The week was dominated by news that thousands of pagers, walkie-talkies and other devices were exploding across Lebanon on Tuesday and Wednesday in an attack targeting the militant group Hezbollah. At least 32 people were killed, including at least four children, and more than 3,200 people were injured. The covert campaign has widely been attributed to Israel, though none of the country’s government agencies have commented.
In addition to the carnage, the attacks have—seemingly by design—had the effect of sowing paranoia and fear, not just among members of Hezbollah but also in the general Lebanese public. Hardware and warfare experts say that the incident is unlikely to establish a global precedent that people’s most trusted communication devices and electronics, like smartphones, are rigged with explosives left and right. But it does create the potential to inspire copycats and puts defenders on notice that such attacks are possible.
Researchers say that China’s 2023 Zhujian Cup, a hacking competition with ties to the country’s military, took the unusual step of requiring participants to keep the content of the exercise secret—and they may have been targeting a real victim as part of the event. Apple’s new stand-alone app Passwords that launched with iOS 18 may help solve your login problems. And a now-deleted post from billionaire Elon Musk that questioned why no one has attempted to assassinate Joe Biden and Kamala Harris renewed concerns this week that Musk is willing to inspire extremist violence and is a national security threat in the United States.
And there’s more. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
Last month, Microsoft, Google, and various media outlets issued warnings about an Iranian government-backed hacking group known as APT42. This group targeted the political campaigns of Joe Biden and Donald Trump, successfully extracting and later leaking emails from the Trump campaign. Recently, the FBI disclosed that these hijacked communications were also sent to the Democratic Party. However, there is no evidence that the Democrats requested or even received these emails from the Iranians.
Following these events, the Republican Party drew parallels between these incidents and previous allegations of the Trump campaign colluding with Russian hackers from the GRU military intelligence, who infiltrated the Democratic National Committee and the Clinton campaign in 2016. The Trump campaign has publicly demanded that the Democrats disclose any usage of the hacked material. In contrast, the Harris campaign asserts its non-involvement, stating to CNN that it has been collaborating with law enforcement and was unaware of any direct receipt of such emails, dismissing them as likely spam or phishing efforts. “We condemn in the strongest terms any effort by foreign actors to interfere in US elections, including this unwelcome and unacceptable malicious activity,” remarked Morgan Finkelstein, the national security spokesperson for the Harris campaign, in an interview with CNN.
The FBI recently reported the dismantling of a significant network of hacked devices secretly managed by a Chinese state-backed hacking entity known as Flax Typhoon. This network consisted of 260,000 routers and IoT devices. It is believed that a Chinese contractor named Beijing Integrity Technology Group, a rare example of a publicly known company, was operating these compromised devices for the Chinese government. Even after the takedown, the network still included 60,000 devices, making it the largest known Chinese government-backed network of this type, as per reports from the FBI and Black Lotus Labs security firm. This botnet was reportedly used for infiltrating U.S. and Taiwanese government agencies, defense contractors, telecom firms, and other targets.
On a recent Wednesday night, two young men were apprehended after allegedly pilfering several hundred million dollars in cryptocurrency, which they purportedly spent on lavish items like luxury vehicles, watches, jewelry, and designer bags. According to an indictment by the US Department of Justice, 20-year-old Malone Lam, also known online as “Anne Hathaway”, and 21-year-old Jeandiel Serrano, also known as “VersaceGod”, are accused of stealing $243 million in cryptocurrency and obscuring its origins using mixing services.
CoinDesk reported that the men allegedly tricked the heist’s victim, a creditor of the now-defunct trading firm Genesis, using a social engineering scam that led them to reset their Gemini two-factor authentication and transfer 4,100 bitcoin to a compromised wallet. An analysis of the transaction by blockchain investigator ZachXBT revealed that the $243 million was divided among multiple wallets and then distributed to over 15 exchanges.
On Thursday, TechCrunch reported that Apple’s latest desktop operating system update, macOS 15 (Sequoia), breaks some functionality of major security tools made by CrowdStrike, SentinelOne, and Microsoft. It’s unclear what specifically in the update is causing the issues, but social media posts and internal Slack messages reviewed by the tech outlet show that the update has frustrated engineers working on macOS-focused security tools.
A CrowdStrike sales engineer informed colleagues via Slack that the company would not be able to support Sequoia on day one, despite its usual practice of quickly supporting new OS releases. While they hope for a quick patch, they will likely need to scramble to resolve the issue with an update in their own code, assuming no immediate fix is available from Apple, which has not yet commented on the issue.
Cryptocurrency theft has become practically a common-or-garden form of cybercrime. But one brutal gang took that form of thievery to a new level of cruelty and violence, breaking into a series of victims’ homes to threaten and extort them into handing over their crypto holdings, sometimes even resorting to kidnapping and torture. This week, that disturbing story came to a close with the sentencing of the group’s ringleader, a Florida man named Remy St. Felix, to 47 years in prison. St. Felix is one of 12 members of the gang to have now been charged, convicted, and sentenced. Prior to the home invasions that St. Felix led, another member of the group named Jarod Seemungal allegedly stole millions with more traditional crypto hacking techniques. But St. Felix’s more violent, offline extortion attempts netted his gang only around $150,000 in cryptocurrency before they were caught and sentenced to years behind bars. The lesson: Crime doesn’t pay—or at least, not the physical kind.