Hackers targeting groups involved in COVID-19 vaccine distribution, IBM warns

By Raphael Satter

WASHINGTON (Reuters) – IBM is sounding the alarm over hackers targeting companies critical to the distribution of COVID-19 vaccines, a sign that digital spies are turning their attention to the complex logistical work involved in inoculating the world’s population against the novel coronavirus.

The information technology company said in a blog post published on Thursday that it had uncovered “a global phishing campaign” focused on organizations associated with the COVID-19 vaccine “cold chain” – the process needed to keep vaccine doses at extremely cold temperatures as they travel from manufacturers to people’s arms.

The U.S. Cybersecurity and Infrastructure Security Agency reposted the report, warning members of Operation Warp Speed – the U.S. government’s national vaccine mission – to be on the lookout.

Understanding how to build a secure cold chain is fundamental to distributing vaccines developed by the likes of Pfizer Inc and BioNTech because the shots need to be stored at minus 70 degrees Celsius (-94 F) or below to avoid spoiling.

IBM’s cybersecurity unit said it had detected an advanced group of hackers working to gather information about different aspects of the cold chain, using meticulously crafted booby-trapped emails sent in the name of an executive with Haier Biomedical, a Chinese cold chain provider that specializes in vaccine transport and biological sample storage.

The hackers went through “an exceptional amount of effort,” said IBM analyst Claire Zaboeva, who helped draft the report. Hackers researched the correct make, model, and pricing of various Haier refrigeration units, Zaboeva said.

“Whoever put together this campaign was intimately aware of whatever products were involved in the supply chain to deliver a vaccine for a global pandemic,” she said.

Messages sent to the email addresses used by the hackers were not returned.

IBM said the bogus Haier emails were sent to around 10 different organizations but only identified one target by name: the European Commission’s Directorate-General for Taxation and Customs Union, which handles tax and customs issues across the EU and has helped set rules on the import of vaccines.

In a statement, the European Commission said it was aware that it had been targeted by a hacking campaign.

“We have taken the necessary steps to mitigate the attack and are closely following and analyzing the situation,” the statement said.

IBM said other targets included companies involved in the manufacture of solar panels, which are used to power vaccine refrigerators in warm countries, and petrochemical products that could be used to derive dry ice.

Who is behind the vaccine supply chain espionage campaign is not clear.

Reuters has previously documented how hackers linked to Iran, Vietnam, North Korea, South Korea, China, and Russia have on separate occasions been accused by cybersecurity experts or government officials of trying to steal information about the virus and its potential treatments.

IBM’s Zaboeva said there was no shortage of potential suspects. Figuring out how to swiftly distribute an economy-saving vaccine “should be topping the lists of nation states across the world,” she said.

(Reporting by Raphael Satter; editing by Grant McCool and Rosalba O’Brien)

Exclusive: Hackers test defenses of Trump campaign websites ahead of U.S. election, security staff warn

By Jack Stubbs

LONDON (Reuters) – Hackers have stepped up efforts to knock Trump campaign and business websites offline ahead of the U.S. election, in what a security firm working for the campaign said could be preparation for a larger digital assault, according to emails seen by Reuters.

The security assessment was prepared by staff at U.S. cybersecurity firm Cloudflare, which has been hired by President Donald Trump to help defend his campaign’s websites in an election contest overshadowed by warnings about hacking, disinformation and foreign interference.

Cloudflare is widely used by businesses and other organizations to help defend against distributed denial-of-service (DDoS) attacks, which aim to take down websites by flooding them with malicious traffic.

Internal Cloudflare emails sent to senior company managers – including CEO Matthew Prince – on July 9 state that the number and severity of attacks on Trump websites increased in the preceding two months and reached record levels in June. The emails did not give the total number of attacks.

“As we get closer to the election, attacks are increasing in both numbers (and) sophistication” and succeeded in disrupting access to the targeted websites for short periods of time between March 15 and June 6, the assessment said.

Cloudflare did not respond directly to questions about the emails or their contents. The company said it was providing security services to both U.S. presidential campaigns and declined to answer further questions about the nature or details of its work.

“We have seen an increase in cyber attacks targeting political candidates. We will continue to work to ensure these attacks do not disrupt free and fair elections,” it said in a statement when asked about the emails.

