ASD's Latest Operation: Charm Offensive

PLUS: Cyberespionage Doxxing Is the New Black

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray with help from Catalin Cimpanu. It's supported by the Cyber Initiative at the Hewlett Foundation and this week's edition is brought to you by Stairwell.


The Australian Signals Directorate (ASD), Australia's signals intelligence and cyber organisation, has opened up to an ABC documentary about a number of its offensive cyber operations.

One of them was "Operation Valley Wolf", ASD's cyber contribution to the safe passage of partner troops through the Tigris river valley to Mosul, then under Islamic State (IS) control. The broad outlines of this operation have been described before, but the documentary provides more colour and detail.

ASD studied IS's electronic communications, which included the use of a variety of encrypted messaging apps including Surespot, Wickr, WhatsApp and Telegram. It used an implant, "Light Bolt", that could be deployed to IS devices without user interaction and three different denial-of-service payloads that would disrupt internet access: "Rickrolling", "Care Bear" and "Dark Wall". These payloads all cut internet access, but with different degrees of permanence.

After deploying the "Rickrolling" payload, a device's internet access could be restored with a reboot. "Care Bear" could be overcome by someone with some technical nous, while "Dark Wall" was effectively permanent. Disappointingly, "Rickrolling" did not actually involve using Rick Astley's classic as an internet weapon.

ASD launched these effects "in a very clever, precise, timed way, in coordination with military manoeuvres", former ASD Director-General Mike Burgess told the ABC, in what he claims was a world-first.

There's a recognition here that, by itself, a denial-of-service type attack on a single device is not exactly the stuff of cyberwar dreams. But Dan Baker, a senior ASD cyber operator, told the ABC that coordination with other military action is key to having a meaningful impact.

"So even though it was a simple cyber effect, using it tightly coordinated with partner forces created a disproportionate effect in some cases", Baker said.

For example, in some cases disrupting their internet access forced IS fighters to use radios, which could then be located and targeted using conventional military capabilities.

Baker says that Dark Wall was developed "very, very quickly on the fly" after the Care Bear payload was being reversed by pockets of IS fighters.

"So we were able to draw on many, many years of experience in building disruptive payloads in order to turn around a capability very, very quickly", Baker continued.

The Battle of Mosul started in 2016, so this hints that ASD has been in the cyber disruption game for many years now.

In another example, Operation Crystaldagger, ASD took action against criminals targeting Australians with Covid19-related scams and malware.

In the early days of the pandemic the Australian government launched covid support schemes that became a magnet for cybercriminals. ASD's approach here was methodical. First, it identified a particular trojan that was being used in many of the scams targeting Australians and it then set about destroying that malware vendor's business.

ASD bought the malware "for a few thousand dollars" and when examining it found a vulnerability that they could have used to disable the malware. Instead of relying only on technical disruption, they launched a two-pronged operation. One effort disrupted the malware — ASD doesn't say how — while a second effort leveraged that technical disruption to attack the vendor's reputation on criminal forums.

The thinking here is that simply disabling the malware wouldn't necessarily result in an enduring effect, whereas ruining the supplier's reputation would be more difficult to recover from. The secret sauce to the disruption was weaponised forum drama.

This is an excellent example of the kind of disruption that offensive cyber organisations can and should be conducting against criminals. Measures that are effective, but not necessarily flashy. ASD can do this thanks to a 2018 amendment to Australia's Intelligence Services Act which gives it a mandate to "prevent and disrupt, by electronic or similar means, cybercrime undertaken by people or organisations outside Australia".

These examples remind us of the UK's thinking on offensive cyber operations, laid out in a National Cyber Force paper titled "Responsible Cyber Power in Practice". The overall message here is that by cleverly integrating cyber effects with other activities you can achieve something more than the sum of the parts.

Although not an offensive cyber operation, a third operation cited in the ABC documentary is DSD's analysis of telephone records after the 2002 Bali bombings. (A quick note – until 2013 the ASD was named DSD, the Defence Signals Directorate.)

These terrorist bombings, which killed 202 people including 88 Australians, occurred on a single night across multiple locations in Bali, an Indonesian tourist destination.

Investigators were initially stymied by the sheer size of the blasts, which destroyed useful physical evidence, and by efforts the bombers took to cover their tracks, such as filing identifiers off the vehicles used to carry the bombs.

Australian Federal Police (AFP) investigators, who had been asked to assist by the Indonesian National Police (POLRI), believed that the bombs had been triggered by calls to mobile phones. Two pieces of information were key to unravelling the case. The IMEI of a Nokia 5110 phone was recovered at the site of the US consulate bombing, and the exact time of one of the blasts was known as it had been detected by seismic sensors.

POLRI facilitated access to phone records from Telkomsel, Indonesia's state-owned mobile phone provider, which were handed to DSD.

DSD identified the number that had called the 5110, which POLRI was then able to link to the terrorist group's logistics man.

In an iterative process, on-the-ground police work was combined with network analysis to gradually reveal the full bombing network. At the time neither the AFP nor POLRI had capabilities for this kind of data analysis at the scale required.

Ironically, the steps some of the bombers took in an attempt to avoid detection made them easier to find. The field commander of the terrorist group, Imam Samudra, for example, was "swapping SIM cards and turning his phone off and on when he needed to text or call, which only aided Indonesian and Australian data analysts in identifying suspicious activity".
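As an added illustration of the iterative network analysis and the SIM-swapping pattern described above (this is not code from the newsletter or from the investigation), here is a toy contact-chaining pass over constructed call records: every number, IMEI and timestamp is invented, and "IMEI-5110" merely stands in for the recovered handset.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example (not from the newsletter): toy model of the metadata analysis
# described above. Every record, number and IMEI below is constructed.

@dataclass(frozen=True)
class CDR:
    ts: datetime        # start time of the call or text
    caller: str         # originating subscriber number
    caller_imei: str    # handset the originating SIM was in
    callee: str         # terminating subscriber number
    callee_imei: str    # handset the terminating SIM was in

BLAST_TIME = datetime(2002, 10, 12, 23, 5, 0)   # constructed; stands in for the seismic timestamp
CDRS = [
    CDR(datetime(2002, 10, 12, 22, 40), "+62-A", "IMEI-A", "+62-B", "IMEI-B"),             # unrelated traffic
    CDR(datetime(2002, 10, 12, 23, 4, 58), "+62-LOG", "IMEI-LOG", "+62-TRIG", "IMEI-5110"),  # call to recovered handset
    CDR(datetime(2002, 10, 12, 23, 30), "+62-LOG", "IMEI-LOG", "+62-CMD1", "IMEI-CMD"),
    CDR(datetime(2002, 10, 13, 9, 0), "+62-CMD2", "IMEI-CMD", "+62-LOG", "IMEI-LOG"),        # same handset, new SIM
    CDR(datetime(2002, 10, 13, 10, 0), "+62-CMD2", "IMEI-CMD", "+62-C", "IMEI-C"),
    CDR(datetime(2002, 10, 13, 11, 0), "+62-D", "IMEI-D", "+62-E", "IMEI-E"),              # unrelated traffic
]

def trigger_callers(cdrs, imei, blast_time, window=timedelta(seconds=30)):
    """Numbers that called the handset `imei` within `window` of the blast time."""
    return sorted({r.caller for r in cdrs
                   if r.callee_imei == imei and abs(r.ts - blast_time) <= window})

def contact_chain(cdrs, seeds, max_hops=2):
    """Breadth-first expansion of who-called-whom from `seeds`; returns number -> hop count."""
    adj = defaultdict(set)
    for r in cdrs:
        adj[r.caller].add(r.callee)
        adj[r.callee].add(r.caller)
    hops = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        n = queue.popleft()
        if hops[n] < max_hops:
            for m in adj[n] - set(hops):      # only numbers not yet reached
                hops[m] = hops[n] + 1
                queue.append(m)
    return hops

def sim_swappers(cdrs, min_numbers=2):
    """Handsets seen with several subscriber numbers: the SIM-swapping pattern."""
    numbers = defaultdict(set)
    for r in cdrs:
        numbers[r.caller_imei].add(r.caller)
        numbers[r.callee_imei].add(r.callee)
    return {i: sorted(n) for i, n in numbers.items() if len(n) >= min_numbers}
```

Starting from the seed found by `trigger_callers`, each hop of `contact_chain` is the point at which field work would confirm or discard a lead before the next expansion; `sim_swappers` shows why rotating SIMs in one handset stands out rather than hides.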

This story is a good illustration of both the power and the limitations of using metadata for analysis — it provided important leads but at the same time needed to be complemented with real-world police work.

This documentary is just another example of SIGINT agencies being more public about what they actually do. It's long been time for these organisations to step out of the shadows, if only a little. And it must feel nice on their end being able to share some wins.

Cyberespionage Doxxing Is the New Black

The Russian Federal Security Service (FSB) claims to have uncovered an extensive NSA iPhone espionage campaign.

The FSB claims that thousands of devices used by Russian citizens as well as foreign diplomats based in Russia and the former Soviet Union were affected. The FSB said that America's NSA was responsible and that there had been "close cooperation" with Apple.

The FSB didn't provide any evidence to back up these claims, but on the same day Russian cyber security company Kaspersky announced that it had also been affected by the same campaign, which it is calling Operation Triangulation.

Eugene Kaspersky, the firm's CEO, revealed the campaign had affected "several dozen" employees in top and middle management. The CEO described the attack as "an extremely complex, professionally targeted cyberattack":

The attack is carried out using an invisible iMessage with a malicious attachment, which, using a number of vulnerabilities in the iOS operating system, is executed on a device and installs spyware. The deployment of the spyware is completely hidden and requires no action from the user. The spyware then quietly transmits private information to remote servers: microphone recordings, photos from instant messengers, geolocation, and data about a number of other activities of the owner of the infected device.

Kaspersky Labs said that the "oldest traces of infection" dated back to 2019, and that the campaign was still ongoing as of June 2023.

Eugene Kaspersky said he was "confident that Kaspersky was not the main target of this cyberattack". The announcements from Kaspersky and the FSB don't mention each other but are linked by common IOCs.

We don't know, of course, but it is certainly plausible that this was a US operation.

The FSB's announcement could be a straightforward tit-for-tat response to the recent US outing of the FSB's Snake malware, albeit a less effective one because it doesn't contain the same level of in-your-face technical detail.

It looks like it will be a new standard practice for China and Russia to out US cyber espionage operations in an attempt to emphasise the scale of American intelligence activities. If this is right, congratulations are in order. The US has finally managed to develop a new cyber norm that adversaries actually adhere to!

So far, however, Russian and Chinese efforts to expose US operations lack bite. The FSB's accusation that Apple is complicit also, in our view, diminishes the FSB's credibility. Apple has denied the accusation and issued a statement saying "We have never worked with any government to insert a backdoor into any Apple product and never will".

The announcement may also be part of a Russian government push to move government officials away from using iPhones. Per our sister publication Risky Business News:

News of the attacks comes after, in March, the Kremlin's security team instructed presidential staff to dump their iPhones by April 1, 2023.

Employees were told to get an Android device, either from a Chinese vendor or one running Rostelecom's Aurora OS.

Kremlin officials cited security considerations for their decision, claiming iPhones were "more susceptible to hacking and espionage by Western experts compared to other smartphones."

We have our doubts that other vendors offer devices that are provably more secure than iPhones and we think it worth noting that Eugene Kaspersky believes that Lockdown mode would probably have prevented infection. This implies that none of the affected phones were running Lockdown mode, so it seems like a thing that should be applied by default for official devices.

However, Eugene makes a solid point when he complains about the opacity of Apple's iOS operating system:

This operating system is a "black box", in which spyware like Triangulation can hide for years. Detecting and analysing such threats is made all the more difficult by Apple’s monopoly of research tools — making it a perfect haven for spyware. In other words, as I’ve often said, users are given the illusion of security associated with the complete opacity of the system. What actually happens in iOS is unknown to cybersecurity experts, and the absence of news about attacks in no way indicates their being impossible — as we’ve just seen.

Kaspersky's CEO says that the vulnerabilities involved were 0days at the time but were patched back in February. Kaspersky Labs discovered the campaign at the beginning of the year, so we wonder if whoever was running this campaign disclosed the vulnerabilities they were using after it became obvious their operation had been detected.

We're expecting this disclosure from the FSB to be the first of many. Unpicking an adversary's espionage operation used to be done in the shadows, these days it's a perfect opportunity to engage in some tub-thumping, an activity Russian officials seem to enjoy. So brace for more.

Listen to Patrick Gray and Tom Uren discuss this edition of the newsletter in the Seriously Risky Business podcast:

Three Reasons to be Cheerful this Week:

  1. Microsoft SMB signing to stop NTLM relay attacks: Future versions of Windows 11 will require that SMB requests be signed. Despite being available since Windows 98, it has never been on by default because it slows data transfers. A win for security over convenience.
  2. New Safety Features from Apple: Apple has announced a variety of new safety, security and privacy features that will arrive in the northern hemisphere fall. These include expanding on-device safety features for children that warn users about sending or receiving nude images, more protections in Lockdown mode, and also the ability to share passwords to a group via keychain.
  3. Passkeys for Google Workspaces: Google has announced that Workspaces and Google Cloud will support Passkeys.

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Chris St. Myers, Threat Intelligence Lead at Stairwell, on how the company's Inception platform can be used for finding old or new threats that sometimes may go unnoticed.

Also check out this video demo of Stairwell's Inception platform:


InFraud Bribe Puts Russian Prosecutor InJail

One of the lead prosecutors in Russia's anti-corruption agency, the Investigative Committee of the Russian Federation, has been arrested for taking a USD$24m cryptocurrency bribe from the Infraud Organisation. [more coverage at Risky Business News]

Celebrating 25 Years of Derp

Lawfare has published a short review of 25 years of US White House cyber policies. It points out that the recent Biden National Cybersecurity Strategy is the only cyber policy that actually contains a real strategy, as opposed to a laundry list of possibly good ideas. This is one of the key reasons we like the strategy. Another observation is that public-private partnerships, in one form or another, have appeared in every policy since 1998.

Inside an APAC SMS Phishing Operation

We missed it at the time, but in late April Group-IB published a dissection of the operations of a Chinese-speaking SMS phishing group targeting Singapore and Australia. It's a readable explanation not only of how this particular scam tricks people but also of different approaches to analysing these types of scams.

Sekoia's Kitten Taxonomy

Security firm Sekoia has published a nice overview of Iranian threat actors.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).

In our last "Between Two Nerds" discussion Tom Uren and The Grugq continue part II of their discussion about what it takes to be a cyber power and look at how countries leverage companies.

From Risky Biz News:

Twilio cracks down on SMS Traffic Pumping schemes: Communications platform Twilio will automatically reconfigure customer accounts in a crackdown against SMS traffic pumping schemes. The company will block customers from sending SMS messages to countries where the customer has no previous sending history and which are known sources of SMS traffic pumping schemes. The change will occur in three weeks, on June 21, 2023, according to emails Twilio has sent customers.

SMS Traffic Pumping is a scheme where fraudsters abuse a company's Twilio account and trick it into sending SMS messages to premium phone numbers where they generate a profit just by receiving the messages. [more on Risky Business News]

The role of security cameras in the war in Ukraine: The Ukrainian Security Service has asked citizens to shut off security cameras filming public spaces. The SSU says Russia is exploiting vulnerabilities in modern security cameras to access streams, launch missile attacks, and adjust targeting in real-time. After the SSU sent SMS messages to all citizens with this message last week, several Russian military bloggers thought the agency was trying to mask the movement of its troops for its impending counter-offensive.

Clop linked to MOVEit hacks, 100+ orgs breached so far: Microsoft has identified the threat actor behind the recent exploitation of MOVEit file-transfer servers as our "old friend," the Clop cybercrime group. Clop itself confirmed its involvement in the attacks in responses to email inquiries sent to Reuters and BleepingComputer reporters.

This is the same Russian cybercrime group that has previously exploited vulnerabilities in Accellion FTA and Fortra GoAnywhere, two other popular file-transfer appliances.

Just like before, the Clop gang is following the same playbook. The group did its own in-house research, identified a zero-day vulnerability in the MOVEit server (CVE-2023-34362, an SQL injection), and exploited it to backdoor servers by installing a webshell named LEMURLOOT.

The attacks were swift and coordinated. They appear to have started on May 27, over the US Memorial Day extended weekend, when most companies would have been running with skeleton security teams.

The group deployed the webshell and immediately started stealing massive amounts of customer data, grabbing everything they could before they could be detected. [more on Risky Business News]