The Three I's In Spyware


Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Sublime Security.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.


A new report finds the global spyware market is concentrated in Israel, India and Italy and that a few individuals have founded a number of spyware vendors. 

Mythical Beasts and Where to Find Them, from the Atlantic Council's Digital Forensics Research Lab (DFRLab), attempts to map the global spyware market and identify links between firms, based on public reporting coupled with searches of corporate registries and databases. 

DFRLab found information on:

…forty-nine vendors along with thirty-six subsidiaries, twenty-four partner firms, twenty suppliers, and a mix of thirty-two holding companies, ninety-five investors, and one hundred and seventy-nine individuals, including many named investors.

Nearly 44% of the entities in the dataset clustered in Israel, including eight vendors (NSO Group, SaitoTech—formerly Candiru Ltd, Cognyte, Paragon Solutions, MerlinX, Quadream Inc./InReach Technologies Limited, Blue Ocean Technologies, and Interionet).

Connections between NSO Group, Quadream and Interionet. Source: DFRLab

The clusters in India and Italy are not as large, although they are similarly interconnected.

DFRLab found vendors often changed names and identities and that significant cross-border capital flows funded the industry.

The report is realistic about spyware being 'dual-use':

State surveillance, harassment, repression, and outright murder predate spyware, and there is little to suggest spyware “causes” these abuses. Measuring the human rights harms and national security risks of spyware against its value to law enforcement or intelligence activities is also challenging as these activities are, by their nature, even less visible. Few governments have sought to demonstrate the range of legitimate uses of spyware or its impacts. As a result, when considering spyware’s effects on society, there is a bias to what is known. 

The report's recommendations mostly focus on increasing transparency, including requirements to "Know Your Vendor" when buying spyware, improving the information held in corporate registries and improving the robustness of export licensing processes.

Even if fully implemented, these recommendations won't 'fix' abusive spyware, but they are positive and realistic suggestions for improvement.

Tenet Interference Is The Tip of The Iceberg

A barrage of US government actions are exposing a sophisticated media influence and interference system controlled by the Russian government. However, the measures just scratch the surface of malign foreign influence efforts.

Our sister newsletter Risky Business News has a comprehensive breakdown of the US actions announced last week, which tackle different 'layers' of Russia's disinformation system, each of which performs different functions. 

One initiative involved taking down 32 domains used to host Kremlin propaganda on sites that mimicked legitimate news brands. This disinformation campaign has been previously reported as 'Doppelganger'. The US Department of Justice (DoJ) linked this campaign to senior Russian officials:

As alleged in an unsealed affidavit, the Russian companies Social Design Agency (SDA), Structura National Technology (Structura), and ANO Dialog, operating under the direction and control of the Russian Presidential Administration, and in particular First Deputy Chief of Staff of the Presidential Executive Office Sergei Vladilenovich Kiriyenko, used these domains, among others, to covertly spread Russian government propaganda with the aim of reducing international support for Ukraine, bolstering pro-Russian policies and interests, and influencing voters in U.S. and foreign elections, including the U.S. 2024 Presidential Election.  

On the same day, the DoJ indicted two RT employees (RT is a state media outlet formerly known as Russia Today) who it alleges secretly paid a US-based online media company to produce content that promoted Russian interests and narratives.

The indictment alleges RT employees Kostiantyn Kalashnikov and Elena Afanasyeva used fake personas to pay a Tennessee-based company USD$10m to create content for social media. The US company, which media reports have identified as Tenet Media, is alleged to have paid some right-wing influencers around USD$100k per video. The DoJ says that Kalashnikov and Afanasyeva exerted significant creative control at what the indictment calls 'US Company-1':

In order to carry out RT’s secret influence campaign in the United States, Kalashnikov and Afanasyeva operated under covert identities at U.S. Company-1. Posing as an outside editor, Kalashnikov edited U.S. Company-1 content, monitored U.S. Company-1’s funding and hiring, and introduced Afanasyeva as a member of his purported editing team. Using the fake personas Helena Shudra and Victoria Pesti, Afanasyeva posted and directed the posting by U.S. Company-1 of hundreds of videos. Afanasyeva also collected information from and gave instructions to U.S. Company-1 staff. For example, after the March 22, 2024, terrorist attack on a music venue in Moscow, Afanasyeva asked one of U.S. Company-1’s founders to blame Ukraine and the United States for the attack, writing: "I think we can focus on the Ukraine/U.S. angle. . . . [T]he mainstream media spread fake news that ISIS claimed responsibility for the attack yet ISIS itself never made such statements. All terrorists are now detained while they were heading to the border with Ukraine which makes it even more suspicious why they would want to go to Ukraine to hide."

