With just days to go until the 2024 presidential election in the United States, WIRED reported on documents that revealed US government assessments about multiple components of election security and stability. First obtained by the national security transparency nonprofit Property of the People, one report distributed by the US Department of Homeland Security in October assessed that financially motivated cybercriminals and ideologically motivated hacktivists are more likely than state-backed hackers to attack US election infrastructure. Another government memo warned of the risk to the election of insider threats, noting that such internal malfeasance “could derail or jeopardize a fair and transparent election process.”

With so much at stake in a hyper-polarized and combative climate, US elections have become increasingly militarized, with bulletproof glass, drones, defensive blockades, and snipers protecting election offices, and election officials bracing for the possibility of violent attacks. A WIRED investigation also revealed a successful CIA hack of Venezuela’s military payroll system that was part of a clandestine Trump administration effort to overthrow the country’s autocratic president, Nicolás Maduro.

In other cybersecurity news, WIRED did a deep dive into the firewall vendor Sophos’ five-year turf war to try to remove Chinese hackers running espionage operations on some vulnerable devices—and keep them out. And researchers warn that a “critical” zero-click vulnerability in a default photo app on Synology network-attached storage devices could be exploited by hackers to steal data or infiltrate networks.

As always, there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

A Disney employee who was fired from the company and still had access to its passwords allegedly hacked into the software used by Walt Disney World’s restaurants, according to reporting by 404 Media and Court Watch. A criminal complaint against Michael Scheuer claims he repeatedly accessed the third-party menu-creation system created for Disney and changed menus, including changing fonts to Windings—the font made up entirely of symbols.

“The fonts were renamed by the threat actor to maintain the name of the original font, but the actual characters appeared as symbols,” the criminal complaint says. “As a result of this change, all of the menus within the database were unusable because the font changes propagated throughout the database.”

The allegations aren’t limited to whimsical font vandalism, however. The federal complaint also details how Scheuer allegedly changed menu listings to say that foods with peanuts in them were safe for people with allergies, tried to log into Disney employees’ accounts, locked 14 employees out of their accounts by trying to log in with an automated script, and maintained a folder of personal information about employees and turned up at one person’s home. A lawyer representing Scheuer did not comment on the allegations.

For the past few years, infostealers have become a popular tool of choice for hackers, from cybercriminals trying to make money to sophisticated nation state groups. The malware, which is often bundled into pirated software, uses web browsers to collect usernames and passwords, cookies, financial information, and other data you enter into your computer. This week, cops around the world took down the Redline infostealer, which has been used to grab more than 170 million pieces of information and has been linked to large-scale hacks. An almost identical infostealer called Meta was also disrupted. As part of Operation Magnus, US officials identified Russian national Maxim Rudometov as being behind the development of Redline. As TechCrunch reports, Rudometov was identified following a series of operational security errors, including reusing online handles and emails across social media apps and other websites. In its criminal complaint, the US Department of Justice pointed out Rudometov’s dating profile, which apparently has “liked” 89 other users and received no likes in return.

In January 2018, it emerged that GPS data from running and cycling app Strava could expose secret military locations and the movements of people exercising around them. Officials warned that it was a clear security risk. Years later, many seemingly haven’t paid attention. French newspaper Le Monde has revealed in a series of stories that US Secret Service agents are leaking their data through the fitness app, allowing the movements of Joe Biden, Donald Trump, and Kamala Harris to be tracked. Security staff linked to French president Emmanuel Macron and Russian president Vladimir Putin are similarly exposing their movements. Those exposing their data used public profiles and often posted runs starting or finishing at the locations they were staying during official trips. Included in the leaks were bodyguards linked to Putin who were running near a palace the Russian leader has denied owning.

Italian prosecutors placed four people under house arrest and revealed they are investigating at least 60 others after an intelligence firm in the country allegedly hacked government databases and gathered information on more than 800,000 people. Intelligence company Equalize allegedly gathered information about some of Italy’s most prominent politicians, entrepreneurs, and sports stars, Politico reported. It is alleged that the information accessed included bank transactions, police investigations, and more. The hacked information was reportedly sold or potentially used as part of extortion attempts, with those behind the scheme allegedly earning €3.1 million. The scandal, which has enraged Italian politicians, may also be wider than just its impact in Italy, with the latest reports suggesting Equalize counted Israeli intelligence and the Vatican as clients.