A spokesman for the Trump campaign did not respond to a request for comment. The Biden campaign declined to comment on its work with Cloudflare or any attacks on its websites.

A spokeswoman for the Trump Organization said no Trump websites had been taken offline by cyber attacks. She did not respond to further questions about the attacks or Trump’s work with Cloudflare.

Cloudflare’s security team did not comment on the identity of the hackers and Reuters was not able to determine who was responsible for the attacks.

DDoS attacks are viewed by cybersecurity experts as a relatively crude form of digital sabotage – easily deployed by anyone from tech-savvy teenagers to top-end cyber criminals.

But seven of the attacks on Trump websites, including donaldjtrump.com and a Trump-owned golf course, were judged to be more serious by the Cloudflare security team, the emails show.

The increasing number and sophistication of attempts suggested the attackers were “probing” the website defenses to establish what would be needed to take them fully offline, the security assessment said.

“We therefore cannot discount the possibility that there are attackers using this as an opportunity to collect information for more sophisticated attacks,” it added.

The Cloudflare team said they would continue to monitor the attacks and carry out “a further round of security hardening” to better protect the websites.

(Additional reporting by Joseph Menn in SAN FRANCISCO; Editing by Jonathan Weber and Edward Tobin)

North Korea hacking threatens U.S., other countries, international financial system: U.S. State Department

WASHINGTON (Reuters) – U.S. government officials warned on Wednesday about the threat of North Korean hackers, calling particular attention to banking and other finance.

The reason for the advisory – which was jointly issued by the U.S. Departments of State, Treasury, and Homeland Security, and the Federal Bureau of Investigation – was unclear. North Korean hackers have long been accused of targeting financial institutions, and the content of the warning appeared to draw on material already in the public domain.

Requests for comment sent to the U.S. agencies were not immediately returned. The North Korean mission to the United Nations in New York did not immediately respond to a request for comment.

North Korea is alleged to be behind an ambitious, years-long campaign of digital theft, including siphoning tens of millions of dollars in cash from ATMs, carrying out gigantic thefts at major banks, extorting computer users worldwide, and hijacking digital currency exchanges. The global money-grab has been a topic of increasing international concern.

Last year, for example, a U.N. report said that North Korea had generated an estimated $2 billion for its weapons of mass destruction programs using “widespread and increasingly sophisticated” hacking efforts.

In Wednesday’s advisory, U.S. officials said North Korea’s online activities “threaten the United States and countries around the world and, in particular, pose a significant threat to the integrity and stability of the international financial system.”

(Reporting by Lisa Lambert, Tim Ahmann, and Raphael Satter in Washington. Additional reporting by Michelle Nichols in New York. Editing by Steve Orlofsky)

Exclusive: Iran-linked hackers pose as journalists in email scam

By Raphael Satter and Christopher Bing

WASHINGTON (Reuters) – When Iranian-born German academic Erfan Kasraie received an email from The Wall Street Journal requesting an interview, he sensed something was amiss.

The Nov. 12 note purportedly came from Farnaz Fassihi, a veteran Iranian-American journalist who covers the Middle East. Yet it read more like a fan letter, asking Kasraie to share his “important achievements” to “motivate the youth of our beloved country.”

“This interview is a great honor for me,” the note gushed.

Another red flag: the follow-up email that instructed Kasraie to enter his Google password to see the interview questions.

The phony request was in reality an attempt to break into Kasraie’s email account. The incident is part of a wider effort to impersonate journalists in hacking attempts that three cybersecurity firms said they have tied to the Iranian government, which rejected the claim. The incidents come to light at a time when the U.S. government has warned of Iranian cyber threats in the wake of the U.S. air strike that killed Iran’s second most powerful official, Major-General Qassem Soleimani.

In a report https://blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten published Wednesday, London-based cybersecurity company Certfa tied the impersonation of Fassihi to a hacking group nicknamed Charming Kitten, which has long been associated with Iran. Israeli firm ClearSky Cyber Security provided Reuters with documentation of similar impersonations of two media figures at CNN and Deutsche Welle, a German public broadcaster. ClearSky also linked the hacking attempts to Charming Kitten, describing the individuals targeted as Israeli academics or researchers who study Iran. ClearSky declined to give the specific number of people targeted or to name them, citing client confidentiality.

