Strategic insights for leaders from tactical cyber observers.

As the world becomes increasingly dependent on the internet and cyberspace remains a contested environment, leaders must monitor geopolitical and cybersecurity risks more than ever. LookingGlass presents the Cyber Monitor – a weekly rollup of analysis and trending topics in cybersecurity for executives to keep abreast of threats, incidents, and risks to their organization and national security.

TABLE OF CONTENTS

EDITOR’S HIGHLIGHTS

In a break from precedent, Russia’s financially motivated Trickbot threat group has been systematically attacking targets in Ukraine, apparently in support of Russian government interests in the region. IBM researchers uncovered two campaigns – and analyzed four others that Ukraine’s Computer Emergency Response Team (CERT-UA) disclosed – where Trickbot went after targets in Ukraine. The campaigns began after Russia’s invasion in February and have targeted Ukrainian state authorities, government organizations, specific individuals, and the general population. Several of the attacks have involved phishing emails with various themes designed to grab the attention of Ukrainian users. The attacks highlight an unprecedented shift for Trickbot, a threat group that has not been known to target Ukraine before the Russian invasion. IBM said it had observed Trickbot distributing several known malware tools such as IcedID, Cobalt Strike, AnchorMail, and Meterpreter in its attacks on Ukrainian targets. Some of the attacks involved the use of new tools such as a malicious Excel downloader, a self-extracting archive for dropping various malware payloads, and a new malware encryption and obfuscation tool. Trickbot is a highly successful threat group that has been around since 2016. The group initially used its malware to steal credentials to banking accounts. But over the years, the group evolved into a sort of initial access broker and a distributor for several ransomware and malware tools, most notably Conti, Ryuk, and Emotet. Trickbot is used variously for stealing data, enabling crypto mining, enumerating systems, and other malicious activities. Dark Reading

Analyst Comment: The Trickbot malware operation has been controlled by the Conti gang since at least February 2022. Shortly after the beginning of Russia’s full-scale invasion of Ukraine, Conti pledged allegiance to Russia in their blog. This activity by the Trickbot threat group is not surprising. Chat logs exposed by ContiLeaks Twitter handle suggest that Conti group coordinated some activity with the Russian government. Although there is no evidence that recent Trickbot activity was coordinated with the Russian government, a recent shift of the group’s TTPs and targeting is worth monitoring.

A campaign linked to China started targeting Russia-linked organizations in June with malware designed to collect intelligence on government activities. According to endpoint security firm SentinelOne, the attacks use purported government advisories sent as Rich Text Files (RTFs) to convince victims to open the documents, thus allowing a remote code execution (RCE) exploit in Microsoft Office to be run. SentinelOne stated in an analysis that the contents of the documents appear as security warnings written in Russian, claiming to warn agencies and infrastructure providers of potential attacks and advise them of compliance requirements under Russian law. The recent campaigns have used two pieces of malware linked to Chinese APTs: a toolkit used to build malicious documents known as Royal Road and a custom remote access Trojan (RAT) known as Bisonal used by Chinese actors. While China and Russia have targeted each other in the past, the pace of attacks – especially by the purported threat actor, Tonto Team – has grown following the Russian invasion of Ukraine, according to Tom Hegel, senior threat researcher at SentinelOne. China, which has profited significantly from economic relations with Western nations, has mainly pursued non-military approaches to international relations and used cyber operations for acquiring intellectual property and conducting espionage. According to Hegel, treating Russia as any other adversary is consistent with this trend. Dark Reading

Analyst Comment: According to LookingGlass research, multiple China-linked threat actors, Tonto Team, TA428, Goblin Panda, Rancor and Tick, have used the Royal Road Rich Text Format (RTF) to exploit CVE2017-11882 and CVE-2018-0802 as part of phishing activity since 2017. Later in 2018, these groups were observed using CVE-2018-0798 instead to exploit the Microsoft Equation Editor (EE) vulnerability. CVE-2017-11882 and CVE-2018-0802 are frequently discussed on underground forums. Various actors with different countries of origin have been selling the weaponizers and tutorials of CVE-2017-11882. Notably, APT34, a suspected Iranian group, allegedly used the CVE-2017-11882 exploit to target a Middle East organization. On the other hand, CVE-2018-0798 is not widely reported or discussed. LookingGlass assesses that these China-linked groups may be sharing the exploit warehouse for their campaigns and could sell the exploits after they are exposed. The recent attacks highlight how China continues to use remote cyber operations to acquire intellectual property and conduct espionage, which is in line with their usual approaches.

