Trump campaign hack-and-leak appears like a rerun of 2016. This time, media outlets are responding differently

This weekend, Politico dropped a news bombshell: A person who only goes by “Robert” had shared with the news organization documents allegedly stolen from the Donald Trump presidential campaign. 

Since then, we have learned that The New York Times and The Washington Post have also heard from the same person and received some stolen documents. The document dump has the hallmarks of a hack-and-leak operation, which typically involves malicious hackers stealing sensitive information and strategically leaking it with the goal of hurting the target of the hack. The FBI has said it is investigating the hack. Trump himself has accused the Iranian government of the breach. Longtime Trump confidant Roger Stone said his email account was compromised, which is likely where the whole operation began, according to anonymous people who spoke to The Washington Post.

If this all sounds familiar it’s because a near-identical hack-and-leak operation ahead of a U.S. election happened before and will inevitably happen again. It’s worth going back in time to a previous hack-and-leak operation to highlight what we learned then, and how those lessons apply now. 

In the summer of 2016, a hacker who identified themselves by the moniker Guccifer 2.0 and described themselves as a Romanian “hacker, manager, philosopher [and] women lover,” claimed to be behind the hack of the Democratic National Committee. This came as a surprise because cybersecurity firm CrowdStrike had accused a Russian intelligence agency of being behind the hack. In what is now an ironic twist, Roger Stone at the time publicly revealed he was in touch with Guccifer 2.0 and piggybacked on the hacker’s claims to attack the Democrats. 

But as it turned out, once I started asking Guccifer 2.0 some pointed questions back in 2016, their mask quickly started to fall off. Two years later, the FBI confirmed that Guccifer 2.0 was indeed no lone Romanian hacker, but a persona controlled by two agents working for Russia’s military intelligence unit, the Main Intelligence Directorate or GRU. While I pat myself on the back, I also want to be clear that, in a way, it was easy for me to focus on Guccifer 2.0 and their identity and motivations rather than the documents they were leaking, simply because I was (and still am) a cybersecurity reporter, not a political reporter. 

At this point and in this recent case, it’s unclear who “Robert” really is. But early signs point to a repeat of the Guccifer 2.0 situation.

Just a day before Politico’s report on the Trump hack, Microsoft revealed that an Iranian government-backed hacking group “sent a spear phishing email in June to a high-ranking official on a presidential campaign from the compromised email account of a former senior advisor.” Microsoft did not say which campaign it was, nor did it name the “former senior advisor” who was targeted, but sources have since told The Washington Post and Politico that the FBI has been investigating the Trump campaign hack since June. 

In a new report out Wednesday, Google’s Threat Analysis Group, which investigates government-backed hackers and threats, concurred with much of Microsoft’s assessment. Google said it has evidence that Iran-backed hackers were behind the targeting of personal email accounts of about a dozen individuals affiliated with President Biden and former President Trump as early as May.

To recap: It looks like Iranian government hackers may have compromised Stone, used his email account to then target and infiltrate the Trump campaign, stole some documents (for now we only know of files related to the vetting process of Republican vice presidential candidate J.D. Vance) and, finally, used a persona — Robert — to contact journalists, hoping they would cover the leaked documents. 

Contact Us
Do you have more information about the Trump campaign hack? Or other politically motivated hacks? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.

What is different from what happened in 2016 is how the media is covering this whole story. 

At the time, countless media outlets took the Guccifer 2.0 documents — and later those stolen from Hillary Clinton’s then-campaign chairman John Podesta — and ran stories that essentially amplified the message that the Russian government wanted the American public to focus on, namely claims of corruption and malfeasance. Kathleen Hall Jamieson, a University of Pennsylvania professor who wrote a book about the 2016 hacking campaigns, told the Associated Press this week that in 2016 the media misrepresented some of the leaked material in a way that was more damaging to Clinton than it should have been. 

This time, the early coverage of the Trump campaign hack-and-leak has focused on the hack-and-leak operation itself, and not so much on what was leaked, something that disinformation experts have praised.

“Politico and [its journalist] Alex Isenstadt deserve significant credit for turning this story into a story about a (poor, it appears) foreign disinformation attempt, instead of covering the leaked Trump campaign documents as such,” said Thomas Rid, a professor at Johns Hopkins and someone who closely followed the 2016 Russian hacking and disinformation campaign. 

It’s important to note that this all might change, perhaps if or when “Robert” decides to leak something that the media considers more newsworthy. It’s also important to remember that, as my former colleague Joseph Cox wrote a few years ago, there have been many cases of hackers leaking information that was in the public interest. The data in those hacks and leaks deserved to be covered and reported on. That may still prove to be the case this time, too. 

Regardless, it’s important that journalists give the whole context behind hack-and-leak operations, no matter if they are launched by hackers working for governments trying to undermine elections or certain presidential candidates, or hacktivists with good intentions.  

When Politico asked the hacker about how they got the documents, Robert reportedly said: “I suggest you don’t be curious about where I got them from. Any answer to this question, will compromise me and also legally restricts you from publishing them.”

Perhaps Robert himself knows that, this time, journalists have learned the lessons.


The biggest data breaches in 2024: 1 billion stolen records and rising

We’re over halfway through 2024, and already this year we have seen some of the biggest, most damaging data breaches in recent history. And just when you think that some of these hacks can’t get any worse, they do.

From huge stores of customers’ personal information getting scraped, stolen and posted online, to reams of medical data covering most people in the United States getting stolen, the worst data breaches of 2024 to date have already surpassed at least 1 billion stolen records and rising. These breaches not only affect the individuals whose data was irretrievably exposed, but also embolden the criminals who profit from their malicious cyberattacks.

Travel with us to the not-so-distant past to look at how some of the biggest security incidents of 2024 went down, their impact and, in some cases, how they could have been stopped. 

AT&T’s data breaches affect “nearly all” of its customers, and many more non-customers

For AT&T, 2024 has been a very bad year for data security. The telecoms giant confirmed not one, but two separate data breaches just months apart.

In July, AT&T said cybercriminals had stolen a cache of data that contained phone numbers and call records of “nearly all” of its customers, or around 110 million people, over a six-month period in 2022 and in some cases longer. The data wasn’t stolen directly from AT&T’s systems, but from an account it had with data giant Snowflake (more on that later).

Although the stolen AT&T data isn’t public (and one report suggests AT&T paid a ransom for the hackers to delete the stolen data) and the data itself does not contain the contents of calls or text messages, the “metadata” still reveals who called who and when, and in some cases the data can be used to infer approximate locations. Worse, the data includes phone numbers of non-customers who were called by AT&T customers during that time. That data becoming public could be dangerous for higher-risk individuals, such as domestic abuse survivors.

That was AT&T’s second data breach this year. Earlier in March, a data breach broker dumped online a full cache of 73 million customer records to a known cybercrime forum for anyone to see, some three years after a much smaller sample was teased online.

The published data included customers’ personal information, including names, phone numbers and postal addresses, with some customers confirming their data was accurate. 

But it wasn’t until a security researcher discovered that the exposed data contained encrypted passcodes used for accessing a customer’s AT&T account that the telecoms giant took action. The security researcher told TechCrunch at the time that the encrypted passcodes could be easily unscrambled, putting some 7.6 million existing AT&T customer accounts at risk of hijacks. AT&T force-reset its customers’ account passcodes after TechCrunch alerted the company to the researcher’s findings. 

One big mystery remains: AT&T still doesn’t know how the data leaked or where it came from. 

Change Healthcare hackers stole medical data on “substantial proportion” of people in America

In 2022, the U.S. Justice Department sued health insurance giant UnitedHealth Group to block its attempted acquisition of health tech giant Change Healthcare, fearing that the deal would give the healthcare conglomerate broad access to about “half of all Americans’ health insurance claims” each year. The bid to block the deal ultimately failed. Then, two years later, something far worse happened: Change Healthcare was hacked by a prolific ransomware gang; its almighty banks of sensitive health data were stolen because one of the company’s critical systems was not protected with multi-factor authentication.

The lengthy downtime caused by the cyberattack dragged on for weeks, causing widespread outages at hospitals, pharmacies and healthcare practices across the United States. But the aftermath of the data breach has yet to be fully realized, though the consequences for those affected are likely to be irreversible. UnitedHealth says the stolen data — which it paid the hackers for a copy of — includes the personal, medical and billing information on a “substantial proportion” of people in the United States. 

UnitedHealth has yet to attach a number to how many individuals were affected by the breach. The health giant’s chief executive, Andrew Witty, told lawmakers that the breach may affect around one-third of Americans, and potentially more. For now, it’s a question of just how many hundreds of millions of people in the U.S. are affected. 

Synnovis ransomware attack sparked widespread outages at hospitals across London 

A June cyberattack on U.K. pathology lab Synnovis — a blood and tissue testing lab for hospitals and health services across the U.K. capital — caused ongoing widespread disruption to patient services for weeks. The local National Health Service trusts that rely on the lab postponed thousands of operations and procedures following the hack, prompting the declaration of a critical incident across the U.K. health sector.

A Russia-based ransomware gang was blamed for the cyberattack, which saw the theft of data related to some 300 million patient interactions dating back a “significant number” of years. Much like the data breach at Change Healthcare, the ramifications for those affected are likely to be significant and life-lasting. 

Some of the data was already published online in an effort to extort the lab into paying a ransom. Synnovis reportedly refused to pay the hackers’ $50 million ransom, preventing the gang from profiting from the hack but leaving the U.K. government scrambling for a plan in case the hackers posted millions of health records online. 

One of the affected NHS trusts, which runs five hospitals across London, reportedly failed to meet the data security standards required by the U.K. health service in the years leading up to the June cyberattack on Synnovis.

Ticketmaster had an alleged 560 million records stolen in the Snowflake hack

A series of data thefts from cloud data giant Snowflake quickly snowballed into one of the biggest breaches of the year, thanks to the vast amounts of data stolen from its corporate customers. 

Cybercriminals swiped hundreds of millions of customer records from some of the world’s biggest companies — including an alleged 560 million records from Ticketmaster, 79 million records from Advance Auto Parts and some 30 million records from TEG — by using stolen credentials of data engineers with access to their employer’s Snowflake environments. For its part, Snowflake does not require (or enforce) that its customers use multi-factor authentication, the security feature that protects against intrusions that rely on stolen or reused passwords. 

Incident response firm Mandiant said around 165 Snowflake customers had data stolen from their accounts, in some cases a “significant volume of customer data.” Only a handful of the 165 companies have so far confirmed their environments were compromised; among them, the stolen data includes tens of thousands of employee records from Neiman Marcus and Santander Bank, and millions of records of students at Los Angeles Unified School District. Expect many more Snowflake customers to come forward. 
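The Snowflake intrusions described above have a simple signature in login telemetry: a successful login with a password as the only factor, from an address the organisation does not own. The following is an added example, not Snowflake’s or Mandiant’s code, of a baseline hunt for that pattern. The rows are constructed for the example; their keys mirror column names of Snowflake’s SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view, but every value, user name and “corporate” address range is invented.

```python
"""Added example, not Snowflake's or Mandiant's code: a baseline hunt over
login records for successful password-only logins (no second factor) from
addresses the organisation does not own.

The rows are constructed; their keys mirror column names of Snowflake's
SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view, but every value, user name and
address range below is invented for the example.
"""

from ipaddress import ip_address, ip_network

# Assumed corporate egress ranges (RFC 5737 documentation addresses).
CORPORATE_NETS = (ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25"))

# Constructed login-history rows.
SAMPLE_LOGIN_HISTORY = [
    {"EVENT_TIMESTAMP": "2024-05-20 08:02:11", "USER_NAME": "DATA_ENG_01",
     "CLIENT_IP": "203.0.113.17", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-20 23:40:58", "USER_NAME": "DATA_ENG_02",
     "CLIENT_IP": "192.0.2.44", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
    {"EVENT_TIMESTAMP": "2024-05-20 23:41:05", "USER_NAME": "DATA_ENG_02",
     "CLIENT_IP": "192.0.2.44", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-21 02:00:00", "USER_NAME": "SVC_ETL",
     "CLIENT_IP": "203.0.113.5", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
]


def is_corporate(ip, nets=CORPORATE_NETS):
    """True if the address falls inside one of the known ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def password_only_logins(rows):
    """Successful logins where a password was the only factor presented."""
    return [
        r for r in rows
        if r["IS_SUCCESS"] == "YES"
        and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
        and not r["SECOND_AUTHENTICATION_FACTOR"]
    ]


def suspicious_logins(rows, nets=CORPORATE_NETS):
    """Password-only successes from outside the corporate ranges: the shape
    of a login made with a stolen credential and no MFA to stop it."""
    return [r for r in password_only_logins(rows)
            if not is_corporate(r["CLIENT_IP"], nets)]


def users_without_mfa(rows):
    """Every account that got in on a password alone, wherever from; these
    are the accounts to enrol in MFA (or disable) before hunting further."""
    return sorted({r["USER_NAME"] for r in password_only_logins(rows)})


def summarise(rows=SAMPLE_LOGIN_HISTORY):
    """Run both checks over the rows and return the findings."""
    hits = suspicious_logins(rows)
    return {
        "suspicious": [(r["USER_NAME"], r["CLIENT_IP"], r["REPORTED_CLIENT_TYPE"])
                       for r in hits],
        "no_mfa_users": users_without_mfa(rows),
    }


if __name__ == "__main__":
    print(summarise())
```

The IP rule catches the login from the unknown address; the second list is the more important output, because a service account logging in from inside the corporate range on a password alone is still one stolen credential away from the same outcome. Hunting like this is a stopgap: the control that actually closes the gap is making MFA mandatory at the account level rather than leaving enrolment to each user.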

(Dis)honorable mentions

Cencora notifies over a million and counting that it lost their data:

U.S. pharma giant Cencora disclosed a February data breach involving the compromise of patients’ health data, information that Cencora obtained through its partnerships with drug makers. Cencora has steadfastly refused to say how many people are affected, but a count by TechCrunch shows well over a million people have been notified so far. Cencora says it’s served more than 18 million patients to date. 

MediSecure data breach affects half of Australia:

Close to 13 million people in Australia — roughly half of the country’s population — had personal and health data stolen in a ransomware attack on prescriptions provider MediSecure in April. MediSecure, which distributed prescriptions for most Australians until late 2023, declared insolvency soon after the mass theft of customer data.

Kaiser shared health data on millions of patients with advertisers:

U.S. health insurance giant Kaiser disclosed a data breach in April after inadvertently sharing the private health information of 13.4 million patients, specifically website search terms about diagnoses and medications, with tech companies and advertisers. Kaiser said it used their tracking code for website analytics. The health insurance provider disclosed the incident in the wake of several other telehealth startups, like Cerebral, Monument and Tempest, admitting they too shared data with advertisers.

USPS shared postal addresses with tech giants, too:

Then it was the turn of the U.S. Postal Service, which was caught sharing the postal addresses of logged-in users with advertisers like Meta, LinkedIn and Snap, using similar tracking code provided by those companies. USPS removed the tracking code from its website after TechCrunch notified the postal service in July of the improper data sharing, but the agency wouldn’t say how many individuals had data collected. USPS has over 62 million Informed Delivery users as of March 2024.

Evolve Bank data breach affected fintech and startup customers:

A ransomware attack targeting Evolve Bank saw the personal information of more than 7.6 million people stolen by cybercriminals in July. Evolve is a banking-as-a-service giant serving mostly fintech companies and startups, like Affirm and Mercury. As a result, many of the individuals notified of the data breach had never heard of Evolve Bank, let alone have a relationship with the firm, prior to its cyberattack.


CSC ServiceWorks reveals 2023 data breach affecting thousands of people

Laundry giant CSC ServiceWorks says tens of thousands of people had their personal information stolen from its systems after recently disclosing a cyberattack from 2023.

The New York-based laundry giant provides over a million internet-connected laundry machines to residential buildings, hotels, and university campuses around North America and Europe. CSC also employs more than 3,200 team members, according to its website.

In a data breach notification filed late on Friday, CSC confirmed that the data breach affected at least 35,340 individuals, including over a hundred people in Maine. 

News of the data breach is the latest security issue to beset CSC over the past year, after multiple security researchers said they found simple but critical vulnerabilities in its laundry platform that could cost the company revenue.

In its data breach notice, CSC said an intruder broke into its systems on September 23, 2023 and had access to its network for five months until February 4, 2024, when the company discovered the intruder. It’s not known why it took the company several months to detect the breach. CSC said it took until June to identify what data was stolen.

The stolen data includes names; dates of birth; contact information; government identity documents, such as Social Security and driver’s license numbers; financial information, such as bank account numbers; and health insurance information, including some limited medical information.

Given that the types of data involved typically relate to the information that companies hold on their employees, such as for business records and workplace benefits, it’s plausible that the data breach affects current and former CSC employees, as customers are not typically asked for this information.

For its part, CSC would not clarify either way.

CSC spokesperson Stephen Gilbert declined to answer TechCrunch’s specific questions about the incident, including whether the breach affects employees, customers, or both. The company would not describe the nature of the cyberattack, or whether the company has received any communication from the threat actor, such as a ransom demand.

CSC made headlines earlier this year after ignoring a simple bug discovered by two student security researchers that allowed anyone to run free laundry cycles. The company belatedly patched the vulnerability and apologized to the researchers, who spent weeks trying to alert the company to the flaw.

The findings prompted the company to set up a vulnerability disclosure program, allowing future security researchers to contact the company directly to privately report bugs or vulnerabilities. 

Last month, details of a new vulnerability found in CSC-powered laundry machines allowing anyone to also get free laundry were made public. Michael Orlitzky said in a blog post that the hardware-level vulnerability, which involves short circuiting two wires inside a CSC-powered laundry machine, bypasses the need to enter coins to operate the machine. Orlitzky is due to present his findings at the Def Con security conference in Las Vegas on Saturday.


Student raised security concerns in Mobile Guardian MDM weeks before cyberattack

A person claiming to be a student in Singapore publicly posted documentation showing lax security in a widely popular school mobile device management service called Mobile Guardian, weeks before a cyberattack on the company resulted in the mass-wiping of student devices and widespread disruption.

In an email to TechCrunch, the student — who declined to provide his name, citing fear of legal retaliation — said he reported the bug to the Singaporean government by email in late May but could not be sure that the bug was ever fixed. The Singaporean government told TechCrunch that the bug was fixed prior to Mobile Guardian’s cyberattack on August 4, but the student said that the bug was so easy to find and so trivial for an unsophisticated attacker to exploit that he fears there are more vulnerabilities of similar exploitability.

The U.K.-based Mobile Guardian, which provides student device management software in thousands of schools around the world, disclosed the breach on August 4 and shut down its platform to block the malicious access, but not before the intruder used their access to remotely wipe thousands of student devices.

A day later, the student published details of the vulnerability he had previously sent to the Singaporean Ministry of Education, a major customer of Mobile Guardian since 2020.

In a Reddit post, the student said the security bug he found in Mobile Guardian granted any signed-in user “super admin” access to the company’s user management system. With that access, the student said, a malicious person could perform actions that are reserved for school administrators, including the ability to “reset every person’s personal learning device.” 

The student wrote that he reported the issue to the Singaporean education ministry on May 30. Three weeks later, the ministry responded to the student saying the flaw is “no longer a concern,” but declined to share any further details with him, citing “commercial sensitivity,” according to the email seen by TechCrunch. 

When reached by TechCrunch, the ministry confirmed it had received word of the bug from the security researcher, and that “the vulnerability had been picked up as part of an earlier security screening, and had already been patched,” as per spokesperson Christopher Lee.

“We also confirmed that the disclosed exploit was no longer workable after the patch. In June, an independent certified penetration tester conducted a further assessment, and no such vulnerability was detected,” said the spokesperson.

“Nevertheless, we are mindful that cyber threats can evolve quickly and new vulnerabilities discovered,” the spokesperson said, adding that the ministry “regards such vulnerability disclosures seriously and will investigate them thoroughly.”

Bug exploitable in anyone’s browser

The student described the bug to TechCrunch as a client-side privilege escalation vulnerability, which allowed anyone on the internet to create a new Mobile Guardian user account with an extremely high level of system access using only the tools in their web browser. This was because Mobile Guardian’s servers were allegedly not performing the proper authorization checks on their side, and instead trusted the role value sent from the user’s browser.

The bug meant that the server could be tricked into accepting the higher level of system access for a user’s account by modifying the network traffic in the browser.

TechCrunch was provided a video — recorded on May 30, the day of disclosure — demonstrating how the bug works. The video shows the user creating a “super admin” account using only the browser’s in-built tools to modify the network traffic containing the user’s role to elevate that account’s access from “admin” to “super admin.”

The video showed the server accepting the modified network request, and when logged in as that newly created “super admin” user account, granted access to a dashboard displaying lists of Mobile Guardian enrolled schools.
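The mechanism described above is a server copying a privilege field out of the request it receives instead of deciding the privilege itself. The following is an added illustration, not Mobile Guardian’s code or anything taken from its platform: a minimal account-creation handler that stores whatever role the browser sends, beside a version that decides from the caller’s server-side session. The role names, request shape, permission table and in-memory store are all constructed for the example.

```python
"""Added illustration, not Mobile Guardian's code: an account-creation
handler that stores whatever role the browser sends, beside a version that
decides authorisation from the caller's server-side session.

The role names, request shape, permission table and in-memory store are
constructed; the real platform's API is not public and nothing here is
taken from it.
"""

from dataclasses import dataclass, field

# Assumed role hierarchy, lowest to highest.
ROLES = ("user", "admin", "super_admin")

# Which roles each caller role may assign when creating an account (assumed).
MAY_CREATE = {
    "super_admin": set(ROLES),
    "admin": {"user", "admin"},
    "user": set(),
}


@dataclass
class User:
    name: str
    role: str


@dataclass
class Store:
    users: dict = field(default_factory=dict)


def create_user_vulnerable(store, caller, body):
    """The bug pattern: the role is copied straight out of the request body.

    The handler never consults who the caller is, so a request whose "role"
    field was rewritten in the browser's network tools is stored as sent.
    """
    new = User(body["username"], body["role"])
    store.users[new.name] = new
    return new


def create_user_hardened(store, caller, body):
    """Same endpoint with the check done server-side.

    The requested role is validated against the fixed list, then against
    what the caller's own role (taken from the server session, never from
    the body) is allowed to grant.
    """
    requested = body.get("role", "user")
    if requested not in ROLES:
        raise ValueError(f"unknown role {requested!r}")
    if requested not in MAY_CREATE[caller.role]:
        raise PermissionError(f"{caller.role} may not create a {requested}")
    new = User(body["username"], requested)
    store.users[new.name] = new
    return new


def tampered_request():
    """The form as the page submits it, and the same request after the role
    field has been rewritten in the browser before it is sent."""
    normal = {"username": "newstaff", "role": "admin"}
    tampered = dict(normal, role="super_admin")
    return normal, tampered


def demo(caller_role="user"):
    """Replay the tampered request against both handlers and report what
    each one stored, or why it refused."""
    caller = User("student", caller_role)  # constructed signed-in account
    _, tampered = tampered_request()
    vulnerable = create_user_vulnerable(Store(), caller, tampered).role
    try:
        hardened = create_user_hardened(Store(), caller, tampered).role
    except PermissionError as err:
        hardened = f"rejected ({err})"
    return {"vulnerable": vulnerable, "hardened": hardened}


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is where the decision input comes from: the caller’s role is read from state the server controls, and the body is only allowed to ask for something that role may grant. Validating the role against a list of known values is not enough on its own, since “super_admin” is a perfectly valid value; the check that matters is the one against the caller.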

Mobile Guardian CEO Patrick Lawson did not respond to multiple requests for comment prior to publication, including questions about the student’s vulnerability report and whether the company fixed the bug.

After we contacted Lawson, the company updated its statement as follows: “Internal and third party investigations into previous vulnerabilities of the Mobile Guardian Platform are confirmed to have been resolved and no longer pose a risk.” The statement did not say when the previous flaws were resolved nor did the statement explicitly rule out a link between the previous flaws and its August cyberattack. 

This is the second security incident to beset Mobile Guardian this year. In April, the Singaporean education ministry confirmed the company’s management portal had been hacked and the personal information of parents and school staff from hundreds of schools across Singapore compromised. The ministry attributed the breach to Mobile Guardian’s lax password policy, rather than a vulnerability in its systems.

Do you know more about the Mobile Guardian cyberattack? Are you affected? Get in touch. You can contact this reporter on Signal and WhatsApp at +1 646-755-8849, or by email. You can send files and documents via SecureDrop.


Ecovacs home robots can be hacked to spy on their owners, researchers say

Malicious hackers can take over control of vacuum and lawn mower robots made by Ecovacs to spy on their owners using the devices’ cameras and microphones, new research has found.

Security researchers Dennis Giese and Braelynn are due to speak at the Def Con hacking conference on Saturday detailing their research into Ecovacs robots. When they analyzed several Ecovacs products, the two researchers found a number of issues that can be abused to hack the robots via Bluetooth and surreptitiously switch on microphones and cameras remotely. 

“Their security was really, really, really, really bad,” Giese told TechCrunch in an interview ahead of the talk.

The researchers said they reached out to Ecovacs to report the vulnerabilities but never heard back from the company, and believe the vulnerabilities are still not fixed and could be exploited by hackers. 

Ecovacs did not respond to requests for comment from TechCrunch. 

The main issue, according to the researchers, is that there is a vulnerability that allows anyone using a phone to connect to and take over an Ecovacs robot via Bluetooth from as far away as 450 feet (around 140 meters). And once the hackers take control of the device, they can connect to it remotely because the robots themselves are connected via Wi-Fi to the internet.

“You send a payload that takes a second, and then it connects back to our machine. So this can, for example, connect back to a server on the internet. And from there, we can control the robot remotely,” said Giese. “We can read out the Wi-Fi credentials, we can read out all the [saved room] maps. We can, because we’re sitting on the operation of the robot’s Linux operating system. We can access cameras, microphones, whatever.” 

A dog seen through a hacked Ecovacs device. Image Credits: Dennis Giese and Braelynn

Giese said that the lawn mower robots have Bluetooth active at all times, while the vacuum robots have Bluetooth enabled for 20 minutes when they switch on, and once a day when they do their automatic reboot, which makes them a bit harder to hack.

Because most of the newer Ecovacs robots are equipped with at least one camera and a microphone, once the hackers have control of a compromised robot, the robots can be turned into spies. The robots have no hardware light or any other indicator that warns people nearby that their cameras and microphones are on, according to the researchers. 

On some models there is, in theory, an audio file that gets played every five minutes saying the camera is on but hackers could easily delete the file and stay stealthy, Giese said. 

“You can basically just delete or overwrite the file with the empty one. So the warnings are not playing anymore if you access the camera remotely,” said Giese.

Apart from the risk of hacking, Giese and Braelynn said they found other problems with Ecovacs devices.

Among the issues, they said: Data stored on the robots remains on Ecovacs’ cloud servers even after the user deletes their account; the authentication token also remains on the cloud, allowing a former owner to access a robot after deleting their account and potentially to spy on whoever bought the robot secondhand. The lawn mower robots also have an anti-theft mechanism that forces someone to enter a PIN if they pick up the robot, but the PIN is stored in plaintext inside the lawn mower, so a hacker could easily find it and use it.  

The researchers said that once an Ecovacs robot is compromised, if the device is in range of other Ecovacs robots, those devices can be hacked, too. 

Giese and Braelynn said they analyzed the following devices: Ecovacs Deebot 900 Series, Ecovacs Deebot N8/T8, Ecovacs Deebot N9/T9, Ecovacs Deebot N10/T10, Ecovacs Deebot X1, Ecovacs Deebot T20, Ecovacs Deebot X2, Ecovacs Goat G1, Ecovacs Spybot Airbot Z1, Ecovacs Airbot AVA, and the Ecovacs Airbot ANDY.


How a cybersecurity researcher befriended, then doxed, the leader of LockBit ransomware gang

Earlier this year, an international coalition of law enforcement agencies took control of the dark web site of the notorious ransomware gang LockBit, replacing its content with the now-familiar message from the authorities: “This site is now under the control of law enforcement.” The operation didn’t disrupt the group’s operation for too long, with the gang launching a new site shortly after the takedown.

But then, on May 6, the authorities updated LockBit’s old site page and announced that they would be revealing the identity of LockBit’s administrator. “Who is LockBitSupp?” read a box on the site, which also included a 24-hour countdown. 

When cybersecurity researcher Jon DiMaggio saw the announcement, he immediately wondered: Do the cops have the same guy I have identified?  

A screenshot of the seized LockBit darknet website. Image Credits: TechCrunch (screenshot)

For the last couple of years, DiMaggio, who is a researcher at the cybersecurity firm Analyst1, had developed a relationship with LockBitSupp — first pretending to be a budding cybercriminal interested in joining the gang, then as himself. And, in the end, DiMaggio was able to figure out LockBitSupp’s real identity before it was publicly revealed by the authorities. 

On Friday, in a talk at the hacking conference Def Con in Las Vegas, DiMaggio told the whole story of his relationship with LockBitSupp, detailing how he gained LockBitSupp’s trust using a made-up persona, and then kept the relationship going even after DiMaggio publicly revealed that he had infiltrated the gang and tricked LockBitSupp into giving up details of the operation.

“Our relationship had a bunch of ups and downs,” DiMaggio said during a preview of his presentation, which he gave to TechCrunch ahead of the conference.

At first, DiMaggio explained that he created a series of sockpuppet accounts to approach people who appeared to have direct relationships with LockBitSupp, as well as observe their interactions. The goal during this phase was to create a cybercriminal persona that had some sort of history and connections in the underground, which would make it easier to appear credible when reaching out directly to LockBit and its administrator. 

“The important part of this was monitoring those conversations that appeared irrelevant. The ones where they had their guard down, where they were just talking s—t with other hackers. It allowed me to see the things they liked and the things they disliked. It gave me some context into their political views,” said DiMaggio. “All those things that I needed to build before I could engage because if I just went into this, and I started asking questions related to attacks and their operation, it’d be pretty obvious that I was a researcher.”

DiMaggio said his initial attempt to join the gang was rejected, but he kept talking to LockBitSupp, with whom he started to have a direct and friendly relationship. From then on, DiMaggio said he focused on LockBitSupp, cracking jokes with him, casually posing questions about details of his operation, such as questions on different elements and types of attacks, how to choose among them, how to negotiate with victims, and how to establish what’s the right ransom demand depending on the victim company.

Then, in January 2023, DiMaggio wrote a long report about his findings during his undercover research, and essentially burned all his fake cybercriminal personas. DiMaggio said he thought this would be the end of his relationship with LockBitSupp. Instead, the criminal ringleader appeared to take it lightly, posting in forums that he wished DiMaggio had portrayed him on yachts with women, enjoying his life as a high-flying cybercriminal. That, in itself, was interesting to DiMaggio.

“The person that I know, while he certainly is motivated by money, he is not a flashy person, he’s not the type of person I would expect to be obsessed with material items,” said DiMaggio. “So there was a vast contrast in his demeanor and persona that he presented on these forums versus the person that I talked to one on one.”

Then, DiMaggio said that LockBitSupp started using his LinkedIn photo as their avatar in hacking forums as a way to poke fun at DiMaggio. “This was very much a cat-and-mouse game, and honestly LockBit loved playing this game with me as much as I loved playing it with them,” said DiMaggio. 

At one point in early August of last year, DiMaggio decided to troll LockBitSupp in public. As a joke, he posted on X claiming he was going to release new research into the ransomware group, and that if LockBitSupp wanted to stop him, he could pay him $10 million. He made it seem like he was trying to extort the extortionists. Surprisingly, it seemed like some cybercriminals believed him, and were worried they would be exposed. 

“It just goes to show from a psychological aspect, you can really f—k with these guys,” said DiMaggio. “The mental aspect of this operation went much further than anything else that I did.”

Meanwhile, DiMaggio said that LockBitSupp went offline for around 12 days. When he came back, he seemed upset, but didn't stop communicating with DiMaggio. Around the same time, LockBit claimed responsibility for a cyberattack against a community hospital that treats children in Chicago, the gang's second attack on a hospital after the one that hit Toronto's SickKids hospital, another facility for children. 

These attacks, DiMaggio said, “really, really pissed me off.” And they almost convinced him to send an angry message to LockBitSupp, telling them to “f—k off,” and that he was coming for them. Eventually, DiMaggio said he decided against sending it, because “you cannot become emotionally invested with your target.”

Security researcher Jon DiMaggio. Image Credits: supplied / Bryce Durbin / TechCrunch

Then, law enforcement took down LockBit’s website, and at least temporarily disrupted the gang’s operation. DiMaggio said he decided to focus all his efforts on identifying LockBitSupp, putting the word out in the cybercrime underground, and with other researchers, that he was going after the gang’s leader.

“At this point, LockBit knew it, the hunt was on,” said DiMaggio. 

And that hunt was facilitated by an anonymous tip that someone sent DiMaggio. The tipster, DiMaggio said, gave him a Yandex email address allegedly owned by LockBitSupp. With that as a starting point, DiMaggio said he was able to unravel the mystery of LockBitSupp’s identity, leading him to someone named Dmitry Khoroshev. But as tantalizing as that finding was, DiMaggio couldn’t be completely sure.

But then, something happened that not even he expected. The authorities updated the seized LockBit website with a countdown, announcing that they would reveal LockBitSupp's identity. DiMaggio said that at this point he reached out to the FBI, with whom he has had a relationship as a private industry partner, and told them he had identified Khoroshev as LockBit's administrator and planned to write a report revealing that. The goal, DiMaggio said, was to ask the FBI whether or not he should wait to publish his report. 

“If they told me to wait, then there was a pretty good chance I had the right guy. If they told me to do whatever I wanted, then I probably would have still waited because that might have been because I had the wrong guy,” said DiMaggio, who added that the FBI told him to wait. 

DiMaggio was on his way to the RSA cybersecurity conference in San Francisco, so “I packed my stuff, flew out to San Francisco, landed, I got to the hotel, and I spent the entire day, the entire night working and writing,” said DiMaggio. “I was writing everything I had on Dmitry. And I was going to wait for this timer to tick down. And when they published it, if we had the same guy, I was going to publish my report.”

When the 24-hour countdown on the seized site struck zero, as promised, the U.S. Department of Justice accused Dmitry Khoroshev of being LockBit's mastermind and administrator. At that point, DiMaggio could go live with his own report doxing Khoroshev.

“This was my first time doxing somebody. And well, they released his name, I released everything else on this dude. I had where he lived, I had his phone numbers, current and previous,” said DiMaggio. “And boy, it was difficult to not just call this guy up on the phone, having his legitimate phone number prior to the indictment, just to see if I had the right guy, but I didn’t.”

DiMaggio even published a message for Khoroshev, as a way to say goodbye and to tell him that he had to dox him before others did.  

“LockBitSupp, you are a smart guy. You said it’s not about the money anymore, and you want to have a million victims before you stop, but sometimes you need to know when to walk away. It is that time, my old friend,” DiMaggio wrote.

“You have always been real with me, and I want to be real with you. Take your money and go enjoy your life before you end up in a situation where you can’t. Much like REvil, you have pushed things too far. It’s time to move on. I don’t hate you; I hate what you do, and I did not enjoy putting you on blast today because we have known one another for a long time. The truth is if I didn’t do this today, someone else would. I have too much respect for you as an adversary to watch you get picked apart by some clown with an OSINT handbook, which is all it would take now that your identity is known. With our history, it needed to come from me. It’s time to move on,” he wrote.

Since then, DiMaggio said, he hasn’t heard back from Khoroshev. 

In talking openly about his operation, DiMaggio said he hopes to show how researchers can find out information about cybercriminals by infiltrating their groups, and not just by collecting data from hacks or lurking on forums. But DiMaggio also said that he wants researchers to know that doing what he did can carry consequences, even though, for now, he has heard only rumors that Khoroshev wants retribution, and nothing has happened. 

“Nobody gets out of this unscathed,” said DiMaggio, “when you go f—k with criminals like this.”


Home security giant ADT says it was hacked

ADT confirmed this week that it was recently hacked, compromising some customer data.

The home security company did not say when the cyberattack and data breach occurred, but disclosed that the attackers accessed the company’s databases containing customer home addresses, email addresses and phone numbers.

In a brief regulatory filing published late Wednesday, ADT said it has “no reason to believe” that customer home security systems were compromised during the incident, but ADT did not say how it reached that conclusion. The statement said a “small percentage” of customers are affected, but did not provide a more specific number.

As of June 2024, ADT said it had six million customers. 

The disclosure comes a week after a seller on a known cybercrime forum, seen by TechCrunch, claimed in a post on July 31 to have more than 30,000 customer records stolen from ADT. TechCrunch could not immediately verify the authenticity of the claims.

Sarah Bellinger, a spokesperson for ADT via a third-party agency, declined to answer TechCrunch’s questions about the cyberattack and data breach.

ADT is one of the largest home security companies in the United States. It is currently owned by private equity giant Apollo Global Management, which also owns TechCrunch’s parent company, Yahoo.


Hackers could spy on cell phone users by abusing 5G baseband flaws, researchers say

A group of researchers say they have uncovered a series of security flaws in different 5G basebands — essentially processors used by cell phones to connect to mobile networks — which could have allowed hackers to stealthily hack victims and spy on them. 

The researchers from Pennsylvania State University presented their findings at the Black Hat cybersecurity conference in Las Vegas on Wednesday, as well as in an academic paper. 

Using a custom-made analysis tool they called 5GBaseChecker, the researchers uncovered vulnerabilities in basebands made by Samsung, MediaTek, and Qualcomm, which are used in phones made by Google, OPPO, OnePlus, Motorola, and Samsung. 

The researchers are Kai Tu, Yilu Dong, Abdullah Al Ishtiaq, Syed Md Mukit Rashid, Weixuan Wang, Tianwei Wu, and Syed Rafiul Hussain. On Wednesday, they released 5GBaseChecker on GitHub so that other researchers can use it to hunt for 5G vulnerabilities. 

Hussain, an assistant professor at Penn State, told TechCrunch that he and his students were able to trick phones with those vulnerable 5G basebands into connecting to a fake base station — essentially a fake cell phone tower — and from there launch their attacks. 

Tu, one of the students, said that their most critical attack allowed them to exploit the phone from that fake base station. At that point, Tu said, “the security of 5G was totally broken.”

“The attack is totally silent,” Tu added. 

Tu explained that by taking advantage of the vulnerabilities they found, a malicious hacker could pretend to be one of the victim’s friends and send a credible phishing message. Or by directing the victim’s phone to a malicious website, the hacker could trick the victim into providing their credentials on a fake Gmail or Facebook login page, for example. 

The researchers were also able to downgrade a victim from 5G to older protocols like 4G or even older ones, making it easier to eavesdrop on the victim’s communications, said Tu. 

The researchers said that most vendors they contacted have fixed the vulnerabilities. At the time of writing, the researchers had identified 12 vulnerabilities in different 5G basebands and had them patched.

Samsung spokesperson Chris Langlois said in a statement to TechCrunch that the company had “released software patches to affected smartphone vendors to address and resolve this matter,” while Google spokesperson Matthew Flegal also confirmed that the flaws were now fixed.

MediaTek and Qualcomm did not respond to a request for comment. 


UK data watchdog to fine NHS vendor Advanced for security failures prior to LockBit ransomware attack

U.K. data protection authorities have issued a provisional fine of more than £6 million to NHS vendor Advanced after finding that the company failed to properly secure the information of thousands of people later stolen in a ransomware attack.

In a statement, the U.K. Information Commissioner’s office (ICO) said it issued the fine after determining that the cybercriminals behind the August 2022 ransomware attack “initially accessed a number of Advanced’s health and care systems via a customer account that did not have multi-factor authentication.”

The cyberattack on Advanced led to widespread disruption to NHS services across the United Kingdom at the time, causing outages at the NHS non-emergency 111 line and forcing hospitals and medical practices to resort to pen and paper for weeks. Physicians at affected NHS trusts reported that they could not access patient records.

Mandiant, the incident response firm that helped to investigate the hack, said the malware used in the attack was the LockBit ransomware gang's, though LockBit never publicly claimed responsibility for the cyberattack on its dark web leak site. That can be an indication that a hacked company paid a ransom. Advanced previously declined to say whether it had paid one.

By October 2022, Advanced said in its post-incident report that the cybercriminals broke into Advanced's network “using legitimate third-party credentials,” suggesting that there was no multi-factor authentication on the account, since a stolen username and password alone would not have been enough to log in had a second factor been enforced. 

Now the ICO appears to be confirming that.

The ICO said it is provisionally issuing a fine of £6.09 million ($7.75 million) after finding that Advanced had, provisionally, “breached data protection law in failing to implement appropriate security measures prior to the attack to protect the personal information it was processing.”

The watchdog also confirmed that the cyberattack led to the theft of data of close to 83,000 people in the United Kingdom, including phone numbers and medical records, and details of “how to gain entry to the homes of 890 people who were receiving care at home,” the ICO said.

The fine is provisional, the watchdog said, meaning the penalty may change. ICO Commissioner John Edwards said the watchdog made the decision to go public in this case in part to “avoid similar incidents in the future.”

“I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication,” said Edwards.
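As an added example (not code from the ICO, Advanced or Mandiant), the script below shows the control the ICO describes from the detection side. Given a constructed roster of accounts and constructed remote-access gateway log lines, it flags every successful login that presented only a password, and distinguishes accounts never enrolled in MFA (including third-party accounts, the gap in this incident) from enrolled accounts whose second factor the gateway did not enforce. The log format, the roster fields, the account names and the rule that unknown accounts are treated as unenrolled third parties are all assumptions made for the illustration.

```python
"""Flag successful remote-access logins that presented only one factor.

Added example, not from the ICO, Advanced or Mandiant. The log format,
roster fields and account names below are constructed for illustration.
"""
from dataclasses import dataclass
import re

# Constructed roster: is the account enrolled in MFA, and does it belong to
# a third party (customer or supplier) rather than to staff?
ROSTER = {
    "alice":        {"mfa_enrolled": True,  "third_party": False},
    "bob":          {"mfa_enrolled": False, "third_party": False},
    "svc-vendor01": {"mfa_enrolled": False, "third_party": True},
    "cust-clinic7": {"mfa_enrolled": True,  "third_party": True},
}

# Constructed gateway log lines: timestamp, user, outcome, factors presented.
SAMPLE_LOG = """\
2022-08-02T01:14:07Z user=alice result=success factors=password,totp src=203.0.113.10
2022-08-02T01:15:22Z user=svc-vendor01 result=success factors=password src=198.51.100.7
2022-08-02T01:16:05Z user=bob result=failure factors=password src=192.0.2.44
2022-08-02T01:19:41Z user=cust-clinic7 result=success factors=password src=198.51.100.9
2022-08-02T01:20:13Z user=bob result=success factors=password src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) "
    r"factors=(?P<factors>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    src: str
    reason: str


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["factors"] = frozenset(ev["factors"].split(","))
    return ev


def single_factor_successes(log_text, roster):
    """Every successful login where fewer than two factors were presented."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue
        if len(ev["factors"]) >= 2:
            continue  # a second factor was actually presented
        # Assumption: an account missing from the roster is an unenrolled
        # third party, the worst case rather than the most convenient one.
        acct = roster.get(ev["user"], {"mfa_enrolled": False, "third_party": True})
        if acct["mfa_enrolled"]:
            reason = "mfa enrolled but not enforced at this gateway"
        elif acct["third_party"]:
            reason = "third-party account with no mfa"
        else:
            reason = "staff account with no mfa"
        findings.append(Finding(ev["ts"], ev["user"], ev["src"], reason))
    return findings


def summarize(findings):
    """Count findings by reason, most frequent first."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for f in single_factor_successes(SAMPLE_LOG, ROSTER):
        print(f"{f.ts} {f.user} from {f.src}: {f.reason}")
```

On the constructed sample the script reports three logins: the vendor service account and the staff account that never enrolled, and the customer account that is enrolled but was still let in on a password alone. The last category matters because an enrolment report would show that account as covered; only the gateway log reveals that the factor was never demanded on the external connection.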

Spokespeople for Advanced did not respond to a request for comment prior to publication.


Cyberattack knocks Mobile Guardian MDM offline and wipes thousands of student devices

A cyberattack on Mobile Guardian, a U.K.-based provider of educational device management software, has sparked outages at schools across the world and has left thousands of students unable to access their files. 

Mobile Guardian acknowledged the cyberattack in a statement on its website, saying it identified “unauthorized access to the iOS and ChromeOS devices enrolled to the Mobile Guardian platform.”

The company said the cyberattack “affected users globally,” including in North America, Europe and Singapore, and that the incident resulted in an unspecified portion of its userbase having their devices unenrolled from the platform and “wiped remotely.”

“Users are not currently able to log in to the Mobile Guardian Platform and students will experience restricted access on their devices,” the company said.

Mobile device management (MDM) software allows businesses and schools to remotely monitor and manage entire fleets of devices used by employees or students.

Singapore’s Ministry of Education, touted as a significant customer of Mobile Guardian on the company’s website since 2020, said in a statement overnight that thousands of its students had devices remotely wiped during the cyberattack. 

“Based on preliminary checks, about 13,000 students in Singapore from 26 secondary schools had their devices wiped remotely by the perpetrator,” the Singaporean education ministry said in a statement. 

The ministry said it was removing the Mobile Guardian software from its fleet of student devices, including affected iPads and Chromebooks.

TechCrunch has seen several posts on social media from U.S. school staff and students alike claiming that they are experiencing outages and cannot access their content. One post includes a photo of a pile of iPads on a desk in one Singaporean school's IT department that have to be set up again as a result of the Mobile Guardian cyberattack, according to the poster.  

Mobile Guardian is said to have more than 2,500 schools in over 50 countries worldwide as customers, according to a Singaporean government report from May responding to an earlier cybersecurity incident.

TechCrunch sent several questions to Mobile Guardian chief executive Patrick Lawson about the incident, including whether the company has received any communication from the apparent threat actor, and if the company has reported the incident to the U.K. data protection watchdog, the ICO. We also asked who, if anyone, at Mobile Guardian is responsible for cybersecurity.

Lawson fixed a typo in the company’s statement that we pointed out in our email requesting comment, but did not respond to our multiple inquiries.

Do you know more about the Mobile Guardian cyberattack? Are you affected? Get in touch. You can contact this reporter on Signal and WhatsApp at +1 646-755-8849, or by email. You can send files and documents via SecureDrop.
