Masho Lomashvili, Author at Coda Story
https://www.codastory.com/author/masholomashvili/
Fri, 18 Apr 2025 14:51:36 +0000

Ground Zero of Russian Interference
https://www.codastory.com/disinformation/ground-zero-of-russian-interference/
Fri, 25 Oct 2024 12:51:12 +0000

Elections in Georgia and Moldova will determine Russia’s influence on the region

The post Ground Zero of Russian Interference appeared first on Coda Story.

Just like in the United States, the electoral battles happening this week in Georgia and Moldova feel existential to all participating sides. For the two small nations the choice is between a future that is aligned with Europe or one controlled by the old colonial master, Russia.

In Moldova, the pro-European president failed to secure victory in the first round, but the referendum, which will enshrine Moldova’s pursuit of EU membership in the country’s constitution, narrowly passed with 50.38%.  

In Georgia, the country’s pro-Western path is already ingrained in the constitution but the ruling Georgian Dream party, led by a pro-Russian oligarch Bidzina Ivanishvili, has turned increasingly anti-Western and threatens to reverse it. Tens of thousands of protesters waving EU flags in the Georgian capital, Tbilisi, worry they are about to lose the promise of independence that generations prior have fought and died for.  

“The subsequent days and possibly weeks in Georgia is something that sometimes generations pass without experiencing. The quest to save your country is a terrifying responsibility, a debilitating endeavor, a great privilege, and an unparalleled sense of fulfillment,” writes opposition supporter Marika Mikiashvili.

Polls have consistently shown that around 80% of Georgians want the country to join the European Union and NATO. The ambition of being part of the European family is seen as the only way to protect Georgia from Russia, whose military already occupies a fifth of Georgia’s internationally recognized territory.

The results of the second round in Moldova and the upcoming Sunday election in Georgia are also part of a larger context determined by the election cycle in the US. The U.S. election result will have a direct effect on the war in Ukraine, which in turn determines the future of the entire region. Moscow is cheering for Trump. This week, the Russian state media widely quoted former president Medvedev, who praised Trump as “the most significant US figure to admit Vladimir Zelensky’s responsibility for the Ukrainian conflict.”

Zooming out: Left and increasingly far right-leaning forces in the West often argue that Russia should have the control of their backyard and that Washington and Brussels need to stop interfering in the region. This argument is in itself colonial: just like in Ukraine, Moldova’s and Georgia’s fight for independence is also the fight against historic racism and colonial attitudes aimed at non-ethnically Russian people who have been forced into the Russian Empire and then the Soviet Union. Read this piece for context.

Connecting the Dots: Georgia and Moldova (as well as Ukraine) are where the Kremlin mastered its election interference skills, including the strategies used in the 2016 election in the US. Tactics such as vote-buying mechanisms or hacking, used by the Kremlin, are often adopted by authoritarians elsewhere. Paired with an information system built to manipulate and spread lies, such tactics erode democracy worldwide. Some of the more egregious tactics used in elections in Moldova and Georgia include:

  • Open vote buying: The Kremlin has been openly paying voters in the Gagauzia region of Moldova, a region known for separatist sentiments.
  • Voter fraud scheme: a large-scale scheme that involved $15 million being transferred to 130,000 Moldovans, financed by Moldovan oligarch Ilan Shor, who currently resides in Russia. According to Moldova’s incumbent president, 300,000 votes were bought, plenty to sway an election in the country.
  • Pushing Fear: the pro-Russian side launched a propaganda campaign that has framed Moldova’s EU integration as a path to war with Russia. This tactic has been effective in influencing votes, with pro-Russian figures promising to shield Moldova from conflict in exchange for abandoning its EU ambitions.

Fear has been a big weapon for the anti-EU side in Georgia too. The ruling party uses posters comparing bombed sites in Ukraine to newly constructed buildings in Georgia, suggesting that without their leadership, Georgia will face a similar fate. 

Already, the alarm bells of autocracy can be heard: foreign journalists looking to cover the decisive election are being denied visas and entry by the Georgian Dream. In what definitely does not seem like a coincidence, the campaign video for the Georgian Dream is a direct lift of Putin’s 2018 election video.

Bloomberg recently uncovered documents revealing the scope of a previously unknown Russian cyberattack on Georgia ahead of its 2020 elections. Between 2017 and 2020, hackers infiltrated the country's foreign and finance ministries, other government departments, central bank, key energy and telecommunications providers, oil terminals and media platforms. One of the goals of the attack seemed to be obtaining the capability to tamper with Georgia’s vital infrastructure services in case the election results were not seen as favorable for the Kremlin.

