Srsly Risky Biz: Thursday January 27

Cyber War is a Pundit's Mirage

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Cyber operations will play a role in a (god forbid) Russian invasion of Ukraine, but let's be clear: cyber war is Not a Thing.

Offensive cyber operations (those that degrade, deny, disrupt, destroy or manipulate) can at times be a force multiplier or achieve something you couldn't with conventional military force, but they simply can't replace the brutal consequences of blowing something up or killing people.

There is growing concern that Russia will invade Ukraine. Russia has moved around 100,000 troops to the border and US intelligence sources warn that Russia is planning a false-flag operation combined with a social media disinformation campaign to create a pretext for invasion.

There is no question Russia will send packets flying along with its artillery and bullets. It already has a track record of launching disruptive cyber operations against Ukraine. In both 2015 and 2016 Russia's Sandworm crew caused electricity blackouts and most significantly was responsible for the 2017 NotPetya wiper. The NotPetya attack disrupted the operation of Ukrainian power companies, banks, airports and government services, but also 'spilled out' of Ukraine and affected many multinational companies including Danish shipping company Maersk, American pharmaceutical giant Merck, and Mondelez International, which makes Cadbury chocolate.

There have already been some shenanigans this time around, but they don't amount to "war". While it hasn’t yet been definitively attributed to the Russian government, Ukrainian government systems were affected in a recent attack that defaced about 70 websites and deployed a destructive wiper. Kim Zetter has an excellent write-up of the incident. According to the Ukrainian government, there was no significant information loss and the attack vector was a combination of an OctoberCMS vulnerability and Log4j access.

A statement in Ukrainian, Russian and Polish was published on the defaced websites (roughly translated here):

Ukrainian! All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered. All information about you stab [sic] (public, fairy tale and wait for the worst. It is for you for your past, the future and the future. For Volhynia, OUN UPA, Galicia, Poland and historical areas.)

One possibility is that the defacements are intended to have psychological impact and erode Ukrainians' confidence in their government services. Another, floated by Serhii Demediuk, the Deputy Secretary of Ukraine’s National Security and Defense Council in his interview with The Record, was that the defacements were a "red herring to cover up for more destructive actions which, in my opinion, we will feel in the near future".

Demediuk thinks the Russians will attack the energy sector and mentioned "the active scanning and testing of the network infrastructure of energy enterprises". There are also other indications that Russia is targeting Ukrainian critical infrastructure. The US Treasury this week sanctioned four individuals for engagement in "Russian government-directed influence activities to destabilise Ukraine". One of the individuals, Volodymyr Oliynyk, "worked at the direction of the FSB to gather information about Ukrainian critical infrastructure".

None of these actions are likely to make a major difference to the looming conflict. Major General (retired) Marcus Thompson, the inaugural head of the Australian Defence Force's Information Warfare Division, told Seriously Risky Business that "cyber effects, in and of themselves, are unlikely to be decisive". Thompson described cyber capabilities as a "supporting act". "The actual decisive aspects of warfare occur on land. Why is that? That's because it is where the people live."

He added that cyber capabilities are still "critical, but need to be fully integrated into other effects and are at their best when they are integrated and nested with other effects, military and diplomatic, and other aspects of national power".

There are some examples of the Western use of offensive cyber capabilities (those that degrade, deny, disrupt, destroy or manipulate) in warfare. In the fight against ISIS, for example, cyber capabilities were used in an operation to identify previously undiscovered alternate command posts. Offensive cyber capabilities were used to disrupt communications at the primary command post, which forced fighters to move to alternate command posts. They were tracked as they made their way to the alternate sites, which were then destroyed. Cyber operations were also used outside Syria to disrupt ISIS propaganda efforts by locking out ISIS accounts and deleting files.

In both these cases, cyber operations didn't replace military use of lethal or destructive force but instead achieved different effects. Compared to Russia's historical disruption of Ukrainian electricity networks and the events of NotPetya, those Western actions were small in scale and tightly scoped.

Partly, this is Western governments choosing to share specific examples that demonstrate 'responsible' use of offensive cyber operations that are consistent with the 'laws of war'. It's likely that higher-impact operations are possible, but haven't been conducted because there has not yet been any pressing need to.

