I wrote a very timely introduction to digital security for investigative journalists for the Global Investigative Journalism Network. This guidance also applies to activists, lawyers, and anyone else doing at-risk work these days.

The UK’s National Cyber Security Centre recently published cybersecurity guidance for high-risk individuals. I looked at the guidance last week and shared my thoughts here, but I wanted to say a bit more about NCSC’s suggestion for managing access to shared accounts.

According to the guidance, you should “consider using a social media management service” for “any public social media accounts that you use in a professional context.” The idea here is that the service allows your team members to create posts for you, without you having to share the password. But in reality, the service may leave your account less secure than before because it changes how your team members log in.

Let’s say that you want to give Alice and Bob access to manage your account on X. You have secured the account with a good password and two-factor authentication. Maybe you’ve even set up a security key. You can then share your password and two-factor authentication; use a social media management service; or try out X’s new Delegate feature.

If you share your password and two-factor authentication, you give Alice and Bob full control over your account. Not only can they create posts for you, they can also hijack your account. Not ideal. 

If you use a social media management service, you first create an account with the service and secure it with a good password and two-factor authentication. You then link the service to your account on X. Alice and Bob create accounts with the service too. From there, you give Alice and Bob permission to create posts for you through the service. Rather than log in on x.com, they log in to the service and access your account there. And because their access is limited, they will not be able to hijack your account.

Sounds great, right? Well, here’s the catch. 

Your account on X still has a good password and two-factor authentication. But it’s now possible to log in another way—using the social media management service—and that is protected by your account, Alice’s account, and Bob’s account. If Bob has the password “password” and no two-factor authentication, that weakens the security of your account. While Bob can’t hijack your account, he—or someone using his account with the service—can create all sorts of embarrassing posts for you.

X launched the Delegate feature last year to make it easier for teams to collaborate on a single account. The concept is similar to using a social media management service, but without using a third-party platform. If you use this feature, you give Alice and Bob permission to create posts for you through their own X accounts. Your account still has a good password and two-factor authentication. But, as with the service, your account is now protected by your account, Alice’s account, and Bob’s account. If Bob does not secure his own account, then he also leaves your account less secure than it was before you gave him access.

In an ideal world, X should allow you to require that delegates match the security that you have on your account. If you have two-factor authentication, they should have that too. This challenge is not unique to X, however, or to social media. Earlier this week, I discovered that you can delegate access to a Google account enrolled in the Advanced Protection Program to a Google account with no two-factor at all. Turns out securing shared access is hard, no matter the platform. 

Last week, I wrote that “[w]hen considering a social media management service, I recommend that you look for one which–at the very least–supports two-factor authentication.” You want to make sure that your account remains secure, regardless of how you share access. That may mean sharing your password and two-factor authentication; using a service which allows you to require two-factor authentication; or using X’s new Delegate feature and trusting your team members to keep their own accounts secure—just like you do.

In December, the UK National Cyber Security Centre published guidance to raise awareness of digital threats to high-risk individuals, democratic processes, and institutions. At the same time, the agency published an advisory warning that Star Blizzard, a hacking group linked to Russia, continues to target high-risk individuals and organizations with tailored phishing attacks. The Guardian reported that Star Blizzard “is part of an aggressive FSB unit that sought to stoke scandal over Brexit, and hamper European NGOs investigating war crimes in Ukraine.” The guidance is part of the UK’s efforts to advance the cybersecurity of civil society and support the communities at highest risk. The Cybersecurity and Infrastructure Security Agency, NCSC’s counterpart in the U.S., launched its high-risk communities webpage earlier this week. 

Crafting good security guidance is hard, especially for a large and diverse audience. You want to strike the right balance between giving the reader enough information to take action, but not so much that they become overwhelmed and give up. The guidance from NCSC is brief and to the point, covering best practices without being too technical or too scary. I appreciate that the agency highlights the importance of securing personal accounts; after all, securing a high-risk individual means securing a person and how they work, not just their corporate accounts and devices. There’s even a mention of Apple’s Lockdown Mode, a security feature designed to protect devices against sophisticated attacks–such as the use of commercial spyware. 

The guidance for high-risk individuals has a total of nine steps, split into protections for accounts and devices. Rather than aim to be as comprehensive as possible, NCSC prioritizes mitigations that are likely to make the biggest difference for someone’s personal security. I’m a bit confused as to why disk encryption is missing from the guide, though. The feature provides an extra layer of security by ensuring someone cannot gain access to the data on your computer without first entering the password. Disk encryption is especially helpful in the event your computer is lost, stolen, or seized. Also missing are any mentions of encrypted phone backups for Android and iOS; end-to-end encryption for iCloud; and end-to-end encryption for WhatsApp backups.

NCSC opted to recommend the password manager functions built into Android and iOS. These are easy and convenient options, but sadly lack features you’ll find in other password manager solutions–such as secure notes and the ability to securely share passwords. I think it would be helpful for this high-risk guidance to also mention that other solutions with more features exist, and perhaps elaborate on those features as well. 1Password is one such option which provides discounts to journalists and others helping to make the world a better place. 

For two-factor authentication, the agency is clear about authentication apps being “more secure and convenient than SMS.” The agency recommends using Google Authenticator and Microsoft Authenticator: two apps which sync to the cloud. I think NCSC ought to stress that if you do back up your two-factor codes with these apps, you must secure these accounts with two-factor authentication as well. NCSC should also include Google’s Advanced Protection Program (and Google should mention it more too). The program enables two-factor with security keys and is designed with high-risk individuals in mind.

For sharing access to a social media account, NCSC suggests that you “consider using a social media management service.” The idea is that using such a service allows your team members to create posts for you, without you having to share your password. The downside is that many (most?) focus solely on making scheduling and posting easier, without ensuring multiple individuals can securely share access to an account. When considering a social media management service, I recommend that you look for one which–at the very least–supports two-factor authentication. 

Overall, I think the guidance from NCSC is a good start and worth a read. I’m really looking forward to seeing what else the agency adds throughout the year.

The Norwegian Intelligence Service, the Police Security Service, and the Norwegian National Security Authority recently published their threat and risk assessments for 2024. The reports cover a range of different threats, including cyberattacks, disinformation, espionage, sabotage, and terrorism. The three agencies call out China, Iran, North-Korea, and Russia, in addition to Islamic and right-wing extremists. At the press conference in February, Minister of Justice and Public Security Emilie Mehl stressed the need for a whole-of-nation approach to defense that spans all stakeholders–both civilian and military. With that in mind, here are my takeaways for high-risk people and organizations–in Norway and elsewhere. 

Activists, dissidents, and refugees in Norway are likely to be targeted by authoritarian regimes in 2024. This may also include their family members back home. Prominent people, such as elected officials and high-net-worth individuals, are vulnerable too. The reports don’t mention news media or journalists, but I think it’s reasonable to assume that these two groups are–or can become–targets of state actors as well. 

