Srsly Risky Biz: When Do Cyber Campaigns Cross a Line?
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. This week's edition is sponsored by Mastercard Threat Intelligence.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

A new paper from the Germany-based think tank Interface has attempted to define the threshold at which peacetime state cyber operations become irresponsible.
The author thinks that more concrete definitions of responsible behaviour would help guide states and prevent dangerous conduct.
It's a commendable effort, but we don't think the architects of cyber operations really care about norms, and a German think tank writing down its preferred rules on a piece of paper won't make any difference to state behaviour.
Governments do, however, care about potential political costs and the risk of retaliation. One of the paper's goals is to provide a framework that makes it easier for victim states to flag irresponsible operations and respond appropriately.
The paper defines seven principles-based "red flags" and gives examples of some real-world cyber operations that might have raised these flags.
The first red flag, "Causing physical harm, injury or death", is pretty straightforward. It's a threshold that states have observed and the paper does not list any cyber operations that it thinks have crossed the line.
The most interesting red flag is "Lacking or losing operational control". The author argues that maintaining effective operational control "is essential", because risks increase when operations spiral out of control.
This can take two forms. One form is "technical loss of control" such as in the cases of NotPetya, WannaCry or even Stuxnet. At first glance, states seemed to have learnt their lesson, and there hasn't been another NotPetya-style disaster since the original was unleashed in 2017.
The paper points out that AI "vibe coding" could make loss of control a problem again. Loosey-goosey software development risks introducing unpredictable behaviours. If operators don't even understand how their malware works, things could go wrong.
The second form is what the paper calls "organisational loss of control". This part of the paper takes aim at China's loosely controlled contractor ecosystems and the examples cited include I-Soon and other contractors, and the mass-exploitation of Microsoft Exchange.
This is a part of the report that could get some traction with policymakers. Governments want to make hay with cyber operations, but they don't want to accidentally cause some sort of drastic escalation because a contractor got excited.
The other five red flags are less likely to move the needle. The internal logic of why they are red flags makes sense, but some are already fairly common or there are practical reasons they are difficult to deter.
For example, "Intervening in domestic political processes" being listed as a red flag makes sense. Internal political processes are fundamental to how a state functions. But interference is actually relatively commonplace, and we're yet to see a strong response. The paper cites direct interference in Ukrainian election architecture, and hack and leak operations to influence the US and French presidential elections as examples of this type of interference.
Although the French response to election interference in 2017 was tactically very effective, in that Russian interference was neutered, in general responses have not been painful enough to deter adversaries.
At least in part, that is because it can be practically difficult to respond robustly. During the 2016 US presidential election, for example, a domestic constituency benefited from interference and did not want to acknowledge that it had even occurred.
So although the underlying logic of labelling interference in domestic political processes a red flag makes sense, there are practical reasons why it has historically been difficult to enforce. And we don't see these reasons disappearing any time soon.
Triggering physical disruption or destruction is listed as another red flag, with the paper citing the interruption of Ukraine's electricity network, Stuxnet and the disruption of a German steel mill as examples. If we were writing the report we'd add the Predatory Sparrow incidents in Iran to the pile.
Most of the destructive incidents we mentioned above are examples of stronger, more capable states punching down on relative minnows. It's the kind of thing bigger states do when they think they can get away with it. An aggressor state might even argue that these destructive cyber operations are a good thing because they replace more destructive and escalatory kinetic attacks.
Two of the other red flags fall into the category of mostly-observed-but-we'll-do-it-when-we-can-get-away-with-it operations. These are "Prepositioning for civilian disruption" and "Preparing the military battleground".
The best example the paper cites here is Volt Typhoon, the Chinese government's effort to compromise US critical infrastructure. That example highlights the problem, though. The US absolutely does not want China's hackers rummaging around through its critical infrastructure getting up to no good. But what can it do? The US is already engaged in an on-again off-again trade war involving tariffs, critical minerals and AI technology transfer. Concerns about Volt Typhoon are lost in the noise.
The paper also briefly describes the "toolbox" of options that policymakers can use to respond. This isn't the paper's focus but it suggests "military posturing or operations" as an option.
The paper presents a framework to decide when cyber operations cross important thresholds that are worth responding to. As US policymakers are thinking about legislation aimed at deterring foreign cyber adversaries, this work could be useful.
Iranians Share Deadly Cyber Intelligence With Proxies
Last month, AWS reported that state actors were "bridging cyber and kinetic warfare". Colour us totally unsurprised, although it is interesting that the two case studies AWS cites involve Iran.
In one case study, a group controlled by the IRGC compromised the Automatic Identification System (AIS) maritime situational awareness systems of a number of ships. Access to those AIS systems was then used to locate a specific vessel which was targeted by a missile strike from Houthi forces.
