Cyberweekly #60 - Is it Cyberwar or Cyberespionage?

Published on Saturday, July 13, 2019

The shift in policy of moving the reins of power of offensive cyber from intelligence organisations like the NSA or GCHQ over to military organisations like the US CyberCommand or the Ministry of Defence is an interesting one.

The military has always claimed that Cyber is the fifth domain of warfare (the others being Land, Sea, Air and Space). Interestingly the russian doctrine uses a word that is closer to Information rather than our use of Cyber, to mean the same thing, and this might be why Russia is so much more advanced in disinformation tactics than the west.

I find this move of power (which happened years ago, but is coming to the fore now), deeply worrying. Regardless of your views on espionage and spying agencies, one of the advantages of espionage driven cyber campaigns is that it is an extension of diplomatic soft power around the world. Countries generally don't want to be caught spying on each other, even if it's an open secret that they do. It's undiplomatic to accuse another country of spying without solid evidence, and shaming to be caught.

This means that cyber operations under a diplomatic arm are designed not to inspire awe, shock and fear, but to gather intelligence, to stay quiet and to very deniably damage an adversary countries ability to conduct offensive missions. It encourages restraint and caution in the operations conducted and the doctrine behind it.

However military commands have almost always been more about hard power, and the inspiration of shock and awe. To quote Tony Stark, "the best weapon is not one you don't have to use, but one you only ever have to use once". Offensive cyber missions with this doctorine are likely to take on a far different cast to them, one that is difficult to achieve on a global, distributed system like the internet. How is it possible to claim and demonstrate your complete and unabiding power without affecting a global marketplace of businesses? How much do military commands care about the impact on the governance and structure of the internet itself?

These are questions that I hope are being asked and answered within CyberCommand structures around the world, but as I've said before, the asymmetry of cyberweapons is quite astounding. It's entirely possible for a nation to build highly capable offensive capabilities without the requisite defensive capabilities, and leads to arms races. Additionally, it's entirely possible to have, own and operate cyber weapons of various forms without needing to understand the technicalities of the battleground on which they will be used, without needing to know what the internet actually is or how it works.

These are the thoughts that keep me up at night far more than worries about meeting software turning on my webcam (but more on that next week!)

    Bad News

    https://getbadnews.com/#intro

    In Bad News, you take on the role of fake news-monger. Drop all pretense of ethics and choose a path that builds your persona as an unscrupulous media magnate. But keep an eye on your ‘followers’ and ‘credibility’ meters. Your task is to get as many followers as you can while slowly building up fake credibility as a news site. But watch out: you lose if you tell obvious lies or disappoint your supporters!

    This is a lovely educational bit of gaming that teaches people about disinformation tactics online without taking a specific left or right leaning political view.

    I got a highscore of 11,764 followers, see if you can beat me!

    TikTok Stars Are Preparing to Take Over the Internet

    https://www.theatlantic.com/technology/archive/2019/07/tiktok-stars-are-preparing-take-over-internet/593878/

    VidCon was founded 10 years ago by YouTubers to highlight the platform’s content creators, and over the past decade, many of them have seen their careers transformed by the event. It’s where brand deals are negotiated and crucial collaborations are planned. But this year, the platform everyone is talking about isn’t YouTube—it’s TikTok.

    TikTok, which boomed in China before entering the U.S. market in August, allows users to upload and edit 15-second videos, usually set to catchy music or voice-overs. The videos are fun and silly, and watching them feels like taking a break from the broader, toxic world of social media. In one video, a teen does a viral dance with traffic cones fitted to his legs. In another, a stream of puppies tumble over one another to the beat of an EDM song. Less than a year after its U.S. launch, the platform is poised to dominate the American social-media landscape and upend the creator ecosystem.

    TikTok is the biggest platform you've probably never heard of. Bigger in active users than Instagram and the third most downloaded app on the Appstore after WhatsApp and Facebook Messenger.

    Because of its userbase and the style of creators on it, it's a joyful place mostly, with funny, cute or inspiring content being created all the time. But as brands and adults move into the system, we'll see the darker side of society move in, from fraud through to online abuse, and we don't know how TikTok will scale to cope with those changes.