Authoritarian regimes will attempt to identify, surveil, and silence individuals with tactics of fear and repression. According to the Police Security Service, such surveillance may occur at protests and on social media. Individuals, as well as their family members, are likely to face pressure, threats, and harassment–both online and offline. I think it’s worth adding that online attacks may include sophisticated, targeted phishing; relentless social media trolling; mis- and disinformation campaigns; and use of commercial spyware. I highly recommend using Apple’s Lockdown Mode and Google’s Advanced Protection Program.

China and Iran will continue to stifle criticism of its policies and actions, both online and offline. In November, I wrote about how China targets civil society abroad with impersonation; intimidation; mis- and disinformation; attacks using DDoS, phishing, and malware; and even fake bomb threats in Oslo and The Hague. Last week, the U.S. Department of Justice charged seven members of the Chinese hacking group APT31 with “targeting U.S. and foreign critics, businesses, and political officials” for 14 years. The indictment also describes how the group in 2018 targeted the Norwegian government and Visma, a managed service provider, in response to U.S. lawmakers nominating Hong Kong’s Umbrella Movement for the Nobel Peace Prize. 

Elected officials will remain targets of foreign intelligence services, they are also likely to face threats and harassment throughout the year. Last month, VG reported that a group of pro-Palestine activists had confronted the leader of the Progress Party, Sylvi Listhaug, outside her place of work. The group, unhappy with Listhaug’s support for Israel, had shouted “shame on you” and “children in Gaza are dying.” The Police Security Service is currently investigating the incident. A week later, NRK and TV2 reported that their journalists had been attacked and prevented from covering a pro-Palestine rally in Skien. The Committee to Protect Journalists has published guidelines on how reporters can stay safe while covering marches and rallies.

Pro-Russian hacktivists will continue to target Norwegian websites with denial-of-service attacks over Norway’s support to Ukraine. While past attacks have had limited success, the Norwegian Intelligence Service warns that future attacks may cast doubt on the ability of public institutions to deliver services. Earlier this year, Prime Minister Jonas Gahr Støre reiterated that Norway’s “support to Ukraine is a long-term commitment.” Cloudflare and Google both offer free services that defend news, human rights, and elections-related sites from this type of attack.

The Norwegian National Security Authority warns about the impact of rapid technological change, including the use of AI to create mis- and disinformation. The agency highlights a 2023 incident in Slovakia where fact-checkers scrambled to deal with a fake audio recording of a political candidate days before the election. False information shared at the right time, in the right way, can shape public opinion. With more than 50 countries holding high-stakes elections throughout the year, it’s even more crucial that we support fact-checking organizations such as Faktisk.no. 

Other interesting mentions include: Russia’s desire to build a science center in Pyramiden, the world’s northernmost ghost town; the transition of the Arctic Council leadership from Russia to Norway; and threat actors exploiting zero-days in Ivanti last summer to target the online platform used by 12 different ministries. 

I plan to write more about security for journalists and other high-risk communities this year, as part of my work with Granitt. (Feedback and ideas are always welcome!) If you have questions about how to best protect yourself and your organization, please do get in touch. 

In November 2021, two Norwegian journalists investigating conditions for migrant workers in Qatar ahead of the 2022 FIFA World Cup were arrested and detained for more than 30 hours shortly before their flight home. The authorities said the journalists, Halvor Ekeland and Lokman Ghorbani with the Norwegian Broadcasting Corporation (NRK), were detained “for trespassing on private property and filming without a permit.” The journalists were questioned for eight hours in separate rooms, while their equipment was seized and thoroughly searched. When the authorities finally returned the equipment three weeks later, the photos and videos had been deleted and the memory cards had been formatted. 

Norwegian Prime Minister Jonas Gahr Støre tweeted that the arrest was “unacceptable” and that “a free press is crucial to a functioning democracy.” In a perfect world, the arrest would not have happened; the equipment would not have been seized; the material would not have been deleted. But journalism is inherently risky work, and these are just some of the challenges that reporters around the world face on a daily basis. There’s a lot we can learn from this incident in Qatar, especially around digital security and source protection. I have previously used this story as a case study in my course on threat modeling for the Source Protection Programme together with the Centre for Investigative Journalism and the Freedom of the Press Foundation.

Ekeland and Ghorbani transferred some data to Norway prior to their arrest, but lost most of the raw material when their equipment was seized. The timeline provided by NRK suggests the two had a slow morning on the day of the arrest, though it’s unclear if they had time to transfer more material before heading out for another interview. Transferring material can be an easy process, assuming you have a strong and stable internet connection, but it can be quite time consuming. Not to mention the time spent confirming the transfer was successful, then finding and deleting any sensitive material stored on your memory card. But this step could have helped the journalists protect the subjects they interviewed in the labor camp. 

In 2016, the Freedom of the Press Foundation published a letter to leading camera manufacturers, including Canon, Nikon, and Sony, asking them “to build encryption features” into their products to help protect the journalists who use them. The letter was signed by over 150 filmmakers and photojournalists from around the world, including award winners such as Lynsey Addario, Laura Poitras, and Brian Knappenberger. Sadly not much has happened since then. 

Journalists often carry multiple memory cards with them on assignment, some swapping cards around when they film or photograph specific people and places. If you are not able to transfer the material, you can at least move it from the memory card to a folder on your computer or an external drive. You can then encrypt the folder or the drive using FileVault on macOS or BitLocker on Windows. A more technical option is VeraCrypt, which supports the creation of hidden volumes and allows you to access the encrypted material on both macOS and Windows. This can be an easy process, assuming you have the folder or drive ready to go. You should still spend some time finding and deleting any sensitive material stored on your memory card.

According to NRK, Ekeland and Ghorbani followed a communications plan while in Qatar and checked in with colleagues in Oslo twice a day, once in the morning and once in the evening. It’s unclear if they developed a similar plan for how they would secure the material they were gathering. This would of course not have prevented the arrest or the seizure of their equipment, but could have helped keep their material confidential and their sources safe. It seems the main challenge here was not the lack of tools, but the lack of process.  

In my threat modeling course, I often stress that a good plan for any high-risk assignment must account for physical, digital, legal, and emotional risk. You need to identify the right tools to use, when to use them, and how to use them. If your plan to rely on the hotel internet falls apart, you want to make sure you know how to encrypt a folder to store your material in. After all, it’s this plan that will help you safely do the work you set out to do – and allow you to be flexible in how you do it.

It’s been more than six years since Google launched the Advanced Protection Program, a free security feature designed for high-risk individuals. The goal of the program, which anyone can sign up for, is to make it harder for an attacker to gain access to your account. To achieve this, Google requires that you use physical keys for two-factor authentication, such as the YubiKey. The use of physical keys helps defend against phishing too, since there’s no SMS message or notification that you can be tricked into sharing or taking action on. The program also provides extra protection from harmful files, malicious third-party apps, and impersonation attempts. 

The Advanced Protection Program is great. It’s a shame Google rarely mentions it.

When I worked for The New York Times in 2017, I told a journalist that “I don’t see a reason why you shouldn’t turn this on.” I stand by that. The program is especially helpful for people targeted by government-based attackers. Meduza, a Russian independent media outlet exiled in Europe, shared last week that Google recently alerted staff of multiple, targeted attempts to compromise their accounts. In September, Access Now and Citizen Lab reported that Meduza’s co-founder and publisher, Galina Timchenko, had been targeted with the Pegasus spyware, though neither attributed the attack to a specific government.