This story was originally published as a newsletter.

DIVE DEEPER:

Read: Former Soviet Republics have a lot in common with countries that have struggled against Western colonialism. So why don't we tend to see Russia as a colonizer?

Watch: Georgia on the Crossroads: The online discussion brought together a range of voices to examine the local dynamics and global significance of the unprecedented crackdown on dissent in Georgia. 

Russians face grim options on social media
https://www.codastory.com/authoritarian-tech/russia-vkontakte-censorship/
Sun, 03 Apr 2022 14:13:33 +0000

Censorship on VKontakte leaves Russians with few ways of accessing information counter to the Kremlin’s narratives

The post Russians face grim options on social media appeared first on Coda Story.

Evgenny Domozhiroff, an opposition politician in Vologda, Russia, had not been blocked on VKontakte, the Russian version of Facebook, during the 11 years he conducted anti-corruption investigations. Nor had he been shut down in a decade of posting outspoken criticism of Vladimir Putin and local officials. 

But on March 26, Domozhiroff was blocked. He wasn’t surprised.

“This is another bad sign in a series of bad signs,” he said. 

Online censorship in Russia is escalating at breakneck speed. Russia has clamped down on access to Twitter, Facebook, and Instagram since the country invaded Ukraine on Feb. 24. This has narrowed online social media choices to homegrown options like VKontakte, also called VK. VK already holds a dominant position in Russia, where 80% of Russians online use it, so the winnowing of competitive options is an opportunity for the platform. But as Domozhiroff discovered, domestic platforms have moved quickly to squelch any criticism of Kremlin policy.

The latest expulsions of foreign social media occurred suddenly, but for years the Russian government had been diminishing the role of platforms like YouTube and Facebook, where media-savvy political opposition leaders like Alexei Navalny encouraged dissent and promoted protests. 

The Kremlin’s dedication to establishing a sovereign internet, which would allow authorities to monitor and censor online traffic in and out of the country, vacillated and was sometimes tepid. LinkedIn was banned from the country in 2017, but that platform had only 6 million Russian users at the time. In 2017, the Russian communications watchdog Roskomnadzor threatened to block Facebook unless the company complied with a law requiring the storing of Russian personal data on servers physically located in the country. But when Facebook refused to comply, it was hit with a minuscule $53,000 fine. Roskomnadzor also went after Twitter last year by slowing down access to it in Russia.

The Kremlin’s bid to control social media is no longer indecisive. Since February 24, Facebook, Twitter, Instagram, and YouTube have been blocked in rapid succession. Roskomnadzor classified Meta, the corporation that owns Facebook and Instagram, as an extremist organization. Meanwhile, the last of Russian independent media, TV-Rain and Ekho Moskvy radio, liquidated their operations in Russia, and access to foreign media like the BBC was restricted.

The Kremlin’s hope was that by blocking foreign social media, “people would turn to local options which are easier to police and control,” said Tanya Lokot, an associate professor in Digital Media and Society at Dublin City University.

To some extent, it worked. From February 24 to March 15, VKontakte, used by over 50 million people, saw an increase of 4 million users.

The U.S. has sanctioned VK, which was bought by a company that is partly owned by the state and partly owned by a close associate of Putin. 

VK “is a digital playground for whoever controls the company,” said Lukas Andriukaitis, associate director of DFRLab, a disinformation think tank. 

As with the banning of foreign social media sites, the invasion of Ukraine has accelerated a crackdown on speech occurring on domestic social media that runs counter to the Kremlin’s approved narratives. “VK censorship is escalating,” warned Lokot.

On March 10, VK blocked the pages of Voice of America’s Russian service, Radio Free Europe/Radio Liberty’s Russian service, and Current Time, a 24-hour Russian-language television and digital news network. On March 22, the pages of Navalny, who is imprisoned, and opposition politician Ilya Yashin were blocked for VKontakte users in Russia because of anti-war messages.

https://twitter.com/teamnavalny/status/1506178951936450562

The logic behind which pages get blocked has been unclear. “We do not have extensive knowledge on how exactly VK censorship works. It is pretty much a wild wild west out there,” said Andriukaitis. Certainly, posts about the war in Ukraine are especially risky, and using banned language to describe the conflict, such as “war,” is punishable by up to 15 years in prison. 

