As the Biden administration moves on an ever-growing list of policy initiatives, the White House issued sanctions this week for a slate of Russian misdeeds, including interference in the 2020 election, the poisoning of dissident Aleksey Navalny, and the SolarWinds hacking spree that swept United States government agencies and many private-sector companies. The retaliatory move is complicated when it comes to SolarWinds, though, because it comprised the sort of espionage operation that would typically fall within geopolitical norms.
Elsewhere in the US government, the Justice Department took a drastic step this week to halt a Chinese hacking spree by authorizing the FBI to obtain a warrant and then directly delete attackers' hacking infrastructure from hundreds of victims' internal systems. Many in the security community lauded the effort, but the move also stoked some controversy given the precedent it could set for future US government actions that might be more invasive.
Over in the fraught world of internet-of-things security, researchers published findings on Tuesday that more than 100 million embedded devices and IT management servers are potentially vulnerable to attack, because of flaws in fundamental networking protocols. The devices are made by numerous vendors and used in environments from regular offices to health care and critical infrastructure, potentially exposing those networks to attack.
If you're trying to lock your accounts down and reduce your reliance on passwords, we have a guide to alternatives that'll walk you through on a number of platforms. And if you're feeling a general sense of existential dread about all manner of threats, you're not alone—the US Intelligence Community seems to be feeling the same way.
And there's more. Each week we round up all the news WIRED didn’t cover in depth. Click on the headlines to read the full stories. And stay safe out there.
In 2016 the US government famously tried to compel Apple to unlock the iPhone of one of the San Bernardino shooters. The case could have set a precedent that the government could demand that tech companies undermine the security protections in their products or insert “backdoors.” (Several law enforcement agencies and lawmakers around the world still advocate for that kind of access). But privacy advocates and security experts alike have said unequivocally and consistently that backdoors are dangerous and would expose people to unacceptable security and privacy risks. In the San Bernardino case, the FBI ultimately found a way into the device without Apple's help. Reports at the time indicated that the FBI paid about $1 million to use an iPhone hacking tool developed by a private firm. This week, The Washington Post revealed that the company that sold the tool isn't one of the better-known players, but instead a small Australian company known as Azimuth that is now owned by the US defense contractor L3Harris. The news provides a helpful detail as companies weigh resisting other such orders that may come from the US Justice Department or other governments in the future.
As part of this week's White House sanctions against Russia, the Biden administration called out a list of cybersecurity vendors that allegedly provided hacking tools and other services to the Russian government's offensive hackers. One of those companies, Positive Technologies, is a member of Microsoft's Active Protections Program, a group of nearly 100 software vendors who get advanced warning from Microsoft about vulnerabilities in Windows or Microsoft's other products before a patch is released. Microsoft sometimes shares proofs-of-concept that a vulnerability can be exploited maliciously in an effort to coordinate public disclosure of the flaw. The idea is for Microsoft's trusted security partners to get a jump on the inevitable flood of malicious activity that comes once patches are released and attackers everywhere can reverse engineer them to build their own hacking tools. If Positive Technologies was working closely with the Russian government, it could have leaked the information and allowed attackers to modify their techniques or weaponize flaws they didn't know about. The company strongly denied the allegations.
The European commissioner for budget and administration said this week that the SolarWinds hacking spree potentially compromised six European Union offices. In all, 14 EU agencies ran some version of the affected SolarWinds Orion software at the time of the hack. The EU's Computer Emergency Response Team did not say which six agencies downloaded the tainted update and did not elaborate on how many of the six were actually deeply compromised by Russian hackers. CERT-EU said, though, that for at least some of the six there was a “significant impact,” and “some personal data breaches occurred.”