When Israeli National Security Trumps US Lawsuits

God of justice holding a smartphone, Stable Diffusion

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Tines.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

An apparent leak from its Ministry of Justice suggests the Israeli government seized documents and computers from NSO Group to prevent potentially damaging material from being provided to litigants in a US court case. 

WhatsApp filed suit against NSO Group in 2019 after the company discovered that NSO Group had targeted about 1,400 of its users with Pegasus malware, which has been used to facilitate human rights violations around the world. WhatsApp is seeking an injunction blocking NSO Group from accessing its computer systems, which would effectively end NSO Group's ability to target WhatsApp users. 

The court process includes a formal discovery phase in which parties to a case exchange relevant information, including otherwise sensitive documents. 

The Guardian examined documents from the Ministry of Justice leak relating to the WhatsApp lawsuit discovery process:

The leaked emails reviewed by the Guardian suggest that senior Israeli officials met NSO’s representatives "to discuss issues related to disclosure" a day after WhatsApp’s requests for production of documents were received by the company.
Three days later, in mid-July 2020, Israel made a significant but secret intervention. At an urgent meeting with NSO, Israeli officials presented the company with an order issued by a Tel Aviv court granting the government powers to execute a search warrant at its office, access its internal computer systems and seize files.
The court order prohibited NSO from disclosing or transferring any documents or technical materials to "any external person or entity" without the authorisation of Israeli authorities. The order itself was also made secret; a gag order has prevented the government's actions being made public in Israel.
The leaked documents and emails appear to have been stolen in a hack of Israel's Ministry of Justice. Although the Ministry found "no infiltration of the ministry's systems", it didn't deny the authenticity of the documents in the leak.

A journalism non-profit, Forbidden Stories, which collaborated with The Guardian on the story, says it was able to "confirm the main findings" regarding the seizure of documents from NSO Group "through background sources, an additional official Israeli document and forensic analysis of some of the leaked files".

A spokesperson for the Ministry of Justice told The Guardian it "rejects the claim that it has acted in any manner as to harm or obstruct the [US] legal proceedings". 

Some of the documents Forbidden Stories reviewed hint at what was at stake for the Israeli government:

Another document seen by Forbidden Stories and that seems to have been accessed by officials at the Ministry of Justice shows that in 2020, NSO’s legal team believed that sensitive documents, such as its full customer list including "U.S. customers," contracts, or even information related to "the Jeff Bezos hack or Khashoggi killing" could be among the files that might fall under the discovery.

To be fair, that's not to say that NSO Group actually had sensational documents relevant to those matters. But it is fair to assume that WhatsApp's lawyers did a thorough job asking for any document that could potentially embarrass NSO Group and possibly, by extension, the Israeli government. 

Forbidden Stories also found evidence that the Israeli government was involved in NSO Group's court case. These include that the justice ministry appears to have "pushed NSO to remove language from court filings that implied Israel is a customer of NSO and uses Pegasus technology", and that government officials reviewed and suggested changes to documents authored by NSO Group lawyers before they were filed in court. 

Cooperation between NSO Group and the Israeli government on a matter that could be damaging for both is not really a surprise. In 2021 the Financial Times described how the Israeli government had used NSO Group's spyware as a "diplomatic calling card" in its regional diplomatic efforts. Haaretz reported that the government also actively assisted NSO Group's efforts to market its products in the region.

From a narrow perspective, the Israeli government's document lockdown is working. Forbidden Stories points out that this month, in a court filing, lawyers for WhatsApp complained about NSO Group's "continued refusal to meaningfully participate in discovery" and said they had "yet to receive any document discovery related to the relevant spyware". For its part, NSO Group can say that as a law-abiding company, it is merely complying with its Israeli legal obligations.

It's worth keeping in mind that the seizure of NSO Group documents and computers occurred in 2020, before the Pegasus Project in July 2021 published a stream of stories about how Pegasus spyware was being used to facilitate human rights abuses. In November 2021, the US placed NSO Group on an export control list and we wrote that the Israeli government had to decide what it valued more—its relationship with the US or the benefits it gained from playing fast and loose with cyber espionage capabilities.

In 2020, protecting its reputation by preventing documents being handed over to a US court process might have seemed like an easy win for the Israeli government. In today's world, however, hiding those documents comes with a cost. It destroys whatever shreds of credibility the Israeli government has left as a responsible regulator of a spyware export industry. 

Good News! Election Interference Gets Professional

US intelligence officials warned this week that foreign actors are targeting the upcoming US presidential elections and will adjust their tactics as the campaign develops.

The media briefing on election interference was accompanied on the same day by the release of an election security update from the Office of the Director of National Intelligence (ODNI).

Much of the briefing and update is unsurprising. Loosely paraphrasing, Iran hates Trump and the Republicans, Russia loves them, while China would so far rather just sow division instead of getting down and dirty in the election itself. The ODNI describes Russia as the "predominant threat to US elections". 

All this is more or less 'business as usual' nowadays. 

However, one notable shift the ODNI reports is that: 

Foreign actors are turning to commercial firms, such as marketing and public relations companies, to leverage these firms’ expertise in communications, technical sophistication, and to complicate attribution. These firms offer foreign states and other political actors an array of potential services and are often able to operate more nimbly and with fewer bureaucratic hurdles than government entities.

The ODNI says Moscow is using Russia-based influence-for-hire firms while the PRC government has collaborated with China-based technology companies. 

Although it sounds worrying, we are interpreting this as good news. 

When it comes to US presidential elections, money is the name of the game and the price of entry is very, very high. 

