Boeing Hit by Cyberattack, Says Jetliner Production Not Affected

Boeing Hit by Cyberattack, Says Jetliner Production Not Affected

Updated on

  • Planemaker says it ‘detected a limited intrusion of malware’
  • Seattle Times cites memo on problem ‘metastasizing rapidly’

Boeing Co. said it was hit by a cyberattack, following a Seattle Times report that some manufacturing equipment used to build its 787 Dreamliner and newest 777 wide-body jets could be crippled.

Aircraft production and deliveries aren’t affected, the Chicago-based planemaker said Wednesday. Some reports on the attack “are overstated and inaccurate,” said Linda Mills, a spokeswoman at Boeing’s commercial airplane division.

“Our cybersecurity operations center detected a limited intrusion of malware that affected a small number of systems,” Mills said in an emailed statement. “Remediations were applied and this is not a production and delivery issue.”

The assembly lines potentially affected by the software problem include those of Boeing’s 787 Dreamliner North Charleston, South Carolina, and the 777X Composite Wing Center, the Seattle Times report indicated.

“It is metastasizing rapidly out of North Charleston and I just heard 777 (automated spar assembly tools) may have gone down,” Boeing engineer Mike VanderWel wrote in a memo cited by the newspaper. VanderWel said he was concerned that the virus would hit equipment used to test jetliners before they roll out of the factory for their initial flight and potentially “spread to airplane software.”

The automated spar assembly refers to a state-of-the-art new tool at Boeing. Robotic machines there lay down rows of carbon-fiber tape over what will become the 108-foot-long spar that runs down the center of the wing for the 777X, an upgraded jetliner due to debut in 2020.

A cyberattack last year compromised companies such as FedEx Corp. and Nissan Motor Co. and crippled parts of the U.K.’s state-run National Health Service.

Boeing rose less than 1 percent to $321.55 in late trading.

Read more: https://www.bloomberg.com/news/articles/2018-03-28/boeing-hit-by-wannacry-ransomware-attack-seattle-times-says

How One Woman’s Digital Life Was Weaponized Against Her

The first time the police arrived on her doorstep, in March of 2015, Courtney Allen was elated.

She rushed to the door alongside her dogs, a pair of eager Norwegian elkhounds, to greet them. “Is this about our case?” she asked. The police looked at her in confusion. They didn’t know what case she was talking about. Courtney felt her hope give way to a familiar dread.

Three days earlier, Courtney and her husband, Steven, had gone to the police headquarters in Kent, Washington, a suburb of Seattle, and reported that, for the past few months, they had been the victims of a campaign of online harassment. They had found a fake Facebook page under Steven’s name with a profile picture of Courtney, naked. Emails rained down in their inboxes; some called Courtney a cunt, whore, and bitch, and one they felt was a death threat. Her coworkers received emails with videos and screenshots of Courtney, naked and masturbating. The messages came from a wide range of addresses, and some appeared to be from Steven.

There were phone calls too. One to Steven’s grandmother warned that her house might burn down, with her in it, if she didn’t stay out of the Allens’ lives. There were so many calls to the dental office where Courtney worked that the receptionists started to keep a log: “Called and said, ‘Put that dumb cunt Courtney on the phone,’ ” one of them wrote in neat, bubbly handwriting. “I said, ‘She is not here at the moment, may I take a message?’ ” At one point Courtney created a Google Voice number to ask, “If I talk to you, will you leave me alone?” Instead, dozens of voicemails poured in: “Do you think I’m ever going away?” one said. “Now that my private investigator went and got all the tax information? There’s no job either one of you guys can have that I won’t know about and be there.”

The Kent police officer who took the Allens’ statement seemed unsure of what to make of their story. Courtney and Steven told him who they believed was behind the harassment: a man in Arizona named Todd Zonis with whom Courtney had an online relationship that she had recently broken off. She says she told the officers that she had sent Zonis the videos of herself while they were still involved and that he had sent ones of himself to her, but that she had deleted their exchange. In a report, the officer noted that, while Courtney and Steven insisted that his role was obvious, Zonis’ name barely appeared in the folder full of printouts and CDs that they had with them. The officer assigned them a case number and advised them not to have any more contact with Zonis.

Now, three days later, the two officers on Courtney’s doorstep explained why they had come: An anonymous tipster, who claimed to work with Steven, had left a report on the Crime Stoppers website. It said that Steven “had been telling everyone for months that his wife was leaving him but he had a plan to beat her into staying.” The tipster added that he had noticed “a lot of bruises.” When prompted for more information on the suspect, the informant wrote that the Allens had a “large gun collection” and two big dogs. (One detective later noted that some of the reports seemed designed to trigger “a large/violent police response.”)

December 2017. Subscribe to WIRED.

Rebecca Benderite/Eyeem/Getty Images

The police left after interviewing Courtney, but three days later, two detectives knocked on the Allens’ door in the early afternoon. Courtney wondered, more cautiously this time, if she would now get a response to her complaint. But no—the detectives were investigating another anonymous tip. This one was about an alleged incident at a park involving Steven and the Allens’ 4-year-old: “His son screamed and he smacked him repeatedly on the back, butt, legs, and head, but not the face,” the tipster wrote. “He then berated his wife, calling her ‘whore’ and worse … She covers for him when the abuse is to her, but abuse to the child I don’t know what will happen.”

In her report of the visit, detective Angie Galetti wrote that the Allens’ son “came downstairs and appeared to be happy and healthy.” She described how Courtney had to coax her nervous son into showing his skin to the detectives: “There was no suspicious bruising or marks of any kind,” she wrote. He “appeared appropriately attached to his mother and Detective Lorette and I had no concerns.”

But Courtney’s concerns were mounting. The day before, she had gotten an email to an account she only used for spam. “How did you even GET this email address?” Courtney wrote back. “Leave me and my family alone!” A reply came accusing Steven of also using unsavory cybertactics to find out about Courtney’s online behavior, but added: “I am MUCH better at it. For example. Your Jetta, in the driveway”—and yes, that’s where it was. The message included the car’s vehicle identification number. Courtney had started having nightmares; just going outside made her afraid. She felt violated by the images of her that were circulating who knew where, and anxious about what might come next.

