MILAN — Nothing about the sand-colored façade of the palazzo tucked behind
Milan’s Duomo cathedral suggested that inside it a team of computer engineers
were building a database to gather private and damaging information about
Italy’s political elite — and use it to try to control them.
The platform, called Beyond, pulled together hundreds of thousands of records
from state databases — including flagged financial transactions and criminal
investigations — to create detailed profiles on politicians, business leaders
and other prominent figures.
Police wiretaps recorded someone they identified as Samuele Calamucci, allegedly
the technical mastermind of the group, boasting that the dossiers gave them the
power to “screw over all of Italy.”
The operation collapsed in fall 2024, when a two-year investigation culminated
in the arrests of four people, with a further 60 questioned. The alleged
ringleaders have denied ever directly accessing state databases, while
lower-level operatives maintain they only conducted open-source searches and
believed their actions were legal. Police files indicate that key suspects
claimed they were operating with the tacit approval of the Italian state.
After months of questioning and plea bargaining, 15 of the accused are set to
enter their pleas at the first court hearing in October.
The disclosures were shocking, not only because of the confidentiality of the
data but also the high-profile nature of the targets, which included former
Prime Minister Matteo Renzi and Ignazio La Russa, co-founder of the ruling
Brothers of Italy party and president of the Senate.
The scandal underscores a novel reality: that in the digital era, privacy is a
relic. While dossiers and kompromat have long been tools of political warfare,
hackers today, commanded by the highest bidder, can access information to
exploit decision-makers’ weaknesses — from private indiscretions to financial
vulnerabilities. The result is a political and business class highly exposed to
external pressures, heightening fears about the resilience of democratic
institutions in an era where data is both power and liability.
POLITICO obtained thousands of pages of police wiretap transcripts and arrest
warrants and spoke with alleged perpetrators, their victims and officials
investigating the scheme. Together, the documents and interviews reveal an
intricate plot to build a database filled with confidential and compromising
data — and a business plan to exploit it for both legal and illegal means.
On the surface, the group presented itself as a corporate intelligence firm,
courting high-profile clients by claiming expertise in resolving complex risk
management issues such as commercial fraud, corruption and infiltration by
organized crime.
Prosecutors accuse the gang of compiling damaging dossiers by illegally
accessing phones, computers and state databases containing information ranging
from tax records to criminal convictions. The data could be used to pressure and
threaten victims or fed to journalists to discredit them.
The alleged perpetrators include a former star police investigator, the top
manager of Milan’s trade fair complex and several cybersecurity experts
prominent in Italy’s tech scene. All have denied wrongdoing.
SUPERCOP TURNED SUPERCROOK
When the gang first drew the attention of investigators in the summer of 2022,
it was almost by accident.
Police were tracking a northern Italian gangster when he arranged a meeting with
retired police inspector Carmine Gallo at a coffee bar in downtown Milan. Gallo,
a veteran in the fight against organized crime, was a familiar face in Italy’s
law enforcement circles. The meeting raised suspicions, and authorities put
Gallo under surveillance — and inadvertently uncovered the gang’s wider
operations.
Gallo, who died in March 2025, was a towering figure in Italian law enforcement.
He helped solve high-profile cases such as the 1995 murder of Maurizio Gucci —
carried out by the fashion mogul’s ex-wife Patrizia Reggiani and her clairvoyant
— and the 1997 kidnapping of Milanese businesswoman Alessandra Sgarella by the
‘ndrangheta organized crime syndicate.
Yet Gallo’s career was not without controversy. Over four decades, he cultivated
ties to organized crime networks and faced repeated investigations for
overstepping legal boundaries. He ultimately received a two-year suspended
sentence for sharing official secrets and assisting criminals.
When he retired from the force in 2018, Gallo illegally carted off investigative
material such as transcripts of interviews with moles, mafia family trees and
photofits, prosecutors’ documents show. His modus operandi was to tell municipal
employees to “get a coffee and come back in half an hour” while he photographed
documents, he boasted in wiretaps.
