Welcome to The Cybersecurity 202! I hope you had a good Thanksgiving break, if you celebrate. I know I did. Yum.
Below: A cyberattack on Texas hospitals is more widespread than previously known, and Ukraine detains a former top cyber official. First:
Spyware makes its debut with Serbian civil society groups, investigators find
Investigators say they found evidence of attempted spyware infections targeting two people representing civil-society groups in Serbia, believed to be the first abuse of spyware in that nation.
It follows a series of revelations about spyware aimed at organizations and individuals determined to hold governments to account, be they journalists or human rights activists. Recently revealed targets have even included members of the U.S. Congress.
Access Now, the University of Toronto’s Citizen Lab and Amnesty International came to identical conclusions when investigating the phones of the two Serbian civil-society representatives and are publishing the results of their investigation this morning.
Their investigations came after the targets received notifications from Apple that their iPhones may have been targeted by government attacks. The investigators reached no conclusion about the type of spyware used or who might have been responsible.
The Cybersecurity 202 is the first U.S. news outfit to report on the groups’ findings.
The Apple notifications arrived on Oct. 30. Investigators determined that the attempted infections of the two targets happened within approximately one minute of each other on Aug. 16.
One of the targets, who spoke on the condition of anonymity for security reasons, said they were somewhat surprised to find themselves targeted because they weren’t running for office or doing anything aimed at overthrowing the ruling government.
“I was shocked because I was reading about Pegasus and everything about it,” they told me, referring to NSO Group’s Pegasus spyware. “I was not really aware that it might happen to me.”
- “I was also not so shocked about it, because [shortly] before, there was a very nasty article about me in a pro-government tabloid,” they said. Of whoever was responsible for the spyware attack, they said, “I didn’t know that they would spend so much money targeting me personally.”
The targets approached the SHARE Foundation, a Belgrade-based digital rights organization, to have their phones examined. The foundation first revealed the spyware targeting last week.
The target I spoke to suspected that two parties might try to infect their phone: the governments of Serbia and Russia. They said they had been critical of the Serbian government on things like its approach to the rule of law and its stances on Russia.
The head of Serbia's intelligence agency, the Security Information Agency (BIA), recently resigned after the United States sanctioned him for allegedly assisting Russia's "malign" activities.
The target told me they believe the attack fell short because they had already updated their phone, which they think blocked exploitation of the vulnerability the attackers were trying to use.
The investigation, and perspective
The attackers tried to take advantage of HomeKit functionality on certain iPhones, the groups investigating the targets' phones said. HomeKit is Apple's framework for configuring and controlling smart-home devices.
“The tactics are consistent with those previously used by NSO Group’s Pegasus spyware, although given limited available forensic indicators on the targeted devices, we cannot confirm the exact type of spyware used in this attack,” the groups said.
When there’s no hard evidence of a successful infection, it can be difficult to identify the specific spyware used, said Bill Marczak, senior researcher at Citizen Lab. But NSO has shown signs of pursuing exploits involving HomeKit dating back to October of last year, he told me.
Marczak said there is no evidence that the attacks on the Serbian targets succeeded, though that does not necessarily mean they failed.
Serbia’s government has been a likely Pegasus operator since 2021, Citizen Lab found. Either the government broadly or the BIA specifically has also dabbled with other spyware options — including Cytrox’s prominent Predator spyware — dating back to 2012, according to investigators, activists and leaked documents.
“We are seeing a concerning development that … very vocal civil-society actors in Serbia who are critical of the government are being targeted with spyware, and on the same day,” Natalia Krapiva, tech-legal counsel at Access Now, told me. “It’s a worrying development for democracy, for rule of law, and given what we know about Serbia — that they have been a user of spyware or suspected user of spyware, and not just one type but multiple over the years.”
Despite the Serbian government's history of exploring its spyware options, Marczak said this is the first case of spyware abuse in Serbia that he knows of, regardless of who is responsible. It is also possible that Serbia's government has until now been using spyware for legitimate purposes such as combating terrorism, he said, but he noted that would be purely speculative.
From a government regulatory perspective, the United States has drawn guarded praise for its steps to combat spyware abuse, but spyware critics including European lawmakers have been exasperated with the approach in Europe.
The responses
Asked about the report and whether the NSO Group had a contract with the Serbian government, the company answered:
- “Citizens Lab and Access Now continue to push, by their own admission, inconclusive reports regarding Pegasus,” it said via email. “NSO technologies such as Pegasus save lives and keep the public safe.”
- “NSO does not operate its technology and is not privy to the collected intelligence,” it continued. “The company initiated the industry’s leading compliance and human rights policy, and investigates all credible and concrete allegations of misuse.”
Neither the Serbian Embassy in the United States nor the BIA responded to messages seeking comment.
A person familiar with NSO operations, who spoke with me in September on the condition of anonymity to discuss the matter, said the Russian government is not a client.
Cyberattack on Texas hospitals more widespread than previously known
A cyberattack targeting East Texas hospitals that caused ambulances to drive to other health-care facilities on Thanksgiving Day is more widespread than previously known, forcing ambulances linked to other hospitals in New Jersey, New Mexico and Oklahoma to reroute, CNN’s Sean Lyngaas reports.
The report notes: “All of the affected hospitals are owned, or partly owned, by Ardent Health Services, a Tennessee-based company that owns more than two dozen hospitals in at least five states.”
- It continues: “Among the hospitals currently unable to accept ambulances are a 263-bed hospital in downtown Albuquerque, New Mexico; a 365-bed hospital in Montclair, New Jersey; and a network of several hospitals in East Texas that serve thousands of patients a year.”
