UK's National Cyber Force: A Bunch of Mindf-ckers

PLUS: Biden's Spyware EO Just the Opening Act

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray with help from Catalin Cimpanu. It's supported by the Cyber Initiative at the Hewlett Foundation and founding corporate sponsor Proofpoint.

NOTE: There will be no Risky Business newsletters next week, we're all taking some time off.

Silhouette by Ben Sweet

The UK's National Cyber Force (NCF) has published its views on "being a responsible cyber power" and explained how it currently conducts offensive cyber operations (those that deny, degrade, disrupt). It's a great read, and what shines through very strongly is that for the NCF the goal of these types of operations is to mess with people's minds.

The NCF is the UK's equivalent of US Cyber Command and was established in 2020 to operate "in and through cyberspace to disrupt, deny, degrade and contest those who would do harm to the UK and its allies". It brings together personnel from UK defence and intelligence agencies such as GCHQ, boffins from the Ministry of Defence and the SIS (aka MI6, the UK's foreign HUMINT organisation).

So, not just a bunch of cyber geeks, then. This breadth of perspectives is evident in the human-centric way that the NCF talks about its goal, which is not about dominating cyberspace but is instead to mess with people:

Our objective is to change adversary behaviour by exploiting their reliance on digital technology. Sometimes our operations will simply aim to remove the adversary’s ability to act. For example, preventing a terrorist group from publishing pieces of extremist media. While it may not be possible to prevent such actions indefinitely, there is advantage in disrupting activity at key points.

Other operations seek to have a more wide-ranging effect on the adversary’s ability to carry out their intentions. We do this through various means including affecting an adversary’s ability to acquire, analyse and exploit the information they need to advance their objectives. We may also limit their ability to communicate and co-ordinate with others. And we may seek to affect their confidence in their digital technology and the information it is providing them.

In other words, when the goal is to change a target's behaviour there are opportunities wherever they use some form of digital technology. The document provides a number of hypothetical examples that we think illustrate activities the NCF has at least considered if not carried out. These include disrupting adversary's communications systems at critical times, interfering with their access to data or the systems that enable decision-making, or disrupting their ability to use online platforms and services. The NCF will even contact targets, either overtly or covertly, "to influence their actions in a positive way". Our favourite:

We may also use a combination of technical and information operations against hostile actors in a mutually supportive way, for example, to sow distrust in groups such as criminal gangs or terrorist cells.

Rather than simply destroying target systems, NCF finds that in practice disrupting them is more effective:

From operational experience, we find that we can often achieve the greatest cognitive effect by affecting the functionality and effectiveness of an adversary’s systems over a period of time, rather than denying them entirely (as in some cases they can be quickly replaced).

This makes sense given the NCF's target set includes both state and non-state actors including serious and organised crime. All of these actors are enduring threats, so a covert campaign that disrupts activities over a long period of time makes more sense than a one-off incident that is relatively quickly overcome.

The NCF calls this focus on adversary behaviour the "doctrine of cognitive effect". (We prefer "messing with computers to f**k with people", but hey, we're not the British government.)

The document also places NCF's cyber activities in context and recognises that for many security threats "traditional responses are best placed". It cites "measures such as cyber resilience, law enforcement action, sanctions, diplomatic intervention and military activity" and notes that where these are effective the NCF would "rarely if ever" get involved. This implicitly recognises the limits of disruptive cyber operations.

On the flip side, however, the document also points out that there are situations where disruptive cyber operations have advantages:

They provide an opportunity to reach adversaries irrespective of geography and without the need for individuals to be physically present. They can sometimes provide the only practical means of disrupting an adversary’s ability to exploit the internet and digital technology. They can be precisely targeted with specific effect and can avoid the challenges of using other, potentially physically destructive, interventions. They can create a range of cognitive effects — such as undermining an adversary’s confidence in the data they are receiving or in the ability of their information systems to function effectively — that may be harder to achieve with other approaches.

This is realistic. Offensive cyber operations aren't a replacement for other levers of national power, but they have a unique contribution to make. This reflects the NCF's current thinking, however, and the document notes that its "thinking and approach will inevitably continue to evolve as we reflect and learn".

The document identifies that coordinating and synchronising activities with partners is important and identifies integration with military operations as an area requiring further effort:

We are supporting the development of better understanding of the cyber and electro-magnetic domain and its integration with the other operational areas of the military — maritime, land, air and space — to be able to synchronise effects across the tactical, operational and strategic levels.