    Revealed: This Is Palantir’s Top-Secret User Manual for Cops - VICE

    https://www.vice.com/en_us/article/9kx4z8/revealed-this-is-palantirs-top-secret-user-manual-for-cops

    The Palantir user guide shows that police can start with almost no information about a person of interest and instantly know extremely intimate details about their lives. The capabilities are staggering, according to the guide: [...] All of this information is aggregated and synthesized in a way that gives law enforcement nearly omniscient knowledge over any suspect they decide to surveil.

    (Joel) Palantir specialises in big data analysis. While Palantir Gotham has been relatively documented for some time this the exposure of the user manual (for what appears to be Californian law enforcement) provides an eye opening insight into the power of such data gathering and correlation.

    Turning just a name into email addresses, phone numbers, current/previous addresses, bank accounts, social security number(s), business/family relationships and biometrics (height, weight, eye colour etc) will certainly pique privacy and civil liberty interests.

    Apple disables Walkie Talkie app due to vulnerability that could allow iPhone eavesdropping | TechCrunch

    https://techcrunch.com/2019/07/10/apple-disables-walkie-talkie-app-due-to-vulnerability-that-could-allow-iphone-eavesdropping/

    Apple has disabled the Apple Watch Walkie Talkie app due to an unspecified vulnerability that could allow a person to listen to another customer’s iPhone without consent, the company told TechCrunch this evening.

    Apple has apologized for the bug and for the inconvenience of being unable to use the feature while a fix is made.

    The Walkie Talkie app on Apple Watch allows two users who have accepted an invite from each other to receive audio chats via a “push to talk” interface reminiscent of the PTT buttons on older cell phones.

    I think the biggest shock here is that anybody uses this mode. I've got an Apple watch and many people in tech do, and I've never seen it being used apart from people who just bought their watch and are experimenting.

    There's no evidence yet that the bug has been exploited in the wild anywhere.

    The Model Estonian Soldier Who Spied for Russia - The Atlantic

    https://www.theatlantic.com/international/archive/2019/06/estonia-russia-deniss-metsavas-spy/592417/

    Metsavas thought they were playing amateur hour. “You could find that stuff on the internet very easily,” he told me. He was offered a small sum of money that his interlocutors said were to cover his expenses, and went back home.

    That first exchange had felt innocuous; even though a tentative plan had been set to meet again the following December, Metsavas said he still didn’t feel like a spy. And yet the table had been set. He had accepted money for information—“That was the first step,” he told me—and met the man who would be his handler for the years to come, Anton. Throughout the conversation, the Russians he spoke with peppered their discussions with questions about Metsavas’s family, querying whether his mother’s flower business was doing well and asking after his father’s health. “They never said obviously that something could happen to my parents if I didn’t cooperate,” Metsavas said, “but I understood it that way.”

    This is how it starts, just handing over information that you don't think is sensitive or interesting for money. But once it's started, it's hard to go back or stop.

    I first wrote about this case back in April in Cyber Weekly 48 because this story was featured in the Estonian Internal Security Service Annual Review. At the time I thought it was a fascinating insight into how espionage systems work to get people to betray secrets, and this interview just gives us more insight into the background and how it worked.

    Ryuk, Ryuk, Ryuk: Georgia’s courts hit by ransomware | Ars Technica

    https://arstechnica.com/information-technology/2019/07/ryuk-ryuk-ryuk-georgias-courts-hit-by-ransomware/

    Georgia's Judicial Council and Administrative Office of the Courts is the victim of the latest ransomware attack against state and local agencies. And this looks like the same type of attack that took down the systems of at least two Florida municipal governments in June.

    Administrative Office of the Courts spokesman Bruce Shaw confirmed the ransomware attack to Atlanta's Channel 11 News. The Administrative Office of the Courts' website is currently offline.

    Shaw told 11 News that some systems had not been affected by the ransomware but that all systems connected to the network had been taken offline to prevent the ransomware from spreading. The Courts' IT department was in contact with "external agencies" to coordinate a response to the attack, Shaw said.

    RYUK continues to spread, and we mostly continue to hear about it from public systems. This is a good indicator of the resilience of our national infrastructure.

