Srsly Risky Biz: Thursday June 30

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber, and founding corporate sponsors CyberCX and Proofpoint.

Israel's Implausible Deniability

A "hacktivist" group responsible for several destructive attacks in Iran is trying to establish norms of responsible behaviour even as it attempts to destroy steel plants.

On Monday, a group calling itself "Gonjeshke Darande" or Predatory Sparrow in English claimed on social media to have launched destructive cyber operations against three Iranian steel companies. On Twitter it posted evidence of the successful attack, including dramatic video footage of what it claimed was one of the attacks, along with still CCTV images and screenshots from what looks like industrial monitoring systems.

Predatory Sparrow claims that the steel firms were targeted because they were sanctioned by the US government. As a motivation for a destructive attack, sanctions alone feel a bit thin, so it is worth noting that one of the targeted firms, Mobarakeh Steel, is allegedly involved in the production of maraging steel, which is used to make uranium enrichment centrifuges. (Note: We understand maraging steel is considered old hat in nuclear wonk circles these days.)

There are conflicting reports of how successful these attacks were. Iranian media confirmed the attacks, although the CEO of Khuzestan Steel Company, one of the affected firms, claimed the "attack failed and no damage was done" despite the state-owned company acknowledging it was forced to halt production.

It's hard to know at this point precisely what damage has been done — both Predatory Sparrow and its victims have reasons to exaggerate or downplay the incidents, respectively. But we think it likely a significant attack has occurred. Predatory Sparrow has an impressive track record of disruptive attacks and Check Point Research has found technical evidence that links the current attack to previous attacks claimed by the group.

According to Check Point, the group first appeared as 'Indra' — referring to the Indian god of war — in 2019 and targeted a series of Syrian firms linked to Iran. From September 2019 through November 2020 these disruptive attacks targeted, among others:

• Alfadelex Trading, accused by Indra of being connected to the Quds Force, a wing of the Iranian Revolutionary Guards Corp (IRGC).
• Cham Wings, a private airline used by the IRGC, including by General Soleimani. The carrier flew him to Baghdad airport where he was assassinated.
• Arfada Petroleum, a subsidiary of the Katerji Group oil transport company that Indra claims has business with Hezbollah.

Interestingly both Cham Wings and the Katerji Group are also sanctioned by the US government. What a crazy coincidence!

Indra then disappeared after these attacks, but Predatory Sparrow, using similar TTPs and variants of the same malware, has since carried out attacks on Iranian train services and Iran's fuel subsidy payment system. In all these attacks, including the recent steel company ones, Predatory Sparrow has trolled the Iranian government by using screens on affected devices to tell people to contact 64411, the phone number of Supreme Leader Ali Khamenei's office.

For us the most interesting part of these attacks, as first reported in The Grugq's The Info Op newsletter, is the lengths to which Predatory Sparrow has gone to illustrate it is conducting responsible destructive cyber operations.

Hamid Kashfi, a Trail of Bits researcher with a special interest in Iran-related cyber activities, told Seriously Risky Business that Predatory Sparrow had been at pains to show it was acting responsibly.

"In the recent gas station attack, for example, they gave early warning to select emergency services commanders and staff so they wouldn't be affected by fuel shortages…. They kept how they got access vague, but they reported some legit vulnerabilities to the vendors."

"In the steel factory attacks they compromised… Telegram channels to send early warnings and also planned their attack so that nobody was injured."

Kashfi's not-yet published research into the gas station attack also shows that Predatory Sparrow could have caused much more damage if it had wanted to.

"They could literally cripple the system permanently, or cause chaos by tampering with customer data, as they had access to everything, including backup servers in data centres. But they chose to just brick pumps and erase some middle-tier servers."

This obviously doesn't feel like the work of hacktivists — why go to such lengths to show that you are operating responsibly? That behaviour seems more in keeping with a state trying to mitigate escalation risk and build norms of responsible behaviour.

The sophisticated targeting of IRGC-linked entities is consistent with Predatory Sparrow being a state group but the technical evidence to support this is mixed. Juan Andrés Guerrero-Saade, Principal Threat Researcher at Sentinel One, examined the malware used in the Iranian train hack. In February this year he told CYBERWARCON there was a mismatch between the sophistication of malware used in the operation vs the actual operation of the campaign. It was "a really smart toy that was given to a very dumb child… the operators clearly don't know what the functionality is," he said.

Whoever is responsible, the people behind Predatory Sparrow are clearly trying to send a variety of messages. Kashfi told us that "in at least one case, for instance, they wiped disks not with random data, but with classified information that only a forensics team and someone familiar with those data could understand. That is a heavy message to deliver!"

This newsletter has previously covered the ongoing tit-for-tat cyber conflict taking place between Israel and Iran, and Predatory Sparrow is obviously trying to send a message. Will Iran listen and adjust its practices? Kashfi doesn't think so. "They go all in and destroy literally everything at their disposal regardless of how it might endanger civilians, and sometimes actually trying to do so!"