Most of the influencers connected to Tenet Media have denied being aware that Russia or RT was the source of the funds. The indictment alleges the company's founders misled at least two of Tenet's commentators by creating a fictional Belgian investor. 

The US government also linked RT to Russian intelligence services. In its statement announcing sanctions in response to malign foreign influence operations, the US Treasury stated that RT's Deputy Editor-in-Chief, Anton Seregyvich Anisimov, "conducts activities on behalf of the Russian Federal Security Service (FSB)". 

The US government also took aim at the pro-Kremlin purported hacktivist group RaHDit (Russian Angry Hackers Did It). The State Department issued a USD$10m reward and the Treasury also sanctioned three members. Treasury's statement says:

Aleksey Alekseyevich Garashchenko (Garashchenko) is the head of RaHDit and was an FSB officer at the time he started leading the group. Garashchenko directly interacts with members of the Russian intelligence and security services, members of the Russian Presidential Administration, and employees from RT.

The State Department says RaHDit "has previously engaged in election influence in other countries and is a threat to the 2024 U.S. elections, particularly through cyber-enabled influence operations".

Although Doppelganger, RT's covert influence over domestic commentators, and RaHDit all perform separate functions, they are parts of a larger disinformation or propaganda system.

For example, RaHDit can hack material and Doppelganger can falsify it. Domestic commentators could then amplify and 'launder' or lend credibility to that material, as per standard Russian tactics, so that the narrative Russia favours takes root in mainstream discourse.

Although the US's actions address a range of Russian activities and link them to the Russian government, these actions just show us the tip of the iceberg. 

When it comes to RT's covert efforts, for example, the indictment says Kalashnikov manages "multiple covert distribution channels in the United States". That makes sense to us. It's inconceivable that a program to co-opt American influencers to disrupt a presidential election focuses on a single US company and is run solely by a 31-year-old Deputy Chief (Kalashnikov) with some help from his 27-year-old producer (Afanasyeva). 

The US government also released documents and project proposals relating to the Doppelganger campaign. These documents contain goals such as "to secure victory" for a particular candidate in the 2024 US Presidential election and "to increase the percentage of Americans who believe that the US 'has been doing too much to support Ukraine' to 51%". They suggest, without confirming, that a broader range of activity is taking place.

Although the sanctions, indictments and rewards the US government has announced probably won't reap direct results soon, collectively they have tremendous educational value. This alerts influencers and journalists to the possibility that foreign manipulation comes with buckets of money. 

This story in Semafor, for example, describes a similar situation in which an influencer network was paid to promote misogynistic smears involving Vice President Kamala Harris. Although the incident occurred in July, the article was published shortly after the recent US actions were announced.

This network was organised over Zoom calls and email, and payments were made on the Zelle platform. But participants did not identify themselves by name, and cameras were switched off during video calls.

A bit weird, and Semafor says "the money was good: One participant made more than $20,000 for several weeks of boosting assigned messages, according to the Zelle receipts." 

To us, this amount of money is surprising, but perhaps this is normal? Per Semafor:  

Leading figures in the booming conservative influencer industry, meanwhile, said that the size of payments seemed consistent with their business — but said they’d never heard of this operation.

Compared to tracking money flows through front companies, countering manipulation on most social media platforms is easy, because those companies have deep visibility into what occurs on their platforms. Because they can see all sorts of technical and behavioural patterns, they can successfully clamp down on unwanted behaviour. We’ve seen Russia move away from Meta properties, but some social media companies seem less motivated to tackle Russian propaganda.

The opposite applies to influencers, front companies and money flows.   

The RT indictment notes that earlier this year RT's editor-in-chief spoke on Russian television of "an enormous network, an empire of covert projects that is working with the public opinion, bringing truth to Western audiences". Which leaves us wondering, just how much is Russia spending on this election? 

