Srsly Risky Biz: Thursday, October 14

Tor, Protonmail, Monero and good encryption: Catching spies is getting harder

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Biden Ransomware Summit

The Biden White House's ransomware summit kicked off today and it wasn't the empty stunt we expected it to be.

We had been wondering what prompted officials from the Netherlands, UK and Australia to signal a more aggressive, military and intelligence agency-backed response to the ransomware threat, and now we know: They were sharpening up their policy positions ahead of the White House-coordinated meeting.

The Dutch government made its stance clear in response to a parliamentary ransomware inquiry — it will use offensive operations to counter ransomware that is a threat to national security.

In the UK, Lindy Cameron, head of the NCSC, touched on ransomware during a speech at Chatham House and noted that offensive cyber operations are part of the standard response toolkit.

We are working to better integrate and deploy a wider range of levers, including our legal tools and powers, our diplomatic network, intelligence law enforcement, technical expertise, economic measures and of course our military capabilities. And working with the newly established National Cyber Force.

She also sheeted home blame to Russian actors:

In addition to the direct cyber security threats that the Russian state poses, we – along with the NCA – assess that cyber criminals based in Russia and neighbouring countries are responsible for most of the devastating ransomware attacks against UK targets.

The day before the summit Australia's government released its Ransomware Action Plan. "Disrupt and Deter" is a third pillar in the plan after "Prepare and Prevent" and "Respond and Recover". Key elements of the Disrupt and Deter pillar include establishing Operation Orcus, "a new multi-agency law enforcement operation led by the Australian Federal Police to crack down on the rising ransomware threat, both in Australia and overseas".

Orcus will investigate cybercriminals and provide targeting information to international law enforcement (where possible), or Australia's signals intelligence agency which will use its "offshore offensive cyber capabilities to disrupt foreign cybercriminals targeting Australian households and businesses".

On the summit's day one public session, Australia's Secretary of Home Affairs was characteristically, uhhh, pragmatic. Per Eric Geller:

Australia's Michael Pezzullo says the world should think of ransomware like piracy in the 17th and 18th centuries, when "concerted efforts" by imperial navies struck fear in the hearts of would-be scalliwags. "We should...take an unconstrained view as to what might be workable."

Interestingly, Australia is hosting tomorrow's closed door session on disrupting operations.

The Japanese representative was also supportive of an aggressive posture: “The nature of cyberspace is asymmetric, and there is an overwhelming advantage for the attackers. This means that it is also necessary to contain and deter attackers in advance.”

An aggressive response is, as we've been arguing for quite some time, justifiable. Some US officials were hopeful the problem would magically solve itself. It hasn't.

US critical infrastructure is still firmly in the sights of ransomware groups. Mandiant described a Russian-speaking ransomware group it calls FIN12 that has targeted companies with more than USD$300m in revenue, and although it attacks a broad range of sectors, hospitals and medical facilities make up 20% of its victims.

At least three US grain distributors have also been infected recently and CyberCX reported several ransomware attacks on the aged care sector in Australia (disclosure: CyberCX is a corporate sponsor of this newsletter).

We were expecting Biden's summit to be a nothingburger. But it has actually prompted some governments to stake out their positions, with many of them signalling that serious ransomware disruption will be met with a military response. Deterrence will obviously require follow through, not just signalling. Until then, talk of offensive cyber capabilities is just that — talk.

The Toebbes Were Caught, But Who's Getting Away With It?

We've long known that anonymising technologies can enable espionage, but now we have proof. A US nuclear engineer and his wife, Jonathan and Diana Toebbe, have been arrested after attempting to sell classified nuclear submarine technology to a foreign government. Toebbe made a dumb mistake and got caught, but flicking through the DoJ's criminal complaint it becomes painfully clear that if he had been less trusting of his purported foreign handlers, catching him would have been nigh on impossible.

That begs the question: Are there other Toebbes out there getting away with similar crimes?