    I've still seen no good evidence on the patient-zero infection vector for RYUK infections, but the good money is on traditional malware by email, with reasonable connections made with Emotet and Trickbot malware variants infecting target machines, spreading through the network and then downloading the RYUK ransomware only once the network is thoroughly infected

    US defense contractor falls for $3 million email scam — Quartz

    https://qz.com/1661537/us-defense-contractor-falls-for-3-million-email-scam/

    Zooming in on any official-looking seals included in the document may look fine at normal size but can sometimes expose a bad Photoshop job—indicative of a scam.

    In the example Wayne provided, enlarging the seal reveals heavy pixelation and rough, choppy edges

    This scam was a pretty well run scam. Based on the fact that they requested highly classified items for which there aren't good public records, is an indication that they had good information, probably passed to them by an intelligence service of some form.

    However, this defense is a ridiculous defence. I deal with around 3 purchase orders a month, and I have never once zoomed in on a logo to see whether it's pixelated at the edges. I can't imagine that someone in Government procurement who deals with thousands of orders a month is ever going to do this.

    But even if they did (and they wont), I've seen government departments send out official letters with plurry 72x7x pixel thumbnails printed in them, and I've received emails from people with giant 700kb images attached of print quality government department logos. People don't really understand images and really don't understand the different formats or when to use the right one, so as a detective technique it feels like it lacks any connection with reality.

    Iran-linked APT33 Shakes Up Cyberespionage Tactics | Threatpost

    https://threatpost.com/iranian-apt33-shakes-up-cyberespionage-tactics/146041/

    The infrastructure overhaul stems from a March 2019 Symantec report exposing the group’s wide-ranging infrastructure and cyberespionage efforts, including a three-year campaign against multiple firms in Saudi Arabia and the United States. In a report released Wednesday, Recorded Future researchers said that, days after the March report went live, they observed APT33 had reassigned its key domain infrastructure and starting using a new remote access trojan (RAT) not previously associated with the group.

    “Interestingly, while the Symantec research noted APT33’s use of Nanocore, njRAT was not mentioned, which indicates a previously unknown addition to the group’s ever-expanding repertoire of commodity malware,” said Recorded Future researchers on Wednesday. “The fact that this activity was executed just a day or so after the report went live suggests the Iranian threat actors are acutely aware of the media coverage of their activities and are resourceful enough to be able to react in a quick manner.”

    With the background of the political turmoil in the middle east, we see changing tactics by some of the players. APT33 is generally linked to Iran, and this behaviour is a clear sign that not only are they a determined cyber team, they are highly capable and agile, with the ability to change tactics as they get discovered and to deploy new tools and new processes fairly quickly.

    Talos Blog || Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques

    https://blog.talosintelligence.com/2019/07/sea-turtle-keeps-on-swimming.html#more

    This new technique once again involved modifying the target domain's name server records to point legitimate users to the actor-controlled server. In this case, the actor-controlled name server and the hijacked hostnames would both resolve to the same IP address for a short period of time, typically less than 24 hours. In both observed cases, one of the hijacked hostnames would reference an email service and the threat actors would presumably harvest user credentials. One aspect of this technique that makes it extremely difficult to track is that the actor-controlled name servers were not used across multiple targets — meaning that every entity hijacked with this technique had its own dedicated name server hostname and its own dedicated IP address. Whereas previously reported name server domains such as ns1[.]intersecdns[.]com were used to target multiple organizations.

    SeaTurtle is sometimes known as APT34, and has been linked to Iran in a similar but different manner to APT33. Countries having mutliple cyber offensive forces with very different purposes is normal, and despite the split investment, does allow for different targeting mechanisms as well as making it harder to shut them down.

    SeaTurtle has been behind a lot of DNS attacks over the last year, as outlined by Talos Group, and continues to iterate on that behaviour. The interesting thing about DNS is that pretty much everyone relies on it the same way, so it doesn't matter if you are a small business, an individual, a large corporation or an intelligence agency, there's a good probability that taking over your nameservers will give them the ability to control how your external staff can access your systems.

    Iranian Hackers Launch a New US-Targeted Campaign as Tensions Mount | WIRED

    https://www.wired.com/story/iran-hackers-us-phishing-tensions/

    CrowdStrike's vice president of intelligence Adam Meyers points out that the economic focus of the job lure suggests that the Iranian hackers may be trying to learn more about the Trump administration's intentions around its trade sanctions against Iran, rather than any more aggressive cyberattack preparation. But he doesn't discount that, given the right target of opportunity, it might later pivot to more destructive sabotage. "I think this is probably intelligence collection. But any time they’re going to engage in that collection there’s the possibility it could be preparation for other operations," Meyers says. "Depending on what you get back you make an assessment. You say 'this is a good target, we could do something with this.'"

