Hello, and welcome to the latest edition of Codebook. This week, our thoughts are with those in Texas and elsewhere recovering from the recent storm.

Situational awareness: Federal investigators levied new charges Wednesday morning against North Korean computer programmers accused of wide-ranging cyberattacks, including the Sony Pictures hack and extorting more than $1.3 billion of money and cryptocurrency. Go deeper.

Today's newsletter is 1,316 words, a 5-minute read.

1 big thing: How countries amplify COVID disinformation

Illustration: Aïda Amer/Axios

China, Russia and Iran — drawing on one another’s online disinformation — amplified false theories that the COVID-19 virus originated in a U.S. bioweapons lab or was designed by Washington to weaken their countries, according to a nine-month investigation by AP and the Atlantic Council’s DFRLab.

Why it matters: Through a series of overlapping, if slapdash, efforts, America's global adversaries benefited from mutually reinforcing counter-narratives propagated online that aimed to falsely place responsibility for the pandemic on the U.S. and often to sow doubt on its actual origin within China.

  • The extensive use by these countries of each other's COVID-19 disinformation shows just how international — and mutually reinforcing — these online networks have become.
  • The investigation was “based on a review of millions of social media postings and articles on Twitter, Facebook, VK, Weibo, WeChat, YouTube, Telegram and other platforms,” says the AP.

Details: Although seemingly less coordinated than other such efforts, extensive anti-American COVID-19 disinformation efforts first popped up in Russia, according to the AP/ DFRLab report.

  • A Russian military media outlet was the first identified publication that ran a story advancing the claim that COVID-19 was American, not Chinese, in origin.
  • In the first few months of 2020, “more than 70 articles appeared in pro-Kremlin media making similar bioweapons claims in Russian, Spanish, Armenian, Arabic, English and German,” writes AP.

However, “it was China — not Russia — that took the lead in spreading foreign disinformation about COVID-19’s origins, as it came under attack for its early handling of the outbreak,” says the report.

  • By March 2020, Chinese state media outlets, as well as diplomats on social media, were pushing the conspiracy theory that COVID-19 was a biological weapon created by the United States at Fort Detrick in Maryland and brought to China during the 2019 Military World Games, which were held that October in Wuhan.
  • That month, “an anonymous petition appeared on the White House’s now-defunct ‘We the People’ portal. It urged U.S. authorities to clarify whether the virus had been developed at Fort Detrick and leaked from the lab. The petition was lavishly covered by China’s state media, despite getting only 1,426 signatures,” writes AP.
  • By May, Chinese state media broadcast “a slick documentary about Fort Detrick set to spooky music that has been viewed on its YouTube channel more than 82,000 times” and “played on China’s Bilibili platform 378,000 times.”
  • Chinese diplomats also began extensively posting COVID-related disinformation on Twitter, which is banned in China itself.
  • On popular social networks within China like Weibo, viral posts drew from Russian and Chinese disinformation to spread the false “U.S. bioweapons” theory of COVID-19.

Of note: Instead of using botnets or Russian IRA-type troll farms, the Chinese relied on their vast network of state-affiliated news outlets, as well as Chinese government accounts on social media, to propagate these false theories, writes DFRLab.

Iranian leaders, meanwhile, also began to push out false claims — Russian and Chinese in origin — that COVID-19 was a U.S. bioweapon designed to target Washington’s enemies.

  • The Iranians’ false allegations “were, in turn, amplified by Russian media and picked up in China, where they fueled further speculation,” writes AP.
  • An Iranian disinformation network active on Facebook, Google and Twitter also “activated a network of websites and covert social media accounts to accuse the U.S. of engineering the virus and praise[d] the leadership and benevolence of China,” writes the AP.

Yes, but: The DFRLab report also explores how a separate, earlier stream of disinformation — revolving around the false assertion that COVID-19 was purposefully leaked from a Chinese lab — spread online through U.S.-based far-right networks like QAnon and eventually bled into right-wing media more broadly.

  • “The traditional view about conspiracy theories is that they exist along the fringes of the information space, apart from the mainstream and official communications. However, in the United States, these conspiracy theories have permeated all layers of discourse, particularly being embraced by elements of mainstream media and individual conservative policymakers during the Trump administration,” writes DFRLab.
  • Chinese government disinformation pushing the false “U.S. bioweapons thesis” about COVID-19 followed this earlier U.S.-based conspiracy theory that COVID-19 was a Chinese bioweapon — paralleling and inverting it.

