The CIA is Too Stupid To Know It's Stupid

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray with help from Catalin Cimpanu. It's supported by the Cyber Initiative at the Hewlett Foundation and founding corporate sponsor Proofpoint.

A report from Reuters and a short statement from Citizenlab published last week shed more light on the compromise of a CIA "covert" communications (COVCOM) system by Chinese and Iranian counterintelligence agencies in the late 2000s. According to the two reports, this covert system was mind-blowingly bad, and its compromise led to the death of dozens of agency sources in both China and Iran.

The CIA COVCOM compromise was originally reported in 2018 after the loss of CIA sources in Iran and China from 2009 through to 2013. Zach Dorfman, who initially reported the system's compromise, has a good overview of the entire story with links to various media reports.

While reporting on the CIA's broader Iran effort, Reuters learned of a specific website — iraniangoals[.]com — that an Iranian asset had used to communicate with the CIA. Reuters asked Bill Marczak of the University of Toronto’s Citizen Lab and Zach Edwards of Victory Medium to examine the site to see what they could find in artefacts recorded by the Internet Archive’s Wayback Machine.

Marczak and Edwards pulled the whole thing apart with some very simple analysis. By viewing the source of the iraniangoals[.]com website they were able to reveal hidden messaging functions like "message" and "compose". From there, the duo were able to enumerate a network of hundreds of similar websites dating back to 2004 and ostensibly devoted to beauty, entertainment and fitness. From Reuters:

Each fake website was assigned to only one spy in order to limit exposure of the entire network in case any single agent was captured, two former CIA officials told Reuters.

But the CIA made identifying those sites easy, the independent analysts said. Marczak located more than 350 websites containing the same secret messaging system, all of which have been offline for at least nine years and archived. Edwards confirmed his findings and methodology. Online records they analyzed reveal the hosting space for these front websites was often purchased in bulk by the dozen, often from the same internet providers, on the same server space. The result was that numerical identifiers, or IP addresses, for many of these websites were sequential, much like houses on the same street.

Citizenlab says that by spidering out from iraniangoals[.]com, it "identified a network of 885 websites and have high confidence that the United States (US) Central Intelligence Agency (CIA) used these sites for covert communication".

The websites included similar Java, JavaScript, Adobe Flash, and CGI artefacts that implemented or apparently loaded covert communications apps. In addition, blocks of sequential IP addresses registered to apparently fictitious US companies were used to host some of the websites. All of these flaws would have facilitated discovery by hostile parties.

Reuters reports these websites appear to have been present in "in at least 20 countries, among them China, Brazil, Russia, Thailand and Ghana".

From the perspective of a former intelligence professional, this is all horrifying. It very much feels like the COVCOM system a new engineering graduate would create in their first three months at the agency that somehow, mystifyingly, ended up as an operational system without proper security assessment and review.

We don't even think that the fundamental premise of the entire system — that purpose-built fake websites are a good front end for a COVCOM system — is correct. The problem here is that potential COVCOM websites and their users can be detected by answering two relatively straightforward questions. Which websites get very few visits? Who visits them?

These questions may not be tractable for an entire country, at least not in the early 2000s and possibly not today, at least in some places. But they are definitely questions counterintelligence services could answer when they have a small number of suspect individuals. For any individual CIA asset whose internet use is being monitored, the COVCOM site they use will stick out like a sore thumb, regardless of its purported cover and name.

Far better to hide in the noise of a service commonly used by real people than in a pretend website that nobody except a spy visits. Russian cyber espionage group Turla has, for example, communicated via comments on Britney Spears’ Instagram account (although in fairness to the CIA, Instagram wasn't created until 2010).

Despite this horrendous failure, however, this newsletter doesn't buy the narrative that the CIA was reckless or cavalier with agent safety — we think they were simply too incompetent to know that what they were doing was stupid.

A former HUMINT agency officer told this newsletter that these organisations' paramount desire is to keep sources safe for completely selfish reasons. Not only does it protect people in the field — both agents and officers — but also the agencies' credibility. Getting agents killed or arrested drastically limits the ability to recruit sources in the future.

So you'd think that for a COVCOM system getting some expert outside perspectives — from NSA, for example — would be the obvious thing to do, but we have absolutely no doubt that this didn't occur here. The flaws are too many and too varied for that to have occurred.

We wonder if HUMINT agencies' overwhelming desire to protect sources was counterproductive in this case. Perhaps the CIA didn't share details of its system more widely in a misguided attempt to protect its methods?

Although the officer we spoke with agreed that outside review was the obvious thing to do, he also wasn't surprised that the CIA had struggled in this case. Early 2000s HUMINT agencies were not particularly internet savvy and were struggling with the fundamental shift from cold war to internet technologies.

There is definitely organisational failure here, but rather than it being in the way it treated and cared for assets, we believe that at heart the problem was the CIA's inability to recognise and adapt to change. It wasn't even able to recognise that what it was doing was woefully inadequate. We are sure that the designer of this COVCOM system had no idea that thanks to Internet archives the entire system would be laid bare by a university-based research lab a decade after it was decommissioned.