With accurate news on VK about the war nonexistent, Russians are turning to VPNs to access blocked social media and news sites. A VPN or “virtual private network” is a digital tool that masks your online activity, so that it can’t be tracked or blocked at the local level. Russians have used the services to continue to access some foreign social media. Instagram, the most popular Western platform in Russia, still had on March 24 around 34 million daily users, only a 16% decrease since it was blocked the day before. 

But in most of the country, the severing of foreign social media has been effective. “Even though those tech-savvy urban dwellers will most likely be able to bypass the restrictions using VPN, they are not the majority of Russia,” said Andriukaitis.

In the past, the Kremlin has been able to prevent Russians from accessing VPNs. It had successfully banned six popular VPNs, and regulated others.

That still leaves Telegram. The messaging platform played an important role for both dissenters and government-affiliated actors in the 2021 civil strife in Myanmar and during protests against the dictatorship of Alexander Lukashenko in Belarus in 2020. Telegram has been a pivotal channel in Russia too, where the number of users increased by 46% between February 24 and March 15. It remains one of the last independent news sources. Groups fearful of getting shut out of VKontakte are posting in Telegram channels.

Telegram’s position, however, is tenuous. Roskomnadzor tried to block the platform in 2018, only to lift the ban two years later. Rashid Gabdulhakov at the University of Groningen in the Netherlands warns that Telegram faces a grim future.

“The most important question, of course, is what will happen once everyone moves their activities to Telegram? Will the state deem it extremist also or will it use the opportunity to spy on everyone?” said Gabdulhakov.

Domozhiroff, the local opposition politician, is not optimistic. “I think that unblocking and resuming full-fledged work is possible only after a radical regime change and the restoration of Russia's democratic path of development,” he said.

In Israel, ransomware attacks against private companies pose a new kind of national security threat
https://www.codastory.com/disinformation/iran-israel-ransomware/
Thu, 20 Jan 2022 15:06:21 +0000

Groups linked to Iran rattle Israeli confidence by seeking to cause panic and doubt through computer infiltrations

The post In Israel, ransomware attacks against private companies pose a new kind of national security threat appeared first on Coda Story.

Every week approximately a thousand institutions in Israel are hit with a cyberattack. It is a constant barrage of computer infiltrations. Most are ransomware attacks, and the motive has been money.

Until recently. 

In 2021, several incidents featured attackers demanding ransom, but their behavior ran counter to typical ransomware heists and suggested that lurking beneath the surface, they had different goals. They made their demands with extroverted gusto, like they intended their crime to be a public act. The targets were mainly mid-sized companies such as dating apps and insurance companies, large enough to cause public concern but not large enough to spark action from the Israeli state. Most telling, the groups behind the attacks have been linked to Iran to varying degrees. 

“I call this a hybrid threat. There are attacks that are considered political-cyber-offensive, which are by states or by non-state actors but with a political agenda,” said Gabi Siboni, the head of the cyber security program at The Jerusalem Institute for Strategy and Security. “And there are cyber criminals. But what you can see is that it's getting mixed.”

This new generation of ransomware attacks underscores how a new front in the conflict between Iran and Israel is developing. Ostensibly a financial crime, ransomware has become a tool of statecraft whose geopolitical aim is to damage the social bonds of Israeli society and public trust in the country’s institutions, rather than to damage infrastructure or extract a financial bounty.

While the Israeli Cyber Directorate has issued multiple recommendations and warnings about this new “wave of attacks,” the responsibility to protect private computer systems still rests with companies. The advent of geopolitical ransomware exploits a structural vulnerability: a route to damage the social cohesion of a country via geopolitical attacks that bypass state defenses.

Last October, in what is called the “Atraf” hack, Black Shadow, a group with links to Iran, hacked into the servers of CyberServe, an Israeli hosting company, accessing websites and applications of the company’s customers.

Among its customers was the LGBTQ dating app, Atraf. The application’s databases were not encrypted, making it easier for hackers to get their hands on very sensitive personal information. Before asking for the ransom, the group dumped tens of thousands of records from the various sites it had penetrated. The leak included a thousand user profiles in Atraf’s customer database that disclosed information such as names, sexual orientations, unencrypted passwords, locations and HIV status.

The attackers demanded $1 million in exchange for the encryption key and threatened to leak more information.

Ransomware’s parallels with disinformation are striking. While most high-profile ransomware attacks are in the U.S., U.K., and Europe, the vast majority of attacks are in countries facing political instability, like in Latin America and Africa.

