UK Defence Ministry targeted in cyberattack: Minister | Cybercrime News

Third-party payroll system with names and bank details of armed forces staff hacked, reports say.

Britain’s Ministry of Defence has been the target of a large-scale cyberattack, a government minister confirmed to British media.

On Tuesday, Work and Pensions Secretary Mel Stride told Sky News, which first reported the hack, that the attack was on a system run by an outside firm but was still a “very significant matter”.

The attack targeted a third-party payroll system used by the Defence Ministry that held the names and bank details of current and former service personnel of the armed forces, Sky News and the BBC reported.

Defence Secretary Grant Shapps is expected to give further details to parliament later in the day.

“The MoD [Ministry of Defence] has acted very swiftly to take this database offline. It’s a third-party database and certainly not one run directly by the MoD,” Stride told Sky. The ministry first discovered the cyberattack several days ago.

Tobias Ellwood, a former minister in the Conservative government, said the incident has the hallmarks of a Chinese cyberattack.

“Targeting the names of the payroll system and service personnel’s bank details, this does point to China because it can be as part of a plan, a strategy to see who might be coerced,” the former soldier and ex-chairman of a parliamentary defence committee told BBC Radio.

Meanwhile, Stride said the government was not currently pointing the finger at Beijing.

“That is an assumption … we are not saying that at this precise moment,” he added.

Shapps is to confirm that a hostile state was the culprit, according to British media reports, but the government is not expected to publicly name China.

China refutes claims as ‘utter nonsense’

China’s Ministry of Foreign Affairs spokesperson Lin Jian said Beijing opposed all forms of cyberattacks and rejected any attempt to use the issue of hacking for political ends to smear other countries.

“The remarks by relevant British politicians are utter nonsense,” Lin said on Tuesday. “China has always firmly opposed and cracked down on all types of cyberattacks.”

The two countries have increasingly sparred over the issue of hacking, with Britain saying in March that Chinese hackers and a Chinese entity were behind two high-profile attacks in recent years – the targeting of parliamentarians critical of China, and an assault on the country’s electoral watchdog.

It has strained ties as Britain sought to strike a delicate balance between trying to neutralise security threats posed by China while maintaining or even enhancing engagement in some areas such as trade, investment and climate change.

But there has been growing anxiety about its alleged espionage activity in Britain, particularly before general elections expected later this year, and some British politicians have become increasingly vocal over the threat that they say China poses.


Germany accuses Russia of ‘intolerable’ cyberattack, warns of consequences | Russia-Ukraine war News

Germany has blamed “state-sponsored” Russian hackers for an “intolerable” cyberattack on members of the Social Democratic Party (SPD) and warned there would be consequences.

On Friday, Foreign Minister Annalena Baerbock said a German federal government investigation into who was behind the 2023 cyberattack on the SPD, a leading member of the governing coalition, had just concluded.

“Today we can say unambiguously [that] we can attribute this cyberattack to a group called APT28, which is steered by the military intelligence service of Russia,” she said at a news conference in the Australian city of Adelaide.

“In other words, it was a state-sponsored Russian cyberattack on Germany, and this is absolutely intolerable and unacceptable and will have consequences.”

APT28, also known as Fancy Bear or Pawn Storm, has been accused of dozens of cyberattacks around the world.

The attack on German Chancellor Olaf Scholz’s SPD was made public last year and blamed on a previously unknown vulnerability in Microsoft Outlook.

Germany’s Federal Ministry of the Interior said German companies, including in the defence, aerospace and information technology sectors, as well as targets related to Russia’s war in Ukraine were also a focus of the attacks.

German Interior Minister Nancy Faeser said the campaign was orchestrated by Russia’s military intelligence service GRU and began in 2022.

A German Federal Foreign Office spokesperson said on Friday that the acting charge d’affaires of the Russian embassy in Berlin has been summoned.

The cyberattack showed “that the Russian threat to security and peace in Europe is real and enormous”, the spokesperson said.

Russia has denied past allegations by Western governments of being behind cyberattacks. On Friday, its embassy in Germany said it “categorically rejected the accusations that Russian state structures were involved in the given incident … as unsubstantiated and groundless”.

The Czech Republic’s Ministry of Foreign Affairs said on Friday that the country’s institutions had also been targeted by APT28 by exploiting a vulnerability in Microsoft Outlook from 2023.

“Cyberattacks targeting political entities, state institutions and critical infrastructure are not only a threat to national security but also disrupt the democratic processes on which our free society is based,” the ministry said. It didn’t provide details about the targets.

The European Union condemned the “malicious cyber campaign conducted by the Russia-controlled Advanced Persistent Threat Actor 28 (APT28) against Germany and Czechia”.

