That's not all that happened this week, though! Google shed some new light on the Iranian hacking group known as APT35, or Charming Kitten, and how they use Telegram bots to let them know when a phishing lure has a nibble. Speaking of Telegram, a new report shows just how poor a job the messaging service has done keeping extremism off the platform.
There was good news for Cloudflare this week, as a judge ruled that the internet infrastructure company isn't liable when one of its customers infringes on copyrighted designs on their websites. And there was bad news for humanity, as the governor of Missouri has threatened repeatedly to sue a journalist for responsibly disclosing a security flaw he uncovered on a state website.
And there's more! Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories, and stay safe out there.
In February, someone tried to poison a Florida city's water supply by hacking into its control system and dramatically increasing the amount of sodium hydroxide. In 2020, a former employee at a Kansas water facility accessed and tampered with its controls remotely. And that's before you even get to the four ransomware attacks that intelligence officials documented this week, in a joint warning about the ongoing threats that hackers pose to US water and wastewater facilities. The alert notes that water treatment plants tend to invest in physical infrastructure rather than IT resources, and tend to use outdated versions of software, both of which leave them susceptible to attack. Disgruntled insiders have ample access to wreak havoc, and ransomware attackers always like a target that can't afford to stay offline for any significant period of time. While this isn't necessarily surprising—we sounded the same warning back in April—the joint FBI/CISA/NSA/EPA memo gives new detail on how many confirmed attacks have taken place in recent months, and it offers some guidance for critical infrastructure operators on how not to be the next victim.
A comprehensive hack of Twitch recently included source code, gamer payouts, and more, causing quite a stir among streamers especially. But it's not the biggest hack in Twitch history. That distinction belongs to a 2014 compromise, detailed by Motherboard this week, that was devastating enough that Twitch had to "rebuild much of its code infrastructure," according to the report, because so many of its servers had likely been compromised. Inside Twitch, the hack became known as “Urgent Pizza” because of how much overtime engineers had to work—and dinners the company had to feed them—to mitigate the attack. It's well worth a full read.
Chances are you've heard this story by now, but it's still worth including a case with allegations this wild. The Department of Justice has charged Navy nuclear engineer Jonathan Toebbe and his wife with trying to give state secrets to a foreign country; the people on the other end of the line turned out to be FBI agents. Toebbe allegedly participated in several “dead drops” of sensitive information; court documents say he hid data cards in everything from a peanut butter sandwich to a pack of gum. He allegedly offered up thousands of documents, asking for $100,000 of cryptocurrency in return.
It's always a good idea to update all of your devices all of the time—automatically, even—but especially so when that update is specifically designed to fix a so-called zero-day bug. In this case, a security researcher had gotten so tired of Apple not crediting his submissions that last month he posted a proof-of-concept exploit and full details for four separate iOS security flaws. This is the second one to be patched, which leaves two to go. Hopefully Apple will give him a proper hat tip when it gets around to fixing those.