugaley’s release created a misinformation campaign, shooting a “documentary” about him for Russia Today, then distributing it via Facebook and Instagram in Libya, according to Facebook and the Internet Observatory.
After 18 months in Libyan prisons, alleged Russian spy Maxim Shugaley this month walked free, boarded a plane, and was greeted in Moscow as a returning hero.
During his long absence, Russia Today had aired an action thriller called “Shugaley” that dramatized his arrest, complete with explosions, gunfights, and torture scenes. The film claimed he’d been falsely imprisoned. It proved so popular that they released a sequel. Even Vladimir Putin, Russia’s longtime leader, had called for Shugaley to be released.
A roster of Hollywood actors also had recorded short supportive messages for him via the Cameo app. “Wall Street” star Charlie Sheen did one, speaking to Shugaley from the sparsely decorated kitchen where he did many of his Cameo videos.
As he shakes his fist at the camera, Cyrillic subtitles translate his message into Russian. “Freedom will come. We insist that freedom is – is – is – is in your future, on your horizon,” he said.
But internet security researchers in the US had an altogether different opinion of Shugaley, according to information about Russian troll networks released this week by Facebook and the Internet Observatory, a cyber policy research group at Stanford University.
To them, Shugaley – alternatively written as “Максим Шугалей” and “Maksim Shugalei” – had been a central figure in a Russian effort to spread misinformation in Libya.
He was affiliated with one of Saint Petersburg’s most well-known troll networks, the Internet Research Agency (IRA), according to media reports and Stanford researchers. Investigator Robert Mueller, in his final report to the House Intelligence Committee, called the IRA a troll farm, saying it had worked to get President Donald Trump elected.
The Russia Today movie and Cameo spots were distributed in Libya as part of an IRA web of misinformation that included hundreds of Facebook and Instagram accounts.
“Although the people behind this activity attempted to conceal their identity and coordination, our investigation found links to individuals associated with past activity by the Russian Internet Research Agency,” Facebook’s Nathaniel Gleicher, head of security policy, and David Agranovich, global threat disruption lead, wrote in a blog post on Tuesday.
Arrested, held, and charged in Libya
Shugaley and his interpreter, Samir Seifan, were detained in May 2019 and charged as spies in June 2020. They were accused of “actions that harmed the State’s security,” according to a statement given to the Anadolu Agency news service.
Russian officials said the two were researchers with the Foundation for the Protection of National Values. But Libya said they were actually working for Wagner Group, a Russian military contractor. Libya said they’d been working with rebel groups to overthrow the government.
In public, Russian diplomats trying to free the pair were seeking talks with the head of Libya’s Presidential Council, Fayez al-Sarraj.
“We regularly and insistently raise this topic at all meetings with representatives of the Tripoli authorities, demanding an immediate and unconditional release of the Russian citizens,” said Maria Zakharova, Russian Foreign Ministry spokeswoman, in July.
In private, members of the IRA were flooding Facebook and Instagram in Libya with positive images of the prisoner. Researchers at Facebook and Stanford detailed the “coordinated network” in Libya that helped secure his release.
A few days after the release, Mike Pompeo, US secretary of state, said Russia’s misinformation network in Libya amounted to “political shenanigans.”
“The Libyan government’s release of two Wagner operatives caught undermining Libyan politics is just another example of how Russia uses mercenaries and political shenanigans rather than open democratic means to advance its interests,” he said.
He noted that Russians had also printed counterfeit Libyan money, violated UN arms embargoes in Libya, and acted in “its own interests to the detriment of the entire region.”
The Facebook network responsible for information about Shugaley was just one of three removed last week, but it was the biggest of them. The other two were focused on different regions, and one was based in France, according to Facebook.
The network supporting Shugaley had also been operating on Twitter, with about 30 accounts, according to Stanford researchers. One account had about 12,000 followers.
Twitter on Wednesday told Business Insider it was still investigating the network, but had taken action on a “small” number of accounts. “We do not have country-specific information to share at this time and our investigations are ongoing,” a Twitter spokesperson said via email.
How did the misinformation campaign work?
