Srsly Risky Biz: Thursday July 7

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

China Gonna China

If recent reporting from the Financial Times is anything to go by, the Chinese government approaches cyber espionage very differently from Western intelligence agencies.

An FT report this week describes the hiring practices of Hainan Xiandun, a front company that provides translation services for the Chinese cyber espionage group known as APT40.

This group has carried out operations on behalf of the PRC's Ministry of State Security (MSS) Hainan State Security Department (HSSD). And it's a group that's tangled with the US Government. Three HSSD officials and a Hainan Xiandun hacker were indicted by the US Department of Justice in July 2021 for a "campaign to hack into the computer systems of dozens of victim companies, universities and government entities in the United States and abroad between 2011 and 2018".

The Financial Times investigation managed to acquire a "leaked list of candidates compiled by security officials in the region" and contacted potential translators who had responded to job adverts at Hainan Xiandun. It turns out that candidates were not told what work they would be doing, but the application process included translation tests on "sensitive documents obtained from US government agencies," and also open source research into potential intelligence targets. One candidate told the Financial Times "it was a very weird process," another that "it was very clear that this was not a translation company".

Recruitment for these front companies is still ongoing, so one lesson may be that despite official attribution efforts from the US and other governments, the MSS just doesn't care that people know.

From the point of view of Western intelligence agencies, these recruitment practices look unprofessional, if not bizarre. Western agencies recruit from universities too, but candidates understand what they are applying for and the selection and vetting processes are rigorous.

In this case the apparently lax personnel vetting for these translation and open source research jobs may simply be appropriate for the PRC's needs. It steals intellectual property at scale and rigorous vetting just slows things down. It may also be acceptable for the level of secrecy that APT40 operates at.

Alex Joske, an independent researcher studying Chinese Communist Party interference and espionage and author of an upcoming book on the MSS, told Seriously Risky Business that what looked strange to us is "typical of the way [Chinese] bureaucracy works in general" and that "the nature of cyber adds to that". When it comes to recruiting translation talent, he pointed out that "it is not like a Chinese student will look up [the company's] name on Intrusion Truth before taking a job".

Joske pointed out "it is very common for every significant [PRC] government ministry to run its own companies". Illustrating just how common this is, Joske said that In the late 1990s a government divestiture push resulted in the MSS closing 112 companies and handing another 144 over to other agencies where they would be more relevant, including government trade and asset-management bodies.

When it comes to cyber security specifically, Joske says the MSS has invested in building links to universities and cyber security researchers for decades. In his research, Joske found "evidence that they were embedded [in research and universities] from the very beginning". For example, the founder of Shanghai Jiaotong University's cyber security school was a former vice minister in the MSS. Shanghai Jiaotong was subsequently linked to the Operation Aurora hacks of the late 2000s. It's also not uncommon for MSS officers to hold academic posts at universities.

At one level, the US government understands this. In response to the mass compromise of Microsoft Exchange Servers in early 2021, US Secretary of State Antony Blinken said the "PRC’s Ministry of State Security has fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain".

Blinken's statement says that this is a bad thing, and implies that he wants it to stop, but this is just the way the Chinese government rolls. Its cyber espionage efforts have been incredibly successful and Joske thinks that given that it is business as usual for the PRC "there's no way we can credibly impose costs" to get them to stop.

Instead, Joske thinks, we should learn from the model where China has built an ecosystem over decades so that it is now "a strength of their intelligence system". He sees various intelligence agency university collaborations in Western countries as "a good start".

Dirty Deeds, Done Dirt Cheap

Reuters' Chris Bing and Raphael Slatter have an eye-opening report into the use of Indian hacking-for-hire services to influence legal battles. The report covers the activities of just three firms with shared infrastructure and staff, BellTrox, Appin and CyberRoot. Citizen Lab first described BellTrox in 2020 in one of the first reports on the hack-for-hire industry.

Reuters obtained a database of more than 80,000 emails sent by the Indian hacking firms from their email providers, who gave "the news agency access to the material after it inquired about the hackers' use of their services".

The database contained 13,000 targets, including over 1,000 attorneys at 108 different law firms. Reuters found "at least 75 U.S. and European companies, three dozen advocacy and media groups and numerous Western business executives were the subjects of these hacking attempts".

Reuters provides further details and context by interviewing targets, private investigators, and litigants swept up in some of these phishing campaigns. The whole thing is worth reading.

Google's Threat Analysis Group also released a complementary report that confirms Reuters' reporting and also describes similar hack-for-hire outfits operating in Russia and the United Arab Emirates. We wrote about the Russian group, which calls itself RocketHack and is also known as "Void Balaur", back in November of last year.

