IEEE Cipher --- Items from security-related news (E171)
Summary:
The Guardian newspaper said that its internal systems were affected by a
ransomware attack on December 20. The attack was probably launched
via a phishing campaign. The paper said no personal data of subscribers
or staff was leaked. However, employees were asked to work from
home while the IT staff completed recovery procedures. There was no
statement about whether or not a ransom had been paid.
[Ed. Perhaps the attack made The Guardian more aware of cybercrime than it had been previously. In looking over the news items we collected for this issue of Cipher, we noticed that all of them were from The Guardian during January. Let's hope the paper continues being a good source of security information.]
Summary:
Experts say that information about Twitter users was gathered at some
indefinite past time and posted in early January of 2023. The data
might be a year or two old. The correlation between Twitter handle
and email address could be a significant headache for users who
expected identity privacy. The sheer number of email addresses is
significant, but the worst problem for the social media company might
be the fallout from EU regulations about protecting user data.
Summary:
Sometimes the social media companies violate the privacy of their
users, and sometimes they are pawns in a different game. Meta is
suing a company, Voyager, that has used information from Facebook and
Instagram accounts to predict crime, including terrorism, and to
report those predictions to law enforcement. The Voyager tools
accomplished their data collection through thousands of fake accounts
that violated Meta's terms of use. The fake accounts are said to have
been both passive and active. Some were controlled by police
personnel observing or interacting with targeted people.
Voyager is not the only company producing tools that use social media for surveillance. The Guardian article opines that "tech firms working to offset the industry's slowing growth have increasingly answered law enforcement’s call for new surveillance and policing products." This is a dilemma for the social media companies because they are obligated in various ways to protect user privacy, but they are also platforms for covert surveillance by governments. Voyager's customer in this case, the Los Angeles Police Department, was delighted by the insights the tool gave them.
Summary:
The UK postal service's international service was rendered inoperative
due to ransomware from a group known as Lockbit, probably originating
from Russian hackers. The hackers threatened to publish unspecified
stolen data unless the ransom was paid. The postal service's domestic
operations were unaffected.
The Royal Mail worked with the government's cybersecurity agencies to try to cope with the damage.
Summary: Two weeks after a ransomware attack, the UK Royal Mail reported that it had nearly dug itself out of the damage and would be able to resume international operations. There was no word on whether or not the ransom had been paid, though given the length of the downtime, one suspects that it was not.
Noting that ransomware attacks are becoming more frequent, the article goes on to note this depressing assessment of the effect on businesses and governments: "British government sources dealing directly with the ransomware issue told The Record they saw no light at the end of the tunnel ..."
Summary:
For several months the FBI has been keeping tabs on the server for a
notorious ransomware site called The Hive. They were able to help
some victims get the decryption keys for freeing their data without
paying ransom, but attacks continued. The international coalition of
law enforcement agencies finally infiltrated the server. Though
details of the legal exploit are public, it seems that the server was
the command and control center for the ransomware software. By
seizing the site, they got access to the software that generated the
encryption and decryption keys.
The FBI worked with victims to learn about how the software affected their systems, and they were finally able to devise a method for gaining full access to the server, which now displays a web page announcing the seizure and the agencies that cooperated in the operation.