I think too many articles about spyware lack guidance for high-risk communities. The same can be said about posts from Google’s Threat Analysis Group. Don’t get me wrong, the research is good, but the posts often stop short of recommending any defensive measures. For example, it would have been easy for Google to mention Apple’s Lockdown Mode in this post about 0-days exploited by a surveillance vendor in Egypt. Or mention the Advanced Protection Program in this post about a Russian actor focused on phishing against high-profile individuals in NGOs. I think both are missed opportunities to raise awareness of these features. 

One could argue that the Threat Analysis Group writes for a technical audience: the analysts, researchers, and technologists whose job it is to stay informed and suggest next steps in their own organizations. But, as I argued in my keynote at MITRE’s ATT&CKcon last year, the challenge is that high-risk individuals and communities often don’t have these people. It falls to the individuals themselves to learn about potential threats and necessary mitigations, on top of doing their day jobs. That’s an incredibly difficult task.

Those who risk harassment by government-based attackers would greatly benefit from learning about Lockdown Mode and the Advanced Protection Program, ideally before they are first targeted. I’d love to see Google consider these people part of the audience that they write for and include not just the technical nitty gritty, but also information about the very good, very usable defenses that exist today. I’m confident that’ll go a long way in helping high-risk individuals secure themselves and continue to do their work safely.

Last year, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) asked the Cybersecurity Advisory Committee (CSAC) and the Technical Advisory Council (TAC) subcommittee, chaired by Jeff Moss, to write a report with recommendations for its High-Risk Community Protection initiative. I’ve been part of the Technical Advisory Council since 2022 and contributed to the report, which you can read here. Earlier this month, I wrote about how CISA’s partner in Norway, the Norwegian National Security Authority (NSM), supports high-risk communities through a project called Operation Pro Bono.

Over the last few years, Norway has actively participated in domestic and international efforts to combat election interference; prevent the proliferation of commercial spyware; and defend civil society groups under threat of transnational repression. Documents obtained through a public records request last week illustrate how the Norwegian National Security Authority (NSM) has supported elected officials, political parties, and non-profit organizations since early 2017. 

In an email to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in September, following a discussion about existing initiatives to protect high-risk communities, NSM detailed its own efforts and takeaways NSM reached out to elected officials and political parties ahead of the general election in 2017. The purpose of the outreach, according to NSM, was not to tell anyone what to do or how to work, but simply to offer guidance on digital security, general risks and threats, and to raise awareness. The agency has had “an ongoing dialogue with the parties” since then, with “an extra effort ahead of the elections in 2019 and 2021.” (And in 2024.)

In March 2021, NSM launched a new effort dedicated to civil society organizations titled “Operation Pro Bono.” The agency modeled this project after the election dialogues, with the same focus on security best practice and awareness. Sharing how the agency selected which organizations to reach out to, NSM wrote “[t]he main criterion for the selection was voluntary organizations which are of great importance to society and which must be expected to be of interest to foreign state threat actors.”

NSM said it received “an immediate and positive response” from 16 organizations.

The agency wrote that “all organizations wanted to meet” and “there has been a consistently light and free tone, even though the themes are of course serious.” The topics covered include information about NSM, general risks and threats, security culture and behavior, travel, mobile, and social media. (I hope this project continues with a holistic approach and mention of free tools for high-risk individuals, such as Apple’s Lockdown Mode.)

In early September, CISA’s advisory council/committee delivered a report with recommendations for the agency’s High-Risk Community Protection (HRCP) initiative. (I contributed to this report.) Among other things, the report encourages CISA to engage directly with high-risk communities, individuals who have been targeted by nation states, and those who support them. Doing so will help CISA learn more about their concerns and needs – and how the agency can best assist them. NSM told CISA that its outreach helped convince a board to prioritize the implementation of two-factor authentication.

Reflecting on the impact of Operation Pro Bono, NSM said that “[m]any of the organizations have been surprisingly open about their security challenges. In one case, the general manager was able to say that our planned visit was what made the board finally agree that the organization should adopt multi-factor authentication. Professionals in the organization had recommended this for a long time, but did not gain traction.”

NSM found that while “safety is high on the agenda,” the organizations “have varying degrees of resources and expertise to improve security.” I’m not surprised, I’ve seen the same in my work with high-risk groups over the years. Civil society organizations frequently have to do a whole lot with very little. (I’ve also written about the need for more guidance for high-risk communities.)

In a statement published in late September, CISA highlighted that the U.S., U.K., and Norway have all established initiatives dedicated to securing high-risk communities. Other nations have invested in security awareness campaigns and training materials for society as a whole. According to the agency, Estonia, Canada, New Zealand, and Australia aim to reach high-risk communities “by translating materials into multiple languages which reflect the diversity of each country.” 

NSM, for its part, concluded that its outreach in Norway was a success. 

“Operation Pro-Bono is a low-cost offer from NSM which, judging by the feedback, provides significant value for the organizations we have visited.”

The story of the woman found dead in Isdalen near Bergen, Norway in November 1970 has been told through countless articles, a documentary, and a podcast. The body, found by two young girls and their father out on a Sunday hike, had been exposed to strong heat and had considerable burns. The labels on her clothes had been removed and trademarks scrubbed from items at the scene. When police located her suitcases three days later, they found more of the same: clothes without tags, cosmetics without labels. The investigation also turned up a coded notepad and multiple identities, some wondered if she may have been a spy.

More than 50 years later, the authorities still don’t know who she was or what she was doing in Bergen. But records obtained through the Freedom of Information Act last month show that the police in Oslo requested assistance from the U.S. Federal Bureau of Investigation in identifying the unmarked cosmetics found in the woman’s suitcase. 

Two months into the investigation, the Central Criminal Police in Oslo wrote a letter to the FBI with background information and “two photographs of cosmetic tubes found in the luggage of the unknown subject.” The response, sent a few weeks later, was disappointing: “[e]fforts were made to identify the cosmetic containers shown in the color photographs by examination of the photographs and by exhibiting them to cosmetics buyers in the three largest Washington, D.C. department stores. None of the individuals contacted were able to identify the containers.”

But one of the buyers pointed out that many cosmetic products are packaged by firms in New York. Perhaps the bureau could speak to someone there? “It was suggested that the company of the magazine ‘Beauty Fashion’ at 60 East 42nd Street, New York, should be able to furnish information regarding the companies that do packaging for cosmetic products since many of these companies advertise in this magazine.”

And so the the two color photographs and a copy of the letter from Oslo was sent from Washington, D.C. to New York.

In early March 1971, New York reported that contacts were made at Beauty Fashion, Garrett Hewitt International, and Kolmar Cosmetic Specialities. “The results were negative.” A special agent spoke with two individuals at Beauty Fashion and Kolmar who “advised that, in their opinion, the cosmetics in question were not produced in the United States.” They both “expressed their puzzlement as to why the labels were scratched” off. 

A third individual said their “reaction upon seeing that the labels were removed was that the victim may have had a business interest in cosmetics and was given the cosmetics as samples for analysis.” The individual from Kolmar “advanced the theory that possibly the victim removed the labels to avoid having it become known that she had been in a particular country, perhaps one behind the Iron Curtain.” 