Back to the top

NATION STATE ACTIVITY

The Axie Infinity Ronin Bridge hack in March was executed by the North Korean group Lazarus using a fake job offer. The hack cost approximately $540M and caused many players to leave the world’s most popular NFT-based online game; it is also considered the Ethereum ecosystem’s biggest loss this year. Reportedly, a senior engineer at Axie Infinity was tricked into applying for a job that did not exist. People allegedly posed as representatives of a fake company and approached staff at Axie Infinity in the early part of 2022, enticing them to apply for jobs. The “approaches” were apparently made via LinkedIn, according to a report. Following a series of interviews, a senior engineer at developer Sky Mavis received an offer with a large compensation package. The offer was sent via a pdf document, which the recipient downloaded, enabling the hackers’ spyware to get into the Axie Infinity system. With the spyware in place, malicious actors, which the US government later identified as Lazarus, took over four of nine validators of the Ronin network, leaving them one validator short of full control. A blog released by Sky Mavis following the hack confirmed that the compromised employee no longer works with them. International Business Times

Analyst Comment: LinkedIn is a powerful networking tool. However, it is also a platform that is commonly used by threat actors who target information technology professionals and security researchers. To mitigate the risk, LinkedIn users should maintain awareness of potential threats, including suspicious profiles and phishing lures.

HACKTIVISM

Russian hacktivists are causing havoc far beyond Ukraine, with the pro-Russian group Killnet declaring “war” on ten countries that are supporting Ukraine. While security experts have repeatedly warned that Russian attacks could target Western countries, the efforts of volunteer hacktivist groups can have an impact even if they are not officially backed or carried out by the state. There may be some connections among Russian hacker groups themselves. They have cross-posted about the work of other groups on their Telegram channels on multiple occasions, according to an analyst. These groups are advancing Russian interests abroad, whether in Ukraine or elsewhere, but they are also heavily promoted in Russian media as displays of patriotic volunteers who embody support for Russian government decisions, the analyst added. Moreover, outside of Ukraine, hacktivist groups such as Anonymous have launched cyberattacks against Russia. Analysts have consistently stated that Russia would retaliate against countries that support Ukraine with “deniable tools” and groups. DDoS attacks, while not sophisticated, contribute to this effort. And, as attacks by hacktivist groups become more sophisticated, there is a greater possibility that they will cause more damage or escalate the conflict. WIRED

Analyst Comment: From the early stages of the war in Ukraine, LookingGlass observed that most of KillNet’s victims are located outside of Ukraine. Another pro-Russian hacktivist collective XakNet appears to focus on victim targets located in Ukraine. Both groups mostly conduct DDoS attacks, defacement, and exfiltration operations. While DDoS is not a particularly sophisticated tactic, the effects are noticeable and can have a psychological effect on the general population.

CYBERCRIME

According to Flashpoint, as Russians leave home in droves, a threat actor called “Royal Bank” is offering alleged immigration services to the US or Canada for $5k. The service – also called “Royal Bank” – is offered on the Russian-language forum XSS. Rapidly worsening economic and political outlooks in Russia have prompted an exodus of dissidents and younger professionals. Estimates differ on how many IT specialists have left Russia following the February 2022 invasion of Ukraine, but experts agree that the number is in the tens of thousands. In 2019, Flashpoint reported on a darknet seller who was offering “refugee status” in several member states of the EU within 10-15 days. The vendor then claimed to be able to rely on “people in the government” with whom they had built relationships. The service advertised on XSS could use similar connections, although the vendor has revealed little about their methods and did not mention law enforcement or government contacts. Instead, it appears that they provide falsified Russian documents to support asylum claims, likely based on leaked official documents. In possibly related activity, Flashpoint intelligence analysts are aware of a Russian-language Telegram group where members shared advice on entering the US via Mexico. The advice included information about “helpers” near the border. Flashpoint