And now this. It was “one of the worst moments of my life,” she said later, hoping that help was coming but instead “having to lift up my son’s shirt and show them my son’s body to make sure he had no bruises.” When the detectives asked for her phone number, she realized she didn’t remember it—she had just changed it in an attempt to evade the endless calls. She found herself sobbing in front of the detectives. The harassment was so creative, so relentless, so unpredictable. Around the same time, at least 15 of her neighbors received a “community alert” in the mail warning them that they were living near a dangerous abuser, Steven Allen. It was postmarked from Arizona.

But the most frustrating thing was how hard it all was to explain or prove. Courtney was beginning to feel trapped in a world of anonymous abuse. She didn’t know if she would be able to convince anyone that what she believed to be happening was real.

It began, as relationships often do these days, online. From the start it was a strange and tangled story of exposure and distrust in the internet era.

In the fall of 2012, Courtney and Steven had been together for 12 years but had known each other for 20: They met in a high school biology class and reconnected later when Courtney was going through a divorce. The couple—now in their mid-thirties, with a house full of fantasy books and clay dragons that Courtney sculpted—were avid players of Grepolis, an empire- and alliance-­building browser game set in ancient Greece.

One day a player in an opposing alliance asked if he could join theirs. The small council that ran the alliance agreed. This was Courtney’s first introduction to Todd Zonis and she liked him from the start: “He was crude and rude and I thought it was actually kind of funny,” she says.

Courtney’s player name was sharklady76. As she recalls it, Zonis sent her a note on the game’s messaging service to say he had once owned a shark, and from there the conversation took off. They talked about gardening and pets. She shared pictures of her elkhounds; Zonis sent ones of his tortoise. The two progressed to video-chats. Both were married, but “it just kind of grew from there,” Courtney remembers. “It was a really strong friendship and then turned into not a friendship.”

At the time, Courtney was staying home with her toddler. She and Steven had made that decision together, but still, it was rough on their marriage: Steven was working long hours as an IT instructor and felt the stress of being the sole breadwinner. He often traveled for work. Courtney was a nervous new mother, afraid to let her son stay with sitters, which only increased her sense of isolation. She was often angry at Steven, whom she began to see as controlling and neglectful.

Zonis was a freelance sound engineer with a flexible schedule. The relationship with him offered “an escape,” Courtney says: “He was charming. He told me everything that I ever wanted to hear about how wonderful I was.” She adds, “I just thought the world of him. Because it was online, it was very easy to not see the faults someone has, to not see warning signs.” Eventually Courtney was spending a lot of time online with Zonis and pulling further away from Steven. She kept telling herself that they were just good friends, even when Zonis sent her a penis-shaped sex toy. One day, nearly a year after Zonis first joined the alliance, Steven noticed Courtney’s email open while updating her laptop. He read an exchange between her and Zonis. It was explicit, and it mentioned videos. He confronted Courtney. She was furious that he had read her emails but said she would stop communicating with Zonis. Instead, she moved the relationship to her tablet, behind a password; she also labeled Zonis’ contact information with a fake name.

She wanted to be sure Steven wasn’t the mastermind of a complex scheme.

Steven, sensing his marriage falling apart, turned to Google. He searched “adultery” and “online affair” and found a website called Marriage Builders that bills itself as “the #1 infidelity support site on the internet.” It was founded by Willard F. Harley Jr., a psychologist who encourages his readers to work to understand and meet their spouse’s needs but also recommends a radical response when a spouse won’t end an affair: making it public to the family of the people involved. Love, he writes, should be based not on trust but on transparency. “Imagine how little crime would be committed if everyone’s activities were videotaped.”

Steven tried to follow Harley’s advice for healing a marriage. He apologized for being distant and tried to get Courtney interested in answering the site’s questionnaires. But Courtney, often busy on her tablet, was leery of the Marriage Builders philosophy.

In November of 2014, just over a year after first seeing Courtney’s emails with Zonis, Steven noticed her tablet unlocked on the counter. She was in the shower, so he looked. He saw messages from a name he didn’t recognize but a writing style that he did. He then found more messages. The relationship hadn’t ended. His mind went to the advice from Marriage Builders: “Exposure helps prevent a recurrence of the offense. Your closest friends and relatives will be keeping an eye on you—holding you accountable.”

A few days later, Steven contacted his parents and Courtney’s parents and told them about the relationship. He found Zonis’ wife and wrote and texted her. He looked up Zonis’ parents on a people-finder site. “I would ask that you encourage your son to stop this affair before it completely ruins our family,” he wrote, adding that he had heard that the Zonises had an open relationship. “If you have any questions or would like to see some of the evidence, please email me.”

Courtney was livid. She told Steven not to come home that night; when he did, she took their son to her parents’ house. She returned the next day, but they slept in separate rooms and Courtney discussed divorce.

Zonis, too, was outraged. He saw the messages that Steven sent as an attack on his family, and one that was unjustified. Zonis tells the story of the relationship differently. After he joined the alliance, he says, he noticed Courtney talking about her husband in forums in a disturbing way, saying he was controlling and would punish her. He says Courtney reached out and became friends with him and his wife, Jennifer—“The two would chat, you know, for hours,” he says—though Courtney denies this. She asked a lot of questions about their marriage, he says, looking for advice. He denies that either he or Courtney ever sent explicit videos, or that they were more than friends.

To Zonis, calling his relationship with Courtney an “affair” was a false characterization and cost him dearly; Steven’s comment about an open marriage, he says, turned his parents against him. He claimed that his parents cut off contact and wrote him out of their will, which meant he would not inherit the “ancestral home.” In total, he says he lost an inheritance worth more than $2 million. Zonis began saving for a lawyer so he could take Steven to court. “He destroyed my family,” Zonis says, “just to basically keep his own wife in line.”

After the “exposure,” the Allens received barrages of virulent emails from Zonis’ account. He later denied writing both the anonymous emails and some that came from his account, speculating that perhaps someone to whom he’d told his story had taken it upon themselves to punish the Allens, or that the Allens were harassing each other and blaming him. He didn’t much care, he says, because he considered the harassment trivial: “My rights were violated and nobody cares, and we’re still talking about what happened to poor Courtney?”

After exposing the affair, Steven continued asking for advice from other people on the Marriage Builders site. He even posted emails between Courtney and Zonis, and a copy of a letter that he wrote to Courtney: “I am so very sorry I hurt you and hurt you so deeply for years, by not considering your feelings near as much as I should have, and by demanding and disrespecting your opinion to get what I wanted. I was abusive and controlling. I was so sure I was right, and getting what I wanted would help you too, that I didn’t realize the hurt I was causing you.” He didn’t realize that Zonis had found these posts and took them as Steven admitting to being an abuser.

