The Cyberespionage Gig Economy

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Authentik.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Foreign intelligence services are experimenting with new ways of using domestic proxies to facilitate overseas operations.
In the Netherlands, two teenagers have been arrested after reportedly being recruited by pro-Russian hackers on Telegram to assist with cyber espionage operations. Dutch authorities allege that the pair were tasked with Wi-Fi collection along a route in The Hague that went past Europol, Eurojust and the Canadian embassy.
Russian intelligence agencies have been recruiting locals across Europe since at least 2022. They've been hired for sabotage, surveillance and, bizarrely, spray painting graffiti. Recruiting locals for cyber espionage, however, is new. But it makes sense.
Cyber espionage is typically conducted from a distance, although Russian intelligence has a history of travelling to carry out on-site operations when remote compromise is unsuccessful. Being within Wi-Fi range of a target opens up options that remote access doesn't. But it does come with a greater risk of getting caught.
Back in 2018 four Russians from Unit 26165 of the GRU were arrested by Dutch authorities while attempting to hack into the Wi-Fi of the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague. At the time the OPCW was investigating the chemical weapons attack on Sergei Skripal and his daughter. The GRU has also targeted US and international anti-doping and sporting organisations with on-site operations in Rio de Janeiro, Brazil and Lausanne, Switzerland.
The aim of these operations was to get initial access to targets, typically by subverting the Wi-Fi networks victims were using. If access was obtained, longer term collection was passed off to a team in Russia.
We doubt that Dutch teenagers are a competent replacement for skilled Russian hackers. But using them is cheaper, less risky, and perfectly fine for some tasks. Employing lackeys to map Wi-Fi networks in areas of interest could give the GRU a head start with more intricate remote operations.
A good example would be what has been dubbed a "nearest neighbour attack". In 2022, Russian GRU hackers gained access to their victim via Wi-Fi after daisy-chaining through multiple organisations located nearby. Ground truth on the Wi-Fi networks surrounding a target would be helpful for these types of attacks.
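As an added illustration, not something from the newsletter itself: this is what "ground truth" looks like once a walked survey has been written down. Each survey point records which networks were audible and how strongly. Two networks heard at the same point at a usable level overlap, meaning a device on one could plausibly reach the other, and a search over that overlap graph gives the shortest hop chain from a network an attacker already holds to the target. Every name, BSSID and signal level below, and the -75 dBm usability cut-off, is constructed for the example.

```python
from collections import defaultdict, deque

# Constructed Wi-Fi survey with hypothetical names: one row per
# (survey point, network heard there). RSSI in dBm, as a scanner would log it.
SURVEY = [
    ("p1", "TargetCorp",    "aa:bb:cc:00:00:01", -55),
    ("p1", "LawFirm-Guest", "aa:bb:cc:00:00:10", -70),
    ("p2", "TargetCorp",    "aa:bb:cc:00:00:02", -58),
    ("p2", "LawFirm-Guest", "aa:bb:cc:00:00:11", -72),
    ("p2", "Cafe",          "aa:bb:cc:00:00:20", -60),
    ("p3", "Cafe",          "aa:bb:cc:00:00:20", -64),
    ("p3", "AcmeLogistics", "aa:bb:cc:00:00:30", -57),
    ("p4", "AcmeLogistics", "aa:bb:cc:00:00:31", -59),
    ("p4", "HomeNet",       "aa:bb:cc:00:00:40", -80),  # too weak to be usable
]


def build_overlap_graph(survey, min_rssi=-75):
    """Two networks overlap if both were heard at the same survey point at or
    above min_rssi: a device sitting on one could plausibly join the other."""
    heard_at = defaultdict(set)
    for point, ssid, _bssid, rssi in survey:
        if rssi >= min_rssi:
            heard_at[point].add(ssid)
    graph = defaultdict(set)
    for ssids in heard_at.values():
        for a in ssids:
            for b in ssids:
                if a != b:
                    graph[a].add(b)
    return graph


def neighbours_of(survey, target, min_rssi=-75):
    """Networks whose coverage overlaps the target's: the candidate 'nearest neighbours'."""
    return set(build_overlap_graph(survey, min_rssi).get(target, set()))


def shortest_chain(graph, start, target):
    """Breadth-first search for the fewest Wi-Fi hops from a network already
    held (start) to the target. Returns the list of networks, or None."""
    if start == target:
        return [start]
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt in prev:
                continue
            prev[nxt] = node
            if nxt == target:
                path = [nxt]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


if __name__ == "__main__":
    graph = build_overlap_graph(SURVEY)
    print("networks overlapping TargetCorp:", sorted(neighbours_of(SURVEY, "TargetCorp")))
    print("chain from AcmeLogistics:", shortest_chain(graph, "AcmeLogistics", "TargetCorp"))
```

The same script is just as useful from the defender's side: run over your own survey, neighbours_of lists the organisations whose compromise would put an attacker within radio reach of your network, which is the list you want when deciding who to ask about their Wi-Fi hygiene.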
Although Russian operations have been caught twice in the Netherlands, we think that is less about its high-value targets and more because the nation has an effective counterintelligence service. We expect the recruitment of pawns for cyber espionage is occurring in other countries, too.
Meanwhile, in New York…
A foreign intelligence service appears to have taken advantage of what looks like a spam service in New York state.
Last week the US Secret Service dismantled a network in the tristate area consisting of more than 300 SIM boxes and 100,000 SIM cards.
The Secret Service's announcement of the bust said the network had been used to send threats to senior US government officials and highlighted the potential for telecommunications disruption. Still, we expect the main purpose of the network was criminal.
It was far too large for a state-backed operation targeted at VIPs for swatting or spearphishing. At the same time it was too small for a telecommunications disruption operation, given the size of New York and its multiple mobile networks. 300 SIM boxes and 100,000 SIMs, however, is just the right size to send lots and lots of spam.
So it is a bit surprising the Secret Service said initial forensic analysis indicated "cellular communications between nation-state threat actors" as well as to criminals known to federal law enforcement, including cartel members.
This sounds like a covert communications system where threat actors stymie law enforcement telecommunications interception capabilities by constantly using different SIMs to send messages. Piggybacking on this network could mean that threat actors were hiding in a sea of spam. The Secret Service hinted at this, saying that the network could be used for anonymous encrypted communications.
Western intelligence agencies are control freaks, so for them it would be unthinkable to outsource functions as important as covert comms or cyber espionage. But some foreign intelligence agencies think differently. Chinese cyber espionage, for example, is routinely carried out by commercial enterprises. Their intelligence agencies are willing to forgo tight operational control in return for some level of plausible deniability and a lot more intelligence.
With that kind of approach to risk, why not outsource covert comms too? It appears at least one country is trying.
It's a DOGE's Breakfast
A new report by Senate Democrats has accused the Department of Government Efficiency of operating outside of federal law and putting Americans' most private data at risk.
These types of oversight reports usually come after significant hacks. They're valuable because they provide authoritative information and behind-the-scenes breakdowns of the incidents. Almost inevitably, they find that governance failures were key contributors to the hack. Reports on Conti ransomware's hack of Ireland's public health system and the 2015 pillaging of the US Office of Personnel Management are great examples of the valuable information gained through this type of reporting.
This report is different in that it hasn't been instigated by a major cyber incident and instead appears motivated by a dislike for DOGE. Although it pulls together information from visits to federal agencies, whistleblower disclosures, public media reports and legal filings, it is hard to know quite what to make of the report.
Still, even when disregarding specific allegations of risky data-handling practices, the description of DOGE's governance practices is concerning. The report says there is no clear governance structure. When the report's authors asked federal agencies about DOGE's activities, access and authorities:
senior officials at SSA [Social Security Administration], GSA [General Services Administration], and OPM [Office of Personnel Management] all failed to provide information about who was in charge; what conduct DOGE teams were engaged in; and what data those teams had been given access to, including the authorities and restrictions guiding their access. None of the agencies could answer simple questions about organizational charts and employee roles. During oversight trips, GSA and OPM would not even directly acknowledge the existence of their DOGE teams – despite the fact that Executive Order 14158 requires each agency to have a DOGE team comprised of at least four people. At the OPM site visit, officials provided staff with information that directly contradicted court documents filed on the agency’s behalf.
From a security perspective, the fundamental problem with DOGE is that rapid change was prioritised over strong security. Given that mandate, we are not surprised that robust governance was lacking.
Will choosing speed over security result in a significant data breach? Let's hope not.
Watch Amberleigh Jack and Tom Uren discuss this edition of the newsletter:
Three Reasons to Be Cheerful This Week:
- Key Scattered Spider member arrested: Researchers believe that a core player in the cybercrime group has been arrested. Thalha Jubair, 19, was arrested in the UK in mid-September and US authorities say they seized USD$36 million from a server Jubair controlled. CyberScoop has further coverage.
- Record bitcoin seizure: The UK has seized nearly USD$7 billion in bitcoin from a Chinese national who pleaded guilty to money laundering offences. Zhimin Qian ran a fraudulent investment scheme in China between 2014 and 2017, then fled to the UK where she attempted to launder the stolen funds.
- African cybercrime operation arrests 260: Interpol announced that Operation Contender 3.0 had resulted in the arrest of 260 suspects across Africa.
Sponsor Section
In this Risky Business sponsor interview, Authentik CEO Fletcher Heisler talks to Tom Uren about how identity providers (IdP) are fundamental to everything an organisation does. He explains how organisations are making themselves resilient by managing their redundancy and failover options.
Shorts
Cyber Security Reporter's Dream Job
BBC cybersecurity reporter Joe Tidy has amusingly described how he was asked to help ransomware his employer in exchange for a percentage of the ransom.
The ransomware actor, who called himself Syndicate, offered Tidy 25% of any ransom payment in exchange for login credentials and assistance bypassing MFA. What a deal!
Although it is easy for cyber security professionals to know that this won't end well, there are certainly employees in any reasonably sized firm who would accept these offers.
Big Tech Needs Spyware Protection
A new Atlantic Council report has recommended that legal protections for technology companies would encourage them to be more proactive in detecting and preventing spyware.
We're a bit bemused here. Key companies such as Apple, Meta and Google already run robust threat hunting programs. And they're not facing a flurry of lawsuits because their products are vulnerable to spyware.
Of course, it's worth considering smaller but still important players like Signal. It's widely used amongst US officials, but does not have the same resources available to the tech giants. Would a safe harbour law change that? Not by much, we don't think.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq discuss the power of cyber.
Or watch it on YouTube!
From Risky Bulletin:
Router APIs abused to send SMS spam waves: A mysterious threat actor is abusing Milesight industrial cellular routers to send SMS spam, also known as smishing, to users in several European countries.
According to French security firm Sekoia, the campaign has been silently going on without detection since at least February 2022.
The attackers are abusing a feature of Milesight routers that lets admins configure the device to send SMS alerts. Such a feature is common in industrial routers that connect remote equipment to a larger network via a cellular modem: the router alerts admins by SMS when the equipment's connection goes down and it may no longer be reachable for management.
[more on Risky Bulletin]
UK to bail out Jaguar Land Rover: The UK government has agreed to underwrite a £1.5 billion loan to Jaguar Land Rover to help the carmaker deal with the increasingly costly aftermath of a recent cyberattack that has crippled its production and shut down factories for almost a month.
The guarantee was approved on Sunday, after UK Business Secretary Peter Kyle visited the headquarters of JLR and its main supply chain firm Webasto this week.
JLR fell victim to a ransomware attack, supposedly from the HellCat group, on August 31. Production lines at all JLR factories have been shut down ever since, and the shutdown is expected to last into October.
[more on Risky Bulletin]
EU users to get free Windows 10 extended security updates: Most European users will receive Windows 10 Extended Security Updates (ESU) for free.
These are security updates that Microsoft will provide to users after the Windows 10 operating system reaches end-of-life on October 14, less than three weeks away.
These ESUs are now "completely free," with no strings attached, for any user in the European Economic Area (EEA). This includes users living in EU member states, and three other countries, Iceland, Liechtenstein, and Norway.
[more on Risky Bulletin]