Scalper Bots Selling Access to Government Services

Akamai reports that scalper bots in Israel are snatching up and reselling appointments for government passport services. As governments move towards more use of digital services, these kinds of risks need to be considered up front.

As recreational travel resumed demand for Israeli passport renewals spiked and coupled with some supply-side problems, a months-long backlog developed. Some good samaritan developers built a free, third-party bot to secure appointments through MyVisit, the appointment scheduling system used by some Israeli government offices. Unfortunately, another group of developers then created a bot to scalp and sell MyVisit appointments for a range of Israeli government services including at the Ministry of Interior, the Ministry of Transport, National Insurance, Israel Post, and the Electricity Company. These appointments are selling for more than USD$100.

Sam Crowther, CEO of bot mitigation company Kasada, told Seriously Risky Business that organisations in both the public and private sector don't usually think about the risks of bots until they have a problem.

"And then it's, oh, we didn't realise this would be a problem. The amount of people we speak to where there is a market for accounts generated on their platform is huge, and their immediate response is 'Why would anyone want to generate accounts on our platform?'".

Anywhere there is demand, scalpers can swoop in and sell what would otherwise be free appointments. Crowther said that online Covid-19 vaccine appointments were a prime example. "Across the world in all different countries there were bots being used to book them and then resell them to people".

Even where there isn't huge demand, Crowther says, scalpers can still create artificial scarcity by booking all available appointments. As long as an attacker "is willing to scale up enough and create [their] own demand there are opportunities for money, which is scary".

There isn't any simple solution however, and mitigation is all about making the process of creating bot accounts more expensive than the money the accounts can be used to generate. Even requiring that accounts need verified official identity documents doesn't stop bots. "Tying [an account] to an ID is good, but the sort of person going after this probably already has IDs," Crowther says. Citing bank account fraud and even sports betting companies with know-your-customer requirements, Crowther says "absolutely government IDs are used already in the process of making accounts… bots have already gotten good at signing up for accounts that use third party validation services of passport photos and whatnot".

Basing accounts on verified identity documents is also hugely annoying for end users, so the benefits in making account creation more expensive for bots needs to be balanced against usability.

What's the answer? Crowther says that bot mitigation is just something that needs to be actively considered. "Why would someone want to do this to us? Is this going to cost us or our customers? What are we willing to do to prevent it?"

On Rare Earth Minerals Dominance, China Turns to Disinformation

Two reports this week, from Mandiant and the Australian Strategic Policy Institute (ASPI), show the PRC is using disinformation and influence campaigns to undermine efforts to diversify global rare-earth supply chains. The MIT Technology Review has good coverage that complements these reports.

The campaign, which Mandiant tracks as Dragonbridge, tried to motivate anti-mining sentiment targeting Australian, US and Canadian rare earth mining companies by stoking environmental concerns across social media including Twitter, Facebook and Instagram. The PRC sees its current control of a significant portion of global rare earths supply as a strategic asset, has threatened to halt their sale to the US, and even halted rare earth shipments to Japan in the wake of a 2010 maritime dispute. This influence campaign directly targets efforts by Western governments to develop projects to counterbalance China's dominance in rare earths.

ASPI believes this is the first time that a Chinese Communist Party-backed disinformation network has targeted a commercial entity for strategic purposes. They also think the same network "targeted the Quad and Japanese defence policy earlier this year and… is currently harassing high-profile Asian women working for Western media outlets and human rights organisations".

Although the campaign does not look to have been particularly successful in terms of engagement, Mandiant notes that the campaign "leveraged more nuanced tactics than what we typically see from pro-PRC information operations".

Dr Jacob Wallis, head of disinformation research at ASPI, told Seriously Risky Business that despite low engagement the campaign was still a "really significant shift". The campaign shows the CCP exploring how to create effects such as making particular mining projects more costly, and running this campaign in an internet environment that it doesn't directly control, unlike the Chinese domestic internet.

Wallis told us these campaigns are getting better and it "is more about the trajectory than about where they are now".

If it Ain't Broke, You Don't Fix it

Experiments in their business models indicate ransomware crews are getting at least a little bit desperate. Ransomware gangs have been innovative in the past, but they are now trialling new initiatives faster than before.

LockBit has implemented a Dutch auction where the prices to buy or destroy stolen data decrease over time. It looks like the idea here is to pressure the victim into paying at least something to destroy stolen information. As prices fall the likelihood that a third party will buy a victim company's data to use it maliciously increases, so perhaps at a low enough price Lockbit will find some takers who previously would have not paid.

LockBit is also experimenting with a "bug bounty" program, with rewards supposedly ranging from USD$1000 to USD$1m. The reward categories are focussed on improving the security and effectiveness of LockBit's operation, so this may indicate that ransomware operators are starting to see porous OPSEC as a problem. Good news, because effective OPSEC is not easy and slows operations.