Analyst Comment: Immigration-related fraud operations in Russia have been conducted for decades. The “services” provided can range from providing documentation required for visa applications to attorney support. In 2021 Russian-speaking attorneys based in Brooklyn, New York were charged with coaching their clients to lie during immigration proceedings. As for the documentation, it is often purchased directly from underpaid Russian government clerks looking to make extra money. While “Royal Bank” does not mention having law enforcement or government contacts, LookingGlass has observed that they offer so-called “probiv” (look-up) services. “Probiv” services allow anyone to purchase any information (including government, phone, travel, geolocation, and financial records) about nearly any Russian resident. This data is usually provided to threat actors by employees of organizations belonging to telecommunications, financial services, and government sectors. The fact that “Royal Bank” offers “probiv” services suggests that they likely have some government contacts, which may also allow them to sell documentation required for visa applications.

Two ransomware gangs and a data extortion group have adopted a search function on their leak sites to make it easier to find victims and specific details – the strategy is meant to force victim companies to pay the threat actors to not leak stolen data. Last week, the ALPHV/BlackCat ransomware operation announced that they created a searchable database with leaks from non-paying victims. The hackers stated the repositories have been indexed and the search works when looking for information by filename or by content available in documents and images. BlackCat operators claim they do this to make it easier for other cybercriminals to find passwords or confidential information about companies. The gang already tried this strategy in mid-June, when they created a searchable site with data allegedly stolen in an attack at a hotel and spa in Oregon. The site allowed guests at the spa locations and employees to check if their personal information had been stolen during the ransomware attack. This is a step forward in the extortion business as it puts pressure on the victim to pay the ransom and have the data removed from the web. Separately, towards the end of last week, BleepingComputer noticed that LockBit offered a redesigned version of their data leak site that allowed searching for listed victim companies. Moreover, the Karakurt data extortion gang has implemented a search function on its leak site, yet BleepingComputer’s attempts to use the option showed that it did not work properly. Bleeping Computer

Analyst Comment: On Alphv’s data leak site, the new Collections tab allows overall searches across all victim datasets. The search feature will work with search strings such as quotation marks and asteriks to act as a wildcard. Individual collections can also be accessed to search specifically within just that one company’s data. Opening a specific collection set appears to redirect to its own unique TOR URL. These individual URLs have a “Search,” “Explore,” and “Meta” tab within them. The homepage states how many files and resources there are contained within that dataset. The Explore tab allows a user to browse through the victim data to see what is available if they do not have a specific search term. The Meta tab provides basic data for the collection with its size such as [.]lock and [.]txt files.

On Lockbit’s data leak site, there are 23 searchable victim datasets. The actor LockBitSupp posted links to the 9 mirrors for the main blog and 24 mirrors for the packaged victim data on the XSS forum on July 1, 2022. LockBitSupp states that all the old companies and a full amount of downloaded information can be found there. This suggests that the group is still working on adding more victim packaged datasets to their leak site.

French telecoms operator La Poste Mobile has alerted customers that their data may have been compromised in a July 4 ransomware attack that targeted the company’s administrative and management systems. The attack, attributed to the LockBit ransomware group, took the company’s systems offline as it attempted to minimize damage. The company’s website was still offline as of seven days later – visitors are greeted by a statement in French telling customers to be wary of targeted cyber-attacks. While La Poste Mobile’s mobile services continue to operate, it has asked customers to be on the lookout for phishing attempts or suspicious activity related to personal information the attackers may have accessed. The threat actor, LockBit group, was first identified in 2019 and has become one of the most prolific groups to offer ransomware-as-a-service. It sells its software to third-party criminals who deploy it in return for a share of the profits. In a recent report, cybersecurity company NCC Group said that LockBit was responsible for around 40% of ransomware attacks it saw in May 2022. Infosecurity

Analyst Comment: LockBit’s data leak site has published the first part of the La Poste Mobile data. The group announced that the second part of the data will be published on July 16, 2022 on their leak site.

