America Wants to Hack the Planet

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Okta.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Private sector cyber operators in the United States would be allowed to hack foreign cybercrime enterprises that target American citizens and infrastructure under new legislation being proposed by US Congressman David Schweikert (R). The legislation won't pass in its current form, but we like the idea of US private sector hacking capacity being let loose in some circumstances.

The Scam Farms Marque and Reprisal Authorization Act riffs on old-time letters of marque and reprisal. These were government licenses that authorised private operators (privateers) to attack and capture sailing vessels and goods from specified foreign states. Letters of marque were last issued by the US in 1815.

Since at least 2013, cyber letters of marque have regularly been suggested as a policy response to deal with rampant cybercrime and espionage. If we can't defend ourselves, let's make ourselves feel better by hacking back!

Scam farms are in the bill's title, and section 2 says that "criminal enterprises that employ cybercrimes and coerced labor present an unusual and extraordinary threat to the economic and national security of the United States".

But the power granted in the bill is wonderfully broad. It would allow the President to authorise private sector entities to:

employ all means reasonably necessary to seize outside the geographic boundaries of the United States and its territories the person and property of any individual or foreign government, as applicable, who the President determines is a member of a criminal enterprise or any conspirator associated with an enterprise involved in cybercrime who is responsible for an act of aggression against the United States

So basically a license to hack anything from anyone the President thinks is a crook targeting the US, as long as it's outside the USA. 

The bill is a bit vague on some critical points. For example, it doesn't specify whether retrieved funds would be returned to victims or pocketed by the privateer. This feels like an important detail. 

The last bill to cover similar territory was the Active Cyber Defence Certainty or ACDC Act in 2019. It would have allowed victim companies to hack back for specific purposes, like disrupting unauthorised activity against the victim's network and monitoring attacker behaviour. 

The ACDC Act applied to any company in the US that was the victim of a cyber attack. Because so many threat actors attack US interests, in practice this would have meant that everyone from run-of-the-mill commodity cybercriminals all the way up to top-tier state groups would be legitimate targets of the private sector.

By contrast, the Scam Farms Act is more specific because the President has to identify the groups to be targeted. This should be a far shorter list, but would depend on the President's appetite to build a cyber hit list.   

Some of the key concerns regarding authorised private sector hacking are as relevant now as they were in 2019. Namely, getting attribution correct so the wrong party isn't hacked in retaliation, escalation risk when hacking state actors, and ensuring nobody is stepping on NSA, Cyber Command or FBI toes by targeting the same entities. Given the vast range of victims the ACDC Act covered and therefore the number of legitimately targetable threat actors, it was impossible to address those concerns. So, the ACDC Act did not progress. 

The Scam Farms Act could address these attribution and deconfliction concerns if it were more tightly scoped to the actual thing it is named after: the industrial-scale scam compounds that often use forced labour to run internet scams.

A narrower focus would mean the targeting of a single, albeit large, crime industry, rather than potentially … everyone. It would be possible to come up with an allowlist for targeting. It would be a lengthy list, sure, but at least it would be focussed.  

Deconfliction with state-backed operations would be less of a problem, too. 

Joshua Stiefel, co-chair of the Commission on Cyber Force Generation, told Seriously Risky Business that while scam compounds could be targeted if the administration prioritises them, Cyber Command's "plate was pretty full with nation state stuff".

Scam compounds cause tremendous harm, but we suspect they aren't good targets for state action. They are massive decentralised ecosystems rather than targets like ransomware gangs or drug cartels that are run by a small number of key individuals. There is no single point of leverage where a disruptive cyber operation or intelligence collection would result in a significant win. 

Stiefel and other sources we spoke to thought the bill had little chance of passing. We'd describe it as a "messaging bill", one that has little chance of going anywhere but furthers a political message.

The Trump administration has signalled it wants to be more aggressive in cyberspace and Nextgov reported in May that the government had discussed privateering contracts with industry partners. A person familiar with the closed-door discussions told Nextgov "the general consensus from [US government] officials on the topic is that we aren't going to apply a 200 year-old [privateering] authority to the cyber domain". 

So this 'hack anyone the President doesn't like' bill has no chance. But the message that scammers are good targets for privateers will fall on receptive ears. 

Microsoft's Bad China Decisions Are Catching up to It

Microsoft has scaled back Chinese security firms' access to its bug disclosure early warning program. The move came after investigating whether a leak led to hacks exploiting vulnerabilities in its SharePoint software. But Microsoft still has a long way to go to untangle itself from the China web it finds itself in.

That bug disclosure program, the Microsoft Active Protections Program or MAPP, shares vulnerability details with trusted vendors ahead of patches being publicly released. Microsoft spokesperson David Cuddy told Bloomberg that MAPP access would now be limited for participants in countries that require firms to report vulnerabilities to the government, including China. Per Bloomberg:

Microsoft will no longer provide MAPP participants affected by the change with "proof of concept" code demonstrating flaws. Instead, it will issue them "a more general written description" of the vulnerabilities, which it would send at the same time as patches to fix the weaknesses are released.

Cuddy did not comment on the findings of Microsoft's investigation into a potential leak from MAPP, but told Bloomberg there were "multiple working theories on the cause". 

One possibility that occurs to us is that Microsoft engineers themselves leaked the vulnerabilities to China's hackers. ProPublica reported at the beginning of this month that "support for SharePoint is handled by a China-based engineering team that has been responsible for maintaining the software for years".  

With so many of China's cyber fingers in Microsoft pies it is no wonder that potential leaks are hard to nail down!  

Last week ProPublica also reported that Microsoft had failed to disclose key details of its practice of using China-based engineers supervised by digital escorts to maintain US Department of Defense cloud systems. A copy of a 2025 Microsoft security plan submitted to the DoD and obtained by ProPublica "makes no reference to the company’s China-based operations or foreign engineers at all".

Microsoft has clearly made terrible decisions about who it can trust to carry out critical security-sensitive work.  

Over several years this newsletter has covered Microsoft's ongoing security snafus, the disappointing launch of its Secure Future Initiative in 2023, and a Cyber Safety Review Board report in 2024 that lashed the company for its "cascade of security failures". We were optimistic that the company had turned the corner after CEO Satya Nadella published an all-hands memo "prioritising security above all else". 

We still hope that memo has shifted Microsoft's culture to value security. But in retrospect it was too technically and operationally focussed. Nadella specifically called out three principles: secure by design, secure by default and secure operations. 

Unfortunately, Nadella didn't prioritise fixing dumb geopolitical trust decisions that were made when it didn't "prioritise security above all else". The China-based engineer digital escort system for DoD cloud, for example, dates back more than a decade. 

Redmond is learning, late and painfully, that it has to stop treating China like it's just another country. 

Three Reasons to Be Cheerful This Week:

  1. Operation Serengeti 2.0 nabs 1,200: Interpol has announced that authorities across Africa have arrested 1,209 cybercriminals. It says the crackdown recovered USD 97.4 million and targeted illegal cryptocurrency mining, online investment frauds, scam centres and an inheritance scam in several African countries.
  2. Android developer verification: Google has announced that it will be rolling out stricter verification requirements for Android developers from 2026. These requirements will apply to any app installed on certified Android devices, not just those in the Google Play store.
  3. Hacking Kim: Online magazine Phrack has published a write-up by two ethical hackers who believe they've hacked a North Korean APT actor. As discussed on the Risky Business podcast, various threat intel sources believe it to be a Chinese actor. Regardless, it is our fourth favourite citizen hacker write-up. Phineas Fisher holds positions one and two for hacking commercial spyware vendors Gamma Group and Hacking Team respectively. South American hacktivist group Guacamaya is in third position with its nearly 2.5-hour-long video covering its escapades in a mine in Guatemala.

In this Risky Business sponsor interview Tom Uren talks to Brett Winterford, Okta's VP of Threat Intelligence about FastPass. Brett explains what it is, how Okta uses it and why threat actors avoid it.

Shorts

Google Meet Has Problems In Russia

Google Meet users in Russia are reporting problems with the app, in the wake of last week's news about the government blocking WhatsApp and Telegram voice calls. 

Google Meet became the second most popular free app in the Russian App Store following WhatsApp and Telegram service disruptions. The Record reports that a senior Russian official said "Applications that can spy on our citizens and send information to Western intelligence services may well be blocked". He did say Google Meet has not been banned yet. 

The most popular app? MAX, the national champion being promoted by the government. Unsurprisingly, an analysis of MAX finds it is a privacy nightmare and includes high-accuracy background location tracking. 

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about how the teenage hacking groups Scattered Spider, Lapsus$, and ShinyHunters are collaborating.

From Risky Bulletin:

FCC removes 1,200 voice providers from US phone network: The US Federal Communications Commission has banned more than 1,200 voice service providers from the US telephone network after they failed to deploy robocall protections.

The number is almost half of the 2,411 voice providers the agency notified and ordered last year to become compliant with its new anti-robocall rules.

Voice providers had to deploy the STIR/SHAKEN protocol, provide accurate registration and ownership details, and a contact for reporting robocall abuse and issues.

STIR/SHAKEN deployment was the main sticking point. STIR/SHAKEN is a suite of telephony security protocols that use digital certificates and cryptography to authenticate callers and prevent caller ID spoofing.
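As an added illustration (not part of Risky Bulletin's report), the Go sketch below shows the STIR half of that: the originating carrier signs a SHAKEN PASSporT asserting the calling number, and the terminating provider accepts the presented caller ID only if the signature verifies under the carrier's key and the signed number matches it. The key pair, phone numbers and x5u URL are constructed placeholders; certificate chain validation against the STI-CA, which real deployments also perform, is left out.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"math/big"
	"strings"
)
// SHAKEN PASSporT claims (RFC 8225/8588); attest "A" = carrier fully vouches for orig.tn.
type passport struct {
	Attest string              `json:"attest"`
	Dest   map[string][]string `json:"dest"`
	IAT    int64               `json:"iat"`
	Orig   map[string]string   `json:"orig"`
}
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// newCarrierKey stands in for the originating carrier's STI key pair (constructed for the demo).
func newCarrierKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// signPassport: originating provider side. ES256 (P-256, raw r||s) over header.claims; rides in the SIP Identity header.
func signPassport(key *ecdsa.PrivateKey, p passport) (string, error) {
	hdr := `{"alg":"ES256","ppt":"shaken","typ":"passport","x5u":"https://cert.example/sp.pem"}` // x5u is a placeholder
	body, err := json.Marshal(p)
	if err != nil { return "", err }
	input := b64([]byte(hdr)) + "." + b64(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, h[:])
	if err != nil { return "", err }
	sig := make([]byte, 64) // fixed-width r||s, not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64(sig), nil
}
// verifyPassport: terminating provider side. Signature must verify under the carrier's key AND signed orig.tn must equal the presented caller ID.
func verifyPassport(pub *ecdsa.PublicKey, token, presentedCallerID string) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return false }
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { return false }
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, h[:], r, s) { return false }
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	var p passport
	if err != nil || json.Unmarshal(body, &p) != nil { return false }
	return p.Orig["tn"] == presentedCallerID
}
```

A call whose From number has been rewritten to something other than the signed orig.tn, or whose token was signed by a key the verifier does not trust, fails the check and would be flagged or dropped rather than delivered with a trusted caller ID.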

Providers that filed all the needed paperwork were included in the FCC Robocall Mitigation Database, which verified their compliance with the agency's rules.

[more on Risky Bulletin]

Hackers sabotage Iranian ships at sea, again: For the second time this year, an Iranian hacktivist group has crippled the satellite communications systems on 64 Iranian ships at sea.

The incident took place last week and impacted 39 oil tankers and 25 cargo ships operated by the National Iranian Tanker Company (NITC) and the Islamic Republic of Iran Shipping Lines (IRISL).

The hack didn't target the ships directly, but Fannava, an Iranian tech company that provides satellite communication terminals for the ships. A group known as LabDookhtegan took credit for the attack in a Telegram post where they also released documents from Fannava's network.

According to an analysis of the leaked files, the group hacked the company's network, identified all maritime communications terminals in its MySQL database, and then deployed malicious code to each ship's satellite terminal that wiped its disk storage.

[more on Risky Bulletin]

A decade later, Russian hackers are still using SYNful Knock, and it's still working: Cisco and the FBI have asked "the public, private sector, and international community"—also known as "anyone willing to listen"—to patch their stupid end-of-life Cisco routers for an ancient 2018 vulnerability that's being "broadly" exploited by Russian hackers linked to the country's FSB intelligence service.

A group known as Static Tundra has been abusing a bug tracked as CVE-2018-0171 over the past year to install backdoors on old and outdated Cisco routers that are still haunting many corporate and government networks.

[more on Risky Bulletin]