Ransomware gangs, including LockBit but also ALPHV/BlackCat and Cl0p, are also experimenting with letting customers and employees of victim organisations search for their own data in stolen material. Presumably this is another tactic to apply pressure to victim companies.

Taken together, these initiatives smack of desperation. Brett Callow, threat analyst at Emsisoft told Seriously Risky Business that "times are tough for ransomware actors, or at least a bit tougher than they once were. Insurers are requiring MFA and better cyber practices, making networks harder to penetrate. We’re seeing more arrests and more disruptions, and international law enforcement agencies are getting ever better at whack-a-mole. And it’s not only the ransomware gangs that are being whacked, it’s also the services they rely on — marketplaces where stolen credentials are traded and crypto mixing services, for example. What we’re seeing now is the gangs responding to the changed market conditions. Their conversion rates are down and they're a/b testing strategies to get them back up."

Three Reasons to be Cheerful this Week:

1. A bipartisan data privacy bill: A group of US Senators has proposed a bill this week that would ban the sale of sensitive US personal data to foreign adversaries. CyberScoop has good coverage of the issues and loopholes.
2. A decryptor for you! And for you!: South Korea's cyber security agency released a free decryptor for Hive ransomware. And so did security firm Avast for Harditem ransomware.
3. Good faith research will be OK in UK: Legislators in the UK have proposed amendments to the Product Security and Telecommunications Infrastructure (PSTI) bill that would give good faith cyber security researchers some legal protections.

Save Time with a Risky.Biz Product Demo

Risky Business is publishing sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors.

In our latest demo, Scott Kuffer shows Patrick Gray the ins and outs of Nucleus Security. Nucleus is a platform that ingests the scan outputs from a number of vulnerability identification tools, normalises that information and then allows vulnerability management teams to do things like assign responsibility for certain types of bugs to the correct people.

You can subscribe to our product demo page on YouTube here.

Shorts

This Newsletter is Now a Podcast Too

There is now a podcast edition of this newsletter where Patrick Gray and Tom Uren discuss the main stories of the week with a policy angle. This week’s edition features special guest Dmitri Alperovitch and will appear in the Risky Business News feed available via RSS, iTunes or Spotify. The first episode from last week is here.

Think Tanks Drained

For the think tankers in the audience, this article from The Record is a nice reminder of why you are likely a cyber espionage target, especially since you are reading this newsletter. Tl;dr: Think tanks are great targets.

Influence Operations a Regular in War

Microsoft has released an updated report on Russian cyber operations involved in its invasion of Ukraine. Just as the PRC is using influence operations to try to maintain rare earths dominance, a significant portion of the report deals with what Microsoft calls Russian Cyber Influence Operations. These operations are a standard tool of statecraft for China and Russia.

FCC Commissioner TikTok Letter All Hot Air

After last week's story on TikTok access from China, FCC Commissioner Brendan Carr has asked Google and Apple to remove TikTok from their app stores. Carr is the guy who described DJI drones as "Huawei with wings". He's also a Republican on an agency controlled by Democrats and the FCC doesn't have the power to regulate app stores anyway.

From Risky Biz News:

US critical infrastructure needs better cyber insurance coverage: A report published last week by the US Government Accountability Office (GAO) has found that critical infrastructure organisations may not receive full cyber insurance coverage, especially if incidents result in "catastrophic financial losses." (continued)

Google TAG tracks 30 surveillance vendors: In a blog post on Thursday, the Google Threat Analysis Group (TAG), the Google security team that tracks advanced threats, revealed that they are aware of and currently tracking more than 30 organisations selling surveillance capabilities to government-backed threat actors.

This quite large number highlights that while the public's attention has been captured by a few vendors like Hacking Team, Gamma Group, NSO Group, and Candiru, there are far more entities that engage in similar operations in an industry that has been loosely regulated over the past decade.

The latest Google TAG report adds new information about RCS Lab, an Italian company that used to be a reseller for the old HackingTeam, but has now moved into creating and selling its own tools. (continued)

FBI warning on deepfakes: The FBI's Internet Crime Complaint Center has published a security advisory warning that some threat actors are using stolen personal data and deepfake technology to pose as legitimate persons and apply for remote work positions in companies. If they get hired, the threat actors use these positions to steal financial data, intellectual property, or other corporate data from the victim company.

Hacker-for-hire scene is changing but booming: A report from MIT Technology's Patrick Howell O'Neill looks at the changing landscape of the surveillance and hacker-for-hire sector, which, despite sanctions imposed on Candiru, NSO Group, CSIS, and Positive Technologies, appears to be thriving. While some companies have gone under, more are taking their place. In addition, O'Neill also reports that governments from states like Saudi Arabia, Bahrain, Qatar, and Singapore are also building up local companies, following in the UAE's work with DarkMatter.