Srsly Risky Biz: Friday June 17

Why the NSO/L3Harris deal will probably fall over...

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Russia May Fear Cyber Campaigns Will Trigger Article 5

Your correspondent participated in the Lowy Institute's Frontier Rules conference in Canberra this week, which is why this newsletter is a day late.

One interesting discussion at the conference concerned the Russian attack on Viasat's KA-SAT network. This newsletter previously wrote:

The Russians seem to have focussed their attack on terminals in spot beams that serviced Ukraine rather than disabling KA-SAT entirely, so there is an argument to be made that this was a proportionate attack on a legitimate military target.

Some countries, including the US, UK and Australia, have tried to educate adversaries by  defining what responsible cyber operations look like. Could these efforts be described as a success because Russia didn't wipe all the KA-SAT terminals? Some panellists thought the attack might be permissible under international law, but didn't go so far as to declaring possible respect for the West's red lines as a win.

Dr Michael Fischerkeller, of the Institute for Defense Analyses and one of the leading proponents of US Cyber Command's strategy of persistent engagement, thought that Russian forces might have avoided further attacks on critical infrastructure for fear of inadvertently hitting NATO countries. He hypothesised that after observing (perhaps unexpected) spillover effects from the Viasat operation, Russia may have stepped back from further critical infrastructure attacks that could motivate NATO to invoke Article 5 ("an armed attack against one or more… is considered an armed attack against them all..")

This newsletter understands that NATO considered whether the Viasat attack triggered Article 5, but of course wiping satellite modems isn't the same thing as an armed attack. And of course even if Article 5 is invoked in response to a cyberattack any response would have to be proportionate. Still, it's likely an escalatory path Putin is keen to avoid.

Either way, investments in encouraging responsible behaviour and collective defence agreements both seem worthwhile and Russia's recent restraint might prove it.

It's Not Selling Out, It's Buying In!

Since the onset of the Ruso-Ukrainian war, pro-Ukrainian hacktivists have been extremely active and released vast quantities of data they've stolen from Russian organisations. But as times go by and the data piles up, more and more experts are now reaching the conclusion that hacktivist data dumps are not really helping Ukraine that much. That said, there are ways to convert this nationalistic fervour into a useful state capability.

In the early days of the war, the Ukrainian government issued a callout on social media for volunteers to form an "IT Army of Ukraine," with tasking to be issued via Telegram. The Ukrainian Ministry of Digital Transformation provides regular updates on IT Army successes and the IT Army has certainly caused some disruption via denial of service attacks.

In addition to these directly disruptive attacks it has also been responsible for many data breaches. However, an excellent National Interest article from Stefan Soesanto points out there's a difference between "data leaks" and the types of "data dumps" we're seeing from the Ukraine IT Army. Leaks are information-rich with sensitive data ("a letter containing specific information"), and dumps are large but information-poor ("a truckload of household garbage"). The article continues:

Hack and leak operations against Russian entities have emerged as one of the most misunderstood activities during the war in Ukraine. The sheer amount and frequency of data dumps and information leaks have culminated in a never-ending data flood that has overwhelmed journalists and analysts alike. Few are willing to spend their time wading through this ocean of data in the hopes of stumbling upon something interesting and meaningful. But not all data dumps are created equal. In fact, their quality, impact, and usefulness can differ depending on the source, size, type, structure, availability, and other factors that facilitate the data dump ecosystem.

Soesanto suggests that there are ways to sort the wheat from the chaff, such as looking at  where and for how long data is hosted and the reputation of the group that stole it.

So are there ways for Ukraine itself to extract more value from the hacktivism being carried out in its name?

One approach may simply be to make the data more easily accessible. The ALPHV/BlackCat ransomware group is exploring exactly this innovation by making data searchable and available on the public internet instead of only on the Tor network. The idea here is that the employees or customers of victim companies can search for themselves and then apply pressure on the affected firm. That might help to speed up some payment negotiations but it's unlikely that a similar approach from Ukraine would help tilt things to its advantage in the war.

It's telling that when asked about the value of the IT Army, Ukrainian President Volodomyr Zelensky told Wired that it "did a lot for the cyberdefense of institutions that were heavily attacked… Our IT Army worked well here". Recent media reporting covering Ukrainian military IT units shows that they are focussed not on audacious cyber attacks, but on far more mundane tasks like tech support, identifying the best technology to counter Russian drone operations and fundraising to pay for it.

There are options to make better use of the IT Army. A more direct approach would be to use it as a talent pool and identify the most talented operators for more precise operations more closely controlled by the state.

This is essentially what happened in some of the world's current cyber powers – motivated hacktivists were recruited and co-opted into state activities.

