FCC Just Killed Net Neutrality—What Does This Mean? What Next?
17.12.2017 thehackernews  IT
FCC Just Killed Net Neutrality
Net neutrality is DEAD—3 out of 5 federal regulators voted Thursday to hand control of the future of the Internet to cable and telecommunication companies, giving them powers to speed up service for websites they favor or slow down others.
As proposed this summer, the US Federal Communications Commission (FCC) has rolled back Net Neutrality rules that require Internet Service Providers (ISPs) to treat all services and websites on the Internet equally and prohibit them from blocking sites or charging for higher-quality service.
This action repeals the FCC's 2015 Open Internet Order decision taken during the Obama administration.
What is Net Neutrality and Why Is It Important?
Net Neutrality is simply Internet Freedom—Free, Fast and Open Internet for all.
In other words, Net Neutrality is the principle that governs ISPs to give consumers access to all and every content on an equal basis, treating all Internet traffic equally.
Today, if there's something that makes everyone across the world 'Equal,' it is the Internet.
Equality over the Internet means, all ISPs have to treat major websites like Facebook and Google in the same way as someone's local shop website, and the wealthiest man in the world has the same rights to access the Internet as the poorer.
This is what "Net Neutrality" aims at.
Here's Why the FCC Repeals Net Neutrality Rules
FCC-Net-Neutrality
The FCC Chairman for the Trump administration, Ajit Pai, who has openly expressed his views against net neutrality, was previously quoted as saying that Net Neutrality was "a mistake."
Pai has previously argued that the 2015 regulations had discouraged internet providers from investing in their networks, as well as slowed the expansion of internet access.
On Thursday, the FCC's two Democrats voted to object the decision to repeal Net Neutrality, and the three Republican members, including Chairman Pai, Commissioner Brendan Carr, and Commissioner Mike O'Rielly, voted to overturn protections put in place in 2015.
Here's what all the three Republicans said in their remarks about their decision to repeal Net Neutrality:
"Prior to the FCC's 2015 decision, consumers and innovators alike benefitted from a free and open internet. This is not because the government imposed utility-style regulation. It didn't. This is not because the FCC had a rule regulating internet conduct. It had none. Instead through Republican and Democratic administrations alike, including the first six years of the Obama administration, the FCC abided by a 20-year bipartisan consensus that the government should not control or heavily regulate internet access," said Commissioner Carr.
"I sincerely doubt that legitimate businesses are willing to subject themselves to a PR nightmare for attempting to engage in blocking, throttling, or improper discrimination. It is simply not worth the reputational cost and potential loss of business," said Commissioner O'Rielly.
"How does a company decide to restrict someone's accounts or block their tweets because it thinks their views are inflammatory or wrong? How does a company decide to demonetize videos from political advocates without any notice?...You don't have any insight into any of these decisions, and neither do I, but these are very real actual threats to an open internet," said Chairman Pai.
Here's How the Internet & Tech Firms Reacted
Net-Neutrality
The response from the tech industry was swift and loud and predictable. The industry isn't happy with what is turning out to be the Trump administration's biggest regulatory move yet.
"We are incredibly disappointed that the FCC voted this morning – along partisan lines – to remove protections for the open internet. This is the result of broken processes, broken politics, and broken policies. As we have said over and over, we'll keep fighting for the open internet, and hope that politicians decide to protect their constituents rather than increase the power of ISPs," Mozilla said in a statement.
"Today's decision from the Federal Communications Commission to end net neutrality is disappointing and harmful. An open internet is critical for new ideas and economic opportunity – and internet providers shouldn't be able to decide what people can see online or charge more for certain websites," Sheryl Sandberg said, Chief Operating Officer of Facebook.
"We're disappointed in the decision to gut #NetNeutrality protections that ushered in an unprecedented era of innovation, creativity & civic engagement. This is the beginning of a longer legal battle. Netflix stands w/ innovators, large & small, to oppose this misguided FCC order," Netflix tweeted.
Obviously, Internet providers are more likely to strike valuable deals with large, established services and websites than relatively unknown companies or startups, which will be hit hardest by the repeal.
With no surprise, ISPs including Comcast, Verizon, and AT&T have welcomed the new rules, saying they will not block or throttle any legal content but may engage in paid prioritization.
Since the commission will take a few weeks to make final adjustments to the new rules, you will not see any potential change right away.
What Next? Can Net Neutrality Be Saved?
Net-Neutrality
Obviously, you cannot do anything overnight to repeal the decision.
Reportedly, attorney generals from across the country and consumer advocacy groups are considering suing the FCC in an attempt to reverse Thursday's repeal of net neutrality rules.
To overturn the FCC's order, critics and internet activists are also going to push for Congress to step in and pass a resolution of disapproval using the Congressional Review Act.
"This fight isn't over. With our allies and our users, we will turn to Congress and the courts to fix the broken policies," Mozilla said.
"We're ready to work with members of Congress and others to help make the internet free and open for everyone," Sheryl Sandberg said.
"We will continue our fight to defend the open Internet and reverse this misguided decision," Twitter said.
The FCC's repeal of net neutrality will take effect 60 days after publication in the Federal Register, which doesn't happen immediately and could take six weeks or even more after the FCC vote.
Once it become law, the repeal will return everything to the state it was before 2015.

