TikTok Manipulation Report Is Too Little Too Late
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by SpectreOps.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.
TikTok Manipulation Report Is Too Little Too Late
TikTok has released a report covering covert influence operations on its platform, but this will do precisely nothing to allay fears the video sharing application is insulated from PRC influence.
TikTok's report described influence campaigns it had detected and disrupted from January through April this year. The 15 campaigns spanned 3,000 accounts and reached millions of followers. A domestically targeted pro-Ukrainian campaign reached 2.6 million followers and a domestically-aimed Iraqi campaign nearly 500,000, but the rest of the campaigns reached a relatively small number of followers. The report even called out a Chinese campaign that targeted a US audience with positive narratives about Chinese policy and culture.
The report said:
We assess this network operated from China and targeted a US audience. The individuals behind this network created inauthentic accounts in order to artificially amplify positive narratives of China, including support for the People’s Republic of China (PRC) policy decisions and strategic objectives, as well as general promotion of Chinese culture. This network utilised accounts impersonating high-profile US creators and celebrities in an attempt to build an audience.
However worthy TikTok’s actions are, it is the organisation’s tremendous cultural influence, combined with the Chinese Communist Party (CCP)’s ability to coerce its China-based owners to act in its interests, that poses a significant risk to US sovereignty. The risk is not 'Chinese operations fool TikTok's algorithm' so much as the 'Chinese government controls TikTok’s algorithm'.
Still, the report provides valuable insights into the types of campaigns being run. For example, an Iran-based campaign also targeted US and UK audiences with pro-Iranian narratives. TikTok also identified domestically focused campaigns in Indonesia, Venezuela, Equator, Serbia, Guatemala, Germany and Bangladesh.
These campaigns are similar to those previously reported by companies such as Meta, Google, and Twitter.
TikTok also released information on how it counters covert influence operations, which it defines "as coordinated, inauthentic behaviour where networks of accounts strategically work together to mislead people or our systems and influence public discussion". It says it looks for evidence that:
- They [accounts] are coordinating with each other. For example, they are operated by the same entity, share technical similarities like using the same devices, or are working together to spread the same narrative.
- They are misleading our systems or users. For example, they are trying to conceal their actual location, or using fake personas to pose as someone they’re not.
- They are attempting to manipulate or corrupt public debate to impact the decision making, beliefs and opinions of a community. For example, they are attempting to shape discourse around an election or a conflict.
Each one of these campaigns was detected by TikTok's own investigations.
We should expect transparency reports from all large technology companies that are, in effect, media companies. But if TikTok's management was hoping this report would do anything to repair its reputation among western lawmakers it will be sorely disappointed.
US Cyber Command Is a Half-Ripe Melon
Observers are divided about the need for a US Cyber Force, but agree US Cyber Command needs to change.
In the US House of Representatives, legislation amended last week would require the National Academy of Sciences to study the implications of creating a Cyber Force. In Defense News, US House Representative Morgan Luttrell summarised his motivation for the amendment:
Cyber warfare requires a unique approach to recruiting, retaining, and compensating service members. It requires a robust research and development apparatus and an exemplary ability to train personnel. These tasks are difficult, and they’re only made harder when fragmented across multiple services, which are already challenged with wider recruitment and modernization objectives. When the Chief of Naval Operations is struggling to recruit the numbers required to fill crews for the surface fleet, it’s understandable that Navy isn’t prioritising its requirements for cyber operations.
Also last week, former Defense Secretary Jim Mattis at DefenseTalks argued that a US Cyber Force was not required. Instead, cyber agencies within the Department of Defense needed the authority to operate domestically in the event of a serious cyber security incident.
Mattis argued that while adversaries operate inside the United States, the majority of the country's cyber capabilities reside in organisations that are not empowered to operate inside the country.
"If you look at my job as a secretary of defense, I had 95% of the country’s cyber defense and cyber offense under me… yet I have no authority to operate inside this country. None whatsoever."
Mattis and Luttrell are highlighting two very different problems, and we sympathise with both arguments. Each needs to be addressed.
On the 'demand' side of the equation, although cyber operations are unlikely to be decisive in any conventional conflict, until there is a real war they are one of the primary avenues for adversary nations to try to gain advantage.
Scattered Spider Is The Hollywood of Cybercrime
The group of young cybercriminals known as Scattered Spider is made up of about 1,000 people, according to Bryan Vorndran, assistant director of the FBI's Cyber Division.
Speaking at the Sleuthcon conference, Vorndran described the group as "expansive" and dispersed and said many members did not know each other directly.
Scattered Spider is prolific and infamous for involvement in disruptive attacks on MGM and Caesars' casinos. It is what we call 'Lapsus$-like', in that it is characterised by the use of relatively novel techniques to break through organisations standard cyber security practices.
Given its size and the very loose affiliations between members, we don't think it makes sense to talk about Scattered Spider as a 'group', so much as a community that shares a collection of techniques, with members who occasionally team up for particular projects. It's more like Hollywood rather than Sony Pictures Entertainment.
Law enforcement efforts against Scattered Spider have been criticised. According to Reuters in November last year:
For more than six months, the FBI has known the identities of at least a dozen members tied to the hacking group responsible for the devastating September break-ins at casino operators MGM Resorts International and Caesars Entertainment, according to four people familiar with the investigation.
