Spyware, fake news and more feature in investigation of reputation management firm


Welcome to The Cybersecurity 202! Ahhhhh, long weekends. Who doesn’t love ‘em? Thanks for having a birthday, George Washington. As a result of the holiday, we’ll see you next on Tuesday.


Below: The Technology Modernization Fund announces new million-dollar investments to secure federal agencies, according to details shared exclusively with The Cybersecurity 202, and we dive into a coordinated effort between the United States and Europe to dismantle Russian spy networks. First:

The Post and its media partners uncover depths of deceptive tactics at Spanish firm

A Spanish reputation management firm conducted online “information warfare,” in the words of one expert, to alter perceptions of its clients, according to an investigation out this morning.

The story, written by my Washington Post colleague Shawn Boburg as part of a project involving more than 100 journalists from 30 news organizations, has a smorgasbord of cyber and cyber-related elements, from allegations of hacking to an Italian spyware company.

At the center of the story is Eliminalia, a firm founded by Diego “Dídac” Sánchez that “employs elaborate, deceptive tactics to remove or drown out unflattering news stories and other content,” the investigation found.

“It’s hugely significant that this stuff is happening,” Adam Holland, a project manager at Harvard University’s Berkman Klein Center for Internet & Society, said in response to The Post’s findings. “This is information warfare.”

Eliminalia and Sánchez did not respond to questions for Shawn’s story. Eliminalia’s lawyers declined to provide answers to the questions in part because they concern “business secrecy or a request for information on customers about whom our client could not in any case answer.”

The investigation draws on nearly 50,000 internal documents, and is part of the “Story Killers” project of Forbidden Stories, a Paris-based journalism nonprofit organization.

One of the company’s tactics is to bury unflattering information about its clients under an avalanche of fake news websites in a bid to influence web searches, the story says.

One of the company’s more elaborate tactics employs links that capitalize on other websites’ security flaws to disguise themselves as being connected to reputable organizations, according to the story:

  • “The links had another feature that experts said appeared designed to make search engines give prominence to the fake news outlets. They were crafted to piggyback on the URLs of legitimate websites, including those of Stanford University, NASA and the Federal Highway Administration.”
  • “That was possible because of a security flaw within the websites of the reputable institutions that allows what is called an ‘open redirect,’ permitting anyone to modify an institution’s URLs by adding characters to them so they automatically redirect users to other specified webpages.”
  • “After The Post contacted them, Stanford, NASA and the Federal Highway Administration fixed the vulnerabilities in their websites. Representatives of all three said the entities respond quickly to reports that their websites are being misused.”
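For site operators, the fix for the open redirect described above is to validate the destination before sending the redirect. A sketch of that check follows, added here as an illustration and not taken from the investigation or from any of the named sites; the host names and the `url` query parameter are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed for this example: the site's own host and the hosts it may redirect to.
SITE_HOST = "www.example.edu"
ALLOWED_HOSTS = {SITE_HOST, "library.example.edu"}


def is_safe_target(target: str) -> bool:
    """True if target is a same-site path or an https URL on an allowlisted host."""
    # Whitespace, control characters and backslashes are normalised differently
    # by browsers and URL parsers, so refuse them outright.
    if not target or any(ord(c) <= 0x20 or c == "\\" for c in target):
        return False
    try:
        parts = urlsplit(target)
        host = parts.hostname
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only an absolute path on this site.
        # "//host/path" is scheme-relative and would leave the site.
        return target.startswith("/") and not target.startswith("//")
    # Absolute URL: https only, and the parsed host (not a substring match,
    # which "allowed-host@other-host" would defeat) must be allowlisted.
    return parts.scheme == "https" and host in ALLOWED_HOSTS


def offsite_params(request_url: str) -> list[tuple[str, str]]:
    """Audit helper for access logs: query parameters carrying an off-site URL.

    Heuristic: only values that start like a URL are considered.
    """
    query = urlsplit(request_url).query
    return [
        (name, value)
        for name, value in parse_qsl(query)
        if value.lower().startswith(("http://", "https://", "//"))
        and not is_safe_target(value)
    ]
```

A redirect handler would call `is_safe_target` on the requested destination and fall back to a fixed page when it returns False; `offsite_params` can be run over logged request URLs to find links that already rely on the redirect.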

Another tool Eliminalia used exploits laws meant to protect privacy and intellectual property by filing takedown notices alleging copyright infringement or violations of privacy rules, the investigation found.

Working on behalf of former reality TV personality Carter Oosterhouse, who had been publicly accused of sexual misconduct, Eliminalia targeted a story with a legal notice to Cloudflare that was later forwarded to Amazon Web Services. (Amazon founder Jeff Bezos owns The Washington Post.) The notice said it originated from the “Brussels EU Commission” to claim Oosterhouse’s privacy rights had been violated, citing a California law.

Purported obscure media companies sent legal notices — actually crafted by Eliminalia — to the company that owns WordPress, Automattic. The notices said that a blogger had republished their content without permission. The blogger, 71-year-old Maryland retiree Geri Ungurean, had urged readers not to donate to a Chicago charity, the International Fellowship of Christians and Jews, saying that its executives received exorbitant salaries.

Here’s where the hacking allegations emerge:

  • “Automattic told Ungurean in emails she shared with The Post that its records showed that the blog post was deleted in January of last year by someone using her log-in credentials. Ungurean said she did not delete the post and believes that her account was hacked.”
  • “Automattic told Ungurean that it could not determine whether her account had been hacked because the company does not retain detailed data, such as the location of a log-in, after 30 days.”

Spyware and ‘data protection’

One of Eliminalia’s clients was Italian spyware company Area SpA. The firm had paid $100,000 to the U.S. Commerce Department in 2014 to settle charges that it had improperly sold U.S.-made spyware components to Syria.

Eliminalia’s disinformation services earned it millions of dollars, the internal documents show.

So, what to make of Eliminalia now? “The firm’s Barcelona office is in a high-end building in the city’s center, near the famed Las Ramblas boulevard,” the story reads. “A woman who answered the door at the office in January, after The Post and partner news organizations began contacting Eliminalia’s clients, told a reporter that the company had changed its name to iData Protection and that its new focus was data security.”

Exclusive: Agencies to double down on cybersecurity investments

The Technology Modernization Fund (TMF) today will announce fresh investments in the Social Security Administration, the Treasury Department and the U.S. Agency for Global Media (USAGM) to help the agencies update cybersecurity and other digital tools, according to details shared exclusively with The Cybersecurity 202. 

“With these new cybersecurity investments, TMF funding will increase the security of some of the nation’s most critical systems and sensitive data,” said Raylene Yung, executive director of TMF, which is overseen by technology leaders and charged with investing in nationwide projects to maintain an equitable and secure digital space.

The money will be spread broadly across the three federal departments:

  • Roughly $23.3 million will go to the Social Security office to build multi-factor authentication, improve customer data security and speed up public benefits processing.
  • Treasury will receive about $11.1 million to help maintain the reliability of its cloud-operated national intelligence network, which shares classified information with other agencies, while tackling existing security challenges overseas.
  • USAGM is expected to get roughly $6.2 million to implement zero trust architecture that will protect the safety of journalists and their sources, and safeguard the integrity of its news reports in countries that typically impose strict media controls.

U.S., Europeans work to cripple Russia’s spy networks

Western governments have been successfully waging a campaign to weaken Russia’s spy networks, with U.S. and European security officials cautioning that Russia retains significant capabilities but that its spy agencies have sustained greater damage over the past year than at any time since the end of the Cold War, The Washington Post’s Greg Miller, Souad Mekhennet, Emily Rauhala and Shane Harris report.

The magnitude of the campaign seemingly caught Russia off-guard, officials said, blunting its ability to carry out influence operations in Europe, stay in contact with informants or provide insights to the Kremlin on key issues.

Now, Russia has sought to compensate for its losses by relying more heavily on cyberespionage, Antti Pelttari, director of Finland’s foreign intelligence service, and other European officials said. 

Over the past month, for example, Lithuania has endured a wave of online operations targeting Ukrainian refugees. “The first involved ‘phishing’ emails that were sent out to local agencies, nonprofits and even hotels with attachments seeking the names and addresses of Ukrainians they had encountered,” Greg, Souad, Emily and Shane write. 

“The messages were falsely sent under the guise of Lithuania’s migration authority, prompting a scramble by public officials to disavow the emails and reassure Ukrainians there was no government effort to track them,” they added. 

Justice, Commerce departments create strike force to protect critical technology

The Justice and Commerce departments on Thursday unveiled a strike force intended to combat threats from adversaries like Russia and China, Jared Gans reports for the Hill.

In a news release, the Justice Department said that the group, dubbed the Disruptive Technology Force, will assemble a team of experts from the FBI, Homeland Security Investigations, and 14 U.S. attorney’s offices from 12 cities. It will “target illicit actors, strengthen supply chains and protect critical technological assets from being acquired or used by nation-state adversaries,” the Justice Department said.

The strike force will be co-led by Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division and Assistant Secretary for Export Enforcement Matthew Axelrod of the Commerce Department’s Bureau of Industry and Security. 

“Advances in technology have the potential to alter the world’s balance of power,” Axelrod said. “This strike force is designed to protect U.S. national security by preventing those sensitive technologies from being used for malign purposes.”

Fox News hosts, execs privately doubted 2020 conspiracies shared on air (Jeremy Barr and Rachel Weiner)

The company helping the IRS go undercover online (Motherboard)

Google backs federal push for tech to embrace ‘secure by design’ (Cybersecurity Dive)

Hackers using Google ads to spread FatalRAT malware disguised as popular apps (The Hacker News)

German airport websites hit by suspected cyber attack (Reuters)

Hackers backdoor Microsoft IIS servers with new Frebniis malware (Bleeping Computer)

Hacker uncovers how to turn traffic lights green with flipper zero (The Drive)

  • The National Association of State Election Directors holds its winter conference in D.C. today through Saturday. 
  • The National Association of Secretaries of State holds its winter conference today through Saturday.

Thanks for reading. See you next week.