Iran denies operating or supporting any hacking operation. Alireza Miryousefi, the spokesman for the Islamic Republic’s mission to the United Nations, said that firms claiming otherwise “are merely participants in the disinformation campaign against Iran.”

Reuters uncovered similar hacking attempts on two other targets, which the two cybersecurity firms, along with a third firm, Atlanta-based Secureworks, said also appeared to be the work of Charming Kitten. Azadeh Shafiee, an anchor for London-based satellite broadcaster Iran International, was impersonated by hackers in attempts to break into the accounts of a relative of hers in London and Prague-based Iranian filmmaker Hassan Sarbakhshian.

Sarbakhshian – who fled the Islamic Republic amid a crackdown that saw the arrest of several fellow photojournalists in 2009 – was also targeted with an email that claimed to be from Fassihi. The message asked him to sign a contract to sell some of his pictures to The Wall Street Journal. Sarbakhshian said in an interview that he was suspicious of the message and didn’t respond.

Neither did the ruse fool Kasraie, an academic who frequently appears on television criticizing Iran’s government.

“I understood 100 percent that it was a trap,” he said in an interview.

That’s not surprising given the hackers’ sloppy tactics. For instance, they missed the fact that Fassihi had left the Journal last year for a new job at The New York Times.

The Journal declined to comment. Fassihi referred questions to The Times, which in a statement called the impersonation “a vivid example of the challenges journalists are facing around the globe.”

U.S. officials and cybersecurity experts see Iran as a digital threat. Earlier this month, the U.S. Department of Homeland Security and the Federal Bureau of Investigation (FBI) issued alerts about the threat of Iranian cyberattacks following the controversial U.S. attack that killed Soleimani. Microsoft, which tracks attempts to undermine election security, in October accused Charming Kitten of targeting a U.S. presidential campaign; sources told Reuters https://reut.rs/38a9rEM at the time that the campaign was Donald Trump’s.

Homeland Security and FBI spokespeople declined to comment on the recent impersonations identified by Reuters. Certfa, ClearSky, and Secureworks said they could be tied to Charming Kitten through a study of the tactics, targets, and digital infrastructure involved – including servers, link shortening services, and domain registration patterns.

“This activity does align with prior Iranian cyber operations,” said Allison Wikoff, a Secureworks researcher who has tracked Charming Kitten for years.

In early 2019, the United States indicted Behzad Mesri – who ClearSky has linked to Charming Kitten through emails and social media activity – on charges of recruiting a former U.S. Air Force intelligence officer to spy on behalf of Iran. Mesri remains at large and could not be reached for comment.

Other impersonated journalists included CNN national security analyst Samantha Vinograd, whose identity was stolen in August and used in attempts to break into email accounts in Israel, ClearSky said. Another was Michael Hartlep, a Berlin-based videojournalist who has done freelance assignments for Deutsche Welle and Reuters. ClearSky found his name on an email inviting recipients to a bogus Deutsche Welle webinar on Iran’s role in the Middle East. The firm did not find evidence that the Reuters name was used in hacking attempts.

In another case, the hackers appear to have invented a journalist – “Keyarash Navidpour” – to send out a phony invitation on Jan. 4 to an online seminar that it claimed Deutsche Welle would hold about the killing of Soleimani the day before. No such journalist works for Deutsche Welle, said the news organization’s spokesman Christoph Jumpelt.

Vinograd referred questions to CNN, which did not return messages seeking comment. Hartlep told Reuters he worried such stunts might give sources second thoughts about answering a reporter’s queries.

“If this becomes the usual way of tricking people,” he said, “definitely it makes our work very hard.”

(Reporting by Raphael Satter and Christopher Bing in Washington; Additional reporting by Michelle Nichols in New York and Parisa Hafezi in London; Editing by Chris Sanders and Brian Thevenot)

U.S. charges two Russians in international hacking, malware conspiracy

By Jonathan Stempel and Raphael Satter

WASHINGTON (Reuters) – Two Russian residents have been criminally charged in the United States over an alleged multi-year, international scheme to steal money and property by using malware to hack into computers, according to an indictment made public on Thursday.

Maksim Yakubets was accused of being the leader of a group of conspirators involved with the Bugat malware and botnet, while his close associate Igor Turashev allegedly handled various functions for the conspiracy, the indictment said.