After Conti disbanded, LockBit quickly became the most active ransomware group with the highest number of victims posted to their leak site week after week. LockBit continues to evolve by creating version 3.0 and adding new features to their data leak site. Some of these features have been highlighted in previous Cyber Monitors such as a bug bounty program and data auctions, as well as general enhancements to the ransomware functionality. As we previously reported above, the group is also now offering a searchable function of packaged victim data. It is highly likely that LockBit will remain one of the most prolific ransomware groups throughout this year.

Back to the top

CRITICAL INFRASTRUCTURE

ENERGY

According to the Government Accountability Office (GAO), developing a cybersecurity risk management strategy would improve the Department of Energy’s (DOE) efforts to manage risks and protect the nation’s electric grid. GAO outlined 26 priority recommendations for DOE that fall into eight focus areas – including improving cybersecurity. The first open recommendation directs the Energy Secretary to consult with the Department of Homeland Security (DHS), the National Institute of Standards and Technology, and other sectors to develop methods for determining the level and type of cyber framework adoption by entities across their respective areas. The second open recommendation instructs the Secretary of Energy to develop a cybersecurity risk management strategy that includes the elements identified in GAO’s original report on the issue delivered in 2019. The last cyber-related recommendation directs the Energy Secretary to coordinate with DHS and other relevant stakeholders to develop a plan aimed at implementing the Federal cybersecurity strategy for the electric grid and ensure that the plan addresses key characteristics of a national strategy – including a full assessment of cybersecurity risks to the grid. MeriTalk

WATER

Hackers gained access to a wastewater facility after a local government failed to upgrade its system, prompting cybersecurity experts to warn that many of Israel’s critical infrastructure systems may be compromised due to a lack of security measures. The hackers uploaded a photo of the sewage pump control system’s graphic interface. An examination revealed that the interface was completely undefended, with no password required, and that the website did not use the HTTPS. This interface, according to the municipality, is only used to monitor the sewage system and does not permit actions that would harm the system. However, cyber experts confirmed that hackers could theoretically use this interface to take remote actions that could cause critical damage to the system. “The remote control units can carry out autonomic operations such as closing and opening the pumps and valves, according to specific parameters that the system monitors at this time, for example, the height of water in a tank,” an expert said. The risk comes against the backdrop of Iran and Israel’s growing cyberwar, in which the Iranians attempted and succeeded in hacking water plants in Israel over the last two years, according to Israel’s National Cyber Directorate. Haaretz

Analyst Comment: Local governments in the USA also face a serious risk of cyberattacks. Some of the challenges that local governments face include a lack of funding, a lack of cybersecurity talent, and an increased attack surface due to the number of IoT devices utilized by government organizations. These challenges can be addressed by an increase of funding, and development and enforcement of clearly defined security policies.

FINANCE

The financial sector continues to be vulnerable to sophisticated cyberattacks, with ransomware being the most significant and frequently used attack vector. In a February study, VMware surveyed 130 CISOs and security leaders about the evolving cybersecurity risks facing financial institutions. The study showed that 74% of respondents had been victims of one or more ransomware attacks, with 63% of those victims ultimately having to pay the ransom. The Conti ransomware group was also discovered to be the most prevalent in these attack campaigns, according to the study. In addition, phishing scams continue to be a major concern as an attack vector for compromising financial institutions. According to IBM’s 2020 X-Force Threat Intelligence Index Report, phishing scams accounted for 46% of attacks against the financial sector in 2021. One way the financial sector can strengthen its defenses is by ensuring that they can see the data before protecting it and all access points to it, according to an analyst. This entails protecting the organization’s websites, mobile apps, and APIs from automated attacks while not interfering with business-critical traffic, according to cybersecurity firm Imperva. Greater coordination amongst global regulators will also help strengthen the industry’s resilience against large systemic cyberattacks, according to Fitch Ratings. The emphasis on systemic risk is intended to improve industry readiness and cyber resilience, to reduce single points of failure, and, eventually, to decrease the detrimental impacts of cyberattacks. Growing geopolitical tensions are also pushing regulators, since a global cyberattack on the financial sector may have far-reaching consequences, the firm added. International Banker

