Srsly Risky Biz: Thursday, September 2

If It Looks Like a Hacktivist and Quacks like a Hacktivist

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

If It Looks Like a Hacktivist and Quacks like a Hacktivist

As this newsletter speculated in mid-August, there's mounting evidence an ongoing cyber campaign in Belarus is the work of genuine hacktivists. What's missing from all the media coverage we've seen, however, is a history lesson on all the hacktivism that wasn't.

State actors have an established record of pretending to be hacktivists and misattribution is common, at least initially. Structured analysis is useful when trying to understand what is actually going on.

Understanding motives is the first step. Why do states so often pretend to be activists? What are they seeking to achieve? We had a long chat with The Grugq, cyber and influence operations researcher and Chair of the Glasshouse Center, about sorting the hacktivist wheat from the state sponsored chaff.

"There are only three types of cyber operator as far as anyone is concerned: nation state spies, criminals, [and] hacktivists/hackers,'' he told Seriously Risky Business. Pretending to be another nation state "is very seldom useful, and criminals never, not if you want credibility."

So why bother with a hacktivist ruse? One reason is dressing up operations as activism can eliminate the "taint" of self-interest, Grugq says.

That appears to be the thinking behind Russia's Guccifer 2.0 persona, which claimed responsibility for hacking the Democratic National Convention (DNC) and leaked documents to the media via Wikileaks.

Guccifer 2.0's cover as a "hacktivist" was pretty thin -- he claimed to be Romanian but could only speak the language at an online-translator level -- and the persona was later identified as an invention of a Russian GRU operation. However, the cover story did allow some media outlets to at least pretend to believe in it, shielding themselves from accusations they were furthering the aims of a foreign intelligence agency operation. Merely dumping the data online with no explanation -- via Wikileaks for example -- would have complicated newsroom discussions on how to handle the material. Thus, Guccifer 2.0 was born.

Beyond merely hiding self-interest, posing as hacktivists also allows states to supply their own narrative and framing when leaking material, and ladles on additional credibility by making the leak appear secret. "Wikileaks and Snowden... along with the media in 2012 created the public perception that hacktivist leaking provides access to secret data... everyone believes that secrets are more valuable than public info," Grugq says.

When it comes to assessing whether a "hacktivist" group is genuine, he uses multiple criteria.

1. Politics

First, Grugq says you should see if a group's words match its actions over time.

"You can [only] fake being a vegan for only so long. Some Sunday morning you’re gonna get up and have bacon and eggs because f..k another goddamn gluten free sawdust toast breakfast," Grugq says.

When the "Guardians of Peace" hacked Sony Pictures Entertainment, stole data and wiped computers in 2014, its actions and politics did not align. It initially didn't appear to have any particular political agenda and leaked confidential data including emails and unreleased movies, but also warned Sony off releasing The Interview, a satirical movie about the attempted assassination of Kim Jung Un, North Korea's ruler. The group's focus on The Interview was telling, as it was inconsistent with a criminal or hacktivist group. This focus was consistent, however, with subsequent technical analysis that tied the hack to other North Korean operations.

But when the rhetoric, actions and political motivations align, you could be dealing with the real thing.

In contrast to the Guardians of Peace, Phineas Fisher, for example, hacked spyware makers Hacking Team and Gamma Group and released internal documents to embarrass them. Both companies sold their products to law enforcement and attacking them was consistent with Fisher's anarchist, anti-establishment ethos. It seems unlikely that a foreign intelligence service would have a strong interest in disrupting surveillance-ware companies.

2. Operational and technical sophistication

Next, look to see if the demonstrated capability is consistent with a hacktivist group, considering both technical and operational sophistication. The Grugq highlighted the release of security camera footage from Iran's Evin prison recently as having "sophisticated operational design and planning". Effectively leaking to achieve impact in the media required a lot of information and planning. "Knowing where to look. Knowing what to show. How to edit it. How to find the right footage."

The more sophisticated the operation, the more likely a state actor is responsible.