In the PRC, for example, 2010-era writings on Chinese hacking culture describe a chaotic scene, with a community-based Red Hacker Alliance forming in response to 1998 ethnic anti-Chinese riots in Jakarta. By the late 2000s the Red Hacker Alliance had swelled in size to perhaps 300,000 people and there is evidence that patriotic hackers actively wanted to be recruited by the government at the time.

Nowadays, this seems quaint. Department of Justice indictments describe professional hackers working under the direction of the Ministry of State Security, even if they don't work directly for the agency. These operations are clearly state organised and directed and continue over years. One operation, for example, established a front company and coordinated with various university staff and professors to recruit both technical people and linguists.

In the IT Army this talent identification process is already happening. A late-March interview in The Record with an IT Army volunteer describes a loose vetting process where more competent operators are selected to join more focussed and effective groups.

The PRC took years to move from a loose affiliation with the hacker community to more professional activities, but in the blast furnace of war there’s motivation for Ukraine to move much faster.

Keep Your Enemies Closer

The US defence contractor L3Harris is reportedly in talks to acquire NSO Group, the controversial Israeli company behind the Pegasus mobile phone spyware. On first glance this is perplexing — what could an Israeli subsidiary of a defence contractor do?

The talks appeared to come as a surprise to the White House, with a senior official telling The Guardian that they had not been involved in "any way in this reported potential transaction". In a statement the official said "such a transaction, if it were to take place, raises serious counterintelligence and security concerns for the US government". L3Harris didn't deny the talks, a spokesperson saying "we are aware of the capability and we are constantly evaluating our customers’ national security needs. At this point, anything beyond that is speculation".

The Guardian reports:

One person familiar with the talks said that if a deal were agreed, it would probably involve selling NSO’s capabilities to a drastically curtailed customer base that would include the US government, the UK, Australia, New Zealand and Canada – which comprise the “five eyes” intelligence alliance – as well as some NATO allies.

This doesn't make sense for the most sensitive intelligence missions.

Ensuring a trusted workforce in Five Eyes defence contractors really has two elements. The first part is citizenship, which is really a way to find people that have an interest in contributing to (your country's) national security. Layered on top of citizenship, the clearance process also tries to ensure a level of trustworthiness. In other words, citizenship and clearances work together to produce a (mostly) trustworthy workforce that wants to improve its country's national security.

These contractors can conduct extremely sensitive work for the government, and the (very strict) security protocols in these work environments assume that most people have a shared interest in national security, but threats from cyber espionage and rogue individuals are still present.

Acquiring an Israeli company for the most sensitive work is a non-starter. NSO's people simply won't have the shared interest in the US's national security that is a prerequisite for that kind of work, especially when many have backgrounds in Israeli intelligence services. Layering a clearance process on top won't help, when for most NSO employees their overriding interest will be in advancing Israel's national interest. That sometimes (often?) aligns with US national interests. But not always.

Is there a SIGINT use case that would allow Five Eyes agencies to use NSO tools to conduct collection against less sophisticated targets? Well, yes. Not all government uses of spyware need the same kind of secrecy and exclusivity guarantees. NSO-developed exploits and tools could be used to target garden variety jihadis, for example. Or on targets in countries with poor counterespionage capabilities. 'Disposable' off-the-shelf capabilities that you don't really care about may be just the thing for these kinds of targets, so having an extra supply from whatever remains of NSO Group could contribute positively.

Is there another market that doesn't require that same level of shared interest in Five Eyes country national security? NSO Group was notionally focussed on the law enforcement market, so perhaps a real commitment to only service that market might make sense. And L3Harris, which already serviced that market with Stingray IMSI catchers, would have stronger incentives to make sure NSO Group behaved legally and ethically — they would have far larger government contracts on the line.

It's also worth pondering what happens if L3Harris doesn't buy NSO. Where do the intellectual property and people end up? The people there developed some valuable tools and they'll end up plying their trade… somewhere.

The objections emanating from the White House make us think this deal won't happen. It would need to be approved by the Israeli and US governments, and with NSO already under sanctions it's just hard to imagine it proceeding.

China Doxxing Two-Step

Chinese state media and its Ministry of Foreign Affairs (MFA) have again combined to warn of the dangers of US hacking. In this case, a Chinese-language security company report (based on information from Jurassic-era leaks) is amplified by the English-language Global Times and then used by the MFA to denounce US espionage. This is a clear trend, with The Global Times publishing several articles on various incidents since mid February.

Adam Segal, director of the Digital and Cyberspace Policy program at the Council on Foreign Relations and an expert on Chinese cyber security policy, told Seriously Risky Business this was a reaction to US and European pressure.