According to recent research, the following are the top five cyber risks to financial critical infrastructure:

  1. Ransomware: The time it takes to recover an organization’s data is determined by the extent of the damage, the effectiveness of the disaster recovery plan, and the time it takes to respond to an attack. The average ransomware payment will be $570k in 2021, up 82% from the previous year, according to Palo Alto Networks’ Unit 42.
  2. Supply chain attacks: A supply chain attack enables cybercriminals to circumvent security controls by establishing access to sensitive resources via a third-party target provider. Furthermore, because third-party vendors store sensitive data about all of their customers, a single hack can impact hundreds of financial institutions.
  3. Phishing attacks: Cybercriminals are constantly honing their phishing attack skills and inventing new types of phishing scams. As phishing emails become more difficult to detect, they continue to be one of the most effective cybercriminal attacks in the financial sector.
  4. Distributed Denial-of-Service (DDoS) attacks: Cybercriminals carried out approximately 4.4M DDoS attacks in 2021, resulting in significant losses for the financial sector, according to NETSCOUT.
  5. Bank-drops: “Bank-drops” are fake bank accounts criminals create to store stolen funds. Threat actors steal personal and business information on the dark web. Using stolen credentials, threat actors open an account and order a card. The account must appear as legitimate as possible to fool the bank and authorities. Threat actors utilize another’s account to transfer or withdraw stolen funds.

Analyst Comment: An organization can face multiple risks mentioned above at the same time. For example, a ransomware group can use phishing or supply chain compromise as an initial vector of an attack. Some ransomware groups have also utilized DDoS attacks as an extortion technique. This means that a financial organization must consider most (if not all) of the risks mentioned above in order to protect their infrastructure from just one type of attack.

HEALTHCARE

Cybercriminal groups linked to North Korea have been using Maui ransomware to attack the US health sector. The FBI, CISA, and US Treasury issued a joint statement saying they had picked up on the cyber campaign after analyzing tactics, techniques, and procedures (TTPs) and indicators of compromise that led Bureau investigators back to North Korea. The ransomware attacks have been ongoing since at least May 2021; they have targeted electronic health records and diagnostic and imaging services. In some cases, services provided by victim organizations were “disrupted for prolonged periods,” the agencies stated. Maui ransomware (maui.exe) is designed for remote manual operation by a threat actor using a “command-line interface [T1059.008] to interact with the malware and to identify files to encrypt,” according to the statement. “Each encrypted file has a unique key and contains a custom header with the file’s original path, allowing Maui to identify previously encrypted files.” The authorities said the initial access vectors for the cyberattacks remained unknown but have urged the healthcare sector to take various security measures to prevent attacks and to report any breaches or ransom demands to the FBI or CISA. The agencies also discourage paying ransoms because it does not guarantee files and records will be recovered and it may pose a sanctions risk. Cybernews


Back to the top

GOVERNANCE

USG

Election officials preparing for the upcoming midterms face myriad threats as they look to protect voting systems while fighting misinformation. The nation’s top state election officials gathered Thursday, July 7 for the start of their annual summer conference with a long list of challenges beginning with securing their voting systems. CISA director Jen Easterly stated that Russia, China, and North Korea remain “very dynamic and complex cyber threats” and criminal gangs pushing ransomware are also a concern. But she noted election security officials could not afford to prioritize one over the other. CISA has been conducting physical assessments for state and local election officials, which include site visits and reviews of security procedures such as video surveillance and access controls. While physical security has always been a concern, an onslaught of threats since 2020 targeting election officials has added urgency to the effort. State and local election officials have reported being harassed in person and receiving death threats over social media and text messages. The agency has also issued guidance on how to mitigate insider threats, which emphasizes the importance of chain of custody rules. Moreover, the guidance suggests the use of bipartisan teams when accessing sensitive equipment to ensure voting systems are protected. At the local level, state election officials have also been focused on boosting cybersecurity defenses where staffing and resources are often limited. Security Week

