Claro and Town of Dover, NJ Launch AI Video Analytics to Transform Public Safety

From a press release by Claro: The Town of Dover has taken a bold step forward in public safety by partnering with Claro to deploy advanced AI-driven surveillance technology across its municipal buildings. This initiative, which enhances both security and operational efficiency, is already being recognized as a model for smart city innovation. With the...

Labor Unions, EFF Sue Trump Administration to Stop Ideological Surveillance of Free Speech Online

NEW YORK—The United Automobile Workers (UAW), Communications Workers of America (CWA), and American Federation of Teachers (AFT) filed a lawsuit today against the Departments of State and Homeland Security for their viewpoint-based surveillance and suppression of protected expression online. The complaint asks a federal court to stop this unconstitutional surveillance program, which has silenced and...

The Surveillance Empire That Tracked World Leaders, a Vatican Enemy, and Maybe You

Gabriel Geiger, Crofton Black, Emmanuel Freudenthal, and Riccardo Coluccini report: … Operating from their base in Jakarta, where permissive export laws have allowed their surveillance business to flourish, First Wap’s European founders and executives have quietly built a phone-tracking empire, with a footprint extending from the Vatican to the Middle East to Silicon Valley. It...

Protecting Privacy to Combat Authoritarianism

GW Law Professor Daniel Solove talks with GW Research Magazine about his latest research. October 9, 2025. For authoritarian governments, surveillance has always been a powerful tool for stifling dissent and ensuring obedience in a population. Private information gathered on individuals can be used to manipulate, blackmail or threaten them with punishment. In his article,...

House Dems seek info about ICE spyware contract, wary of potential abuses

Three House Democrats questioned the Department of Homeland Security on Monday over a reported Immigration and Customs Enforcement contract with a spyware provider that they warn potentially “threatens Americans’ freedom of movement and freedom of speech.”

Their letter follows publication of a notice that ICE had lifted a stop-work order on a $2 million deal with Israeli spyware company Paragon Solutions, a contract that the Biden administration had frozen one year ago pending a review of its compliance with a spyware executive order.

Paragon is the maker of Graphite, and advertises it as having more safeguards than competitors that have received more public and legal scrutiny, such as NSO Group’s Pegasus, a claim researchers have challenged. A report earlier this year found suspected deployments of Graphite in countries across the globe, with targets including journalists and activists. WhatsApp also notified users this year about a Paragon-linked campaign targeting them. The tool can infect phones without its target having to click on any malicious lure, then mine data from them.

“Given the Trump Administration’s disregard for constitutional rights and civil liberties in pursuit of rapid mass deportation, we are seriously concerned that ICE will abuse Graphite software to target immigrants, people of color, and individuals who express opposition to ICE’s repeated attacks on the rule of law,” the three congressional Democrats, two of whom serve as ranking members of House Oversight and Government Reform subcommittees, wrote Monday.

The trio behind the letter are Reps. Summer Lee of Pennsylvania, top Democrat on the Subcommittee on Federal Law Enforcement; Ohio Rep. Shontel Brown, ranking member of the Subcommittee on Cybersecurity, Information Technology and Government Innovation; and Rep. Yassamin Ansari of Arizona.

Their letter pointed to two Supreme Court rulings — Riley v. California from 2014 and Carpenter v. United States from 2018 — that addressed warrantless surveillance of cellular data. “Allowing ICE to utilize spyware raises serious questions about whether ICE will respect Fourth Amendment protections against warrantless search and seizure for people residing in the U.S.,” the lawmakers wrote.

The trio also asked for communications and documents about ICE’s use of spyware, as well as legal discussions about ICE using spyware and its compliance with the 2023 Biden executive order. They also sought a list of data surveillance targets.

ICE’s surveillance tactics have long drawn scrutiny, but they’ve gained more attention under the Trump administration, which has sought to vastly expand the agency. ICE has conducted raids that have often swept in U.S. citizens. Other federal contracting records have pointed to ICE’s intentions to develop a 24/7 social media surveillance regime.

DHS and ICE did not immediately answer requests for comment about the Democrats’ letter. ICE has not provided answers about the contract in other media inquiries.