Although some details seem bizarre — SD cards were hidden within peanut butter sandwiches and chewing gum packages — Toebbe used a variety of freely available anonymising and encryption techniques to practice, in our view, very good OPSEC. He was only caught because he made one critical mistake: He allowed the "purchasing" side of his transaction to pick dead drop locations ahead of time.

Frankly, we think counterintelligence organisations will find this case alarming.

Toebbe initially contacted a foreign government by physically mailing a package containing sample data and instructions for further covert communication using Protonmail. "Please forward this letter to your military intelligence agency. I believe this information will be of great value to your nation."

This is the modern day equivalent of a Cold War "walk-in" — a potential agent who would walk in through the door of an embassy to volunteer information. A 1986 Senate Review of Counterintelligence and Security Programs identified walk-ins as particularly damaging:

In the final analysis, however, the most dangerous agents of all, who account for the greatest losses of the most highly classified information, are not those who are laboriously recruited, but those who walk in the door of a Soviet embassy somewhere and volunteer information for sale. For the "walk-in" as for the recruited agent, the motivating factors are usually greed or indebtedness plus an additional element of grievance or disgruntlement. The individual usually is dissatisfied with his or her job or harbors some grudge against his organization or both.

Aldrich Ames, Robert Hanssen, and John Walker were all tremendously damaging walk-ins; Ames and Hanssen compromised US agents working in the Soviet Union (these agents were often executed) and John Walker revealed US submarine capabilities. Walk-ins weren't all a US-to-Soviet phenomenon, though: Vladimir Vetrov gave up Soviet espionage secrets to the French, who graciously shared the resulting intelligence with their pals at the CIA.

Counterintelligence doesn't sit still, however, so nowadays literally walking into an embassy to offer your services for espionage is likely to get you caught, pronto. Mailing a package eliminates that risk, but substitutes it for another one: you don't really know who you're talking to.

That risk was realised here. Seven months after Toebbe mailed in, the package ended up with the FBI. It promptly launched a sting operation. (Btw, what was happening in those seven months? Did you lose the CIA switchboard number, Pierre???)

Toebbe's online communications OPSEC was good. To send messages via Protonmail he travelled away from his home and used Tor over public wifi and connected to Protonmail via its .onion service to avoid using exit nodes. He also arranged payment in Monero, a cryptocurrency designed to be anonymous and specified different addresses for each payment.

In one message to the FBI Toebbe also described how careful he had been about stealing the information in the first place.

This information was slowly and carefully collected over several years in the normal course of my job to avoid attracting attention and smuggled past security checkpoints a few pages at a time.

And in another,

We received training on warning signs to spot insider threats. We made very sure not to display even a single one. I do not believe any of my former colleagues would suspect me, if there is a future investigation.

These OPSEC precautions strike us as pretty effective, and if Toebbe is accurately describing how careful he was, it's hard to see how he would have been detected as an insider threat.

Toebbe was also reluctant to use real-world dead drops and had a reasonable online alternative.

Face to face meetings are very risky for me, as I am sure you understand. I propose exchanging gifts electronically, for mutual safety. I can upload documents to a secure cloud storage account, encrypted with the key I have provided you. You can send me a suitable gift in Monero cryptocurrency to an address I will provide.

Toebbe was even awake to the possibility that he was communicating with the FBI.

I must consider the possibility that I am communicating with an adversary who has intercepted my first message and is attempting to expose me.

His crucial mistake, however, was to convince himself he was talking to a foreign intelligence service when a signal was flown (presumably from their embassy) on Memorial Day in Washington DC. This "proof" was enough to convince Toebbe to ignore his own instincts and use dead drops specified ahead of time by the FBI, who then identified him by watching the locations.

If he'd stuck to his guns and avoided these dead drops, or even arranged his own ahead of time, Toebbe probably wouldn't have been caught.