Open Secrets, a non-profit that tracks money in politics, says that USD$5.7bn of legitimate money was spent on the presidential race in 2020, with another USD$8.7bn spent on congressional races, for a whopping USD$14.4bn in total. The Biden and Trump campaigns raised over USD$1bn and USD$774m respectively.

Open Secrets says that candidates Hillary Clinton and Donald Trump raised nearly USD$1bn between the two of them in the 2016 election. By comparison, the Internet Research Agency (IRA), the Russian 'troll farm' that engaged in election interference in that year's presidential election, had a budget of USD$1.25m per month in the lead-up to election day. So, a drop in the ocean compared to the legitimate domestic spending on campaigns.

Of course, money isn't everything. US authorities still need to be on the lookout for tactics that aren't available to legitimate influence actors, like hack and leak campaigns. As does the mainstream media.

In our view, engaging commercial services is a tacit admission that state-backed interference efforts haven't had a huge impact, so this is fundamentally a good news story!  

Watch Patrick Gray and Tom Uren discuss this edition of the newsletter.

Three Reasons to Be Cheerful This Week:

  1. Removing the PlugX botnet one country at a time: French authorities have taken up the offer from French security firm Sekoia to 'disinfect' PlugX malware from infected computers in France. Sekoia discovered it could send commands to remove the malware from affected computers after it sinkholed the worm version of PlugX in September last year. There are potentially a large number of infections, as around 100,000 unique IP addresses contact the sinkhole daily.
  2. Financial sextortion takedowns: Meta announced that it had taken down 63,000 Instagram accounts in Nigeria targeting people with financial sextortion scams. It also took down associated Facebook assets in Nigeria, including 5,700 groups and 1,300 accounts.
  3. More malware scanning in Chrome: Google has announced changes to its scanning of potentially malicious files in Chrome. For users who have opted in to Chrome's Enhanced Protection mode, what Google calls 'deep scans' now happen by default. Chrome will also prompt these users to submit passwords for encrypted archives they download so that Google can scan them. Malware authors often distribute their software to potential victims in password-protected archives to prevent scanning. In these cases the passwords are provided with the software archive, for example on the same page or in the file name. Makes sense to us, so we are bemused that this is controversial on Ars Technica.

In this Risky Business News sponsored interview, Tom Uren talks to Thomas Kinsella, co-founder and Chief Customer Officer of Tines about figuring out what AI is really good for and taking advantage of it in automating workflows.

Shorts

US DoD: Yes, We Were Vaccine Pricks

The US Department of Defense (DoD) has admitted to the Philippines government that it made "some missteps" in its Covid-related messaging. 

It's not quite an apology, but well, it's better than nothing and the US says it "has vastly improved oversight and accountability of information operations" since then.

A Reuters investigation published in June reported that the DoD launched an operation to discredit Chinese Covid vaccines during 2020 and 2021. The operation was launched in response to Chinese claims that Covid-19 originated in a US Army research facility.

Recruiting Gets Riskier

US security firm KnowBe4 has published an incident report explaining how it was duped into hiring a North Korean IT worker into a software engineer role:

We posted the job, received resumes, conducted interviews, performed background checks, verified references, and hired the person. We sent them their Mac workstation, and the moment it was received, it immediately started to load malware.

The fake worker actually made his way through four separate video conference interviews that confirmed the potential employee matched the photo provided in his application. 

The report has some prevention tips including not relying on email references only and getting applicants to talk about the work they are doing over video.

Infostealer 101

Wired has a good explainer on infostealer malware and its current impact on the entire cyber crime ecosystem. 

In this video demo, Tines CEO and co-founder, Eoin Hinchy, demonstrates the Tines automation platform to host Patrick Gray.  

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq discuss what the widespread disruption caused by CrowdStrike’s faulty update tells us about how useful cyber operations are for war. 

From Risky Biz News:

NVD backlog unlikely to get addressed by September: New numbers released at the end of last week suggest that US NIST is unlikely to make any significant progress in addressing a backlog of unprocessed vulnerabilities at the National Vulnerability Database (NVD).

The backlog began in February when NIST analysts slowed down the rate at which they were processing and enriching NVD entries, releasing many CVEs with little to no information about the nature of the security flaw, severity scores, and fixed or vulnerable software versions.

The slowdown had a major impact on the vulnerability management section of the cybersecurity community, which was relying on these entries to help inform customers about which bugs to patch first.

[more on Risky Business News]

AMI Platform Key leak undermines Secure Boot on 800+ PC models: The Secure Boot system on more than 800 motherboard models across 10 different vendors is basically useless now after an extremely sensitive cryptographic key was accidentally leaked online last year.

The key was leaked via a now-removed GitHub repository in 2023 and discovered earlier this year by firmware security firm Binarly.

It allegedly came from an (unnamed) Original Device Manufacturer (ODM), which in turn received it from American Megatrends International (AMI), a company known for developing BIOS/UEFI products.

Binarly named the entire event PKfail because the leaked key was a Platform Key (PK), one of the most important cryptographic keys that can reside on a computer.

[more on Risky Business News, including how Secure Boot is meant to work and how this incident undermines security for a significant percentage of PCs]

New DNS attack impacts a quarter of all open DNS resolvers: A team of Chinese academics has discovered a new type of DNS attack that impacts almost a quarter of all open DNS resolvers running on the internet.

Named TuDoor, the attack uses malformed DNS packets to trigger logic errors inside DNS software. The attack specifically targets the part of the DNS resolver that prepares DNS responses for user queries.

Academics say they can use a quick succession of malformed packets to poison a DNS resolver's cache, cause a denial of service, or increase a server's resource consumption.

[more on Risky Business News]