FCC to Demand Telcos Improve Security

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Proofpoint.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or in the player below.

Srsly Risky Biz: FCC demands telcos improve security

The US government and lawmakers are scrambling to deal with the ongoing compromise of US telecommunications companies by a Chinese espionage group dubbed Salt Typhoon. 

In the US, the campaign has compromised at least eight telecommunications companies and has been ongoing for a year or more. The Cyber Safety Review Board's examination of the incident has kicked off, but we already know the rough shape of what has happened.

At some US telcos, the hackers were able to penetrate the portals used to submit court orders for interception requests, letting them see what phone numbers were being tasked. 

This access would be a counterintelligence boon: the same portals were used to task foreign surveillance, so Chinese intelligence services could see whether their own activities were being watched.

All in all, it's pretty bad and, to top it off, US officials said that they had not yet been able to evict the hackers.

So it is not surprising the US administration and lawmakers are lining up to impose security regulations on telcos.

At a press briefing last week, Anne Neuberger, the deputy national security advisor for cyber, said the White House wanted "minimum cybersecurity practices at telecoms, from secure configurations to architecting to monitor for anomalous behavior to strong key management".

An unnamed senior official at the briefing said "we believe that if the companies had in place minimum [security] practices … that would make it far riskier, harder, and costlier for the Chinese to gain access and maintain access."

"We believe that the voluntary approach has proved inadequate for the most critical companies that underpin our critical infrastructure", the official added.

Also last week, Federal Communications Commission (FCC) chairwoman Jessica Rosenworcel proposed a ruling interpreting a section of the US's 1994 lawful intercept law (CALEA) as imposing a clear legal obligation on carriers to secure their networks against unlawful access and interception. The ruling would require telcos to create, update and implement cyber security risk management plans.

At a glance, simply requiring a cyber security plan seems like a good idea. However, it is only a first step towards a comprehensive regime. The UK's Telecommunications code of practice, by contrast, is highly detailed and includes specific security requirements spanning supply chain management, physical security, identity management and network architecture.

The code of practice grew out of the 2019 UK Telecoms Supply Chain Review, which was motivated by concerns about the involvement of Chinese firms such as Huawei and ZTE in UK critical infrastructure. The review determined that increasingly capable telecommunications services came with higher risk and therefore required more robust security. 

That kind of detailed planning takes years and the code wasn't published until 2022, after new legislation was passed in 2021. The US is already in deep doo doo and doesn't have that time. 

At the opposite end of the spectrum, Australian law simply requires that telcos 'do their best' to prevent unauthorised access or interference and to protect confidentiality, integrity and availability. This positive obligation to protect security was introduced way back in 2017, which in retrospect seems amazingly farsighted. It grew out of a recognition by some key people in government that security at telcos wasn't as good as it should be and that an obligation on telcos to protect security was a good idea, as documented in this 2013 parliamentary committee national security review.

Although the approaches taken by the UK and Australia are very different, the underlying intent of these laws and regulations is simply to increase telecommunications companies’ attention to and investment in security. In that regard, requiring a cyber security risk management plan seems like a sensible first step, albeit one that should have been taken years ago.

Of course, another short term plan would be to just give up on making telcos secure and just use Signal and WhatsApp like the FBI and DHS suggest. Shrug. 

Romania's TikTok Candidate

As the deadline for TikTok's forced divestiture from Chinese parent company ByteDance grows closer, the company has cruelled its chances of a reprieve by mishandling an influence campaign targeting the Romanian presidential elections.

Per my colleague Catalin Cimpanu writing in Risky Business News:

Romania's national security council (CSAT) has declassified two documents this week that reveal a coordinated propaganda campaign that boosted an obscure far-right and pro-Kremlin candidate into the country's first round of presidential elections.
The campaign, which mostly took place via TikTok, took Calin Georgescu from an unknown candidate who was only polling around 1% a month before the election to the winner of the first presidential election round, where he accounted for almost a quarter of all votes.

Catalin describes different elements of the campaign, including TikTok influencers being paid to promote Georgescu and the use of dormant propaganda accounts that sprang to life in the weeks leading up to the election. He also catalogues TikTok's shortcomings:

From the declassified documents, Romanian officials are pretty angry at TikTok for several reasons. The company failed to detect the propaganda accounts in time, failed to mark the Georgescu-themed posts as politically themed, and then refused to remove the content—only blocking it for Romania-based users but leaving it available to international audiences and the Romanian diaspora. Officials say this not only broke Romanian election laws but the company's own policies.
The Romanian security council says that while other Romanian political candidates labeled their TikTok content properly and saw a fraction of the coverage, Georgescu's obvious political posts were trending among Romanian audiences, and the company never intervened.

Romania's top court annulled the first round of the presidential elections.

TikTok cooperated with Romanian authorities in the investigation and there is no reason to believe TikTok was complicit in the campaign, but this is exactly the sort of foreign interference exercise that concerns governments. (The US State Department labelled the campaign as Russian interference.)

TikTok must separate from ByteDance by January 19 or face a ban in the US, although the company is pursuing legal action to have the legislation reviewed by the Supreme Court. President-elect Donald Trump said he would not ban TikTok, but who knows?

With so much at stake for the company, TikTok's failure in Romania does not suggest it is capable of detecting and countering, say, Chinese influence operations.  

APTs Behaving Badly

Sanctions and indictments do not seem to stop Chinese cyber espionage actors from crossing boundaries of acceptable behaviour.

We'd describe 'acceptable behaviour' as operations that target national security rather than economic interests, are proportionate in scope, and avoid unnecessary harm to third parties. Many cyber actors, including the US and its allies, generally adhere to these norms, but others, including Chinese actors, do not.

This week the US government unsealed an indictment and levied sanctions against Chinese individuals and a company allegedly complicit in the exploitation of a Sophos firewall product in 2020. The US Department of Justice (DoJ) claims that Guan Tianfeng and other co-conspirators were involved in the development of an exploit that was subsequently used to deploy malware on tens of thousands of devices. 

Mass deployment of malware is unacceptable because it causes unnecessary collateral damage — not the done thing for a responsible state program. To make matters worse, once Sophos had cottoned on to the intrusions, Guan and his colleagues allegedly altered their malware to make it more damaging, in a kind of scorched earth policy. If victims attempted to remove the malware, it would deploy encryption from the Ragnarok ransomware variant. We have no idea why attackers would do this or what benefit they would get from torching their victims’ infrastructure.  

Thankfully, the ransomware deployment didn't work, but the Treasury's statement announcing the sanctions notes that:

…the potential impact of the Ragnarok ransomware attack could have resulted in serious injury or the loss of human life. One victim was a U.S. energy company that was actively involved in drilling operations at the time of the compromise. If this compromise had not been detected, and the ransomware attack not been thwarted, it could have caused oil rigs to malfunction potentially causing a significant loss in human life.

There is a total disconnect between what US and Chinese cyber operators consider to be acceptable norms of behaviour. At least so far, the US has had zero apparent impact on Chinese behaviour.

More on the Radiant Capital Hack

The USD 50m theft in October this year from decentralised finance platform Radiant Capital (which we covered here) has been linked to North Korean hackers by Mandiant.

The hackers masqueraded as a former trusted developer on Telegram and asked for feedback on a PDF document. The document, which contained malware, was shared with several Radiant developers, at least three of whom were hacked and had their devices used to sign malicious multi-signature transactions.

The document analysed another cryptocurrency theft and it makes sense that this was interesting for cryptocurrency developers looking to avoid being hacked themselves. We wonder if this is the basis for a perpetual hack machine where each North Korean cryptocurrency theft provides material for another great lure document… for more North Korean hacks. 

Radiant used what it thought were robust controls, including "rigorous SOPs, hardware wallets… and careful human review". In retrospect, it says some of these controls were ultimately "superficial checks" because they relied on front-end verifications that could be spoofed, and on 'blind signing', where a transaction is approved without the authorising user seeing the full transaction data.
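The defensive counterpart to blind signing is to decode the transaction payload independently of the front end and refuse to sign unless it matches what the UI displayed. The example below is added here and is not Radiant's code; it uses the standard ERC-20/Ownable function selectors, and the addresses, transactions and "displayed intent" are constructed for illustration.

```python
# Added example: decode a pending transaction's calldata and compare it with
# what the signing UI claims, instead of blind-signing an opaque hash. Selectors
# are the standard ERC-20/Ownable ones; addresses and transactions are constructed.
KNOWN_SELECTORS = {  # 4-byte selector -> (function name, ABI argument types)
    "a9059cbb": ("transfer", ["address", "uint256"]),
    "095ea7b3": ("approve", ["address", "uint256"]),
    "f2fde38b": ("transferOwnership", ["address"]),
}

def decode_calldata(calldata_hex: str) -> dict:
    """Return {'function': name, 'args': [...]} for calldata with a known selector."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4 or (len(data) - 4) % 32:
        raise ValueError("malformed calldata: bad length")
    sel = data[:4].hex()
    if sel not in KNOWN_SELECTORS:
        # Unknown function: a signer should refuse rather than guess.
        return {"function": f"unknown:0x{sel}", "args": []}
    name, types = KNOWN_SELECTORS[sel]
    if len(data) != 4 + 32 * len(types):
        raise ValueError(f"{name}: expected {len(types)} argument words")
    args = []
    for i, typ in enumerate(types):
        word = data[4 + 32 * i: 36 + 32 * i]
        if typ == "address":
            args.append("0x" + word[12:].hex())  # address = low 20 bytes of the word
        else:
            args.append(int.from_bytes(word, "big"))
    return {"function": name, "args": args}

def matches_intent(calldata_hex: str, intent: dict) -> bool:
    """True only if the decoded calldata is exactly the action the UI displayed."""
    decoded = decode_calldata(calldata_hex)
    norm = lambda a: a.lower() if isinstance(a, str) else a
    return (decoded["function"] == intent["function"]
            and [norm(a) for a in decoded["args"]] == [norm(a) for a in intent["args"]])

# Constructed sample: the UI shows a 100-token transfer to the treasury address.
TREASURY = "0x" + "11" * 20
ATTACKER = "0x" + "22" * 20
DISPLAYED_INTENT = {"function": "transfer", "args": [TREASURY, 100]}
LEGIT_CALLDATA = "a9059cbb" + "00" * 12 + TREASURY[2:] + (100).to_bytes(32, "big").hex()
# Same UI text, but the payload really hands contract ownership to the attacker.
SPOOFED_CALLDATA = "f2fde38b" + "00" * 12 + ATTACKER[2:]

if __name__ == "__main__":
    print("legit matches UI:  ", matches_intent(LEGIT_CALLDATA, DISPLAYED_INTENT))    # True
    print("spoofed matches UI:", matches_intent(SPOOFED_CALLDATA, DISPLAYED_INTENT))  # False
```

A hardware wallet that renders the decoded function and arguments on its own screen performs the same comparison, which is why "clear signing" closes the gap a spoofed front end exploits.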

Watch Patrick Gray and Tom Uren discuss this edition of the newsletter:

Three Reasons to Be Cheerful This Week:

  1. Finding mobile malware with an app: mobile device security firm iVerify has announced that the mobile threat hunting feature of its app has found seven previously unknown Pegasus malware infections (out of 2,500 scans). It has been difficult for regular users to identify malware infections on phones without specialist expertise and tools, so having an app that does it is good news. (Disclaimer: iVerify is a spinoff company from Risky Business sponsor Trail of Bits.) Wired has further coverage.
  2. Snowflake shuts barn door: Cloud data analytics provider Snowflake has announced plans to roll out mandatory MFA from April next year. Snowflake was involved in rolling breaches throughout the year that MFA would likely have prevented, but better late than never. 
  3. Money laundering disruption: The UK's National Crime Agency announced it had disrupted Russian money laundering networks known as Smart and TGR. The networks were linked to drugs, ransomware and espionage. The operation led to 84 arrests and the US Treasury announced sanctions aimed at the TGR group. 

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Proofpoint senior threat intelligence analyst Selena Larson about the rise of Attacker-in-the-Middle phishing and ClickFix social engineering campaigns.

Sponsored: Proofpoint on the rise of ClickFix attacks

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about how states have very different approaches to controlling cyber operations.

Between Two Nerds: Why the US is so uptight about cyber operations

From Risky Biz News:

Improperly patched Cleo bug exploited in the wild: The Termite ransomware group is believed to be behind a wave of attacks exploiting an improperly patched vulnerability in Cleo file transfer products.

The attacks started on December 3 and have compromised at least ten organizations, according to security firm Huntress Labs.

The Termite group is exploiting a bug initially patched at the end of October that impacts Cleo file-transfer products such as Harmony, LexiCom, and VLTrader.

Tracked as CVE-2024-50623, the bug is an unrestricted file upload and download vulnerability that can lead to remote code execution attacks.

[more on Risky Business News]

Greece is close to burying its Predatorgate scandal: More than two years after it got caught spying on journalists and political rivals, the Greek government is still working at burying the investigation into what is now known as the Predatorgate scandal.

The incident, which rocked the Greek political scene, came to light in July 2022 when a security team of the European Parliament found traces of the Predator spyware on the phone of Nikos Androulakis, an EU MP and the president of Greece's second-largest opposition party (PASOK).

The surveillance operation was ordered by the ruling government, was conducted by the Greek national intelligence service, the EYP, and allegedly cost €7 million.

[more on Risky Business News about the steps the Greek government is taking to undermine the independent body investigating Predatorgate]

Turla hacked Pakistani APT infrastructure: A Russian cyber-espionage group has hijacked the infrastructure of a Pakistani APT group and used it to launch its own attacks for at least the past two years. Researchers at Lumen and Microsoft say Turla operators hacked the command and control servers of Pakistan's Transparent Tribe at the end of 2022. The group used the servers to push its own payloads to victims previously infected by Transparent Tribe. Microsoft says Turla has hacked at least six other APTs over the past seven years. The only previous public case is Iranian APT group OilRig in 2019.