Crimephones Are a Cop's Best Friend

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray with help from Catalin Cimpanu. It's supported by the Cyber Initiative at the Hewlett Foundation, and this edition is brought to you by Proofpoint.

Crimephones are back in the news after a legal challenge against the UK's National Crime Agency's Encrochat operation failed and it emerged that the Calabrian mafia have embraced a secure communications device from a company named No. 1 Business Communication.

The recent news is a good excuse to look back on the recent history of crimephones and the law enforcement operations that have rendered them worse than useless to criminals.

If you're not au fait, "crimephone" is the Risky Business HQ term for dedicated encrypted devices that are marketed in criminal networks to help facilitate illegal activity. Typically these devices offer a hardened (in theory) OS, a pre-loaded encrypted messaging app, can only communicate with other similar devices in a closed network, and are sometimes stripped of extraneous functionality such as GPS, camera and microphone.

In addition to thwarting law enforcement efforts with strong encryption, the removal of sensors such as cameras and GPS also prevents the generation of data that could be used as evidence in court.

Phantom Secure, one of the earlier crimephones was launched in 2008 and although initially it was marketed to privacy-conscious people pretty it quickly found product-market fit in the criminal underworld. In those early days these platforms did hinder police investigations, but it's 2023 and the whole thing has been turned on its head. In fact, these days we'd argue these devices are a boon to law enforcement rather than criminals. Since 2016, law enforcement has infiltrated or taken down all the following platforms:

• Ennetcom in 2016 by the Dutch police
• PGP Safe in 2017 by the Dutch police
• Phantom Secure in 2018 by the FBI
• Encrochat in 2020 by the Dutch police
• Sky ECC in 2021 by the Dutch police
• An0m in 2021 by the FBI and AFP
• Exclu in 2023 by the Dutch police

PGP Safe and Phantom Secure were minor successes in that police operations dismantled the communications networks themselves but only charged the owners or administrators with whatever crimes police had enough evidence to prosecute.

Phantom Secure's chief executive was charged with conspiracy to distribute narcotics and RICO Act violations, for example, while the PGP Safe suspects were charged with money laundering.

The rest of these operations were spectacularly successful and provided law enforcement with access to the messages between criminals. This access was obtained in a variety of different ways.

Sometimes the encryption keys that protect users' messages are just left lying around. Dutch crimephone company Ennetcom, for example, stored encryption keys on its server, which was located in Toronto. Canadian authorities handed the servers over to the lead investigators, the Dutch police, who were able to decrypt millions of messages exchanged between criminals.

In other operations law enforcement appear to have exploited encryption flaws that allow messages to be decrypted regardless of key security. In the case of Sky ECC the investigating police said they'd managed to "crack" or "unlock" the encryption.

Even when these platforms handle their encryption and network security well, hands-on access to their infrastructure can be used to push spyware to user devices. EncroChat, for example, used the open source Signal protocol. But authorities with access to the server in France were able to push spyware software to its end users.

Our favourite, of course, is An0m, which was marketed to criminals in the aftermath of the shutdown of Phantom Secure. Unfortunately for its users, the FBI itself was covertly running the platform in a partnership with the Australian Federal Police. The encryption An0m used was solid, but police were blind cc'd on every message users would send. Adding insult to injury, the system even geotagged all these intercepted messages with the suspects' precise locations.

Why the Australian partnership? Because running wholesale spying operations like this against American criminals is legally fraught. The FBI essentially gifted the An0m operation to the Australian Federal Police because of this. Thanks, guys! In the end, the FBI was only able to arrest people for distributing the phones. "The indictment charges 17 alleged distributors of the FBI’s devices and platform." Lol.

These regular successes make us wonder if the rise of these devices has actually been a net boon for law enforcement over the longer-term. Every press release about one of these operations announces hundreds of arrests, tonnes of drugs seized and hundreds of millions of messages intercepted.

There's even evidence these operations have provided deeper insight into criminal networks than was previously available. Talking about anti-crimephone operations, two senior Europol officers, Frenchman Jean-Philippe Lecouffe and Finn Jari Liukku, told The New Yorker:

Neither could remember another breakthrough in which they had learned so much so quickly. For one thing, Liukku said, the phone busts had apprised them of important figures in organised crime who had been "completely unknown" to them and who must have felt "untouchable." Now these men — it was almost always men — were active targets.

Lecouffe told me that, before the encrypted-phone stings, police forces were "a bit in the dark" about how organised crime functioned from day to day, even if the occasional successful investigation provided faint illumination on a group or an activity. Suddenly, it was [as] if somebody had switched on thousands of klieg lights, and "we could not only take a picture but a movie."

Unsurprisingly, the criminals who've found themselves facing serious charges, backed by slam-dunk evidence, aren't very happy about this. They've been challenging the operations, questioning either the legality of how the data was collected, because it relied on potentially opaque authorised hacking, or the scope of the authorisation. So far, these challenges have been unsuccessful.