Steven had hoped the exposure would allow them to move on; it had the opposite effect. One of his coworkers received an email accusing Steven of assaulting Courtney. When Steven told Courtney that Zonis must have sent it, she refused to believe him. Zonis “had my ear,” she says. “I was listening to everything that he said, and I was assuming anything Steve said was a lie.”

Illustration by Yoshi Sodeoka/Science Photo Library/Getty Images

But she also felt cracks forming in her relationship with Zonis—she accused him of making the threatening call to Steven’s grandmother, which he angrily denied—and asked for space to try to get her head straight. She went back to work, seeking more independence. In an email to Zonis, the former sharklady described something she’d seen on TV: “There is a whale carcass. All the great whites gobble it up, ripping huge chunks out of it at a time. That is what I feel like … the whale.” “In my new world,” she wrote Zonis, “EVERYONE is lying to me. I don’t believe anyone anymore.”

In the meantime, Steven, angry about the message to his coworker, emailed Zonis, writing that he could “look forward to continued exposures to people in your life.” Zonis, who considered this a second attack, forwarded a copy of the email to Courtney, but when she read it she sensed something was wrong. The writer referred to their child as “her” son instead of “our” son, and a boast about his ability to manipulate her did not sound like her husband. (“I know Steven looks down upon people who try to manipulate,” she says. “It just didn’t fit with his character.”)

In a modern act of trust, she and Steven showed their emails to each other. She saw that the version Zonis sent to her had been edited—that Steven’s words had been changed. Courtney felt she finally knew whom to trust. “That,” she said later, “was when I turned to Steve and said, ‘I need help. I don’t know how to get myself out of this.’ ”

Courtney decided to ease Zonis out of her life. Her messages to him became short, bland, and infrequent, but still she received long, aggressive responses. Finally she began demanding to be left alone, then stopped responding at all. But emails and calls continued, as many as 20 in a single day; even Courtney’s mother was getting calls. Zonis said later that he was calling the Allens to get an apology, something that he could show to his parents. One email from his personal account said that the sender had just been in the Allens’ city —“VERY nice place”—and promised a visit to the area again soon. (Zonis denies writing the message.) There were also voicemails: “I will burn myself to the ground to get him. I told you, you’re going to lose him one way or the other.”

Emails arrived from other accounts too: Courtneythe­whore­sblog­@blogspot.com, Courtney­CallMe69@aol.com, CourtneysGotNoPrinciples@LyingCunt.com, ItsHOWsmall@babydick.com, urtheproblem@outlook.com, Youareaselfishcocksucker@noone­willeverreallyloveyou.com. There were dozens of others.

Some messages to the Allens’ neighbors and coworkers came from what appeared to be Steven’s email. Courtney’s boss got emails from “Steven” with subject lines such as “My Slut wife Courtney” and “Courtney is not who she seems to be.” One night, as Courtney worked on a sudoku puzzle in bed, she received an email that looked as if it had come from her husband, who was next to her reading a book. The next night, Steven’s cell phone dinged on the nightstand with a new email. He picked it up and turned to Courtney. “Apparently you hate me,” he said.

In March 2015, Courtney filed for a protective order against Zonis, which would make further contact a crime. Steven filed for a similar order for himself and their son the month after the “exposure,” but Courtney had believed that doing so would be too antagonizing. Zonis and his wife responded in kind by getting orders of their own. Two days after Courtney’s order was granted, she got an email from Zonis’ personal account: “Glad that bullshit symbolic gesture is out of the way,” it said. (Zonis denies writing this too.)

No charges were filed. The Kent police, while sympathetic, “weren’t really interested in something that was a misdemeanor protective order violation,” Steven says. The Allens got the sense that because Zonis was in Arizona, and because so much of the harassment was confusing and anonymous, it was hard for the police in Kent to act. At the end of March, Courtney and Steven walked into the FBI’s office in Seattle to present their case. (The Kent police, county prosecutor, and FBI all said they were unable to comment for this story.) Three months later the Allens got a letter stating, “We have identified you as a possible victim of a crime,” and informing them that the FBI was investigating. Months passed with no word. When they heard about the FBI’s involvement, the Kent police closed their own case. The Allens, not sure what else to do, continued to bring them evidence of new and ever more inventive harassment.

In early April the Allens received a package in the mail that was full of marijuana. After they reported it to the police, Detective Galetti informed the Allens that there had been more Crime Stoppers reports: allegations that they were selling drugs, that they were cutting them with butane, that their customers were high school kids.

The Allens began to consider a different option. Earlier that year, after Steven started a new job at the University of Washington, he told campus authorities about the harassment. Natalie Dolci, then a victim advocate with the campus police, referred him, as she had many others, to a pro bono program called the Cyber Civil Rights Legal Project at the prominent K&L Gates law firm. The project had been started a year earlier to help victims of what is variously known as sexual cyberharassment, cyberexploitation, and revenge porn. (Dolci prefers the terms “technology-enabled abuse” or “technology-enabled coercive control,” phrases broad enough to include things such as using spyware or hacking in-home cameras.) Often the cases didn’t go to court, meaning the public seldom heard their details. Most people just wanted to settle, get the harassment to stop, keep their images off the internet and their names out of public records.

Steven and Courtney weren’t eager to file a lawsuit, but they hoped the firm—a large one with a cyberforensics unit experienced in unraveling complex online crimes—would be able to help them unmask the harasser and prove their story to police. “We were just trying to get law enforcement to do something,” Steven said later.

On April 29, 2015, Steven and Courtney walked into a conference room overlooking Seattle’s port and Mount Rainier where they met David Bateman, a partner at K&L Gates and one of the founders of the Cyber Civil Rights Legal Project, and Breanna Van Engelen, a young attorney. A mock trial program in college convinced Van Engelen that she wanted to be a litigator—to stand up in court on behalf of clients she believed had been wronged—but she was fresh out of law school and had yet to try her first case.