19 Million California Voter records held for ransom attack on a MongoDB instance
16.12.2017 securityaffairs Ransomware

Voter registration data for more than 19 million California residents stored in an unsecured MongoDB instance has been deleted and held for ransom.
Voter registration data for more than 19 million California residents that was stored in an unsecured MongoDB database has been deleted and held for ransom by attackers.

The incident was discovered by researchers at Kromtech, it is the last of a long string of ransom attacks targeting unsecured MongoDB database.

“In early December Kromtech security researchers discovered an unprotected instance of MongoDB database that appear to have contained voter data. The database named ‘cool_db’ contained two collections and was available for anybody with Internet connection to view and/or edit.

One was a manually crafted set of voter registration data for a local district and the other appeared to contain the entire state of California with 19,264,123 records, all open for public access.” reported Kromtech.

According to the LA Times California had 18.2 million registered voters in 2016 so this would logically be a complete list of their records.”

The attack sequence is similar to other hacks, the attacker scanned the internet for unsecured MongoDB databases, found this one containing the voter data, wiped the data in the archive and left a ransom request for 0.2 Bitcoin ($3,582 US at the current price).

Kromtech researchers were not able to identify the owner of the database because crooks deleted the content of the archive, they only analyzed stats data as well as a few records sample extracted from the database shortly before it has been wiped out.

It is impossible to determine if the attacker made a copy of the data before wiping the MongoDB database or if other hacker groups found and made a copy of the voter registration database before it was deleted.

“It is unclear who exactly compiled the database in question or the ownership, but researchers believe that this could have been a political action committee or a specific campaign based on the unofficial title of the repository (“cool_db”), but this is only a suspicion. Political firms assist campaigns in building voter profiles. This information of California voters is governed by state law that dictates what kind of information can be released, and for what purposes.” states Kromtech.

In June, security firm UpGuard found an Amazon S3 bucket containing the details of 198 million US voters.

Once in the hands of crooks, voter data could end up for sale on the Dark Web, in June 2016 a seller using the pseudonym of ‘DataDirect’ offered US voters’ registration records on the darknet marketplace “The Real Deal.”

Back to the case of the California Voter registration archive, Bob Diachenko, head of communications, Kromtech Security Center said:

“This is a massive amount of data and a wake up call for millions citizens of California who have done nothing more than fulfil the civic duty to vote. This discovery highlights how a simple human error of failing to enact the basic security measures can result in a serious risk to stored data. The MongoDB was left publically available and was later discovered by cyber criminals who seemed to steal the data, which origin is still unknown.”

If you are curious, like me, give a look at the transactions for the wallet in the ransom note and see if someone has paid 😉
https://blockchain.info/address/1EPA6qXtthvmp5kU82q8zTNkFfvUknsShS

Triton malware was developed by Iran and used to target Saudi Arabia
16.12.2017 securityaffairs APT  ICS

CyberX who analyzed samples of the Triton malware believes it was likely developed by Iran and used to target an organization in Saudi Arabia.
Security experts from security firms FireEye and Dragos reported this week the discovery of a new strain of malware dubbed Triton (aka Trisis) specifically designed to target industrial control systems (ICS).