It's a Coincidence, Brad

CyberScoop has an excellent piece examining shortcomings in Microsoft's updated report "Defending Ukraine: Early Lessons from the Cyber War". We strongly agree that the report overplays — or at least doesn't present enough evidence to support — claims of Russian integrated conventional and cyber operations in the invasion.

A particular example cited by experts CyberScoop consulted is Microsoft's claim that a conventional assault on a nuclear power plant was conducted with "combined cyber and conventional weapons". However, the report itself is pretty thin when it comes to backing the claim, stating:

On March 2, MSTIC identified a Russian group moving laterally on the nuclear power company’s computer network. The next day, the Russian military attacked and occupied the company’s largest nuclear power plant.

We think cyber operations in warfare should be measured by their contribution to combined arms warfare. How effectively are they integrated with other combat arms to achieve mutually complementary effects? Did this cyber operation aid the conventional military attack and make it more effective or easier? As described, the cyber component of the nuclear power plant attack sounds much more like intelligence gathering than use of "cyber weapons".

We already do have a great example of effective use of an offensive cyber operation to disrupt Ukrainian forces — the Russian disruption of KA-SAT. This affected Ukrainian military communications on the day of the invasion and although we don't know exactly how significant the impact was on Ukraine's warfighting ability, it's clear that disrupting command and control can affect the outcome of a conventional fight.

And we know what effective operations look like. Both the US military and the  Australian Signals Directorate (ASD) have spoken publicly about how cyber operations can complement on-the-ground fighting. In a 2019 speech to the Lowy Institute ASD Director-General Mike Burgess described an offensive operation against Daesh (aka ISIS) forces:

Just as the Coalition forces were preparing to attack the terrorists’ position, our offensive cyber operators were at their keyboards in Australia – firing highly targeted bits and bytes into cyberspace. Daesh communications were degraded within seconds. Terrorist commanders couldn’t connect to the internet and were unable to communicate with each other. The terrorists were in disarray and driven from their position – in part because of the young men and women at their keyboards some 11,000 kilometres or so from the battle. [...]

When it came to the day of the operation, our operators were in constant contact with deployed military elements to make sure the effects were carefully coordinated and timed to precision. Our effects were generated in support of and in coordination with ground manoeuvres. This operation marked a milestone for both Australia and our Coalition partners. It was the first time that an offensive cyber operation had been conducted so closely synchronised with the movements of military personnel in theatre. And it was highly successful. Without reliable communications, the enemy had no means to organise themselves. And the Coalition forces regained the territory.

The Russian "combined cyber and conventional weapons" as described by Microsoft look nothing like this.

The Ukrainian government also looks like it is happy to sustain the narrative that Russian cyber operations and its conventional military forces are acting in concert. This week Victor Zhora, a senior Ukrainian cyber security official, wrote on Twitter:

One more evidence of coordination of kinetic and cyber operations by russian aggressors. Ukrainian largest private energy company DTEK was cyberattacked simultaneously with shelling of thermal power plant of the same company in Kryvyi Rih. Both targets are 100% civilian.

DTEK's English-language statement on the matter is unclear about exactly what occurred, but it looks to us like simultaneous targeting rather than Russian cyber and conventional forces operating to achieve reinforcing effects. That is, artillery and (maybe) cyber operations were both trying to disrupt power supply, just in different locations at the same time. It doesn’t look like there was any useful coordination between the two actions.

The Russian group that claimed responsibility, XakNet, is reported to have links to Russian intelligence, so it is at least theoretically possible that there was coordination with conventional forces. Colour us sceptical.

Ukraine is a big country under attack from both conventional military forces and "hacktivist" groups, so there are bound to be some overlaps at times. Is Russia effectively combining cyber operations with conventional weapons? Solid evidence is sorely lacking right now.

Three Reasons to be Cheerful this Week:

1. AstraLocker ransomware shuts down: the developer of the malware released decryption keys by uploading an archive to VirusTotal telling Bleeping Computer "It was fun, and fun things always end sometime". A ReversingLabs report on AstraLocker from last week described its approach as "smash and grab". AstraLocker would encrypt files immediately upon targets opening the malicious file attachment rather than using initial malware as an entry point and working patiently to escalate privileges to deploy ransomware across the entire network. AstraLocker was hardly a significant player in the ransomware scene, but we'll take whatever wins we can get!
2. Apple announces Lockdown mode: Apple has announced that "Lockdown Mode" will be coming to iPadOS/iOS16 and Mac OS Ventura. This will considerably improve a device's security posture by disabling features to reduce attack surface. Some of the features lost will be more or less transparent to users, but some will impact usability  — in lockdown mode some videos in messages including iMessage and MMS will be blocked, for example. Apple says this is aimed at an extremely small number of users, so perhaps the measure for turning on Lockdown mode for an individual should be "is my personal safety worth more than getting video messages?" Kudos to Apple for doing this work to address the security needs of a small number of users.
3. Quantum-resistant cryptography is coming to a standard near you: The US National Institute of Standards and Technology has announced it has chosen four quantum computing resistant encryption algorithms for future standardisation. Great news, as now whenever someone talks about the challenges of the post-quantum encryption we can look smart by talking about dilithium crystals.