NATO said APT28 targeted “other national governmental entities, critical infrastructure operators” across the alliance, including in Lithuania, Poland, Slovakia and Sweden.

“We are determined to employ the necessary capabilities in order to deter, defend against and counter the full spectrum of cyberthreats to support each other, including by considering coordinated responses,” said the North Atlantic Council, the political decision-making body within NATO.

‘Concrete signs’ of Russian origin

The EU’s computer security response unit, CERT-EU, last year noted a German media report that an SPD executive had been targeted in a cyberattack in January 2023, “resulting in possible data exposure”.

It said there were reportedly “concrete signs” it was of Russian origin.

Baerbock spoke after a meeting with Australian Foreign Minister Penny Wong, who said: “We have previously joined the United States, UK, Canada and New Zealand in attributing malicious cyberactivity to APT28.”

It is not the first time that Russian hackers have been accused of spying on Germany.

In 2020, then-Chancellor Angela Merkel said Germany found “hard evidence” that Russian hackers had targeted her.

One of the most high-profile incidents so far blamed on Russian hackers was a cyberattack in 2015 that paralysed the computer network of Germany’s lower house of parliament, the Bundestag, forcing the entire institution offline for days while it was fixed.




Israeli firms sold invasive surveillance tech to Indonesia: Report | Cybersecurity News

An international investigation has found that at least four Israeli-linked firms have been selling invasive spyware and cyber surveillance technology to Indonesia, which has no formal diplomatic ties with Israel and is the world’s most populous Muslim nation.

The research by Amnesty International’s Security Lab – based on open sources including trade records, shipping data and internet scans – uncovered links between official government bodies and agencies in the Southeast Asian country and Israeli tech firms NSO, Candiru, Wintego and Intellexa, a consortium of linked firms originally founded by a former Israeli military officer, going back to at least 2017.

German firm FinFisher, a rival to the Israeli companies and whose technology has been used to allegedly target government critics in Bahrain and Turkey, was also found to have sent such technologies to Indonesia.

Amnesty said there was little visibility about the targets of the systems.

“Highly invasive spyware tools are designed to be covert and to leave minimal traces,” it said in the report. “This built-in secrecy can make it exceedingly difficult to detect cases of unlawful misuse of these tools against civil society, and risks creating impunity-by-design for rights violations.”

It said this was of “special concern” in Indonesia where civic space had “shrunk as a result of the ongoing assault on the rights to freedom of expression, peaceful assembly and association, personal security and freedom of arbitrary detention”.

Concerns about human rights have intensified in Indonesia since former general Prabowo Subianto was elected president in February at his third attempt. Prabowo, who will formally take office in October, has been accused of serious rights abuses in East Timor and West Papua, where Indigenous people have been fighting for independence from Indonesia since the 1960s. He denies the allegations against him.

The report said it had discovered “numerous spyware imports or deployments between 2017 and 2023 by companies and state agencies in Indonesia, including the Indonesian National Police [Kepala Kepolisian Negara Republik] and the National Cyber and Crypto Agency [Badan Siber dan Sandi Negara]”.

Amnesty said the Indonesian police declined to respond to its queries over the research findings, while the National Crypto and Cyber Agency had not responded to its questions by the time of publication.

 

The investigation noted that several of the imports passed through intermediary firms in Singapore, “which appear to be brokers with a history of supplying surveillance technologies and/or spyware to state agencies in Indonesia”.

Over an investigation lasting several months, Amnesty collaborated with Indonesian news magazine Tempo, Israeli newspaper Haaretz, and news and research organisations based in Greece and Switzerland.

“The murky and complex ecosystem of suppliers, brokers, and retailers of spyware and surveillance, as well as complex corporate structures, allow this industry to evade accountability and regulation easily,” Amnesty International Indonesia director, Usman Hamid, was quoted as saying in Tempo.

It is not the first time that Indonesia has been linked to Israeli spyware, with Tempo reporting in 2023 that traces of NSO’s Pegasus spyware, which can infect targeted mobile phones without any user interaction, had been found in Indonesia.

In 2022, the Reuters news agency said more than a dozen senior Indonesian government and military officials had been targeted the year before with Israeli-made spyware.

Fake websites

Amnesty found evidence that, unlike Pegasus, much of the spyware required the target to click a link to lead them to a website, usually imitating the sites of legitimate news outlets or politically critical organisations.

Researchers found links between some of the fake sites and IP addresses linked to Wintego, Candiru (now named Saito Tech) and Intellexa, which is known for its Predator one-click spyware.

In the case of Intellexa, the fake sites mimicked Papuan news website Suara Papua as well as Gelora, which is the name for a political party but also an unrelated news outlet.

Amnesty also found Candiru-linked domains imitating legitimate Indonesian news sites, including the state news agency ANTARA.