Still, Gallo’s work ethic remained relentless. In 2019, he co-founded Equalize —
the IT company that hosted the Beyond database — with his business partner
Enrico Pazzali, presenting the firm as a corporate risk intelligence company.
Gallo’s years as a police officer gave him a unique advantage: He could leverage
relationships with former colleagues in law enforcement and intelligence to get
them to carry out illegal searches on his behalf. Some of the information he
obtained was then repackaged as reputational dossiers for clients, commanding
fees of up to €15,000.
Gallo also cashed in his influence for favors, such as procuring passports for
friends and acquaintances. Investigators recorded conversations in which he
bragged of sourcing a passport for a convicted mafioso under investigation for
kidnapping, who planned to flee to the United Arab Emirates.
The supercop-turned-supercriminal claimed that Equalize had a full overview of
Italian criminal operations, extending even to countries like Australia and
Vietnam.
When investigators raided the group’s headquarters, they found thousands of
files and dossiers spanning decades of Italian criminal and political history.
The hackers even claimed to have — as part of what they called their “infinite
archive” — video evidence of the late Prime Minister Silvio Berlusconi’s
so-called bunga bunga parties, which investigators called “a blackmail tool of
the highest value.”
Gallo’s sudden death from a heart attack six months into the investigation stirred
unease among prosecutors. They noted that while an initial autopsy found no
signs of trauma or injection, the absence of such evidence does not necessarily
rule out interference. Investigators have ordered toxicology tests.
‘HANDSOME UNCLE’
Gallo’s collaborator Pazzali, a well-known businessman who headed Milan’s
prestigious Fondazione Fiera Milano, the country’s largest exhibition center,
was Equalize’s alleged frontman.
Pazzali, through his lawyer, declined to comment to POLITICO about the
allegations.
The Fiera, a magnet for money and power, made Pazzali a heavy hitter in Milanese
circles. Having built a successful career across IT, energy and other sectors,
and boasting a full head of steely gray hair, he was known to some by the
nickname “Zio Bello,” or handsome uncle.
Pazzali cultivated close ties to right-wing politicians, including Attilio
Fontana, president of the Lombardy region, and maintained a close association
with high-level intelligence officials. He would meet clients in a
chauffeur-driven black Tesla X, complete with a blue flashing light on the roof
— the kind typically reserved for high-ranking officials.
Since 2019, Pazzali held a 95 percent stake in Equalize. If Gallo’s role was
sourcing confidential information, Pazzali’s was winning high-profile clients,
the prosecutors allege. Leveraging his reputation and political connections, he
helped secure business from banks, industrial conglomerates, multinationals, and
international law firms, including pasta giant Barilla, the Italian subsidiary
of Heineken, and energy powerhouse Eni.
Documents show that Eni paid Equalize €377,000. Roberto Albini, a spokesperson
for the energy giant, told POLITICO that the firm had commissioned Equalize “to
support its strategy and defense in the context of several criminal and civil
cases.” He added that Eni was not aware of any illegal activity by the company.
Marlous den Bieman, corporate communications manager for Heineken, said the
brewer had “ceased all collaboration with Equalize and is actively cooperating
with authorities in their investigation of the company’s practices.”
Barilla declined to comment.
Italy’s third-largest bank, Banca Mediolanum, said it had paid “€3,000 to
Equalize to gather more public information regarding a company that could have
been the subject of a potential deal, managed by our investment bank.” The bank
added, “Of course we were not aware that Equalize was in general conducting its
business also through the adoption of illicit procedures.”
The group’s reach extended beyond Italy. In February 2023, it was hired by
Israeli state intelligence agents in a €1 million operation to trace the
financial flows from the accounts of wealthy individuals to the Russian
mercenary network Wagner. In exchange, the Israelis promised to hand over
intelligence on the illicit trafficking of Iranian gas through Italy — a
commodity that, they suggested, might be of interest to Equalize’s client, the
energy giant Eni.