The origins of the cosmetics remains unknown, though plenty of theories have surfaced in the Death in Ice Valley group on Facebook. Perhaps the bottles are from an airline or a hotel? If you happen to know more, I’d love to hear about it. 

On November 7, Binding Hook published an article by Sophie in ‘t Veld arguing that spyware is a clear and present danger to our democracies. Having led the European Parliament’s yearlong investigation into spyware, in ‘t Veld is well acquainted with the tools and their impact on victims around the world, not to mention the vendors, the NGOs who expose them, and the actors who knowingly spread disinformation about their research.

In ‘t Veld says that the only upside to this spyware debacle “is that it is covered with the correct amount of urgency by some of the finest journalists in Europe.”

“With many parliaments unaware of the problem and courts too slow or unable to push back, much now depends on the Fourth Estate. It is up to the press to keep the fire burning until more politicians wake up to the danger”, she writes.

But the fire has been burning for over a decade and not much has been done to curb the threat, despite the efforts of numerous journalists, technologists, and security researchers. I wrote more about that in an article for Binding Hook, published this morning. You can read it here.

On November 10, The Intercept reported that NSO Group is demanding an urgent meeting with U.S. Secretary of State Antony Blinken. Days earlier, Timothy Dickinson – a partner with the Los Angeles-based law firm Paul Hastings which represents NSO Group – sent an email and a letter to State Department officials, saying he wants “to reaffirm the importance of NSO’s technology” and discuss “the importance of cyber intelligence technology in the wake of the grave security threats posed by the recent Hamas terrorist attacks in Israel and their aftermath.”

Dickinson, unsurprisingly, argues that “NSO’s technology is supporting the current global fight against terrorism in any and all forms.” There is no mention of the hundreds of cases of abuse of the company’s Pegasus spyware, though Dickinson touts the company’s “comprehensive, industry-leading human rights compliance program. In June 2021, NSO Group published its “first annual transparency and responsibility report” – it appears to be the only one to date. (A month later, the company published a laughable response to the Pegasus Project, a large-scale investigation into abuse of the Pegasus spyware, saying enough is enough.)

In November 2021, the U.S. Commerce Department blacklisted NSO Group by adding it to the Entity List. Companies on this list are not completely prohibited from doing business in the U.S., but the designation makes it more difficult to do. The move came four years after Citizen Lab first reported that Stephanie Brewer, an American lawyer in Mexico, had been targeted with the company’s Pegasus spyware. 

The Commerce Department’s list was further enhanced with the addition of Intellexa and Cytrox this summer. The two companies are known for developing and selling Predator, sophisticated spyware which, like Pegasus, has been used against journalists and politicians around the world. In March, The New York Times reported that Predator had been used to target Artemis Seaford, a dual U.S.-Greek national working for Meta at the time of the attack. 

In December 2021, at the first Summit for Democracy, the United States, Australia, Denmark and Norway announced the Export Controls and Human Rights Initiative to counter misuse of technology that violates human rights. In a joint statement, the countries committed to “establish a voluntary, nonbinding written code of conduct around which like-minded states could politically pledge to use export control tools to prevent the proliferation of software and other technologies used to enable serious human rights abuses.”

The first version of the code of conduct was released in March, endorsed by more than twenty governments. (As I noted in June, this includes North Macedonia – home to Cytrox and the Predator spyware.) At the same time, President Biden signed an Executive Order restricting American government use of commercial spyware that could pose national security risks or be misused to imperil human rights globally.

Last week, Eileen C. Donaho, the State Department's Special Envoy and Coordinator for Digital Freedom in the Bureau of Cyberspace and Digital Policy, participated in an event at the Paris Peace Forum titled “Unpacking the Cyber Mercenaries' Phenomenon." On X, the department said Donaho “laid out the 🇺🇸’s unprecedented, government-wide effort to counter the misuse and proliferation of commercial spyware.”

Ever since the first Summit for Democracy, lawyers for NSO Group have argued – to lawmakers in both the U.S. and the U.K. – that the company “has much to contribute to policy discussions.” 

When Politico asked me if it’s morally dubious or wrong for NSO to be leveraging the war to ask the U.S. for sanctions relief, I said the company “will use every chance it gets to lobby” and “it should come as no surprise that the company is now leveraging the war for this purpose.” 

In response to my comment, an unnamed person “working with NSO Group” said it was “frankly offensive.” But what’s offensive is the company’s continued collaboration with authorities which repeatedly abuse Pegasus to target civil society – individuals who have no recourse and little to no ability to defend themselves. 

NSO likes to think of itself as an upstanding surveillance vendor, but has shown no desire to reckon with the harms it has caused since at least since 2014. A senior administration official told Politico that “revelations of misuse, specifically of NSO group software, have … continued unabated” since the Executive Order. At this rate, it’s looking like the company will remain on the government’s naughty list for quite some time. 

A number of states expanded protections for abortion providers and patients in the past year, following the June 2022 U.S. Supreme Court decision which removed the constitutional right to abortion. While shield laws to protect doctors and abortion medication have received plenty of attention, as noted by Abortion, Every Day, a seemingly underreported development is the expansion of address confidentiality programs to include those providing and receiving reproductive or gender-affirming care – as well as their family members.

Address confidentiality programs allow eligible participants to receive mail at a confidential address, while keeping their actual address undisclosed. This protects not only your driver’s license, but your voter registration too. A review of programs across the U.S. shows that 11 states offer address confidentiality to at least some groups of protected healthcare providers and patients: California, Delaware, Maryland, Massachusetts, Michigan, Minnesota, New Jersey, New York, Vermont, Washington, and Wisconsin. 

While some states specifically mention address confidentiality for those providing or seeking reproductive or gender-affirming health care services, others are more broad and stating that the program is available to “those who simply fear for their physical safety.” A few offer protections for election workers too. 

Earlier this year, the National Abortion Federation reported seeing a “sharp increase” in violence at abortion clinics in 2022, the year when Roe v. Wade was overturned. The federation said that “a disproportionate increase occurred in states that protect abortion rights.” Some attacks result in prosecutions by the Justice Department, which has a web page dedicated to recent cases on violence against reproductive health care providers. 

Justin Sherman spoke at length about the links between public records, data brokers, stalking and gendered violence on the Lawfare Podcast earlier this month. While such records have helped the online sleuths tracking down participants in the January 6th attack, they present a significant risk to the safety of doctors, nurses, election workers, and journalists. Female journalists have shared on social media that they don’t vote because doing so would make their home address available on people search sites.

I truly hope lawmakers soon wake up to the threat posed to at-risk individuals by data brokers, including the availability of voter registration records. In the meantime, let’s make sure those who qualify for existing address confidentiality programs are aware of their existence. 

Last month, the U.S. Department of Defense released its annual report on China’s military and its role in China’s broader foreign policy. The 212-page report details developments in the past year, such as rapid advances in Beijing’s plan to build a nuclear weapons arsenal. But, as The Washington Post noted, the report “also gives significant attention to China’s cyber capabilities” and what this could mean for a potential invasion of Taiwan.

