Security News This Week: Russian ‘Ghost Ships’ Identified Near the Nord Stream Blasts

In December 2020, security giant Mandiant revealed it had been hacked. Its disclosure was the first public sign of the SolarWinds hack, a Russian-orchestrated supply chain attack that's widely regarded as one of the biggest espionage hacks ever. Among its victims were the US Departments of Homeland Security, Energy, and Justice. This blow-by-blow retelling of the historic SolarWinds attack, from Kim Zetter, charts the ways the hackers pulled off the attack—and how they were eventually caught.

Anti-abortion group the American College of Pediatricians (ACPeds) suffered a significant data breach this week. The doctors' organization, which sued the US government to ban the abortion drug mifepristone, left an unsecured Google Drive on its website, exposing a decade's worth of email exchanges, financial and tax records, and more sensitive data. The details give an unprecedented view of the organization, which has been described as a “hate group” for its views on LGBTQ people.  While ACPeds—which is not a school at all—characterizes itself as a “scientific organization,” leaked records show its deeply evangelical Christian mission.

Security experts have promised a future where passwords will cease to exist for the best part of a decade. However, that reality took a big step forward this week—really!—as Google launched passkey logins for billions of people. The technique uses cryptographic keys that are stored on your devices to replace your old, insecure passwords.

Elsewhere, cops in the US, Europe, and nine other countries have arrested 288 people for their involvement in the dark web drug markets, including the site Monopoly Market, which was quietly taken offline in 2021. Facebook owner Meta has added new tools to its business accounts in an attempt to thwart bad actors abusing them, including who can become account administrators and access lines of credit.

But that’s not all. Each week, we round up the news we didn’t report in-depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

Russian ships with underwater operations equipment have been identified as being near the sites of the Nord Stream gas pipeline explosions in the days before the blasts, according to a joint investigation from national broadcasters in Denmark, Norway, Sweden, and Finland. Journalists at the publications combined intercepted radio broadcasts from the ships with satellite images to pinpoint their locations and track their paths. It is the latest example of investigators piecing together different sources of data, from varying unconnected sources, to reveal new details about real-world events.

Three ships, according to the investigation, sailed from naval bases in Russia to near the blast sites in June and September 2022. All of the ships had turned off their location tracking AIS services, an act often described as “going dark” and commonly used for disguising activity. Among the vessels were the navy research ship Sibiryakov and a tugboat called SB-123, which is said to be capable of launching mini-submarines. (In November 2022, WIRED reported on the presence of “ghost ships” around the time of the explosions, but had no information on their identity.)

Separately, another Russian vessel, the SS-750, was near the pipelines four days before they were blown up. In response to a public records request, the Danish Defense Command confirmed to the Information, a Danish news site, that it had 26 photos of the SS-750 near the sites.

Since the explosions at the Nord Stream 1 and 2 pipelines in September, there has been no official confirmation, with supporting evidence, of who may have been behind the blasts. The investigation from the Nordic journalists says the ships’ behavior was unusual but does not conclude what they were doing near the Nord Stream sites. Russia has denied being involved in the attacks, pointing fingers at both the UK and US. Other reports have claimed a pro-Ukranian group may have conducted the attack, which Ukraine has denied. Official investigations into the blasts are still ongoing in multiple European countries and the exact cause of the explosions is still unclear.

The US Federal Trade Commission is planning to impose a “blanket ban” on Meta and its companies—Instagram, Messenger, Facebook, WhatsApp, and VR firm Horizon Worlds—from making money from the data of people under 18. This could potentially mean the company would not be able to use data from these users to show them targeted advertisements and could only use the information it collects for providing its services or security purposes. The FTC also says that Meta would not be able to start using data collected before people turned 18 for commercial purposes.

The proposal comes as the FTC alleged Meta hasn’t complied with a previous 2020 privacy order it agreed to as part of a $5 billion settlement. In a statement, the FTC says Meta has “misled parents about their ability to control with whom their children communicated through its Messenger Kids app, and misrepresented the access it provided some app developers to private user data.” The proposed changes would be a modification to the FTC’s previous order, and it says it may also limit how Meta uses face recognition technology and require it to provide extra protection for users. Mark Zuckerberg’s firm has 30 days to respond to the FTC, which then may alter its plans.

How do you know if you are being stalked with an AirTag? If you have an iPhone running a newish version of iOS, then you should receive push notifications if an AirTag that doesn’t belong to you is following you around. However, if you own an Android device, you have to go through the extra step of downloading an app to discover if you are being tracked—a high burden for people in potentially abusive situations. Apple and Google said this week they are now working together to create a common standard for all phones to detect Bluetooth trackers that are being used to stalk or harass people. The proposal is also backed by Samsung and Bluetooth tracker manufacturers. The plan comes years after Apple’s cheap devices were first released without the additional privacy protections Apple added after the AirTags launch.

In 2017, the NotPetya cyberattack—the most devastating in history—caused more than $10 billion in damage to the companies and organizations it impacted. Among them was pharmaceutical giant Merck, which lost hundreds of millions of dollars as a result of the malware. This week, a New Jersey court ruled that Merck's insurers have to cover losses from the cyberattack. The insurers had argued the use of the malware, which has been linked to Russia, should be considered a warlike act and, as a result, would not fall under insurance policies.

The judges didn't agree. “The exclusion of damages caused by hostile or warlike action by a government or sovereign power in times of war or peace requires the involvement of military action,” they wrote in a decision. “Coverage could only be excluded here if we stretched the meaning of 'hostile' to its outer limit.” The decision comes as US president Joe Biden's administration looks to shift the liability for security issues to companies that are impacted.

Whether you know it or not, your car is a data goldmine. Within a few minutes, it is possible to "fingerprint" you based on the data your vehicle collects. Some consider the amount of data that vehicles grab a national security threat. A new free tool, from vehicle privacy company Privacy4Cars, aims to reveal how much data your car and its manufacturer can collect about you. Entering your vehicle identification number (VIN) into the tool will tell you whether your car collects "identifiers, location data, biometrics, and data synced from mobile phones," as well as what data manufacturers sell to third parties, such as data brokers.