Equalize rapidly grew into a formidable private investigation operation. Police
reports noted that Pazzali recognized data as “a weapon for enormous economic
and reputational gains,” adding, “Equalize’s raison d’être is to provide …
Pazzali with information and dossiers to be used for the achievement of his
political and economic aims.”
During the 2023 election campaign for the presidency of the Lombardy region,
Pazzali ordered dossiers on close affiliates of former mayor of Milan, Letizia
Moratti, who was challenging his preferred candidate, the far-right Fontana.
A spokesman for Fontana called the allegation “science-fiction” and said
“nothing was offered to the president of the region, he did not ask for
anything, and he certainly did not pay anything.”
In 2022, Pazzali was in the running to manage Italy’s 2026 Winter Olympics as
chief executive. Wiretaps suggested he ordered a dossier on his competitor,
football club AC Milan’s Chairman Paolo Scaroni, but found nothing on him.
Business was booming, but Pazzali and Gallo were thinking ahead. They had become
reliant on cops willing to leak information, and those officers could be spooked
— or caught in the act. That was a vulnerability.
They started to envisage a more sophisticated operation: a platform that
collated all the data the group had in its possession and could generate the
prized dossiers with the click of a button, erasing the need for bribes and
cutting manpower costs — a repository of high-level secrets that, once
operational, would give Pazzali, Gallo, and their team unprecedented power in
Italy.
Pazzali declined to comment on the investigation. He is due to plead before a
judge at a preliminary hearing in October.
‘THE PROFESSOR’ AND THE BOYS
Enter Samuele Calamucci, the coding brain of the operation.
Calamucci is from a small town just outside Milan, and before he began his
career in cybersecurity, he was involved in stonemasonry.
Unlike his partners Gallo and Pazzali, Calamucci wasn’t a known face in the city
— and he had worked hard to keep it that way. He ran his own private
investigation firm, Mercury Advisor, from the same offices as Equalize, handling
the company’s IT operations as an outside contractor.
Calamucci knew his way around Italian government IT systems, too. In wiretapped
conversations, he claimed to have helped build the digital infrastructure for
Italy’s National Cybersecurity Agency and to have worked for the secret
services’ Department of Information for Security.
Known within the gang as “the professor,” Calamucci’s role was to recruit and
manage a team of 30 to 40 programmers he called the ragazzi — the boys.
With his best recruits he began to build Beyond in 2022, the platform designed
to be the digital equivalent of an all-seeing eye.
To populate it, Calamucci and his team purchased data from the dark web,
exploited access through government IT maintenance contracts and siphoned
intelligence from state databases whenever they could, prosecutors said.
In one police-recorded conversation, Calamucci boasted of a hard drive holding
800,000 dossiers. Through his lawyer, Calamucci declined to comment.
“We all thought the requested reports served the good of the country,” said one
of the hackers, granted anonymity to speak freely. “Ninety percent of the
reports carried out were about energy projects, which required open-source
criminal records or membership in mafia syndicates, given that a large portion
concerned the South.” Only 5 percent of the jobs they carried out were for
individuals to conduct an analysis of enemies or competitors, he added.
The hackers were also “not allowed to know” who was coming into Equalize’s
office from the outside. Meetings were held behind closed doors in Gallo’s
office or in conference rooms, the hacker told POLITICO, explaining that the
analysts were unaware of the company’s dynamics and the people it associated
with.
Beyond gave Pazzali, Gallo, and their gang a treasure trove of compromising
information on political and business figures in a searchable platform. Wiretaps
indicated the plan was to sell access via subscription to select clients,
including international law firm Dentons and some of the Big Four consultancies
like Deloitte, KPMG, and EY.