The Defense Department said the People’s Republic of China (PRC) “has publicly identified cyberspace as a critical domain for national security and declared its intent to expedite the development of its cyber forces.” 

The department went on to stress that China’s armed forces, the People’s Liberation Army (PLA) “could also conduct a range of cyberspace, blockade, and kinetic campaigns designed to force Taiwan to capitulate to unification or compel Taiwan’s leadership to the negotiation table on the PRC’s terms.”

Sadly, neither the Defense Department’s report nor The Post’s newsletter said much about how these developments may impact civil society abroad.

A lot has been written about China’s high-tech oppression of its own people, including constant monitoring and control of digital communications, persistent crackdown of ethnic minorities with sophisticated exploits and suffocating surveillance, and mass arrests of those who use social media to criticize Chinese leader Xi Jinping and his government.

But what do we know about China’s tactics beyond its borders? As it turns out, quite a bit.

The Chinese government demonstrated sophistication, skill, and appetite for revenge when its hackers persistently attacked The New York Times in 2012, following an investigation into the financial wherewithal of the Chinese prime minister’s family. In the days following The Times’s article about the hack, Bloomberg News, The Wall Street Journal, and The Washington Post all said they too had been attacked by China. (Less than two months later, Mandiant published its now infamous report on APT1, a cyber espionage group linked to the PLA.)

In the years since, the threats against civil society have increased in both severity and scope. Attacks which were once reserved for China’s long-term, strategic goals may now be launched against anyone criticizing Beijing from anywhere in the world – impacting their physical, digital, emotional, and legal safety. In the past three years alone, China has targeted people outside of the country with impersonation, intimidation, mis- and disinformation, and attacks using DDoS, phishing, and malware.

Earlier this year, Reuters reported that someone was impersonating two of its journalists on social media to engage with Chinese activists. The accounts, which first appeared on Instagram and Telegram in November, posed as Shanghai bureau chief Brenda Goh and Hong Kong-based correspondent Jessie Pang. In at least one instance, the impersonator attempted to build trust by sharing a photo of Pang’s expired press ID. While Reuters said it “could not ascertain who was behind the fake journalist personas,” an administrator of Citizens Daily, a pro-democracy social media account, said they “suspected Chinese state involvement in the impersonations.”

Not long after, three journalists working for The New York Times and The Wall Street Journal reported that someone had registered Telegram accounts with their Chinese phone numbers. While it’s not clear who created accounts for Li Yuan, Lingling Wei and Wenxin Fan, or what they did next, it shows that journalists reporting from and on China should keep an eye out for accounts posing as them on social media.

Last summer, London's Metropolitan Police briefly detained Drew Pavlou, an Australian student and human rights activist, for “communicating false information to make a bomb hoax.” Pavlou told TIME “the bomb hoax email came from the drewpavlou99@protonmail.me email address.” That email prefix “is identical to an account he has with gmail, which he says was hacked in January 2021 by someone using a Chinese IP address.” 

In January, police officers in Melbourne arrested Andrew Phelan, a high-profile China watcher and commentator, after a woman said that she’d received an email from him threatening to rape and kill her. He hadn’t, but someone clearly wanted to send a message.

Jemimah Steinfeld, the editor-in-chief of Index on Censorship, wrote that “Phelan is part of a new and growing club of people whose names and identities are being hijacked and used for nefarious purposes. It’s a disparate group stretching across the globe and contains activists, journalists, academics and lawyers. All are tied together by one common thread — they criticize China.”

In April, Volkskrant journalist Marije Vlaskamp shared an even more elaborate impersonation plot. Bomb scares at Chinese embassies were made in her name in multiple European cities, including Oslo and The Hague. The areas were cordoned off and traffic diverted to keep cars, buses, and trams away. The newspaper said this may be “the first time that unknown persons are intimidating a Dutch journalist outside China on behalf of the Chinese state.”

Vlaskamp reported that someone attempted to use her phone number “to create various new accounts on Telegram and WhatsApp.” Threatening messages were sent to her source too, demanding that he shut down his social media and stop giving interviews.

Vlaskamp, a correspondent in Beijing for 18 years, said that she’s “learned enough to know how the Chinese operate if they want someone to shut up.” 

There have been reports of Chinese actors impersonating organizations as well. Recorded Future spent three years tracking a long-running phishing campaign targeting humanitarian, think tank, and government organizations. The 11-page report, published last year, said the actor had been “registering and weaponizing hundreds of domains spoofing organizations,” including Amnesty International and Radio Free Asia.

Recorded Future also highlighted that the actor has “displayed a particular interest in spoofing political, government, and think tank organizations in Taiwan,” such as the American Institute in Taiwan–the de facto U.S. embassy in Taipei.

In August 2020, authorities arrested Jimmy Lai, founder of the now shut pro-democracy paper Apple Daily, for alleged collusion with foreign powers under the new national security law, as well as fraud. While preparing for his trial, Lai’s lawyers from British Doughty Street Chambers said they “received anonymous e-mails warning them against travelling to the city to defend him.” The messages, which were sent “from a generic Gmail address,” warned that the lawyers “could be extradited…from other jurisdictions” if they refused “to abide by the laws of the Hong Kong Special Administrative Region (HKSAR).” 

"Threatening journalists, campaigners and lawyers within Hong Kong has been happening for some time," the lawyers told Reuters in an email.

A Hong Kong court sentenced Lai to 69 months in prison for fraud last December. His trial on national security charges is still pending.

In September, Doughty Street Chambers shared that while representing Jimmy Lai and his son Sebastian, its staff has been subjected to: “attempted online surveillance,” “repeated attempts to hack their e-mail accounts, devices and bank accounts, as well as impersonation e-mails … and emails threatening prosecution and extradition to HKSAR,” and “death threats, rape threats and threats to family members.”

A sarcastic post on X about President Biden’s supposed “plan for the destruction of Taiwan” sparked a wave of misinformation in February when it was amplified by Chinese authorities and supporters of unification with China. The Wire said that “a surprising number of people in Taiwan became utterly convinced that America is planning to destroy their island home.” The Ministry of Foreign Affairs even commented, saying “people should beware of false information designed to erode confidence in US commitments to defend Taiwan and damage Taiwan-US ties.”

Vincent Chao, a Taiwanese politician and former diplomat, told Dmitri Alperovitch on Geopolitics Decanted that “it just became this whole layered approach to disinformation that allowed this whole thing to proliferate in Taiwanese society for days if not weeks.” 

“These are things that happen all the time here in Taiwan,” Chao said, adding that “they exploit the free press, they exploit free speech, they exploit this idea of attaching nonsensical claims to people with purported legitimacy.”

Last year, Meta said it had removed coordinated inauthentic behavior from China. The operation “targeted primarily the US and the Czech Republic.” The company said that this was the first network it disrupted “that focused on US domestic politics ahead of the midterm elections and Czechia’s foreign policy toward China and Ukraine.” 

In January, Google said it “disrupted over 50,000 instances” of “a spammy influence network linked to China that has a presence across multiple platforms.” Microsoft later reported seeing an increase in “effective audience engagement” from Chinese influence operations.

