Carnegie Report Takes Wind Out of Cyber War Sails

PLUS: Bad Times Continue for NSO Group

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray with help from Catalin Cimpanu. It's supported by the Cyber Initiative at the Hewlett Foundation and founding corporate sponsor Proofpoint.

Shortly after our last edition was published, the Carnegie Endowment  released an in-depth report on Russia's Wartime Cyber Operations in Ukraine in an effort to bridge conventional and cyber-specific analysis of the war.

Jon Bateman, the author, is cautious about how much it is possible to know right now and writes the "paper’s tentative insights represent one reasonable interpretation of fragmentary, conflicting, and evolving data". Despite this, we think it does a good job triangulating what might be true from these sources — it tells a plausible and internally consistent story, if not one that will turn out to be totally correct over time.

Some of the key points:

  • Russian cyber "fires" (disruptive or destructive attacks) may have contributed modestly to Moscow’s initial invasion, but since then they have inflicted negligible damage on Ukrainian targets.
  • Cyber fires have neither added meaningfully to Russia’s kinetic firepower nor performed special functions distinct from those of kinetic weapons.
  • Intelligence collection — not fires — has likely been the main focus of Russia’s wartime cyber operations in Ukraine, yet this too has yielded little military benefit.

Overall the report reinforces our belief that cyber operations should be used in wartime as a force multiplier. Although the Russian disruption of ViaSat's satellite communications on the day of the invasion has been well reported, Bateman's report also mentions a less well-covered incident — a major Ukrainian ISP was also victim of a cyber attack at the same time. Disrupting both satellite communications and an ISP at the same time as conventional forces are invading is exactly the kind of coordination that we think could provide a significant advantage.

As it turns out, of course, Russian forces weren't able to gain a decisive advantage despite these operations, even though they appear to have successfully caused some disruption. A key question that isn't yet resolved is how Russian conventional forces intended to take advantage of this disruption. Was it even possible to take advantage of these cyber fires to gain a decisive advantage?

The report notes:

To put these few cyber fires in context, Ukrainians have experienced dozens of significant internet service disruptions due to physical attacks on telecoms equipment and power supplies. Russian cyber fires thus amount to an occasional and secondary threat to Ukrainian connectivity.

Our favourite part of the report, of course, is where Bateman agrees with our belief that Microsoft has, at times, overstated the level of coordination between cyber and conventional military action.

At this point, Russian forces are well past the point of diminishing returns from investing in disruptive war-related cyber operations and will achieve more by focussing on intelligence collection.

Bad Times Continue for NSO Group

The US Supreme Court has declined to hear an appeal from NSO Group, allowing WhatsApp to continue pursuing its lawsuit against the firm for using Pegasus spyware against its users.

NSO Group had attempted to claim sovereign immunity by arguing that it was acting as an agent of a foreign government and therefore had the protections that sovereign governments have from US lawsuits. The Supreme Court 'decision' — to not even bother to look at NSO Group's appeal — comes after two lower court decisions rejected NSO Group's argument.

WhatsApp filed suit against NSO Group way back in October 2019, in the aftermath of NSO Group attempting to infect around 1,400 WhatsApp users with its Pegasus malware. WhatsApp is seeking an injunction blocking NSO Group from accessing its computer systems, which would effectively end NSO Group's ability to target WhatsApp users.

There are billions of active WhatsApp users around the world, so 1,400 isn't a huge number of users in the grand scheme of things. So at first glance NSO Group’s claim that its "technology is licensed to authorised government agencies for the sole purpose of fighting crime and terror" seems plausible. The claims fell apart pretty quickly, though, as WhatsApp found that "at least 100 human-rights defenders, journalists and other members of civil society across the world" were targeted with NSO's technology. And there has been a regular stream of reporting documenting Pegasus abuses ever since then.

These ongoing revelations, which included allegations Pegasus was used against journalist Jamal Khashoggi prior to his 2018 murder by the Saudi government, have changed the political environment. It's hard to imagine a new company retreading NSO Group's footsteps and reaching the same level of success.