Dentons declined to comment. Deloitte and EY did not respond to a request for
comment. Audee Van Winkel, senior communication officer for KPMG in Belgium,
where one of the alleged gang members worked, said the consultancy did not have
any knowledge or records of KPMG in Belgium working with the platform.
‘INTELLIGENCE MERCENARIES’
In Italy’s sprawling private investigation scene, Equalize was a relative
newcomer. But Gallo, Pazzali and their associates had something going for them:
They were well-connected.
One alleged member of the organization, Gabriele Pegoraro, had worked as an
external cybersecurity expert for intelligence services and had previously made
headlines as the IT genius who helped capture a fugitive terrorist.
Pegoraro said he “carried out only lawful operations using publicly available
sources” and “was in the dark about how the information was used.”
According to wiretaps, Calamucci and Gallo had worked with several intelligence
agents to provide surveillance to protect criminal informants.
On one occasion, Calamucci explained to a subordinate that the relationship with
the secret services “was essential” to continue running Equalize undisturbed.
“We are mercenaries for [Italian] intelligence,” he was heard saying by police
listening in on a meeting with foreign agents at his office.
The services also helped with data searches for the group and created a mask of
cover for the gang, prosecutors believe. A hacker proudly claimed that Equalize
had even received computers handed down from Italy’s foreign intelligence
agency, while law enforcement watched from bugs planted in the ceiling.
THE PROSECUTION
In October 2024, the music stopped.
Prosecutors placed four of the alleged gang members, including Gallo and
Calamucci, under house arrest and another 60 people under investigation. They
brought forward charges including conspiracy to hack, corruption, illegal
accessing of data and the violation of official secrets.
“Just as the Stasi destroyed the lives of so many people using a mixture of
fabricated and collected information, so did these guys,” said Leonida Reitano,
an Italian open-source investigator who studied the case. “They collected
sensitive information, including medical reports, and used it to compromise
their targets.”
News of what the gang had done dropped like a bombshell on Italy’s political
class. Foreign Minister Antonio Tajani told reporters at the time that the
affair was “unacceptable,” while Interior Minister Matteo Piantedosi warned the
parliament that the hackers were “altering the rules of democracy.”
The Equalize scandal “is not only the most serious in the history of the Italian
Republic but represents a real and actual attack on democracy,” said Angelo
Bonelli, MP and member of the opposition Green Europe.
Former Prime Minister Renzi warned of a deeper political risk associated with the gang.
“It is clear that Equalize are very close to the leaders of the right-wing
parties, and intended to build a powerful organization, although it is not yet
certain how deep an impact they had,” he told POLITICO. Renzi is seeking damages
as a civil plaintiff in the eventual criminal trial.
Equalize was liquidated in March, and some of the alleged hackers have since
taken on legitimate roles within the cybersecurity sector.
There are many unresolved questions around the case. Investigators and observers
are still trying to determine the full extent of Equalize’s ties to Italian
intelligence agencies, and whether any clients were aware of or complicit in the
methods used to compile sensitive dossiers. Interviews with intelligence
officials conducted during the investigation were never transcribed, and
testimony given to a parliamentary committee remains classified. Police
documents are heavily redacted, leaving the identities of key figures and the
full scope of the operation unclear.
While Equalize is unprecedented in its scale, efforts to collect information on
political opponents have “become an Italian tradition,” said the political
historian Giovanni Orsina. Spying and political chicanery during and after the
Cold War has damaged democracy and undermined trust in public institutions, made
worse by a lethargic justice system that can take years if not decades to
deliver justice.
“It adds to the perception that Italy is a country in which you can never find
the truth,” Orsina said.
Franco Gabrielli, a former director of Italy’s civil intelligence services,
warned that even the toughest of sentences are unlikely to put an end to the
practice. “It just increases the costs, because if I risk more, I charge more,”
he said.
“We must reduce the damage, put in place procedures, mechanisms,” he added.
“But, unfortunately, all over the world, even where people earn more there are
always black sheep, people who are corrupted. It’s human nature.”