The lawyers were skeptical of the Allens’ story at first. It was so outlandish that Van Engelen wondered if it was made up—or if one spouse was manipulating the other. Courtney’s fear seemed genuine, but so many of the emails did appear to come from Steven, who knew his way around computers. Van Engelen wanted to be sure that Steven wasn’t the mastermind of a complex scheme in which he hid his own abuse, impersonating Zonis impersonating him. She interviewed the Allens separately and then spent a week poring through the evidence: voicemails and social media profiles and native files of emails. By digging into how they were created, she found that emails from “Steven” had been spoofed—sent through anonymizing services but then tagged as if they came from his email or were sent from an untraceable account. Had Steven been the mastermind, it would have been “like robbing a bank but wearing a mask of your own face,” she said later. “It just doesn’t make any sense.” Van Engelen came to believe the Allens were telling the truth.

But that left another question. What if the case did go to trial? Even if she could convince a jury—which would mean explaining the complexities of how identity is both hidden and revealed on the internet—could she get them to care? Cyberharassment is still an unappreciated crime. Gary Ernsdorff, a prosecutor in King County, where the Allens live, said that people often don’t think it’s that big a deal—it’s just online, after all. Or they blame victims for sharing intimate images in the first place. What, Van Engelen wondered, would a jury make of the Allens’ saga? Would they think Steven had gone too far in exposing the affair? Would they blame Courtney for the videos? Though Van Engelen saw the Allens as victims, she realized a jury might not.

Many people assume that cyber­harassment is easy to avoid: They believe that if victims hadn’t sent a naked photo, then that person would have nothing to worry about. But experts say this assumption is essentially a comforting fiction in a world in which we’re all potential victims. A 2016 survey found that one in every 25 Americans online—roughly 10 million people—had either had explicit images of themselves shared online against their will or had been threatened with such sharing. For women younger than 30, it was one in 10. The same survey found that, photos or no, 47 percent of Americans who used the internet had been victims of online harassment of some kind.

Danielle Citron, a law professor at the University of Maryland and the author of Hate Crimes in Cyberspace, began studying cyberharassment in 2007. What she found reminded her of her past research on the shocking leakiness of information databases. Nearly all of us are giving away reams of sensitive information about ourselves without understanding how it might be used, whether by a stalker or an unscrupulous company. This includes what we share online—geotags on our photos, workout apps that generate maps to our houses, badly protected Facebook updates or lists that show family ties, or posts that reveal innocuous-­seeming facts, such as birthdays, that can be used to access other information. We also leave an enormous digital trail of personal and private information with every credit card purchase and Google search and ad click.

People are starting to understand “that the web watches them back,” says Aleecia McDonald, a privacy researcher at Stanford’s Center for Internet and Society. But we still don’t appreciate the extent to which it’s happening or what risks we might face in the future. McDonald suggests thinking of the internet as a backward-facing time machine that we are constantly loading with ammunition: “Everything that’s on file about you for the last 15 years and the next 40 years” may someday be used against you with technology that, at this time, we can’t understand or predict. And much of the information that we leave in our wake has no legal protection from being sold in the future: “We overcollect and we underprotect,” Citron says.

Even without access to intimate images, Van Engelen says, “if I was obsessed enough and motivated enough, I could mess up your life.” Many experts now agree that the solution to cyberharassment lies in changing the ways we respond to the release or misuse of private information: to stop trivializing it, to take it seriously as a crime, to show perpetrators that their actions have consequences.

“You can tell people, ‘Don’t do anything that you wouldn’t want to have go public,’ ” McDonald says. “But what kind of life is that?”

Illustration by Yoshi Sodeoka/Robert Daly/Getty Images

As Van Engelen prepared to take on the Allens’ case, she kept finding more social media profiles. There were accounts impersonating Courtney and Steven; one Google Plus account, which included the videos and Courtney’s contact information, birthday, and maiden name, had more than 8,000 views. There was an account for their son. A Facebook account in the name of “Jennifer Jones”—Courtney recognized one photo as Zonis’ pet tortoise—sent messages to her friends and family accusing Steven of abuse and of having sent “Jones” threatening emails and photos of his penis. (Zonis denies creating any of these accounts, saying: “I’ve never been on Facebook in my life” and “Who puts a picture of their pet on a secret account they’re trying to hide?”)

The Allens contacted Facebook, Google, YouTube, and other sites to have the accounts taken down, with mixed success. One of the hardest to remove was the Facebook page in their son’s name. When Courtney filled out a form indicating that she wasn’t the one being impersonated, the site suggested she alert that person to have it removed; there seemed to be no expectation that the targeted person might be a 4-year-old. The account stayed up despite repeated requests. (It was finally disabled in late October, after WIRED’s fact-checkers asked Facebook for comment.) But at least Facebook had a complaint option; other sites offered no recourse, and the most the Allens could do was ask search engines not to include them in results. Sites that specialize in posting revenge porn sometimes charge hundreds of dollars to remove images—what Ernsdorff calls “a business model of extortion.”

Van Engelen and her colleagues were subpoenaing tech companies to find out who was assigned IP addresses, but they kept having to send new subpoenas as new accounts kept popping up. According to court records, they found that many of the early emails—from addresses such as CourtneyCallMe69 and Dixienormousnu—could be traced to the Zonises’ house. In one case the same message was sent seven times by different accounts in just over a day. Some of the accounts were anonymous but traceable to the Zonises’ home IP address or a hotel where they stayed; one came from what appeared to be Steven’s email but with the tag “Douchebag” attached—it was routed from an anonymizing website based in the Czech Republic that sent email from fake accounts. Van Engelen interpreted this spree as evidence that Zonis was trying to get through spam filters, as well as proof that he used anonymizers and impersonation. Zonis counters that Steven was manufacturing evidence against him.

As time passed, the emails and social media accounts became harder to trace. Van Engelen found that many of the IP addresses, created and disguised with Tor software, bounced through layers of anonymous routing. More came from the Czech website or another anonymizer. The writing style changed too, as if, according to Van Engelen, the writer didn’t want the syntax or orthography to be analyzable: Sometimes they read as though they were written by someone with limited, fluctuating facility with English.

In the summer of 2015, the Allens found out that a new credit card had been opened in their names and that one of their existing cards had been used fraudulently. They could see that all the attempted charges were to access sites that might yield personal information: ancestry.com, a site that allows recovery of old W2s, a company that does background checks.

Courtney began seeing a counselor. Her fear had become “an absolute paranoia.” She had night terrors and panic attacks if she saw police in the neighborhood. Zonis had told her that he was able to fly for free because his wife worked for an airline; Courtney feared he might show up at any time. She stopped letting her son play outside. “It just changed who I was,” she says. “I wasn’t functioning.” Almost worse than the fear was the guilt about what was happening to the people in her life. “No one can say anything to me about the horrible things that I’ve done,” she says, “because I’ve already said them to myself.”

