When Pig (Butcherers) Fly

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Devicie.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Tentacles

Southeast Asian organised crime groups operating cyber-enabled scam compounds are becoming more sophisticated and going global, according to a new report from the UN Office of Drugs and Crime (UNODC). This threat will need concerted and swift political action to counter it. 

We've written about the nexus of cyber-enabled scams, trafficked persons and forced labour, money laundering, and the rise of massive criminal service marketplaces since 2023. Governments are fighting back against the syndicates, so they're now expanding into new countries that lack the capacity to deal with transnational crime of this scale. Without decisive action these groups will be able to dig in and corrupt the countries they move into. 

The gangs in question run industrial-scale scam centres known as "boiler rooms" or "pig-butchering farms", typically using forced labour. This week's UN report estimates the workforce involved is "comprised of hundreds of thousands of trafficked victims and complicit individuals".

These operations generate a massive amount of revenue, estimated to be around USD$30 billion annually. A network of laundering services has also developed to deal with the huge amounts of money involved. The report says that "as a result, Asian crime syndicates have emerged as definitive market leaders in cyber-enabled fraud, money laundering, and underground banking globally".

The UNODC identifies a couple of significant trends. One is consolidation, where "independent and scattered fraud groups [are] being replaced by larger, consolidated criminal groups" operating as legitimate businesses including industrial and science and technology parks, casinos and hotels.

Increasing globalisation is another trend, and the Southeast Asian organised criminal networks are developing links and partnerships with other major criminal networks around the globe. For example, Chinese money laundering organisations (MLOs) are already working with Mexican cartels. It's not only cheaper for the cartels, but also harder to track and disrupt: 

Unlike other professional launderers who may charge higher commissions for their services, Chinese MLOs and brokers have been found to undercut the competition by charging between 0 to 6 per cent, making their profit by reselling foreign currencies — in this case U.S. dollars generated by the cartels — to overseas buyers who are willing to bear the majority of the service cost. Moreover, the diversification of laundering techniques by Chinese and other Asian criminal networks, including those utilizing mirror transactions, international networks of money mules or so-called motorcades, as well as casino junkets, online gambling, cryptocurrencies, and related service providers, has further compounded existing challenges. 

These networks are also branching out into legitimate industries:

Moreover, many of the region's largest criminal groups have shifted towards the development of key infrastructure and infiltration of legitimate financial industries - particularly those related to online payment processing, blockchain technology, and cryptocurrency trading and exchange services. There is also growing indication of targeting of compliance-related businesses involved in platform on-boarding and customer due diligence and KYC processes, leading to concerns of further infiltration of the virtual asset ecosystem.

There is some good news. Kind of. Part of the reason these Southeast Asian crime groups have expanded overseas and into supposedly legitimate businesses is in response to strong government action against them. This has included military action in Myanmar, and strong Thai and Philippine government efforts. 

Every silver lining has a cloud, unfortunately. This strong action has pushed these criminal syndicates to move into areas with relatively limited capacity to deal with transnational crime, such as countries in the Pacific Islands, Africa, South America and Georgia.   

For our Australian, Kiwi and Pasifika readers, the report's section on the Pacific Islands is worth reading. It notes that these criminal networks "have steadily expanded their influence in the Pacific in recent years through the development of casinos, junkets, hotel resorts, travel agencies, and other related businesses and investment projects, often involving virtual assets, used to conceal a wide range of illicit activities".

Vanuatu, Fiji, Palau and Tonga are specifically mentioned, and the report notes that senior members of the transnational organised crime groups often operate openly and present themselves as legitimate foreign investors. 

When it comes to the Pacific Islands, we think there needs to be a cohesive international response that bolsters the ability of countries to identify and push back against these criminal syndicates. 

There is no single magic bullet that will counter the gangs. The report says that scam centre criminal networks should be recognised as national and regional threats. It recommends strengthening regulatory responses, building law enforcement capacity and increasing regional intelligence sharing. 

It's grim reading, but there is a window of opportunity for decisive action. These criminal networks are still in the process of overseas expansion and haven't yet ingratiated themselves with local law enforcement and politicians. 

But history tells us the window won't be open for long.

Secure by Design Is Limping, but Not Dead

The future of CISA's Secure by Design initiative is in doubt after two key individuals announced they are leaving the organisation, reports Cybersecurity Dive. Even if CISA can't support the program, we think international security authorities should step up and keep it going. 

The Secure by Design campaign is an effort to encourage software makers to adopt practices that would result in more secure products. It has produced guides on how vendors can make more secure software and also guides on how buyers can choose more secure products.

CISA senior advisers who led the campaign, Bob Lord and Lauren Zabierek, are leaving the organisation and Cybersecurity Dive explores the implications for the initiative:

Lord's departure is an especially big setback for Secure by Design, according to one person familiar with the matter, who requested anonymity to speak candidly.
"Not having him there hurts it," this person said. "SBD could still succeed without him, but the road will be much tougher."

In our view, encouraging commercial software vendor practices to produce more secure products is a long-term effort that will require both carrots and sticks. Given the Trump administration is averse to regulatory sticks, the Secure by Design carrot becomes more important than ever. 

Secure by Design is the kind of project that won't change the world overnight. But its long-term impact could be substantial if it receives consistent support.

Given potential job cuts at CISA, however, it is hard to see the Secure by Design project getting much love from the agency. There will inevitably be other short-term fires to extinguish. But even if CISA isn't able to support the effort there is still hope. 