Both FireEye and Dragos would not attribute the Triton malware to a specific threat actor.

The Triton malware has been used in attacks aimed at an unnamed critical infrastructure organization, it caused a shutdown at a critical infrastructure organization somewhere in the Middle East.

“Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes.” reads the analysis published by FireEye.

“We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.”

According to report published by ICS cyber security firm Dragos, which tracked the threat as “TRISIS”, the victim was an industrial asset owner in the Middle East.

The Triton malware is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers that are used in industrial environments to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.

TRITON is designed to communicate using the proprietary TriStation protocol which is not publicly documented, this implies that the attackers reverse engineered the protocol to carry out the attack.

Now, security experts at CyberX who analyzed samples of the malware provided further details on the attack, revealing that Triton was likely developed by Iran and used to target an organization in Saudi Arabia.

Iranian hackers are becoming even more aggressive, but experts always highlighted that they are not particularly sophisticated.

In October, the OilRig gang was spotted using a new Trojan in attacks aimed at targets in the Middle East.

OilRig is just one of the Iran-linked hacker crews, other groups tracked by security experts are APT33, Rocket Kitten, Cobalt Gypsy (Magic Hound), Charming Kitten (aka Newscaster and NewsBeef) and CopyKittens.

In February, researchers at Palo Alto Networks have discovered a new cyber espionage campaign linked to Iran that targeted several organizations in the Middle East.

The espionage campaign dubbed Magic Hound, dates back at least mid-2016. Hackers targeted organizations in the energy, government, and technology industries, all the targets are located or have an interest in Saudi Arabia.

Iran was responsible for destructive attacks on Saudi Aramco systems in 2012, and now CyberX is attributing the Triton malware to the Government of Teheran.

According to the experts, the shutdown was likely an accident during the reconnaissance phase conducted by the threat actors whose final goal was the sabotage.

Schneider Electric is investigating the attack to discover if the threat actors exploited any vulnerability in the Triconex product.

Schneider published a security advisory to warn its customers, it suggests avoiding leaving the front panel key position in “Program” mode when the controller is not being configured. The malicious code can only deliver its payload if the key switch is set to this mode.

“Schneider Electric is aware of a directed incident targeting a single customer’s Triconex Tricon safety shutdown system. We are working closely with our customer, independent cybersecurity organizations and ICSCERT to investigate and mitigate the risks of this type of attack.” reads the security advisory.

“The modules of this malware are designed to disrupt Triconex safety controllers, which are used widely in critical infrastructure. The malware requires the keyswitch to be in the “PROGRAM” mode in order to deliver its payload. Among others, the reported malware has the capability to scan and map the industrial control system environment to provide reconnaissance and issue commands directly to Tricon safety controllers.”

According to Phil Neray, VP of Industrial Cybersecurity for CyberX OT environments are ‘vulnerable by design’ for this reason they are a privileged target for hackers that could use them as an entry point in industrial environment.

“I think it’s a little comical that Schneider Electric felt obliged to state that the attack did not leverage any vulnerabilities in the Tritex product,” Phil Neray told SecurityWeek. “OT environments are ‘vulnerable by design’ because they lack many of the controls we now take for granted in IT networks such as strong authentication. As a result, once an attacker gets into the OT network — by stealing credentials or connecting an infected laptop or USB, for example — they have almost free reign to connect to any control device they choose, and then reprogram them with malicious ladder logic to cause unsafe conditions. Based on the FireEye report, this appears to be exactly what the TRITON attackers did, similar to the way Industroyer modified ABB configuration files to perform its attack on the Ukrainian grid.”

Lazarus APT Group targets a London cryptocurrency company
16.12.2017 securityaffairs APT

Security experts from Secureworks revealed the Lazarus APT group launched a spearphishing campaign against a London cryptocurrency company.
The dreaded Lazarus APT group is back and launched a spearphishing campaign against a London cryptocurrency company to steal employee credentials.

The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems. Security researchers discovered that North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

According to security experts, the group was behind, other large-scale cyber espionage campaigns against targets worldwide, including the Troy Operation, the DarkSeoul Operation, and the Sony Picture hack.