3. Technical consistency

Thirdly, was the quality of the code used in the operation consistent with a hacktivist group? In the recent Iran railway wiper attack, the malware was written "like someone very good was trying to pretend to be a n00b," which makes "perfect sense for someone impersonating a hacktivist," according to Grugq.

Tying it all together

When assessed by these three CCP criteria (Capability, Code and Politics) Phineas Fisher appears to be the genuine article. The Guardians of Peace? Not so much. The Cutting Sword of Justice? Nope. The "Cyber Caliphate" attack against TV5Monde? Again, no.

In this most recent case, however, the Belarusian Cyber Partisans have clear political motivations that match their actions. Their communications strategy and engagement with the media is consistent with their agenda, and they have even produced an English-language "victory plan". This "victory plan" isn't actually an operational plan -- it's a propaganda document for dissemination to build support amongst English speakers. No code is available to assess yet, but their cyber operations appear competent and consistent with the type of hacktivist organisation that has been reported. It also helps that other Belarusian activists say they're working with them and say they're the real deal.

Seriously Risky Business won't completely rule out the possibility of a state actor providing assistance to the Cyber Partisans, but for now it sure looks genuine.

Netflow Sharing is not a Privacy Disaster

Netflow data is invaluable to cyber security incident response and threat intelligence and its privacy risks are overblown.

Netflow is comprehensive summary data that captures how traffic flows across the internet. It records how much data flowed from one IP address to another and typically includes the protocol and port used, which can hint at the type of data being sent. Threat intelligence firms collect and aggregate netflow data from various sources including ISPs to produce a more comprehensive view of how traffic flows across the internet.

If the aggregated data covers a particular cyber security incident, researchers can drill down to see what traffic was occurring at a particular point in time. Joe Slowik, Principal Security Engineer at Gigamon, says netflow "can be exceptionally valuable in monitoring [command and control] C2 channels to go from victim-facing C2 nodes to actual adversary infrastructure. It can also serve as ground-truth data for exfiltration activity."

In the case of data exfiltration, for example, netflow can be used to see how much data was sent to or from particular locations. But netflow data isn't used in isolation. Analysts need to first determine specific locations via some other mechanism, such as IP addresses identified by incident responders.

The same applies to C2. Slowik says analysts "typically start with... third party intelligence, your own intelligence, or doing things like domain discovery... to kick things off, then see what links to objects from there. That allows you to get to 'new' or 'higher' connections as part of the C2 schema".

Importantly, netflow can also be collected independently of an affected organisation's own monitoring and logging. It can’t be deleted when intruders clean up logs to hide their activities.

From a privacy point of view, netflow doesn't include any user identifiers, so in isolation it can't be used to investigate and dox people. Just as we described in incident response scenarios, netflow data needs to be combined with other data to "kick things off".

The underlying problem is that the data broker and adtech ecosystem in the United States is a privacy nightmare. A wealth of "anonymous" and identifiable information can already be purchased and used to persecute and harass individuals.

Netflow data being used by incident responders isn't an unacceptable privacy risk. The benefits outweigh the risks by a wide margin. That said, it's probably worth some safeguards being put in place around this kind of metadata to stop it being abused by the adtech maniacs.

Election security research hijacked for disinformation

Cyber security research into election security has been hijacked to support the conspiracy theory that the 2020 US Presidential election was stolen. On reflection, should the disclosure of research into election security have been handled differently by our industry?

The fundamental dilemma for researchers is that to improve election security, they first needed to demonstrate how election system components are vulnerable. While we could spend several paragraphs navel gazing about how infosec could have raised its concerns without undermining trust in election systems altogether, handling disclosure differently might not have helped. According to Elise Thomas, a disinformation researcher at the Institute for Strategic Dialogue, it doesn't really matter how much care or context was applied.

"The election fraud narrative and the way supposed cybersecurity flaws are playing into that would probably have happened regardless of how responsibly the research was framed," she told Seriously Risky Business. "The discussions around voter fraud are more or less completely disconnected from the actual facts."

SARS-CoV-2 not a bioweapon

The US intelligence community assessment on the origins of Covid-19 has been released. The community agrees that the SARS-CoV-2 virus was not a bioweapon, but is divided on how it came to infect humans. It assessed two scenarios as possible: natural exposure to an infected animal or a laboratory-associated accident.