2. French authorities reveal Russian cyber espionage campaign

Russian state hackers executed a long-running spying campaign that “mostly affected information technology providers, especially web hosting providers” on a number of French targets, according to a new report by ANSSI, the French national cybersecurity agency.

Driving the news: The spying campaign, which dated from late 2017 through 2020, was the work of Russia’s Sandworm group, says ANSSI.

  • Sandworm, which analysts and U.S. officials say is associated with the Russian military intelligence agency commonly known as the GRU, is known for its aggressive and destructive cyber operations, including the 2017 NotPetya attack that began in Ukraine before spreading globally.
  • “The Command and Control infrastructure was known by ANSSI to be controlled” by Sandworm, states the report.

How it works: Like Russia’s SolarWinds hack, the campaign described by ANSSI involved a supply chain compromise — in this case of a French IT monitoring platform called Centreon.

  • The French agency “discovered the presence of a backdoor” that had been inserted onto Centreon servers, says the report.
  • Although ANSSI does not name any potential victims of the campaign, Centreon clients include “Airbus, Air France, Thales, ArcelorMittal, Électricité de France (EDF) and telecoms firm Orange among its clients, as well as the French Ministry of Justice,” according to Politico.

3. How COVID transformed the world of malware

The COVID-19 pandemic transformed the world — and the afflictions of malware evolved with it, writes the security company Malwarebytes in its 2021 State of Malware report.

Why it matters: “The story of malware in 2020 … is a story of how the tools and tactics of cybercrime and cybersecurity changed against a backdrop of enormous changes to ordinary life,” says the report.

One big trend was the “staggering rise” in the use of stalkerware, writes Malwarebytes, with the company detecting a 1,677% increase in spyware on its Android product from January through June 2020.

  • The use of other monitoring apps rose 780% over the same period on Android, says the report.
  • “As the world locked down in April 2020, a tool that was once the preserve of nation states and cybercriminals became something otherwise ordinary people used on each other,” writes Malwarebytes about the spyware epidemic.

Some industries saw a sharp increase in malware detections in 2020, while others saw significant decreases.

  • For instance, the agriculture industry saw a 607% increase in detections, while detections in the food and beverage industry rose by 67%.
  • Meanwhile, detections in the education field fell by 17%, in the health care field by 22%, and the automotive industry by 18%.

Of note: 2020 saw the advent of a new ransomware named Egregor, which was used in “attacks against Ubisoft, K-Mart, Crytek, and Barnes & Noble,” says the report.

4. Estonia warns of "silenced world dominated by Beijing"

Illustration: Aïda Amer/Axios

In its annual report released today, the Estonian Foreign Intelligence Service paints a stark picture of China's attempts to silence criticism and dominate key technologies in Estonia and other democracies, Axios’ Bethany Allen-Ebrahimian reports.

Why it matters: The small Baltic state has decades of experience in staring down Russia's authoritarian encroachment. China's actions in Estonia are now ringing similar alarm bells.

What the report says: "Implementing China's foreign policy doctrine, or creating a 'community of common destiny,' will lead to a silenced world dominated by Beijing. Faced with growing confrontation with the West, China's main goal is to create a divide between the United States and Europe."

  • The report warns that China's leadership "has a clear objective of making the world dependent on Chinese technology," mentioning 5G maker Huawei and navigation system BeiDou.
  • The report's section on China also highlights Beijing's growing ability to conduct influence operations in the West through economic leverage, surveillance of Chinese nationals abroad, and the cultivation of local elites.

Background: Russia has long been Estonia's greatest security concern, particularly the threat of military invasion. China doesn't pose a military threat to Estonia.

  • But throughout the 2010s, Estonia grew increasingly wary of Beijing's use of economic coercion for geopolitical ends, its cyber espionage, and its growing partnership with Russia. This year's foreign intelligence report uses the harshest language yet.

The big picture: Estonia, like the Czech Republic, is more outspoken in its criticism of China than larger European countries like Germany and France.

5. Odds and ends