The Spyware Ecosystem that Targets Human Rights
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Proofpoint.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.
A new report turns a harsh spotlight onto the commercial surveillance industry that markets spyware reportedly used by bad actors to target human rights defenders, dissidents and other 'high risk' users.
Published by Google's Threat Analysis Group (TAG), the report and accompanying blog describes what it calls a "lucrative industry" that sells governments and "nefarious actors" the ability to exploit vulnerabilities in consumer devices.
The report states that while spyware vendors point to their tools' "legitimate use in law enforcement and counterterrorism," analysis from Google and researchers from the University of Toronto’s Citizen Lab and Amnesty International uncovers the use of spyware against "high risk users" such as journalists, human rights defenders, dissidents and opposition party politicians.
TAG separates players in the commercial surveillance industry into four primary categories:
- Vulnerability researchers and exploit developers
- Exploit brokers and suppliers
- What Google calls commercial surveillance vendors (CSVs)
- Government customers
The report’s authors describe CSVs as:
private technology companies based all over the world. Rather than operating secretly like ransomware and extortion groups, many operate openly. Like any other software product company, they have websites and marketing materials, sales and engineering teams, job openings listed on their websites, publish press releases, and even attend conferences.
The number of CSVs around the globe is impossible to count, with new companies opening each year and existing ones reincorporating under new names. TAG currently tracks approximately 40 CSVs developing and selling exploits and spyware to government customers.
TAG then provides thumbnail sketches of five of these companies: Cy4Gate and RCS Lab, a company owned by Cy4Gate; Intellexa Alliance; Negg Group; NSO Group and Variston.
These sketches summarise public reports and information that describes how these companies' products have been used across the world.
The TAG report also cites an example of how some CSV services are marketed to potential clients, based on a 2021 pitch document for the Intellexa Alliance's Nova system, reported by the New York Times:
For €8 million the customer receives the capability to use a remote 1-click exploit chain to install spyware implants on Android and iOS devices, with the ability to run 10 concurrent spyware implants at any one time. In this example, while the spyware can only run on 10 different devices concurrently, it can be switched between devices or re-infect the same device for up to 100 infections.
A number of optional features were available at extra cost, according to the pitch document. For example, a base offering limited infections to local SIMs, but targeting phones in another five countries was available for an extra €1.2m. Having implants persist when victims rebooted their phones was available for an additional €3m.
The most impactful part of the TAG report examines the experiences of three people—a human rights advocate and two journalists—who, the report says, were targeted with Pegasus, spyware developed by NSO Group.
These stories are worth reading. Separately, Pegasus has reportedly been linked to harms to civil society all over the world. (Although NSO Group has pushed back against this reporting.)
More narrowly, the industry plays a significant role in cyber security. Google's report says CSVs are behind nearly half the 0day exploits it has identified from mid-2014 through 2023.
The report also provides a small illustration of the cut and thrust that takes place between CSVs and Google's product patching:
On April 14, 2023, Chrome released patches for CVE-2023-2033 and CVE-2023-2136, which Intellexa were using in a 0day exploit chain to install their spyware. Following the Chrome security update, TAG saw a dip in activity by Intellexa’s customers for over 40 days, followed by a spike in activity at the end of May when Intellexa released a new 0day exploit for the next version of Chrome. It took Intellexa roughly 45 days to develop and deploy a new 0day exploit for Chrome 113. TAG quickly discovered the new exploit and Chrome released a fix for the new 0day within four days. Intellexa’s customers were only able to use the new exploit for less than a week, as Chrome patched the bug, tracked as CVE-2023-3079, in an update released on June 5.
The report points out that these groups "pivot and persist" despite legal action and public reporting.
NSO Group continues to operate and is lobbying to be removed from a US blacklist. Other companies have changed names multiple times.
So, what to do about commercial spyware then?
Last week, a group of international governments and stakeholders launched the Pall Mall Process, "an ongoing globally inclusive dialogue to address the proliferation and irresponsible use of commercial cyber intrusion tools and services".
Interestingly, in its declaration, the Pall Mall process recognises that "many of these tools and services can be used for legitimate purposes". That's right, but it's something that Google's report gives short shrift to.
Rather than crushing the industry, the declaration focuses on four 'pillars': accountability, precision, oversight and transparency. Those are the kinds of things you focus on when tools are dual-use and can be used for good or ill.