Analyst Comment: A lot of progress has been made in safeguarding elections since the 2016 Presidential Elections. However, threats have evolved too. One of the biggest challenges of securing the elections is the variety of threats faced by election officials and election infrastructure, which include cybercrime, APT groups, and insider threats, as well as physical threats.

An investment fund supported by the White House and partially funded by tech heavyweights Peter Thiel, Eric Schmidt, and Craig Newmark is working to advance “deep technologies” to give the US the edge over China – especially when it comes to cybersecurity. The US needs to do more to win the great power competition, according to Gilman Louie, CEO of the newly launched America’s Frontier Fund (AFF) and Chairman of LookingGlass.This will entail supporting innovation in AI, quantum computing, fusion, microelectronics, 6G cellular technology, advanced manufacturing, and synthetic biology. The White House recently named Louie, a gaming executive who became the venture capitalist behind In-Q-Tel, the CIA’s investment arm, to President Biden’s Intelligence Advisory Board, giving him a direct line to the president. AFF will be a hub for what Louie calls the Quad Investor Network (QIN), a partnership that AFF will lead with other global democracies to invest jointly in emerging technology. The White House announced the QIN effort in late May, about three weeks after it said Louie had been selected alongside three others for the intelligence advisory board. Cybersecurity has been a White House priority since Biden took office – the administration increased efforts to work alongside the private sector after the SolarWinds and Colonial Pipeline attacks during the president’s first term. But Louie’s work is also building on efforts started in the Trump administration. AFF appears to have grown out of work done by the Congressionally-chartered National Security Commission on Artificial Intelligence (NSCAI) led by Schmidt, the former Google CEO who is a key AFF donor. Louie was one of a handful of national security and technology leaders who worked under Schmidt to produce NSCAI findings last year. In addition to donations from Schmidt, Palantir co-founder Peter Thiel, and Craigslist founder Craig Newmark, the AFF is also supported by a board of directors that includes high-level veterans of national security and the tech industry. CyberScoop

GEOPOLITICS

The UK ICO and NCSC have asked British law firms to stop advising their customers to pay ransom demands in ransomware attacks in a joint letter signed by the two agencies. Paying ransoms to release locked data does not reduce the risk to individuals, is not required by data protection law, and is not regarded as a reasonable step to protect data, according to the ICO. The ICO has stated that it will not consider this as a mitigating factor when determining the type or scale of enforcement action. It will, however, take early engagement and cooperation with the NCSC into account when determining its response. In the event of a ransomware attack, there is a legislative requirement to alert the ICO, whereas the NCSC, the technical authority in cybersecurity, provides help and incident response in order to prevent harm and learn larger cybersecurity lessons. Risky Biz ICO

Analyst Comment: Most ransomware groups are primarily motivated by money, meaning that paying the ransom may motivate cyber criminals to continue committing crime. If organizations stop paying the ransom, financially motivated threat actors will be less motivated to conduct ransomware attacks. However, in some cases the cost of paying the ransom is cheaper for victim organizations than any other incident response and recovery option. Double and triple extortion techniques, which may include publishing data stolen from organizations on leak sites and contacting victim organizations’ employees add pressure on the victims forcing them to pay.