Indonesia does not currently have laws that govern the lawful use of spyware and surveillance technologies but has legislation safeguarding freedom of expression, peaceful assembly and association, and personal security. It has also ratified multiple international human rights treaties, including the International Covenant on Civil and Political Rights (ICCPR).

Amnesty urged the Indonesian government to institute a ban on such highly invasive spyware.

Citing sources it did not name, Haaretz said NSO and Candiru were not currently active in Indonesia.

It reported that Singapore had summoned a senior Israeli official in the summer of 2020 after “authorities there had discovered that Israeli firms had sold advanced digital intelligence technologies to Indonesia”.

Responding to questions from Haaretz about Friday’s findings, NSO cited human rights regulations.

“With respect to your specific inquiries, there have been no active geolocation or mobile endpoint intelligence systems provided by the NSO Group to Indonesia under our current human rights due diligence procedure,” it was quoted as saying by the newspaper, referring to a framework it introduced in 2020.

Intellexa was founded by former Israeli military officer Tal Dilian [File: Yiannis Kourtoglou/Reuters]

Candiru, meanwhile, told Amnesty that it operated in accordance with Israeli defence export rules and could neither confirm nor deny the questions posed by the organisation.

Wintego did not respond to requests for comment on the research findings, Haaretz said.

Israel’s defence exports body declined to comment on whether it had approved sales to Indonesia.

It told Amnesty the sale of cyber surveillance systems was authorised only for government entities for “anti-terror and law enforcement purposes”.

The United States blacklisted NSO in 2021 over concerns its phone-hacking technology had been used by foreign governments to “maliciously target” political dissidents, journalists and activists. The designation makes it harder for US companies to do business with it.

Candiru and Intellexa are also subject to the US’s trade control rules.

In March, the US imposed sanctions on Intellexa for “developing, operating, and distributing commercial spyware technology used to target Americans, including US government officials, journalists, and policy experts”.


Nigeria’s cybercrime reforms leave journalists at risk | Cybercrime

The officers treated journalist Saint Mienpamo Onitsha as if he was violent and dangerous. Guns drawn, they arrested him at the home of a friend, drove him to the local police station in Nigeria’s southern Bayelsa State, and then flew him to the national capital, Abuja.

A week later, they charged Onitsha under the country’s 2015 Cybercrimes Act and detained him over his reporting about tensions in the oil-rich Niger Delta region. This was in October 2023. He was released on bail in early February and is due to appear before a court on June 4.

The Cybercrimes Act is tragically familiar to Nigeria’s media community. Since its enactment, at least 25 journalists have faced prosecution under the law, including four arrested earlier this year. Anande Terungwa, a lawyer for Onitsha, described the law to me as a tool misused to “hunt journalists”.

For years, media and human rights groups had been calling for the act to be amended to prevent its misuse as a tool for censorship and intimidation. Then, in November last year, Nigeria’s Senate proposed amendments and held a public hearing to help shape changes. The Committee to Protect Journalists (CPJ), alongside other civil society and press groups, submitted recommended reforms.

On February 28, Nigerian President Bola Tinubu signed amendments to the act, including revisions to a section criminalising expression online, according to a copy of the law shared with me by Yahaya Danzaria, the clerk of Nigeria’s House of Representatives. The changes, which have yet to be published in the government gazette, have buoyed hopes for improved press freedom, but the law continues to leave journalists at risk of arrest and surveillance.

“It’s better, but it’s definitely not where we want it to be,” Khadijah El-Usman, senior programs officer with the Nigeria-based digital rights group Paradigm Initiative, told me in a phone interview about the amended law. “There are still provisions that can be taken advantage of, especially by those in power.”

One of the primary concerns has been Section 24 of the law, which defines the crime of “cyberstalking”. It is this section that authorities repeatedly used to charge journalists, and it is one of the sections that was amended.

Under the previous version of the law, Section 24 criminalised the use of a computer to send messages deemed “grossly offensive, pornographic or of an indecent, obscene or menacing character”, and punished such offences with up to three years in prison and a fine. The same punishment applied for sending knowingly false messages “for the purpose of causing annoyance” or “needless anxiety”. In practice, this meant journalists risked jail time based on highly subjective interpretations of online reporting.

The amended version maintains the heavy penalty, but refines the offence as computer messages that are pornographic or knowingly false, “for the purpose of causing a breakdown of law and order, posing a threat to life, or causing such messages to be sent”. While the narrower language is welcome, the possibility for abuse remains.

“It could have been more specific in wording,” Solomon Okedara, a Lagos-based digital rights lawyer, told me after reviewing the amended section. He said it was an improvement because the burden of proof to bring charges is higher, but still leaves room for authorities to make arrests on claims that certain reporting has caused a “breakdown of law and order”.