When it comes to lawful hacking, we're all for appropriate transparency. Courts should be presented with evidence that the techniques police used generated reliable evidence, even though some technical details need to be protected to preserve capabilities.

As for scope, there is solid evidence that criminals actually self-select to use crimephones. After the An0m bust, FBI agent Suzanne Turner told reporters at a news conference that "each and every device in this case was used to further criminal activity". And let's be honest, law-abiding citizens won't pay thousands of dollars in subscription fees to use a device that can only communicate with criminals.

It is possible that some criminal defence lawyers have their own crimephone, so after its takedown of the Exclu service, Dutch police provided an opt-out email address for users who can invoke legal privilege "such as lawyers, civil-law notaries, doctors or clergy". If the opt-out was found to be legitimate, police would delete the data.

It's worth repeating here that this type of thing would not work in the USA. Intercept first and delete later isn't really something they can do there.

The dilemma for criminals is real. They can't migrate to mass market smartphones with regular E2EE apps like Signal because that's how you wind up with defence contractor-grade spyware on your iPhone. But they shouldn't trust off the shelf crimephones, either.

There is a third, even stupider way forward for criminals seeking secure comms, and this is the direction we think they're likely to choose. We think the larger criminal organisations will probably start developing their own, homegrown crimephones, rather than purchasing off the shelf. The companies that make crimephone have been financed by criminals in the past, so this is a logical next step. Take it in-house!

It's been done before, and the results have been spectacularly awful.

In the late 2000s Mexican drug lord and former leader of the Sinaloa cartel Joaquín Guzmán, aka "El Chapo", hired his own IT specialist to set up an encrypted communication network. Christian Rodriguez started out working for Geek Squad in Medllín, Colombia, but ended up building an encrypted VoIP network for the Sinaloa cartel.

He did other security jobs for Guzmán like installing FlexiSPY spyware on the phones of Guzmán's wife and mistress.

Regrettably for El Chapo, Rodriguez was recruited by the FBI and helped it access both the VoIP network and also the FlexiSPY accounts. Recorded conversations and messages featured prominently in Guzmán's trial.

We've seen other attempts at home-grown secure comms networks more recently. Former hotdog vendor turned war criminal Evgeny Prighozin built a "secure" phone network for the employees and partners of his business interests, which include the Wagner Group private military contractor.

It didn't go well.

Thankfully, crooks are slow learners who also make bad technology choices.

In the interim, the slowest gazelles in the criminal herd are currently gravitating towards No. 1 BC. They may want to reconsider. Vice Motherboard reports a "noteworthy message" was posted to the company's website in January regarding updated signing certificates. No. 1 BC administrators wrote "we are distributing our new and improved No.1 Live application that will replace the No.1 BC Live application".

Don't worry guys. We're sure it's nothing to worry about.

Listen to Patrick Gray and Tom Uren discuss this edition of the newsletter in the Seriously Risky Business podcast:

Three Reasons to be Cheerful this Week:

1. Cyber wardens to the rescue: In its most recent budget the Australian government provided funding to train in-house "cyber wardens" for small business. It's hard to know what will fill the small business cyber security gap so it would be good to get an accounting of what difference the program makes over time.
2. Spanish Scalper Bot Crime Network Arrests: Spanish authorities have arrested members of a cybercrime gang that was using a bot to book and then resell appointments for Spain's migrant and asylum seeking-services. The free appointments were being resold for anywhere from €30 to €200. This newsletter examined "scalper bots" last year. [more coverage at Risky Biz News]
3. Safe Browsing API gets faster: Google announced a number of security improvements at its Google I/O conference. One that caught our eye was that Safe Browsing is getting a new API that will do real-time checks for low reputation sites. Google has found that "a significant number of phishing sites only exist for less than ten minutes to try and stay ahead of block-lists" and expects real-time detection will block an additional 25% of phishing attempts every month.

Sponsor Section

Proofpoint, this week's sponsor, has published its 2023 edition of Voice of the CISO, a yearly report featuring insights and experiences from more than 1,600 CISOs from around the world. The report covers recent threat actor trends, insights into better defences, and the latest dynamics in board-CISO relations.

Also, check out Tom Uren's interview with Proofpoint's Selena Larson in this sponsor interview:

Shorts

Suing Our Way to Security Nirvana

This week Kronos, an HR services company, agreed to a USD$6m settlement with its employees over a 2021 ransomware attack where personal data was breached. Also this week, UMass Memorial Health, a Massachusetts health care provider that was affected by the Kronos ransomware attack, agreed to pay USD$1.2m to settle wage claims arising from a disruption after a ransomware attack affected its timekeeping system. Finally, Yum Brands, which operates or franchises restaurants such as KFC and Taco Bell, is facing class action lawsuits in several US states after a January ransomware attack.