The document's section on deterrence also identifies uncertainty:

… there remain questions over the role of cyber operations as a part of modern deterrence. Much has been written about cyber and deterrence, without distinguishing between deterring cyber activity, or using cyber effects to deter other activities. The complexity of the many contributing factors to deterrence means it is not straightforward to read across concepts and lessons directly from the fields of conventional or nuclear deterrence, or seek to build a standalone concept of deterrence without thinking holistically across these broader aspects.

Whilst evidence is limited for cyber operations being a primary contributor to deterrence, they can form a secondary or supporting element in an integrated approach.

This very much feels like an unresolved internal NCF debate that somehow ended up in the final document. "Deterrence is a thing!" countered by "But there's no evidence", and unsatisfactorily concluded with "well, combined with other things it might work?"

Our view is that cyber operations just aren't good for deterrence. Capabilities are justifiably kept secret (otherwise vulnerabilities will be fixed), but this means that the consequences of cyber operations aren't well understood by the people you'd like to deter. And without fear of consequences, there is no deterrence. In this particular case, however, the NCF could mean reaching out to targets and warning them off. So… perhaps?

Another portion of the document deals with the NCF's view on responsible offensive cyber operations. The document describes these as "accountable, precise, calibrated and therefore proportionate". Predictable and precisely controlled cyber capabilities are used to satisfy legitimate and justifiable national security interests. These carefully scoped operations are also subject to robust authorisation and oversight procedures.

It's a great document that clearly explains not only the NCF's views on what offensive cyber operations are good for but also how to use them responsibly. It'll be influential, at least among some countries.

Biden's Spyware EO Was Just the Opening Act

Last week this newsletter wrote that President Biden's spyware executive order "formalised the status quo" and hoped that it would encourage action from other governments. Happily, shortly after that edition was published the US government issued a joint statement with nine other countries on Efforts to Counter the Proliferation and Misuse of Commercial Spyware.

It's a short statement, but a good one, and covers a range of issues from ensuring appropriate use within each government, preventing export to unsuitable end users, and also encouraging additional partner governments to up their game.

Having said that, it is a bit disappointing that more countries didn't sign up. All of the Five Eyes countries signed up, as did France and the UK. Where's Germany?

This statement was part of a broader set of announcements published under the banner of "Advancing Technology for Democracy''. Some of these announcements were a bit meh,  but we did like the document on Guiding Principles on Government Use of Surveillance Technologies.

The guiding principles document was drafted by 36 governments belonging to the Freedom Online Coalition and according to the US State Department "illustrate how governments can maintain their commitment to respect democratic values and protect human rights in the responsible use of surveillance technology".

Taken as a whole, these efforts are a reminder that surveillance technologies — including spyware — are dual-use and can be either used while respecting human rights or can be abused while positively trampling them.

What's the difference between CCTV surveillance in London and Beijing? The government and its intent.

The 3CX-pocalypse Could Have Been Worse

North Korean hackers successfully compromised VoIP software provider 3CX to launch a large-scale supply chain attack likely targeting cryptocurrency companies.

Both the Windows and Mac versions of 3CX's desktop software were compromised and pushed out to 3CX customers. Based on different features of the malware, both CrowdStrike and Kaspersky think the threat actor is North Korean. (Risky Biz News has additional coverage)

It's not known how many of 3CX's 600,000 customers were infected, although Kaspersky's telemetry indicates that 3CX infections are "worldwide". The company has been tracking the malware involved, which it calls Gopuram, since 2020, and believes it is the final payload in the attack chain. Kaspersky has observed this end stage malware being deployed to fewer than ten machines. The company described this as "surgical precision" and says it indicates "a specific interest in cryptocurrency companies".

The infosec response to the 3CX supply chain attack has been described as a success compared to the SolarWinds breach in 2020. In that case, a compromised build of SolarWinds' Orion software was pushed out from March that year but the attack wasn't discovered till December.

For 3CX, a number of different security firms including Sentinel One, Palo Alto and CrowdStrike started detecting anomalous behaviour almost immediately after the malicious software started beaconing. Sentinel One places the earliest infection attempt at 8th March and by the end of March multiple firms were reporting the attack and responding.

Although this response was far quicker — weeks, rather than months — it is still plenty long enough to carry out some dastardly deeds, if that's what North Korea wanted. Fortunately, they are fixated on stealing cryptocurrency rather than launching another WannaCry-style mass ransomware event. It really could have been much, much worse.