It remains to be seen exactly how these changes will affect the cases of journalists and others previously charged under now-amended sections. “It is now for the lawyers to use,” Danzaria explained. “You cannot use an old law to prosecute somebody…if [the case] is ongoing, the new law supersedes whatever was in place.”

For Onitsha’s case, Terungwa said he would seek to incorporate the amendments into his defence in court. CPJ continues to call for authorities to drop all criminal prosecutions of journalists in connection with their work.

Another issue with the law – even after the recent amendments – is how it may permit surveillance abuses. Section 38 of Nigeria’s Cybercrimes Act fails to explicitly require law enforcement to obtain a court-issued warrant before accessing “traffic data” and “subscriber information” from service providers. This oversight gap is particularly concerning given how Nigeria’s police have used journalists’ call data to track and arrest them.

“I’m looking towards a future cybercrimes act that respects human rights,” El-Usman emphasised, noting the need for laws that guard against abuses, not just in Nigeria, but across the region. From Mali to Benin to Zimbabwe, authorities have used cybercrime laws and digital codes to arrest reporters for their work. Journalists’ privacy is also broadly under threat.

Nigeria’s lawmakers have proven they can act to improve freedom of the press and expression in their country, but journalists remain at risk. Those same lawmakers have the opportunity to make further reforms that would protect the press locally and send a rights-respecting message beyond their borders. Will they seize it?

The views expressed in this article are the author’s own and do not necessarily reflect Al Jazeera’s editorial stance.


Bombs and viruses: The shadowy history of Israel’s attacks on Iranian soil | Israel War on Gaza News

From cyberattacks and assassinations to drone strikes, Israel-linked plots have targeted Iran and its nuclear programme for years.

Israel’s leaders have signalled that they are weighing their options on how to respond to Iran’s attack early Sunday morning, when Tehran targeted its archenemy with more than 300 missiles and drones.

Iran’s attack, which followed an Israeli strike last week on the Iranian consulate in Damascus, Syria, that killed 13 people, was historic: It was the first time Tehran had directly targeted Israeli soil, despite decades of hostility. Until Sunday, many of Iran’s allies in the so-called axis of resistance — especially the Palestinian group Hamas, the Lebanese group Hezbollah, Yemen’s Houthis and armed groups in Iraq and Syria — were the ones who launched missiles and drones at Israel.

But if Israel were to hit back militarily inside Iran, it wouldn’t be the first time. Far from it.

For years, Israel has focused on one target within Iran in particular: the country’s nuclear programme. Israel has long accused Iran of clandestinely building a nuclear bomb that could threaten its existence — and has publicly, and frequently, spoken of its diplomatic and intelligence-driven efforts to derail those alleged efforts. Iran denies that it has had a military nuclear programme, while arguing that it has the right to access civil nuclear energy.

As Israel prepares its response, here’s a look at the range of attacks in Iran — from drone strikes and cyberattacks to assassinations of scientists and the theft of secrets — that Israel has either accepted it was behind or is accused of having orchestrated.

Assassinations of Iranian scientists

  • January 2010: A physics professor at Tehran University, Masoud Ali-Mohammadi, was killed through a remote-controlled bomb planted in his motorcycle. Iranian state media claimed that the US and Israel were behind the attack. The Iranian government described Ali-Mohammadi as a nuclear scientist.
  • November 2010: A professor at the nuclear engineering faculty at Shahid Beheshti University in Tehran, Majid Shahriari, was killed in a car explosion on his way to work. His wife was also wounded. The president of Iran at the time, Mahmoud Ahmadinejad, blamed the United States and Israel for the attacks.
  • January 2012: Mostafa Ahmadi Roshan, a chemical engineering graduate, was killed by a bomb placed on his car by a motorcyclist in Tehran. Iran blamed Israel and the US for the attack and said Ahmadi Roshan was a nuclear scientist who supervised a department at Iran’s primary uranium enrichment facility, in the city of Natanz.
  • November 2020: Prominent nuclear scientist Mohsen Fakhrizadeh was killed in a roadside attack outside Tehran. Western and Israeli intelligence had long suspected that Fakhrizadeh was the father of an Iranian nuclear weapons programme. He was sanctioned by the United Nations in 2007 and the US in 2008.
  • May 2022: Colonel Hassan Sayyad Khodaei of the Islamic Revolutionary Guard Corps (IRGC) was shot five times outside of his home in Tehran. Majid Mirahmadi, a member of Iran’s Supreme National Security Council, alleged the assassination was “definitely the work of Israel”.

