America's Leaky Data Rattles the US Intelligence Community
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Material Security.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.
The US intelligence community is seriously concerned about the foreign intelligence risks that stem from its porous data ecosystem, according to the newly released 2024 US National Counterintelligence Strategy.
The 2024 strategy calls for robust action to counter what it calls foreign intelligence entities (FIEs). It describes an "unprecedented" array of threats:
An expanding array of actors are attempting to steal national secrets, sensitive data, intellectual property, and technical and military capabilities, and undermine and disrupt U.S. foreign policy and intelligence operations. FIEs are positioning themselves to compromise or damage infrastructure critical to U.S. health, safety, and economic activity, and are attempting to influence U.S. policy and public opinion and undermine our democracy. They blend sophisticated techniques with traditional approaches while employing technical and cyber tools that are increasingly potent, widely available, and easy to use. These activities represent immediate threats to our national security, economic well-being, physical safety, democratic processes, and societal cohesion.
It says that the PRC and Russia represent the most significant threats and that:
Our leading adversaries view themselves as already engaged in an intense, multifaceted competition with the United States. As such, their intelligence services frequently conduct more aggressive operations that fall in the “gray zone,” a space between war and peace that encompasses intelligence activities that push the boundaries of accepted norms, such as covert influence, political subversion, and operations in cyberspace.
We also see our leading adversaries cooperating more frequently with one another, enhancing the threat they pose to the United States.
The strategy's key goals are to protect the United States' people, democracy, critical technologies and economic security, critical infrastructure and supply chains. These are captured under the umbrella goal or 'pillar' of "Protect America's Strategic Advantages" and are 'bread and butter' counterintelligence goals.
Relative to the 2020 strategy, a new element of this pillar is an explicit focus on protecting individuals, detailed in a goal to "Protect Individuals Against Foreign Intelligence Targeting and Collection". This includes not only American citizens but also "foreigners affiliated with the U.S. Government at home and abroad, and political dissidents, defectors, resettlees, or other high-risk individuals in the United States".
In explaining this goal, the strategy's authors note the range of data about people that could be used against them:
Moreover, as part of a broader focus on data as a strategic resource, our adversaries are interested in personally identifiable information (PII) about US citizens and others, such as biometric and genomic data, health care data, geolocation information, vehicle telemetry information, mobile device information, financial transaction data, and data on individuals' political affiliations and leanings, hobbies, and interests. PII—such as genomic and health care data—can be especially valuable, providing adversaries not only economic and R&D benefits, but also useful CI information, as hostile intelligence services can use vulnerabilities gleaned from such data to target and blackmail individuals.
One logical response to the easy availability of too much personal information would be to enact a federal privacy law that reins in the worst excesses of the US data ecosystem. However, promising initiatives in recent years have so far come to naught.
For most individual Americans, most of the time, the downsides of weak privacy laws are more theoretical than practical. From a national security perspective, however, foreign intelligence agencies have the means, motive and opportunity to take advantage of the smorgasbord of data to harm America's interests.
The strategy commits the government to "expanding engagement… to inform decisionmaking", which is at least another step in raising awareness and hopefully encouraging action from lawmakers.
The 2024 strategy complements basic counterintelligence objectives with a proactive or even combative approach. This is described in the first pillar of the strategy, which is to "Outmaneuver and Constrain Foreign Intelligence Entities" (FIEs).
Some of the goals contained under this pillar of the strategy include to:
- discover, illuminate, and neutralise adversary FIEs' non-traditional assets and enablers to degrade their operational capabilities and hinder future activities
- Work with partners and allies to conduct integrated, scalable, prioritised, proactive counterintelligence activities to counter FIE cyber operations, introduce uncertainty, and increase costs to FIEs.
We love the ambitious and combative nature of the strategy and like goals that promise some action. However, too many of its goals are to 'increase engagement', 'increase data sharing', 'facilitate information sharing', or 'improve processes'. These are the default actions that appear in strategy documents when people haven't actually come up with good ideas.
The strategy has spelt out the problem, which is aggressive FIEs operating in a loose data environment to gain strategic advantage over the US. But while the US government has decided to tackle FIEs directly, it is only tackling half the problem and doesn't yet know what to do about PII data protection.
Putin Wants his Cybercriminals Back
Two cyber criminals were returned to Russia last week in the largest international prisoner exchange since the Cold War. Perhaps surprisingly, it looks like they were actually just garden variety criminals and didn't have any direct links to Russian intelligence services.
Russia released 16 people, including journalists and political activists, and received eight people in exchange. In addition to the two cybercriminals, these included five convicted or alleged spies and a former FSB officer and assassin. These prisoners were released from the US, Poland, Slovenia, Norway and Germany.
Ars Technica has a good examination of the two cybercrooks who were released. Vladislav Klyushin started a supposed cyber security company called M-13 that made money by stealing public company Securities and Exchange Commission filings and trading on their information prior to the reports being made public.
Roman Selznev was an infamous carder, which is almost mundane in the world of cybercrime, but his father is Valery Seleznev, a member of Russia's Duma (parliament) and described by The New York Times as a close political ally of Vladimir Putin.
As for the others, Andrei Soldatov, a specialist in Russian security services, told Russia-focused investigative outlet Meduza that the assassin released in the swap, Vadim Krasikov, was valuable to Putin because his return sends very different messages to two key audiences.
Soldatov noted that Krasikov is "first and foremost a hitman" and his release is intended to send a message to those who oppose the Kremlin that they are not safe.