Many experts believe the WannaCry ransomware was developed by the Lazarus Group due to similarities in the attack codes. UK Government also linked the WannaCry attack that crippled NHS to North Korea.

Lazarus targets Bitcoin company

According to the experts at Secureworks, the Lazarus APT group is behind a targeted email campaign aiming to trick victims into clicking on a compromised link for a job opening for a chief financial officer role at a London cryptocurrency company.
“Those who clicked on the hiring link were infected by malicious code from an attached document in the email that installed software to take remote control of a victim’s device, allowing hackers to download further malware or steal data.” reported the Reuters.

“This malware shares technical links with former campaigns staged by the mysterious cybercrime group Lazarus, which Secureworks has labeled “Nickel Academy”. Secureworks did not say whether anyone who received the email actually clicked on the link.”

Researchers found many similarities between the TTPs (techniques, tactics, and procedures) observed in this attack and previous ones attributed to the Lazarus APT group.

“The so-called “spearphishing” attempt appears to have been delivered on October 25, but initial activity was observed by Secureworks researchers dating back to 2016. The researchers said in a statement they believe the efforts to steal credentials are still on-going.” reported the Reuters.

“Recent intrusions into several bitcoin exchanges in South Korea have been tentatively attributed to North Korea, it said.”

Secureworks found evidence dating back to 2013 of North Korean interest in bitcoin, when multiple states sponsored hackers used a collection of usernames originating from computers using North Korean internet addresses were found researching bitcoin.

The same internet addresses were linked to previous North Korean operations.

The researchers believe the Lazarus phishing campaign is still ongoing and is warning of potential effects.

“Given the current rise in bitcoin prices, CTU suspects that North Korea’s interest in cryptocurrency remains high and (it) is likely continuing its activities surrounding the cryptocurrency,” Secureworks said in a statement to Reuters.

Secureworks announced the publishing of a detailed report.

Avast releases open sources Machine-Code Decompiler (RetDec) to fight malware
16.12.2017 securityaffairs Hacker techniques

RetDec is the retargetable machine-code decompiler (RetDec) released by the anti-malware firm Avast to boost the fight against malicious codes.
The anti-malware company Avast announced the release of retargetable machine-code decompiler (RetDec) as open source in an effort to boost the fight against malicious codes.

RetDec, short for Retargetable Decompiler, was originally created as a joint project by the Faculty of Information Technology of the Brno University of Technology and AVG Technologies. Avast acquired AVG Technologies in 2016.

RetDec is now available for anyone on GitHub under the MIT license, this means that security experts can modify its source code and redistribute it.

RetDec is a retargetable machine-code decompiler based on LLVM that could be used by the experts to perform platform-independent analysis of executable files.

Avast decided to open-source the Retargetable Decompiler to provide “a generic tool to transform platform-specific code, such as x86/PE executable files, into a higher form of representation, such as C source code.”

The utility includes support for multiple platforms, different architectures, file formats, and compilers.

“The decompiler is not limited to any particular target architecture, operating system, or executable file format:

Supported file formats: ELF, PE, Mach-O, COFF, AR (archive), Intel HEX, and raw machine code.
Supported architectures (32b only): Intel x86, ARM, MIPS, PIC32, and PowerPC.”
The tool currently supports only Windows (7 or later) and Linux, but pre-built packages are available only for Windows.

RetDec

RetDec features are:

Static analysis of executable files with detailed information.
Compiler and packer detection.
Loading and instruction decoding.
Signature-based removal of statically linked library code.
Extraction and utilization of debugging information (DWARF, PDB).
Reconstruction of instruction idioms.
Detection and reconstruction of C++ class hierarchies (RTTI, vtables).
Demangling of symbols from C++ binaries (GCC, MSVC, Borland).
Reconstruction of functions, types, and high-level constructs.
Integrated disassembler.
Output in two high-level languages: C and a Python-like language.
Generation of call graphs, control-flow graphs, and various statistics.
Courtesy of an IDA (Interactive Disassembler) plugin, the utility is able to decompile files directly from the IDA disassembler.

RetDec is a powerful utility that allows optimizing reconstruction of original source code “by using a large set of supported architectures and file formats, as well as in-house heuristics and algorithms to decode and reconstruct applications.”