Israel’s cyberattacks on Iran

  • June 2010: The Stuxnet virus was found in computers at the nuclear plant in Iran’s Bushehr city, and it spread from there to other facilities. As many as 30,000 computers across at least 14 facilities were impacted by September 2010. At least 1,000 out of 9,000 centrifuges in Iran’s Natanz enrichment facility were destroyed, according to an estimate by the Institute for Science and International Security. Upon investigation, Iran blamed Israel and the US for the virus attack.
  • April 2011: A virus called Stars was discovered by the Iranian cyberdefence agency which said the malware was designed to infiltrate and damage Iran’s nuclear facilities. The virus mimicked official government files and inflicted “minor damage” on computer systems, according to Gholamreza Jalali, the head of Iran’s Passive Defense Organization. Iran blamed Israel and the US.
  • November 2011: Iran said it discovered a new virus called Duqu, based on Stuxnet. Experts said Duqu was intended to gather data for future cyberattacks. The Iranian government announced it was checking computers at main nuclear sites. The Duqu spyware was widely believed by experts to have been linked to Israel.
  • April 2012: Iran blamed the US and Israel for malware called Wiper, which erased the hard drives of computers owned by the Ministry of Petroleum and the National Iranian Oil Company.
  • May 2012: Iran announced that a virus called Flame had tried to steal government data from government computers. The Washington Post reported that Israel and the US had used it to collect intelligence. Then-Israeli Vice Prime Minister Moshe Yaalon did not confirm the nation’s involvement but acknowledged that Israel would use all means to “harm the Iranian nuclear system”.
  • October 2018: The Iranian government said that it had blocked an invasion by a new generation of Stuxnet, blaming Israel for the attack.
  • October 2021: A cyberattack hit the system that allows Iranians to use government-issued cards to purchase fuel at a subsidised rate, affecting all 4,300 petrol stations in Iran. Consumers had to either pay the regular price, more than double the subsidised one, or wait for stations to reconnect to the central distribution system. Iran blamed Israel and the US.
  • May 2020: A cyberattack impacted computers that control maritime traffic at Shahid Rajaee port on Iran’s southern coast in the Gulf, creating a hold-up of ships that waited to dock. The Washington Post quoted US officials as saying that Israel was behind the attack, though Israel did not claim responsibility.

Israel’s drone strikes and raids on Iran

  • January 2018: Mossad agents raided a secure Tehran facility, stealing classified nuclear archives. In April 2018, Israeli Prime Minister Benjamin Netanyahu announced that Israel discovered 100,000 “secret files that prove” Iran lied about never having a nuclear weapons programme.
  • February 2022: Former Israeli Prime Minister Naftali Bennett admitted, in an op-ed published in The Wall Street Journal in December 2023, that Israel carried out an attack on an unmanned aerial vehicle and assassinated a senior IRGC commander in February of the previous year.
  • May 2022: Explosives-laden quadcopter suicide drones hit the Parchin military complex southeast of Tehran, killing an engineer and damaging a building where drones had been developed by the Ministry of Defence and Armed Forces. IRGC Commander Hossein Salami pledged retaliation against unspecified “enemies”.
  • January 2023: Several suicide drones struck a military facility in central Isfahan, but they were thwarted and caused no damage. While Iran did not immediately place blame for the attacks, Iran’s UN envoy, Amir Saeid Iravani, wrote a letter to the UN chief saying that “primary investigation suggested Israel was responsible”.
  • February 2024: A natural gas pipeline in Iran was attacked. Iran’s Oil Minister Javad Owji alleged that the “explosion of the gas pipeline was an Israeli plot”.


US firm AT&T says data of 73 million customers leaked on ‘dark web’ | Telecommunications News

At least 7.6 million existing AT&T account holders and 65.4 million former users hit by the breach, the company says.

Personal information belonging to millions of past and present AT&T customers has been leaked online, including Social Security numbers (SSNs), passcodes and contact details, the multinational company says.

In a statement on Saturday, the telecommunication network – the largest in the United States – said a recently discovered dataset on the “dark web” contained information for about 7.6 million current AT&T account holders and 65.4 million former users, totalling about 73 million affected accounts.

It is not known if the breach “originated from AT&T or one of its vendors”, the company said.

“To the best of our knowledge, the compromised data appears to be from 2019 or earlier and does not contain personal financial information or call history,” the statement added.

All 7.6 million existing account holders whose sensitive personal information was compromised were set to be notified about the breach, AT&T said. The company said it had already reset passcodes and was investigating the incident.

In addition to passcodes and SSNs, the hacked data possibly included email and mailing addresses, phone numbers and birth dates, AT&T added.

Reports of the breach first surfaced on a hacking forum nearly two weeks ago. It is unclear if the leak is linked to a similar breach in 2021 that was widely reported but that AT&T did not acknowledge.