In another, a group operating on behalf of the Iranian Ministry of Intelligence and Security compromised Israeli IP security cameras to help target missiles and conduct battle damage assessments. This has become a workaday war hack. In early 2024 we wrote about Russia using essentially the same CCTV compromise technique to better target missiles in Ukraine.
It is interesting to see Iran integrating its cyber espionage intelligence with its own forces and its proxies, though.
Mr Claude Goes to Washington
Anthropic has been called to testify to Congress about a Chinese group using Claude Code in an AI-powered cyber espionage campaign.
It is a positive that lawmakers are interested in understanding the implications of AI for cyber security. And they are interested in pretty sensible topics such as how other AI tools could be used in other similar attacks and how AI could be used defensively, as reported by Axios.
We'd also be interested in how far behind Claude Code open source and Chinese models are. Is it just a matter of time before adversary threat actors migrate away from places where US AI companies have visibility?
So far, both OpenAI and Anthropic have released fairly regular threat reports despite there being no requirement for them to do so.
Of course, these platforms being abused by China's Ministry of State Security is hardly a good news story, so there will no doubt be pressure from some forces within these companies to pull back efforts to detect and counter their malicious use.
That'd be bad, so this hearing is a good opportunity to reinforce the expectation that AI companies devote effort to countering malicious users on their platforms.
Three Reasons to Be Cheerful This Week:
- Cryptomixer bust: This week Europol announced that a law enforcement operation had taken down the cryptocurrency mixing service Cryptomixer. It obfuscated currency flows by pooling deposits for a long time, and then redistributing funds after a randomised time delay. The service was available on both the clear and dark web. Europol says it was the "platform of choice for cybercriminals". It claims that €1.3 billion has been mixed through the service since 2016.
- Browser opt-out is coming: A new California law set to come into effect in 2027 will require browsers to have a single setting for users to opt out of data sharing when visiting sites. The law applies only to California residents, but effectively has a global impact because it does so even if they are travelling or using a VPN. It's an idea whose time has come and the European Union is moving in a similar direction.
- Myanmar scam site takedown: The US Department of Justice announced it had taken down a website used by a Myanmar scam centre that was spoofing that of the legitimate forex and commodities trading platform TickMill. A single site is a small victory, but it is a good sign of increased US government focus on Southeast Asian scam syndicates.
Sponsor Section
In this Risky Business News sponsor interview, Mike Lashlee, CSO of Mastercard, talks to Tom Uren about why the company got into threat intelligence.
Mike talks about bringing together payments insights with threat intel to get strong signals about fraud or crime, the benefits of international collaboration and when it makes sense for your CSO to also be the CISO.
In this sponsored Soap Box edition of the Risky Business podcast, host Patrick Gray chats with Mastercard's Executive Vice President and Head of Security Solutions, Johan Gerber, about how the card brand thinks about cybersecurity and why it's aggressively investing in the space.
Shorts
Asian Scam Centres Are Still Growing
A few weeks back we were optimistic that reports of the demolition of the KK Park scam compound were actually good news, but experts now believe that it was mostly a PR exercise by the Myanmar government. It's not all peaches in Cambodia, either. Cyber Scam Monitor notes that "Cambodian government crackdowns appear to be short-lived and targeted mostly on smaller scam compounds." Larger sites appear to have been untouched, some are "massively" expanding, and new ones are still popping up.
Disappointing.
China: The World's Most Innocent and Fluffy Cyber Bunnies
Late last month the Chinese government released a white paper on arms control, and we thought one of the cyber-related sections was a good laugh. A short excerpt:
China opposes attempts to "own the domain" from a position of strength and carry out large-scale, systemic and indiscriminate theft and cyberattacks around the globe. It condemns a certain country's wanton targeting of other nations' critical infrastructure in cyberattacks, which places global critical infrastructure at grave risk.
It is reassuring to know that the PRC condemns Salt and Volt Typhoon!
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq wonder whether it is possible to deter states from cyber espionage with doxxing and other disruption measures.
Or watch it on YouTube!
From Risky Bulletin:
Evil twin hacker sentenced to 7 years: An Australian man was sentenced to seven years in prison for setting up fake WiFi networks to steal personal data. Michael Clapsis, 43, from Perth, ran fake free WiFi access points at the Perth, Melbourne, and Adelaide airports, during multiple domestic flights, and at work. He used evil twin attacks to redirect users to phishing pages and capture credentials. He then accessed personal accounts and collected intimate photos and videos of women. Clapsis also hacked his employer and accessed emails between his boss and police after his arrest. [ABC]
CCTV hackers detained in South Korea: South Korean authorities have arrested four individuals who hacked more than 120,000 security cameras, downloaded footage, and sold the data on adult-sharing portals. [ChosunBiz]