But these types of actions are not limited to the realm of states. In an example of a non-state offensive cyber operation, the Belarusian Cyber Partisans (a hacktivist resistance group) this week used ransomware to disrupt the Belarus railroad network. The attack was partly an attempt to stop the transport of Russian troops to a 'joint exercise' taking place near the border with Ukraine, and an attempt to secure the release of political prisoners. The Partisans appear to have disrupted online ticketing and scheduling services, but say that "automation and security systems were NOT affected to avoid emergency situations". That the Partisans feel the need to issue a ransom demand, however, makes us think that the operation won't significantly disrupt Russian troop movements. Effective disruption works without needing an accompanying note. This action is also clearly not "war".

So what sort of cyber operations will we see if things kick off in Ukraine?

The Russian military hasn't yet shown itself capable of fully integrating offensive cyber operations with other military capabilities. But there is evidence of innovative cyber operations to provide tactically useful military intelligence. In 2016 an artillery targeting Android app used by Ukrainian forces was found by CrowdStrike to have (likely Russian) malware incorporated in it. It looks like the idea was to provide both the rough geolocation and, potentially, the communications of Ukrainian forces.

Thompson notes, "soldiers are always innovative, they are always looking for an advantage. No service person on the face of the planet is ever looking for a fair fight. They are looking for some overwhelming advantage".

If Russia invades Ukraine, will that advantage come from destructive cyber operations? Given that Russia already has an overwhelming military advantage, we don't think so. Using cyber means to gather intelligence to support tactical military operations is probably where the main advantage for Russia lies.

When "Foreign Interference" is Just a Regular Internet Farce

A string of borderline comedic events this week proves that unless you're a Chinese official, using a PRC-controlled app to communicate with constituents is a really bad idea.

Australian Prime Minister Scott Morrison lost control of his official WeChat account this week, with some media outlets claiming that it had been hacked (lol). Coalition Senator James Paterson, chair of the Parliamentary Joint Committee on Intelligence and Security, told Nine Radio that he believed the incident was foreign interference. "It is very clearly a Chinese government action in my view. What the Chinese government has done by shutting down the Prime Minister's account is effectively foreign interference in our democracy in an election year," he said.

But it seems that the truth may be more mundane, and to be honest, pretty funny.

On WeChat, official accounts for public figures must be operated by a Chinese national, so the Prime Minister's office used a Chinese agency to register the account. A gentleman named Mr Ji was the 'legitimate' account holder in China. He apparently sold Scott Morrison's account — with its 75,000 followers — to Mr Huang Aipang, the chief executive of an information technology company.

Huang told the ABC that he bought the account because it had lots of followers, but he didn't know at the time who had previously owned the account. "I don't even know who [Scott] Morrison is. I saw the account has a lot of followers, so we bought it."

Huang also told The Guardian "when I was first told that this account belonged to Morrison, I didn’t believe it at all. How could a big head of state have handed over his WeChat account to a single person to manage?"

Huang also denied allegations of foreign interference. "I’ve had absolutely no contact over here with any kind of government-related body," he said. The Chinese Foreign Ministry also said accusations of Chinese interference were "nothing but unfounded denigration and smear. We do not and have no interest in interfering in other countries".

Fergus Ryan, Senior Analyst at the Australian Strategic Policy Institute and author of a report on censorship on WeChat and TikTok, told Seriously Risky Business that while the story of the account sale is "a possibility," it isn’t the only one. Competing explanations could involve CCP direction or pressure. Ryan points out that Tencent, the owner of WeChat, usually assists foreign heads of state. So if claims the PM's office contacted Tencent to recover the account without joy are true, "whatever the scenario, this shows that it is open season on Scott Morrison and the Australian Government in China".

Morrison is not the only Australian politician using WeChat. Politicians are attracted to the platform as a way to reach Chinese Australians, with research indicating that Australian Mandarin speakers prefer to get their news via WeChat. The Guardian has even floated claims that a WeChat-based social media campaign was key to Liberal party success in marginal seats in the 2016 election.

But even if the hijacking of Morrison's account was not state-directed political interference, there are real risks for politicians using WeChat.

Case in point, after the release of the Brereton report into Australian special forces conduct in Afghanistan, Chinese Ministry of Foreign Affairs spokesperson Zhao Lijian tweeted a provocative artist's interpretation of war crime allegations. Morrison took offence and almost immediately held an emotionally charged press conference demanding the tweet be removed.

On WeChat, Morrison also responded in a more measured way, referring to Australia as a "free, democratic, liberal country" with an "ability to deal with problems in a transparent and honest way".

Zhao's tweet remains online, but Morrison's WeChat post was censored. It was replaced by a message from WeChat, indicating that the post used "words, pictures, videos" that would "incite, mislead, and violate objective facts, fabricating social hot topics, distorting historical events, and confusing the public".