Russian basketball player Daniil Kasatkin was arrested in France on a hacking
charge at the request of the United States.
U.S. authorities believe Kasatkin negotiated payoffs for a ransomware ring that
hacked around 900 companies and two federal government entities in the U.S.,
demanding money to end their attacks, according to a report from AFP. Kasatkin,
who was arrested on June 21, denies the allegations.
His lawyer, Frédéric Bélot, told POLITICO that Kasatkin is a “collateral victim
of that crime” because he bought a second-hand computer with malware.
“He’s not a computer guy,” Bélot said. “He didn’t notice any strange behavior on
the computer because he doesn’t know how computers work.”
A French court denied Kasatkin bail on Wednesday, and he remains in jail
awaiting formal extradition notification from U.S. authorities, according to
Bélot.
Kasatkin had traveled to France to visit Paris with his fiancée and was detained
shortly after arriving at the airport.
He played collegiate basketball briefly at Penn State, then four seasons for the
Moscow-based MBA-MAI team. Bélot said Kasatkin’s physical condition has
deteriorated in jail, which he argued is harming his athletic career.
Joshua Berlinger contributed to this report.
TikTok has to pay €530 million in penalties because it sent the personal data of
Europeans to China illegally and wasn’t transparent enough with users, Ireland’s
powerful privacy regulator said Friday.
The Irish Data Protection Commission (DPC) said TikTok breached the EU’s
flagship data protection rules when it sent European user data to China because
it couldn’t guarantee that the data was protected under China’s surveillance
laws.
Taking a stance on data transfers to China for the first time, the regulator
said TikTok failed to adequately assess the implications of Chinese surveillance
laws on Europeans’ data.
Those laws — which give the Chinese government sweeping powers to order
companies to hand over data — “materially diverge from EU standards,” TikTok
acknowledged during the inquiry.
The regulator also said TikTok breached transparency rules between 2020 and 2022
because it didn’t tell users that personal data was being transferred to China.
It noted that TikTok updated its privacy policy in 2022 and is now “compliant.”
The company has been fined €485 million for its data transfers to China and €45
million for the lack of transparency in its privacy policy.
The fine is the third-largest ever for a breach of the EU’s General Data
Protection Regulation. TikTok has its EU headquarters in Ireland, meaning the
Irish DPC is the lead authority in charge of enforcing the EU rules.
TikTok had for years claimed it did not store European or American user data on
servers in China, but in April informed the regulator that it had discovered in
February that “limited EEA User Data” had in fact been stored in China.
Irish DPC Deputy Commissioner Graham Doyle said the regulator was taking this
discovery “very seriously,” and while TikTok has said it deleted the data on
Chinese servers, was considering “what further regulatory action may be
warranted.”
TikTok has been given six months to bring its data processing practices in line
with the EU’s privacy rules, or suspend all data transfers to the country.
TikTok said it “strongly contest[s]” the Irish DPC’s findings and plans to
appeal in full.
“Beyond the DPC’s failure to substantively consider the extensive safeguards
[already implemented by Tiktok], we are disappointed to have been singled out
despite relying on the same legal mechanism employed by thousands of other
companies providing services in Europe,” said Christine Grahn, TikTok’s head of
public policy and government relations for Europe, in a written statement.
TikTok pointed to its €12 billion investment in Project Clover, which is rolling
out data centers in Europe to store data locally in the EU, as well as other
privacy safeguards. The Irish DPC acknowledged the project but said it was not
enough to sway its decision.
Grahn emphasized that TikTok has “never received a request for European user
data from the Chinese authorities, and has never provided European user data to
them.”
She said that the Irish DPC ruling “risks setting a precedent with far-reaching
consequences for companies and entire industries across Europe that operate on a
global scale,” and “delivers a blow to the European Union’s competitiveness.”
Online scammers are using the death of Pope Francis in attempts to steal data
and scam people, according to research by cybersecurity firm Check Point shared
with POLITICO.