Many digital hostage-taking organizations originate from the same hotbeds where disinformation campaigns are generated, like Russia, Ukraine, North Korea, and the Philippines. Ransomware travels the same political divisions as disinformation campaigns, trafficking in the exploitation of economic inequality, fear of immigrants, and racial resentments to undermine public trust in institutions and belief in social stability.

Where disinformation uses noise and incoherence to sow doubt and spread division, ransomware does something similar: it, too, is an agent of chaos. It may look like just a way to make a crypto-buck, but its effects, very often intentional, are much more profound.

The CyberServe hack had little resemblance to a classic ransom attack. Everything was very public. The group used Telegram and RaidForums for their announcements instead of directly establishing communication with the company. Typically, financially motivated actors seek private negotiations, but the Telegram groups run by Black Shadow look like a public campaign — complete with drop countdowns and cheery messages.

“The nature of this wave of attacks is actually to seed fear and sense of terror in the Israeli people by attacking high-profile targets or ones that can generate enough media attention,” said Lotem Finkelsteen from Check Point, a cybersecurity company. This explains the public behavior of the attackers. “They put more focus on echoing the attack, embarrassing the victim and developing expectations in the Twitter/Telegram followers than getting a financial payment.”

Iran and Israel are bitter foes. After the state of Israel came into existence in 1948, Iran was the second Muslim-majority country to recognize Israel as a sovereign state. Iran retracted recognition after its 1979 revolution and regularly threatens Israel with total annihilation. The cyber realm often reflects real-life tensions so, once high tech entered our lives, the two foes quickly picked up cyber weapons. 

The countries’ long-running cyber conflict has taken many turns but until recently, the tit-for-tat hacks have mainly concentrated on military infrastructure. This is changing. Both parties are increasingly targeting civilian infrastructure and private companies. Recent hacks attributed to Israel include attacks on the University of Tehran and on a system that allows millions of Iranians to use government-issued cards to buy fuel at a subsidized price. Iran has gone after Israel’s water. Last April, six facilities were targeted in an attempt to increase the amount of chlorine in the water supply to dangerously high levels. 

According to Boaz Dolev, the CEO of cybersecurity company ClearSky, Black Shadow’s previous attack on the Israeli insurance company, Shirbit, was also confounding. After stealing the company’s data, the attackers wiped the information off the servers instead of encrypting it. “This is not something a ransomware group does,” he said. After demanding $1 million in bitcoin, Black Shadow refused to give the company a four-hour extension past its deadline to provide a payment in full.

An Israeli cyber negotiator, who requested anonymity to maintain a nonpublic professional profile, also doubts Black Shadow’s motivation. “I'm not a cyber analyst, I'm a negotiator. What I can identify from the beginning is whether the motivation of the person is political, which means to cause havoc, uncertainty and to undermine public confidence in the system. With Shirbit it was very clear that it was a politically motivated attack rather than financially motivated one.”

This cyber negotiator recently had come across similar fishy attacks on Israeli companies. At one company, he started negotiating with the hacking group called “Pay2Key.” At first, it looked to him like a typical ransom attack, but then he noticed red flags. For example, the group was a previously unknown actor yet they used unusually aggressive language. 

Nevertheless, the company decided to pay the ransom. Pay2Key did not provide a data decryptor. To get to the top in the ransom industry, reputation matters. Taking the ransom and in return not providing the decryption key so that a company can retrieve its data is very bad for repeat business.

After several encounters with unusual ransomware actors, the cyber negotiator began looking more closely into the threat they posed. Technical analysis of the Pay2Key attack by Dolev’s cybersecurity company, ClearSky, estimated “with medium to high confidence” that Pay2Key is a new operation conducted by an Iranian group called Fox Kitten, an Advanced Persistent Threat, the name for an opaque actor, typically linked to the government, which gains unauthorized access to a computer network and remains undetected. Pay2Key is believed to have begun a wave of attacks against dozens of Israeli companies in July and August 2020.

The attacks are not limited to Israel. The FBI and the U.S. Cybersecurity and Infrastructure Security Agency recently identified a new Advanced Persistent Threat group associated with the Iranian regime involved in “data exfiltration or encryption, ransomware, and extortion” in the U.S. and Australia.