Ryan would like to see political parties abandon WeChat. "The Prime Minister being censored and then effectively de-platformed should be more than enough to make WeChat a big no-no," he said. But he's concerned that while some politicians have been "fairly consistent", others are more "politically expedient". He'd place Morrison in the latter camp.

"Morrison warned about TikTok and pointed out that the extension cord goes back to China, and yet a few months later he joined the platform," he said.

Perhaps Australian Defence Minister Peter Dutton summed it up best, as reported in The Guardian.

“The fact that a leader of a democratic country can’t have an uninterrupted presence on a major media platform, social media platform, I think says a lot about the approach of the Chinese government, and it’s unacceptable,” he said.

(Dutton didn't mention the elephant in the room, and lol, we're not going there either.)

This situation is unacceptable, but it’s folly to expect the attitude of the Chinese government to change by complaining about it. Here's some simple advice: if you are more worried about foreign interference than electoral advantage, don't use WeChat.

Three Reasons to be Cheerful this Week:

  1. EU Bug Hunt: The European Commission Open Source Programme Office is funding a bug bounty program for five open source programs, including LibreOffice and Mastodon. Turns out the European Commission has an Open Source Software Strategy, although we'd like to see a stronger emphasis on improving security.
  2. More ransomware diplomacy, enjoy it while it lasts: The Russian Federal Security Service (FSB) arrested a carding forum administrator. This follows on from last week's arrests of 14 REvil gang members, the first solid evidence of Russian cooperation against ransomware. The REvil arrests were described by friend of Risky Business Dmitri Alperovitch as "ransomware diplomacy… if you don’t enact severe sanctions against us for invasion of Ukraine, we will continue to cooperate with you on ransomware investigations".
  3. Falcon Beats Terrier: Interpol announced that eleven members of Nigerian cybercrime group SilverTerrier were arrested by the Nigerian Police Force in Operation Falcon II, a cooperative multinational effort. SilverTerrier were one of the more successful BEC groups; one of the arrested suspects had more than 800,000 potential victim credentials on his laptop. Palo Alto Networks, which contributed to the investigation along with Group-IB, said the Interpol operation "focused predominantly on the technical backbone of BEC operations by targeting the actors who possess the skills and knowledge to build and deploy the malware and domain infrastructure used in these schemes".

Paying the Bills

If you happen to subscribe to our new product demo page on YouTube we sure would appreciate it. We published two demos late last year. The first is with Remediant co-founder Paul Lanzi showing off their network-based (read: "actually deployable") PAM solution. The second is with Ryan Noon of Material Security. They make a product that secures and redacts email at rest, but it has a lot of other features too.

We'll be publishing some more video demos in the coming weeks.

Shorts

My Face is My Passport

The US Internal Revenue Service is moving to use an identity verification service for its online accounts. The identity service company, ID.me, validates the identity of users by requiring various identity documents and bills as well as a live video selfie.

The verification process, as experienced by journalist Brian Krebs, sounds a little Kafkaesque. It can also be disconcerting to provide so much sensitive information to a single, centralised service, when so many organisations are inevitably breached.

Stronger verification procedures do help reduce identity theft, and it seems likely we'll all eventually need to use them to access some government services. It would feel better if these were government-run services, not services run by private companies, but even then it's an open question as to whether our govvies are actually up to the task. It's not altogether reassuring that the Australian government has not one but two competing digital identity initiatives.

APT go Boing!

Kaspersky found UEFI firmware malware dubbed MoonBounce that can persist even if a computer's hard drive is formatted or replaced, attributing its use to Chinese group APT41. Other similar UEFI malware that lives on the motherboard's Serial Peripheral Interface flash memory has been found before, but APT41 is prolific. That suggests this type of malware is set to proliferate. What does corporate incident response do when you can't format drives to clean infected boxes? Flashing a clean SPI firmware is relatively difficult, but what is the alternative?

Nmap for n00bs

Scanning Made Easy, a collaboration between the UK NCSC and industry partners, plans to provide validated Nmap scripts for defenders to scan for critical and otherwise painful vulnerabilities. The trial aims to provide trustworthy and reliable scanning scripts, which can be hard to find for any given vulnerability.

When Memes and Cold War Relics Intersect

Someone has been transmitting over the top of a Russian shortwave numbers station, broadcasting Gangnam Style and even trollface meme images that are visible when the radio frequency is viewed in a spectrum analyser waterfall display.

NSS Admins Will be Busy

A new White House memo aims to improve security of National Security Systems by rolling out, among other things, Zero Trust Architecture and multifactor authentication.