Tech by VICE

Malware That Spits Cash Out of ATMs Has Spread Across the World

A joint investigation between Motherboard and the German broadcaster Bayerischer Rundfunk (BR) has uncovered new details about a spate of so-called “jackpotting” attacks.

by Joseph Cox
Oct 15 2019, 4:00am

Image: Cathryn Virginia

At 10am on a late November morning in Freiburg, Germany, a bank employee noticed something was wrong with one of the bank's ATMs.

It had been hacked with a piece of malware called "Cutlet Maker" that is designed to make ATMs eject all of the money inside them, according to a law enforcement official familiar with the case.

"Ho-ho-ho! Let's make some cutlets today!" Cutlet Maker's control panel reads, alongside cartoon images of a chef and a cheering piece of meat. In an apparent Russian play on words, a cutlet not only means a cut of meat, but a bundle of cash, too.

A joint investigation between Motherboard and the German broadcaster Bayerischer Rundfunk (BR) has uncovered new details about a spate of so-called "jackpotting" attacks on ATMs in Germany in 2017 that saw thieves make off with more than a million Euros. Jackpotting is a technique where cybercriminals use malware or a piece of hardware to trick an ATM into ejecting all of its cash, no stolen credit card required. Hackers typically install the malware onto an ATM by physically opening a panel on the machine to reveal a USB port.

In some cases, we have identified the specific bank and ATM manufacturer affected. Although a European non-profit said jackpotting attacks have decreased in the region in the first half of this year, multiple sources said the number of attacks in other parts of the world has gone up. Attacked regions include the U.S., Latin America, and Southeast Asia, and the issue impacts banks and ATM manufacturers across the financial industry.

"The U.S. is quite popular," a source familiar with ATM attacks said. Motherboard and BR granted multiple sources, including law enforcement officials, anonymity to speak more candidly about sensitive hacking incidents.

A screenshot of the Cutlet Maker control panel. Image: Twitter account of @CryptoInsane

*

During the annual Black Hat cybersecurity conference in 2010, late researcher Barnaby Jack demonstrated live on stage his own strain of ATM malware. The audience broke into applause as the ATM displayed the word "JACKPOT" and ejected a steady stream of bank notes.

Now, similar attacks have been deployed in the wild.

In that Freiburg instance no cash was stolen, the law enforcement official said. But Christoph Hebbecker, a prosecuting attorney for the German state of North Rhine-Westphalia, said his office is investigating 10 incidents that took place between February and November 2017, including attacks in which thieves did make off with bundles of cash. In all, hackers stole 1.4 million Euro ($1.5 million), Hebbecker said.

Hebbecker added that because of the similar nature of the attacks, he believes they are all linked to the same criminal gang. In some cases, the prosecutors have video evidence, but they have no suspects so far, he added.

"The investigation is still ongoing," Hebbecker said in an email in German.

Multiple sources said a number of the 2017 attacks in Germany impacted the bank Santander; two sources said they specifically involved the Wincor 2000xe model of ATM, made by the ATM manufacturer Diebold Nixdorf.

"In general, we do not comment on dedicated, single cases," Bernd Redecker, director of corporate security and fraud management at Diebold Nixdorf, said in a phone call. "However, we are of course dealing with our customers on jackpotting, and we are aware of these cases." Diebold Nixdorf has also sold these ATMs to the U.S. market.

An overview of the 2000xe model of ATM. Image: Wincor Nixdorf.

A Santander spokesperson said in an emailed statement, "Protecting our customers’ information and the integrity of our physical network is at the core of what we do. Our experts are involved at every stage of product development and operations to protect customers and the bank from fraud and cyber threats. This focus on protecting our data and operations prevents us from commenting on specific security issues."

Officials in Berlin said they had faced at least 36 jackpotting cases since spring 2018, resulting in several thousand Euro being stolen. They declined to name the specific malware used.

In all, authorities have recorded 82 jackpotting attacks in Germany across different states in the past several years, according to police spokespeople. However, not all of those attacks resulted in successful cash-outs.

Do you know about other jackpotting attacks? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

It's important to remember ATM jackpotting is not limited to a single bank or ATM manufacturer, though. It is likely the other attacks impacted banks other than Santander; those are simply the attacks our investigation identified.

"You will see this across all vendors; this is not dedicated towards a specific machine, nor towards a specific brand, and definitely not a region," Redecker said.

Part of the security issue for ATMs is that many of them are, in essence, aged Windows computers.

"These are very old, slow machines," the source familiar with ATM attacks said.

ATM manufacturers have made security improvements to their devices, Redecker from Diebold Nixdorf stressed. But that doesn't necessarily mean all ATMs across the industry will be up to the same standard.

And responsibility for securing access to the ATMs falls on the banks too.

"In order to execute a jackpotting attack, you have to have access to the internal components of the ATM. So, preventing that first physical attack on the ATM goes a long way toward preventing the jackpotting attack," David N. Tente, executive director of USA, Canada & Americas at the ATM Industry Association (ATMIA), said in an email.

Redecker said he's been seeing attacks across the globe since 2012, with Germany suffering its first jackpotting attacks in Berlin in 2014.

Around the time of the 2017 attacks, researchers at cybersecurity firm Kaspersky published research showing Cutlet Maker for sale on hacking forums since May of that year. It seemed anyone with a few thousand dollars could buy the malware, and have a go at jackpotting ATMs themselves.

"The bad guys are selling these developments [malware] to just anybody," David Sancho, senior threat researcher at cybersecurity firm Trend Micro, and who works with Europol on jackpotting research, said. That has enabled smaller outfits or enterprising criminals to start targeting ATMs, he added.

"Potentially this can affect any country in the world," Sancho said.

Motherboard spoke to one cybercriminal claiming to sell the Cutlet Maker malware.

"Yes I'm selling. It costs $1000," they wrote in an email, adding that they can offer support on how to use the tool as well. The seller provided screenshots of an instruction manual in Russian and English, which steps potential users through how to empty an ATM. Sections of the manual include how to check how many banknotes are inside the ATM, and installing the malware itself.

The European Association for Secure Transactions (EAST), a non-profit that tracks financial fraud, said jackpotting attacks decreased 43 percent over the previous year, in a report published this month. But it's worth stressing that EAST's report only covers Europe.

"It happens in parts of the world where they don't have to tell anybody about it," the source familiar with ATM attacks added. "It's increasing, but, again, the biggest problem we've got is that nobody wants to report this."

That lowering of the barrier to entry for ATM malware has arguably driven some of the spike in jackpotting attacks. In January 2018, the Secret Service began warning financial institutions of the first jackpotting attacks in the U.S., although those used another piece of ATM malware called Ploutus.D.

"Globally, our 2019 survey indicates that jackpotting attacks are increasing," Tente from ATMIA wrote in an email.

As the source familiar with ATM attacks said, "There are attacks happening, but a lot of the time it's not publicized."

Subscribe to our new cybersecurity podcast, CYBER.


The Cybersecurity Stories We Were Jealous of in 2018

These are the best stories on hacking and information security that we wish we had reported and written ourselves.

by Lorenzo Franceschi-Bicchierai and Joseph Cox
Dec 21 2018, 3:10pm

Image: Shutterstock

Here at Motherboard, we are passionate about cybersecurity. We cover stories of hacking and information security every single day. Our goal is to tell you all the most important stories in the world of hackers. Unfortunately, we just can’t get to all the stories, and more often than not, other publications get to them before we do. And that’s OK! It’s how journalism works.

This year, we thought it’d be good to highlight some of those stories. We took inspiration from Bloomberg BusinessWeek Jealousy list, where the magazine highlights other people’s great work.

Call it Motherboard’s Cyber Jealousy list. A humble hat tip to our favorite stories from our fierce competitors. It’s a tribute to the journalists and the stories that gave us a bit of envy, pushed us to be better, and best served the public interest.

Without further ado, here’s a very incomplete list of our favorite stories about hacking and information security that we loved, and that we wish we had done ourselves.

Kaspersky's 'Slingshot' Report Burned An Isis-focused Intelligence Operation (Cyberscoop)

What is a cybersecurity firm's responsibility around not exposing certain hacking operations? Here, Cyberscoop showed that sometimes companies do decide to unmask campaigns targeting arguably legitimate threats, such as terrorists. We also explored this dilemma in our feature on Kaspersky Lab a few weeks after Chris Bing and Patrick O'Neill's scoop.

The CIA's Communications Suffered A Catastrophic Compromise. It Started In Iran. (Yahoo News)

The US government and its intelligence apparatus suffered a deadly blow in China in 2011 and 2012, when more than two dozen CIA sources and informants were killed. But it all started in Iran in 2009, when hackers broke into a CIA “internet-based covert communications system,” as revealed in this bombshell report by Zach Dorfman and Jenna McLaughlin.

How Persian Gulf Rivals Turned US Media Into Their Battleground (BuzzFeed News)

Sometimes the best weapon a hacker can use is not an exploit or phishing kit, but the media. If you can discredit your enemy through the relatively cheap method of enticing a journalist with a scoop, you're onto a winning strategy. Just look at how Guccifer 2.0, a persona allegedly created by the Russian government, distributed the hacked Democrats' material too.

Mysterious $15,000 'GrayKey' Promises To Unlock iPhone X For The Feds (Forbes)

This story broke open an entire avenue of reporting for us and others: finally, someone was selling relatively cheap tools for unlocking iPhones, which led to widespread proliferation of the tech not just among the three-letter intelligence agencies of the world, but also among state- and local law enforcement. This has ramifications for all sorts of things in the so-called Going Dark debate, and kicked off a new game of security cat-and-mouse between Apple and Grayshift.

FBI Repeatedly Overstated Encryption Threat Figures To Congress, Public (The Washington Post)

The FBI has been complaining about encryption...well, pretty much since the 1990s. And in the last few years, particularly after Apple refused to help unlock an alleged terrorist's iPhone, the battle has intensified. This Washington Post scoop showed that the numbers trotted out by FBI officials when talking about how damaging strong encryption is during investigations were overstated and sometimes incorrect. In other words, encryption isn't as much of a hurdle as the FBI would like us to believe.

Google Plans to Launch Censored Search Engine in China, Leaked Documents Reveal (The Intercept)

Ryan Gallagher not only broke the news that Google was developing a search engine for China, one that would censor terms around human rights and protests, but he’s also remained on top of the story. His reporting sparked widespread protests both internally at Google and among human rights organizations, questions at a Congressional hearing, and, just this week, he reported that Google has hit a major roadblock with the project as disputes have grown internally. This story reminded us—once again—that companies that have a good track record for caring about human rights don’t always stay that way, and that a handful of employees speaking up can change the course of a multi-billion company.

Google Is Helping the Pentagon Build AI for Drones (Gizmodo)

Speaking of Google employees standing up against a controversial program, this story about the internet giant’s secret Pentagon contract broke long before Googlers organized marches to protest their own company. Kate Conger’s relentless reporting on the story led to Google shutting down the program and was one of the original stories that helped kick off a new wave of protests by Silicon Valley employees against their own companies.

Facebook Is Giving Advertisers Access to Your Shadow Contact Information (Gizmodo)

It wasn’t a great year for Facebook’s bosses either. Cambridge Analytica, a constant struggle to moderate content, and some embarrassing breaches affecting millions of people, among a slew of seemingly endless scandals. You may have missed or forgotten this story, but it’s worth your time. Kashmir Hill, with the help of a team of smart researchers, proved how Facebook mines your cell phone’s contact data to suggest new friends on the social network, and to serve you better targeted ads.

Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret (The New York Times)

Speaking of apps that know too much...there are only a few outlets with the resources, reach, and dedication to take a story and present it in such a way that the general public can really understand a security issue. This is one of those stories—the sharing of location data lifted by apps may not be a new phenomenon, but the Times team produced the definitive piece tangibly explaining what this means for the privacy of everyone with a smartphone.

Thermostats, Locks and Lights: Digital Tools of Domestic Abuse (The New York Times)

We’ve extensively covered how malware is used in cases of domestic violence, stalking, and abuse. This Times piece looked at the next step in that use of technology at home: the Internet of Things. Definitely worth a read if you are concerned with how technology can impact the lives of ordinary, non-technical people. And if you don’t, why are you reading a post about cyber articles?

Russian Troll Farm Hijacked American Teen Girls’ Computers for Likes (The Daily Beast)

As a hacker, Kevin Poulsen brings some of the coolest technological approaches into journalism. Here, Poulsen found a dodgy browser extension belonging to Russia's controversial troll army, the Internet Research Agency. He then bought the domain linked to it, letting him see what sort of data it was collecting, and from where. He found the IRA's software on computers all over the place. A great reminder to think about how journalists can approach a story from a different, technological angle.

A Quebecer Spoke Out Against The Saudis—Then Learned He Had Spyware On His iPhone (CBC)

What’s the point of writing about malware, spyware, and hacking if you can’t show readers how the technology affects real people? Every great infosec story should have a human angle. This is a great example of that. Former Motherboard editor Matt Braga visited one of the latest victims of government-sponsored hacking, a growing problem that’s putting regular people all over the world in danger.

Gray Hat—Marcus Hutchins’ Profile (New York Magazine)

The security researcher better known as MalwareTech helped stop WannaCry, one of the most virally infectious malware outbreaks ever. Months later, the FBI arrested him for a crime he is accused of having committed when he was a teen. This in-depth profile tries to answer a universal question in the world of cybersecurity: does a hacker hero always have to have a past? And if so, what should authorities do with them?

Service Meant to Monitor Inmates’ Calls Could Track You, Too (The New York Times)

File this under “companies you probably never heard of doing sketchy things that can affect us all.” The Times scored another huge scoop revealing that Securus Technologies, a firm that provides and monitors inmates phone calls, was letting pretty much anyone track people’s cell phones for a fee. Thanks to Securus, anyone “can find the whereabouts of almost any cell phone in the country within seconds,” according to the investigation. As we found out later, and rather unsurprisingly, Securus wasn’t securing this data at all.

The Crisis of Election Security (The New York Times)

You’ve heard about election hacking for years. Everyone is worried about it, but seemingly no one is doing anything to prevent it. Veteran infosec reporter (and Motherboard contributor) Kim Zetter goes deep into the history and crisis of election security, writing perhaps the definitive piece about the subject. A must-read for anyone who cares about democracy and the integrity of the elections.

The Untold Story Of NotPetya, The Most Devastating Cyberattack In History (Wired)

The outbreak of the destructive malware NotPetya never got the attention it deserved, perhaps because it came a few weeks after the headline-grabbing WannaCry ransomware outbreak. Andy Greenberg does it justice in this thrilling tale, part of his upcoming book, on how NotPetya crippled the largest shipping company in the world. The only downside of this story is that it will make you want to read more, but you'll have to wait until the book comes out.

In Leaked Chats, WikiLeaks Discusses Preference For GOP Over Clinton, Russia, Trolling, And Feminists They Don't Like (The Intercept)

WikiLeaks and Julian Assange’s fall from grace has been documented over the last few years, but this report built on a treasure trove of leaked chat logs, felt like the nail in the coffin. The Intercept revealed how the secret-spilling organization candidly talked about their preference for the Republican party to win the 2016 election, their thoughts on the “bright, well connected, sadistic sociopath” Hillary Clinton, and some unsavory comments about feminist activists.

Israeli Cyber Firm Negotiated Advanced Attack Capabilities Sale With Saudis, Haaretz Reveals (Haaretz)

The controversial and successful spyware vendor NSO Group has been in the headlines for a couple of years, after researchers caught government hackers using sophisticated hacking tools developed by the company to hack a Dubai-based human rights activist. This investigation by Israeli newspaper Haaretz exposed the behind the scenes story of how Saudi Arabia bought iPhone malware from NSO for more than $200 million.

Russian Hackers Posed As ISIS To Threaten Military Wives (Associated Press)

The threat of ISIS hackers has often been unjustifiably hyped up. But in this deeply reported story, people like Angela Ricketts show that the threat was real enough for some people. The AP’s Raphael Satter talked to several people targeted by ISIS sympathizers, putting a face to the victims of a scary online campaign. We need more stories that focus on the victims of hacking, this was a great example of that. And Satter and his colleagues at the AP have produced several more in the last few months that are also worth your time.

Living with Depression in Tech (Jonathan Zdziarski's personal blog)

Apple security researcher and forensic expert Jonathan Zdziarski here opened up about an incredibly important and often overlooked topic: mental health in tech. Zdziarski powerfully details his own struggle with depression, and at the same time offers a hopeful tale of overcoming it with a lot of hard work, introspection, and learning.

We look forward to more stories like these next year—not just on our own site, but on those of the competition. We’ll also try to have some of these reporters on CYBER, our new infosec podcast, to talk about their biggest stories.



Criminals Are Tapping into the Phone Network Backbone to Empty Bank Accounts

Motherboard has identified a specific UK bank that has fallen victim to so-called SS7 attacks, and sources say the issue is wider than previously reported.

by Joseph Cox
Jan 31 2019, 6:46pm

Image: Shutterstock

Sophisticated hackers have long exploited flaws in SS7, a protocol used by telecom companies to coordinate how they route texts and calls around the world. Those who exploit SS7 can potentially track phones on the other side of the planet, and intercept text messages and phone calls without hacking the phone itself.

This activity was typically only within reach of intelligence agencies or surveillance contractors, but now Motherboard has confirmed that this capability is much more widely available in the hands of financially-driven cybercriminal groups, who are using it to empty bank accounts. So-called SS7 attacks against banks are, although still relatively rare, much more prevalent than previously reported. Motherboard has identified a specific bank—the UK's Metro Bank—that fell victim to such an attack.

The news highlights the gaping holes in the world’s telecommunications infrastructure that the telco industry has known about for years despite ongoing attacks from criminals. The National Cyber Security Centre (NCSC), the defensive arm of the UK’s signals intelligence agency GCHQ, confirmed that SS7 is being used to intercept codes used for banking.

"We are aware of a known telecommunications vulnerability being exploited to target bank accounts by intercepting SMS text messages used as 2-Factor Authentication (2FA)," the NCSC told Motherboard in a statement.

“Some of our clients in the banking industry or other financial services; they see more and more SS7-based [requests],” Karsten Nohl, a researcher from Security Research Labs who has worked on SS7 for years, told Motherboard in a phone call. “All of a sudden you have someone’s text messages.”


Metro Bank, which launched in 2010, confirmed it had faced an SS7 attack, and said in a statement it has supported a law enforcement investigation into SS7 attacks across the industry.

“At Metro Bank we take our customers’ security extremely seriously and have a comprehensive range of safeguards in place to help protect them against fraud. We have supported telecommunication companies and law enforcement authorities with an industry-wide investigation and understand that steps have been taken to resolve the issue,” a Metro Bank spokesperson told Motherboard in an email.

“Of those customers impacted by this type of fraud, an extremely small number have been Metro Bank customers and none have been left out of pocket as a result. Customers should continue to remain vigilant and report any suspicious activity using the number on the back of their card or on our website,” the statement added.

UK Finance, a trade association for UK banks, told Motherboard in a statement that “The protection of customer accounts is an absolute priority for the industry. We are aware of reports of a small number of incidents and understand that immediate steps were taken by the relevant telecommunication bodies to resolve the issue.” Metro Bank is a member of UK Finance.

Major UK telco BT told Motherboard in a statement, “We’re aware of the potential of SS7 to be used to try to commit banking fraud. Customer security is our top priority so we’re always upgrading our systems and working with the industry and banks to help protect our customers.” This statement also applies to the telco EE, which is part of BT, the spokesperson added.

A Vodafone spokesperson told Motherboard in a statement, "We have specific security measures in place to protect our customers against SS7 vulnerabilities that have been deployed over the last few years, and we have no evidence to suggest that Vodafone customers have been affected. Vodafone is working closely with GSMA, banks and security experts on this issue." The GSMA is a trade group that represents mobile network operators.

O2 and TalkTalk did not provide statements in time for publication.

Got a tip? You can contact this reporter securely on Signal on +44 20 8133 5190, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

The fundamental issue with the SS7 network is that it does not authenticate who sent a request. So if someone gains access to the network—a government agency, a surveillance company, or a criminal—SS7 will treat their commands to reroute text messages or calls just as legitimately as anyone else’s. There are protections that can be put in place, such as SS7 firewalls, and ways to detect certain attacks, but room for exploitation remains.

In the case of stealing money from bank accounts, a hacker would typically first need a target's online banking username and password, perhaps obtained by phishing the target. Then, once logged in, the bank may ask for confirmation of the transfer by sending the account owner a verification code in a text message. With SS7, the hackers can reroute and intercept this text and enter the code themselves. Exploiting SS7 in this way circumvents the protection of two-factor authentication, where a system requires not only a password but something else too, such as an extra code.
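The two paragraphs above describe the mechanism at the level of "SS7 does not authenticate who sent a request" and "the hackers intercept the text". The following toy model, added here as an illustration and not code from the article or from any telco or bank, shows the same thing concretely: a Home Location Register that accepts an UpdateLocation from anyone, an SMS delivery path that asks that register where to route the message, and a bank that sends its code by SMS. Every name in it (the `Hlr` class, `home-msc`, `attacker-msc`, the IMSI and phone number) is invented. The optional velocity rule stands in for the kind of plausibility check an SS7 firewall can add, and the RFC 6238 TOTP function at the end shows why an authenticator-app code is out of reach of this attack: it is computed on the device and never crosses the phone network.

```python
"""Toy model of SMS-2FA interception via an unauthenticated SS7 UpdateLocation.

Added illustration, not code from the article or from any operator; all names
(Hlr, 'home-msc', 'attacker-msc', the bank, the IMSI/MSISDN) are invented.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field


@dataclass
class Hlr:
    """Home Location Register: IMSI -> (serving MSC, country, time of last update).

    Real HLRs do not authenticate the origin of UpdateLocation; the optional
    velocity rule stands in for an SS7-firewall style plausibility check
    (a subscriber cannot change country within a few minutes).
    """
    location: dict = field(default_factory=dict)
    velocity_check: bool = False

    def update_location(self, imsi: str, msc_gt: str, country: str, now: int) -> bool:
        prev = self.location.get(imsi)
        if self.velocity_check and prev is not None:
            _, prev_country, prev_ts = prev
            if prev_country != country and now - prev_ts < 600:
                return False  # implausible roaming: drop the request
        self.location[imsi] = (msc_gt, country, now)
        return True

    def routing_info_for_sm(self, imsi: str) -> str:
        """SendRoutingInfoForSM: which MSC should the SMS centre deliver to?"""
        return self.location[imsi][0]


@dataclass
class Network:
    hlr: Hlr
    msisdn_to_imsi: dict
    inboxes: dict = field(default_factory=dict)  # msc_gt -> list of delivered SMS

    def deliver_sms(self, msisdn: str, text: str) -> None:
        msc = self.hlr.routing_info_for_sm(self.msisdn_to_imsi[msisdn])
        self.inboxes.setdefault(msc, []).append(text)


class Bank:
    """Confirms a transfer with a 6-digit code sent by SMS."""
    def __init__(self, net: Network, msisdn: str):
        self.net, self.msisdn, self.pending = net, msisdn, None

    def start_login(self) -> None:
        # Password already phished, as in the article; only the SMS step is modelled.
        self.pending = f"{secrets.randbelow(10 ** 6):06d}"
        self.net.deliver_sms(self.msisdn, f"Your transfer code is {self.pending}")

    def finish_login(self, code: str) -> bool:
        ok = self.pending is not None and hmac.compare_digest(code, self.pending)
        self.pending = None
        return ok


def run_attack(velocity_check: bool) -> dict:
    """Victim registered at home; attacker sends UpdateLocation to steal the SMS."""
    hlr = Hlr(velocity_check=velocity_check)
    hlr.update_location("262010000000001", "home-msc", "DE", now=1000)
    net = Network(hlr, {"+49170000000": "262010000000001"})
    bank = Bank(net, "+49170000000")

    # Attacker with SS7 access claims the victim is now roaming on its MSC.
    accepted = hlr.update_location("262010000000001", "attacker-msc", "XX", now=1100)
    bank.start_login()
    stolen = net.inboxes.get("attacker-msc", [])
    code = stolen[0].split()[-1] if stolen else ""
    return {
        "update_accepted": accepted,
        "attacker_got_sms": bool(stolen),
        "attacker_logged_in": bool(stolen) and bank.finish_login(code),
    }


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: derived on the device, never sent over the phone network,
    so rerouting SMS does not expose it."""
    msg = struct.pack(">Q", now // step)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


if __name__ == "__main__":
    print("no firewall  :", run_attack(velocity_check=False))
    print("velocity rule:", run_attack(velocity_check=True))
    print("TOTP at t=59 :", totp(b"12345678901234567890", 59))
```

With `velocity_check=False` the attacker's UpdateLocation is accepted, the bank's SMS lands in `attacker-msc`, and the attacker completes the login; with the velocity rule on, the relocation is refused and the code reaches the real handset. The velocity rule is only an example of the detection the article mentions, not a complete defence: an attacker who waits, or who registers a plausible neighbouring country, passes it, which is why the article's closing advice (a 2FA method that does not travel by SMS, such as an authenticator app) is the stronger fix.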

In 2017, German newspaper The Süddeutsche Zeitung reported that criminals had exploited SS7 to drain funds from bank accounts in Germany. The Metro Bank incident appears to be the first publicly reported case of a UK bank falling victim to an SS7 attack, however, and multiple sources confirmed the issue is broader in scope.

One source familiar with SS7 attacks across banks said the exploitation has targeted banks globally, but that American banks seem to be less impacted. The SS7 issue applies particularly to Europe, they added. Motherboard granted the source anonymity to talk more openly about sensitive incidents.

Nohl, the cybersecurity researcher who has worked on SS7, echoed that exploitation by financially-driven cybercriminals is more common than many may believe. Graeme Coffey, head of sales at cybersecurity firm AdaptiveMobile, which focuses particularly on SS7, told Motherboard in a phone call, “We have seen a diversity of continents that have been targeted.”

The NCSC statement added “While text messages are not the most secure type of two-factor authentication, they still offer a huge advantage over not using any 2FA at all.”

Multiple sources said the attacks are highly targeted; something that members of the general public don’t necessarily have to worry about. An SS7 attack is unlikely to be effective if the bank uses a form of 2FA that doesn’t rely on text messages, such as an authenticator app.


Over the past several years, Motherboard has collected examples of different criminals advertising alleged SS7 capabilities. In one from December 2017 sent over a direct message in a chat protocol commonly used by criminals, one hacker claimed to offer voice and text message interception as well as geolocation. Another message advertised a particular website claiming to sell bank token interception via SS7. A source with underground connections told Motherboard one SS7 reselling service was tested and did work. Some SS7 offerings are very likely fakes, however.

Coffey from AdaptiveMobile said he believes the sort of criminal gangs that are carrying out these SS7 attacks are unlikely to resell that capability.

“These gangs—the guys who are really seriously coordinated, very, very targeted, and active—I don’t think they want to associate with anyone that is going to risk their operation,” Coffey added. “I think that is a very closed, small group of professionals.”

Coffey said criminals could have acquired access from legitimate providers, or are piggybacking off that access, making the SS7 requests appear somewhat more legitimate. Nohl pointed to how hackers could target someone who already has SS7 access. In 2017, this reporter went undercover as an SMS routing service and was successfully offered SS7 access for around $10,000.

“This is not an isolated case,” Nohl said.

Update: This piece has been updated to include a statement from Vodafone.



Google Says Malicious Websites Have Been Quietly Hacking iPhones for Years

It may be the biggest attack against iPhone users yet.

by Joseph Cox
Aug 30 2019, 12:35am

Image: Stefan Jaitner/picture alliance via Getty Images

In what may be one of the largest attacks against iPhone users ever, researchers at Google say they uncovered a series of hacked websites that were delivering attacks designed to hack iPhones. The websites delivered their malware indiscriminately, were visited thousands of times a week, and were operational for years, Google said.

"There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week," Ian Beer, from Google's Project Zero, wrote in a blog post published Thursday.

Some of the attacks made use of so-called zero day exploits. This is an exploit that takes advantage of a vulnerability that the impacted company, in this case Apple, is not aware of, hence they have had "zero days" to find a fix. Generally speaking, zero day attacks can be much more effective at successfully hacking phones or computers because the company does not know about the vulnerability and thus has not fixed it.

iPhone exploits are relatively expensive and the iPhone is difficult to hack. The price for a full exploit chain of a fully up to date iPhone has stretched up to at least $3 million. This includes various vulnerabilities for different parts of the iPhone operating system, including the browser, the kernel, and others to escape an application's sandbox, which is designed to keep code running only inside the part of the phone it is supposed to.

Do you work at companies selling these sorts of exploits? Did you used to? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

Beer writes that Google's Threat Analysis Group (TAG) was able to collect five distinct iPhone exploit chains based on 14 vulnerabilities. These exploit chains covered versions from iOS 10 up to the latest iteration of iOS 12. At least one of the chains was a zero day at the time of discovery and Apple fixed the issues in February after Google warned them, Beer writes.

Once the attack has successfully exploited the iPhone, it can deploy malware onto the phone. In this case "the implant is primarily focused on stealing files and uploading live location data. The implant requests commands from a command and control server every 60 seconds," Beer writes.

The implant also has access to the user's keychain, which contains passwords, as well as the databases of various end-to-end encrypted messaging apps, such as Telegram, WhatsApp, and iMessage, Beer's post continues. End-to-end encryption can protect messages from being read if they're intercepted, but less so if a hacker has compromised the end device itself.

The implant does not have persistence, though: rebooting the iPhone removes it, Beer explains. But a single infection can still of course deliver a treasure trove of sensitive information.

"Given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device," Beer writes. The information is also transferred to the server unencrypted, the post adds.

Previously documented attacks have been more targeted in nature, typically by a text message sent to the target, along with a link to a malicious site, sometimes just for that target. This attack appears to, or at least has the potential to be, broader in scope.

"This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years," Beer added.

Apple did not immediately respond to a request for comment.

Update: This piece has been updated to include more information from Google's blog post.