Even if the WhatsApp suit succeeds we're past the point that it really matters. Lawsuits are useful for shaping the behaviour of companies that want to appear responsible and operate in big markets such as the US and Europe, but it's the sanctions hammer that's reshaped the spyware playing field in the last two years, not civil court actions. (Apple also filed a lawsuit in November 2021.)

In November 2021, the US added NSO Group and Candiru, another Israeli surveillance technology company, to a US export control list. In addition to the immediate effect of making US exports to the specified companies more difficult, it also resulted in considerable domestic political pressure. NSO Group's spyware had previously been used by the Israeli government as a kind of diplomatic calling card, but the firm was unceremoniously thrown under a bus.

NSO's CEO had reportedly asked the Israeli government to lobby the US to remove the company from the Entity List, but it seems that after initially being keen to lobby for NSO Group the Israelis ultimately decided to hold off. A senior Israeli official told Axios that "We want to talk to the US first in order to make sure that the NSO affair didn’t damage our bilateral relations. We would also want to hear from the US if they have any information we need to know about NSO".

For the Israeli government, NSO Group is a nice-to-have, but good relations with the US are a must-have.

It's pretty clear the Biden administration wants nothing to do with NSO Group. A plan by US defence contractor L3Harris to acquire the remnants of NSO Group to sell its capabilities to a "drastically curtailed" customer base, including the Five Eyes and some NATO allies, was shot down. The deal actually made sense to some degree, but it looks like senior officials were blindsided by news of the potential deal, and it was killed.

Beyond the White House, the US congress is concerned and has taken steps to rein in spyware proliferation. In July 2022 the Intelligence Authorization Act included a number of anti-spyware provisions. In late December 2022 the House Intelligence Committee chair began an inquiry into the government's use of foreign spyware.

By contrast, the European Union's PEGA committee has produced some worthwhile reports, but the EU itself has not actually taken any kind of substantive action. That may be because some of its member states are irresponsible users of spyware like Pegasus and just don't want to stop. PEGA committee rapporteur Sophie in 't Veld said that "[In] Poland and Hungary, [...] spyware is an integral element of a system; a system which is designed to control and even oppress the citizens — that is the critics of the government, the opposition, journalists, whistleblowers — and the whole system is very methodically set up".

Despite this uneven response across governments, the scrutiny and sanctions have had a drastic impact on NSO Group's business. In April last year it was even described as "valueless" in the Financial Times, although it still remains an ongoing concern and as of August 2022 was undergoing management restructuring.

We think the whole episode will serve as a warning to other firms thinking of developing spyware businesses. NSO Group showed that spyware is a lucrative market, but it's only a sustainable business if you are very, very careful about who you sell to.

Three Reasons to be Cheerful this Week:

  1. Ransomware decryptor successes: Romanian antivirus maker Bitdefender has developed and released a decrypter for MegaCortex ransomware that will allow victims to recover files at no cost. Japan's National Police Agency had also reportedly also been successful in decrypting LockBit ransomware over the last year.
  2. Better Late Than Never: AWS has moved in recent weeks to change defaults for S3 buckets. Data stored in S3 servers is now encrypted by default. Default public access will also be removed after April 2023.
  3. Killing Sacred Cows: The Biden administration's upcoming national cyber strategy is set to move beyond information sharing and public-private partnerships as the go-to answer for cyber security woes. One particular initiative we like is to shift liability "onto those entities that fail to take reasonable precautions to secure their software". We've railed before about "enterprise software vendors continue[ing] to churn out critically important products that contain absolutely idiotic vulnerabilities", and we think it absolutely makes sense that software vendors be required to do due diligence. Lawfare has further analysis of the issue.

Seriously Risky Business is supported by the Hewlett Foundation's Cyber Initiative and corporate sponsor Proofpoint.

Okta and Passwordless Authentication

Risky Business publishes sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors. You can subscribe to our product demo page on YouTube here.

In our latest demo, Brett Winterford and Harish Chakravarthy demonstrate to host Patrick Grey how Okta can be used for passwordless authentication. These phishing resistant authentication flows — even if they are not rolled out to all users — can also be used as a high-quality signal of phishing attempts that can be used to trigger automated follow-on actions.


Evil Bots

We briefly examined the possible cyber security threats presented by ChatGPT in our final newsletter edition of 2022 and since then new research has been published that explores how it could be used by criminals and how it actually is being used.