404 Media is suing for information about the ICE contract.

The post House Dems seek info about ICE spyware contract, wary of potential abuses appeared first on CyberScoop.

Researchers uncover spyware targeting messaging app users in the UAE

Suzanne Smalley reports: Researchers have discovered new spyware embedded in fake messaging apps being used to target people in the United Arab Emirates. The cybersecurity firm ESET said Thursday its experts found two Android spyware campaigns, dubbed ProSpy and ToSpy, which pose as Signal and ToTok — a free messaging and calling app that originated...

ICE to Buy Tool that Tracks Locations of Hundreds of Millions of Phones Every Day

Joseph Cox reports: Immigration and Customs Enforcement (ICE) has bought access to a surveillance tool that is updated every day with billions of pieces of location data from hundreds of millions of mobile phones, according to ICE documents reviewed by 404 Media. The documents explicitly show that ICE is choosing this product over others offered...

DHS Has Been Collecting US Citizens’ DNA for Years

Dell Cameron reports: For years, Customs and Border Protection agents have been quietly harvesting DNA from American citizens, including minors, and funneling the samples into an FBI crime database, government data shows. This expansion of genetic surveillance was never authorized by Congress for citizens, children, or civil detainees. According to newly released government data analyzed by Georgetown Law’s Center on Privacy...

Microsoft Reduces Israel’s Access to Cloud and AI Products Over Reports of Mass Surveillance in Gaza

Microsoft has disabled services to a unit within the Israeli military after a company review had determined its AI and cloud computing products were being used to help carry out mass surveillance of Palestinians.

The post Microsoft Reduces Israel’s Access to Cloud and AI Products Over Reports of Mass Surveillance in Gaza appeared first on SecurityWeek.

UK: More than 500,000 back petition urging for Digital ID card to be scrapped

Sarah Hooper reports: More than 500,000 people have signed a petition opposing Sir Keir Starmer’s plans to make every adult in Britain have a digital ID card. The prime minister said the so-called Brit-Cards ‘will make it tougher to work illegally in this country, making our borders more secure’. But critics say they will do nothing to curb illegal...

Brickstorm malware powering ‘next-level’ Chinese cyberespionage campaign

Ambitious, suspected Chinese hackers with a slew of goals — stealing intellectual property, mining intelligence on national security and trade, developing avenues for future advanced cyberattacks — have been setting up shop inside U.S. target networks for exceptionally long stretches of time, in a breach that the researchers who uncovered it said could present problems for years to come.

Mandiant and Google Threat Intelligence Group (GTIG) researchers described the campaign as exceptionally sophisticated, stealthy and complex, calling those behind it a “next-level threat.” But they don’t yet have a full handle on who the hackers are behind the malware they’ve dubbed Brickstorm, or how far it stretches. A blog post the company posted Wednesday sheds light on the group.

The primary targets are legal services organizations and tech companies that provide security services, the researchers said. But the hackers aren’t limiting their interest to the primary targets, since they’ve used that access to infiltrate “downstream” customers. The researchers declined to describe those downstream customers, or say whether U.S. federal agencies are among those targeted. A great many of them don’t know yet that they’re victims, they said.

By stealing intellectual property from security-as-a-service (SaaS) firms, the hackers aim to find future zero-day vulnerabilities, flaws that are previously unknown and unpatched and thus highly prized, in order to enable more attacks down the line, the researchers from Mandiant and its parent company Google said.

The researchers declined to comment on possible Chinese government agency connections. But they see overlap with Chinese hacking groups like the one they’ve labeled UNC5221 — perhaps best known for exploiting Ivanti flaws, and a group that Mandiant and GTIG described as the “most prevalent” Chinese-centered threat group right now — and the one Microsoft calls Silk Typhoon, which researchers warned recently has been ramping up its attacks this year, with targets including IT supply chains and the cloud. Silk Typhoon is believed to be Chinese government-sponsored.

The company has also developed a tool for potential victims to discover if they’ve been affected by Brickstorm activity, which Google experts indicated is a distinct possibility that could impact scores of organizations over the coming weeks.