Check Point said it had identified posts on social media platforms including
Instagram and TikTok seeking to trick social media users into clicking on links
embedded in the posts.
One example involved a link from a fake news story that led to a fake Google
page promoting a gift card scam designed to get people to pay money or give
sensitive info. Another post, on TikTok, claimed the news of the Pope’s death
was a hoax, in attempts to spur online sharing. Other posts featured
AI-generated images depicting the Pope.
Campaigns of this type often pop up around major news events, when hackers
elicit curiosity and emotional reactions to try to lure unsuspecting users to
fraudulent websites.
“Cybercriminals thrive on chaos and curiosity,” said Rafa Lopez, a security
engineer at Check Point. “Whenever a major news event occurs, we see a sharp
rise in scams designed to exploit public interest.”
Researchers have called this “cyber threat opportunism,” a phenomenon that
spiked during the Covid-19 pandemic, when Google identified 18 million malware
and phishing Gmail messages per day related to the pandemic.
Instagram’s parent company Meta and TikTok did not immediately respond to a
request for comment.
A prominent European Parliament member was the victim of what is believed to be
a cyber-espionage operation tied to her role as chair of the chamber’s Iran
delegation, she told POLITICO.
The office of Hannah Neumann, a member of the German Greens and head of the
delegation spearheading work on European Union-Iran relations, was targeted by a
hacking campaign that started in January, she said. Her staff was contacted with
messages, phone calls and emails by hackers impersonating a legitimate contact.
They eventually managed to target a laptop with malicious software.
“It was a very sophisticated attempt using various ways to manage that someone
accidentally opens a link, including putting personal pressure on them,” Neumann
said.
Neumann was made aware of the ongoing ploy four weeks ago by the German domestic
intelligence service, she said.
The group thought to be behind the attack is a hacking collective associated
with the Iranian Revolutionary Guard, known as APT42, according to a report by
the Parliament’s in-house IT service DG ITEC and seen by POLITICO. Another
Iranian hacking group, called APT35 or Charming Kitten, was initially considered
a culprit too. The two Iranian threat groups are closely related.
Hackers from these groups were behind the operation that stole internal
communication of Donald Trump’s presidential election campaign last year,
leaking it to media including POLITICO. The Trump campaign later confirmed it
was hacked, blaming Iran.
Neumann’s office laptop was targeted by the hackers earlier this year, she said.
Parliament’s IT services carried out an investigation and said in their report
that no sensitive information was taken since “all attempts were blocked by EP
defenses” and it had been an “incomplete infection chain.”
Neumann said the Iranian regime “tried in many different ways to make me shut up
and they haven’t succeeded. By infiltrating my office they hoped to get material
they could use to [compromise] me.”
INFECT, COLLECT DATA
Google’s Mandiant Threat Intelligence service has previously found APT42 posing
as journalists and event organizers to build trust with victims through ongoing
correspondence, and to deliver invitations to conferences or legitimate
documents, as a way to steal credentials and use them to gain access to cloud
servers.
According to DG ITEC’s report, the so-called spear-phishing attack on Neumann
was an attempt to infect the laptop and collect credentials, “with the likely
intent of exfiltrating sensitive information or executing further espionage
actions.”
The specific fraudulent identity that was used to establish contact with
Neumann’s office was that of Matthew Levitt, a former United States FBI and
government official who had had several exchanges with Neumann before.
The fake Levitt email asked for the German lawmaker to speak at a conference as
part of his role at the Washington Institute for Near East Policy. It attached a
link to download an alleged “highly confidential and thus encrypted” note.
As chair of the Parliament delegation for relations with Iran, Neumann regularly
engages with trade unions, civil society organizations, human rights lawyers and
activists fighting for democracy in the country. Neumann previously sat on the
Parliament’s special inquiry committee into the use of Pegasus and other spyware
in Europe.
