Why Iran’s Attack on Albania Cannot Go Unchecked

PLUS: When Data Governance Meets National Security

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation and founding corporate sponsor Proofpoint.

Just two days after Albania severed diplomatic relations with Iran because of a mid-July cyber attack, Albania has again been hit by a major cyber attack. Albanian officials are blaming Iran again, saying the attack was carried out "by the same hand".

Risky Business News has excellent coverage of the mid-July attack, its consequences, attribution, and the history of the MEK Iranian opposition party in Albania. The presence of the MEK in Albania appears to be the underlying motivation behind the attack:

Both Mandiant and Microsoft say the Iranian attack is directly connected to the Albanian government harboring thousands of Iranian dissidents part of an exiled opposition party named the People's Mujahideen Organization of Iran, also known as Mujahideen-e-Khalq, or MEK.

The group found shelter in Albania in 2016, at the request of the US government, after the Iranian regime declared the group a terrorist organization and started hunting its members.

On the same day that Albania severed diplomatic relations, the US government issued a statement in support that also blamed Iran and spelled out a rationale for responding forcefully:

We have concluded that the Government of Iran conducted this reckless and irresponsible cyberattack and that it is responsible for subsequent hack and leak operations.

Iran’s conduct disregards norms of responsible peacetime State behaviour in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public. Albania views impacted government networks as critical infrastructure. Malicious cyber activity by a State that intentionally damages critical infrastructure or otherwise impairs its use and operation to provide services to the public can have cascading domestic, regional, and global effects; pose an elevated risk of harm to the population; and may lead to escalation and conflict.

The US statement also promised "the United States will take further action to hold Iran accountable". The EU, NATO member states and other international partners (aka Israel and Saudi Arabia, lol) also issued statements condemning Iran's behaviour.

Just two days later a second attack on Albanian systems occurred. Per Risky Business News:

The attack took place on Friday, September 9, and hit TIMS (Total Information Management System), an IT platform belonging to Albania's Ministry of Interior used to keep track of people entering and leaving the country.

Six border crossing points were impacted and experienced border crossing stoppages and delays for at least two days until the TIMS platform was restored, according to a series of tweets from Albania's Minister of the Interior, Bledi Chuchi.

So far no independent sources have confirmed Albania's attribution of this attack to Iran.

On the same day as the second attack, on Friday, September 9, the US Treasury sanctioned the Iranian Ministry of Intelligence and its Minister of Intelligence "for engaging in cyber-enabled activities against the United States and its allies". Further US action occurred today in the form of coordinated indictments, further sanctions and updated CISA Alerts.

Speaking to us before this second round of US actions, Chris Painter, the US's former top cyber diplomat, told Seriously Risky Business that past US responses may not have been as "concrete, swift and strong" as they had needed to be and the quick sanction action in this case was a "good move". Painter also views Albania's reaction as significant, as it is the first time that a state has responded so strongly to a cyber attack.

Iran's Embassy to the EU issued a statement in which it accused NATO of hypocrisy for ignoring cyber attacks against Iran, presumably referring to Stuxnet and more recent Predatory Sparrow attacks.

To be clear, Iran has been subject to destructive cyber attacks, but the context surrounding these attacks is very different.

Jason Brodsky, policy director at United Against Nuclear Iran, told Seriously Risky Business that the Stuxnet attack was justified because the Iranian nuclear program had "advanced to such a state… beyond any plausible civilian justification". Brodsky agreed that there had been attacks on Iranian rail and fuel infrastructure in the case of the (likely) Israeli-led Predatory Sparrow campaign, "but viewing these operations in the context of the chain of attacks which triggered them is important". In other words, you reap what you sow.

"Iran has also been actively seeking to harm civilians in its cyberattacks — with the attempted operation against Boston Children's Hospital, which the FBI director called one of the most despicable he had ever seen in June 2021. That is not to mention attacks on Israel's water infrastructure which could have poisoned innocent Israelis. The cyberattacks targeting Iran do not even come close to those operations."

Both Painter and Brodsky conceded that the levers available today that could apply pressure to Iran's cyber operations are somewhat limited because of the ongoing efforts to restrain Iran's nuclear program. The argument that torpedoing ongoing nuclear negotiations between Iran and the West in response to a cyber attack on Albania would be throwing the baby out with the bathwater has merit.