While big tech companies focus on shutting down accounts used for influence operations, the task of fact-checking and calling out mis- and disinformation often falls to journalists. 

Marianna Spring, the BBC’s first disinformation correspondent, has openly shared that in return for her work, she’s been “abused, slandered, threatened” (and, to be clear, she’s not alone.) In some cases, the online abuse hurled at her “contain physical threats,” which the BBC flag for further assessment. (Spring’s forthcoming book, Among the Trolls: Notes from the Disinformation War, elaborates on the risks that come with investigating mis- and disinformation.)

Ahead of House Speaker Nancy Pelosi’s visit to Taiwan in August last year, a series of DDoS attacks were launched at four key websites in the country, attempting to knock them offline: those of President Tsai Ing-wen, the National Defense Ministry, the Foreign Affairs Ministry and the country’s largest airport, Taiwan Taoyuan International. Doug Madory, director of internet analysis at Kentik, told NBC News the attacks were “big enough to be effective but not record-breaking.” Researchers said the attacks were likely launched by Chinese activists rather than the Chinese government. 

In July 2022, Proofpoint reported on how different state actors – including multiple Chinese actors – use phishing emails to target U.S. journalists. The researchers found that some of the emails contain web beacons designed to gather information about a journalist’s web browser and IP address, while others contain file attachments with malware. The report noted that one of the actors kicked off 2021 with targeting those covering U.S. politics, then – in the second half of the year – switched to targeting those “working cybersecurity, surveillance, and privacy issues with a focus on China.”

When China hacked The New York Times in 2012, it leveraged malware “that enabled them to gain entry to any computer on The Times’s network,” “stole the corporate passwords for every Times employee and used those to gain access to the personal computers of 53 employees.” China’s penchant for malware has only increased since then, aided by a law – passed two years ago – that requires discovered vulnerabilities to be reported to the federal government within 48 hours.

More recently, Volexity identified several long-running campaigns by a Chinese actor targeting Taiwanese individuals and organizations with fake Android applications containing malware. In August, ESET disclosed that a Chinese actor had distributed “espionage code through the Google Play store, Samsung Galaxy Store, and dedicated websites representing the malicious apps Signal Plus Messenger and FlyGram.” ESET researcher Lukas Stefanko told Forbes that the fake Signal app was designed to “spy on communications of the real app.”

“The PRC is sitting on a stockpile of zero-day vulnerabilities,” Morgan Adamski, the director of the NSA’s Cybersecurity Collaboration Center, told the audience at CYBERWARCON last week. 

“We know, through operations the last couple of years, that we are seeing an uptick in the amount of Chinese use of zero-day vulnerabilities to get into U.S. infrastructure, software and capabilities that we care about,” Adamski said. 

In my keynote at ATT&CKcon last month, I spoke about cybersecurity for civil society and the needs of both high-risk individuals and organizations. The U.S. Cybersecurity and Infrastructure Security Agency defines high-risk communities as ones targeted by advanced persistent threat actors; have limited capacity to provide for their own defense; and receive limited assistance from the U.S. government. The cases presented here certainly qualify. 

As these examples show, securing high-risk individuals and organizations requires a holistic approach – not just a focus on one type of threat or a set of corporate assets. To fully support high-risk communities, we must focus on securing identities — accounting for the devices and systems and workflows these people use every single day. With this in mind, we can begin to share guidance that is truly fit for purpose. 

Earlier this week, Apple notified a number of individuals that state-sponsored actors may be targeting their iPhones. Some shared their alerts on X, including journalists and politicians in India. Apple has previously sent alerts about targeting with NSO Group’s Pegasus spyware, though we don’t yet know what the recent notifications refer to or when the targeting took place. If you received an alert and want to know if your phone has been compromised, contact Access Now, Amnesty International, or Citizen Lab for assistance.

Apple’s threat notifications provide additional steps that people can take to protect their devices, including enabling Lockdown Mode. This feature was introduced in the fall of 2022, and is now available on your Apple phone, tablet, laptop, and watch. Since Lockdown Mode is still relatively new, here are four things you should know about it:

Lockdown Mode is not extreme, even if Apple says so. I think it’s more accurate to say the feature provides protection against extreme attacks, such as the targeting of an iPhone with sophisticated spyware. It’s easy to turn on and try: go to Settings, Privacy & Security, and tap Lockdown Mode. Your phone will restart and Lockdown Mode will be on. The feature will not delete any data. 

Lockdown Mode works, as long as you leave it on. Lockdown Mode is the best defense we have today against Pegasus and Predator. I have not seen any reports suggesting they can bypass this feature. Last month, Citizen Lab said Lockdown Mode would have blocked a recent attack with Predator in Egypt.

You can exclude apps and sites from Lockdown Mode, if needed. Some apps and sites may look different; perhaps icons appear as empty boxes or images don’t display as normal. Do not turn Lockdown Mode off, but exclude that specific app or website instead. If you have to do this, only exclude apps and sites you are familiar with. 

Turn Lockdown Mode on after restoring a backup, if needed. After restoring a backup, double-check that your phone is running the latest version of iOS and that Lockdown Mode is on.

Lockdown Mode works on a managed device, but you need to install the profile before you turn the mode on. If Lockdown Mode is already on, you need to turn it off; install the profile; then turn it back on again. (Bonus item added on April 11, 2024.)

If you try Lockdown Mode and find that it does not work for you, I’d love to hear about it. It may be that we can provide feedback to Apple and/or the creator of a specific app or site. Send me an email on runa@granitt.io.  

In December 2021, at the first Summit for Democracy, the United States, Australia, Denmark and Norway announced the Export Controls and Human Rights Initiative to counter misuse of technology that violates human rights. In a joint statement, the four governments committed to:

“... establish a voluntary, nonbinding written code of conduct around which like-minded states could politically pledge to use export control tools to prevent the proliferation of software and other technologies used to enable serious human rights abuses.”

Canada, France, the Netherlands, and the United Kingdom also expressed support.

The United States released the first version of the code of conduct this past March, at the second Summit for Democracy. Among other things, the code of conduct calls for governments to:

“Take human rights into account when reviewing potential exports of dual-use goods, software, or technologies that could be misused for the purposes of serious violations or abuses of human rights.”

Sounds great, right?

Well, here’s where things get interesting.

More than twenty governments have endorsed this code of conduct, including North Macedonia. The same North Macedonia which allows Cytrox to develop and sell its Predator spyware, despite research showing it has been used to target human rights defenders, journalists, and politicians in at least two countries since 2021.

Ten days before the release of the code of conduct, The New York Times reported that a former trust and safety manager with Meta, Artemis Seaford, had been targeted with Predator in September 2021. Seaford, a U.S.-Greek national, is one of dozens of alleged victims of Predator in Greece.

In her testimony to the European Parliament committee set up to investigate use of spyware, Seaford emphasized that victims still have no clear path to accountability. Speaking about the unfolding spyware scandal in Greece, Seaford said the victims have “no incentive to speak out, they have everything to lose and very little to gain."