A hacker at the time claimed to have access to data of 70 million AT&T customers, including their names, addresses, phone numbers, SSNs, and dates of birth.

Auction data on a hacking forum revealed the hacker attempted to sell the stolen information for thousands of dollars.

“If they assess this and they made the wrong call on it, and we’ve had a course of years pass without them being able to notify impacted customers” then it’s likely the company will soon face class action lawsuits, cybersecurity expert Troy Hunt told The Associated Press news agency.

Troy, the creator of Have I Been Pwned? – a website that alerts subscribers to data breaches – said in a blogpost at least 153,000 of his customers were affected.

The Dallas-based company faced challenges earlier in February after an outage temporarily knocked out mobile phone service for thousands of users.

AT&T blamed the incident on a technical coding error, not a malicious attack. Other networks were also affected, but AT&T appeared to be the hardest hit.




Crypto Ransom Attack Payments Hit Record $1 Billion in 2023: Chainalysis

Payments from crypto-related ransom attacks nearly doubled to a record $1 billion (roughly Rs. 8,304 crore) in 2023, blockchain analytics firm Chainalysis said on Wednesday.

Scammers targeting institutions such as hospitals, schools and government offices for ransom pocketed $1.1 billion (roughly Rs. 9,133 crore) last year, compared with $567 million (roughly Rs. 4,708 crore) in 2022.

However, losses stemming from other crypto-related crimes such as scamming and hacking fell in 2023, Chainalysis said.

Bitcoin, the largest cryptocurrency, has jumped 60 percent since the end of September to $43,134 (roughly Rs. 35,81,500) on enthusiasm about a new US Bitcoin ETF and on signs central banks around the world will begin trimming interest rates.

“An increasing number of new players were attracted by the potential for high profits and lower barriers to entry,” Chainalysis said.

“Big game hunting” has become the dominant strategy over the last few years, with a dominant share of all ransom revenue volume made up of payments of $1 million (roughly Rs. 8.3 crore) or more, Chainalysis added.

A group of digital extortionists named “cl0p”, which subverted the file-sharing software MOVEit, made nearly $100 million (roughly Rs. 830 crore) in ransom payments, the analytics company said.

Hundreds of organizations, including government departments, the UK’s telecom regulator and energy giant Shell, have reported cybersecurity breaches involving the MOVEit software tool, which is typically used to transfer large amounts of often sensitive data, including pension information and social security numbers.

A report in November showed that cybercrime group “Black Basta” had extorted at least $107 million in bitcoin, with much of the laundered ransom payments making their way to the sanctioned Russian cryptocurrency exchange Garantex.

Cryptocurrency theft via cyberheists and ransomware attacks is also a significant source of funding for North Korea, according to UN reports.

Chainalysis’ figures undervalue crypto’s role in all crime as it only tracks cryptocurrency sent to wallet addresses identified as illicit. It does not include payments for non-crypto-related crime such as crypto used in drug trafficking deals.

© Thomson Reuters 2024



Indian journalists targeted by Israeli spyware again: What do we know? | Freedom of the Press News

A new forensic investigation by Amnesty International and The Washington Post has shown the use of the Israeli Pegasus spyware, likely by the Indian government, to surveil high-profile Indian journalists. A report detailing the findings was published on Thursday. Here is what we know.

What does the report say?

The report, published by Amnesty’s Security Lab, found continued use of the software to target high-profile Indian journalists, including one who had previously been a victim of attacks using the same spyware.

Founding editor of The Wire, Siddharth Varadarajan, and South Asia editor at the Organized Crime and Corruption Reporting Project (OCCRP), Anand Mangnale, were among those recently targeted using Pegasus spyware on their iPhones. The latest attack was identified in October this year.

On October 31, Apple, the manufacturer of iPhones, issued notifications to users worldwide who may have been targeted by “state-sponsored” attacks. Out of the users warned, over 20 were opposition leaders and journalists in India.

These included firebrand opposition legislator Mahua Moitra. Known for her sharp questions in parliament, Moitra was recently expelled over an allegation of misconduct after she had repeatedly raised questions about alleged benefits handed by the government to the Adani Group, a business house widely seen as close to Prime Minister Narendra Modi.

Amnesty was able to find an attacker-controlled email address used to target Mangnale, who was working on a story about an alleged stock manipulation by a large multinational conglomerate in India at the time of the attack. It is currently unclear whether the attempt succeeded in breaking into and compromising Mangnale’s phone.

The Washington Post article about the investigation said that Mangnale’s phone was attacked within 24 hours of his reaching out to the tycoon Gautam Adani.

The same email address was used to target Varadarajan on October 16. So far, there is also no indication as to whether this attack was successful.