After incidents like these, counterintelligence and security organisations examine the details to see if they can learn anything to prevent and detect further cases. Often, these incidents result in changes to security protocols (hence the insider threat training Toebbe mentioned). We are left wondering what the lessons are for the FBI here. Maintain good relationships with intelligence adversaries so they pass on their walk-ins? Examine all mail sent overseas? Frisk all employees for records when they leave work?

Our pro tip for would-be spies: don't use dead drops arranged by someone else. As for pro tips to counterintelligence agencies looking to catch others using these modern digital techniques, we're drawing a blank. Sorry.

Three Reasons to be Cheerful this Week:

  1. Time for some grave dancing: Microsoft is disabling Excel 4.0 Macros. We're not saying this is as big a deal as scientists announcing they've created a vaccine for malaria, but it's up there.
  2. Too bad you need to be a target to get the free stuff: Google is giving out 10,000 security keys to users at high risk of being targeted such as journalists, activists and elected officials.
  3. One less DDoSer: The Ukrainian Security Service arrested the operator of a 100,000 system DDoS botnet.
Twitch Got Owned... Quite A Lot

There's been a big breach at Twitch, the video game live-streaming service. Per the Video Games Chronicle, the leak includes all of Twitch's source code, creator payout reports, SDKs and a whole bunch of other stuff, but no credit card or password data, at least not yet. The leaker claimed to be acting in the best interests of competition. "To foster more disruption and competition in the online video streaming space, we have completely pwned them," they wrote.

Streamers on Twitch earn money from advertising and viewer tips, so the leak is an insight into the creator economy. The total payout for the top 10,000 streamers was around USD$1bn over two years and the top 80-odd earnt over USD$1m each in that time, but it drops off pretty quickly after that.

Finally: A Data Integrity Attack

A disgruntled former employee used her credentials to alter aircraft records belonging to the flight training school where she had worked. Among other things she changed some logs so that potentially unsafe aircraft were classified as airworthy and removed maintenance reminders.

Legacy Auth Stings O365 Users

Microsoft has detected Iran-linked groups targeting Office 365 tenants "with a focus on US and Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies with business presence in the Middle East." The group enumerates users by abusing Exchange features and then launches password spraying attacks via Tor. The attackers were brute forcing via ActiveSync, which is a hideously outdated protocol nobody should be using, let alone defence contractors or critical infrastructure operators. Geez.

Meanwhile Google sent warnings to 14,000 users that were being targeted after it detected and blocked a Russian (APT28) phishing campaign.

Go Deep!

ESET published research on a UEFI bootkit, only the fourth found in the wild. The malware has a surprisingly long heritage, dating back to 2012, and hasn't changed that much. I guess it must work pretty well…

Prosecuting an Expert Troll is Hard

The prosecution of Joshua Schulte for giving the CIA's Vault 7 material to WikiLeaks is still a massive cluster. It's amazing that someone was able to take over 180GB of material from the CIA after the Snowden disclosures.

Could You Like, Not Commit Crimes Plz?

Australian regulators and Dutch law enforcement are reaching out directly to dissuade potential criminals. The Australian Securities and Investments Commission (ASIC) warned users in a Telegram chat room that "pump and dump" activities are illegal. The Australian Stock Exchange lists lots of small and thinly traded companies whose shares are particularly susceptible to price manipulation by coordinated buying and selling.

In the Netherlands, police sent warning letters to customers of DDoS services warning against using them again.

Interesting Business Model

A botnet abused 4G-capable TP-Link routers to send SMS messages. The funny part is it looks like the attackers were making money off it by selling bulk SMS services to legitimate organisations.


A new threat actor, dubbed SnapMC by Fox-IT, steals data for extortion as quickly as possible, usually spending less than 30 minutes inside a network.

Huh. Not Israeli.

An Amnesty International report identifies links between Indian company Innefu Labs, hacking group Donot Team and targeting of a Togolese activist. Last year Citizen Lab identified an Indian hacking-for-hire company BellTroX, so it's possible that India's software industry is branching into hacking services.