Hacker dumps thousands of sensitive Mexican embassy documents online

A hacker stole thousands of documents from Mexico’s embassy in Guatemala and posted them online.

The hacker, who goes by the online handle @0x55Taylor, tweeted a link to the data earlier this week. The data is no longer available for download, after the cloud host pulled it offline, but the hacker shared the document dump with TechCrunch to verify its contents.

The hacker told TechCrunch in a message: “A vulnerable server in Guatemala related to the Mexican embassy was compromised and I downloaded all the documents and databases.” He said he contacted Mexican officials but he was ignored.

In previous correspondence with the hacker, he said he tries to report problems and has received bounty payouts for his discoveries. “But when I don’t get a reply, then it’s going public,” he said.

More than 4,800 documents were stolen, most of which related to the inner workings of the Mexican embassy in the Guatemalan capital, including its consular activities, such as recognizing births and deaths, dealing with Mexican citizens who have been incarcerated or jailed and the issuing of travel documents.

More than a thousand passports — including identification issued to diplomats — were stolen. (Image: supplied)

We found more than a thousand highly sensitive identity documents of primarily Mexican citizens and diplomats — including scans of passports, visas, birth certificates and more — but also some Guatemalan citizens.

Several documents contained scans of the front and back of payment cards.

One of the diplomatic visas issued to a Mexican diplomat, found among the stolen files. (Image: supplied)

The stolen data also included dozens of letters granting diplomatic rights, privileges and immunities to embassy staff. Diplomatic rights grant employees of the foreign embassy certain protections from their host country’s government and law enforcement. Diplomatic immunity, for example, gives staff safe passage in and out of the country and generally protects them from prosecution. Other documents seen by TechCrunch were signed off personally by Mexico’s ambassador to Guatemala, Luis Manuel López Moreno, and were instructed to be transported by diplomatic bag, which foreign missions use to transport official correspondence between countries and which cannot be searched by police or customs.

Many of the files were marked “confidential,” though it’s not known if the hacked data included anything considered by the Mexican government to be classified or secret. Other files were internal administrative documents relating to staff medical expenses, vacation and time off and vehicle certifications.

When reached Friday, Gerardo Izzo, a spokesperson for the consul general in New York, said it is taking the matter “very seriously” but did not immediately have comment.

Friday is a national holiday in Mexico.


How do you hire a great growth marketer?

Editor’s Note: This article is part of a series that explores the world of growth marketing for founders. If you’ve worked with an amazing growth marketing agency, nominate them to be featured in our shortlist of top growth marketing agencies in tech.

Startups often set themselves back a year by hiring the wrong growth marketer.

This post shares a framework my marketing agency uses to source and vet high-potential growth candidates.

With it, early-stage startups can identify and attract a great first growth hire.

It’ll also help you avoid unintentionally hiring candidates who lack broad competency. Some marketers master 1-2 channels, but aren’t experts at much else. When hiring your first growth marketer, you should aim for a generalist.

This post covers two key areas:

  1. How I find growth candidates.
  2. How I identify which candidates are legitimately talented.

Great marketers are often founders

One interesting way to find great marketers is to look for great potential founders.

Let me explain. Privately, most great marketers admit that their motive for getting hired was to gain a couple years’ experience they could use to start their own company.

Don’t let that scare you. Leverage it: You can sidestep the competitive landscape for marketing talent by recruiting past founders whose startups have recently failed.

Why do this? Because great founders and great growth marketers are often one and the same. They’re multi-disciplinary executors, they take ownership and they’re passionate about product.

You see, a marketing role with sufficient autonomy mimics the role of a founder: In both, you hustle to acquire users and optimize your product to retain them. You’re working across growth, brand, product and data.

As a result, struggling founders wanting a break from the startup roller coaster often find transitioning to a growth marketing role to be a natural segue.

How do we find these high-potential candidates?

Finding founders

To find past founders, you could theoretically monitor the alumni lists of incubators like Y Combinator and Techstars to see which companies never succeeded. Then you can reach out to their first-time founders.

You can also identify future founders: Browse Product Hunt and Indie Hackers for old projects that showed great marketing skill but didn’t succeed.

There are thousands of promising founders who’ve left a mark on the web. Their failure is not necessarily indicative of incompetence. My agency’s co-founders and directors, including myself, all failed at founding past companies.

How do I attract candidates?

To get potential founders interested in the day-to-day of your marketing role, offer them both breadth and autonomy:

  • Let them be involved in many things.
  • Let them be fully in charge of a few things.

Remember, recreate the experience of being a founder.

Further, vet their enthusiasm for your product, market and its product-channel fit:

  • Product and market: Do their interests line up with how your product impacts its users? For example, do they care more about connecting people through social networks, or about solving productivity problems through SaaS? And which does your product line up with?
  • Product-channel fit: Are they excited to run the acquisition channels that typically succeed in your market?

The latter is a little-understood but critically important requirement: Hire marketers who are interested in the channels your company actually needs.

Let’s illustrate this with a comparison between two hypothetical companies:

  1. A B2B enterprise SaaS app.
  2. An e-commerce company that sells mattresses.

Broadly speaking, the enterprise app will most likely succeed through the following customer acquisition channels: sales, offline networking, Facebook desktop ads and Google Search.

In contrast, the e-commerce company will most likely succeed through Instagram ads, Facebook mobile ads, Pinterest ads and Google Shopping ads.

We can narrow it even further: In practice, most companies only get one or two of their potential channels to work profitably and at scale.

Meaning, most companies have to develop deep expertise in just a couple of channels.

There are enterprise marketers who can run cold outreach campaigns on autopilot. But, many have neither the expertise nor the interest to run, say, Pinterest ads. So if you’ve determined Pinterest is a high-leverage ad channel for your business, you’d be mistaken to assume that an enterprise marketer’s cold outreach skills seamlessly translate to Pinterest ads.

Some channels take a year or longer to master. And mastering one channel doesn’t necessarily make you any better at the next. Pinterest, for example, relies on creative design. Cold email outreach relies on copywriting and account-based marketing.

(How do you identify which ad channels are most likely to work for your company? Read my Extra Crunch article for a breakdown.)

To summarize: To attract the right marketers, identify those who are interested in not only your product but also how your product is sold.

Other approaches

The founder-first approach I’ve shared is just one of many ways my agency recruits great marketers. The point is to remind you that great candidates are sometimes a small career pivot away from being your perfect hire. You don’t have to look in the typical places when your budget is tight and you want to hire someone with high, senior potential.

This is especially relevant for early-stage, bootstrapping startups.

If you have the foresight to recognize these high-potential candidates, you can hopefully hire both better and cheaper. Plus, you empower someone to level up their career.

Speaking of which, here are other ways to hire talent whose potential hasn’t been fully realized:

  • Find deep specialists (e.g. Facebook Ads experts) and offer them an opportunity to learn complementary skills with a more open-ended, strategic role. (You can help train them with my growth guide.)
  • Poach experienced junior marketers from a company in your space by offering senior roles.
  • Hire candidates from top growth marketing schools.

Vetting growth marketers

If you don’t yet have a growth candidate to vet, you can stop reading here. Bookmark this and return when you do!

Now that you have a candidate, how do you assess whether they’re legitimately talented?

At Bell Curve, we ask our most promising leads to incrementally complete three projects:

  • Create Facebook and Instagram ads to send traffic to our site. This showcases their low-level, tactical skills.
  • Walk us through a methodology for optimizing our site’s conversion rate. This showcases their process-driven approach to generating growth ideas. Process is everything.
  • Ideate and prioritize customer acquisition strategies for our company. This showcases their ability to prioritize high-leverage projects and see the big picture.

We allow a week to complete these projects. And we pay them market wage.

Here’s what we’re looking for when we assess their work.

Level 1: Basics

First — putting their work aside — we assess the dynamics of working with them. Are they:

  • Competent: Can they follow instructions and understand nuance?
  • Reliable: Will they hit deadlines without excuses?
  • Communicative: Will they proactively clarify unclear things?
  • Kind: Do they have social skills?

If they follow our instructions and do a decent job, they’re competent. If they hit our deadline, they’re probably reliable. If they ask good questions, they’re communicative.

And if we like talking to them, they’re kind.

Level 2: Capabilities

A level higher, we use these projects to assess their ability to contribute to the company:

  • Do they have a process for generating and prioritizing good ideas? 
    • Did their process result in multiple worthwhile ad and landing page ideas? We’re assessing their process more so than their output. A great process leads to generating quality ideas forever.
    • Resources are always limited. One of the most important jobs of a growth marketer is to ensure growth resources are focused on the right opportunities. I’m looking for a candidate that has a process for identifying, evaluating and prioritizing growth opportunities.
  • Can they execute on those ideas? 
    • Did they create ads and propose A/B tests thoughtfully? Did they identify the most compelling value propositions, write copy enticingly and target audiences that make sense?
    • Have they achieved mastery of 1-2 acquisition channels (ideally, the channels your company is dependent on to scale)? I don’t expect anyone to be an expert in all channels, but deep knowledge of at least a couple of channels is key for an early-stage startup making their first growth hire.

If you don’t have the in-house expertise to assess their growth skills, you can pay an experienced marketer to assess their work. It’ll cost you a couple hundred bucks, and give you peace of mind. Look on Upwork for someone, or ask a marketer at a friend’s company.

Recap

  • If you’re an early-stage company with a tight budget, there are creative ways to source high-potential growth talent.
  • Assess that talent on their product fit and market fit for your company. Do they actually want to work on the channels needed for your business to succeed?
  • Give them a week-long sample project. Assess their ability to generate ideas and prioritize them.

Russians hacked ‘at least one’ Florida county prior to 2016 election

Russian operatives successfully targeted and hacked “at least one” Florida county government in the run up to the 2016 U.S. presidential election, according to new findings by the Special Counsel Robert Mueller.

The report, published Thursday by the Justice Department, said the county was targeted by the Russian intelligence service, known as the GRU. The hackers sent spearphishing emails to more than 120 email accounts used by county officials responsible for administering the election, the report said.

According to the findings:

In August 2016, GRU officers targeted employees of [REDACTED], a voting technology company that developed software used by numerous U.S. counties to manage voter rolls, and installed malware on the company network… the spearphishing emails contained an attached Word document coded with malicious software (commonly referred to as a Trojan) that permitted the GRU to access the infected computer.

The findings are a significant development from previous reporting that said Florida’s election systems were merely targets of the Russian operatives.

Sen. Bill Nelson (D-FL) was derided after he claimed just days before his eventual re-election that hackers had gained access to the state’s election systems. According to NBC News, some of Nelson’s assertions were based on classified information that was not yet public.

Nelson’s remarks came almost a year after The Intercept published a classified document — later discovered to have been sent by since-jailed NSA whistleblower Reality Winner — showing that intelligence pointed to a concerted effort by the GRU to target election infrastructure. The NSA said the hackers sent emails impersonating voting technology company VR Systems to state government officials.

The Orlando Sentinel confirmed Thursday, following the release of Mueller’s report, that Volusia County was sent infected emails containing malware, suggesting Volusia County — north of Orlando — may have been the target.

Mueller’s report confirmed that the FBI investigated the incident.

The office of Florida’s secretary of state said that Florida’s voter registration system “was and remains secure,” and “official results or vote tallies were not changed.”

Two years later, following the 2018 midterm elections, the Justice Department and Homeland Security said there was “no evidence” of vote hacking or tampering.

Working backwards to uncover key success factors

If you’re a SaaS business, you’re likely overwhelmed with data and an ever-growing list of acronyms that purport to unlock the secret keys to your success. But like most things, tracking what you do has very little impact on what you actually do.

It’s really important to find one, or a very small number, of key indicators to track and then base your activities against those. It’s arguable that SaaS businesses are becoming TOO data driven — at the expense of focussing on the core business and the reason they exist.

In this article, we’ll look at focusing on metrics that matter, metrics that help form activities, not just measure them in retrospect.

Most of the metrics we track, such as revenue growth, are lagging indicators. But growth is a result, not an activity you can drive. Just saying you want to grow an extra 10% doesn’t mean anything towards actually achieving it.

Growth funnels are generally looked at from top to bottom, and in a historical context. A good exercise is to go the other way around: start bottom-up with the end result (the growth goal) and figure out what each stage needs to contribute to achieve it.

You can do this by looking at leading indicators. These are metrics that you can influence — and that as you act, and see them increase or decrease, you can be relatively certain of the knock-on effects on the rest of the business. For example — if you run a project management product, the number of tasks created is likely to be a good leading indicator for the growth of the business — more tasks created on the platform equals more revenue.

Chipotle customers are saying their accounts have been hacked

A stream of Chipotle customers have said their accounts have been hacked and are reporting fraudulent orders charged to their credit cards — sometimes totaling hundreds of dollars.

Customers have posted on several Reddit threads complaining of account breaches and many more have tweeted at @ChipotleTweets to alert the fast food giant of the problem. In most cases, orders were put through under a victim’s account and delivered to addresses often not even in the victim’s state.

Many of the customers TechCrunch spoke to in the past two days said they used their Chipotle account password on other sites. Chipotle spokesperson Laurie Schalow told TechCrunch that credential stuffing was to blame. Hackers take lists of usernames and passwords from other breached sites and brute-force their way into other accounts.

But several customers we spoke to said their password was unique to Chipotle. Another customer said they didn’t have an account but ordered through Chipotle’s guest checkout option.

Tweets from Chipotle customers. (Screenshot: TechCrunch)

When we asked Chipotle about this, Schalow said the company is “monitoring any possible account security issues of which we’re made aware and continue to have no indication of a breach of private data of our customers,” and reiterated that the company’s data points to credential stuffing.

It’s a similar set of complaints made by DoorDash customers last year, who said their accounts had been improperly accessed. DoorDash also blamed the account hacks on credential stuffing, but could not explain how some accounts were breached even when users told TechCrunch that they used a unique password on the site.

If credential stuffing is to blame for the Chipotle account breaches, rolling out two-factor authentication would help prevent the automated login process and put an additional barrier between a hacker and a victim’s account.

But when asked if Chipotle has plans to roll out two-factor authentication to protect its customers going forward, spokesperson Schalow declined to comment. “We don’t discuss our security strategies.”
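The article's distinction matters for defenders: credential stuffing replays a breached username/password list, so it looks like one source trying many accounts about once each, whereas a brute-force attack hammers one account. The script below is an added illustration (not Chipotle's or TechCrunch's code) that labels source IPs in a constructed authentication log by that shape and lists the accounts that were actually logged into from a stuffing source, which are the ones a forced password reset or two-factor enrolment should go to first. Thresholds and the log format are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class LoginEvent:
    ts: datetime
    src: str      # source IP address of the attempt
    user: str     # account the attempt was made against
    ok: bool      # whether the login succeeded


# Constructed web-app authentication log (not real Chipotle data).
# One line per attempt: ISO timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2019-04-12T10:00:01 203.0.113.7 alice@example.com FAIL
2019-04-12T10:00:02 203.0.113.7 bob@example.com FAIL
2019-04-12T10:00:02 203.0.113.7 carol@example.com OK
2019-04-12T10:00:03 203.0.113.7 dave@example.com FAIL
2019-04-12T10:00:03 203.0.113.7 erin@example.com FAIL
2019-04-12T10:00:04 203.0.113.7 frank@example.com FAIL
2019-04-12T10:00:05 203.0.113.7 grace@example.com OK
2019-04-12T10:00:05 203.0.113.7 heidi@example.com FAIL
2019-04-12T10:00:06 203.0.113.7 ivan@example.com FAIL
2019-04-12T10:00:06 203.0.113.7 judy@example.com FAIL
2019-04-12T10:01:00 198.51.100.9 alice@example.com FAIL
2019-04-12T10:01:20 198.51.100.9 alice@example.com OK
2019-04-12T10:02:00 192.0.2.50 mallory@example.com FAIL
2019-04-12T10:02:05 192.0.2.50 mallory@example.com FAIL
2019-04-12T10:02:09 192.0.2.50 mallory@example.com FAIL
2019-04-12T10:02:14 192.0.2.50 mallory@example.com FAIL
2019-04-12T10:02:20 192.0.2.50 mallory@example.com FAIL
2019-04-12T10:02:25 192.0.2.50 mallory@example.com FAIL
2019-04-12T10:02:30 192.0.2.50 mallory@example.com FAIL
2019-04-12T10:02:35 192.0.2.50 mallory@example.com FAIL
2019-04-12T10:02:40 192.0.2.50 mallory@example.com FAIL
2019-04-12T10:02:45 192.0.2.50 mallory@example.com FAIL
"""


def parse_log(text):
    """Parse the constructed log format into LoginEvent objects, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), src, user, outcome == "OK"))
    return sorted(events, key=lambda e: e.ts)


def summarize_sources(events, min_users=8, max_tries_per_user=2.0, min_brute=8):
    """Per source IP: distinct accounts tried, attempts, successes, time span and a label.

    Thresholds are assumed values; tune them to the site's real traffic and
    evaluate them over a sliding time window in production.
    """
    per_src = defaultdict(list)
    for e in events:
        per_src[e.src].append(e)
    summary = {}
    for src, evs in per_src.items():
        users = {e.user for e in evs}
        attempts = len(evs)
        successes = sorted({e.user for e in evs if e.ok})
        span = (evs[-1].ts - evs[0].ts).total_seconds()
        if len(users) >= min_users and attempts / len(users) <= max_tries_per_user:
            # Many accounts, roughly one guess each: a leaked list being replayed.
            label = "credential_stuffing"
        elif len(users) == 1 and attempts >= min_brute:
            # One account, many guesses: classic brute force, a different control.
            label = "brute_force"
        else:
            label = "normal"
        summary[src] = {"users": len(users), "attempts": attempts, "successes": successes,
                        "span_seconds": span, "label": label}
    return summary


def accounts_needing_action(summary):
    """Accounts that were successfully logged into from a stuffing source."""
    hit = set()
    for info in summary.values():
        if info["label"] == "credential_stuffing":
            hit.update(info["successes"])
    return sorted(hit)


if __name__ == "__main__":
    report = summarize_sources(parse_log(SAMPLE_LOG))
    for src, info in report.items():
        print(f"{src:14} {info['label']:20} users={info['users']} attempts={info['attempts']}")
    print("accounts to reset / enrol in 2FA:", accounts_needing_action(report))
```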

Chipotle reported a data breach in 2017 affecting its 2,250 restaurants. Hackers infected its point-of-sale devices with malware, scraping millions of payment cards from unsuspecting restaurant goers. More than a hundred fast food and restaurant chains were also affected by the same malware infections.

In August, three suspects said to be members of the FIN7 hacking and fraud group were charged with the credit card thefts.

A new state-backed hacker group is hijacking government domains at a phenomenal pace

A few months ago, researchers at Cisco’s Talos cybersecurity unit sounded the alarm after discovering a previously unknown hacker group targeting a core part of the internet’s infrastructure.

Their alarm was heard: FireEye quickly came out with new intelligence warning of a “global” domain name hijacking campaign targeting websites of predominantly Arab governments. The campaign, dubbed “DNSpionage,” rerouted users from a legitimate web address to a malicious server to steal passwords. Homeland Security warned the U.S. government had been targeted, and ICANN, the non-profit charged with keeping the internet’s address book, said the domain name system (DNS) was under an “ongoing and significant” attack and urged domain owners to take action.

Now, Talos researchers say they have found another highly advanced hacker group, likely backed by a nation-state, which they say has targeted 40 government and intelligence agencies, telecom firms and internet giants in 13 countries for more than two years.


“We assess with high confidence that these operations are distinctly different and independent from the operations performed by DNSpionage,” said the Talos report out Wednesday, seen by TechCrunch.

The group, which Talos calls “Sea Turtle” — an internal codename that ended up sticking — similarly targets companies by hijacking their DNS. That allows the hackers to point a target’s domain name to a malicious server of their choosing. This clever site-spoofing technique exploits long-known flaws in DNS that can be used to trick unsuspecting corporate victims into turning over their credentials on fake login pages, which the hackers can use for further compromise.

“This is a new group that is operating in a relatively unique way that we have not seen before, using new tactics, techniques, and procedures,” Craig Williams, director, outreach at Cisco Talos, told TechCrunch.

The hackers first compromise an intended target using spearphishing to get a foothold on the network, then use known exploits to target servers and routers to move laterally and obtain and exfiltrate network-specific passwords. The hackers then use those credentials to target the organization’s DNS registrar by updating its records so that the domain name points away from the IP address of the target’s server to a server controlled by the hackers.

Once the target’s domain is pointing to the malicious server, the hackers can run a man-in-the-middle operation to impersonate login pages and scrape the usernames and passwords of the staff as a way of getting deeper access into the network. The hackers also used their own HTTPS certificate for the target’s domain from another provider to make the malicious server look like the real thing.

With the credentials for greater network access in hand, the hackers aim to obtain the target’s SSL certificates used across the corporate network, granting greater visibility into the organization’s operations. The attackers also stole the SSL certificates used in security appliances, like virtual private networks (VPN), which were used to steal credentials to gain access to the organization’s network from outside its walls.

Using this same technique, Talos said that the hacker group compromised Netnod, a DNS provider in Sweden and one of the 13 root servers that power the global DNS infrastructure. In February, Netnod confirmed its infrastructure was hijacked. The successful attack allowed the hackers to steal the passwords of administrators who manage Saudi Arabia’s top-level domain — .sa — suggesting other Saudi-based companies could be in the hacker group’s crosshairs.

Williams said Talos can “conclusively” link the Sea Turtle hackers to the Netnod attack.

In another case, the hackers gained access to the registrar that manages Armenia’s top-level domains, allowing the group to potentially target any .am domain name.

Talos wouldn’t name the targets of the attacks nor name the registrars at risk, citing the risk of further or copycat attacks — and the researchers wouldn’t name the state likely behind the group, instead deferring to the authorities to attribute. But the researchers said Armenia, along with Egypt, Turkey, Sweden, Jordan, and the United Arab Emirates were among the countries where it found victims.

Given the eventual targets included internet and telecom infrastructure companies, foreign ministries, and intelligence agencies in the Middle East and Africa, Williams said the group’s primary motivations are to conduct espionage.

Sea Turtle is said to be “highly capable,” according to the researchers’ findings, and the hackers are able to maintain long-term access by using the stolen credentials.

The researchers urged companies to begin using DNSSEC, a cryptographically more secure extension of the domain name system that’s far tougher to spoof, and to employ two-factor authentication for changes to an organization’s DNS records.
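The attack chain described above leaves observable traces at the registrar and certificate layers: the name's NS delegation or A record moves to a host the organization does not own, a certificate for the name appears from a different issuer, and a signed zone stops validating. The following is an added illustration (not Talos's tooling or the page's code) of a baseline-versus-observed check that scores those changes, with registrar-level delegation changes rated highest because that is the step the article attributes to Sea Turtle. All domains, addresses and issuer names are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """What a monitor observed for one name at one point in time."""
    a: frozenset          # A records returned for the name
    ns: frozenset         # NS records of the name's zone (registrar-level delegation)
    cert_issuer: str      # issuer of the TLS certificate served for the name
    dnssec_valid: bool    # whether a validating resolver set the AD bit on the answer


ZONE_NS = frozenset({"ns1.example.gov", "ns2.example.gov"})
INTERNAL_CA = "CN=Example Gov Internal CA"  # constructed issuer name

# Constructed known-good baseline, captured when the records were last changed on purpose.
BASELINE = {
    "vpn.example.gov":  Snapshot(frozenset({"192.0.2.20"}), ZONE_NS, INTERNAL_CA, True),
    "mail.example.gov": Snapshot(frozenset({"192.0.2.10"}), ZONE_NS, INTERNAL_CA, True),
    "www.example.gov":  Snapshot(frozenset({"192.0.2.30"}), ZONE_NS, INTERNAL_CA, False),
}

# Constructed later observation: vpn has been re-delegated to rogue name servers, points
# at a foreign address and serves a certificate from another CA; www only changed its CA.
OBSERVED = {
    "vpn.example.gov":  Snapshot(frozenset({"198.51.100.77"}),
                                 frozenset({"ns1.rogue.example", "ns2.rogue.example"}),
                                 "CN=Some Public CA", False),
    "mail.example.gov": Snapshot(frozenset({"192.0.2.10"}), ZONE_NS, INTERNAL_CA, True),
    "www.example.gov":  Snapshot(frozenset({"192.0.2.30"}), ZONE_NS, "CN=Some Public CA", False),
}


def diff_name(base, obs):
    """Return a list of (kind, message) findings for one name."""
    if obs is None:
        return [("missing", "no answer observed for the name")]
    findings = []
    if obs.ns != base.ns:
        findings.append(("ns", f"NS delegation changed to {sorted(obs.ns)} (registrar-level change)"))
    if obs.a != base.a:
        findings.append(("a", f"A record changed {sorted(base.a)} -> {sorted(obs.a)}"))
    if obs.cert_issuer != base.cert_issuer:
        findings.append(("cert", f"certificate now issued by {obs.cert_issuer!r}"))
    if base.dnssec_valid and not obs.dnssec_valid:
        findings.append(("dnssec", "answer no longer DNSSEC-validated"))
    return findings


def severity(findings):
    """Rank findings: delegation tampering or stripped signing is treated as a hijack."""
    kinds = {kind for kind, _ in findings}
    if kinds & {"ns", "dnssec", "missing"}:
        return "critical"
    if "a" in kinds:
        return "high"      # zone content changed without a delegation change
    return "medium"        # only the certificate issuer changed; may be a legitimate renewal


def compare(baseline, observed):
    """Map each changed name to (severity, [messages]); unchanged names are omitted."""
    alerts = {}
    for name, base in baseline.items():
        findings = diff_name(base, observed.get(name))
        if findings:
            alerts[name] = (severity(findings), [msg for _, msg in findings])
    return alerts


if __name__ == "__main__":
    for name, (sev, msgs) in compare(BASELINE, OBSERVED).items():
        print(f"[{sev.upper()}] {name}")
        for m in msgs:
            print("   -", m)
```

In a real deployment the baseline is refreshed only through the organization's own change process, and the observed snapshots come from a validating resolver plus certificate transparency log queries rather than constructed dicts.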

“While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system,” the researchers said.

Scranos, a new rootkit malware, steals passwords and pushes YouTube clicks

Security researchers have discovered an unusual new malware that steals user passwords and account payment methods stored in a victim’s browser — and also silently pushes up YouTube subscribers and revenue.

The malware, Scranos, infects with rootkit capabilities, burying deep into vulnerable Windows computers to gain persistent access — even after the computer restarts. Scranos only emerged in recent months, according to new Bitdefender research out Tuesday, but the number of its infections has rocketed in the months since it was first identified in November.

“The motivations are strictly commercial,” said Bogdan Botezatu, director of threat research and reporting at Bitdefender, in an email. “They seem to be interested in spreading the botnet to consolidate the business by infecting as many devices as possible to perform advertising abuse and to use it as a distribution platform for third party malware,” he said.

Bitdefender found the malware spreading through trojanized downloads that masquerade as real apps, like video players and e-book readers. The rogue apps are digitally signed — likely from a fraudulently generated certificate — to prevent getting blocked by the computer. “By using this approach, the hackers are more likely to infect targets,” said Botezatu. Once installed, the rootkit takes hold to maintain its presence and phones home to its command and control server to download additional malicious components. The second-stage droppers inject custom code libraries in common browsers — Chrome, Firefox, Edge, Baidu, and Yandex to name a few — to target Facebook, YouTube, Amazon, and Airbnb accounts, gathering data to send back to the malware operator.


Chief among those is the YouTube component, said Bitdefender. The malware opens Chrome in debugging mode and, with the payload, hides the browser window from the desktop and taskbar. The browser is tricked into opening YouTube videos in the background, muting them, subscribing to a channel specified by the command and control server and clicking ads.

The malware “aggressively” promoted four YouTube videos on different channels, the researchers found, turning victim computers into a de facto clickfarm to generate video revenue.

“They are looking at advertising fraud by consuming ads on their publisher channels invisibly in order to pocket the profit,” said Botezatu. “They are growing accounts that they have been paid to grow and helping inflate an audience so they can grow specific ‘influencer’ accounts.”

Another downloadable component allows the malware to spam a victim’s Facebook friend requests with phishing messages. By siphoning off a user’s session cookie, it sends a malicious link to an Android adware app over a chat message.

“If the user is logged into a Facebook account, it impersonates the user and extracts data from the account by visiting certain web pages from the user’s computer, to avoid arousing suspicion by triggering an unknown device alert,” reads the report. “It can extract the number of friends, and whether the user administrates any pages or has payment information in the account.” The malware also tries to steal Instagram session cookies and the number of followers the user has.

Other malicious components allow the malware to steal data from Steam accounts, inject adware to Internet Explorer, run rogue Chrome extensions, and collect and upload a user’s browsing history.

“This is an extremely sophisticated threat that took a lot of time and effort to set up,” said Botezatu. The researchers believe the botnet has tens of thousands of devices ensnared already — at least.

“Rootkit-based malware shows an unusual level of sophistication and dedication,” he said.

Hackers publish personal data on thousands of US police officers and federal agents

A hacker group has breached several FBI-affiliated websites and uploaded their contents to the web, including dozens of files containing the personal information of thousands of federal agents and law enforcement officers, TechCrunch has learned.

The hackers breached three sites associated with the FBI National Academy Association, a coalition of different chapters across the U.S. promoting federal and law enforcement leadership and training located at the FBI training academy in Quantico, VA. The hackers exploited flaws on at least three of the organization’s chapter websites — which we’re not naming — and downloaded the contents of each web server.

The hackers then put the data up for download on their own website, which we’re also not naming nor linking to given the sensitivity of the data.

The spreadsheets contained about 4,000 unique records after duplicates were removed, including member names, a mix of personal and government email addresses, job titles, phone numbers and their postal addresses. The FBINAA could not be reached for comment outside of business hours. If we hear back, we’ll update.

TechCrunch spoke to one of the hackers, who didn’t give their name, through an encrypted chat late Friday.

“We hacked more than 1,000 sites,” said the hacker. “Now we are structuring all the data, and soon they will be sold. I think something else will publish from the list of hacked government sites.” We asked if the hacker was worried that the files they put up for download would put federal agents and law enforcement at risk. “Probably, yes,” the hacker said.

The hacker claimed to have “over a million data” [sic] on employees across several U.S. federal agencies and public service organizations.

It’s not uncommon for data to be stolen and sold in hacker forums and in marketplaces on the dark web, but the hackers said they would offer the data for free to show that they had something “interesting.”

Unprompted, the hacker sent a link to another FBINAA chapter website they claimed to have hacked. When we opened the page in a Tor browser session, the website had been defaced — prominently displaying a screenshot of the encrypted chat moments earlier.

The hacker — one of more than ten, they said — used public exploits, indicating that many of the websites they hit weren’t up-to-date and had outdated plugins.

In the encrypted chat, the hacker also provided evidence of other breached websites, including a subdomain belonging to manufacturing giant Foxconn. One of the links provided did not need a username or a password but revealed the back-end to a Lotus-based webmail system containing thousands of employee records, including email addresses and phone numbers.

Their end goal: “Experience and money,” the hacker said.

The right way to do AI in security

Artificial intelligence applied to information security can engender images of a benevolent Skynet, sagely analyzing more data than imaginable and making decisions at lightspeed, saving organizations from devastating attacks. In such a world, humans are barely needed to run security programs, their jobs largely automated out of existence, relegating them to a role as the button-pusher on particularly critical changes proposed by the otherwise omnipotent AI.

Such a vision is still in the realm of science fiction. AI in information security is more like an eager, callow puppy attempting to learn new tricks – minus the disappointment written on their faces when they consistently fail. No one’s job is in danger of being replaced by security AI; if anything, a larger staff is required to ensure security AI stays firmly leashed.

Arguably, AI’s highest use case currently is to add futuristic sheen to traditional security tools, rebranding timeworn approaches as trailblazing sorcery that will revolutionize enterprise cybersecurity as we know it. The current hype cycle for AI appears to be the roaring, ferocious crest at the end of a decade that began with bubbly excitement around the promise of “big data” in information security.

But what lies beneath the marketing gloss and quixotic lust for an AI revolution in security? How did AI ascend to supplant the lustrous zest around machine learning (“ML”) that dominated headlines in recent years? Where is there true potential to enrich information security strategy for the better – and where is it simply an entrancing distraction from more useful goals? And, naturally, how will attackers plot to circumvent security AI to continue their nefarious schemes?

How did AI grow out of this stony rubbish?

The year AI debuted as the “It Girl” in information security was 2017. The year prior, MIT completed their study showing “human-in-the-loop” AI out-performed AI and humans individually in attack detection. Likewise, DARPA conducted the Cyber Grand Challenge, a battle testing AI systems’ offensive and defensive capabilities. Until this point, security AI was imprisoned in the contrived halls of academia and government. Yet, the history of two vendors exhibits how enthusiasm surrounding security AI was driven more by growth marketing than user needs.

A powerful malware that tried to blow up a Saudi plant strikes again

A highly capable malware reportedly used in a failed plot to blow up a Saudi petrochemical plant has now been linked to a second compromised facility.

FireEye researchers say the unnamed “critical infrastructure” facility was the latest victim of the powerful Triton malware, the umbrella term for a series of malicious custom components used to launch directed attacks.

Triton, previously linked to the Russian government, is designed to burrow into a target’s networks and sabotage their industrial control systems, often used in power plants and oil refineries to control the operations of the facility. By compromising these controls, a successful attack can cause significant disruption — even destruction.

According to the security company’s latest findings out Wednesday, the hackers waited almost a year after their initial compromise of the facility’s network before they launched a deeper assault, taking the time to prioritize learning what the network looked like and how to pivot from one system to another. The hackers’ goal was to quietly gain access to the facility’s safety instrumented system, an autonomous monitor that ensures physical systems don’t operate outside of their normal operational state. These critical systems are strictly segmented from the rest of the network to prevent any damage in the event of a cyberattack.

But the hackers were able to gain access to the critical safety system, and focused on finding a way to effectively deploy Triton’s payloads to carry out their mission without causing the systems to enter into a safe fail-over state.

In the case of the August 2017 attack in which Triton was deployed, the Saudi facility would have been destroyed had it not been for a bug in the code.

“These attacks are also often carried out by nation states that may be interested in preparing for contingency operations rather than conducting an immediate attack,” said FireEye’s report. “During this time, the attacker must ensure continued access to the target environment or risk losing years of effort and potentially expensive custom [industrial control system] malware,” said the report. “This attack was no exception.”

FireEye would not comment on the type of facility or its location — or even the year of the attack, but said it was likely to cause damage.

“We assess the group was attempting to build the capability to cause physical damage at the facility when they accidentally caused a process shutdown that led to the Mandiant investigation,” said Nathan Brubaker, senior manager, analysis at FireEye, in an email to TechCrunch describing the first incident, but he wouldn’t comment on the motives behind the attack on the second facility.

But the security firm warned that the attackers’ slow and steady approach — which involved moving slowly and precisely so as not to trigger any alarms — showed they had a deep focus on not getting caught. That, they said, suggests there may be other targets beyond the second facility “where the [hackers] was or still is present.”

The security company published lists of hashes unique to the files found in the second facility’s attack in the hope that IT staff in other at-risk industries and facilities can check for any compromise.
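The kind of check the paragraph describes, as an added example that is not from the article or from FireEye: walk a directory tree, hash every file with SHA-256 and compare each digest against a published indicator list. The hash list embedded below is constructed for the demonstration (the digest of the bytes `abc`); FireEye's actual Triton hashes are not reproduced here, and the `IOC_LIST_TEXT` lines would be replaced by the vendor's real list in practice.

```python
"""Sweep a directory for files whose SHA-256 matches a published IoC list."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Tuple

# Constructed indicator list in a simple "sha256  label" format. The digest
# below is SHA-256("abc"), used only so the demo has something to match;
# it is NOT a real Triton indicator.
IOC_LIST_TEXT = """
# constructed example list -- replace with the vendor's published hashes
BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD  constructed-sample
not-a-hash  malformed-entry-should-be-skipped
"""


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def load_ioc_list(lines: Iterable[str]) -> Dict[str, str]:
    """Parse 'sha256  label' lines; blanks, comments and malformed digests are skipped."""
    iocs: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        digest = parts[0].lower()
        # A malformed digest would never match anything; drop it rather than
        # letting a typo in the list silently weaken the sweep.
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            continue
        iocs[digest] = parts[1].strip() if len(parts) > 1 else ""
    return iocs


def sweep(root: str, iocs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (path, digest, label) for every file under root whose hash is in iocs."""
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # unreadable or vanished file: keep sweeping the rest
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


def demo() -> List[Tuple[str, str, str]]:
    """Build a constructed directory (one matching file, one benign) and sweep it."""
    iocs = load_ioc_list(IOC_LIST_TEXT.splitlines())
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "bin")
        os.makedirs(sub)
        with open(os.path.join(sub, "sample.bin"), "wb") as f:
            f.write(b"abc")            # constructed: matches the list entry
        with open(os.path.join(root, "benign.txt"), "wb") as f:
            f.write(b"hello")          # constructed: should not match
        return sweep(root, iocs)


if __name__ == "__main__":
    for path, digest, label in demo():
        print(f"MATCH {label}: {path} ({digest})")
```

Real indicator lists are usually distributed as CSV, STIX or plain text with one hash per line, so only `load_ioc_list` would need adjusting; the sweep itself is format-agnostic. Because the hashes are of whole files, a match is high confidence but a miss proves nothing, which is why the article's quoted advice also emphasises the actor's tactics and techniques over file hashes alone.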

“Not only can these [tactics, techniques and procedures] be used to find evidence of intrusions, but identification of activity that has strong overlaps with the actor’s favored techniques can lead to stronger assessments of actor association, further bolstering incident response efforts,” the company said.