The indictment identifies Yakubets as one of the earliest users of a family of malicious software tools called Bugat — better known as Dridex — which has been bedeviling American banks and businesses for more than eight years.

Cybersecurity experts say the malware, which first appeared in late 2011, is responsible for millions of dollars in damages worldwide. Experts have long speculated that the malware is the brainchild of a Russian hacking group.

The conspiracy allegedly began around November 2011, and several entities – including a school, an oil firm and First Commonwealth Bank – were among the defendants’ victims, according to the indictment filed with the federal court in Pittsburgh. Two of the transactions were processed through Citibank in New York, the indictment says.

The indictment is dated Nov. 12 but was unsealed on Thursday.

U.S. and British authorities are expected later Thursday to detail charges against a Russian national over allegations of computer hacking and bank fraud schemes, according to a U.S. Department of Justice statement.

That announcement characterized the Russian national as being “allegedly responsible for two of the worst computer hacking and bank fraud schemes of the past decade.”

Malware is a software program designed to gather sensitive information, such as passwords and bank account numbers, from private computers by installing viruses and other malicious programs.

Spokespeople for First Commonwealth Bank and Citibank did not immediately respond to requests for comment.

(Reporting by Susan Heavey, Lisa Lambert and Jonathan Stempel; additional reporting by Raphael Satter; Editing by Steve Orlofsky and Nick Zieminski)

Facebook suspends Russian Instagram accounts targeting U.S. voters

FILE PHOTO: Silhouettes of mobile users are seen next to a screen projection of Instagram logo in this picture illustration taken March 28, 2018. REUTERS/Dado Ruvic/Illustration/File Photo

By Jack Stubbs and Christopher Bing

LONDON/WASHINGTON (Reuters) – Facebook Inc. said on Monday it has suspended a network of Instagram accounts operated from Russia that targeted Americans with divisive political messages ahead of next year’s U.S. presidential election, with operators posing as people within the United States.

Facebook said it also had suspended three separate networks operated from Iran. The Russian network “showed some links” to Russia’s Internet Research Agency (IRA), Facebook said, an organization Washington has said was used by Moscow to meddle in the 2016 U.S. election.

“We see this operation targeting largely U.S. public debate and engaging in the sort of political issues that are challenging and sometimes divisive in the U.S. right now,” said Nathaniel Gleicher, Facebook’s head of cybersecurity policy.

“Whenever you do that, a piece of what you engage on are topics that are going to matter for the election. But I can’t say exactly what their goal was.”

Facebook also announced new steps to fight foreign interference and misinformation ahead of the November 2020 election, including labeling state-controlled media outlets and adding greater protections for elected officials and candidates who may be vulnerable targets for hacking.

U.S. security officials have warned that Russia, Iran and other countries could attempt to sway the result of next year’s presidential vote. Officials say they are on high alert for signs of foreign influence campaigns on social media.

Moscow and Tehran have repeatedly denied the allegations.

Gleicher said the IRA-linked network used 50 Instagram accounts and one Facebook account to gather 246,000 followers, about 60% of which were in the United States.

The earliest accounts dated to January this year and the operation appeared to be “fairly immature in its development,” he said.

“They were pretty focused on audience-building, which is the thing you do first as you’re sort of trying to set up an operation.”

Ben Nimmo, a researcher with social media analysis company Graphika, whom Facebook commissioned, said the flagged accounts shared material that could appeal to Republican and Democratic voters alike.

Most of the messages plagiarized material authored by leading conservative and progressive pundits. This included recycling comments initially shared on Twitter that criticized U.S. congresswoman Alexandria Ocasio-Cortez, Democratic presidential candidate Joe Biden and current President Donald Trump.

“What’s interesting in this set is so much of what they were doing is copying and pasting genuine material from actual Americans,” Nimmo told Reuters. “This may be indicative of an effort to hide linguistic deficiencies, which have made them easier to detect in the past.”

Attorneys for Concord Management and Consulting LLC have denied any wrongdoing. U.S. prosecutors say the firm is controlled by Russian catering tycoon Evgeny Prigozhin and helped orchestrate the IRA’s operations.

Gleicher said the separate Iranian network his team identified used more than 100 fake and hacked accounts on Facebook and Instagram to target U.S. users and some French-speaking parts of North Africa. Some accounts also repurposed Iranian state media stories to target users in Latin American countries including Venezuela, Brazil, Argentina, Bolivia, Peru, Ecuador and Mexico.

