Secure Communication,
the core principles
The core principles of information security are often referred to as the CIA triad, which is commonly traced back to a U.S. military study from the early 1970s. Commissioned by the U.S. Air Force, James P. Anderson released his report “Computer Security Technology Planning Study” in 1972, later better known as “The Anderson Report”. The report focused on the protection of classified military and government information and identified three categories of risk that eventually became the foundation of the well-known CIA triad (Confidentiality – Integrity – Availability).
Looking more specifically at secure communication, a branch within information security, Authenticity is of such importance that it is often highlighted as a pillar of its own and added as a fourth pillar to the CIA triad.
Confidentiality
Protection against any unauthorized person being able to read and take advantage of information being transferred or stored. This category of concern often extends to traffic analysis (metadata), where the attacker only observes patterns of communication (who talks to whom, when, and how much) in order to infer something about the content. ISO/IEC 27000:2018 defines confidentiality as “The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.”

Integrity
Protection against any unauthorized person being able to make undetected changes to information being transferred or stored, a form of sabotage. The intruder does not necessarily need to be able to read the information in order to alter it. ISO/IEC 27000:2018 defines integrity as “The property of accuracy and completeness.” In a communication system, integrity is enforced with a message authentication code or a digital signature; encryption alone does not by itself detect modification of the ciphertext.

Availability
Protection against any attacker being able to prevent an authorized user from accessing either stored information or the communication service, even when the intruder cannot read any information. ISO/IEC 27000:2018 defines availability as “The property of being accessible and usable upon demand by an authorized entity.”

Authenticity
In line with ISO/IEC 27000:2018, authenticity is the property that an entity is what it claims to be: an identity check proving that a person or a system is who it says it is. Data is authentic when it is verified to have been created, sent or otherwise processed by the entity that claims responsibility for it, and to be unaltered since. Authenticity is crucial in today’s digital environment, where identity theft and impersonation are common threats, increasingly so with AI-generated voice and video. It ensures that the origin of data or the identity of a user can be verified and trusted.

CIA triad add-ons and other models
Over the years different principles of information security have evolved and add-ons have been made to the CIA triad. For example, in 1998 Donn B. Parker proposed an extended model of the classic CIA triad that he called the six atomic elements of information (the “Parkerian hexad”). The elements are the familiar base of CIA (confidentiality, integrity and availability), with the addition of authenticity, possession (or control) and utility.
In 1992 (revised in 2002) the Organisation for Economic Co-operation and Development (OECD) proposed nine principles in its “Guidelines for the Security of Information Systems and Networks”. In 2004 the National Institute of Standards and Technology (NIST) extended these to 33 principles in its “Engineering Principles for Information Technology Security”. In 2011 The Open Group, with more than 900 members such as IBM, Intel and Microsoft, published its information security management standard, the “Information Security Management Maturity Model” (O-ISM3).
Even though other models exist, the CIA triad, especially with the Authenticity add-on, still forms a valid set of core principles for modern cybersecurity systems such as secure communication systems.
To give a slightly broader understanding of the risks involved, let’s look at some publicly known cases where one or more of these four core principles were not upheld, and what consequences those failures had.
Confidentiality

Enigma - Breaking the Nazis’ cipher (1941-1945)
One famous example of a confidentiality breach is the breaking of the German military’s Enigma cipher machine during World War II. Already in the early 1930s Marian Rejewski, a Polish mathematician, made progress in breaking Enigma, initially the commercial variant. Shortly before the invasion of Poland by Nazi Germany in 1939, Polish intelligence shared its findings with the British and French intelligence services, including details of the Bomba, the electro-mechanical device used in the Polish attacks on Enigma, and the methods behind it. This laid the foundation for the British breakthroughs. In 1939-1940 the British Government Code and Cypher School (later known as GCHQ *) set up at Bletchley Park, where cryptanalysts including Alan Turing worked on the more complex versions of Enigma used by the German military. Turing and his team developed the Bombe, which automated the testing of large numbers of Enigma rotor settings far faster than manual methods. The Bombe relied on “cribs”, guessed plaintext such as predictable message openings and standard phrases, on a structural weakness of Enigma (a letter never encrypts to itself) and on poor key-handling habits of the German operators. The Allies were thereby able to read German military traffic, with special focus on the positions of German Navy submarines, and could later confirm that the Germans believed Pas de Calais, not Normandy, was the invasion point for D-Day. The breach was a devastating blow to the German military and is often estimated to have shortened the war by a couple of years, saving as many as 14-21 million lives.
(*) Note: Today’s GCHQ includes the UK National Cyber Security Centre (NCSC). Besides NATO, NCSC is an independent third party that has audited and certified Cryptify’s communication system, Cryptify Call, for use up to the specified information security level.
WhatsApp - Pegasus Spyware Exploit (2019)
In May 2019 WhatsApp discovered a zero-click vulnerability being exploited to install Pegasus, a spyware developed by the Israeli NSO Group. The attackers placed a WhatsApp voice call to the target; specially crafted SRTCP packets in that call triggered a memory-corruption bug in WhatsApp’s VoIP stack, so Pegasus was installed on the target’s phone even if the call was never answered. Both the Android and iOS versions of WhatsApp were affected. Pegasus gave complete access to the user’s messages and other data, end-to-end encryption notwithstanding, because it ran on the endpoint where messages are decrypted anyway, and also to the phone’s microphone, camera, GPS and other system-level functions. The lesson for secure communication is that end-to-end encryption protects data in transit, not a compromised device. In December 2024 a U.S. judge ruled that, through Pegasus, the NSO Group had violated U.S. hacking laws and WhatsApp’s terms of service by targeting about 1,400 phones globally, among them phones belonging to associates of the murdered Saudi Arabian journalist Jamal Khashoggi (wider reporting on Pegasus has also named the President of France’s phone as a selected target). The Israeli firm faces a jury trial in 2025 to determine damages.
Microsoft Teams – Token Theft Vulnerability (2022)
Vectra, a cybersecurity company headquartered in California, discovered in 2022 that the Teams desktop client stored access tokens in plaintext on Windows, macOS and Linux. The client is built on Electron, and the authentication tokens were kept in cleartext in the application’s local app data folder (in its cookie and local storage databases). An attacker with local or remote access to the filesystem (e.g., via malware or a hijacked session) could copy those tokens and use them to read the user’s messages and act in the user’s Teams environment without logging in, and without triggering multi-factor authentication, since a valid token represents an already completed login. The tokens were long-lived and were accepted by the other Microsoft services they were scoped to, which opened up trivial lateral movement further into the organization’s IT infrastructure without any need for passwords. The practical checks are to treat any app-data directory that holds session material as sensitive, to prefer short-lived tokens bound to the device, and to revoke sessions as soon as a device is suspected to be compromised.
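The following is an added example written for this page (not Vectra’s tool and not anything from Microsoft) of the check a practitioner would run to find such tokens: walk an app-data directory, match JWT-shaped strings, decode the claims without verifying the signature, and flag anything long-lived. It builds its own constructed sample tree in a temporary directory, so it runs offline; the file names, the audience value and the 30-day lifetime are assumptions, and the signature on the sample token is a dummy.

```python
"""Added example: find cleartext JWT-shaped access tokens in an app-data tree.

Constructed demo, not code from the original page or from Microsoft/Vectra.
File names and token contents are assumptions; the signature is a dummy.
"""
import base64
import json
import os
import re
import tempfile

# A JWT is three base64url segments separated by dots; "eyJ" is how
# base64url('{"') begins, so this catches tokens embedded in any text or blob.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

LONG_LIVED_SECONDS = 24 * 3600  # flag anything valid for more than a day (assumption)


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.

    This is triage, not authentication: we only want exp/iat/aud to judge
    how dangerous a leaked token is. Raises ValueError on non-JWT input.
    """
    header_b64, payload_b64, _sig = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("not a JWT")
    return payload


def scan_dir(root: str, now: int) -> list:
    """Walk `root`, find JWT-shaped strings in any file, report their lifetime."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                text = fh.read().decode("latin-1")  # lossless view of arbitrary bytes
            for match in JWT_RE.finditer(text):
                try:
                    claims = decode_jwt_unverified(match.group(0))
                except ValueError:
                    continue  # looked like a JWT but was not one
                exp, iat = claims.get("exp"), claims.get("iat")
                has_times = isinstance(exp, int) and isinstance(iat, int)
                findings.append({
                    "path": path,
                    "aud": claims.get("aud"),
                    "remaining_seconds": (exp - now) if isinstance(exp, int) else None,
                    "lifetime_seconds": (exp - iat) if has_times else None,
                    "long_lived": has_times and (exp - iat) > LONG_LIVED_SECONDS,
                })
    return findings


def make_sample_token(claims: dict) -> str:
    """Build a JWT-shaped string with a DUMMY signature (constructed test data)."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    header = {"alg": "HS256", "typ": "JWT"}
    sig = base64.urlsafe_b64encode(b"not-a-real-signature").decode().rstrip("=")
    return f"{enc(header)}.{enc(claims)}.{sig}"


def build_sample_appdata(root: str, now: int) -> None:
    """Write a constructed app-data tree: one leaked 30-day token plus two decoys."""
    os.makedirs(os.path.join(root, "Local Storage"), exist_ok=True)
    token = make_sample_token({
        "aud": "https://example.invalid/api",  # assumed audience
        "iat": now,
        "exp": now + 30 * 86400,
    })
    with open(os.path.join(root, "Local Storage", "leveldb.log"), "wb") as fh:
        fh.write(b"\x00\x01junk{\"token\":\"" + token.encode() + b"\"}\xff\xfe")
    with open(os.path.join(root, "settings.json"), "w") as fh:
        fh.write('{"theme": "dark", "note": "eyJfoo.bar.baz is not a token"}')
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("nothing to see here\n")


def run_demo(now: int) -> list:
    """Create the sample tree in a temp dir, scan it, return the findings."""
    root = tempfile.mkdtemp(prefix="appdata-demo-")
    build_sample_appdata(root, now)
    return scan_dir(root, now)


if __name__ == "__main__":
    import time
    for f in run_demo(int(time.time())):
        print(f"{f['path']}: aud={f['aud']} lifetime={f['lifetime_seconds']}s "
              f"long_lived={f['long_lived']}")
```

Pointing `scan_dir` at a real profile directory instead of the constructed tree is the same call; the decoder deliberately never checks the signature, since on the defender’s side the question is not “is this token valid” but “how long would it stay valid if an attacker copied it”.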
Signal – Russian device link attack on Ukrainian officials and military (2022)
Russian-aligned attackers targeted Ukrainians, mainly officials and military personnel, by abusing Signal’s “linked devices” feature, which lets a second device (e.g. a desktop) be attached to an existing account. The main tactic was to trick the victim into scanning a malicious QR code that linked the attacker’s device to the victim’s account. The QR codes were spread via phishing messages, often masquerading as group invitations or security alerts. Once the victim scanned the code, the attacker’s device received the victim’s subsequent messages in real time, without any need to touch the phone or break the encryption. Signal has since added mitigations, e.g. warnings when a new device is linked. The check a user can make is to review Settings > Linked Devices regularly and unlink anything unrecognized.
Edward Snowden – Exposing the PRISM Program prior to Schrems (2013)
PRISM is the code name for a program under which the U.S. National Security Agency (NSA) collects data and communications held by U.S. based companies*. The leaked documents described PRISM as giving the U.S. government access to data from major U.S. technology companies, including Microsoft, Yahoo, Google, Facebook, Apple and others, enabling the collection and use of extensive data such as emails, video and voice chats, photos and documents from users worldwide. The legal foundation for PRISM is Section 702 of the Foreign Intelligence Surveillance Act (FISA), which permits the U.S. government to target non-U.S. persons located outside the country for foreign intelligence purposes; the collection also incidentally sweeps in data of U.S. citizens. Edward Snowden, a former NSA contractor, leaked the classified documents in 2013 that revealed the existence of PRISM and other global surveillance programs. The U.S. Department of Justice filed charges against Snowden for espionage and theft of government property (June 21, 2013), and the Department of State revoked his passport on June 22, 2013. Snowden nevertheless boarded a flight to Moscow, and in 2022 he was granted Russian citizenship by President Vladimir Putin. After Snowden’s disclosures, companies such as Google, Facebook, Yahoo, Microsoft and LinkedIn released transparency data indicating that tens of thousands of user accounts had been affected by FISA requests under the PRISM program.
As a follow-up to Snowden’s exposure of PRISM, the Austrian lawyer Max Schrems has litigated the conflict between the European Union’s data privacy law and U.S. surveillance regulations. On one side stands the EU’s General Data Protection Regulation (GDPR), which aims to protect the personal data of EU citizens. On the other side stand the U.S. surveillance laws, including FISA, Executive Order 12333 (EO 12333) and the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which can compel U.S. companies to hand over EU citizens’ information to the U.S. government on request. The EU and the U.S. have tried to handle this conflict, first via the Safe Harbor agreement, but the Court of Justice of the European Union (CJEU) ruled in 2015 that the Safe Harbor framework was invalid, as it did not provide sufficient safeguards for EU citizens (Schrems I). The EU and U.S. then created the Privacy Shield, which Schrems challenged too; in 2020 the CJEU again ruled that U.S. surveillance law lacked adequate safeguards and that EU citizens had no effective legal remedies (Schrems II).
(*) Note: Cryptify AB operates under Swedish legislation, ensuring that no information is subject to disclosure under laws such as EO 12333, FISA or the CLOUD Act.
Integrity

Aldrich Ames – The Mole Inside the CIA (1985–1994)
Ames was a senior CIA counterintelligence officer whose main responsibility was catching Soviet spies. Ironically, he became one of the most damaging spies in American history, working for the KGB from 1985. Ames handed over the identities of CIA informants inside the USSR to the Soviet Union. To cover his tracks he attacked the integrity of the CIA’s own information: he altered reports and data and redirected suspicion elsewhere, and was therefore not caught until 1994. As a result, at least ten CIA assets were executed by the Soviets and the CIA’s Moscow network collapsed, leaving the U.S. effectively blind inside the Soviet Union for years.
Operation Farewell – Hacking the Soviet Union (Early 1980s)
In the early 1980s the CIA learned, through a KGB officer spying for French intelligence under the codename “Farewell” (Vladimir Vetrov), that the KGB was systematically stealing Western technology, anything from defense blueprints to industrial software. Instead of simply shutting down the espionage channels, the CIA deliberately used integrity sabotage as a weapon, feeding subtly altered designs and defective software into the channels the KGB was known to use. One piece of CIA-sabotaged software was reportedly used by the Soviets to operate a natural gas pipeline in Siberia and caused a massive explosion, described as one of the largest non-nuclear blasts ever seen from space. The pipeline account comes from the memoir of a former Reagan-administration official and has been disputed, but the underlying point holds: data whose integrity the recipient cannot verify can be turned against them.
The Stuxnet Worm – Targeting Iran’s Natanz nuclear facility (2007-2010)
A highly advanced piece of malware, believed to have been developed by the U.S. and Israel, targeting the uranium enrichment centrifuges at Iran’s Natanz nuclear facility. Stuxnet spread via infected USB drives and exploited four zero-day vulnerabilities in Windows to propagate inside the facility, then abused the Siemens Step7 PLC engineering software (replacing the DLL Step7 uses to communicate with the controllers, and using hard-coded credentials in the associated WinCC software) to reach the PLCs. As soon as someone plugged an infected USB drive into a computer inside Natanz, the worm spread across the Windows network and looked for Step7 installations controlling the centrifuges. It then reprogrammed the centrifuge controllers to spin the rotors at damaging speeds while replaying previously recorded normal sensor readings to the operators, a textbook integrity attack on both the control logic and the monitoring data. The damage was dosed to cause failures over time, making it harder for the Natanz technicians to suspect sabotage before the worm had spread widely inside the facility. In the end around 1,000 centrifuges were reportedly destroyed, delaying Iran’s nuclear program by years.
Availability

Estonia – DDoS attack on national infrastructures (2007)
In 2007 Estonia faced a massive cyberattack that targeted key national infrastructure, including government websites, banks and communication systems. The attack followed a political dispute with Russia over the relocation of the Bronze Soldier of Tallinn monument, and its primary method was distributed denial-of-service (DDoS) attacks. It also hit the channels the government used to communicate, making it difficult to coordinate between agencies during the attack, since the government had no separate communication system under its own control. Public and private sector services were severely disrupted. The intensity of the attacks subsided after about three weeks, with Estonia gradually restoring its digital services and implementing stronger cybersecurity measures. Estonia later became a pioneer in cyber defense and introduced advanced cybersecurity practices to ensure that national communication systems remain available and secure.
WannaCry – Causing damage of $4-8 billion (2017)
WannaCry is a ransomware worm that was first observed on May 12, 2017. It is believed to be linked to the Lazarus Group, a state-sponsored hacking group tied to North Korean intelligence. WannaCry leveraged EternalBlue, an exploit for a vulnerability in Windows Server Message Block version 1 (SMBv1), reportedly developed by the NSA and leaked by the Shadow Brokers group in April 2017. Microsoft had patched the vulnerability (MS17-010) in March 2017, so the worm mainly hit unpatched systems and systems that still exposed SMBv1. Once inside an organization the worm encrypted users’ files and demanded a Bitcoin ransom, rendering Windows computers unusable. The attack is estimated to have infected 200,000+ computers across 150 countries. The National Health Service (NHS) of the United Kingdom was one of the major victims: WannaCry caused cancelled surgeries, diverted ambulances and inaccessible records, with an estimated £92 million in disruption and recovery costs. FedEx, Renault-Nissan and Deutsche Bahn are other known major victims of the loss of availability. The end of the story is perhaps surprising: a British researcher, Marcus Hutchins (a.k.a. MalwareTech), noticed that WannaCry queried a specific unregistered domain name. He registered the domain and thereby, unintentionally, activated the worm’s kill switch, as the malware stopped spreading and encrypting when the domain resolved. Without the kill switch it is widely believed that WannaCry could have caused far more catastrophic damage globally.
Authenticity

CEO Voice Deepfake Scam – €220,000 Fraud (2019)
Fraudsters used AI voice synthesis to mimic the voice of the chief executive of the German parent company of a UK energy firm. They called the UK firm’s CEO, pretending to be his boss, and urgently requested a transfer of €220,000 (about $243,000) to a Hungarian supplier. The money was wired and vanished through a chain of international accounts. This was one of the first publicly reported real-world deepfake voice scams; it stunned the cybersecurity community and prompted finance and telecom organizations to require out-of-band verification of payment requests, such as calling back on a known number, since the voice on the line can no longer be treated as proof of identity.
Links for more information:
- https://www.forbes.com/sites/jessedamiani/2019/09/03/a-voice-deepfake-was-used-to-scam-a-ceo-out-of-243000/
- https://threatpost.com/deep-fake-of-ceos-voice-swindles-company-out-of-243k/147982/
- https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/unusual-ceo-fraud-via-deepfake-audio-steals-us-243-000-from-u-k-company
Trump administration – SignalGate (March 2025)
In March 2025 senior members of the Trump administration accidentally shared highly sensitive military information through the Signal messaging app. Between March 11 and 15, 2025, a group of 19 participants, including Defense Secretary Pete Hegseth, Vice President JD Vance and National Security Adviser Mike Waltz, discussed plans for a military operation against the Houthis in Yemen in a Signal group chat. The journalist Jeffrey Goldberg was mistakenly added to the chat, leading to the unintended exposure of the details. The encryption was never the weak point; the failure was one of authenticity and membership control, since nothing verified that every participant was who the organizer believed them to be.
Links for more information:
- https://www.theguardian.com/us-news/2025/mar/28/what-is-signal-the-messaging-app-at-the-heart-of-a-us-security-leak
- https://www.theatlantic.com/politics/archive/2025/03/trump-administration-accidentally-texted-me-its-war-plans/682151/
- https://en.wikipedia.org/wiki/United_States_government_group_chat_leak
Zoom – Security & Privacy failures (2020)
Zoom was criticized for a slew of security issues during its surge in usage during the pandemic, including failures to secure authenticity. Some examples:
- “Zoom bombing”: uninvited persons joined meetings whose links they guessed or found, since meetings did not require a password by default.
- Zoom claimed to use end-to-end encryption but actually protected media only between each client and Zoom’s servers (transport encryption, in the same way TLS protects a connection to a web server, with the media keys generated by Zoom’s servers). Zoom’s servers therefore held the keys and could see call content, and so could anyone with access to those servers. (Zoom later released an optional end-to-end encryption mode.)
- Some meeting encryption keys were issued by servers in China, even for meetings with no participants there, raising geopolitical alarms.
- A 2019 vulnerability in the Mac client’s local web server let a malicious website auto-join a visitor to a Zoom call with the webcam enabled.
- Default settings stored Zoom cloud recordings without strong access controls.
The identified security issues triggered a global response in which many governments and companies restricted or banned Zoom use.
Signal – Twilio Breach (2022)
Twilio, a cloud communications provider that Signal used to deliver the SMS verification codes in its registration process, was compromised in a phishing attack in August 2022. The attackers phished Twilio employees and gained access to Twilio’s customer support console, which exposed the phone numbers and SMS verification codes of around 1,900 Signal users. With a verification code an attacker can register the victim’s phone number on a device of their own and receive messages sent to that number from then on; Signal confirmed this was done for at least one user. Message history and contacts were not exposed, since Signal does not hold them. Signal’s Registration Lock (a user-chosen PIN required to re-register a number) blocks exactly this attack, and Signal urged users to enable it. SMS-based verification is a known weak link, which this attack proved once again.
Links for more information:
Failures using SMS for two-factor authentication (2FA)
Twitter – Jack Dorsey (CEO, 2019)
Attackers hijacked Jack Dorsey’s phone number via a SIM swap (the fraudster convinces the telephone company to port the victim’s number to a SIM the fraudster controls). With the number in hand they posted offensive content from the CEO’s account through Twitter’s text-to-tweet feature, which trusted the sending phone number as proof of identity, so no password or second factor was needed at all.
Reddit – SMS Interception via SIM Swap (2018)
Reddit is one of the world’s largest social media platforms; in February 2025 it was ranked the ninth most visited website in the world. In 2018 Reddit’s employees used SMS-based 2FA on accounts with access to internal systems, and attackers intercepted those SMS codes (a SIM swap is the typical way) and gained access. The breached data included an old backup of user data, internal logs and source code. After the attack Reddit publicly stated that “SMS-based authentication is not secure” and moved to stronger methods.
Coinbase Customers – SIM Swapping Target (Ongoing)
Crypto investors using SMS 2FA have been systematically targeted by attackers who SIM swap their phone numbers. Coinbase, which runs the second largest cryptocurrency exchange in the world, has many customers relying on SMS 2FA. Once a customer’s phone number is hijacked by a SIM swap, the attacker resets the Coinbase credentials and drains the wallets. Coinbase advises its customers to move to authenticator apps or hardware keys. Lawsuits alleging that Coinbase did not do enough to protect those accounts have been filed in several cases and are ongoing.
Links for more information:
- https://www.theguardian.com/technology/2019/aug/30/twitter-ceo-jack-dorsey-account-hacked
- https://krebsonsecurity.com/2018/08/reddit-breach-highlights-limits-of-sms-based-authentication/
- https://cointelegraph.com/news/crypto-sim-swap-how-easy-is-sim-swap-crypto-hack