These attacks come just months before India’s national elections, in which a broad coalition of opposition parties is taking on Modi’s Bharatiya Janata Party (BJP).

When has Pegasus been used to attack Indian journalists before?

Amnesty previously discovered that Varadarajan’s phone was targeted and infected by Pegasus in 2018. His devices were analysed by a committee established by the Indian Supreme Court in 2021. The investigation was concluded in 2022 and its findings were not publicised.

“The court noted, however, that the Indian authorities ‘did not cooperate’ with the technical committee’s investigations,” said the Amnesty report.

In 2021, leaked documents showed that the spyware was used against over 1,000 Indian phone numbers as New Delhi was accused of using Pegasus to surveil journalists, opposition politicians and activists. This list was shared with news outlets by Amnesty and Paris-based journalism non-profit, Forbidden Stories.

What is Pegasus and how exactly does it work?

Pegasus is spyware developed by the Israeli cyber-arms and intelligence company Niv, Shalev and Omri (NSO) Group Technologies. It was launched in August 2016. NSO claims that the spyware is only used by governments and official law enforcement agencies to help with rescue operations and curb criminal or terrorist activity.

If a phone is attacked by Pegasus, the phone can turn into a surveillance device, allowing Pegasus to access text messages, phone calls, photos and videos. It can also access the phone’s camera, location and microphone, recording audio or video without the phone’s owner knowing.

Early versions of the spyware targeted users through phishing attacks. This means a malicious link was sent to targets through emails or text messages. If the targets clicked on the link, the spyware would be installed on their phones.

However, the technology has advanced since then and now Pegasus can be installed without the target having to click a malicious link. Instead, it can infect a device through what are known as “zero-click” attacks. This is done by exploiting vulnerabilities in phones’ operating systems that even the developers are unaware of.

Encrypted applications such as WhatsApp are not only compromised but are now being used to infect devices with the spyware. In 2019, WhatsApp confirmed that its platform was used to send malware to more than 1,400 phones, including several Indian journalists and human rights activists.

Users would get a WhatsApp call and the software would be installed on their phone even if they didn’t pick up the call. On iPhones, the iMessage software has also been used.

Due to the rapid advancements in the technology, it has become harder to detect the presence of Pegasus through telltale signs. While it is unlikely for regular phones to be under threat, phones belonging to activists and high-profile journalists are under threat of being surveilled through the spyware.

Is India suppressing freedom of speech?

Many journalists’ bodies and rights groups have warned that press freedom has dwindled under the Modi government, with several journalists arrested.

India has fallen to 161st in the World Press Freedom Index from 150th last year, its lowest ever. The Modi government rejects this index and questions its methodology, arguing that India has a free press.

In early October, Indian police carried out raids against dozens of reporters, arresting Prabir Purkayastha, editor of the independent and critical NewsClick website. Many other reporters from NewsClick had their devices and homes searched.




India targeted high-profile journalists with Pegasus spyware: Amnesty | Cybersecurity News

Investigation shows journalists in India face ‘threat of unlawful surveillance’ along with other ‘tools of repression’.

India’s government has used the highly invasive Pegasus spyware to target high-profile journalists, according to a new investigation by Amnesty International and The Washington Post.

The findings, published on Thursday, noted India’s repeated use of Pegasus against journalists, including one who was previously a victim of an attack using the same spyware.

Created by Israeli firm NSO Group, Pegasus can be used to access a phone’s messages and emails, peruse photos, eavesdrop on calls, track locations and even film the owner with the camera.

Watchdogs have documented widespread use of the spyware – which NSO says is only sold to governments or security agencies – against journalists and activists in dozens of countries, including India.

Amnesty said journalists Siddharth Varadarajan, founding editor of digital media outlet The Wire, and Anand Mangnale, South Asia editor at The Organized Crime and Corruption Reporting Project (OCCRP), had been targeted with the spyware on their iPhones, with the latest identified case in October 2023.

“Increasingly, journalists in India face the threat of unlawful surveillance simply for doing their jobs, alongside other tools of repression including imprisonment under draconian laws, smear campaigns, harassment and intimidation,” said Donncha O Cearbhaill, the head of Amnesty’s Security Lab.

“Despite repeated revelations, there has been a shameful lack of accountability about the use of Pegasus spyware in India which only intensifies the sense of impunity over these human rights violations.”

Amnesty said its Security Lab recovered evidence from Mangnale’s device that a zero-click exploit designed to covertly install Pegasus was sent to his phone.

A zero-click exploit refers to malicious software that allows spyware to be installed on a device without the user needing to click on a link.

‘Unlawful attack’

In October, Apple issued a new round of threat notifications globally to iPhone users who may have been targeted by “state-sponsored attackers”. More than 20 journalists and opposition politicians in India were reported to have received the notifications.