The activity was connected to an Iranian campaign first identified in August last year, which Reuters showed aimed to direct internet users to a sprawling web of pseudo-news websites which repackaged propaganda from Iranian state media.

The accounts “typically posted about local political news and geopolitics including topics like public figures in the U.S., politics in the U.S. and Israel, support of Palestine and conflict in Yemen,” Facebook said.

(Reporting by Jack Stubbs; Additional reporting by Elizabeth Culliford in San Francisco; Editing by Chris Reese, Tom Brown and David Gregorio)

U.S. imposes sanctions on North Korean hacking groups blamed for global attacks

FILE PHOTO: A North Korean flag flies on a mast at the Permanent Mission of North Korea in Geneva October 2, 2014. REUTERS/Denis Balibouse/File Picture

WASHINGTON (Reuters) – The U.S. Treasury on Friday announced sanctions on three North Korean hacking groups it said were involved in the “WannaCry” ransomware attacks and hacking of international banks and customer accounts.

It named the groups as Lazarus Group, Bluenoroff, and Andariel and said they were controlled by the RGB, North Korea’s primary intelligence bureau, which is already subject to U.S. and United Nations sanctions.

The action blocks any U.S.-related assets of the groups and prohibits dealings with them. The Treasury statement said any foreign financial institution that knowingly facilitated significant transactions or services for them could also be subject to sanctions.

“Treasury is taking action against North Korean hacking groups that have been perpetrating cyberattacks to support illicit weapon and missile programs,” said Sigal Mandelker, Treasury undersecretary for Terrorism and Financial Intelligence.

“We will continue to enforce existing U.S. and U.N. sanctions against North Korea and work with the international community to improve the cybersecurity of financial networks.”

The United States has been attempting to restart talks with North Korea, aimed at pressing the country to give up its nuclear weapons. The talks have been stalled over North Korean demands for concessions, including sanctions relief.

Earlier this month, North Korea denied U.N. allegations it had obtained $2 billion through cyberattacks on banks and cryptocurrency exchanges and accused the United States of spreading rumors.

The Treasury statement said Lazarus Group was involved in the WannaCry ransomware attack that the United States, Australia, Canada, New Zealand and the United Kingdom publicly attributed to North Korea in December 2017.

It said WannaCry affected at least 150 countries and shut down about 300,000 computers, including many in Britain’s National Health Service (NHS). The NHS attack led to the cancellation of more than 19,000 appointments and ultimately cost the service over $112 million, the biggest known ransomware attack in history.

The Treasury said Lazarus Group was also directly responsible for 2014 cyber-attacks on Sony Pictures Entertainment.

The statement cited industry and press reporting as saying that by 2018, Bluenoroff had attempted to steal over $1.1 billion from financial institutions and successfully carried out operations against banks in Bangladesh, India, Mexico, Pakistan, Philippines, South Korea, Taiwan, Turkey, Chile, and Vietnam.

It said Bluenoroff worked with the Lazarus Group to steal approximately $80 million from the Central Bank of Bangladesh’s New York Federal Reserve account.

Andariel, meanwhile, was observed by cyber security firms attempting to steal bank card information by hacking into ATMs to withdraw cash or steal customer information to later sell on the black market, the statement said.

Andariel was also responsible for developing and creating unique malware to hack into online poker and gambling sites and, according to industry and press reporting, targeted the South Korean government and military in an effort to gather intelligence, it said.

(Reporting by David Brunnstrom and Lisa Lambert; Editing by Raissa Kasolowsky and Rosalba O’Brien)

Chinese government hackers suspected of moonlighting for profit

FILE PHOTO: An attendee looks on during the 2016 Black Hat cyber-security conference in Las Vegas, Nevada, U.S. August 3, 2016. REUTERS/David Becker/File Photo

By Joseph Menn, Jack Stubbs and Christopher Bing

LAS VEGAS (Reuters) – One of the most effective teams of Chinese government-backed hackers is also conducting financially-motivated side operations, cybersecurity researchers said on Wednesday.

U.S. firm FireEye said members of the group it called Advanced Persistent Threat 41 (APT41) penetrated and spied on global tech, communications and healthcare providers for the Chinese government while using ransomware against game companies and attacking cryptocurrency providers for personal profit.