Last year, The New York Times and Inside Story reported that Predator had been sold to Madagascar and Sudan, both countries with a history of repression. And in April, Inside Story wrote that “local regulators in North Macedonia have turned a blind eye to Predator’s development in the country.” Turns out one of the owners of Cytrox, Ivo Malinkovski, is a member of a family well-known for making wine – and dealing arms. 

I have yet to see any meaningful response from other governments, though members of the European Parliament are asking questions about how the spyware ended up in Sudan. At the very least, I’d expect the four countries which created this human rights initiative to discuss the issue with their partners in North Macedonia.

While we wait for, let’s be honest—the next article about yet another Predator victim, here are some technical details about the Predator spyware from Cisco Talos for us to dig into.

When Apple announced a handful of new security features last year, I was excited. Very excited. We can make it more difficult to attack our phones, the messages we send our friends, and our Apple accounts and iCloud backups. The features are optional to use, which is fine considering the chaos that would ensue if Apple just turned them on. But lately I’ve been thinking that the language Apple is using to describe these features is pushing away the people who may need them the most. 

In October, Apple announced Lockdown Mode to help “protect devices against extremely rare and highly sophisticated cyber attacks.” No doubt in response to years of reporting on attacks against civil society with commercial spyware, such as Pegasus and Predator. Lockdown Mode does not guarantee that your device will never be hacked, but it does make attacks harder by reducing the attack surface. 

Apple has always described Lockdown Mode as “optional, extreme protection that’s designed for the very few individuals who, because of who they are or what they do, might be personally targeted by some of the most sophisticated digital threats.” It’s not wrong, but it doesn’t tell the whole story: that sometimes the people around these individuals are targeted too. Like the son of journalist Carmen Aristegui, the two partners of slain journalist Jamal Khashoggi, the go-to taxi driver of journalist Khadija Ismayilova.

Apple says “most people are never targeted by attacks of this nature,” and I agree. But calling Lockdown Mode “extreme” does not serve those who could benefit from using it–or the people who support them.

When Apple announced end-to-end encryption for iCloud in December, it called the feature Advanced Data Protection for your “most sensitive iCloud data.” When Google announced a similar feature for Android five years ago, it simply promised to “have your back by protecting your backups.” When WhatsApp announced end-to-end encryption for backups in 2021, it just wanted to give people “an extra, optional layer of security to protect” their data. 

Don’t get me wrong, Advanced Data Protection is great. But we don’t need to call it “advanced” or describe it as something limited to your “most sensitive” data. After all, Signal, Facebook, and WhatsApp describe end-to-end encryption as the technology that protects calls and messages, and allows people to speak freely. It doesn’t have to be more complicated than that. 

In that same December announcement, Apple said Security Keys will soon be supported for two-factor authentication when logging into your Apple account. Unfortunately, it also said this feature was “designed for users who, often due to their public profile, face concerted threats to their online accounts, such as celebrities, journalists, and members of government.” Meanwhile Google, Twitter, and Facebook just say it’s another way for people to keep hackers out of their accounts.

Supporting journalists and other at-risk groups requires proactive, contextual guidance. I even started a company last year to focus on that work. It’s hard to make this guidance land when Apple’s marketing language includes words like “extreme,” “most sensitive,” and “concerned threats.” To help those who support at-risk people, Apple should instead reframe its marketing to focus on what all these features enable: a way for everyone to enhance, improve, and level up their personal security.

Last week, Access Now, Amnesty International, Citizen Lab, and CyberHUB-AM jointly reported that members of civil society in Armenia had been hacked with NSO Group’s Pegasus spyware. The victims include human rights defenders, a United Nations official, and journalists with Radio Free Europe/Radio Liberty. The reports were quickly picked up and shared by numerous news outlets, including Forbes, the Guardian, NBC, Reuters, TechCrunch, and Wired. But sadly, the articles did not contain much guidance for at-risk communities.

And that’s a problem.

Journalists have written about the use of sophisticated spyware and hacking tools to target civil society for over a decade. Yet information about how to protect yourself against these attacks is frequently missing, leaving at-risk communities to figure things for themselves. That’s assuming they even know they’re at-risk, but that’s a topic for another day.

Maybe we are so focused on preventing attacks, or simply reporting on them, that we forget we can make attacks harder to achieve; notify victims they may have been targeted; and provide support to those who need it.

At least three of Citizen Lab’s spyware investigations began with victims reaching out to Access Now’s digital security helpline–Mexico, El Salvador, and Armenia. In one of those investigations, the victims reached out to Access Now after first testing their devices with the Mobile Verification Toolkit released by Amnesty International as part of the Pegasus Project in 2021. Considering the value provided by the helpline–for free, around-the-clock, since 2009–I’m surprised it does not get more attention.

This latest investigation into spyware in Armenia began when Apple sent threat notifications to victims in November 2021. Examples of notifications are easy to find on Twitter and Facebook; they look like this. Apple sent one to Lama Fakih with Human Rights Watch too. The notification did not say how she was targeted, with what, or by whom. But that message, and frankly that awareness, helped start an investigation. Together with Amnesty International, Human Rights Watch determined that Fakih, a U.S.-Lebanese national, had been targeted with Pegasus five times between April and August 2021. 

Last year, Apple introduced a new, opt-in security feature for macOS, iOS, and iPadOS called Lockdown Mode. While the feature does not guarantee that your device will never be hacked, it reduces the attack surface that could be exploited by sophisticated spyware. In short, Lockdown Mode makes attacks harder to achieve. When asked, Citizen Lab said it has not seen any cases of spyware compromising a device with Lockdown Mode on “with zero-click attacks,” suggesting the feature really does provide additional protection. 

We may not be able to prevent these attacks from happening. And if it’s not Pegasus, it will likely be something else. A part of that ongoing arms race between technology giants and spyware makers. But I believe there’s tremendous value in sharing what we do know with the people who need it the most. After all, isn’t that what journalism is all about?

The New York Times reported on Monday that Artemis Seaford, a former trust and safety manager at Meta, had been infected with the Predator spyware in the fall of 2021. Seaford, a dual U.S.-Greek national, was also under a yearlong wiretap by the Greek national intelligence service. Citizen Lab said Seaford’s phone had been hacked “for at least two months,” making her one of at least 38 individuals named as victims of Predator. This disclosure is the latest in a long and still unfolding surveillance scandal in Greece.

The Greek government has denied using Predator, and the article does not attribute the attack to any specific country or operator. In 2021, Citizen Lab said it “found likely Predator customers” in Armenia, Egypt, Greece, and a few other countries. Last year, The New York Times reported that the “spyware-detecting lab in Brussels at the European Parliament” found that MEP Nikos Androulakis had been targeted with Predator. “I never expected the Greek government to put me under surveillance,” Androulakis told The Times.

The Hellenic Data Protection Authority, an independent public authority, is investigating reports that Greek politicians and journalists have been targeted with spyware. Citizen Lab confirmed it “had a meeting with the Hellenic Data Protection Authority in November 2022 at their request.” Earlier this year, the head of the authority told the European Parliament’s PEGA Committee that it had “identified at least 300 text messages containing spyware-infected links…sent to around 100 individuals.”