"Beijing does not like the trend of European countries joining in the joint attribution of Chinese cyber espionage, and this two step process — companies/Global Times with MFA repeating — allows China to remind Europe of NSA/Prism but not completely abandon [the] official position that attribution is hard."

Expect this trend to continue, but the real question is whether the PRC will start to reveal more recent operations. Will NSA OPSEC trump Chinese propaganda?

Three Reasons to be Cheerful this Week:

  1. Good News, More BEC!: Wired covers the argument that as governments crack down on ransomware and illicit cryptocurrency payments criminals may migrate from ransomware to Business Email Compromise. This makes sense as BEC is already more profitable than ransomware and could well be good news as it causes less operational disruption.
  2. Firefox upping privacy: Firefox is rolling out "Total Cookie Protection", which limits cookies, even for third-party content, to only the website that assigned that cookie. Mozilla says "this approach strikes the balance between eliminating the worst privacy properties of third-party cookies — in particular the ability to track you — and allowing those cookies to fulfil their less invasive use cases (e.g. to provide accurate analytics)". This is really the way it should have been all along.
  3. Optimism Pays Off: A hacker has returned 18m OP tokens (worth roughly  USD$14m) stolen from the Optimism Foundation crypto currency project. They managed to take possession of 20m tokens after they were deliberately sent to an address the intended recipient hadn't (yet) taken ownership of. The hacker kept 2m (about USD$1.6m) tokens as a "reward", so this is what winning in the cryptocurrency space looks like.

Save Time with a Risky.Biz Product Demo

Risky Business is publishing sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors.

In our latest demo, Sergio Gonzalez shows Patrick Gray the ins and outs of Red Canary's Managed Detection and Response service.

You can subscribe to our product demo page on YouTube here.


Big Phish

Security firm PIXM has released a report on a massive and successful Facebook phishing campaign. The campaign used legitimate services such as and to redirect to phishing pages. Once phishing links on these services were detected and blocked, new ones were rapidly created at a new unique id. As these services were legitimate, Facebook wasn't able to block them en masse, and the person(s) responsible would use compromised Facebook accounts to send phishing links to contacts on Facebook Messenger.

PIXM discovered the campaign had openly available traffic monitoring statistics and they extrapolate the phishing sites in aggregate may have received around 400m sessions, although they believe they have seen only a fraction of the campaign. Bring on passwordless login systems.

Ransomware is Underreported

At the RSA conference this week, FBI and Department of Justice officials reported that only a quarter of NetWalker ransomware victims reported incidents to law enforcement. Officials were able to get comprehensive information about attacks and even build a decryptor after seizing NetWalker servers in Bulgaria in 2020.

From Risky Biz News:

Microsoft under fire: Amit Yoran, the CEO of vulnerability management platform Tenable, published a LinkedIn post on Monday accusing Microsoft of downplaying the severity of two Azure vulnerabilities his team reported to the company earlier this year, and only patching one of them…

But while this looks like a bungled bug report, both Yoran and Sebree say this is part of a larger trend and "repeated pattern of behaviour" where Microsoft intentionally tries to downplay or hide a security issue from its customers.

While the OS maker has gone through a period in recent years where it was far more open with security researchers and its patching process, they appear to be going back into their shell again and actively trying to hide the severity of certain security issues from its users. (continued here)

BPF malware is now a thing: Over the past several months, threat actors appear to have taken a liking to developing malware that abuses the Berkeley Packet Filter (BPF) as a way to silently backdoor Linux-based systems.

Created in the early 90s, the BPF is a technology on *NIX-based systems that can allow the OS and locally installed applications to intercept and analyse network traffic. In most cases, the BPF is enabled by default, especially on Linux and BSD systems used as servers, where the BPF plays a key role in firewalls and other security tooling….

But over the past year, several threat actors have also looked closer at BPF and have developed their own tools that abuse it in their attacks. (continued here)

Cloud middleware: Wiz, the cloud security firm that discovered the OMIGOD vulnerability last year, has continued its research into the types of middleware products installed by default on cloud servers. The company has published a GitHub repo with cloud middleware (aka cloud agents) installed and used across the major cloud service providers (Azure, AWS, and GCP). These agents — 13 right now — are usually installed without the customers' awareness or explicit consent.

Burkov case: A Forbes investigation discovered that US law enforcement agencies used secret court orders to force two of the world's largest travel companies — Sabre and Travelport — to continuously monitor the movements and travels of Aleksei Burkov, the Russian hacker behind the CardPlanet carding forum. The secret surveillance took place for two years until authorities detained Burkov during a vacation in Tel Aviv.