This was a terrible intelligence catastrophe and it doesn't appear that any individual has been held accountable. But who is responsible when your entire organisation is living in the past? And where else might this become a problem?

An outdated mindset has implications beyond COVCOM. Back in December we wrote:

The PRC has also used stolen data (such as personnel clearance information and hotel and airline travel records) to identify and disrupt US intelligence operations. And creating a background or "legend" for operatives that passes scrutiny in this environment is extremely difficult.

HUMINT tradecraft alone is not enough to avoid being snapped by competent counter intelligence agencies. It also needs to be coupled with an absolutely top-notch understanding of how to operate safely in today's world where adversaries have access to troves of revealing data, operate extensive surveillance networks in their own territories and heavily use technologies like facial recognition.

In that article, we quoted a public speech by Richard Moore, the head of the UK's Secret Intelligence Service, aka MI6, in which he spoke of the need for MI6 to embrace technology to enable human intelligence. Moore said "we have traditionally relied primarily on our own capabilities to develop the world class technologies we need to stay secret and deliver against our mission". He didn't think that was good enough anymore, however, and continued "we must become more open, to stay secret".

Moore's speech is both a reason for optimism, in that he's delivering the right message, but  also a reason for pessimism as he's delivering it in 2021 (and not in 2014).

Since the CIA's COVCOM fiasco, the world, and the way that data and biometrics can be used to track and surveil people, continues to change and advance. Have the CIA and its sister agencies recognised that and adapted? Are they asking SIGINT agencies for their perspective? Let's hope so.

North Korea Has A Smartphone Hacking Scene

We missed it at the time, but Lumen, (not Lumen Technologies, rather a US non-profit organisation focussed on providing North Koreans with uncensored communications), published a deep-dive into North Korea's digital control system back in April.

North Korean smartphones use a customised version of Android that implements many different types of restrictions, including an in-your-face monitoring system:

The ubiquitous Trace Viewer (열람리력) app is a standard feature of every North Korean smartphone and is an ever-present reminder that big brother is watching when the phone is in use.

The software randomly snaps photographs [Ed: screenshots] while the phone is switched on and stores them in a directory where they cannot be erased.

Despite this attempt at state control, or perhaps because of it, the report finds there is a smartphone hacking scene in North Korea.

We interviewed two escapees who independently told us how groups of friends or associates would help each other to get around the state controls on smartphones. The scale of the hacking still appears to be minor, but recent changes to North Korean law indicate national authorities view it as a serious problem.

North Koreans root phones to bypass security protections and install different applications and media files that wouldn't otherwise be allowed. And sometimes just to install a different start-up screen, game, or photo filter.

Both escapees stressed that rooting is far from common in North Korea. Kim estimated less than 10 percent of people might have attempted it while Park estimated around 30 percent of the university students he knew had done it.

To us, 10 percent actually sounds like a huge number, relatively. The report believes that, ironically, the smartphone rooting scene is in part due to North Korean government efforts to educate programmers. These programmers are sent overseas to earn money for the state doing contract software development work or hacking, but in the process also learn enough to root phones.

Our thanks to our Risky.Biz colleague Catalin Cimpanu who flagged this report for us to look at.

Russia’s Cyber War Is Going About as Well as Its Land War

Lindy Cameron, the head of the UK's NCSC, has discussed the cyber dimensions of the Russia-Ukraine war in a public speech.

Cameron described the cyber conflict as "most sustained and intensive cyber campaign on record — with the Russian State launching a series of major cyber attacks in support of their illegal invasion in February".

She's clear that cyber operations are now a standard part of warfare.

"Both sides are using cyber capabilities to pursue their aims. Both sides understand the potential of integrating cyber and information confrontation with their military effort."

Cameron noted that Russian cyber attacks do not seem to have had the intended impact that Russia wanted:

In many ways, Russia has made Ukraine match fit over the last ten years by consistently attacking them…

But if the Ukrainian cyber defence teaches us a wider lesson — for military theory and beyond — it is that in cyber security, the defender has significant agency. In many ways you can choose how vulnerable you can be to attacks.

This activity has provided us with the clearest demonstration that a strong and effective cyber defence can be mounted, even against an adversary as well prepared and resourced as the Russian Federation.

Hope for us all, really.

Three Reasons to be Cheerful this Week:

1. Ransomware rewards bear fruit: Security firm Trellix has written about a disgruntled REvil insider who provided TTPs, internal relationships and information on the group’s operations. The insider offered to provide identifying information on high-level criminals in return for a reward and Trellix wrote "we were able [to] find the right law enforcement partner to act on the anonymous source. However, they needed some time to prepare before we could hand over the source." We are taking this as proof positive that various State Department ransomware rewards are bearing fruit.
2. US candidate wins ITU Presidency: Doreen Bogdan-Martin has been elected as the next International Telecommunications Union Secretary-General starting next year. It can be hard to see what is at stake in elections at these traditionally technically-focussed multilateral organisations, but this newsletter is glad we don't have to find out what happens when a Chinese or Russian representative is heading the ITU.
3. Netwalker ransomware affiliate gets 20 years: A Canadian man, Sebastien Vachon-Desjardins, has been sentenced to 20 years in prison for his involvement as an affiliate in the Netwalker ransomware scheme. Vachon-Desjardins made tens of millions of dollars in around a year and forfeited USD$21.5m as part of a plea agreement.