Avast also provides web service for decompilation in browser, an IDA plugin and REST API that allows the creation of apps that can interact with RetDec through HTTP requests.

The decompiler can be used via the API through retdec-python.

US Military wants cyber warriors along with soldiers on the Battlefield
16.12.2017 securityaffairs BigBrothers

Cyber warriors and soldiers will fight together on the battlefield, the US Army will soon send its cyber experts to support the conventional army.
The news was reported by officials this week, it confirms the strategic importance of Information warfare in the modern military. Cyber warriors will be engaged in the offensive against enemy computer networks.

The Army is investing in cyber capabilities training a new generation of cyber soldiers at a huge center in southern California.

According to Colonel Robert Ryan, who commands a Hawaii-based combat team, while the Army’s mission is generally to “attack and destroy,” the cyber troops will have a different and crucial role in the battle.

“Not everything is destroy. How can I influence by non-kinetic means? How can I reach up and create confusion and gain control?” he explained.

The involvement of cyber troops in military operations is not a novelty, cyber warriors have been integrated for six months in infantry units. Colonel William Hartman of the Army’s Cyber Command added that they will tailor operations according to commanders’ needs.

Hartman didn’t reveal details on cyber operations that will be assigned to cyber soldiers, he only referred that they would be involved in information gathering and intelligence.

In August, President Donald Trump ordered the US Military to create a separate cyber warfare command tasked with cyber warfare operations.

President was thinking of a separate command specialized on electronic and online offensive and defensive operations.

“This new Unified Combatant Command will strengthen our cyberspace operations and create more opportunities to improve our nation’s defense,” Trump said in a statement.

“The elevation of United States Cyber Command demonstrates our increased resolve against cyberspace threats and will help reassure our allies and partners and deter our adversaries.”

US cyber warriors have been involved also in counter-terrorism operations, according to the New York Times, CYBERCOM conducted missions to infiltrate and spy on Islamic State group networks. In some cases, the cyber troops alter commanders’ messages so they unwittingly direct ISIS militant to areas likely to be hit by drone or plane strikes.

The cybersecurity firm Fox-IT disclosed a security breach that affected its infrastructure
16.12.2017 securityaffairs Hacking

For Fox-IT disclosed a security breach that affected its infrastructure and demonstrated how to manage it in an outstanding way.
The cybersecurity firm Fox-IT, one of the top security companies currently owned by the UK giant NCC Group, disclosed a security breach that affected its infrastructure. According to the firm, on September 19 an unknown attacker carried out a Man-in-the-Middle (MitM) attack and spied on a limited number of customers.

“It’s become a widely accepted mantra that experiencing a cyber breach is a question of ‘when’ and not ‘if’. For Fox-IT ‘if’ became ‘when’ on Tuesday, September 19 2017, when we fell victim to a “Man-in-the-Middle” attack.” reads the security breach disclosure published by the company.

According to Fox-IT, the attackers hijacked the company’s domain name for 10 hours and 24 minutes and obtained an SSL certificate in Fox-IT’s name.

The hackers redirected the domain to a private VPS server under their control in order to power a MitM attack. In this position the attackers were able to receive traffic intended for the Fox-IT domain, using the SSL certificate to read the content of HTTPS connections, and then forward the traffic to the actual Fox-IT server.

According to Fox-IT, the attackers only targeted ClientPortal website by intercepting traffic for it. According to Fox-IT, hackers accessed any information sent to the Client portal, including login attempts and credentials, and files.

“the attacker was able to redirect inbound traffic to ClientPortal and emails going to the fox-it.com domain for a short period of time. At no stage did they have access to any external or internal Fox-IT system, or indeed system level access to our ClientPortal.” continues the breach notification.

Fox-IT promptly detected the domain hijacking and MitM attack after just 5 hours and disabled 2FA login process as a mitigation measure. The hackers only intercepted credentials for 9 users and a total of 12 files, none of the files were marked as “secret,” and did not contain sensitive information.

In response to the incident, Fox-IT notified affected customers and reset intercepted passwords, of course, it notified Dutch law enforcement of the incident.