"Me living was how I was going to beat him."

Courtney had come to see the internet as a danger to which the people around her were oblivious. “Nobody’s safe,” she says. “If you’re on the internet, you’re pretty much a target.” She was appalled at what she saw her friends post—vacation updates that revealed their locations, pictures of their young children. She asked other parents at her son’s school not to post pictures of him, and one asked her, “Aren’t you proud of your son?” When she offered to share the recommendations that the FBI had sent her about keeping information private, only one friend responded—and only to ask whether such precautions were really necessary. Courtney locked down her own social media and stopped giving out her phone number. “Privacy has become top priority to me,” she said. “Anonymity has become sacred.”

In late June 2015, K&L Gates filed the Allens’ lawsuit against Zonis, seeking damages and relief related to defamation, negligence, intentional infliction of emotional distress, electronic impersonation, and invasion of privacy. Two months later, Zonis filed his own suit in federal court in Arizona, making similar claims against Steven. The complaint included excerpts of harassing emails that Zonis alleged were sent to him by Steven: “Too bad your whore wife is still without a child … did I mention that I own [Mrs. Allen] again?” and “All I had to do was act like the benevolent husband, and let you do the work … I plan on continuing to cause you pain like you can’t even imagine.” It took more than a year of motions and replies for the cases to be combined and moved to Washington, where the first case was filed.

In August Courtney received an anonymous email that ended, “Easier if one help everyone and kill self.” She’d had suicidal thoughts before. If she did kill herself, she thought, that might finally make the harassment stop. Maybe this was how she could save her family. She went to get a gun that was kept in a safe. Her hands were shaking and she fumbled the combination to the lock. She began to think about all the things she’d miss if she pulled the trigger—teaching her son to drive, retiring with Steven, the books she would never read. At last, still unable to open the safe, she gave up. “I decided he wasn’t going to win,” she said later. “Me living was how I was going to beat him.”

The following month the Allens took a trip to Hawaii. While they were away there were calls and emails, but none of them mentioned the trip. To Courtney it seemed like a small miracle: one moment in her life that belonged only to her. “It was a breath,” she said later. She would hold onto that precious realization for a long time: “I can keep some things private.”

But it was only a breath. Emails had begun coming to Steven’s account at the University of Washington—a job he thought had gone unnoticed until he got an anonymous email referencing the school’s mascot: “Public record. all. done.” Soon dozens of accounts, from the IT department to the university president, were getting emails about the Allens, often with images of Courtney. According to court records, two preschools in the Kent area also got emails that appeared to be from Steven; they said that he planned to come in with a gun and start shooting.“It wasn’t me!” Steven cried when the police called him at work. “I’m here!”

Gradually the Allens grew somewhat inured to the videos and emails—“There’s no one that I know who hasn’t seen me in very intimate detail,” Courtney says. “He can’t hurt me that way anymore”—though she continued to worry that their son would find the videos one day.

As Halloween neared, the K&L Gates lawyers received a threat they considered credible enough to heighten security. Later that fall, two FBI agents appeared at the Allens’. The couple hoped again that their troubles were ending at last. But while the agents were aware of their case, they said they were required to tell the Allens to cease and desist because Zonis had contacted them with evidence that he said showed the Allens were committing credit fraud against him. Later, Zonis would produce documents that he said showed Steven mocking Jennifer, sending her pictures of his penis, and threatening retribution; in one post, it appears that Steven had asked his Marriage Builders friends to make the threatening call to his grandmother.

“Everything he’s done, he’s claiming I’ve been doing,” Steven said later.

“Every bit of everything that we were accused of was what he did to us,” Zonis says.

In January of 2017, the lawsuit’s discovery process finally ended. Van Engelen and her colleagues had been working on the case for nearly two years. By then Zonis, after cycling through several lawyers, was representing himself, with his wife assisting. Before trial, the parties were required to attempt mediation. The judge encouraged a settlement, telling the Allens that a jury looking at the mess of competing claims would see everyone involved as having unclean hands. The Allens and their lawyers sent an offer to the room next door, where the Zonises were waiting: They would dismiss their suit if Zonis dropped his counterclaim and left the Allens alone. Zonis instead asked them to pay a large sum for what he said he lost. The case proceeded to trial.

On Wednesday, March 22, 2017, the Allens, their lawyers, and the Zonises gathered in a courtroom. Van Engelen watched from her seat as a colleague began questioning potential jurors: How many of you have made a friend on the internet? How many of you have ever taken a selfie? If someone takes and shares intimate pictures and they get published online, is that their fault?

Many of the responses were exactly what Van Engelen had feared. She summed them up: “This is trivial. Why am I here? I don’t want to be part of someone’s Facebook dispute. This is high school.” More than one person thought that if you made explicit videos of yourself, it was your fault if they were shared. Others felt the Allens, with their table of lawyers, had an unfair advantage. Van Engelen listened with growing nervousness. That night she went home and cried in the shower. She kept thinking: “What if somebody just decided that they weren’t going to listen to any of the evidence and they’d already made up their minds?”

Before the trial, Steven created a timeline of the harassment. Bateman decided to present it to the jury during opening arguments; because it had so many details, the lawyers had to print it on a 10-foot-long poster so that the jurors would be able to see the entries. This isn’t trivial, Bateman told the jury, detailing the false police reports, the enormous number of emails, the videos. Van Engelen felt her anxiety ease. “Right away you could see the jurors’ faces change,” she says. “I think they got that this wasn’t what they thought coming in.”

Van Engelen played some of the voicemails aloud. Courtney wept. She told the story of trying to unlock the gun.

Van Engelen called Courtney as her first witness. Courtney described her relationship with Zonis and said that she thought the videos would be private. Zonis had filed a motion to have the images of Courtney withheld from court. (He said later that the images were unimportant “flash” intended to distract the jury from what he had been through.) Van Engelen feared their absence would make the jurors take the case less seriously. In her questioning she described them as clinically as possible, so that Courtney wouldn’t have to: “Do you orgasm?” she asked. “Do they show your inner and outer labia?” Courtney testified for more than a day, the whole time too ashamed to look at the jurors. Van Engelen asked her to read some of the emails and played some of the voicemails aloud; she then read from the Google Plus profile that bore Courtney’s name and image. “I am a real whore wife,” Van Engelen read, continuing, “and have suffered for years with unsatisfying sex with a husband who is hung like a cocktail frank.”