Sponsor Section

A new Proofpoint and Cybersecurity at MIT Sloan report examines boards of directors' perceptions about key challenges and risks. It finds that although cyber security is high on the agenda in board rooms there are some interesting differences in perception between CISOs and boards.

These differences cover the gamut from how likely a material cyber attack is, whether malicious insiders are a top concern and what the most important consequences of a cyber attack are.

Another significant concern is that awareness and funding do not translate into preparedness. Most respondents thought their board recognised cyber security risk, there was adequate investment and that data was protected, but despite that nearly half thought their organisations weren't prepared for a cyber attack.

Download the report here.

Analysing Files to identify threats with Stairwell's Inception platform

Risky Business publishes sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors. You can subscribe to our product demo page on YouTube here.

In our latest demo, Mike Wiacek shows Patrick Gray how to hunt down and triage suspicious files within your enterprise using Stairwell's file analysis and threat detection platform.

Shorts

Google Launches "Hacking Google" Video Series

Google has released a new six-part documentary series profiling various Google security teams including the Threat Analysis Group and Project Zero among others.

We've seen Episode 000 so far and it's great fun. It covers the 2010 "Operation Aurora" hack from Google's perspective (although dozens of other US companies were also affected). This was a watershed moment in cyber security history and it resulted in both a significant change in Google's security posture and its relationship with China. Google's remarkably frank and norm-shattering press release on the hack from back then will get you primed for viewing.

The Tabloids Will Always Let You Down

Hacktivist group Guacamaya which we mentioned in late September is having some impact in South America, particularly in Mexico. Despite that, the group told The Record that it was not particularly happy that journalists had focused on Mexican President López Obrador's health rather than on the environmental impacts of Tren Maya, an intercity railway megaproject.

Someone Is Actually Using Stego In The Wild

The Witchetty espionage group has been hiding malware in an old Windows logo image. A Symantec report that covers the technique notes that:

Disguising the payload in this fashion allowed the attackers to host it on a free, trusted service. Downloads from trusted hosts such as GitHub are far less likely to raise red flags than downloads from an attacker-controlled command-and-control (C&C) server.

After gaining initial access to a network with Microsoft Exchange ProxyShell or ProxyLogon vulnerabilities, Witchetty moves laterally to other computers. It then installs malware on these machines by downloading the malicious Windows logo from a free trusted hosting service and extracting the backdoor steganographically hidden within the file.

Symantec reports that Witchetty has "targeted the governments of two Middle Eastern countries and the stock exchange of an African nation". Symantec doesn't speculate about attribution, but points out that Witchetty is the same as ESET's LookingFrog, which ESET believes is "loosely associated" with APT10. ATP10 is associated with the Chinese Ministry of State Security's Tianjin bureau.

Chinese Tor Users Decloaked

Kaspersky researchers identified a malicious Tor Browser installer infected with spyware that only infects Chinese Tor users. The OnionPoison implant doesn't collect passwords or cookies, but instead gathers information that can be used to identify victims such as social networking account IDs and WiFi network details along with browsing histories. The installer was promoted on a popular Chinese-language YouTube channel devoted to internet anonymity and the malware only activates on computers located in China. This suggests the targets of the campaign are Chinese VPN users who are accessing YouTube to get information on how to run Tor. (YouTube is blocked by The Great Firewall.)

Risky Biz Talks

In addition to a podcast version of this newsletter (last edition here), the Risky Biz News feed  (RSS, iTunesor Spotify) also publishes interviews.

In our last "Between Two Nerds" discussion Tom Uren and The Grugq discuss the ways in which even large cyber agencies such as NSA are constrained .

From Our Risky Biz News Newsletter:

Twitch limits browser logins as it deals with massive bot attack: Live streaming service Twitch dealt with a major bot attack this week and was forced to block logins from exotic browsers to prevent a threat actor from mass-creating new accounts to be used in future hate raids.

According to a developer who creates Twitch-centred software, more than 4 million new accounts were created over the course of roughly 30 hours between late Sunday and early Tuesday this week. (continued)

China blocks several protocols used to bypass the Great Firewall: The operators of China's Great Firewall have rolled out an update this week that has blocked several protocols that have been recently utilized by Chinese citizens to bypass the country's internet censorship system. (continued)

NSA, CISA, FBI advisory: The NSA, CISA, and the FBI issued a joint security advisory on Tuesday, warning about APT attacks against US Defense Industrial Base organisations. The advisory specifically mentioned the attacker's propensity to use an open-source tool named Impacket to gain an initial foothold inside orgs and the use of a private tool called CovalentStealer to exfiltrate data from the victim's systems.