“We have no doubt that organizations will use our tools to hunt for this adversary, and they will find evidence of compromise in their environments,” Charles Carmakal, chief technology officer at Mandiant Consulting, told reporters briefed on the blog post. “And it may be active compromises, it might be historic compromises, but many of our organizations are going to discover that they were dealing with this adversary.” 

Sneaky, sneaky

The campaign’s average “dwell time” is 400 days, they said, compared to dwell times more commonly measured in days or weeks.

Several features obscure Brickstorm activity. “It’s very hard to detect them and to investigate them,” said Austin Larsen, principal threat analyst at GTIG.

The hackers target systems that cannot run endpoint detection and response (EDR) agents, the defenses used to find and track threats on endpoints such as laptops or cell phones. Examples of such systems include email security gateways and vulnerability scanners. They consistently target VMware vCenter and ESXi hosts, according to the blog post.

The researchers also never see the attackers’ IP addresses overlap between victims, Larsen said, nor another way of identifying attackers: “The hashes when they land on this are different for essentially every system.”

Brickstorm attackers also “clean up after themselves” at times, Carmakal said. “Brickstorm may not exist in a victim environment today, but it could have been there for a year and a half. It might have been deleted back in April this year, back in January this year,” he said.

What they want

Brickstorm also isn’t just about one goal. “It’s an intelligence operation, but not just an intelligence operation,” said John Hultquist, chief analyst at GTIG. “This is a long-term play.”

The hackers are primarily compromising victims through zero-days, but they’re aiming to uncover new ones, too, by going through companies’ proprietary source code. That gives them multiple ways to penetrate new victim networks.

The Brickstorm hackers “hit the SaaS providers, who either hold data for people, or they have some connectivity to downstream,” Hultquist said. Or, he said, the group can “get a hold of the technology source code and leverage that source code information to gain access or to build out exploits in that technology, which would then give [them] basically a skeleton key to that technology.”

But its targeting can be even more precise than that. “As part of this campaign, we observed in some organizations — including some legal organizations — we observed the actor searching the emails of very specific individuals,” Larsen said. The hackers have focused on collecting intelligence on international trade and national security from those organizations.

Google has been tracking Brickstorm for a while now. This spring, Belgian cybersecurity company NVISO also shined the spotlight on Brickstorm variants spying on European businesses. Google’s latest blog post identifies Brickstorm activity as far more extensive than previously described.

The response

Mandiant and GTIG have notified U.S. federal agencies and international governments about the campaign.

Google’s detection tool is a scanner script that can be used on Unix systems even if YARA (a common security tool used to find and identify malware) isn’t installed. The script is designed to perform the same type of search as a specific YARA rule, looking for certain strings and patterns that are unique to the Brickstorm backdoor.

“The most important thing here is, if you find Brickstorm, you really need to do a very thorough enterprise investigation, because the adversary that’s dropping this is a very, very advanced adversary that is known for stealing intellectual property from organizations,” Carmakal said. “It’s known for using access from victim companies to get into downstream customer environments.”

It’s all a “very, very significant threat campaign [that’s] very, very hard to defend against in tech,” Carmakal said.

Updated 9/24/25: with additional information about past Brickstorm reporting.

The post Brickstorm malware powering ‘next-level’ Chinese cyberespionage campaign appeared first on CyberScoop.

Secret Service says it dismantled extensive telecom threat in NYC area

The Secret Service said Tuesday that it disrupted a network of electronic devices in the New York City area that posed imminent telecommunications-based threats to U.S. government officials and potentially the United Nations General Assembly meeting currently underway.

The range of threats included enabling encrypted communications between threat groups and criminals, or disabling cell towers and conducting denial-of-service attacks to shut down cell communications in the region. Matt McCool, special agent in charge of the Secret Service’s New York field office, said the agency’s early analysis of the network indicated “cellular communications between foreign actors and individuals that are known to federal law enforcement.”

In all, the agency said it discovered more than 300 servers and 100,000 SIM cards spread across multiple sites within 35 miles of the U.N. meeting. The Secret Service announcement came the same day President Donald Trump was scheduled to deliver a speech to the General Assembly.