In Monday’s article, Giannis Oikonomou, the government spokesman, is quoted as saying that “Greece was among the first countries in Europe that passed legislation banning the sale, use and possession of malware in December 2022.” What’s more interesting is what he’s not saying: that the legislation refers to the “private use of spyware,” but appears to legitimize the purchase or use by government agencies. And while the legislation bans “the sale of spyware,” it’s not clear how it would apply to Intellexa—the company behind Predator.

Oikonomou told The Times that “the alleged use of this software by nongovernmental parties is under ongoing judicial investigation.” Intellexa, for its part, sent a strongly worded legal notice to the PEGA Committee last month following its inquiries into use of the Predator spyware. Sophie in 't Veld, who sits on the Committee, tweeted that she is “very much looking forward to the exchange with Intellexa,” adding “plenty more new questions have arisen since” PEGA’s letters to the company last summer.

If you have followed technology news for a while, you will have heard of the Online Safety Bill in the UK. This bill, framed as “a new set of laws to protect children and adults online,” will make “social media companies more responsible” for what we see via their platforms. Introduced in the spring of 2021, the bill has been altered, altered again, put on hold, put on hold a second time, then altered some more. Experts have repeatedly condemned the bill, arguing that it represents a threat to internet safety. 

In short: it’s a disaster.

For example, the BBC recently quoted the UK government as saying: 

"The Online Safety Bill does not represent a ban on end-to-end encryption.” 

This is misleading. The Online Safety Bill does not “ban” end-to-end encryption. But it forces technology companies to change how their applications work, circumventing the end-to-end security that this encryption provides. Both Signal and WhatsApp, which provide end-to-end encrypted calls and messages, have said that complying with the bill would require them to weaken the overall security of their apps.

You cannot have both end-to-end security and government oversight. You are either surveilled, or you are not.

In the same article, the UK government goes on to say that:

"It is not a choice between privacy or child safety - we can and we must have both."

This is also misleading. The bill forces technology companies to weaken the security of their applications which presents a risk to online privacy; this in turn endangers child safety, not to mention the safety of the adults these children will grow up to become. The government is arguing that we will be more safe without the protections afforded to us by end-to-end security, and rather than give us privacy and child safety, the government is forcing us to compromise on both.

Let’s be clear; this bill was never about improving internet safety, but about the expansion of government control. 

Much of the recent debate about the Online Safety Bill has focused on technology, encryption, and how companies are responding. WhatsApp will leave, Signal will walk, Tutanota will wait for it to be blocked. Yes, this bill threatens encryption: it defeats what the encryption is meant to achieve. But we really need to talk more about what we — the adults and children — will be left without if this bill passes.

Alec Muffett wrote last year that the Online Safety Bill would leave his young daughter without “the kinds of privacy, assurance and integrity that to date we have all taken for granted.” Yes, the bill — and its peers in other countries, such as ChatControl in the EU — would impact journalists and their sources; lawyers and their clients; and activists and their missions. But it also leaves future generations without the tools to safely explore, learn, grow, and change the world as they see fit.

MITRE ATT&CK

The MITRE ATT&CK framework is a great way to document adversary tactics and techniques based on real-world observations. In writing this blog post, I also found that it's a helpful way to identify what you know and don't know about an adversary and/or a piece of malware. If you haven’t used ATT&CK before, check out the resources from CISA and MITRE.

Initial Access

The first tactic in the matrix is Initial Access, which consists of techniques used to gain entry to a system. As I wrote in the post for Objective-See, "we don't know how this implant makes it onto a target system; the type of system it’s used on; or the geographical location of a typical target." For that reason, we'll leave this blank.

Execution

The next tactic, Execution, focuses on techniques used to run the implant on the target system. Comparing MITRE's list with my post on Objective-See, we find that Green Lambert can:

• Use shell scripts for execution (Command and Scripting Interpreter: Unix Shell [T1059.004])

• Use Launchd for initial and recurring execution (Scheduled Task/Job: Launchd [T1053.004])

Persistence

Persistence is all about retaining access to the system across restarts, changed credentials, and other interruptions. If we look at the section about Entry Points in the Objective-See post, we find that Green Lambert can:

• Persist via a LoginItem (Boot or Logon Autostart Execution: Plist Modification [T1547.011])

• Persist via RC scripts (Boot or Logon Initialization Scripts: RC Scripts [T1037.004])

• Persist via LaunchAgent (Create or Modify System Process: Launch Agent [T1543.001])

• Persist via LaunchDaemon (Create or Modify System Process: Launch Daemon [T1543.004])

• Persist via shells (Event Triggered Execution: Unix Shell Configuration Modification [T1546.004])

• Use Launchd for initial and recurring execution (Scheduled Task/Job: Launchd [T1053.004])

Privilege Escalation

We have not seen Green Lambert gain elevated access, so we'll leave Privilege Escalation blank.

Defense Evasion

The Defense Evasion tactic looks at how an adversary avoids detection. In this case, that means:

• Use of custom routines to decrypt strings (Deobfuscate/Decode Files or Information [T1140])

• Ability to self-delete once installed (Indicator Removal on Host: File Deletion [T1070.004])

• Masquerade as GrowlHelper (Masquerading: Masquerade Task or Service [T1036.004])

• And as Software Update Check (Masquerading: Masquerade Task or Service [T1036.004])

• Decrypt strings in-memory, per CIA guidelines (Obfuscated Files or Information [T1027])

Credential Access

Credential Access looks at techniques used to steal credentials, such as account names and passwords. During initial triage of Green Lambert, we found a string that (at least) suggests the following technique.

• Use of SecKeychainFindInternet… (Credentials from Password Stores: Keychain [T1555.001])

Discovery

For Discovery, we'll look for ways that Green Lambert gains knowledge about the system. We don't have a lot of information to go on, just a few clues from our initial triage and what appears to be a configuration file and/or system survey. Green Lambert can:

• Determine the Linux version and system uptime (System Information Discovery [T1082])

• Determine proxy settings (System Network Configuration Discovery [T1016])

• Determine the current date and time (System Time Discovery [T1124])

Lateral Movement

We have not seen Green Lambert access remote systems, so we'll leave Lateral Movement blank.

Collection

We don't know how Green Lambert treats collected data, so we'll leave Collection blank.

Command and Control

Command and Control consists of techniques used for communication. Green Lambert can:

• Make a DNS request (Application Layer Protocol: DNS [T1071.004])

• Communicate with hostname and IP address (Fallback Channels [T1008])

• Use a proxy for communications (Proxy [T1090])

Exfiltration

We don't know how Green Lambert steals data from the system, so we'll leave Exfiltration blank.

Impact

We don't have any data to suggest Green Lambert destroys the target, so we'll leave Impact blank.

Let's visualize it!

Plugging (almost all) the information gathered into the ATT&CK Navigator, we get this visualization.

Conclusion

That's it! (I think. Please let me know if I've missed anything.) As the visualization above shows, there's a lot more to dig into here. For example, you can use @osxreverser's Delambert plugin to decrypt more strings. Or you can take a closer look at command line arguments. Or how the Green Lambert generates the victim ID. Or what the implant collects and how it exfiltrates data.

Happy hunting!