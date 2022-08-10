

Welcome to The Cybersecurity 202! Please enjoy this navel-gazing edition. Below: A jury convicts an ex-Twitter employee for spying, and prosecutors got Facebook messages to prosecute someone who got an illegal abortion.

Ransomware gangs view journalists as another tool for advancing their goals

In June, security journalists found themselves in a difficult position. A ransomware gang, LockBit, claimed it hacked one of the biggest cyber companies, Mandiant, and threatened to release stolen data. Mandiant answered that it saw no evidence of a breach.

Later that day, when the hacking group’s “countdown clock” expired, LockBit revealed its ruse: Instead of posting stolen files, the hackers slammed Mandiant for research it had published about the gang’s origins.

The position security journalists found themselves in with LockBit wasn’t an uncommon one. Ransomware gangs frequently seek to use journalists — and to some extent, security researchers — to advance their aims.

“A problem that a lot of reporters have privately wrestled with is, how do you report this which is important, without acting as a PR person for the ransomware groups?” Allan Liska, director of threat intelligence at cybersecurity firm Recorded Future, told me.

And separating truth from fiction when examining the boasts of ransomware gangs is no easy task, as they’re prone to bravado, even as they have rung up high-profile victims and raked in billions.

Some other notable ways ransomware gangs have seemingly sought to manipulate journalists:

What hackers want

Last week, dark-web intelligence firm Digital Shadows published a report on ransomware gangs’ shoddy relationship with the truth. While such gangs might sometimes use journalists to their own ends, it doesn’t mean they value them, Chris Morgan, senior cyberthreat intelligence analyst for the company, told me.

“There is a general disdain for security researchers and journalists on cybercriminal forums, with a common sentiment being that media mentions and interviews often result in additional law enforcement scrutiny,” he said via email.

And they’ve shown signs of growing more formidable in their use of those journalists, said Vlad Cuiujuclu, team lead for global intelligence at Flashpoint. “One of the takeaways for us from the whole Groove story is that the ransomware operators know how to work the media better and better,” he told me.

Ransomware gangs have trolled journalists with hoaxes, used publicity to push a narrative and exploited news stories to pressure victims into paying.

Media manipulation can help with recruitment under the “ransomware-as-a-service” business model, where ransomware developers share their malware in exchange for a share of the profits.

“Ransomware-as-a-service is a lot like multilevel marketing,” Liska said. “The most successful model multilevel marketing campaigns show the leaders out there on their yachts, having fancy parties and having nice cars.”

What to do about it

The decision of when to publish a ransomware group’s claims mirrors other dilemmas journalists have faced where they might inadvertently play into the hands of villains, from what to do with hacked emails in the 2016 campaign to whether to repeat disinformation while debunking it.

Liska’s own company has endured industry criticism for publishing interviews with ransomware hackers touting their achievements. Liska defended the practice, saying no one would come away from the interviews thinking anything other than “they're still awful people doing awful things.” The interviews can’t feature “hard questions” or the hackers wouldn’t likely participate, and they can reveal much about gangs’ thinking that could help victims deal with them better.

“For me, that’s always the calculus,” he said. “If I share information, am I going to help people protect themselves, or am I just puffing up the ransomware actors?”

Susan McGregor, a Columbia University scholar focused on the intersection of security and journalism, cautioned against “celebritizing” hackers. She advised journalists to consider the news value of reporting on an individual ransomware attack. The Colonial Pipeline hack was worth reporting as “millions and millions” of people depended on that system, but a ransomware attack on a site where people post personal fetishes probably wouldn’t warrant a story, according to McGregor.

McGregor, Liska and Cuiujuclu all advised that journalists contact the alleged victims of hacks, even as they acknowledged victims have a motive to lie about being attacked, too. That’s why journalists should also branch out to other potential sources to discuss a ransomware incident.

The last thing a journalist should do, though, is aid ransomware gangs, said U.K.-based author and investigative journalist Geoff White.

“If you’re a journalist, and you’re being cynically used by ransomware operators to put pressure on the victim, that’s different to just receiving the results of a data leak,” said White, who spoke on the ethics of covering hackers at the Black Hat Europe 2019 conference. “As a journalist, you’re almost a part of the system at that point.”

