Neutering Volt Typhoon to Deter China

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Resourcely.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Neutering China's Volt Typhoon, Stable Diffusion

Corporate leaders and elected officials often ask, "What will it take to deter Volt Typhoon's operations?", but we think that is the wrong question. Perhaps a better question is "Could disrupting Volt Typhoon's operations deter China's military activities?"

Sentinel One argues the Chinese group known as Volt Typhoon cannot be deterred from its mission of compromising US critical infrastructure to enable future disruption operations in the event of a conflict with the PRC. 

Per Sentinel One:

The US cannot deter Chinese hacking operations against critical infrastructure precisely because the PRC views such hacking as their best path to avoid military defeat. PRC strategists believe attacking civilian critical infrastructure would persuade both the American public and political leaders to stay out of any future conflict. Their belief is predicated on the deterrent effect of nuclear, cyber, and space capabilities, which the PLA argues is China’s best strategy over superior US forces. Of the triad of deterrent capabilities the PLA believes it has, cyber requires the lowest level of commitment. Space capabilities can have unwanted destructive effects if managed poorly, especially kinetic ASAT platforms. Nuclear deterrence is an ever-present last resort. Cyber has comparatively few downsides and is the cheapest option. If China sees Volt Typhoon’s hacking operations as one of the country’s few military advantages, then US efforts to deter China’s use of hacking will fail.

In other words, there is no way to deter Volt Typhoon because the PRC believes the group may be the magic bullet that could help it beat the US in a conventional conflict. Put differently, the US cannot impose a cost that outweighs the potential benefit to the Chinese government.

But the real question is this: could the US response to Volt Typhoon reduce the likelihood of the PRC invading Taiwan?

Convincing the PRC that Volt Typhoon's operations are not a game changer that can swing the outcome of a conventional conflict would be a positive thing to do.  

So rather than asking 'what can the government do to deter the PRC?', we might ask 'how can government and enterprise neuter Volt Typhoon in order to deter conflict?'. If Chinese leadership loses faith in its magic cyber bullet, then that might cool things down, if only by a little.

Musk's X and Durov's Telegram Wilt Under Pressure 

After decades of tension, social media and technology companies are capitulating to state power around the world.  

For example, in Brazil, Elon Musk’s X has effectively conceded to the judicial system in a long-running dispute.  

The Guardian describes the history of the dispute:

Musk has been at loggerheads with supreme court justice Alexandre de Moraes since April after he ordered the company to take down more than 100 social media accounts that had been questioning whether the far-right president Jair Bolsonaro had really lost the election in 2022.
By mid-August, Musk had closed down X's offices in Brazil, leaving it without a legal representative in the country, a legal requirement for firms to operate there. Moraes responded by ordering Brazil’s mobile and internet service providers to block access to X. Musk had used his platform to attack Moraes, describing him as an "evil tyrant" among other things.

Reducing the firm's legal 'attack surface' by firing staff and shutting offices wasn't a successful tactic for X. Moraes ordered that X be blocked in Brazil and ruled that fines applied to it would fall to Starlink, the satellite internet service provider owned by Musk's SpaceX.  

X paid the fines, appointed a legal representative in Brazil, and took down the user accounts as ordered.

Meanwhile, in the wake of the recent arrest of its CEO, Pavel Durov, messaging service Telegram has altered its privacy policy to indicate that it "may disclose your IP address and phone number to the relevant authorities" when presented with a valid court order. 

Durov was detained in France and charged in a criminal investigation into illegal activity on the app. 

These cases demonstrate that states can bend companies to their will, in X's case by cutting off access to consumers and in Telegram's case by applying pressure to its CEO. 

When it comes to the Russian invasion of Ukraine, the Russian government has leverage over Telegram and looks to have used it to its advantage. 

Speaking on the Risky Business podcast this week, former NSA Cybersecurity Director Rob Joyce said Russia has a very strict lawful interception law (SORM) and it was "very clear he [Durov] reached some sort of agreement with the Russian government". 

"Durov has a long history with the Russian government. He made a big deal of trying to stand up to the FSB way back in 2013 and departed Russia… when they were squeezing him, but he quietly returned to his home base in St. Petersburg in 2014. And he's been able to come and go from Russia ever since", Joyce said. 

Joyce mentioned public statements from the Russian government saying that Telegram had installed equipment so that it can monitor 'all dangerous subjects'. He said he is "highly confident based on a lot of public information that… Telegram is absolutely cooperative [with the Russian government]". 

So it is no surprise that Ukrainian authorities have banned the use of Telegram "on the official devices of government officials, military personnel, employees of the security and defence sector, as well as enterprises operating critical infrastructure". The decision was motivated by Kyrylo Budanov, the chief of Ukrainian defence intelligence, providing "substantiated evidence that Russian special services have access to personal correspondence of Telegram users, even deleted messages, as well as their personal data".

It’s just remarkable that Ukraine needed 'substantiated evidence' before it acted.

The Lesson In Microsoft's Security Turnaround

Microsoft has published an update on the progress of its Secure Future Initiative (SFI) that shows us just how bad things had gotten before the company committed to turning things around. 

The announcement introducing the SFI in November 2023 was underwhelming, but a scathing Cyber Safety Review Board report released in April this year appears to have convinced the company to genuinely prioritise security. In May, the company's CEO, Satya Nadella, told staff in an all-hands memo that security was the company's top priority and that executive compensation would be tied to achieving security milestones.

One positive change described in this update is a Cybersecurity Governance Council comprising new Deputy CISO positions created across the business "for key security functions and all engineering divisions". Microsoft has also created a Security Skilling Academy to provide tailored security training for all employees.

Microsoft has also provided metrics on some of its security remediation work. Charlie Bell, Executive Vice President of Security, wrote: 

We completed a full iteration of app lifecycle management for all of our production and productivity tenants, eliminating 730,000 unused apps. We eliminated 5.75 million inactive tenants, drastically reducing the potential cyberattack surface.

There is no immediate payoff for removing unused apps and tenants, so it is understandable that they accumulated when security remediation work was not a top priority. However, this neglect substantially increased the company's risk. 

In January this year Microsoft announced that Midnight Blizzard, a group attributed to Russia's foreign intelligence service, the SVR, breached Microsoft's corporate email by using "a password spray attack to compromise a legacy non-production test tenant account and gain a foothold".
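The Midnight Blizzard foothold is a textbook password spray: one source trying a small number of passwords against many accounts, with the forgotten test tenant providing an account that nobody was watching. As an added example (not Microsoft's code, and not from the SFI report), the detector below runs over constructed sign-in events and flags a source that hits many distinct accounts with mostly failures inside a short window, then lists any account the same source subsequently got into. The event field layout and the tenant names are assumptions for the example.

```python
"""Password-spray detection over sign-in events (added example, not Microsoft's code).

Spray signature: one source IP, many distinct target accounts, mostly
failures, in a short window. A success from the same source after the
spray is the foothold worth chasing. Events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs). Field order:
# timestamp, source IP, target account, tenant, result.
SAMPLE_EVENTS = [
    ("2024-01-12T03:00:01Z", "203.0.113.7",  "alice",    "legacy-test", "failure"),
    ("2024-01-12T03:00:04Z", "203.0.113.7",  "bob",      "legacy-test", "failure"),
    ("2024-01-12T03:00:07Z", "203.0.113.7",  "carol",    "legacy-test", "failure"),
    ("2024-01-12T03:00:10Z", "203.0.113.7",  "dave",     "legacy-test", "failure"),
    ("2024-01-12T03:00:13Z", "203.0.113.7",  "erin",     "legacy-test", "failure"),
    ("2024-01-12T03:00:16Z", "203.0.113.7",  "frank",    "legacy-test", "failure"),
    ("2024-01-12T03:00:19Z", "203.0.113.7",  "svc-test", "legacy-test", "success"),
    # A legitimate user mistyping a password twice, then getting in:
    # one account, so this must not be flagged.
    ("2024-01-12T03:05:00Z", "198.51.100.5", "grace",    "prod",        "failure"),
    ("2024-01-12T03:05:20Z", "198.51.100.5", "grace",    "prod",        "failure"),
    ("2024-01-12T03:05:40Z", "198.51.100.5", "grace",    "prod",        "success"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, min_failure_ratio=0.8):
    """Return one alert per (source IP, tenant) whose sign-in attempts, inside
    any `window`-long span, touched at least `min_accounts` distinct accounts
    with a failure ratio of at least `min_failure_ratio`. The alert reports
    the widest such span and the accounts the source got into within it."""
    by_source = defaultdict(list)
    for ts, src, user, tenant, result in events:
        by_source[(src, tenant)].append((parse_ts(ts), user, result))

    alerts = []
    for (src, tenant), evs in by_source.items():
        evs.sort(key=lambda e: e[0])
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window so it spans at most `window` of wall-clock time.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            failures = sum(1 for _, _, r in span if r == "failure")
            if len(users) >= min_accounts and failures / len(span) >= min_failure_ratio:
                candidate = {
                    "source_ip": src,
                    "tenant": tenant,
                    "distinct_accounts": len(users),
                    "failures": failures,
                    # Successes inside the spray window are the foothold.
                    "foothold": sorted(u for _, u, r in span if r == "success"),
                }
                # Keep the widest qualifying span so a late success is captured.
                if best is None or candidate["distinct_accounts"] > best["distinct_accounts"]:
                    best = candidate
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(alert)
```

The thresholds are deliberately loose; in production you would tune `min_accounts` and the window against your own sign-in volume, and the more useful signal is the combination of a spray alert with a success against a tenant or account that should not exist any more, which is exactly the class of object Microsoft's lifecycle pass was removing.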

There is a lesson here for all companies. If you don't prioritise security it will come back to bite you in the ass. 

Three Reasons to Be Cheerful This Week:

  1. US's Intellexa sanctions get more personal: The US government has imposed a new set of sanctions targeting five individuals and a company associated with Intellexa, the company behind Predator spyware. Entities associated with Intellexa were first sanctioned in March this year. This move ratchets up pressure against the people behind the spyware, but is an implicit admission that action so far has not been effective. Earlier this month security firm Recorded Future reported new Predator server infrastructure was reappearing after an apparent decline after the first round of sanctions. Further coverage in Risky Business News
  2. The US State Department cyber office has money to spend: The US State Department's Bureau of Cyberspace and Digital Policy has more funding than in previous years and plans to spend around USD$35m in foreign aid for a range of projects. Further coverage in The Record, covering a rapid incident response capability and a project to better connect Pacific Islands with undersea cables. 
  3. Sandvine changes tune: Sandvine, a Canadian company that has sold internet surveillance products to authoritarian regimes, has announced that it is changing its business practices and wants to be "a technology solution leader for democracies". It's easy to be cynical about this kind of announcement, but Sandvine says it has already exited 32 countries and is in the process of leaving another 24. Further coverage in TechCrunch

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Resourcely co-founder and CEO Travis McPeak about some of the hard and uncomfortable truths about the role of security teams inside a company.

And here are Travis McPeak's slides from an off-the-record conversation at this year's Blackhat Campfire Stories covering the same topic.

Shorts

Indonesia Launches Cyber Force   

The Indonesian government has decided to create a cyber force as the fourth branch of its military. Indonesian news agency Antara reports the force will have more civilian personnel and that high school and university graduates will be recruited. 

Indonesia is the world's fourth most populous country and has over 400,000 active military personnel. However, in previous 'cyber power' ranking exercises it has underperformed considering the country's size.

Dr Gatra Priyandita, an Indonesian foreign policy and cyber politics expert at the Australian Strategic Policy Institute, told this newsletter that recent major cyber attacks had placed cyber security back in the spotlight. He said there are genuine domestic concerns that the country's cyber defence capabilities weren't where they should be, especially given perceived vulnerabilities in critical infrastructure. 

Beyond that, Priyandita thought that the military would like to expand its mandate over 'security' in cyberspace. Despite that, he didn’t expect a major increase in cyber defence spending. 

So, developing a cyber force will on balance be good for the country, but not a game-changer. 

German Cyber Security Office Chief Falsely Accused

Revisiting a story we wrote about in 2022, a court has reportedly found Arne Schönbohm, the former head of Germany's cyber security authority, was falsely accused by a television show of associating with Russian spies. 

We wrote at the time that the evidence was thin, but the German government suspended Schönbohm and eventually moved him on to another federal post. In separate cases Schönbohm is suing the broadcaster ZDF for damages and his former employer for wrongful dismissal. 

In this sponsor demo, Resourcely CEO Travis McPeak demonstrates how to set up controls so that deploying cloud infrastructure is secure and repeatable from the get go.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about new reports saying that Russia is creating new cyber groups made up of cyber criminals.

From Risky Biz News:

US says RT moved into cyber and intelligence-gathering territory: The US government says that RT (formerly known as Russia Today) has morphed from a news organization into a fully active intelligence asset for the Russian government.

The US State Department says that at the start of 2023, the Russian government embedded a Russian intelligence unit with cyber capabilities inside RT.

State officials did not explain the role of this unit but say that since then, RT has engaged in "information operations, covert influence, and military procurement" across Europe, Africa, and North and South America.

[more on Risky Business News]

China says Taiwan's military is behind a hacktivist group: China's main intelligence agency on Monday accused Taiwan of running an influence operation inside its borders using a fake hacktivist group named Anonymous 64.

China's Ministry of State Security says the group is run by a cyber warfare centre operating under Taiwan's military, inside its Information, Communications, and Electronic Force Command (ICEFCOM).

"The centre is responsible for implementing cyber cognitive warfare and public opinion warfare against the Mainland," officials wrote in a WeChat post.

MSS officials claim Taiwan operatives infiltrated China's national internet and hacked public websites, billboards, and streaming platforms to post disinformation about the Chinese government and its leadership.

[more on Risky Business News]

Tor Project plays down deanonymization attacks in Germany: The Tor Project says that regular Tor browser users are not affected by a deanonymization attack used by German law enforcement to catch the administrator of a dark web CSAM forum named Boystown.

German TV network NDR reported on Wednesday that German police had been secretly recording traffic entering the Tor network via nodes located in Germany over the past years.

According to technical documents obtained by NDR reporters and reviewed by security experts from Germany's infamous Chaos Computer Club (CCC), authorities used a "timing attack" to analyse traffic entering and leaving Tor nodes and correlate users visiting certain Tor sites to their real-life IP addresses.

German police then took this IP address, went to ISPs, and obtained the suspect's real name, which led to an arrest.

[more on Risky Business News, including the Tor Project's mitigations against timing attacks]
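The NDR report does not publish the police method in detail, so the code below is only an added illustration of what a timing correlation looks like in general; it is not the German technique, nor code from NDR, the CCC or the Tor Project. It assumes two observation points, an ingress side (bursts from several candidate client addresses arriving at a monitored relay) and an egress side (bursts for one session leaving toward a destination), and scores each candidate by how many egress bursts were preceded within a small delay by one of its ingress bursts. All timestamps and addresses are constructed for the example.

```python
"""Timing-correlation illustration (added example; not the method reported by NDR).

Two constructed vantage points:
  INGRESS: candidate client IP -> sorted burst timestamps seen entering a relay
  EGRESS:  burst timestamps of one session seen leaving toward its destination
A client whose ingress bursts consistently precede the egress bursts by a
plausible network delay is the likely origin of that session.
"""
from bisect import bisect_left

# Constructed ingress observations (seconds since capture start).
INGRESS = {
    "192.0.2.10": [100.0, 130.5, 161.0, 190.2, 220.8, 251.1],
    "192.0.2.11": [105.0, 140.0, 175.0, 210.0, 245.0],
    "192.0.2.12": [100.3, 131.0, 170.0, 200.0, 230.0, 260.0],
}
# Constructed egress observations for the session of interest: each burst
# lands about 0.4 s after a 192.0.2.10 ingress burst (simulated latency).
EGRESS = [100.4, 130.9, 161.4, 190.6, 221.2, 251.5]


def match_fraction(ingress_ts, egress_ts, max_delay=1.0):
    """Fraction of egress bursts that have an ingress burst in [t - max_delay, t]."""
    matched = 0
    for t in egress_ts:
        i = bisect_left(ingress_ts, t - max_delay)  # first burst not before t - max_delay
        if i < len(ingress_ts) and ingress_ts[i] <= t:
            matched += 1
    return matched / len(egress_ts)


def chance_match_rate(ingress_ts, max_delay=1.0):
    """Rough base rate: how often a random instant falls within max_delay after
    some ingress burst, i.e. the match fraction an unrelated client would get.
    Used to judge whether a score is actually above coincidence."""
    span = ingress_ts[-1] - ingress_ts[0]
    if span <= 0:
        return 1.0
    return min(1.0, len(ingress_ts) * max_delay / span)


def rank_candidates(ingress, egress, max_delay=1.0):
    """Return [(ip, score, base_rate)] sorted by score, best candidate first."""
    rows = [
        (ip, match_fraction(ts, egress, max_delay), chance_match_rate(ts, max_delay))
        for ip, ts in ingress.items()
    ]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for ip, score, base in rank_candidates(INGRESS, EGRESS):
        print(f"{ip}: matched {score:.2f} of egress bursts (coincidence ~{base:.2f})")
```

Two points the toy makes that matter in practice: the score is only meaningful relative to the coincidence base rate, which rises with the candidate's traffic volume and with the delay tolerance, and the attack needs observations on both sides of the same session, which is why the reported collection at German nodes over a long period matters. The Tor Project's mitigations referenced above aim at the ingress side of exactly this picture.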