“Did you write that about yourself?” she asked. “Did your husband write this about himself?” “No,” Courtney replied. Van Engelen continued her questions. Courtney wept. She told the story of trying to unlock the gun.

Zonis gave an opening statement. His wife cross-examined Courtney and later testified as her husband questioned her. Together the couple set out their version of the story: that they were Courtney’s friends who had tried to rescue her from an abusive husband. They said that Todd wasn’t romantically interested in Courtney and that Steven had been the one harassing them. The Zonises introduced emails and posts that they said were written by the Allens. But they were paper printouts with no metadata or digital trail to prove authenticity. When the lawyers requested a forensically sound copy of Zonis’ data, Zonis replied that his computer had malfunctioned—he blamed spyware that he claimed Steven had installed via an image file—and he had sold it; that he had copies of the files on CDs but Jennifer had thrown them out by mistake.

On the stand, Steven denied writing most of the emails or posts Zonis claimed were from him. The Allens had kept digital copies of emails that appeared to come from Steven, and the K&L Gates team showed the jury how those had been spoofed. They also showed that the email formatting on some posts didn’t match that of the Allens’ computer and that the time zone was not Pacific but Mountain, where Zonis lived. It appeared, the lawyers suggested, that Zonis had created the posts himself.

Zonis later countered that the discrepancies were proof that Steven had used spyware to steal the emails. The Zonises hired an expert witness to testify over Skype. He said that it was theoretically possible that the forensic trails leading back to Zonis could have been faked—though he conceded that he had never seen it done and had not reviewed the evidence.

The lawyers called Andreas Kaltsounis, a cyberforensics expert who used to work with the FBI and the Department of Defense. He explained to the jury how Tor networks and IP addresses function. He then presented a map showing that many of the seemingly separate accounts from which the Allens had received anonymous harassment were actually linked by overlapping IP addresses. One of the linked accounts was the Facebook page for “Jennifer Jones,” the account that used a picture of a tortoise. It could have been, as Zonis argued, an account that Steven, or some unknown person, created. But the lawyers were prepared. One day, months before the trial, as Van Engelen searched painstakingly through IP addresses associated with logins on the Jones account, she made a discovery: Among the many addresses, there had been one apparent slipup, a login not through Tor but from the Zonises’ home IP address. When she found it Van Engelen ran into Bateman’s office, yelling: “We’ve got him!” It would have been unheard of for someone to fake a login using Zonis’ IP address, Kaltsounis told the jury, because of a safeguard called the three-way handshake that requires hosts to establish a connection with the IP address belonging to the account before any information can be sent.

By the end of arguments, the Allens’ legal team had introduced 1,083 exhibits into evidence. The chart Van Engelen made just to organize the emails was 87 pages long. It was a level of scrutiny that few cyberharassment cases ever receive—and an illustration of what victims face when dealing with such a complicated case, especially if they don’t have access to pro bono help. K&L lawyers and paralegals had spent thousands of hours digging through the evidence. The value of Van Engelen’s time alone was in the ballpark of $400,000.

Zonis never took the stand. He blamed the lawyers for purposefully taking up too much time questioning Courtney and Jennifer, and introducing endless emails that he said had nothing to do with him. Van Engelen was disgusted: “He got his one big chance to tell his side of the story, and he didn’t take it,” she says. “This is somebody who’s very strong behind a keyboard. And when the opportunity arises to actually prove himself and be vindicated, he just folds like a flower.”

On Thursday, March 30, Van Engelen stood up to deliver her closing argument. It was the first time she’d ever done so in a real court.

She began by playing one of the voicemails that Zonis had admitted to leaving—“How does it feel to know that I’m never, ever, ever going to stop?” Then she turned to the jury: “Someone needs to tell him to stop.” She described Courtney’s lowest moment: going for the gun. She reminded them of a message promising isolation, shame, and ridicule, and the email from Zonis’ personal account after Courtney got a protective order: “Glad that bullshit symbolic gesture is out of the way.”

It was impossible to trace all of the harassment directly to Zonis with cyberforensics, Van Engelen told the jury, so she encouraged them to also consider repetition of details (like the sex toy he had sent) that were in both the anonymous messages and voicemails from Zonis. She talked about the problems with the evidence that Zonis had introduced.

“Do not,” Van Engelen concluded, “let this be another bullshit symbolic gesture. Tell him to stop, hold him liable.”

In his own closing statement, Zonis reiterated that “the stuff doesn’t trace back to me,” talked about the difficulty of being cut off from his parents, and cast himself as a scapegoat: “And what if I’m not the devil? Then what do you do? Oh, my God, we were wrong. We can’t have that, can we?” He told the jury that not testifying wasn’t his choice; the judge said this wasn’t true.

The K&L lawyers had not asked for a specific amount of compensation. The Allens told their lawyers that their goal wasn’t money but simply an end to the harassment.

The next afternoon the jury came back with a decision.

The 12 jurors had been given forms to explain which of the Allens’ and Zonis’ claims they deemed true and which they rejected. For the first claim, “Did Todd Zonis electronically impersonate the Allens?” the presiding juror circled yes. The jury also chose yes for “Was the electronic impersonation a proximate cause of the injury or damage to the Allens?” The form offered a blank space to write in the total amount of damages warranted. The jury’s answer: $2 million.

And so it went. The jury found each of the Allens’ other claims against Zonis—intentional invasion of privacy, intentional infliction of emotional distress, and defamation—justified, and to each they affixed a boggling sum. The jury did agree with Zonis on one count: The Allens had “intruded upon the seclusion” of the Zonises, but they found that no harm had resulted. When the amounts awarded to the Allens were totaled, they added up to $8.9 million. It was a record for a cyberharassment case that didn’t involve a celebrity. The jury “didn’t believe it was trivial anymore,” Van Engelen said with satisfaction.

After the trial was over, the Allens and some of the jurors had the chance to meet outside the courtroom. One of the jurors came up to Courtney, gave her a hug, and said, “You’ve been through so much.” Neither the Allens nor their lawyers expect to actually see the award money, but that moment in the hallway felt just as valuable.

“The fact that other people can see it, and they see the crazy in it, helps me feel that I’m not insane,” Courtney said later. The Allens’ deepest hope, though, remained simple: that the harassment would stop.

