The Australian Government Will Shut Down AN0M Evidence Appeals
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Stairwell.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.
The Australian Government has proposed legislation to retrospectively guarantee that evidence collected by the AN0M crimephone sting operation is admissible in court. (Crimephone is the Risky Business HQ term for dedicated encrypted devices that are marketed in criminal networks to facilitate illegal activity).
This is an extremely unusual move, but there is a lot at stake here. The Australian Federal Police (AFP) described the AN0M operation as the "largest organised crime investigation in the Southern Hemisphere" and if the evidence is ruled inadmissible there may not be another opportunity to strike such a large blow against organised crime.
The Surveillance Legislation (Confirmation of Application) Bill 2024 is aimed squarely at evidence collected by AFP's Operation Ironside. This operation was jointly conducted with the FBI, which called it Operation Trojan Shield and is entertainingly chronicled in Joseph Cox's book Dark Wire.
In this operation, an encrypted smartphone application called AN0M was developed and marketed to criminals in the aftermath of the 2018 shutdown of the Phantom Secure crimephone. AN0M's encryption was legit, but police were blind cc'd on every message that its users sent. Better yet, the system geotagged messages with precise locations. Per the AFP's press release describing the operation:
We built capability and computers that allowed law enforcement across the world to access, decrypt and read communications in an app called AN0M. Covertly run by the FBI, AN0M was installed on mobile phones that were stripped of other capability. The mobile phones, which were bought on the black market, could not make calls or send emails. They could only send messages to another device that had the organised crime AN0M app. Criminals needed to know a criminal to get a device.
The devices organically circulated and grew in popularity among criminals, who were confident of the legitimacy of the app because high-profile organised crime figures vouched for its integrity. These criminal influencers put the AFP in the back pocket of hundreds of alleged offenders.
The AFP said that as of August this year, in Australia alone, 392 offenders had been charged in relation to the operation and over 6600 kg of drugs and AUD$55.6m of cash seized. Although a number of people have already been sentenced, dozens of accused people have challenged the admissibility of evidence collected via AN0M.
These defendants argue that although police had surveillance device and computer access warrants, what occurred with AN0M was actually telecommunications interception and should have been authorised with a Telecommunications (Interception and Access) Act (TIA Act) warrant.
The South Australian Court of Appeal ruled in June this year that the evidence collected during Operation Ironside was legal. Although this was a favourable decision for police, it was possible the ruling could be overturned in Australia's High Court. The full judgement delves into questions about the distinction (or not) between a smartphone, an app on that smartphone, the Android operating system, and the telecommunications system. The court ultimately ruled that copying data on a device was not the same as it being 'passed or carried' over a telecommunications system, so interception hadn't taken place.
The proposed surveillance legislation is designed to eliminate the possibility the ruling is overturned and essentially says 'nothing to see here, everything is good, it was all collected under a warrant bro and no, there wasn't any interception'. The bill is narrowly scoped, and applies to seven specific computer access or surveillance device AFP warrants and four specific search warrants, but applies retrospectively to all relevant civil or criminal proceedings.
Greg Barns SC of the Australian Lawyers Alliance described the proposed surveillance bill to Seriously Risky Business as "extraordinary legislation". He said that "governments should not be in the business of passing retrospective legislation that undermines the rights of an accused person".
A King's Counsel we spoke to, Michael Whitten, was more philosophical. He agreed that the proposed legislation was "very unusual", but also pointed out that "the separation of powers ensures parliament supremacy when it comes to the making of laws or amending existing ones subject to constitutional limits".
When viewed from this perspective, this is just the Australian parliament saying 'the way police gathered evidence in Operation Ironside was fine'. Of course, the normal course of affairs is that parliament issues or amends laws after the court's interpretations don't match its policy direction, not before.
There is a suite of different warrants that could have been relevant to the AN0M app — surveillance device, computer access and telecommunications interception warrants. Although the judgements in the AN0M-related court cases have been favourable to prosecutors so far, they show that the boundaries between these warrants are more ambiguous than perhaps people thought.
Both the government and opposition support the proposed surveillance bill, so it will likely pass and solve this ambiguity when it comes to Operation Ironside. But it is past time to make sure that the boundaries between these warrants are more clearly defined for future operations. It won't be the last time that the techniques used in Ironside could be valuable.
When Red Teamers Don't Tidy Up Afterwards
CISA has published another sterling red team assessment report on its efforts against an unnamed US critical infrastructure organisation.
Although CISA wasn't able to gain access via phishing (Hooray!), its team "gained initial access through a web shell left from a third party’s previous security assessment." (Doh!). To (very uncharitably) summarise the lessons learned, the organisation's leadership didn't care enough about security, its staff weren't trained or resourced to do a good job, and it didn't have enough technical controls to detect and prevent malicious activity.
In addition to a set of recommendations for network defenders within organisations, CISA notes that "insecure software is the root cause of many of these flaws and responsibility should not fall on the end user" and provides a set of recommendations for software manufacturers.
These include eliminating default passwords, mandating MFA, and focusing on making systems secure by default. Other recommendations feel more ambitious, such as "embed security into product architecture throughout the entire software development lifecycle" and "design products so that the compromise of a single security control does not result in compromise of the entire system".
It's a good report, but it highlights the depth of the problem. Sigh.
Microsoft Wants Trump to Try Harder on Cyber
Brad Smith, Microsoft's Vice Chair and President, has told the Financial Times (republished by Ars Technica) he hopes "that the Trump administration will push harder against nation-state cyber attacks, especially from Russia and China and Iran".
"We should not tolerate the level of attacks that we are seeing today," he continued.