Watch Patrick Gray and Tom Uren discuss this edition of the newsletter:

Three Reasons to Be Cheerful This Week:

  1. Terrorgram Collective leaders arrested: The US Department of Justice announced it had arrested and charged two leaders of a transnational terrorist group that organised on Telegram. It is alleged the pair promoted a white supremacist ideology and solicited hate crimes including the shooting of three people outside of an LGBTQI+ bar in Slovakia and the stabbing of five people near a mosque in Turkey. 
  2. Durov pledges to improve moderation: Telegram's CEO, Pavel Durov said he would "significantly improve" moderation on the messaging app, just a week after being charged with complicity in crimes facilitated over Telegram. The service also removed multiple channels hosting explicit deepfake material of South Korean women, and apologised for its late response to the police request to do so. 
  3. CISA steps away from content moderation: CyberScoop says that Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency, told reporters last week that the agency would no longer flag misleading election information to social media platforms for content moderation or removal. The practice became politically controversial and any benefit gained simply wasn't worth the political grief.

In this Risky Business News sponsored interview, Tom Uren talks to Josh Kamdjou, founder and CEO of Sublime Security, about the spectrum of attacks that are taking advantage of generative AI. These range from taking basic attacks with a pinch of AI pixie dust to more complex attacks where AI is used to construct message threads with multiple personas. Josh also talks about how different AI models can be used to identify these attacks even when they are novel.


Sublime Security shares a recent payroll fraud attempt likely produced by Generative AI.

Payroll Fraud via LLM-Generated Emails
Sublime Security Attack Spotlight: Attempts of payroll change fraud with subject and message body content likely generated by large-language models (LLMs).

Shorts

The Ten Million Dollar Self-Licking Ice Cream

Michael Smith, a North Carolina man, has been charged by the US Department of Justice (DoJ) with music streaming fraud that earned him over USD$10m in royalties. The DoJ alleges Smith earned unlawful royalties by using bots to generate billions of streams from hundreds of thousands of AI-generated songs Smith uploaded to streaming platforms such as Apple Music, Amazon Music and Spotify. 

Although stealing from Apple or Amazon may seem like a victimless crime, the indictment says that streaming services generally pay a percentage of revenue to rights holders. So streaming fraud doesn't hurt the platforms, but instead diverts funds from legitimate songwriters and musicians. 

When Phishing Is Deadly

Ukraine's CERT has warned that hackers are targeting Ukrainian defence personnel with links sent via the Signal messenger that appear to point to mobile apps for military systems. The links lead to malware or malicious code intended to steal credentials for military systems and gather the GPS coordinates of the device. The CERT notes the "attacks are extremely dangerous and may have direct negative consequences for the life and health of military personnel".

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq dissect an FBI advisory about North Korean groups targeting cryptocurrency firms with social engineering.


From Risky Biz News:

UK NCA "on its knees," bleeding staff, seriously underpaid: A UK anti-corruption organisation has published a report this week warning that the UK's top police investigative body—the UK National Crime Agency (NCA)—is close to a critical collapse, describing its current state as "on its knees."

According to Spotlight on Corruption, the NCA is dealing with huge staff turnover, recruitment issues, and chronically low pay. The study's key findings are:

  • 9% of NCA roles are unfilled due to recruitment issues – more than double the average of 3.9% for the public sector and higher than the 4.8% in the voluntary sector.
  • Despite a 7% pay award last year, NCA officers' median pay has dropped by 16.3% in real terms since 2013/14, when the agency was established. The proposed 5% pay award for this year still leaves officers with a 13.9% real terms pay cut compared to over a decade ago. 
  • The NCA faces a major brain drain with a quarter of senior managers leaving annually, and the agency loses a third of its legal expertise annually.
  • 59% of NCA officers are stuck at the bottom of their pay range with no chance of pay or career progression.

[more on Risky Business News]

US charges GRU cyber unit members: The US government has charged five officers from a Russian military cyber unit involved in cyberattacks against Ukraine and NATO countries. Officials say the group launched the WhisperGate data-wiping malware ahead of Russia's invasion of Ukraine. The malware destroyed Ukrainian government systems in an attempt to delay its response to Russian invasion forces. The five allegedly worked with a sixth suspect, a Russian civilian the DOJ charged at the end of June. Officials say the five suspects are part of Unit 29155 in Russia's GRU military intelligence agency. The unit is considered one of the GRU's best and has also been involved in attempted coups, assassinations, and sabotage missions. The US State Department is also offering a $10 million reward for information on the unit and its members.

Source: State Department Rewards for Justice post on X

Two security enhancements coming to Windows (ActiveX, CLFS): Microsoft announced last week two changes to its products designed to boost the company's security posture.

Redmond plans to disable ActiveX in Office apps in October and then harden the Windows Common Log File System (CLFS) logging service against logic bugs in future versions of Windows 11.

Both are important steps that address some of today's biggest attack surfaces in Windows.

[more on Risky Business News, including why these changes are important and more detail on the steps being taken]