Fool Me Once... Iran's Hack and Leak Falls Flat

Mainstream media, Stable Diffusion

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Corelight.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Podcast: Srsly Risky Biz: The US Government's cyber insurance plans are silly (Risky Business News, 14 Aug 2024)

In sharp contrast to events during the 2016 US presidential election campaign, an apparent hack and leak operation targeting the Trump campaign is being treated responsibly by America’s mainstream media. 

For us, 'responsible' behaviour means verifying the documents, assessing the material's newsworthiness, and giving readers context of the potential operation.    

On Saturday, after being approached by news outlet Politico with leaked documents, the Trump campaign claimed it had been hacked in an attempt to interfere with the 2024 election. 

Trump campaign spokesperson, Steven Cheung, said "these documents were obtained illegally from foreign sources hostile to the United States, intended to interfere with the 2024 election and sow chaos throughout our Democratic process".

Cheung cited a recent Microsoft report describing Iran's targeting of the 2024 US elections, which said Iranian intelligence had attempted to spearphish a high-ranking official in a presidential campaign. 

An Iranian operation is plausible, based on recent warnings from a US intelligence official that Tehran wants to damage Trump's election prospects. However, neither Microsoft nor the FBI has confirmed the Trump campaign was hacked, although the FBI said it is investigating the matter. 

Politico's reporting on the contents of the material has been very cautious:

On July 22, POLITICO began receiving emails from an anonymous account. Over the course of the past few weeks, the person — who used an AOL email account and identified themselves only as "Robert" — relayed what appeared to be internal communications from a senior Trump campaign official. A research dossier the campaign had apparently done on Trump’s running mate, Ohio Sen. JD Vance, which was dated Feb. 23, was included in the documents. The documents are authentic, according to two people familiar with them and granted anonymity to describe internal communications. One of the people described the dossier as a preliminary version of Vance’s vetting file.
The research dossier was a 271-page document based on publicly available information about Vance’s past record and statements, with some — such as his past criticisms of Trump — identified in the document as "POTENTIAL VULNERABILITIES." The person also sent part of a research document about Florida Sen. Marco Rubio, who was also a finalist for the vice presidential nomination.

That is all Politico says about the content of the leaked documents. Its reporting has instead focussed on the hacking incident itself:

The person said they had a “variety of documents from [Trump’s] legal and court documents to internal campaign discussions.”
Asked how they obtained the documents, the person responded: "I suggest you don’t be curious about where I got them from. Any answer to this question, will compromise me and also legally restricts you from publishing them."

The Washington Post and New York Times were also given Trump campaign documents by 'Robert' from an AOL account. Their reporting has also focused on the hack and not the contents of the documents. 

This stands in stark contrast to the 2016 reporting on the content of hacked Democrat materials, which were published by WikiLeaks and widely reported in mainstream media.

This all sounds like reason for optimism: US media organisations stand firm against foreign interference! Well done!

However, this is probably as good as 'responsible' reporting will get. Although news organisations have earned a gold star for at least thinking about the ethics of publishing hacked materials, it appears the leak was just a snoozefest and not really worth publishing after all. 

A Politico spokesperson told The Washington Post's media reporter "the questions surrounding the origins of the documents and how they came to our attention were more newsworthy than the material that was in those documents". And The Washington Post's executive editor, Matt Murray, thought the material "didn't seem fresh or new enough". 

In other words, even though media organisations are being more cautious about hacked material, if the leaked materials were newsworthy enough, they would have published them.

In 2016 the news cycle was gummed up with pointless stories about the inner machinations of the DNC. Moving the editorial threshold at which American media companies will publish stolen documents is a massive win. And there are other reasons for optimism. 

When it comes to detecting the breach, The Washington Post reports the Trump campaign detected an email system breach "earlier this summer" even though it did not disclose it to the public or to law enforcement at the time.

In 2016, multiple compromises of organisations and individuals related to the Democratic party and Hillary Clinton's campaign went unnoticed by the victims. Even the FBI's initial efforts to inform the victims were fruitless and took months to break through.

