At a glance.
- Hackers-for-hire pursue not just organizations and companies, but individuals as well.
- Contact-tracing wearable arouses privacy concerns.
- Final CCPA regulations undergo final review.
Hackers-for-hire pursue organizational, personal data.
The University of Toronto's Citizen Lab this morning released a report on a hacker-for-hire operation, "Dark Basin," which targeted "advocacy groups and journalists, elected and senior government officials, hedge funds, and multiple industries."
“We found that Dark Basin likely conducted commercial espionage on behalf of their clients against opponents involved in high profile public events, criminal cases, financial transactions, news stories, and advocacy,” Citizen Lab says. They initially thought Dark Basin might have been a state-sponsored group, but concluded instead that they were hired guns working for one side of a “contested legal proceeding, advocacy issue, or business deal.”
Citizen Lab is careful to say that it has no evidence that would enable it to identify who hired Dark Basin for action against climate change activists. Nor is there much to identify who hired Dark Basin to target campaigners for net neutrality, or to short sellers of particular stocks, or to energy or financial services companies, or simply to high-net worth individuals, particularly Eastern European oligarchs. It's a diverse set of targets, and that strongly suggests a purely mercenary operation.
Citizen Lab says Dark Basin is run by Delhi-based IT and cybersecurity firm BellTroX. BellTroX’s director and owner is Sumit Gupta. According to Citizen Lab, he’s the same Sumit Gupta whom the US Attorney for the Northern District of California charged in 2015 with “crimes related to a conspiracy to access the e-mail accounts, Skype accounts, and computers of people opposing” his co-conspirators in civil lawsuits. Thus the hackers-for-hire would seem to represent a threat to private individuals as well as organizations.
Mr. Gupta is still at large in India, and apparently still running BellTroX. The company’s website was up and accessible earlier this morning, but as of 1:00 PM Eastern Time the BellTroX site had been replaced with an “Account suspended” page.
The New York Times says US Federal prosecutors are investigating the latest Dark Basin activity. Citizen Lab draws this lesson from their research: large-scale, commercialized hacking is a serious and growing criminal threat.
Singapore's contact-tracing wearable arouses privacy concerns.
Singapore is beginning to supplement its contact-tracing app, TraceTogether, with a wearable device. The intention is to reach populations who haven't been enrolled in Bluetooth-based TraceTogether. That app couldn't be used by those without phones, and even those with phones experienced interoperability problems, Threatpost reports. The devices would be distributed to everyone in Singapore and would amount to an equivalent of TraceTogether, but with greater reach and fewer bugs. The proposed system has prompted popular objections: some 35,000 signing a petition “Singapore says ‘No’ to wearable devices for COVID-19 contact tracing.”
Final version of California Consumer Privacy Act regulations expected to take effect on July 1st.
The California Attorney General has submitted the final version of the California Consumer Privacy Act (CCPA) for review. As Cooley points out in their blog, the big remaining question is when the regulations will actually go into full effect, and that appears likely to be the first of next month. City and county attorneys as well as private plaintiffs have already been able to bring actions under the CCPA since it took effect on January 1st.