For more than a month after the trial, it seemed they would get their wish. Then one afternoon Courtney logged on to her computer and found a new email. It read, “pun ish men t w ill soo n b han ded out to the wic ked. you rti me is sho rt. mis sin g fam ily we wil lno t. pri ce for act ion to be pai d y et it is.” More emails followed. Courtney felt a mixture of dread and exhaustion. It wasn’t over. “I’d love nothing more than for us to be left alone,” she says. “Do I expect that to happen? No. I expect this to be in our lives, in some capacity, forever.”

At the time this story went to press, law enforcement had not yet indicated whether criminal charges would be filed. Gary Ernsdorff, of the King County prosecutor’s office, allowed that he kept an eye on the case. Cyberharassment, especially with private images, “is dropping a bomb in somebody’s life,” he said.

After the trial Zonis filed a notice of appeal. He felt the trial was unfair and that the proceedings hadn’t paid enough attention to what he believed the Allens had done to him. His losses, he said, were real and numerous (to the list he added what he considered stress-­induced health problems), while the Allens’ were petty, just “flash” from a “hot-­button issue.” He still denied that his relationship with Courtney was an affair or that he had access to the videos of her or sent the anonymous emails. He also said, in a phone interview, “Anything that I said or did was reactionary” and “If they wanted me to plead guilty to harassment, no problem. What am I harassing them about?”

Soon after the trial, a blog appeared in Zonis’ name. In it he questioned the way the trial was run, disputed its findings, excoriated the people involved, and posted much of the same evidence against Steven that the lawyers discredited at trial. “My name is Todd Zonis and I lost my family, my home, my future, and probably my life, and while my life may not teach you anything, hopefully my death will,” the blog began. The evidence he posted included the images of Courtney and a note: “Please feel free to download any and all of the materials that I have posted here, and use or distribute them as you see fit.”


Brooke Jarvis (@brookejarvis) is a writer based in Seattle.

This article appears in the December issue. Subscribe now.

Listen to this story, and other WIRED features, on the Audm app.

Read more: https://www.wired.com/story/how-one-womans-digital-life-was-weaponized-against-her/

Equifax breach proves we cant leave it up to businesses to protect us

Equifax gets a cyber security score of zero.
Image: RHONA WISE/EPA-EFE/REX/Shutterstock

The Equifax data breach disaster is the last straw.

This can’t go on. 

We can’t let companies flout cyber security best practices and common sense, and we can no longer rely on Social Security numbers as a secure and discrete form of identification. Equifax hasn’t shared its own cybersecurity practices, but it’s fair to say even if they were indeed subpar, it’ll likely survive this storm longterm, even while victims suffer.

It’s time for some changes.

Equifax, a company best known for helping us check our credit scores and protecting consumers from identity theft(!) announced Thursday that it suffered a massive hack impacting 143 million Americans, that’s 44% of the population. The monumental security breach exposed millions and millions of personal data bits to hackers.

I would laugh if it weren’t so horrifying.

Equifax learned of the breach, which apparently came through its website (which is not nearly enough information about the cause), in late July, two months after it started. The company promises that the hackers did not access “core consumer or commercial credit reporting databases,” but they got everything that matters: Social Security numbers, birth dates, addresses and driver’s license numbers.

Holy hell.

There is, it seems, no end to these kinds of breaches. Hackers see every company as a target, and they’ve been wildly successful with Yahoo, Target, Sony, the Democratic National Committee, Verizon, HBO, Ashley Madison, and many others. 

Each time, the company (or group) apologizes, promises to fix it, protect their customers and do better. 

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Chairman and Chief Executive Officer, Richard F. Smith in a statement.

Hahahahahahaha!

Disappointing? The heart of who you are? You’re a freaking identity protection company. Through your credit check business, you have access to much of our most precious financial information and then you ask us to pay more for identity protection. This event should destroy your business. It won’t, but it should.

You know why it won’t? Because these breaches haven’t shut down any of these businesses. Some face civil litigation and pay, some just endure a lot of public shaming. 

None of them face criminal prosecution. 

No one learns anything, certainly not the next company that will be hit. They just look on and breathe a sigh of relief that it’s not them.

Some new rules

Nothing will change here until we have national standards for data security and strong penalties for not applying the necessary technologies, checks, and balances.

Currently in the U.S., only a handful of industries, have federal, mandatory cyber security regulations. These include the Health Insurance Portability and Accountability Act (HIPAA) for healthcare and the 2002 Homeland Security Act, which was enacted in the wake of the 9/11 attacks, for the federal government. Even in finance, which has other strict federal mandates for financial disclosures and internal controls, legislators struggle to implement sweeping cybersecurity rules.

Truth in financial reporting seems like a worthy goal, no less so than safety in data security. And yet there is virtually nothing to encourage general business to clean up its cybersecurity act. By comparison, the Sarbanes-Oxley Act, which brought sweeping financial management and corporate governance regulation to U.S. businesses in 2002, put in place hefty fines and prison terms for those who don’t follow it. Put simply, Sarbanes-Oxley mandates that company management must certify the accuracy of all financial statements and enact expensive internal controls. 

One reason for the lack of cybersecurity rules is that data security and best practices in business is an intricate web of legacy hardware and software, byzantine practices, and bottom line concerns. 

Companies running old operating systems have long been prime hack targets. Most of them continue running old software because 1) it costs money to upgrade and 2) the vertical industries they serve use old legacy software that doesn’t run on the newest platform or hardware.

It’s not just the software, though. Companies like Equifax, Yahoo, the Democratic National Committee, and others don’t follow best practices when it comes to cyber security. They don’t protect or back up their databases off site, they don’t train their employees to not open unknown emails, click on random links, or how to identify a social engineering attack. 

Cyber-security regulations with the same power as Sarbanes-Oxley and penalties would change that. It would stop companies from sitting back and hoping they can dodge the bullet much like young people avoid the doctor because they believe they can never get sick. 

In 2016, 28 states either had or were considering cyber security legislation, but most of it only considers state-controlled systems and services and doesn’t look at the businesses that manage consumer data.

If you think the idea of force-feeding cyber security to business is draconian, look at Microsoft Windows 10. This platform no longer asks you if it can upgrade, it only allows you to specify when. Why? So, home users can have the most up-to-date and secure systems. Microsoft doesn’t even leave cyber security in the hands of third-party companies any more (you can still buy it if you want). Instead, there’s Windows Defender. It’s free, always up-to-date and running 24/7 on Windows 10 PC.

