When Sanctioning Code Makes Sense

PLUS: End-to-End Encryption can't beat bad laws and how cyber war crimes are not a thing

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation and founding corporate sponsor Proofpoint.

Last week Dutch financial crime authorities announced they had arrested Alexey Pertsev, a suspected developer of the Tornado Cash Ethereum cryptocurrency mixer. The arrest came shortly after the US government sanctioned the service the week prior, on August 8. Together these actions are significant new steps in tackling cryptocurrency anonymity.

In May this year the US Treasury sanctioned Bitcoin mixer Blender.io, claiming that North Korean state-sponsored groups had used Blender to launder USD$20.5m from the almost USD$620m hack of the Axie Infinity game. Treasury also cited Blender's use by Russian-linked ransomware groups.

This isn't the first mixer-related arrest, but predictably, Pertsev's arrest was condemned by "crypto Twitter", which was outraged that Pertsev's "free speech" had resulted in his arrest (the linked article is worth reading if you enjoy the deranged wailing of crypto boosters). To be clear, however, the Dutch authority that arrested Pertsev believes the developers behind Tornado Cash "have made large-scale profits". In other words, Pertsev wasn't arrested for just cutting code; he was arrested because the Dutch suspect he made bucket-loads of cash from being involved in laundering literally billions of dollars worth of cryptocurrency.

What makes sanctioning Tornado Cash different? For a start, its scale. Tornado Cash is far bigger than Blender. Since its creation in August 2019 Tornado Cash has received over USD$7.6bn worth of Ethereum and Treasury claims it was used to launder USD$455m from the Axie Infinity heist and another USD$95m from the Harmony Bridge theft.

Kim Grauer, head of research at Chainalysis, told Seriously Risky Business that "more cryptocurrency is being stolen than ever, and in almost every hack we’ve observed this year, Tornado Cash has received at least some of the stolen funds".

Grauer also described Tornado Cash as "one of the most advanced methods available for laundering ill-gotten cryptocurrency". It runs as an Ethereum smart contract that theoretically cannot be shut down. In 2020 Tornado Cash ran a "Trusted Setup Ceremony" to remove control from the original developers and set up the smart contract as "trustless, decentralised and forever unstoppable". One of its founders, Roman Semenov, told Bloomberg earlier this year that it is "technically impossible" for sanctions to be enforced against protocols like Tornado Cash.

Well, the US government is certainly trying.

Although the service itself appears to be operating, GitHub has closed its account and its developers' accounts, various related cryptocurrency accounts have been blocked and its DAO (Decentralised Autonomous Organisation, its governance structure) has shut down.

There has been some pushback on the sanctioning of Tornado Cash. One argument is that the specific type of sanction used (adding Tornado Cash to Treasury's Specially Designated Nationals and Blocked Persons List) is inappropriate because a smart contract isn't a person that can be sanctioned.

A second argument — one we are more sympathetic to — is that the sanction affects innocent people. US citizens can no longer send or receive money from Tornado Cash without violating sanctions laws. Blockchain analysis company Chainalysis reports that Tornado Cash receives a lot of currency from illicit sources (almost 30% of funds received are stolen or have come from sanctioned entities), but that still leaves 70% that may be legal.

We think, however, that in this case punishing innocent people is not really a bug so much as a feature. For a mixer to be effective at obfuscating transactions it ideally needs a large number of users all mixing similar amounts of cryptocurrency: each withdrawal can only be hidden among the deposits of the same size that preceded it, so the fewer clean deposits there are, the smaller that crowd and the more likely any given withdrawal is tainted. By discouraging legal users, the US government is shrinking that pool and making it more likely that any Tornado Cash transaction is actually illicit. Additionally, Chainalysis's Grauer says "cutting it off from compliant cryptocurrency businesses represents a huge blow for criminals looking to cash out".
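To make the anonymity-set point concrete, here is a small Python model we have added for illustration; it is not Tornado Cash code or Chainalysis tooling. It assumes a fixed-denomination mixer (deposits and withdrawals of, say, exactly 10 ETH, which is how Tornado Cash's pools work) and an analyst who has tagged some deposit addresses as tainted. A withdrawal's anonymity set is every same-denomination deposit that preceded it; the tainted share of that set is the analyst's best estimate that the withdrawal is illicit. The deposit figures are constructed, with 30% tainted to match the Chainalysis estimate quoted above.

```python
"""Toy model of a fixed-denomination mixer's anonymity set (added illustration).

Assumptions (not from the newsletter or from Tornado Cash itself):
  - every deposit/withdrawal is exactly one pool denomination (e.g. 10 ETH)
  - an analyst has already tagged some deposit addresses as tainted
  - no side channels (timing, gas patterns, relayer quirks) are used
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Deposit:
    addr: str
    denomination: int   # pool size in ETH: 1, 10, 100 ...
    block: int          # when the deposit was mined
    tainted: bool       # True if the analyst tagged the source (hack, sanctioned entity)


@dataclass(frozen=True)
class Withdrawal:
    addr: str
    denomination: int
    block: int


def anonymity_set(deposits, withdrawal):
    """Deposits a withdrawal could plausibly be spending: same pool, mined earlier."""
    return [d for d in deposits
            if d.denomination == withdrawal.denomination and d.block < withdrawal.block]


def tainted_share(deposits, withdrawal):
    """Fraction of the anonymity set the analyst has tagged as tainted.

    Returns None when no earlier same-pool deposit exists: that is a data gap
    (the analyst is missing deposits), not evidence of anonymity.
    """
    crowd = anonymity_set(deposits, withdrawal)
    if not crowd:
        return None
    return sum(d.tainted for d in crowd) / len(crowd)


def simulate_pool(clean_users, tainted_users, denomination=10):
    """Constructed scenario: clean users deposit in blocks 0.., tainted ones in
    blocks 50.., and one withdrawal cashes out at block 100."""
    deposits = [Deposit(f"clean{i}", denomination, i, False) for i in range(clean_users)]
    deposits += [Deposit(f"hack{i}", denomination, 50 + i, True) for i in range(tainted_users)]
    cashout = Withdrawal("cashout", denomination, 100)
    return deposits, cashout


if __name__ == "__main__":
    # Same 30 tainted deposits throughout; only the number of clean users changes.
    for clean in (70, 20, 0):
        deps, w = simulate_pool(clean, 30)
        print(f"clean={clean:3d} anonymity set={len(anonymity_set(deps, w)):3d} "
              f"tainted share={tainted_share(deps, w):.2f}")
```

With 70 clean depositors the cash-out hides among 100 deposits and looks 30% likely to be dirty; drive the clean users away and the same 30 tainted deposits make every withdrawal from that pool look certainly illicit. Note the None case: a withdrawal from a pool the analyst has no deposits for tells you nothing either way, which is why the quality of the tagging data matters as much as the maths.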

In a briefing to the press, a senior Treasury Department official made it clear that Tornado Cash sanctions were intended to influence the private sector. "We do believe that this action will send a really critical message to the private sector about the risks associated with mixers writ large, which obviously is designed to inhibit Tornado Cash or any sort of reconstituted versions of it to continue to operate."

Tornado Cash code is available and open source, so there is not much to stop people from reconstituting new versions of the service. We think, however, that although Tornado Cash will continue to operate and other versions will pop up, it will be much harder for these services to attract the 'clean' liquidity they need to be effective money laundering services.

Grauer cautions, however, that "neither full transparency nor total anonymity is ideal" and that there needs to be a balance in regulation. Cryptocurrency regulation that puts the financial privacy and autonomy of regular individuals at risk might make mixing services more attractive, for example.

Our prediction: many people will not like it, but sanctioning Tornado Cash will be effective.

Another prediction from Binance CEO Changpeng Zhao: "developers will be more anonymous; code will be more open-source".

End-to-End Encryption Can't Beat Bad Laws

Meta handed chats between a mother and daughter to Nebraska police after receiving a warrant in an investigation into an illegal abortion.

Although this investigation occurred before the Supreme Court overturned Roe v Wade, it illustrates the concern held by data privacy experts that tech companies will share the data of users seeking abortions with police now that the constitutional right to abortion has been eliminated.

In a statement on the overturning of Roe vs Wade the Electronic Frontier Foundation (EFF) neatly describes the data privacy problem: "... those seeking, offering, or facilitating abortion access must now assume that any data they provide online or offline could be sought by law enforcement".

The details of this particular case are disturbing. With her mother's help, a 17-year-old girl acquired and took abortion pills and subsequently miscarried at around 28 weeks pregnant, and the pair secretly buried the fetus after trying to burn it. Nebraska law bans abortion past 20 weeks.

Facebook was served with a warrant relating to the "alleged illegal burning and burial of a stillborn infant" and provided Nebraska police with messages appearing to show the mother and daughter pair talking about acquiring and taking abortion medication. These messages were then used as the basis for a second search warrant that resulted in the seizure of laptops and smartphones. Police interest was initially triggered by a tip-off that the daughter had miscarried and secretly buried the body.

Given the capabilities that law enforcement has (eg searching cell phones) it's very difficult to hide crimes if the state is motivated to obtain search warrants. Even when the stakes are as high as they get it is hard to maintain good OPSEC (see the Toebbes trying to sell nuclear secrets), so ordinary innocent people have close to zero chance when faced with the perhaps unexpected need to get an abortion.

The previously mentioned EFF statement on Roe vs Wade identifies a suite of solutions for individuals, companies, and lawmakers:

People should carefully review privacy settings on the services they use, turn off location services on apps that don’t need them, and use encrypted messaging services. Companies should protect users by allowing anonymous access, stopping behavioural tracking, strengthening data deletion policies, encrypting data in transit, enabling end-to-end message encryption by default, preventing location tracking, and ensuring that users get notice when their data is being sought. And state and federal policymakers must pass meaningful privacy legislation. All of these steps are needed to protect privacy, and all are long overdue.

In this particular case, strong and easily used end-to-end encryption would have prevented Facebook providing Messenger chats to law enforcement. Indeed, talking on the issue of abortion privacy Mark Zuckerberg identified deployment of end-to-end encryption as one step that Meta could take to protect people. Messenger is currently not end-to-end encrypted by default, although that is expected to be rolled out sometime in 2023.

End-to-end encryption, however, does nothing to protect devices from being seized, a potential trump card for law enforcement. Although modern devices provide strong on-device encryption, the law surrounding the compelled production of passcodes or biometrics is not settled and police are often allowed to compel decryption (even though various state courts have issued conflicting rulings). In the UK and Australia police can compel the production of decryption passwords via court order.

It's possible that tech companies may refuse to satisfy abortion-related law enforcement data requests, but they haven't yet indicated one way or another. On the one hand, they do push back on lawful requests at times, such as when they are overly broad. On the other hand, Andrew Crocker, senior staff attorney with the EFF, told NPR that when it comes to tech companies handling warrants for abortion investigations "there isn't a whole lot of room for them to pick and choose". Tech companies are also facing political headwinds and antitrust legislation. Nu Wexler, a former Facebook and Twitter communications manager, told The Washington Post "the political complication is that some of the companies don't want to antagonize state attorneys general who are involved in the antitrust cases".

The real problem here, left unmentioned in the EFF's statement, is that overturning Roe vs Wade rolled back abortion rights across many US states nearly immediately. What had been constitutionally protected for nearly 50 years was banned, in some cases within hours or days of the Supreme Court decision being announced. That's just terrible.

We think the measures the EFF argues for are sensible, good, and justified. But trying to deal with terrible lawmaking by improving information security and privacy practices is tackling symptoms rather than addressing the cause. You can't end-to-end encrypt your way out of coercive and authoritarian laws — you just protect yourself a little bit.

Cyber War Crimes are Not a Thing

The head of Ukraine's cyber security organisation, Victor Zhora, was at Black Hat 2022 to rally support for Ukraine and share information.

Some of Zhora's comments reinforced a concern this newsletter has held that the importance or impact of Russian cyber operations in Ukraine is being exaggerated. In July, for example, we were skeptical of the thin evidence behind Microsoft's claims that Russian forces had conducted integrated cyber and conventional operations in the invasion. Talking to CyberScoop, Zhora described Russian cyber attacks as "chaotic" and having an "absence of strategy", which makes us think our skepticism was justified.

Zhora also told Vice Motherboard that Russian cyber operations targeting civilian infrastructure were "cyber war crimes" that should be prosecuted by the International Criminal Court. With the caveat that we are not aware of the details of all Russian cyber operations, we don't think that any of them in isolation have yet reached the level of a war crime. In May we reported on the widespread formal condemnation of the Russian attack on the KA-SAT satellite communication system, but we pointed out that cyberspace isn't special and that unprovoked aggression is a problem wherever it occurs, writing:

The real problem with all these destructive cyber operations isn't the attacks themselves, it's that the whole war is unjustified, irresponsible, and illegal.

There may well be Russian cyber operations that are war crimes, or contributed to war crimes, and they absolutely should be prosecuted. But we don't think that talking about them in isolation as "cyber war crimes" is useful — cyber operations are just a standard part of warfare nowadays and we wouldn't talk about "air force war crimes" or "navy war crimes".

Three Reasons to be Cheerful this Week:

  1. Conti rewards ratchet up the pressure: The US State Department announced USD$10m rewards for five specific individuals associated with the Conti ransomware group. This comes on top of a previous reward announced in May that was seeking information "leading to the identification and/or location of any individual(s) who hold a key leadership position in the Conti ransomware variant transnational organised crime group". Interestingly, the US government also went on record that the group "likely have a connection to government entities inside of Russia".
  2. MFA for RubyGems: RubyGems now requires owners of Ruby packages with more than 180m total downloads to use multi-factor authentication (MFA). Risky Biz News has more detail on how MFA requirements have spread across PyPI, npm, NuGet and GitHub (and perhaps will spread further).
  3. Meta Testing E2E for Messenger: Meta has begun testing default end-to-end encryption for its Messenger app. It's been a long time coming.

Running a Global Vulnerability Management Program with Nucleus

Risky Business publishes sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors.

In our latest demo, Scott Kuffer shows Patrick Gray the ins and outs of Nucleus Security. Nucleus is a platform that ingests the scan outputs from a number of vulnerability identification tools, normalises that information and then allows vulnerability management teams to do things like assign responsibility for certain types of bugs to the correct people.

You can subscribe to our product demo page on YouTube here.

Hacking Twilio to hack Signal to hack a Journalist

Twilio, the messaging and voice automation company, was hacked via a phishing attack and data from 125 customers accessed. Signal was one of those affected customers. The attackers specifically searched for three users in particular, taking over the Signal account of at least one of those three, VICE journalist Lorenzo Franceschi-Bicchierai.

Franceschi-Bicchierai has written about the experience. The attackers used their Twilio access to register another device to take over his Signal account. They were then able to masquerade as Franceschi-Bicchierai on Signal for about 13 hours until he was able to get to the devices he uses for Signal and re-register his account. Signal's design is good though — even when accounts are stolen, attackers don't get access to previous messages or even contact lists. Franceschi-Bicchierai's advice is to turn on 'registration lock' in Signal, which would have prevented the attack.

Who else was targeted by the Twilio hackers? And on what other platforms?

Pen and Paper Foils Advanced Hackers

In August last year, we wrote about Russian state hackers targeting Department of Justice email systems in the SolarWinds campaign. In the last couple of weeks news has broken that there was a second, separate breach in the US federal court system dating back to early 2020. Apparently, the Department now keeps its most sensitive court documents on paper. So… that's what progress in cyber security looks like.

We Are The Good Guys, So We Didn’t Poison You

The Cl0p ransomware crew breached a UK water utility, South Staffordshire PLC, but then, apparently by accident, claimed to have breached Thames Water, a different water provider.

Cl0p also claimed:

We have spent months in the company system and saw first hand evidence of very bad practice. This company is all for money and not deliver reliable service. It is better to save one pound so management can make bonuses and stock price do well. They lost way when only concentration on finance.

Cl0p didn't ransomware the water provider, but instead tried to extort the company, because it is "not [a] political organisation and we do not attack critical infrastructure". Cl0p also claims "it would be easy to change chemical composition for their water but… we are not interested in causing harm to people".

Absolutely nothing here is reassuring.

From Risky Biz News:

Iron Tiger: Trend Micro and Sekoia published reports last week on the recent shenanigans of the Iron Tiger APT (also known as Emissary Panda, APT27, Bronze Union, and Luckymouse). The report details a supply chain attack on a chat application named MiMi, through which the group delivered versions of the HyperBro backdoor to infected users.

We noticed Iron Tiger controlling the servers hosting the app installers of MiMi, suggesting a supply chain attack. Further investigation showed that MiMi chat installers have been compromised to download and install HyperBro samples for the Windows platform and rshell samples for the Mac OS platform. While this was not the first time the technique was used, this latest development shows Iron Tiger's interest in compromising victims using the three major platforms: Windows, Linux, and macOS.

Is ransomware going after the Global South? Sure looks like it! A report published last week by the British think tank the Royal United Services Institute (RUSI) argues that ransomware gangs have increased their targeting of the Global South—countries in Latin America, Asia, Africa, and Oceania.

RUSI analysts argue that ransomware gangs shifted their targeting over the past year following a sharp response from US and European law enforcement agencies to a string of high-profile attacks that appear to have crossed a line, reaching a point where the ransomware problem had to be addressed. (continued)

SEC charges: The US Securities and Exchange Commission charged 18 individuals and corporate entities for their roles in a fraudulent scheme in which dozens of online retail brokerage accounts were hacked and used to purchase micro-stocks and manipulate their price and trading volume. According to the SEC, 31 brokerage accounts were hacked and abused in this scheme between late 2017 and early 2018, earning the hackers more than $1 million in illicit proceeds.