A pretty good collection of governments and regional bodies signed up including, interestingly, both Greece and Poland. These two countries have both been accused of abusing commercial spyware for political advantage.
Unfortunately, the declaration announcing the Pall Mall process made absolutely no commitment to actually do anything, either. Despite that, we are hopeful because there are governments that are genuinely dedicated to tackling the problem.
Ukraine Adopts US 'Defend Forward' Strategy
A Ukrainian government official has declared that the country's cyber forces have gone on the offensive.
At a conference held in Kyiv, Illia Vitiuk, the head of cyber security at Ukraine's security service (the SBU) said that the country had to "act proactively" according to The Record. Vitiuk likened this offensive strategy to US Cyber Command's defend forward strategy, which aims to 'disrupt malicious cyber activity at its source'.
The first indication of this change in strategy came in October last year, when an anonymous security service source linked the hack of a Russian bank with the SBU. Since then, the GUR, Ukraine's military intelligence agency, has:
- announced in mid-December that Ukrainian defence intelligence cyber units "completely eliminated" Russia's Federal tax service and disrupted the company that serviced its IT;
- claimed responsibility in late January for destroying "the entire IT infrastructure" of IPL Consulting, a company that provides IT services to the Russian defence-industrial complex; and
- said in early February it had disrupted the system Russian forces use to reprogram DJI drones for military operations.
These operations make sense because they aimed for outcomes that could not be achieved with conventional military force. It is also pretty straightforward to see how disruption in these cases could have significant—but not decisive—impacts on Russian military effectiveness.
However, it is not clear that these operations have, in fact, been effective. The Russian tax office denied that its systems had been disrupted and there haven't been widespread reports of tax collection problems, for example.
The SBU and GUR have also publicised the actions of purported Ukrainian hacktivist groups and said for some incidents, they've been 'involved' or even assisted the operations:
- the GUR published documents in November from the hack of Rosaviatsiya, Russia's civil aviation authority;
- the SBU said in early January it helped a Ukrainian hacktivist group known as Blackjack in its efforts to breach Russian ISP M9com in response to the destructive Kyivstar attack;
- the GUR said in early January it received about 100GB of data from the hack of Russia's Special Technological Center (STC) maker of Russian military equipment including the Orlan UAV;
- the GUR announced in mid-January Blackjack's breach of a Russian Ministry of Defence-linked construction enterprise and its theft (and subsequent deletion from Russian servers) of 1.2TB of data relating to Russian military facilities; and
- the GUR announced in late January a destructive attack by the 'BO Team' hacker group against Russia's State Research Center on Space Hydrometeorology.
Without singling out particular incidents, Vitiuk says intelligence gained by Ukraine's more proactive cyber efforts had helped ground operations, including attacks on Russian military infrastructure.
The intelligence Ukraine has gathered has also helped prevent cyber attacks. Vitiuk said about a year ago another telco operator had been the intended target of a Kyivstar-style destructive attack, but the attack was prevented when Ukrainian hackers learnt of the operation in advance.
Cyber operations are often kept secret, but in this case the Ukrainian government is actively publicising them.
One factor here is that once destructive operations are carried out there is no need for secrecy. If they have been effective, the Russians will already know about them. And Ukraine needs international support, so successful operations are a demonstration that the country is still fighting the good fight.
This shift in strategy by the Ukrainian government illustrates the usefulness of cyber operations in the context of a large-scale conventional war.
Why Banning Ransomware Payments Makes No Sense
Ransomware incident response firm Coveware's latest quarterly report comes out strongly against banning ransomware payments. This is a must-read for policymakers mulling the pros and cons of a ban.
Coveware assembles an array of arguments against banning payments, including that a ban would not reduce ransomware, but would instead place badly affected firms in an even worse position where they either break the law or potentially fail.
It would also, overnight, create a market of 'data recovery companies' that are actually ransomware operators masquerading as legitimate firms.
A ban would also discourage victims from reporting incidents, which would undercut the progress authorities have made fighting ransomware. Coveware instead argues for mandatory reporting of ransomware incidents.
Three Reasons to Be Cheerful This Week:
- Secret Rhysida decryptor: For nine months, incident response firm Emsisoft had the ability to recover files encrypted with Rhysida ransomware without a key, taking advantage of a vulnerability in the malware's random number generator. Unfortunately South Korean researchers have just published information about the vulnerability meaning that Rhysida will likely fix its malware. Risky Business News has a good examination of this incident.
