hakan

1.9K Followers
367 Following
10 Posts

Hi there. I am working as a reporter and covering cybersecurity, mostly I'm interested in APT-related research. I'm with "paper trail media" and Der Spiegel.

If you want to check out the work I'm doing, here are some useful links: https://linktr.ee/hakantanriverdi

I gave a presentation at Virusbulletin this year in which I describe the process of reporting and then fact-checking tips I get while working on these types of stories: https://www.youtube.com/watch?v=rtlTF1Ajjdw

twitter: https://twitter.com/hatr/status/1589374562957156352
articles etc.: linktr.ee/hakantanriverdi

If you're following the situation in Iran, this one is of interest to you.

Today, we're publishing a story that I find very important for many reasons.

We can prove how the regime in Iran is using facial recognition software to surveil its citizens. We have obtained videos showing the software in a live scenario, at metro stations in Teheran. We have contracts, and we have had a look at the code, built by the Russian company Ntechlab whose algorithms are deemed to be best-in-class.

We spoke with a dozen people who know the regime, either because they had to flee after being imprisoned or from a technical point of view.

All of this, and more, you can find in our reporting, #EyesOfIran. Here are the links:

SPIEGEL: https://www.spiegel.de/ausland/iran-so-gnadenlos-spaeht-regime-die-eigene-bevoelkerung-aus-ein-insider-packt-aus-a-7990ef28-3c9d-427b-be9a-5f46d06bea6c?giftToken=7fdb6b96-b2f1-4799-b8ff-e55fed5496d1

Standard: https://www.derstandard.at/story/3000000310751/ein-regime-im-ueberlebensmodus-leak-zeigt-irans-massive-ueberwachung-im-land?ref=niewidget

ZDF: https://www.zdf.de/play/magazine/frontal-das-magazin-100/datenleak-iran-ueberwachung-gesichtserkennung-software-100

Forbidden Stories: https://forbiddenstories.org/iran-regime-monitors-citizens/

An insider speaks out: How mercilessly Iran's regime spies on its own population

US President Trump calls on Iranians to overthrow the regime. But the leadership in Tehran has built a gigantic surveillance apparatus. SPIEGEL research gives insight into the mullahs' spying system.

DER SPIEGEL

So, Enisa, the cybersecurity agency of the EU, releases a yearly Threat Landscape. In the 2025 edition, they've used AI. And the AI introduced loads of errors. Five percent of all the links end up 404.

One of the researchers (@wavehackr) told me: "You just had to click once", to check whether the links are valid or not. Upon closer inspection, you'd notice something was amiss just by looking, i.e., Enisa referenced a blogpost by MSFT. The link has "APT29" in it. Microsoft is very picky about those names.

They even have a blogpost about their naming convention (https://learn.microsoft.com/en-us/unified-secops/microsoft-threat-actor-naming). What other companies call APT29, MSFT calls "Midnight Blizzard". The AI apparently didn't dig those subtleties.

Here's the story
https://www.derstandard.at/story/3000000303214/peinliche-panne-bericht-der-eu-agentur-fuer-cybersicherheit-mit-ki-verfasst-und-fehlerhaft

How Microsoft names threat actors - Unified security operations

Learn how Microsoft names threat actors and how to use the naming convention to identify associated intelligence.

"Die Zeit" reveals that German foreign intelligence, in a multi-year campaign, intercepted Barack Obama's phone calls while aboard Air Force One because the encryption was flawed. Angela Merkel didn't know about it.

https://www.zeit.de/politik/ausland/2026-01/bnd-barack-obama-air-force-one-angela-merkel

Espionage: BND tapped US President Barack Obama for years

The German intelligence service regularly monitored phone calls of the then US president aboard Air Force One. The BND did not have permission from Angela Merkel.

DIE ZEIT

Why a Cybersecurity Prodigy Carried Out a Hacking Spree

A cyber prodigy defended companies against intrusion while continuing to amass data through a series of his own hacks.

Bloomberg

I’ve been writing a lot of stories about state-sponsored cyberespionage by China. The case we’re revealing today is a prime example of this, telling the story of a five-year campaign against one of the key players in 🇩🇪 the Volkswagen group

The hackers started back in 2010, with initial mapping of the infrastructure and then, until 2015, tried to siphon data out of VW networks – repeatedly and successfully so. Even though VW removed the hackers, they kept coming back.

Very often companies do not know what the hackers were after because the hackers have deleted their traces until the time anybody notices their presence. In this case, it was different: Volkswagen CERT was able to restore RAR archives, giving rare insight into the tasking.

