Strategic insights for leaders from tactical cyber observers.
As the world becomes increasingly dependent on the internet and cyberspace remains a contested environment, leaders must monitor geopolitical and cybersecurity risks more than ever. LookingGlass presents the Cyber Monitor – a weekly rollup of analysis and trending topics in cybersecurity for executives to keep abreast of threats, incidents, and risks to their organization and national security.
TABLE OF CONTENTS
- EDITOR’S HIGHLIGHTS
- NATION STATE ACTIVITY
- CRITICAL INFRASTRUCTURE
→ A former Apple engineer pleaded guilty to stealing proprietary information from the company while preparing to work for a Chinese startup that makes self-driving cars. Zhang Xiaolang, who was arrested in July 2018 on his way to catch a one-way flight to China, admitted to a single count of trade-secret theft at a hearing on Monday, August 22 in a federal court in San Jose, California, according to the court’s electronic docket. US prosecutors accused Zhang of downloading a 25-page Apple document to his wife’s computer that included schematic drawings of a circuit board design for a portion of an autonomous vehicle. Apple hired Zhang in 2015 to work as a hardware engineer in its autonomous car project (the Apple Car), which has yet to generate a commercial product. In April 2018, Zhang announced his intention to resign, saying he wanted to return to China to be near his ailing mother and that he intended to take a job at XPeng. He isn’t the only one accused of stealing Apple’s automotive trade secrets or attempting to transfer sensitive materials to XPeng. In January 2019, federal prosecutors charged Jizhong Chen, another Apple engineer, with stealing proprietary information from the company’s self-driving car project while applying for a job with a Chinese competitor. According to an FBI affidavit, a search of Chen’s hard drive turned up thousands of sensitive documents as well as 100 photos taken inside the company’s self-driving facility. The engineer told Apple that he was going to China to see his ailing father, but he was arrested before boarding his direct flight. Chen has pleaded not guilty, and the case remains open. That same year, Tesla stated a former employee had uploaded source code relating to its Autopilot system to his iCloud account and then took that information to XPeng. Bloomberg The Verge
→ Bitcoin ATMs around the world have been hacked after an unknown threat actor discovered a zero-day vulnerability in the ATM’s web-based admin management panel. The attacks, which appear to have begun at the beginning of the month, targeted Bitcoin ATMs managed by Crypto Application Server (CAS), a cloud-based system developed by General Bytes. According to a security alert issued by the company, the attackers scanned the internet for CAS servers before accessing a left-over URL from the CAS installation process. This URL allowed them to re-register the admin panel’s default admin user with their own credentials, which they later used to change ATM settings so that every time a user sent money to an ATM to be picked up in person, the funds were automatically redirected to the attacker’s wallets. All CAS servers released in the last two years are vulnerable (since CAS version 20201208), according to General Bytes. Patches have been released that should address the vulnerability exploited in the attacks. According to BleepingComputer, 18 General Bytes CAS servers were still accessible online last week, but more are believed to be hidden behind firewalls since the attacks were first reported. The attacks on General Bytes ATMs began three days after the company added a “Help Ukraine” feature to its machines earlier this month. Risky Biz
Analyst Comment: General Bytes detailed the security incident, providing an 11-step process that allows the company’s customers to remediate the issue. This is not the first vulnerability discovered in General Bytes’ ATMs. Last year Kraken Security Labs discovered multiple hardware and software vulnerabilities affecting a commonly used cryptocurrency ATM. While Bitcoin ATMs can offer a convenient way to purchase cryptocurrency, this may come with a risk of being affected by multiple security vulnerabilities that have not been discovered yet.
→ According to the minutes of a closed-door meeting, Russia’s cyberattack in February impacted critical emergency services in France. The July 17 meeting, held by Stéphane Bouillon, Secretary General of Defense and National Security for the French Parliament’s National Assembly, detailed the recent scope of cyberattacks. Bouillon recalled Russia’s attack against VIASAT on February 24, the same day Russian troops invaded Ukraine, sparking a large-scale European war. He stated that the attack affected ambulance, fire, and other emergency services, without providing any additional details on the attack. British, American, European, and other allies also claim that the Kremlin was behind the cyberattacks against European wind farms. While the statement does not specify who the victims were, several Germany-based wind farm operators have been hit since Russia started the war in Ukraine. Wind farm operators Deutsche Windtechnik and Nordex suffered from what is believed to be ransomware attacks. Another wind turbine operator, Enercon, had the company’s remote controls knocked out in relation to the attack on VIASAT’s network. Cybernews
Analyst Comment: While multiple reports initially suggested a relative lack of cyber operations during the early stages of the Russian invasion of Ukraine, LookingGlass observed cyber activity likely associated with Russian threat actors leading up to the war and early in the conflict. A lot of this activity, however, remains unattributed, which indicates threat actor sophistication and an ability to evade detection.
→ Accusations from a former Twitter executive that the social network had lax data protections have sparked concerns among lawmakers and cyber experts that the alleged vulnerabilities pose a threat to national security. Former security chief Peiter Zatko, also known as “Mudge,” filed a whistleblower complaint with US authorities, citing “egregious deficiencies” in the social media company’s ability to repel attackers. The most disturbing claims made by Zatko suggest that the company relied on outdated software and that executives were unaware of the level of access employees had to user accounts. Also, Zatko suggested that Twitter is vulnerable to foreign government espionage and that some employees may be working for government intelligence agencies. “These allegations could have serious national security, privacy and election security implications and must be aggressively investigated,” Representative John Katko, a Republican from New York, said in a statement. In perhaps the most astonishing claim, Zatko claimed that roughly half of the company’s workforce had deep access to Twitter’s controls, allowing insiders to manipulate the site or access user information with little or no oversight. Speaking to the Washington Post and CNN, Zatko expressed concern that such a flaw could have given a Twitter employee sympathizing with the January 6, 2021 insurrectionists the ability to go rogue. According to the complaint, Twitter also knowingly hired Indian government agents who would have had unsupervised access to “vast amounts of Twitter’s sensitive data.” Furthermore, according to Zatko, the company misrepresented on its transparency reports that it was aware of Indian government representatives on its payroll. Zatko also claimed that more than half of the company’s 500k servers were running outdated operating systems that didn’t support basic privacy and security features.
Furthermore, top Democrats and Republicans in Congress are now looking into the whistleblower complaint, bringing new political scrutiny to the social network’s data security practices and counter-foreign-influence defenses. Bloomberg
→ Meta and Twitter have shut down a network of fake accounts that posed as independent media outlets, promoted memes, launched online petitions, and attempted to start hashtag campaigns, according to new findings. The fake accounts were on Twitter, Facebook, Instagram and five other social-media platforms, according to a report published Wednesday, August 24 by the social media analytics company Graphika and Stanford University’s Internet Observatory Cyber Policy Center. The accounts in question used deceptive tactics to promote pro-US stories in the Middle East and Central Asia. What makes this campaign different from similar efforts is that the messaging was pro-American, researchers stated. Previously, such online campaigns have overwhelmingly been linked to authoritarian regimes such as Russia, China and Iran. The activity includes what appears to be a series of covert campaigns, as opposed to one operation, that spanned almost five years. The accounts heavily criticized Russia for the deaths of innocent civilians and other atrocities following its February invasion of Ukraine, according to the report. They also shared articles from US government-funded media outlets like Voice of America and Radio Free Europe, as well as links to US military-sponsored websites. The Central Asian accounts included 12 Twitter accounts, 10 Facebook pages, 15 Facebook profiles, and 10 Instagram accounts, in addition to connected activity on Telegram, YouTube, and Russian social-media platforms. They aimed their messages at Russian-speaking Central Asian audiences, praising US assistance to the region while criticizing Moscow. Despite the magnitude of the effort, the researchers said the vast majority of the posts and tweets they reviewed received no more than a handful of likes or retweets. It was the first foreign-focused pro-US network of its kind, according to Meta. Bloomberg
Analyst Comment: LookingGlass assesses the recent pro-US information campaigns are likely less effective than perceived. The recently identified campaigns resemble the tactics and strategies of previously reported disinformation campaigns by the People’s Republic of China (PRC). Based on LG’s analysis of previous PRC-attributed disinformation campaigns on Facebook and Twitter, the fake accounts used in the 2019 and 2020 operations were poorly developed, lacking followers and profile bios, and batches of accounts were created around the same time with similar bio patterns. Most accounts had fewer than ten followers, and the majority of the followers were actually part of the botnet. Additionally, many accounts switched between several languages for different campaigns. Overall, despite the magnitude of effort in creating botnets and thousands of accounts, the PRC-attributed disinformation campaigns were not effective. Similarly, the posts pushed out by the recent pro-US information campaigns received very few likes and retweets, suggesting a limited influence spread.
NATION STATE ACTIVITY
→ The Russian intelligence-linked APT group Cozy Bear has adopted a variety of newer TTPs targeting Microsoft 365 environments, according to new intelligence published by Mandiant. According to Mandiant’s team, the group has been extremely prolific in recent months, particularly in targeting organizations influencing NATO policy. They stated Cozy Bear’s persistence and aggressiveness were indicative of tasking by the Russian government. According to researcher Douglas Bienstock, one of Cozy Bear’s new TTPs includes disabling elements of its targets’ Microsoft 365 licenses to obscure their targeting. Bienstock’s team also started to observe the group trying to take advantage of the self-enrolment process for multi-factor authentication (MFA) within Azure Active Directory (and other platforms). This technique exploits the fact that Azure AD’s default configuration lacks strict enforcement on new MFA enrolments – meaning that anybody with a valid username and password can access an account to enroll, as long as they are the first person to do so. In other areas, Cozy Bear continues to exhibit “exceptional opsec and evasion tactics,” such as operating from its own Azure virtual machines (VMs) that it has either bought itself or compromised somehow so that its activity now emanates from trusted Microsoft IP addresses and is less likely to raise red flags. The group has also been observed mixing some benign admin actions among its malicious ones to confuse anyone who might be on its trail. Computer Weekly
Analyst Comment: Cozy Bear (also known as APT29 and Nobelium) was previously responsible for multiple high-profile attacks, including the SolarWinds hack in 2020. This activity reinforces their sophistication and strong OPSEC. Cozy Bear has been associated with the Russian Foreign Intelligence Service (SVR). This association with Russian intelligence often leads them to target organizations that may have an influence on NATO policy, amid the ongoing Russian invasion of Ukraine.
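As an added illustration (not code from Mandiant, Microsoft or the original article), the check below runs over a few constructed sign-in and audit records and flags the pattern described above: an account’s first-ever MFA registration arriving from an address the account has never used, minutes after a password-only sign-in. The record layout and the “User registered security info” activity name are simplifications assumed here, not the real Azure AD log schema.

```python
"""Spot first-time MFA enrolments that look like an outsider beating the
legitimate user to the self-enrolment step.

All records below are constructed; field names are assumptions and not
the actual Azure AD sign-in / audit log schema.
"""
from datetime import datetime, timedelta

# Constructed sign-in records. "auth" records whether MFA was satisfied;
# an account with no registered method can only ever show "password".
SIGN_INS = [
    {"user": "alice@example.org", "ip": "203.0.113.10", "time": "2022-08-01T09:00:00", "auth": "password+mfa"},
    {"user": "bob@example.org",   "ip": "198.51.100.7", "time": "2022-07-20T08:30:00", "auth": "password"},
    {"user": "bob@example.org",   "ip": "192.0.2.44",   "time": "2022-08-15T03:12:00", "auth": "password"},
    {"user": "carol@example.org", "ip": "203.0.113.22", "time": "2022-08-08T10:00:00", "auth": "password"},
    {"user": "carol@example.org", "ip": "203.0.113.22", "time": "2022-08-15T10:00:00", "auth": "password"},
    {"user": "dave@example.org",  "ip": "203.0.113.30", "time": "2022-08-15T11:00:00", "auth": "password"},
]

# Constructed audit records for security-info (MFA method) registration.
AUDITS = [
    {"user": "alice@example.org", "ip": "203.0.113.10", "time": "2022-06-01T09:05:00", "activity": "User registered security info"},
    {"user": "bob@example.org",   "ip": "192.0.2.44",   "time": "2022-08-15T03:15:00", "activity": "User registered security info"},
    {"user": "carol@example.org", "ip": "203.0.113.22", "time": "2022-08-15T10:06:00", "activity": "User registered security info"},
]

REGISTER = "User registered security info"


def _ts(s):
    return datetime.fromisoformat(s)


def suspicious_first_enrolments(sign_ins, audits, window=timedelta(minutes=30)):
    """Return (user, ip, time) for each account whose FIRST security-info
    registration (a) comes from an IP absent from that account's earlier
    sign-in history and (b) follows a password-only sign-in from that same
    IP within `window`. Later registrations are ignored: only the first one
    is the self-enrolment the attacker would race for."""
    findings = []
    first_seen = set()
    for reg in sorted((a for a in audits if a["activity"] == REGISTER), key=lambda a: a["time"]):
        user = reg["user"]
        if user in first_seen:
            continue
        first_seen.add(user)
        t_reg = _ts(reg["time"])
        prior = [s for s in sign_ins if s["user"] == user and _ts(s["time"]) < t_reg]
        # Addresses the account used before the enrolment window opened.
        known_ips = {s["ip"] for s in prior if _ts(s["time"]) < t_reg - window}
        # Password-only sign-ins from the enrolling IP just before the registration.
        recent_pw = [
            s for s in prior
            if s["auth"] == "password" and s["ip"] == reg["ip"] and t_reg - _ts(s["time"]) <= window
        ]
        if reg["ip"] not in known_ips and recent_pw:
            findings.append((user, reg["ip"], reg["time"]))
    return findings


def unenrolled_accounts(sign_ins, audits):
    """Accounts that have signed in with a password but never registered a
    method: these are still open to whoever enrols first."""
    registered = {a["user"] for a in audits if a["activity"] == REGISTER}
    active = {s["user"] for s in sign_ins if s["auth"] == "password"}
    return sorted(active - registered)


if __name__ == "__main__":
    for user, ip, when in suspicious_first_enrolments(SIGN_INS, AUDITS):
        print(f"REVIEW: first MFA registration for {user} from unfamiliar {ip} at {when}")
    for user in unenrolled_accounts(SIGN_INS, AUDITS):
        print(f"EXPOSED: {user} has no registered MFA method yet")
```

Bob is flagged (enrolment from an address never seen in his history, right after a password-only sign-in) while Carol, enrolling from an address she had used a week earlier, is not; Dave shows up as still unenrolled. A detection like this complements, rather than replaces, Microsoft’s documented control of a Conditional Access policy scoped to the “Register security information” user action.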
→ The use of wiper malware is increasingly expanding beyond the Ukraine conflict, according to research by Fortinet, with new variants emerging at an unprecedented rate. According to Fortinet security researcher Gergely Révay, wiper malware is increasingly reaching targets outside of Ukraine. While versions of wiper malware have previously been seen in Ukraine, Japan, and Israel, it only recently became a global phenomenon. Révay said Fortinet detected wiper malware in 24 countries in the first half of the year. The group found at least seven major new wiper variants in the first six months of 2022 that were used in various campaigns against government, military, and private organizations. That amount nearly equals the total number of variants that were publicly detected between 2012 and 2021. The Record
Analyst Comment: In recent years, data has become the world’s most valuable resource, and threat actors, ranging from financially motivated attackers to nation states, have been increasingly targeting it. From ransomware groups that not only encrypt files, but also try to steal as much data as possible, to nation state actors, which have used both data exfiltration and data destruction techniques, including wiper malware, attackers benefit from targeting data. Any loss of data can have a serious negative effect on operations for both government and commercial organizations, making the recent uptick in wiper malware a concerning trend.
→ A suspected Iranian threat activity cluster has been linked to attacks aimed at Israeli shipping, government, energy, and healthcare organizations as part of an espionage-focused campaign that commenced in late 2020. Cybersecurity firm Mandiant is tracking the group under its uncategorized moniker UNC3890, which is believed to conduct operations that align with Iranian interests. Mandiant’s Israel Research Team noted the data collected may be used to support activities such as hack-and-leak, or even kinetic warfare attacks like those observed on the shipping industry in recent years. Intrusions mounted by the group lead to the deployment of two proprietary pieces of malware: a “small but efficient” backdoor named SUGARUSH and a browser credential stealer called SUGARDUMP that exfiltrates password information to an email address associated with Gmail, ProtonMail, Yahoo, and Yandex. Also employed is a network of command-and-control (C2) servers that host fake login pages impersonating legitimate platforms such as Office 365, LinkedIn, and Facebook that are designed to communicate with the targets as well as a watering hole that’s believed to have singled out the shipping sector. The watering hole, as of November 2021, was hosted on a login page of a legitimate Israeli shipping company, Mandiant pointed out, adding the malware transmitted preliminary data about the logged-in user to an attacker-controlled domain. The Hacker News
→ In December 2021, Google’s Threat Analysis Group (TAG) discovered a novel Charming Kitten tool, named HYPERSCRAPE, used to steal user data from Gmail, Yahoo!, and Microsoft Outlook accounts. HYPERSCRAPE is not notable for its technical sophistication, but for its effectiveness in accomplishing Charming Kitten’s objectives. The Iranian government-backed group runs HYPERSCRAPE on their own machines to download victims’ inboxes using previously acquired credentials. TAG found that it was deployed against fewer than two dozen accounts located in Iran. The oldest known sample is from 2020, and the tool is still under active development. HYPERSCRAPE requires the victim’s account credentials to run using a valid, authenticated user session the attacker has hijacked, or credentials the attacker has already acquired. It spoofs the user agent to look like an outdated browser, which enables the basic HTML view in Gmail. Once logged in, the tool changes the account’s language settings to English and iterates through the contents of the mailbox, individually downloading messages as .eml files and marking them unread. After the program has finished downloading the inbox, it reverts the language to its original settings and deletes any security emails from Google. Google TAG
→ Several Russian “hacktivist” organizations have announced coordinated DDoS attacks on Moldovan targets. A visit by a Moldovan government official to Bucha, the site of one of Russia’s genocides in Ukraine, appears to have sparked the campaign. Risky Biz
Analyst Comment: Anatol Șalaru, a former Minister of Transport and Roads Infrastructure of Moldova, recently visited Bucha, the town immediately outside of Kyiv, Ukraine where some of the highest-profile events of the war took place in March 2022. LookingGlass observed some Telegram channels associated with pro-Russia hacktivist groups posting offensive content about Anatol Șalaru. He is not the first official who has visited Bucha since Russia withdrew its troops from the town. Previously, the President of Moldova Maia Sandu, as well as the Speaker of the Moldovan Parliament Igor Grosu, also visited the town. While the recent attacks may have been triggered in part by Anatol Șalaru’s recent visit to Bucha, other factors, including Moldova’s support of Ukraine and the fact that Moldova has a frozen conflict zone of its own (Transnistria – a pro-Russian breakaway region), may have been the real inspiration for the attacks.
→ Meanwhile, Ukraine’s IT Army is conducting its own operations, which appear to be targeting Russian money transfer services this week. In addition, the “2402 team,” a newly formed pro-Ukraine hacktivist group, has allegedly leaked 550GB of Russian banking data. Risky Biz
Analyst Comment: This is not the first campaign in which pro-Ukrainian hacktivists have targeted money transfer services. According to LookingGlass observations, money transfer services in Russia have been common targets of pro-Ukrainian hacktivists, along with delivery services, government organizations, and TV and radio stations.
→ The BlackByte ransomware group, which has connections to Conti, has resurfaced with a new social media presence on Twitter and new extortion methods borrowed from the LockBit 3.0 gang. According to reports, the ransomware group is using various Twitter handles to promote the updated extortion strategy, leak site, and data auctions. The new scheme lets victims pay to extend the publishing of their stolen data by 24 hours ($5k), download the data ($200k), or destroy all the data ($300k). It’s a strategy the LockBit 3.0 group already pioneered. According to Nicole Hoffman, senior cyber-threat intelligence analyst at Digital Shadows, it is possible that BlackByte is trying to gain a competitive advantage or trying to gain media attention to recruit and grow its operations. She says although the original extortion model is not broken, this new model may enable threat actors to introduce multiple revenue streams. It allows smaller payments to be collected from victims who are almost certain they won’t pay the ransom but want to hedge for a day or two as they investigate the extent of the breach. Dark Reading
Analyst Comment: BlackByte’s data leak site had been inactive for about a month until the new data leak site surfaced. This new site does not contain any of the ransomware group’s previously listed victims. LockBit has been the most prolific ransomware group throughout 2022 – even before Conti’s shutdown – and their advanced tactics are setting a bar for other groups.
On August 23, 2022 an operator for LockBit posted on a dark web forum thread that they are planning to start triple extortion attacks by adding DDoS attacks to their arsenal. Currently triple extortion attacks include targeting not only the company, but the individuals who would be impacted by the data being released such as employees, patients, users, etc. This shift in tactics to add DDoS attacks after the encryption and data leak stages is new to ransomware operations and one that will likely be adopted by other groups due to LockBit’s success.
→ Thieves stole over $100M worth of non-fungible tokens this year by July, according to blockchain research firm Elliptic. The NFT market surged in 2021 as crypto-rich speculators spent billions of dollars on the assets, hoping to profit as prices rose. But since cryptocurrency prices crashed in May and June this year, NFT prices and sales volumes have plunged. Scams remain prevalent in the NFT market even as it declines, with July seeing the highest number of NFTs reported stolen on record, according to Elliptic’s report. Security compromises via social media have surged, accounting for 23% of NFT thefts in 2022, it said. Also, thieves received on average $300k per scam, although the true scale of NFT thefts is likely to be even higher, given that not all crimes are publicly reported. Hacks and scams have long plagued the crypto industry, while regulators around the world are increasingly concerned about the use of crypto assets in cyber crime. Reuters
→ The US Department of Energy (DOE) has announced a plan for $45M in funding to create, accelerate, and test technology that will protect the electric grid from cyberattacks. The funding, announced on August 17, will support up to 15 research, development, and demonstration (RD&D) projects that will focus on developing new cybersecurity tools and technologies designed to reduce cyber risks for energy delivery infrastructure. Building strong and secure energy infrastructure across the country is a key component of reaching President Biden’s goal of a net-zero carbon economy by 2050. There are six proposed topic areas for the projects, which include:
- Automated Cyber Attack Prevention and Mitigation: Enabling energy systems to autonomously recognize and prevent cyber attacks from disrupting energy.
- Security and Resiliency by Design: Building cybersecurity and resilience features into technologies through a cybersecurity-by-design approach.
- Authentication Mechanisms for Energy Delivery Systems: Strengthening energy sector authentication.
- Automated Methods to Discover and Mitigate Vulnerabilities: Addressing vulnerabilities in energy delivery control system applications.
- Cybersecurity through Advanced Software Solutions: Developing software tools and technologies that can be tested in a holistic testing environment that includes a development feedback cycle.
- Integration of New Concepts and Technologies with Existing Infrastructure: Requiring applicants to partner with energy asset owners and operators to validate and demonstrate cutting-edge cybersecurity technology that can be retrofitted into existing infrastructure. HS Today
→ Greece’s national natural gas operator, DESFA, confirmed this weekend that it had been the victim of a cyberattack but stated that it will not negotiate with those responsible. The DESFA manages, exploits, develops, and operates Greece’s natural gas system. On August 19, the Ragnar Locker ransomware group added the organization to its leak site, saying no one had responded to its demands. The attack’s root cause is being investigated, and the organization has hired technical experts to assist with response and recovery. After the attack was discovered, DESFA deactivated most of its IT services and is gradually reactivating them. On Monday, the company did not respond to requests for comment. The attack has been reported to Greek law enforcement agencies, as well as the Ministry of Digital Governance and the Hellenic Data Protection Authority. The Record
Analyst Comment: LookingGlass analysts have been continuously monitoring activity of prominent ransomware groups, including Ragnar Locker. The gang has been active since at least 2019 and became well-known after compromising high-profile organizations such as Capcom and Campari. More recently the group shifted its focus to targeting critical infrastructure sectors. Some of this activity was detailed in an FBI Flash alert that was released in March 2022.
→ The number of significant hacking attempts against Norges Bank Investment Management, Norway’s $1.2T oil fund, has more than doubled in the last two to three years, according to CEO Nicolai Tangen. The fund, which reported its largest half-year dollar loss last week after inflation and recession fears shook markets, suffers approximately 100k cyberattacks per year, more than 1k of which are classified as serious, according to its top executives. Top executives at the fund are even concerned that coordinated cyberattacks are becoming a systemic financial risk as markets become more digitized. Cyberattacks on the financial industry have increased dramatically in recent months. Malware attacks increased 11% globally in the first half of 2022, but more than doubled at banks and financial institutions, according to cybersecurity firm SonicWall. Ransomware attacks decreased by 23% globally, but increased by 244% against financial targets during the same time period. Perpetrators can range from private criminal groups to state-backed hackers. Russia, China, Iran and North Korea are the most active state backers of cyber aggression, according to Bill Conner, executive chairman at SonicWall. Financial Times
→ Following a spike in cyberattacks, lawmakers are urging the Biden administration to strengthen the federal government’s cyber defenses in the healthcare sector, which industry leaders see as a way to help protect a critical sector that stores sensitive information. Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis) urged the Department of Health and Human Services (HHS) in a letter to better protect the health care and public health sectors from the growing number of cyber threats. “With cyber threats growing exponentially, we must prioritize addressing the [healthcare and public health] sector’s cybersecurity gaps,” wrote King and Gallagher, who both co-chair the Cyberspace Solarium Commission. The lawmakers additionally requested an urgent meeting with health officials in the Biden administration for an update on their current cyber posture. King and Gallagher added that they are also concerned about HHS’s lack of timely information sharing about ongoing threats with industry partners. John Riggi, the national adviser for cybersecurity and risk at the American Hospital Association explained that cybercriminals target the healthcare sector because they understand that the priority for healthcare workers is to deliver care and save lives, which increases the likelihood that hospitals will pay ransoms to resume operations. According to a recent report from Kroll, an investigation and risk consulting firm, the number of attacks on healthcare organizations increased by 90% in Q2 of this year compared to Q1. Ransomware is the most common type of cyberattack used against the health care sector, followed closely by email compromise, according to the report. Riggi stated that his organization and the federal government strongly discourage hospitals from paying ransoms because doing so encourages criminals to continue attacking the healthcare sector and makes such attacks profitable for them. The Hill
→ House Democrats have asked social media platforms to provide information to federal law enforcement officials about threats and how they combat violent posts, according to letters sent to eight companies. House Oversight and Reform Committee Chair Carolyn Maloney (D-NY) and Rep. Stephen Lynch (D-Mass) demanded Meta, Twitter, TikTok, Truth Social, Rumble, Gettr, Telegram and Gab respond with details about their policies and data on the threats. The request comes after researchers discovered an increase in violent posts targeting FBI agents following the search at former President Trump’s Mar-a-Lago estate. The Democrats cited incendiary posts from Republican colleagues accusing the Justice Department of being “weaponized” against Trump and called to “defund” the FBI. They also claimed that violent posts from users advocating civil war and violence against federal law enforcement had “already resulted in” attacks, citing an attempted breach at an FBI field office in Cincinnati. The Hill
→ TikTok detailed its plan to combat election misinformation on its platform, building on lessons it learned from the 2020 election cycle. The company is ramping up efforts to educate the creator community about its rules related to election content, as well. On the policy side, TikTok says it will monitor for content that violates its guidelines, including misinformation about how to vote, harassment of election workers, harmful deep fakes of candidates, and incitement to violence. Depending on the violation, TikTok may remove the content or the user’s account, or ban the device. In addition, TikTok may choose to redirect search terms or hashtags to its community guidelines, as it did during the prior election cycle for the hashtags associated with terms like “stop the steal” or “sharpiegate,” among others. The company says it will use a combination of automated technology and Trust and Safety team people to help drive moderation decisions. TikTok acknowledges that the former can only go so far. While technology can be trained to identify keywords associated with conspiracy theories, only a human would be able to understand if a video is promoting conspiracy theory or working to debunk it. (The latter is permitted by TikTok guidelines.) Because TikTok is a wholly video-focused app that lacks the searchable text of a Facebook or Twitter post, tracing how misinformation travels on the app is challenging. And like the secretive algorithms that propel hit content on other social networks, TikTok’s ranking system is hidden, obscuring the forces that propel some videos to viral heights while others fail. TechCrunch
→ The governments of Poland and Ukraine signed a memorandum of understanding on cybersecurity defense cooperation on Monday, August 22. According to the new treaty, Poland and Ukraine will share best practices for countering cyberattacks, attend cybersecurity conferences, conduct joint training, share information about cyberattacks, and combat online disinformation. Risky Biz
→ On August 19, Russia’s state communications regulator announced retaliatory sanctions against five foreign IT companies for violating online content laws, which could force search engines to include a disclaimer about the violations. The regulator, Roskomnadzor, stated that it was imposing sanctions against TikTok, Telegram, Zoom, Discord, and Pinterest. Roskomnadzor stated in a statement that the measures were implemented in response to the companies’ failure to remove content that it had flagged as illegal, and that they would remain in place until they complied. Roskomnadzor did not specify what steps would be taken. For some other websites, Russia’s dominant Yandex search engine already displays a disclaimer that reads: “Roskomnadzor: website violates Russian law.” Reuters
→ A US privacy class action has been filed against Oracle’s “surveillance machine.” The suit, filed as a 66-page complaint in the Northern District of California, claims that the tech giant’s “worldwide surveillance machine” has amassed detailed dossiers on approximately 5B people, accusing the company and its adtech and advertising subsidiaries of violating their privacy. The key point here is that there is no comprehensive federal privacy law in the US — so the litigation faces a hostile environment to make a privacy case — hence the complaint references multiple federal, constitutional, tort, and state laws, alleging violations of the Federal Electronic Communications Privacy Act, the California Constitution, the California Invasion of Privacy Act, as well as competition law and common law, according to an analyst. The substance of the complaint, however, is based on allegations that Oracle collects vast quantities of data from unwitting Internet users, i.e. without their consent, and uses this surveillance intelligence to profile individuals, enriching profiles via its data marketplace and threatening people’s privacy on a massive scale — including, according to the allegations, by using proxies for sensitive data to circumvent privacy controls. TechCrunch