The findings, announced at the Black Hat security conference in Las Vegas, show how some of the world’s most advanced hackers increasingly pose a threat to consumers and companies not traditionally targeted by state-backed espionage campaigns.

“APT41 is unique among the China-Nexus actors we track in that it uses tools typically reserved for espionage campaigns in what appears to be activity for personal gain,” said FireEye Senior Vice President Sandra Joyce.

Officials in China did not immediately respond to Reuters’ request for comment. Beijing has repeatedly denied Western accusations of conducting widespread cyber espionage.

FireEye said the APT41 group used some of the same tools as another group it has previously reported on, which FireEye calls APT17 and Russian security firm Kaspersky calls Winnti.

Current and former Western intelligence officials told Reuters Chinese hacking groups were known to pursue commercial crimes alongside their state-backed operations.

FireEye, which sells cybersecurity software and services, said one member of APT41 advertised as a hacker for hire in 2009 and listed hours of availability outside of the normal workday, circumstantial evidence of moonlighting.

The group has used spear-phishing, or trick emails designed to elicit login information. But it has also deployed rootkits, which are relatively rare and give hard-to-detect control over computers. In all, the group has used nearly 150 unique pieces of malware, FireEye said.

The most technically impressive feats included tainting millions of copies of a utility called CCleaner, now owned by security company Avast. Only a small number of specially selected, high-value computers were fully compromised, making detection of the hack more difficult.

Avast said that it had worked with security researchers and law enforcement to stop the attack and that no damage was detected. The company did not have any immediate further comment on Wednesday.

In March, Kaspersky found the group hijacked Asus’ software update process to reach more than 1 million computers, again targeting a much smaller number of end-users. Asus said the next day it had issued a fix for the attack, which affected “a small number of devices.”

“We have evidence that at least one telecom company may have been the intended target during the Asus compromise, which is consistent with APT41’s espionage targeting over the past two years,” said FireEye spokesman Dan Wire.

But FireEye and Slovakia-based cybersecurity company ESET said the gaming compromises aligned with financial motives more than national espionage. Among other things, the group won access to a game’s production environment and generated tens of millions of dollars’ worth of virtual currency, FireEye said.

(Reporting by Joseph Menn, Jack Stubbs and Chris Bing; Editing by Greg Mitchell and Nick Zieminski)

Fake social media accounts spread pro-Iran messages during U.S. midterms: FireEye

FILE PHOTO: A staff member removes the Iranian flag from the stage after a group picture with foreign ministers and representatives of the U.S., Iran, China, Russia, Britain, Germany, France and the European Union during Iran nuclear talks at the Vienna International Center in Vienna, Austria, July 14, 2015. REUTERS/Carlos Barria

By Christopher Bing

(Reuters) – A network of fake social media accounts impersonated political candidates and journalists to spread messages in support of Iran and against U.S. President Donald Trump around the 2018 congressional elections, cybersecurity firm FireEye said on Tuesday.

The findings show how unidentified, possibly government-backed, groups could manipulate social media platforms to promote stories and other content that can influence the opinions of American voters, the researchers said.

This particular operation was largely focused on promoting “anti-Saudi, anti-Israeli, and pro-Palestinian themes,” according to the report by FireEye.

The campaign was organized through a series of fake personas that created various social media accounts, including on Twitter and Facebook. Most of these accounts were created last year and have since been taken down, the report said.

Spokespersons for Twitter and Facebook confirmed FireEye’s finding that the fake accounts were created on their platforms.

Lee Foster, a researcher with FireEye, said he found some of the fake personas – often masquerading as American journalists – had successfully convinced several U.S. news outlets to publish letters to the editor, guest columns and blog posts.

These writings displayed both progressive and conservative views, the report said, covering topics including the Trump administration’s designation of Iran’s Islamic Revolutionary Guard Corps (IRGC) as a terrorist organization.

“We’re assessing with low confidence that this network was organized to support Iranian political interests,” said Foster. “However, we’re not at the point where we can say who was doing it or where it’s coming from. The investigation is ongoing.”

Before the 2018 midterm elections, the nameless group created Twitter accounts that also impersonated both Republican and Democratic congressional candidates. It is unclear if the fake accounts had any effect on their campaigns.