SPIEGEL:
https://www.spiegel.de/netzwelt/web/volkwagen-vw-konzern-wurde-jahrelang-ausspioniert-von-china-a-f9971315-c342-42b5-b97b-8650b91d60d4 (€)

ZDF:
https://www.zdf.de/nachrichten/wirtschaft/volkswagen-china-hacking-industriespionage-emobilitaet-100.html

Data theft: VW Group was spied on for years – by China?

Over the years, the Volkswagen Group was repeatedly spied on, presumably by Chinese state hackers. The attackers were after German know-how on engines and transmissions.

DER SPIEGEL

While working on #VulkanFiles, I received a tip: an interesting file had been dropped on Virustotal. It turned out to be the master’s thesis by Evgenii Serebriakov, the person who’s heading the infamous Sandworm team, part of Russia's military agency GRU. Titled “Information confrontation in World politics”, Serebriakov lays out his worldview, describing how 🇷🇺 is on the defensive and has to protect itself against the West. Controlling flows of information is one way of doing that, he writes.

Story here
https://www.spiegel.de/netzwelt/netzpolitik/sandworm-der-mann-hinter-der-gefaehrlichsten-hackergruppe-der-welt-a-b56c715e-e856-4a21-9865-0ce17f1ba2a9

Thread here
https://twitter.com/hatr/status/1673653667734380546

Putin's cyber warriors: The man behind the most dangerous hacker group in the world

Jewgenij Serebrjakow leads the notorious Sandworm hackers, feared for attacks on election campaigns and the power grid in Ukraine. SPIEGEL has analysed his master's thesis; it reveals his crude worldview.

DER SPIEGEL

Researchers with the Chaos Computer Club bought items on eBay that turned out to have stored iris scans of 2,632 people, mostly from people living in Iraq and Afghanistan. But also data from members of the U.S. Army:

From the NYT:
"detailed descriptions of individuals in addition to their photograph and biometric data, could be enough to target people who were previously unknown to have worked with U.S. military forces should the information fall into the wrong hands"

NYT has a writeup here: https://www.nytimes.com/2022/12/27/technology/for-sale-on-ebay-a-military-database-of-fingerprints-and-iris-scans.html?unlocked_article_code=AAAAAAAAAAAAAAAACEIPuonUktbfqYhlSlUZBCbJUNMnqBqCgvfeh7I7nDrlJSyYDDFEiukfCpnF8gLIZK5ie9IpznGXTcNIOrY0Sbl1wKpRPkpiRhOwuJqChI9AKiM57IOpX3hzxJnEW6t-8SPvaiPxDtZD84CFnkDMNimsU7rCgTZnfFw79Y1mcln53X1YlLPHErV2xtV_2vs-D814FiNRbHXZ6KXoXxooa9-Wf1qLvFlNLuJcWTzTnNOd6atRM1kBTAKbEw4spDo0-9heO9gIPK3gLBBGecv2hbQZCGwAP57-TtRqBNCSz-M2xOaL_R-cy8O2xeE0FLFXvd7Gu2W9PVUuQNCGLdh1nu1h24vFimy7MldCiUA (the utm ensures you can read the article without subscription)

My former colleagues at BR have been working on this story for many months now. If you understand the German language, I encourage you to listen to their hourlong feature on #biometry: https://www.ardaudiothek.de/episode/ard-radiofeature/verraeterische-daten-doku-ueber-die-gefahren-der-biometrie/ard/12204469/ It includes the case of the military database but much more as well.

For Sale on eBay: A Military Database of Fingerprints and Iris Scans

German security researchers studying biometric capture devices popular with the U.S. military got more than they expected for $68 on eBay.

Hey, got a quick announcement. Starting next month, I'll join "paper trail media", a German media startup focused on investigative journalism.

They're the ones who did
– Panama Papers
– Xinjiang Police Files
– Pegasus Project (NSO and hacking smartphones)

Their stories are mainly published with Der Spiegel. I'm incredibly excited.

I'll still write about cybersecurity. So, reach out to me anytime if you want to talk about attribution, intrusions, DFIR and all that.

Re-sharing this over here because it might be of interest to the people on this instance (also, it's sort of an introduction).

I recently gave a talk at the Virusbulletin conference on how reporters find and fact-check stories on hacking incidents.

I'm talking about looking at PassiveDNS data to find relevant domains connected to ongoing hacking campaigns but also on re-discovering information that was made public years ago to connect it to a campaign that is still active.

Some of the answers might be obvious, others not so much (at least, that's what I was aiming for.)

The talk is titled "Why are you telling me this?", and all I'm doing is to answer that question for 40 minutes.

https://www.youtube.com/watch?v=rtlTF1Ajjdw

(I have posted this yesterday, but just now saw (I think!) that I've sent it to just myself, it popped up in my DMs. STILL LEARNING! Apologies if this shows up twice.)