The keys

Jury convicts former Twitter employee of spying for Saudi Arabia

Ahmad Abouammo could face between 10 and 20 years in prison after a jury found him guilty of charges including being a Saudi agent, money laundering, conspiring to commit wire fraud and falsifying documents, Bloomberg News’s Joel Rosenblatt and Robert Burnson report. Abouammo worked as a media partnership manager at Twitter in 2015, but prosecutors said he received expensive gifts from an aide to Saudi Crown Prince Mohammed bin Salman in exchange for information about Saudi critics’ Twitter accounts.

U.S. intelligence agencies have concluded that the crown prince, who is Saudi Arabia’s de facto ruler, approved the operation that killed Washington Post contributing columnist Jamal Khashoggi.

Prosecutors weren’t allowed to tell the jury about the crown prince’s involvement in cracking down on critics, but some witnesses hinted at the moves, Bloomberg News reports.

“Angela Chuang, a federal public defender representing Abouammo, told jurors the case was a product of a botched investigation, and Twitter’s careless handling of its users’ data,” Rosenblatt and Burnson report. “The U.S. allowed the real target of its investigation, Abouammo’s alleged co-conspirator, Ali Alzabarah, who worked at Twitter as an engineer, to flee to Saudi Arabia despite being under surveillance, Chuang said.” Abouammo and his legal team declined to comment to Bloomberg News on the verdict.

Russia finds holes in social media sites’ rules around propaganda

Russian propaganda and anti-Ukrainian posts continue to spread on social media platforms almost six months into the war, despite the platforms taking measures to limit it, Will Oremus and Cat Zakrzewski report.

Accounts belonging to Russian Embassies have racked up more engagement on Facebook and Twitter since the war began than before Russia invaded Ukraine, according to research by Advance Democracy, Inc., a nonpartisan research group. Those accounts have also exploited loopholes in social media platforms’ rules to spread pro-Russian propaganda.

“Russia already very well knows the vulnerability of the rules of some media platforms,” said Ukraine Deputy Minister of Digital Transformation George Dubinskiy. “We have a media war right now.”

Prosecutors got Facebook messages in Nebraska abortion case

The prosecutors’ case against Jessica Burgess and daughter Celeste Burgess, 17, relies on the data from Facebook, Motherboard’s Jason Koebler and Anna Merlan report. They’re accused of using abortion medication too late in Celeste Burgess’s pregnancy. She subsequently gave birth to a stillborn fetus that they disposed of, prosecutors say.

Local news outlets including the Norfolk Daily News previously reported on the case. Jessica and Celeste Burgess have pleaded not guilty, the outlet reports.

“While the court documents, obtained by Motherboard, allege that the abortion took place before the Supreme Court overturned Roe v. Wade in June, they show in shocking detail how abortion could and will be prosecuted in the United States, and how tech companies will be enlisted by law enforcement to help prosecute their cases,” Koebler and Merlan write.

But in a thread on Twitter, Facebook spokesman Andy Stone said the criminal investigation was focused on a stillborn baby who was burned and buried, and not on the use of medication abortion.

A statement from Meta on this case.



“Nothing in the valid warrants we received from local law enforcement in early June, prior to the Supreme Court decision, mentioned abortion. https://t.co/GNzdMP692H — Andy Stone (@andymstone) August 10, 2022

Both of these warrants were originally accompanied by non-disclosure orders, which prevented us from sharing any information about them. The orders have now been lifted.” — Andy Stone (@andymstone) August 10, 2022

Global cyberspace

Government scan

Daybook

Former Cybersecurity and Infrastructure Security Agency director Chris Krebs speaks at the Black Hat hacker conference today.

National Cyber Director Chris Inglis and CISA Director Jen Easterly speak at the annual DEF CON hacking conference Friday.

Secure log off

Burt Macklin raids Mar-a-Lago pic.twitter.com/DIuqPkiR6X — Washington Post TikTok Guy 👴🏼 (@davejorgenson) August 9, 2022

Thanks for reading. See you tomorrow.