It's also a lot clearer how political parties and campaigns should protect themselves. Google's Advanced Protection Program, for example, didn't exist in 2016.

So there are better technical measures to prevent hacks, and the media's response has improved. But a sensational leak is still a sensational leak. A hack and leak operation containing the right source material could well have a significant impact. 

The US Government's Foray Into Cyber Insurance Underwhelms

The US government is working on a policy that addresses insurance for catastrophic cyber incidents, reports The Record.

The idea here is to provide market certainty in the event of a catastrophic cyber incident while also improving organisations' cyber security. Government support in this context is often referred to as a 'backstop', where it would cover insurance costs for certain yet-to-be-defined catastrophic events.

Josephine Wolff, a cyber security professor and author of a book on cyber security insurance policy, spelt out the logic to this newsletter. She explained that insurers want the backstop so that for certain stipulated catastrophic events the government would ultimately pay out for successful claims. The government could tell insurance companies wanting this coverage that their policyholders must implement certain security measures. 

So voila! Increased certainty with improved security.

Wolff said insurers were currently writing exclusions that "increasingly leave their policyholders on the hook to pay for various types of catastrophic cyber events". Lloyd's of London has drafted various war exclusions that exclude, among other things, "a cyber operation that has a major detrimental impact on the functioning of a state".

Wolff thinks that although figuring out the details of a backstop would be "pretty tricky", it could be a tool used by governments and insurers to improve security.

On the other hand, Daniel Woods, a cyber risk and insurance researcher at the University of Edinburgh told Seriously Risky Business he thought a backstop was unnecessary. 

In a Lawfare piece last year Woods notes that government backstops are usually required when a lack of insurance results in economic activity grinding to a halt. After 9/11, for example, construction activity stopped because terrorism exclusions meant property insurance was prohibitively expensive for developers. The US government passed the Terrorism Risk Insurance Act in response. 

This justification just does not exist in the cyber domain. It's not as if organisations are not engaging in online activity because they can't get insurance. 

Woods also pointed to the rise of catastrophe bonds and insurance-linked securities covering cyber risk, which he described as the private sector equivalent of a backstop. 

It's worth remembering that the large-scale catastrophe that the proposed backstop policy is intended to address has never occurred. Even the largest cyber and technology related disasters such as NotPetya, CrowdStrike's faulty update, and WannaCry, have not required intervention in insurance markets. 

Given that there is no immediate economic imperative for a cyber insurance backstop, we wonder if this is the easiest, most bang-for-buck way to improve economy-wide security.

When Searching a Database is Unconstitutional

A US federal appeals court has ruled that geofence warrants are unconstitutional. 

These warrants are used to identify devices within a specified area at a particular time and were used, for example, to identify thousands of potential suspects in the January 6 Capitol attack based on locations from their Android phones. 

When it comes to geolocation data from smartphones, the decision may be academic anyway. Google announced late last year that it would store user location data on-device, rendering the case for geofence warrants moot.

However, UC Berkeley law professor Orin Kerr writes that the Fifth Circuit's ruling is still a huge deal. Kerr says the ruling states querying large databases is unconstitutional because any search requires the entire database to be scanned for matches. Kerr argues that this has far-reaching implications:

…the Fifth Circuit's ruling, although announced in a case that happens to be about geofence warrants, is about a lot more than that. It's about CSLI [cell-site location information]. It's about pen registers. It's about keyword searches. It's about pretty much all database queries. They all have this common feature that the Fifth Circuit found objectionable. Just create a data source big enough—how big, we don't know, but big—and then it can't be searched, even with a warrant.

Kerr says "the ruling is wrong, and that it is very important for it to be overturned". 

Watch Patrick Gray and Tom Uren discuss this edition of the newsletter:

Three Reasons to Be Cheerful This Week:

  1. Dispossessor ransomware disrupted: The FBI announced the takedown of 24 servers and nine domains used by the Radar/Dispossessor ransomware group in the US, UK and Germany. Risky Business News has more coverage, including the group's genesis in August 2023, its recent shift from data extortion to encrypting ransomware and the OPSEC failure that might have led to the takedown. 
  2. UN cybercrime treaty passes: The UN passed its first cybercrime treaty last week. Cybercrime is a global problem, but previous treaties such as the Budapest Convention have not included China, Russia, India or Brazil. 
  3. Understanding open source use in critical infrastructure: The White House has announced the launch of the Open Source Software Prevalence Initiative, an effort to understand the use of open source software in critical infrastructure. This includes use in the healthcare, transportation and energy sectors, the idea being to understand what open source software is most important from a security and resilience perspective. 