- Ardent Health in a Monday statement confirmed the incident as a ransomware attack, in which attackers encrypt or steal a victim's data, or lock up the systems it operates on, and demand payment to restore access or to refrain from leaking what was taken.
A nurse who works at one of the affected hospitals in New Jersey told CNN that staffers “are doing everything on paper” to manage commonly computerized medical records such as a patient’s lab work. The nurse spoke to the outlet on the condition of anonymity because they were not authorized to speak to reporters.
Additionally, Cybersecurity and Infrastructure Security Agency (CISA) officials told Ardent about possible malicious cyber activity in its networks the day before the incident began, Lyngaas writes, citing a person familiar with the matter.
- “Ardent Health spokesperson Will Roberts confirmed CISA officials contacted the company ‘to make us aware of information about suspicious activity in our system,’” according to the outlet.
- Hospitals in several other states have been acutely affected by cyberattacks throughout this year, CNN notes.
Voting machine glitches in Pennsylvania sound alarm ahead of 2024
Touch-screen voting machines that glitched in the Pennsylvania swing county of Northampton this month are raising concerns about voter confidence in the county ahead of what’s expected to be a high-profile 2024 presidential election, Politico’s John Sakellariadis reports.
The glitch follows a similar incident in 2019 during a county down-ballot judge’s race when the machines were introduced. A lawsuit ensued over the matter, with a nonprofit arguing that the machines should not have been certified to begin with.
“We’re at the peak of mistrust of one another, but until that subsides, counties like ours need to be nearly perfect, and I think this system allows us to do that,” County Executive Lamont McClure told Politico before Northampton certified the vote Tuesday, arguing that the glitch was related to human error.
- Sakellariadis writes: “The debate playing out in Northampton comes as election officials across the country are still contending with the consequences of Donald Trump’s 2020 fraud claims, which often centered around how votes are counted at the local level. With Trump a current front-runner for the Republican nomination, that skepticism could only mount.”
- The report adds: “The stakes are particularly high in Pennsylvania, which boasts 19 electoral votes and is expected to be a top battleground next year. Northampton is home to roughly 220,000 registered voters. Trump won the state by just 44,000 votes in 2016. He lost it by roughly 80,000 votes four years later.”
Ukraine detains former top cyber official Victor Zhora in alleged embezzlement probe
The Ukrainian government fired two top cyber officials last week over alleged embezzlement. Now one of them is being detained, TechCrunch's Lorenzo Franceschi-Bicchierai reports.
- A judge ordered Victor Zhora, chief digital transformation officer at the State Service of Special Communications and Information Protection of Ukraine, to be detained as a preventive measure.
- The report says: “Ukraine’s senior cabinet official Taras Melnychuk announced the firings in a public post on Telegram last week. The two officials are Yurii Shchyhol, head of … SSSCIP, and his deputy … Zhora, who had become a staple at international conferences as the public face of Ukraine’s cybersecurity defenders.”
- His detention is expected to last until Jan. 22, with a bail of 10,000,584 Ukrainian hryvnia, or roughly $275,000, TechCrunch notes.
He wrote on X, formerly Twitter, on Nov. 24 that it was his last day working at SSSCIP. The post reads: “Thank you all for your support of our Service and our fight with enemy in cyberspace. Hope my successor will continue supporting all initiatives and international cooperation. Look forward to get back to you soon in my new mission.”
He did not immediately return a request for comment from TechCrunch, and it was not immediately clear if he posted bail. Zhora previously told the outlet that he would defend his name and reputation in court. The SSSCIP did not immediately return the outlet’s request for comment.
Global cyberspace
Police dismantle ransomware group behind attacks in 71 countries (Bleeping Computer)
Inside U.S. efforts to untangle an A.I. giant’s ties to China (New York Times)
DP World says hackers stole Australian ports employee data (Reuters)
New crypto front emerges in Israel’s militant financing fight (Reuters)
SenseTime plunges after short seller alleges the Chinese AI firm inflated revenue (CNBC)
Sneakers and armored cars: How a shoe company empire allegedly used a Chinese money laundering ring (404 Media)
Shadowy hacking group targeting Israel shows outsized capabilities (CyberScoop)
Industry report
Fidelity National Financial investigating cyberattack that led to service disruption (Cybersecurity Dive)
Government scan
US and UK release joint guidelines for secure-by-design AI (Nextgov/FCW)
AI threat demands new approach to security designs -US official (Reuters)
Cyber insecurity
Cyberattack on Kansas courts leaves lawyers filing ‘everything by fax’ (Wall Street Journal)
KyberSwap recovers $4.7 million after exploit (The Block)
Privacy patch
Instagram’s algorithm delivers toxic video mix to adults who follow children (Wall Street Journal)
As online fraudsters run amok, U.S. response is lagging (Newsweek)
- Homeland Security Secretary Alejandro Mayorkas, CFPB Director Rohit Chopra and others speak at Axios’s AI+DC Summit beginning at 9:30 a.m.
- The Institute of World Politics holds a discussion on how partisan politics affects the U.S. intelligence community at 5 p.m.
- The House Oversight Committee holds a hearing on protecting federal software supply chains tomorrow at 2 p.m.
Secure log off
In Tokyo there is a Philadelphia themed bar, which was set up because the guy who runs it loved Philadelphia soul music, and wanted to set up a place that only played that. Eagles games on the TV, cheesesteak on the menu.
— Mike Bird (@Birdyword) November 27, 2023
Thanks for reading. See you tomorrow.