Why America Needs Its Own Salt Typhoon

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Rad Security.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

US Senator Mark Warner has floated an idea to deal with Salt Typhoon's compromise of US telecommunications networks, basically telling China: get out of our networks or we'll hack yours.

Essentially, Warner’s comments imply that the threat of US hacking could force an understanding between the two nations to stay out of each other's telcos. 

However, we believe the US would be better off just pulling the trigger on its own, similar campaign if it hasn't already. 

The NSA is almost certainly conducting targeted collection operations in Chinese networks, but Warner appears to be talking about a retaliatory campaign similar in nature and scale to Salt Typhoon.

Warner has apparently seen what it would cost to defensively remediate Salt Typhoon, and it's got him thinking. Speaking at the Munich Security Conference, he told reporters that the costs of evicting Salt Typhoon from US telcos would be very, very high. Per Politico:

Warner said that replacing aging and vulnerable networking equipment could cost the telecom companies tens of billions, while evicting the Chinese from every nook and cranny inside the nation's sprawling phone system could take "50,000 people and a complete shutdown of the network for 12 hours."

Instead, Warner thinks a more aggressive US hacking strategy is part of the solution:

…Warner said he now doesn't believe the U.S. can ever fully oust the elite, Beijing-backed hacking group from its telecommunications backbone without unleashing U.S. hackers inside China — or at least, credibly threatening to.
"Your diplomatic pushback on the Chinese would be a hell of a lot stronger," Warner said, if the U.S. could tell China, "We're going to go into your networks the exact same way you go into ours."

In other words: get out of our house or we'll break into yours.

We think, however, that in a world where China and the US run amok in each other's telcos, NSA would actually be better off than its Chinese counterparts. 

Indeed, the US Government has already mitigated some of Salt Typhoon's impact by publishing good advice, encouraging Americans to use end-to-end encrypted apps to protect themselves, including Signal, WhatsApp, iMessage, Threema, Wickr and Facebook Messenger. 

That kind of straightforward, practical advice isn't an option for the Chinese government, which prioritises internal security and surveillance over secure communications for its citizens. The upshot is that there are very few end-to-end encrypted messaging services available in China beyond Apple's iMessage (iPhones were 15% of new smartphone sales there last year), and the use of apps like Signal and WhatsApp is frowned upon.

In infosec-speak, the Chinese government has fewer compensating controls for telco pwnership. 

Resources aside, evicting Salt Typhoon will take time, so telcos will remain compromised for the foreseeable future. So… bring on the mutual hacking?

Meanwhile, Chinese Telco Hacking Is Still Wreaking Havoc

While we're on the topic, Salt Typhoon is still active and exploiting networks around the world, according to a new report. 

The report, from cybersecurity firm Recorded Future, says the group "has attempted to exploit over 1,000 internet-facing Cisco network devices worldwide, primarily those associated with telecommunications providers, using a combination of two privilege escalation vulnerabilities". 

These are known vulnerabilities in the web UI of Cisco IOS XE (CVE-2023-20198 and CVE-2023-20273), published and patched by Cisco in October 2023. Any device still exploitable in early 2025 had gone well over a year without the fix, and without the simpler mitigation of not exposing the web UI to the internet at all. 

Recorded Future says:

More than half of the Cisco devices targeted by RedMike [Recorded Future's name for the group] were in the US, South America, and India. The remaining devices spanned over 100 other countries. Although the selected devices are primarily associated with telecommunications providers, thirteen were linked to universities across Argentina, Bangladesh, Indonesia, Malaysia, Mexico, the Netherlands, Thailand, the US, and Vietnam. 

Salt Typhoon successfully compromised devices within the networks of US, Italian, South African and Thai telecommunications providers. 

The report notes Salt Typhoon is continuing its activities "despite significant media coverage and US sanctions". 

Samoa's CERT Calls Out APT40 

In a first for the Pacific nations, Samoa has called out China-backed hacking group APT40. It's a gutsy move as China is flexing its muscles in the region and more powerful countries like Australia have historically been reluctant to call them out on their own.

Dr Jessica Collins, a Pacific Islands expert at the Lowy Institute, told Seriously Risky Business that this was a first for a Pacific Island government.  

Dr Collins said the move was driven by Samoa's Prime Minister, Fiamē Mata'afa, who she described as a "regional leader" in addressing Chinese influence.

Although it doesn't mention China directly, an advisory from Samoa’s CERT (SamCERT) states APT40 is a "state-sponsored cyber group", and links to an international cybersecurity advisory and a US Department of Justice press release that associate the group with the Chinese Ministry of State Security.  

Mata'afa "led the [regional] trend to start rejecting China's risk-laden loans", Collins said, adding that "Fiamē is taking the lead for smaller Pacific states by standing up to this insidious [cyber espionage] problem".  

Samoa's advisory won't do much to deter China's cyber espionage as broad international coalitions have called out Chinese hacking behaviour without much apparent impact. 

Instead, the advisory is all about reaching out to regional partners and says "recent activity observed by SamCERT suggests the existence of campaigns specifically targeting networks hosted in the Blue Pacific." 'Blue Pacific' is a term that encompasses Pacific Island nations and their common interests. 

Bulletproof Zservers Is Having, Well, a Bad Time

International action against bulletproof hosting service Zservers is a first rate example of how offensive cyber operations can complement more traditional government measures such as sanctions and asset seizures in the fight against cybercrime. 

(Bulletproof hosting services don't respond to abuse reports or takedown requests and are often used to host illegal or malicious content.)

Last week, the US, UK and Australian governments announced sanctions against Zservers, and Dutch police seized 127 of the company's servers from a data center in Amsterdam. These measures complemented an Australian Signals Directorate (ASD) cyber operation to delete data from servers in the Russian city of Barnaul, in Western Siberia, as reported in The Sydney Morning Herald.

The ASD targeted Zservers because it was used to host data stolen from Medibank Private in perhaps Australia's highest-profile data extortion attack. The person responsible for that hack, later identified as Alexander Ermakov, tried to intimidate Medibank into paying a ransom by leaking patient data. 

The more appalling releases included a file 'abortions.csv' that contained claims made by policyholders in relation to pregnancy terminations and miscarriages, and another called 'boozy.csv' containing details of alcoholism-related treatment. 

This led to an Australian Government standing operation "to investigate, target and disrupt cyber criminal syndicates with a priority on ransomware threat groups", said Clare O'Neil, Australia's Cyber Security Minister at the time. 

Zservers was a multi-million dollar business with more than AUD$2 million in revenue over the last year and ASD dug deep into the operation. Per The Sydney Morning Herald:  

While directorate analysts under [Georgina] Fuller, [in charge of countering cybercrime at ASD] probed ZServers' systems, its linguists and behavioural psychologists began to profile the five Russians behind the company. "That process takes weeks, months, and in this case, sometimes years," Fuller says. "But the point is that by the end of it, we're very, very certain that we've got the right people, and we understand everything about them. We know where their weak points are, we know where they’re most vulnerable."

Hilariously, ASD says it deleted data from Zservers when five employees of the firm were out drinking so that it would be harder for them to respond. 

Without being explicit, the Herald's reporting implies that ASD has wiped out more than one bulletproof hosting service:

"In order to make sure that we're not playing a game of whack-a-mole, we're actually moving up into the [cyber criminal's] critical infrastructure," [ASD Director-General Abigail] Bradshaw says. The agency has deleted 250 terabytes of stolen information held by so-called bulletproof hosting services.

For us, there are two good news stories here. Firstly, it is great to see cyber operations being used to complement other instruments of state power to achieve greater impact. Wiping servers is good, but combining it with doxxing, asset seizures and sanctions is far better. 

Secondly, it is good to see public reporting on these kinds of operations. Although the innate tendency of intelligence agencies is to keep secrets, this is a body of work that actually benefits from some openness because it sends a message. 

Let's hope we hear about more combined operations taking down criminal enterprises. 

Watch Patrick Gray and Tom Uren discuss this edition of the newsletter:

Three Reasons to Be Cheerful This Week:

  1. Japan getting active in cyber defence: Earlier this month the Japanese government approved draft 'active cyber defense' legislation that would introduce a range of measures to strengthen the country's defensive capabilities. These include allowing authorities to carry out operations designed to thwart potential attacks before they occur, and a new vice-ministerial post in charge of cyber security. 
  2. Thousands rescued from scam compounds: Thai Prime Minister Paetongtarn Shinawatra announced on Wednesday that 7,000 people had been rescued from scam compounds in Myanmar. 
  3. Spyware company outed by Google shuts down: Variston, a Barcelona-based spyware company, has reportedly shut down. We first wrote about Variston back in 2022 after Google had published details about its exploitation framework. Former Variston employees told TechCrunch last year that this publicity had made life difficult for the firm and had resulted in an exodus of staff.  

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Jimmy Mesta, CTO and Co-Founder of Rad Security (formerly KSOC). Jimmy talks about how companies adopting new AI-based technologies may accidentally expose their infrastructure and data to new threats.

Shorts

Trump Cuts CISA Staff

Politico has covered large potential cuts to the US Cybersecurity and Infrastructure Security Agency (CISA) workforce. Staff cuts across government have focussed on probationary staff, on the assumption that they are the least experienced. But newer staff at CISA aren't necessarily lacking experience, as the agency has been on a hiring drive to recruit top talent.

Not good at all.  

Russia Turbocharges Campaigns With Device Code Phishing

Russian threat actors are successfully using 'device code phishing', which abuses the legitimate OAuth 2.0 device authorization flow ('device code authentication'), in spear-phishing attacks to gain access to Microsoft 365 accounts, according to reports from Microsoft and security firm Volexity.

Volexity says that although the technique is not new, it's bloody effective:

Volexity's visibility into targeted attacks indicates this particular method has been far more effective than the combined effort of years of other social-engineering and spear-phishing attacks conducted by the same (or similar) threat actors. It appears that these Russian threat actors have made a concerted effort to launch several campaigns against organizations with a goal of simultaneously abusing this method before the targets catch on and implement countermeasures. 

The technique takes advantage of an authentication flow designed for printers, smart TVs or other input-constrained devices. In legitimate login flows, the constrained device requests a short user code from the identity provider and displays it; the user enters that code into a sign-in page in a browser on a separate device and approves the request. The constrained device, which has been polling the identity provider in the meantime, is then issued access and refresh tokens for the user's account.  

When used maliciously, a threat actor generates a legitimate device code, provides it to the target and tricks them into logging into a legitimate sign-in page using the code. The actor is then granted authentication tokens that it can use to pillage the target's account.  

Device code phishing steps, Source: Microsoft

After establishing rapport, the attacker tries to trick targets into authenticating by making the device code authentication request look like a messaging service such as a Microsoft Teams chat login. 

The technique is hard to detect because the code and the sign-in page are both genuine, and because it isn't a typical workflow, users might not recognise it as phishing. 

The good news is that most organisations don't need device code authentication, so it can be blocked by default (in Microsoft Entra, a Conditional Access policy can target the device code flow specifically). Sign-in logs also record which authentication flow was used, so any residual use can be audited.
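The audit check described above, as an added example that is not part of the original newsletter or of the Microsoft or Volexity reports. It assumes the `authenticationProtocol` field that Microsoft Graph exposes on sign-in records (value `deviceCode` for this flow) and runs over a handful of constructed sample records; real exports carry many more fields. Severity is raised when a successful device-code sign-in comes from a country the user has never signed in from by any other method, since an attacker's polling host, not the victim's browser, is what receives the tokens.

```python
"""Flag device-code sign-ins in Microsoft Entra sign-in log records.

Added example. The record shape below is a subset of the Graph `signIn`
resource (userPrincipalName, ipAddress, authenticationProtocol,
appDisplayName, status.errorCode, location.countryOrRegion). The records
themselves are constructed for illustration, not real log data.
"""
import json
from collections import defaultdict

# Constructed sample export: one normal sign-in per user, then three
# device-code sign-ins of varying suspiciousness.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2025-02-12T09:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "AU"}},
    {"createdDateTime": "2025-02-12T09:10:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "203.0.113.11", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Outlook", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "AU"}},
    # Successful device-code sign-in from a country alice has never used: high.
    {"createdDateTime": "2025-02-12T09:40:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "NL"}},
    # Failed device-code attempt (e.g. the victim did not complete it): low.
    {"createdDateTime": "2025-02-12T10:05:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126},
     "location": {"countryOrRegion": "NL"}},
    # Successful device-code sign-in from carol's usual country: still worth
    # a look if the org does not use the flow, so medium.
    {"createdDateTime": "2025-02-12T10:30:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "203.0.113.11", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "AU"}},
])


def load_signins(raw: str) -> list[dict]:
    """Parse a JSON array of sign-in records."""
    return json.loads(raw)


def build_baseline(records: list[dict]) -> dict[str, set[str]]:
    """Countries each user has successfully signed in from via any non-device-code flow.

    Device-code sign-ins are deliberately excluded so a phished session
    cannot launder itself into the baseline.
    """
    baseline: dict[str, set[str]] = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") == "deviceCode":
            continue
        if r["status"]["errorCode"] != 0:
            continue
        baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    return baseline


def find_device_code_signins(records: list[dict], baseline: dict[str, set[str]]) -> list[dict]:
    """Return one alert per device-code sign-in, with a severity.

    high:   successful and from a country absent from the user's baseline
    medium: successful from a known country (flow should still be unused)
    low:    unsuccessful attempt; a lure may be in progress against this user
    """
    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user = r["userPrincipalName"]
        country = r["location"]["countryOrRegion"]
        success = r["status"]["errorCode"] == 0
        novel_country = country not in baseline.get(user, set())
        if success and novel_country:
            severity = "high"
        elif success:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({
            "time": r["createdDateTime"], "user": user, "ip": r["ipAddress"],
            "country": country, "app": r.get("appDisplayName"),
            "success": success, "severity": severity,
        })
    return alerts


def run(raw: str = SAMPLE_SIGNINS) -> list[dict]:
    """Convenience entry point: parse, baseline, then flag."""
    records = load_signins(raw)
    return find_device_code_signins(records, build_baseline(records))


if __name__ == "__main__":
    for a in run():
        print(f"[{a['severity']:6}] {a['time']} {a['user']} from {a['ip']} ({a['country']}) success={a['success']}")
```

On a real tenant the same logic runs over a `signIns` export filtered to the last 15 minutes or so, which is also roughly how long an issued device code stays valid before the attacker has to generate a new one and restart the lure; any hit in an organisation that has blocked the flow by policy is by definition an anomaly.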

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about the United States' Vulnerabilities Equities Process, which balances the need for intelligence collection with the need to protect the public. The government recently revealed that in 2023 it released 39 vulnerabilities, but what does this really tell us? 

Or watch it on YouTube!

From Risky Biz News:

It's probably not a good idea to pay RansomHub: A recent CISA report and a series of tweets from Equinix threat intel analyst Will Thomas made me realize that quite a few infosec and adjacent cybersecurity experts are not fully aware that paying ransoms to a rising ransomware crew named RansomHub carries quite a high risk of breaking US sanctions.

The group launched in February 2024, when it started advertising its Ransomware-as-a-Service offering in underground hacking forums.

[more on Risky Business News, including RansomHub's rise and how its ransomware now appears to be used by the sanctioned cybercrime cartel EvilCorp]

Sandworm deploys Tor nodes on hacked networks: A unit inside Russia's Sandworm espionage group is hacking networks and deploying webshells and backdoors as part of a large initial access campaign. Some of the intrusions stand out because of a new command and control (C&C) method called ShadowLink. The technique involves installing a Tor hidden service on a compromised host and assigning each host a unique Tor onion address. Microsoft says the ShadowLink technique allows Sandworm to create a secret tunnel to the host with minimal opportunity for detection.

Cloudflare blocked in Spain on the weekends: Spanish internet service providers have started blocking access to some Cloudflare IP addresses on weekends. The blocks were put in place this month after Spain's soccer league won a lawsuit against Cloudflare for hosting pirate streaming sites. According to reports in local media, the blocks are indirectly blocking access to many legitimate websites, including GitHub, Reddit, and many private Spanish businesses. [Additional coverage in El Pais/English coverage in TorrentFreak]