Security firm WithSecure examined various different potential criminal "use cases" such as social validation, phishing content and trolling, among others. ChatGPT can be used for all these and more, and the report says there "is no shortage of creative maliciousness".

Checkpoint research looked at how criminals are actually using ChatGPT right now and found that some unsophisticated individuals are using ChatGPT to help develop malware. Alex Holden of Hold security told Forbes he has found dating scammers trying to use ChatGPT to create convincing personas.

OpenAI, the company behind ChatGPT, has even collaborated in research to examine how the technology might be misused for disinformation. We'd also like to see some more research from OpenAI on the cyber security threat use cases that have been identified.

On the Twelfth Day of Christmas, My True Love Gave to Me…

Since our last edition in mid-December there have been breaches where encrypted password vaults were stolen from LastPass, source code was stolen from Slack, and the details of hundreds of millions of Twitter users were leaked online.

These Are Not the Chats You Are Looking For

The Record has an interesting article about the Belarusian Cyber Partisans creating an "indistinguishable alternative" to Telegram which wipes selected chats when accessed with an emergency code. This protects activists from the inspection of devices by pro-regime security forces, but of course doesn't protect from the compromise of Telegram itself

Cyber Bears Invade Space Tubes

CISA has found evidence that the Russian APT-28 or Fancy Bear group had penetrated a US satellite network. The space sector is not quite designated by the US government as critical infrastructure, but CISA has suggested that perhaps it should be. This week's Risky Business podcast has more coverage of the incident.

TikTok Spied on Journalist IP Addresses

On the Thursday before Christmas TikTok confirmed that employees at ByteDance, it's China-based parent company, tracked multiple US-based journalists covering TikTok in an effort to find the source of internal leaks. This included accessing IP address and user data, although it doesn't appear to include app-provided location data. We've covered how difficult it will be for TikTok to truly firewall US user data from China, so we are not particularly surprised that this could happen. However, we are surprised that it actually did happen. The day after the story broke, coincidentally, TikTok was banned from federal government devices in the USA. This is an entirely sensible move (and probably overdue), and TikTok hawks now have more ammunition to demand TikTok's separation from ByteDance. This was a massive own goal for ByteDance given the controversy over TikTok's ownership.

Got Milk?

The US government has warned that criminals are using business email compromise (BEC) to steal large quantities of food. Curiously, most of the incidents cited in the advisory involve whole or powdered milk, although we don't know why truckloads of milk products are particularly attractive.

Even More Russian Hacks

There has been a bunch of recent news about Russian activities outside Ukraine, including targeting of a NATO country petroleum refinery, infiltration of a US satellite network (discussed further below), and targeting of US nuclear scientists.

Risky Biz Talks

In addition to a podcast version of this newsletter (last edition here), the Risky Biz News feed  (RSS, iTunesor Spotify) also publishes interviews.

In our last "Between Two Nerds" discussion Tom Uren and The Grugq find that most countries' use of cyber capabilities makes sense. Except for the US. They are in a different position and the development of cyberspace as a domain of strategic competition is a net loss for them..

From Risky Biz News:

Robin Hood stuff: Ukrainian cybersecurity expert Alex Holden claims to have hacked Solaris, a dark web drugs market serving the Russian community, and stolen more than $25,000 worth of cryptocurrency from its users and administrators. Holden told Forbes he donated the stolen funds to charity organizations helping Ukrainians affected by Russia's invasion. [Non-paywall version here]

When one person's "highly profitable trading strategy" is a regulator's "market manipulation": The US has charged and detained cryptocurrency trader Avraham Eisenberg, an individual who exploited the Mango Market cryptocurrency platform in what he described as a "highly profitable trading strategy." Mango Market went insolvent after his "trades." Obviously, Mango Market and DOJ officials didn't view his "trading strategy" that way.

SugarCRM zero-day used to compromise roughly 10% of all internet-accessible servers: Almost 10% of all internet-accessible SugarCRM servers (representing 291 of 3,066 servers, based on Censys data) were hacked and compromised using a zero-day exploit published online in late December. (more on Risky Biz News).