That's a fine sentiment, but unfortunately there is no international relations magic bullet that will solve cyber espionage or destructive military cyber operations.
Our assessment is that Trump does not care about cyber security as an independent topic, but instead focusses on bigger issues such as 'competition with China'. And that's about right. When it comes to state competition, cyber operations are a means to an end and not an end in themselves, so cyber is secondary in the scheme of real-world geopolitics.
Microsoft, meanwhile, might instead do well to look within. Many of the most serious state-backed cyber attacks target deficiencies in its products, and it's actually in a position to do something about that.
Three Reasons to Be Cheerful This Week:
- Operation Serengeti arrests 1,006: Authorities from 19 African countries have arrested over 1,000 suspects allegedly involved in a range of activities including ransomware, business email compromise, extortion and online scams. More than 35,000 victims were identified during the operation and cases linked to more than USD$193m in losses worldwide.
- Professional Liability Insurance for CISOs: Although the charges against SolarWinds CISO Timothy Brown were ultimately dismissed, it is probably a good idea to at least investigate professional liability insurance. And now it's available!
- UK to help allies with IR: The British government will launch a new capability to help partner countries deal with cyber incidents, particularly those affecting critical infrastructure. This mirrors efforts by the Australian government in the Pacific and the US's aid fund, so better late than never.
Sponsor Section
Stairwell lets you know if, when, and where malware has ever been on your systems by collecting, storing, and continuously reassessing every executable file and indicator of compromise in your environment.
In this Risky Business News sponsored interview, Tom Uren talks to Mike Wiacek, CEO and founder of Stairwell, about the occasionally dysfunctional relationship between IT and security teams. Mike talks about how security vendors need to reach out to turn IT teams into allies.
Shorts
FTC Launches Microsoft Probe
In late breaking news, Bloomberg is reporting that the US Federal Trade Commission (FTC) has opened an antitrust investigation into Microsoft. The investigation will cover Microsoft's software licensing practices, cloud computing business, cyber security offerings and AI products.
Salt Typhoon Hack Turning Into A Nightmare
The more we learn about the Chinese hack of US telecommunications firms, the worse it gets. Per The New York Times:
They have learned that the Chinese hackers got a nearly complete list of phone numbers the Justice Department monitors in its "lawful intercept" system, which places wiretaps on people suspected of committing crimes or spying, usually after a warrant is issued.
…
As a result, officials said, the penetration almost certainly gave China a road map to discover which of China’s spies the United States has identified and which they have missed.
When we first heard of this story, this was probably the worst case scenario. However, there is also increasing concern that the hackers will be difficult to evict. Yikes.
You Can't Keep a Good Story Down
Reporters Without Borders has examined how interests associated with Appin, an Indian cyber security firm, have used legal action to shut down reporting on the company or its founder Rajat Khare.
These actions affected Seriously Risky Business and its partner Lawfare, where this newsletter is syndicated, when we wrote about the topic. The good news is that the original Reuters article we referred to, which describes how Appin alumni are involved in a number of firms in India's hack-for-hire industry, was restored online on 25 October after a New Delhi court lifted its takedown order.
When Banning Two Million Is Not Enough
Meta says it has taken down over two million accounts linked to scam centres in Myanmar, Laos, Cambodia, the UAE and the Philippines this year. It is also rolling out protections including warnings about suspicious interactions or cold calls from people you don't know and providing contextual information about group chats you are invited to join.
These efforts are good, but they are only really speedbumps for scammers. Meta notes that:
The scale and sophistication of this threat is unprecedented, with the US Institute of Peace estimating that up to 300,000 people are forced into scamming others around the world by these criminal groups, with about $64 billion stolen worldwide annually as of the end of 2023.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about different views on attribution and why it still matters for sophisticated state-backed groups.
From Risky Biz News:
Four PR firms are behind a Chinese propaganda network: Google has removed from its search and news index hundreds of domains that were operated by four Chinese-based PR firms that published pro-PRC propaganda to international audiences.
The companies ran two newswire services where they published articles and collectively pulled content to distribute through their own "independent" news websites.
The articles were low-quality rewordings of stories from Global Times, a PRC state-controlled media outlet, designed to push China's views on various topics through smaller news sites and give the impression of mass consensus and authenticity.
News stories covered the PRC's territorial claims over the South China Sea, Taiwan, controversies over the Xinjiang region, coverage of the COVID-19 pandemic, conspiracy theories, and even ad hominem attacks targeting regime critics.
[more on Risky Business News]
US charges five Scattered Spider members: The US Department of Justice has unsealed charges against five suspected members of the Scattered Spider hacking group.
The five include four Americans and one British citizen.
- Ahmed Hossam Eldin Elbadawy, 23, aka "AD," of College Station, Texas;
- Noah Michael Urban, 20, aka "Sosa" and "Elijah," of Palm Coast, Florida;
- Evans Onyeaka Osiebo, 20, of Dallas, Texas; and
- Joel Martin Evans, 25, aka "joeleoli," of Jacksonville, North Carolina; and
- Tyler Robert Buchanan, 22, aka "tylerb," from the United Kingdom.
Three of the five are confirmed to be in custody. Evans was arrested this week, Buchanan in June, and Urban in January.
[more on Risky Business News, including much more about background, targets and techniques used by Scattered Spider]
Banshee Stealer shuts down after source code leak: The developers of Banshee Stealer, an infostealer that targets macOS systems, have shut down their operation after an unidentified individual leaked their malware's source code online.
The incident took place earlier this week and was announced via hacking forums and Telegram channels.
The Banshee group launched its operation in August and is one of several macOS infostealers that were released this year.
[more on Risky Business News, including Banshee Stealer's high price and the possibility the leak was from an unsatisfied customer.]