Axios Codebook

A master lock with ones and zeroes instead of the regular numbers.

January 27, 2023

😎 TGIF, everyone. Welcome back to Codebook.

  • Not sure about y'all, but I'm relieved Friday is here. What a week!
  • 📬 But first: Have thoughts, feedback or scoops to share? [email protected]

Today's newsletter is 1,433 words, a 5.5-minute read.

1 big thing: NSO tries to make its case in D.C.

Photo illustration of NSO chief executive Yaron Shohat with images of the NSO logo and the Capitol Building

NSO chief executive Yaron Shohat. Photo illustration: Sarah Grillo/Axios. Photo courtesy of NSO

Embattled Israeli spyware company NSO Group is trying to make a crime-fighting case in Washington, but it faces a near-impossible challenge to get skeptical U.S. lawmakers and human rights activists on board.

Driving the news: NSO chief executive Yaron Shohat spoke with Axios this week during a trip to Washington to push the narrative that the company's spyware tools are a boon in the fight against terrorism and crime.

  • But during the three-day trip, NSO representatives said they didn't plan to meet with any Biden administration officials. At least one skeptical Democratic congressional office told Axios they didn't get any outreach from the company.

Zoom out: NSO's Pegasus phone-hacking spyware gained widespread attention in 2021 following an investigation from a consortium of news organizations detailing the ways governments have used the tool to spy on journalists, human rights activists and high-ranking politicians.

  • Unlike typical malware, Pegasus is "zero-click": it can be installed on a target's phone without any action by the victim, not even a tap on a malicious link.
  • Since 2021, the company has been placed on a U.S. trade blacklist, inspired a UN call for a global moratorium on spyware sales, and was nearly the subject of a Supreme Court case.

The big picture: NSO's Washington tour comes as the administration pieces together a forthcoming spyware executive order, and shortly after lawmakers gave the intelligence community new powers to protect against certain commercial spyware.

  • But Shohat told Axios that he believes NSO can still win over skeptics with a simple argument: "Our product saves lives around the world," he said.

Catch up quick: Shohat started as CEO in August as part of a larger company restructuring following years of scrutiny of the Israeli spyware firm's product use.

Details: Shohat told Axios that NSO is now cash-flow positive due to its mostly Western European government customers that use the tool to track down terrorists, child sex abusers and other criminals.

  • NSO has now terminated 10 customer contracts for abusing the tool following internal investigations, he said, and the company will continue to investigate any other reports claiming its customers are spying on journalists and dissidents.
  • NSO, which claims to sell only to government customers, says it has tweaked its products and internal auditing programs to better flag abusive use, although it declined to say how, citing the need to protect the product from hackers and criminals.

Between the lines: NSO argues that its tools are preferable to alternatives that are far more dangerous, like mercenary hacking firms and spyware coming out of Russia and China.

  • "The government that buys it, they are the ones operating it, they're the ones deciding who to target, they are the one who is getting the intelligence gathered from the devices," Shohat told Axios.
  • "We are not a part of it; we are not exposed to it. That's part of the misconception that exists," he added.

The other side: Without specifics about how exactly NSO is preventing abuse or providing redress to victims, the new CEO's arguments aren't budging human rights activists and researchers.

  • "The cat is out of the bag: The world now knows that a major use of Pegasus is to monitor journalists and human rights groups," John Scott-Railton, a senior researcher at the University of Toronto's Citizen Lab who closely monitors NSO's work, told Axios. "It's a tool of espionage that has nothing to do with crime or terror."
  • Brett Solomon, the head of Access Now, agreed that governments have started to recognize the threats posed by spyware and begun to take action. "Spyware has not been solved, but I do think we have been able to collectively put this issue much more on the global agenda," he told Axios at the World Economic Forum in Davos, Switzerland, last week.
  • "If we look at the direct record of the company, that's just patently untrue," said Roman Gressier, an American journalist working for Salvadorian outlet El Faro who was targeted with Pegasus, about NSO's claims that it focuses solely on crime and terrorism. "How can anyone take them at their word?"

Yes, but: The U.S. isn't completely averse to using commercial spyware. The New York Times reported last month that the Drug Enforcement Administration is using spyware from a different Israeli company.

What they're saying: "This kind of technology is a must to provide public safety and protect it," Shohat said.

  • "But it should be done in the right way."

2. Exclusive: Russian hackers target ambassadors

Illustration of a lock in the colors of the Russian flag.

Illustration: Maura Losch/Axios

Russian hackers tied to the government's intelligence service are seemingly targeting ambassadors and their staffs in a new malware campaign, according to a report out today shared first with Axios.

Driving the news: Researchers at Recorded Future's Insikt Group say they've found evidence that the threat group BlueBravo, also known as APT29 and Nobelium, used a compromised website in October to deliver a lure titled "Ambassador's schedule November 2022" to targets.

  • While it's unclear how widespread or successful the campaign has been, researchers suspect that "the targets of this campaign are related to embassy staff or an ambassador."

The big picture: Russian hacking groups are more likely to use ambassador- or embassy-themed headlines and lures during heightened geopolitical tensions, such as the ongoing war in Ukraine, according to the report.

Details: BlueBravo took over a legitimate website; anyone who follows the link in the phishing email is sent there, and a malicious zip file downloads automatically as soon as the page loads.

  • The malware doesn't run, however, until the victim opens what looks like a PDF inside the zip file.

The intrigue: Researchers say BlueBravo is using the API of the popular productivity tool Notion to keep records of which computers have been infected and to relay communications with infected devices.

  • Malware normally reports back to a command-and-control (C2) server that the attacker runs; routing that traffic through a legitimate, widely used cloud service instead lets it blend in with ordinary business traffic, since defenders rarely block such services outright.
  • In previous attacks, BlueBravo also abused well-known services, like Dropbox, Trello and Firebase, for the same purpose.
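One detection check for this technique, as an added example that is not from the Recorded Future report or the original page: it scans per-process outbound request logs for processes that are not known clients of Notion, Dropbox, Trello or Firebase but are reaching their APIs. The log format, API hostnames, process allowlist and sample log lines are all assumptions constructed for this example.

```python
"""Flag endpoints where an unexpected process talks to a SaaS API that has been
abused for command-and-control (Notion, Dropbox, Trello, Firebase).

Added example: not from the Recorded Future report or the original page. The
proxy-log format, hostnames and process allowlist are assumptions for this
illustration; the log lines are constructed.
"""
import re
from collections import defaultdict

# SaaS API hostnames the example watches, keyed to the service name (assumption).
SAAS_C2_HOSTS = {
    "api.notion.com": "Notion",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "api.trello.com": "Trello",
    "firestore.googleapis.com": "Firebase",
}

# Processes expected to reach those hosts on this fleet (assumption; tune per
# environment, and remember that a name match alone is weak evidence).
EXPECTED_CLIENTS = {"Notion.exe", "Dropbox.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# One record per outbound HTTPS request, as an endpoint agent or proxy might log it.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) method=(?P<method>\S+) uri=(?P<uri>\S+)$"
)

# Constructed sample: a workstation where a file posing as a PDF beacons to the
# Notion API, and a second host with one odd Dropbox upload from svchost.exe.
SAMPLE_LOG = [
    "2023-01-25T09:00:01Z host=WS-EMB-07 proc=Notion.exe dst=api.notion.com method=GET uri=/v1/databases/abc",
    "2023-01-25T09:00:05Z host=WS-EMB-07 proc=schedule.pdf.exe dst=api.notion.com method=POST uri=/v1/pages",
    "2023-01-25T09:01:05Z host=WS-EMB-07 proc=schedule.pdf.exe dst=api.notion.com method=PATCH uri=/v1/pages/xyz",
    "2023-01-25T09:02:05Z host=WS-EMB-07 proc=schedule.pdf.exe dst=api.notion.com method=GET uri=/v1/blocks/xyz/children",
    "2023-01-25T09:03:00Z host=WS-FIN-02 proc=chrome.exe dst=api.trello.com method=GET uri=/1/boards",
    "2023-01-25T09:03:10Z host=WS-FIN-02 proc=svchost.exe dst=api.dropboxapi.com method=POST uri=/2/files/upload",
    "not a log line",
]


def parse_line(line):
    """Return the record's fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_saas_c2(lines, min_requests=3):
    """Return (host, process, service, request_count) for every process not on
    the allowlist that reached a watched SaaS API at least min_requests times,
    most active first."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        service = SAAS_C2_HOSTS.get(rec["dst"])
        if service is None or rec["proc"] in EXPECTED_CLIENTS:
            continue
        counts[(rec["host"], rec["proc"], service)] += 1
    alerts = [(h, p, s, n) for (h, p, s), n in counts.items() if n >= min_requests]
    alerts.sort(key=lambda a: (-a[3], a[0], a[1]))
    return alerts


if __name__ == "__main__":
    for host, proc, service, n in find_saas_c2(SAMPLE_LOG, min_requests=1):
        print(f"{host}: {proc} made {n} request(s) to the {service} API")
```

A process-name allowlist is only a starting point: an implant injected into a browser would pass it, so in practice pair this check with which account or API token the traffic authenticates as and whether that token belongs to anyone in the organization.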

3. Charted: Nearly 2,000 data compromises

Data: Identity Theft Resource Center's 2022 Data Breach Report; Chart: Axios Visuals

U.S. organizations faced a near-record number of data compromises in 2022, according to a recent report.

Driving the news: 1,802 U.S. companies reported a data compromise last year, just shy of 2021's record of 1,862, according to a report from the Identity Theft Resource Center this week.

  • The numbers are based on an analysis of publicly reported incidents in the U.S., including data breaches, data exposures and other issues.
  • But reported figures likely underestimate the full impact of these compromises: 66% of data breach notices filed with government offices in 2022 lacked information about the number of victims and the type of attack companies faced.

Why it matters: Compromises in 2022 affected the personal data of more than 422 million people, according to the report, and included Social Security numbers, bank account information, health records and much more.

By the numbers: About two-thirds of compromises in 2022 exposed someone's Social Security number, per the report.

  • Nearly all of the incidents last year were the result of a hacker breaching the company to access its data, while 18 were the result of a company leaving the information exposed online.

Between the lines: The latest numbers were influenced by the late-2022 data compromise at Twitter that affected 221 million users.

  • If not for the Twitter email leak, "the estimated number of data compromise victims would have dropped by ~33 percent (33%) year-over-year."

4. Catch up quick

@ D.C.

👾 The FBI shut down back-end servers and websites tied to prolific ransomware gang Hive. (Axios)

๐Ÿ› TikTok details its proposal to the U.S. government to assuage data security and privacy concerns. (New York Times)

🤫 Microsoft Office 365 Secret cloud is now available at a higher government security classification level. (Microsoft)

@ Industry

🚔 Leaked files from a little-known intelligence firm are shedding light on how cops rely on these secretive companies. (Bloomberg)

🔐 Serial entrepreneur Kevin Rose shares how he got duped by a phishing attack into giving away several valuable NFTs. (Axios)

@ Hackers and hacks

🇷🇺 Russian hacktivists are planning to retaliate against Germany for its plans to send tanks to Ukraine. (Cado Security)

👀 Cybercriminals successfully tricked federal employees into downloading remote monitoring tools later used to scam victims. (CyberScoop)

🇰🇵 North Korean state-backed hackers siphoned more than $1 billion in cryptocurrencies and other blockchain assets in 2022. (Dark Reading)

5. 1 fun thing

Screenshot of a tweet

Screenshot: @jorgeorchilles/Twitter

Congrats to everyone who had a talk accepted last night for the annual RSA Conference in April! Looks like it's shaping up to be a pretty good lineup in San Francisco.

☀️ See y'all on Tuesday!

Thanks to Peter Allen Clark for editing and Khalid Adad for copy editing this newsletter.

If you like Axios Codebook, spread the word.