In this Risky Business News sponsored interview, Tom Uren talks to Brian Dye, CEO of Corelight, about a string of recent CISA advisories. These advisories address specific technical issues, but when examined together Brian says there is an underlying message about addressing security holistically.

Podcast: Sponsored: What CISA's advisories really mean for defenders (Risky Business News, 11 Aug 2024)

Shorts

When Government Deception is a Win 

The NCSC has announced that it is planning to deploy a suite of cyber deception technologies within the UK at scale including what it calls tripwires, honeypots and breadcrumbs. It is not doing it willy-nilly, however, but instead wants to figure out whether these technologies actually help keep the country safer. We like that this will result in evidence-based, rather than buzzword-based decision making.

DEF CON Franklin Will Protect America's Effluence 

Launched at the recent DEF CON conference, a new project called DEF CON Franklin aims to harness hacker talent to protect organisations in need of cyber security assistance, including water and wastewater facilities. 

Airbnb: How Hackers Stay Ahead of Kidnappers

404 Media reports hackers are 'Airbnb hopping' using false identities to avoid being located by violent criminals who want to threaten or kidnap them. Yikes!

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion, Tom Uren and The Grugq discuss what it would mean to be in a golden age of OSINT and whether we are in one. 

Podcast: Between Two Nerds: The golden age of OSINT (Risky Business News, 12 Aug 2024)

From Risky Biz News:

State Dept puts $10 million bounty on IRGC-CEC hackers: The US State Department is offering a $10 million reward for any information on six Iranians behind Cyber Av3ngers, an Iranian hacktivist group that has repeatedly attacked critical infrastructure across the US and other countries.

The six were identified as members of an Iranian cyber unit known as the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC).

The six were sanctioned by the US Treasury in February this year, but this marks the first time the US has formally linked the six to the Cyber Av3ngers persona.

The group emerged at the end of last year when it used default passwords to access PLCs from Israeli company Unitronics and deface control panels with anti-Israel and pro-Gaza messages.

The group focused its attacks on countries allied with Israel, with the most prominent of these hitting the water authority in Aliquippa, Pennsylvania.

[more on Risky Business News]

Russia and Venezuela block Signal: The governments of Russia and Venezuela have blocked access to the Signal secure messaging service. Russia's communications watchdog says it blocked the service because it was being used for terrorist and extremist purposes. The block in Venezuela comes days after the Maduro regime also blocked Twitter. Protests broke out across Venezuela after President Maduro claimed victory in the country's election with what appeared to be a bogus vote tally and without providing any evidence that he actually won. Dozens of protesters have been killed by the military in the streets and more than 1,000 protesters have been arrested in their homes. Signal has asked affected users to enable a feature named "Censorship Circumvention" to get around the block.

Midnight Blizzard hacks: The Russian hackers who breached Microsoft last year have stolen emails from email systems managed by the UK government. The breach impacted Home Office inboxes, according to a report from The Record. The UK government is the most well-known victim of the hack, besides Microsoft itself. When Microsoft disclosed the hack, it said a Russian espionage group known as Midnight Blizzard had breached its internal corporate network in late 2023 and stolen emails from the inboxes of its management and security teams. Microsoft has tried to keep the hack and its aftermath quiet and has been silently notifying affected customers, many of which remain unknown. Just days before The Record's report, security researcher Kevin Beaumont claimed the hack of Microsoft itself was much larger than previously disclosed. Beaumont said that Midnight Blizzard stole data on all security flaws reported to Microsoft's team over the past decades and that Microsoft failed to detect this bigger breach until January 2024, months after it disclosed the initial hack. Three days later, Beaumont's LinkedIn profile was mysteriously banned.