Perhaps more importantly, to the security services, Krasikov's return signals that Putin looks after his own and is "willing to pay any price for his guys who are fulfilling a sacred duty and get them out of any mess", said Soldatov.
Similarly to Krasikov, the five convicted or alleged spies were also working at the behest of the Russian government.
By contrast, there is no evidence that the two released cybercriminals did anything for the Russian government. The Department of Justice said Klyushin's M-13 company employed a Russian charged with interfering with 2016 US elections after he was indicted, but this doesn't strike us as evidence of state control.
Watch Patrick Gray and Tom Uren discuss this edition of the newsletter:
Three Reasons to Be Cheerful This Week:
- Microsoft makes security a priority for all: The Verge reports on an internal memo in which Microsoft's Chief People Officer Kathleen Hogan told all employees that security is one of its company-wide 'Core Priorities' and would therefore be a part of all performance reviews. Hogan repeated Microsoft CEO Satya Nadella's message that "when faced with a tradeoff, the answer is clear and simple: security above all else".
- More bug bounties: In its annual review of its bug bounty program Microsoft says it paid out over USD$16m in the last year up until the end of June, with the biggest single award being USD$200k. Samsung also published its bug bounty review and says it paid out USD$827k in the last year and that total bounties since 2017 were approaching USD$5m.
- Russian Coms phone spoofing platform shut down: The UK's National Crime Agency has shut down a phone number spoofing service, Russian Coms, that it says was used by hundreds of criminals to defraud victims across the world. The fraudsters would typically spoof the phone number of a reputable company such as a bank and convince victims to transfer money to another account using a variety of pretexts.
Sponsor Section
In this Risky Business News sponsor interview, Catalin Cimpanu talks with Rajan Kapoor, VP of Customer Experience at Material Security, on how threat actors view email inboxes as the targets of their attacks and not just an entry point into organisations.
Shorts
CrowdStrike's Root Cause Analysis
CrowdStrike has published (pdf) a root cause analysis of the recent widespread outage caused by a faulty update being pushed out to its customers.
The report lays out the chain of events and multiple independent testing failures that occurred during the creation and validation of the problematic configuration file distributed to customers. CrowdStrike's executive summary states "the sensor expected 20 input fields, while the update provided 21 input fields. In this instance, the mismatch resulted in an out-of-bounds memory read, causing a system crash."
Although CrowdStrike employed a cascading series of tests at different stages of its update process, it assumed that if updates it called 'channel files' successfully passed a suite of theoretically comprehensive tests they were good to go, despite never actually testing those files in a live environment.
Would Treating Ransomware Like Terrorism Fix The Problem?
CyberScoop has a good examination of the pros and cons of a Senate Intelligence Committee bill that would give the US government the same kinds of policy tools to tackle ransomware that it has used against terrorist groups.
In short, this boils down to labelling specific ransomware groups as "hostile foreign actors", naming and potentially sanctioning countries that are "state sponsors of ransomware", and raising the priority of ransomware within the US intelligence community.
Although increasing effort against ransomware actors would be great, we are sceptical that naming and shaming ransomware groups and their host countries will make much difference.
Why Affiliates Switch Between Ransomware Groups
Ransomware incident response firm Coveware reported last week a significant increase in attacks that aren't affiliated with particular ransomware groups or what it calls brands.
This matches other recent reporting, but Coveware also provides specific examples of why individuals working with Ransomware-as-a-Service gangs (ransomware affiliates) might switch between groups or brands. Beyond law enforcement disruption of specific Ransomware-as-a-Service groups, an individual might need the brand reach and infrastructure of an established leak site to threaten a victim with data extortion. Or the regular affiliate of one brand might jump to another brand when it attacks a high-profile target such as Colonial Pipeline or Change Healthcare. In that case, the attention the incident draws won't be focused on the affiliates' 'day job' ransomware group.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq discuss recent changes in a Chinese APT's tactics and how cyber security agencies have responded.
From Risky Biz News:
Ransomware attack hits Olympic venues: A ransomware attack has hit the IT systems of the French national museum network, crippling financial systems at over 40 museums, including two that were repurposed to host two Olympic events.
The attack hit over the weekend and took down an IT system that was aggregating financial data from Réunion des Musées Nationaux (RMN), an organisation under the French Ministry of Culture that manages museums around Paris, including the Louvre.
The incident also impacted Grand Palais and the Château de Versailles, two museums hosting events for the Paris 2024 Olympics.
The attack hit Grand Palais a day after the Fencing events had been completed at the facility and a day before Taekwondo events are scheduled to start on August 7
[more on Risky Business News]
Crypto-wallet service seized for helping ransomware gangs launder stolen funds: German and US authorities have seized a crypto-wallet service named Cryptonator on charges of money laundering and operating an unlicensed money service business.
The service allowed individuals to set up crypto-wallet funds that could receive and send funds from and to any type of blockchain service, effectively operating as a "personal cryptocurrency exchange" for each customer.
Officials say Cryptonator failed to implement anti-money laundering protections and knowingly allowed its service to be used for illegal activities.
[more on Risky Business News]
Las Vegas room searches: The Resort World Las Vegas hotel has told guests that it plans to search all guest rooms while the DEFCON security conference is taking place at its premises. Hotel management says the room searches are a result of the ransomware attacks that hit Caesar's and MGM Resorts in August of last year. Both hotels suffered major financial losses following the attacks. Both incidents were caused by intrusions from remote locations over the internet. [Additional coverage in 404 Media]