The imposter Twitter accounts often plagiarized messages from the politicians’ legitimate accounts, but also mixed in posts voicing support for policies believed to be favorable to Tehran. Affected politicians included Jineea Butler, a Republican candidate for New York’s 13th District, and Marla Livengood, a Republican candidate for California’s 9th District. Both Livengood and Butler lost in the election.

Livengood’s campaign called the situation “clearly an attempt by bad actors” to hurt her campaign, and noted that Livengood was “a strident opponent of nuclear weapons in Iran.”

Butler could not be immediately reached for comment.

Twitter said in a statement that it had “removed this network of 2,800 inauthentic accounts originating in Iran at the beginning of May,” adding that its investigation was ongoing.

Facebook said it had removed 51 Facebook accounts, 36 Pages, seven Groups and three Instagram accounts connected to the influence operation. Instagram is owned by Facebook.

The activity on Facebook was less expansive than that on Twitter and it appeared to be more narrowly focused, said Facebook head of cybersecurity policy Nathaniel Gleicher. The inauthentic Facebook accounts instead often privately messaged high profile figures, including journalists, policy-makers and Iranian dissidents, to promote certain issues.

Facebook also concluded the activity had originated in Iran.

(Reporting by Christopher Bing; editing by Rosalba O’Brien and Susan Thomas)

WhatsApp to refer security breach to U.S. authorities

By Steven Scheer

JERUSALEM (Reuters) – Facebook’s WhatsApp said on Tuesday a security breach on its messaging app had signs of coming from a private company working on surveillance and it had referred the incident to the U.S. Department of Justice.

WhatsApp, one of the most popular messaging tools, is used by 1.5 billion people monthly and it has touted its high level of security and privacy, with messages on its platform being encrypted end to end so that WhatsApp and third parties cannot read or listen to them.

A WhatsApp spokesman said the attack was sophisticated and had all the hallmarks of a “private company working with governments on surveillance.”

“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” a spokesman said.

“We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users,” he said. WhatsApp did not elaborate further.

WhatsApp informed its lead regulator in the European Union, Ireland’s Data Protection Commission (DPC), of a “serious security vulnerability” on its platform.

“The DPC understands that the vulnerability may have enabled a malicious actor to install unauthorized software and gain access to personal data on devices which have WhatsApp installed,” the regulator said in a statement.

“WhatsApp are still investigating as to whether any WhatsApp EU user data has been affected as a result of this incident,” the DPC said, adding that WhatsApp informed it of the incident late on Monday.

Cybersecurity experts said the vast majority of users were unlikely to have been affected.

Scott Storey, a senior lecturer in cybersecurity at Sheffield Hallam University, believes most WhatsApp users were not affected since this appears to be governments targeting specific people, mainly human rights campaigners.

“For the average end user, it’s not something to really worry about,” he said, adding that WhatsApp found the vulnerability and quickly fixed it. “This isn’t someone trying to steal private messages or personal details.”

Storey said that disclosing vulnerabilities is a good thing and likely would lead to other services looking at their security.

INCOMING CALL

Earlier, the Financial Times reported that a vulnerability in WhatsApp allowed attackers to inject spyware on phones by ringing up targets using the app’s phone call function.

It said the spyware was developed by Israeli cyber surveillance company NSO Group — best known for its mobile surveillance tools — and affects both Android and iPhones. The FT said WhatsApp could not yet give an estimate of how many phones were targeted.

The FT reported that teams of engineers had worked around the clock in San Francisco and London to close the vulnerability, and that WhatsApp began rolling out a fix to its servers on Friday last week and issued a patch for customers on Monday.

Asked about the report, NSO said its technology is licensed to authorized government agencies “for the sole purpose of fighting crime and terror,” that it does not operate the system itself, and that it has a rigorous licensing and vetting process.

“We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system. Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the company said.

Social media giant Facebook bought WhatsApp in 2014 for $19 billion.

Facebook co-founder Chris Hughes last week wrote in The New York Times that fellow co-founder Mark Zuckerberg had far too much influence by controlling Facebook, Instagram and WhatsApp, three core communications platforms, and called for the company to be broken up.

Facebook’s shares were up 0.8 percent at $183.02 in pre-market trading.

(Additional reporting by Ari Rabinovitch, Tamara Mathias and Padraic Halpin; Editing by Louise Heavens/Keith Weir/Jane Merriman)