Industry executives have told Reuters they were baffled by an apparent lack of arrests despite many of the hackers being based in America.
Although arrests would be nice, we don't think they'll put any kind of a dent into the problems that Scattered Spider are causing. Would arresting the cast of Oppenheimer stop Hollywood from making movies?
Three Reasons to Be Cheerful This Week:
- US sanctions residential proxy IP botnet operators: The US Treasury has sanctioned three Chinese nationals for involvement with the '911 S5' botnet. The botnet enabled paying users to proxy their internet connections through compromised computers. Treasury says the botnet compromised around 19 million IP addresses, was used in fraud that cost the US government "billions of dollars"and was also "linked to a series of bomb threats made throughout the United States in July 2022".
- AI not destroying elections: At an MIT Technology Review's EmTech conference, Meta's president of global affairs, Nick Clegg, said that at least "so far" there has been relatively little AI-generated misinformation based on elections that have occurred so far this year in Indonesia, Taiwan and Bangladesh. Clegg said it was present, but described it as a "manageable amount". This is consistent with the amount of content on Rest of World's AI elections tracker which aims to document the most noteworthy AI content used in elections this year.
- Stalkerware hack leads to shutdown: The founder of the pcTattletale stalkerware, Bryan Fleming, told TechCrunch that he has shut down the service in the wake of a breach. The shutdown comes shortly after a hacker defaced the company's website and published internal data including customer databases. Based on these databases, the company had 138,000 users.
Sponsor Section
In this Risky Business News sponsored interview, Tom Uren talks to Justin Kohler, VP of the Bloodhound team at SpectreOps about ‘attack paths’, the ways that malicious actors maneuver through Active Directory to elevate their privileges. They discuss how and why they arise and what you can do about them.
Shorts
How Cyber Operations Are Just Different
In the Click Here podcast, Jacquelyn Schneider from the Hoover Institute describes how people treat cyber operations differently from conventional threats. Schnedier says that after she started running war games that contained cyber elements:
I realised people react in very unusual ways to cyber operations. I would run experiments and wargames, and I would find that individuals don't respond to cyber operations like they would when faced with a physical threat.
Instead, they treat cyber operations in this kind of anxiety-inducing way, where the uncertainty about cyber operations actually creates this kind of buffer area where they don't feel an impetus to respond violently to cyber.
Recovering a USD$2m password
Kim Zetter in Wired has an interesting story about the recovery of USD$2 million of cryptocurrency after the owner lost the 20-character password when the encrypted file it was stored in was corrupted. The recovery effort took advantage of a flaw in the password generation algorithm of RoboForm software when it was used in 2013 to create the password.
Insurance Info With Bite
Insurance company Coalition has published a report looking at claims data that quantifies the risk of running certain internet-facing boundary devices. It found that in 2023, for example, businesses with internet-exposed Cisco ASA devices were almost five times as likely to experience a claim compared to organisations without internet-exposed ASA devices. Those running Fortinet devices were twice as likely, and those with internet-exposed RDP were 2.5 times more likely.
Sponsor Video
Justin Kohler, VP of Product at SpecterOps, shows how BloodHound Enterprise can be used to find and fix Active Directory (mis)configurations that could let attackers easily own your entire enterprise.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about the role of the state in tackling ransomware. They discuss why action has been slow and ineffective, and what it will take to truly change the situation.
From Risky Biz News:
IR reports are not protected documents, multiple judges rule: Courts in three countries have now ruled that incident response and forensic reports are not protected legal documents and must be made available in other court cases or to authorities on request.
Legal precedents now exist in Australia, Canada, and the US.
…
Breached companies began requesting that IR investigators not produce a report at all, instructing that all findings be delivered in oral form. All incident response communications were required to take place via IM clients that supported disappearing messages, and if an IR report needed to be put on paper, it had to contain the least information possible. The main purpose of all of this was to avoid leaving any paper trail that could be used in the discovery process of any possible class-action lawsuit.
[more on Risky Business News, including further details of the court cases and more on the undesirable second order consequences]
Google throws out GlobalTrust certs: Google is removing GlobalTrust TLS certificates from the Chrome browser's certificate root store.
The ban will apply to any new certificate issued by GlobalTrust after June 30 this year.
Chrome will continue to trust older/existing GlobalTrust certificates, and websites using them will work as before.
Google says e-commerce monitoring GmbH, the Austrian company behind the GlobalTrust brand, had several issues over the past years and failed to follow incident reporting requirements (e.g., [1],[2],[3],[4],[5],[6],[7],[8]).
[more on Risky Business News]
Backdoor found in court and jail AV recording software: Cybersecurity researchers from Rapid7 and S2W have found a backdoor trojan inside a popular app used for recording courtroom and jury meetings.
The malware was found in the installer for JAVS Viewer, version 8.3.7, an app from Justice AV Solutions that allows customers to play back older recordings.
JAVS customers who downloaded the official installer from the company's website between April 1 and mid-May are likely infected with a version of the GateDoor backdoor.
The malware is written in Go and is the Windows version of RustDoor, a Rust-based backdoor that could infect macOS systems.
Previous reports from Bitdefender and S2W linked both versions of the malware to server infrastructure previously operated by the AlphV (BlackCat) ransomware operation.
[more on Risky Business News]