First, a production company run by Alexander Malkevich, head of the IRA, raised money to produce “Shugaley.” Yevgeny Prigozhin, who was mentioned in Mueller’s report on hacking in the US, was in charge of the company, Aurum LLC, that held the film’s copyright, according to last week’s report from Stanford researchers, who cited previous reporting on Shugaley and the IRA from The New York Times, Foreign Policy, Bloomberg News, and BBC Africa.
The movie aired on Russia Today’s RT Documentary Channel in May 2020. Shugaley is portrayed in a flattering light. In the film’s narrative, he was in Libya as an aid worker before being captured by terrorists, not the Libyan government. RT called it a “harrowing yet true story.”
Part of the RT summary reads: “Privy to information that could bear serious consequences for the puppet government, the researchers were subjected to torture and denied justice. The film pays tribute to these real-life heroes and raises awareness of their fate.”
The movie has a 9.72-star rating out of a possible 10.
Officially, it wasn’t a Russian government production, but the Foreign Ministry issued a press release to coincide with its launch. The ministry said in a statement at the time that diplomats “will continue using all available opportunities and channels to influence the Libyan authorities.”
Members of the IRA created fake Facebook and Instagram accounts in Libya. They pretended to be locals. They built an audience of millions, and sought to attract attention from local journalists.
In all, they created 211 Facebook accounts, and 125 pages, according to Facebook. They made 17 Instagram accounts, and 16 groups. Most criticized the Libyan government, some promoted Russian policy, and at least one Facebook page focused exclusively on Shugaley, according to a report released last week by Stanford researchers.
“The Facebook Page [about Shugaley] had 103 posts overall, and included regular updates detailing Malkievich and the Foundation’s efforts to pressure Libya into releasing Shugalei and Seifan, as well as quotes about the matter from prominent Russian figures such as Vladimir Putin and Alexander Dugin,” wrote Stanford researchers.
Facebook pages dedicated to “Shugaley” and its sequel, “Shugaley-2,” included screenshots and video links. As of this week, the trailer for “Shugalei” had about 390,000 views on YouTube. On Russian social media site vk.com, another version had 17.9 million views. The full movie, which was posted in its entirety on Russia Today’s Documentary YouTube channel, had about 750,000 views.
On Instagram, about 99,500 people followed the Russian’s accounts. The accounts asked Libyan influencers to tag themselves wearing “Shugalei” movie T-shirts.
The network also shared images of Maria Butina, a spy who’d infiltrated Washington, holding a one-woman protest outside the Libyan embassy.
Hollywood gets involved via Cameo
Sheen was just one of a few high-profile Hollywood names that sent warm wishes to Shugaley. “Snatch” actor Vinnie Jones and “Rocky IV” star Dolph Lundgren each recorded their own videos, which were later posted on vk.com. “Machete” star Danny Trejo shot one, too, as first captured on Shooting the Messenger.
“You’re a great guy,” said Lundgren. “You have our support. Never give up, and remember – freedom is the only way.”
At times, the actors appeared to stumble over Shugaley’s name in the scripts they read. It’s unclear who paid for the Cameo appearances, but the videos made their way to the network set up to distribute positive news about Shugaley in Libya, said Stanford researchers.
A Cameo spokesperson declined to comment.
About 5.7 million accounts followed at least one of the pages run by Russia in Libya, said Facebook. The page owners spent about $186,000 on ads, paying in dollars and rubles.
After eight months of Russia’s online campaign, the Libyan government agreed to release the two men.
On December 10, Shugaley and Seifan were driven to Tripoli’s airport. They were handed over to former Russian Ambassador to Libya Ivan Molotkov, according to a short statement read that day by the Foreign Ministry’s spokeswoman in Moscow.
Said Zakharova: “The Russian deputy minister expressed satisfaction with the decision of the Libyan authorities and thanked everyone who assisted the release of the Russian nationals.”
On Twitter, an official ministry account posted a photo of Shugaley stepping off a jet in Russia. It said: “Welcome Home!”
On arrival in Moscow, Shugaley and Seifan were reportedly each given 18 million rubles – about $246,420. The money came from a company owned by Prigozhin, who had been involved in the making of the “Shugaley” film and had ties to the Wagner Group, according to a report in The Moscow Times. The payment amounted to 1 million rubles for each month they’d been in prison.
Five days after they arrived, the IRA network was removed from Facebook, Instagram, and Twitter.
Reporter Kevin Shalvey worked at Facebook from 2018 to 2019.