Mangnale’s phone was targeted at a time when he was working on a story about an alleged stock manipulation by a large multinational conglomerate in India, Amnesty said.

The OCCRP published an investigation in August into the financial dealings of Indian tycoon Gautam Adani, a key ally of Indian Prime Minister Narendra Modi.

Mangnale told the AFP news agency that he was targeted “within hours” of sending questions to the Adani Group on behalf of the OCCRP.

Varadarajan – who was previously hacked with Pegasus spyware in 2018 – suggested to The Washington Post that he had been targeted for leading opposition to the detention of a prominent news publisher in New Delhi.

India’s government did not immediately respond to questions about the investigation.

In 2021, New Delhi was accused of using Pegasus to surveil journalists, opposition politicians and activists, with leaked documents showing the spyware had been used against more than 1,000 Indian phone numbers.

“Targeting journalists solely for doing their work amounts to an unlawful attack on their privacy and violates their right to freedom of expression. All states, including India, have an obligation to protect human rights by protecting people from unlawful surveillance,” Amnesty’s O Cearbhaill said.

Activists say press freedom in the world’s biggest democracy has suffered during Modi’s tenure. India has fallen 21 spots to 161 out of 180 countries in the World Press Freedom Index, compiled by Reporters Without Borders, since he took office in 2014.


South Korea sanctions North Korean spy chief over illicit cyber activities | Cybercrime News

Pyongyang is thought to use the money stolen in cyber-heists to fund its illegal weapons programmes.

South Korea has imposed sanctions on North Korea’s spy chief and seven other North Koreans for alleged illicit cyber activities, which are believed to fund their country’s nuclear weapons and conventional missile programmes.

Ri Chang Ho, the head of the Reconnaissance General Bureau, was sanctioned for his involvement in “earning foreign currency through illegal cyber activities and technology theft”, Seoul’s Foreign Ministry said in a statement on Wednesday.

His activities contributed to “generating revenue for the North Korean regime and procuring funds for its nuclear and missile activities”, it added.

Ri heads the agency that is believed to be the parent organisation for North Korean hacking groups Kimsuky, Lazarus and Andariel, which have been previously sanctioned by Seoul. A United Nations report earlier this year found North Korea was using ever more sophisticated techniques to target foreign aerospace and defence companies, and steal a record amount of cryptocurrency assets.

Pyongyang is already under international sanctions for its atomic bomb and ballistic missile programmes, which have seen rapid progress under leader Kim Jong Un who has moved ahead with his plan to modernise the military and acquire ever more advanced weaponry.

The sanctions’ announcement came weeks after Seoul, Tokyo and Washington launched new three-way initiatives encompassing measures to address North Korea’s cybercrime, cryptocurrency and money laundering activities, which are believed to fund the country’s nuclear and missile programmes.

Along with Ri, Seoul has sanctioned seven other North Koreans, including former China-based diplomat Yun Chol, for being involved in the “trade of lithium-6, a nuclear-related mineral and UN-sanctioned material for North Korea”.

Those blacklisted are barred from conducting foreign exchange and financial transactions with South Korean nationals without prior authorisation from Seoul, measures analysts say are mostly symbolic given the scant trade between the two countries.

Seoul has now blacklisted 83 individuals and 53 entities related to Pyongyang’s weapons programmes since October last year, its Foreign Ministry said.

North Korea has recently ramped up its nuclear and military threats, successfully launching a reconnaissance satellite on its third attempt in November and earlier this month testing the solid-fuel Hwasong-18, its most advanced intercontinental ballistic missile (ICBM), for the third time in 2023.

Kim said last week that Pyongyang would not hesitate to launch a nuclear attack if it was “provoked” with nuclear weapons.

“Our government has made it clear that North Korea’s provocations will inevitably come with a price,” Seoul’s Foreign Ministry said in its statement on Wednesday.

“Our government will continue to closely cooperate with the international community… to make North Korea realise this fact, cease provocations, and engage in dialogue for denuclearisation.”

According to Seoul, Tokyo and Washington, Pyongyang stole as much as $1.7bn in cryptocurrency last year alone and supported its weapons programmes in part by gathering information through “malicious cyber activities”.

In June, Seoul sanctioned a Russian national over allegedly founding a North Korean front company in Mongolia to assist Pyongyang in evading sanctions to secure financing for its banned weapons programmes.

The latest sanctions were announced as Kim opened a year-end meeting of the country’s ruling party.

Kim told delegates that 2023 had been a “year of great turn and great change” as well as one of “great importance”, according to the official Korean Central News Agency.

He also noted that the country’s new weapons, including its spy satellite, had “unswervingly put” North Korea “on the position of a military power”.