Save Time with a Risky.Biz Product Demo

Risky Business is publishing sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors.

In our latest demo, Scott Kuffer shows Patrick Gray the ins and outs of Nucleus Security. Nucleus is a platform that ingests the scan outputs from a number of vulnerability identification tools, normalises that information and then allows vulnerability management teams to do things like assign responsibility for certain types of bugs to the correct people.

You can subscribe to our product demo page on YouTube here.

Shorts

This Newsletter is Now a Podcast Too

There is now a podcast edition of this newsletter where Patrick Gray and Tom Uren discuss the main stories of the week with a policy angle. This week’s edition will appear in the Risky Business News feed available via RSS, iTunes or Spotify. The episode from last week is here.

We Cannot Allow an Ambiguity Gap

Israel's government may, in a roundabout way, have confirmed it is responsible for the destructive cyber attacks on Iranian steelworks that occurred last week. The Defense Minister Benny Gantz ordered an investigation into media leaks shortly after several television reports linked the Israel Defense Force's Unit 8200 with the steelworks attacks. A statement issued by Gantz's office said the investigation will look at "recent leaks from closed discussions… as well as leaks from operational events, in a manner that violates the ambiguity policy of Israel". As discussed on last week's Seriously Risky Business podcast, Israel often maintains a policy of ambiguity regarding its actions and capabilities.

China Sets New World Record!

A Shanghai National Police (SHGA) database containing information on more than a billion(!) Chinese nationals has been leaked and is for sale. The breach apparently occurred because the developer included the database's credentials in a post they made to the China Software Developer Network.

We wonder why the Shanghai police needed data on a billion people, but both CNN and the Wall Street Journal verified a (tiny tiny, lol) subset of the data. News of the leak is being censored on Chinese social media, which may be as close as we'll get to official confirmation.

Read more about this story in Risky Biz news.

You Can’t Cyber Your Way Across a River

Ciaran Martin, former head of the UK's NCSC has an excellent thread about how cyber capabilities fit into the structure of a Defence force, riffing off a speech by UK Chief of the General Staff General Sir Patrick Sanders. In short, even destructive cyber capabilities don't replace conventional military force but are instead complementary.

From Risky Biz News:

HackerOne discloses malicious insider incident: In a report published late Friday, just ahead of the July 4th extended weekend, and hoping the incident would not get extended media coverage, HackerOne disclosed the first incident of a rogue employee stealing a researcher's bug report. (continued)

FSB officer detained for stealing from a hacker: TASS reported last week that Russian authorities detained an FSB office on charges of stealing cryptocurrency from a hacker. The suspect, named Dmitry Demin, a lieutenant colonel for the FSB's Samara regional unit, was accused of stealing cryptocurrency funds during a search of a hacker's home in the city of Syzran last year. The FSB officer was detained from a complaint filed by the hacker himself, who estimated the losses at "several million rubles".

China to invest in its own OS: A group of ten Chinese tech companies have agreed to help Kylinsoft build a new project named openKylin, meant to help improve the open-source development of Kylin, China's national operating system. The move comes as western software companies, such as Microsoft and Apple, are pulling out of Russia and creating technical issues for the Russian government, which, just like China, is incredibly dependent on US-made operating systems.

Ransom payment back for a profit: The Maastricht University in the Netherlands will receive the ransomware payment they paid to hackers in 2019 back and with a profit. The university paid €200,000 in Bitcoin to the hacker three years ago, and they will receive their Bitcoin back after Dutch authorities tracked down the payment to a money launderer in Ukraine, who was detained last year. The positive side is that the Bitcoin is now worth €500,000, which the university said it plans to put in a fund meant to help struggling students, according to Dutch newspaper de Volkskrant [non-paywalled version in NOS].

The cyber-attack that wasn't: A Palestinian group of hackers known as Sabareen and Iranian media ran pompous reports on Monday about a cyber-attack that crippled Tel Aviv's metro system. The problem with the reports is that Tel Aviv doesn't have a functional metro system, which is still under construction, so the hackers didn't disrupt anything except some poor construction company's homepage.