“I work on spyware. I work with a lot of diaspora communities. So on a
theoretical level I am always ready for something like this to happen. I check
my phone regularly,” she said.
The attacks were “another way to further intimidate me and show me how powerful
they are,” she said. “It was clearly a message coming from the [Iranian]
Revolutionary Guards to make me shut up, which they have tried in different ways
before. The right answer is to speak up … I have a duty to speak up,” she said.
Parliament spokesperson Delphine Colard said in a statement that the chamber’s
services “constantly monitor cybersecurity threats as well as potential
cyberattacks against its working environment and quickly deploy the necessary
measures to prevent them or support the users. Due to the sensitive nature of the
activity, we do not provide further comment on [European Parliament] security
or cybersecurity matters.”
BRUSSELS — Russian hackers sure know their target audience.
A hacking group previously linked to Russian intelligence services has in past
months targeted European diplomats with invitations to fake wine-tasting events
from a European foreign affairs ministry, new research released Tuesday showed.
Cybersecurity firm Check Point said the Russia-linked group known as Cozy Bear
had targeted European diplomatic entities with emails bearing subject lines like
“Wine Testing [sic] Event” and “Diplomatic Dinner.” The emails contained
malicious software to compromise victims’ security.
Cozy Bear is one of Russia’s most notorious hacking groups. It is believed to
have conducted major hacks like the intrusion into the United States Democratic
National Committee in the run-up to the 2016 presidential election, as well as
the recent massive hack of software firm SolarWinds, described as the largest
attack ever.
Western security services have previously linked Cozy Bear, also known as APT29
and Midnight Blizzard, to Russia’s SVR foreign intelligence service.
The hackers behind the new campaign posed as a “major” European foreign affairs
ministry, sending the fake invitations to targets, particularly foreign
ministries, as well as to the embassies of non-EU countries located in Europe.
Rather than being steered to a full-bodied red or a crisp white, diplomats who
opened the attachment in the emails would inadvertently download the malicious
software.
Check Point has been tracking the campaign since January. Sergey Shykevich, a
researcher at the firm, declined to say which foreign affairs ministry the
hackers had impersonated, saying only that it was “one of the big ones” in the
European Union.
Commenting on the choice of wine as a lure, Shykevich said: “Someone on the
attacker side had a good idea.”
Shykevich added that Check Point had not established whether the hacking
attempts were successful. The firm said in its research that it had found
indications that diplomats in the Middle East were also targeted.
Two European diplomats told POLITICO they regularly get warnings about phishing
attempts, but haven’t received one about this specific campaign.
The attack is an updated version of a similar campaign previously identified by
Google.
PARIS — French Foreign Affairs Minister Jean-Noël Barrot voiced his confusion
over reports that the United States’ Defense Secretary Pete Hegseth has ordered
a halt of offensive cyber operations against Russia.
“I have a bit of trouble understanding [Hegseth’s decision],” Barrot told public
radio France Inter Monday. The French minister said European Union countries
“are constantly the targets” of Russian cyberattacks.
Cybersecurity publication The Record on Friday reported that Hegseth had ordered
U.S. Cyber Command to stand down from planning offensive cyber operations
against Russia. The report was confirmed by other publications shortly after.
Cyber Command is the U.S. Department of Defense’s section conducting
cyberattacks and cyberdefensive operations.
Hegseth’s move raised eyebrows in Europe, where Russia is seen as a main threat
in cyberspace together with China.
Both French diplomatic officials and President Emmanuel Macron have repeatedly
accused Russia of engaging in hybrid warfare against France through
cyberattacks. “Russia is attacking us on information, cyber,” Macron said last
month, claiming that Moscow was seeking to “destabilize our democracies.”
A report published on Feb. 24 by Viginum, the French digital interference
service, said France was “the subject of a particularly aggressive and
persistent targeting by Russian information threat actors.”