It seems unlikely at this point that we'll ever know. The assessment states that China's cooperation is probably required but its government continues to "hinder the global investigation, resist sharing information and blame other countries, including the United States. These actions reflect, in part, China’s government’s own uncertainty about where an investigation could lead as well as its frustration that the international community is using the issue to exert political pressure on China."

Shorts

Well… that's one way to solve a crime

A victim of crypto currency has filed a civil lawsuit against two minors (at the time) and their parents for stealing 16.4 bitcoins. The stolen crypto currency is now worth USD$750,000, and the plaintiff's investigation took over a year and cost over USD$10,000, including the hiring of experts to trace cryptocurrency transactions.

This story illustrates some of the difficulties law enforcement faces when taking action against cyber crime. The expertise and time required to investigate cyber crime has a very high opportunity cost, especially when the perpetrator is outside the jurisdiction of investigating agencies.

The Department of Justice is aiming to address the expertise side of the equation by launching a "Cyber Fellowship" program designed to "develop the next generation of prosecutors with the training and experience necessary to combat the next generation of cyber threats".

WTF, Kuwait

If we think secrecy, non-disclosure agreements and legal privilege are bad in Western countries, check out what's happened in Kuwait. A security researcher there was prosecuted for tweeting about possible Indicators of Compromise that he discovered on VirusTotal. After the loss of USD$9m, Gulf Bank wanted to prosecute, apparently to demonstrate that it was protecting its reputation. The researcher was eventually acquitted.

Exchange Takes Another L

The Zero Day Initiative announced an authentication bypass bug in Microsoft Exchange that it called ProxyToken. ProxyToken allows unauthenticated attackers to configure arbitrary mailboxes to, for example, forward all email elsewhere.

Within hours of the announcement the vulnerability was being used in the wild; fortunately it was patched in April.

Given the free flow of recent Exchange bugs, it's nice that Microsoft is charging a bit less for Defender for Endpoint. Perhaps each critical Exchange bug should result in lower prices? Then again, in that scenario they'd probably wind up paying us to run their software. Lol.

Don't Fence Me In

Police in the US are increasingly using "geofence warrants" that allow police to get data from devices located within a certain area at a specific time. These warrants are useful for lead generation as they identify people that were potentially at the scene of a crime, but they also can gather data on large numbers of people acting lawfully. Police got data from phones near several locations around the Kenosha riots, even though many of the people whose data was swept up were likely protesting lawfully. Investigations into the US Capitol riot also used geofence warrant data.

At a minimum, Apple, Google, Uber and Snapchat have all received geofence warrant requests. More transparency on what happens after a warrant is issued -- such as how often they are fulfilled, what kind of data is provided, whether it leads to arrests and prosecutions, and how the data is protected -- would be fab.

Won't Someone Think of the... Stalkers?

The Federal Trade Commission has banned stalkerware vendor SpyFone and its CEO from the surveillance business. When these types of services claim to offer an ability to "monitor loved ones", that’s basically code for "enabling domestic abuse". Good riddance.

Rotate Your Cosmos

If you use Microsoft's Azure Cosmos DB we think you should pay attention to CISA's advice.

We Thinkst It's Great!

Thinkst Canary has re-launched ThinkstScapes, a quarterly round up of interesting security research. It's really, really good. (Disclosure: Thinkst is a Risky Business sponsor. But we included this because we think it's cool not because they sponsor our podcast.)

CISA Throws 1FA to the Lions

CISA added single-factor authentication for remote or administrative access to its list of Bad Practices. CISA's Bad Practices page catalogs practices that it thinks are exceptionally risky. The page is focused on critical infrastructure, but the practices are bad for any organisation. Right now it is a very small list, so you are really in bad company if your practices have been named and shamed.

Beers, Burgers, Sunshine and Ransomware

CISA and the FBI have warned about the threat of ransomware leading into the Labor Day weekend. They've observed a "increase in highly impactful ransomware attacks occurring on holidays and weekends—when offices are normally closed". So, um, have a good weekend!