    Dragos analyst Joe Slowik notes that even if APT33 is planting mines for a data-destroying operation, it may not actually detonate them unless the conflict between Iran and the deteriorates further. "When the shit hits the fan, you can't turn on a dime and say 'I need cyber now,'" Slowik says. "So it may be related to having that strategic flexibility in the future with no immediate intention to be disruptive or destructive," Slowik says. "When you see tensions start to rise, the need to flesh out that access is going to increase in tandem."

    The background of tension creates opportunities, and as outlined in a link further down, APT33 is showing that it is capable on an international level of going, if not toe-to-toe, at least tit-for-tat with the US in a cyber domain. While attribution is still hard, it's pretty clear that things are tense and that APT33 is ramping up its efforts, if not to strike, to at least build the capability to strike in the future.

    What Really Happened in the Cyber Command Action Against Iran? - Lawfare

    https://www.lawfareblog.com/what-really-happened-cyber-command-action-against-iran

    Understanding this reporting in all its complexity is particularly important given that the operations described constitute Cyber Command’s first major, publicly known offensive actions after being elevated to the status of a full combatant command in May 2018. Therefore, it has the potential to set several precedents, one of which concerns the behavior of government officials, some of whom appear to be sources for the reporting.

    In this instance, leaks to the press about these operations from government sources are likely serving strategic purposes. Perhaps the government hoped to send a message to the public and adversaries that, while the president reversed his decision to order a kinetic strike, the United States did in fact retaliate against Iran for downing the drone. Or perhaps it intended to signal technical capacity to adversaries as a deterrent. The problem is that fragmented reporting has produced a muddled message about what actually happened, calling into question how clear and effective any message could have been to the intended recipients. Whatever the case may be, Cyber Command has not released a statement and seems content to wait out the news cycle without correcting the record—suggesting that this pattern of silence will continue through future such operations.

    A good analysis of the different reporting around the US's counterstrike against Iranian targets in the cyber field. It was clear something had happened, but since all of the targets were military systems or intelligence systems, Iran hasn't been public about any damage suffered (and would you believe them if they said that they had?), and the US has kept quiet about exactly what they did.

    This is different to normal warfare, where independent journalists can go to war zones and see the damage for themselves. Whether they can assess the military impact is different, but even then, independent intelligence organisations around the world can look at satellite photos and journalist reports and make the assessment for themselves. Cyberwarfare on the other hand is deniable, and in many cases, entirely unremarkable, meaning that it's difficult to know how effective it is, or the impact on both valid military targets, as well as any potential collateral damage

    The Myth of the Cyber Offense: The Case for Restraint | Cato Institute

    https://www.cato.org/publications/policy-analysis/myth-cyber-offense-case-restraint#full

    Renewed great-power competition requires a global operating model comprised of four layers (contact, blunt, surge, and homeland) designed to help the United States “compete more effectively below the level of armed conflict; delay, degrade, or deny adversary aggression; surge war-winning forces and manage conflict escalation; and defend the U.S. homeland.”16 In this model, cyberspace becomes another domain in which the United States must achieve command of the commons to guarantee the larger international order.

    Securing command of the commons in the face of increasing cyber operations by China and Russia requires a policy framework that accelerates cyber offense. Offensive cyber operations entail missions “intended to project power in and through foreign cyberspace.”17 In August 2018, Trump granted the military the initiative to launch offensive cyber operations with what appears to be little interagency consultation or coordination.18 Cyberspace became a domain for soldiers, not just networks of spies. The move represented a dramatic shift from the restraints on cyber operations imposed by the Obama administration.

    Cyberspace became a domain for soldiers, not just networks of spies.

    This entire essay is worth a read since it covers everything from international projectection of power to the ability to measure the impact and effect of cyber operations on foreign nations. But it's interesting that it charts the US Administrations growing understanding of the cyber domain and what it can do with it, while simultaneously showing that lack of understanding of the impacts of its actions on a global level.