Three Reasons to be Cheerful this Week:

  1. US recovers USD$112m from "pig butchering" scams: The US Department of Justice seized the funds from six different cryptocurrency accounts that were being used to launder the stolen money. Pig butchering is a type of confidence scam that encourages victims to invest money in fake cryptocurrency investments that appear to be delivering stellar returns.
  2. Cybercriminal market takedown: Genesis Market, one of world's largest marketplaces for stolen credentials and compromised computers has been taken down by an international operation, as reported by The Record. Genesis sold what it called "bots", collections of browser authentication cookies stolen from individuals, hence the operation's name, Cookie Monster.  Large numbers of arrest warrants are reportedly being served.
  3. Microsoft cracks down on OneNote malware: Microsoft has announced that it is rolling out changes to OneNote on Windows devices that means the software will block embedded files with malicious extensions. Cybercriminals have been embedding malicious files within OneNote documents to infect users with malware since the end of last year. [more coverage at Risky Biz News]

Seriously Risky Business is supported by the Hewlett Foundation's Cyber Initiative and corporate sponsor Proofpoint.

Tines No-code Automation For Security Teams

Risky Business publishes sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors. You can subscribe to our product demo page on YouTube here.

In this video demo, Tines CEO and co-founder, Eoin Hinchy, demonstrates the Tines automation platform to host Patrick Gray.


Mom and Pop Cybercrime

Trend Micro has published a report examining the structure and operations of different-sized cybercrime groups. These sorts of reports are interesting from a counter-cybercrime perspective as they often illuminate potential areas for disruption.

According to the report, larger organisations are typically more profitable but also have many more opportunities for disruption.

It's Technology, but Racist

Wired has a good examination of how IPVM, a physical security technology trade publication, over time uncovered very troubling features advertised by Chinese security camera manufacturers. These include racial profiling to identify minorities and mass face-recognition systems deployed to Xinjiang to track Uyghur muslims.

NSO "Spyware Purchase" Story Overegged

The New York Times has a story about the purchase of NSO Group's geolocation capability (called Landmark) by an unnamed US government agency. The importance of the purchase is drastically overegged here, but the story contains some interesting nuggets.

Landmark is reportedly an SS7 geolocation system and its frankly laughable that The Times describes it as one of NSO's "most powerful weapons". SS7 is the protocol that phones use to set up and tear down phone calls and determining a device's location is a prerequisite for sending an SMS, so it is not really even an abuse of SS7 functionality. That kind of SS7 geolocation is almost table stakes for surveillance companies.

Having said that, there is interesting reporting on the aborted attempt by defence contractor L3Harris to buy NSO. For example, the article reports the US government was concerned about the counterintelligence risk posed by NSO. How do we trust a company outside the Five Eyes "tent"?

Risky Biz Talks

In addition to a podcast version of this newsletter (last edition here), the Risky Biz News feed  (RSS, iTunesor Spotify) also publishes interviews.

In our last "Between Two Nerds" discussion Tom Uren and The Grugq discuss why US Cyber Command's Operation Glowing Symphony operation feels so small.

From Risky Biz News:

Commercial spyware 0day campaign targeting Android and iOS: Google's security team says it discovered a threat actor using Android and iOS zero-day exploit chains to target users located in Italy, Malaysia, and Kazakhstan. The campaign took place last year and involved SMS messages containing links to websites hosting the exploits. Google didn't link the campaign to any specific threat actor.

Veritas attacks: An affiliate of the AlphV (BlackCat) ransomware gang is targeting publicly exposed Veritas backup servers to gain access to corporate networks. The attacker, tracked by Mandiant as UNC4466, is exploiting three 2021 vulnerabilities (CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878) in the Veritas Backup Exec server. Mandiant says it saw the first attacks in October of last year, a month after the publication of a Metasploit module for the vulnerabilities. Currently, there are more than 8,500 internet-accessible Veritas Backup Exec servers. [kinda like a downstream supply chain attack]

Google blocks SEO/SERP poisoning campaign: Google says it took action against a coordinated campaign that used ads on its search engine to promote links to thousands of malicious websites. These sites posed as legitimate or open-source software but spread trojanized apps that would infect users with malware. Google says the coordinated campaign (which we covered here) lasted for about a month, from the end of 2022 into the new year, and involved "tens of thousands of malicious advertisements." Google confirmed its takedown in its yearly Ads Safety Report. All in all, Google says it blocked more than 5.2 billion malicious ads last year because of malware, disinformation, trademark infringement, and other reasons.