The Chinese spy operation adds to the growing sense of a melee of foreign digital interference in the election, which has already included Iranian hackers’ attempt to hack and leak emails from the Trump campaign—with limited success—and Russia-linked disinformation efforts across social media.

Ahead of the full launch next week of Apple’s AI platform, Apple Intelligence, the company debuted tools this week for security researchers to evaluate its cloud infrastructure known as Private Cloud Compute. Apple has gone to great lengths to engineer a secure and private AI cloud platform, and this week’s release includes extensive detailed technical documentation of its security features as well as a research environment that is already available in the macOS Sequoia 15.1 beta release. The testing features allow researchers (or anyone) to download and evaluate the actual version of PCC software that Apple is running in the cloud at a given time. The company tells WIRED that the only modifications to the software relate to optimizing it to run in the virtual machine for the research environment. Apple also released the PCC source code and said that as part of its bug bounty program, vulnerabilities that researchers discover in PCC will be eligible for a maximum bounty payout of up to $1 million.

Over the summer, Politico, The New York Times, and The Washington Post each revealed that they’d been approached by a source offering hacked Trump campaign emails—a source whom the US Justice Department says was working on behalf of the Iranian government. The news outlets all refused to publish or report on those stolen materials. Now it appears that Iran’s hackers did eventually find outlets outside the mainstream media that were willing to release those emails. American Muckrakers, a PAC run by a Democratic operative, did publish the documents after soliciting them in a public post on X, writing, “Send it to us and we’ll get it out.”

American Muckrakers then published internal Trump campaign communications about North Carolina Republican gubernatorial candidate Mark Robinson and Florida Republican representative Anna Paulina Luna, as well as material that seemed to suggest a financial arrangement between Donald Trump and Robert F. Kennedy Jr., the third-party candidate who dropped out of the race and endorsed Trump. Independent journalist Ken Klippenstein also received and published some of the hacked material, including a research profile on Trump running mate and US senator JD Vance that the campaign assembled when assessing him for the role. Klippenstein subsequently received a visit from the FBI, he’s said, warning him that the documents were shared as part of a foreign influence campaign. Klippenstein has defended his position, arguing that the media should not serve as “gatekeeper of what the public should know.”

As Russia has both waged war and cyberwar against Ukraine, it’s also carried out a vast campaign of hacking against another neighbor to the west with whom it’s long had a fraught relationship: Georgia. Bloomberg this week revealed ahead of the Georgian election how Russia systematically penetrated the smaller country’s infrastructure and government in a yearslong series of digital intrusion operations. From 2017 to 2020, for instance, Russia’s military intelligence agency, the GRU, hacked Georgia’s Central Election Commission (just as it did in Ukraine in 2014), multiple media organizations, and IT systems at the country’s national railway company—all in addition to the attack on Georgian TV stations that the NSA pinned on the GRU’s Sandworm unit in 2020. Meanwhile, hackers known as Turla, working for the Kremlin’s KGB successor, the FSB, broke into Georgia’s Foreign Ministry and stole gigabytes of officials’ emails over months. According to Bloomberg, Russia’s hacking efforts weren’t limited to espionage but also appeared to include preparing for disruption of Georgian infrastructure like the electric grid and oil companies in the event of an escalating conflict.

For years, cybersecurity professionals have argued about what constitutes a cyberattack. An intrusion designed to destroy data, cause disruption, or sabotage infrastructure? Yes, that’s a cyberattack. A hacker breach to steal data? No. A hack-and-leak operation or an espionage mission with a disruptive clean-up phase? Probably not, but there’s room for debate. The Jerusalem Post this week, however, achieved perhaps the clearest-cut example of calling something a cyberattack—in a headline no less—that is very clearly not: disinformation on social media. The so-called “Hezbollah cyberattack” that the news outlet reported was a collection of photos of Israeli hospitals posted by “hackers” identifying as Hezbollah supporters that suggested weapons and cash were stored underneath them and that they should be attacked. The posts seemingly came in response to the Israeli Defense Forces’ repeating similar claims about hospitals in Gaza that the IDF has bombed, as well as another more recently in Lebanon’s capital city of Beirut.

“These are NOT CYBERATTACKS,” security researcher Lukasz Olejnik, the author of the books The Philosophy of Cybersecurity and Propaganda, wrote next to a screenshot of the Jerusalem Post headline on X. “Posting images to social media is not hacking. Such a bad take.”