In fact, yet another group linked to Iran has had an unusual modus operandi. In June 2021, a group called Deus claimed that they had obtained 15 terabytes of data from Voicenter, a call center company. The data contained information belonging not only to Voicenter but also 8,000 companies that used their services. The hackers posted samples of the information: security camera and webcam footage, photos, ID cards, WhatsApp messages, emails and phone calls.

They used public channels, raised their ransom demands every 12 hours, and announced that the data was for sale even before the negotiation period was over. In this way, Iranian advanced persistent threat groups play a ransomware poker game: trying to inflict maximum social and political damage without triggering state retaliation.  

Israeli companies are reluctant to acknowledge cyber attacks from Iranian groups precisely because the publicity could generate nervousness and doubt about the hardness of Israel’s defensive shell against its powerful enemy. This lack of transparency, however, also creates vulnerability, say Israeli cyber security experts. “We still do not have enough information to link these groups to the Iranian government, but even if these direct links exist, the ransom tools used in these attacks are quite conventional and small,” said Einat Myron, a cybersecurity expert in Israel. 

“Medium-sized companies can certainly do a better job at protecting against them,” Myron said. “Maybe avoiding playing into foreign actor’s games could be the new motivation for business owners to start taking data protection seriously.”

Can’t take my eyes off you
https://www.codastory.com/surveillance-and-control/surveillance-songs/
Sat, 08 Jan 2022 15:57:15 +0000

From Kraftwerk to Prodigy, musicians have sounded warnings about surveillance. It’s time to start listening to what they have to say

The post Can’t take my eyes off you appeared first on Coda Story.

At Coda Story, we extensively report on surveillance and its implications. Do we sing about it? No, we do not. But others have. 

Over the holidays I put together a playlist of my favorite anti-surveillance songs. Here are the top six.

1. German band Kraftwerk predicted ubiquitous surveillance before face recognition, social media or the Internet of Things. Kraftwerk's "Computerwelt" raised an alarm about data collection in 1981. The lyrics are straightforward:

“Interpol and Deutsche Bank
FBI and Scotland Yard
Flensburg and the BKA
they all have our data” 

https://youtu.be/zWSkwvvfmco

2. In 1985, Glen Chomik and Mark Woodlake released a single called "Don’t let computers grow." The lyrics are prophetic: "We go from Silicon Valley to the Valley of Death." Thirty-seven years later, Silicon Valley monetizes billions from violent content and misinformation. 

Computers controlling the state, stop the machines, before it’s too late.
Standard protection will never do, your PC is watching you.
I know, I know, don’t let computers grow.

https://youtu.be/couJwuuVPWU

3. American hip hop duo Dead Prez in the '90s — never reticent about tackling social issues — tried to shed light on police violence, militarization, and state surveillance through a track called "Police State."

“Red, Black and Green instead of gang bandanas
F.b.i. Spyin' on us through the radio antennas
And them hidden cameras in the streetlight watchin' society
With no respect for the people's right to privacy”

https://youtu.be/8c_UdWo4Zek

4. "Mac 10 Handle" from Prodigy's 2007 album Return of the Mac is another song on the surveillance beat. The “On Star” mentioned in the lyrics is a driver assistance tool developed by General Motors that enabled police to access cars.

“Be careful where you pull that trigger they got you on film
They got eyes in the sky, we under surveillance
That On Star on your car track everywhere you've been
Gotta watch what I say, they tappin' my cell phone
They wanna sneak and peak inside my home
I'm paranoid and it's not the weed”

https://youtu.be/JigP4JiMmAs

5. In 2013, electropop music group Yacht and the stand-up comedian Marc Maron were so concerned about the National Security Agency spying on Americans, they donated 100% of their earnings from "Party at the NSA" downloads to the Internet Frontier Foundation, a nonprofit organization defending civil liberties in the digital world.

We don’t need no privacy.
What do you want that for?
Don’t you think it’ll spoil our fun
If you let that whistle blow?
P-P-P-Party at the NSA,
Twenty, twenty, twenty-four hours a day!

https://youtu.be/Mi4E-IpdxGY

6. Numerous rappers including 2Pac and The Notorious B.I.G. have dedicated bars to phone tapping. Rick Ross, one of my favorite rappers, went off in it in "Holy Ghost." I am looking forward to future hip-hop tracks about current phone tapping superstar, Pegasus spyware.

They wanna do it big? Pick a time tonight
Back to these bitches following my timeline
Back to these crackers following my timeline
Got the phone tapped, I think I'm being followed
Touch him with the Holy Ghost, can you hear me Father?

https://youtu.be/lAqNqFXvQWY
