America's Private Sector Is Hacking for Godot

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Dropzone.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

The US government must develop a strategy to more effectively use its private sector to scale up offensive cyber activities, according to a new report from Dartmouth's Institute for Security, Technology and Society.
The authors convened 30 experts from government, industry and academia to analyse the current state of play in "offensive cyber" and make recommendations. "Offensive cyber" was defined very broadly as pretty much anything including tool development, acquiring access, espionage and even disruptive or destructive operations.
The report assumes that US policymakers want both a higher operational tempo of cyber operations and to more effectively take advantage of the country's private sector.
One key finding is that "cyberspace dominance" (which the authors don't define, but we took to mean beating China in cyberspace) requires both high and low-end capabilities and the ability to take advantage of opportunities at scale.
China, for example, conducts precise operations that target senior US policymakers. But it also regularly jumps on new opportunities to hack the planet, such as in the Microsoft Exchange and SharePoint incidents. By contrast, the US is one-dimensional and its cyber operations, whether conducted by intelligence, military or law enforcement organisations, are optimised for "deliberate, tightly scoped, top-down operations".
Although this is a capability gap, it's there because the US intelligence system is designed to feed a relative trickle of information it knows is highly valuable to a single customer: The government. Select first, steal later.
The Chinese system is the opposite: Steal everything and then figure out who wants what. Leaks from cyber espionage firm I-Soon showed that hackers would steal data based on loose priorities and see if they could find a paying customer after the fact.
The report suggests that the private sector could close this capability gap because it's agile and can operate at scale. That's true, but we're not sure US national interests would benefit from significantly more stolen data, unless it was shared widely with customers beyond the government.
The report doesn't shed any light on how the US could take advantage of this type of China-style large-scale opportunistic hacking. Its first recommendation is that the US government develop a public offensive cyber strategy. This feels a bit Dr Strangelove to us: We cannot allow a collection volume gap!
More practically, however, the report recommends the government "authorise a pilot program for private sector operations against low risk actors". It identifies low risk actors as cryptocurrency scammers and ransomware gangs. It says vetted private sector operators should be authorised to seize stolen funds or disrupt ransomware infrastructure.
To us, this seems like a better idea than immediately empowering private companies to conduct China-scale intelligence collection operations. A suck-it-and-see approach that targets ransomware actors and crypto thieves is a good first step.
The Splintering Ransomware Ecosystem
A ransomware operator’s six-month journey from Ransomware-as-a-service (RaaS) affiliate to platform operator has been detailed in a new report by Analyst1's Chief Security Strategist Jon DiMaggio. It illustrates that as government ransomware disruption efforts bite, new ransomware strains will continue to bubble up.
DiMaggio has successfully engaged or infiltrated ransomware gangs in the past, sometimes using fake personas. But in this case, the operator, Devman, was aware that DiMaggio was a security researcher documenting his activities. Even so, he regularly spoke with DiMaggio, including in voice calls.
Devman first came to DiMaggio's attention in April this year, when the actor was working with the Qilin and DragonForce RaaS groups. He appeared competent enough, "but nothing distinguished him from dozens of other capable affiliates moving through the ecosystem".
In July Devman took his first steps towards operating independently, using a modified version of leaked DragonForce code as his own variant. Over the next three months he created two different leak sites and advertised for affiliates. By the end of September he had launched his own formal RaaS site.
The take-home lesson here is that developing a minimum viable ransomware strain is not a huge task. Devman was able to do so in a matter of months by modifying an existing strain, despite not having particularly elite technical skills. An early version of his ransomware variant included some pretty fundamental implementation flaws, including encrypting its own ransom notes, making it impossible for victims to know who to pay.
"Devman controls everything," wrote DiMaggio. His RaaS operation has a strict code of conduct, beyond what is typical.
For example, Devman insists on approving affiliate team members and prohibits behaviour unbefitting a professional extortionist, like insulting colleagues. He also reserves the right to take control of negotiations if affiliates fail to meet their obligations to victims or treat them unprofessionally.
While Devman likes to exert control over affiliates, his targeting rules are relatively loose:
- Encrypting ransomware is allowed everywhere except for CIS countries (former USSR) and Serbia
- Critical infrastructure can and should be targeted
- Targeting healthcare businesses related to children is forbidden as is the leaking of data belonging to people under 18 years of age
To us, these rules appear to be based on Devman's personal moral code, rather than being influenced by fear of law enforcement action.
Devman told DiMaggio that he permitted attacks on hospitals because he had "lost fate [sic]" in them. When he sat in on a hospital ransom negotiation with the Conti group, the hospital did not mute the call while talking to its insurance company. Devman said he overheard them counting and "comparing the ransom and payouts to dead people".
"And I was like wtf are we the bad guys here?"
He also linked the targeting of hospitals to NATO's 1999 bombing of a Belgrade hospital. Per DiMaggio's report:
The moral gymnastics were clear. If hospitals treat patients as balance sheet entries, and if Western military operations caused Serbian civilian casualties and infrastructure damage, why should he treat American hospitals differently from any other business?
Devman is also fully aware of the risk of being a cyber criminal. He told DiMaggio that being involved means "you will never see your kid. You won't have a happy end". Despite that, he continues to develop his RaaS platform.
Governments have a policy prescription that kinda works in the current ransomware environment, where a small number of relatively large RaaS platforms are responsible for most of the damage. It won't eliminate ransomware, but disrupting the biggest, baddest groups at least delivers bang for buck.
Back in 2022, for example, LockBit was responsible for nearly 30% of ransomware incidents. Disrupting it in 2024 was clearly a huge win.
Even as the ransomware ecosystem splinters, targeting top groups with government disruption will continue to make sense. But that still leaves a large pool of smaller groups that could in aggregate cause significant pain.
So how do we tackle them? As discussed in the previous article, that's where the private sector can come in.
Watch Amberleigh Jack and Tom Uren discuss this edition of the newsletter:
Three Reasons to Be Cheerful This Week:
- 2,500 scammer Starlink terminals disabled: SpaceX announced it had "proactively identified and disabled" over 2,500 Starlink kits in the vicinity of suspected scam compounds. This proactive move comes after a US Congressional committee announced last week that it was launching an investigation into Starlink's use at Myanmar scam compounds.
- European SIM box scamming network dismantled: Europol announced that it had disrupted a "cybercrime-as-a-service" SIM box network in Latvia being used to facilitate a wide range of scams. It offered telephone numbers registered to people from over 80 countries and allowed criminals to set up fake social media and messaging accounts, for example. About 40,000 SIM cards were being used in 1,200 SIM boxes and hundreds of thousands of other SIMs were also seized.
- Data breach fines in US, UK and Australia: In recent weeks insurance companies in New York, an outsourcing company in the UK and an Australian pathology business have all received fines for poor data practices that led to data breaches.
Sponsor Section
In this Risky Business sponsored interview, Tom Uren talks to Edward Wu, CEO and founder of Dropzone AI, about a study that measured how AI practically helps SOC analysts triage real-world problems. Analysts were faster, more accurate and got less tired with AI assistance. Edward thinks the technology won’t replace human analysts, but will speed their skill development.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In this edition of Between Two Nerds, Tom Uren and The Grugq talk to Joe Devanny, senior lecturer from King's College London, all about India's missing cyber power. It has the ingredients to become a cyber superpower, but so far, it hasn't shown the motivation.
Or watch it on YouTube!
From Risky Bulletin:
Clever worm hits the DevOps scene: Security researchers have spotted a second self-propagating worm that hit the DevOps space within the span of a month. The new threat is named GlassWorm and primarily targets the VS Code extensions space.
It is the second such threat after the Shai-Hulud worm that hit the npm JavaScript package repo in mid-September.
GlassWorm was spotted by Koi Security. It was first seen on the unofficial OpenVSX marketplace for VS Code extensions, but later spread to the official Microsoft VS Code store as well.
At the time of writing, the worm has spread and infected 15 extensions on OpenVSX and one on the official store. See this live infection status page.
[more on Risky Bulletin]
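For readers who want to check their own machines against the infection list rather than eyeball it, here is an added example (ours, not code from Koi Security or from the Risky Bulletin item) that inventories locally installed VS Code extensions and flags any whose ID is on a supplied list. It assumes, as the page does not state, that stock VS Code records installed extensions in ~/.vscode/extensions/extensions.json as a JSON array whose entries carry an "identifier" object with an "id" of the form publisher.name plus a top-level "version" string. The affected extension IDs are not listed on this page, so the blocklist below is a placeholder for the reader to fill from the live status page, and the sample manifest is constructed.

```python
"""Inventory installed VS Code extensions and flag IDs on a blocklist.

Added example, not code from the page, Koi Security or VS Code itself.
Assumptions (not stated on the page): VS Code keeps an extensions.json
array in its per-user extensions directory, each entry holding
{"identifier": {"id": "publisher.name", ...}, "version": "x.y.z", ...}.
The blocklist is supplied by the reader from the live infection status
page; the IDs used in the demo below are placeholders.
"""
import json
from pathlib import Path

# Constructed sample in the shape described above; extension names are
# placeholders, not real affected packages.
SAMPLE_MANIFEST = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2024.10.0"},
    {"identifier": {"id": "examplepub.example-theme"}, "version": "1.2.3"},
    {"identifier": {"id": "ExamplePub.Another-Ext"}, "version": "0.9.1"},
    {"identifier": {"uuid": "no-id-here"}},  # malformed entry, must not crash the scan
])


def default_extensions_dir() -> Path:
    """Per-user extension directory for the stock VS Code build (assumed path)."""
    return Path.home() / ".vscode" / "extensions"


def parse_manifest(text: str) -> dict:
    """Return {extension id (lower-cased): version} from an extensions.json body.

    Marketplace IDs are case-insensitive, so everything is normalised to
    lower case before any comparison; entries without a string id are skipped.
    """
    installed = {}
    for entry in json.loads(text):
        ident = entry.get("identifier", {}).get("id") if isinstance(entry, dict) else None
        if not isinstance(ident, str):
            continue
        installed[ident.lower()] = str(entry.get("version", "unknown"))
    return installed


def find_compromised(installed: dict, blocklist) -> list:
    """Return sorted (id, version) pairs for installed IDs present in blocklist."""
    wanted = {b.lower() for b in blocklist}
    return sorted((eid, ver) for eid, ver in installed.items() if eid in wanted)


def scan(blocklist, extensions_dir: Path = None) -> list:
    """Scan a real extensions directory; returns [] if no manifest is present."""
    manifest = (extensions_dir or default_extensions_dir()) / "extensions.json"
    if not manifest.is_file():
        return []
    return find_compromised(parse_manifest(manifest.read_text(encoding="utf-8")), blocklist)


if __name__ == "__main__":
    # Demo on the constructed manifest. Replace BLOCKLIST with the IDs from
    # the status page and call scan(BLOCKLIST) to check the real install.
    BLOCKLIST = ["examplepub.example-theme", "examplepub.another-ext"]
    hits = find_compromised(parse_manifest(SAMPLE_MANIFEST), BLOCKLIST)
    for eid, ver in hits:
        print(f"FLAGGED {eid} {ver}")
    print("clean" if not hits else f"{len(hits)} flagged extension(s)")
```

Note that matching is on the extension ID only; once the status page gives affected version ranges, compare the version field as well, since a clean earlier release of a hijacked extension will still match by ID.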
Prisoner hacks prison IT system, goes wild! A convict at a Romanian prison has hacked the country's prisoner management platform in a security breach that has rocked Romania's penitentiary agency.
The incident took place in August and continued through October.
From various reports in Romanian media and a statement released by the national penitentiary police union, the incident appears to have originated in the city of Dej, in Romania's Transylvania region, at a prison hospital complex, where prisoners are sent to treat illnesses and then return to finish their sentence at their normal jails.
[more on Risky Bulletin, including how an inmate modified commissary account balances and early-release records]
F5 says an APT stole source code, vulnerability reports: F5 (formerly F5 Networks), one of the largest US tech companies and a member of the S&P 500, has disclosed a security breach this week, in an incident that is in contention for the year's biggest hack award.
Details about the breach have been in flux since it was disclosed, so we put together a list with all we know happened so far.
- The company disclosed the breach via an SEC filing on Wednesday, October 15.
- The hack was detected in August, but disclosure was delayed at the request of the US DOJ, on the grounds of national security concerns.
[more on Risky Bulletin]