A group of Chinese hackers stole data from Belgian state security services
between 2021 and 2023, in what is considered the biggest breach of the services
ever, local newspaper Le Soir reported on Wednesday.
The hacking group exploited a vulnerability, first reported in 2023, in the
email system of U.S. software supplier Barracuda. That system was used by
Belgian intelligence as well as the Belgian Pipeline Organisation, which
monitors pipelines in the North Sea.
Cyber researchers at Google’s Mandiant previously said the group was very
likely a cyberespionage service working for the Chinese state.
Le Soir on Wednesday cited several sources close to the State Security Service
(VSSE) saying an internal audit had found the hackers gained access to the
external server for email exchanges.
The report said the hacked data did not include classified information, as
that was saved on an internal server. But the hackers are believed to have
obtained correspondence with the country’s prosecutors’ office, police, a
ministerial cabinet and other institutions, as well as personal data of the
intelligence service’s staff.
VSSE did not immediately respond to a request for comment.
The European Parliament has asked lawmakers, parliamentary assistants and staff
to use Signal, an end-to-end-encrypted messaging app, as an instant messaging
tool for work-related communications, according to an internal email seen by
POLITICO.
“Due to a recent increase in threat on commercial telecommunications
infrastructure and following certain incidents targeting large
telecommunications companies mainly in the U.S., the risk of interception or
manipulation of unsecure communications via public networks has increased,” the
email said.
The advice comes after it was revealed that a China-linked hacking group called
Salt Typhoon conducted large-scale intrusions on U.S. and global
telecommunication providers. New research by cyber intelligence firm Recorded
Future on Thursday showed the group had breached telcos as recently as January,
including in Italy and the U.K., despite U.S. sanctions.
Parliament’s email reminded lawmakers they should use “Parliament’s corporate
solutions” Teams and Jabber when possible and only Signal if the two are
unavailable.
“The use of Signal is proposed as a safe alternative in cases where no
equivalent corporate tool is available,” the Parliament’s press service said in
a statement, adding it couldn’t “comment further on security or cybersecurity
measures or tools.”
In 2020, the European Commission gave similar advice, telling its staff to
switch to Signal for secure communications.
In 2023, several EU institutions also banned the use of TikTok on work-related
devices, requesting that their staff — numbering about 32,000 — remove the app
from official devices and from personal devices with work-related apps
installed. The decision sparked a wave of similar measures across European
capitals.
The Signal app is favored by cybersecurity experts and privacy activists
because of its end-to-end encryption and open-source technology.
Russian intelligence agencies are relying more on cybercriminal groups loyal to
the Kremlin to support the country’s disruption campaigns in Ukraine, Google
said in a new report.
“Russian intelligence services have increasingly leveraged pre-existing or new
relationships with cybercriminal groups to advance national objectives and
augment intelligence collection,” the researchers said in the report published
Wednesday.
Criminal tools are often easily available on the dark web at a low cost, and
thus much cheaper and faster-developing than malware and tools designed by
intelligence services’ hacking groups themselves, the researchers at Google’s
Threat Intelligence group said.
The report comes on the eve of the Munich Security Conference later this week,
where cybersecurity officials will gather to discuss international efforts to
defend countries against the growing barrage of cyberattacks, among other
security issues.
The new research showed an increasingly blurred line between state-on-state
cyber aggression on the one hand and the defense of governments and industry
organizations against cybercrime on the other. The latter has traditionally
been seen as more financially motivated.
Other benefits are that it obscures who is behind a hack and that, if an
operation using certain malware is discovered, the cost of developing a new
tool does not fall on the intelligence agency, researchers said.
As an example, Russia’s notorious military intelligence hacking unit APT44 (also
called Sandworm) has used tools acquired from cybercrime gangs to conduct
espionage and disrupt Ukrainian war efforts since the beginning of the war in
2022, researchers said.
Crime gangs like CIGAR (also known as RomCom) were found to deploy ransomware to
carry out undercover operations against the Ukrainian government, they added.