“The potential for disruption to our country’s telecommunications posed by this network of devices cannot be overstated,” U.S. Secret Service Director Sean Curran said in a news release.

McCool said in a video statement that the investigation was ongoing, but the threat the network posed had been neutralized.

“These devices allowed anonymous, encrypted communications between potential threat actors and criminal enterprises, enabling criminal organizations to operate undetected,” he said. “This network had the potential to disable cell phone towers and essentially shut down the cellular network in New York City.

“We will continue working toward identifying those responsible and their intent, including whether their plan was to disrupt the U.N. General Assembly and communications of government and emergency personnel during the official visit of world leaders in and around New York City,” McCool continued.

News outlets briefed on the operation reported that the network anonymously conveyed assassination threats against senior U.S. officials, that the agency had never seen such an extensive operation, that the investigation uncovered empty electronic safehouses rented around the area and that hackers, terrorists, spies and human traffickers could’ve made use of the network. The investigation reportedly began in response to swatting and bomb threats against U.S. officials.

Other participants in the investigation were the Department of Homeland Security’s Homeland Security Investigations, the Department of Justice, the Office of the Director of National Intelligence and the New York Police Department.

Some cybersecurity professionals reacted skeptically to elements of the Secret Service announcement.

“Super weird framing by the Secret Service,” Marcus Hutchins, the researcher known for stopping the 2017 WannaCry ransomware attack, wrote on Bluesky. “They found a SIM card farm, which is typically used by criminals to anonymously send calls and texts. They issued a press release claiming ‘it could have shut down the entire NY cell network during the UN general assembly’ which is some serious FUD,” he said, using the acronym for “fear, uncertainty and doubt.”

He added: “it’s possible they found an actual plot to cause widespread destruction, but way more likely they found some generic cybercrime service and have absolutely no clue what it’s for.”

Johns Hopkins cryptography expert Matthew Green wrote on the same social media platform that “I no longer know what we can trust from the Secret Service, especially when a ‘Trump speech’ is involved, and the mechanics of this thing are a little bizarre.”

Updated 9/23/25: to include reaction from cybersecurity professionals.

The post Secret Service says it dismantled extensive telecom threat in NYC area appeared first on CyberScoop.

Airlines Sell 5 Billion Plane Ticket Records to the Government For Warrantless Searching

Joseph Cox reports: A data broker owned by the country’s major airlines, including American Airlines, United, and Delta, is selling access to five billion plane ticketing records to the government for warrantless searching and monitoring of peoples’ movements, including by the FBI, Secret Service, ICE, and many other agencies, according to a new contract and...

EU counterterrorism chief: Let cops read WhatsApp chats

From our “Nope-Nope-Nope-and If-That’s-Not-Clear-Enough – NO-WAY” Dept., Sam Clark reports: Police should be allowed to access certain end-to-end encrypted messages to address threats to European security, the EU’s Counter-Terrorism Coordinator, Bartjan Wegter, told POLITICO. Law enforcement and data privacy advocates have long debated whether data from platforms like WhatsApp, which encrypts messages between senders and...

Rayhunter: What We Have Found So Far

Cooper Quintin writes: A little over a year ago we released Rayhunter, our open source tool designed to detect cell-site simulators. We’ve been blown away by the level of community engagement on this project. It has been installed on thousands of devices (or so we estimate, we don’t actually know since Rayhunter doesn’t have any...

Chicago man suing Home Depot for allegedly using facial recognition at self-checkout without consent

Cory Santos reports: A lawsuit in Illinois accuses Home Depot of collecting customer data without consent. The plaintiff, Benjamin Jankowski, filed the class action suit against Home Depot on August 1 in US District Court, alleging violations of the state’s consumer privacy laws. Jankowski, a regular shopper at Home Depot, claims that when checking out...

Apple Unveils iPhone Memory Protections to Combat Sophisticated Attacks

Apple’s new Memory Integrity Enforcement (MIE) brings always-on memory-safety protection covering key attack surfaces — including the kernel and over 70 userland processes.

The post Apple Unveils iPhone Memory Protections to Combat Sophisticated Attacks appeared first on SecurityWeek.