Ideal legislation to regulate cybersecurity would create the foundation for rating agencies to keep track of companies’ cybersecurity prowess. So Equifax would get an Equifax. The quality of a company’s cyber security across a wide variety of metrics (up to date systems, encrypted data, company wide training) would result in a score, much like one’s credit score; 1 would be the worst and 5 would be the best. Simple.

If I were writing this legislation, I would also tie it to the winding down of the Social Security number as an identity tool. Numbers are flat, discoverable things and the fact that we use a combination of nine digits as the skeleton key for life stuff should be a grave concern to everyone.

We have options. Biometric security is growing by leaps and bounds. Facial recognition on the level I have with Windows Hello can’t be fooled with a picture or someone who looks almost just like me. Iris scanning is even more foolproof and now on smartphones like the Samsung Galaxy S8 and Note 8. We have heartbeat sensors that might eventually be used to recognize the unique rhythm of each heart. 

A new Cyber Security Act, with some real regulatory teeth (read penalties) could set a timeline for retiring Social Security numbers, giving businesses and people five years to change systems and upgrade to biometrics.

Leaving these things to chance and the whims of business, which care more about money than they do about you, is no longer sustainable. 

This must end.

Read more: http://mashable.com/2017/09/08/equifax-hack-cyber-security-regulation/

North Korean hackers blamed for worldwide WannaCry cyberattack

Image: mashable

North Korean hackers are allegedly behind the widespread ransomware attack that hit the UK’s National Health Service, affecting computers and hospitals and doctors’ offices last month, according to the BBC.

The hackers belong to a group known as Lazarus, who is believed to have targeted Sony Pictures in 2014 as it planned to release the movie The Interview.

They used a ransomware program called WannaCry which hit multiple countries across the globe, locking up computers and ransoming access in exchange for large Bitcoin payments.

The NHS wasn’t specifically targeted in the attack and the attack affected organisations from across a range of sectors.

The claim that the ransomware attack originated from North Korea was originally made in May by Google security researcher Neel Mehta, who posted a cryptic set of characters on Twitter together with the hashtag #WannaCryptAttribution.

Kaspersky Lab researchers explained that Mehta has posted two similar code samples, one from an early version of WannaCry, and one originating from Lazarus.

Mehta allegedly found evidence that a variant of WannaCry shares code with the 2015 version of Cantopee, a backdoor used by Lazarus Group.

Moreover, WannaCry’s code contained a kill switch a way to stop the malware from spreading indicating that whoever is behind the attack is not (purely) financially motivated.

Another cybersecurity expert, Adrian Nish, who leads the cyber threat intelligence team at BAE, also noticed the overlap with previous code developed by Lazarus.

“It seems to tie back to the same code-base and the same authors,” Nish told the BBC. “The code-overlaps are significant.”

Lazarus Group is highly sophisticated and very active, according to Kaspersky, who in a blog post called the scale of the group’s operation “shocking”.

Britain’s National Cyber Security Centre (NCSC), who is part of the GCHQ, led the international investigation.

Read more: http://mashable.com/2017/06/16/wannacry-ransomware-attack-north-korea-lazarus-group/

A 22-year-old \

A map of the "unprecedented" WannaCry cyber attack.
Image: screenshot/malwaretech

Two 20-something cyber experts helped bring down the widespread ransomware attack that infiltrated networks at hospitals, banks, and government agencies in multiple countries.

A 22-year-old British researcher unintentionally found the so-called “kill switch” that authors of the malicious software left in the code. Later, he teamed up with a 28-year-old engineer in western Michigan to ultimately halt the infections, the Associated Press reported.

The unprecedented outbreak, which began last Friday, locked up computers and extorted users for large Bitcoin payments in nations as diverse as the U.S., Russia, Ukraine, Brazil, Spain, and India. It also hit the U.K.’s National Health Service, affecting computers in hospitals and doctors’ offices.

Britain’s National Cyber Security Center and others praised the 22-year-old researcher identified only as MalwareTech for killing the software, which reportedly blocked U.K. hospital schedules, patient files, and phone and email systems from access and rerouted emergency room patients.

MalwareTech belongs to a large global community of cybersecurity buffs who, working independently or for security companies, constantly monitor for attacks and collaborate to stop them. It’s fairly common for members to use aliases for privacy or to protect themselves from retaliatory attacks.

The young researcher explained in a blog post on Saturday how he “accidentally” stopped the global cyberattack

He said he returned from lunch with a friend on Friday and learned that a ransomeware attack had crippled Britain’s health system. A fellow researcher called Kafeine soon gave him a sample of the malicious software.

The malware, known as WannaCry or WannaCrypt, exploits a vulnerability in Microsoft Windows that was reportedly developed and used by the U.S. National Security Agency. Hackers in the group Shadow Brokers later leaked the exploit online.

In his analysis, MalwareTech noticed a hidden, unregistered web address in the code. He quickly registered the inexpensive domain to see if it would help him track or stop the software.

Meanwhile, across the pond in Michigan, Darien Huss was doing his own research. The engineer, who works for the cybersecurity firm Proofpoint, said he noticed the malware authors had included a kill switch. He took a screenshot of his finding and posted it on Twitter.

Huss and MalwareTech were soon communicating about their findings. By registering the domain name and redirecting attacks to his server, MalwareTech had apparently activated the kill switch, which halted the ransomware’s infections.

The duo’s actions may have saved companies and governments millions of dollars and slowed the outbreak before more U.S. computers were affected.

Huss praised his partner in non-crime for the discovery and said the security industry as a whole “should be considered heroes,” the AP reported. But he said he’s worried the authors of the malware could release a new and improved version without a kill switch, or that copycats could unleash similar attacks.

“I think it is concerning that we could definitely see a similar attack occur, maybe in the next 24 to 48 hours or maybe in the next week or two,” Huss told the AP. “It could be very possible.”

Security experts said the perpetrators of this attack remain unknown. The malicious software was identified in more than 70 experts, though Russia was hit the hardest.

European cybercrime experts are “working closely with affected countries’ cybercrime units and key industry partners to mitigate the threat and assist victims,” Europol, the European Union’s police agency, said on Saturday in a statement.

“The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits,” Europol said.

Associated Press contributed reporting to this story.

Read more: http://mashable.com/2017/05/14/20-somethings-cyber-attack-malwaretech/