But Painter and Brodsky both think there's at least some room to move.

Painter describes it succinctly: while he doesn't want to die in a nuclear fireball and Iran's nuclear program is the higher priority, the US government can both prioritise and creatively investigate other options.

Brodsky also points out that while Iran's Ministry of Intelligence (MOIS) has already been sanctioned for other stuff, the new sanctions on MOIS and its minister were "piecemeal". The EU and UK could also apply sanctions pressure.

It's important to ratchet up the pressure here. We don't want a world where states feel emboldened to launch attacks on critical government and civilian infrastructure willy-nilly. The response to this event — from both sides — will be important to watch.

When Data Governance Meets National Security

On Tuesday, Pieter "Mudge" Zatko appeared before the US Senate's Judiciary Committee and testified about Twitter's alleged security failings. We've previously reported on aspects of Mudge's whistleblowing that seem downright weird. Some of his complaints look absolutely groundless, others have been disputed.

However, we're very interested in what he has to say about its poor data governance, the overprovisioning of privileged access within the company and the espionage opportunities those things afford foreign adversaries.

That's a problem that intersects with national security risk in a major way.

At heart, Mudge believes that Twitter's security problems stem from very poor data governance, which then means that engineers need overly broad access to data and systems. In his Senate testimony, he said:

"[Twitter] don't know what data they have, where it lives, or where it came from and so, unsurprisingly, they can't protect it. This leads to the second problem, which is the employees then have to have too much access to too much data in too many systems."

This creates an environment that is ripe for exploitation by foreign intelligence services. Mudge says that if intelligence agencies "are not placing foreign agents inside Twitter — because it is very difficult to detect them, it is very valuable to a foreign agent to be inside there… they are most likely not doing [their] job".

Mudge believes with "high probability" that there is an individual working for the Indian government on Twitter's payroll. Additionally, in the week before his dismissal, Mudge alleges the FBI told Twitter's security team there was "at least one agent" from China’s Ministry of State Security working there.

At least one agent has been caught — in August this year a former Twitter employee was found guilty of accepting bribes from Saudi Arabian officials. In return for money and gifts the employee monitored Saudi Arabian dissidents and handed over their personal information.

There are multiple reasons that other governments would be interested in access to Twitter data. The Saudi government was interested in learning about dissidents, possibly to persecute them. A well-placed source at a company like Twitter can look up non-public user information that unmasks the true identities of account holders.

The type of information available could also be used for intelligence gathering about all sorts of people, not just dissidents.

Mudge's testimony exposes the lack of incentives for executives at social media firms to tackle foreign espionage. He claims that when he approached a Twitter executive with concerns that he was "confident we have a foreign agent", they replied "well, since we already have one, what is the problem if we have more? Let's keep growing the office."

We wonder if this was said in jest, but still, how much is the "public good" of national security worth to private companies? Without some sort of regulatory obligation to tighten internal controls — at great expense — why would they? Twitter loses money. Convincing a board to spend money to remediate security issues that investors are unlikely to give a hoot about is an exercise in pushing the proverbial muck up the hill.

Federal privacy and data protection rules will help, but they aren't focused at all on the internal management of big tech companies. They'll do more good reining in the unconstrained adtech and data broker ecosystem.

Mudge's testimony has managed to motivate politicians across the political spectrum to search for a solution. Bloomberg reports that it has managed to get Republican Lindsey Graham and progressive Democrat Elizabeth Warren working together:

The two senators are working on a bill to create a new federal regulator to oversee big tech, Graham told reporters after the hearing. He proposed licensing companies like Twitter, saying while they might not worry about paying a fine of $150 million, "they could worry about losing their license." Graham and Warren haven’t reached agreement on the details, according to a congressional aide.

Graham said such an agency should force companies to harden their platforms against foreign interference, be more responsible with user data and provide an appeals process for content moderation decisions. He said new rules should "create a consequence for these organisations, give them an incentive to do better."

In a perfect world a licensing scheme could work, but it's not a perfect world. The next Donald Trump will pull the licence revocation lever faster than you can say covfefe.