Theoretically, successful lawsuits that impose monetary costs on firms affected by ransomware should result in improved security as it encourages other companies to take steps to avoid those costs. We think directly affected firms will up their game, but we wonder how much of a broader effect this will have in practice. Of course the lawyers will do well — in the UMass agreement the plaintiff's lawyers said they plan to request up to USD$400k in attorney's fees and USD$8,500 per each named plaintiff, while the affected workers are expected to get USD$245 on average.

Tell Us About Ransomware, Pretty Please

The UK's NCSC and Information Commissioner's Office (ICO) have issued a coordinated call for more company transparency around cyber attacks saying that they are "increasingly concerned about what happens behind the scenes of the attacks we don’t hear about, particularly the ransomware ones".

The overall message is that firms will be better off if they tell officials what is happening and that paying a ransom doesn't make an incident go away. Gently asking firms is nice, but if it's worth asking nicely it probably makes sense to make it mandatory, at least for firms above a certain size.

Cybersecurity for Our Precious Fluids

Wired has a write up on lawsuits launched by attorneys general in several US states that are seeking to invalidate Environmental Protection Agency (EPA) cyber security regulations that cover water facilities. These regulations rely on a somewhat creative interpretation of existing legal authorities.

It is pretty stupid that cyber security standards have to be shoehorned into EPA regulations and it would be better to have explicit authorities. But there are layers of stupid here, and it'd be even dumber to have no regulation at all, especially given existing cyber threats to water systems.

Unfortunately, it seems to take a crisis to spur legislation. One recent cyber security improvement bill, the NOTAM Improvement Act, is sailing through Congress. In this case, an outage in the FAA's Notice to Air Mission system that caused widespread aviation disruption is the motivating force behind the bill.

Wazawaka is Under the Spotlight, But He Feels Fine

Mikhail Pavlovich Matveev, aka Wazawaka, a Russian ransomware operator, has been indicted by the US Department of Justice and an USD$10m reward offered for information leading to his arrest. The DoJ claims Matveev was responsible for multiple US law enforcement agency and healthcare sector ransomware attacks.

According to Krebs on Security, in 2021 Matveev wrote on a cybercrime forum that he did not plan to travel overseas.

"Mother Russia will help you," he wrote. "Love your country, and you will always get away with everything."

When approached by CNN this week for comment, Matveev responded with a video of a Russian man repeating the phrase, "I don’t give a f*** at all."

[Risky Biz News has further coverage]

The Limits of No Limits

LockBit has added the China Daily Hong Kong, a Chinese Communist Party propaganda outlet, to its victim site. A Seriously Risky Business guest post by Daniel Gordon looked at the PRC's ransomware headache and this makes us wonder how far the "no limits" friendship between the two Russia and China will extend. Arrests will be the proof in the pudding.

Intrusion Truth is Back

Intrusion Truth, the online group known for doxxing Chinese cyberespionage activities has published new reports examining the Kerui Cracking Academy and the careers of its graduates. Intrusion Truth has also published five reports on what it hints is APT31 activities [1, 2, 3, 4, 5].

Risky Biz Talks

In addition to a podcast version of this newsletter (last edition here), the Risky Biz News feed  (RSS, iTunesor Spotify) also publishes interviews.

In our last "Between Two Nerds" discussion Tom Uren and The Grugq discuss what the US government's disruption of FSB's Snake malware tells us about how the FSB operates.

From Risky Biz News:

EswatiniBank cyber-heist: A threat actor has breached the network of EswatiniBank, silently transferred 140 million emalangeni ($7.3 million) to several accounts, and then attempted to cash out the stolen funds via the bank's ATM network. EswatiniBank's manager Enock Mavimbela has confirmed the breach. Mavimbela says the bank detected the attack during the ATM cash-out phase, and it stopped the attack after the attackers liquidated only 700,000 emalangeni ($36,000) of the stolen funds. [Additional coverage in The Times of Swaziland]

Gmail will warn users when their email address appears on the dark web: Google is rolling out a new feature for Gmail users in the US that will notify them when their email address pops up on the dark web. The new feature is named the "Dark Web Report" and will be available in a Gmail account's security section. [Additional coverage of other security initiatives announced at Google's I/O conference at Risky Biz News]

PEGA blames Morocco: The EU's PEGA commission claims the Moroccan government most likely used the Pegasus spyware against Spanish government officials. The alleged hacking took place in July 2021 and targeted Prime Minister Pedro Sanchez, Minister for Defence Margarita Robles, and Minister of the Interior Fernando Grande-Marlaska. The hacks came to light at the same time Spain's own use of the Pegasus spyware against Catalan politicians—known as the CatalanGate scandal— was exposed and led to the firing of the country's head of intelligence services. Prior to this week's PEGA accusations, the Moroccan government was also accused of using the Pegasus spyware to spy on French President Emanuel Macron and other French ministers.