Below is a detailed timeline of the cyber attack:

Sept 16 2017 First reconnaissance activities against our infrastructure that we believe are attributable to the attacker. These included regular port scans, vulnerability scans and other scanning activities.
Sept 19 2017, 00:38 The attacker changed DNS records for fox-it.com domain at a third party provider.
Sept 19 2017, 02:02 Latest moment in time that we have been able to determine that clientportal.fox-it.com still pointed to our legitimate ClientPortal server. This means that traffic destined for the ClientPortal was not being intercepted yet.
Sept 19 2017, 02:05-02:15 Maximum 10-minute time window during which the attacker temporarily rerouted and intercepted Fox-IT email for the specific purpose of proving that they owned our domain in the process of fraudulently registering an SSL certificate for our ClientPortal.
Sept 19 2017, 02:21 The actual MitM against our ClientPortal starts. At this point, the fraudulent SSL certificate for ClientPortal was in place and the IP DNS record for clientportal.fox-it.com was changed to point to a VPS provider abroad.
Sept 19 2017, 07:25 We determined that our name servers for the fox-it.com domain had been redirected and that this change was not authorized. We changed the DNS settings back to our own name servers and changed the password to the account at our domain registrar. This change will have taken time to have full effect, due to caching and the distributed nature of the domain name system.
Sept 19 2017, 12:45 We disabled the
second factorauthentication for our ClientPortal login authentication system (text messages), effectively preventing users of ClientPortal from successfully logging in and having their traffic intercepted. Other than that, we kept ClientPortal functional in order not to disclose to the attacker that we knew what they were doing, and to give ourselves more time to investigate. At this point, the MitM against ClientPortal was still active technically, but would no longer receive traffic to intercept as users would not be able to perform

two factorauthentication and

log in.

Sept 19 – Sept 20 2017 A full investigation into the incident was undertaken, along with notification of all clients that had files intercepted and the relevant authorities, including the Dutch Data Protection Authority. A police investigation was launched and is still ongoing. Based on the outcome of our investigation, we understood the scope of the incident, we knew that the attack was fully countered and we were prepared to re-enable two factor authentication on ClientPortal in order to make it fully functional again.
Sept 20, 15:38 ClientPortal fully functional again. Our internal investigation into the incident continued.

Germany – Court rules against foreign intelligence agency (BND) surveillance
16.12.2017 securityaffairs BigBrothers

According to a German court, the BND must not store the metadata of international phone calls for the purpose of intelligence analysis.
Just a week ago, we discussed the German Government is preparing a law that will force hardware vendors to include a backdoor in their products and to allow its unit to hack back, now German court rules against foreign intelligence mass communication surveillance.

According to the court, the German foreign intelligence agency (BND) must not store the metadata of international phone calls for the purpose of intelligence analysis.

In April 2016, the German government replaced the head of the external intelligence service after a barrage of criticism over the support offered by the Bundesnachrichtendienst (BND) to the NSA in spying activities on European targets.

In June 2016, the government of Berlin approved new measures to rein in the activities of BND agency after its scandalous support to NSA surveillance activity.

In June 2015, Wikileaks released another collection of documents on the extended economic espionage activity conducted by the NSA in Germany. The cyber the spies were particularly interested in the Greek debt crisis. The US intelligence targeted German government representatives due to their privileged position in the negotiations between Greece and the UE.

Germany had reacted with outrage when Snowden leaked documents that demonstrate the surveillance activity, in response, the Chancellor Merkel proposed the establishment of an external watchdog panel of jurists in order to evaluate the activities of the intelligence agency.

“Spying on friends is not on at all” said the Chancellor Merkel at the time.

“Surveillance is a sensitive issue in Germany after the abuses by the Gestapo during the Nazi era and the Stasi in Communist East Germany during the Cold War. Whistleblower Edward Snowden’s revelations about the United States spying on Germany also caused upset.” reports the Reuters Agency.

Source G-Data

In 2015, the Media freedom organization Reporters Without Borders filed a lawsuit against the BND accusing it to have breached the organization’s secrecy and harmed the partners and reporters it worked with.

“The verdict shows that it pays off when human rights organizations defend themselves against the mass storage of data by the BND,” said Christian Mihr, Reporters Without Borders director in Berlin.

The Reuters agency asked about the ruling and the BND said it would wait for the final verdict’s legal justification.