There is a clear case, however, for a robust oversight regime that requires big tech companies such as Twitter to invest in user data security and protection against foreign infiltration. Companies underinvest in these "public goods" because they don't see financial returns — and this is exactly where government regulation should apply.

Three Reasons to be Cheerful this Week:

  1. Lockdown mode, safety check and Passkeys: iOS 16, Apple's latest iPhone operating system, has been released and includes very significant security advances. Lockdown mode is aimed at the small number of people specifically targeted with advanced spyware and disables features to reduce attack surface. Safety check makes it easier for victims of domestic abuse to manage permissions and sharing. Perhaps most significantly, Passkeys, Apple's version of WebAuthn, effectively turns iPhones into FIDO security devices and lets users log onto sites without using passwords.
  2. Cryptocurrency recovered from North Korean hack: The US government recovered USD$30m worth of cryptocurrency stolen by North Korea in the Axie Infinity hack, about 10% of the stolen funds. Blockchain analytics company Chainalysis says this is the first time any funds have been recovered after a North Korea-linked hack. Its report contains fascinating detail about how funds can be traced even though North Korea used both mixers and cross-cryptocurrency bridges to try to obscure the funds' source.
  3. Rewards for Justice bears fruit: The relatively new US government practice of offering large rewards for information leading to cyber criminal leadership is paying off. We hope we learn more about the successes of the program.

Healthcare Cyber Attacks Endanger Patients

A Ponemon Institute report sponsored by Proofpoint studies the effect of cyber security threats on healthcare costs and patient care.

Ransomware gets all the attention, but it wasn't rated as all that much more disruptive than other types of attacks such as supply chain disruption, BEC and even cloud compromises. These types of incidents all affect patient care with up to a fifth of respondents saying they affect patient mortality rate.

The report is available here.

Analysing Files to Identify Threats with Stairwell's Inception Platform

Risky Business publishes sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors. You can subscribe to our product demo page on YouTube here.

In our latest demo, Mike Wiacek shows Patrick Gray how to hunt down and triage suspicious files within your enterprise using Stairwell's file analysis and threat detection platform.


Examining Ronald Pelton, NSA's Second Worst Traitor

Jacob Silverman has published an excellent deep dive into Ronald Pelton, an NSA traitor who sold secrets to the Soviet Union and who passed away this month:

More than seven years ago, I started researching the story of Ronald William Pelton, an NSA cryptanalyst who, after leaving the agency in 1979, fell into destitution, sold government secrets to the Soviets, was arrested, and served 30 years in prison. Although he fell into obscurity, many consider him the worst traitor in NSA history, and he remains a key figure in the Year of the Spy, the period around 1985 when a number of US government employees were unmasked as foreign agents.

Among other things, Pelton was responsible for compromising Operation Ivy Bells, a 1970s program to tap undersea submarine cables in Soviet territorial waters. These cables in the Sea of Okhotsk carried military communications from the Soviet naval base in Petropavlovsk on the Kamchatka peninsula to Vladivostok in the Russian Far East.

The article is a must-read for anyone interested in the history of international espionage.

Next Steps for Tornado Cash Users

The US Treasury Department's Office of Foreign Assets Control has issued guidance on how US persons can withdraw their funds from Tornado Cash. Axios has a good summary of the process, which involves applying for a licence.

Patreon Fires Its Security Team

Creator crowdfunding platform Patreon has laid off five security staff, which Emily Metcalfe, a (now) former senior security engineer there, claims is Patreon's entire security team, writing on LinkedIn: "So for better or worse, I and the rest of the Patreon Security Team are no longer with the company". A Patreon representative told CyberScoop "as part of a strategic shift of a portion of our security program, we have parted ways with five employees". It's not clear to us what is going on here, but we don't see how it can end well.

From Risky Biz News:

Iranian hackers sure love their social engineering: Three reports have been published over the past week on the recent activities of an Iranian cyber-espionage crew tracked under codenames such as Charming Kitten (Certfa Labs), APT42 (Mandiant), and TA453 (Proofpoint).

The common thread in all these reports is the group's dedication to the art of social engineering when going after their targets, something that is rarely seen among the arsenal of most other APT groups—maybe with the exception of some North Korean crews, and specifically those going after banks and cryptocurrency exchanges. (continued)