- Dollars for Rust: Google is providing USD$1m to the Rust Foundation to support efforts to improve the ability of Rust code to integrate with legacy C++ codebases. Rust is less vulnerable to memory safety security issues, so this will hopefully avoid security issues in the longer term.
- JFK airport taxi dispatch hackers sentenced: Two Queens residents, Daniel Abayev and Peter Leyman, were sentenced to four and two years prison respectively for hacking New York JFK airport's taxi dispatch system. The pair charged taxi drivers $10 to skip the taxi holding queue at JFK that frequently required hours-long waits. The pair collaborated with two Russian hackers who are still at large.
Sponsor Section
In this Risky Business News sponsored interview, Tom Uren talks to Proofpoint Senior Threat Researcher Greg Lesnewich. Greg explains how a North Korean group is using DMARC spoofing in its efforts to gather strategic intelligence.
Shorts
For China, Evidence is Optional
Cyber security firm Sentinel One has published a report examining the PRC's media strategy over the last couple of years to push narratives of irresponsible US hacking.
Chinese allegations of US hacking started in 2021 and were weakly bolstered by technical details that were gathered from leaked intelligence documents. Since mid-2023, however, these allegations have been aired only in state media and are entirely evidence-free.
This shift away from providing any evidence just goes to show that for the PRC's purposes, proof is just unnecessary.
The Unintended Consequences of Cyber Regulation
In a parliamentary submission the Australian Signals Directorate (ASD) says it has observed a "decline in the quantity and quality of cyber security reporting to the ASD".
The ASD says it has observed "a decrease in the frequency and richness of cyber incident reporting from the private sector, particularly critical infrastructure operators".
Ironically, it thinks this stems in part from increasing regulation. It says that critical infrastructure operators in particular have become more "compliance-based" and look to regulatory rules to assess their reporting requirements.
From the GRU to Cyber Crime Attorney
Krebs on Security has an entertaining examination of an account on the Russian Mazafaka cybercrime forum using the handle 'Djamix', who claimed to be a licensed attorney and offered his legal services to forum members. Krebs links Djamix to an individual called Aleksei Safronov, whose Facebook profile shows him wearing a Spetsnaz GRU (special forces) uniform.
More On Volt Typhoon
Industrial cyber security firm Dragos has released its own report into Volt Typhoon, which it calls Voltzite.
This group is worrying because it appears to be targeting US critical infrastructure for disruption, and absolutely nothing in this report is reassuring. CyberScoop reported that Dragos' founder Robert Lee told a media briefing "it’s hitting the specific electric and satellite communication providers that would be important for disrupting major portions of the U.S. electric infrastructure".
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at why authoritarian regimes seem to love the 'cyber magic wand'.
From Risky Biz News:
Ransomware passed $1 billion mark in 2023: Ransomware gangs made out like bandits last year, collecting an estimated $1.1 billion worth of cryptocurrency via ransomware payments, according to blockchain tracking company Chainalysis.
[We covered this briefly last week, but Catalin has more, including about the number of ransoms more than USD$1m and how big game hunting is now the dominant strategy for ransomware operations.]
Authorities take down Warzone RAT gang: An international law enforcement operation has led to the capture of two individuals believed to have created and operated Warzone RAT, a Malware-as-a-Service operation that has been running since at least 2019.
Authorities have detained Daniel Meli, a 27-year-old from Malta, and Prince Onyeoziri Odinakachi, a 33-year-old from Nigeria.
Meli allegedly created and sold the Warzone RAT through its official website at warzone.ws. Odinakachi allegedly worked as a customer support, providing help to the malware's buyers.
Officials say Meli has been allegedly involved in the malware underground since at least 2012 and also created and sold Pegasus RAT, a precursor of the Warzone RAT.
[more on Risky Business News]
Surveillance in Tibet: Chinese authorities are forcing Tibet residents to install an app named "National Anti-Fraud Centre" on their smartphones. The app has the ability to access call and SMS logs, read browser histories, and see what other apps are installed on a device. Pro-Tibet privacy groups say that the app could be used as a surveillance system to spy on China's Tibetan population. A similar system with government-mandated mobile apps is also used to track the Uyghur minority in China's Xinjiang province. [Additional coverage in Turquoise Roof and Tibet Watch's joint reports]