Lord told Cybersecurity Dive he would continue working on the initiative outside of government and likely won’t be alone: "From the messages I've received privately, I'm optimistic there are many people who are willing to help". 

Additionally, a number of international cyber security authorities were involved in the Secure by Design campaign and co-authored guidance. 

If CISA pulls back they could, and should, fill the gap.

Watch Adam Boileau and Tom Uren discuss this edition of the newsletter:

Three Reasons to Be Cheerful This Week:

  1. CVE program gets funding after all: In a last-minute step, the US Cybersecurity and Infrastructure Security Agency (CISA) said last week it had continued funding for the Common Vulnerabilities and Exposures (CVE) program. MITRE, the organisation that administers the program, had warned days earlier that funding was due to expire. MITRE's vice president and director at the Center for Securing the Homeland, Yosry Barsoum, told The Verge that CISA had found "incremental funding" to keep the program running.
  2. Microsoft's security progress: Microsoft has published its second update on the Secure Future Initiative, what it describes as a "multiyear effort to revolutionize the way we design, build, test, and operate our products and services". There are lots of numbers in the update, but we'll just pick out the bit where Microsoft says: "this shift isn't about compliance, it's about empowerment. We want every person at Microsoft to understand their role in keeping our customers safe and to have the tools to act on that responsibility." We are optimistic.
  3. 600 vulnerabilities and $1.6 million: Microsoft's inaugural Zero Day Quest hacking competition focused on AI and cloud vulnerabilities awarded USD$1.6 million to security researchers. 

In this Risky Bulletin sponsor interview Shane Harding, CEO of Devicie, talks to Tom Uren about trends in the enterprise software and security market that he thinks will have huge impacts. Software is becoming smarter and aims to solve problems rather than simply provide capabilities and Microsoft has embarked on a big push into the SME security market.

No race. No pressure. Just a better way forward to Windows 11, built for wherever you’re at and wherever you’re going. Visit devicie.com/windows11.

Shorts

Signalgate 2: This Time It's Personal

US Defense Secretary Pete Hegseth is embroiled in another Signal messaging controversy. The first Signal group was a shared disaster, but Hegseth alone is responsible for this one. Per The New York Times:

Hegseth shared detailed information about forthcoming strikes in Yemen on March 15 in a private Signal group chat that included his wife, brother and personal lawyer, according to four people with knowledge of the chat.
Some of those people said that the information Mr. Hegseth shared on the Signal chat included the flight schedules for the F/A-18 Hornets targeting the Houthis in Yemen — essentially the same attack plans that he shared on a separate Signal chat the same day that mistakenly included the editor of The Atlantic.

Hegseth created the group chat himself and its existence was confirmed by NBC News.

Both Hegseth's brother and lawyer work at the Pentagon, but their roles don't make it immediately clear why they would need details about planned military action. Hegseth's wife is a former Fox News producer. 

Hegseth also used his personal phone for both this Signal group chat and the previously reported one that included the editor in chief of The Atlantic magazine. At the time of the first Signal controversy, we wrote that Hegseth deserved a "fair share of the blame" because Signal was "entirely inappropriate for the information he sent to the group". 

In this case, he's sending very sensitive information to the wrong people on the wrong messaging platform using the wrong phone. Hegseth owns this screw-up.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq discuss whether cyber operations can be 'strategic' and affect the fate of nations. 

Or watch it on YouTube!

From Risky Bulletin:

Russian military personnel targeted with Android spyware reminiscent of Russia's own tactics: An unidentified threat actor is targeting Russian military personnel with spyware hidden in Android geo-mapping apps in what seems to be a campaign designed to spy on Russian military movements and positions.

The spyware is hidden inside legitimate versions of Alpine Quest, a mobile app used by Russian troops to coordinate operations in Ukraine.

According to Russian security firm Dr.Web, which spotted the campaign, the poisoned apps are spread via Telegram channels advertising a pirated PRO version of the app and even through some Russian Android app portals.

Once the spyware infects a target, it collects data from the device and sends it to a remote server. Collected data includes the usual data points, such as the victim's phone number, contacts list, geolocation details, and data about local files.

[more on Risky Bulletin]

Zoom has a remote control feature and crypto thieves are abusing it: Hackers are abusing a little-known Zoom feature to take control of their victims' computers, install malware and steal cryptocurrency.

The feature is named "Remote Control" and is part of Zoom's accessibility suite; it was included so that users with disabilities can let another participant in the same meeting control their PC.

Since at least this year, a cybercrime group named ELUSIVE COMET has incorporated this secret Zoom feature into their social engineering attacks and has successfully stolen millions of US dollars worth of crypto assets from their victims.

[more on Risky Bulletin]

Thai army and police behind dissident doxing campaign: The Royal Thai Armed Forces and the Royal Thai Police ran an online harassment and doxing campaign against anti-government dissidents.

The campaign doxed victims and asked followers to report them to the police, which then happily launched investigations. The secretive attacks came to light after Thai MP Chayaphon Satondee leaked confidential police documents online at the end of March. The documents revealed the existence of a joint Thai army and police "cyber team" that allegedly ran the harassment campaign.

According to a CitizenLab report, most of the attacks took place with the help of Facebook and Twitter accounts, but other online services were also involved.

[more on Risky Bulletin]