According to a Council on Foreign Relations report released Tuesday July 12, the US should abandon its long-running efforts to establish norms of good behavior for nation-states in cyberspace and adopt a new foreign policy to confront a fragmented and potentially dangerous digital realm. The report comes just months after the State Department established a Bureau of Cyberspace and Digital Policy to support the Biden administration’s efforts to improve digital assistance to allies and the US’ role in global cyber diplomacy. At the same time, foreign adversaries such as China and Russia have increased their efforts to control what information their respective populations can access online, including social media sites, particularly since Moscow’s invasion of Ukraine. The new report makes more than a dozen recommendations for federal leaders and policymakers to address the increasingly fractious digital space, such as establishing an international cybercrime center so allies can maintain pressure on gangs that target critical infrastructure; being more transparent about US Cyber Command’s “hunt forward” missions, which have been used to defend American elections from foreign interference; and holding states accountable if they fail to protect critical infrastructure. The Record

LAW & DATA PRIVACY

The Dutch secret service agencies, the MIVD and AIVD, have been given orders to delete a database that they created in order to store the personal information of millions of Dutch citizens. The database contained names, addresses, and other identifying information. Following a complaint from European Digital Rights (EDRi), a pan-European association of civil and human rights organizations, the country’s data protection supervisor determined that the database was illegally created and ordered the Dutch Ministries of Defense and Interior to delete it. EDRi is a European organization dedicated to the protection of civil and human rights. Risky Biz

The Dutch government recently doubled the maximum prison sentence for cyber espionage convictions. A provision in the text states that maximum prison sentences for computer crimes are increased by a factor of three if they are committed at the request of a foreign power. Risky Biz

The Italian data protection authority formally warned Chinese-owned TikTok on Monday, July 11, about an alleged violation of EU rules to protect user privacy. TikTok had informed users in recent weeks that it would begin delivering targeted advertising to them on July 13 without requesting consent to use data stored on their devices, according to the Italian watchdog. According to the Italian regulator, TikTok claimed it was acting in the legitimate interests of the company and its partners when it changed its privacy policy. However, the watchdog stated that such a legal basis was incompatible with EU privacy rules. The agency stated that it reserves the right to impose unspecified restrictions if TikTok, which has seen rapid growth globally, particularly among teenagers, does not withdraw its announced policy changes. It also expressed concern that inappropriate advertising could be directed at minors, citing TikTok’s difficulties in accurately monitoring the ages of its users. The agency has also notified Ireland’s Data Protection Commission about TikTok’s alleged violations of EU data rules. Due to the location of their regional headquarters in Ireland, the Irish body is the lead EU regulator for TikTok and other top internet firms. Reuters

Analyst Comment: TikTok has faced criticism for user data privacy concerns from various countries. The company’s recent practice of changing its privacy without requesting consent is consistent with TikTok’s usual neglect of user data privacy. Another example is that the company has promised that information gathered from American users would stay in the US. However, recently leaked audio from over 80 internal TikTok meetings show that employees of ByteDance, TikTok’s parent company in Beijing, have repeatedly accessed private data about US users from September 2021 to January 2022. TikTok announced that American users’ data is being routed to US-based servers owned by Oracle in June 2022, but it remains unclear whether the company will deliver as promised.

On Tuesday, July 12, Apple and Zoom were fined for allegedly refusing to store the data of Russian citizens on Russian territory. The court in Moscow’s Tagansky district fined Apple ~$34k, while Zoom and Ookla, which runs the internet performance tool Speedtest, were fined ~$17k each. Alphabet’s Google was fined ~$1k for a separate data-related offense. Reuters

Analyst Comment: Changes to the Personal Data Law of the Russian Federation, requiring companies to store data of Russian citizens on Russian territory were first introduced in 2015. Apple and Zoom are not the first companies that were affected by this law. Previously, fines were imposed on Facebook (Meta) and Twitter. Before the law was introduced, some Russian companies preferred to host data collected from users on foreign hostings as well, due to their accessibility and pricing. Changes to the Russian Personal Data Law happened at the same time as the Russian government established better control of social media in Russia, including taking over the largest Russian social media Vkontakte and forcing its founder Pavel Durov to leave Russia. Following protests in Ukraine in 2013-2014, Durov refused to provide data about those who organized protests against Russian law enforcement. After leaving Russia, Durov founded Telegram, marketing it as a more secure way to communicate.


Back to the top

Sign up for the Cyber Monitor