Move over COVID. 2021 is turning out to be another year of the digital virus. One massive hacking story after another. Unrelated stories in many cases, we are told. In particular:
1. The SolarWinds mega-hack announced in December of 2020, blamed on Russia. Specifically, blamed on the hacking group known as ‘Cozy Bear’/APT29/Pawn Storm. Microsoft dubbed them Nobelium.
2. The Microsoft Exchange mega-hack disclosed in March 2021, blamed on China. Specifically, blamed on a previously unidentified state-backed group Microsoft dubbed Hafnium.
3. The revelations about NSO Group’s oversight (or lack thereof) of its powerful spyware sold to governments around the world.
4. The emerging story of Candiru, one of NSO Group’s fellow “commercial surveillance vendors”, selling toolkits overflowing with zero-day exploits, specializing in targeting Microsoft products.
But how unrelated are these stories? That’s the big question we’re going to explore in this post. A question punctuated by another meta-story we’ve looked at many times before: the meta-story of a cyberattribution paradigm seemingly designed to allow private companies and governments to concoct an attribution scenario for whatever guilty party they want to finger. As long as there was some sort of ‘clue’ found by investigators — like a piece of Cyrillic or Mandarin text or malware previously attributed to a group — these clues were strung together in a “pattern recognition” manner to arrive at a conclusion about the identity of the perpetrators. Attribution conclusions often arrived at with incredible levels of confidence. Recall how the Japanese cybersecurity firm TrendMicro attributed a 2017 US Senate email phishing campaign to ‘Pawn Storm’/Fancy Bear with 100 percent certainty, and they made this highly certain attribution based heavily on how similar the hack was to the 2017 hacks of Emmanuel Macron’s emails via a phishing campaign that TrendMicro attributed at the time with 99 percent certainty to Pawn Storm/Fancy Bear. And yet the ANSSI, the French government’s cybersecurity agency, was leaving open the possibility that the hack could be the work of “other high-level” hackers trying to pin the blame on “Pawn Storm” (another name for “Fancy Bear”). TrendMicro was making 99 percent certain attributions that the French government said could be any range of actors. That was the state of affairs for cyberattributions in 2017 and nothing has changed in the years since. Highly certain attributions continued to be piled on top of highly certain attributions — almost always pointing towards Russia, Iran, China, or North Korea — built on a foundation of what appears to be largely guesswork. Often highly motivated guesswork.
It’s that willingness by cybersecurity firms and governments to make strong ‘100 percent certain’ declarations about who was behind a hack, based on seemingly no compelling evidence, that continues to plague our collective understanding of global digital threats. A lack of understanding that could have grave global implications going forward. Because as we’re going to see, the repeated prevailing narrative encouraging the public to fixate their hacking fears on Russian and Chinese hackers is a narrative that conveniently leaves out the explosion over the last decade of a global industry of powerful, legal, cutting-edge spyware sold to governments around the world. Dozens of governments that didn’t previously have access to spyware of this caliber. In other words, the default ‘Russia or China did it!’ narrative acts as a cover story to deflect suspicions from all the other countries (or private entities) with access to the kind of spyware previously assumed to be exclusive to a handful of nations with known powerful hacking capabilities.
Also looming large in this discussion is the “ShadowBrokers” story of 2016 and the leak of Vault7, the CIA’s hacking toolkit that included features explicitly designed to confuse this “pattern recognition” approach to cyberattribution. The toolkit literally contained features that injected Cyrillic or Mandarin or other ‘clues’ into the malware code. This was all revealed months before TrendMicro made its ‘100 percent certain’ attribution of the Macron email hacks based on pattern recognition. And yet, other than the acknowledgment by France’s ANSSI that someone could be intentionally leaving false ‘clues’, the story of the ShadowBrokers and the digital ‘clues’ left by Vault7 did not appear to impact the reporting or analysis of the Macron hack in any meaningful way. It’s a big part of the meta-story here: no matter how many reports come out that should raise major questions about the quality of current cyberattributions based on “pattern recognition”, nothing actually changes in terms of how the cybersecurity industry carries out its attributions.
For example, as we’re going to see, when the SolarWinds hack was first uncovered, it was a team led by Adam Meyers, the vice president for threat intelligence at CrowdStrike, who first examined the hack. In an interview describing their early investigation, Meyers claimed to be fully expecting to find some sort of ‘cultural artifact’ like Cyrillic or Mandarin and expressed dismay that nothing was found. They nonetheless attributed the hack to Russia. We’re never given a clear explanation why. The whole episode, and Meyers’s shock at the lack of any ‘clues’, suggests that elite cybersecurity firms like CrowdStrike are not only willing to utilize “pattern recognition” to carry out these attributions but are routinely doing so, raising the question of whether or not hackers these days simply know to leave ‘clues’ in order to satisfy the cybersecurity industry and its clients.
Now, when we learn that it was CrowdStrike who led the SolarWinds hack investigation relying heavily on looking for ‘cultural artifacts’ in the malware, it’s also important to recall how CrowdStrike itself was literally founded in 2011 by Dmitri Alperovitch on the conviction that hacks should be responded to with clear public attributions as a primary means of warding off future attacks. Before CrowdStrike, the idea of publicly naming culprits was anathema in the cybersecurity industry, in large part because it is so difficult to truly know who the culprit is due to the hall-of-mirrors nature of digital evidence. So in that sense, we shouldn’t at all be surprised to learn that CrowdStrike continues to make baseless attributions. It’s CrowdStrike’s business model.
As we’re also going to see, it’s not like the cybersecurity industry always plays dumb about the possibility of actors spoofing the ‘pattern recognition’ methods by intentionally leaving ‘clues’ like Cyrillic. When the SolarWinds mega-hack story broke, it broke in the wake of a disclosure by cybersecurity firm FireEye that its own “Red Team” suite of hacking tools — kits of known exploits used to test clients’ systems for vulnerabilities — was stolen by unknown hackers. Immediately, experts warned how a toolkit like that could be used by governments to cover their tracks. But that’s really the only time we’re going to see this kind of basic insight plainly stated. Right at the start of it with the FireEye attack. For the rest of the time, this obvious problem with our global cyberattribution regime is systematically ignored. Still.
NSO Group: A Quick Review
First, recall how NSO Group first came to the public’s attention in relation to Michael Flynn’s appointment in May of 2016 to the advisory board of OSY Technologies and his consulting work for Francisco Partners. Francisco Partners was NSO Group’s owner at the time and OSY happened to be an NSO Group offshoot.
Next, recall how Francisco Partners ended up selling NSO Group to a European private equity firm, Novalpina, in early 2019 following the international outrage over the role NSO Group’s malware played in the assassination of Jamal Khashoggi. We’re going to learn more about that sale and why it happened (hint: Saudi Arabia’s access to that spyware was part of a larger diplomatic process).
So the picture that had already emerged about NSO Group was that of a provider of cutting-edge hacking toolkits to governments around the world, but also a point of leverage in Israel’s own diplomatic toolkit. It was the kind of corporate profile that suggests any scandals involving NSO Group are implicitly government-related scandals. And that picture of a company that distributes powerful hacking tools as part of Israel’s diplomatic efforts gets all the more intriguing when we factor in the chapter of the #TrumpRussia saga involving Michael Flynn, Erik Prince, Michael Cohen, and the Saudi/UAE scheme to build nuclear power plants across the Middle East (except for Iran). In other words, there’s no way of separating the NSO Group story from the larger story of the increasingly cozy relationship between Israel and its Sunni allies in a regional alliance against Iran and the still-unresolved agenda of Michael Flynn, Erik Prince, and the network of other US conservatives in Donald Trump’s orbit who had major agendas of their own involving the Middle East.
That’s all part of the context we’re going to have to keep in mind when reading about these new revelations that appear to show the widespread use of NSO Group’s powerful malware against a number of journalists, activists, and even government ministers around the world. And the more we’re learning about the history of NSO Group, the clearer it’s becoming that NSO Group’s malware has been secretly used by dozens of governments around the world for at least a decade now.
And as we’re going to see with the story of Candiru, it’s important to keep in mind that NSO Group is merely one of a number of secretive firms selling cutting-edge hacking toolkits to governments around the world. This is a global industry.
Finally, it’s important to keep in mind another major dimension of this story: the explosion of government access to these powerful hacking tools over the last decade has presumably coincided with an explosion of actual hacking. Well, that presumed explosion of actual hacking just happened to coincide with the emergence of highly ‘noisy’ and high-profile ‘Russian hacker’ campaigns. As we’ve seen, following the outbreak of conflict in Ukraine, a number of very publicly visible mass phishing attacks were waged against NATO governments and institutions. It was described by cybersecurity experts as a significant shift in the behavior of Russian government-backed hackers and yet we were nonetheless told that these high-profile hacks must be coming from Russia despite a lack of any solid technical evidence. It was the rise of the “pattern recognition” form of cyberattribution, which consistently found patterns of “Russian hackers”. Recall how the first hack of the DNC, the 2015 hack, took place amidst a giant phishing campaign that hit 50–60,000 email addresses and was described as very different from traditional Russian government hacker phishing campaigns, which would normally involve just 5 to 6 carefully crafted phishing emails. Nothing has done a more effective job of obscuring from the global public the emergence of this global super-hacking capability than the prevailing narrative that all hacks are being done by Russia and China. Hardly anyone even bothers asking if it could be anyone else anymore.
Let’s not forget that the globalization of NSA-level spyware was one of the obvious possible logical conclusions of the Snowden affair. Yes, it was remarkable what a stunning edge the NSA had over almost every other government. A desire for a leveling of the playing field was understandable and the globalization of super-spyware is one of the obvious ways to achieve that. There are no easy answers on this topic. It’s a ‘lesser evil’ situation.
So we have to ask: what role have these very high-profile public mass hacking campaigns waged over the last decade and blamed on ‘Russian hackers’ (or ‘Chinese hackers’) played in obscuring the reality that dozens of governments around the world suddenly got access to quiet super hacking tools? The timing sure has been convenient. And it’s not hard to imagine that the high-profile ‘noisy’ phishing campaigns of the last decade simultaneously ran alongside zero-click super-malware like NSO Group’s unstoppable WhatsApp exploit malware. One of the key selling points of this NSO Group malware is how difficult it is to detect. A lot of people and organizations have presumably been hacked without ever discovering the source of the hack. How often have organizations over the past decade, especially governments, discovered they were hacked by a company’s ‘legal’ hacker toolkit like NSO Group’s and just assumed it was ‘Russian hackers’ due to the waves of global high-profile ‘Russian hacker’ campaigns? It’s a question that looms ever larger as the client list of this global legal hacking industry continues to grow in the shadows.
**************************
Let’s Play “What’s Wrong With This Picture?”
Ok, so let’s start off with an overview of the articles we’re going to be reviewing. An overview that screams the question “What’s wrong with this picture?”. Again, it’s four major stories. Unrelated stories, we are told: 1. The SolarWinds mega-hack of December 2020 (blamed on Russia). 2. The Microsoft Exchange mega-hack of March 2021 (blamed on China). 3. Revelations of NSO Group abuses. 4. Revelations that Candiru is selling cutting-edge spyware specialized in targeting Microsoft’s systems. We are told those are four largely unrelated stories. What’s wrong with this picture?
* December 8, 2020: FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State:
The story that got the ball rolling. At least publicly. Cybersecurity firm FireEye informs the world of a nightmare scenario. FireEye’s “Red Team” code suite was stolen. So whoever managed to hack FireEye obtained a toolkit of virtually all the most powerful known exploits. A digital treasure trove that had suddenly fallen into the hands of whoever already had the wherewithal to pull off this hack. And as experts warned, nation-states could potentially hide their own tracks using this toolkit. This is basically going to be the only time we see an expert admit that governments around the world could be intentionally covering their tracks this way, an implicit admission as to how shoddy contemporary cyberattributions truly are today. So who did it? FireEye wasn’t ready to name a culprit. The FBI announced it was confident the hack was carried out by a nation-state, and while they wouldn’t name a specific nation it was pretty clear Russia was the prime suspect. No reasons for these suspicions are given.
* December 14, 2020: Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce:
The nightmare explodes. We learn it wasn’t just FireEye after FireEye informs SolarWinds that it was SolarWinds’s own Orion update software that delivered the malware onto FireEye’s systems. It was a rather ominous update given that the same Orion software is on another 18,000 client networks. Oh, and the US was already naming names: It was Russia again. Specifically APT29/Cozy Bear/Pawn Storm, the infamous hacking group thought to work for Russia’s FSB (or SVR, it’s unclear) and that the US claims was behind the first hack of the Democratic National Committee (DNC) in 2015. Cozy Bear was also behind this new mega-hack. That was the line from the US a week after FireEye first announced the hack. Russia did it. No reasons for this attribution are given, of course, but it is treated as more of a given since numerous US government agencies were hit. Simultaneously, we are told that the aggressive nature of this hack was unprecedented for Cozy Bear.
We also get an early important clue about how the SolarWinds hack was carried out: SolarWinds informed the world that it suspects Microsoft’s Office 365 email may have been “an attack vector” used by the hackers. In other words, the SolarWinds hack started with the hack of Microsoft’s products.
* December 15, 2020: FireEye Discovered SolarWinds Breach While Probing Own Hack:
In some additional reporting on the breaking SolarWinds news, we learn that FireEye isn’t actually ready to join the US government in attributing the hack to Russia due to a lack of evidence.
* December 15, 2020: Microsoft’s Role In SolarWinds Breach Comes Under Scrutiny:
More information is coming out about the role Microsoft product vulnerabilities played in the hack. The hackers were tricking Microsoft’s authentication controls. This includes forging authentication tokens for Microsoft’s Azure cloud services and creating password credentials for legitimate processes enabling them to read emails from Microsoft’s Exchange Online cloud-based email service. Keep in mind that the Microsoft-Exchange mega-hack that is announced in March was targeting the non-cloud self-hosted Microsoft Exchange email servers. So when the SolarWinds hackers demonstrate an ability to break into the cloud-based Exchange servers, they were demonstrating a capability that wasn’t exactly the same as that used to execute the Microsoft Exchange mega-hack but awfully close. And yet we will be assured by Microsoft that the Microsoft-Exchange hack was carried out by China.
* December 21, 2020: Treasury Department’s Senior Leaders Were Targeted by Hacking:
The US Treasury Department gives us an update on the scope of the hack. The hackers gained access to agency emails in July 2020, via the manipulation of internal software keys. Specifically, we are told the hackers performed a complex step inside Microsoft’s Office 365 system to create an encrypted “token” that identifies a computer to the larger network. This token allowed the hackers to fool the system into thinking they were legitimate users. So spoofing Microsoft credentials appears to be one of the SolarWinds hackers’ specialties.
* February 4, 2021: SolarWinds CEO Confirms Office 365 Email ‘Compromise’ Played Role In Broad-Based Attack:
It’s confirmed! SolarWinds confirms the hack started via a compromised Microsoft Office 365 email account. The hackers used a previously unknown zero-day vulnerability in Microsoft’s Office 365 email software to gain access to and exploit the development environment for SolarWinds Orion.
But beyond that, we learn that 30 percent of the private sector and government victims of the colossal hacking campaign had no direct connection to SolarWinds. It’s the kind of revelation that raises the disturbing question of whether or not these hackers had some other yet-to-be-discovered technique for infiltrating networks. Which obviously raises a number of questions about whether or not other Microsoft exploits were being used by these hackers. After all, the hackers managed to infiltrate SolarWinds’s own network via a zero-day Microsoft exploit. Why wouldn’t it work elsewhere? In other words, the SolarWinds mega-hack might actually be part of an even larger Microsoft super-mega-hack. A still unrecognized super-mega-Microsoft-hack.
* February 05, 2021: Microsoft: No Evidence SolarWinds Was Hacked Via Office 365:
Not true! None of it! That’s the line from Microsoft a day after SolarWinds’s CEO appears to confirm that the exploitation of a Microsoft Office 365 email vulnerability wasn’t just used in the hack but used to execute the initial compromise of SolarWinds’s software development environment. Microsoft does admit that Microsoft services were indeed targeted by the SolarWinds hackers, but insists that the hackers gained privileged credentials in another way, implying it was due to software configuration issues on the client end and not due to vulnerabilities in Microsoft’s products. And what about all the reports from SolarWinds and the US government that they found evidence of an Office 365 email exploit? “As we said at the time, and based upon all investigations since, we have found no indications that our systems were used to attack others.” That was Microsoft’s line. Still.
* February 19, 2021: SolarWinds Hackers Kept Going After Microsoft Until January:
Microsoft gave us an update on its SolarWinds investigation. The company acknowledged that its own networks were plundered during the attack, and even some of its source code was stolen. The source code reportedly involved the cloud-based versions of Azure, Intune, and Exchange (email server software). We are also told the hackers were searching Microsoft’s networks for useful secrets like API keys, credentials, and security tokens that may have been embedded in the source code.
* March 5, 2021: At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software:
A new mega-hack is upon us! Back-to-back mega-hacks. This time Microsoft is the main target. The software giant informed the world that hundreds of thousands of Microsoft Exchange Servers were attacked around the world. The attack was first detected by Volexity on January 6, during the Capitol insurrection, with a large download to an illegitimate user, although days later Volexity issued an update that it found evidence of the attack starting on January 3rd. Days later this quiet hack exploded into a loud global ransacking. Virtually every self-hosted Microsoft Exchange email server in the world connected to the internet was hit over the next two months. Or at least is assumed to have been hit. That’s a lot of hacked email. And potentially voicemail. Microsoft was continuing to assure us the hack had nothing to do with the SolarWinds hack, and also that the SolarWinds hack had nothing to do with any Microsoft vulnerabilities. They were seriously touting the ‘don’t worry about Microsoft security’ line during the Exchange mega-hack disclosure.
* March 10, 2021: Microsoft Exchange Hack Could Be Worse Than SolarWinds:
With more information about the Hafnium hack coming in, the more this is looking like the worst-case scenario. Or at least worse than the SolarWinds hack, which would make this the worst yet. Literally the worst hack ever. So far. Give it a few months.
The hack started on Jan 3, with “Hafnium” quietly hacking away at dozens of targets until Microsoft issued a patch in early March. At that point, it was a criminal free-for-all race that included at least a dozen more criminal actors.
A big part of what makes it the worst hack ever is the scale, with potentially hundreds of thousands of Exchange email servers all hit in short order, but this is an attack that can be automated. The hackers needed scripts and time to let the scripts do their work.
But another part of what arguably makes this the worst hack ever is that the ability to remotely take over the Exchange server software doesn’t just potentially give the hackers the ability to read emails. It also potentially gives hackers the ability to compromise the Microsoft Active Directory system, which is the system used for ID authentication across the Microsoft ecosystem of software. So if you corrupt the Active Directory system on a computer, you can potentially get super-user access to all the Microsoft software running on that computer’s network. And the catch here is that Microsoft Exchange server only runs on Windows. So anyone running it is running it on a Windows Server operating system. So compromising the Active Directory system on the computer running the Microsoft Exchange server software can hand over complete control of the server. This also means the hackers could have planted all sorts of hidden backdoors all over the victim networks. This was a huge, deep hack.
But here’s the big detail we learn from Ed Hunter, CISO at Infoblox, a cybersecurity company, who is commenting to a reporter about the hack: the vulnerability has been present in the Microsoft Exchange codebase for a decade. As Hunter put it, “one has to wonder how long this vulnerability has been a closely held – and used – tool in this threat actor’s toolbox.”
And, again, it was just two weeks earlier that Microsoft disclosed that the SolarWinds hackers stole Exchange source code for the cloud-based version of Exchange. But in this case, it was the self-hosted Exchange servers that got hacked. All of them. Hundreds of thousands of email servers around the world. Also keep in mind the SolarWinds hackers had already demonstrated zero-day abilities to manipulate Microsoft’s credential systems. So this hack sure seems closely related to the SolarWinds hackers, and yet Microsoft confidently assured us that this had nothing to do with the SolarWinds hack and was in fact carried out by a state-backed Chinese hacking group Microsoft dubbed “Hafnium”.
* April 16, 2021: A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack:
Four months after it was first announced, NPR has a big piece on the then-untold story of how the hack unfolded. By that point, the Biden White House was unequivocally stating Russian intelligence was behind it. While the reason Russia is given the attribution is, as always, never given, there was by now enough known about the hack to determine that these really were exceptional hackers. Multiple never-before-seen “zero-day” exploits were utilized. Beyond that, the malware was introduced into the SolarWinds software development pipeline at the very last possible moment, during the compilation process, allowing it to evade the standard security checks for unwanted software. It was a proof-of-concept and could be used against anyone else using the same compilation software (they didn’t name the software). This ability to use this attack against other software developers is particularly acute when we recall that this attack created backdoors on the networks of many of the largest software developers in the world. Including Microsoft. Yikes.
And it’s in this April 2021 NPR piece where we get further confirmation of something that has long been clear but is rarely said out loud so clearly: contemporary cyberattribution really does rely heavily on ‘clues’ like Cyrillic characters or Mandarin in the code, and such ‘clues’ are frequently found. At least that’s how Adam Meyers, the vice president for threat intelligence at CrowdStrike, described his approach to determining the identity of the SolarWinds hackers. And he was leading the team that first investigated it. Meyers expresses dismay at how thorough the hackers were. Thorough in the sense that there was no ‘cultural artifact’ like Cyrillic or Mandarin. Meyers describes the lack of anything that a human might have inadvertently left behind as a clue as “mind-blowing”. He described the tiny piece of malware used in the initial SolarWinds hack — distributed to all 18,000 clients via the Orion software — and its lack of clues as “the craziest f***ing thing I’d ever seen.” So this update on the SolarWinds investigation includes an update on the general state of affairs in cyberattribution. A state of affairs where malware that’s cleaned and lacks a ‘cultural artifact’ is “the craziest f***ing thing I’d ever seen.” This is a good time to recall the story of the Shadow Brokers and the CIA’s hacking toolkit that included features like leaving Cyrillic or Mandarin characters to leave a false lead. This was confirmed just four years ago. Everyone really is playing dumb here. Double yikes.
* April 23, 2021: SolarWinds hacking campaign puts Microsoft in the hot seat:
Microsoft’s terrible, horrible, no good, very bad year continues. A week after that big NPR piece on SolarWinds, we learn new significant details on the SolarWinds hack in a new report put out by The Atlantic Council. The kind of details that have Microsoft scrambling for explanations. And culprits. Again. It turns out the delivery of the backdoor malware via the SolarWinds Orion updating software was just the first phase of the mega-hack. Once the hackers used those backdoors to gain access to victims’ networks they continued to exploit more vulnerabilities. In particular Microsoft vulnerabilities involving how Microsoft products validate user identities. Now, part of the reason Microsoft vulnerabilities were heavily targeted was because, well, these vulnerabilities exist. But the other big reason is that Microsoft has more than 85% of the market share for government and industry. In other words, the juiciest targets — especially government agencies — were almost all running Microsoft tools on their networks. Microsoft continued to deflect blame, suggesting poorly configured software by the clients was the cause. But according to Senator Ron Wyden, the software Microsoft supplies to US federal agencies is itself poorly configured with default log settings that won’t capture the information needed to catch attacks while they’re in progress.
* May 28, 2021: Microsoft says group behind SolarWinds hack now targeting government agencies, NGOs:
Cozy Bear/APT29/“Nobelium” is back at it. They’re up to their old tricks, according to Microsoft. Targeted phishing, with organizations who signed up to receive communications from USAID being the targets. 3,000 email accounts at more than 150 different organizations. Somehow, the hackers managed to mimic emails from the firm Constant Contact, the firm that handles USAID’s email communications, to make it look like a USAID communication. At least a quarter of the targeted organisations were involved in international development, humanitarian issues and human rights work. The US and UK blame Russia’s SVR (the same agency Cozy Bear/APT29 is said to work for... along with the FSB).
How did Microsoft determine that this was done by the same hackers who pulled off the SolarWinds hack? That’s never explained. It’s not due to technical similarities. In fact, the Microsoft blog post describing this USAID phishing scheme explicitly states that this new attack had few technical similarities to the SolarWinds hack and suggests the hackers intentionally changed their tactics after the SolarWinds hack was uncovered. Four new zero-day pieces of malware were deployed on the computers of the victims that clicked on the malicious link, so keep in mind that if this was the same hacking group that is involved with the SolarWinds hack and/or Microsoft Exchange hack, this crew is sporting a significant number of zero-day exploits.
* June 25, 2021: Microsoft says new breach discovered in probe of suspected SolarWinds hackers:
Cozy Bear/APT29/“Nobelium” is at it again. Again. This time, Microsoft tells us the hackers somehow hacked a Microsoft agent who had access to Microsoft customer support tools with subscription information. Of course, we’ve already been told about how the SolarWinds hackers stole code involving how Microsoft tools verify identities, and the same hackers reportedly pulled this hack off. So it’s not hard to imagine some of those stolen insights were used to carry out this hack. But we aren’t told much else from Microsoft other than that it was definitely the SolarWinds hackers who are definitely working for the Russian state. Of that they are sure. Always and forever, except when it’s China.
* July 4, 2021: SolarWinds: How Russian spies hacked the Justice, State, Treasury, Energy and Commerce Departments:
Less than two weeks later, CBS runs a piece with more interviews of figures involved in the SolarWinds investigation, including Microsoft president Brad Smith. Smith points to the list of US government agencies hit by the hack and insists it shows a foreign intelligence collection mission (which ignores the roughly 18,000 other, largely commercial, victims that also received the tainted update). The piece reveals that the SolarWinds hackers were inside US federal networks reading emails and other traffic for months.
It ends with an interview of Jon Miller, who runs Boldend, a company that sells cutting-edge cyber weapons to US intelligence agencies. Miller observes that the notable thing about the SolarWinds hack wasn’t its sophistication; he builds things far more sophisticated (presumably for his US intelligence clients). What makes the attack stand out is how aggressive it was. It’s the kind of assessment that suggests many different actors could have pulled off this attack for some time, and someone finally did.
Miller also reminds us of another crucial aspect of both the SolarWinds and Exchange mega-hacks: it would be trivial to turn those backdoors into digital bombs that destroy victim networks. In other words, these mega-hacks could have been a LOT more damaging had the hackers wanted them to be. And since the hackers likely embedded themselves in victim networks in ways not yet detected, they could decide to set off those digital bombs at some point in the future.
* July 15, 2021: Microsoft says Israeli group sold tools to hack Windows:
Citizen Lab put out a report on an Israeli commercial hacking company, Candiru, behind malware discovered targeting Windows. But Candiru’s toolkit doesn’t just hit Microsoft products. It appears to be the same company behind a set of additional zero-day exploits targeting Google’s products that Google had just attributed to an unnamed commercial vendor and that Citizen Lab also connected to Candiru. So Microsoft and Google both announced the discovery of Candiru zero-day exploits at roughly the same time.
* July 15, 2021: Microsoft says it blocked spying on rights activists, others:
In some more reporting on Candiru, we learn that the company goes by several names. We also learn that its spyware “infrastructure” includes websites “masquerading as advocacy organizations” such as Amnesty International and Black Lives Matter.
* July 15, 2021: Safari Zero-Day Used in Malicious LinkedIn Campaign:
More on Google’s Threat Analysis Group (TAG) security announcement. A Russian-language group was exploiting a vulnerability in the Safari browser on iOS. Malicious links that triggered the exploit were sent to Western European government officials through LinkedIn’s direct messaging. It is noted that the malicious link campaign coincided with the “Nobelium” USAID phishing campaign in May targeting Windows devices.
In the same report, Google’s TAG announced a new exploit it discovered being used against Armenian activists in April: a zero-day exploit against Microsoft’s Internet Explorer.
The TAG team also announced three new zero-day exploits attributed to an unnamed “commercial surveillance vendor” (Candiru): two vulnerabilities in Google’s Chrome and one in Microsoft’s Internet Explorer. These exploits were also used against Armenian targets, but we are told this was a separate campaign from the other Armenian one, with one of the Chrome exploits discovered in February and the second in June.
Finally, the article notes that security researchers had identified 33 zero-day vulnerabilities exploited in the wild by that point in 2021, 11 more than the 22 found in all of 2020. Over little more than half a year, that is roughly triple the previous year’s rate, and 2020 was itself a record year.
* July 17, 2021: Israeli Companies Aided Saudi Spying Despite Khashoggi Killing:
NSO Group’s recent headache has begun. The New York Times has an update on NSO Group and long-standing questions about the extent to which the licenses given to countries to buy NSO Group’s super-spyware are used as a tool of Israel’s foreign policy. It’s a question that goes beyond NSO Group to the entire Israeli ‘commercial surveillance’ industry that governments around the world turn to. As we should have expected, it turns out that super-spyware suites like NSO Group’s Pegasus aren’t just super-spyware suites. They’re also diplomatic tools for the Israeli government. And that means NSO Group might sometimes effectively be forced to keep selling to clients like Saudi Arabia even when its relationship with those clients becomes toxic. That’s apparently what happened following the Saudi government’s assassination of Jamal Khashoggi. NSO Group canceled the Saudi contract, only to be pressured by the Israeli government to renew it. NSO Group was ultimately sold to new private equity owners and proceeded to renew the Saudi contract.
But NSO Group reveals a far more legitimate excuse for its apparent negligence in regulating its super-spyware: the Israeli government approves of these sales. If you want a subscription to Pegasus, you had better make sure you’re on at least decent terms with the Israeli government. It’s pretty
* July 18, 2021: Private Israeli spyware used to hack cellphones of journalists, activists worldwide:
The Washington Post follows up with a huge report that confirms a number of things long suspected about NSO Group. People have long accused the company of having no safeguards to ensure the super-spyware it sells to governments around the world is only used to track ‘terrorists and criminals’. And, yep, there are basically no safeguards. It’s up to the government to promise not to abuse the super-spyware. There are geographic limitations: the spyware was configured not to work on US-based smartphones and could be limited to certain countries. But how it was used inside those approved geographic areas was up to the governments. In other words, Pegasus was abused. A lot. At least that’s according to an investigation released by Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International.
How much abuse of NSO Group’s super-spyware has been taking place? This report was based on a leak of thousands of phone numbers that were purportedly targets of NSO Group’s feared Pegasus spyware, an almost unstoppable spyware suite that can hit almost any smartphone. And if those thousands of numbers really are an accurate target list, the abuse was rampant, with activists and rival politicians frequently on the list. Sixty government agencies in 40 countries were allowed to buy subscriptions to the software and, again, they policed themselves.
NSO Group’s defense against charges that it knowingly allowed governments to abuse its super-spyware was to point out that the company doesn’t police how governments use its software. It really is up to the governments to police themselves, as confirmed by this investigation and the rampant abuse it reveals. It’s not actually a great defense if you think about it, but it gets better when you keep in mind that this is all sanctioned and encouraged by the Israeli government (and probably the US government).
* July 19, 2021: Microsoft Exchange hack caused by China, US and allies say:
The US formally accuses Chinese state-backed hackers of carrying out the Microsoft Exchange mega-hack. At the same time, the US Justice Department announces charges against four Chinese nationals who prosecutors say were working with China’s Ministry of State Security in a different hacking campaign that targeted dozens of computer systems, including companies, universities and government entities. Beyond that, the US accuses these state-backed Chinese hackers of carrying out ransomware and other for-profit extortion hacks for their own personal enrichment. In fact, an administration official told reporters that the formal attribution of the Exchange hack to China took this many months (recall Microsoft did it immediately) in part because of the ransomware and for-profit hacking operations. In other words, the hackers the US was accusing of working on behalf of the Chinese state were behaving like ordinary criminals. But we are nonetheless assured that, no, they were working for China. Dmitri Alperovitch, co-founder of CrowdStrike and the man who pioneered the modern approach of making loud, evidence-free hacking accusations against countries as a means of deterring future attacks, expresses puzzlement that sanctions against China haven’t been announced yet.
* July 20, 2021: China says Microsoft hacking accusations fabricated by US and allies:
The US’s allies (the UK, New Zealand, Australia, and the EU) join the US in jointly condemning China for the Microsoft Exchange mega-hack. Anonymous Western security sources tell reporters they believe Hafnium knew Microsoft was going to plug the Exchange vulnerability and so shared it with other China-based hackers, culminating in the giant global smash-and-grab. It’s another indication that the Microsoft Exchange mega-hack has the appearance of a criminal smash-and-grab event, and we are now told that this was all how China planned it to play out. And we are also told that Microsoft was about to plug this massive vulnerability but was thwarted by Chinese spies or something. The facts and details may change, but two things always stay the same: China did it, and this definitely didn’t involve the SolarWinds hack.
* July 22, 2021: France’s Macron changes phone in light of Pegasus case:
The NSO Group scandal gets extra awkward when Emmanuel Macron’s administration officially acknowledges that it changed Macron’s mobile phone and phone number after the number showed up on a list of potential targets for surveillance by Morocco in the report by Forbidden Stories and Amnesty International. Israel has formed an inter-ministerial team to look into the export licenses issued by the Defence Export Controls Agency (DECA). NSO Group continues to defend itself by reiterating that it doesn’t know the identities of the people targeted by Pegasus. The company can, however, retroactively acquire the target lists in the event of a complaint and unilaterally shut down the offending government’s subscription following an investigation. So oversight only happens if a complaint is issued over the abuse of the super-secret difficult-to-find spyware. There presumably aren’t very many complaints.
*******************************
That’s the story we are being asked to buy. Or rather, those are the stories we are being asked to buy. Breaking stories about two record-breaking mega-hacks and revelatory stories about two cutting-edge ‘commercial surveillance vendors’ licensing and selling zero-day exploits around the world. Separate stories, at least that’s what we are told. The SolarWinds hack and the Microsoft Exchange hack are two completely separate hacks, one executed by Russia and the other by China. The fact that the SolarWinds hackers possessed Microsoft zero-day exploits and appeared to initiate the hack using those exploits is just ignored. The fact that no actual evidence indicating it was Russia or China behind the hacks has been presented is also just ignored. So are the stories about a massive, powerful global “commercial surveillance” industry selling super-exploits to governments around the world, and so are other government hacking toolkits like the CIA’s Vault7, which had features specifically designed to spoof the “pattern recognition” approach to cyberattribution. Ignore all that. It’s a faith-based attribution paradigm, ripe for bad-faith attributions.
FireEye Wakes Up to a “Red Team Tools” Nightmare. Which Could Become Everyone’s Nightmare
December 8, 2020, was a dark day for digital security. A worst-case scenario was playing out in real time. Someone hacked the security firm FireEye and stole its “Red Team” code suite, a toolkit of virtually all the most powerful known exploits. And as experts warned, nation-states could potentially hide their own tracks using this toolkit. This is basically going to be the only time we see an expert admit that governments around the world could be intentionally hiding behind someone else’s tools. FireEye wasn’t ready to name a culprit. But the FBI announced it was confident the hack was carried out by a nation-state, and while it wouldn’t name a specific nation, it was pretty clear Russia was the prime suspect. No reasons for these suspicions are given:
The New York Times
FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State
The Silicon Valley company said hackers — almost certainly Russian — made off with tools that could be used to mount new attacks around the world.
By David E. Sanger and Nicole Perlroth
Published Dec. 8, 2020 Updated Feb. 6, 2021
WASHINGTON — For years, the cybersecurity firm FireEye has been the first call for government agencies and companies around the world who have been hacked by the most sophisticated attackers, or fear they might be.
Now it looks like the hackers — in this case, evidence points to Russia’s intelligence agencies — may be exacting their revenge.
FireEye revealed on Tuesday that its own systems were pierced by what it called “a nation with top-tier offensive capabilities.” The company said hackers used “novel techniques” to make off with its own tool kit, which could be useful in mounting new attacks around the world.
It was a stunning theft, akin to bank robbers who, having cleaned out local vaults, then turned around and stole the F.B.I.’s investigative tools. In fact, FireEye said on Tuesday, moments after the stock market closed, that it had called in the F.B.I.
The $3.5 billion company, which partly makes a living by identifying the culprits in some of the world’s boldest breaches — its clients have included Sony and Equifax — declined to say explicitly who was responsible. But its description, and the fact that the F.B.I. has turned the case over to its Russia specialists, left little doubt who the lead suspects were and that they were after what the company calls “Red Team tools.”
These are essentially digital tools that replicate the most sophisticated hacking tools in the world. FireEye uses the tools — with the permission of a client company or government agency — to look for vulnerabilities in their systems. Most of the tools are based in a digital vault that FireEye closely guards.
The F.B.I. on Tuesday confirmed that the hack was the work of a state, but it also would not say which one. Matt Gorham, assistant director of the F.B.I. Cyber Division, said, “The F.B.I. is investigating the incident and preliminary indications show an actor with a high level of sophistication consistent with a nation-state.”
The hack raises the possibility that Russian intelligence agencies saw an advantage in mounting the attack while American attention — including FireEye’s — was focused on securing the presidential election system. At a moment that the nation’s public and private intelligence systems were seeking out breaches of voter registration systems or voting machines, it may have a been a good time for those Russian agencies, which were involved in the 2016 election breaches, to turn their sights on other targets.
The hack was the biggest known theft of cybersecurity tools since those of the National Security Agency were purloined in 2016 by a still-unidentified group that calls itself the ShadowBrokers. That group dumped the N.S.A.’s hacking tools online over several months, handing nation-states and hackers the “keys to the digital kingdom,” as one former N.S.A. operator put it. North Korea and Russia ultimately used the N.S.A.’s stolen weaponry in destructive attacks on government agencies, hospitals and the world’s biggest conglomerates — at a cost of more than $10 billion.
The N.S.A.’s tools were most likely more useful than FireEye’s since the U.S. government builds purpose-made digital weapons. FireEye’s Red Team tools are essentially built from malware that the company has seen used in a wide range of attacks.
Still, the advantage of using stolen weapons is that nation-states can hide their own tracks when they launch attacks.
“Hackers could leverage FireEye’s tools to hack risky, high-profile targets with plausible deniability,” said Patrick Wardle, a former N.S.A. hacker who is now a principal security researcher at Jamf, a software company. “In risky environments, you don’t want to burn your best tools, so this gives advanced adversaries a way to use someone else’s tools without burning their best capabilities.”
A Chinese state-sponsored hacking group was previously caught using the N.S.A.’s hacking tools in attacks around the world, ostensibly after discovering the N.S.A.’s tools on its own systems. “It’s like a no-brainer,” said Mr. Wardle.
The breach is likely to be a black eye for FireEye. Its investigators worked with Sony after the devastating 2014 attack that the firm later attributed to North Korea. It was FireEye that was called in after the State Department and other American government agencies were breached by Russian hackers in 2015. And its major corporate clients include Equifax, the credit monitoring service that was hacked three years ago, affecting nearly half of the American population.
In the FireEye attack, the hackers went to extraordinary lengths to avoid being seen. They created several thousand internet protocol addresses — many inside the United States — that had never before been used in attacks. By using those addresses to stage their attack, it allowed the hackers to better conceal their whereabouts.
“This attack is different from the tens of thousands of incidents we have responded to throughout the years,” said Kevin Mandia, FireEye’s chief executive. (He was the founder of Mandiant, a firm that FireEye acquired in 2014.)
But FireEye said it was still investigating exactly how the hackers had breached its most protected systems. Details were thin.
Mr. Mandia, a former Air Force intelligence officer, said the attackers “tailored their world-class capabilities specifically to target and attack FireEye.” He said they appeared to be highly trained in “operational security” and exhibited “discipline and focus,” while moving clandestinely to escape the detection of security tools and forensic examination. Google, Microsoft and other firms that conduct cybersecurity investigations said they had never seen some of these techniques.
FireEye also published key elements of its “Red Team” tools so that others around the world would see attacks coming.
American investigators are trying to determine if the attack has any relationship to another sophisticated operation that the N.S.A. said Russia was behind in a warning issued on Monday. That gets into a type of software, called VM for virtual machines, which is used widely by defense companies and manufacturers. The N.S.A. declined to say what the targets of that attack were. It is unclear whether the Russians used their success in that breach to get into FireEye’s systems.
...
On Tuesday, Russia’s National Association for International Information Security held a forum with global security experts where Russian officials again claimed that there was no evidence its hackers were responsible for attacks that have resulted in American sanctions and indictments.
Security firms have been a frequent target for nation-states and hackers, in part because their tools maintain a deep level of access to corporate and government clients all over the world. By hacking into those tools and stealing source code, spies and hackers can gain a foothold to victims’ systems.
McAfee, Symantec and Trend Micro were among the list of major security companies whose code a Russian-speaking hacker group claimed to have stolen last year. Kaspersky, the Russian security firm, was hacked by Israeli hackers in 2017. And in 2012, Symantec confirmed that a segment of its antivirus source code was stolen by hackers.
————
“FireEye revealed on Tuesday that its own systems were pierced by what it called “a nation with top-tier offensive capabilities.” The company said hackers used “novel techniques” to make off with its own tool kit, which could be useful in mounting new attacks around the world.”
FireEye couldn’t say who penetrated its systems. But it nonetheless confidently stated it was the work of “a nation with top-tier offensive capabilities,” an assertion ostensibly rooted in the sophistication of the attack, the discipline of the attackers, and the number of never-before-seen techniques these unknown hackers used. In other words, a guess made on the basis of pattern recognition, not an assertion made with real certainty. FireEye didn’t actually know this attack came from a nation with top-tier offensive capabilities when it made that statement. It couldn’t have truly ruled out a private actor. Or a nation without top-tier capabilities that had purchased them from a top-tier commercial malware provider like NSO Group. But making attributions in cyberattacks is a service FireEye sells. It points to one of the fundamental binds the cybersecurity industry faces: clients are paying for answers, whether answers are feasible or not.
And when the FBI turned the case over to its Russia specialists and ‘confirmed’ the hack was the work of a state, it was pretty clear where the blame was ultimately going to go. That ‘confirmation’ was no doubt predicated in part on the sophistication of the hack. And yet the apparent prize of this hack was FireEye’s “Red Team” toolkit, which replicated the most sophisticated hacking tools in the world, or at least the most sophisticated known tools seen in the wild. It’s implicit in this very hack that possession of world-class hacking tools isn’t limited to major nation-states like the US, Russia, and China. Beyond that, we are told that the theft of the FireEye Red Team kit would be highly useful to nation-states precisely because it gives them plausible deniability: they can carry out risky hacks with someone else’s tools instead of burning their own zero-day exploits. All of the details of this story point towards the hall-of-mirrors nature of cyberattribution investigations:
...
It was a stunning theft, akin to bank robbers who, having cleaned out local vaults, then turned around and stole the F.B.I.’s investigative tools. In fact, FireEye said on Tuesday, moments after the stock market closed, that it had called in the F.B.I.
The $3.5 billion company, which partly makes a living by identifying the culprits in some of the world’s boldest breaches — its clients have included Sony and Equifax — declined to say explicitly who was responsible. But its description, and the fact that the F.B.I. has turned the case over to its Russia specialists, left little doubt who the lead suspects were and that they were after what the company calls “Red Team tools.”
These are essentially digital tools that replicate the most sophisticated hacking tools in the world. FireEye uses the tools — with the permission of a client company or government agency — to look for vulnerabilities in their systems. Most of the tools are based in a digital vault that FireEye closely guards.
The F.B.I. on Tuesday confirmed that the hack was the work of a state, but it also would not say which one. Matt Gorham, assistant director of the F.B.I. Cyber Division, said, “The F.B.I. is investigating the incident and preliminary indications show an actor with a high level of sophistication consistent with a nation-state.”
...
The N.S.A.’s tools were most likely more useful than FireEye’s since the U.S. government builds purpose-made digital weapons. FireEye’s Red Team tools are essentially built from malware that the company has seen used in a wide range of attacks.
Still, the advantage of using stolen weapons is that nation-states can hide their own tracks when they launch attacks.
“Hackers could leverage FireEye’s tools to hack risky, high-profile targets with plausible deniability,” said Patrick Wardle, a former N.S.A. hacker who is now a principal security researcher at Jamf, a software company. “In risky environments, you don’t want to burn your best tools, so this gives advanced adversaries a way to use someone else’s tools without burning their best capabilities.”
A Chinese state-sponsored hacking group was previously caught using the N.S.A.’s hacking tools in attacks around the world, ostensibly after discovering the N.S.A.’s tools on its own systems. “It’s like a no-brainer,” said Mr. Wardle.
...
And as the article reminds us, despite all the hype about the ‘Shadow Brokers’ being a Russian hacker group, the global community has still never truly determined their identity. As is the case with nearly all major hacks, the identities of the perpetrators are ultimately unknowable on the available evidence:
...
The hack was the biggest known theft of cybersecurity tools since those of the National Security Agency were purloined in 2016 by a still-unidentified group that calls itself the ShadowBrokers. That group dumped the N.S.A.’s hacking tools online over several months, handing nation-states and hackers the “keys to the digital kingdom,” as one former N.S.A. operator put it. North Korea and Russia ultimately used the N.S.A.’s stolen weaponry in destructive attacks on government agencies, hospitals and the world’s biggest conglomerates — at a cost of more than $10 billion.
...
It’s also worth observing how FireEye declared that the attackers “tailored their world-class capabilities specifically to target and attack FireEye.” And yet, as we learn, this wasn’t a specific attack on FireEye at all. It was an attack on FireEye and the roughly 18,000 other SolarWinds customers who installed the tainted update. FireEye was just a very juicy target to pilfer among the thousands the hackers had to choose from:
...
But FireEye said it was still investigating exactly how the hackers had breached its most protected systems. Details were thin.
Mr. Mandia, a former Air Force intelligence officer, said the attackers “tailored their world-class capabilities specifically to target and attack FireEye.” He said they appeared to be highly trained in “operational security” and exhibited “discipline and focus,” while moving clandestinely to escape the detection of security tools and forensic examination. Google, Microsoft and other firms that conduct cybersecurity investigations said they had never seen some of these techniques.
...
On Tuesday, Russia’s National Association for International Information Security held a forum with global security experts where Russian officials again claimed that there was no evidence its hackers were responsible for attacks that have resulted in American sanctions and indictments.
Security firms have been a frequent target for nation-states and hackers, in part because their tools maintain a deep level of access to corporate and government clients all over the world. By hacking into those tools and stealing source code, spies and hackers can gain a foothold to victims’ systems.
...
Finally, note that FireEye is far from the only cybersecurity firm whose code was reportedly stolen by a ‘Russian-speaking hacker group’ last year. McAfee, Symantec, and Trend Micro were all named by a Russian-speaking group that claimed to have stolen their code. Which means the equivalents of FireEye’s “Red Team” kit from all those other firms may also be floating around out there. And in each case, it was “Russian-speaking hackers”. Whoever has been hacking these other security firms has been leaving Russian-language traces behind. It’s a thing:
...
McAfee, Symantec and Trend Micro were among the list of major security companies whose code a Russian-speaking hacker group claimed to have stolen last year. Kaspersky, the Russian security firm, was hacked by Israeli hackers in 2017. And in 2012, Symantec confirmed that a segment of its antivirus source code was stolen by hackers.
...
And yet, as we’re going to see, that’s not actually the case with the FireEye hack. No Russian-language artifacts, or any other language artifacts, were left in the malware used to attack FireEye. And as we’re also going to see, this lack of language artifacts in the attack (no Cyrillic, no Mandarin, no Persian) was seen as an utter shock by the CrowdStrike figures tasked with studying the attack.
FireEye Didn’t Start the Fire. Welcome to the SolarWinds Nightmare. Brought to You by Cozy Bear, According to the FBI, although FireEye isn’t So Sure
The FireEye nightmare explodes into the SolarWinds nightmare. It was determined that SolarWinds’s Orion update mechanism delivered the malware onto FireEye’s systems. It’s the kind of ominous discovery that comes with the implication that the other roughly 18,000 SolarWinds customers running the affected Orion builds got hit too. Which is basically what happened.
We also got an early hint from SolarWinds about how the hack started in the first place: in its corporate filing disclosing the hack with the SEC, SolarWinds indicated that Microsoft’s Office 365 email may have been “an attack vector” used by the hackers.
And as we can see, the FBI was ready to name names from the very onset of this investigation. It took basically no time at all: APT29 aka Cozy Bear is at it again. That was the line from the FBI. The infamous hacking group thought to work for Russia’s FSB (or SVR, it’s unclear) and that the US claims was behind the first hack of the Democratic National Committee (DNC) in 2015 was also behind the new SolarWinds mega-hack. No reasons for this attribution are given, of course:
The Washington Post
Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce
By Ellen Nakashima and Craig Timberg
December 14, 2020 at 11:30 a.m. EST
Russian government hackers breached the Treasury and Commerce departments, along with other U.S. government agencies, as part of a global espionage campaign that stretches back months, according to people familiar with the matter.
Officials were scrambling over the weekend to assess the nature and extent of the intrusions and implement effective countermeasures, but initial signs suggested the breach was long-running and significant, the people familiar with the matter said.
The Russian hackers, known by the nicknames APT29 or Cozy Bear, are part of that nation’s foreign intelligence service, the SVR, and they breached email systems in some cases, said the people familiar with the intrusions, who spoke on the condition of anonymity because of the sensitivity of the matter. The same Russian group hacked the State Department and the White House email servers during the Obama administration.
The FBI is investigating the campaign, which may have begun as early as spring, and had no comment Sunday. The victims have included government, consulting, technology, telecom, and oil and gas companies in North America, Europe, Asia and the Middle East, according to FireEye, a cyber firm that itself was breached.
The Russian Embassy in Washington on Sunday called the reports of Russian hacking “baseless.” In a statement on Facebook it said, “attacks in the information space contradict” Russian foreign policy and national interests. “Russia does not conduct offensive operations” in the cyber domain.
All of the organizations were breached through the update server of a network management system made by the firm SolarWinds, FireEye said in a blog post Sunday.
The federal Cybersecurity and Infrastructure Security Agency issued an alert Sunday warning about an “active exploitation” of the SolarWinds Orion Platform, from versions of the software released in March and June. “CISA encourages affected organizations to read the SolarWinds and FireEye advisories for more information and FireEye’s GitHub page for detection countermeasures,” the alert said.
SolarWinds said Sunday in a statement that monitoring products it released in March and June of this year may have been surreptitiously weaponized in a “highly-sophisticated, targeted . . . attack by a nation state.”
The company filed a document Monday with the Securities and Exchange Commission saying that “fewer than 18,000” of its more than 300,000 customers may have installed a software patch enabling the Russian attack. It was not clear, the filing said, how many systems were actually hacked. The corporate filing also said that Microsoft’s Office 365 email may have been “an attack vector” used by the hackers.
Microsoft said in a blog post Sunday that it had not identified any Microsoft product or cloud service vulnerabilities in its investigation of the matter.
The scale of the Russian espionage operation appears to be large, said several individuals familiar with the matter. “This is looking very, very bad,” said one person. SolarWinds products are used by organizations across the world. They include all five branches of the U.S. military, the Pentagon, State Department, Justice Department, NASA, the Executive Office of the President and the National Security Agency, the world’s top electronic spy agency, according to the firm’s website.
Its clients also include the top 10 U.S. telecommunications companies.
“This is a big deal, and given what we now know about where breaches happened, I’m expecting the scope to grow as more logs are reviewed,” said John Scott-Railton, a senior researcher at Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy. “When an aggressive group like this gets an open sesame to many desirable systems, they are going to use it widely.”
FireEye reported last week that it was breached and that hacking tools it uses to test clients’ computer defenses were stolen. The Washington Post reported that APT29 was the group behind that hack. FireEye and Microsoft, which were investigating the breach, discovered the hackers were gaining access to victims through updates to SolarWinds’ Orion network monitoring software, FireEye said in its blog post, without publicly naming the Russians.
...
At Commerce, the Russians targeted the National Telecommunications and Information Administration, an agency that handles Internet and telecommunications policy, Reuters reported. They have also been linked to attempts to steal coronavirus research.
In 2014 and 2015, the same group carried out a wide-ranging espionage campaign that targeted thousands of organizations, including government agencies, foreign embassies, energy companies, telecommunications firms and universities.
As part of that operation, it hacked the unclassified email systems of the White House, the Pentagon’s Joint Chiefs of Staff and the State Department.
“That was the first time we saw the Russians become much more aggressive, and instead of simply fading away like ghosts when they were detected, they actually contested access to the networks,” said Michael Daniel, who was White House cybersecurity coordinator at the time.
One of its victims in 2015 was the Democratic National Committee. But unlike a rival Russian spy agency, the GRU, which also hacked the DNC, it did not leak the stolen material. In 2016, the GRU military spy agency leaked hacked emails to the online anti-secrecy organization WikiLeaks in an operation that disrupted the Democrats’ national convention in the midst of the presidential campaign.
The SVR, by contrast, generally steals information for traditional espionage purposes, seeking secrets that might help the Kremlin understand the plans and motives of politicians and policymakers. Its operators also have filched industrial data and hacked foreign ministries.
Because the Obama administration saw the APT29 operation as traditional espionage, it did not consider taking punitive measures, said Daniel, who is now president and chief executive of the Cyber Threat Alliance, an information-sharing group for cybersecurity companies.
“It was information collection, which is what nation states — including the United States — do,” he said. “From our perspective, it was more important to focus on shoring up defenses.”
But Chris Painter, State Department cyber coordinator in the Obama administration, said even if the Russian campaign is strictly about espionage and there’s no norm against spying, if the scope is broad there should be consequences. “We just don’t have to sit still for it and say ‘good job,’ ” he said.
Sanctions might be one answer, especially if done in concert with allies who were similarly affected, he said. “The problem is there’s not even been condemnation from the top. President Trump hasn’t wanted to say anything bad to Russia, which only encourages them to act irresponsibly across a wide range of activities.”
At the very least, he said, “you’d want to make clear to [Russian President Vladimir] Putin that this is unacceptable — the scope is unacceptable.”
So far there is no sign that the current campaign is being waged for purposes of leaking information or for disruption of critical infrastructure, such as electric grids.
SolarWinds’ monitoring tool has extremely deep “administrative” access to a network’s core functions, which means that hacking the tool would allow the Russians to freely root around victims’ systems.
APT29 compromised SolarWinds so that any time a customer checked in to request an update, the Russians could hitch a ride on the weaponized update to get into a victim’s system. FireEye dubbed the malware that the hackers used “Sunburst.”
“Monday may be a bad day for lots of security teams,” tweeted Dmitri Alperovitch, a cybersecurity expert and founder of the Silverado Policy Accelerator think tank.
———–
“The Russian hackers, known by the nicknames APT29 or Cozy Bear, are part of that nation’s foreign intelligence service, the SVR, and they breached email systems in some cases, said the people familiar with the intrusions, who spoke on the condition of anonymity because of the sensitivity of the matter. The same Russian group hacked the State Department and the White House email servers during the Obama administration.”
Less than a week after the FireEye nightmare hack is first announced to the world, we learn it was just one part of a much larger SolarWinds nightmare. A global espionage campaign that seemingly targeted US government agencies. And the US government had already determined the culprit: APT29/Cozy Bear was behind it. That’s the word we were getting from anonymous sources tied to the investigation. It was definitely Russia who had thoroughly hacked the US government’s networks starting in March of 2020 and was reading all those government emails and routing through US government networks this whole time:
...
The federal Cybersecurity and Infrastructure Security Agency issued an alert Sunday warning about an “active exploitation” of the SolarWinds Orion Platform, from versions of the software released in March and June. “CISA encourages affected organizations to read the SolarWinds and FireEye advisories for more information and FireEye’s GitHub page for detection countermeasures,” the alert said.
SolarWinds said Sunday in a statement that monitoring products it released in March and June of this year may have been surreptitiously weaponized in a “highly-sophisticated, targeted . . . attack by a nation state.”
...
SolarWinds’ monitoring tool has extremely deep “administrative” access to a network’s core functions, which means that hacking the tool would allow the Russians to freely root around victims’ systems.
...
And note this ominous early detail: in its corporate filing disclosing the hack with the SEC, SolarWinds indicated that Microsoft’s Office 365 email may have been “an attack vector” used by the hackers. Now, it’s important to note that this language is somewhat vague as to whether or not Microsoft’s Office 365 was used for the initial attack to infect the SolarWinds network or it was used after the SolarWinds hack to further exploit the networks of the 18,000 victims. But as we’re going to see, SolarWinds does confirm two months later that, yes, this Microsoft Office 365 email vulnerability was used in the initial hack of the SolarWinds network:
...
The company filed a document Monday with the Securities and Exchange Commission saying that “fewer than 18,000” of its more than 300,000 customers may have installed a software patch enabling the Russian attack. It was not clear, the filing said, how many systems were actually hacked. The corporate filing also said that Microsoft’s Office 365 email may have been “an attack vector” used by the hackers.
Microsoft said in a blog post Sunday that it had not identified any Microsoft product or cloud service vulnerabilities in its investigation of the matter.
...
Finally, observe how similar the narrative we’re hearing now is to exactly what we heard from the US government in 2016 following the remarkably ‘aggressive’ and ‘noisy’ second hack of the DNC that we are told was executed by ‘Fancy Bear’ of Russia’s GRU. Recall how, back in late July 2016, US investigators were suggesting Fancy Bear was trying to get caught in the DNC hack. That was the explanation given for the notable apparent lack of sophistication in the hack that was seen as very different from previous hacks attributed to Fancy Bear. So now we’re more or less hearing the same story in relation to Cozy Bear: this hack was highly uncharacteristic for Cozy Bear in the sense that the hackers actively fought to maintain their grip on the networks even after being caught. But we are nonetheless assured it’s Cozy Bear:
...
As part of that operation, it hacked the unclassified email systems of the White House, the Pentagon’s Joint Chiefs of Staff and the State Department.
“That was the first time we saw the Russians become much more aggressive, and instead of simply fading away like ghosts when they were detected, they actually contested access to the networks,” said Michael Daniel, who was White House cybersecurity coordinator at the time.
One of its victims in 2015 was the Democratic National Committee. But unlike a rival Russian spy agency, the GRU, which also hacked the DNC, it did not leak the stolen material. In 2016, the GRU military spy agency leaked hacked emails to the online anti-secrecy organization WikiLeaks in an operation that disrupted the Democrats’ national convention in the midst of the presidential campaign.
The SVR, by contrast, generally steals information for traditional espionage purposes, seeking secrets that might help the Kremlin understand the plans and motives of politicians and policymakers. Its operators also have filched industrial data and hacked foreign ministries.
...
They weren’t behaving like Cozy Bear, which has never been known to behave this aggressively before. But it was definitely Cozy Bear. That’s what the US was confidently stating less than a week after the FireEye hack was disclosed. Yet FireEye wasn’t convinced. It’s one of the many data points pointing in the direction of contemporary cyber attributions being mostly just made-up, convenient narratives:
Bloomberg Quint
FireEye Discovered SolarWinds Breach While Probing Own Hack
Kartikay Mehrotra
Published Dec 15 2020, 7:32 AM
Updated Dec 16 2020, 7:25 AM
(Bloomberg) — When FireEye Inc. discovered that it was hacked this month, the cybersecurity firm’s investigators immediately set about trying to figure out how attackers got past its defenses.
It wasn’t just FireEye that got attacked, they quickly found out. Investigators discovered a vulnerability in a product made by one of its software providers, Texas-based SolarWinds Corp.
“We looked through 50,000 lines of source code, which we were able to determine there was a backdoor within SolarWinds,” said Charles Carmakal, senior vice president and chief technical officer at Mandiant, FireEye’s incident response arm.
After discovering the backdoor, FireEye contacted SolarWinds and law enforcement, Carmakal said.
...
National Security Advisor Robert O’Brien cut short a trip to the Middle East and Europe to deal with the hack of U.S. government agencies. And Senator Richard Blumenthal, Democrat from Connecticut, said a classified briefing on “Russia’s cyber-attack left me deeply alarmed, in fact downright scared.”
The hackers who attacked FireEye stole sensitive tools that the company uses to find vulnerabilities in clients’ computer networks. While the hack on FireEye was embarrassing for a cybersecurity firm, Carmakal argued that it may prove to be a crucial mistake for the hackers.
“If this actor didn’t hit FireEye, there is a chance that this campaign could have gone on for much, much longer,” Carmakal said. “One silver lining is that we learned so much about how this threat actor works and shared it with our law enforcement, intelligence community and security partners.” Carmakal said there is no evidence FireEye’s stolen hacking tools were used against U.S. government agencies.
“There will unfortunately be more victims that have to come forward in the coming weeks and months,” he said. While some have attributed the attack to a state-sponsored Russian group known as APT 29, or Cozy Bear, FireEye had not yet seen sufficient evidence to name the actor, he said. A Kremlin official denied that Russia had any involvement.
...
Carmakal said the hackers took advanced steps to conceal their actions. “Their level of operational security is truly exceptional,” he said, adding that the hackers would operate from servers based in the same city as an employee they were pretending to be in order to evade detection.
...
———–
““There will unfortunately be more victims that have to come forward in the coming weeks and months,” he said. While some have attributed the attack to a state-sponsored Russian group known as APT 29, or Cozy Bear, FireEye had not yet seen sufficient evidence to name the actor, he said. A Kremlin official denied that Russia had any involvement.”
That early hesitancy on FireEye’s part to name a culprit due to a lack of evidence is going to be important to keep in mind. Because as we see in an NPR article from April of 2021, four months after the attack, there still wasn’t any new conclusive information about the hackers. No clue that could positively identify the hackers, and not even the joke ‘clues’ like Cyrillic or Mandarin characters. Nothing. The big shock expressed by Adam Meyers of CrowdStrike — the figure who led the early investigation of the SolarWinds hack — was that there wasn’t any ‘cultural artifact’ like Cyrillic or Mandarin. And yet we’re going to hear assertion after assertion that this was the work of Russian government hackers. Never an explanation why.
Is this the SolarWinds Mega-Hack? Or the Microsoft Mega-hack?
Similarly, note how SolarWinds was pointing a finger at a vulnerability in Microsoft’s Office 365 email as being a vector in the hack, and yet Microsoft was vociferously denying that a vulnerability in its own products played a role at all. As we’ll see, there’s never an explanation. Just faith. Faith in Microsoft. Faith that was again tested days after the initial disclosure of the hack when SolarWinds revealed more details on the nature of the Microsoft exploits used by the hackers. Somehow the hackers were tricking Microsoft’s authentication controls. This includes forging authentication tokens for Microsoft’s Azure cloud services and creating password credentials for legitimate processes, enabling them to read emails from Microsoft’s Exchange Online cloud-based email service. Keep in mind that the Microsoft Exchange mega-hack announced in March was targeting the non-cloud, self-hosted Microsoft Exchange email servers. So when the SolarWinds hackers demonstrated an ability to break into the cloud-based Exchange servers, they were demonstrating a capability that wasn’t exactly the same as that used to execute the Microsoft Exchange mega-hack, but awfully close. And yet we will be repeatedly assured by Microsoft that the Microsoft Exchange hack was carried out by China and not at all connected to the SolarWinds hack or “commercial surveillance vendors”. That’s part of what makes these early disclosures by Microsoft itself, that the SolarWinds hackers demonstrated a remarkable ability to manipulate Microsoft system credentials, so significant. These are disclosures Microsoft seems to want to forget as this looks more and more like a Microsoft mega-hack:
CRN
Microsoft’s Role In SolarWinds Breach Comes Under Scrutiny
By Michael Novinson
December 15, 2020, 05:18 PM EST
Microsoft has become ensnared in probes surrounding the recently disclosed colossal U.S. government hack, with media reports and company messages focusing on Office 365, Azure Active Directory and a key domain name.
Two key victims in the massive nation-state hacking campaign reportedly had their Microsoft Office 365 accounts broken into. The Russian intelligence service hackers for months monitored staff emails sent via Office 365 at the Commerce Department’s National Telecommunications and Information Administration (NTIA) after breaking into the NTIA’s office software, Reuters reported Sunday.
The hackers are “highly sophisticated” and were able to trick the Microsoft platform’s authentication controls, according to Reuters, citing a person familiar with the incident. The Commerce Department said that one of its bureaus had been breached, but didn’t respond to an inquiry about the role of Office 365 in the attack.
Microsoft didn’t provide an on-the-record response to CRN questions about if the company itself was breached as part of this campaign, and how significant Microsoft’s technology was in the hackers’ ability to exploit customers. Microsoft said in a blog post Sunday that its investigations haven’t identified any Microsoft product or cloud service vulnerabilities. Once an attacker has compromised a target network, they potentially have access to a range of systems, according to a source familiar with the situation.
On Monday, SolarWinds said it was made aware of an attack vector that was used to compromise the company’s Microsoft Office 365 emails, according to a filing with the U.S. Securities and Exchange Commission (SEC). Hackers had gained access to numerous public and private organizations through trojanized updates to SolarWinds’ Orion network monitoring software, FireEye said in a blog Sunday.
That same attack vector might have provided access to other data contained in SolarWinds’ Office 365 office productivity tool, the company said. SolarWinds said it’s probing with Microsoft if any customer, personnel or other data was exfiltrated as a result of this compromise, but hasn’t uncovered any evidence at this time of exfiltration.
“SolarWinds, in collaboration with Microsoft, has taken remediation steps to address the compromise and is investigating whether further remediation steps are required, over what period of time this compromise existed and whether the compromise is associated with the attack on its Orion software build system,” the company wrote in its SEC filing.
As for Azure, the hackers were able to forge a token which claims to represent a highly privileged account in Azure Active Directory (AD), the Microsoft Security Research Center wrote in a blog Sunday. The hackers could also gain administrative Azure AD privileges with compromised credentials. Microsoft said this was particularly likely if the account in question is not protected by multi-factor authentication.
“Having gained a significant foothold in the on-premises environment, the actor has made modifications to Azure Active Directory settings to facilitate long term access,” the Microsoft Security Research Center wrote.
The hackers were observed adding new federation trusts to an existing tenant or modifying the properties of an existing federation trust to accept tokens signed with hacker-owned certificates, Microsoft said. They could also use their administrator privileges to grant additional permissions to the target Application or Service Principal, according to Microsoft.
Microsoft also observed the hackers adding password credentials or x509 certificates to legitimate processes, granting them the ability to read mail content from Exchange Online via Microsoft Graph or Outlook REST. Examples of this happening include mail archiving applications, the firm said. Permissions usually, but not always, considered only the app identity rather than the current user’s permissions.
And from a domain perspective, Microsoft on Monday took control over a key domain name that was used by the SolarWinds hackers to communicate with systems compromised by the backdoor Orion product updates, KrebsOnSecurity reported Tuesday. Microsoft has a long history of seizing control of domains involved with malware, particularly when those sites are being used to attack Windows clients.
Armed with that access, KrebsOnSecurity said Microsoft should soon have some idea which and how many SolarWinds customers were affected. That’s because Microsoft now has insight into which organizations have IT systems that are still trying to ping the malicious domain, KrebsOnSecurity said.
“However, because many Internet service providers and affected companies are already blocking systems from accessing that malicious control domain or have disconnected the vulnerable Orion services, Microsoft’s visibility may be somewhat limited,” KrebsOnSecurity cautioned.
...
———-
“Microsoft’s Role In SolarWinds Breach Comes Under Scrutiny” by Michael Novinson; CRN; 12/15/2020
“Two key victims in the massive nation-state hacking campaign reportedly had their Microsoft Office 365 accounts broken into. The Russian intelligence service hackers for months monitored staff emails sent via Office 365 at the Commerce Department’s National Telecommunications and Information Administration (NTIA) after breaking into the NTIA’s office software, Reuters reported Sunday.”
The ‘Russian hackers’ were reading government emails for months. And while we were being assured that it was Russia behind it, it’s worth keeping in mind that the idea that it was Russia reading these emails is actually far more reassuring than the idea of cyber criminals doing the same, because at least Russia is less inclined to sell or release the data. In other words, these early, aggressively confident attributions to Russia aren’t just self-serving from the standpoint of aligning with US geopolitical interests. They’re also highly self-serving for Microsoft, SolarWinds, and the US government agencies that got hacked, because they downplay the potential implications of the hack.
Now note these early details of how Microsoft vulnerabilities were used in the attack. The hackers were tricking Microsoft’s authentication controls. They could forge authentication tokens enabling access to Microsoft’s cloud-based Azure services. But critically, they were gaining access to read mail content from Exchange Online, effectively demonstrating the ability to hack Microsoft’s cloud-based Exchange email servers. This is going to be an important detail to keep in mind as we read about the Microsoft Exchange server mega-hack disclosed in March:
...
The hackers are “highly sophisticated” and were able to trick the Microsoft platform’s authentication controls, according to Reuters, citing a person familiar with the incident. The Commerce Department said that one of its bureaus had been breached, but didn’t respond to an inquiry about the role of Office 365 in the attack.
...
As for Azure, the hackers were able to forge a token which claims to represent a highly privileged account in Azure Active Directory (AD), the Microsoft Security Research Center wrote in a blog Sunday. The hackers could also gain administrative Azure AD privileges with compromised credentials. Microsoft said this was particularly likely if the account in question is not protected by multi-factor authentication.
...
Microsoft also observed the hackers adding password credentials or x509 certificates to legitimate processes, granting them the ability to read mail content from Exchange Online via Microsoft Graph or Outlook REST. Examples of this happening include mail archiving applications, the firm said. Permissions usually, but not always, considered only the app identity rather than the current user’s permissions.
...
And note that at this point Microsoft itself is also describing how it observed the hackers adding password credentials or x509 certificates to legitimate processes to enable the reading of emails. Microsoft’s own security researchers were telling us about this. And yet, as we’ll see in the articles below from February, Microsoft insists that vulnerabilities in its software played no role at all in the hack and that all such reports are misinformation.
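The three techniques Microsoft described above (adding or modifying federation trusts, adding password or certificate credentials to existing applications, and granting applications permission to read mail through Microsoft Graph or Outlook REST) each leave a record in the Azure AD audit log, which is where a defender would go looking for them. The following is an added example, not code from this page, from Microsoft, or from any vendor: a small Python triage pass over constructed audit-log records that flags those three activities. The activity names and the sample records are assumptions modeled on the Azure AD audit-log schema exposed through Microsoft Graph, so verify them against an export from your own tenant.

```python
"""Triage Azure AD audit-log records for the post-compromise steps Microsoft
described after the SolarWinds intrusion: federation trusts added or modified,
credentials added to existing applications, and mail-read permissions granted
to applications.  Example code written for this page, not Microsoft tooling."""
import json
from collections import Counter
from dataclasses import dataclass

# Activity names as they appear in Azure AD audit logs (assumption: confirm the
# exact strings against an export from your own tenant before relying on them).
FEDERATION_ACTIVITIES = {
    "Set federation settings on domain",
    "Set domain authentication",
    "Add unverified domain",
}
CREDENTIAL_ACTIVITIES = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}
PERMISSION_ACTIVITIES = {
    "Add app role assignment to service principal",
    "Add delegated permission grant",
    "Consent to application",
}
# Graph / Exchange Online permissions that let an application read mailboxes.
MAIL_PERMISSIONS = ("Mail.Read", "Mail.ReadWrite", "full_access_as_app")


@dataclass(frozen=True)
class Finding:
    technique: str
    actor: str
    target: str
    activity: str


def _actor(event):
    """Who initiated the change: a user principal name or an app display name."""
    who = event.get("initiatedBy") or {}
    user, app = who.get("user") or {}, who.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def _new_values(event):
    """Join every modifiedProperties.newValue so permission names can be matched."""
    parts = []
    for t in event.get("targetResources", []):
        for prop in t.get("modifiedProperties") or []:
            parts.append(str(prop.get("newValue", "")))
    return " ".join(parts)


def triage(events):
    """Return one Finding per (event, target resource) that matches a watched technique."""
    findings = []
    for ev in events:
        activity = ev.get("activityDisplayName", "")
        if activity in FEDERATION_ACTIVITIES:
            technique = "federation trust added or modified"
        elif activity in CREDENTIAL_ACTIVITIES:
            technique = "credential added to existing application"
        elif activity in PERMISSION_ACTIVITIES and any(
            p in _new_values(ev) for p in MAIL_PERMISSIONS
        ):
            technique = "mail-read permission granted to application"
        else:
            continue  # routine directory change, not one of the watched steps
        targets = [t.get("displayName") or "?" for t in ev.get("targetResources", [])]
        for target in targets or ["?"]:
            findings.append(Finding(technique, _actor(ev), target, activity))
    return findings


def summarize(findings):
    """Count findings per technique for a one-line triage summary."""
    return dict(Counter(f.technique for f in findings))


# Constructed sample records (not real logs); layout follows the Graph audit schema.
SAMPLE_EVENTS = json.loads("""[
 {"activityDisplayName": "Set federation settings on domain", "category": "DirectoryManagement",
  "initiatedBy": {"user": {"userPrincipalName": "svc-admin@contoso.example"}},
  "targetResources": [{"displayName": "contoso.example", "modifiedProperties": []}]},
 {"activityDisplayName": "Add service principal credentials", "category": "ApplicationManagement",
  "initiatedBy": {"user": {"userPrincipalName": "svc-admin@contoso.example"}},
  "targetResources": [{"displayName": "Mail Archiver", "modifiedProperties":
     [{"displayName": "KeyDescription", "newValue": "[\\"KeyType=AsymmetricX509Cert,Usage=Verify\\"]"}]}]},
 {"activityDisplayName": "Add app role assignment to service principal", "category": "ApplicationManagement",
  "initiatedBy": {"user": {"userPrincipalName": "svc-admin@contoso.example"}},
  "targetResources": [{"displayName": "Mail Archiver", "modifiedProperties":
     [{"displayName": "AppRole.Value", "newValue": "\\"Mail.Read\\""}]}]},
 {"activityDisplayName": "Add app role assignment to service principal", "category": "ApplicationManagement",
  "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
  "targetResources": [{"displayName": "HR Portal", "modifiedProperties":
     [{"displayName": "AppRole.Value", "newValue": "\\"User.Read.All\\""}]}]},
 {"activityDisplayName": "Consent to application", "category": "ApplicationManagement",
  "initiatedBy": {"user": {"userPrincipalName": "svc-admin@contoso.example"}},
  "targetResources": [{"displayName": "Mail Archiver", "modifiedProperties":
     [{"displayName": "ConsentAction.Permissions", "newValue": "[Mail.ReadWrite, User.Read]"}]}]}
]""")

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.technique:45} {f.actor:28} {f.target:16} ({f.activity})")
    print(summarize(triage(SAMPLE_EVENTS)))
```

Run against the constructed records, the pass flags four changes, all made by the same account: the federation-settings change on the tenant's domain, a new certificate credential on the "Mail Archiver" application, and two grants of mail-read permission to that same application, while the unrelated `User.Read.All` assignment to "HR Portal" is left alone. The "who made the change" column is the useful pivot, since the page's point is that a legitimate application identity, not a user login, ends up with mailbox access.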
A week into the SolarWinds hack disclosure, the US Treasury Department gives an update. We’re told the department’s hack started in July. And in another indication that the hackers were able to obtain the authentication credentials needed to extract data from Microsoft’s Office 365 email software, we’re told that’s exactly what they were doing on the Treasury’s network. So both SolarWinds and the US Treasury were giving us strong hints early on that the story of the SolarWinds mega-hack is the story of a still-unrecognized Microsoft mega-hack:
The New York Times
Treasury Department’s Senior Leaders Were Targeted by Hacking
The disclosure was the first acknowledgment of a specific intrusion in the vast cyberattack. At the White House, national security leaders met to assess how to deal with the situation.
By David E. Sanger and Alan Rappeport
Published Dec. 21, 2020; Updated Jan. 6, 2021
WASHINGTON — The Russian hackers who penetrated United States government agencies broke into the email system used by the Treasury Department’s most senior leadership, a Democratic member of the Senate Finance Committee said on Monday, the first detail of how deeply Moscow burrowed into the Trump administration’s networks.
In a statement after a briefing for committee staff members, Senator Ron Wyden of Oregon, who has often been among the sharpest critics of the National Security Agency and other intelligence agencies, said that the Treasury Department had acknowledged that “the agency suffered a serious breach, beginning in July, the full depth of which isn’t known.”
The Treasury Department ranks among the most highly protected corners of the government because of its responsibility for market-moving economic decisions, communications with the Federal Reserve and economic sanctions against adversaries. Mr. Wyden said the hackers had gained access to the email system by manipulating internal software keys.
The department learned of the breach not from any of the government agencies whose job is to protect against cyberattacks, but from Microsoft, which runs much of Treasury’s communications software, Mr. Wyden said. He said that “dozens of email accounts were compromised,” apparently including in what is called the departmental offices division, where the most senior officials operate.
“Treasury still does not know all of the actions taken by hackers, or precisely what information was stolen,” he said.
An aide to Mr. Wyden said the department’s officials indicated that Treasury Secretary Steven Mnuchin’s email account had not been breached.
The newest disclosures underscored the administration’s conflicting messages about the source of the attacks and the extent of the damage as more reports about the targets leak out. A Treasury Department spokeswoman did not immediately respond to a request for comment.
Mr. Mnuchin addressed the hacking earlier on Monday and said the department’s classified systems had not been breached.
“At this point, we do not see any break-in into our classified systems,” he said in an interview with CNBC. “Our unclassified systems did have some access.”
Mr. Mnuchin said that the hacking was related to third-party software. He added that there had been no damage or large amounts of information displaced as a result of the attack and that the agency had robust resources to protect the financial industry.
“I can assure you, we are completely on top of this,” he said. He did not explain how the Russian presence was not detected in the system for more than four months.
His statement came on the same day that Attorney General William P. Barr, at his final news conference before stepping down, sided with Secretary of State Mike Pompeo in saying that Moscow was almost certainly behind the hacking. The intrusion went through a commercial network management software package made by SolarWinds, a company based in Austin, Texas, and allowed the hackers broad access to government and corporate systems.
“I agree with Secretary Pompeo’s assessment: It certainly appears to be the Russians,” Mr. Barr said, further undercutting President Trump’s effort to cast doubt on whether the government of President Vladimir V. Putin of Russia was behind the attack. Mr. Trump appears to be alone in the administration in his contention that China might have been the source of the hacking.
Mr. Mnuchin was among several top officials in the government who met with national security officials for the first time at the White House on Monday to assess the damage and discuss how to deal with it.
The meeting was a principals committee session led by Robert C. O’Brien, the national security adviser. It was held two days after Mr. Trump said the attack on federal networks was “under control,” was being exaggerated by the news media and might have been carried out by China rather than Russia, which has been identified by intelligence agencies, other government officials and cybersecurity firms as the almost certain source of the hacking.
The session was classified, but if it was like the briefings to Congress in recent days, the intelligence officials expressed little doubt that the attack was most likely carried out by hackers associated with the S.V.R., Russia’s premier intelligence agency.
But on Monday there was no public declaration attributing the hacking to Russia, perhaps reflecting Mr. Trump’s reluctance to confront Moscow over the issue and the doubts he has expressed about the seriousness of the attack.
The meeting, according to one senior administration official, was intended to “take stock of the intelligence, the investigation and the actions being taken to remediate” the attack. Absent from that description was any preparation for imposing a cost on the attacker. Mr. Trump did not attend the meeting.
...
The list of attendees at the meeting was notable because it provided some indication of which parts of the government might have been affected. White House officials said Treasury Secretary Steven Mnuchin, Commerce Secretary Wilbur Ross, the acting homeland security secretary Chad F. Wolf and Energy Secretary Dan Brouillette were present. All of those agencies were previously identified by news organizations as targets of the hacking.
John Ratcliffe, the director of national intelligence, participated in the meeting; so did Gina Haspel, the C.I.A. director, and Gen. Paul M. Nakasone, the director of the National Security Agency and the commander of the United States Cyber Command. Secretary of State Mike Pompeo, who was the first high-ranking administration official to acknowledge that Russia was the most likely source of the attack before he was undercut by Mr. Trump, did not attend. His deputy, Stephen E. Biegun, stood in for him.
General Nakasone, an experienced cyberwarrior who is responsible for the defense of national security systems, has been silent since the hacking was revealed. At the N.S.A. and Cyber Command, officials said, there was extraordinary embarrassment that a private company, FireEye, had been the first to alert the government that it had been hacked.
According to the details released by Mr. Wyden, once the Russian hackers used the SolarWinds software update to get inside Treasury’s systems, they performed a complex step inside Microsoft’s Office 365 system to create an encrypted “token” that identifies a computer to the larger network.
That counterfeiting enabled them to fool the system into thinking they were legitimate users — and to sign on without trying to guess user names and passwords. Microsoft said last week that it had fixed the flaw that the Russians had exploited, but that did not answer the question of whether the hackers used their access to bore through other channels into the Treasury Department or other systems.
Formally determining who was responsible for a hacking like this one can be time-consuming work, though the administration did so twice in Mr. Trump’s first year in office, pointing to North Korea for the so-called WannaCry attack on the British health care system and Russia for the “NotPetya” attack that cost Maersk, Federal Express and other major corporations hundreds of millions of dollars.
In this case, officials say, a formal declaration of who was responsible for the attack — which is needed to start any form of retaliation — may not come until after Mr. Biden is inaugurated. That would leave the Trump administration to focus on damage control but skip the hard questions of how to deter Moscow from future attacks.
Capt. Katrina J. Cheesman, a spokeswoman for Cyber Command, said that so far the military had found “no evidence of compromises” in the Pentagon’s network. She said that parts of the Defense Department’s “software supply chain source have disclosed a vulnerability within their systems, but we have no indication the D.O.D. network has been compromised.”
———–
“The Treasury Department ranks among the most highly protected corners of the government because of its responsibility for market-moving economic decisions, communications with the Federal Reserve and economic sanctions against adversaries. Mr. Wyden said the hackers had gained access to the email system by manipulating internal software keys.”
It’s the second early indication that the SolarWinds hackers have some advanced Microsoft email exploits: less than two weeks after the initial FireEye disclosure, the Treasury Department informs us that it was the manipulation of internal software keys that enabled access to the agency’s emails after the hackers entered the government networks via the SolarWinds backdoor. Specifically, Microsoft Office 365 identity tokens:
...
According to the details released by Mr. Wyden, once the Russian hackers used the SolarWinds software update to get inside Treasury’s systems, they performed a complex step inside Microsoft’s Office 365 system to create an encrypted “token” that identifies a computer to the larger network. That counterfeiting enabled them to fool the system into thinking they were legitimate users — and to sign on without trying to guess user names and passwords. Microsoft said last week that it had fixed the flaw that the Russians had exploited, but that did not answer the question of whether the hackers used their access to bore through other channels into the Treasury Department or other systems.
...
So claims about Microsoft’s Office 365 email vulnerabilities being exploited as part of the SolarWinds hack were coming from not just the SolarWinds company itself but also the US Treasury Department. Claims Microsoft continued to vociferously dispute for months.
And just note again how quickly and definitively the attributions to Russia were coming from the Trump administration: they couldn’t explain how the hackers evaded detection for months, but everyone was ready to join Mike Pompeo in declaring that Moscow was almost certainly behind it. No reasons are given. None are necessary. It’s just a given: if there’s a major hack that hits Western government agencies, it’s either Russia or China. Because of course it is. Who else could it be? It’s the unquestioned operating paradigm for contemporary cyberattribution:
...
Mr. Mnuchin said that the hacking was related to third-party software. He added that there had been no damage or large amounts of information displaced as a result of the attack and that the agency had robust resources to protect the financial industry. “I can assure you, we are completely on top of this,” he said. He did not explain how the Russian presence was not detected in the system for more than four months.
His statement came on the same day that Attorney General William P. Barr, at his final news conference before stepping down, sided with Secretary of State Mike Pompeo in saying that Moscow was almost certainly behind the hacking. The intrusion went through a commercial network management software package made by SolarWinds, a company based in Austin, Texas, and allowed the hackers broad access to government and corporate systems.
“I agree with Secretary Pompeo’s assessment: It certainly appears to be the Russians,” Mr. Barr said, further undercutting President Trump’s effort to cast doubt on whether the government of President Vladimir V. Putin of Russia was behind the attack. Mr. Trump appears to be alone in the administration in his contention that China might have been the source of the hacking.
...
The session was classified, but if it was like the briefings to Congress in recent days, the intelligence officials expressed little doubt that the attack was most likely carried out by hackers associated with the S.V.R., Russia’s premier intelligence agency.
...
John Ratcliffe, the director of national intelligence, participated in the meeting; so did Gina Haspel, the C.I.A. director, and Gen. Paul M. Nakasone, the director of the National Security Agency and the commander of the United States Cyber Command. Secretary of State Mike Pompeo, who was the first high-ranking administration official to acknowledge that Russia was the most likely source of the attack before he was undercut by Mr. Trump, did not attend. His deputy, Stephen E. Biegun, stood in for him.
...
Keep in mind how disturbing these warnings about Microsoft vulnerabilities were at the time. We already knew by that point that someone had planted backdoors on 18,000 companies and organizations around the world, including numerous government agencies. But we didn’t necessarily know what the hackers could do on all those networks after they walked through the backdoors. Learning about these Microsoft exploits told us at least some of what they could do on those networks. And given how ubiquitous Microsoft’s software is in large organizations, it’s a safe assumption that a large number of those SolarWinds clients were running Microsoft services on those networks.
SolarWinds Update: ‘It Started with a Zero-Day Microsoft Exploit.’ Microsoft Counter-Update: ‘No it Didn’t.’ CISA Update: ‘It’s Not Just SolarWinds.’
It was early February, less than two months after the initial FireEye disclosure, when we got a confirmation of sorts on the question of whether the Microsoft Office 365 email vulnerability that SolarWinds characterized as an “attack vector” in December was actually used to execute the initial hack of SolarWinds. SolarWinds CEO Sudhakar Ramakrishna appeared to confirm that, yes, a Microsoft vulnerability was used in the initial hack of the SolarWinds Orion software developer: a zero-day vulnerability never seen before, although SolarWinds didn’t identify the specific Office 365 vulnerability.
But we also got another update from Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency: roughly 30 percent of the victim organizations that found the backdoor malware on their network had no connection to SolarWinds. Other methods for creating backdoors were being deployed by these hackers. So we learn that the SolarWinds hack likely started with a Microsoft exploit and also that the hackers are infecting other networks through means other than the infected SolarWinds software. It’s not great news for Microsoft users:
CRN
SolarWinds CEO Confirms Office 365 Email ‘Compromise’ Played Role In Broad-Based Attack
SolarWinds CEO Sudhakar Ramakrishna has verified suspicious activity in its Office 365 environment, with a company email account compromised and used to access accounts of targeted SolarWinds staff in business and technical roles.
By Michael Novinson
February 04, 2021, 07:28 AM EST
SolarWinds CEO Sudhakar Ramakrishna verified Wednesday “suspicious activity” in its Office 365 environment allowed hackers to gain access to and exploit the SolarWinds Orion development environment.
Hackers most likely entered SolarWinds’s environment through compromised credentials and/or a third-party application that capitalized on a zero-day vulnerability, Ramakrishna said.
“We’ve confirmed that a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles,” he said in the blog post. “By compromising credentials of SolarWinds employees, the threat actors were able to gain access to and exploit our Orion development environment.”
The beleaguered Austin, Texas-based IT infrastructure management vendor said a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles.
By compromising the credentials of SolarWinds employees, Ramakrishna said the hackers were able to gain access to and exploit the development environment for the SolarWinds Orion network monitoring platform. SolarWinds was first notified by Microsoft about a compromise related to its Office 365 environment on Dec. 13, the same day news of the hack went public.
SolarWinds’s investigation has not identified a specific vulnerability in Office 365 that would have allowed the hackers to enter the company’s environment through Office 365, he said Wednesday. A day earlier, Ramakrishna told The Wall Street Journal that one of several theories the company was pursuing is that the hackers used an Office 365 account compromise as the initial point of entry into SolarWinds.
Microsoft declined to comment to CRN. Ramakrishna said SolarWinds has analyzed data from multiple systems and logs, including from our Office 365 and Azure tenants, as part of its investigation. The SolarWinds hack is believed to be the work of the Russian foreign intelligence service.
“While it’s widely understood any one company could not protect itself against a sustained and unprecedented nation-state attack of this kind, we see an opportunity to lead an industry-wide effort that makes SolarWinds a model for secure software environments, development processes, and products,” Ramakrishna wrote in a blog post Wednesday.
Some 30 percent of the private sector and government victims of the colossal hacking campaign had no direct connection to SolarWinds, Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, told The Wall Street Journal Friday. But he said investigators haven’t identified another company whose products were broadly compromised to infect other firms the way SolarWinds was.
SolarWinds’s investigations will be ongoing for at least several more weeks, and possibly months, due to the sophistication of the campaign and actions taken by the hackers to remove evidence of their activity, he said. SolarWinds has not determined the exact date hackers first gained unauthorized access to the company’s environment, though innocuous code changes were first made to Orion in October 2019.
The hackers deleted programs following use to avoid forensic discovery and masqueraded file names and activity to mimic legitimate applications and files, he said. The hackers had automated dormancy periods of two weeks or more prior to activation and utilized servers outside the monitoring authority of U.S. intelligence, he said.
...
———–
“By compromising the credentials of SolarWinds employees, Ramakrishna said the hackers were able to gain access to and exploit the development environment for the SolarWinds Orion network monitoring platform. SolarWinds was first notified by Microsoft about a compromise related to its Office 365 environment on Dec. 13, the same day news of the hack went public.”
It’s more or less confirmed: the SolarWinds hack started with the exploitation of a vulnerability in Microsoft’s Office 365 email. The vulnerability gave the hackers access to the SolarWinds Orion software development environment. That’s where it all started.
Or at least that’s where the SolarWinds hack started. As they note, some 30 percent of the victims of this hack don’t actually have a direct connection to SolarWinds, raising the possibility that the SolarWinds hack is really part of an even larger hack being executed by a group of actors with numerous powerful Microsoft exploits. In other words, we might not be looking at the SolarWinds mega-hack but instead a Microsoft mega-hack that just includes a large SolarWinds component:
...
Some 30 percent of the private sector and government victims of the colossal hacking campaign had no direct connection to SolarWinds, Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, told The Wall Street Journal Friday. But he said investigators haven’t identified another company whose products were broadly compromised to infect other firms the way SolarWinds was.
...
So if 30 percent of the victims weren’t running SolarWinds’s Orion software, what was the attack vector in their cases? That’s a mystery, but we have a pretty obvious clue if the SolarWinds hack started with a Microsoft exploit. It’s no wonder Microsoft’s public relations team was in hyper-damage-control mode, denying all reports going back to December that its products played any role at all in the attack. Recall how it was Microsoft’s own security team that was telling us back in December how the hackers were modifying credentials to read emails from Microsoft Exchange Online (the cloud Exchange service). But once it started to look like the SolarWinds mega-hack was really the Microsoft mega-hack, it was a complete denial from Microsoft. The company has nothing to do with any of this, and anyone saying anything to the contrary is misinterpreting or misreading the available data:
CRN
Microsoft: No Evidence SolarWinds Was Hacked Via Office 365
‘The wording of the SolarWinds 8K [regulatory] filing was unfortunately ambiguous, leading to erroneous interpretation and speculation, which is not supported by the results of our investigation,’ Microsoft said Thursday.
By Michael Novinson
February 05, 2021, 06:52 AM EST
Microsoft said its investigation hasn’t found any evidence that SolarWinds was attacked through Office 365, meaning the hackers gained privileged credentials in some other way.
The Redmond, Wash.-based software giant said a Dec. 14 regulatory filing by SolarWinds gave the impression that SolarWinds was investigating an attack vector related to Microsoft Office 365. In the filing, SolarWinds said it’s aware of an attack vector used to compromise the company’s Office 365 emails that may have provided access to other data contained in the company’s office productivity tools.
“The wording of the SolarWinds 8K filing was unfortunately ambiguous, leading to erroneous interpretation and speculation, which is not supported by the results of our investigation,” the Microsoft Security Team wrote in a blog post Thursday.
SolarWinds’s investigation hasn’t identified a specific vulnerability in Office 365 that would have allowed the hackers to enter the company’s environment through Office 365, CEO Sudhakar Ramakrishna said Wednesday. A day earlier, he told The Wall Street Journal one of several theories the firm was pursuing is hackers used an Office 365 account compromise as the initial point of entry into SolarWinds.
Ramakrishna said Wednesday that SolarWinds has confirmed suspicious activity related to its Office 365 environment, with a company email account compromised and used to access accounts of targeted SolarWinds staff in business and technical roles. By compromising the credentials of SolarWinds staff, he said the hackers were able to gain access to and exploit the SolarWinds development environment.
Although data hosted in Microsoft services such as email was sometimes targeted by the SolarWinds hackers, Microsoft insists the attacker gained privileged credentials in another way. The Cybersecurity and Infrastructure Security Agency (CISA) isn’t aware of cloud software other than Microsoft’s targeted in the SolarWinds attack, Acting Director Brandon Wales told The Wall Street Journal Jan. 29.
In many of their break-ins, the SolarWinds hackers took advantage of known Microsoft configuration issues to trick systems into giving them access to emails and documents stored on the cloud, The Wall Street Journal said. Hackers can go from one cloud-computing account to another by taking advantage of little-known idiosyncrasies in the way software authenticates itself on the Microsoft service.
...
Reuters reported Dec. 17 that Microsoft was compromised via SolarWinds, with suspected Russian hackers then using Microsoft’s own products to further the attacks on other victims. Microsoft told CRN at the time that sources for the Reuters report are “misinformed or misinterpreting their information,” but acknowledged the software giant had “detected malicious SolarWinds binaries” in its environment.
“No, it [the Reuters article] is not accurate,” the Microsoft Security Team wrote in its blog post Thursday. “As we said at the time, and based upon all investigations since, we have found no indications that our systems were used to attack others.”
Microsoft acknowledged Dec. 31 that a company account compromised by the SolarWinds hackers had been used to view source code in a number of source code repositories. The compromised Microsoft account, however, didn’t have permissions to modify any code or engineering systems, and an investigation confirmed no changes were made, Microsoft said at the time.
The company also responded Thursday to criticism for not disclosing attack details as soon as Microsoft knew about them, saying that the company is restricted from sharing details in cases where Microsoft is providing investigative support to other organizations. In these types of engagements, Microsoft said the victim organizations have control in deciding what details to disclose and when to disclose them.
Investigators can additionally discover early indicators that require further research before they are actionable, Microsoft said. Taking the time to thoroughly investigate incidents is necessary to provide the best possible guidance to customers, partners, and the broader security community, Microsoft said.
...
———–
““The wording of the SolarWinds 8K filing was unfortunately ambiguous, leading to erroneous interpretation and speculation, which is not supported by the results of our investigation,” the Microsoft Security Team wrote in a blog post Thursday.”
The denials can’t get any stronger. A day after SolarWinds CEO Sudhakar Ramakrishna seemed to more or less publicly confirm that a vulnerability in Microsoft’s Office 365 email played a direct role in the initial attack, Microsoft reiterates that all reports of Microsoft vulnerabilities playing any role in the SolarWinds hack are unsubstantiated and false. That’s the line.
And note how the company acknowledges its products were hacked in many cases on the SolarWinds victims’ networks as part of the second phase of the hack, but Microsoft insists that the attackers gained privileged credentials in another way. Now, in fairness, it’s possible Microsoft systems could be hacked on client networks for reasons that have nothing to do with vulnerabilities in Microsoft’s code and are instead the fault of misconfigured software on the client end. But that’s what Microsoft was insisting at that point in early February, a day after SolarWinds’s CEO seemed to confirm a Microsoft Office 365 email exploit was used to initiate the hack and well after the US government confirmed the SolarWinds hackers used a Microsoft Office 365 email exploit during their plundering of the Treasury Department’s networks. The plausible deniability of Microsoft’s insistence that client configuration issues were the cause of the hacked Microsoft products was rapidly dwindling. Microsoft’s insistence held strong:
...
Although data hosted in Microsoft services such as email was sometimes targeted by the SolarWinds hackers, Microsoft insists the attacker gained privileged credentials in another way. The Cybersecurity and Infrastructure Security Agency (CISA) isn’t aware of cloud software other than Microsoft’s targeted in the SolarWinds attack, Acting Director Brandon Wales told The Wall Street Journal Jan. 29. In many of their break-ins, the SolarWinds hackers took advantage of known Microsoft configuration issues to trick systems into giving them access to emails and documents stored on the cloud, The Wall Street Journal said. Hackers can go from one cloud-computing account to another by taking advantage of little-known idiosyncrasies in the way software authenticates itself on the Microsoft service.
...
Reuters reported Dec. 17 that Microsoft was compromised via SolarWinds, with suspected Russian hackers then using Microsoft’s own products to further the attacks on other victims. Microsoft told CRN at the time that sources for the Reuters report are “misinformed or misinterpreting their information,” but acknowledged the software giant had “detected malicious SolarWinds binaries” in its environment.
“No, it [the Reuters article] is not accurate,” the Microsoft Security Team wrote in its blog post Thursday. “As we said at the time, and based upon all investigations since, we have found no indications that our systems were used to attack others.”
Microsoft acknowledged Dec. 31 that a company account compromised by the SolarWinds hackers had been used to view source code in a number of source code repositories. The compromised Microsoft account, however, didn’t have permissions to modify any code or engineering systems, and an investigation confirmed no changes were made, Microsoft said at the time.
...
“As we said at the time, and based upon all investigations since, we have found no indications that our systems were used to attack others.” Have fun interpreting that one. But as a public statement, it sounds definitive. There were no Microsoft software vulnerabilities involved at all with the SolarWinds hack. Period. End of story.
Another Update from Microsoft: We Were Hacked and Our Source Code Was Viewed. Including for Microsoft Exchange. But Don’t Worry, Nothing was Compromised and Everything is Fine on Our End Now.
Two weeks later, the story got another update. From Microsoft: the SolarWinds hackers rooted around in Microsoft’s networks through January and managed to download some source code for its Azure, Exchange and Intune cloud-based products. Again, keep in mind that Microsoft will be forced to disclose the Microsoft Exchange mega-hack a couple of weeks after this update, and in that new mega-hack it was the self-hosted, non-cloud version of Microsoft Exchange that got hacked. So the hackers stole code pretty closely related to the very system that got mega-hacked. We’re also going to learn that the Microsoft Exchange mega-hack apparently started in January, the same month the SolarWinds hackers were presumably (hopefully) kicked out of Microsoft’s networks. And we’ve already seen that the SolarWinds hackers have impressive never-before-seen abilities to trick Microsoft’s credential systems. That’s all part of what makes this latest update to the SolarWinds story so ominous: it sure seems like it’s related to the Microsoft Exchange mega-hack that Microsoft will disclose in March, even though Microsoft assures us it’s not and that it’s a completely separate hack by different Chinese hackers:
CRN
SolarWinds Hackers Kept Going After Microsoft Until January
The SolarWinds hackers first viewed a file in a Microsoft source repository in November, and were able to download source code for its Azure, Exchange and Intune cloud-based products.
By Michael Novinson
February 19, 2021, 06:34 AM EST
The SolarWinds hackers continued efforts to infiltrate Microsoft until early January, keeping up the assault even after Microsoft revealed its source code had been compromised.
The likely Russian hackers first viewed a file in a Microsoft source repository in late November, and the Redmond, Wash.-based software giant detected unusual activity in some internal accounts the next month. The hackers lost source repository access after Microsoft secured its compromised accounts, but the threat actor kept making unsuccessful attempts to regain access all the way until early January.
“A concerning aspect of this attack is that security companies were a clear target,” Vasu Jakkal, Microsoft’s corporate vice president of security, compliance and identity, wrote in a blog post Thursday. “Microsoft, given the expansive use of our productivity tools and leadership in security, of course was an early target.”
Microsoft admitted the SolarWinds hackers were able to download some source code for its Azure, Exchange and Intune cloud-based products. The downloaded Azure source code was for subsets of its service, security and identity components, according to Microsoft.
The search terms used by the SolarWinds hackers indicate they were attempting to find secrets such as API keys, credentials, and security tokens that may have been embedded in the source code, according to Microsoft. But the company said it has a development policy that prohibits storing secrets in source code and runs automated tools to verify compliance.
Microsoft said it subsequently confirmed that both current and historical branches of its source code repositories don’t contain any live production credentials. For nearly all the Microsoft code repositories accessed by the SolarWinds hackers, only a few individual files were viewed as a result of a repository search, according to the company.
...
Microsoft said the SolarWinds hackers weren’t able to access its privileged credentials or leverage Security Access Markup Language (SAML) techniques against the company’s corporate domains. But outside of Microsoft, U.S. investigators said one of the principal ways the hacker has collected victim information is by compromising the SAML signing certificate using escalated Active Directory privileges.
Organizations that delegate trust to on-premises components in deployments that connect on-premises infrastructure and the cloud end up with an additional seam they need to secure, the MSRC wrote. As a result, if an on-premises environment is compromised, Microsoft said there’s an opportunity for hackers to target cloud services.
“When you rely on on-premises services, like authentication server, it is up to a customer to protect their identity infrastructure,” Jakkal wrote in her blog post. “With a cloud identity, like Azure Active Directory, we protect the identity infrastructure from the cloud.”
At the same time, Jakkal said the SolarWinds hackers took advantage of abandoned app accounts with no multi-factor authentication to access cloud administrative settings with high privilege. As organizations transition from implicit trust to explicit verification, Jakkal said they first must focus on protecting identities, especially privileged user accounts.
“Gaps in protecting identities (or user credentials) like weak passwords or lack of multifactor authentication are opportunities for an actor to find their way into a system, elevate their status, and move laterally across the environments targeting email, source code, critical databases and more,” Jakkal said.
The SolarWinds hackers tried and failed to get into CrowdStrike and read their emails via a Microsoft reseller’s Azure account that was responsible for managing CrowdStrike’s Microsoft Office licenses. If a customer buys a cloud service from a reseller and allows the reseller to retain administrative access, then a compromise of reseller credentials would grant access to the customer’s tenant, Microsoft said.
But the abuse of administrative access wouldn’t be a compromise of Microsoft’s services themselves, the company told CRN on Dec. 24.
———–
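The NYT excerpt earlier in this post (the counterfeit Office 365 “token”) and the CRN excerpt just above (investigators finding the SAML signing certificate compromised via escalated Active Directory privileges) describe the same problem from the defender’s side: once the on-premises federation server’s signing key is abused, the cloud side receives assertions that are cryptographically valid and look legitimate. A standard detection, shown here as an added example that is not from any of the quoted reports or from Microsoft, is to correlate every federated cloud sign-in with the federation server’s own token-issuance audit log, and to check the assertion’s issuer and lifetime as cheaper secondary signals. The issuer URI, user names, timestamps, record shapes and thresholds below are constructed assumptions; a real tenant’s sign-in export and a real AD FS event log would need their own parsing before this check applies.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed values for the demo: the issuer URI the organisation's own federation
# server puts in its assertions, the longest assertion lifetime it is configured
# to issue, and the clock skew tolerated between the two log sources.
TRUSTED_ISSUER = "http://sts.corp.example.test/adfs/services/trust"
MAX_ASSERTION_LIFETIME = timedelta(hours=1)
CORRELATION_WINDOW = timedelta(minutes=5)


@dataclass(frozen=True)
class CloudSignIn:
    """A federated sign-in the cloud identity service accepted (constructed record shape)."""
    user: str
    accepted_at: datetime
    issuer: str
    assertion_id: str
    not_before: datetime
    not_on_or_after: datetime


@dataclass(frozen=True)
class IdpIssuance:
    """A 'token issued' audit event from the on-premises federation server (constructed shape)."""
    user: str
    issued_at: datetime
    assertion_id: str


def audit_federated_signins(signins, issuances):
    """Return {assertion_id: [reasons]} for sign-ins the federation server cannot vouch for.

    An assertion signed with a stolen signing key passes signature validation, so
    the cloud side accepts it; what it cannot have is a matching issuance event on
    the server whose key was stolen.  Unusual lifetimes and issuers are secondary signals.
    """
    issued = {(i.user.lower(), i.assertion_id): i for i in issuances}
    findings = {}
    for s in signins:
        reasons = []
        if s.issuer != TRUSTED_ISSUER:
            reasons.append("issuer is not the organisation's federation server")
        lifetime = s.not_on_or_after - s.not_before
        if lifetime > MAX_ASSERTION_LIFETIME:
            reasons.append(f"assertion lifetime {lifetime} exceeds the configured maximum")
        match = issued.get((s.user.lower(), s.assertion_id))
        if match is None:
            reasons.append("no matching issuance event on the federation server")
        elif abs(match.issued_at - s.not_before) > CORRELATION_WINDOW:
            reasons.append("issuance time does not line up with the assertion's validity window")
        if reasons:
            findings[s.assertion_id] = reasons
    return findings


def sample_logs():
    """Three constructed sign-ins: one legitimate, one forged, one from a foreign issuer."""
    t0 = datetime(2020, 12, 1, 9, 0, 0)
    signins = [
        CloudSignIn("alice@corp.example.test", t0 + timedelta(seconds=30), TRUSTED_ISSUER,
                    "_a1", t0, t0 + timedelta(hours=1)),
        # Ten-day assertion for a service account, with no issuance event behind it.
        CloudSignIn("svc-backup@corp.example.test", t0 + timedelta(hours=2), TRUSTED_ISSUER,
                    "_f9", t0 + timedelta(hours=2), t0 + timedelta(days=10, hours=2)),
        CloudSignIn("bob@corp.example.test", t0 + timedelta(hours=3),
                    "http://sts.unknown.example.test/adfs/services/trust",
                    "_x3", t0 + timedelta(hours=3), t0 + timedelta(hours=4)),
    ]
    # The federation server only ever issued Alice's assertion (case differs, as logs often do).
    issuances = [IdpIssuance("Alice@corp.example.test", t0, "_a1")]
    return signins, issuances


def run_audit():
    signins, issuances = sample_logs()
    return audit_federated_signins(signins, issuances)


if __name__ == "__main__":
    for assertion_id, reasons in run_audit().items():
        print(assertion_id, "->", "; ".join(reasons))
```

The correlation step is the one that matters: the issuer and lifetime checks can be satisfied by a careful forger, but an assertion that the federation server never logged issuing is exactly what a stolen signing key produces. The same audit also catches the abandoned, MFA-less application accounts Jakkal mentions, since those show up as sign-ins with no interactive issuance behind them.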
“Microsoft admitted the SolarWinds hackers were able to download some source code for its Azure, Exchange and Intune cloud-based products. The downloaded Azure source code was for subsets of its service, security and identity components, according to Microsoft.”
It’s more than a little ominous. In February, weeks before the Microsoft Exchange mega-hack was disclosed, the company gave us an update on its SolarWinds investigation: source code was stolen. Source code involving the cloud-based versions of Azure, Intune, and Exchange. Sure, it sounds like it was only the self-hosted Exchange servers that got hit in the mega-hack, not the cloud-based Exchange systems. But when Microsoft admits the SolarWinds hackers obtained source code for Exchange’s cloud-based service, and then a couple of weeks later we’re told the largest hack on record took place when virtually all of Exchange’s self-hosted servers got hacked in a zero-day exploit, it’s kind of hard to avoid suspicions that the two events are related. And yet Microsoft assures us SolarWinds was the work of ‘Cozy Bear’ and the Exchange hack was from previously unknown Chinese state hackers. It’s all quite convenient for Microsoft. The kind of explanation that avoids a lot of messy questions:
...
The search terms used by the SolarWinds hackers indicates they were attempting to find secrets such as API keys, credentials, and security tokens that may have been embedded in the source code, according to Microsoft. But the company said it has a development policy that prohibits storing secrets in source code and runs automated tools to verify compliance. Microsoft said it subsequently confirmed that both current and historical branches of its source code repositories don’t contain any live production credentials. For nearly all the Microsoft code repositories accessed by the SolarWinds hackers, only a few individual files were viewed as a result of a repository search, according to the company.
...
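The Microsoft statement re-quoted above says the company prohibits secrets in source code and runs automated tools to verify compliance. The following is an added example of what such a check looks like in its simplest form; it is not Microsoft’s tooling and is not described anywhere on this page. It combines a few fixed patterns (an AWS access key identifier, a PEM private-key header, and a literal assigned to a telling variable name such as password) with a Shannon-entropy test for long random-looking strings, and runs over a constructed in-memory “repository”. The AWS key value is Amazon’s own documentation example, the other values are made up, and the thresholds are assumptions to tune per code base.

```python
import math
import re
from dataclasses import dataclass

# Fixed patterns for well-known secret shapes: the published format of AWS access
# key identifiers, a PEM private-key header, and a quoted literal bound to a
# variable whose name says it is a credential.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("assigned-secret",
     re.compile(r"(?i)(?:api[_-]?key|secret|token|passw(?:or)?d)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]
# Lines no fixed rule matched are checked for long runs of base64-ish characters
# whose entropy is too high to be an ordinary identifier or word.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed, tune per repository


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> list:
    """Scan one file's contents; a line matched by a fixed rule is not re-checked for entropy."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched = False
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(path, lineno, name))
                matched = True
        if matched:
            continue
        if any(shannon_entropy(tok) >= ENTROPY_THRESHOLD for tok in CANDIDATE.findall(line)):
            findings.append(Finding(path, lineno, "high-entropy-string"))
    return findings


def scan_files(files: dict) -> list:
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository held in memory; none of these values is real.
SAMPLE_FILES = {
    "config.py": "\n".join([
        'DEBUG = True',
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',          # Amazon's documentation example id
        'db_password = "correct-horse-battery"',
        'HMAC_MATERIAL = "abcdefghijklmnopqrstuvwxyz012345"',  # 32 distinct chars: 5 bits/char
        'PLACEHOLDER = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"',    # long but zero entropy: not flagged
    ]),
    "deploy_key.pem": "\n".join([
        "-----BEGIN RSA PRIVATE KEY-----",
        "(constructed placeholder, not real key material)",
        "-----END RSA PRIVATE KEY-----",
    ]),
}


def run_scan() -> list:
    return scan_files(SAMPLE_FILES)


if __name__ == "__main__":
    hits = run_scan()
    for f in hits:
        print(f"{f.path}:{f.line}: {f.rule}")
    raise SystemExit(1 if hits else 0)  # a non-zero exit is what blocks a commit in a pre-commit hook
```

Run as a pre-commit hook or a CI step, the non-zero exit is the “automated tool to verify compliance”; the entropy rule is what catches credentials that no fixed pattern anticipates, at the cost of false positives on hashes and encoded blobs, which is why an allowlist per repository is the usual next step.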
But, again, keep in mind another major reason Microsoft might want to assure the world that it’s Russian and Chinese state actors who carried out these mega-hacks: state actors are far more likely to hack for espionage purposes. And when you hack for espionage purposes you probably won’t sell the information you hacked. Criminal actors, on the other hand, have very different motivations. So for the general public, learning that Russia or China hacked into your organization is far less alarming than learning some criminal elite hacker group did it. Although, as we’ll see, the hackers we’re told are Chinese state hackers actually run their own personal for-profit ransom schemes.
A New(?) Mega-Hack is Upon Us: The Microsoft Exchange Mega-Hack. Which, Microsoft Promises, is Definitely Totally Unrelated to the SolarWinds Mega-Hack
Do you or your organization own a self-hosted Microsoft Exchange email server that was connected to the internet between January and March of this year? Congrats! It was hacked. Basically all of them got hacked. A global ransacking that was arguably larger than the SolarWinds hack. And much like the SolarWinds hack, these hackers had the potential to seed victim networks with backdoors or worse. So it’s another mega-hack that sets the hackers up for even bigger mega-hacks in the future. Another Microsoft mega-hack:
Krebs on Security
At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software
March 5, 2021
At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.
On March 2, Microsoft released emergency security updates to plug four security holes in Exchange Server versions 2013 through 2019 that hackers were actively using to siphon email communications from Internet-facing systems running Exchange.
Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed “Hafnium,” and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
In the three days since then, security experts say the same Chinese cyber espionage group has dramatically stepped up attacks on any vulnerable, unpatched Exchange servers worldwide.
In each incident, the intruders have left behind a “web shell,” an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim’s computer servers.
Speaking on condition of anonymity, two cybersecurity experts who’ve briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide — with each victim system representing approximately one organization that uses Exchange to process email.
Microsoft’s initial advisory about the Exchange flaws credited Reston, Va.-based Volexity for reporting the vulnerabilities. Volexity President Steven Adair said the company first saw attackers quietly exploiting the Exchange bugs on Jan. 6, 2021, a day when most of the world was glued to television coverage of the riot at the U.S. Capitol.
But Adair said that over the past few days the hacking group has shifted into high gear, moving quickly to scan the Internet for Exchange servers that weren’t yet protected by the security updates Microsoft released Tuesday.
“We’ve worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today,” Adair said. “Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”
Reached for comment, Microsoft said it is working closely with the U.S. Cybersecurity & Infrastructure Security Agency (CISA), other government agencies, and security companies, to ensure it is providing the best possible guidance and mitigation for its customers.
“The best protection is to apply updates as soon as possible across all impacted systems,” a Microsoft spokesperson said in a written statement. “We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources.”
Meanwhile, CISA has issued an emergency directive ordering all federal civilian departments and agencies running vulnerable Microsoft Exchange servers to either update the software or disconnect the products from their networks.
Adair said he’s fielded dozens of calls today from state and local government agencies that have identified the backdoors in their Exchange servers and are pleading for help. The trouble is, patching the flaws only blocks the four different ways the hackers are using to get in. But it does nothing to undo the damage that may already have been done.
White House press secretary Jen Psaki told reporters today the vulnerabilities found in Microsoft’s widely used Exchange servers were “significant,” and “could have far-reaching impacts.”
“We’re concerned that there are a large number of victims,” Psaki said.
By all accounts, rooting out these intruders is going to require an unprecedented and urgent nationwide clean-up effort. Adair and others say they’re worried that the longer it takes for victims to remove the backdoors, the more likely it is that the intruders will follow up by installing additional backdoors, and perhaps broadening the attack to include other portions of the victim’s network infrastructure.
Security researchers have published several tools for detecting vulnerable servers. One of those tools, a script from Microsoft’s Kevin Beaumont, is available from Github.
KrebsOnSecurity has seen portions of a victim list compiled by running such a tool, and it is not a pretty picture. The backdoor web shell is verifiably present on the networks of thousands of U.S. organizations, including banks, credit unions, non-profits, telecommunications providers, public utilities and police, fire and rescue units.
“It’s police departments, hospitals, tons of city and state governments and credit unions,” said one source who’s working closely with federal officials on the matter. “Just about everyone who’s running self-hosted Outlook Web Access and wasn’t patched as of a few days ago got hit with a zero-day attack.”
Another government cybersecurity expert who participated in a recent call with multiple stakeholders impacted by this hacking spree worries the cleanup effort required is going to be Herculean.
“On the call, many questions were from school districts or local governments that all need help,” the source said, speaking on condition they were not identified by name. “If these numbers are in the tens of thousands, how does incident response get done? There are just not enough incident response teams out there to do that quickly.”
When it released patches for the four Exchange Server flaws on Tuesday, Microsoft emphasized that the vulnerability did not affect customers running its Exchange Online service (Microsoft’s cloud-hosted email for businesses). But sources say the vast majority of the organizations victimized so far are running some form of Internet-facing Microsoft Outlook Web Access (OWA) email systems in tandem with Exchange servers internally.
“It’s a question worth asking, what’s Microsoft’s recommendation going to be?,” the government cybersecurity expert said. “They’ll say ‘Patch, but it’s better to go to the cloud.’ But how are they securing their non-cloud products? Letting them wither on the vine.”
The government cybersecurity expert said this most recent round of attacks is uncharacteristic of the kinds of nation-state level hacking typically attributed to China, which tends to be fairly focused on compromising specific strategic targets.
“It’s reckless,” the source said. “It seems out of character for Chinese state actors to be this indiscriminate.”
Microsoft has said the incursions by Hafnium on vulnerable Exchange servers are in no way connected to the separate SolarWinds-related attacks, in which a suspected Russian intelligence group installed backdoors in network management software used by more than 18,000 organizations.
“We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services,” the company said.
Nevertheless, the events of the past few days may well end up far eclipsing the damage done by the SolarWinds intruders.
...
————-
“Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed “Hafnium,” and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.”
Somehow Microsoft determined this hack was carried out by a previously unidentified Chinese hacking crew. Again, we have no idea how they know this group was Chinese or how they know it’s not the same group behind the SolarWinds hack or all sorts of other hacks. We just know Microsoft was very confidently declaring this mega-hack with extreme parallels to SolarWinds wasn’t carried out by the same crew. Instead, we’re confidently assured it’s a Chinese nation-state-backed hacking group that has uncharacteristically decided to carry out what may be the largest hack ever, even larger than SolarWinds. We just have to trust Microsoft:
...
Speaking on condition of anonymity, two cybersecurity experts who’ve briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide — with each victim system representing approximately one organization that uses Exchange to process email....
The government cybersecurity expert said this most recent round of attacks is uncharacteristic of the kinds of nation-state level hacking typically attributed to China, which tends to be fairly focused on compromising specific strategic targets.
“It’s reckless,” the source said. “It seems out of character for Chinese state actors to be this indiscriminate.”
...
It’s also worth noting that Microsoft didn’t catch this vulnerability. It was Volexity, which detected the first major attack coinciding with the January 6 far right insurrection. We are told that the Chinese hackers quietly first started the hack during the insurrection but transitioned towards an open smash-and-grab a few days later. So that’s some pretty interesting timing, but Volexity had an update. They found signs of cyberoperations with this zero-day exploit on January 3, 2021. So the timing with the Capitol insurrection isn’t quite as interesting as early reporting indicates.
Also recall how Volexity was the first company to identify the SolarWinds malware on their clients’ networks back in July of 2020. Their warnings were ignored but they were the first to find it, at least on record. Volexity is apparently the one company capable of finding these current mega backdoor hacks:
...
Microsoft’s initial advisory about the Exchange flaws credited Reston, Va.-based Volexity for reporting the vulnerabilities. Volexity President Steven Adair said the company first saw attackers quietly exploiting the Exchange bugs on Jan. 6, 2021, a day when most of the world was glued to television coverage of the riot at the U.S. Capitol.
But Adair said that over the past few days the hacking group has shifted into high gear, moving quickly to scan the Internet for Exchange servers that weren’t yet protected by the security updates Microsoft released Tuesday.
....
And in case the scale of the hack wasn’t clear, note how it appears to be virtually every single self-hosted Outlook Web Access (OWA) server on the planet connected to the internet. Every single one. It’s a global digital nightmare scenario:
...
“We’ve worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today,” Adair said. “Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”
...
Adair said he’s fielded dozens of calls today from state and local government agencies that have identified the backdoors in their Exchange servers and are pleading for help. The trouble is, patching the flaws only blocks the four different ways the hackers are using to get in. But it does nothing to undo the damage that may already have been done.
...
By all accounts, rooting out these intruders is going to require an unprecedented and urgent nationwide clean-up effort. Adair and others say they’re worried that the longer it takes for victims to remove the backdoors, the more likely it is that the intruders will follow up by installing additional backdoors, and perhaps broadening the attack to include other portions of the victim’s network infrastructure.
...
“It’s police departments, hospitals, tons of city and state governments and credit unions,” said one source who’s working closely with federal officials on the matter. “Just about everyone who’s running self-hosted Outlook Web Access and wasn’t patched as of a few days ago got hit with a zero-day attack.”
...
And finally, it’s hard to avoid marveling at the rather stunning assurances given by Microsoft at this point regarding the SolarWinds hack and the role Microsoft vulnerabilities played in that event: Microsoft tells us, “We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services.” This was what Microsoft was telling the public in March of 2021. As we saw in the previous article excerpt, which was published about 6 weeks later, the exploitation of Microsoft products was the defining feature of the second phase of the SolarWinds attack. First the SolarWinds Orion software deployed backdoors on all of the SolarWinds customer networks. Then the hackers used those backdoors to roam the network, looking for valuable information to steal. And that meant exploiting Microsoft vulnerabilities, which they apparently did with abandon. To claim there was no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services is just a lie. A lie that conveniently helped Microsoft avoid the uncomfortable questions about whether or not this Microsoft Exchange mega-backdoor hack and the SolarWinds mega-backdoor hack were part of some sort of joint mega-backdoor hack run by the same group of people:
...
Microsoft has said the incursions by Hafnium on vulnerable Exchange servers are in no way connected to the separate SolarWinds-related attacks, in which a suspected Russian intelligence group installed backdoors in network management software used by more than 18,000 organizations.
“We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services,” the company said.
Nevertheless, the events of the past few days may well end up far eclipsing the damage done by the SolarWinds intruders.
...
And while Microsoft was aggressively distancing itself and this hack from the SolarWinds hack early on, within a week it was starting to look like SolarWinds was the company that should be doing the distancing. Because this hack was looking like much more than SolarWinds. Like an automatable SolarWinds that was plundered to the full extent available by a variety of criminal actors. It was ‘Hafnium’ who quietly and exclusively used this zero-day exploit starting from January 3 until Microsoft announced the patch on March 2, at which point a criminal free-for-all that involved at least a half dozen other hacking groups ensued to ransack any unpatched servers.
But perhaps the most scandalous aspect of all this is that the zero-day vulnerability that enabled all this has apparently been sitting in Microsoft’s code for at least a decade. How much do you want to bet Jan 3 wasn’t the first time this vulnerability was exploited?:
Data Center Knowledge
Microsoft Exchange Hack Could Be Worse Than SolarWinds
The massive hack’s scope keeps growing. Unlike the SolarWinds exploit, this one can be automated.
Maria Korolov | Mar 10, 2021
The scope of damage from the newly public Microsoft Exchange vulnerability keeps growing, with some experts saying that it is “worse than SolarWinds.”
As of last count, more than 60,000 organizations have fallen victim to the attack.
“The scale of the attack is the biggest threat at this time,” said Mark Goodwin, managing senior analyst at security consulting firm Bishop Fox.
Government institutions have been attacked, large corporations, and small local businesses, he told DCK. According to the internet scanning tool Shodan, more than 250,000 servers are vulnerable, he added.
Unlike the SolarWinds breach, the Microsoft Exchange vulnerability can be exploited in an automated way. If a data center has an Exchange server accessible via the public internet, assume it’s been compromised, he said.
The problem is so severe that Microsoft has released patches even for older servers that are no longer supported, Goodwin said.
And, unlike the SolarWinds breach, which was primarily exploited by a single state-sponsored group, reportedly from Russia, the Microsoft Exchange vulnerability is open to everybody. Originally associated with a Chinese state-sponsored group, Hafnium, at last count half a dozen different groups are actively attacking organizations with vulnerable servers.
The Microsoft Exchange vulnerability gives hackers full access to Microsoft Exchange servers which in turn can be leveraged to compromise Active Directory servers.
“Once you compromise Active Directory, you can go after anything you want,” said Srikant Vissamsetti, senior VP of engineering at Attivo Networks, a cybersecurity vendor. “You get the keys to the kingdom.”
The big problem is that Microsoft Exchange is designed to be accessed by external users, which means servers can be accessible via the internet – and attackers can find them when they scan for vulnerabilities.
“There are ways to scan everything connected to the internet to find vulnerable systems,” said Jethro Beekman, technical director at cybersecurity firm Fortanix. “This has an enormous threat of misuse.”
As a result, the Department of Homeland Security last week issued an emergency directive for federal agencies, warning that the Microsoft Exchange vulnerability is being actively exploited and ordering them to take defensive action.
“This is a crazy huge hack,” said Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, in a Tweet on Friday. “The numbers I’ve heard dwarf what’s reported.”
This is a crazy huge hack. The numbers I’ve heard dwarf what’s reported here & by my brother from another mother (@briankrebs). Why, though? Is this a flex in the early days of the Biden admin to test their resolve? Is it an out of control cybercrime gang? Contractors gone wild? pic.twitter.com/cA4lkS4stg
— Chris Krebs (@C_C_Krebs) March 6, 2021
Also on Friday, security firm Huntress released a report of its analysis of 3,000 servers, most of which had antivirus or endpoint security solutions installed. Of those, 800 were still not patched, and there were more than 350 malicious webshells already installed by attackers.
“This has seemingly slipped past a majority of preventative security products,” said Huntress senior security researcher John Hammond in a report.
The number of affected enterprises is so much higher with this attack than with SolarWinds because this attack can be highly automated, Attivo’s Vissamsetti told DCK.
“With something like this, attackers can mobilize within a day,” he said. “They can script the whole thing in just a few hours.”
Cleanup Will Be Messy
Patching the Microsoft Exchange server is not enough if an organization has been compromised.
Enterprises can look for indicators of compromise in log files, but smart attackers may erase those traces as well.
Then, attackers may have installed back doors or created accounts for themselves with high levels of access, or even conducted a “golden ticket” attack on Active Directory.
“Once you have a golden ticket attack, you pretty much have to start over,” said Vissamsetti. “Changing passwords is not sufficient. They’ve got a super admin.”
And the possibilities for damage are nearly endless, he added.
“It will be messy to clean up,” said Oliver Tavakoli, CTO at Vectra Networks. “It will effectively require backing up data, re-imaging the Exchange server, scrubbing the backup of any accounts which should not be present, resetting all passwords and secrets, and restoring the remaining backup data.”
This is while security teams are already stretched thin by the SolarWinds attack, he added.
“This hack will compete for the same investigative and remediation resources,” he told DCK. “So, having two such broad attacks occur near the same time places exorbitant strain on the resources.”
And even if the Exchange servers are patched, back doors shut down, and attackers fully cleaned out, that’s not the end of it, said Adrien Gendre, chief product and services officer at Vade Secure.
“Based on our knowledge of prior incidents,” he said, “expect to see a rise in spear phishing attacks in the coming weeks.”
The attackers will be able to use the information they’ve collected while in the system, such as emails and other documents, to craft extremely targeted and credible scam emails, he said.
Time to Ditch Microsoft Exchange
Experts recommend that companies replace on-prem deployments of Microsoft Exchange with cloud-based alternatives like Office 365, which are not vulnerable to the attack.
And if there is an attack, the SaaS vendor simply installs the patch themselves. There’s no need for every single customer to install their own patches, dramatically simplifying security.
If that’s not an option, the Exchange servers can be put behind VPNs, Fortanix’s Beekman told DCK.
“And there are web application firewalls that you can insert between the server and the internet,” he added.
Data center providers that offer managed servers to clients are particularly vulnerable, because if they themselves use a vulnerable Microsoft Exchange server and their environment is compromised, client infrastructure could potentially be at risk, he added.
This is where security approaches like zero trust and micro segmentation can be used to restrict lateral movement, he said.
...
The Timeline of the Microsoft Exchange Hack
Security experts began noticing signs of compromise in early January, with the first attacks on January 3, according to security firm Volexity.
At first, these attacks, which exploited a zero-day vulnerability, were limited to Hafnium.
Then, after Microsoft finally released patches on March 2, other criminal groups started using it in a race to attack as many servers as possible before they were patched.
But the vulnerability has been present in the Microsoft Exchange codebase for a decade, said Ed Hunter, CISO at Infoblox, a cybersecurity company.
“One has to wonder how long this vulnerability has been a closely held – and used – tool in this threat actor’s toolbox,” he told DCK.
...
———–
“Unlike the SolarWinds breach, the Microsoft Exchange vulnerability can be exploited in an automated way. If a data center has an Exchange server accessible via the public internet, assume it’s been compromised, he said.”
Not only is this hack the kind of hack that any common hacker criminal is capable of executing once they know the exploit, but it’s the kind of hack that a single hacker could theoretically turn into a mega-hack with a simple script because this is an automatable hack. That’s why you should assume you got hit if you were exposed. Everyone exposed got hit because it was easy for anyone to hit everyone.
But everyone wasn’t hit at first. It was “Hafnium” who quietly started hacking targets, with Volexity first detecting the usage of the zero-day exploit on January 3 (not Jan 6 as earlier indicated). It was after Microsoft released the patches on March 2 that other criminal groups went on a global spree, hitting every remaining unpatched Exchange server on the planet connected to the internet. As we’re going to see, when the US and its Western allies all issue coordinated formal statements in mid-July, formally accusing China of executing the hack, we are told by unnamed sources familiar with the investigation that it is suspected that Hafnium knew Microsoft was going to close the zero-day vulnerabilities (which were no longer zero-days at that point) and at that point handed the exploits over to criminals. But we have no idea why that particular scenario was suspected, as opposed to Hafnium being a criminal actor who sold their exploit to other actors once the patch was released. Or another actor pretending to be a Chinese state actor, although it’s unclear what if any ‘Chinese’ indicators are being left by “Hafnium”. Microsoft told us it was a never-before-seen Chinese state-backed group called Hafnium and that declaration alone is treated as adequate evidence. As with the SolarWinds hack, it’s faith-based public attribution, which is a big part of the reason the reading-the-tea-leaves behind-the-scenes methods of attribution are so problematic. That’s what we’re supposed to have faith in. Tea-leaf-reading with huge conflicts of interest:
...
And, unlike the SolarWinds breach, which was primarily exploited by a single state-sponsored group, reportedly from Russia, the Microsoft Exchange vulnerability is open to everybody. Originally associated with a Chinese state-sponsored group, Hafnium, at last count half a dozen different groups are actively attacking organizations with vulnerable servers....
Security experts began noticing signs of compromise in early January, with the first attacks on January 3, according to security firm Volexity.
At first, these attacks, which exploited a zero-day vulnerability, were limited to Hafnium.
Then, after Microsoft finally released patches on March 2, other criminal groups started using it in a race to attack as many servers as possible before they were patched.
...
Also observe how Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, was trying to make sense of the incredibly aggressive nature of this hack by questioning on Twitter if this was the work of an out of control cybercrime gang or contractors gone wild. Krebs is generally considered a pretty credible word on these matters. So he was not ready to jump on board the China-did-it bandwagon at this point when we were being assured by Microsoft and others that yes, China did it. Just take their word for it. Krebs wasn’t taking their word:
...
“This is a crazy huge hack,” said Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, in a Tweet on Friday. “The numbers I’ve heard dwarf what’s reported.”
This is a crazy huge hack. The numbers I’ve heard dwarf what’s reported here & by my brother from another mother (@briankrebs). Why, though? Is this a flex in the early days of the Biden admin to test their resolve? Is it an out of control cybercrime gang? Contractors gone wild? pic.twitter.com/cA4lkS4stg
— Chris Krebs (@C_C_Krebs) March 6, 2021
...
But it isn’t just the automatable nature of this hacking technique that makes it so scary. It’s also the fact that the hackers could leverage their complete control over the Exchange server to compromise the Active Directory servers, which potentially gives them the opportunity to conduct a “golden ticket” attack on the Active Directory, and with that the hackers can give themselves super-user privileges. That’s the highest level. This is a potentially devastating hack. Complete control is an apt description of what it can confer. Thanks in part to a lot of Microsoft exploits:
...
The Microsoft Exchange vulnerability gives hackers full access to Microsoft Exchange servers which in turn can be leveraged to compromise Active Directory servers.
“Once you compromise Active Directory, you can go after anything you want,” said Srikant Vissamsetti, senior VP of engineering at Attivo Networks, a cybersecurity vendor. “You get the keys to the kingdom.”
...
Patching the Microsoft Exchange server is not enough if an organization has been compromised.
Enterprises can look for indicators of compromise in log files, but smart attackers may erase those traces as well.
Then, attackers may have installed back doors or created accounts for themselves with high levels of access, or even conducted a “golden ticket” attack on Active Directory.
“Once you have a golden ticket attack, you pretty much have to start over,” said Vissamsetti. “Changing passwords is not sufficient. They’ve got a super admin.”
And the possibilities for damage are nearly endless, he added.
...
It’s also worth noting another potentially devastating aspect of this nightmare and the fact that super-user admin privileges can be obtained by the hackers: data centers running Microsoft Exchange servers may have those super-user admin privileges stolen too. And that potentially threatens all the data in that data center:
...
Data center providers that offer managed servers to clients are particularly vulnerable, because if they themselves use a vulnerable Microsoft Exchange server and their environment is compromised, client infrastructure could potentially be at risk, he added.
This is where security approaches like zero trust and micro segmentation can be used to restrict lateral movement, he said.
...
Finally, and significantly, note how long this vulnerability has existed in Microsoft’s code: a decade! As one security expert astutely asks, “One has to wonder how long this vulnerability has been a closely held – and used – tool in this threat actor’s toolbox”:
...
But the vulnerability has been present in the Microsoft Exchange codebase for a decade, said Ed Hunter, CISO at Infoblox, a cybersecurity company.
“One has to wonder how long this vulnerability has been a closely held – and used – tool in this threat actor’s toolbox,” he told DCK.
...
For the last 10 years, anyone with access to that code could have potentially spotted this vulnerability. Keep this in mind when Microsoft assures us that the theft of its code by the SolarWinds hackers is of no consequence.
SolarWinds Sanctions Arrive. Along With a Lesson in How Attribution Works By CrowdStrike’s Adam Meyers: Surprise! It’s a Hunt for “Cultural Artifacts” ‘Accidentally’ Left Behind
In the span of just four months the world was introduced to the two largest hacks on record. Quite a few lessons were hopefully learned. And if we listen to Adam Meyers, the vice president for threat intelligence at the cybersecurity firm CrowdStrike who led the SolarWinds investigation, it was a master class in hacking. That’s what Meyers expressed in a highly revealing NPR interview in April. A master class in how to obscure one’s tracks.
As we’ll see, Meyers gives us further confirmation of something that has long been clear but is rarely said out loud so clearly: contemporary cyberattribution really does rely heavily on ‘clues’ like Cyrillic characters or Mandarin in the code, and such ‘clues’ are frequently found. At least that’s how Adam Meyers, the vice president for threat intelligence at CrowdStrike, described his approach to determining the identity of the SolarWinds hackers. Meyers expresses dismay at how thorough the hackers were. Thorough in the sense that there was no ‘cultural artifact’ like Cyrillic or Mandarin. Meyers describes the lack of anything that a human might have inadvertently left behind as a clue as “mind-blowing”. He described the tiny piece of malware used in the initial SolarWinds hack — distributed to all 18,000 clients via the Orion software — and its lack of clues as “the craziest f***ing thing I’d ever seen.” Take a moment to process that.
So this April update on the SolarWinds investigation includes an update on the general state of affairs in cyberattribution. A state of affairs where malware that’s cleaned and lacks a ‘cultural artifact’ is “the craziest f***ing thing I’d ever seen.” And yet, as we saw, there was virtually no hesitancy in attributing the hack to ‘Cozy Bear’/APT29/‘Nobelium’. This is a good time to recall that the story of the Shadow Brokers and the CIA’s hacking toolkit that included features like leaving Cyrillic or Mandarin characters to leave a false lead was confirmed just four years ago.
Oh, and the US government was ready to announce sanctions against Russia for the hack. So at the same time sanctions were announced, we got an interview that further confirmed the cyberattribution industry is predicated on lunatic assumptions. It really does seem to be the case that everyone really is playing dumb here. Double yikes:
National Public Radio
A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack
Dina Temple-Raston
April 16, 2021 10:05 AM ET
“This release includes bug fixes, increased stability and performance improvements.”
The routine software update may be one of the most familiar and least understood parts of our digital lives. A pop-up window announces its arrival and all that is required of us is to plug everything in before bed. The next morning, rather like the shoemaker and the elves, our software is magically transformed.
Last spring, a Texas-based company called SolarWinds made one such software update available to its customers. It was supposed to provide the regular fare — bug fixes, performance enhancements — to the company’s popular network management system, a software program called Orion that keeps a watchful eye on all the various components in a company’s network. Customers simply had to log into the company’s software development website, type a password and then wait for the update to land seamlessly onto their servers.
The routine update, it turns out, is no longer so routine.
Hackers believed to be directed by the Russian intelligence service, the SVR, used that routine software update to slip malicious code into Orion’s software and then used it as a vehicle for a massive cyberattack against America.
“Eighteen thousand [customers] was our best estimate of who may have downloaded the code between March and June of 2020,” Sudhakar Ramakrishna, SolarWinds president and CEO, told NPR. “If you then take 18,000 and start sifting through it, the actual number of impacted customers is far less. We don’t know the exact numbers. We are still conducting the investigation.”
On Thursday, the Biden administration announced a roster of tough sanctions against Russia as part of what it characterized as the “seen and unseen” response to the SolarWinds breach.
NPR’s months-long examination of that landmark attack — based on interviews with dozens of players from company officials to victims to cyber forensics experts who investigated, and intelligence officials who are in the process of calibrating the Biden administration’s response — reveals a hack unlike any other, launched by a sophisticated adversary who took aim at a soft underbelly of digital life: the routine software update.
By design, the hack appeared to work only under very specific circumstances. Its victims had to download the tainted update and then actually deploy it. That was the first condition. The second was that their compromised networks needed to be connected to the Internet, so the hackers could communicate with their servers.
For that reason, Ramakrishna figures the Russians successfully compromised about 100 companies and about a dozen government agencies. The companies included Microsoft, Intel and Cisco; the list of federal agencies so far includes the Treasury, Justice and Energy departments and the Pentagon.
The hackers also found their way, rather embarrassingly, into the Cybersecurity and Infrastructure Security Agency, or CISA — the office at the Department of Homeland Security whose job it is to protect federal computer networks from cyberattacks.
The concern is that the same access that gives the Russians the ability to steal data could also allow them to alter or destroy it. “The speed with which an actor can move from espionage to degrading or disrupting a network is at the blink of an eye,” one senior administration official said during a background briefing from the White House on Thursday. “And a defender cannot move at that speed. And given the history of Russia’s malicious activity in cyberspace and their reckless behavior in cyberspace, that was a key concern.”
“The tradecraft was phenomenal”
Network monitoring software is a key part of the backroom operations we never see. Programs like Orion allow information technology departments to look on one screen and check their whole network: servers or firewalls, or that printer on the fifth floor that keeps going offline. By its very nature, it touches everything — which is why hacking it was genius.
“It’s really your worst nightmare,” Tim Brown, vice president of security at SolarWinds, said recently. “You feel a kind of horror. This had the potential to affect thousands of customers; this had the potential to do a great deal of harm.”
When cybersecurity experts talk about harm, they’re thinking about something like what happened in 2017, when the Russian military launched a ransomware attack known as NotPetya. It, too, began with tainted software, but in that case the hackers were bent on destruction. They planted ransomware that paralyzed multinational companies and permanently locked people around the world out of tens of thousands of computers. Even this much later, it is considered the most destructive and costly cyberattack in history.
Intelligence officials worry that SolarWinds might presage something on that scale. Certainly, the hackers had time to do damage. They roamed around American computer networks for nine months, and it is unclear whether they were just reading emails and doing the things spies typically do, or whether they were planting something more destructive for use in the future.
“When there’s cyber-espionage conducted by nations, FireEye is on the target list,” Kevin Mandia, CEO of the cybersecurity firm FireEye, told NPR, but he believes there are other less obvious targets that now might need more protecting. “I think utilities might be on that list. I think health care might be on that list. And you don’t necessarily want to be on the list of fair game for the most capable offense to target you.”
The SolarWinds attackers ran a master class in novel hacking techniques. They modified sealed software code, created a system that used domain names to select targets and mimicked the Orion software communication protocols so they could hide in plain sight. And then, they did what any good operative would do: They cleaned the crime scene so thoroughly investigators can’t prove definitively who was behind it. The White House has said unequivocally that Russian intelligence was behind the hack. Russia, for its part, has denied any involvement.
“The tradecraft was phenomenal,” said Adam Meyers, who led the cyber forensics team that pawed through that tainted update on behalf of SolarWinds, providing details for the first time about what they found. The code was elegant and innovative, he said, and then added, “This was the craziest f***ing thing I’d ever seen.”
Like razor blades in peanut butter cups
Meyers is the vice president for threat intelligence at the cybersecurity firm CrowdStrike, and he’s seen epic attacks up close. He worked on the 2014 Sony hack, when North Korea cracked into the company’s servers and released emails and first-run movies. A year later, he was on the front lines when a suspected Kremlin-backed hacking team known as “Cozy Bear” stole, among other things, a trove of emails from the Democratic National Committee. WikiLeaks then released them in the runup to the 2016 election.
“We’re involved in all kinds of incidents around the globe every day,” Meyers said. Typically he directs teams, he doesn’t run them. But SolarWinds was different: “When I started getting briefed up, I realized [this] was actually quite a big deal.”
The attack began with a tiny strip of code. Meyers traced it back to Sept. 12, 2019. “This little snippet of code doesn’t do anything,” Meyers said. “It’s literally just checking to see which processor is running on the computer, if it is a 32- or 64-bit processor and if it is one or the other, it returns either a zero or a one.”
The code fragment, it turns out, was a proof of concept — a little trial balloon to see if it was possible to modify SolarWinds’ signed-and-sealed software code, get it published and then later see it in a downloaded version. And they realized they could. “So at this point, they know that they can pull off a supply chain attack,” Meyers said. “They know that they have that capability.”
After that initial success, the hackers disappeared for five months. When they returned in February 2020, Meyers said, they came armed with an amazing new implant that delivered a backdoor that went into the software itself before it was published.
To understand why that was remarkable, you need to know that finished software code has a kind of digital factory seal. If you break that seal, someone can see it and know that the code might have been tampered with. Meyers said the hackers essentially found a way to get under that factory seal.
They began by implanting code that told them any time someone on the SolarWinds development team was getting ready to build new software. They understood that the process of creating software or an update typically begins with something routine such as checking a code out of a digital repository, sort of like checking a book out of the library.
Under normal circumstances, developers take the code out of the repository, make changes and then check it back in. Once they finish tinkering, they initiate something called the build process, which essentially translates the code a human can read to the code a computer does. At that point, the code is clean and tested. What the hackers did after that was the trick.
They would create a temporary update file with the malicious code inside while the SolarWinds code was compiling. The hackers’ malicious code told the machine to swap in their temporary file instead of the SolarWinds version. “I think a lot of people probably assume that it is the source code that’s been modified,” Meyers said, but instead the hackers used a kind of bait-and-switch.
But this, Meyers said, was interesting, too. The hackers understood that companies such as SolarWinds typically audit code before they start building an update, just to make sure everything is as it should be. So they made sure that the switch to the temporary file happened at the last possible second, when the updates went from source code (readable by people) to executable code (which the computer reads) to the software that goes out to customers.
The technique reminded Meyers of old fears around trick-or-treating. For decades, there had been an urban myth that kids couldn’t eat any Halloween candy before checking the wrapper seal because bad people might have put razor blades inside. What the hackers did with the code, Meyers said, was a little like that.
“Imagine those Reese’s Peanut Butter Cups going into the package and just before the machine comes down and seals the package, some other thing comes in and slides a razor blade into your Reese’s Peanut Butter Cup,” he said. Instead of a razor blade, the hackers swapped the files so “the package gets sealed and it goes out the door to the store.”
The update that went out to SolarWinds’ customers was the dangerous peanut butter cup — the malicious version of the software included code that would give the hackers unfettered, undetected access to any Orion user who downloaded and deployed the update and was connected to the Internet.
But there was something else about that code that bothered Meyers: It wasn’t just for SolarWinds. “When we looked at [it], it could have been reconfigured for any number of software products,” Meyers said. In other words, any number of other software developers using the same compiler may also be on the receiving end of a cyberattack, he said, and they just don’t know it yet.
Picking and choosing targets
Meyers said it’s hard not to admire just how much thought the hackers put into this operation. Consider the way they identified targets. The downside of breaking into so many customer networks all at once is that it is hard to decide what to exploit first. So the hackers created a passive domain name server system that sent little messages with not just an IP address, which is just a series of numbers, but also with a thumbnail profile of a potential target.
“So they could then say, ‘OK, we’re going to go after this dot gov target or whatever,’ ” Meyers said. “I think later it became clear that there were a lot of government technology companies being targeted.”
The hackers also reverse-engineered the way Orion communicated with servers and built their own coding instructions mimicking Orion’s syntax and formats. What that did is allow the hackers to look like they were “speaking” Orion, so their message traffic looked like a natural extension of the software.
“So once they determined that a target was of interest, they could say, ‘OK, let’s go active, let’s manipulate files, let’s change something,’ ” Meyers said, and then they would slip in unnoticed through the backdoor they had created. “And there is one other thing I should mention: This backdoor would wait up to two weeks before it actually went active on the host. This was a very patient adversary.”
None of the tripwires put in place by private companies or the government seems to have seen the attack coming. Christopher Krebs, who had been in charge of the office that protected government networks at DHS during the Trump administration, told NPR that DHS’ current system, something known (without irony) as Einstein, only catches known threats. The SolarWinds breach, he said, was just “too novel.”
“Upwards of 90[%] to 95% of threats are based on known techniques, known cyberactivity,” Krebs explained. “And that’s not just criminal actors, that’s state actors, too, including the Russian intelligence agencies and the Russian military. This was a previously unidentified technique.”
And there is something else that Einstein doesn’t do: It doesn’t scan software updates. So even if the hackers had used code that Einstein would have recognized as bad, the system might not have seen it because it was delivered in one of those routine software updates.
The National Security Agency and the military’s U.S. Cyber Command were also caught flat-footed. Broadly speaking, their cyber operators sit in foreign networks looking for signs of cyberattacks before they happen. They can see suspicious activity in much the same way a satellite might see troops amassing on the border. Critics said they should have seen the hackers from the Russian intelligence service, the SVR, preparing this attack.
“The SVR has a pretty good understanding that the NSA is looking out,” Krebs said. “What the SVR was able to do was make the transition from wherever they were operating from into the U.S. networks. They move like ghosts. They are very hard to track.”
The hackers didn’t do anything fancy to give them the domestic footprint, officials confirmed. In fact, they just rented servers from Amazon and GoDaddy.
Early warnings
There were some indications, elsewhere, though, that something was wrong.
In early July, Steven Adair, the founder of a Washington, D.C.-based cybersecurity company called Volexity, saw some suspicious activity on a client’s computers. “We traced it back, and we thought it might be related to a bad update with SolarWinds,” Adair told NPR. “We addressed the problem, made sure no one was in our customers’ systems, and we left it at that.”
Adair said he didn’t feel he had enough detail to report the problem to SolarWinds or the U.S. government. “We thought we didn’t have enough evidence to reach out,” he said.
That was the first missed sign.
The second came three months later when a California-based cybersecurity company called Palo Alto Networks discovered a malicious backdoor that seemed to emanate from the Orion software.
In that case, according to SolarWinds’ Ramakrishna, the security teams at SolarWinds and Palo Alto worked together for three months to try to pick up the thread of the problem and walk it back. “None of us could pinpoint a supply chain attack at that point,” Ramakrishna told NPR. “The ticket got closed as a result of that. If we had the benefit of hindsight, we could have traced it back” to the hack.
Palo Alto Networks had agreed to speak to NPR about the incident last month and then canceled the interview just an hour before it was supposed to take place. A spokesperson declined to say why and sent a few blog posts and wrote: “I’m afraid this is all we have to help at this time.”
“Just 3,500 lines long”
It was the cybersecurity firm FireEye that finally discovered the intrusion. Mandia, the company’s CEO, used to be in the U.S. Air Force Office of Special Investigations, so his specialty was criminal cases and counterintelligence. In the intervening years, the kinds of patterns he learned to recognize in special investigations kept appearing in his cyber security work.
The first indication that hackers had found their way into FireEye’s networks came in an innocuous way. Someone on the FireEye security team had noticed that an employee appeared to have two phones registered on his network, so she called him. “And that phone call is when we realized, hey, this isn’t our employee registering that second phone, it was somebody else,” Mandia said.
Mandia had a security briefing a short time later and everything he heard reminded him of his previous work in the military. “There was a lot of pattern recognition from me,” he told NPR. “I spent from 1996 to 1998 responding to what I would equate to the Russian Foreign Intelligence Service, and there were some indicators in the first briefing that were consistent with my experience in the Air Force.”
He called a board meeting the same day. “It just felt like the breach that I was always worried about.”
What his team discovered over the course of several weeks was that not only was there an intruder in its network, but someone had stolen the arsenal of hacking tools FireEye uses to test the security of its own clients’ networks. FireEye called the FBI, put together a detailed report, and once it had determined the Orion software was the source of the problem, it called SolarWinds.
Brown, vice president of security at SolarWinds, took the Saturday morning phone call. “He said, ‘Essentially, we’ve decompiled your code. We found malicious code,’ ” Brown said. FireEye was sure SolarWinds “had shipped tainted code.”
The tainted code had allowed hackers into FireEye’s network, and there were bound to be others who were compromised, too. “We were hearing that different reporters had the scoop already,” Mandia said. “My phone actually rang from a reporter and that person knew and I went, OK, we’re in a race.”
Mandia thought they had about a day before the story would break.
After that, events seemed to speed up. SolarWinds’ chief security officer, Brown, called Ron Plesco, a lawyer at the firm DLA Piper, and told him what had happened. One of the first things companies tend to do after cyberattacks is hire lawyers, and they put them in charge of the investigation. They do this for a specific reason — it means everything they find is protected by attorney-client privilege and typically is not discoverable in court.
Plesco, who has made cybercrimes a specialty of his practice, knew that once the story broke it would be saying “to the world that, ready, set, go, come after it,” Plesco said. “So that puts you on an accelerated timeline on two fronts: Figure out what happened if you can and get a fix out as soon as possible.”
The company worked with DHS to craft a statement that went out on Dec. 13.
To investigate a hack, you have to secure a digital crime scene. Just as detectives in the physical world have to bag the evidence and dust for prints for the investigation later, SolarWinds had to pull together computer logs, make copies of files, ensure there was a recorded chain of custody, all while trying to ensure the hackers weren’t inside its system watching everything they did.
“I’ve been in situations where, while you’re in there doing the investigation, they’re watching your email, they’re compromising your phone calls or your Zooms,” Plesco said. “So they’re literally listening in on how you’re going to try to get rid of them.”
By mid-January, Meyers and the CrowdStrike team had isolated what they thought was the attack’s tiny beating heart. It was an elegant, encrypted little blob of code “just 3,500 lines long,” he said. The best code is short and to the point, like a well-written sentence. This little encrypted strip, Meyers thought, might help them figure out who was behind the attack.
Little blobs of clues
Think of forensic cyber teams as digital detectives looking for patterns. Coding tics can sometimes help identify perpetrators or sometimes forensic teams find small cultural artifacts — such as Persian script, or Korean hangul. When an elite Russian hacking team took over the electrical grid in Ukraine in 2015, it had more literary aspirations: It sprinkled its malicious code with references to Frank Herbert’s Dune novels. That’s why CrowdStrike found that little blob of malicious code so intriguing.
After weeks of working with the code, Meyers convened a Zoom call with leaders at SolarWinds and members of his team from around the world. He shared his screen so everyone could all watch the encryption fall away in real time. He began walking the spectators through the code as it was revealed, like a play-by-play analysis of a game. Meyers kept watching for the big reveal. “We’re hoping it’s going to have, you know, variable names or maybe some comments in Cyrillic or Mandarin to give us some clue who wrote this thing,” he said.
But as CrowdStrike’s decryption program chewed its way through the zeroes and ones, Meyers’ heart sank. The crime scene was a bust. It had been wiped down. “They’d washed the code,” Meyers said. “They’d cleaned it of any human artifact or tool mark. And that was kind of mind-blowing that [they] had the wherewithal to hide anything that a human might have inadvertently left behind as a clue.”
Holy s***, he thought to himself, who does that?
...
Bigger attacks
“It’s one of the most effective cyber-espionage campaigns of all time,” said Alex Stamos, director of the Internet Observatory at Stanford University and the former head of security at Facebook. “In doing so, they demonstrated not just technical acumen, but the way they did this demonstrated that they understand how tech companies operate, how software companies operate. ... This certainly is going to change the way that large enterprises think about the software they install and think about how they handle updates.”
Intelligence analysts, already years ahead of the rest of us, are paid to imagine the darkest of scenarios. What if the hackers planted the seeds of future attacks during that nine months they explored SolarWinds’ customer networks — did they hide code for backdoors that will allow them to come and go as they please at a time of their choosing? When hackers shut down the Ukraine’s power grid in 2015 and disabled a Saudi refinery with computer code a year later, they showed it was possible to jump from a corporate network to system controls. Will we find out later that the SolarWinds hack set the stage for something more sinister?
Even if this was just an espionage operation, FireEye’s Mandia said, the attack on SolarWinds is an inflection point. “We ... kind of mapped out the evolution of threats and cyber,” he said. “And we would have landed at this day sooner or later, that at some point in time, software that many companies depend on is going to get targeted and it’s going to lead to exactly what it led to,” Mandia said. “But to see it happen, that’s where you have a little bit of shock and surprise. OK, it’s here now, nations are targeting [the] private sector, there’s no magic wand you can shake. ... It’s a real complex issue to solve.”
...
“This was an intelligence collection operation meant to steal information, and it’s not the last time that’s going to happen,” CrowdStrike’s Meyers warned. “This is going to happen every day. ... And I think there’s a lot that we all need to do to work together to stop this from happening.”
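The article describes the swap happening after the audited source is compiled but before the signed package leaves the pipeline, which is why the publisher’s signature on the tainted update checks out. The added example below (not code from NPR, SolarWinds, CrowdStrike or the Orion product) models that in Python with a deterministic stand-in build and an HMAC stand-in for code signing: the verifier treats a valid signature as necessary but not sufficient, and rebuilds from the audited sources to catch the swap.

```python
"""Added illustration: a valid publisher signature does not prove the build was
clean.  An independent rebuild from the audited sources catches a file swapped
in on the build host.  Sources, key and 'compiler' are constructed stand-ins."""
import hashlib
import hmac
import io
import zipfile

# Constructed signing key: stands in for the publisher's code-signing key.
SIGNING_KEY = b"placeholder-publisher-signing-key"

# Constructed source tree of a fictional update, as checked out of the repo.
REPO_SOURCES = {
    "collector.cs": "public class Collector { /* polls network devices */ }\n",
    "update_notes.txt": "This release includes bug fixes and stability improvements.\n",
}


def compile_sources(sources):
    """Stand-in for the compiler: a deterministic transform of each file.
    Deterministic output is what makes an independent rebuild comparable."""
    return {name: hashlib.sha256(text.encode()).hexdigest().encode()
            for name, text in sorted(sources.items())}


def package(compiled):
    """Package compiled objects into a deterministic zip (fixed timestamps)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in sorted(compiled.items()):
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            zf.writestr(info, data)
    return buf.getvalue()


def build(sources, compile_hook=None):
    """The publisher's pipeline.  `compile_hook`, if given, models something
    running on the build host that replaces a compiled object between
    compilation and packaging: the razor blade slid in before the seal."""
    compiled = compile_sources(sources)
    if compile_hook is not None:
        compiled = compile_hook(compiled)
    return package(compiled)


def sign(artifact):
    """Stand-in for code signing (HMAC here; a real pipeline uses a PKI key)."""
    return hmac.new(SIGNING_KEY, artifact, hashlib.sha256).hexdigest()


def verify_release(artifact, signature, repo_sources):
    """Defender-side check.  Returns one of:
    'signature-invalid'  - bytes were altered after signing
    'build-tampered'     - signature valid, but an independent rebuild from
                           the audited sources yields different bytes
    'ok'                 - signature valid and the rebuild matches"""
    if not hmac.compare_digest(sign(artifact), signature):
        return "signature-invalid"
    if not hmac.compare_digest(build(repo_sources), artifact):
        return "build-tampered"
    return "ok"


def malicious_swap(compiled):
    """Constructed model of a build-host implant: swap one compiled object
    for a replacement while leaving the audited sources untouched."""
    swapped = dict(compiled)
    swapped["collector.cs"] = b"<constructed replacement object>"
    return swapped


if __name__ == "__main__":
    clean = build(REPO_SOURCES)
    tainted = build(REPO_SOURCES, compile_hook=malicious_swap)
    print("clean release:  ", verify_release(clean, sign(clean), REPO_SOURCES))
    print("tainted release:", verify_release(tainted, sign(tainted), REPO_SOURCES))
```

The signature on the tainted package verifies, exactly as it did for the real update; only the rebuild comparison exposes the swap, which is why a signature check alone is not a supply-chain control.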
———–
“The SolarWinds attackers ran a master class in novel hacking techniques. They modified sealed software code, created a system that used domain names to select targets and mimicked the Orion software communication protocols so they could hide in plain sight. And then, they did what any good operative would do: They cleaned the crime scene so thoroughly investigators can’t prove definitively who was behind it. The White House has said unequivocally that Russian intelligence was behind the hack. Russia, for its part, has denied any involvement.”
A hacker master class. They were so smooth they wiped the crime scene of any evidence that could definitively prove who did it. The US government nonetheless has said unequivocally that Russian intelligence was behind the hack. Without delay. Funny how that works.
And with that unequivocal attribution came new US sanctions against Russia in retaliation for a hack that was so massive even the Cybersecurity and Infrastructure Security Agency got hacked:
...
On Thursday, the Biden administration announced a roster of tough sanctions against Russia as part of what it characterized as the “seen and unseen” response to the SolarWinds breach....
For that reason, Ramakrishna figures the Russians successfully compromised about 100 companies and about a dozen government agencies. The companies included Microsoft, Intel and Cisco; the list of federal agencies so far includes the Treasury, Justice and Energy departments and the Pentagon.
The hackers also found their way, rather embarrassingly, into the Cybersecurity and Infrastructure Security Agency, or CISA — the office at the Department of Homeland Security whose job it is to protect federal computer networks from cyberattacks.
...
And note who led this investigation into the SolarWinds hack: Adam Meyers, the vice president for threat intelligence at the cybersecurity firm CrowdStrike. Our understanding of the SolarWinds hack is largely controlled by CrowdStrike, the firm that pioneered the contemporary “pattern recognition” cyberattribution paradigm. It’s one of the many clues that this investigation is compromised:
...
Network monitoring software is a key part of the backroom operations we never see. Programs like Orion allow information technology departments to look on one screen and check their whole network: servers or firewalls, or that printer on the fifth floor that keeps going offline. By its very nature, it touches everything — which is why hacking it was genius.
“It’s really your worst nightmare,” Tim Brown, vice president of security at SolarWinds, said recently. “You feel a kind of horror. This had the potential to affect thousands of customers; this had the potential to do a great deal of harm.”
...
“The tradecraft was phenomenal,” said Adam Meyers, who led the cyber forensics team that pawed through that tainted update on behalf of SolarWinds, providing details for the first time about what they found. The code was elegant and innovative, he said, and then added, “This was the craziest f***ing thing I’d ever seen.”
Like razor blades in peanut butter cups
Meyers is the vice president for threat intelligence at the cybersecurity firm CrowdStrike, and he’s seen epic attacks up close. He worked on the 2014 Sony hack, when North Korea cracked into the company’s servers and released emails and first-run movies. A year later, he was on the front lines when a suspected Kremlin-backed hacking team known as “Cozy Bear” stole, among other things, a trove of emails from the Democratic National Committee. WikiLeaks then released them in the runup to the 2016 election.
“We’re involved in all kinds of incidents around the globe every day,” Meyers said. Typically he directs teams, he doesn’t run them. But SolarWinds was different: “When I started getting briefed up, I realized [this] was actually quite a big deal.”
...
So what kind of evidence would have revealed the identities of these hackers that Meyers and the other people working on this case were looking for but never found? This is the part of the article where we get confirmation that it’s as stupid as we should have suspected. Because in the words of Meyers, a big part of what they found really frustrating — and shocking — about this case was the lack of ‘a big reveal’ that suddenly makes clear who was behind it. What kind of ‘big reveal’? As Meyers put it, “We’re hoping it’s going to have, you know, variable names or maybe some comments in Cyrillic or Mandarin to give us some clue who wrote this thing.” That’s considered to be a ‘big reveal’ by the CrowdStrike figure leading the investigation. The most obvious, easily planted ‘clues’. That’s what they were keenly looking out for to confidently make an attribution. But these devious super-hackers managed to ‘wash the code’ of any human artifact, a move described as “mind-blowing” by Meyers. It’s that stupid.
It’s also the kind of anecdote that doesn’t just raise massive questions about the veracity of the SolarWinds investigation but basically every other cyber investigation taking place these days. Could the entire industry be operating in this manner? Making conclusions based on a Cyrillic or Mandarin ‘big reveal’? Even after the Vault7 leak in 2017 demonstrated to the world that the CIA uses hacking tools built to leave ‘clues’ like Cyrillic and Mandarin characters. It really is playing dumb professionally.
Don’t forget that businesses like CrowdStrike and FireEye aren’t just paid to remove malware and protect networks. They’re paid to name culprits too, ideally. Keep that in mind when assessing the credibility of this investigation. But also keep in mind that it was CrowdStrike that blazed the trail in the cyberattribution industry over the last decade of simply naming nation-states like China or Russia as the culprit for hacks without evidence, as a means of addressing the fact that hacks are the type of crime that criminals can, in theory, execute in a fool-proof manner without leaving evidence. Confidently declaring that a geopolitical adversary like Russia, China, or North Korea was behind a hack based on ‘pattern recognition’ and ‘educated guesses’ is as good a service as the cybersecurity industry can provide. Cyberattributions are a real geopolitical tool/weapon and these companies offer those attributions as a commercial service. So that’s the service the world is getting: Educated guesses passed off as confident attributions based on ‘big reveal’ clues like Mandarin or Cyrillic in the code. Yes, that stupid. Professionally.
Also keep in mind that when CrowdStrike’s Adam Meyers marveled at how these hackers left no trace of Cyrillic or Mandarin, he was marveling over that intentionally compact 3,500-line piece of code. Like they’re going to have the ‘big reveal’ in their ultra-compact code. It raises the question of how often these cybersecurity companies like CrowdStrike or FireEye really do find a ‘big reveal’ like Cyrillic or Mandarin in the code of malware they’re investigating. Because it wouldn’t be surprising if hackers just routinely slipped that in at this point. Why not? It’s like a surefire way to ensure your hack will get blamed on Russia or China. Maybe Iran if you use Persian. The folks at CrowdStrike will clearly be swayed by your ‘big reveal’ clues:
...
It was the cybersecurity firm FireEye that finally discovered the intrusion. Mandia, the company’s CEO, used to be in the U.S. Air Force Office of Special Investigations, so his specialty was criminal cases and counterintelligence. In the intervening years, the kinds of patterns he learned to recognize in special investigations kept appearing in his cyber security work.
The first indication that hackers had found their way into FireEye’s networks came in an innocuous way. Someone on the FireEye security team had noticed that an employee appeared to have two phones registered on his network, so she called him. “And that phone call is when we realized, hey, this isn’t our employee registering that second phone, it was somebody else,” Mandia said.
Mandia had a security briefing a short time later and everything he heard reminded him of his previous work in the military. “There was a lot of pattern recognition from me,” he told NPR. “I spent from 1996 to 1998 responding to what I would equate to the Russian Foreign Intelligence Service, and there were some indicators in the first briefing that were consistent with my experience in the Air Force.”
He called a board meeting the same day. “It just felt like the breach that I was always worried about.”
...
By mid-January, Meyers and the CrowdStrike team had isolated what they thought was the attack’s tiny beating heart. It was an elegant, encrypted little blob of code “just 3,500 lines long,” he said. The best code is short and to the point, like a well-written sentence. This little encrypted strip, Meyers thought, might help them figure out who was behind the attack.
Little blobs of clues
Think of forensic cyber teams as digital detectives looking for patterns. Coding tics can sometimes help identify perpetrators or sometimes forensic teams find small cultural artifacts — such as Persian script, or Korean hangul. When an elite Russian hacking team took over the electrical grid in Ukraine in 2015, it had more literary aspirations: It sprinkled its malicious code with references to Frank Herbert’s Dune novels. That’s why CrowdStrike found that little blob of malicious code so intriguing.
After weeks of working with the code, Meyers convened a Zoom call with leaders at SolarWinds and members of his team from around the world. He shared his screen so everyone could all watch the encryption fall away in real time. He began walking the spectators through the code as it was revealed, like a play-by-play analysis of a game. Meyers kept watching for the big reveal. “We’re hoping it’s going to have, you know, variable names or maybe some comments in Cyrillic or Mandarin to give us some clue who wrote this thing,” he said.
But as CrowdStrike’s decryption program chewed its way through the zeroes and ones, Meyers’ heart sank. The crime scene was a bust. It had been wiped down. “They’d washed the code,” Meyers said. “They’d cleaned it of any human artifact or tool mark. And that was kind of mind-blowing that [they] had the wherewithal to hide anything that a human might have inadvertently left behind as a clue.”
Holy s***, he thought to himself, who does that?
...
Now, it’s worth pointing out that there actually have been some Russian-language artifacts apparently left by the SolarWinds hackers. They turned up in a report published by the cybersecurity company Prodaft, which analyzed a command-and-control (C&C) server used in the SolarWinds hack. On that server they found a team-management panel where the hackers discussed the potential value of various hacked targets. Keep in mind that the trojanized update went out to something like 18,000 organizations at once, so whoever pulled this off probably really did need teams of hackers coordinating their efforts somewhere. In that report, where the group is called “SilverFish” instead of Nobelium, they state: “When taking its first look inside the C&C server, the PTI Team observed that main dashboard of the SilverFish C&C panel features a section named ‘Active Teams’, involving several comments entered by different user groups such as Team 301, Team 302, etc. Such a design indicates that this infrastructure is meant for multiple teams. Most comments entered by attackers for each victim are mostly in English and Russian and include urban slang.” So we can actually state that the hackers did leave behind English and Russian in their team-organization software. And given how important these kinds of ‘clues’ are in making attributions, it wouldn’t be surprising if those Russian comments on that server are a major part of what the ‘Russia did it’ attribution is based on. But it was the kind of evidence the hackers had to realize was left out in the open, at least once the server was found by investigators, a scenario they had to know was very possible. It happened, after all. Keep in mind this was the biggest hack ever and these are clearly experienced hackers.
They must realize command-and-control servers might be found by investigators, which means comments made on that forum were made knowing that artifacts like the language of the comments could later be used for attribution. These kinds of ‘clues’ play a huge role in modern cyberattribution, as Meyers made abundantly clear with his dismay at having no ‘cultural artifact’ to base his attribution on. And as the CIA hacking toolkit exposed in WikiLeaks’ Vault 7 release, with its features for planting Russian- and Chinese-language artifacts, made abundantly clear. These little language clues are, stupidly, taken very seriously, and the cyberattribution industry doesn’t even hide it. So did the super-sophisticated hacking group that pulled off the biggest hack ever leave its Russian-language clues consciously, or without realizing it? The latter is what we are being asked to believe. Although it’s not actually clear whether the Russian-language comments on that command-and-control panel were the primary basis for attributing the SolarWinds hack to Russia (as opposed to China), because we still have no idea what the attribution was ultimately based on. It’s faith-based.
But there are technical details about that attack that are more than just speculation. We are told that the attack effectively began on Sept. 12, 2019, when someone executed a proof-of-concept trial run of the plan by injecting an innocuous snippet of code into the SolarWinds update package. The hackers were testing whether code could be inserted into the next SolarWinds update and distributed to customer networks without SolarWinds detecting it. They accomplished this by injecting the code at the last possible opportunity, during compilation, which bypassed the standard security measures SolarWinds used to ensure only the intended code was delivered to its thousands of customers: the source code in the repository was never modified, and the signing step came after the swap, so the signed release carried the injected code. It was a successful proof-of-concept test. The innocuous update was delivered to SolarWinds’s clients around the world. Five months later, in February 2020, the hackers returned to repeat the trick with malicious code that inserted a compact 3,500-line payload introducing a remotely accessible backdoor into the SolarWinds software running on clients’ systems. That’s how the hack of SolarWinds became the mega-hack of thousands of corporations and government agencies. From that point the only things limiting the hackers were the sheer abundance of opportunity and the time needed to work through it.
So we have a decent understanding of how this attack worked technically and when it happened, but no clue who did it. No ‘big reveal’ clue was left in the code, and they somehow managed to avoid leaving any Cyrillic or Mandarin elsewhere on the SolarWinds network during the long period in which they clearly had deep access. But despite all that, they’re pretty sure it was Russia. It’s how cyberattribution works in the modern age: read the digital tea leaves, arrive at a gut feeling about the culprit, then confidently declare it to the world. Or just make it up and confidently declare it to the world. The confident declaration is the important part. The underlying facts it’s based on, not so much:
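To make the build-time swap described above concrete, here is a small model of it, together with two checks a release pipeline can add to catch it. This is an added example, not SolarWinds’s pipeline, CrowdStrike’s analysis, or the real implant: the file names, source text, toy ‘compiler’, HMAC-based signing and the two checks (re-hashing the inputs as the compiler reads them, and an independent rebuild from the audited sources) are all constructed here for illustration. The point it shows is the one the NPR piece makes: when the audit runs before the build and the signature is applied after it, the ‘factory seal’ happily certifies the poisoned output, and the checked-out source tree looks clean afterwards.

```python
"""Build-time source swap, modelled, with two checks that catch it.

Added example, not SolarWinds' pipeline or the real implant: the file
names, source text, 'compiler' and signing key are constructed stand-ins.
"""
import hashlib
import hmac
from typing import Optional

RELEASE_KEY = b"constructed-release-signing-key"  # stand-in for the code-signing certificate

# Constructed toy source tree; the names only echo the Orion product.
CLEAN_SOURCES = {
    "Orion/Core/BusinessLayer.cs": "class BusinessLayer { void Run() { Inventory.Refresh(); } }",
    "Orion/Core/Inventory.cs": "class Inventory { static void Refresh() { } }",
}
SWAPPED_FILE = "Orion/Core/BusinessLayer.cs"
SWAPPED_SOURCE = "class BusinessLayer { void Run() { Inventory.Refresh(); Beacon.Start(); } }"


def audit_manifest(tree: dict) -> dict:
    """Pre-build audit: one SHA-256 per source file, taken before the compiler runs."""
    return {path: hashlib.sha256(src.encode()).hexdigest() for path, src in tree.items()}


def compile_tree(tree: dict) -> str:
    """Toy deterministic compiler: the 'binary' is a digest over sorted (path, source) pairs."""
    h = hashlib.sha256()
    for path in sorted(tree):
        h.update(path.encode() + b"\0" + tree[path].encode() + b"\0")
    return h.hexdigest()


def sign_artifact(artifact: str) -> str:
    """Stand-in for release code signing (HMAC in place of a certificate)."""
    return hmac.new(RELEASE_KEY, artifact.encode(), hashlib.sha256).hexdigest()


def signature_valid(artifact: str, signature: str) -> bool:
    return hmac.compare_digest(sign_artifact(artifact), signature)


class BuildHostImplant:
    """Models the swap: replace one file as the compiler reads it, put the original back afterwards."""

    def __init__(self, path: str, payload: str):
        self.path, self.payload, self._saved = path, payload, None

    def before_compile(self, tree: dict) -> None:
        self._saved = tree[self.path]
        tree[self.path] = self.payload

    def after_compile(self, tree: dict) -> None:
        tree[self.path] = self._saved  # the checked-out tree looks untouched after the build


def naive_pipeline(tree: dict, implant: Optional[BuildHostImplant] = None) -> dict:
    """Audit, then compile, then sign: the audit never sees what the compiler consumed."""
    manifest = audit_manifest(tree)
    if implant:
        implant.before_compile(tree)
    artifact = compile_tree(tree)
    if implant:
        implant.after_compile(tree)
    return {
        "artifact": artifact,
        "signature": sign_artifact(artifact),
        "post_build_audit_clean": audit_manifest(tree) == manifest,
    }


def hardened_pipeline(tree: dict, implant: Optional[BuildHostImplant] = None) -> dict:
    """Same build, plus two checks anchored to what the compiler actually reads."""
    manifest = audit_manifest(tree)
    pinned = dict(tree)  # snapshot of the audited sources for an independent rebuild
    if implant:
        implant.before_compile(tree)
    # Check 1: hash the bytes handed to the compiler and compare them with the audit.
    at_compile = audit_manifest(tree)
    tampered = sorted(p for p in manifest if at_compile.get(p) != manifest[p])
    artifact = compile_tree(tree)
    if implant:
        implant.after_compile(tree)
    # Check 2: rebuild from the pinned sources (ideally on a separate host) and compare digests.
    reproducible = artifact == compile_tree(pinned)
    return {"artifact": artifact, "tampered_files": tampered, "reproducible": reproducible}


if __name__ == "__main__":
    implant = BuildHostImplant(SWAPPED_FILE, SWAPPED_SOURCE)
    poisoned = naive_pipeline(dict(CLEAN_SOURCES), implant)
    print("signature on poisoned build valid:", signature_valid(poisoned["artifact"], poisoned["signature"]))
    print("source tree clean after build:", poisoned["post_build_audit_clean"])
    checked = hardened_pipeline(dict(CLEAN_SOURCES), BuildHostImplant(SWAPPED_FILE, SWAPPED_SOURCE))
    print("tampered at compile time:", checked["tampered_files"], "reproducible:", checked["reproducible"])
```

Two caveats a practitioner would add. The rebuild check only works if the build is actually reproducible (deterministic compiler flags, no embedded timestamps or absolute paths) and if the second build runs on infrastructure the attacker does not also control; otherwise both builds carry the same swap and agree with each other. And the compile-time re-hash only helps if it runs above the layer the implant lives in: an implant hooked into the compiler process itself, or below the filesystem, can show the auditor clean bytes and the compiler poisoned ones.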
...
The attack began with a tiny strip of code. Meyers traced it back to Sept. 12, 2019. “This little snippet of code doesn’t do anything,” Meyers said. “It’s literally just checking to see which processor is running on the computer, if it is a 32- or 64-bit processor and if it is one or the other, it returns either a zero or a one.” The code fragment, it turns out, was a proof of concept — a little trial balloon to see if it was possible to modify SolarWinds’ signed-and-sealed software code, get it published and then later see it in a downloaded version. And they realized they could. “So at this point, they know that they can pull off a supply chain attack,” Meyers said. “They know that they have that capability.”
After that initial success, the hackers disappeared for five months. When they returned in February 2020, Meyers said, they came armed with an amazing new implant that delivered a backdoor that went into the software itself before it was published.
To understand why that was remarkable, you need to know that finished software code has a kind of digital factory seal. If you break that seal, someone can see it and know that the code might have been tampered with. Meyers said the hackers essentially found a way to get under that factory seal.
They began by implanting code that told them any time someone on the SolarWinds development team was getting ready to build new software. They understood that the process of creating software or an update typically begins with something routine such as checking a code out of a digital repository, sort of like checking a book out of the library.
Under normal circumstances, developers take the code out of the repository, make changes and then check it back in. Once they finish tinkering, they initiate something called the build process, which essentially translates the code a human can read to the code a computer does. At that point, the code is clean and tested. What the hackers did after that was the trick.
They would create a temporary update file with the malicious code inside while the SolarWinds code was compiling. The hackers’ malicious code told the machine to swap in their temporary file instead of the SolarWinds version. “I think a lot of people probably assume that it is the source code that’s been modified,” Meyers said, but instead the hackers used a kind of bait-and-switch.
But this, Meyers said, was interesting, too. The hackers understood that companies such as SolarWinds typically audit code before they start building an update, just to make sure everything is as it should be. So they made sure that the switch to the temporary file happened at the last possible second, when the updates went from source code (readable by people) to executable code (which the computer reads) to the software that goes out to customers.
...
Then there’s the ominous observation they made about the malware that slipped the backdoor into the Orion client update: the component that added the backdoor at the last moment during compilation “could have been reconfigured for any number of software products” that rely on the same compiler, raising the distinct possibility of the same attack being used against other software developers. All the hackers would need is access to a developer’s build machines while the code is being compiled. And what did they gain from the SolarWinds hack? Backdoors onto the network of every SolarWinds client that installed the update. In other words, not only can the hackers use the same compiler trick to embed backdoors in other developers’ software, they gained from the SolarWinds hack the opportunity to do exactly that. Thousands of SolarWinds clients were undoubtedly developing their own software with the same compiler, and the hackers could have deployed the same trick there. Maybe they embedded a backdoor. Maybe something else. It’s an ominous observation and part of the reason the identity of the real hackers really is a serious global concern. Whoever did this had the opportunity to plant the seeds of something orders of magnitude more devastating, involving a wide array of software tools being developed around the world:
...
But there was something else about that code that bothered Meyers: It wasn’t just for SolarWinds. “When we looked at [it], it could have been reconfigured for any number of software products,” Meyers said. In other words, any number of other software developers using the same compiler may also be on the receiving end of a cyberattack, he said, and they just don’t know it yet....
The hackers also reverse-engineered the way Orion communicated with servers and built their own coding instructions mimicking Orion’s syntax and formats. What that did is allow the hackers to look like they were “speaking” Orion, so their message traffic looked like a natural extension of the software.
“So once they determined that a target was of interest, they could say, ‘OK, let’s go active, let’s manipulate files, let’s change something,’ ” Meyers said, and then they would slip in unnoticed through the backdoor they had created. “And there is one other thing I should mention: This backdoor would wait up to two weeks before it actually went active on the host. This was a very patient adversary.”
None of the tripwires put in place by private companies or the government seems to have seen the attack coming. Christopher Krebs, who had been in charge of the office that protected government networks at DHS during the Trump administration, told NPR that DHS’ current system, something known (without irony) as Einstein, only catches known threats. The SolarWinds breach, he said, was just “too novel.”
...
And note the timing in the lead-up to SolarWinds’s December 13, 2020, public acknowledgment of the hack. We are told that the first clue something was up came in early July 2020, when Volexity found suspicious activity on a client’s computers and traced it back to a SolarWinds update. We’re then told the second clue came three months later, when Palo Alto Networks contacted SolarWinds about a malicious backdoor that appeared to emanate from the Orion software. SolarWinds then tells us it worked with Palo Alto Networks for another three months before giving up and closing the ticket. If that’s all true, the ticket can’t have been closed long before FireEye contacted SolarWinds about its ominous discovery, if it was closed before that at all. Early July plus three months puts the Palo Alto Networks call around early October; another three months puts the ‘giving up’ point around early January 2021, weeks after the public disclosure. Even reading ‘three months’ loosely as 10 to 13 weeks each time, the earliest the ticket could have been closed is late November or early December, days before FireEye’s tip. So when exactly did that ticket get closed relative to FireEye’s tip about the larger hack? SolarWinds didn’t tell us and Palo Alto Networks isn’t talking:
...
In early July, Steven Adair, the founder of a Washington, D.C.-based cybersecurity company called Volexity, saw some suspicious activity on a client’s computers. “We traced it back, and we thought it might be related to a bad update with SolarWinds,” Adair told NPR. “We addressed the problem, made sure no one was in our customers’ systems, and we left it at that.” Adair said he didn’t feel he had enough detail to report the problem to SolarWinds or the U.S. government. “We thought we didn’t have enough evidence to reach out,” he said.
That was the first missed sign.
The second came three months later when a California-based cybersecurity company called Palo Alto Networks discovered a malicious backdoor that seemed to emanate from the Orion software.
In that case, according to SolarWinds’ Ramakrishna, the security teams at SolarWinds and Palo Alto worked together for three months to try to pick up the thread of the problem and walk it back. “None of us could pinpoint a supply chain attack at that point,” Ramakrishna told NPR. “The ticket got closed as a result of that. If we had the benefit of hindsight, we could have traced it back” to the hack.
Palo Alto Networks had agreed to speak to NPR about the incident last month and then canceled the interview just an hour before it was supposed to take place. A spokesperson declined to say why and sent a few blog posts and wrote: “I’m afraid this is all we have to help at this time.”
...
All in all, it’s hard to say that NPR piece should make readers feel confident hacks like this aren’t going to happen again. Even when the hack was detected on client systems and investigations were started, they still couldn’t find it. Only FireEye, itself a top-tier security firm, was able to detect it on its own systems, and all indications are the hack would be ongoing today had FireEye not found it.
The Atlantic Council Confirms The SolarWinds Hackers Could Spoof Microsoft Credentials. Microsoft Blames Clients
And just a week after that NPR piece, we got another big reminder that the SolarWinds hack wasn’t just a giant hack of the SolarWinds company. It was a giant hack of Microsoft’s products. That was the message of a new report put out by the Atlantic Council, which appeared to confirm what Microsoft had long been denying: once the hackers used those backdoors to gain access to victims’ networks, they went on to exploit more vulnerabilities, in particular weaknesses in how Microsoft products validate user identities and grant access. Now, part of the reason Microsoft vulnerabilities were heavily targeted is that, well, these vulnerabilities exist. But as the report notes, the other big reason Microsoft was targeted so heavily is that Microsoft has more than 85% market share in government and industry. In other words, the juiciest targets, especially government agencies, were almost all running Microsoft tools on their networks.
So what was Microsoft’s response to the Atlantic Council report? Microsoft continued to deflect blame, suggesting that poorly configured software on the clients’ side was the cause. But according to Senator Ron Wyden, the software Microsoft supplies to US federal agencies is itself poorly configured, with default logging settings that won’t capture the information needed to catch attacks while they’re in progress. As we can see, the SolarWinds blame game is increasingly becoming Microsoft vs. the World:
Associated Press
SolarWinds hacking campaign puts Microsoft in the hot seat
By FRANK BAJAK
April 23, 2021
BOSTON (AP) — The sprawling hacking campaign deemed a grave threat to U.S. national security came to be known as SolarWinds, for the company whose software update was seeded by Russian intelligence agents with malware to penetrate sensitive government and private networks.
Yet it was Microsoft whose code the cyber spies persistently abused in the campaign’s second stage, rifling through emails and other files of such high-value targets as then-acting Homeland Security chief Chad Wolf — and hopping undetected among victim networks.
This has put the world’s third-most valuable company in the hot seat. Because its products are a de facto monoculture in government and industry — with more than 85% market share — federal lawmakers are insisting that Microsoft swiftly upgrade security to what they say it should have provided in the first place, and without fleecing taxpayers.
Seeking to assuage concerns, Microsoft this past week offered all federal agencies a year of “advanced” security features at no extra charge. But it also seeks to deflect blame, saying it is customers who do not always make security a priority.
Risks in Microsoft’s foreign dealings also came into relief when the Biden administration imposed sanctions Thursday on a half-dozen Russian IT companies it said support Kremlin hacking. Most prominent was Positive Technologies, which was among more than 80 companies that Microsoft has supplied with early access to data on vulnerabilities detected in its products. Following the sanctions announcement, Microsoft said Positive Tech was no longer in the program and removed its name from a list of participants on its website.
The SolarWinds hackers took full advantage of what George Kurtz, CEO of top cybersecurity firm CrowdStrike, called “systematic weaknesses” in key elements of Microsoft code to mine at least nine U.S. government agencies — the departments of Justice and Treasury, among them — and more than 100 private companies and think tanks, including software and telecommunications providers.
The SolarWinds hackers’ abuse of Microsoft’s identity and access architecture — which validates users’ identities and grants them access to email, documents and other data — did the most dramatic harm, the nonpartisan Atlantic Council think tank said in a report. That set the hack apart as “a widespread intelligence coup.” In nearly every case of post-intrusion mischief, the intruders “silently moved through Microsoft products “vacuuming up emails and files from dozens of organizations.”
Thanks in part to the carte blanche that victim networks granted the infected Solarwinds network management software in the form of administrative privileges, the intruders could move laterally across them, even jump among organizations. They used it to sneak into the cybersecurity firm Malwarebytes and to target customers of Mimecast, an email security company.
The campaign’s “hallmark” was the intruders’ ability to impersonate legitimate users and create counterfeit credentials that let them grab data stored remotely by Microsoft Office, the acting director of the Cybersecurity Infrastructure and Security Agency, Brandon Wales, told a mid-March congressional hearing. “It was all because they compromised those systems that manage trust and identity on networks,” he said.
Microsoft President Brad Smith told a February congressional hearing that just 15% of victims were compromised through an authentication vulnerability first identified in 2017 — allowing the intruders to impersonate authorized users by minting the rough equivalent of counterfeit passports.
Microsoft officials stress that the SolarWinds update was not always the entry point; intruders sometimes took advantage of vulnerabilities such as weak passwords and victims’ lack of multi-factor authentication. But critics say the company took security too lightly. Sen. Ron Wyden, D‑Ore., verbally pummeled Microsoft for not supplying federal agencies with a level of “event logging” that, if it had not detected the SolarWinds hacking in progress, would at least have provided responders with a record of where the intruders were and what they saw and removed.
“Microsoft chooses the default settings in the software it sells, and even though the company knew for years about the hacking technique used against U.S. government agencies, the company did not set default logging settings to capture information necessary to spot hacks in progress,” Wyden said. He was not the only federal lawmaker who complained.
When Microsoft on Wednesday announced a year of free security logging for federal agencies, for which it normally charges a premium, Wyden was not appeased.
“This move is far short of what’s needed to make up for Microsoft’s recent failures,” he said in a statement. “The government still won’t have access to important security features without handing over even more money to the same company that created this cybersecurity sinkhole.”
...
Even the highest level of logging doesn’t prevent break-ins, though. It only makes it easier to detect them.
And remember, many security professionals note, Microsoft was itself compromised by the SolarWinds intruders, who got access to some of its source code — its crown jewels. Microsoft’s full suite of security products — and some of the industry’s most skilled cyber-defense practitioners — had failed to detect the ghost in the network. Not until alerted to the hacking campaign by FireEye, the cybersecurity firm that detected it in mid-December, did Microsoft responders discover the related breach of their systems.
The intruders in the unrelated hack of Microsoft Exchange email servers disclosed in March — blamed on Chinese spies — used wholly different infection methods. But they gained immediate high-level access to users’ email and other info.
Across the industry, Microsoft’s investments in security are widely acknowledged. It is often first to identify major cybersecurity threats, its visibility into networks is so great. But many argue that as the chief supplier of security solutions for its products, it needs to be more mindful about how much it should profit off defense.
“The crux of it is that Microsoft is selling you the disease and the cure,” said Marc Maiffret, a cybersecurity veteran who built a career finding vulnerabilities in Microsoft products and has a new startup in the works called BinMave.
Last month, Reuters reported that a $150 million payment to Microsoft for a “secure cloud platform” was included in a draft outline for spending the $650 million appropriated for the Cybersecurity and Infrastructure Security Agency in last month’s $1.9 trillion pandemic relief act.
A Microsoft spokesperson would not say how much, if any, of that money it would be getting, referring the question to the cybersecurity agency. An agency spokesman, Scott McConnell, would not say either. Langevin said he didn’t think a final decision has been made.
In the budget year ending in September, the federal government spent more than half a billion dollars on Microsoft software and services.
Many security experts believe Microsoft’s single sign-on model, emphasizing user convenience over security, is ripe for retooling to reflect a world where state-backed hackers now routinely run roughshod over U.S. networks.
Alex Weinert, Microsoft’s director of identity security, said it offers various ways for customers to strictly limit users’ access to what they need to do their jobs. But getting customers to go along can be difficult because it often means abandoning three decades of IT habit and disrupting business. Customers tend to configure too many accounts with the broad global administrative privileges that allowed the SolarWinds campaign abuses, he said. “It’s not the only way they can do it, that’s for sure.”
In 2014–2015, lax restrictions on access helped Chinese spies steal sensitive personal data on more than 21 million current, former and prospective federal employees from the Office of Personnel Management.
Curtis Dukes was the National Security Agency’s head of information assurance at the time.
The OPM shared data across multiple agencies using Microsoft’s authentication architecture, granting access to more users than it safely should have, said Dukes, now the managing director for the nonprofit Center for Internet Security.
“People took their eye off the ball.”
———–
“This has put the world’s third-most valuable company in the hot seat. Because its products are a de facto monoculture in government and industry — with more than 85% market share — federal lawmakers are insisting that Microsoft swiftly upgrade security to what they say it should have provided in the first place, and without fleecing taxpayers.”
If you want to hack the US government, be ready to hack Microsoft products. That’s the undeniable reality. Microsoft is basically the software supplier for the US government and governments around the world. So it should come as no surprise that the second phase of the SolarWinds hack was basically the exploitation of weaknesses in Microsoft products after the hackers gained access to client networks. In particular, weaknesses in Microsoft’s identity and access architecture, the part that validates users’ identities and grants them access to email, documents and other data. The SolarWinds hackers repeatedly impersonated legitimate users and created counterfeit credentials that let them grab data stored remotely by Microsoft Office. So the SolarWinds hack didn’t just involve pilfering victims’ own networks; it reached the data those victims stored remotely through Microsoft Office too. Those sound like some massive vulnerabilities. The SolarWinds hack wasn’t just the creation and exploitation of backdoors placed on 18,000 client networks. It was the exploitation of the information those clients stored remotely via Microsoft Office too:
...
The SolarWinds hackers took full advantage of what George Kurtz, CEO of top cybersecurity firm CrowdStrike, called “systematic weaknesses” in key elements of Microsoft code to mine at least nine U.S. government agencies — the departments of Justice and Treasury, among them — and more than 100 private companies and think tanks, including software and telecommunications providers. The SolarWinds hackers’ abuse of Microsoft’s identity and access architecture — which validates users’ identities and grants them access to email, documents and other data — did the most dramatic harm, the nonpartisan Atlantic Council think tank said in a report. That set the hack apart as “a widespread intelligence coup.” In nearly every case of post-intrusion mischief, the intruders “silently moved through Microsoft products “vacuuming up emails and files from dozens of organizations.”
Thanks in part to the carte blanche that victim networks granted the infected Solarwinds network management software in the form of administrative privileges, the intruders could move laterally across them, even jump among organizations. They used it to sneak into the cybersecurity firm Malwarebytes and to target customers of Mimecast, an email security company.
The campaign’s “hallmark” was the intruders’ ability to impersonate legitimate users and create counterfeit credentials that let them grab data stored remotely by Microsoft Office, the acting director of the Cybersecurity Infrastructure and Security Agency, Brandon Wales, told a mid-March congressional hearing. “It was all because they compromised those systems that manage trust and identity on networks,” he said.
...
But it gets worse for Microsoft, because the hackers didn’t simply exploit weaknesses in Microsoft’s products. They also rifled through Microsoft’s treasured source code looking for the code that validates users’ identities and grants them access to email, documents and other data. So these super-hackers likely learned how to become even more super. At least more super against Microsoft:
...
And remember, many security professionals note, Microsoft was itself compromised by the SolarWinds intruders, who got access to some of its source code — its crown jewels. Microsoft’s full suite of security products — and some of the industry’s most skilled cyber-defense practitioners — had failed to detect the ghost in the network. Not until alerted to the hacking campaign by FireEye, the cybersecurity firm that detected it in mid-December, did Microsoft responders discover the related breach of their systems.
...
But perhaps worst of all is how long these security deficiencies have been plaguing Microsoft. This isn’t a new problem. Which is why it’s so problematic and scandalous that, as Senator Wyden angrily pointed out during a recent congressional hearing, Microsoft has been providing the US government with products whose default event-logging settings don’t capture the information needed to spot a hack in progress. So by default, federal agencies don’t have the records needed to see these hacks when they happen. That’s apparently the case, according to Senator Wyden. The US government’s cyber-defenses have been flying blind by default thanks to Microsoft:
...
Microsoft officials stress that the SolarWinds update was not always the entry point; intruders sometimes took advantage of vulnerabilities such as weak passwords and victims’ lack of multi-factor authentication. But critics say the company took security too lightly. Sen. Ron Wyden, D‑Ore., verbally pummeled Microsoft for not supplying federal agencies with a level of “event logging” that, if it had not detected the SolarWinds hacking in progress, would at least have provided responders with a record of where the intruders were and what they saw and removed. “Microsoft chooses the default settings in the software it sells, and even though the company knew for years about the hacking technique used against U.S. government agencies, the company did not set default logging settings to capture information necessary to spot hacks in progress,” Wyden said. He was not the only federal lawmaker who complained.
...
Even the highest level of logging doesn’t prevent break-ins, though. It only makes it easier to detect them.
...
Of course, keep in mind that there is a big advantage for the victims of hacks when no event logging was employed: the less information you have about what actually happened, the more you’re forced to speculate about what happened and the easier it is to just say it was probably Russia or China or whoever you want to blame. Ignorance can be both a cudgel and a shield when cyberattribution is wielded as a weapon.
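Wyden’s complaint is about a default that is only as good as the tenant’s actual configuration, so the practical follow-up for an administrator is to check the setting rather than trust it. The following is an added example, not code from the article or from Microsoft: it walks an Exchange Online tenant through the three places where logging can silently be off (the tenant-wide switch, the per-mailbox flag, and unified audit log ingestion) and then confirms that records are actually being written. It assumes the ExchangeOnlineManagement module is installed and that you have already run Connect-ExchangeOnline with an account holding the Audit Logs role; the exact set of operations recorded depends on the tenant’s licence level.

```powershell
# Added example (not from the article or from Microsoft): verify that audit
# logging in an Exchange Online tenant is really on instead of assuming the
# vendor default did it for you. Assumes an existing Connect-ExchangeOnline
# session with the Audit Logs role.

# 1. Tenant-wide switch. AuditDisabled = $true turns mailbox auditing off for
#    every mailbox, regardless of any per-mailbox setting.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled tenant-wide; enabling it."
    Set-OrganizationConfig -AuditDisabled $false
}

# 2. Unified audit log ingestion. If this is off, Search-UnifiedAuditLog will
#    return nothing even when mailbox auditing is on.
$adminCfg = Get-AdminAuditLogConfig
if (-not $adminCfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is off; enabling it."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 3. Per-mailbox flag. A mailbox with AuditEnabled = $false leaves no record
#    of who read, moved or exported its mail. Turn it on where it is missing.
$unaudited = Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled }
foreach ($mbx in $unaudited) {
    Write-Output "Enabling audit logging on $($mbx.UserPrincipalName)"
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true
}

# 4. Prove events are landing: pull the last 24 hours of mailbox item events.
#    An empty result on a busy tenant is itself a finding worth chasing.
$since  = (Get-Date).AddDays(-1)
$events = Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
    -RecordType ExchangeItem -ResultSize 100
if (-not $events) {
    Write-Warning "No ExchangeItem audit records in the last 24h; check licensing and ingestion."
} else {
    $events | Select-Object CreationDate, UserIds, Operations | Format-Table -AutoSize
}
```

The point of step 4 is the one Wyden was making: a tenant can have every switch set correctly and still produce no usable record if the licence tier does not include the relevant events, so the check has to end with a query against the log rather than a read of the configuration.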
Finally note how we are told the ‘Chinese hackers’ behind the Microsoft Exchange hack used wholly different infection methods. Now, technically, yes, they may have used a different zero-day exploit targeting different Microsoft products. As we’ve seen, it was reportedly an Office 365 email exploit that the hackers used to initiate the hack on SolarWinds’s network, and the US Treasury Department confirmed that an Office 365 email exploit was used after the hackers infiltrated their networks via the backdoor. Whereas in the Microsoft Exchange hack, it was some sort of vulnerability in the Exchange software that was exploited. So yes, these are two different infection methods. But they both relied on manipulating Microsoft’s credentialing systems. From that perspective, it’s kind of the same underlying method:
...
The intruders in the unrelated hack of Microsoft Exchange email servers disclosed in March — blamed on Chinese spies — used wholly different infection methods. But they gained immediate high-level access to users’ email and other info.
...
Keep in mind that pointing out the different attack methods used in the SolarWinds and Microsoft Exchange hacks, and citing that as evidence that different hacking groups were involved, is another example of how vague technical ‘digital fingerprints’ like the particular type of malware or exploit used in a hack are used for cyberattribution purposes. It’s the kind of cyberattribution phenomenon that assumes the “commercial surveillance” industry isn’t supplying incredible zero-day attacks to dozens of governments around the world simultaneously.
The SolarWinds Hackers(?) Go Phishing. With USAID as the Bait.
The multifaceted ability of the SolarWinds hackers was on display again with a new announcement from Microsoft at the end of May: Remember those warnings following the Microsoft Exchange hack about highly sophisticated and targeted phishing campaigns emerging from all the information the hackers were able to extract from all those stolen emails? Well, a new highly sophisticated and targeted phishing campaign was indeed unleashed. But we are told “Nobelium” — the name Microsoft gave to Cozy Bear/APT29 — was the culprit. Approximately 3,000 email accounts at more than 150 different organizations in 24 different countries received emails seemingly from the United States Agency For International Development (USAID), encouraging victims to download a file about election fraud. The hackers carried out the hack by breaking into an email marketing account for Constant Contact, which is used by USAID for official communications. From there, they launched the phishing attacks.
Microsoft assures us that no exploits of Microsoft products were involved with this phishing attempt. At the same time, we’re told nothing about how this Constant Contact email marketing account was broken into in the first place. In fact, it’s not actually clear at all what ties this phishing attack to the SolarWinds hack. And yet we are assured by Microsoft, with high confidence, that Russia’s SVR is behind it and that it appeared to be a continuation of multiple efforts to target government agencies involved in foreign policy as part of intelligence gathering efforts. And since the SVR is also blamed for the SolarWinds hack, it’s therefore behind this phishing attempt. That appears to be the ‘logic’ at work here.
Now, if we view the Microsoft blog post on this hack, there is one technical fact that relates back to the SolarWinds hack: the use of zero-day exploits. Victims who fell for the phishing emails had four zero-day pieces of malware deployed on their computers, according to a second Microsoft blog post about the attack. So the technical trait shared between this phishing attack and the earlier SolarWinds hack is the use of multiple zero-day exploits. But different exploits. The Microsoft blog post describing this USAID phishing scheme explicitly states that this new attack bears very little technical similarity to the SolarWinds hack and suggests the hackers intentionally changed their tactics after the discovery of the SolarWinds hack. So the possession of multiple zero-day exploits is apparently being used as a technical indicator for attributions. If a hacker is sporting lots of zero-day exploits, it’s assumed to be the same hacker who ran the last hack with lots of zero-day exploits. And since zero-day exploits are widely assumed to be largely the exclusive property of well-financed nations (the US, Russia, China, Israel, etc.), when a hack involves lots of zero-day exploits the list of suspects gets narrowed down to that list. That appears to be the pattern playing out here. A pattern that ignores the existence of a robust industry selling zero-day exploits to dozens of governments around the world.
But also keep in mind that the Microsoft Exchange mega-hack announced in March also utilized zero-day exploits, and this hack started with the compromise of USAID’s Constant Contact email account. Is there an Exchange server involved with this service? It would be nice to know but, again, we aren’t told how the hack started. So how was Microsoft able to deduce that it was the SolarWinds hackers and not the Exchange hackers or some other group? We have no idea, but we are assured that Microsoft figured it all out. We’ll just have to blindly trust them on this. As always:
Reuters
Microsoft says group behind SolarWinds hack now targeting government agencies, NGOs
Raphael Satter, Kanishka Singh
May 28, 2021 12:53 PM CDT Updated
May 28 (Reuters) — The group behind the SolarWinds (SWI.N) cyber attack identified late last year is now targeting government agencies, think tanks, consultants, and non-governmental organizations, Microsoft Corp (MSFT.O) said on Thursday.
“This week we observed cyberattacks by the threat actor Nobelium targeting government agencies, think tanks, consultants, and non-governmental organizations”, Microsoft said in a blog.
Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020, according to Microsoft.
The comments come weeks after a May 7 ransomware attack on Colonial Pipeline shut the United States’ largest fuel pipeline network for several days, disrupting the country’s supply.
“This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations”, Microsoft said on Thursday.
While organisations in the United States received the largest share of attacks, targeted victims came from at least 24 countries, Microsoft said.
At least a quarter of the targeted organisations were involved in international development, humanitarian issues and human rights work, Microsoft said in the blog.
Nobelium launched this week’s attacks by breaking into an email marketing account used by the United States Agency For International Development (USAID) and from there launching phishing attacks on many other organisations, Microsoft said.
In statements issued Friday, the Department of Homeland Security and USAID both said they were aware of the hacking and were investigating.
The hack of information technology company SolarWinds, which was identified in December, gave access to thousands of companies and government offices that used its products. Microsoft President Brad Smith described the attack as “the largest and most sophisticated attack the world has ever seen”.
...
The United States and Britain have blamed Russia’s Foreign Intelligence Service (SVR), successor to the foreign spying operations of the KGB, for the hack which compromised nine U.S. federal agencies and hundreds of private sector companies.
The attacks disclosed by Microsoft on Thursday appeared to be a continuation of multiple efforts to target government agencies involved in foreign policy as part of intelligence gathering efforts, Microsoft said.
The company said it was in the process of notifying all of its targeted customers and had “no reason to believe” these attacks involved any exploitation or vulnerability in Microsoft’s products or services.
————–
“Nobelium launched this week’s attacks by breaking into an email marketing account used by the United States Agency For International Development (USAID) and from there launching phishing attacks on many other organisations, Microsoft said.”
As Microsoft announced in May, the SolarWinds attacks continue. Sort of. This wasn’t an extension of the SolarWinds attack. At least we aren’t told so. Instead, we’re told that the same hackers, Nobelium, who carried out the SolarWinds attack also carried out this new attack targeting the email marketing firm, Constant Contact, that handles the emails for USAID. Somehow, the hackers were able to send out emails to 3,000 email accounts at more than 150 different organizations that looked like they came from USAID, and if victims clicked on the links in the emails they received sophisticated malware like what was deployed in the SolarWinds attack. Again, Nobelium is Microsoft’s name for APT29/Cozy Bear, the group accused of the 2015 DNC hack (the first DNC hack of the 2016 election season).
Now how did Microsoft arrive at the conclusion that this phishing attack was carried out by the same “Nobelium” SolarWinds hackers? As we should expect, it’s entirely unclear. Microsoft first dubbed the SolarWinds hackers “Nobelium” back in March of 2020 in a blog post describing the command-and-control malware from the SolarWinds hack. ‘Zero-day’ malware that had never been seen before, adding to the perceived sophistication of the hacker. Of course, as we’re going to see with the NSO Group story, ultra-sophisticated ‘zero-day’ hacks that have ‘never been seen before’ are effectively for sale to governments around the world. Any government with permission to buy this software would suddenly become an ultra-sophisticated actor with an armory of zero-day exploits never seen before.
So were more zero-day exploits found in this latest USAID phishing hack? Yes, there were four zero-day pieces of malware deployed, according to a second Microsoft blog post about the attack. So the technical trait shared between this phishing attack and the earlier SolarWinds hack is the use of multiple zero-day exploits. But different exploits. The Microsoft blog post describing this USAID phishing scheme explicitly states that this new attack bears very little technical similarity to the SolarWinds hack and suggests the hackers intentionally changed their tactics after the discovery of the SolarWinds hack. So the possession of multiple zero-day exploits is apparently being used as a technical indicator for attributions. If a hacker is sporting lots of zero-day exploits, it’s assumed to be the same hacker who ran the last hack with lots of zero-day exploits. And since zero-day exploits are widely assumed to be largely the exclusive property of well-financed nations (the US, Russia, China, Israel, etc.), when a hack involves lots of zero-day exploits the list of suspects gets narrowed down to that list. That appears to be the pattern playing out here. A pattern that ignores the existence of a robust industry selling zero-day exploits to dozens of governments around the world.
And note how, while this attack clearly involves USAID, it’s not actually targeting USAID. It was an attack that used USAID’s persona to target 150 different organizations in at least 24 countries. And only around a quarter of those targeted organisations were involved in international development, humanitarian issues and human rights work. And yet Microsoft confidently tells us this hack is a continuation of an SVR espionage campaign targeting government agencies involved in foreign policy. It’s a remarkably cherry-picked assessment:
...
“This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations”, Microsoft said on Thursday.
While organisations in the United States received the largest share of attacks, targeted victims came from at least 24 countries, Microsoft said.
At least a quarter of the targeted organisations were involved in international development, humanitarian issues and human rights work, Microsoft said in the blog.
...
The United States and Britain have blamed Russia’s Foreign Intelligence Service (SVR), successor to the foreign spying operations of the KGB, for the hack which compromised nine U.S. federal agencies and hundreds of private sector companies.
The attacks disclosed by Microsoft on Thursday appeared to be a continuation of multiple efforts to target government agencies involved in foreign policy as part of intelligence gathering efforts, Microsoft said.
...
So we have the SolarWinds mega-hack discovered in December 2020 initially attributed to a previously unknown group — that governments nonetheless assure us are the SVR — but later attributed to Cozy Bear/APT29 aka Nobelium. Then a May 2021 phishing campaign that doesn’t actually share any of the technical traits of the SolarWinds hack other than the use of different zero-day exploits is also attributed to Cozy Bear. Why exactly it’s been determined that these two separate attacks were done by the same group is never explained, let alone why they’ve determined that group is Russia’s SVR.
The SolarWinds Hackers(?) Can’t Stop, Won’t Stop...Hacking Microsoft
It’s always a ‘trust us’ narrative. A narrative that sounds awfully similar to the story we got a month later in the last week of June, when Microsoft announced a new Nobelium/Cozy Bear attack. Although it’s more like an update on the May phishing attack. Like with the May phishing attack report, Microsoft assured us that this new attack is unrelated to the SolarWinds hack. And yet Microsoft also assured us that the same group was behind it, Nobelium. The reason for this attribution to Nobelium is never given. It’s another phishing attack that isn’t technically related to the SolarWinds hack but they’re still sure it’s the same group. The reasons are never given. Sounding familiar yet?
But this June attack appears to differ from the May phishing attack in a potentially significant way: one of Microsoft’s own agents was hacked and customer information about Microsoft services was stolen, allowing for tailored phishing attacks. So whoever pulled this off demonstrated an eerily similar ability to exploit previously unknown Microsoft vulnerabilities. An ability demonstrated by both the SolarWinds and Exchange hackers.
Microsoft didn’t answer questions of whether or not its agent was hacked during the initial SolarWinds hack. But we are told that Microsoft discovered this phishing campaign and the hacking of its agent as a result of its investigation into the earlier SolarWinds hacks. Part of the reason this is potentially significant is that it once again raises the question of whether or not this new hack of the Microsoft agent — where customer service information was somehow accessed and used to tailor phishing emails — was executed with some sort of exploit targeting Microsoft systems. And if that’s the case, we have to ask why these are necessarily the SolarWinds hackers and not the Exchange hackers. Both possessed Microsoft zero-day exploits.
But beyond the potential relationship between the SolarWinds and Exchange hackers, it’s hard to ignore the story of NSO Group, Candiru, and the existence of the private industry that creates and sells cutting edge malware bristling with zero-day exploits — including zero-day exploits targeting Microsoft products — to dozens of governments around the world. And yet ignoring the existence of this private industry that makes cutting edge zero-day exploits available to dozens of governments around the world is exactly what we are asked to do. Over and over. Every time there’s a new hack that shows a reasonable degree of sophistication or that hits a government agency (even if many more non-government organizations are hit too), it’s treated as if the only possible actors in the world who could have pulled off the hack were Russia, China, Iran or North Korea. It is systematically ignored that dozens of governments around the world can and do buy the necessary ‘zero-day’ malware toolkits to pull off these hacks. Would Saudi Arabia attempt a SolarWinds-style mega-hack if they knew it was going to be blamed on Russia or China? There’s no way to responsibly avoid asking these kinds of questions when we know Saudi Arabia and dozens of other countries have already purchased the ability to do so.
So we have a second phishing attack attributed to Nobelium/Cozy Bear. But unlike the previous phishing attack, where Microsoft acknowledged there was no apparent technical link back to the earlier SolarWinds hack, this phishing attack appears to have employed some sort of vulnerability in Microsoft’s products. And at the same time Microsoft assures us this wasn’t technically related to the SolarWinds hack, Microsoft also reminds us of what was disclosed months ago: that data and insights were stolen from Microsoft during the initial SolarWinds attack, including software instructions governing how Microsoft verifies user identities. Were any of those stolen vulnerabilities used in this hack? Microsoft isn’t saying. And that’s a big part of the larger story here: extremely serious allegations about who was behind these cyberattacks are being made — with all fingers pointing towards the Russian or Chinese governments — with almost no information being released regarding why and how those attributions are made. The entire cyberattribution industry is rooted in a ‘just trust us on this’ ethos:
Reuters
Microsoft says new breach discovered in probe of suspected SolarWinds hackers
Joseph Menn
June 25, 2021 8:59 PM CDT Updated
SAN FRANCISCO, June 25 (Reuters) — Microsoft (MSFT.O) said on Friday an attacker had won access to one of its customer-service agents and then used information from that to launch hacking attempts against customers.
The company said it had found the compromise during its response to hacks by a team it identifies as responsible for earlier major breaches at SolarWinds (SWI.N) and Microsoft.
Microsoft said it had warned the affected customers. A copy of one warning seen by Reuters said the attacker belonged to the group Microsoft calls Nobelium and that it had access during the second half of May.
“A sophisticated Nation-State associated actor that Microsoft identifies as NOBELLIUM accessed Microsoft customer support tools to review information regarding your Microsoft Services subscriptions,” the warning reads in part. The U.S. government has publicly attributed the earlier attacks to the Russian government, which denies involvement.
When Reuters asked about that warning, Microsoft announced the breach publicly.
After commenting on a broader phishing campaign it said had compromised a small number of entities, Microsoft said it had also found the breach of its own agent, who it said had limited powers.
The agent could see billing contact information and what services the customers pay for, among other things.
“The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign,” Microsoft said.
Microsoft warned affected customers to be careful about communications to their billing contacts and consider changing those usernames and email addresses, as well as barring old usernames from logging in.
Microsoft said it was aware of three entities that had been compromised in the phishing campaign.
It did not immediately clarify whether any had been among those whose data was viewed through the support agent, or if the agent had been tricked by the broader campaign.
Microsoft did not say whether the agent was at a contractor or a direct employee.
A spokesman said the latest breach by the threat actor was not part of Nobelium’s previous successful attack on Microsoft, in which it obtained some source code.
In the SolarWinds attack, the group altered code at that company to access SolarWinds customers, including nine U.S. federal agencies.
At the SolarWinds customers and others, the attackers also took advantage of weaknesses in the way Microsoft programs were configured, according to the Department of Homeland Security.
Microsoft later said the group had compromised its own employee accounts and taken software instructions governing how Microsoft verifies user identities.
A White House official said the latest intrusion and phishing campaign was far less serious than the SolarWinds fiasco.
“This appears to be largely unsuccessful, run-of-the-mill espionage,” the official said.
...
————
““A sophisticated Nation-State associated actor that Microsoft identifies as NOBELLIUM accessed Microsoft customer support tools to review information regarding your Microsoft Services subscriptions,” the warning reads in part. The U.S. government has publicly attributed the earlier attacks to the Russian government, which denies involvement.”
Nobelium “accessed Microsoft customer support tools to review information.” That’s the language used by Microsoft to describe the hacking of its agent and the use of the obtained information to run targeted phishing campaigns. That’s what we know. What we don’t know is how the agent got hacked in the first place. Was it simply exploiting a backdoor created by the SolarWinds hack? Microsoft isn’t saying. But we know Microsoft has previously disclosed that ‘Nobelium’ stole code involving Microsoft’s user verification. And DHS tells us these same hackers are taking advantage of weaknesses in the way Microsoft programs were configured. A lot of arrows are pointing in the direction of another Microsoft vulnerability being exploited but, as always, we’re forced to guess:
...
A spokesman said the latest breach by the threat actor was not part of Nobelium’s previous successful attack on Microsoft, in which it obtained some source code....
At the SolarWinds customers and others, the attackers also took advantage of weaknesses in the way Microsoft programs were configured, according to the Department of Homeland Security.
Microsoft later said the group had compromised its own employee accounts and taken software instructions governing how Microsoft verifies user identities.
...
The bad news stories just keep piling up. What’s next?
Backdoors aren’t Just Backdoors. They’re Digital Bombs Too.
What might be next is the question ominously answered in a CBS News piece from July 4 that includes commentary from Jon Miller, a former hacker who now runs a company called Boldend that designs and sells cutting-edge cyber weapons to US intelligence agencies. According to Miller, what stood out for him in the SolarWinds hack wasn’t the sophistication of the malware. Miller claims to create much more sophisticated malware in his own work. What surprised him was the scope of the attack. Whoever did this didn’t even bother trying to hide it and seemed to execute it with no regard to the damage caused or potential consequences.
And then Miller drops the bomb: when asked if the hackers were capable of doing more damage than they did and, for example, destroying all the computers on the network, Miller tells us that not only would that be possible but it would be trivial. A few dozen additional lines of code. So if the SolarWinds hackers — or Microsoft Exchange hackers — wanted to destroy the computer systems of organizations around the world, they could have done so. Easily.
The piece also includes an interview of Brad Smith, president of Microsoft. Smith points to the numerous government agencies to make the case that it must be a foreign intelligence operation, an observation that systematically ignores all the non-government commercial victims that also got hit. Smith goes on to make an interesting defense of the US government’s inability to detect and stop the SolarWinds hack: because the hackers launched the hack from US-based servers, the NSA wasn’t legally allowed to observe and prevent it. Domestic network security in the US is the responsibility of the private sector. How those policies change in response to these mega-hacks will be something to watch.
Then Smith issues a warning that, when combined with Miller’s warnings about digital bombs, should send chills down the spines of system administrators everywhere: Smith warns that it’s almost certain the SolarWinds hackers planted additional backdoors and spread to other networks. Keep in mind that Microsoft has been one of the lead investigators on this, so when Microsoft tells us the SolarWinds hackers are probably still residing on these hacked networks and have spread to others, that’s the kind of warning we should take seriously. So if you were hoping the discovery of the SolarWinds hack meant the closing of all these backdoors on the networks of thousands of organizations around the world, your hopes should be dashed by now. Microsoft was basically telling us they don’t think they can realistically expel the hackers from all these networks. So if these hackers do decide to actually destroy tens of thousands of hacked networks around the world, or conduct a global ransomware attack, they could probably still do so:
CBS News
SolarWinds: How Russian spies hacked the Justice, State, Treasury, Energy and Commerce Departments
Bill Whitaker reports on how Russian spies used a popular piece of software to unleash a virus that spread to 18,000 government and private computer networks.
Correspondent Bill Whitaker
2021 Jul 04
When Presidents Biden and Putin met in Geneva last month – it was the first time that the threat of cyber war eclipsed that of nuclear war between the two old super-powers… and “SolarWinds” was one big reason why. Last year, in perhaps the most audacious cyber attack in history, Russian military hackers sabotaged a tiny piece of computer code buried in a popular piece of software called SolarWinds. As we first reported in February, the hidden virus spread to 18,000 government and private computer networks by way of one of those software updates we all take for granted. After it was installed, Russian agents went rummaging through the digital files of the U.S. departments of Justice, State, Treasury, Energy, and Commerce – among others – and for nine months, they had unfettered access to top-level communications, court documents, even nuclear secrets.
Brad Smith: I think from a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack the world has ever seen.
Brad Smith is president of Microsoft. He learned about the hack after the presidential election this past November. By that time, the stealthy intruders had spread throughout the tech giants’ computer network and stolen some of its proprietary source code used to build its software products. More alarming: how the hackers got in… piggy-backing on a piece of third party software used to connect, manage and monitor computer networks.
Bill Whitaker: What makes this so momentous?
Brad Smith: One of the really disconcerting aspects of this attack was the widespread and indiscriminate nature of it. What this attacker did was identify network management software from a company called SolarWinds. They installed malware into an update for a SolarWinds product. When that update went out to 18,000 organizations around the world, so did this malware.
“SolarWinds Orion” is one of the most ubiquitous software products you probably never heard of, but to thousands of I.T. departments worldwide, it’s indispensable. It’s made up of millions of lines of computer code. 4,032 of them were clandestinely re-written and distributed to customers in a routine update, opening up a secret backdoor to the 18,000 infected networks. Microsoft has assigned 500 engineers to dig in to the attack. One compared it to a Rembrandt painting, the closer they looked, the more details emerged.
Brad Smith: When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000.
Bill Whitaker: You guys are Microsoft. How did Microsoft miss this?
Brad Smith: I think that when you look at the sophistication of this attacker there’s an asymmetric advantage for somebody playing offense.
Bill Whitaker: Is it still going on?
Brad Smith: Almost certainly, these attacks are continuing.
The world still might not know about the hack if not for FireEye, a three-and-a-half billion dollar cybersecurity company run by Kevin Mandia, a former Air Force intelligence officer.
...
They discovered the malware inside SolarWinds and on December 13 informed the world of the brazen attack.
Much of the damage had already been done. The U.S. Justice Department acknowledged the Russians spent months inside their computers accessing email traffic – but the department won’t tell us exactly what was taken. It’s the same at Treasury, Commerce, the NIH, Energy. Even the agency that protects and transports our nuclear arsenal. The hackers also hit the biggest names in high tech.
Bill Whitaker: So, what does that target list tell you?
Brad Smith: I think this target list tells us that this is clearly a foreign intelligence agency. It exposes the secrets potentially of the United States and other governments as well as private companies. I don’t think anyone knows for certain how all of this information will be used. But we do know this: It is in the wrong hands.
And Microsoft’s Brad Smith told us it’s almost certain the hackers created additional backdoors and spread to other networks.
The revelation this past December came at a fraught time in the U.S. President Trump was disputing the election, and tweeted China might be responsible for the hack. Within hours he was contradicted by his own secretary of state and attorney general. They blamed Russia. The Department of Homeland Security, FBI and intelligence agencies concurred. The prime suspect: the SVR, one of several Russian spy agencies the U.S. labels “advanced persistent threats.” Russia denies it was involved.
Brad Smith: I do think this was an act of recklessness. The world runs on software. It runs on information technology. But it can’t run with confidence if major governments are disrupting and attacking the software supply chain in this way.
Bill Whitaker: That almost sounds like you think that they went in to foment chaos?
Brad Smith: What we are seeing is the first use of this supply chain disruption tactic against the United States. But it’s not the first time we’ve witnessed it. The Russian government really developed this tactic in Ukraine.
...
Bill Whitaker: It’s hard to downplay the severity of this.
Chris Inglis: It is hard to downplay the severity of this. Because it’s only a stone’s throw from a computer network attack.
Chris Inglis spent 28 years commanding the nation’s best cyber warriors at the National Security Agency – seven as its deputy director – and now sits on the Cyberspace Solarium Commission – created by Congress to come up with new ideas to defend our digital domain.
Bill Whitaker: Why didn’t the government detect this?
Chris Inglis: The government is not looking on private sector networks. It doesn’t surveil private sector networks. That’s a responsibility that’s given over to the private sector. FireEye found it on theirs, many others did not. The government did not find it on their network, so that’s a disappointment.
Disappointment is an understatement. The Department of Homeland Security spent billions on a program called “Einstein” to detect cyber attacks on government agencies. The Russians outsmarted it. They circumvented the NSA, which gathers intelligence overseas, but is prohibited from surveilling U.S. computer networks. So the Russians launched their attacks from servers set up anonymously in the United States.
Bill Whitaker: This hack happened on American soil. It went through networks based in the United States. Are our defense capabilities constrained?
Chris Inglis: U.S. Intelligence Community, U.S. Department of Defense, can suggest what the intentions of other nations are based upon what they learn in their rightful work overseas. But they can’t turn around and focus their unblinking eye on the domestic infrastructure. That winds up making it more difficult for us.
...
It’s not everyday you meet someone who builds cyber weapons as complex as those deployed by Russian intelligence. But Jon Miller, who started off as a hacker and now runs a company called Boldend, designs and sells cutting-edge cyber weapons to U.S. intelligence agencies.
Jon Miller: I build things much more sophisticated than this. What’s impressive is the scope of it. This is a watershed style attack. I would never do something like this. It creates too much damage.
Miller says with the SolarWinds attack, Russia has demonstrated that none of the software we take for granted is truly safe, including the apps on our telephones, laptops, and tablets. These days, he says, any device can be sabotaged.
Jon Miller: When you buy something from a tech company, a new phone or a laptop, you trust that that is secure when they give it to you. And what they’ve shown us in this attack is that is not the case. They have the ability to compromise those supply chains and manipulate whatever they want. Whether it’s financial data, source code, the functionality of these products. They can take control.
Bill Whitaker: So, for instance, they could destroy all the computers on a network?
Jon Miller: Oh, easily. The malware that they deployed off of SolarWinds, it didn’t have the functionality in it to do that. But to do that is trivial. Couple dozen lines of code.
...
———–
“Much of the damage had already been done. The U.S. Justice Department acknowledged the Russians spent months inside their computers accessing email traffic – but the department won’t tell us exactly what was taken. It’s the same at Treasury, Commerce, the NIH, Energy. Even the agency that protects and transports our nuclear arsenal. The hackers also hit the biggest names in high tech.”
The SolarWinds hackers spent months inside numerous US government agency networks. Presumably from February 2020 until December 2020. 10 or so months of emails. That’s a lot of government emails. It makes the “Hillary’s emails” stories sound like a sweet lullaby of yesteryear.
But the SolarWinds hack was obviously not just targeting the US government. Thousands of companies were hit too. And yet, when asked, the President of Microsoft insists, “I think this target list tells us that this is clearly a foreign intelligence agency”. It’s what it looks like when everyone plays dumb professionally:
...
Bill Whitaker: So, what does that target list tell you?
Brad Smith: I think this target list tells us that this is clearly a foreign intelligence agency. It exposes the secrets potentially of the United States and other governments as well as private companies. I don’t think anyone knows for certain how all of this information will be used. But we do know this: It is in the wrong hands.
And Microsoft’s Brad Smith told us it’s almost certain the hackers created additional backdoors and spread to other networks.
The revelation this past December came at a fraught time in the U.S. President Trump was disputing the election, and tweeted China might be responsible for the hack. Within hours he was contradicted by his own secretary of state and attorney general. They blamed Russia. The Department of Homeland Security, FBI and intelligence agencies concurred. The prime suspect: the SVR, one of several Russian spy agencies the U.S. labels “advanced persistent threats.” Russia denies it was involved.
...
Also note how the fact that the SolarWinds hack was conducted with US-based servers, and the fact that the NSA isn’t mandated with monitoring US networks, is turning into an argument for giving the NSA authority to monitor US networks. This is a good time to recall the story from earlier this year about the DARPA projects involving the creation of autonomous anti-virus software that can traverse networks, which sounds awfully similar to the “Project TURBINE” plan for mass automated malware implantation. Automated ‘anti-malware’ delivered by goodware. As questions about the constitutionality of NSA monitoring of domestic networks get raised, don’t be surprised if automated ‘goodware’ solutions are offered:
...
Chris Inglis spent 28 years commanding the nation’s best cyber warriors at the National Security Agency – seven as its deputy director – and now sits on the Cyberspace Solarium Commission – created by Congress to come up with new ideas to defend our digital domain.
Bill Whitaker: Why didn’t the government detect this?
Chris Inglis: The government is not looking on private sector networks. It doesn’t surveil private sector networks. That’s a responsibility that’s given over to the private sector. FireEye found it on theirs, many others did not. The government did not find it on their network, so that’s a disappointment.
Disappointment is an understatement. The Department of Homeland Security spent billions on a program called “Einstein” to detect cyber attacks on government agencies. The Russians outsmarted it. They circumvented the NSA, which gathers intelligence overseas, but is prohibited from surveilling U.S. computer networks. So the Russians launched their attacks from servers set up anonymously in the United States.
Bill Whitaker: This hack happened on American soil. It went through networks based in the United States. Are our defense capabilities constrained?
Chris Inglis: U.S. Intelligence Community, U.S. Department of Defense, can suggest what the intentions of other nations are based upon what they learn in their rightful work overseas. But they can’t turn around and focus their unblinking eye on the domestic infrastructure. That winds up making it more difficult for us.
...
Finally note the assessment about the relative sophistication of the SolarWinds source code by Jon Miller, the former hacker who now runs a company called Boldend, which designs and sells cutting-edge cyber weapons to U.S. intelligence agencies. Miller wasn’t impressed by the sophistication. He admits to building things much more sophisticated (that are presumably sold to US intelligence agencies). What surprised Miller was the scale of the attack and that someone actually did something that created so much damage. It’s the kind of response from an industry professional (who isn’t playing dumb professionally) that points towards a reality where large scale hacks of this nature have long been possible, but assumed to be too inflammatory to execute without inviting serious repercussions. As Miller pointed out, this attack potentially tainted the entire global software supply chain. The same compiler attack that snuck the backdoor into SolarWinds’s Orion client tool could be reapplied to the software being developed by the tens of thousands of SolarWinds corporate and government clients. It really was a massive attack. But he’s not surprised someone was able to pull it off technically. He’s surprised someone actually did it. It’s an important distinction to keep in mind when assessing the nature of this attack. Thankfully, another possible nightmare scenario wasn’t executed. That being a scenario where malware is deployed that actually causes these networks to physically destroy themselves. But they could have if they wanted to:
...
It’s not everyday you meet someone who builds cyber weapons as complex as those deployed by Russian intelligence. But Jon Miller, who started off as a hacker and now runs a company called Boldend, designs and sells cutting-edge cyber weapons to U.S. intelligence agencies.
Jon Miller: I build things much more sophisticated than this. What’s impressive is the scope of it. This is a watershed style attack. I would never do something like this. It creates too much damage.
Miller says with the SolarWinds attack, Russia has demonstrated that none of the software we take for granted is truly safe, including the apps on our telephones, laptops, and tablets. These days, he says, any device can be sabotaged.
Jon Miller: When you buy something from a tech company, a new phone or a laptop, you trust that that is secure when they give it to you. And what they’ve shown us in this attack is that is not the case. They have the ability to compromise those supply chains and manipulate whatever they want. Whether it’s financial data, source code, the functionality of these products. They can take control.
Bill Whitaker: So, for instance, they could destroy all the computers on a network?
Jon Miller: Oh, easily. The malware that they deployed off of SolarWinds, it didn’t have the functionality in it to do that. But to do that is trivial. Couple dozen lines of code.
...
Miller is absolutely correct. SolarWinds wasn’t just the mega-hack of SolarWinds and its thousands of clients. It was potentially the hack of the global technological supply chain. Someone executed a very very big hack.
CitizenLab Issues a Warning to the World: Someone is Hacking the Sh*t Out of Microsoft. Legally. Meet Candiru
It was the middle of July this year when the stories of the mega-hacks took a sudden turn. After months of disclosing (and denying) one hack after another involving a Microsoft vulnerability, CitizenLab had a dramatic, and thematically appropriate, new security warning: a mercenary spyware company has been selling an exploit used against Windows users in several countries, including Iran, Lebanon, Spain and the United Kingdom. Beyond that, the malware has been found targeting activists, which isn’t particularly surprising given the fact that Candiru’s clients are governments. Candiru’s exploits aren’t solely against Microsoft products. Google’s popular Chrome browser is also a target. But it sounds like Candiru specializes in Microsoft products.
Microsoft fixed the vulnerabilities identified in CitizenLab’s report. Curiously, in its report on the fix, Microsoft never refers to Candiru by name. Instead, it refers to it as an “Israel-based private sector offensive actor” which the company codenamed Sourgum. Google also issued a report on Candiru’s targeting of activists and the zero-day exploits discovered used against activists. Google also didn’t refer to Candiru by name.
So at least one Candiru customer — but perhaps more than one — was running around using zero-day exploits against activists and they got caught. Because it was blamed on Candiru it couldn’t be attributed to Russia or China. So who got blamed for these discovered hacks against activists? No one:
Reuters
Microsoft says Israeli group sold tools to hack Windows
Christopher Bing
July 15, 2021 4:45 PM CDT (Updated)
July 15 (Reuters) — An Israeli group sold a tool to hack into Microsoft Windows, Microsoft and technology human rights group Citizen Lab said on Thursday, shedding light on the growing business of finding and selling tools to hack widely used software.
The hacking tool vendor, named Candiru, created and sold a software exploit that can penetrate Windows, one of many intelligence products sold by a secretive industry that finds flaws in common software platforms for their clients, said a report by Citizen Lab.
Technical analysis by security researchers details how Candiru’s hacking tool spread around the globe to numerous unnamed customers, where it was then used to target various civil society organizations, including a Saudi dissident group and a left-leaning Indonesian news outlet, the reports by Citizen Lab and Microsoft show.
...
Evidence of the exploit recovered by Microsoft Corp (MSFT.O) suggested it was deployed against users in several countries, including Iran, Lebanon, Spain and the United Kingdom, according to the Citizen Lab report.
“Candiru’s growing presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse,” Citizen Lab said in its report.
Microsoft fixed the discovered flaws on Tuesday through a software update. Microsoft did not directly attribute the exploits to Candiru, instead referring to it as an “Israel-based private sector offensive actor” under the codename Sourgum.
“Sourgum generally sells cyberweapons that enable its customers, often government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and internet-connected devices,” Microsoft wrote in a blog post. “These agencies then choose who to target and run the actual operations themselves.”
Candiru’s tools also exploited weaknesses in other common software products, like Google’s Chrome browser.
On Wednesday, Google (GOOGL.O) released a blog post where it disclosed two Chrome software flaws that Citizen Lab found connected to Candiru. Google also did not refer to Candiru by name, but described it as a “commercial surveillance company.” Google patched the two vulnerabilities earlier this year.
Cyber arms dealers like Candiru often chain multiple software vulnerabilities together to create effective exploits that can reliably break into computers remotely without a target’s knowledge, computer security experts say.
Those types of covert systems cost millions of dollars and are often sold on a subscription basis, making it necessary for customers to repeatedly pay a provider for continued access, people familiar with the cyber arms industry told Reuters.
“No longer do groups need to have the technical expertise, now they just need resources,” Google wrote in its blog post.
———–
“Microsoft says Israeli group sold tools to hack Windows” by Christopher Bing; Reuters; 07/15/2021
““No longer do groups need to have the technical expertise, now they just need resources,” Google wrote in its blog post.”
Are you a government with cash to burn? Welcome to the world of elite hackers. Just be sure to maintain your subscription fees.
Google’s researchers weren’t exaggerating. It really is just a matter of having the resources — and permission from the Israeli (and US?) government(s?) — for a government to go from having virtually no cyber capabilities to having a suite of zero-day exploits capable of defeating the top technology firms in the world.
And yet it’s kind of interesting that both Google and Microsoft didn’t actually name Candiru in their reports. Microsoft refers to Candiru with its own made up codename Sourgum. Although Microsoft does point out in its report that Citizen Lab identified Sourgum as Candiru. But that’s the only reference to Candiru in the report. And Google’s report on Candiru just refers to a “commercial surveillance company.” Recall that this is the same language Google used in its report on the three zero-day exploits discovered targeting Armenian activists. So Google and Microsoft appear to go out of their way to avoid naming names in their reports when the culprit is a private company:
...
Microsoft fixed the discovered flaws on Tuesday through a software update. Microsoft did not directly attribute the exploits to Candiru, instead referring to it as an “Israel-based private sector offensive actor” under the codename Sourgum.
“Sourgum generally sells cyberweapons that enable its customers, often government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and internet-connected devices,” Microsoft wrote in a blog post. “These agencies then choose who to target and run the actual operations themselves.”
...
On Wednesday, Google (GOOGL.O) released a blog post where it disclosed two Chrome software flaws that Citizen Lab found connected to Candiru. Google also did not refer to Candiru by name, but described it as a “commercial surveillance company.” Google patched the two vulnerabilities earlier this year.
...
Also note how Candiru’s toolkit doesn’t just include an array of Microsoft exploits. It also hits other common non-Microsoft apps like Google’s Chrome. And as the article notes, cyber arms dealers like Candiru often chain multiple software vulnerabilities together to create effective exploits. In other words, these toolkits have to consist of numerous zero-day exploits. That’s the underlying product these companies are selling: toolkits that chain together multiple zero-day exploits:
...
Candiru’s tools also exploited weaknesses in other common software products, like Google’s Chrome browser.
...
Cyber arms dealers like Candiru often chain multiple software vulnerabilities together to create effective exploits that can reliably break into computers remotely without a target’s knowledge, computer security experts say.
...
Days after Microsoft was forced to patch these vulnerabilities, the company issued an update on the actions it was taking against Candiru’s malware as well as the scope of the use of this malware: Microsoft claimed it blocked tools used to spy on more than 100 people around the world, including politicians, human rights activists, journalists, academics and political dissidents. Politicians got hit too. It’s not surprising, but a notable admission. Precision attacks were identified in the Palestinian territory, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia, and Singapore.
Intriguingly, Citizen Lab said Candiru’s spyware infrastructure included websites “masquerading as advocacy organizations” such as Amnesty International and Black Lives Matter. So the next time you hear about a Black Lives Matter website and it’s automatically attributed to Russia and the Internet Research Agency, keep this ‘feature’ in mind. Candiru was selling tools specifically to mimic left-wing organizations. Also keep in mind that it’s Amnesty International that released a big NSO Group expose days after Candiru’s malware was revealed, so there are probably quite a few people in the cybersecurity industry itself with an interest in spying on people affiliated with Amnesty International:
Associated Press
Microsoft says it blocked spying on rights activists, others
By ALAN SUDERMAN
July 15, 2021
RICHMOND, Va. (AP) — Microsoft said Thursday it has blocked tools developed by an Israeli hacker-for-hire company that were used to spy on more than 100 people around the world, including politicians, human rights activists, journalists, academics and political dissidents.
Microsoft issued a software update and worked with the Citizen Lab at the University of Toronto to investigate the secretive Israeli company behind the hacking efforts. Citizen Lab said the company goes by several names including Candiru, which according to legend is a parasitic fish found in the Amazon that attacks human private parts.
Microsoft said people targeted in “precision attacks” by the spyware were located in the Palestinian territory, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia, and Singapore. Microsoft did not name the targets but described them generally by category.
Citizen Lab said Candiru’s spyware infrastructure included websites “masquerading as advocacy organizations” such as Amnesty International and Black Lives Matter.
The reports by Microsoft and Citizen Lab shine new light on an opaque and lucrative industry of selling sophisticated hacking tools to governments and law enforcement agencies. Critics say such tools are often misused by authoritarian governments against innocent people.
“A world where private sector companies manufacture and sell cyberweapons is more dangerous for consumers, businesses of all sizes and governments,” Microsoft said in a blog post.
...
Microsoft said the business model for companies such as Candiru is to sell its services to government agencies, which then likely choose the targets and run the operations themselves.
Citizen Lab published parts of what it said were a leaked proposal by Candiru for hacking services that offered a la carte hacking options. For 16 million euros ($18.9 million), the company would allow the customer to monitor 10 devices simultaneously in a single country. For an extra 5.5 million euros ($6.5 million), 25 additional devices could be monitored in five more countries.
Citizen Lab said Candiru’s spyware targets computers, mobile devices and cloud accounts.
Thursday’s disclosure by Microsoft was part of what the company said was a broader effort to “address the dangers” caused by hacker-for-hire companies. Microsoft is supporting Facebook in its lawsuit against NSO Group, which is also based in Israel and is perhaps the most prominent private offensive spyware company.
Facebook filed a federal civil suit in 2019 alleging that NSO Group targeted some 1,400 users of Facebook’s encrypted messaging service WhatsApp with highly sophisticated spyware.
————-
“Microsoft issued a software update and worked with the Citizen Lab at the University of Toronto to investigate the secretive Israeli company behind the hacking efforts. Citizen Lab said the company goes by several names including Candiru, which according to legend is a parasitic fish found in the Amazon that attacks human private parts.”
Candiru is so secretive it uses secret identities. Secrecy that’s probably driven, in part, by the fact that it’s crafting the digital infrastructure governments are using to hack civil society. Organizations like Black Lives Matter and Amnesty International. That’s the kind of activity one might hide from. Presumably the utility of these fake websites is to direct people there to deliver the malware, which implies the targets of this malware were at least sympathetic to Black Lives Matter and Amnesty International. Just think about how many schemes targeting Black Lives Matter attributed to Russia since 2016 were actually a product of Candiru’s ready-to-use toolkit. Or some other “commercial surveillance vendor” selling similar tools:
...
Citizen Lab said Candiru’s spyware infrastructure included websites “masquerading as advocacy organizations” such as Amnesty International and Black Lives Matter.
...
And note the price. Yeah, your average person can’t handle these kinds of subscription fees. But basically every government on the planet can. Easily:
...
Citizen Lab published parts of what it said were a leaked proposal by Candiru for hacking services that offered a la carte hacking options. For 16 million euros ($18.9 million), the company would allow the customer to monitor 10 devices simultaneously in a single country. For an extra 5.5 million euros ($6.5 million), 25 additional devices could be monitored in five more countries.
Citizen Lab said Candiru’s spyware targets computers, mobile devices and cloud accounts.
...
It’s too bad CitizenLab couldn’t get the actual subscription information for Candiru’s many clients to see just how many devices governments are paying to hack. It’s almost $2 million per hacked device. That’s probably a lot of people. And a lot of profit for Candiru’s investors.
2021: Year of the Zero-Day
Just how much money is being made by this mercenary spyware industry? We’ll obviously never know. But if the discovery of new zero-day exploits is any indication of the industry’s work, we can say 2021 has been a robust year for the industry. As the following Threatpost piece from July 15 describes, there were 33 zero-day exploits reported by that date this year compared to 22 zero-day exploits in 2020 in total. At this pace, 2021 will have triple the number of zero-day exploits of 2020, and 2020 was a record year. There’s simply been an explosion of discovered zero-days. For example, at the same time Google issued its own mid-July report on Candiru’s malware being used against activists, it also disclosed a new zero-day flaw against the iOS Safari browser that was targeting Western European government officials. They note in the report that ‘Russian-language actors’ were using the exploit at the same time ‘Nobelium’ was targeting users on Windows devices to deliver Cobalt Strike, suggesting the two are related.
Putting aside the already addressed problems with placing an emphasis on the ‘cultural artifact’ language clues hackers leave, it’s worth noting that the Nobelium hack targeting users on Windows devices was a reference to the USAID phishing attack. As we saw, Microsoft reported multiple zero-day pieces of malware deployed on the victims’ networks from the USAID attack. But Microsoft also reported the deployment of Cobalt Strike in its initial post about the phishing attack a day earlier. Which should come as no surprise. Cobalt Strike, a legitimate security tool that finds vulnerabilities in networks, has exploded in popularity and gone mainstream among criminals. In other words, we can’t infer much from the fact that this iOS Safari hack and a hack attributed to Nobelium both deployed Cobalt Strike. Cobalt Strike is what savvy cybercriminals use these days, and therefore not a trademark indicator of a particular actor. What is a notable coincidence between the USAID phishing hacks and the Safari hack is that both involve zero-day exploits. That’s the primary meaningful technical indicator shared between all of the hacks we are discussing here: zero-day exploits were deployed. And yet, we can only infer so much. We don’t know who is developing or deploying all these zero-days. We just know it could be a much broader range of actors than just Russia and China:
Threatpost
Safari Zero-Day Used in Malicious LinkedIn Campaign
Author: Elizabeth Montalbano
July 15, 2021 7:04 am
Researchers shed light on how attackers exploited Apple web browser vulnerabilities to target government officials in Western Europe.
Threat actors used a Safari zero-day flaw to send malicious links to government officials in Western Europe via LinkedIn before researchers from Google discovered and reported the vulnerability.
That’s the word from researchers from Google Threat Analysis Group (TAG) and Google Project Zero, who Wednesday posted a blog shedding more light on several zero-day flaws that they discovered so far this year. Researchers in particular detailed how attackers exploited the vulnerabilities—the prevalence of which are on the rise–before they were addressed by their respective vendors.
TAG researchers discovered the Safari WebKit flaw, tracked as CVE-2021-1879, on March 19. The vulnerability allowed for the processing of maliciously crafted web content for universal cross site scripting and was addressed by Apple in an update later that month.
Before the fix, researchers assert Russian-language threat actors were exploiting the vulnerability in the wild by using LinkedIn Messaging to send government officials from Western European countries malicious links that could collect website-authentication cookies, according to the post by Maddie Stone and Clement Lecigne from Google TAG.
“If the target visited the link from an iOS device, they would be redirected to an attacker-controlled domain that served the next-stage payloads,” they wrote.
The exploit, which targeted iOS versions 12.4 through 13.7, would turn off Same-Origin-Policy protections on an infected device to collect authentication cookies from several popular websites–including Google, Microsoft, LinkedIn, Facebook and Yahoo–and then send them via WebSocket to an attacker-controlled IP, researchers wrote. The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated.
Moreover, the campaign targeting iOS devices coincided with others from the same threat actor—which Microsoft has identified as Nobelium–targeting users on Windows devices to deliver Cobalt Strike, researchers wrote. Security firm Volexity described one of these attacks in a report posted online in May, the researchers added.
...
Other Zero-Day Attacks
Google researchers also linked three additional zero-day flaws they identified this year to a commercial surveillance vendor, according to Google TAG’s Shane Huntley. Two of those vulnerabilities, CVE-2021-21166 and CVE-2021-30551, were found in Chrome, and one, tracked as CVE-2021-33742, in Internet Explorer.
CVE-2021-21166 and CVE-2021-30551, two Chrome renderer remote-code execution (RCE) flaws, were identified separately but later believed to be used by the same actor, researchers wrote in the blog. Google researchers discovered the former in February and the latter in June.
“Both of these 0‑days were delivered as one-time links sent by email to the targets, all of whom we believe were in Armenia,” Stone and Lecigne wrote. “The links led to attacker-controlled domains that mimicked legitimate websites related to the targeted users.”
When prospective victims clicked the link, they were redirected to a webpage that would fingerprint their device, collect system information about the client, and generate ECDH keys to encrypt the exploits, researchers wrote. This info—which included screen resolution, timezone, languages, browser plugins, and available MIME types—would then be sent back to the exploit server and used by attackers to decide whether or not an exploit should be delivered to the target, they said.
Researchers also identified a separate campaign in April that also targeted Armenian users by leveraging CVE-2021-26411, an RCE bug found in Internet Explorer (IE). The campaign loaded web content within IE that contained malicious Office documents, researchers wrote.
“This happened by either embedding a remote ActiveX object using a Shell.Explorer.1 OLE object or by spawning an Internet Explorer process via VBA macros to navigate to a web page,” Stone and Lecigne explained.
At the time, researchers said they were unable to recover the next-stage payload, but successfully recovered the exploit after discovering an early June campaign from the same actors. Microsoft patched the flaw later that month, they said.
Why Is There an Increase in Zero-Days?
All in all, security researchers have identified 33 zero-day flaws so far in 2021, which is 11 more than the total number from 2020, according to the post.
While that trend reflects an increase in the number of these types of vulnerabilities that exist, Google researchers “believe greater detection and disclosure efforts are also contributing to the upward trend,” they wrote.
Still, it’s highly possible that attackers are indeed using more zero-day exploits for a few reasons, researchers noted. One is that the increase and maturation of security technologies and features means attackers also have to level up, which in turn requires more zero-day vulnerabilities for functional attack chains, they said.
The growth of mobile platforms also has resulted in an increase in the number of products that threat actors want to target—hence more reason to use zero-day exploits, researchers observed. Perhaps inspired by this increase in demand, commercial vendors also are selling more access to zero-days than in the early 2010s, they said.
Finally, the maturation of security protections and strategies also inspires sophistication on the part of attackers as well, boosting the need for them to use zero-day flaws to convince victims to install malware, researchers noted.
“Due to advancements in security, these actors now more often have to use 0‑day exploits to accomplish their goals,” Stone and Lecigne wrote.
———-
“Before the fix, researchers assert Russian-language threat actors were exploiting the vulnerability in the wild by using LinkedIn Messaging to send government officials from Western European countries malicious links that could collect website-authentication cookies, according to the post by Maddie Stone and Clement Lecigne from Google TAG.”
Russian-language threat actors are behind the big vulnerability found in Safari targeting iPhones, according to Google’s Threat Analysis Group (TAG). Malicious links were sent via the LinkedIn Messaging app to Western European government officials that, when clicked, stole the authentication cookies for sites like Google, Microsoft, LinkedIn, Facebook and Yahoo. The kind of hack that opens the victims up to more hacks, along with any organizations they work for. And the timing of this hacking campaign, the fact that it coincided with the ‘Nobelium’ USAID phishing campaign in May against Windows systems that delivered Cobalt Strike, suggests it’s the same actor behind both attacks.
But there’s a more significant technical link between the Safari hacking campaign targeting Western government officials and the USAID phishing campaign: both deployed zero-days. Microsoft reported the deployment of Cobalt Strike in its initial post about the hack but later reported multiple zero-day pieces of malware deployed on the victims’ networks from the USAID attack. That’s the real ‘clue’ tying these two hacks. It was someone sophisticated enough to have an abundance of zero-day hacks. Except, with it’s not really much of a clue the existence of an industry filled with secretive companies like Candiru. Numerous actors on the stage have access to cutting-edge zero-days. For all we know the Safari zero-day campaign and USAID phishing campaigns could both be different Candiru customers using ‘Russian language’ features to leave those ‘clues’ for CrowdStrike and others to find:
...
Moreover, the campaign targeting iOS devices coincided with others from the same threat actor—which Microsoft has identified as Nobelium–targeting users on Windows devices to deliver Cobalt Strike, researchers wrote. Security firm Volexity described one of these attacks in a report posted online in May, the researchers added.
...
Also note that the Microsoft zero-day exploits identified in a separate campaign in April targeting Armenian activists are a reference to the same Candiru exploits CitizenLab was reporting on. They aren’t all Microsoft vulnerabilities. Google’s Chrome browser was hit. But we’re also hearing about vulnerabilities in Internet Explorer, Office, and some other mystery payload that couldn’t even be recovered initially. That’s a lot of Microsoft holes. It fits the Candiru ‘pattern’:
...
Google researchers also linked three additional zero-day flaws they identified this year to a commercial surveillance vendor, according to Google TAG’s Shane Huntley. Two of those vulnerabilities–CVE-2021-21166 and CVE-2021-30551—were found in Chrome, and one, tracked as CVE-2021-33742, in Internet Explorer.
CVE-2021-21166 and CVE-2021-30551, two Chrome renderer remote-code execution (RCE) flaws, were identified separately but later believed to be used by the same actor, researchers wrote in the blog. Google researchers discovered the former in February and the latter in June.
“Both of these 0‑days were delivered as one-time links sent by email to the targets, all of whom we believe were in Armenia,” Stone and Lecigne wrote. “The links led to attacker-controlled domains that mimicked legitimate websites related to the targeted users.”
...
All in all, it’s been such a parade of zero-day exploits hitting Microsoft that we’ve heard about this year that it should come as no surprise to learn that, just over midway through this year, there have already been 50 percent more zero-day exploits announced than in the entire year of 2020. That’s triple the pace of 2020, and 2020 was a record year. Why is this happening? Well, more reporting is no doubt a factor. But as the Google security researchers admit, commercial vendors are selling more access to zero-day exploits than they were a decade ago. There are simply many more zero-day pieces of malware in existence and a growing number of actors with the ability to deploy them:
...
All in all, security researchers have identified 33 zero-day flaws so far in 2021, which is 11 more than the total number from 2020, according to the post.
While that trend reflects an increase in the number of these types of vulnerabilities that exist, Google researchers “believe greater detection and disclosure efforts are also contributing to the upward trend,” they wrote.
Still, it’s highly possible that attackers are indeed using more zero-day exploits for a few reasons, researchers noted. One is that the increase and maturation of security technologies and features means attackers also have to level up, which in turn requires more zero-day vulnerabilities for functional attack chains, they said.
The growth of mobile platforms also has resulted in an increase in the number of products that threat actors want to target—hence more reason to use zero-day exploits, researchers observed. Perhaps inspired by this increase in demand, commercial vendors also are selling more access to zero-days than in the early 2010s, they said.
...
We’ve seen a lot of ominous cyber warnings this year. But that stat of zero-days at triple last year’s rate is meta-ominous. It’s like the cyber version of the point in Marvel movies where the universe is on the cusp of exploding. Or imploding. Something really bad.
NSO Group: It’s Not Just a Cybermercenary. It’s a Tool of Israel’s Foreign Policy. A Very Important Tool MBS Covets
A couple of days later, we get our first big NSO Group update of July. The New York Times has a piece giving us a big update on the consequences NSO Group paid over the role its Pegasus software played in the killing of Saudi dissident Jamal Khashoggi. The company did pay a price. Or the owners did. Although, actually, they got paid: following Khashoggi’s killing, NSO Group investigated the Saudis’ use of its software and determined the contract should be canceled. And it was canceled, at which point the full diplomatic nature of these ‘export licenses’ became more apparent. The Israeli government pressured NSO Group to renew the Pegasus contract. When that didn’t happen, the owners sold to a European private equity group and the Saudi subscription to NSO Group’s tools was renewed. At the end of it all, the one party involved with the Jamal Khashoggi killing to pay a price was Khashoggi:
The New York Times
Israeli Companies Aided Saudi Spying Despite Khashoggi Killing
Ignoring concerns that Saudi Arabia was abusing Israeli spyware to crush dissent at home and abroad, Israel encouraged its companies to work with the kingdom.
By Ronen Bergman and Mark Mazzetti
July 17, 2021
TEL AVIV — Israel secretly authorized a group of cyber-surveillance firms to work for the government of Saudi Arabia despite international condemnation of the kingdom’s abuse of surveillance software to crush dissent, even after the Saudi killing of the journalist Jamal Khashoggi, government officials and others familiar with the contracts said.
After the murder of Mr. Khashoggi in 2018, one of the firms, NSO Group, canceled its contracts with Saudi Arabia amid accusations that its hacking tools were being misused to abet heinous crimes.
But the Israeli government encouraged NSO and two other companies to continue working with Saudi Arabia, and issued a new license for a fourth to do similar work, overriding any concerns about human rights abuses, according to one senior Israeli official and three people affiliated with the companies.
Since then, Saudi Arabia has continued to use the spyware to monitor dissidents and political opponents.
The fact that Israel’s government has encouraged its private companies to do security work for the kingdom — one of its historic adversaries and a nation that still does not formally recognize Israel — is yet more evidence of the reordering of traditional alliances in the region and the strategy by Israel and several Persian Gulf countries to join forces to isolate Iran.
NSO is by far the best known of the Israeli firms, largely because of revelations in the last few years that its Pegasus program was used by numerous governments to spy on, and eventually imprison, human rights activists.
NSO sold Pegasus to Saudi Arabia in 2017. The kingdom used the spyware as part of a ruthless campaign to crush dissent inside the kingdom and to hunt down Saudi dissidents abroad.
It is not publicly known whether Saudi Arabia used Pegasus or other Israeli-made spyware in the plot to kill Mr. Khashoggi. NSO has denied that its software was used.
Israel’s Ministry of Defense also licensed for Saudi work a company called Candiru, which Microsoft accused last week of helping its government clients spy on more than 100 journalists, politicians, dissidents and human rights advocates around the world.
Microsoft, which conducted its investigation in tandem with Citizen Lab, a research institute at the University of Toronto, said Candiru had used malware to exploit a vulnerability in Microsoft products, enabling its government clients to spy on perceived enemies.
Candiru has had at least one contract with Saudi Arabia since 2018.
Israel has also granted licenses to at least two other firms, Verint, which was licensed before the Khashoggi killing, and Quadream, which signed a contract with Saudi Arabia after the killing.
A fifth company, Cellebrite, which manufactures physical hacking systems for mobile phones, has also sold its services to the Saudi government, but without ministry approval, according to the newspaper Haaretz.
Israel insists that if any Israeli spyware were used to violate civil rights that it would revoke the company’s license.
If the Defense Ministry “discovers that the purchased item is being used in contravention of the terms of the license, especially after any violation of human rights, a procedure of cancellation of the defense export license or of enforcing its terms is initiated,” the ministry said in a statement in response to questions from The New York Times.
The ministry declined to respond to specific questions about the licenses it gave to the Israeli firms, but said that “a wide range of security, diplomatic and strategic considerations are taken into account” when considering whether to grant a license to export offensive cyber technology.
Revelations about the abuses of NSO products led the company to hire a group of outside consultants in 2018 to provide advice about which new clients NSO should take on and which to avoid. The group included Daniel Shapiro, the former Obama administration ambassador to Israel, and Beacon Global Strategies, a Washington strategic consulting firm.
Beacon is led by Jeremy Bash, a former C.I.A. and Pentagon chief of staff; Michael Allen, a former staff director for the House Intelligence Committee; and Andrew Shapiro, a former top State Department official.
While the group’s mandate was to vet potential new clients, the international outrage over Mr. Khashoggi’s killing in October 2018 led the group to advise NSO to cancel its Saudi contracts and shut down NSO systems in the kingdom.
Separately, NSO conducted an internal investigation into whether any of its tools were used by Saudi officials for the Khashoggi operation and concluded that they were not. However, a lawsuit against NSO by a friend of Mr. Khashoggi’s claims that his phone had been hacked by Saudi Arabia using Pegasus, and that hack gave Saudi officials access to his conversations with Mr. Khashoggi, including communications about opposition projects.
Over several days in late 2018, executives both of NSO and the private equity firm that owned it at the time, Francisco Partners, met in Washington with the advisory group.
According to several people familiar with the meetings, the NSO executives argued that the Israeli government was strongly encouraging the company to weather the storm and continue its work in Saudi Arabia. They also said that Israeli officials had indicated to them that the Trump administration also wanted NSO’s work with Saudi Arabia to continue.
In the end, NSO management heeded the advice of the outside group and canceled its contracts with Saudi Arabia in late 2018. Mr. Shapiro, the former ambassador to Israel, ended his work for the company shortly afterward.
Months later, however, after another private equity firm bought NSO, the company was once again doing business with Saudi Arabia.
NSO’s new owner, Novalpina, rejected the advice of the outside advisory group and NSO resumed its work in Saudi Arabia in mid-2019. Around that time, Beacon ended its work with NSO.
The new contract with the Saudis came with some restrictions. For example, NSO set up its system to block any attempts by Saudi officials to hack European telephone numbers, according to a person familiar with the programming.
But it is clear that Saudi Arabia has continued to use NSO software to spy on perceived opponents abroad.
In one case that has come to light, three dozen phones belonging to journalists at Al Jazeera, which Saudi Arabia considers a threat, were hacked using NSO’s Pegasus software last year, according to Citizen Lab. Citizen Lab traced 18 of the attacks back to Saudi intelligence.
After the revelation of the attack on Al Jazeera journalists, NSO recently shut down the system, and at a meeting in early July, the company’s board decided to declare new deals with Saudi Arabia off limits, according to a person familiar with the decision.
Israel’s defense ministry is currently fighting lawsuits by Israeli rights activists demanding that it release details about its process for granting the licenses.
The Israeli government also imposes strict secrecy on the companies that receive the licenses, threatening to revoke them if the companies speak publicly about the identity of their clients.
...
These business ties came as Israel was quietly building relationships directly with the Saudi government.
Benjamin Netanyahu, then Israel’s prime minister, met several times with Saudi Arabia’s day-to-day ruler, Crown Prince Mohammed bin Salman, and military and intelligence leaders of the two countries meet frequently.
While Saudi Arabia was not officially party to the Abraham Accords — the diplomatic initiatives during the end of the Trump administration normalizing relations between Israel and several Arab countries — Saudi leaders worked behind the scenes to help broker the deals.
————–
“The fact that Israel’s government has encouraged its private companies to do security work for the kingdom — one of its historic adversaries and a nation that still does not formally recognize Israel — is yet more evidence of the reordering of traditional alliances in the region and the strategy by Israel and several Persian Gulf countries to join forces to isolate Iran.”
It wasn’t just a national security tool. Pegasus was effectively being used as a diplomatic tool. A diplomatic tool to help bring Saudi Arabia and other Persian Gulf neighbors into an alliance against Iran. Which, we’ll recall, was the meta-theme throughout the #TrumpRussia adventures involving Michael Flynn, Erik Prince, Michael Cohen, and the Saudi/UAE scheme to build nuclear power plants across the Middle East (except for Iran). The security relationship between the US, Israel, Saudi Arabia, and the UAE got a lot deeper over the last decade and it’s hard to avoid suspicions that sharing access to super spyware tools like NSO Group’s Pegasus was part of that deepening relationship. Just look at the language the Israeli Defense Ministry used when describing the process that goes into approving one of these licenses: “a wide range of security, diplomatic and strategic considerations are taken into account” when considering whether to grant a license to export offensive cyber technology. That’s one way to put it:
...
Israel insists that if any Israeli spyware were used to violate civil rights that it would revoke the company’s license.
If the Defense Ministry “discovers that the purchased item is being used in contravention of the terms of the license, especially after any violation of human rights, a procedure of cancellation of the defense export license or of enforcing its terms is initiated,” the ministry said in a statement in response to questions from The New York Times.
The ministry declined to respond to specific questions about the licenses it gave to the Israeli firms, but said that “a wide range of security, diplomatic and strategic considerations are taken into account” when considering whether to grant a license to export offensive cyber technology.
...
And as we saw, NSO Group isn’t the only company with hacking tools the Israeli government was licensing to Saudi Arabia at this time. One company, Quadream, even signed its contracts with Saudi Arabia after Khashoggi’s killing. So when NSO Group claims that it canceled the Saudi contracts in the wake of the Khashoggi killing, but was then encouraged by the Israeli government to continue working with Saudi Arabia, it’s not an implausible scenario. The licensing of cutting-edge hacking tools is clearly part of the Israeli diplomatic playbook. Which isn’t a surprise. It’s a powerful diplomatic tool. Crazy dangerous, but powerful:
...
After the murder of Mr. Khashoggi in 2018, one of the firms, NSO Group, canceled its contracts with Saudi Arabia amid accusations that its hacking tools were being misused to abet heinous crimes.
But the Israeli government encouraged NSO and two other companies to continue working with Saudi Arabia, and issued a new license for a fourth to do similar work, overriding any concerns about human rights abuses, according to one senior Israeli official and three people affiliated with the companies.
Since then, Saudi Arabia has continued to use the spyware to monitor dissidents and political opponents.
...
NSO sold Pegasus to Saudi Arabia in 2017. The kingdom used the spyware as part of a ruthless campaign to crush dissent inside the kingdom and to hunt down Saudi dissidents abroad.
...
Israel’s Ministry of Defense also licensed for Saudi work a company called Candiru, which Microsoft accused last week of helping its government clients spy on more than 100 journalists, politicians, dissidents and human rights advocates around the world.
...
Israel has also granted licenses to at least two other firms, Verint, which was licensed before the Khashoggi killing, and Quadream, which signed a contract with Saudi Arabia after the killing.
A fifth company, Cellebrite, which manufactures physical hacking systems for mobile phones, has also sold its services to the Saudi government, but without ministry approval, according to the newspaper Haaretz.
...
The Israeli government also imposes strict secrecy on the companies that receive the licenses, threatening to revoke them if the companies speak publicly about the identity of their clients.
...
But, again, the sale of this kind of super-hacking software to governments around the world probably wasn’t just an Israeli government project. The US government would almost surely have been involved in giving its approval, if only informally. So we shouldn’t be surprised to learn NSO Group hired DC-based Beacon Global Strategies — led by US national security community figureheads like Jeremy Bash — to effectively give its blessing to NSO Group’s more controversial clients. The picture that emerges from the various accounts of NSO Group’s internal deliberations is one where NSO Group wanted to drop the contract but felt it was effectively being asked by the Israeli government and Trump administration to continue the Saudi contract:
...
Revelations about the abuses of NSO products led the company to hire a group of outside consultants in 2018 to provide advice about which new clients NSO should take on and which to avoid. The group included Daniel Shapiro, the former Obama administration ambassador to Israel, and Beacon Global Strategies, a Washington strategic consulting firm.
Beacon is led by Jeremy Bash, a former C.I.A. and Pentagon chief of staff; Michael Allen, a former staff director for the House Intelligence Committee; and Andrew Shapiro, a former top State Department official.
While the group’s mandate was to vet potential new clients, the international outrage over Mr. Khashoggi’s killing in October 2018 led the group to advise NSO to cancel its Saudi contracts and shut down NSO systems in the kingdom.
Separately, NSO conducted an internal investigation into whether any of its tools were used by Saudi officials for the Khashoggi operation and concluded that they were not. However, a lawsuit against NSO by a friend of Mr. Khashoggi’s claims that his phone had been hacked by Saudi Arabia using Pegasus, and that hack gave Saudi officials access to his conversations with Mr. Khashoggi, including communications about opposition projects.
Over several days in late 2018, executives both of NSO and the private equity firm that owned it at the time, Francisco Partners, met in Washington with the advisory group.
According to several people familiar with the meetings, the NSO executives argued that the Israeli government was strongly encouraging the company to weather the storm and continue its work in Saudi Arabia. They also said that Israeli officials had indicated to them that the Trump administration also wanted NSO’s work with Saudi Arabia to continue.
...
And then, at the end of all that consulting about what to do about its Saudi contract, NSO Group canceled the contract. Months later the company was sold to a new private equity group and the contract was re-opened. The commitment on the part of the Israeli government and Trump administration to providing Saudi Arabia with these hacking tools was so intense that NSO Group somehow found a new owner who was open to that Saudi contract:
...
In the end, NSO management heeded the advice of the outside group and canceled its contracts with Saudi Arabia in late 2018. Mr. Shapiro, the former ambassador to Israel, ended his work for the company shortly afterward.
Months later, however, after another private equity firm bought NSO, the company was once again doing business with Saudi Arabia.
NSO’s new owner, Novalpina, rejected the advice of the outside advisory group and NSO resumed its work in Saudi Arabia in mid-2019. Around that time, Beacon ended its work with NSO.
The new contract with the Saudis came with some restrictions. For example, NSO set up its system to block any attempts by Saudi officials to hack European telephone numbers, according to a person familiar with the programming.
But it is clear that Saudi Arabia has continued to use NSO software to spy on perceived opponents abroad.
...
It’s worth keeping in mind that it’s possible Saudi Arabia was tasked with a role similar to the one Israel has long played in the Western alliance: spying on other Western allies. Might that be part of the reason Israel and the US were insistent Saudi Arabia get access to these tools? Outsourcing the outsourced ally-spying? Perhaps.
It’s also possible the Saudis were making access to NSO Group tools a requirement for the broader Middle East peace plan the Trump administration and Jared Kushner were working on, and this story reflects the unusual circumstances under which the US and Israel were acquiescing to those demands. But these aren’t normal demands. These are tools approaching NSA and GCHQ capabilities in many respects. It’s hard to imagine the US and Israel casually giving this kind of power away, even to a long-standing military ally like Saudi Arabia. That’s part of why questions about deeper intelligence-sharing pacts and/or illicit quid-pro-quo spying arrangements are so intriguing in this story. NSO Group was peddling digital nuclear weapons. That couldn’t have been treated lightly by the US and Israel. And yet 40 or so governments got their hands on these digital nuclear weapons. What kind of arrangements were made to ensure the inevitable abuses of these tools don’t target US and Israeli interests? A promise not to abuse them? It’s a massive question looming over this story (and the answers point towards little more than promises).
NSO Group’s Worst Nightmare: Sunshine. Lots of Sunshine on Its Shady Activities from Forbidden Stories and Amnesty International
A day after that explosive NY Times report, the Washington Post brings us a write-up of a huge new investigation released by Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International, based on thousands of leaked phone numbers that were purportedly the target phone numbers of NSO Group’s feared Pegasus spyware. Phone numbers that, as we’ll see, include major world leaders like Emmanuel Macron. And if those thousands of numbers really are an accurate target list, it was rampant abuse, with activists and rival politicians frequently on the target list. There’s also a new unstoppable zero-day exploit that worked simply by sending an SMS text message or iMessage to smartphones. 60 government agencies in 40 countries were allowed to buy subscriptions to the software and, again, they policed themselves. It started with Mexico getting a subscription in 2011. So the Pegasus super spyware has been sold for a decade now to a growing list of government agencies. Those unlucky Armenian activists had a lot of company.
What is NSO Group’s response to this report? Pointing out that it’s up to the governments to decide who gets targeted and NSO Group doesn’t know. And while that may not be the best response to the criticism, since it’s more or less an admission the abuse allegations are likely true, it’s an entirely plausible response. NSO Group’s tools are probably entirely controlled by the governments who buy these subscriptions. It’s absurd to expect governments to hand information like their intelligence targets over to NSO Group. That’s part of what’s so scandalous about this industry supplying super-spyware to governments: it’s hard to imagine a scenario where meaningful oversight is possible. It’s an industry built for unchecked secrecy by the clients, and that’s an industry built for abuse.
And yet we are told there are geolocation restrictions on the software and US-based smartphones can’t be targeted by NSO Group’s tools. The phone number list in the report appears to bear that out. So there is some degree of oversight, solely based on location. But that’s it. All other oversight is up to the client, hence all the activists, journalists, and political opponent phone numbers that show up on the target list:
The Washington Post
Private Israeli spyware used to hack cellphones of journalists, activists worldwide
NSO Group’s Pegasus spyware, licensed to governments around the globe, can infect phones without a click
By Dana Priest, Craig Timberg and Souad Mekhennet
Updated July 18 at 8:15 p.m. Originally published July 18, 2021
Military-grade spyware licensed by an Israeli firm to governments for tracking terrorists and criminals was used in attempted and successful hacks of 37 smartphones belonging to journalists, human rights activists, business executives and two women close to murdered Saudi journalist Jamal Khashoggi, according to an investigation by The Washington Post and 16 media partners.
The phones appeared on a list of more than 50,000 numbers that are concentrated in countries known to engage in surveillance of their citizens and also known to have been clients of the Israeli firm, NSO Group, a worldwide leader in the growing and largely unregulated private spyware industry, the investigation found.
The list does not identify who put the numbers on it, or why, and it is unknown how many of the phones were targeted or surveilled. But forensic analysis of the 37 smartphones shows that many display a tight correlation between time stamps associated with a number on the list and the initiation of surveillance, in some cases as brief as a few seconds.
Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International, a human rights group, had access to the list and shared it with the news organizations, which did further research and analysis. Amnesty’s Security Lab did the forensic analyses on the smartphones.
The numbers on the list are unattributed, but reporters were able to identify more than 1,000 people spanning more than 50 countries through research and interviews on four continents: several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials — including cabinet ministers, diplomats, and military and security officers. The numbers of several heads of state and prime ministers also appeared on the list.
Among the journalists whose numbers appear on the list, which dates to 2016, are reporters working overseas for several leading news organizations, including a small number from CNN, the Associated Press, Voice of America, the New York Times, the Wall Street Journal, Bloomberg News, Le Monde in France, the Financial Times in London and Al Jazeera in Qatar.
The targeting of the 37 smartphones would appear to conflict with the stated purpose of NSO’s licensing of the Pegasus spyware, which the company says is intended only for use in surveilling terrorists and major criminals. The evidence extracted from these smartphones, revealed here for the first time, calls into question pledges by the Israeli company to police its clients for human rights abuses.
The media consortium, titled the Pegasus Project, analyzed the list through interviews and forensic analysis of the phones, and by comparing details with previously reported information about NSO. Amnesty’s Security Lab examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration.
For the remaining 30, the tests were inconclusive, in several cases because the phones had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, Androids do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
Amnesty shared backup copies of data on four iPhones with Citizen Lab, which confirmed that they showed signs of Pegasus infection. Citizen Lab, a research group at the University of Toronto that specializes in studying Pegasus, also conducted a peer review of Amnesty’s forensic methods and found them to be sound.
In lengthy responses before publication, NSO called the investigation’s findings exaggerated and baseless. It also said it does not operate the spyware licensed to its clients and “has no insight” into their specific intelligence activities.
After publication, NSO chief executive Shalev Hulio expressed concern in a phone interview with The Post about some of the details he had read in Pegasus Project stories Sunday, while continuing to dispute that the list of more than 50,000 phone numbers had anything to do with NSO or Pegasus.
“The company cares about journalists and activists and civil society in general,” Hulio said. “We understand that in some circumstances our customers might misuse the system and, in some cases like we reported in [NSO’s] Transparency and Responsibility Report, we have shut down systems for customers who have misused the system.”
He said that in the past 12 months NSO had terminated two contracts over allegations of human rights abuses, but he declined to name the countries involved.
“Every allegation about misuse of the system is concerning me,” he said. “It violates the trust that we give customers. We are investigating every allegation.”
NSO describes its customers as 60 intelligence, military and law enforcement agencies in 40 countries, although it will not confirm the identities of any of them, citing client confidentiality obligations. The consortium found many of the phone numbers in at least 10 country clusters, which were subjected to deeper analysis: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates. Citizen Lab also has found evidence that all 10 have been clients of NSO, according to Bill Marczak, a senior research fellow.
Forbidden Stories organized the media consortium’s investigation, and Amnesty provided analysis and technical support but had no editorial input. Amnesty has openly criticized NSO’s spyware business and supported an unsuccessful lawsuit against the company in an Israeli court seeking to have its export license revoked. After the investigation began, several reporters in the consortium learned that they or their family members had been successfully attacked with Pegasus spyware.
Beyond the personal intrusions made possible by smartphone surveillance, the widespread use of spyware has emerged as a leading threat to democracies worldwide, critics say. Journalists under surveillance cannot safely gather sensitive news without endangering themselves and their sources. Opposition politicians cannot plot their campaign strategies without those in power anticipating their moves. Human rights workers cannot work with vulnerable people — some of whom are victims of their own governments — without exposing them to renewed abuse.
For example, Amnesty’s forensics found evidence that Pegasus was targeted at the two women closest to Saudi columnist Khashoggi, who wrote for The Post’s Opinions section. The phone of his fiancee, Hatice Cengiz, was successfully infected during the days after his murder in Turkey on Oct. 2, 2018, according to a forensic analysis by Amnesty’s Security Lab. Also on the list were the numbers of two Turkish officials involved in investigating his dismemberment by a Saudi hit team. Khashoggi also had a wife, Hanan Elatr, whose phone was targeted by someone using Pegasus in the months before his killing. Amnesty was unable to determine whether the hack was successful.
“This is nasty software — like eloquently nasty,” said Timothy Summers, a former cybersecurity engineer at a U.S. intelligence agency and now director of IT at Arizona State University. With it “one could spy on almost the entire world population. … There’s not anything wrong with building technologies that allows you to collect data; it’s necessary sometimes. But humanity is not in a place where we can have that much power just accessible to anybody.”
In response to detailed questions from the consortium before publication, NSO said in a statement that it did not operate the spyware it licensed to clients and did not have regular access to the data they gather. The company also said its technologies have helped prevent attacks and bombings and broken up rings that trafficked in drugs, sex and children. “Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds,” NSO said. “Your sources have supplied you with information that has no factual basis, as evidenced by the lack of supporting documentation for many of the claims.”
The company denied that its technology was used against Khashoggi, or his relatives or associates.
...
Thomas Clare, a libel attorney hired by NSO, said that the consortium had “apparently misinterpreted and mischaracterized crucial source data on which it relied” and that its reporting contained flawed assumptions and factual errors.
“NSO Group has good reason to believe that this list of ‘thousands of phone numbers’ is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes,” Clare wrote.
In response to follow-up questions, NSO called the 50,000 number “exaggerated” and said it was far too large to represent numbers targeted by its clients. Based on the questions it was being asked, NSO said, it had reason to believe that the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers targets of Pegasus or any other NSO products … we still do not see any correlation of these lists to anything related to use of NSO Group technologies.”
The term HLR, or Home Location Register, refers to a database that is essential to operating cellular phone networks. Such registers keep records on the networks of cellphone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. HLR lookup services operate on the SS7 system that cellular carriers use to communicate with each other. The services can be used as a step toward spying on targets.
Telecommunications security expert Karsten Nohl, chief scientist for Security Research Labs in Berlin, said that he does not have direct knowledge of NSO’s systems but that HLR lookups and other SS7 queries are widely and inexpensively used by the surveillance industry — often for just tens of thousands of dollars a year.
“It’s not difficult to get that access. Given the resources of NSO, it’d be crazy to assume that they don’t have SS7 access from at least a dozen countries,” Nohl said. “From a dozen countries, you can spy on the rest of the world.”
Pegasus was engineered a decade ago by Israeli ex-cyberspies with government-honed skills. The Israeli Defense Ministry must approve any license to a government that wants to buy it, according to previous NSO statements.
“As a matter of policy, the State of Israel approves the export of cyber products exclusively to governmental entities, for lawful use, and only for the purpose of preventing and investigating crime and counterterrorism, under end-use/end user certificates provided by the acquiring government,” a spokesperson for the Israeli defense establishment said Sunday. “In cases where exported items are used in violation of export licenses or end-use certificates, appropriate measures are taken.”
The numbers of about a dozen Americans working overseas were discovered on the list, in all but one case while using phones registered to foreign cellular networks. The consortium could not perform forensic analysis on most of these phones. NSO has said for years that its product cannot be used to surveil American phones. The consortium did not find evidence of successful spyware penetration on phones with the U.S. country code.
“We also stand by our previous statements that our products, sold to vetted foreign governments, cannot be used to conduct cybersurveillance within the United States, and no customer has ever been granted technology that would enable them to access phones with U.S. numbers,” the company said in its statement. “It is technologically impossible and reaffirms the fact your sources’ claims have no merit.”
...
Some Pegasus intrusion techniques detailed in a 2016 report were changed in a matter of hours after they were made public, underscoring NSO’s ability to adapt to countermeasures.
Pegasus is engineered to evade defenses on iPhones and Android devices and to leave few traces of its attack. Familiar privacy measures like strong passwords and encryption offer little help against Pegasus, which can attack phones without any warning to users. It can read anything on a device that a user can, while also stealing photos, recordings, location records, communications, passwords, call logs and social media posts. Spyware also can activate cameras and microphones for real-time surveillance.
“There is just nothing from an encryption standpoint to protect against this,” said Claudio Guarnieri, a.k.a. “Nex,” the Amnesty Security Lab’s 33-year-old Italian researcher who developed and performed the digital forensics on 37 smartphones that showed evidence of Pegasus attacks.
That sense of helplessness makes Guarnieri, who often dresses head-to-toe in black, feel as useless as a 14th-century doctor confronting the Black Plague without any useful medication. “Primarily I’m here just to keep the death count,” he said.
The attack can begin in different ways. It can come from a malicious link in an SMS text message or an iMessage. In some cases, a user must click on the link to start the infection. In recent years, spyware companies have developed what they call “zero-click” attacks, which deliver spyware simply by sending a message to a user’s phone that produces no notification. Users do not even need to touch their phones for infections to begin.
Many countries have laws pertaining to traditional wiretapping and interception of communications, but few have effective safeguards against deeper intrusions made possible by hacking into smartphones. “This is more devious in a sense because it really is no longer about intercepting communications and overhearing conversation. … This covers all of them and goes way beyond that,” Guarnieri said. “It has raised a lot of questions from not only human rights, but even national constitutional laws as to is this even legal?”
Clare, NSO’s attorney, attacked the forensic examinations as “a compilation of speculative and baseless assumptions” built on assumptions based on earlier reports. He also said, “NSO does not have insight into the specific intelligence activities of its customers.”
...
‘What a question!’
Some expressed outrage even at the suggestion of spying on journalists.
A reporter for the French daily Le Monde working on the Pegasus Project recently posed such a question to Hungarian Justice Minister Judit Varga during an interview about the legal requirements for eavesdropping:
“If someone asked you to tape a journalist or an opponent, you wouldn’t accept this?”
“What a question!” Varga responded. “This is a provocation in itself!” A day later, her office requested that this question and her answer to it “be erased” from the interview.
In the past, NSO has blamed its client countries for any alleged abuses. NSO released its first “Transparency and Responsibility Report” last month, arguing that its services are essential to law enforcement and intelligence agencies trying to keep up with the 21st century.
“Terror organizations, drug cartels, human traffickers, pedophile rings and other criminal syndicates today exploit off-the-shelf encryption capabilities offered by mobile messaging and communications applications.
“These technologies provide criminals and their networks a safe haven, allowing them to ‘go dark’ and avoid detection, communicating through impenetrable mobile messaging systems. Law enforcement and counterterrorism state agencies around the world have struggled to keep up.”
NSO also said it conducts rigorous reviews of potential customers’ human rights records before contracting with them and investigates reports of abuses, although it did not cite any specific cases. It asserted that it has discontinued contracts with five clients for documented violations and that the company’s due diligence has cost it $100 million in lost revenue. A person familiar with NSO operations who spoke on the condition of anonymity to discuss internal company matters noted that in the last year alone NSO had terminated contracts with Saudi Arabia and Dubai in the United Arab Emirates over human rights concerns.
“Pegasus is very useful for fighting organized crime,” said Guillermo Valdes Castellanos, head of Mexico’s domestic intelligence agency CISEN from 2006 to 2011. “But the total lack of checks and balances [in Mexican agencies] means it easily ends up in private hands and is used for political and personal gain.”
Mexico was NSO’s first overseas client in 2011, less than a year after the firm was founded in Israel’s Silicon Valley, in northern Tel Aviv.
In 2016 and 2017, more than 15,000 Mexicans appeared on the list examined by the media consortium, among them at least 25 reporters working for the country’s major media outlets, according to the records and interviews.
One of them was Carmen Aristegui, one of the most prominent investigative journalists in the country and a regular contributor to CNN. Aristegui, who is routinely threatened for exposing the corruption of Mexican politicians and cartels, was previously revealed as a Pegasus target in several media reports. At the time, she said in a recent interview, her producer was also targeted. The new records and forensics show that Pegasus links were detected on the phone of her personal assistant.
“Pegasus is something that comes to your office, your home, your bed, every corner of your existence,” Aristegui said. “It is a tool that destroys the essential codes of civilization.”
Unlike Aristegui, freelance reporter Cecilio Pineda was unknown outside his violence-wracked southern state of Guerrero. His number appears twice on the list of 50,000. A month after the second listing, he was gunned down while lying in a hammock at a carwash while waiting for his car. It is unclear what role, if any, Pegasus’s ability to geolocate its targets in real time contributed to his murder. Mexico is among the deadliest countries for journalists; 11 were killed in 2017, according to Reporters Without Borders.
“Even if Forbidden Stories were correct that an NSO Group client in Mexico targeted the journalist’s phone number in February 2017, that does not mean that the NSO Group client or data collected by NSO Group software were in any way connected to the journalist’s murder the following month,” Clare, NSO’s lawyer, wrote in his letter to Forbidden Stories. “Correlation does not equal causation, and the gunmen who murdered the journalist could have learned of his location at a public carwash through any number of means not related to NSO Group, its technologies, or its clients.”
Mexico’s Public Security Ministry acknowledged last year that the domestic intelligence agency, CISEN, and the attorney general’s office acquired Pegasus in 2014 and discontinued its use in 2017 when the license expired. Mexican media have also reported that the Defense Ministry used the spyware.
Snowden’s legacy
Today’s thriving international spyware industry dates back decades but got a boost after the unprecedented 2013 disclosure of highly classified National Security Agency documents by contractor Edward Snowden. They revealed that the NSA could obtain the electronic communications of almost anyone because it had secret access to the transnational cables carrying Internet traffic worldwide and data from Internet companies such as Google and giant telecommunications companies such as AT&T.
Even U.S. allies in Europe were shocked by the comprehensive scale of the American digital spying, and many national intelligence agencies set out to improve their own surveillance abilities. For-profit firms staffed with midcareer retirees from intelligence agencies saw a lucrative market-in-waiting free from the government regulations and oversight imposed on other industries.
The dramatic expansion of end-to-end encryption by Google, Microsoft, Facebook, Apple and other major technology firms also prompted law enforcement and intelligence officials to complain they had lost access to the communications of legitimate criminal targets. That in turn sparked more investment in technologies, such as Pegasus, that worked by targeting individual devices.
“When you build a building, you want to make sure the building holds up, so we follow certain protocols,” said Ido Sivan-Sevilla, an expert on cyber governance at the University of Maryland. By promoting the sale of unregulated private surveillance tools, “we encourage building buildings that can be broken into. We are building a monster. We need an international norms treaty that says certain things are not okay.”
Without international standards and rules, there are secret deals between companies like NSO and the countries they service.
The unfettered use of a military-grade spyware such as Pegasus can help governments to suppress civic activism at a time when authoritarianism is on the rise worldwide. It also gives countries without the technical sophistication of such leading nations as the United States, Israel and China the ability to conduct far deeper digital cyberespionage than ever before.
‘Your body stops functioning’
Azerbaijan, a longtime ally of Israel, has been identified as an NSO client by Citizen Lab and others. The country is a family-run kleptocracy with no free elections, no impartial court system and no independent news media. The former Soviet territory has been ruled since the Soviet Union collapsed 30 years ago by the Aliyev family, whose theft of the country’s wealth and money-laundering schemes abroad have resulted in foreign embargoes, international sanctions and criminal indictments.
Despite the difficulties, roughly three dozen Azerbaijani reporters continue to document the family’s corruption. Some are hiding inside the country, but most were forced into exile where they are not so easy to capture. Some work for the Prague-based, U.S.-funded Radio Free Europe/Radio Liberty, which was kicked out of the country in 2015 for its reporting. The others work for an investigative reporting nonprofit called the Organized Crime and Corruption Reporting Project, which is based in Sarajevo, the Bosnian capital, and is one of the partners in the Pegasus Project.
The foremost investigative reporter in the region is Khadija Ismayilova, whom the regime has worked for a decade to silence: It planted a secret camera in her apartment wall, took videos of her having sex with her boyfriend and then posted them on the Internet in 2012; she was arrested in 2014, tried and convicted on trumped-up tax-evasion and other charges, and held in prison cells with hardened criminals. After global outrage and the high-profile intervention of human rights attorney Amal Clooney, she was released in 2016 and put under a travel ban.
“It is important that people see examples of journalists who do not stop because they were threatened,” Ismayilova said in a recent interview. “It’s like a war. You leave your trench, then the attacker comes in. … You have to keep your position, otherwise it will be taken and then you will have less space, less space, the space will be shrinking and then you will find it hard to breathe.”
Last month, her health failing, she was allowed to leave the country. Colleagues arranged to test her smartphone immediately. Forensics by Security Lab determined that Pegasus had attacked and penetrated her device numerous times from March 2019 to as late as May of this year.
She had assumed some kind of surveillance, Ismayilova said, but was still surprised at the number of attacks. “When you think maybe there’s a camera in the toilet, your body stops functioning,” she said. “I went through this, and for eight or nine days I could not use the toilet, anywhere, not even in public places. My body stopped functioning.”
She stopped communicating with people because whoever she spoke with ended up harassed by security services. “You don’t trust anyone, and then you try not to have any long-term plans with your own life because you don’t want any person to have problems because of you.”
Confirmation of the Pegasus penetration galled her. “My family members are also victimized. The sources are victimized. People I’ve been working with, people who told me their private secrets are victimized,” she said. “It’s despicable. … I don’t know who else has been exposed because of me, who else is in danger because of me.”
Is the minister paranoid or sensible?
The fear of widespread surveillance impedes the already difficult mechanics of civic activism.
“Sometimes, that fear is the point,” said John Scott-Railton, a senior researcher at Citizen Lab, who has researched Pegasus extensively. “The psychological hardship and the self-censorship it causes are key tools of modern-day dictators and authoritarians.”
When Siddharth Varadarajan, co-founder of the Wire, an independent online outlet in India, learned that Security Lab’s analysis showed that his phone had been targeted and penetrated by Pegasus, his mind immediately ran through his sensitive sources. He thought about a minister in Prime Minister Narendra Modi’s government who had displayed an unusual concern about surveillance when they met.
The minister first moved the meeting from one location to another at the last moment, then switched off his phone and told Varadarajan to do the same.
Then “the two phones were put in a room and music was put on in that room … and I thought: ‘Boy, this guy is really paranoid. But maybe he was being sensible,’ ” Varadarajan said in a recent interview.
When forensics showed his phone had been penetrated, he knew the feeling himself. “You feel violated, there’s no doubt about it,” he said. “This is an incredible intrusion, and journalists should not have to deal with this. Nobody should have to deal with this.”
————-
“The targeting of the 37 smartphones would appear to conflict with the stated purpose of NSO’s licensing of the Pegasus spyware, which the company says is intended only for use in surveilling terrorists and major criminals. The evidence extracted from these smartphones, revealed here for the first time, calls into question pledges by the Israeli company to police its clients for human rights abuses.”
It’s long been justifiably suspected that NSO Group doesn’t actually have safeguards in place to ensure its unstoppable hacking software isn’t being abused by its government clients. Dozens and dozens of government clients. But if the analysis of the lists of targeted phones and forensic analysis of a number of those phones by Forbidden Stories and Amnesty International is correct, we have that evidence. NSO Group’s Pegasus software has been wildly abused by its government clients. Because of course it was. You couldn’t give dozens of governments around the world super hacking tools and not expect them to target activists, journalists, academics, and other governments.
How much abuse has taken place? We don’t know. And if we believe NSO Group, they don’t really know either. They don’t operate the software for their clients and have “no insight” into their specific intelligence activities. That’s what the company itself is claiming in its defense: it doesn’t know how its software is actually used. That’s 60 intelligence, military and law enforcement agencies in 40 countries operating under that see-no-evil-because-we-are-blind oversight from the vendor.
And yet the company defends itself by pointing out how it terminated two contracts over allegations of abuses in the last 12 months. Note the term “allegations”. Not “investigation” or “routine audit”. The contracts were canceled after allegations. Against Saudi Arabia and Dubai. So NSO defended itself against charges that it was allowing its clients to abuse its software by pointing out that it canceled Saudi Arabia’s and Dubai’s contracts due to human rights concerns. Concerns obviously tied to the assassination of Jamal Khashoggi and all of the public scrutiny NSO received as a result. It’s not exactly proactive oversight:
...
In lengthy responses before publication, NSO called the investigation’s findings exaggerated and baseless. It also said it does not operate the spyware licensed to its clients and “has no insight” into their specific intelligence activities.
After publication, NSO chief executive Shalev Hulio expressed concern in a phone interview with The Post about some of the details he had read in Pegasus Project stories Sunday, while continuing to dispute that the list of more than 50,000 phone numbers had anything to do with NSO or Pegasus.
“The company cares about journalists and activists and civil society in general,” Hulio said. “We understand that in some circumstances our customers might misuse the system and, in some cases like we reported in [NSO’s] Transparency and Responsibility Report, we have shut down systems for customers who have misused the system.”
He said that in the past 12 months NSO had terminated two contracts over allegations of human rights abuses, but he declined to name the countries involved.
“Every allegation about misuse of the system is concerning me,” he said. “It violates the trust that we give customers. We are investigating every allegation.”
NSO describes its customers as 60 intelligence, military and law enforcement agencies in 40 countries, although it will not confirm the identities of any of them, citing client confidentiality obligations. The consortium found many of the phone numbers in at least 10 country clusters, which were subjected to deeper analysis: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates. Citizen Lab also has found evidence that all 10 have been clients of NSO, according to Bill Marczak, a senior research fellow.
...
“This is nasty software — like eloquently nasty,” said Timothy Summers, a former cybersecurity engineer at a U.S. intelligence agency and now director of IT at Arizona State University. With it “one could spy on almost the entire world population. … There’s not anything wrong with building technologies that allows you to collect data; it’s necessary sometimes. But humanity is not in a place where we can have that much power just accessible to anybody.”
In response to detailed questions from the consortium before publication, NSO said in a statement that it did not operate the spyware it licensed to clients and did not have regular access to the data they gather. The company also said its technologies have helped prevent attacks and bombings and broken up rings that trafficked in drugs, sex and children. “Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds,” NSO said. “Your sources have supplied you with information that has no factual basis, as evidenced by the lack of supporting documentation for many of the claims.”
...
Clare, NSO’s attorney, attacked the forensic examinations as “a compilation of speculative and baseless assumptions” built on assumptions based on earlier reports. He also said, “NSO does not have insight into the specific intelligence activities of its customers.”
...
In the past, NSO has blamed its client countries for any alleged abuses. NSO released its first “Transparency and Responsibility Report” last month, arguing that its services are essential to law enforcement and intelligence agencies trying to keep up with the 21st century.
...
NSO also said it conducts rigorous reviews of potential customers’ human rights records before contracting with them and investigates reports of abuses, although it did not cite any specific cases. It asserted that it has discontinued contracts with five clients for documented violations and that the company’s due diligence has cost it $100 million in lost revenue. A person familiar with NSO operations who spoke on the condition of anonymity to discuss internal company matters noted that in the last year alone NSO had terminated contracts with Saudi Arabia and Dubai in the United Arab Emirates over human rights concerns.
...
Mexico was NSO’s first overseas client in 2011, less than a year after the firm was founded in Israel’s Silicon Valley, in northern Tel Aviv.
...
But then there’s the NSO Group’s more legitimate excuse for selling this kind of powerful software to governments known for human rights abuses: the Israeli Defense Ministry has to approve the NSO Group’s contracts. Beyond that, NSO Group claims its software cannot be used on US-based phones, raising questions about whether or not the US government was also tacitly giving its approval for these contracts:
...
Pegasus was engineered a decade ago by Israeli ex-cyberspies with government-honed skills. The Israeli Defense Ministry must approve any license to a government that wants to buy it, according to previous NSO statements.
“As a matter of policy, the State of Israel approves the export of cyber products exclusively to governmental entities, for lawful use, and only for the purpose of preventing and investigating crime and counterterrorism, under end-use/end user certificates provided by the acquiring government,” a spokesperson for the Israeli defense establishment said Sunday. “In cases where exported items are used in violation of export licenses or end-use certificates, appropriate measures are taken.”
The numbers of about a dozen Americans working overseas were discovered on the list, in all but one case while using phones registered to foreign cellular networks. The consortium could not perform forensic analysis on most of these phones. NSO has said for years that its product cannot be used to surveil American phones. The consortium did not find evidence of successful spyware penetration on phones with the U.S. country code.
“We also stand by our previous statements that our products, sold to vetted foreign governments, cannot be used to conduct cybersurveillance within the United States, and no customer has ever been granted technology that would enable them to access phones with U.S. numbers,” the company said in its statement. “It is technologically impossible and reaffirms the fact your sources’ claims have no merit.”
...
But the biggest revelation in this story is the nature of the NSO Group exploits being sold with the Pegasus system: “zero-click” exploits that quietly deliver spyware simply by sending a message to the target’s phone. That is effectively an unstoppable attack. So NSO Group was selling unstoppable exploits that could target any smartphone in the world — with the possible exception of US phones, if we believe the company’s assurances — to over 40 different governments around the world, starting in 2011 with the contract with Mexico. And as this investigation revealed, those unstoppable exploits were widely used by these governments for far more than just law enforcement and terrorism cases. That is a massive revelation, in part because it means governments around the world have been empowered to secretly hack each other for years now. But this wasn’t exactly a new revelation. We learned back in May 2019 about NSO Group’s unstoppable exploit that could infect a phone simply by calling it over the WhatsApp calling feature. The exploit worked even when victims didn’t answer the call. So the existence of ‘zero-click’ exploits isn’t exactly a new revelation, but it sounds like that WhatsApp exploit was far from the only one. They’ve figured out how to do it with SMS text messages or iMessages too. That covers basically every smartphone, whether you have WhatsApp on it or not:
...
Some Pegasus intrusion techniques detailed in a 2016 report were changed in a matter of hours after they were made public, underscoring NSO’s ability to adapt to countermeasures.
Pegasus is engineered to evade defenses on iPhones and Android devices and to leave few traces of its attack. Familiar privacy measures like strong passwords and encryption offer little help against Pegasus, which can attack phones without any warning to users. It can read anything on a device that a user can, while also stealing photos, recordings, location records, communications, passwords, call logs and social media posts. Spyware also can activate cameras and microphones for real-time surveillance.
“There is just nothing from an encryption standpoint to protect against this,” said Claudio Guarnieri, a.k.a. “Nex,” the Amnesty Security Lab’s 33-year-old Italian researcher who developed and performed the digital forensics on 37 smartphones that showed evidence of Pegasus attacks.
That sense of helplessness makes Guarnieri, who often dresses head-to-toe in black, feel as useless as a 14th-century doctor confronting the Black Plague without any useful medication. “Primarily I’m here just to keep the death count,” he said.
The attack can begin in different ways. It can come from a malicious link in an SMS text message or an iMessage. In some cases, a user must click on the link to start the infection. In recent years, spyware companies have developed what they call “zero-click” attacks, which deliver spyware simply by sending a message to a user’s phone that produces no notification. Users do not even need to touch their phones for infections to begin.
...
Unstoppable zero-day attacks and zero oversight. What could possibly go wrong?
Forget All Those NSO Group and Candiru Stories: The US and Western Allies Accuse China of the Microsoft Exchange Hack
So how are governments responding to this string of devastating reports? First Candiru’s zero-day malware gets exposed being used against activists around the world. Then NSO Group is revealed to be the cyber equivalent of a nuclear mercenary. And a diplomatic tool. It was a rough week of reporting on the “commercial surveillance” cyber industry. A lot of tough questions were raised. And we got our answer one day after the Washington Post’s report: the US and Western allies were finally formally accusing China of being behind the Microsoft Exchange hack first disclosed back in March. It was great timing.
And as we’ll see in the next article excerpt about the public accusations by the US and its fellow allies against China’s Ministry of State Security (MSS), China isn’t just accused of tolerating smash-and-grab raids. The MSS-backed hacker groups are also accused of carrying out ransomware attacks for their own personal profit. So the hacker groups accused of carrying out the Microsoft Exchange hack and other hacks attributed to China are also groups engaging in the kind of cyber-extortion and ransomware schemes for their own profit that are traditionally associated with standard cyber criminals. That’s the evolving narrative in the face of evidence that the Microsoft Exchange hack was really many hacks involving multiple criminal groups on a rampant spree, groups that also run cyber-extortion schemes: they were Chinese state-backed hackers who also run private extortive criminal hacks on their own, because China’s government has decided to give zero-day exploits to groups that take those zero-day exploits and go on a global hacking spree. The Chinese government endorsed, or at least tolerated, that dramatic escalation. No longer espionage but global smash-and-grab sprees. That’s the new narrative. A new narrative that’s evolving in the face of the evidence that the people carrying out these mega-hacks are acting like traditional hackers and not state-backed espionage-focused groups.
Recall how the known timeline of the Exchange hack is that it started on January 3 (Volexity’s first detected use of the zero-day exploit by “Hafnium”). It was January 6, during the Capitol Insurrection, when Volexity first observed a large download to an unauthorized address. Hafnium quietly hit organizations until Microsoft issued a patch on March 2. At that point, multiple groups went on a global race to hit every unpatched server connected to the internet. So given that timeline, it’s likely that the groups that went on the race following the patch are the ones with a criminal for-profit track record. And we are to assume “Hafnium”, a state-backed Chinese hacker group, handed this zero-day exploit over to these groups and gave its blessing to the global smash-and-grab. Which, if true, really would be a dramatic escalation in hacks from China. It’s the “if true” part that’s the catch. Notice how no one even bothers to provide a pretense of evidence for any of these claims.
Amusingly, the governments making these accusations against China hadn’t quite gotten their stories straight. Because as we just saw, much of the ostensible alarm over these accusations is that they signify a shift from quiet espionage to in-your-face smash-and-grab raids by Chinese state-backed hackers. And yet as we’ll see, U.K. Foreign Secretary Dominic Raab described the attack as “a reckless but familiar pattern of behaviour” by Chinese state-backed groups. So what is it? New reckless behavior? Or familiar reckless behavior? That part of the narrative has yet to be decided. But this was what major Western governments were talking about a day after that NSO Group report: China:
Associated Press
Microsoft Exchange hack caused by China, US and allies say
By ERIC TUCKER
July 19, 2021
WASHINGTON (AP) — The Biden administration and Western allies formally blamed China on Monday for a massive hack of Microsoft Exchange email server software and asserted that criminal hackers associated with the Chinese government have carried out ransomware and other illicit cyber operations.
The announcements, though not accompanied by sanctions against the Chinese government, were intended as a forceful condemnation of activities a senior Biden administration official described as part of a “pattern of irresponsible behavior in cyberspace.” They highlighted the ongoing threat from Chinese hackers even as the administration remains consumed with trying to curb ransomware attacks from Russia-based syndicates that have targeted critical infrastructure.
The broad range of cyberthreats from Beijing disclosed on Monday included a ransomware attack from government-affiliated hackers that targeted victims — including in the U.S. — with demands for millions of dollars. U.S. officials also alleged that criminal contract hackers associated with China’s Ministry of State Security have engaged in cyber extortion schemes and theft for their own profit.
Meanwhile, the Justice Department on Monday announced charges against four Chinese nationals who prosecutors said were working with the MSS in a hacking campaign that targeted dozens of computer systems, including companies, universities and government entities. The defendants are accused of targeting trade secrets and confidential business information, including scientific technologies and infectious-disease research.
Unlike in April, when public finger-pointing of Russian hacking was paired with a raft of sanctions against Moscow, the Biden administration did not announce any actions against Beijing. Nonetheless, a senior administration official who briefed reporters said that the U.S. has confronted senior Chinese officials and that the White House regards the multination shaming as sending an important message, even if no single action can change behavior.
President Joe Biden told reporters “the investigation’s not finished,” and White House press secretary Jen Psaki did not rule out future consequences for China, saying, “This is not the conclusion of our efforts as it relates to cyber activities with China or Russia.”
Even without fresh sanctions, Monday’s actions are likely to exacerbate tensions with China at a delicate time. Just last week, the U.S. issued separate stark warnings against transactions with entities that operate in China’s western Xinjiang region, where China is accused of repressing Uyghur Muslims and other minorities.
...
The European Union and Britain were among the allies who called out China. The EU said malicious cyber activities with “significant effects” that targeted government institutions, political organizations and key industries in the bloc’s 27 member states could be linked to Chinese hacking groups. The U.K.’s National Cyber Security Centre said the groups targeted maritime industries and naval defense contractors in the U.S. and Europe and the Finnish parliament.
In a statement, EU foreign policy chief Josep Borrell said the hacking was “conducted from the territory of China for the purpose of intellectual property theft and espionage.”
The Microsoft Exchange cyberattack “by Chinese state-backed groups was a reckless but familiar pattern of behaviour,” U.K. Foreign Secretary Dominic Raab said.
NATO, in its first public condemnation of China for hacking activities, called on Beijing to uphold its international commitments and obligations “and to act responsibly in the international system, including in cyberspace.” The alliance said it was determined to “actively deter, defend against and counter the full spectrum of cyber threats.”
That hackers affiliated with the Ministry of State Security were engaged in ransomware was surprising and concerning to the U.S. government, the senior administration official said. But the attack, in which an unidentified American company received a high-dollar ransom demand, also gave U.S. officials new insight into what the official said was “the kind of aggressive behavior that we’re seeing coming out of China.”
A spokesperson for the Chinese Embassy in Washington, Liu Pengyu, said in a statement that the “U.S. has repeatedly made groundless attacks and malicious smear against China on cybersecurity. Now this is just another old trick, with nothing new in it.” The statement called China “a severe victim of the US cyber theft, eavesdropping and surveillance.”
The majority of the most damaging and high-profile recent ransomware attacks have involved Russian criminal gangs. Though the U.S. has sometimes seen connections between Russian intelligence agencies and individual hackers, the use of criminal contract hackers by the Chinese government “to conduct unsanctioned cyber operations globally is distinct,” the official said.
Dmitri Alperovitch, the former chief technology officer of the cybersecurity firm Crowdstrike, said the announcement makes clear that MSS contractors who for years have worked for the government and conducted operations on its behalf have over time decided — either with the approval or the “blind eye of their bosses” — to “start moonlighting and engaging in other activities that could put money in their pockets.”
The Microsoft Exchange hack that months ago compromised tens of thousands of computers around the world was swiftly attributed to Chinese cyber spies by Microsoft.
An administration official said the government’s attribution to hackers affiliated with the Ministry of State Security took until now in part because of the discovery of the ransomware and for-profit hacking operations and because the administration wanted to pair the announcement with guidance for businesses about tactics that the Chinese have been using.
Given the scope of the attack, Alperovitch said it was “puzzling” that the U.S. did not impose sanctions.
“They certainly deserve it, and at this point, it’s becoming a glaring standout that we have not,” he said.
He added, in a reference to a large Russian cyberespionage operation discovered late last year, “There’s no question that the Exchange hacks have been more reckless, more dangerous and more disruptive than anything the Russians have done in SolarWinds.”
———-
“The broad range of cyberthreats from Beijing disclosed on Monday included a ransomware attack from government-affiliated hackers that targeted victims — including in the U.S. — with demands for millions of dollars. U.S. officials also alleged that criminal contract hackers associated with China’s Ministry of State Security have engaged in cyber extortion schemes and theft for their own profit.”
Criminal contract hackers. That’s who China’s Ministry of State Security is apparently hiring to carry out these mega hacks. That’s the accusation coming from the US and allies. What evidence this assertion is based on is of course never given, but the parallel charges against four Chinese nationals accused of working with the MSS in a hacking campaign are presumably supposed to serve as a kind of proxy evidence:
...
Meanwhile, the Justice Department on Monday announced charges against four Chinese nationals who prosecutors said were working with the MSS in a hacking campaign that targeted dozens of computer systems, including companies, universities and government entities. The defendants are accused of targeting trade secrets and confidential business information, including scientific technologies and infectious-disease research.
...
But, again, observe how inconsistent the accusations are. The EU is referring to hacks that could be linked to Chinese hacking groups while the UK’s Foreign Secretary calls it “a reckless but familiar pattern of behaviour”. And look at the US’s explanation for why it took this long to make the attribution when Microsoft seemingly did it immediately: the discovery of ransomware and for-profit schemes by these same hackers delayed the attribution. In other words, Microsoft’s evidence-free initial assertion that the hack was the responsibility of the Chinese (and definitely completely unrelated to the SolarWinds hack!) got complicated after it was observed that the hackers were behaving like normal criminals and engaging in for-profit ransomware schemes. So they had to create a new narrative about how the Chinese government is now using contract criminal hackers to carry out their mega-hacks. Because why carry out a mega-hack on your own when you can share it with the criminal underworld:
...
Even without fresh sanctions, Monday’s actions are likely to exacerbate tensions with China at a delicate time. Just last week, the U.S. issued separate stark warnings against transactions with entities that operate in China’s western Xinjiang region, where China is accused of repressing Uyghur Muslims and other minorities....
The European Union and Britain were among the allies who called out China. The EU said malicious cyber activities with “significant effects” that targeted government institutions, political organizations and key industries in the bloc’s 27 member states could be linked to Chinese hacking groups. The U.K.’s National Cyber Security Centre said the groups targeted maritime industries and naval defense contractors in the U.S. and Europe and the Finnish parliament.
In a statement, EU foreign policy chief Josep Borrell said the hacking was “conducted from the territory of China for the purpose of intellectual property theft and espionage.”
The Microsoft Exchange cyberattack “by Chinese state-backed groups was a reckless but familiar pattern of behaviour,” U.K. Foreign Secretary Dominic Raab said.
NATO, in its first public condemnation of China for hacking activities, called on Beijing to uphold its international commitments and obligations “and to act responsibly in the international system, including in cyberspace.” The alliance said it was determined to “actively deter, defend against and counter the full spectrum of cyber threats.”
That hackers affiliated with the Ministry of State Security were engaged in ransomware was surprising and concerning to the U.S. government, the senior administration official said. But the attack, in which an unidentified American company received a high-dollar ransom demand, also gave U.S. officials new insight into what the official said was “the kind of aggressive behavior that we’re seeing coming out of China.”
...
The majority of the most damaging and high-profile recent ransomware attacks have involved Russian criminal gangs. Though the U.S. has sometimes seen connections between Russian intelligence agencies and individual hackers, the use of criminal contract hackers by the Chinese government “to conduct unsanctioned cyber operations globally is distinct,” the official said.
...
The Microsoft Exchange hack that months ago compromised tens of thousands of computers around the world was swiftly attributed to Chinese cyber spies by Microsoft.
An administration official said the government’s attribution to hackers affiliated with the Ministry of State Security took until now in part because of the discovery of the ransomware and for-profit hacking operations and because the administration wanted to pair the announcement with guidance for businesses about tactics that the Chinese have been using.
...
Also keep in mind that the criminal hacker groups didn’t appear in the Exchange hack until March 2 according to our known timeline, the day Microsoft also issued its report that blamed the hack on state-sponsored “Hafnium”. So the criminal-like behavior of the groups with access to this exploit wasn’t necessarily apparent when Microsoft made its initial “Hafnium” attribution.
But note the one consistent actor here: Dmitri Alperovitch — co-founder of CrowdStrike and the guy who pioneered the modern approach of making loud evidence-free hacking accusations against countries as a means of preventing future attacks — is giving us exactly the response we should expect by asking why these accusations haven’t led to new sanctions against China:
...
Dmitri Alperovitch, the former chief technology officer of the cybersecurity firm Crowdstrike, said the announcement makes clear that MSS contractors who for years have worked for the government and conducted operations on its behalf have over time decided — either with the approval or the “blind eye of their bosses” — to “start moonlighting and engaging in other activities that could put money in their pockets.”
Given the scope of the attack, Alperovitch said it was “puzzling” that the U.S. did not impose sanctions.
“They certainly deserve it, and at this point, it’s becoming a glaring standout that we have not,” he said.
He added, in a reference to a large Russian cyberespionage operation discovered late last year, “There’s no question that the Exchange hacks have been more reckless, more dangerous and more disruptive than anything the Russians have done in SolarWinds.”
...
Also note that Alperovitch is now the former CTO of Crowdstrike, having left the company in 2020 to start a non-profit “policy accelerator” focused on cybersecurity in a geopolitical context. In other words, Alperovitch started a think-tank and lobby shop dedicated to pushing for the kind of hacking-based sanctions against Russia and China he’s long advocated for anyway.
The BBC has a bit more on the story that gives us a better idea of how the Western governments are theorizing China decided to carry out this global mega-hack using common cyber-criminals as co-conspirators: Hafnium knew Microsoft planned to deal with the weakness and so shared it with other China-based hackers. In other words, the Chinese state-backed hackers realized the jig was up and handed the zero-day exploit (which was no longer a zero-day) to criminals for some strategic reason.
Again, recall the timeline: the known timeline of the Exchange hack is that it started on January 3 (Volexity’s first detected use of the zero-day exploit by “Hafnium”). It was January 6, during the Capitol Insurrection, when Volexity first observed a large download to an unauthorized address. Hafnium quietly hit organizations until Microsoft issued a patch on March 2, the same day it blamed the hack on Hafnium, a state-backed Chinese hacker group. That’s the day we are told multiple criminal groups went on a global race to hit every unpatched server connected to the internet.
So what would be the motive for Hafnium to hand that zero-day exploit over to criminal groups and escalate the hack to the level of worst ever? Maximize damage? Cover their tracks? It’s unclear what the theorized rationale would be. Microsoft blamed the hack on “Hafnium” and called them a Chinese state-backed group in the initial security blog post that announced the Exchange patch to fix the exploit, which is when the criminal ransacking reportedly started. So it’s not like there was obvious track-covering for Hafnium to do at that point. But that’s what we’re told by these Western government sources: after getting caught with their quiet targeted hack, these state-backed hackers made a conscious decision to hand the super exploit over to criminals and tolerate a global ransacking:
BBC News
China says Microsoft hacking accusations fabricated by US and allies
Published 7/20/2021
China has denied allegations that it carried out a major cyber-attack against tech giant Microsoft.
The US and other Western countries on Monday accused China of hacking Microsoft Exchange — a popular email platform used by companies worldwide.
They said it was part of a broader pattern of “reckless” behaviour that threatened global security.
China says it opposes all forms of cyber-crime, and has called the claims “fabricated”.
China’s foreign ministry spokesman said the US had got its allies to make “unreasonable criticisms” against China.
The UK, EU, New Zealand, Australia and others joined the US to accuse Chinese state-sponsored hackers.
...
Microsoft blamed a Chinese cyber-espionage group for targeting a weakness in Microsoft Exchange, which allowed hackers to get into email inboxes.
It said the group, known as Hafnium, was state-sponsored and based in China.
Western security sources believe Hafnium knew Microsoft had planned to deal with the weakness, and so shared it with other China-based hackers.
The sources say the hack seems to signal a shift from a targeted espionage campaign to a smash-and-grab raid, leading to concerns that Chinese cyber-behaviour is escalating.
The UK Foreign Office said the Chinese government had “ignored repeated calls to end its reckless campaign, instead allowing state-backed actors to increase the scale of their attacks”.
US President Joe Biden said the Chinese government may not have been carrying out the attacks itself, but was “protecting those who are doing it. And maybe even accommodating them being able to do it”.
...
———–
“China says Microsoft hacking accusations fabricated by US and allies”; BBC News; 7/20/2021
“Western security sources believe Hafnium knew Microsoft had planned to deal with the weakness, and so shared it with other China-based hackers.”
It’s quite a scenario described by the Western security sources for this article: Hafnium found out Microsoft planned on closing some vulnerabilities, prompting Hafnium to share the vulnerability with other China-based hackers. Recall how, as we saw above, Volexity witnessed what was a quiet infiltration of some systems — using the zero-day exploits — on January 6 during the Capitol insurrection. It was in the following days that the hack became much more widespread and open and aggressive. So we are probably being asked to assume that the second noisy phase of the hack came after Hafnium gave their incredible zero-day exploit to other criminal hackers around China. And this was all quietly sanctioned by the Chinese government. That’s the narrative we are being asked to believe, this time with Western governments making the assertions, not Microsoft. And as always, we have no idea what evidence this belief is based on. The one thing we can state with confidence is that a large number of the actors who used this exploit during that global ransacking phase appear to be criminal.
But if we take the state-backed criminal-super-hack narrative seriously, we have to treat this as a major escalation by the Chinese government. Which it very much would be if true. An insane escalation that could enrage the global business community. Not just governments:
...
The sources say the hack seems to signal a shift from a targeted espionage campaign to a smash-and-grab raid, leading to concerns that Chinese cyber-behaviour is escalating.
...
But, again, keep in mind that this entire discussion about Hafnium and criminal hacking groups was due to the US and its allies issuing a big coordinated public rebuke of China’s involvement in the Exchange hack one day after the pair of NSO Group mega-scandal stories. Stories that raised enormous questions about the hacking attributions of the last decade, at a minimum.
Macron to the World: New Phone, Who Dis?
And a few days after that coordinated public rebuke of China over “Hafnium”, we get an update on the fallout from the NSO Group story: Emmanuel Macron changed his phone. As a precaution. His number was on Morocco’s target list. Awkward!
We also get an update from NSO Group on how its oversight system works: while it doesn’t know the identities of the people targeted by Pegasus, the company can retroactively acquire the target lists in the event of a complaint and unilaterally shut down the offending government’s subscription following an investigation. In other words, NSO Group could in theory do retrospective audits. But won’t unless there’s a complaint. A complaint about the super secret spyware you can’t find and don’t know about:
Reuters
France’s Macron changes phone in light of Pegasus case
Michel Rose and Dan Williams
July 22, 2021 3:25 PM CDT Updated
PARIS, July 22 (Reuters) — French President Emmanuel Macron has changed his mobile phone and phone number in light of the Pegasus spyware case, a presidency official said on Thursday, in one of the first concrete actions announced in relation to the scandal.
“He’s got several phone numbers. This does not mean he has been spied on. It’s just additional security,” the official told Reuters. Government spokesman Gabriel Attal said the president’s security protocols were being adapted in light of the incident.
A global outcry was triggered when several international media organisations reported that the Pegasus spyware was used in hacking smartphones belonging to journalists, human rights activists and government officials in several countries.
In Israel, home of Pegasus developer NSO Group, a senior lawmaker said a parliamentary panel may look into spyware export restrictions. NSO says its software is used to fight crime and terrorism and has denied any wrongdoing.
“Obviously we’re taking (this) very seriously,” Attal told reporters hours after an emergency cabinet meeting focused on the Pegasus allegations.
Le Monde newspaper and Radio France broadcaster reported on Tuesday that Macron’s phone was on a list of potential targets for surveillance by Morocco. The two media said that they did not have access to Macron’s phone and could not verify if his phone had indeed been spied on.
Morocco has rejected these allegations.
A French lawyer for Morocco, Olivier Baratelli, said the government planned to lodge defamation lawsuits in Paris against nongovernmental organisations Amnesty International and Forbidden Stories, according to French news outlet franceinfo on Thursday. The two groups participated in the Pegasus probe and alleged Morocco had targeted French officials for surveillance with the spyware.
Amid mounting EU concern, German Chancellor Angela Merkel told reporters in Berlin that spyware should be denied to countries where there is no judicial oversight.
Hungarian prosecutors on Thursday launched an investigation into multiple complaints received in the wake of the reports.
Israel has appointed an inter-ministerial team to assess reports based on an investigation by 17 media organisations that said Pegasus had been used in attempted or successful hacks of smartphones using malware that enables the extraction of messages, records calls and secretly activates microphones.
...
“We certainly have to look anew at this whole subject of licences granted by DECA,” Ram Ben-Barak, head of the Knesset Foreign Affairs and Defence Committee, told Israel’s Army Radio, referring to the government-run Defence Export Controls Agency.
The Israeli government team “will conduct its checks, and we will be sure to look into the findings and see if we need to fix things here”, said Ben-Barak. A former deputy chief of Mossad, he said proper use of Pegasus had “helped a great many people”.
DECA is within Israel’s Defence Ministry and oversees NSO exports. Both the ministry and the firm have said that Pegasus is meant to be used to track only terrorists or criminals, and that all foreign clients are vetted governments.
NSO says it does not know the specific identities of people against whom clients use Pegasus. If it receives a complaint of Pegasus having been misused by a client, NSO can retroactively acquire the target lists and, should the complaint prove true, unilaterally shut down that client’s software, the company says.
Other world leaders among those whose phone numbers the news organisations said were on a list of possible targets include Pakistani Prime Minister Imran Khan and Morocco’s King Mohammed VI.
———-
“NSO says it does not know the specific identities of people against whom clients use Pegasus. If it receives a complaint of Pegasus having been misused by a client, NSO can retroactively acquire the target lists and, should the complaint prove true, unilaterally shut down that client’s software, the company says.”
NSO Group can retroactively acquire the target lists to investigate complaints. It’s the kind of description that sounds like NSO Group would need to go to the clients to retrieve the list of target phone numbers or emails. That’s the kind of oversight regime that raises questions about whether or not these clients have the capability to scrub those target lists before returning them to NSO Group. It’s also the kind of oversight regime that raises questions about how any sort of oversight could ever happen outside of instances when there’s a news report about NSO Group malware being discovered and a ‘retrospective investigation’ is conducted. Either an insider needs to leak about it or victims need to discover the malware. Those are the only viable scenarios that could realistically trigger an investigation and this is super-secret malware that operated without being detected for years. Almost nothing other than the investigative reporting done by Amnesty International and Forbidden Stories could realistically cause a client to have their subscription revoked.
And as we saw in the case of Saudi Arabia and the fallout from the Jamal Khashoggi assassination, the fallout — in the form of NSO Group canceling Saudi Arabia’s subscription, a move opposed by the Israeli government — was ultimately reversed after NSO Group was suddenly sold to new investors. That’s part of the context of Israel’s assurances that it will look anew at the licenses granted for these subscriptions. It can’t look anew. It would be a diplomatic nightmare for Israel. And perhaps not something Israel can reasonably decide unilaterally on its own. If what we are looking at here is a broader Western-sanctioned global system for distributing limited super-hacker capabilities, the fate of NSO Group and the entire Israeli “commercial surveillance” sector suddenly becomes a much more multilateral affair:
...
“We certainly have to look anew at this whole subject of licences granted by DECA,” Ram Ben-Barak, head of the Knesset Foreign Affairs and Defence Committee, told Israel’s Army Radio, referring to the government-run Defence Export Controls Agency.
The Israeli government team “will conduct its checks, and we will be sure to look into the findings and see if we need to fix things here”, said Ben-Barak. A former deputy chief of Mossad, he said proper use of Pegasus had “helped a great many people”.
DECA is within Israel’s Defence Ministry and oversees NSO exports. Both the ministry and the firm have said that Pegasus is meant to be used to track only terrorists or criminals, and that all foreign clients are vetted governments.
...
Will the Israeli government conduct a meaningful audit of its cyber mercenary export sector? The story of the NSO Group and Jamal Khashoggi’s murder suggests otherwise.
NSO Group and Candiru: Joined at the Founding Financial Hip
We’re now at the end of our article marathon. This one isn’t from December 2020-July 2021. It’s from October 2019. So it wasn’t new as all of this has been playing out. One mega-hack story after another. One Microsoft exploit after another. As the world turned to Microsoft to lead the investigation into this parade of Microsoft vulnerabilities (some might consider that a conflict of interest), the following story from October 2019 was systematically ignored: An introduction to Candiru, its powerful suite of Microsoft exploits, and the fact that its founders overlap with the NSO Group’s founders.
Yep, in the following Forbes piece we learn how Candiru has clients like Uzbekistan, Saudi Arabia, and the UAE. The main Candiru financial backer was Founders Group, which was co-founded by one of the three men who set up NSO Group, Omri Lavie. Additionally, one of the lead investors is Founders Group managing partner Isaac Zack. We’re also told that the industry is increasingly close to its financial backers because, well, it’s become so controversial there aren’t that many financial backers available. A hyper-secretive incestuous industry increasingly beholden to the shrinking number of people willing to go into something this explosively powerful:
Forbes
Meet Candiru — The Mysterious Mercenaries Hacking Apple And Microsoft PCs For Profit
Thomas Brewster Forbes Staff
Oct 3, 2019, 06:06am EDT
Israel is home to scores of hacker-for-hire businesses, but one of the most clandestine has been Candiru. With no website and few records available, it’s operated largely under the radar.
But now a researcher is claiming the elite Tel Aviv-based firm sold cyber weapons to the government of Uzbekistan, while industry sources tell Forbes the company is hacking both Microsoft Windows and Apple Macs for various nation states.
In doing so it calls into question the company’s ethics for partnering with a government branded as an abuser of surveillance tools, just like the morals of its compatriot digital arms dealers have come under scrutiny over the last half decade.
Smashing Windows
Candiru’s speciality, hacking Microsoft Windows for nation-state intelligence agencies, is one key revenue stream. And one of those Candiru customers is almost certainly Uzbekistan, according to Brian Bartholomew, a researcher at Russian cybersecurity company Kaspersky Lab. He claimed that a lapse in an Uzbekistan intelligence agency’s operational security allowed him to link multiple Windows vulnerabilities used in Uzbek attacks back to Candiru and two other customers: Saudi Arabia and the U.A.E.
Bartholomew detailed just how Uzbekistan was sloppy to Forbes ahead of the public release of his research at London’s Virus Bulletin conference on Thursday, though he couldn’t provide clear links between the leaked tools and the Israeli company.
Perhaps Uzbekistan’s biggest mistake was to set up a test computer, exposed on the internet, that tested its hacking tools against various antivirus systems like Kaspersky. Bartholomew’s team found that computer online and noted that it regularly connected to a single Web address. And here’s where the Uzbekistan government exposed itself: Not only was that address registered in Uzbekistan, but the registrant was the apparent leader of “Military Unit 02616.” Though there was little information on that division, Bartholomew soon discovered it was part of Uzbekistan’s surveillance agency, the National Security Service (NSS).
According to Bartholomew, the NSS is essentially the successor to the Soviet KGB contingent, which transferred power in the early 1990s. “They have loads of power. They can pretty much do what they want,” Bartholomew said. The NSS also has a history of buying malware from foreign dealers, as revealed in the leaked 2015 emails of Italian provider Hacking Team. Hosted on Wikileaks, the emails contain frequent messages about deals between Hacking Team and the unit; Bartholomew believes Uzbekistan spent nearly $1 million on the Italian company’s services, looking at all the invoices in the leak.
But because the agency exposed its Windows exploits on the web, Kaspersky researchers were able to link them to other malicious software Bartholomew says were created by Candiru, namely those that appeared to be controlled by Saudi Arabia and the U.A.E. “Sloppy customers are bad customers,” the researcher said.
Human rights experts have now raised the alarm about Candiru’s customer base and the potential for abuse. Bartholomew and another source with knowledge of the attacks said he discovered Candiru surveillance software was used in previously reported hacks on Uzbek human rights activists and independent media.
“Each of these governments is a serial spyware abuser, and it is painfully predictable that civil society got targeted again,” said John Scott-Railton, a surveillance market researcher at the University of Toronto’s Citizen Lab. “For an industry that is trying to tell investors and regulators that it is working to clean up its act, providing spyware to these autocratic regimes is a guaranteed way to get it abused.”
Raining down on Macs
Candiru specializes in hacking Windows, but it’s also working on tools to crack Apple’s MacOS operating system, according to Tal Dilian, who claims to have partnered with Candiru as part of his work with his own surveillance startup, Intellexer. Though not sure, he also said Candiru may also have a focus on iOS too.
Scott-Railton said he was also convinced that Candiru was developing exploits for both Apple and Microsoft technology.
Israel’s digital mercenaries unite
Outside of Candiru’s apparent relationship with Dilian’s spyware enterprises—WiSpear and Intellexa—it has at least one tie to the most controversial of Israel’s surveillance providers: NSO Group. That’s because two industry sources said the main Candiru financial backer was Founders Group, cofounded by one of the three men who set up NSO, Omri Lavie.
As surveillance industry sources also told Forbes, one of the lead investors is Founders Group managing partner Isaac Zack. According to Pitchbook, Zack is also a board member at wireless charging startup Humavox and at Sepio Systems. The latter is a cybersecurity company, focused on doing the exact opposite of Candiru: protecting hardware from being turned into silent surveillance devices. Its board also includes Tamir Pardo, the former head of the Mossad, Israel’s intelligence agency.
Companies like Candiru are being forced to go to investors with whom they’re already on friendly terms because of an increasing antipathy towards the industry from typical venture capital firms. “YL Ventures has not and will not invest in offensive cyber technology vendors,” said Yoav Leitersdorf, managing partner at YL Ventures. “The primary reason for this is ethical, since oftentimes the customers of these vendors end up using the technology in a way that violates human rights, with or without the vendors’ knowledge. Such usage goes directly against our values and the values of our limited partners.”
Israeli firms have found themselves at the center of an international controversy over the sale of spyware to repressive governments. Candiru has avoided the spotlight up until now, but its rival NSO Group has become embroiled in several controversies. In Mexico, the use of alleged NSO malware Pegasus by the government to monitor journalists, activists and lawyers working on the 2014 killing of 43 students caused a major political scandal. And in January, NSO chief Shalev Hulio had to state on the record that his firm had not worked with the Saudi government to monitor journalist Jamal Khashoggi in the months before his murder by Saudi agents.
...
————
“Candiru’s speciality, hacking Microsoft Windows for nation-state intelligence agencies, is one key revenue stream. And one of those Candiru customers is almost certainly Uzbekistan, according to Brian Bartholomew, a researcher at Russian cybersecurity company Kaspersky Lab. He claimed that a lapse in an Uzbekistan intelligence agency’s operational security allowed him to link multiple Windows vulnerabilities used in Uzbek attacks back to Candiru and two other customers: Saudi Arabia and the U.A.E.”
Uzbekistan, Saudi Arabia, and the UAE. Those were three of Candiru’s clients identified back in late 2019 when the company first received media exposure and it’s obviously a very incomplete client list. The kind of client list where we can be confident all sorts of other terrifying customers are being quietly serviced.
Also keep in mind that Uzbekistan’s hackers wouldn’t have any trouble leaving Russian ‘cultural artifact’ clues. They all speak Russian. Of course, as we saw with the ShadowBrokers story, the CIA’s hacking toolkit featured tools to inject Russian or Mandarin into the code to leave these kinds of clues, so it’s not like a hacker necessarily needs to know Russian or Mandarin to leave these kinds of ‘clues’. But still, since such ‘clues’ are given so much weight when it comes to cyberattribution, it behooves us to note that the hackers working for the many former Soviet Republics are going to know Russian. At least enough to stick it in their code or on forums or wherever to make sure everyone knows it was the ‘Russians’. We now know dozens of governments have been subscribing to these malware services over the last decade. What are the odds they haven’t been doing precisely what the CIA’s toolkits do and injecting their own ‘cultural artifacts’? What are the odds these subscription toolkits don’t already offer those exact features? Saudi Arabia and the UAE, for example, would probably really enjoy those features:
...
According to Bartholomew, the NSS is essentially the successor to the Soviet KGB contingent, which transferred power in the early 1990s. “They have loads of power. They can pretty much do what they want,” Bartholomew said. The NSS also has a history of buying malware from foreign dealers, as revealed in the leaked 2015 emails of Italian provider Hacking Team. Hosted on Wikileaks, the emails contain frequent messages about deals between Hacking Team and the unit; Bartholomew believes Uzbekistan spent nearly $1 million on the Italian company’s services, looking at all the invoices in the leak.
But because the agency exposed its Windows exploits on the web, Kaspersky researchers were able to link them to other malicious software Bartholomew says were created by Candiru, namely those that appeared to be controlled by Saudi Arabia and the U.A.E. “Sloppy customers are bad customers,” the researcher said.
Human rights experts have now raised the alarm about Candiru’s customer base and the potential for abuse. Bartholomew and another source with knowledge of the attacks said he discovered Candiru surveillance software was used in previously reported hacks on Uzbek human rights activists and independent media.
“Each of these governments is a serial spyware abuser, and it is painfully predictable that civil society got targeted again,” said John Scott-Railton, a surveillance market researcher at the University of Toronto’s Citizen Lab. “For an industry that is trying to tell investors and regulators that it is working to clean up its act, providing spyware to these autocratic regimes is a guaranteed way to get it abused.”
...
And look at the remarkable relationship between NSO Group and Candiru: the main Candiru financial backer was Founders Group, co-founded by one of the three men who set up NSO, Omri Lavie, and one of the lead investors is Founders Group managing partner Isaac Zack:
...
Outside of Candiru’s apparent relationship with Dilian’s spyware enterprises—WiSpear and Intellexa—it has at least one tie to the most controversial of Israel’s surveillance providers: NSO Group. That’s because two industry sources said the main Candiru financial backer was Founders Group, cofounded by one of the three men who set up NSO, Omri Lavie.
As surveillance industry sources also told Forbes, one of the lead investors is Founders Group managing partner Isaac Zack. According to Pitchbook, Zack is also a board member at wireless charging startup Humavox and at Sepio Systems. The latter is a cybersecurity company, focused on doing the exact opposite of Candiru: protecting hardware from being turned into silent surveillance devices. Its board also includes Tamir Pardo, the former head of the Mossad, Israel’s intelligence agency.
...
So when we read about NSO Group and Candiru both being licensed out to countries like Saudi Arabia, it seems like kind of a package deal. You get Candiru for the Microsoft exploits and NSO Group for the other things.
********************************
Ok, we’re almost done with our excerpt marathon. A marathon that was almost all from just a seven month period starting in December 2020. FireEye delivers what felt like a nightmare at the time. And was and is a nightmare. Just not our worst nightmare. Not even close. Our nightmare scenario kept getting worse. Keeps going. It never ends.
And sure, it’s never going to end by definition. As long as there are computers there are going to be hack stories and some of them major hacks. But as we’ve seen, this has been an unusual seven month period. One mega-hack after another. It’s like cyber-climate change just started to become noticeable.
And throughout this wave of Microsoft mega-hacks, we’ve had Microsoft leading the way in attributions. It’s always a state-backed actor. Known within 24 to 48 hours. Conclusively. Russia or China. Don’t ask why. Just accept the conclusion. The highly self-serving easy conclusion that is far less terrifying than the idea of criminals carrying out these mega-hacks. Yes, the US government backs Microsoft on these attributions. Also without providing any hint of the evidence it’s based on. Just accept whatever attribution people come up with uncritically because, hey, they’re experts. They must know, right? That’s the climate of contemporary cyberattribution: Watching people engage in what appears to be reading the digital tea leaves to come up with the culprit, who then proclaim their findings like a forensic examination decisively concluded it. And for the most part this is absolutely unquestioned.
Now, it’s important to keep one thing in mind in terms of this cyberattribution regime: part of the reason Microsoft and governments make these attribution pronouncements without bothering to give any evidence and act as if we should just trust them is because we more or less have to do exactly that. We have to just trust Microsoft and governments and whoever else has access to the computer systems to study these hacks. Much of the evidence is private and someone has to go in and do the forensic cyber-investigations, examining malware, looking for ‘cultural artifacts’ or whatever. That’s all well and good and part of how a technologically complex society operates. It’s heavily trust-based.
But that’s precisely why the highly convenient and logically suspect narratives that continually pop up around these mega-hacks — where the culprit is always Russian or Chinese hackers, declared within days — are so problematic. We’re forced to trust the investigators because no evidence is ever given. And yet the conclusions always seem like they were conveniently made up and virtually never acknowledge the existence of a global industry of companies like NSO Group and Candiru. If activists are targeted, sure, a government running “commercial surveillance vendor” software might be suspected, as was the case with Candiru’s malware getting caught being used against activists. But that’s basically the only time we see this legal offensive cyber-for-hire industry come up in the attributions. It’s nearly always otherwise attributed to Russia, China, North Korea or Iran. Maybe criminals if no government networks got hit. But that’s basically it. That’s the contemporary cyberattribution regime. Those are the acceptable choices. Russia, China, North Korea, Iran, maybe criminals. While at least 40 governments around the world have NSO Group subscriptions. And stories like the Vault7 hacking tools that planted foreign ‘cultural artifacts’ are less than a decade old. Each individual hack might be hard to assess, but taken together it’s just implausible.
To get a sense of how implausible, here’s our final quick excerpt. It’s from October 2020, about the findings in Microsoft’s Digital Defence Report, which you can download here. The report includes a diagram (page 42) showing the percent breakdown by country of the state-backed attributions made by Microsoft’s Threat Intelligence Center (MSTIC) between July 2019 and June 2020. So this is Microsoft telling us what its own security experts found. There were just four countries on the entire chart. Guess which four: 52 percent of hacks attributed to state-backed actors were attributed to Russia, 25 percent to Iran, 12 to China, and 11 to North Korea. Now, take a moment to digest those numbers. 52 + 25 + 12 + 11 = 100. 100 percent of the state-backed attributions made between July 2019 and June 2020 by Microsoft were Russia, Iran, China, or North Korea. All of them. That’s why the ‘trust us’ attribution paradigm is so problematic. It’s hard to trust an implausible narrative:
The Independent
Russia responsible for over half of all state-sponsored hacking, Microsoft says
Attacks focused on political groups, rather than national infrastructure, in an attempt to affect other governments’ policy
Adam Smith
Friday 02 October 2020 14:57
Russia is responsible for over half of all state-sponsored hacking, vastly more than any other state, according to a new report from Microsoft.
Russian activity made up 52 per cent of all attacks between July 2019 and June 2020, the software giant’s Digital Defence Report states.
It is followed by Iran, which makes up 25 per cent of the attacks monitored.
China is responsible for 12 per cent of attacks, while North Korea and other states make up the final 11 per cent.
The majority of their targets have been in the United States, which is targeted 69 per cent of the time. The United Kingdom is the next most popular victim, receiving 19 per cent of attacks, followed by Canada, South Korea, and Saudi Arabia.
While there has been much concern over recent years that countries’ critical national infrastructure – such as the national grid or financial services – could be targeted by hackers, Microsoft says that is not the most common target.
According to the software giant, 90 per cent of attacks from nation-states have been focused on “nongovernmental organisations (NGOs), advocacy groups, human rights organizations and think tanks focused on public policy, international affairs or security.”
The company suggests that nation-states are hoping to influence government policy through subtler means, rather than targeting infrastructure directly.
...
————
Again, 52 + 25 + 12 + 11 = 100. Microsoft’s threat assessment team can apparently only determine hacks came from those four countries. Even at a time when dozens of governments have subscriptions to software from companies like NSO Group and Candiru and none of this is really a secret. It’s shameless. No states decided to abuse their super spyware? None at all? Just Russia, Iran, China, and North Korea? Yes, that’s what we are being asked to believe by Microsoft and Microsoft is the leading figure shaping this narrative. A narrative mostly about Microsoft vulnerabilities of late. Lots of Microsoft vulnerabilities and yet almost no mentions by Microsoft’s threat assessment teams of Candiru’s existence. The company exists to sell super Microsoft exploits to governments around the world and yet, in this entire collection of stories we looked at, it was only after CitizenLab publicly identified new Microsoft zero-day exploits Candiru’s clients were using against activists that we saw Microsoft even acknowledge the existence of Candiru.
But to really appreciate why this problematic cyberattribution narrative — where it’s always Russia, Iran, China, and North Korea — is so wildly dangerous to civilization, we have to appreciate how the SolarWinds hack and Microsoft Exchange mega-hacks relate to these seemingly soothing words from Microsoft back in October when it was assuaging concerns about attacks on critical infrastructure: nation-states are hoping to influence government policy through subtler means, rather than targeting infrastructure directly:
...
While there has been much concern over recent years that countries’ critical national infrastructure – such as the national grid or financial services – could be targeted by hackers, Microsoft says that is not the most common target.
According to the software giant, 90 per cent of attacks from nation-states have been focused on “nongovernmental organisations (NGOs), advocacy groups, human rights organizations and think tanks focused on public policy, international affairs or security.”
The company suggests that nation-states are hoping to influence government policy through subtler means, rather than targeting infrastructure directly.
...
Microsoft was telling us this as the SolarWinds hack was ongoing and two months before it was revealed. And as we’ve seen, both the SolarWinds and Microsoft Exchange mega-hacks could arguably be considered attacks on critical infrastructure. They were a very big deal. Especially the Microsoft Exchange hacks that could be automated and were carried out by seemingly for-profit criminal actors. That’s an infrastructure attack. Whoever carried this out was conducting a kind of digital infrastructure attack. It was that vast and aggressive.
But beyond the immediate damage by these mega-hacks, it’s the potential for seeds to have been sown for future even more devastating hacks that makes these stories absolutely devastating from a security standpoint. Basically every major organization’s computer networks got hit by sophisticated actors with a demonstrated capacity to deploy multiple zero-day exploits. We have every reason to believe they retained access to a large number of these networks. Remember what Bill Whitaker of Bolden told us: it would have been trivial for the SolarWinds hackers to have turned that malware into the kind of stuff that causes the computers on those networks to effectively self-destruct. A few dozen more lines of code. That’s how easily these kinds of mega-hacks can become major crises. Lethal crises. Imagine the digital infrastructure of most of the world getting crippled with ransomware simultaneously. A few dozen lines of code could have turned SolarWinds or the Exchange hack into the kind of hack that cripples physical infrastructure.
Now imagine a global strike like that that cripples every country’s digital infrastructure except, say, Russia’s. Or China’s. It would be treated as an act of war. And we could be pretty confident Microsoft and plenty of other actors in the security sector would be more than happy to provide those definitive attributions that, yes, it was Russia. Or China. Or Iran or North Korea or whoever is most convenient. Hacking has become the perfect crime in multiple senses. Not only can a hack be executed in a manner where no one can determine the identity of the culprit but, by virtue of that complication, anyone can become the culprit. True conclusive attribution is so difficult, and yet increasingly important and urgent, that civilization has collectively just turned to the digital security industry and governments and asked them to give us their best educated guesses and then we treat those best educated guesses as conclusive findings. It really is a faith-based attribution system. Increasingly faith in Microsoft being honest about Microsoft mega-hacks. There’s bad faith. And blind faith. And then there’s that kind of faith. Blind dumb faith in Microsoft’s honesty and integrity. It’s clearly very popular these days. Enjoy it while you still can.
Welcome to your new security nightmare. Brought to you by Microsoft: The company recently issued an update on a relatively new zero-day exploit. “PrintNightmare”. The appropriately named exploit really is a security nightmare. The vulnerability in Microsoft’s print spooling software — the software that manages which documents get printed next from the printer — potentially allowed hackers to install programs, change data and create new accounts with full user rights, among other actions. In other words, your entire computer network could be taken over.
Microsoft’s recent update on the vulnerabilities includes a new vulnerability that allows for the remote execution of any code on the system. It’s the kind of update that lets us know this vulnerability was even bigger than previously acknowledged, which is pretty amazing given the scope of the initial warning. It’s like learning you can be hacked even more thoroughly.
So what is Microsoft recommending in response to this latest hyper-systemic vulnerability? Disable the printer spooling services, for starters. Patch your servers. And finally, migrate to Microsoft’s Cloud services. And that appears to be what the ultimate ‘fix’ is going to be as this era of mega-hacks accelerates: flee to the safety of the cloud. Of course, as we’re going to see, the cloud may not be as safe as advertised. Surprise!
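As an added example (not code from the page, from Microsoft or from any vendor quoted here), the following PowerShell script audits a Windows host for the spooler mitigations just listed: it reports the service state, flags a spooler left running on a domain controller, checks the Point and Print policy values named in Microsoft’s CVE-2021-34527 guidance, records whether the host is a print server, and with -Disable stops and disables the service. The registry value names come from that guidance; the domain-role and shared-printer checks are our own additions.

```powershell
# Added example, not code from the page, Microsoft or Phalanx Technology Group.
# Audits a Windows host for the Print Spooler mitigations discussed above and, with
# -Disable, stops and disables the service. Run from an elevated PowerShell session.
param([switch]$Disable)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Service state. A host that neither prints nor serves printers does not need the spooler.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $spooler) {
    $findings.Add('Spooler service not installed')
} else {
    $findings.Add("Spooler status: $($spooler.Status); startup type: $($spooler.StartType)")
}

# 2. Domain controllers: the spooler runs as SYSTEM, so a compromised spooler on a DC is a
#    domain compromise. Win32_ComputerSystem.DomainRole 4/5 = backup/primary DC (our own check).
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -ge 4 -and $spooler -and $spooler.Status -eq 'Running') {
    $findings.Add('WARNING: Print Spooler is running on a domain controller')
}

# 3. Point and Print policy values from Microsoft's CVE-2021-34527 guidance.
#    NoWarningNoElevationOnInstall = 1 or UpdatePromptSettings = 1 removes the driver
#    installation prompts; RestrictDriverInstallationToAdministrators = 1 is the hardened setting.
$ppPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$pp = Get-ItemProperty -Path $ppPath -ErrorAction SilentlyContinue
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $value = if ($pp) { $pp.$name } else { $null }
    if ($value -eq 1) {
        $findings.Add("WARNING: $name = 1 (Point and Print prompts weakened)")
    } else {
        $shown = if ($null -eq $value) { 'not set' } else { $value }
        $findings.Add("$name = $shown")
    }
}
$restrict = if ($pp) { $pp.RestrictDriverInstallationToAdministrators } else { $null }
if ($restrict -ne 1) {
    $findings.Add('WARNING: RestrictDriverInstallationToAdministrators is not set to 1')
} else {
    $findings.Add('RestrictDriverInstallationToAdministrators = 1')
}

# 4. Shared printers mean this host is a print server; disabling the spooler here breaks
#    printing for its clients, so that is recorded rather than acted on (our own check).
$shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
if ($shared.Count -gt 0) {
    $findings.Add("Host shares $($shared.Count) printer(s); it is acting as a print server")
}

# 5. Optional remediation: only for hosts that are not print servers.
if ($Disable -and $spooler -and $shared.Count -eq 0) {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    $findings.Add('Spooler stopped and startup type set to Disabled')
} elseif ($Disable -and $shared.Count -gt 0) {
    $findings.Add('Not disabling: host is a print server (remove the shares first or accept the outage)')
}

$findings
```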
Ok, first, here’s a report from early July, when the world woke up to the newest Microsoft security nightmare: the genuinely terrifying ‘PrintNightmare’:
“The vulnerability — officially dubbed “CVE-2021-34527” — is found in how print spooler improperly performs privileged file operations, according to a Microsoft post. An attacker could use the vulnerability to install programs, change data and create new accounts with full user rights, among other actions.”
Who knows why Microsoft allows print spoolers to create new accounts with full user rights, but they did. And anyone who knew about this vulnerability could have potentially taken over the entire connected network.
And CVE-2021-34527 is just one of the vulnerabilities of this nature recently discovered. There was also CVE-2021-1675 found in June that is apparently similar but distinct:
It’s the kind of update that hints at more “similar but distinct” super exploits sitting there waiting to be found. And that’s exactly the warning we appeared to get from Kelly Yeh, president of Chantilly, Va.-based Microsoft partner Phalanx Technology Group last week after Microsoft disclosed a new Windows Print Spooler vulnerability. The new vulnerability allowed for remote code execution that would similarly enable hackers to install programs, create new accounts with full user rights and even view, change or delete data. As Yeh warns us, “This is going to be the first of many exploits that probably come out.” And since this print spooler exploit was the second vulnerability of this nature recently disclosed (the first one, CVE-2021-1675, came out in June), Yeh is already technically correct.
What should organizations do in response to one super-Microsoft vulnerability after another? Migrate to the cloud. That’s Yeh’s advice. Stop trying to locally manage things and let Microsoft do the management for you:
““This is going to be the first of many exploits that probably come out,” Yeh said. “That exploit [PrintNightmare] is actually a pretty big exploit, from what we were reading it can do.””
The first [actually second] of many exploits to come. Probably. Just wait. And in the meantime, we get to learn more about the known super-vulnerabilities. Like the ability to remotely execute code via the Print Spooler. It’s like total organizational access was built into Microsoft’s Printer Spooling software:
And, again, this is just the latest Microsoft security nightmare on top of all the rest. With more to come. What are cyber security professionals to do? Run to the sweet embrace of Microsoft’s cloud services:
Keep in mind that there isn’t anything magical about cloud environments. They can still be hacked but, ideally, there’s just a lot more resources focused on their security. At the same time, gaining access to a cloud environment would be the ultimate hacking prize. Many people have to be working on that challenge and it’s hard to imagine they aren’t going to succeed some day. And if we listen to CrowdStrike CEO George Kurtz in the following recent interview, that success has already been achieved. As Kurtz told the US Senate back in February in response to the SolarWinds hack, shortcomings in how Microsoft authenticates credentials have been replicated in the cloud. And don’t forget what we already saw in reports days after the SolarWinds hack was initially disclosed in December: the SolarWinds hackers demonstrated an ability to create password credentials for legitimate processes, enabling them to read emails from Microsoft’s Exchange Online cloud-based email service. So we’re already seeing hints of some sort of future cloud-based mega-hack. As Kurtz put it in the interview, “In other technologies, you can’t necessarily just steal passwords and use those encrypted passwords to authenticate to something...“But in the Microsoft world, you literally can steal an encrypted password, without even decrypting it, and pass that hash to another Microsoft system and access the system as if you knew what the password was.”:
“CrowdStrike has become one of Microsoft’s most vocal security critics, with Kurtz blasting “systemic weaknesses in the Windows authentication architecture” for exacerbating the impact of the SolarWinds hack during written and oral testimony before the U.S. Senate in February. Shortcomings in how Microsoft authenticates credentials have been replicated in the cloud, furthering customer pain, he said.”
It’s pretty ominous. At the same time experts are encouraging a mass migration to the cloud, we’re continuing to learn about new cloud-based vulnerabilities. Or not even cloud-specific vulnerabilities. That’s part of Kurtz’s critique of Microsoft’s security ecosystem: password hashes can be passed around from Microsoft-tool-to-Microsoft-tool without even decrypting them. Everyone is being asked to migrate their data and operations to a giant fancy vault filled with secret entrances:
Microsoft represents a “systemic risk”. That’s how CrowdStrike sees it, and it’s a risk that extends to the cloud. And yes, CrowdStrike is Microsoft’s direct competitor in the security arena so we shouldn’t be surprised by the criticisms. But these aren’t just random criticisms. The security issues with Microsoft are an empirical fact at this point. CrowdStrike is only warning about what our lying eyes and ears are already telling us.
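To make Kurtz’s point concrete from the defender’s side, here is an added PowerShell example (not from the page, CrowdStrike or Microsoft) that runs a pass-the-hash heuristic over a few constructed Security event 4624 records: a logon type 9 through the seclogo logon process with the Negotiate package is the footprint hash-injection tooling leaves on the source host (runas /netonly produces the same pattern, hence the note to investigate rather than block), and NTLM network logons for watched accounts are flagged because NTLM is exactly the protocol that accepts the hash without the password. The field names mirror the event’s XML data items; the sample records and the watch list are constructed.

```powershell
# Added example, not code from the page, CrowdStrike or Microsoft.
# Heuristic review of Security event 4624 records for pass-the-hash style activity.
# On a real host, build the event list from the Security log, for instance:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} |
#     ForEach-Object { ([xml]$_.ToXml()).Event.EventData.Data }   # Name / '#text' pairs
# The constructed records below use the same field names as those XML data items.

function New-LogonRecord {
    param($Time, $Type, $Process, $AuthPkg, $LmPkg, $User, $Workstation, $Ip)
    [pscustomobject]@{
        EventId = 4624; TimeCreated = $Time; LogonType = $Type
        LogonProcessName = $Process; AuthenticationPackageName = $AuthPkg
        LmPackageName = $LmPkg; TargetUserName = $User
        WorkstationName = $Workstation; IpAddress = $Ip
    }
}

# Constructed sample events (not real log data).
$sampleEvents = @(
    # Interactive Kerberos logon at the console: benign.
    (New-LogonRecord '2021-07-08T09:01:12' 2 'User32'   'Negotiate' '-'       'alice'      'WS01' '-')
    # NewCredentials logon through seclogo with Negotiate: the footprint that
    # hash-injection tooling (and runas /netonly) leaves on the source host.
    (New-LogonRecord '2021-07-08T09:03:40' 9 'seclogo'  'Negotiate' '-'       'alice'      'WS01' '::1')
    # NTLM network logon for a service account from a workstation: NTLM is the
    # package that can be satisfied with the stolen hash alone.
    (New-LogonRecord '2021-07-08T09:04:02' 3 'NtLmSsp'  'NTLM'      'NTLM V2' 'svc_backup' 'WS01' '10.0.0.15')
    # Kerberos network logon: benign.
    (New-LogonRecord '2021-07-08T09:05:30' 3 'Kerberos' 'Kerberos'  '-'       'bob'        'WS02' '10.0.0.16')
)

function Find-PassTheHashIndicators {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        # Privileged or service accounts whose NTLM use is worth tracking (constructed list).
        [string[]]$WatchAccounts = @()
    )
    foreach ($e in ($Events | Where-Object { $_.EventId -eq 4624 })) {
        if ($e.LogonType -eq 9 -and $e.LogonProcessName -eq 'seclogo' -and
            $e.AuthenticationPackageName -eq 'Negotiate') {
            [pscustomobject]@{
                Severity = 'High'; Time = $e.TimeCreated; Account = $e.TargetUserName
                Host     = $e.WorkstationName
                Reason   = 'NewCredentials logon via seclogo/Negotiate (hash injection pattern; rule out runas /netonly)'
            }
        }
        elseif ($e.LogonType -eq 3 -and $e.AuthenticationPackageName -eq 'NTLM' -and
                $WatchAccounts -contains $e.TargetUserName) {
            [pscustomobject]@{
                Severity = 'Medium'; Time = $e.TimeCreated; Account = $e.TargetUserName
                Host     = "$($e.WorkstationName) ($($e.IpAddress))"
                Reason   = "NTLM ($($e.LmPackageName)) network logon for watched account; NTLM accepts the hash without the password"
            }
        }
    }
}

$alerts = Find-PassTheHashIndicators -Events $sampleEvents -WatchAccounts 'svc_backup', 'Administrator'
$alerts | Format-Table -AutoSize
```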
So that’s the latest Microsoft cybersecurity nightmare update. ‘PrintNightmare’ is upon us and if you think there’s an easy solution your head is in the clouds. Well, ok, you can disconnect the printer. It’s the rest of the systemic risk you’ll still need to worry about.
Here’s an update on the SolarWinds mega-hack. Or rather, an update on SolarWinds-related major software vulnerabilities. As we’re going to see, there have been two major additional vulnerabilities discovered in SolarWinds software since the initial disclosure of the SolarWinds hack back in mid-December 2020.
Days after the first disclosure, there were reports of a second hacking team targeting SolarWinds customers. Not much was disclosed about the attack. We were told that this second piece of malware, dubbed “Supernova”, also targeted the SolarWinds Orion updating software. But unlike with the first SolarWinds hack’s malware (dubbed “Sunburst”), this new malware wasn’t “digitally signed”. Recall how part of what made the first SolarWinds hack so disturbing was how the hackers managed to sneak their malware into the software development process at the very last possible point, bypassing standard security measures designed to catch unwanted software. That’s what made the malware “digitally signed”. So Supernova doesn’t appear to have been incorporated into the SolarWinds Orion software in the same manner. That technical difference between the first and second SolarWinds hack appears to be part of the reason security researchers are assuming the two hacks were carried out by separate groups. As we’re going to see, it’s not actually a great reason for such an assumption.
Another related technical difference between the first ‘Russian’ SolarWinds hack and this second hack is the need for access to the target networks. As we’ve seen, part of what made the first SolarWinds hack so potentially devastating is the fact that backdoors onto client networks were delivered by the malware. The hack itself was what provided access to client networks. But with this second hack, some sort of previous network access that allows the hackers to interact with the Orion software on the target network is required.
Importantly, the first and second SolarWinds hacks serve two different purposes. The first hack was a hack of the Orion software itself that deployed the “Sunburst” backdoors on all of SolarWinds’ 18,000 client networks. The second “Supernova” hack is a hack that exploits a bug in Orion software to help spread the hackers across networks they had already compromised. So you could imagine the same hacker wanting to use both hacks on the same network. This is important to keep in mind because we are told that the fact that one hack requires network access while the other doesn’t suggests it was carried out by two different hacking groups.
Also note another important detail about the Supernova malware deployed in this second SolarWinds hack: it exploits weaknesses in the .NET software development framework. That’s one of Microsoft’s proprietary platforms.
So who is believed to be behind this second SolarWinds hack? Well, at the time it was first announced, researchers couldn’t say. But by February of this year, they were ready to name names: China did it! Because if it wasn’t Russia, it has to be China. Or Iran or North Korea. One of those four.
What’s the basis for this attribution to a China-based group? Very little. Anonymous sources first suggesting it was China back in February tell us the hack shared computer infrastructure and hacking tools with hacks previously attributed to Chinese hackers. That vague. The one somewhat detailed clue we are given comes from security researchers at Secureworks. The company found connections between a November 2020 Supernova attack on one of its clients and an August 2020 attack that didn’t involve Supernova. That August 2020 attack was somewhat miraculously tied back to China when the hackers apparently made the mistake of stealing Secureworks’s own endpoint security software from their hacked client and installing it on one of their own computers. The endpoint software predictably pinged Secureworks’s networks. That appears to be the sole piece of evidence connecting this second hack back to China. So both ‘Russia’ and ‘China’ were hacking the sh*t out of SolarWinds in parallel. That was the narrative that had emerged by February of this year.
Then, in July, we got reports of the other new SolarWinds hack. The new new hack. A third SolarWinds hack that focuses on exploiting vulnerabilities in the Serv‑U software made by SolarWinds. Like the second SolarWinds hack, the hackers need prior access to the victim network. The hack revolves around sending commands to the Serv‑U software with output that can be read remotely and used to grab information like passwords or modify files. It sounds like an incredibly powerful exploit.
And who is behind this third SolarWinds hack? China did it! Again! But a different group of Chinese hackers. We are told the vulnerability exists in the then-latest Serv‑U version 15.2.3 HF1, released on May 5, and all prior versions. So this super-exploit, which could potentially grant powerful access on the victim networks, had existed ever since Serv‑U was first deployed.
Now, why is this new hack attributed to China? We have no idea and are never told. Microsoft’s threat assessment report on the hack simply states twice that the group is based in China. That’s it. No other details on why this is a China-based group.
Oh, and there’s another important detail also left out of Microsoft’s report: the Serv‑U vulnerability only exists if Serv‑U is being run on Windows-based operating systems. Linux-based systems aren’t impacted. In other words, this Serv‑U hack kind of sounds like a Microsoft hack. Kind of like how the Supernova hack was a hack of Microsoft’s .NET framework. Somehow, the hackers were able to use the Serv‑U software to exploit underlying vulnerabilities in Windows. That’s the story we appear to be looking at. There is no mention of the fact that only Windows systems were vulnerable in the Microsoft threat assessment report. We have to look at the SolarWinds report on the hack to learn about this. Yes, Microsoft left out of its threat assessment report the fact that they deployed Supernova and the fact that only Windows systems were hit. Imagine that.
So what’s the common thread here? The same thread we’ve seen all along: the hacking attribution industry is just kind of making it up. Weaponized attributions, for profit. And in Microsoft’s case, a narrative necessarily shaped to defend itself from accusations of shoddy security. Sometimes appropriate skepticism is deployed and often it’s tossed out the window. What stays the same is the convenience of the narratives.
Ok, first, here’s a December 19, 2020, report that gives us the first glimpse of this second hack. Not much is known at this point other than the fact that the “Supernova” malware imitates SolarWinds’s Orion software, which is technically very different from the first hack, where the malware was embedded inside the Orion software itself. So this second hack required prior access to the victim networks:
“Security experts told Reuters this second effort is known as “SUPERNOVA.” It is a piece of malware that imitates SolarWinds’ Orion product but it is not “digitally signed” like the other attack, suggesting this second group of hackers did not share access to the network management company’s internal systems.”
Note the example of attribution logic being used here. The fact that this second hack didn’t share the “digital signature” of the first hack is seen as a suggestion that this second group of hackers did not share access to the “network management company’s internal systems”, which is a reference to the fact that the first hack originated with a hack of the SolarWinds Orion software developer’s computer, allowing the embedding of the backdoor malware.
Now, on the one hand, it’s a useful observation to note that one hack required access to SolarWinds’s own developer networks, which ended up giving access to client networks, while this newly discovered hack instead just requires access to the client networks. But keep in mind that it’s merely a suggestion that these are different hackers. It’s also important to keep in mind that there are scenarios where the same hackers could end up planting both this Supernova malware and the Orion backdoor from the first hack on the same system.
For example, we are told the first SolarWinds hack started in February of 2020, when the first compromised Orion updates went out to SolarWinds’s 18,000 clients. But as we’re going to see, it’s suspected that the ‘Chinese’ hackers behind this second SolarWinds hack, which required prior access to victim networks, relied on a separate ManageEngine ServiceDesk vulnerability, one being exploited as far back as 2018, to gain access to the networks. And as we’re also going to see, this newly discovered hack appears to allow the hackers to move laterally across victim networks, which serves a different purpose that is very compatible with the backdoor created by the first SolarWinds hack. But the narrative right out of the gate with this story was that it was completely unconnected to the mega-hack disclosed days earlier, based on the assumption that both exploits wouldn’t be needed by the same actor.
Next, here’s a February 2, 2021, Reuters piece where we get the first hint of an official attribution for the hack. China did it. Of course. That’s the word from anonymous sources involved with the investigation. We also learn from these anonymous sources that the hackers used computer infrastructure and hacking tools previously deployed by state-backed Chinese cyber-spies. That’s the extent of the details we are given. A vague reference to vague ‘pattern-recognition’ based on some spoofable technical indicators. SolarWinds, on the other hand, said that it had “not found anything conclusive” to show who was responsible.
And we also learn that this second hack served a different purpose from the first SolarWinds hack: it exploited a bug in Orion that helped the hackers spread across victim networks. So this second hack sounds like a potentially useful secondary attack that could have been exploited after the first SolarWinds hack created the backdoor granting that initial access:
“Security researchers have previously said a second group of hackers was abusing SolarWinds’ software at the same time as the alleged Russian hack, but the suspected connection to China and ensuing U.S. government breach have not been previously reported.”
It took a little over two months before ‘anonymous sources’ started pointing the finger at China. Which is actually a lot more time than the mere days it took for the first SolarWinds hack to get blamed on Russia. So what evidence were these sources pointing at? The hackers “used computer infrastructure and hacking tools.” No details or examples of shared infrastructure or tools. That’s it. It tells us nothing other than the fact that shoddy ‘pattern recognition’ techniques were being relied on:
But here’s where we learn some very important details about the nature of this hack: it was used to help spread across already-compromised networks. Which makes this the kind of exploit that sounds like a great partner for the first SolarWinds hack that compromised 18,000 client networks with backdoors:
A month later, in early March, we get another update. An update that would appear to tie the hack to China. It came from the research team at Secureworks’s Counter Threat Unit (CTU), who informed us that they first encountered the Supernova malware in November of 2020. Upon closer examination, they found similarities to a hack in August 2020 that was found to have been enabled by a vulnerability in the ManageEngine ServiceDesk software that the hackers likely exploited in early 2018. That ManageEngine ServiceDesk exploit is previously known to have been used by Chinese hackers. And it was during the investigation of this August 2020 hack that the hackers decided to install Secureworks’s own endpoint software on one of their computers and connect it to the internet. The endpoint software on the hackers’ computer predictably pinged Secureworks’s servers and the company had the information it needed to connect that hack to China (which ignores the obvious possibility of remotely using a computer from anywhere). This appears to be the extent of the evidence that the Supernova SolarWinds hack was carried out by Chinese hackers. Vague, spoofable digital clues:
“On Monday, researchers said the attack was likely carried out by a China-based hacking group they’ve dubbed “Spiral.” The finding, laid out in a report published on Monday by Secureworks’ Counter Threat Unit, is based on techniques, tactics, and procedures in the hack that were either identical or very similar to an earlier compromise the researchers discovered in the same network.”
Meet “Spiral”, who is definitely not “Hafnium” and definitely not responsible for the first SolarWinds hack. And not the Serv‑U SolarWinds hack we’re going to learn about in July. Only this second SolarWinds hack. And definitely from China.
That’s what Secureworks’s CTU concluded based on techniques, tactics, and procedures in the hack that were either identical or very similar to an earlier compromise of the same client: the August 2020 hack of the Secureworks client where the hackers stole Secureworks’s endpoint software from the client’s network, installed it on their own computer in China, and allowed it to ping Secureworks’s servers. And the August 2020 hackers shared certain traits like using the same commands and names, like “c:\users\public” as a working directory name. So some technical pattern recognition combined with reductive reasoning and/or wild guessing and/or convenient story-telling. This is the sausage-making of contemporary cyberattributions:
Also note the language in the Secureworks CTU report: “Characteristics of these intrusions indicate a possible connection to China.” A possible connection to China. Which is really all it is:
Now, jump forward to mid-July, and we learn about the third SolarWinds hack. This one by a different Chinese hacking crew. And this one sounds pretty serious in terms of the control it gives to the attackers. The Serv‑U attack allows hackers to install programs, and change or delete information. And every previous version of Serv‑U was vulnerable (but as we’ll see, only on Windows servers):
“Microsoft discovered the exploits and privately reported them to SolarWinds, the latter company said in an advisory published on Friday. SolarWinds said the attacks are entirely unrelated to the supply chain attack discovered in December.”
It’s definitely entirely unrelated to the SolarWinds hacks from December. Both. They don’t know much but they know that. Somehow. And it’s a vulnerability that’s existed in all previous versions of Serv‑U, so anyone who knew about it had plenty of opportunity. And plenty of potential for damage. The hack appears to give the attacker admin control over the computer. They can install programs, and add or delete information. That’s massive. Again, this is only going to be a vulnerability for Windows systems running Serv‑U:
Now let’s take a quick look at one of the fun facts found in the SolarWinds report on the Serv‑U hack: it only affects Windows computers. Linux systems aren’t impacted. In other words, the Serv‑U hack has another Microsoft Windows vulnerability at its core:
“Only SolarWinds Serv‑U Managed File Transfer and Serv‑U Secure FTP for Windows are affected by this vulnerability. Please note the Serv‑U Gateway is a component of these two products and is not a separate product.”
Only Windows systems are vulnerable. Weird how Microsoft failed to mention that in its threat assessment report on this very same vulnerability.
So we have not one but two additional SolarWinds hacks: one disclosed days after the initial hack and one seven months later. Both unrelated to the initial hack. Both from China. And both unrelated to each other. That’s what we’ve been told. With basically no evidence. What evidence we do have — like Secureworks tying the Supernova hack back to an August 2020 hack that pinged from China — suggests the evidence behind these attributions is tenuous guesswork at best. But at least Secureworks even bothers to vaguely describe its evidence. That’s more than we get from most.
And note how both of these new SolarWinds hacks appear to be, at their core, Microsoft hacks. The Supernova hack exploits a Microsoft .NET framework vulnerability and the Serv‑U hack only impacts Windows systems. And Microsoft is the company generally leading the global security responses to major hacks and defining our narratives. Again we have to ask, that’s a conflict of interest, right? Blind faith in Microsoft is hard enough as is. We don’t need blatant conflicts of interest with extraordinary stakes.
All sorts of extraordinary stakes. Long-standing stakes.
When we learned that Mexico was the first government to get a subscription to NSO Group’s malware back in 2011, one of the default questions raised by the revelation was: why Mexico? Of course, there’s a pretty obvious answer. Sadly, a default answer for Mexico: organized crime, in particular in relation to the drug war. It’s the kind of use case that would fit squarely under NSO Group’s list of official valid reasons for using its software. Terror and organized crime are precisely what the commercial surveillance industry touts as why it should be allowed to exist. Mexico certainly had no shortage of drug-related organized crime in 2011.
So with that ostensible reason for Mexico’s early access to NSO Group’s software in mind, here’s a piece from last month by Daniel Hopsicker with some pretty wild history related to NSO Group, Mexico’s use of commercial spyware, and the drug trade. And Carlos Slim:
Before NSO Group’s relationship with Mexico, there was Verint, another Israeli spyware-for-hire company. Verint’s relationship with Mexico appears to have started in 2003. That’s based on a press release issued in 2006 by Carlos Slim’s Telmex in response to another press release touting the Bush State Department’s sponsorship of Verint’s program to monitor Telmex’s entire network. And since Telmex is Mexico’s monopoly telecom provider, that was basically every phone in Mexico getting spied on by Verint. This was, again, paid for by the US State Department.
And then there’s the giant twist in Verint’s background: It turns out it was Verint in 2003 — back when it was called ECI Telecom — that leased the space for the headquarters of SkyWay Aircraft. As Daniel Hopsicker has covered in a number of articles and shows, SkyWay is like a collage of intelligence-protected illicit activity, with ties to everything from the April 2006 bust of 5.5 tons of cocaine on a SkyWay Aircraft plane to the 9/11 hijackers in Florida. As the Introduction of FTR#554 — an interview with Daniel Hopsicker — reminds us about the network of figures and companies surrounding SkyWay (owners of ‘Royal Sons’):
Recall how “Royal Sons”, owned by SkyWay, had an address that traced back to Huffman Aviation’s hangar at Venice Airport. SkyWay is a remarkably shady company. As we’ll see, a second SkyWay plane busted for a massive cocaine haul had previously been used in CIA rendition flights. So SkyWay has all the hallmarks of running an intelligence-connected drug trafficking operation, and it was Verint that leased SkyWay its office space in 2003, the same year Telmex tells us Verint’s mass spying on Mexican phones started, paid for by the US State Department.
And as we’ll also see, it appears that when Verint’s spyware was being used by the Mexican government during this period to fight against the drug cartels, there was one cartel left out: the Sinaloa cartel. In other words, the spyware was being used to allow the government of Mexico to fight and win a drug war on behalf of the chief cartel in bed with the government. With Slim in on the cut. According to Hopsicker, that’s what happened. Slim and the government of Felipe Calderon used Verint, and the force of the Mexican military and federal police, to fight a drug war the Sinaloa cartel was supposed to win.
There’s also a more direct connection to NSO Group: In May of 2018, it was reported that NSO Group and Verint were merging, although the talks were apparently ended a couple of months later. So Verint is alive and well, it would seem, which is another aspect of this story:
“In some shocking—and conveniently ignored—recent history, Carlos Slim, Mexico’s richest oligarch, between 2003 and 2007 was doing business with these same Israeli spyware vendors, which are all spin-offs from the intelligence unit of the Israeli Defense Forces, Unit 8200.”
It is indeed remarkably convenient that the pre-NSO Group history of Carlos Slim, Verint, and Mexico’s use of Israeli spyware gets ignored. Because as we saw, it’s a history involving the governments of Mexico, Israel, and the US. A whole bunch of very conveniently timed arrangements took place in the 2003–2007 Bush-era period. First, we learn that Carlos Slim’s telecom monopoly in Mexico signed a contract with Israeli spyware firm Verint to spy on Slim’s network. This effectively meant Verint was spying on every phone in Mexico. Verint remains active to this day. In May 2018, Verint was reportedly in talks to merge with NSO Group. Those talks were reportedly called off two months later (several months before Jamal Khashoggi’s assassination made NSO Group a problematic merger partner). That the two firms got that far along in merger talks is a sign of how close they are:
And Verint’s 2006 contract (when it was still Comverse) to spy on Slim’s entire network was paid for by the Bush State Department. The fact that Telefonos de Mexico (Telmex) selected a company with roots in Israel’s Unit 8200 was touted in a press release. And then Telmex issued a press release indicating the eavesdropping program actually began in 2003. So Verint’s contract to spy on every phone in Mexico was paid for by the US State Department and started in 2003. This was the kind of stuff that was getting quietly underway in those early War on Terror years:
But wiretapping Mexico on the US State Department’s tab is only part of what makes Verint such a fascinating company. As Hopsicker reminds us, it was none other than Verint who leased the land to SkyWay Aircraft. That was in 2003, when Verint — then called ECI Telecom — leased the land to SkyWay. Then SkyWay’s DC‑9 (N900SA) was busted in the Yucatan on April 11, 2006, carrying a record — even for Mexico — seizure on an airplane, 5.5 tons of cocaine. And as Hopsicker has discussed many, many times, that plane is like the physical embodiment of the dark history of intelligence-protected drug-trafficking, going back to Oliver North’s Iran-Contra operations:
Adding to the evidence that SkyWay Aircraft was an intelligence-protected operation, the DC‑9 (N900SA) was designed to impersonate official US DHS aircraft. And yet the plane was based at Clearwater-St Petersburg International Airport, which also housed a fleet of planes which belonged to U.S. Customs:
Oh, and the other SkyWay drug plane busted in a multi-ton cocaine bust during this period was previously used in CIA rendition missions. Keep in mind this was around 2006. Those were recent renditions:
And that’s all the context for how Verint was used in 2006 when Mexico’s President Felipe Calderon unleashed Verint’s spyware during Mexico’s battle with the cartels. It was a battle on the side of one cartel. The Sinaloa Cartel. Taking down Sinaloa’s cartel enemies was how Verint’s spyware was used. Paid for by the State Department:
These kinds of tools aren’t just perfect for quiet government abuse. They’re also perfect for those networks and agendas where organized crime, intelligence, and power politics coincide. And while the organized crime/intelligence/power politics nexus isn’t exclusively occupied by fascists, it’s concentrated with them. And that’s all part of the context of the contemporary story of NSO Group, Candiru, and the rest of the global spyware industry. These tools really are the perfect tool for criminals. So, you know, maybe governments are actually using these perfect criminal tools to help their elite criminal friends. Maybe extensively. Maybe especially when the State Department is paying for it.
Here’s a recent story about another Israeli “commercial surveillance” company coming under international scrutiny. This time it’s Cellebrite, the maker of special UFED devices used by law enforcement agencies around the world to break into smartphones, including US law enforcement. Alarmingly, these devices have even been found for sale on eBay. And now Cellebrite’s investors are hoping to cash in on their cutting-edge technology by issuing a public offering. You too can own a slice of this cutting-edge spyware firm. The company is estimated to be worth $2.4 billion.
But with the announced public offering comes a complication: people are starting to take note of who Cellebrite’s clients are and how they’ve been using these devices. Clients like Belarus, Indonesia, Saudi Arabia, and Bangladesh. Interestingly, Russia and China are also former Cellebrite clients, which is notable given all of the indications that the US is, at a minimum, quietly condoning Israel’s global sales of these tools, or outright paying for it, as was the case with the US State Department paying for Verint’s wiretapping of every phone in Mexico. But it’s the sale of Cellebrite’s tools to Bangladesh that has become a particularly sore point for the company’s public image. As the following piece by Richard Silverstein notes, Bangladesh’s Rapid Action Battalion of elite security forces has been known to engage in the torture and summary executions of gays, atheists, and political dissidents in a campaign that killed 465 people in 2018 alone. So Bangladesh has been unleashing what amounts to a state-sanctioned domestic terror campaign during the time Cellebrite has been selling the country exactly the kinds of tools that would facilitate that kind of domestic terror.
As we should expect, with Cellebrite getting ready to go public, the company is now touting to the world how it refuses to sell its tools to countries with a track record of human rights abuses, releasing a statement citing Bangladesh, Belarus, China, Hong Kong, Macau, Russia and Venezuela as examples of countries it refuses to sell to. As Silverstein points out, part of the reason Cellebrite listed all those countries is because they’re all former clients:
Notice how Saudi Arabia wasn’t on that list. Given what we know about the direct actions the Israeli government took to ensure Saudi Arabia maintained a subscription to NSO Group’s Pegasus super-spyware even after NSO Group dropped the Saudis in the wake of the global outrage over the killing of Jamal Khashoggi, it’s not absurd to assume that Cellebrite’s sales to Bangladesh are an important diplomatic tool. As Silverstein notes, in May of this year Israel was urging Bangladesh to normalize its relations with Israel. Those kinds of overtures become much more difficult when companies like Cellebrite are forced to cut off access in the face of public outrage. That’s all part of what makes this story of Cellebrite’s controversial public offering something to watch going forward. It’s the kind of transaction that could end up revealing aspects of these shadow relationships that are meant to be kept in the shadows:
“That might sound good to an uninformed individual. But the reason the list of countries it refuses to do business with for ethical reasons is so long and impressive, is that these are many of its most deadly former clients. Cellebrite had ditched many of these countries earlier, after Mack’s research exposed its sordid connection to them. But Bangladesh was one of the last dominoes to fall.”
It’s a lot more complicated selling your multi-billion dollar spyware firm when everyone knows about the human rights abuses that are going to be committed with your spyware. But it gets even more complicated when that powerful spyware doubles as a powerful diplomatic tool. It’s one reason we probably shouldn’t be surprised Bangladesh was the last of Cellebrite’s ‘problem’ clients to get dropped. Ongoing diplomatic overtures are getting in the way:
And note how the US government could impose some sort of punishment on the banks and private investors in these companies. It could happen, but doesn’t happen. A kind of silent consent:
Again, don’t forget that when NSO Group belatedly dropped Saudi Arabia as a client following the global outrage over the assassination of Jamal Khashoggi, it wasn’t just the Israeli government that pressured NSO Group to keep its Saudi clients. The Trump administration also reportedly wanted the Saudis to maintain access to the company’s spyware. And that’s why it’s hard to take Cellebrite’s pledges of being better seriously. The company isn’t really in a position to make these decisions on its own.
Plus, the fact that this industry has a habit of setting up shadow subsidiaries in order to get around export restrictions doesn’t exactly lend confidence to the idea that Cellebrite has suddenly turned over a new leaf:
You can build a secretive spyware firm, and you can take your company public, but taking a super secret spyware firm public is obviously a lot easier said than done. And yet, as Cellebrite is poised to demonstrate, it’s apparently doable.
Here’s one of those stories that should immediately prompt a ‘waiting for the other shoe to drop’ feeling:
The US Air Force’s first chief software officer just announced his resignation. But that wasn’t the only announcement in Nicolas Chaillan’s resignation letter. Beyond the expected charges of institutional inertia, Chaillan accused the Air Force of borderline criminal negligence when it comes to basic IT security practices, starting with the habit of putting mid-ranking generalist officers in charge of specialist projects. But it’s his complaint on fiscal-related issues that is perhaps the most shocking: The Air Force apparently couldn’t come up with the $20 million for 2022 for the main project Chaillan has been working on. Yep, the US military just couldn’t find the money. After being repeatedly told that the project he was working on was critical and being asked to develop a “minimum viable product” (MVP) — a scaled-down basic version of a new software tool designed to be released with basic features in order to get user feedback — in just four months, and after a massive undertaking and investment in the project, the Air Force told Chaillan that actually the $20 million won’t be there after all.
That painful disappointment was clearly a big driver in Chaillan’s decision to resign. But note that this project wasn’t exclusively an Air Force project. It was a Joint All-Domain Command and Control (JADC2) Department of Defense-wide project focused on making sure data can be seamlessly shared across platforms. Which was obviously a wildly important project impacting the entire US military. That’s the project the Air Force couldn’t find $20 million for next year. So on top of all the expected reasons for Pentagon challenges with IT security — some understandable and some less so — we can add a reason that has no fathomable justification: that the US military somehow couldn’t find the money:
“Please,” he implored, “stop putting a Major or Lt Col (despite their devotion, exceptional attitude, and culture) in charge of ICAM, Zero Trust or Cloud for 1 to 4 million users when they have no previous experience in that field – we are setting up critical infrastructure to fail.”
Are people with no IT security experience being put in charge of major IT projects for the military, setting up future military IT disasters? That’s what Chaillan is accusing the Air Force of doing. Which might also partially explain the opposition to DevSecOps practices that avoid the kind of security nightmares Chaillan is warning us about:
But of all of Chaillan’s complaints, the fact that the Air Force couldn’t find the money to fund a project its first chief software officer was working on is perhaps the most shocking. One doesn’t associate the US Air Force with being short on cash:
And as the following article describes, that Joint All-Domain Command and Control (JADC2) project the Air Force couldn’t find the money for in 2022 wasn’t just a random project. It was the project the Air Force had been telling Chaillan was absolutely critical, and they made a huge investment in creating a minimum viable product (MVP) version of the project in a matter of months to meet those needs. After all that, Chaillan was told the money wasn’t going to be there. The Air Force can’t find the money. It’s like the DoD was trolling him. The kind of trolling that might trigger an angry public resignation:
“In the memo, Chaillan noted that lack of funding along with DOD bureaucracy left his office and its mission “unempowered to fix basic IT issues.” Specifically, the software chief named his recent task of helping the Joint Chiefs of Staff with its efforts on Joint All Domain Command and Control, a DOD-wide effort to make sure data can be seamlessly shared across platforms.”
One would think a DOD-wide effort to make sure data can be seamlessly shared across platforms would be the kind of project that gets budget priority. Nope. The DoD couldn’t find the $20 million. This is after they asked Chaillan, the Air Force’s first ever chief software officer, to help with the project. And then they told him they couldn’t find the $20 million. Non-seamless communication it is then:
Keep in mind that when the DoD said it couldn’t find $20 million for 2022 to support this project, it sounds like that money was just for building the scaled-down MVP. The full project would obviously cost much more. But that’s possibly part of what enraged Chaillan. If the DoD can’t even come up with the money for a pilot project, what are the odds it’s going to be able to commit itself to the full project?
But there’s another obvious possibility in terms of what drove the Air Force to pull the plug on Chaillan’s JADC2 pilot project: someone wants to redirect that project towards somewhere else. It could be an intra-bureaucratic turf war. Or perhaps someone has a private contractor in mind?
And that brings us to the other major story that can’t be ignored in the context of the Air Force’s inability to commit to the JADC2 project: the Pentagon’s announcement in July that it was canceling Microsoft’s giant $10 billion JEDI contract that would accomplish much of what JADC2 would do in creating interoperability across the DoD’s IT systems. As we’ll see, when the DoD announced they were canceling the JEDI contract, JADC2’s overlapping capabilities were cited in the first paragraph of the press release giving the reasoning for the decision.
Instead of Microsoft having the JEDI contract, it sounds like it’s going to be divided up between multiple vendors, meaning competitors like Amazon and Palantir suddenly got a new opportunity to compete for slices of that JEDI contract.
So when we’re forced to interpret Chaillan’s public warning about the state of the military’s IT deficiencies, keep in mind that the pulling of the plug on Chaillan’s JADC2 project may have been one of the casualties in a giant contractor turf war that opened up after Microsoft lost the JEDI contract:
“The 10-year JEDI contract was awarded to Microsoft in 2019 after a fight among Amazon and other tech giants for the deal to modernize the military’s cloud-computing systems. Much of the military operates on outdated computer systems, and the Defense Department has spent billions of dollars trying to modernize those systems while protecting classified material.”
Microsoft won the big JEDI contract in 2019 to build the US military’s unified cloud. But the Biden administration put the JEDI program on ice, allowing the Pentagon to reimagine the military’s shared cloud under a multi-service-provider model. Microsoft and Amazon are both going to build the Joint Warfighter Cloud Capability (JWCC) next-generation military cloud. And while concerns about the Trump administration’s skewing of the bidding process against Amazon may have played a role in this decision, concerns about the inherent security risks of using a sole cloud provider also played a role...along with the fact that there have been so many mega security scares of late. If no cloud can truly be relied on, the next best option is to rely on many different clouds to minimize the inevitable damage:
But even compartmentalized clouds provided by separate contractors are still going to all have to interoperate if the JEDI vision of seamless interoperability is going to be realized. Compartmentalized, seamless interoperability. In other words, you’re still going to need the kind of functionality Nicolas Chaillan’s team was working on for the Pentagon’s JADC2 project.
And as the following Seeking Alpha investment article reminded us shortly after the Pentagon canceled the JEDI contract, if there’s one company out there in the commercial sector that is poised to fuse together the different components of the military’s cloud, it’s Palantir. And yes, it’s a Palantir cheerleader piece by someone who wants Palantir’s stock to rise. But you can’t argue with them when they point out that Palantir is already a top favored software provider for the US military and has been building and integrating software across different branches of the military and intelligence community for years. Through a series of bad decisions made with increasing frequency over the years, Palantir has become one of the key software providers for the US national security state, and connecting large numbers of databases into a single analytical platform is one of the company’s specialties. In other words, if it turns out that the reason the Air Force suddenly ‘couldn’t find’ the $20 million needed for Chaillan’s JADC2 pilot project was because someone at the Pentagon had an alternative commercial provider for those kinds of services in mind, there’s a very good chance the provider they have in mind is Palantir:
“PLTR was selected to safeguard the United States nuclear stockpile and has been selected to develop and integrate software throughout the United States military branches. The cancelation of the JEDI contract seems like a significant opportunity for PLTR, in my opinion. PLTR has been putting all of the pieces together to connect every aspect of our government defense capabilities. The new initiatives from the Pentagon seem like an open invitation for PLTR. I do not know what the government will do, but when you look at what has recently occurred and PLTR’s previous contracts with the government, it’s not far-fetched that these new initiatives play right into PLTR’s wheelhouse. The JEDI contract was worth $10 billion, and with it being scrapped and becoming a multivendor opportunity, I believe PLTR will get a portion of that pie.”
Again, it was never a good idea to allow a fascist-founded company like Palantir to develop such a central role in the US national security state’s digital infrastructure. But that happened. Palantir was even just selected to play a nuclear stockpile security role. Those awful decisions were made and now it’s hard to argue with the core argument behind this Palantir stock fan piece. The cancellation of Microsoft’s JEDI contract really was fabulous news for Palantir’s bottom line.
And that’s also why the angry public resignation of Nicolas Chaillan was also such good news for Palantir. If the DoD is losing interest in backing Chaillan’s JADC2 pilot project, that’s just more room for a company like Palantir to swoop in and provide those services under the new post-JEDI vision for the US military’s cloud. A vision that has yet to be finalized:
That’s all part of the context of Nicolas Chaillan’s public resignation involving the cutting of the JADC2 pilot project. It came two months after the cancellation of the Microsoft JEDI contract that opened up a new world of private contractor possibilities. And it sounds like those private contractor possibilities in this post-JEDI military cloud vision of the future include providing exactly the kind of JADC2 interoperability Chaillan was working on. Services Palantir appears well positioned to fill, putting the company at the center of the US military’s digital networks.
So should we expect the imminent announcement of Palantir stepping in to provide the JADC2 interoperability service in the US military’s DoD-wide cloud of tomorrow? Putting Palantir at the very core of the US military’s ability to communicate with itself? It would obviously be a giant leap of faith by the US military about the company’s integrity, a leap the US national security state took a long time ago. This is probably a good time to recall that Avril Haines, the current head of the ODNI, was a Palantir employee before joining the Biden campaign in 2020. The company has all the connections it needs to become the digital fabric that holds the US military together. Including the nuclear stockpiles. It’s part of why the Palantir stock boosters aren’t just puffing smoke. It really is a company with spectacularly terrifying possibilities and those terrifying possibilities keep becoming more and more real every day.
Remember Ptech, the threat assessment software firm that became embroiled in post‑9/11 anti-terror investigations involving the Muslim Brotherhood’s network of front organizations? And remember how Ptech had a stunning list of government agencies for clients, including the US Air Force, making this a story about a possible Muslim Brotherhood-connected firm conducting threat assessments for the US government? It’s a company worth recalling whenever we hear about massive systemic mega-hacks involving sophisticated spyware that can traverse an organization’s IT networks. Ptech’s services would probably be in extremely high demand these days.
And since the 20 year anniversary of 9/11 is upon us, here’s a look back at a January 2003 article in Computerworld about the Ptech investigation for the purpose of asking an intriguing question that really hasn’t been asked: Was Palantir started as a kind of replacement for Ptech?
It’s hard to ignore the parallels. Highly sensitive US national-security-related contracts were at the core of the business model for both Ptech and Palantir. Both companies make threat assessment-related software, although it sounds like Ptech’s threat assessment capabilities were more focused on IT network architecture, which is far less generic than Palantir’s machine-learning-based threat assessment capabilities. But who knows what Ptech would be offering today if it had maintained its position as the US national security digital threat assessment contractor of choice. And it turns out Palantir was started in 2003, meaning it got started after Ptech suddenly became a problematic post‑9/11 national security contractor. So it’s worth asking: was Palantir formed as a replacement for Ptech? Because as the following 2003 article about Ptech’s investigative troubles makes clear, the company really was a highly respected firm with a large number of important clients beyond the US government agencies. IBM even put Ptech’s flagship enterprise modeling product, FrameWork, at the center of IBM’s Enterprise Architecture Methodology. And this was still the case after all of the terror-related bad press for the company. In other words, Ptech was providing a product with heavy demand. Then, all of a sudden, Ptech became the kind of company other companies don’t want to do business with, hence the eventual name change to GoAgile. And that’s all why we have to ask: was Palantir started with the intent of replacing Ptech?
“Ptech’s crisis stems from a Dec. 5 consensual search by federal agents, which was broadly characterized by the media as an early-morning “raid” (see story). The search was part of an investigation of the company’s relationship with Yassin al-Qadi, a wealthy Saudi businessman and one of two “angel” investors who helped get Ptech on its feet in 1994. Al-Qadi, who was never a shareholder of record in Ptech and who later twice turned down Ptech requests for additional funding, is believed by the U.S. intelligence community to have financial ties to international terrorism.”
There’s bad PR and then there’s major terrorism-related bad PR. And in January of 2003, Ptech was suffering from a major case of the latter. The kind of terrorism-related bad PR that had its many government and Fortune 1000 clients taking a second look at whether or not they wanted to do business with the company. This was a company that rarely lost a competitive bid. And yet, even in the face of this awful PR, we had companies like IBM more or less sticking with Ptech. Their network threat assessment software was just too important to give up, even in the face of an investigation into a possible connection to 9/11. Ptech was clearly developing something extremely important to a lot of people:
Later that year, Palantir was started by Peter Thiel with the help of the CIA’s In-Q-Tel seed money. And yes, Palantir products don’t do exactly the same thing Ptech did. But we wouldn’t necessarily expect that to be the case. The big question is whether or not Palantir was founded with the intent of filling the gap created by Ptech’s post‑9/11 pariah status. Not that it would change much of anything if this was the case. It’s more just an interesting historical question at this point. So in the spirit of ‘better late than never’ it’s worth asking: To what extent does Palantir owe its current status as the US national security state’s go-to big data threat assessment service provider to Ptech’s post‑9/11 demise? And, depending on the answer, maybe some follow-up questions. Possibly a lot of follow-up questions.
Here’s an NSO Group-related story where the big story is really all the questions it raises about what else is going on:
It turns out the NSO Group’s customer list includes Germany’s federal police, the Bundeskriminalamt (BKA). An inability to develop their own comparable hacking tools is reportedly part of the reasoning behind the purchase, which, if true, is an example of how cutting edge these toolkits really are.
Here’s the part that raises all sorts of questions about what else the German national security complex has been up to: The 2019 purchase of NSO Group’s Pegasus software was made despite initial concerns inside the BKA that use of the tools would violate the German constitution, which blocks wiretapping in all but the most extreme cases.
How serious were these concerns? It’s unclear from the report, but the fact that talks with NSO Group started in 2017 and the contract was inked in 2019 suggests those internal deliberations took a while. But in the end those concerns were somehow alleviated. Was this due to extensive safeguards being put in place to ensure the spyware was only used when absolutely necessary and protected by the German constitution? We have no idea.
It also sounds like the BKA’s contract with NSO Group is still in effect. The BKA first got access to Pegasus in late 2020 and has reportedly used the tool in select operations concerning terrorism and organized crime since March of this year.
There’s another angle to this story that’s worth keeping in mind: As we’ll see in the second article excerpt below, it was only in 2020 that German courts ruled that Germany’s constitutional rights to privacy extended to the citizens of other countries living abroad. The ruling was in response to a 2016 German law that granted Germany’s BND the right to spy on non-Germans abroad.
So in 2016, Germany passes a law giving the BND permission to spy abroad. In 2017, negotiations between the NSO Group and the BKA start, and they are completed by 2019. Then in May 2020, Germany’s courts ruled the 2016 law was unconstitutional, but the contract with NSO Group remained in place and the BKA first received the software later that year. We’re told the tools have been put to use since March of this year. So we have to ask, given how useful Pegasus would be to the BND, especially during the 2016–2020 window when the BND was given the powers to spy on the world, was the BND going to end up being one of the end users of Pegasus too? Perhaps informally? Yes, NSO Group reportedly places georestrictions on where its spyware can be used, so that would theoretically prevent the BND from going wild globally with it, but who knows what kind of relationship Germany would be able to work out with NSO Group given the importance of the German-Israeli diplomatic relationship. Those negotiations with the BKA took quite a while to work out. That’s all part of what makes the story of the BKA getting its hands on Pegasus really part of a much larger story of Germany’s significant investment in digital spying capabilities:
“Despite initial legal concerns from within the BKA about the spyware, which allows its operators to take full control of any smartphones infected with Pegasus, a deal was inked with NSO in 2019.”
There were concerns, but those concerns were somehow addressed. We don’t know how, but the fact that a deal was reached in 2019 tells us they were addressed one way or another. The unsettling part is that we know so little about the actual terms of the contract and how the Pegasus software was ultimately used that it’s entirely plausible these concerns were addressed by simply dropping them:
We know there were concerns, and we know those concerns were somehow addressed, but we know hardly anything about how the spyware was actually used and what sort of oversight was deployed.
But that doesn’t mean we can’t wager a reasonable guess as to how the Pegasus spyware would have been used. Because as the following article from May of 2020 describes, it was only in 2016 that the German parliament passed a law allowing its intelligence services to spy on non-Germans abroad, something for which Pegasus would be an ideal fit. So while we don’t know if the 2017 NSO Group negotiations were directly tied to the passage of the 2016 spying law, it’s not too hard to connect these dots:
“The decision by the Constitutional Court found that parts of a 2016 law governing the country’s foreign intelligence agency, known by its German abbreviation BND, in part violated the universal right to privacy in communication. The ruling ordered the law to be rewritten to clarify the motivation for spying on individuals abroad, but it stopped short of banning the practice outright.”
Yes, it was 2016, the year before the BKA’s secret negotiations with the NSO Group started, when Germany passed a law allowing the BND to gather data on non-Germans outside Germany. This is the key context of the outreach to NSO Group the following year. Context that suddenly changed with that 2020 court ruling:
But how about after that 2020 court ruling? Are German intelligence services still using Pegasus? Yep. In fact, the BKA didn’t even receive delivery of Pegasus until late 2020 and only started using it in March of this year. So the BKA didn’t start using Pegasus until after German courts ended the historic expansion of Germany’s legal wiretapping powers, which is either a good sign or a very bad sign in terms of the likelihood the spyware has already been abused:
“According to the Süddeutsche Zeitung, BKA Vice President Martina Link confirmed to lawmakers that her organization had purchased the software. In late 2020, the BKA acquired a version of the Pegasus Trojan virus software. It has been used in select operations concerning terrorism and organized crime since March of this year.”
As we can see, Germany’s federal police apparently received the Pegasus software in late 2020, months after the German court ruling finding the 2016 law permitting the spying on non-German citizens was unconstitutional. And we’re told it wasn’t actually used until March of this year. So on the one hand, if we believe this timeline, it suggests the BKA hasn’t had a lot of time to abuse the Pegasus software yet. But it also highlights how Germany’s intelligence services were still willing to go ahead with the acquisition of Pegasus after a German court shot down the 2016 law granting those services the right to spy on the world. And when asked how NSO Group’s tools are being used, the government has repeatedly refused to say. Taken together, it’s the kind of constellation of data points all suggesting that Germany’s approach to addressing the potential constitutional abuses of these spyware tools is to minimize the oversight so those abuses don’t come to light:
So the overarching story here is a story of one part of the German government asserting greater spying powers and taking steps to obtain those powers, while another side of the German government has ruled this is unconstitutional. And the way this bureaucratic impasse has been addressed is apparently for the BKA to just proceed with the Pegasus acquisition and for everyone else to just kind of pretend it’s not being used unconstitutionally while questions are deflected or ignored.
And, again, this is merely the story of how Germany’s government is handling the temptation of something like Pegasus. Answering the question of how many other German constitutional violations are casually being swept under the rug in a similar manner is the much bigger story here.
It seems like every other week these days there’s an announcement about a new hacker-for-hire zero-day exploit that’s just been discovered. That was the case again last week when Citizen Lab announced the discovery of a new zero-day exploit on the phone of a Saudi activist in March of 2021.
But there was a notable new detail with this latest discovery: the attribution was made to NSO Group based on technical similarities to previous NSO Group hacks. In other words, the “pattern recognition” methodology for making cyberattributions. Instead of the traditional “pattern recognition” conclusion (Russian, Chinese, or Iranian hackers), the “pattern recognition” technique is now being deployed against NSO Group.
What’s the technical pattern? There were two technical details in the Citizen Lab report they cite in making the NSO Group attribution:
1. The newly discovered malware, dubbed FORCEDENTRY, used another technique, dubbed CASCADEFAIL, that is supposed to delete evidence of the malware’s manipulation from the victim phone’s SQLite database. A single database entry of evidence is left over. Citizen Lab’s researchers have only ever seen malware that leaves this last piece of leftover evidence in other NSO Group Pegasus malware.
2. The FORCEDENTRY malware generates multiple processes on the victim phone, assigning names to those processes. One of those process names, “setframed”, was the name of a process used in another NSO Group malware Citizen Lab discovered targeting an Al Jazeera journalist in July 2020. The Citizen Lab report adds, “Notably, we did not publish that detail at the time.”
So based on those two technical details, Citizen Lab made a “high confidence” attribution of this malware to NSO Group. And part of that high confidence was rooted in the fact that Citizen Lab never previously published that it found the same “setframed” process name used in an earlier NSO Group attack.
Now, on the one hand, that sounds like a pretty reasonable conclusion to arrive at given the circumstances. Those circumstances being that this appears to be the initial publication of these technical details and those details appear to be reasonably specific. But this is also turning into a wonderful example of how vulnerable technical “pattern recognition” really is to spoofing and erroneous conclusions. Because think about it: going forward, if malware is found to contain either of these two ‘features’, there’s a built-in bias that this is NSO Group malware. And it very well might be NSO Group malware making the same mistakes, but the fact that those two technical details are something a malware coder could easily incorporate into their malware design is an example of why the “pattern recognition” methodology is ripe for abuse.
It’s long been a fundamental challenge with the cyberattribution industry: Once the pattern is shared, that pattern is now shared knowledge that can be used to spoof future pattern recognition analyses. That’s why CitizenLab felt it relevant to emphasize that it hadn’t previously published the “setframed” process name. If it had previously published that process name, any malware designer could have easily intentionally had their malware use the “setframed” name to confuse cybersecurity analysts, which is now the case going forward.
Also keep in mind that the fact Citizen Lab never published the “setframed” process name from that previous NSO Group hack doesn’t mean the information wasn’t quietly shared with other entities. Trusted entities that end up passing it along to less trustworthy entities that might end up abusing it and using it to cover their own hacking tracks. It’s not like there’s an impenetrable wall between the cybersecurity industry and the hacker-for-hire industry.
So that’s really the interesting angle to this story. In many ways, it’s just the latest in a seemingly endless string of hacker-for-hire exploits sold to another foul government and used against an activist. But the fact that this got attributed to NSO Group based on technical pattern recognition makes this the kind of story that could be a harbinger of many more NSO Group pattern recognition stories to come. Some of them might be real NSO Group stories and some where NSO Group was set up. Either way, it should be fun to watch. Except not so much fun for all the new victims.
And that brings us to another grimly interesting aspect of pattern recognition being used to attribute highly sophisticated and targeted malware of this nature: A key issue with the prevailing “pattern recognition” attribution regime that seemed to always find a pattern from Russia, Iran, China, or North Korea was how it was almost designed to encourage outside actors to join in on the fun. Just put some stupid ‘Russian’ patterns like Cyrillic characters in your malware and let Russia take the blame. It encourages hacking that fits ‘the pattern’. And what’s the pattern in this case? Highly targeted hacks of prominent victims and activists using powerful zero-click exploits. Do folks want more of those?
So while it looks like Citizen Lab probably made the right call on this particular case of NSO Group “pattern recognition”, it’s going to be important to keep in mind that if we end up seeing a flood of copycat NSO Group malware stories based on similar patterns, that may not just be an NSO Group story. There’s a lot of competition in the global cybermercenary industry. Some might say too much competition:
“Citizen Lab said it was able to make a “high-confidence attribution” that the exploit had been created by NSO Group because they observed “multiple distinctive elements” in the spyware. An exploit is a technical vulnerability that allows spyware to infect a phone, and the code of the exploit discovered by Citizen Lab contained a specific bug that the researchers had only ever associated with NSO Group’s Pegasus in the past.”
We’re getting a peek at how the sausage is made. This was a high-confidence attribution made based on technical details tied back to previous hacks associated with Pegasus. The key terrifying feature this malware shares with a number of hacks associated with this mercenary hacking industry is the fact that it’s a zero-click hack that infects your phone whether you realize it or not. If it wasn’t NSO Group, it was another group with cutting-edge capabilities...willing to sell to Saudi Arabia:
And note that when we read about NSO Group dropping Saudi Arabia as a client in the wake of the Jamal Khashoggi killing, recall how NSO Group then changed ownership and once again took Saudi Arabia as a client. So that would actually be another data point pointing towards NSO Group: it’s likely forced to supply the Saudis super spyware:
And NSO Group probably isn’t the only ‘commercial surveillance vendor’ the Saudis are getting their zero-click super-spyware from. Again, NSO Group has competitors.
Now here’s the Citizen Lab report itself giving us more details on what the malware does and how they made the attribution. The attacker sends a PDF disguised as a GIF that triggers an integer overflow vulnerability in Apple’s image rendering library, allowing for arbitrary code execution. A nightmare bug. And they’re highly confident NSO Group was behind this nightmare bug based on the shared piece of non-deleted database evidence and the shared “setframed” process name. NSO Group got slightly sloppy:
“Citizen Lab forwarded the artifacts to Apple on Tuesday, September 7. On Monday, September 13, Apple confirmed that the files included a zero-day exploit against iOS and MacOS. They designated the FORCEDENTRY exploit CVE-2021-30860, and describe it as “processing a maliciously crafted PDF may lead to arbitrary code execution.””
Better watch out for the .gifs that are actually PDFs. Arbitrary code execution could be the result. Yikes! It’s certainly the kind of exploit that sounds like something NSO Group would be behind. And when it comes to this specific attribution, the pattern recognition based on two key pieces of technical evidence tying it back to NSO Group really does seem to be pretty solid evidence. The problem will be if the same clues are used in the future to tie hacks back to NSO Group. Anyone can make their malware leave behind these pieces of evidence. In other words, done right, the pattern recognition approach is kind of a one-off for a given pattern. Or at least until you share the pattern:
So we’ll see if more types of super-malware get discovered containing these technical details and get attributed back to NSO Group. But while it’s hard to have much sympathy for the company being set up to take the blame for other hackers, it’s worth keeping in mind that every hack misattributed to NSO Group is the cover story for another hacker, quite possibly one of NSO Group’s competitors. Competitors with client governments feeling extra emboldened too.
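One defensive tripwire suggested by the delivery mechanism described above (a PDF under a .gif name), as an added example that is not Citizen Lab’s, Apple’s or NSO Group’s code: a mail-gateway style check that compares an attachment’s declared type with the content a lenient renderer would actually parse. It goes slightly beyond the single case in the text by also flagging files that carry both a GIF and a PDF header; all sample attachments below are constructed.

```python
"""Flag attachments whose extension disagrees with the bytes a renderer will see.

FORCEDENTRY delivered a PDF under a .gif name. Renderers that sniff content
parse the PDF regardless of the extension, so a cheap tripwire is to sniff
the content ourselves and compare it with what the name claims.
Added example, not Citizen Lab's or Apple's code; sample bytes are constructed.
"""
import os
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Signatures that must appear at offset 0.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
}
# PDF readers accept the header anywhere in the first 1024 bytes, so leading
# junk does not stop a file from being parsed as a PDF.
PDF_HEADER = b"%PDF-"
PDF_SEARCH_WINDOW = 1024

EXT_TO_TYPE = {".gif": "gif", ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".pdf": "pdf"}


@dataclass(frozen=True)
class Verdict:
    filename: str
    declared: str       # type claimed by the extension, or "unknown"
    actual: Set[str]    # every type the content can be read as
    suspicious: bool
    reason: str


def declared_type(filename: str) -> str:
    """Type implied by the file extension alone."""
    _, ext = os.path.splitext(filename.lower())
    return EXT_TO_TYPE.get(ext, "unknown")


def sniff_types(data: bytes) -> Set[str]:
    """Every format the bytes could be parsed as (more than one means polyglot)."""
    found = {kind for kind, sigs in MAGIC.items() if any(data.startswith(s) for s in sigs)}
    if PDF_HEADER in data[:PDF_SEARCH_WINDOW]:
        found.add("pdf")
    return found


def inspect_attachment(filename: str, data: bytes) -> Verdict:
    declared = declared_type(filename)
    actual = sniff_types(data)
    if "pdf" in actual and declared != "pdf":
        return Verdict(filename, declared, actual, True,
                       "PDF content under a non-PDF name (FORCEDENTRY-style disguise)")
    if len(actual) > 1:
        return Verdict(filename, declared, actual, True,
                       "polyglot: content parses as " + "/".join(sorted(actual)))
    if declared != "unknown" and actual and declared not in actual:
        return Verdict(filename, declared, actual, True,
                       f"extension says {declared} but content is {next(iter(actual))}")
    if declared != "unknown" and not actual:
        return Verdict(filename, declared, actual, True,
                       f"extension says {declared} but no known signature found")
    return Verdict(filename, declared, actual, False, "declared type matches content")


def scan(attachments: Iterable[Tuple[str, bytes]]) -> List[Verdict]:
    return [inspect_attachment(name, data) for name, data in attachments]


# Constructed sample attachments (not real files).
SAMPLE_ATTACHMENTS = [
    ("vacation.gif", b"GIF89a" + b"\x00" * 32),                      # genuine GIF
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32),                # genuine JPEG
    ("invoice.pdf", b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\n"),   # genuine PDF
    ("funny.gif", b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\n"),     # PDF disguised as GIF
    ("cat.gif", b"\x00" * 16 + b"%PDF-1.5\n"),                        # junk-prefixed disguised PDF
    ("logo.png", b"GIF89a" + b"%PDF-1.5\n"),                          # GIF/PDF polyglot
]

if __name__ == "__main__":
    for v in scan(SAMPLE_ATTACHMENTS):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{flag:10} {v.filename:14} declared={v.declared:7} "
              f"actual={'/'.join(sorted(v.actual)) or 'unknown':8} {v.reason}")
```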
The deluge of NSO Group-related stories does not appear to be letting up any time soon. We just got a report on another instance of a rogue undemocratic government using the spyware on journalists. This time, it’s Viktor Orban’s rogue undemocratic government of Hungary, making this just the latest EU-related NSO Group story. Recall the recent reports on Germany’s federal police also obtaining NSO Group tools.
But while the story out of Germany was about the acquisition of spyware tools that are ripe for abuse, the story out of Hungary is about actual identified abuses. Specifically, an investigation by Direkt36 — an investigative media outlet and member of the Pegasus Project consortium — discovered signs of the Pegasus spyware on the phone of Budapest-based photojournalist Dániel Németh. The hacks took place at some point in July 2021, while Németh was reporting on the whereabouts of Lőrinc Mészáros, a former gas fitter who has become one of Hungary’s richest men in the past few years. Mészáros also happens to be a childhood friend of Orban and once attributed his success to “God, luck and Viktor Orbán”.
And it’s that twist — that a journalist who was tracking a close personal friend of Orban got hacked — that raises one of the obvious questions about this entire business model of selling super sophisticated spyware to governments around the world: given that most governments are run by people who are personal friends or business partners with the most powerful private interests in the nation (or the world), what’s to prevent those associates from asking the government to target a particular individual on their behalf? As we’ve seen, NSO Group’s go-to defense when faced with accusations about the abuse of its spyware is to point out that the company itself has no information on how its spyware is used. In other words, there’s basically no safeguard against a government running hacks on behalf of powerful friends of the government. It’s up to the integrity of the government itself. And as we’ll see, in the case of Hungary, the intelligence services can order surveillance with no judicial oversight, only the signature of the minister of justice, in cases where ‘national security is at stake’.
Let’s also keep in mind that there’s nothing ensuring governments are only running special favor hacks for the powerful people in their own country. Anyone around the world with connections to the government could potentially ask for such a favor. So with Viktor Orban having successfully transformed Hungary into a kind of global far right networking hub, the question of who may be asking Orban for special hacking favors is far from obvious. Heck, Tucker Carlson could probably call in a favor with Orban at this point. That’s the bigger story here. It’s a facet of the NSO Group story that the globe has yet to even recognize, let alone address:
“A security officer formerly with one of Hungary’s intelligence services told Direkt36 that, according to his knowledge, Hungarian services started using Pegasus in 2018. The Hungarian government has not denied that it uses Pegasus, nor did it deny the surveillance of the people Direkt36 has reported about.”
Hungary isn’t even denying it. Nor are they citing a ‘national security’ interest. You have to wonder if that’s part of a tactic to intimidate journalists and let them know they can expect to be hacked, or if its just a reflection of Orban’s sense of impunity. Either way, it’s pretty clear Orban’s government intends to keep extremely close tabs on Németh’s whereabouts and communications. They literally hacked an older phone the day after it was activated:
And note how the government doesn’t even bother to explain why Németh was hacked, despite not denying it happened. That’s all part of why it’s hard to avoid suspicions that that was anything other than a favor by Viktor Orban for a wealthy and powerful friend who happened to be the target of Németh’s investigation:
Keep in mind it’s possible Orban ordered the surveillance on his own, without Mészáros requesting it. After all, if Mészáros made his fortune due to Orban’s will, odds are there’s some incredible graft that goes along with that story. Orban probably has a lot of Mészáros-related activities he’d prefer remain out of site. But, again, while we have no idea who actually ordered the hacks and why, what we do know is that the system is perfectly set up to enable private ‘favor’ abuses. Because we know there’s virtually no oversight of how these tools are used. NSO Group makes that clear in its public ‘defenses’ every time one of these abuse stories hit the wires. It’s solely up to the government client on whether or not abuses take place and whether or not those abuses are done for government interests or private interests:
How many of Orban’s friends around the globe have quietly asked for hacking ‘favors’ of this nature? That probably depends to some extent on what types of geolocation restrictions NSO Group imposed on Hungary’s contract. Recall how NSO Group will grant permissions to hack phones from particular countries for a client, but while we’ve been told that phones from a few countries like the US are off limits, we’ve never really heard about other geolocation restrictions. In other words, we don’t have a good sense of how much of the rest of the world for which Viktor Orban’s government could be granted hacking permissions. Can he only hack inside Hungary? How about neighboring countries? How about distant countries half way across the world? We have no idea.
But what we do know is that dozens of governments around the world are NSO Group clients, so if someone wants to hack you, odds are there are multiple governments out there with permissions from NSO Group to do exactly that. And while we don’t know if governments around the world are carrying out hacking ‘favors’ for powerful private interests using NSO Group’s tools, we can be confident the company is doing absolutely nothing to prevent it because it’s doing absolutely nothing to prevent any client abuses, whether or not that government client is conducting the hack for its own purposes or on behalf of some powerful private friends. We can be confident of all this because the company keep reminding us of how it does nothing to prevent abuses every time there’s another abuse story. It’s the kind of corporate alibi that could only leave NSO Group’s guilty clients feeling extra emboldened to getting guiltier.
Here’s a story related to the Microsoft Exchange mega-hack that could end up becoming part of the January 6 Capitol insurrection story. Or perhaps become part of just another GOP corruption scandal. We’ll see, but it’s the kind of hacking story that has immense potential to go in a lot of different directions due to the fact that the victim in this story happens to be the GOP. And when a notoriously corrupt entity gets hacked, it’s safe to assume the hackers are in possession of at least some evidence of that corruption. Nothing tells the tale of wrongdoing quite like an email trail.
Specifically, the Republican Governors Association (RGA) announced that it was a victim of the Exchange server hack first announced in March of this year. The RGA said it was hit at some point between February and March of 2021.
The extent of what was stolen is unclear. The group appeared to be minimizing the potential impact by implying only a small portion of its email environment was accessed: “RGA determined that the threat actors accessed a small portion of RGA’s email environment between February 2021 and March 2021, and that personal information may have been accessible to the threat actor(s) as a result.”
It’s the kind of vague assurance that could mean almost anything. After all, by what metric are they measuring a “small portion of the RGA’s email environment”? Keep in mind the nature of the Exchange hack, where hackers have the potential to not just steal the emails stored on the Exchange server but take control of the computer hosting the Exchange server itself and spread across the victim’s network. The scale of the potential damage is so vast that there’s no meaningful way to interpret what “a small portion of RGA’s email environment” actually means in a technical sense. For all we know it’s just the RGA’s way of sugarcoating the damage by vaguely pointing out that only the emails were stolen and the rest of their network wasn’t ransacked. We’re left to guess, but we know at least some information was stolen.
Beyond that, we can be pretty confident about the content of any stolen emails. At least some of them. This was February, after all, when the ‘stolen election’ and state election audits would have been front and center for the entire Republican Party, more so than even today. So what did the hackers actually get their hands on? We’re told some people had sensitive personal information like Social Security numbers stolen, but what about sensitive, embarrassing emails revealing the intra-party struggle over how to proceed with the ‘stolen election’ narrative that was taking place inside the RGA at the time? There’s no indication such emails were obtained, but we wouldn’t expect an indication if they were. At least not from the RGA. If we’re going to receive any indication the hackers stole embarrassing or sensitive emails, it’s the hackers who are going to reveal it.
Adding to the political dynamic here is the fact that Microsoft and the US government have already attributed the Exchange hack to a state-backed Chinese hacker group, Hafnium. At least the initial Exchange hack that reportedly started on or around January 6. Recall how we are told that “Hafnium” was quietly exploiting the vulnerability from early January up until March, when the vulnerability was announced by Microsoft and criminal hacker groups apparently then went on a global spree hitting virtually every remaining vulnerable Exchange server connected to the internet. So based on that timeline and the fact that the RGA hack took place in February, it would suggest that the RGA was hit by the initial Hafnium hacker group.
So while the attribution of the original hack to a state-backed Chinese hacking crew never appeared to be based on any evidence and instead appeared to be the latest instance of a cyberattribution being conveniently made out of thin air, the fact that it was officially attributed to China is the kind of fun fact that potentially plays into the GOP’s whole ‘Chinese hackers stole the election from Trump’ narrative. A narrative the RGA was probably still hammering out during the time those emails were stolen.
How will the attribution to Chinese hackers play into how this hacking story plays out? That presumably depends a lot on whether or not this becomes a bigger story which, in turn, likely depends on whether or not the hackers end up exposing some of those stolen emails and whether or not the emails happen to be scandalously embarrassing:
“Following an investigation started after March 10, “RGA determined that the threat actors accessed a small portion of RGA’s email environment between February 2021 and March 2021, and that personal information may have been accessible to the threat actor(s) as a result.””
The hackers just accessed a small portion of the RGA’s email environment, and maybe some personal information was stolen. It’s a remarkably downplayed statement. Nothing to worry about outside of concerns about stolen Social Security or credit card information. But, of course, for an organization like the RGA, credit card and Social Security information isn’t the kind of sensitive information they have to worry about.
It’s also rather notable that the RGA isn’t yet making hay about the alleged Chinese origin of the hack. Isn’t this kind of free propaganda? Why isn’t more being made of it? Instead, we get this vague, terse statement about some possible stolen personal information from a small portion of the Exchange environment.
It raises the question of how we might expect the RGA to react if it did indeed determine that highly embarrassing emails were stolen. Would we expect them to preemptively go on the offensive and make a huge story about Chinese blackmail in order to mitigate the possible future damage? Or would we expect the kind of downplayed response we actually got? That’s the big question raised by this story. When the GOP passes up an opportunity for bombast and bluster we have to ask why.
Here’s a pair of articles about another emerging NSO Group-related scandal. It’s the kind of scandal that underscores what is perhaps the greatest danger of the explosion of this global marketplace for cutting-edge spyware sold to governments: beyond the fact that there’s no guarantee the spyware is going to be exclusively used for legitimate government interests, there’s also no guarantee the spyware is necessarily going to be used by the governments themselves. As NSO Group reiterates every time there’s a new scandal about a client abusing its toolkits, the company isn’t tracking who its clients target. And that means there’s nothing to prevent those government clients from lending these tools out to private interests. As we saw with the story of a Hungarian journalist who had his phone hacked with Pegasus in what appeared to be retaliation for his reporting on one of Viktor Orban’s close friends, there really doesn’t appear to be any control over not just how these tools are actually used but on whose behalf.
And that brings us to the following reports of a letter sent by Mexico’s president to the Israeli government asking for the extradition of a former top Mexican security official, Tomás Zerón, who fled to Israel in August 2019. It’s suspected Zerón has connections to NSO Group. Recall how Mexico was NSO Group’s first foreign client starting back in 2011.
Yes, NSO Group’s first foreign client is asking Israel to extradite Mexico’s former top security official, who also happens to have ties to NSO Group. It raises the obvious question of whether or not Zerón fled Mexico for reasons having to do with Mexico’s purchase of NSO Group’s Pegasus spyware.
So what are the charges against Zerón? They appear to be focused on the role Zerón played in overseeing the criminal investigation agency of the Attorney General’s Office. In particular, Zerón’s oversight of the forensic work done on the investigation of the 2014 disappearance and murder of 43 Mexican college students. The students all hailed from a training college with a history of left-wing activism and the students reportedly regularly took part in protests. The students were traveling back to their college when they were confronted by municipal police who opened fire on the buses. 43 students vanished after the clash and are suspected of having been handed over to local drug cartels by the police officers. Zerón’s investigation had long been criticized by the families of the students. Two independent teams of experts have cast doubt on the insistence of Mexican officials that the students’ bodies were incinerated in a huge fire at a trash dump. Additionally, many of the suspects arrested in the case were later released, but claimed they had been tortured by police or the military. So the overall investigation into Zerón focuses on what is now believed to be an intentionally botched investigation that literally tortured witnesses as part of the corrupt cover-up.
It’s a genuinely horrific case pointing to the depths of the corruption inside the Mexican government. But it also demonstrates the depths of the ties between the Mexican government and the drug cartels that Mexico was ostensibly allowed to buy NSO Group’s Pegasus software to combat. That’s why we have to ask: is the government of Mexico sharing Pegasus with the cartels it’s in bed with? And why aren’t similar questions valid for every other corrupt government with access to these tools?
But as we’re going to see in the second article excerpt below from the Daily Beast, the suspicions that NSO Group’s tools could have been shared with drug cartels aren’t just circumstantial. Because it turns out there’s a Mexican drug cartel connection in the story of how NSO Group first got Mexico as a client back in 2011. Yep!
And there’s a rather wild twist to this story. The kind of twist that, at this point, shouldn’t really be all that surprising: one of the figures who played a key role in connecting the Mexican government to NSO Group was none other than Elliott Broidy. It’s a name that’s become increasingly familiar as the guy has managed to pop up in connection with almost every Trump-related scandal over the past four years. Recall how Broidy, the former finance chair for the RNC, has simultaneously been operating as a foreign agent. For example, Broidy worked closely with George Nader as a foreign agent for the UAE and Saudi Arabia and was deeply enmeshed in many of the under-investigated aspects of the 2016 Trump campaign shenanigans involving. Also recall how Nader, Erik Prince, and PsyGroup’s Joel Zamel were involved in a secret Saudi/UAE-funded effort to help get Donald Trump elected in 2016 via tactics like social media manipulation campaigns. Broidy, like his partner Nader, really is an international man of mystery. The kind of sordid, scandalous mystery fitting for a story about corrupt Mexican spyware deals.
And as we’re going to see, Broidy’s history of sordid mysteries includes the mystery of the role he played in facilitating Mexico’s first NSO Group contract back in 2011. Broidy continues to deny he played any role at all and says that any such talk is libelous. He wants no part of it. Perhaps because, in the end, it sounds like he was ultimately robbed of being part of the final deal after his partner in the deal discovered Broidy was planning on going behind his back and creating a separate deal. It was a tri-middle-man deal: Broidy, his former employee Matan Caspi — whose Israeli technology export company had already signed up to help export NSO Group’s technology when he reached out to Broidy about Mexico — and “Mr Lambo” Jose Susumo Azano Matsura. Azano is the middle-man on the Mexican side. He owned the technology company that ended up getting the NSO Group license for Pegasus. It was Azano’s company that licensed Pegasus to the Mexican military.
Azano also happens to have apparent ties to Mexican drug traffickers and was under FBI investigation in relation to that less than a decade before they were putting together this deal. And while Broidy was ultimately cut out of this tri-middle-man arrangement, Azano wasn’t. His company got the power to issue Pegasus licenses in Mexico, which raises basic questions like whether or not his company had access to the software itself. Was Azano’s company effectively acting as a proxy overseer of how Pegasus was being used? We have no idea, and NSO Group isn’t saying whether or not it has similar middle-man deals with other client states. But whether or not Azano’s company somehow played a role in making Pegasus available to Mexico’s drug cartels, it isn’t really necessary. Mexico’s government is clearly in bed deeply enough with the cartels that it’s probably ready and willing to just operate Pegasus on the cartels’ behalf. They’re partners. So as we watch to see how the Mexican extradition request of Tomás Zerón plays out and whether or not new insights are learned about the slaughter of those students, it’s going to be worth keeping in mind that this might be an NSO-related story for more reasons than just the fact that Zerón fled to Israel and happens to know the NSO Group founders. It’s a story about the Mexican government being deeply in bed with the drug cartels at the same time NSO Group was selling Mexico the kind of super spyware cartels would most definitely kill for:
“The supposition is that Zerón and others tortured witnesses, illegally detained suspects and mishandled evidence to try to bring the investigation to a quick conclusion or cover up what really happened.”
It’s not hard to see why Zerón is a prime suspect here. Not only were the students initially attacked by the police but the witnesses were allegedly tortured. It was the worst kind of cover-up. And then he fled the country. As the saying goes, it’s the cover-up, not the crime. But when the cover-up is this openly violent and corrupt, it’s also still very much the crime. Something horrid remains hidden. A relationship between the Mexican government and drug cartels that’s probably even worse than suspected:
And while there’s not yet any direct connection between the 2014 slayings of those 43 students and Mexico’s NSO Group contract, it’s hard to ignore the fact that Zerón had the kind of job that would have likely given him access to Pegasus, is known to have ties to the founders of NSO Group, and ended up fleeing to Israel. It’s the kind of constellation of facts demanding that we ask what the NSO Group angle is to the slayings of those 43 students.
And that brings us to the following Daily Beast story from a couple months ago describing the previously unknown role played by Elliott Broidy in brokering the initial NSO Group contract with Mexico. One of three middle-men between NSO Group and the Mexican government. Broidy’s former employee Matan Caspi reached out to him in 2010 on behalf of Caspi’s Israeli technology export company, hoping to use Broidy’s contacts in Mexico to export Pegasus. Broidy pointed him towards “Mr. Lambo” Jose Susumo Azano Matsura, whose company, Security Tracking Devices SA de CV, ended up getting the exclusive right to sell NSO Group licenses in Mexico. Azano then licensed it to the Mexican military for a higher price. That’s the original tri-middle-man relationship. The fact that Azano had been under US investigation in association with Mexican drug traffickers less than a decade earlier wasn’t a dealbreaker.
But Broidy apparently never got his cut, after he tried to cut Caspi out of the deal and Caspi cut him out first. At least that’s what various parties claimed in a lawsuit that erupted over the kickbacks in 2015. Broidy claims he knows absolutely nothing about NSO Group or any of this and it’s all lies:
“The documents do, however, raise troubling questions about the Israeli spyware maker’s recent claim that its products are intended for “the sole use of thoroughly vetted and approved governmental agencies charged with maintaining public safety and security.” Broidy’s contact in Mexico—a man nicknamed “Mr. Lambo” for his love of Italian sports cars—later served time in a U.S. federal prison for making illegal foreign contributions in an American election. A document filed by federal prosecutors in San Diego revealed that “Mr. Lambo” was investigated by U.S. authorities for a host of other crimes for which he wasn’t charged, including drug smuggling.”
Elliott Broidy sure knows a lot of interesting people. People like “Mr. Lambo”, his contact in Mexico. This is how Broidy was playing the middle-man role: Broidy had the contacts in Mexico and NSO Group. And playing such a middle-man role in international business isn’t necessarily scandalous. But when you’re in the middle of a peddler of super spyware like NSO Group on one side and a billionaire businessman, Jose Susumo Azano Matsura, with a history of being under US investigation in relation to Mexican drug trafficking on the other side, that’s when being a commercial middle-man becomes much more scandalous. Broidy was the matchmaker that set up a particularly dangerous relationship. Especially dangerous to the people of Mexico if Azano’s suspected drug cartel associates ever got access to something like Pegasus:
What should have added to everyone’s concern at the time is the fact that NSO Group wasn’t even directly licensing Pegasus to the Mexican government. It was licensing it to Azano’s company, which proceeded to re-license it to the Mexican military for a higher price. A great arrangement for arranging everyone’s kickbacks. And who knows what kind of freedom this arrangement gave Azano to quietly distribute Pegasus to other parties. It’s a highly suspicious arrangement for a lot of reasons:
Another reason Elliott Broidy has to deny any association with NSO Group is that it didn’t sound like he was simply a middle-man looking for a finder’s fee commission. He was operating as an NSO Group representative, along with Matan Caspi — Broidy’s former employee who returned to Israel to co-found Rayzone Group, an Israeli cybersecurity firm that offers “boutique intelligence-based solutions for national agencies” — and Caspi’s partner. Broidy was likely set up to get a serious commission. Those are Caspi’s allegations in the lawsuit that broke out between the different people involved with this sale. Again, Broidy has a lot of reason to deny knowing anything about this:
But, in the end, Broidy was locked out. After he apparently got greedy and tried to create a direct relationship with NSO Group. In other words, Caspi was playing a middle-man role too. Broidy and Caspi were each other’s middle-men, with Azano playing a third middle-man role of sorts. Quite a deal. And Broidy tried to cut out one of the three middle-men, but that middle-man found out and cut Broidy out first instead. It’s hard to have much sympathy based on the available facts. Recall that we are told Caspi was the one who approached Broidy about this whole thing:
Given that history of how Mexico’s notoriously corrupt government became NSO Group’s first foreign client, and given the story of the Mexican government’s extradition request for Tomás Zerón, who was known to be close to the founders of NSO Group, it’s worth asking what the odds are that the story of Zerón’s cover-up investigation of the slaughter of those students happens to include an angle involving the corrupt use of Pegasus on those students. Don’t forget, these were activist students who were slaughtered. For the municipal police to attack those buses and hand the kids over to drug cartels to be slaughtered, they presumably had a reason to want at least some of those kids very dead. Pegasus spyware on the phones of these activist students would have been a very convenient way for corrupt parties to acquire a reason to want to see some of them very dead. It raises the grim question of whether or not those students were about to break a big story on some sort of deep corruption between the police and cartels. Were these students Pegasus targets before the slaughter? We don’t know, but based on the CitizenLab Pegasus investigation we know Pegasus was used against top Mexican lawyers, journalists and anti-corruption activists. Maybe by corrupt police? Maybe by cartels that got their hands on the super-spyware from those corrupt police? Or maybe they got it through their connections to Azano’s middle-man Pegasus distribution company? Who knows. We just know we have every reason to suspect that, yes, Pegasus could have been used on these students. It’s been that kind of situation in Mexico since 2011:
So that’s all part of what makes the story of the Tomás Zerón extradition request something to watch. Zerón is clearly deeply implicated in the wildly scandalous sham investigation of the 2014 activist student slaughter. And, circumstantially speaking, those students appear to fit the profile of the kind of people known to be targeted by Pegasus. They certainly sound like anti-corruption activists. The whole sequence of events that led up to the attack on the student convoy involved the traditional temporary commandeering of buses from Iguala by students, intended to be driven back to the rural college to take the students to a march in Mexico City commemorating the 1968 Tlatelolco student massacre.
Is there a Pegasus abuse angle to the story of the 2014 student slaughter? We’ll see if the extradition request for Tomás Zerón and Zerón’s ties to NSO Group end up leading to the asking of that question. It’s possible there’s no Pegasus angle at all with the slaughter of those students. One theory is that the students inadvertently commandeered a bus containing police-protected heroin intended to be shipped to Chicago. Under that scenario, it would just be bad luck that triggered the events. Hopefully one day we get some clarity on what actually happened. But regardless of what actually happened in that case, the fact of the matter is the slaughter of those students happened during a period when the Mexican government had access to nearly unstoppable spyware while it was in bed with drug cartels.
And that’s just Mexico. A similar situation probably exists between the rest of NSO Group’s government clients and those clients’ shadiest and most powerful criminal friends. In countries where you can’t separate the underworld from the overworld there’s no realistic way to keep something like Pegasus out of the wrong hands. Mexico is just an early example of what must be going on all over the world thanks to the explosion of the super-spyware global marketplace over the last decade.
Oh, and it’s worth pointing out that Elliott Broidy has a close working relationship with A LOT of other known NSO Group clients. Mexico was NSO Group’s first foreign client. So the guy that got iced out at the last minute of the Mexico deal under what appears to be shady circumstances (initiated by Broidy’s greed to cut out Caspi), also happens to have spent much of the last decade working as a foreign agent for a whole bunch of other very eager NSO Group clients. Did Elliott Broidy get to play middle-man for any of those other countries? Let’s hope investigators somewhere end up investigating that question. Elliott Broidy doth protest waaay too much on this one.
Oh look, another mega-hack. Yep, an obscure company few have ever heard of just quietly let the world know that potentially billions of people had their private information stolen. A LOT of private information potentially. So much so, one privacy expert suggested the hackers could know more about you than your doctor. The hackers could have accessed metadata such as call length and cost, caller and receiver’s numbers, the location of the parties in the call, as well as the content of SMS text messages. Information on who you called, when you called, where you called from, how long you called. Plus text message content. It’s a remarkable data profile on almost any individual.
And thanks to that text message access, the hackers can potentially interfere with 2‑factor authentication schemes. That means they could have had indirect access to internet accounts protected with SMS 2‑factor authentication like Google, Microsoft, Facebook, Twitter, and Amazon. That’s why this is potentially such a massive hack.
That’s the news from Syniverse, a company that handles billions of text messages for telecommunications companies across the world. Ninety-five of the top 100 mobile carriers in the world, including the big three U.S. ones (AT&T, Verizon, T‑Mobile), are Syniverse customers. The company informed the world of the hack in documents it filed with the SEC back in August in anticipation of an IPO.
So when did this occur? May of 2016. So whoever did this has had access to this treasure trove of information for over 5 years. And, again, we only learned about this from the company’s SEC filings in anticipation of going public. In other words, the company was put in a position where it kind of had to disclose the existence of this hack to the public. It would be pretty scandalous to conduct an IPO without revealing that. Who knows how long this would have remained under wraps had the company not been forced to disclose it to the SEC.
It also all raises the question of who the private owners are that are taking this company public: Carlyle Group. The private equity firm purchased Syniverse in 2011 for $2.6 billion. As we’ll see in the second excerpt below, Carlyle intends to remain a minority shareholder following the IPO.
So one of the largest hacks ever took place in 2016. We have no idea when Syniverse actually discovered the hack, and we are only learning about it now, five years later, in a quiet SEC filing the company issued back in August in anticipation of going public. Brought to you by the Carlyle Group:
““With all that information, I could build a profile on you. I’ll know exactly what you’re doing, who you’re calling, what’s going on. I’ll know when you get a voicemail notification. I’ll know who left the voicemail. I’ll know how long that voicemail was left for. When you make a phone call, I’ll know exactly where you made that phone call from,” a telecom industry insider, who asked to remain anonymous as he was not authorized to speak to the press, told Motherboard in a call. “I’ll know more about you than your doctor.””
Syniverse knows more about you than your doctor. Ninety-five of the top 100 mobile carriers in the world, including the big three U.S. ones, use Syniverse. And now whoever hacked Syniverse potentially knows all that information too. On potentially billions of people. Since May 2016. Beyond that, the hack potentially allowed for the interception of texting-based 2‑factor authentication systems (where a web service sends your phone a one-time pass key to log in). It’s the kind of hack that could be perfect for gaining access to major internet services like Google, Microsoft, Facebook, Twitter, Amazon. That’s why the scale of this hack is so stunning. It’s potentially a mega-hack. Another mega-hack:
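To make the 2‑factor point above concrete, here is an added example (not code from the original post, Syniverse, or any carrier) that models SMS-delivered login codes with the carrier path as a component an outsider can read. The code consumed by an observer at the hub is the same single-use code the real user was waiting for, so the user’s own attempt then fails, which is the one signal a service has that something went wrong. For contrast it also includes a device-bound time-based code (TOTP, RFC 6238), which the post does not mention and which is assumed here as the standard alternative: the secret is established once at enrollment and the login code is computed on the phone, so nothing login-related crosses the carrier. All names, numbers and the `CarrierChannel` model are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct


class CarrierChannel:
    """Constructed model of the SMS path through a carrier interconnect hub.
    Whoever controls the hub can read everything that passes through it."""

    def __init__(self):
        self.log = []  # what a compromised hub operator would see

    def send(self, number, text):
        self.log.append((number, text))


class SmsOtpService:
    """Login service that delivers a 6-digit single-use code over SMS."""

    def __init__(self, channel, ttl_seconds=300):
        self.channel = channel
        self.ttl = ttl_seconds
        self.pending = {}  # user -> (code, expiry)

    def start_login(self, user, phone_number, now):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (code, now + self.ttl)
        self.channel.send(phone_number, f"Your login code is {code}")

    def finish_login(self, user, code, now):
        entry = self.pending.get(user)
        if entry is None:
            return False
        expected, expiry = entry
        if now > expiry or not hmac.compare_digest(code, expected):
            return False
        del self.pending[user]  # single use: the first presenter wins
        return True


def latest_code_seen_at_hub(channel_log, phone_number):
    """What a passive reader of the hub sees: the most recent code for a number."""
    for number, text in reversed(channel_log):
        if number == phone_number and "code is " in text:
            return text.rsplit(" ", 1)[1]
    return None


def sms_otp_scenario():
    """Returns (hub_observer_accepted, legitimate_user_accepted)."""
    channel = CarrierChannel()
    svc = SmsOtpService(channel)
    now = 1_700_000_000  # constructed timestamp
    svc.start_login("alice", "+15550100", now)
    seen = latest_code_seen_at_hub(channel.log, "+15550100")
    observer_ok = svc.finish_login("alice", seen, now + 5)
    # The code is now consumed, so the real user's attempt is rejected.
    user_ok = svc.finish_login("alice", seen, now + 10)
    return observer_ok, user_ok


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 (assumed alternative; not discussed on the page)."""
    counter = struct.pack(">Q", int(now) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10**digits):0{digits}d}"


class TotpService:
    """Login service whose second factor never leaves the device over the carrier."""

    def __init__(self, channel):
        self.channel = channel
        self.keys = {}

    def enroll(self, user):
        # Shared secret set up once at enrollment (e.g. scanned from a QR code), not sent by SMS.
        self.keys[user] = secrets.token_bytes(20)
        return self.keys[user]

    def verify(self, user, code, now):
        return hmac.compare_digest(code, totp(self.keys[user], now))


def totp_scenario():
    """Returns (legitimate_user_accepted, number_of_messages_that_crossed_the_carrier)."""
    channel = CarrierChannel()
    svc = TotpService(channel)
    device_secret = svc.enroll("alice")
    now = 1_700_000_000
    code_on_device = totp(device_secret, now)
    return svc.verify("alice", code_on_device, now), len(channel.log)
```

The design point is where the secret lives: in the SMS flow the only thing proving possession of the phone is a value that the carrier, and every interconnect hub between the service and the handset, gets to read in the clear. Short expiry and single use limit replay, but cannot help against someone reading the message at the same instant the user does.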
The hack is also obviously “espionage gold” as Senator Wyden put it, which already has fingers pointing toward a state-sponsored actor. And while it’s certainly possible a state actor was behind this, let’s not pretend that the commercial value of a hack like this isn’t immense. Also note how there are zero clues about the perpetrator so far:
Next, note the assurances from Syniverse: don’t worry too much because no damage has actually been detected. It’s not exactly reassuring. But also keep in mind the nature of this hack: it allowed hackers to collect mobile-phone metadata on people and potentially compromise web site credentials, allowing the hackers to access services like Google or Amazon. That’s not necessarily the kind of damage that’s going to leave an obvious evidentiary trail leading back to this hack. In other words, given the nature of this hack, we shouldn’t really expect Syniverse to be in possession of evidence of how the hack was actually used:
Now here’s a quick reminder that the current owners of Syniverse who brought the world this mega-hack, the Carlyle Group, are going to remain minority owners once they’re done taking Syniverse public again:
“The Carlyle Group will also stay on as a minority owner. Two other firms, Oak Hill Advisors and Brigade Capital Management, will invest $265 million through the purchase of stock at below market value.”
Let’s hope the public ownership of Syniverse somehow leads to more effective management now that the Carlyle Group is poised to partially cash out. But whoever ends up owning Syniverse after this IPO is all over has already learned a powerful and important lesson: one of the largest hacks ever can take place on your watch for years, it may have been covered up, and there’s basically no consequence to the owners. That may not be the lesson we want Syniverse’s new owners to take from this whole thing, but it’s hard to see how that’s not the lesson they’re learning right now.
Here’s a pair of articles about NSO Group’s mysterious competitor, Candiru, and the two firms’ relationship as competitors but also possible partners. The first article excerpt also directly relates to the fascinating story of international man of mystery Elliott Broidy and the 2011 role he played in securing NSO Group’s first foreign client, Mexico:
First, recall how NSO Group and Candiru both specialized in mutually compatible hacking products, with NSO Group focusing on smartphone hacks (iPhones and Android devices) while Candiru appears to have a specialty in hacking Microsoft products. Also recall how one of Candiru’s financial backers is NSO Group co-founder Isaac Zack. So it already looked like the two firms are sister-mercenary hacking companies.
Well, the following Haaretz article from September of 2020 covers a lawsuit between Candiru and the company’s vice president of sales from 2015–2018, who is referred to as “S” in the article. S makes a number of conflict-of-interest allegations against Zack, who is not just the chairman of the company but also the chair of the agent committee that oversees the “agent” intermediaries in client countries who facilitate the transactions. Agents who receive 15% commissions, according to documents filed in the case. Recall how the NSO Group sale to Mexico in 2011 that Elliott Broidy was involved with included the “Mr. Lambo” Mexican businessman who was basically acting as an intermediary along with Broidy. It really does sound like S was playing a Broidy-like role for Candiru, hooking the company up with governments. And for significant commissions. 15% is potentially tens of millions of dollars for S based on the revenues also cited in those documents.
The lawsuit appears to center around commissions S feels they are still owed. The anonymous “S” claims Candiru had no clients and was only in two negotiations when he joined at the end of 2015. By the beginning of 2016, Candiru had “a large number deals in the advanced stage with clients in Europe, the former Soviet Union, the Persian Gulf, Asia and Latin America.” In other words, “S” is claiming they showed up and brought in a large number of deals that were rapidly moved to advanced stages in a matter of months. And this figure stayed on until 2018. So “S” is presumably someone involved with a large number of Candiru’s client deals.
You have to wonder about the identity of “S”. How connected are they? That’s like Elliott Broidy-league shady connections, but “S” doesn’t appear to be Broidy. Who was able to show up at Candiru and generate high-end offensive cyber-sales to countries around the globe? We don’t know, but whoever they are they are pissed about how they were treated for their stellar cybersales performance. So if what “S” is claiming is true, it’s possible for a new super-spyware company to go from zero clients to clients around the world almost overnight. S did it. Yikes.
S points to Zack’s obvious conflict of interest in overseeing sales of Candiru’s products given Zack’s ownership of shares in NSO Group at the time. Recall how NSO Group’s ownership changed hands in 2019 following the Jamal Khashoggi assassination, suggesting Zack’s ownership in NSO Group may have ended at that point.
But S’s conflict-of-interest accusations against Zack go much deeper and point at the synergistic nature of Candiru’s and NSO Group’s strengths: NSO Group specializes in hacking smartphones and Candiru specializes in Microsoft products. Governments have a strong incentive to hire both firms. But as we’ve seen, Candiru has also been moving into non-Microsoft hacks, like Chrome hacks. S claims Candiru decided in 2017 to develop non-Microsoft hacks for smartphones — NSO Group’s territory — but Zack suddenly blocked the sales and marketing of those new exploits in early 2018. Was Zack protecting NSO Group? That’s the obvious implication of S’s complaint, with the other implication being that this ban on non-Microsoft exploits crimped S’s commissions.
Candiru counters that S broke the agent rules protecting against bribery and corruption. This is one of those times where it’s worth noting that both Candiru’s and S’s claims could be true. They aren’t mutually exclusive. Zack may really have taken conflicted steps to protect NSO Group’s exploit dominance in the marketplace. And S may have broken the bribery and corruption rules. These aren’t mutually exclusive scenarios:
“The company helps law enforcement and intelligence agencies in various countries hack into computer systems without permission, to conduct surveillance, steal information and even cause damage. But what the company actually does remains largely a riddle. However, a lawsuit filed by a former employee sheds light on some of their operations, which it seems the firm would prefer be kept in the dark.”
If you want to learn about a super-secretive industry, follow the legal disputes. That’s one of the lessons in this story. Because as was the case with Elliott Broidy and the 2011 role he played in NSO Group securing its first foreign client in Mexico, where contract disputes between the multiple-middlemen sales team became a key source of knowledge of how the industry operates, we’re seeing the same scenario play out with Candiru. We know nothing about how the company operates outside of what we’re learning in this sales agent contract dispute lawsuit. These companies operate like black boxes. That’s why these lawsuits are so important for our general understanding of this relatively new industry that secretly exploded over the last decade.
And observe how explosive that growth appeared to be for Candiru. It’s what the lawsuit is all about. S claims to be the source of much of that initial growth and was working there from November 2015 to December 2018. So it’s probably unfinished 2018 deals that the suit revolves around:
But it’s the accusations involving Candiru’s largest shareholder, Isaac Zack, that are the most interesting in terms of establishing what the relationship really is between Candiru and NSO Group. Again, NSO Group’s ownership changed hands in 2019 following the Jamal Khashoggi assassination, suggesting Zack’s ownership in NSO Group may have ended at that point. And “S” was at Candiru from 2015 to 2018. So during S’s time at Candiru, Zack was the largest shareholder and sat on the agents committee, but was also a shareholder at NSO Group. Plus, Candiru and NSO Group literally share law firms. And industry observers expect Candiru and NSO Group to eventually merge, due, in part, to their synergistic toolkits. That’s all part of the conflict of interest charge S is alleging in the lawsuit. The guy overseeing the Candiru sales team had large investments in one of Candiru’s main competitors. Those are the claims of “S”, who also claims to have brought in enormous numbers of new government clients almost overnight after joining at the end of 2015 and who clearly doesn’t feel like they were adequately compensated:
But it’s S’s claims about Zack’s nixing of the sales of Candiru’s smartphone-targeting malware in early 2018 that are particularly interesting in terms of what’s in store for the future of Candiru and NSO Group. That’s when S alleges the sale and marketing of a newly developed line of “cellular attacks” (smartphone hacks) that Candiru decided to develop in 2017 were halted by Zack. Hacks that more or less overlap with what NSO Group specializes in. Keep in mind that we’ve seen non-Microsoft exploits attributed to Candiru in 2021, so Candiru appears to have gone ahead with the sale of non-Microsoft exploits in the end. But it still points towards the obvious potential synergy of merging these two companies:
It’s worth keeping in mind that, while it’s entirely possible plans for a future NSO Group/Candiru merger were behind Zack’s decision to halt the sales and marketing of Candiru’s smartphone attacks, it’s also possible there’s an active desire to compartmentalize the industry by the types of attack. An oligopoly of monopolies. Like it might be better for one company to specialize in attacking Microsoft products while another specializes in iPhones, etc. There’s the obvious monopoly logic just in terms of competing for precious elite hacker talent. But beyond that there’s the simple fact that the more competition there is in the creation of these elite hacking tools, the greater the rate at which the industry is going to burn through zero-day exploits. There are only so many possible zero-day exploits at any given point, many with redundant purposes, which is why you don’t necessarily want to deploy redundant zero-days at the same time, running the risk that more of your bag of tricks will get discovered unnecessarily. This is an industry where collusion between the competition can create powerful win-win situations.
Interestingly, given the rapid number of deals “S” claims to have developed almost immediately for Candiru in late 2015/early 2016, Candiru responded to the lawsuit by arguing that “S” was breaking the agent committee rules set up to prevent bribery and corruption. So we have dueling, but not mutually exclusive, pictures. It’s the kind of dueling accusations that raise obvious questions about what sort of bribery and corruption S was engaged in to secure all those deals. Unfortunately, Candiru doesn’t want to share that publicly and pushed for the trial to be conducted behind closed doors:
Finally, regarding the claims by both Candiru and NSO Group that the malware can’t be deployed in the US, Israel, Russia and China, take a look at the next article from last week about a new report on where Candiru’s malware just showed up:
Four countries are on the do-not-deploy blacklist. But as the following article suggests, it might be more of a greylist. Because Candiru’s malware was just found on computers in Russia and Israel according to the September report by cybersecurity company ESET. They’re described as infected “computers” in the report, suggesting these aren’t smartphones. They might be laptops, which raises the distinct possibility they were hacked outside of these countries. We don’t know. But it’s a reminder that even citizens and residents of declared do-not-hack countries can’t really expect to be protected once they leave their do-not-hack countries:
“ESET researchers, the report says, “Discovered indications of DevilsTongue malware in our telemetry data, affecting about 10 computers” in Albania, Russia and the Middle East. The malware was found in Israel, the Palestinian territories, Turkey and other parts of the region.”
Of the 10 computers ESET found with Candiru’s malware, 2 of them came from the do-not-hack countries Candiru claims its malware can’t hack. Maybe these 2 computers were hacked in different countries. We don’t know. What we do know is that any new meaningful insights into how companies like Candiru or NSO Group actually operate — from how they sign up clients to the oversight or lack thereof of those clients after they’re given the super-malware — will likely only be learned from more “agent” lawsuits.
We’ve long been told that the NSO Group’s spyware can’t target US and UK-based phones. But how true is that really? Is this like a built-in safeguard, where the Pegasus spyware automatically prevents the targeting of phones with numbers that start with a ‘+1’ or ‘+44’ (the US and UK country codes)? Or is it a ban purely rooted in policy, where NSO Group merely asks clients not to hack US or UK phones but clients could do so if they chose to? We may be getting an indirect answer to those basic questions about what the NSO Group’s 40+ state-clients are capable of doing with this super-spyware.
Can US and UK government officials get hacked by any of those 40+ NSO Group clients or not? It’s kind of a huge question. After all, think about how the 2016 hack of the DNC and all of the events surrounding that can be reinterpreted when we factor in the possibility that dozens of nation states had the capacity to hack the sh$t out of US political and government figures. We can’t forget that the crown princes of Saudi Arabia and the UAE were literally offering secret political manipulation campaigns to assist the Trump campaign. Political manipulation campaigns that would use the services of elite Israeli IT mercenary firms like PsyGroup. So if that’s what we know they were directly offering the Trump campaign, what about tools like NSO Group’s Pegasus that both the Saudis and UAE had access to? Was that offered to the Trump campaign too in 2016? It’s a question that’s rarely asked in the context of the NSO Group story, and yet if we learn that Pegasus could indeed hack US and UK-based phones it’s hard to see why the possible use of NSO Group spyware in 2016 shouldn’t immediately become a major question.
That’s all part of what makes the unfolding story about the ruler of Dubai’s hack of his estranged ex-wife potentially such a big story. Because we’re now learning that, yes, UK phones are hackable. The ruler of Dubai — Sheikh Mohammed bin Rashid al-Maktoum, who is also the vice president and prime minister of the UAE — ordered the hacking of his ex-wife’s phone. Along with the phones of her lawyer and security team. The hacking apparently took place during the couple’s ongoing custody battle in London over their children. So it sounds like the hacking took place in the UK. And it turns out Princess Haya bint al-Hussein’s lawyer just happens to be Fiona Shackleton, a lawmaker in Britain’s House of Lords. So a member of the UK parliament was hacked in London using Pegasus. The ruler of Dubai was capable of ordering this last year.
The hack was reportedly discovered when a cyber expert studying the possible use of Pegasus against a UAE activist realized the phones were being hacked and passed on the information (presumably to CitizenLab or a similar group). Interestingly, NSO Group claims it also learned about the hack more or less at the same time from a whistleblower who informed the company that Pegasus was being misused against the princess and her legal team. NSO Group informed Cherie Blair (Tony Blair’s wife), who was hired by NSO Group to work as an external adviser on human rights, and asked her to get a warning to the princess. It’s a rather convenient story for NSO Group. We aren’t told anything more about this alleged whistleblower. NSO Group informs us it then cut the UAE’s contract. The move presumably made al-Maktoum a lot less popular with all the UAE’s other rulers trying to hack their own ex-wives’ phones.
But then there’s still the question: did these phones have UK (or US) phone numbers, which we are told Pegasus can’t target? That would be kind of a huge contradiction of NSO Group’s repeated assurances, after all. And to get that answer we can look back at some early reporting on this princess hacking story from back in early August, when we were learning about a group of other figures close to the princess who were also hacked, including British human rights lawyer David Haigh. Haigh is the former managing director of Leeds United Football Club and current Chairman of Leeds United Ladies Football Club. Haigh also happens to be an outspoken critic of Dubai and spent time in prison there over charges of embezzlement. He claims to have been tortured while in prison. So Haigh is a figure the government of Dubai would have all sorts of reason to want to hack. But, in theory, he should have been protected as a UK citizen. Instead, Haigh’s hacked phone happened to have a ‘+44’ UK number. That’s our answer. UK phones are hackable. And therefore presumably US phones too.
And politicians are hackable in these countries. That’s what we are learning from this story. It’s quite an update to the NSO Group story. And potentially a major update to quite a few other hacking-related stories. For a decade now, dozens of countries around the world have been gaining the ability to execute super secret hacks, and politicians and world leaders are all potential targets. Even the US and UK politicians who are supposed to be safe. That’s the picture that’s emerging. And yet, as we’ve seen, this is all more or less directly tolerated by the Israeli government and indirectly tolerated by the US government. It’s a wild story that keeps getting wilder.
Ok, first, here’s an article from earlier this month about the cancellation of the UAE’s NSO Group contracts over the hacking of Princess Haya and her legal team. A legal team that includes her lawyer Fiona Shackleton, a lawmaker in Britain’s House of Lords:
“Sheikh Mohammed bin Rashid al-Maktoum, vice president and prime minister of the UAE, instructed the hacking of six phones belonging to Princess Haya bint al-Hussein, her lawyers and security team, England’s High Court ruled in a judgment which was made public on Wednesday.”
The ruler of Dubai, who also happens to be the UAE’s prime minister, instructed the hacking. That’s what the court in London concluded as part of the legal fight between Sheikh Mohammed bin Rashid al-Maktoum and Princess Haya bint al-Hussein in their custody battle. A hacking that took place during the custody battle last year in London. It’s a damning detail for NSO Group if Haya was in London during the time of the hack. And especially damning if she had a UK-based phone number:
But it’s the hacking of Haya’s lawyer, Fiona Shackleton, that is utterly damning for NSO Group’s claims that the UK is protected from its spyware. A member of the House of Lords got hacked with Pegasus:
And now here’s a WaPo report from early August about the revelation that figures close to Princess Haya in the UK were hacked last August. Figures like David Haigh, who had been secretly exchanging videos and text messages with the princess for more than a year and a half from a phone smuggled into the Dubai villa where she was being held. She stopped responding on July 21, 2020. Haigh’s phone was hacked two weeks later. It’s the kind of anecdote that shows what must be the irresistible allure of the power of this spyware. Once Sheikh Maktoum found her phone and knew who to hack, they could hack them. Two weeks later Haigh was hacked and there was basically nothing he could do about it. It’s incredible power. Even more so when it can be wielded in the UK. Or the US. Based on what we can infer from the available data, UK phones, and logically US phones too, were viable targets as long as clients were willing to break the rules. Just imagine how many entities out there with access to these tools may have wanted to hack the Democrats in 2015 or 2016. They all could have done it:
“Haigh said he had been exchanging videos and text messages for more than a year and a half with Princess Latifa through a phone that had been smuggled into the Dubai villa where she was being held. She stopped responding on July 21, 2020, according to a screenshot of the messages Haigh shared. The analysis shows that Haigh’s phone was hacked two weeks later.”
It must have been very clear who to hack once they got their hands on Princess Haya’s phone. David Haigh had been secretly swapping videos and texts with her for years. And it took the government of Dubai basically no time to hack Haigh and learn whatever he knew. The power that comes from abusing these tools is incredible:
The fact that Haigh’s number doesn’t appear on the leaked list of 50,000 published suspected Pegasus targets because the hacking happened after 2019 is worth noting in part because it’s a reminder that the global number of targets is actually likely far higher than that leaked list. But the fact that Haigh’s number is the first time Amnesty’s researchers had identified a successful Pegasus attack on a UK phone number answers once and for all whether UK-based phones can even be targeted by rogue clients. Yes they can:
But the revelation about the first UK phone targeted by Pegasus then raises the major question that looms over this story: was this the first instance of an NSO Group client breaking the rules and targeting UK-based phones? Or is this abuse routine? There aren’t any UK or US phone numbers that show up in the 50k list of numbers in the leaked Forbidden Stories/Amnesty International report on Pegasus. So is that prior lack of UK or US numbers a reflection of no abuse of this nature? Or a reflection of the fact that these kinds of abuses were hidden even from the source where the leak came from?
Keep in mind the Pegasus leak presumably came from someone at NSO Group or in contact with someone there. Or maybe someone who hacked the company, ironically. But it didn’t come from all the clients separately. And that means if the clients were able to hide their targeting of US, UK, or any other blacklisted countries’ phones from NSO Group, then we shouldn’t necessarily expect the leaked list of Pegasus targets to include any US or UK targets. The clients all self-filtered that so they wouldn’t get their subscriptions cut off like the UAE. And therefore a lack of any UK or US numbers on that list shouldn’t necessarily be seen as an indication that these kinds of abuses weren’t taking place pre-2020.
All in all, this story about the hacking of Princess Haya could end up being the most consequential NSO Group story so far. There’s no shortage of questions raised by all this. Like whether or not Candiru cut the UAE off too after all this was discovered or just raised the rates and offered more products.
Here’s a pair of articles about one of the biggest questions facing the entire topic of the global offensive cyber-mercenary industry: the question of whether or not the Five Eyes countries are vulnerable to this super-spyware too. Just how much hacking of the US and UK governments has been quietly taking place over the last decade? Recall the recent reports about NSO Group cutting off the UAE’s access to Pegasus after it was discovered the head of Dubai was using the software to spy on his ex-wife, Princess Haya, along with a number of other members of her security and legal team based in the UK. Including her lawyer Fiona Shackleton, who happens to be a member of the House of Lords. Beyond that, their hacked phones had +44 UK phone numbers, something that shouldn’t be possible.
And as we’re going to see in the first excerpt below from several weeks ago, just days after the story of the NSO Group dropping the UAE as a client was first reported, NSO Group made a remarkable admission: following the apparent discovery inside NSO Group about the abuse of Pegasus, NSO Group immediately implemented a change to the Pegasus software that banned the targeting of +44 phone numbers. It’s the kind of admission that confirms the obvious: NSO Group clients have been able to target +44 numbers all along.
But it gets worse. Because as we’re going to see in the second excerpt below, from back in July when the story of the 50,000+ target numbers was first breaking, there were reports about a remarkable observation in that list of numbers: 400+ of them were +44 UK numbers, going back to 2017. And while most of the +44 numbers are believed to have been entered by the UAE, the Saudis are also responsible for some of them. Which means the UAE was rampantly targeting UK phone numbers for years.
So what are the odds NSO Group didn’t know about this? Well, that’s where the suspicious coincidental timing of the twin and allegedly independent discoveries of the UAE targeting of UK phones should serve as a hint. Recall how NSO Group claims it independently learned about the targeting of Princess Haya at the same time an independent researcher discovered evidence of Pegasus targeting members of Shackleton’s law firm. As we’ll see in the following report, an anonymous source close to the company assures us “It is a coincidence” that both of these discoveries were made on the exact same date. We’re also told that the code modifications that stopped the targeting of +44 numbers were implemented within hours of NSO Group learning about the abuses. It’s a rather dubious claim. NSO Group and this independent researcher just happened to learn about it all simultaneously and independently. You have to wonder if the researcher’s prodding on the infected phone was literally what tipped off NSO Group that he found the evidence. Keep in mind that the hacking of Princess Haya had already been alleged weeks earlier, as we’ll see in the excerpt from July. It’s not like NSO Group could claim it hadn’t already heard about this. So NSO Group’s story of how it first confirmed the hacking of the +44 numbers doesn’t really logically check out. Yet that’s the story being pushed by the anonymous source close to the company. So it’s noteworthy that this same anonymous source also assures us that this vulnerability for +44 doesn’t apply to +1 (US) or any other Five Eyes numbers.
Yes, the anonymous source giving us a highly dubious assurance about NSO Group also claims there’s nothing to worry about when it comes to the hacking of the rest of the Five Eyes. It’s not exactly reassuring. And, more to the point, it’s the kind of scenario that suggests NSO Group knew all along the targeting of +44 numbers was happening and was fine with it. Beyond that, it’s hard not to notice that the UK government itself doesn’t seem very perturbed by this story. Or the other Five Eyes governments who really should view this as one of the greatest security threats in history. It’s the kind of situation that suggests a major part of this scandal is the fact that the Five Eyes governments may have been fine with this. What kind of arrangements are being quietly worked out between the client states given access to these tools and the Five Eyes network that appears to be a kind of tacit sponsor of this cyber industry? It’s a fascinating question at the heart of this story.
Ok, here’s the October 8 report that came out just days after we first learned about the UAE losing its hacking privileges over the Haya hacks, with NSO Group assuring everyone that it fixed the problem. A problem with Pegasus seemingly having no problem at all hacking +44 numbers. The fix was apparently so easy to do, NSO Group implemented it within hours of learning about the abuses. And it’s apparently just a coincidence that NSO Group didn’t decide to make this easy remote fix until the company ‘coincidentally’ confirmed the abuses on the exact same date as an independent researcher with access to Shackleton’s phone. It’s not exactly a compelling cover story:
“NSO Group, the Israeli maker of the Pegasus surveillance tool, implemented a change preventing client countries from targeting +44 numbers, the sources said, after it became aware of the British hacking scandal on 5 August last year.”
It’s confirmed. NSO Group clients did indeed have the technical capacity to target +44 UK numbers up until August 5 of 2020. This was, of course, after over 400 UK numbers showed up in the giant investigative leak of 50,000+ suspected target numbers. But we’re also getting another confirmation: NSO Group had the technical capacity to easily make it impossible for clients to target +44 numbers but didn’t use that capacity until the Princess Haya scandal. NSO Group could have easily prevented this entire scandal but didn’t do so. Why is that?
So what about the rest of the Five Eyes nations? Were these numbers targetable too? We are told by an anonymous source close to NSO Group that, no, Pegasus can’t target these other nations. And yet this same anonymous source also assures us that it’s purely a coincidence that NSO Group became aware of the targeting of Princess Haya and others close to her on the same day an independent computer forensics researcher discovered the same hacks. So it was on the same day that an independent researcher effectively threatened to make this scandal public that NSO Group magically stumbled upon the same problematic behavior and finally put it to an end. It’s the kind of narrative that suggests this anonymous source is basically just pushing NSO Group’s cover story. Which also means we should probably assume that the targeting of numbers in the US, UK, Australia, Canada, and New Zealand was also technically possible for NSO Group clients up until August of 2020:
Adding to the circumstantial evidence of a major undiscovered scandal here is the fact that the list of 50,000+ suspected target phone numbers only came from around 10 of NSO Group’s clients. Which means there’s around 30 more clients that we know nothing about...other than the fact that they presumably had the same capacity to target Five Eyes numbers as the UAE:
Next, here’s a Guardian report from back in July about the 400+ UK phone numbers discovered in the leaked list of 50,000+ target numbers. As we’ll see, NSO Group didn’t simply deny that Pegasus was used to target UK phone numbers. The company suggested it was technically impossible for Pegasus software to do so. That was the message coming out of NSO Group a couple of weeks before the August 5 emergency change made to Pegasus’s code following the ‘discovery’ by NSO Group that the UAE was indeed targeting UK phone numbers. And not just a few UK phone numbers. Of the 400+ UK phone numbers in the list, the bulk of them were entered by the UAE. This one client was allowed to serially violate the nation blacklist rules. For years:
“The principal government responsible for selecting the UK numbers appears to be the United Arab Emirates, according to analysis of the data. The UAE is one of 40 countries that had access to the NSO spyware that is able to hack into and secretly take control of a mobile phone.”
Yes, it appears the UAE is the principal NSO Group client state responsible for the 400+ UK phone numbers that appeared on the list of 50,000+ suspected target numbers released in the Forbidden Papers leak. And the dates corresponding to the numbers indicate this targeting of UK-based phones was taking place from 2017–2019. The UAE was allowed to become a serial offender of one of the NSO Group’s core rules.
So just how much more extensive was this abuse? It remains a significant unanswered question in this story. But don’t forget that the 50,000+ list of numbers was apparently only based on 10 NSO Group clients and the company has over 40 clients. That list is just a snapshot of what NSO Group’s clients have been up to. But we don’t have to entirely speculate about which other clients have been hacking UK phone numbers. Saudi Arabia had already been caught doing it too. But note the interesting suggestion made by NSO Group lawyers when the issue of Saudi targeting of UK phones was brought up: they suggested it was “technically impossible”. Keep in mind this suggestion was given back in July, before the admission from NSO Group a few weeks ago that it only retroactively modified the Pegasus code to block the targeting of UK phone numbers. In other words, past assurances about the technical impossibility of the targeting of blacklisted country phone numbers are bogus. Which should immediately raise major questions about the technical possibility of the hacking of the rest of the “Five Eyes” nations on that blacklist:
But while a scenario where NSO Group clients have had the technical capability of hacking Five Eyes phones certainly looks likely at this point, there’s another plausible scenario worth considering: that the UAE and Saudi governments were given special permission to hack UK phones...perhaps on behalf of the UK’s own intelligence services. A domestic spying arrangement that relies on the outsourcing of the spying to friendly allied states outside of the Five Eyes. Could we be looking at a situation like that? Because while it’s not hard to imagine that the UAE had plenty of interest in spying on all sorts of activists or politicians living in the UK, it’s also not hard to imagine the UK’s own intelligence services having an interest in spying on these same groups. It would at least explain why the UK government seems almost uninterested in a scandal that has the appearance of having significant espionage implications:
The more this story unfolds the more questions it raises. Like the growing question of why there’s been so little outcry by the Five Eyes governments over a story that should, in theory, be one of the greatest security threats in history. Although that lack of outcry does, itself, suggest some answers. They’re not great answers.
The Biden administration took a step that is both somewhat expected and also quite surprising last week against both NSO Group and Candiru: they got blacklisted. The US Department of Commerce blacklisted the two cybertool firms. US companies can no longer export to them, so if any US-based firms were selling hacks to NSO Group and Candiru, they had better relocate or stop providing that service.
The move is, of course, in the wake of the recent revelations about the targeting of UK-based phones that raise major questions about the targetability of not just UK phones, but US and Israeli phones. And as we’re going to see, it came days before we got the first confirmation of Pegasus infecting Israeli phones. So this blacklisting comes amid the confirmation of Pegasus hitting UK and Israeli phones. It’s really just a matter of time before we get our first US-phone confirmation. Who will it be? It’s kind of a huge question looming over all this.
So which Israeli phone got hacked and who did the hacking? Six Palestinian activists’ phones have been found with Pegasus spyware so far following the initial discovery of two infected phones in mid-October. Shortly after, the Israeli Defense Minister declared six Palestinian civil society groups to be terrorist organizations. These groups all happen to be affiliated with the left-wing Popular Front for the Liberation of Palestine (PFLP). And it turns out the 6 activists are all left-wing activists, three associated with the groups recently labeled terrorists and three who remain anonymous but assert they are independent activists. The Israeli government has provided little public evidence to justify the terrorism designation, and at least two of the hacking targets say they consider the Israeli government the main suspect in the hack and believe the terror designation of those groups may have been timed to try to overshadow the hacks’ discovery.
And while the Israeli government is certainly an obvious prime suspect here, it’s important to note that the researchers who discovered the Pegasus hack did not determine who sent it. As we learned in the case of the ruler of Dubai hacking his ex-wife’s UK phone along with her lawyer/UK lawmaker’s phones and numerous other UK phones, there’s every reason to suspect any of NSO Group’s clients could have potentially carried out the hack. That means roughly 40 different governments are potential suspects for the hacks of those Palestinian activists. It’s an important detail to keep in mind as the finger-pointing around their hacks plays out. On some level, it’s less damaging for the Israeli government itself to implicitly admit to carrying out the hacks because the implications are far more significant if it turns out it was another government. And yet, as legal experts point out, the fact that Israel is a client of NSO Group is still a significant complication for both parties because it creates an obvious conflict of interest given that Israel is the government ostensibly overseeing these export licenses. It’s the kind of situation where the government of Israel is forced to choose which inconvenient narrative to go with. There isn’t a clean alibi readily available here.
So what was the Israeli government’s response to the blacklistings? As we’re going to see, the initial response from Israel’s Foreign Minister Yair Lapid was that the Israeli government has nothing to do with the NSO Group, telling reporters, “NSO is a private company, it is not a governmental project and therefore even if it is designated, it has nothing to do with the policies of the Israeli government.” Two days later, the New York Times had a report quoting unnamed Israeli government officials who acknowledged the Israeli government will be lobbying the US government to lift the blacklistings, in part because NSO Group and Candiru are both considered crucial elements of Israels foreign policy. It’s going to be that kind of response. A say anything response.
Finally, it’s important to keep in mind that the fact that NSO Group spyware was allegedly unable to target the phones of Israeli, UK, and US phones, that strongly hints at the US and UK having quietly given their tacit approval of the sales of these tools. The blacklisting of NSO Group and Candiru isn’t mutually exclusive with a scenario where the US endorsed the global export of these tools in the first place. That’s part of what makes this blacklisting story something to watch going forward. It potentially doubles a cover up. In other words, the Israeli government may not be the only government doing the ass-covering two-step here.
Ok, first, here’s a report on the discovery of NSO Group spyware on six Palestinian activists’ phones. The first reported instance of Israeli phones being infected with Pegasus:
“The revelation marks the first known instance of Palestinian activists being targeted by the military-grade Pegasus spyware. Its use against journalists, rights activists and political dissidents from Mexico to Saudi Arabia has been documented since 2015.”
First UK-based numbers, and now Israeli numbers. When will we get our first confirmed US number? Time will tell. But at this point it seems rather inevitable. It’s part of why the question of who actually executed this hack is such an important one. Was it the Israeli government itself, or one of NSO Group’s 40+ other clients? The answer to that question is likely also the answer to the open question of which NSO Group clients have the capability of hacking US-based phones:
But the fact that Israel labeled the groups associated with these targeted Palestinian activists as terrorist groups shortly after the Pegasus spyware was first discovered on their phones gives us a clue as to who carried out the hack. It was probably Israel, a rather complicated fun fact given that the Israeli government is also NSO Group’s regulator:
But as much as this story of the discovery of Pegasus on the Israeli phones of Palestinian activists creates complications for the Israeli government, it’s the story of the US decision to blacklist NSO Group and Candiru that creates a much bigger and more immediate complication. It’s why we shouldn’t be surprised to see completely contradictory statements from the Israeli government in the wake of that decision. This blacklisting really is an enormous potential complication in relations between the US and Israel, especially if it turns out US phones were indeed hackable this entire time. The government of Israel really might want to create as much distance as possible, depending on how this NSO Group story plays out in the end:
“NSO is a private company, it is not a governmental project and therefore even if it is designated, it has nothing to do with the policies of the Israeli government...I don’t think there is another country in the world which has such strict rules according to cyber warfare and that is imposing those rules more than Israel and we will continue to do so.”
It’s just a random private company that the Israeli government has little to do with. That was the first response from the Israeli government to the blacklisting of NSO Group and Candiru. Just a blanket denial and distancing from the whole situation. But then, two days later, as the story of the hack of the Palestinian activists played out in parallel, we get a report in the New York Times about how the Israeli government is not only intent on proving the terrorism charges against the PFLP-affiliated groups but is also planning on quietly lobbying the US government to overturn the blacklistings, while acknowledging that the companies play a crucial role in Israel’s foreign policy:
“But the company’s biggest backer, the government of Israel, considers the software a crucial element of its foreign policy and is lobbying Washington to remove the company from the blacklist, two senior Israeli officials said Monday.”
Is NSO Group just a random private company that the Israeli government cares little about? Or is it a crucial element of Israel’s foreign policy? It depends on who you ask, and on what day. But the fact that Israel is so concerned about US concerns over these companies is an additional data point suggesting that this entire hacking tool export sector, which has exploded globally over the past decade, did so with the quiet blessing of the US national security state. It’s the potential loss of that quiet blessing that makes the story of the blacklisting potentially so significant:
But, again, we have no idea how serious this US blacklisting really was. Is it largely theatrics, or was the US genuinely pissed about NSO Group? And again, the answer to that question probably depends heavily on whether or not Pegasus (or Candiru’s spyware) really was technically capable of hacking US phones. It would be a legitimate mega-scandal if Israel promised the US government this wouldn’t happen and it ended up happening anyway, resulting in the extensive hacking of US phones. We have no evidence that such a scenario happened, other than the growing circumstantial evidence that it’s very possible.
There was a recent report in Haaretz about the ongoing saga of the remarkably scandalous Dubai NSO Group scandal. Remarkably scandalous not just for NSO Group and the ruler of Dubai — who was abusing the software to spy on his ex-wife and her UK legal team — but potentially for the UK and the rest of the ‘Five Eyes’, when it was revealed this was likely the tip of the iceberg of a much larger pattern of abuse by NSO Group clients targeting UK, Israeli, and potentially US, phone numbers. And the UK and the rest of the Five Eyes seemed barely perturbed by the whole thing. There has been a bit of Five Eyes pushback. The Biden administration did end up blacklisting NSO Group and Candiru.
But the following Haaretz report, about how two different princes in the UAE got their own NSO Group contracts, mentions another remarkable display of a lack of concern by a Five Eyes government about all this: the UK has apparently closed its investigation into the whole Dubai hacking scandal. Case closed, apparently.
Now, regarding the fact that the UAE had two princes with separate NSO Group contracts, keep in mind that the number we’ve heard thrown around for the different government agencies NSO Group sells to is around 60. At the same time, we’ve heard it has around 40 to 45 government clients. This implies there are a lot more governments than the UAE with multiple NSO Group client agencies. In other words, there’s more where this came from. Again. It’s a major theme with this story.
And that brings us to the second article excerpt below, from a December 2020 report by the Bureau of Investigative Journalism. The report isn’t about NSO Group’s hacking scandals, but instead about something arguably much bigger. But also something that sounds awfully similar to the NSO Group story in many ways. And a story the UK’s national security state would be deeply implicated in, along with presumably the rest of the Five Eyes. It’s a remarkable story.
The Bureau report is about an industry that has quietly emerged offering an NSO Group-like hacking-toolkit service targeting smartphones and mobile devices. Services include the capability of tracking device location around the world, but they can potentially become far more invasive and include the collection of very private data like bank information, emails, and text message content. 9 out of 10 text messages sent globally are vulnerable to the exploits offered as a service by this industry.
Like NSO Group, this telecom hacking toolkit service is ostensibly only offered to government clients and only for official law enforcement and anti-terror purposes. And as we’ll see, like with NSO Group’s toolkit, these toolkits are apparently run by these government clients on their own without oversight, allowing for who knows what kind of abuse.
And like the NSO Group story, it’s an Israeli firm that appears to be a major player in this global marketplace. But here’s the part of the story that makes this a highly sensitive story for the UK: that firm, Rayzone Group, doesn’t operate in Israel. It operates on the Channel Islands. And for global telecommunication purposes, the Channel Islands are treated like the UK. But they’re not the UK. They’re an unregulated partner that shares the UK’s +44 country code while allowing for the operation of this marketplace, where access to the global telecommunications infrastructure is leased to private firms that in turn sell access and exploits to government clients. Yes, Rayzone Group is an Israeli company, but this industry is a UK-enabled/sanctioned enterprise.
Oh, and like the NSO Group story, this one also involves the same ruler of Dubai, Prince Bin Rashid al-Makhtoum, abusing it. But this time he was cyberstalking his daughter instead of his ex-wife. Princess Latifa was fleeing his security services around the globe after claiming to have been drugged and imprisoned for years. Her yacht was eventually located and she was captured. After an investigation it was determined that Princess Latifa’s location was sold to her father by Rayzone Group. That guy was really into spyware. And why not? It was served to him on a platter.
So how do the Channel Islands facilitate this global spying service? Well, it comes down to vulnerabilities in old 2G and 3G technology and the necessity of ensuring more secure technologies can still communicate with those older, vulnerable services. The decades-old Signaling System 7 (SS7), first developed in 1975, enables different phone services to exchange information, including the geolocation information involved in functions like roaming when traveling in a foreign country. It’s a key protocol that allows what is in reality a patchwork of systems, working under a patchwork of protocols, to communicate with each other. But as we might expect with a system built in 1975, it has vulnerabilities. Vulnerabilities that effectively give a hacker remote surveillance powers over the device that the user cannot do anything about, because the snooping is taking place deep in the infrastructure of the global telecommunications industry.
It’s the kind of security arrangement that basically relies on limiting who can access this system and making them all promise not to abuse it. It’s that old and insecure. That’s why it’s rather scandalous to learn that the Channel Islands allow private companies to lease access to this system and basically set up an NSO Group-style hack-for-service industry. Are governments really the only entities allowed to sign up for this super-telecom hacking service? That’s what they claim. Let’s hope so, but either way, we’re talking about an industry where private entities are given incredibly powerful access to this basic piece of the global mobile communications infrastructure and there’s basically no oversight.
Except, of course, there is oversight. As we’ll see, when the Bureau released its report in December 2020, it noted that the +44 ‘UK’ country code had been the consistent global leader in hacking attacks on this SS7 system over the prior two years, with the Channel Islands being the source of those attacks. The UK could kick the Channel Islands off the +44 country code but doesn’t. Because obviously there’s an intelligence-sharing relationship here.
Keep in mind that the UK, as a Five Eyes member, is the kind of nation we would assume already has access to virtually all of the information made available by this Channel Islands SS7 industry. That’s all part of what makes the story of Rayzone Group and the Channel Islands’ SS7 hack-for-hire industry so interesting: the UK is basically giving license to a secret industry that’s providing governments globally with access to incredibly powerful spyware under the auspices of it only being used for legitimate national security purposes, while giving all those governments access to something that doubles as an incredible espionage tool. It’s not hard to imagine why Israel, ever in need of allies, would be willing to play a key role in this global industry, but it’s the tacit approval of the UK and the rest of its Five Eyes partners that makes this such a fascinating story. The quiet commercialization of slices of global Total Information Awareness, in this case facilitated by the quiet exploitation of unpatchable security holes that haven’t quite yet aged out.
Finally, just note that, unlike the Pegasus story, there’s basically nothing you can do to defend against the SS7 exploits other than not use a phone. It’s done at that high a level and doesn’t need to interact directly with your phone.
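Since the defense has to live inside the network rather than on the handset, here is an added example (not code from the Bureau report, Rayzone Group or any operator) of the kind of operator-side screen the story implies is missing: it runs over constructed SS7/MAP signalling records, blocks location- and identity-disclosing requests that arrive from an unexpected origin, and tallies the blocked requests by the origin’s country code, which is how a code like +44 ends up at the top of an attack-origin ranking. The log format, the home operator (+49), the sample records and the simplified message classes are all assumptions made for this example.

```python
"""Constructed example: screening SS7/MAP signalling records at an operator.

Added example, not code from the Bureau report, Rayzone Group or any
operator. Record format, sample records, home country code and the
message-to-class mapping are all constructed for illustration; the class
mapping is loosely modelled on the public GSMA FS.11 filtering guidance
but deliberately simplified.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Simplified screening classes (assumption):
#   "home_only"    -> should never arrive from outside the home network
#   "roaming_only" -> legitimate only from the network the subscriber is
#                     currently registered in
LOCATION_SENSITIVE: Dict[str, str] = {
    "anyTimeInterrogation": "home_only",
    "provideSubscriberInfo": "home_only",
    "sendIMSI": "home_only",
    "provideRoamingNumber": "roaming_only",
    "sendRoutingInfoForSM": "roaming_only",
}

HOME_CC = "49"                                    # constructed home operator
KNOWN_CC = ("971", "972", "44", "48", "49", "1")  # constructed subset, longest first


@dataclass
class Record:
    origin_gt: str    # E.164 global title of the sending node
    opcode: str       # MAP operation name
    imsi: str         # targeted subscriber
    roaming_cc: str   # country code of the network the IMSI is registered in


def country_code(gt: str) -> str:
    """Longest-prefix match of an E.164 global title against KNOWN_CC."""
    digits = gt.lstrip("+")
    for cc in KNOWN_CC:
        if digits.startswith(cc):
            return cc
    return digits[:2]  # fallback for codes outside the constructed set


def parse_line(line: str) -> Record:
    """Parse one constructed log line: '<timestamp> key=value key=value ...'."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return Record(fields["origin_gt"], fields["opcode"],
                  fields["imsi"], fields["roaming_cc"])


def classify(rec: Record) -> str:
    """Return 'allow' or 'block' for a single record."""
    cls = LOCATION_SENSITIVE.get(rec.opcode)
    if cls is None:
        return "allow"  # not a location/identity-disclosing operation
    cc = country_code(rec.origin_gt)
    if cls == "home_only":
        return "allow" if cc == HOME_CC else "block"
    # roaming_only: the sender must sit in the country the subscriber roams in
    return "allow" if cc == rec.roaming_cc else "block"


def screen(lines: List[str]) -> Tuple[List[Tuple[str, str, str]], Counter]:
    """Classify every line and tally blocked requests by origin country code."""
    decisions: List[Tuple[str, str, str]] = []
    blocked_by_cc: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        decision = classify(rec)
        decisions.append((rec.opcode, rec.origin_gt, decision))
        if decision == "block":
            blocked_by_cc[country_code(rec.origin_gt)] += 1
    return decisions, blocked_by_cc


# Constructed sample: global titles use reserved/fictional number ranges.
SAMPLE_LINES = [
    "2020-12-01T10:00:01Z origin_gt=447700900123 opcode=anyTimeInterrogation imsi=262011234567890 roaming_cc=49",
    "2020-12-01T10:00:02Z origin_gt=4915123456789 opcode=anyTimeInterrogation imsi=262011234567890 roaming_cc=49",
    "2020-12-01T10:00:03Z origin_gt=447700900456 opcode=provideSubscriberInfo imsi=262019876543210 roaming_cc=49",
    "2020-12-01T10:00:04Z origin_gt=971501234567 opcode=provideRoamingNumber imsi=262019876543210 roaming_cc=971",
    "2020-12-01T10:00:05Z origin_gt=447700900789 opcode=sendRoutingInfoForSM imsi=262011234567890 roaming_cc=49",
    "2020-12-01T10:00:06Z origin_gt=12025550100 opcode=updateLocation imsi=262015555555555 roaming_cc=1",
    "2020-12-01T10:00:07Z origin_gt=972501234567 opcode=sendIMSI imsi=262015555555555 roaming_cc=49",
]

if __name__ == "__main__":
    decisions, by_cc = screen(SAMPLE_LINES)
    for opcode, gt, decision in decisions:
        print(f"{decision:5s} {opcode:22s} from +{country_code(gt)}")
    print("blocked requests by origin country code:", by_cc.most_common())
```

On the constructed sample, three of the four blocked requests come from +44, reproducing in miniature the per-country ranking the Bureau report describes.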
Ok, first, here’s the recent Haaretz story that asks the simple question: how was it that the UAE got two different NSO Group accounts in the first place? It also points out that British police have already officially closed their investigation into the whole matter, despite a judge ruling that “the findings constitute a complete violation of trust and an illegal use of force.” Did the fact that this investigation involved abuses by the Rayzone Group on the Channel Islands play a role in the rapid closing of the case? It’s hard to imagine it wasn’t a factor:
“According to NSO findings handed to the British government, as reported by The Guardian, Princess Haya’s phone was hacked 11 times under Bin Rashid al-Makhtoum’s direction or knowledge, yielding 500 images and some 65 MB of data, equivalent to 24 hours of continuous audio, taken from her device. Oddly, while the British judge ruled that “the findings constitute a complete violation of trust and an illegal use of force,” British police have closed their investigation into the matter.”
It’s the kind of story that has all the appearances of the tip of an iceberg. An iceberg of hacks of prominent UK individuals that weren’t supposed to happen. An investigation into what should be a huge story, closed already with basically no real resolution. It’s hard not to assume there’s a whole bunch of awkward complicity being covered up by that.
But what about the following December 2020 report by The Bureau of Investigative Journalism on the Channel Islands’ SS7 hacking industry, which describes an NSO Group-style private industry with government clients run via the UK’s quiet tolerance? And what about the fact that this NSO Group Dubai hacking story is directly involved with the SS7 story? How much were sensitivities about this playing a role in the UK’s decision to close the investigation?
It’s one of the many questions we’re forced to ask. Along with the general question of how many different governments are tracking our phones at any given point thanks to this Channel Islands’ cottage industry:
“The investigation has found that private intelligence companies are able to rent access from mobile phone operators and this can then be exploited to allow the tracking of the physical location of users across the world. They are also potentially able to intercept calls and other private data, including bank accounts and emails.”
It’s a global vulnerability in mobile communications. Not just mobile phone geolocation services but potentially other private data, including bank accounts and emails. A global vulnerability rooted in the need to patch together communication systems, old and new, around the world if we’re going to have a truly global communication system. These technical vulnerabilities in the SS7 “signals” global switchboard for the telecoms industry are at least part of the story. The other part is the fact that the Channel Islands appear to be the hub of vulnerability for this global system, exploiting a loophole where the world treats the Channel Islands’ telecom traffic like it’s part of the UK, with a shared +44 country code, while the UK doesn’t actually have any power to ensure the Channel Islands live up to UK regulations. Well, the UK does have one option: kicking the Channel Islands out of this shared +44 country code and no longer just trusting their traffic.
But as long as it’s considered a “nuclear option” for the UK to kick the Channel Islands out of the +44 code, this loophole, which creates a global vulnerability in mobile communications for lease to governments and private intelligence firms alike, remains in place. It’s kind of mega-scandalous. And the fact that the tracking of Princess Latifa by the ruler of Dubai was carried out by an Israeli firm that rents out access to this information to people like the ruler of Dubai suggests this mega-scandal might be related to the larger story of the UK’s s
It’s a potentially significant aspect of the UK’s decision to close the investigation into the illicit NSO Group hacking of not just Princess Haya bint al-Hussein but her lawyer/UK lawmaker Fiona Shackleton, along with a number of other UK numbers. There have long been strong indications that NSO Group and the rest of the Israeli spyware industry are operating with the tacit approval of the UK and US national security states. But the premature closure of that investigation is the kind of move that hints at a lot more mega-scandal under that rock:
Adding to the potential mega-scandal here is the fact that the +44 country code has consistently led the world in the number of origin points for malicious traffic for the past two years, and the majority of that is believed to come from the Channel Islands. So the UK has tolerated a bonanza of attacks like this during the same period Rayzone Group was offering these kinds of malicious attack services from leased access to that system. It’s kind of amazing. The Channel Islands had an industry of leasing access to this system, for obvious exploitation, to firms like Rayzone Group, which would then play an NSO Group-style role of selling those attacks to governments around the world. Government clients like the ruler of Dubai, so he could geolocate/stalk his fleeing daughter:
Also note how Rayzone Group’s alibi is the exact same alibi NSO Group falls back on: don’t blame us, we have no idea what our clients are doing with our tools. In this case, “geolocation tools are operated solely by the customers (the end users) and not by us.” We know what that means. A lot more ‘don’t blame us! Blame our clients!’ alibis are on the way:
And this industry of leasing access to the antiquated SS7 system to private companies, which sell exploits for its antiquated vulnerabilities to clients around the world, will continue as long as there are 2G and 3G systems still operating. The necessity of creating interoperability between these older networks and the rest of the world creates the necessity of maintaining this SS7 global switchboard system with all of its known vulnerabilities. 9 out of 10 text messages are potentially vulnerable through this system, and yet it continues as the commercial space grows, selling this powerful spying capability to clients (ostensibly just government clients) for official law enforcement and anti-terror uses. It’s an NSO Group-like arrangement, but one that relies on maintaining this remarkable security hole in mobile telecommunications under the pretense that it will only be governments ultimately doing the exploiting:
So that’s all something to keep in mind regarding the UK investigation into the ruler of Dubai’s multi-faceted hack of UK devices and people. It’s the kind of investigation we should have probably expected to end prematurely, because it’s investigating a story that clearly goes in sensitive directions. Sensitive directions that include core Five Eyes spying capabilities. And sensitive directions that include the commercialization of that same global spying space.
The inevitable has finally happened. Sort of: we just got reports of US government officials getting their phones hacked with NSO Group’s Pegasus spyware. At least 11 US embassy employees in Uganda had their iPhones hacked. It’s not known which NSO Group client carried out the hacks.
But while this story is confirmation that US government employees are vulnerable to the Pegasus spyware, it’s not actually confirmation that US-based phones (with a +1 number) are vulnerable. It appears the hacked phones were registered with foreign telephone numbers.
So while we’ve seen abundant circumstantial evidence suggesting that Pegasus can target US phones — like the fact that it could hack UK and Israeli phones despite NSO Group’s assurances to the contrary — we still don’t have confirmation that US phones are vulnerable. Although at the pace these stories are developing, it shouldn’t be long:
“NSO Group said in a statement on Thursday that it did not have any indication their tools were used but canceled access for the relevant customers and would investigate based on the Reuters inquiry.”
Who hacked the US embassy? NSO Group claims it doesn’t know, but it has already canceled access for “the relevant customers”, so there are clearly some prime suspects. Which government will it end up being?
But then there’s the general question of where else US employees have been hacked. It appears the answer might depend on where US government officials are using foreign-registered phones:
Then there’s the ominous hint from a senior Biden administration official that the US government has seen “systemic abuse” in multiple countries involving Pegasus:
Are we going to be getting more details on those systemic abuses? It’s quite a revelation for a government official to just dump out there in the wake of this story.
So how many NSO Group clients aren’t abusing the company’s spyware? It’s the question raised with each new story of discovered abuses. This time the culprit appears to be Poland’s far-right government. We don’t have official confirmation that the Polish government was behind the questionable hacks, but it’s more or less obviously the case. The two opposition figures recently discovered with Pegasus spyware on their iPhones — lawyer Roman Giertych and prosecutor Ewa Wrzosek — were both rather big pests for the current government.
Giertych was apparently such a big pest that he was hacked 18 times in the last four months of 2019. At the time, he was representing former Prime Minister Donald Tusk of Civic Platform, now head of the largest opposition party, and former Foreign Minister Radek Sikorski, now a European Parliament member.
Last year, Ewa Wrzosek ordered an investigation into whether presidential elections should be postponed over pandemic concerns, but was almost immediately stripped of the case and transferred to a distant provincial city. We’ve now learned that Wrzosek was hacked multiple times in 2019.
So it appears the government of Poland has some explaining to do, along with NSO Group, of course. And that brings us to what is perhaps the most disturbing aspect of this story: when pressed about these latest stories of Pegasus being used for questionable purposes, NSO Group points out that Poland is a democratic government, so as long as these hacks followed due process under Poland’s law, this doesn’t actually constitute an abuse of these hacking tools. It’s the kind of answer from NSO Group that suggests there are probably A LOT more examples of this kind of ‘legal’ targeting of opposition figures taking place in NSO Group client states across the world:
“A Polish state security spokesman, Stanislaw Zaryn, would neither confirm nor deny whether the government ordered the hacks or is an NSO customer.”
Yeah, it’s not exactly a mystery as to which government ordered these hacks of individuals creating major headaches for the Polish government. And the fact that a provincial prosecutor filed a motion seeking the arrest of Roman Giertych hours before a Polish state security spokesman answered questions to the AP is like in-your-face trolling of those concerned about these abuses:
And note how the hacking of prosecutor Ewa Wrzosek had already taken place multiple times in 2019, well before Wrzosek ordered the 2020 investigation into whether or not the presidential elections should be postponed. Shortly after the opening of the investigation, Wrzosek was stripped of the case and reassigned. It’s hard not to suspect the government spies keeping tabs on her were tracking her moves in that investigation:
It’s also worth noting that it’s not entirely inconceivable that it truly wasn’t the Polish government behind these hacks. After all, with fellow autocratic governments in the EU like Hungary sporting the exact same Pegasus spyware and demonstrating the same willingness to abuse it, it’s possible we could end up seeing governments do each other ‘favors’ by spying on their respective pesky citizens. Now, in the case of Giertych and Wrzosek it sure looks a lot like the Polish government was behind these hacks. But we should keep in mind there are other possibilities:
Finally, note the truly disturbing response from NSO Group to these hacking stories: first the company gives its standard excuse that it’s only a software provider that doesn’t know whom its clients target. But then an NSO Group spokesperson suggested that, actually, these hacks may have been perfectly legal and following due process, and therefore not considered a misuse of spyware. Think about that: as long as a democratic government client itself defines an investigation as having been lawful, NSO Group is cool with it. In other words, democratic authoritarian governments like those in Poland and Hungary basically get free rein to hack whomever they want...as long as the hacks are processed through the corrupt judicial system:
So that’s one more NSO Group client shown to be abusing the Pegasus spyware. But in this case, it doesn’t appear that Poland is actually going to be punished at all, because the hacks were potentially done under the auspices of investigating crimes or corruption. So if you’re an NSO Group client state with a pesky person in need of hacking but you don’t want to risk having your subscription cut off after the hacks are discovered, be sure you accuse them of a crime warranting an investigation first, which will apparently make it all OK.
Here’s a recent NY Times piece on the US government’s relationship with NSO Group that serves as a reminder that Pegasus isn’t the only piece of super-spyware produced by the company. It’s also a reminder that NSO Group isn’t the only company out there offering these products, and that US firms have their own share of the super-spyware industry:
It turns out the FBI has been secretly purchasing NSO Group software for years, with plans to use the spyware for domestic surveillance. Yep. On one level this is an utterly unsurprising revelation. But on another level, the story raises all sorts of fascinating questions regarding whether or not NSO Group’s spyware truly was capable of hacking US phones. Recall how the Pegasus spyware had the capacity to hack phones with UK and Israeli phone numbers despite all the assurances that the targeting of such phones was technically impossible, raising obvious questions about whether or not phones with “+1” US-based phone numbers are also vulnerable. And then we got that story about US embassy workers in Uganda having their phones hacked with Pegasus, but in that case the numbers for those phones were NOT +1 US-based numbers. So whether or not the US government and corporations have been hacked by NSO Group clients around the world remains a mystery with this story. But a mystery that now includes the FBI seeking out NSO Group software for domestic uses.
It’s also a story that adds additional potential dark context to Peter Thiel’s sudden decision to leave the board of Facebook. Because while there was no shortage of valid reasons for Thiel to leave that board, it was hard not to wonder if Thiel’s departure was related to the recent NY Times report on Thiel-backed US-based spyware firm Boldend developing hacks for Facebook-owned WhatsApp. Especially in the wake of the Biden administration’s blacklisting of NSO Group following the Uganda embassy hack. Firms like Boldend could be positioned for a lot more US government contracts. Contracts that presumably involve domestic surveillance. Are Peter Thiel’s deepening investments in the domestic spying and surveillance sector part of the reason he left Facebook’s board? Again, it’s hard not to wonder. But as we’ll see in that NY Times report below, the Boldend hack was a zero-click attack, like Pegasus, where the victim doesn’t even need to click on a link to become infected. That’s a cutting-edge hack. Thiel is now an investor in cutting-edge offensive hacking technology.
But perhaps what we should be wondering about the most following this NY Times piece is whether or not NSO Group’s new super-spyware tool is on the market yet. Along with wondering about who exactly got the privilege of purchasing this next-generation tool. Because it turns out this new NSO Group tool, “Phantom”, is very much able to hack phones with US numbers. And, yes, the FBI was very interested in Phantom, reportedly spending two years trying to decide whether or not to deploy it:
“The yearlong investigation, by Ronen Bergman and Mark Mazzetti, also reports that the F.B.I. bought and tested NSO software for years with plans to use it for domestic surveillance until the agency finally decided last year not to deploy the tools.”
The FBI bought and tested NSO Group tools for years. With domestic surveillance plans. Now, it’s worth keeping in mind that it’s possible at least some of the FBI’s intended usage was to hack non-US number phones of people who happened to be in the US. But there’s still the big question about whether or not the FBI was planning on using NSO Group tools for hacking phones with US numbers. So when we learn the FBI spent two years debating whether or not to deploy Phantom, it’s hard to not assume the FBI was interested in hacking phones with US numbers:
And yet, as ominous as it is to read about Phantom, it’s probably not Phantom you need to worry about the most, given the uncertainty of NSO Group’s future. Peter Thiel’s Boldend is poised to fill the space a collapsing NSO Group creates. Boldend should have plenty of access to cash and is backed by an individual who just might have deeper connections into the privatized US national security state than anyone else on the planet. Watch out for the Boldend zero-clicks. They’re coming:
Will it be the FBI who zero-click hacks you with the next Boldend innovation? Some other US government agency? Other governments? Private entities? Thiel’s personal dirty tricks squad? We’ll find out. Or probably not, actually, but it will happen whether you find out or not. And the man who could arguably be called the most dangerous man alive today, Peter Thiel, is getting a lot more dangerous in the process. Thiel’s in the custom cutting-edge offensive spying industry now. Between all the other spying companies he’s been running — Facebook, Palantir, Clearview — Thiel has always had extensive spying options readily available.
It’s a grim reminder that, while NSO Group is obviously a company that has engaged in some pretty scandalous behavior over the past decade with all the egregious client states it’s taken on, it’s not as if a Peter Thiel-owned super-hacking firm isn’t a wildly scandalous entity on its own. A scandal that grows with every additional Thiel-owned company given a US government contract to develop new tools for conducting highly sensitive secret work. The US government is paying one of the world’s leading supervillains to build his own private national security empire. He’s been operating a private CIA-NSA hybrid empire for years. And now Thiel’s private spying empire has its own TAO hacking team, paid for by clients like the FBI. That’s pretty scandalous too.
Here’s a pair of articles underscoring the growing risks of the war in Ukraine triggering a major cyber event:
First, here’s a report from several weeks ago about warnings from the cybersecurity community that Russia may use SolarWinds-like hacks as part of the conflict in Ukraine. In one sense, the warnings are exactly what we should expect emanating from the cybersecurity community during a period of enhanced tension between Russia and the West. But the warnings are also an acknowledgement that, as we’ve seen, whoever carried out the SolarWinds hack likely maintained access to the attacked networks. The ‘backdoors’ are in place and ready for future exploitation.
Now, as we’ve also seen, the evidence that the SolarWinds hack was a Russian government operation is quite limited. In other words, we don’t really know who executed that devastating hack and who potentially maintains access to the computer networks of thousands of companies around the world. But it’s widely assumed to be Russia who did it, which means if we see a repeat of the SolarWinds hack it’s going to be blamed on Russia. And if some party wants to see the war in Ukraine expand beyond Ukraine, some sort of devastating cyber attack blamed on Russia would be a great way to do it:
“Russian threat actors — whether in government agencies such as the GRU and SVR, or in sympathetic groups such as Conti — have almost certainly compromised software supply chains that we don’t know about yet, according to cyber experts. And in any cyberwar maneuvers targeting the west, they might opt to utilize this access.”
It’s not a baseless warning. Russia really probably could execute a SolarWinds-style hack that targets the computer networks of thousands of government agencies and companies across the West if it chose to do so. The problem is that this ability isn’t limited to Russia, while we’re still operating under a cybersecurity paradigm that views the ‘unusual suspects’ — Russia, China, North Korea and Iran — as basically the culprits behind all major cyberattacks. It’s that refusal to recognize the broader array of potential culprits that makes this such a dangerous situation. Because right now, if some group wants to execute a SolarWinds-style mega-hack, they can do so with the near guarantee that it would be blamed on Russia:
And note the warnings we’re getting about how it’s not just companies that are directly operating with Ukraine. The view among some cyber experts is that every company in the West is seen as a potential target by Putin, which is basically a description of the SolarWinds hack that indiscriminately hit almost every major company in the world. So, again, if anyone has ambitions to execute a global SolarWinds-style hack, now is arguably the best time to do it:
Now would also arguably be the absolute worst time for anyone to execute a SolarWinds-style hack, precisely because it would inflame the situation with Russia so much, potentially triggering reprisal cyber attacks by the West. Unless, of course, that was the goal. It’s a matter of motive.
And that brings us to an article from last week about Ukraine’s side in the cyber conflict. Because if any entity on the planet has an incentive to foment a cyber counter-attack against Russia it’s the government of Ukraine. And according to reports coming out of Israel, Ukraine has been actively seeking out exactly the kind of powerful offensive tools that could be used for devastating cyber attacks. Tools like NSO Group’s Pegasus spyware.
Now, we’ve seen no indications that NSO Group’s cybertools are built to execute a SolarWinds-style hack that hits almost every company in the world. But as we saw with the investigation of the SolarWinds hack, it essentially started with the hack of a single developer at SolarWinds and was propagated to SolarWinds’s thousands of clients from there. So when you have a tool like Pegasus that can deliver unstoppable ‘zero-click’ spyware onto targeted individuals, and you have the sophistication to embed your malware in an undetectable way in the manner the SolarWinds hackers used, the potential for strategically targeting other firms like SolarWinds that are trusted by thousands of companies around the world is very real.
But let’s also not assume that you need to execute a SolarWinds-style hack to enrage the West. The potential damage is immense in the hands of a skilled hacker.
But there’s another interesting angle to Ukraine’s request for Israeli spyware tools: as we’ve seen, NSO Group and Candiru claim their malware can’t be deployed in Russia. Yes, Russia is one of the countries that is supposed to be off limits for Israel’s cyberweapons industry. And yet, as we’ve also seen, phones from other countries on that banned country list — like the UK and Israel — have indeed been hacked with these tools. So when we learn that Ukraine has been seeking out Israeli hacking tools that can’t target Russian phones, we shouldn’t necessarily assume they aren’t planning on attempting to hack Russian phones. But there’s the other obvious application for Pegasus: hacking other countries and leaving ‘clues’ that it was Russia behind it. As we saw with the story of the Ukrainian hacker, ‘The Profexor’, and his alleged relationship with both ‘Russian hackers’ involved with hacking the DNC and the Ukrainian security services, the question of who is ultimately behind a high profile hack can be highly nebulous.
Israel flatly rejected Ukraine’s appeals according to these reports, citing the neutrality it needs to maintain as a peace talk negotiator. So at this point it doesn’t sound like Ukraine actually has access to Israel’s elite hacking tools. But the ambitions are clear. Don’t forget that Israel isn’t the only provider of these kinds of tools. It’s a global marketplace. Ukraine has options:
“Israel has long had good relations with both Ukraine and Russia, and has been seeking to use its position to broker an agreement, as it also tries to walk a tightrope maintaining its ties to both countries. But its relationship with Kyiv has strained as Bennett has avoided directly blaming Russia for the war, although Foreign Minister Yair Lapid has done so.”
Ukrainian requests for weapons are obviously going to be a complication with Israel playing the role of the peace talks intermediary. But we can’t really be surprised by the requests. What is far more notable is the request for cyber weaponry, including NSO Group’s Pegasus hacking toolkit. It raises the question: what kinds of cyber-actions is Ukraine hoping to execute? Is it merely the gaining of battlefield military intelligence? Or something more in the offensive realm, like attacking Russia’s electrical grid and other critical infrastructure? We don’t know, but we now know Ukraine is actively pursuing powerful cybertools with powerful offensive capabilities:
So where else has Ukraine been inquiring about elite hacking tools? It’s a question the Russian government is no doubt asking following these reports. Let’s hope the rest of the world is asking these kinds of questions too.
Here’s a pair of articles about a rather fascinating update to the US government’s blacklisting of NSO Group’s spyware. It sounds like there’s a possible solution to NSO Group’s pariah status: selling the company to US national security contractor L3Harris.
Yes, NSO Group might become a US-owned and operated firm. It’s the kind of move that could address the growing evidence that NSO Group’s spyware tools have been used against US-based phones, contradicting the company’s long-stated claims that its tools were banned from targeting phones in certain countries including the US, UK, and Israel. Recall how cases of NSO Group’s spyware hacking UK- and Israel-based phones have already been documented. Also recall how we learned in January of this year that the FBI secretly purchased and tested NSO Group’s spyware for years with plans to use it for domestic surveillance until the agency finally decided last year not to use the tools. So at the same time there have been well-documented fears in the US government of NSO Group’s global list of client states using that spyware against US targets, the FBI was planning on doing the same thing.
But as we’re going to see, the proposed sale is raising major alarms in the US government. The kind of alarms that raise all sorts of fascinating questions about how much direct involvement the Israeli intelligence services have had in the operations of NSO Group’s spyware. It’s also the kind of alarm that might explain why the FBI ultimately decided not to use the tools. Days after the proposed buyout story hit the news, Senator Ron Wyden warned that any intercepts carried out with NSO Group spyware by US intelligence services are just going to end up in Israeli hands too. The warning was based on what appears to be a widely held assumption that NSO Group’s spyware contains backdoors that feed captured data back to Israeli intelligence. In other words, all of the claims by the Israeli government of “we had no idea how clients were using the spyware” were likely garbage. Israel and NSO Group deny such backdoors exist, but it sure would help explain the large number of highly questionable clients who received access to these tools. Don’t forget that the Israeli government controlled which countries could become NSO Group clients. There’s going to be a lot less reticence about selling tools like that if backdoors are included.
It sounds like there are also questions about where NSO Group would be located after a sale. The assumption in the Israeli cyber industry is that the personnel and development of new tools would remain in Israel and that Israel would continue to retain access to the tools. But it sounds like the US might demand that access to NSO Group’s spyware be limited to the Five Eyes nations and maybe some NATO allies.
So if NSO Group’s spyware is filled with backdoors sending intelligence back to Israeli intelligence, which government agencies are going to feel comfortable using these tools? Well, as John Scott-Railton, a senior researcher at Citizen Lab at the Munk School at the University of Toronto, predicts, governments aren’t going to trust NSO technology for their most sensitive operations. Instead, it’s local authorities like US police departments that are the likeliest clients. Yep. And who knows, maybe the FBI all things considered. We’ll see if this sale actually goes through. But if it does happen, it would be a big mistake to assume that the US purchase of NSO Group is going to be done in order to minimize the potential abuses of NSO Group’s tools against US citizens. Quite the opposite:
“Wyden said in a statement to the Guardian: “If the US plans on using foreign-made surveillance technology, it might as well bcc the country that produces it on every intercept. It’s a serious national security risk, similar to the concerns associated with using foreign communications technology. The White House is right to raise concerns about this deal.””
It’s quite a warning: any intelligence gained using NSO Group spyware is automatically shared with Israeli intelligence. That assumption isn’t just held by Senator Wyden. It’s apparently the US intelligence community’s long-standing assumption. An assumption that, if true, utterly destroys the long-standing claims by the NSO Group and Israeli government that they weren’t aware of any abuses. The fruits of those abuses were likely automatically forwarded to Israeli intelligence the entire time:
Those lingering questions about backdoors in NSO Group’s software are part of the reason the major questions surrounding L3’s potential acquisition of the company include whether or not it would still be housed in Israel and whether the Israeli government would still maintain access. Will the NSO Group’s powerful spyware just be limited to the Five Eyes and some NATO allies? Keep in mind all of the evidence that suggests Israel has been treating access to NSO Group’s tools as a key diplomatic tool. So if NSO Group gets sold and a number of existing NSO Group clients lose access to the tools, will Israel perhaps agree to carry out attacks on behalf of those clients? These are the kinds of questions regulators are presumably wrestling with right now:
But as the following report describes, there’s another major question looming over this potential acquisition by a US company: what entities are going to feel secure using spyware that is suspected of containing backdoors to Israeli intelligence? According to John Scott-Railton, a senior researcher at Citizen Lab at the Munk School at the University of Toronto, US intelligence agencies are unlikely to use tools with such massive security risks. And that leaves local law enforcement as the likely end-users. So it sounds like the stories of abuses of NSO Group’s tools by governments around the world are going to be replaced with stories of abuses of NSO Group’s tools by the local authorities in the Five Eyes countries and their lucky NATO allies:
“Any deal would also face hurdles in Israel. One assumption in the Israeli cyber industry is that it would have to keep oversight of the Israeli-made technology in Israel, and keep all development of Pegasus and personnel in Israel.”
Is NSO Group going to effectively remain an Israeli entity, with all development and personnel remaining in the country? That’s the remarkable assumption that was apparently held by the Israeli cyber industry when this proposed buyout was first reported. We’ll see if it actually pans out that way, but if that’s how this deal goes down, it’s hard to argue with the assessment of John Scott-Railton: this is going to become a tool of US local law enforcement because any entity with a national security mission is going to know not to touch it:
Keep in mind one of the key features of NSO Group’s software: the hacks are extremely difficult to detect, in part because of the zero-click capabilities. So any agencies that wanted to engage in surveillance that doesn’t quite meet constitutional muster would theoretically still have the capacity to carry out unauthorized surveillance campaigns with little chance of getting caught. Will US police departments handle the “zero-click” unstoppable hacking capabilities responsibly? How about the FBI? We’ll see. Well, actually, we the public probably won’t see. But the agencies that ultimately gain access to these tools are going to see if they can handle the power responsibly. Them and presumably Israeli intelligence. Plenty of actors will be aware of abuses. They may not talk about it, but they’ll be aware of it.
Who watches the watchmen? It’s an alarmingly topical question as the investigation into the January 6 Capitol insurrection continues to flesh out both what we know and don’t know about the events leading up to that day. In particular, what we aren’t allowed to know thanks to what appears to be a massive coverup inside the Inspector General’s office at the Department of Homeland Security.
It’s not just that there was some sort of corruption inside the office of DHS Inspector General James Cuffari. As we’ve seen, it’s Cuffari himself — a 2019 Trump appointee to the office and a former aide of Republican Arizona governor Doug Ducey — who appears to be at the heart of it. Which is why congressional investigators are now calling for Cuffari to recuse himself from his agency’s investigations into Jan 6. As we’ve seen, Cuffari has been repeatedly sabotaging his agency’s own investigation into Jan 6. An investigation that included the missing texts from 24 Secret Service agents’ phones in the month leading up to and on Jan 6. According to multiple anonymous whistleblowers, Cuffari was preparing to issue a public alert back in October 2021 over the resistance he was getting from the Secret Service and other DHS departments in their investigation into Jan 6. And then obviously he changed his mind, since we never got that alert. Cuffari has responded to this outcry by opening a criminal investigation of the Secret Service over the missing texts and, in turn, is ordering the Secret Service to halt its own ongoing forensic investigation into the missing texts in lieu of the criminal investigation. Yes, Cuffari’s criminal investigation into the Secret Service’s handling of the missing texts is itself probably criminally corrupt, or at least has that appearance.
We received a number of updates to that sordid mess over the last few days. It sounds like Cuffari made more attempts to alert Congress about the missing texts. And then canceled those orders. It’s a pattern.
For starters, in May 2021, the Secret Service informed Cuffari’s office that the agency tried to contact a cellular provider to retrieve the texts when they realized they were lost. We’re also told that key Secret Service personnel didn’t realize data was permanently lost until after the data migration was completed, and erroneously believed the data was backed up. At least that’s what anonymous sources were telling CNN. So the Secret Service’s story at this point is apparently that it thought texts were backed up and only belatedly realized they were lost permanently when they discovered that even the cellular provider couldn’t retrieve their own copies. As we’re going to see, part of what makes this a poor alibi, from a technical standpoint, is that the Secret Service agents were using government-issued iPhones. And when one iOS device texts another one they use the encrypted iMessaging texting protocol. Cellular providers only have access to the encrypted message. You need the iPhone itself to access the iMessages.
So any messages between the 24 Secret Service agents themselves would presumably be lost when those government-issued iPhones were wiped at the end of January 2021. But that still doesn’t explain the virtual lack of any traditional text messages. Don’t forget that it was just a lone message on Jan 6 from the Chief of the Capitol police that was turned in by those 24 agents. That’s it. One message. Are we to believe that all of the other text messages they received were iMessages sent from or to another iPhone? Because that’s what we would have to believe if we assume there aren’t lost traditional text messages. And yet the Secret Service told Cuffari’s office last May that the cellular provider it contacted couldn’t find any messages. It’s odd. Couldn’t they at least find the single message from the Chief of Police, or was that an iMessage? It’s all very odd.
So what did Cuffari’s office do in response to the May 2021 revelation that the Secret Service had ‘accidentally’ lost all these messages and concluded it couldn’t retrieve them after the cellular provider said it couldn’t find any? Well, in July of 2021, Cuffari’s office told DHS they were no longer seeking those texts. Yep. Case closed as far as Cuffari’s office was concerned. At least until December, when Cuffari’s office reopened the probe.
Part of the reason that May 2021 date for when the Secret Service informed Cuffari’s office is so notable in the context of a coverup is that it was earlier this month when the Secret Service told congressional investigators that Cuffari’s office learned about the missing texts in December 2021, the month the probe was reopened. And yet here we learn that the Secret Service told Cuffari’s office in May of 2021 that it couldn’t find the messages and the Inspector General informed DHS two months later that the probe was over. The Secret Service and Cuffari’s office have had a lot of overlap in their omissions.
And then there’s a whole new dimension to all this: recall how Cuffari killed the public alert that was planned in October 2021 that included warnings about resistance from not just the Secret Service but other DHS agencies too. Well, we’re now learning about missing text messages for the two top DHS officials at the time: acting DHS Secretary Chad Wolf and acting Deputy Secretary Ken Cuccinelli. The top two officials in DHS lost their texts too. It’s the kind of revelation that should add all sorts of additional questions to all the existing questions about what was going on with the different facets of the national security state during the period around the insurrection. For example, recall the reports on how DHS and the FBI knew there might be trouble in the lead up to Jan 6 but apparently looked the other way. Then-acting DHS Secretary Chad Wolf was out of the country, in the Middle East, during this transition period.
But there’s another interesting aspect to Chad Wolf’s role in this story that’s worth keeping in mind when it comes to missing texts and any other missing digital documents: Wolf’s emails were the target of an apparently successful hacking attempt targeting high-level US government officials as part of the giant Microsoft Exchange hack. So at least when it comes to any potentially incriminating emails, whoever executed that hack probably has at least some of them. Recall how signs of the Microsoft Exchange mega-hack started on Jan 3, 2021. How many incriminating emails involving the insurrection and the various other criminal plots to overturn the election ended up in the hands of those hackers? Talk about some juicy blackmail material.
Also recall how the SolarWinds hack started as early as the Spring of 2020. All sorts of US government networks could have been infiltrated throughout the months leading up to the 2020 election and beyond. It would have been a blackmail treasure trove given the rampant criminality of the Trump administration at that point.
So while Jan 6 investigators may not want to ask the question of whether or not deleted Jan 6 evidence is in the hands of the perpetrators of these mega-hacks, they really do need to ask the question. It’s relevant to the investigation. Certainly relevant to the potential fallout from the plot. Again, the blackmail material that could be used against future Republican administrations — which will undoubtedly be rooted in Trumpism — is just immense. It’s part of the damage assessment. And who knows, maybe a means of recovering the missing evidence.
But, of course, when we’re talking about missing iMessages, there’s another obvious source of hacked materials the investigators could potentially turn to: all of the NSO Group’s clients. All of those governments. Because as the story of the Pegasus super-spyware made clear, basically any iPhone in the world was subject to a zero-click super-hack that left victims completely unaware. And while NSO Group claimed its spyware couldn’t be used against US-based phones, it also made similar claims about UK and Israeli phones that were proven to be false. Plus, the FBI spent years investigating whether or not to use Pegasus domestically. And as we also saw, NSO Group’s Pegasus spyware was caught hitting iPhones and lifting iMessages in the summer of 2021, so this capability was very likely available to NSO Group clients throughout the period around the 2020 election.
We have every reason to believe NSO Group’s spyware could have been potentially used on US phones. And we know the Secret Service issued iPhones to its agents. So we have to ask: did any NSO Group clients decide to infect Secret Service agents? If so, hopefully it’s a friendly client. Blackmail and all that.
Oh, and it turns out Chad Wolf and Ken Cuccinelli insist that they turned in their phones to DHS with their data fully intact and all the texts there so if any texts are missing that should be taken up with DHS. So either they’re both lying, or someone in DHS is deleting texts. That’s the kind of picture that’s emerging here. It’s awful. But it’s yet to be determined what exact flavor of awful we’re experiencing here.
Ok, first, here’s a CNN piece from over the weekend about the May 2021 notification by the Secret Service of their failed attempts to find the missing messages and Cuffari’s ending of the probe two months later. Before reopening the probe in December instead of alerting Congress and the public in October. It’s the latest round of revelations in this story building upon the underlying theme of an inspector general desperate to find a reason not to blow the whistle:
“Earlier this month, Secret Service officials told congressional committees that DHS Inspector General Joseph Cuffari, the department’s independent watchdog, was aware that texts had been erased in December 2021. But sources tell CNN, the Secret Service had notified Cuffari’s office of missing text messages in May 2021, seven months earlier.”
Missing documents and a story that’s full of holes. Yep, we got ourselves a coverup. A coverup seemingly being carried out by the person tasked with identifying coverups. It’s not a great look for DHS:
It’s the kind of awful look that raises the obvious question of how many other DHS coverups are going on, which brings us to the other new coverup scandal in this story: the recent revelation of missing texts for the two top DHS officials under former President Donald Trump — acting Secretary Chad Wolf and acting deputy secretary Ken Cuccinelli — during the period around Jan 6. Adding to the mystery is the fact that both Wolf and Cuccinelli insist that they actually preserved their text messages during the phone switchover of Jan 2021. The clear implication from Wolf and Cuccinelli is that someone else deleted their texts after the fact. What is going on here?
And then we get to the utterly confusing and baffling timeline we are told about Cuffari’s 2021 investigations into this matter: in June of 2021, Cuffari’s office requested records and texts on 24 Secret Service agents relevant to Jan 6, but rescinded that request the next month, telling DHS the inspector general’s office was no longer looking into the matter and considered it closed. And as CNN reported last week, investigators had been working to determine whether the content of the text messages sent by the 10 personnel contained relevant information that should have been preserved at the time when Cuffari issued that order to halt the investigation. So Cuffari’s office effectively stopped an ongoing investigation into missing texts after evidence of some of those missing texts had already been identified:
And then there’s the fact that Cuffari’s current investigation into the missing texts is now being used as a pretext for the Secret Service no longer cooperating with the Jan 6 congressional investigators. It’s like inspector general gaslighting:
And, of course, it gets worse. The squelching of that investigation back in July of 2021 was apparently just a warm-up act. We’re also learning about an offer of forensic help in retrieving data lost on devices, made in February of this year to the entire DHS by Cuffari’s office. An offer rescinded later that month.
And it gets even worse: we’re also learning that the top two officials at DHS during the period around Jan 6 — Trump’s acting homeland security secretary Chad Wolf and acting deputy secretary Ken Cuccinelli — have missing texts of their own. Texts they both insist were never deleted from their phones. So either Wolf and Cuccinelli are lying, or someone in DHS deleted those messages for them after the fact. Either way, it’s one helluva coverup:
“Cuffari wrote a letter to the House and Senate Homeland Security committees this month saying the Secret Service’s text messages from the time of the attack had been “erased.” But he did not immediately disclose that his office first discovered that deletion in December and failed to alert lawmakers or examine the phones. Nor did he alert Congress that other text messages were missing, including those of the two top Trump appointees running the Department of Homeland Security during the final days of the administration.”
As we can see, the prior June 2021 request by Cuffari’s office for missing texts — which was rescinded the following month — described in the previous CNN article was just one of a number of apparent episodes where Cuffari’s office was quietly becoming aware of missing texts only to quietly close the investigation later. In early Feb 2022, plans were made in Cuffari’s office to contact ALL DHS agencies with an offer to help forensically retrieve messages from their phones. A plan that was scrapped the next month. It’s like plans to actually investigate Jan 6 couldn’t survive more than a month in Cuffari’s office. We’re even told that Cuffari’s office issued explicit orders to the agency’s top forensic expert to “stand down” on pursuing the forensics work for the Secret Service’s phones. Cuffari’s office has killed this investigation multiple times. That’s pretty damn guilty behavior. So guilty we have to ask: is James Cuffari — a former adviser to Republican Arizona Gov. Doug Ducey who was appointed to the office in 2019 by Donald Trump — running partisan political interference for his party? It sure looks exactly like that’s what’s happening. The inspector general of DHS has been secretly running interference for his party. Interference in the investigation of his party’s attempted coup. It’s hard to come up with a more emblematic example of the deep rot infecting the basic operations of the US government:
It also sounds like another DHS agency — the Federal Protective Service, which is tasked with protecting federal buildings — offered to have its phones forensically examined in February, and that forensic data recovery process was indeed started. Until Cuffari’s office ended it on Feb 18 with instructions not to take the phones or seek any data from them. And that was just one example of how Cuffari’s office was actively thwarting any forensic examination of these phones:
And it was late February, not long after Cuffari’s office squashed the DHS-wide offer for forensic recovery of lost data, that Cuffari reportedly learned that the text messages for Chad Wolf and Ken Cuccinelli were missing. And yet both Wolf and Cuccinelli insist that they never deleted any messages and returned their phones to DHS with all of the contents intact. So either Wolf and Cuccinelli are both lying and decided to deflect blame onto someone involved with the investigation, or someone else at DHS deleted those messages:
So with Cuffari’s office squashing its own offers for a forensic recovery of lost texts, we have to ask: why can’t these texts be recovered by the cell phone service providers? We got an answer to that question in a recent report out of Politico that adds some important technical information about the situation: while regular text messages are indeed recoverable via cell phone providers, the iMessage texts sent between iPhones are encrypted and only accessible via the phone itself. And it also happens to be the case that Secret Service agents are issued iPhones. So it sounds like it’s really just the iMessages that shouldn’t be recoverable. And yet, as we’ve seen, only a single text was ever turned over by the 24 Secret Service agents in question. So with only iMessages being theoretically unrecoverable without access to the phone, how is it feasible that only a single text was recovered? It’s the kind of detail that lends credence to the accusations by Wolf and Cuccinelli that someone else inside DHS has been actively deleting recoverable texts:
“The phone resets occurred as the Secret Service was implementing a new mobile device management platform, a technology that employers use to centrally manage and preserve emails, photos and other data stored on employees’ phones. Apple’s iMessages cannot be backed up by this system, because they are encrypted and stored on users’ devices, unlike regular text messages”
Well, at least we have a somewhat viable technical explanation for why the Secret Service agents’ text messages may be genuinely lost forever: if they were using iPhones, those text messages are encrypted and therefore inaccessible to cell-phone providers. And it sounds like Secret Service agents were indeed given government-issued iPhones. Now, the iMessage system that encrypts messages is only used when communicating with another iOS device, e.g. another iPhone. So it sounds like any text messages sent from other iPhones are possibly lost forever, while messages sent to or from non-iPhones should, in theory, be accessible through various means, including from the cell-phone service providers. That’s an important detail to keep in mind in the context of the decision by Cuffari’s office back in February to rescind its agency-wide offer of forensic examinations of devices. We have every reason to suspect that at least some of the messages should be technically retrievable:
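The SMS-versus-iMessage distinction drawn above (and earlier, in the discussion of why the cellular provider came up empty) is exactly the first cut a forensic examiner makes when deciding what can still be recovered and from where. As an added example that is not from the article or from any agency’s procedures, the following Python script runs that triage over a constructed, in-memory miniature of the iOS messages database layout. The schema details it relies on are assumptions stated in the code: a `message` table whose `service` column holds `iMessage` or `SMS` and whose `date` column is nanoseconds since Apple’s 2001 epoch, joined to a `handle` table of counterparties. All rows and phone numbers are made up.

```python
import sqlite3
from datetime import datetime, timezone, timedelta

# Assumed schema detail: chat.db stores message.date as nanoseconds since
# Apple's "Cocoa" epoch, 2001-01-01 00:00:00 UTC, on recent iOS versions.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cocoa_ns_to_datetime(ns: int) -> datetime:
    """Convert a chat.db nanosecond timestamp to a timezone-aware datetime."""
    return COCOA_EPOCH + timedelta(microseconds=ns // 1000)


def datetime_to_cocoa_ns(dt: datetime) -> int:
    """Inverse of cocoa_ns_to_datetime (whole seconds only)."""
    return int((dt - COCOA_EPOCH).total_seconds()) * 1_000_000_000


# Constructed sample data, not real evidence: handles are placeholder numbers.
SAMPLE_HANDLES = [
    (1, "+15550100001"),
    (2, "+15550100002"),
    (3, "+15550100003"),
]

# (ROWID, handle_id, service, timestamp UTC, text); row 6 is outside the window.
SAMPLE_MESSAGES = [
    (1, 1, "iMessage", datetime(2021, 1, 5, 14, 0, tzinfo=timezone.utc), "constructed msg 1"),
    (2, 1, "iMessage", datetime(2021, 1, 6, 19, 30, tzinfo=timezone.utc), "constructed msg 2"),
    (3, 2, "SMS", datetime(2021, 1, 6, 20, 0, tzinfo=timezone.utc), "constructed msg 3"),
    (4, 3, "SMS", datetime(2021, 1, 6, 21, 15, tzinfo=timezone.utc), "constructed msg 4"),
    (5, 3, "iMessage", datetime(2021, 1, 6, 21, 20, tzinfo=timezone.utc), "constructed msg 5"),
    (6, 2, "iMessage", datetime(2021, 1, 10, 9, 0, tzinfo=timezone.utc), "constructed msg 6"),
]

# Review window used by the sample run: Jan 5 and Jan 6, 2021 (UTC).
WINDOW_START = datetime(2021, 1, 5, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 1, 7, tzinfo=timezone.utc)


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with the two chat.db-style tables the triage joins."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT)")
    conn.execute(
        "CREATE TABLE message (ROWID INTEGER PRIMARY KEY, handle_id INTEGER, "
        "service TEXT, date INTEGER, text TEXT)"
    )
    conn.executemany("INSERT INTO handle VALUES (?, ?)", SAMPLE_HANDLES)
    conn.executemany(
        "INSERT INTO message VALUES (?, ?, ?, ?, ?)",
        [(rid, hid, svc, datetime_to_cocoa_ns(ts), txt)
         for rid, hid, svc, ts, txt in SAMPLE_MESSAGES],
    )
    return conn


def triage_window(conn: sqlite3.Connection, start: datetime, end: datetime) -> dict:
    """Split messages in [start, end) by transport and flag device-only conversations."""
    rows = conn.execute(
        "SELECT m.ROWID, h.id, m.service, m.date, m.text "
        "FROM message m JOIN handle h ON h.ROWID = m.handle_id "
        "WHERE m.date >= ? AND m.date < ? ORDER BY m.date",
        (datetime_to_cocoa_ns(start), datetime_to_cocoa_ns(end)),
    ).fetchall()

    counts = {"iMessage": 0, "SMS": 0}
    services_by_handle = {}
    records = []
    for rowid, handle, service, date_ns, text in rows:
        counts[service] = counts.get(service, 0) + 1
        services_by_handle.setdefault(handle, set()).add(service)
        records.append({"rowid": rowid, "handle": handle, "service": service,
                        "when": cocoa_ns_to_datetime(date_ns).isoformat(), "text": text})

    # A conversation with no SMS rows in the window has no carrier-side copy at all:
    # its only sources are the device itself or a device backup.
    device_only = sorted(h for h, svcs in services_by_handle.items() if svcs == {"iMessage"})
    return {
        "counts": counts,
        "carrier_recoverable": counts.get("SMS", 0),  # SMS rows a carrier might also hold
        "device_only_handles": device_only,
        "records": records,
    }


if __name__ == "__main__":
    summary = triage_window(build_sample_db(), WINDOW_START, WINDOW_END)
    print(summary["counts"], "device-only conversations:", summary["device_only_handles"])
```

On the constructed data the run reports three iMessage rows and two SMS rows inside the window, with one conversation that is iMessage-only and therefore recoverable from nowhere but the handset or its backups. The practical point for the article’s question is the inverse one: if an examiner has a wiped device and a carrier request comes back empty, the SMS column is the part of the record that should still have had a second copy somewhere, and a result of a single surviving message is what calls for explanation.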
Are the iMessages from those wiped Secret Service phones truly lost forever? That’s certainly what Cuffari’s office would like us to believe. And who knows, maybe it’s true. But as the following pair of articles remind us, it’s not like those Secret Service agents were necessarily the only entities with access to their iPhones. This is the age of the mega-hack, after all, including the twin mega-hacks of the SolarWinds hack that started as early as the Spring of 2020 and the Microsoft Exchange hack that apparently started on January 3, three days before the insurrection. And the US government appears to have been heavily hit by both of those mega-hacks.
So we have to ask: is it possible that any of the groups behind the mega-hacks of 2021 managed to get their hands on these missing texts? Well, recall how the SolarWinds hack gave backdoor access to corporate networks — which could potentially be useful for stealing information like regular text messages stored on cell phone provider networks — while the Microsoft Exchange hack gave access to massive troves of emails. So neither of those two mega-hacks appeared to give direct access to something like encrypted iMessage texts stored on iPhones.
But as we’ve seen, the mega-hack of SolarWinds’s corporate client networks wasn’t the only hack attributed to the ‘Nobelium’ hacking group last year. There was also the hack targeting iOS devices using fake LinkedIn email invites discovered in March of 2021. When someone clicked on the fake LinkedIn link, they were taken to a fake landing page that secretly downloaded malware that enabled the capture of credential cookies for all sorts of websites. In other words, this hack that targeted iPhones doesn’t appear to allow for the lifting of iMessages off those phones, but it would allow for the potential hacking of all sorts of accounts for sites like GMail, Yahoo Mail, and plenty of other potentially sensitive accounts. And as the following article reminds us, this faked LinkedIn hacking campaign was apparently focused on the employees of Western governments. So while the SolarWinds hackers may or may not have gained access to any of those missing text messages related to Jan 6, they could still have accessed plenty of other information related to that day as long as that information was accessible via a web service the agents accessed through a browser on their phones:
“This cyberattack was reportedly part of an email campaign launched to steal web security credentials from Western European governments. The hackers sent messages to government officials via LinkedIn.”
Did the SolarWinds hackers break into any of those Secret Service iPhones during the period around Jan 6? Let’s hope investigators are finally allowed to ask these kinds of questions.
But, of course, if we’re talking about the hacking of iPhones, we can’t just be looking at groups like Nobelium or Hafnium that were credited with pulling off the SolarWinds and Microsoft Exchange hacks. Governments around the world have had unstoppable ‘zero-click’ iPhone super-hacks for years: NSO Group’s Pegasus spyware.
Of course, as we’ve also seen, there was the ostensible block built into that spyware that was supposed to prevent it from hacking US-based phones with a “+1” phone number. And it seems reasonable to assume Secret Service agents had iPhones with US-based phone numbers. So in theory, the phones of the 24 Secret Service agents in question — and anyone else working at DHS — would have been safe from a Pegasus hack. But, of course, as we’ve seen, those claims of a block against US-based phones appear to be PR garbage. Recall how the Pegasus spyware had the capacity to hack phones with UK and Israeli phone numbers despite all the assurances that the targeting of such phones was technically impossible, raising obvious questions about whether or not phones with “+1” US-based phone numbers are also vulnerable. And then we got that story about US embassy workers in Uganda having their phones hacked with Pegasus, although in that case the numbers for those phones were NOT +1 US-based numbers. And then we got the story about how the FBI got its own Pegasus subscription and experimented with it in the hopes of using it in the US for domestic surveillance purposes. So while we haven’t yet received clear confirmation that NSO Group’s many government clients around the world had the ability to hack the Secret Service agents’ phones, there’s only been growing circumstantial evidence pointing in that direction. And that’s why this report from September of last year — about how the zero-click, unstoppable spyware NSO Group was selling to governments around the world gave access to the iMessages on those phones — is the kind of story we should be keeping in mind when it comes to the hunt for those Secret Service agents’ missing iMessages. The number of entities that might have copies of those agents’ messages just might include the range of NSO Group clients, depending on whether or not NSO Group really was allowing its clients to hack US phones:
“The malicious software takes control of an Apple device by first sending a message through iMessage, the company’s default messaging app, and then hacking through a flaw in how Apple processes images. It is what’s known in the cybersecurity industry as a “zero-click” exploit — a particularly dangerous and pernicious flaw that doesn’t require a victim clicking a link or downloading a file to take over.”
It wasn’t until September of 2021 that the world learned that NSO Group’s spyware targeting iPhones was so powerful that it could allow the attacker to effectively take complete control of the phone. A lot more than iMessages are at risk with an exploit like that. So when did NSO Group learn how to do this? And more importantly, when did its clients get access to something like that? We don’t know. But as it becomes more and more clear that the coverup now includes a large number of Secret Service agents, the partisan hack Inspector General, and maybe the then-acting heads of the DHS, it’s also becoming increasingly clear that US government investigators might need to look elsewhere for evidence related to the Jan 6 investigation. They need to be looking into it anyway. It’s not great when government documents are hacked. It’s far worse when those hacked documents are then wiped from the government’s records. Especially if the hacked documents involve the planning and execution of a coup attempt. And most especially if that coup attempt is under investigation and could really use those missing documents.
Here’s a set of articles about a growing government spyware scandal in Greece that is one of the rare spyware stories these days that NSO Group can smile about. Because it’s not about NSO Group. No, it’s about a home-grown piece of super-malware that was apparently used in the way we kind of expect home-grown super-malware to get used: on domestic journalists and opposition politicians.
In this case, it’s the Predator super-spyware — delivered through texted links that, when clicked, take the user to a website that quietly delivers the malware payload and allows near-complete control of the phone — that was used against a financial crimes reporter at CNN Greece and the head of the PASOK opposition party. Predator was developed by Cytrox, a company founded in North Macedonia and absorbed by Intellexa, which is thought to be based in Greece. But we can’t be sure where Intellexa is based, and that’s a big part of the broader story here: this brewing Greek scandal is just the latest example of a thriving shadow industry across the EU. An industry operating so deeply in the dark that even EU regulators can’t figure out who is operating in this space and where they’re located. The Spywarepocalypse continues.
As we’re going to see, the Greek journalist who had his phone hacked, Thanasis Koukakis, was texted a link to a financial article that looked like it was a CNN Greece article but was actually an infected clone of the CNN Greece website that delivered malware to his phone. Nikos Androulakis, the head of the opposition party PASOK, was sent a similar link but never clicked it. When Koukakis alerted the public to his hacking back in April, an investigation was started but thwarted by the parliamentary committee overseeing it. Then Androulakis received a similar fake CNN Greece link by text in late July and went public with the hacking attempt, prompting a parliamentary hearing in early August where the head of the Greek intelligence agency, the EYP, admitted to hacking both phones. A week later the President of Greece called for an investigation. And the week after that the EU said it wanted to help investigate too. And that’s where we are on the story.
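The delivery mechanism described above, a texted link to a clone of a trusted news site, is the kind of thing a security team can at least triage automatically before anyone taps on it. The following is an added example (not code from the original post or from any party in the Greek case) of a small URL-triage routine: it pulls URLs out of message text and flags hosts that embed a known brand domain as a subdomain, sit within a couple of edits of it, or use non-ASCII (homoglyph) characters. The legitimate domain `cnn.gr`, the sample message bodies, and the lookalike hostnames are all constructed assumptions for the demo; the registrable-domain logic is a deliberately naive "last two labels" rule, which a real deployment would replace with the Public Suffix List.

```python
import re
from urllib.parse import urlparse

# Assumed legitimate domain for the brand being impersonated (the post only
# says "CNN Greece"); a real deployment would load an allow-list from config.
KNOWN_DOMAINS = {"cnn.gr"}

# Constructed SMS bodies for the demo, not the real messages from the Greek case.
SAMPLE_TEXTS = [
    "Breaking: bank fines announced https://www.cnn.gr/news/economy/fines-2022",
    "Did you see this? https://cnn.gr.news-update.example/economy/article-771",
    "Exclusive report https://cnm.gr/oikonomia/ereuna",
    "Reminder: meeting moved to 15:00. No link in this one.",
    "Read: https://\u0441nn.gr/article",  # Cyrillic 'с' in place of Latin 'c'
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """Pull http(s) URLs out of free text, trimming trailing punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def registrable_domain(host):
    """Naive 'last two labels' registrable domain (assumption for the demo;
    use the Public Suffix List in production so co.uk-style suffixes work)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Classic edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url, known=KNOWN_DOMAINS, max_distance=2):
    """Return 'known', 'lookalike', 'unrelated' or 'invalid' for one URL."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "invalid"
    if not host.isascii():
        return "lookalike"  # IDN/homoglyph host: needs a human look regardless
    domain = registrable_domain(host)
    if domain in known:
        return "known"
    for k in known:
        # Known brand used as a subdomain of some unrelated registrable domain,
        # e.g. cnn.gr.news-update.example
        if host.startswith(k + ".") or ("." + k + ".") in ("." + host):
            return "lookalike"
        # Typosquat within a couple of edits of the real domain, e.g. cnm.gr
        if levenshtein(domain, k) <= max_distance:
            return "lookalike"
    return "unrelated"


def triage_texts(texts):
    """Return (url, verdict) pairs for every URL found across the texts."""
    return [(u, classify_url(u)) for t in texts for u in extract_urls(t)]


if __name__ == "__main__":
    for url, verdict in triage_texts(SAMPLE_TEXTS):
        print(f"{verdict:10s} {url}")
```

The edit-distance threshold is intentionally loose: a verdict of "lookalike" means "send to a human or a detonation sandbox", not "malicious", so a legitimate sister domain two edits away gets reviewed rather than blocked. What this does not tell you is what the page behind the link does; the point is only to keep a clicked link from being the first line of detection.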
The EYP hasn’t given a reason for the hacks but insists it had a prosecutor’s approval for the hack of Androulakis and that everything was lawful. The feel of revelation and discovery is in the air. And coverup. Mostly coverup.
Ok, first, here’s an article from last week about the EU parliament offering its help in investigating the “inexcusable” spying now admitted by the EYP. Similar inexcusable spying is happening in other EU member states, which is part of why the EU parliament wants to look into this:
“The Greek president has called for an investigation into the tapping by the state intelligence of Nikos Androulakis, leader of Greece’s Socialist PASOK party and a member of the European Parliament.”
The Greek president is calling for an investigation. It’s serious. At least let’s hope so because it’s an investigation of the president’s own spy agency accused of spying on his own political opponents. That’s part of why it’s so significant that the EU parliament is now signalling that it’s interested in this investigation too:
And as the following Reuters article from a couple of weeks ago describes, Greek president Katerina Sakellaropoulou was informed the prior week by the head of the Greek spy agency, the EYP, that the agency had indeed spied on the opposition leader Nikos Androulakis. The head of the EYP was sacked, along with the president’s chief of staff, followed by Sakellaropoulou’s call for an investigation. So it sounds like the president didn’t know the country’s spy agency was spying on one of the main opposition leaders. At least that’s the story so far:
“A government spokesman said that EYP had tapped Androulakis’s phone but that the surveillance, which was approved by a prosecutor, was lawful and the prime minister was informed about it last week.”
So, at least up to the point when Greece’s president called for an investigation, the government position was that, yes, the EYP had spied on the leader of PASOK, but it was entirely lawful and done with a prosecutor’s approval. And we’re also told the president was only informed of all this last week, implying that this was an independent, routine criminal investigation. And yet the head of the EYP and the chief of staff were sacked the same day as this statement, and there’s still no explanation for why the head of PASOK had his phone hacked:
Also note another important detail in that government statement: the government was admitting Androulakis’s phone was indeed successfully hacked and didn’t just experience a hacking attempt. That’s going to be important to keep in mind when reading the Wired article below. According to Androulakis, he only experienced a hacking attempt when someone sent him a link to an infected website that delivers malware. But he wasn’t actually hacked because he never clicked on the link. At least that’s how it sounded in that article, but the Greek government sure sounds like it successfully hacked his phone.
And not just Androulakis’s phone. As the following Reuters article from a few weeks ago — when the story first erupted in Greece — describes, the story of the hack of Androulakis’s phone was preceded by the story of the EYP hack of a Greek journalist. Specifically, Thanasis Koukakis, a financial reporter for CNN Greece who works on stories about financial crimes. And as before, there’s no good explanation given for why the hack was done. In other words, it’s a lot harder to dismiss the hack of PASOK’s leader as just a routine lawful investigation when we learn about what sounds like a very non-routine hack of a financial crimes reporter by the same agency:
“Journalist Koukakis, whose work has included investigative reporting on financial crimes, remains baffled why he was bugged: “I am surprised that areas that I cover as a reporter, economic policy and the banking system, can be a national security threat,” he told Reuters.”
So was this CNN financial crimes reporter hacked because of crimes he was personally committing? Or the crimes he was investigating? Hmmm... whatever could it be? Either way, it’s not a great look for the Greek spy agency. Panagiotis Kontoleon, chief of the EYP intelligence service, openly told the Greek parliament that the spying happened. No explanation for why it happened was given. But it definitely happened. And yet the Greek spokesperson told Reuters that it didn’t happen. It wasn’t the most convincing spin:
Part of what made the Greek government’s denials ring hollow is the fact that an earlier attempt to investigate the hacking of Koukakis’s phone back in April was blocked by the same parliamentary committee. It was only after the claims by Androulakis in late July that this was taken seriously. Which is the kind of behavior by the parliament that suggests Androulakis and Koukakis aren’t the only ones with a gift from the EYP on their phones:
And finally, we learn one of the most intriguing details in this whole story: this wasn’t NSO Group malware. It was something called Predator. But it sounds plenty capable:
So where did Predator come from? North Macedonia, home of the obscure cyber-surveillance firm Cytrox. Although Cytrox was then absorbed by Intellexa, which is believed to be based in Greece. So Predator was kind of home-grown in Greece. Maybe. Assuming Intellexa is actually based in Greece now, which we can only speculate about. And that ambiguity turns out to be one of the biggest parts of this whole story. Because as the Wired article describes, a big part of what makes the story of the Predator hacks of these two Greek citizens by Greece’s spy agency so significant is that it appears to be just one example of a much larger explosion of EU-made spyware being unleashed across the continent by an industry so secretive even the regulators can’t track it. It’s like a very real ghost industry:
“What sets the scandal in Greece apart is the company behind the spyware that was used. Until then the surveillance software in every EU scandal could be traced back to one company, the notorious NSO Group. Yet the spyware stalking Koukakis’ phone was made by Cytrox, a company founded in the small European nation of North Macedonia and acquired in 2017 by Tal Dilian—an entrepreneur who achieved notoriety for driving a high-tech surveillance van around the island of Cyprus and showing a Forbes journalist how it could hack into passing people’s phones. In that interview, Dilian said he had acquired Cytrox and absorbed the company into his intelligence company Intellexa, which is now thought to be based in Greece. The arrival of Cytrox into Europe’s ongoing scandal shows the problem is bigger than just the NSO Group. The bloc has a thriving spyware industry of its own.”
The Spywarepocalypse didn’t just continue. It’s bigger and badder than ever. At least that’s what we have to infer, since we can’t actually verify it. At this point most of what we know about Cytrox, the maker of the Predator malware, is that it might exist in Greece and that Predator was used to make hacking attempts against at least one journalist and one politician. The rest is informed speculation about a growing shadow industry.
And note how Koukakis isn’t just a financial crimes reporter for CNN Greece. He’s also an editor, suggesting he got to see all sorts of financial reporting before it was published. It’s not hard to imagine the temptation to get into his phone.
Also note how this report makes it sound like Nikos Androulakis’s phone was never actually hacked because he didn’t click on the link. Keep in mind that NSO Group’s Pegasus malware didn’t require you to click on the sent links. It was zero-click, which is a big part of what made it so terrifying. Also recall above how the Greek government wasn’t just admitting to attempting to hack Androulakis’s phone. It sounded like the EYP admitted to hacking it. It raises the question as to whether or not Predator is indeed zero-click or if Koukakis fell for a bad link at a later date:
And the story of Cytrox is just one facet of a larger story of an out-of-control spyware industry thriving across the EU. And being used primarily against the EU. Secret spyware firms popping up all over the place, inevitably followed by a spyware abuse scandal. It happened with HackingTeam almost a decade ago and it just keeps happening in one EU country after another:
And as Dutch MEP Sophie in’t Veld admits, even the regulators can’t figure out who is operating in this space. It’s a crisis of transparency. Which is a very sanitized way of describing a spyware industry that even the government doesn’t know about:
It’s also worth keeping in mind that one of the reasons there’s so much secrecy around this industry likely has to do with the uncomfortable fact that the EU members are still very likely spying on each other all the time and want to keep their home-grown spyware firms as safe as possible from counter-intelligence operations from their fellow EU-members. The EU is built on a foundation of treaties, laws, and shared borders. No one said anything about trust.
And that’s all part of why the EU parliamentary interest in Greece’s homegrown spyware-induced democratic crisis should probably be seen as both an opportunity to learn more about how this shadow industry operates and an opportunity for individual MEPs to keep their own domestic spyware firms safely in the shadows and away from prying regulatory eyes. In other words, don’t be surprised if the MEPs interested in investigating Greece’s spying scandal end up less interested in investigating their own domestic spying scandals.
Still, hopefully at least some of the EU parliamentarians will be genuinely interested in a vigorous investigation. And best of luck to any putative regulators of this shadow industry. But let’s hope they never click on random links texted to them. Because this is 2022. We’ve already answered the question of “Who watches the watchers?” The person who hacks their phone. That’s who. Watchers better watch their links. Especially spywatchers in the EU. It’s a jungle in there.
We got a rather interesting NSO Group update. It appears NSO Group has discovered a new public relations opportunity: using NSO Group’s tools to track down the location of the Hamas kidnapping victims. That’s the message delivered in a new Axios report based on an anonymous source close to the company. According to the source, several Israeli intelligence agencies are likely using the ‘zero-click’ Pegasus spyware to help track the kidnap victims. Recall how Pegasus enables the collection of location records from a phone, allowing for a retrospective analysis of where the phone has been. So it sounds plausible that Pegasus could indeed be used to gather location information, although it’s not entirely clear how the Pegasus malware can even be delivered to the phones of the kidnapped victims at this point unless those phones are somehow connected to either cell phone towers or the internet.
Or perhaps they’re using information that was being gathered and fed back to Israeli intelligence from phones that already had the Pegasus spyware installed on them at the time of the October 7 attack. Were any of the Hamas fighters walking around with spyware-infested phones that day? It’s unclear, although it’s notable that this same anonymous source claims they don’t know whether the Israeli government has safeguards in place to ensure the spyware technology won’t be used for broad surveillance of the entire Palestinian population.
What is clear at this point is that NSO Group is hoping the use of its tools to locate the kidnap victims will ‘open a dialogue’ with countries like the US about the usefulness of these tools. This is a good time to recall how the Biden administration blacklisted both NSO Group and Candiru in November of 2021. The government of Israel openly admitted it was going to begin lobbying the US government to reverse that decision. Also recall the reports about the FBI secretly purchasing NSO Group’s tools to explore using them to hack US phones. And then there was the subsequent push to sell NSO Group to US national security contractor L3Harris, which resulted in warnings from Senator Ron Wyden about the security risks of allowing a US firm to acquire NSO Group. Specifically, the security risk that anything collected by the software is going to end up in the hands of Israeli intelligence.
Also note that NSO Group did eventually find new owners: the Luxembourg-based investment firm Dufresne Holding, owned by NSO Group founder Omri Lavie. Recall how Lavie also founded Candiru, which was the other spyware firm blacklisted by the Biden administration back in November of 2021. It’s the kind of detail that presumably complicates these lobbying efforts.
That’s a big part of the context here. Because NSO Group clearly needs some very influential lobbying if it’s going to regain its lost clients. And the best lobbying NSO Group could imagine would be bragging rights about how its tools saved the hostages. Hence, the interesting lobbying campaign we’re seeing emerge as a result of this conflict:
“What’s happening: According to the NSO-linked source, several Israeli agencies are likely using Pegasus — a “zero-click” malware that can be snuck onto a target’s device without them knowing — to help track people kidnapped by Hamas, as well as people who have gone missing during Hamas’ attack last month.”
It’s a fascinating application of NSO Group’s powerful technology: use the Pegasus spyware to obtain the location histories of the kidnapped people. Recall how grabbing the location records off a phone — allowing for the retroactive examination of someone’s whereabouts — was one of the powerful features of Pegasus. So it sounds like the plan is to somehow get the zero-click Pegasus spyware sent to the victims’ phones in the hopes that they are still charged and operating and communicating with cell towers.
Although it’s still a slightly confusing story, technically speaking. Phones don’t necessarily need access to the telecommunications infrastructure or the internet to track their locations as long as the phone has a GPS receiver. It’s possible that the victims’ phones were still recording their location history even if the phones were disconnected from the cell networks and internet. But if the kidnapped victims’ phones are still connected to telecommunications infrastructure and capable of receiving the zero-click Pegasus malware texts, the locations of these phones would already be readily available via the cell phone providers. Although it’s also possible for phones that are exclusively connected to the internet, with no cellular signal, to receive a text.
So were the victims’ phones turned off at one point but later turned back on and connected to the internet? Possibly by their captors? These are the kinds of details that remain unclear in this story. Instead, we’re just sold the headline story about how NSO Group, ‘other similar companies’ and former NSO employees have set up a “war room” to help find the kidnapped victims. As the anonymous source for this story puts it, “It’s not the purpose of why we’re doing it, but I think the people from the government — both in Israel and outside of Israel — and the public... now understand much better the value of these kinds of tools and why they are needed”:
And then we get to these rather interesting disclosures by this anonymous source... a source who is clearly very close to NSO Group and on board with the company’s public relations campaign: the source acknowledges they don’t know whether or not the Israeli government has safeguards to ensure the technology won’t be used for the broad surveillance of the entire Palestinian population. Which raises another possibility in terms of tracking the location of the kidnap victims: inferring their locations by hacking the phones of Hamas and other Palestinians suspected of holding the kidnap victims prisoner and using the captors’ location history instead.
But we also have to ask: is the current conflict being used as an excuse for installing this spyware on every single phone in Palestine? It sounds like the answer is ‘maybe’, at this point:
We shouldn’t be surprised to learn that unnamed European governments are also reportedly lobbying the Biden administration to lift the NSO Group blacklist. This is a good time to recall that NSO Group wasn’t the only party punished by the exposure and blacklisting of the company. NSO Group’s clients were indirectly punished too, through exposure and loss of access to their amazing spy toys. European governments aren’t above abusing these kinds of tools. It’s not hard to imagine there are a number of European governments — including local governments — that would love to see a lifting of international sanctions on NSO Group:
And all of this is happening in the context of a much larger US-based lobbying campaign by NSO Group to at least loosen the restrictions. Or as the anonymous source puts it, “I think it’s clear to everyone that now is the time for greater intelligence collaboration between allies, like the U.S. and Israel, to keep people safe from terrorists like Hamas”:
And that brings us to the following report describing that ongoing lobbying effort. And as the article mentions, NSO Group did ultimately end up getting a new owner back in March of this year: Omri Lavie. Of course, as we’ve seen, Lavie is one of NSO Group’s co-founders who went on to found Candiru, which was the other firm blacklisted by the Biden administration back in November of 2021. It’s the kind of situation that suggests there’s going to be a lot more pro-NSO Group US lobbying to be done:
“The new filing with Congress comes after the company spent $1.1 million on lobbying in the U.S. in 2022, according to nonprofit OpenSecrets.org.”
Yes, what we are reading about isn’t a new lobbying campaign by NSO Group. It’s on top of the $1.1 million spent on lobbying in the US in 2022. And it’s happening after a March executive order by the Biden White House to limit the use of commercial spyware by federal agencies as part of a broader federal crackdown on this sector. In other words, NSO Group and its fellow spyware firms have plenty of issues to lobby about:
But there’s another complication NSO Group might have to deal with: the new owner is sort of the old owner. Luxembourg-based Dufresne Holding is controlled by NSO Group co-founder Omri Lavie. Again, Lavie went on to found Candiru. Candiru was the other firm blacklisted by the Biden administration in November of 2021. That seems like a complication:
Will Omri Lavie’s acquisition of NSO Group be too much of a complication for these lobbying efforts? Time will tell. But, again, there are few lobbying efforts that will be more powerful than bragging rights over saving the hostages.
Well, maybe. There is one scenario where helping to free the hostages wouldn’t be something to brag about: if the data used was collected from phones that already had the Pegasus spyware on them before the October 7 attack took place. In other words, if the hostages are somehow saved thanks to the existence of a secret spyware-based panopticon fueled by NSO Group’s spyware, that may not be something they want to brag about. Or at least not disclose all the details about how they saved the day.
And that’s all why it’s going to be very interesting to see if the hostage crisis ends with the NSO Group taking a bow for a job well done. Because it’s not hard to imagine NSO Group enthusiastically taking credit for ‘saving the day’ at this point. But it’s also not hard to imagine that the day was saved thanks to far more rampant spyware abuses than anyone has previously acknowledged.
It’s mega-hack panic time again. This time it’s the healthcare sector taking the brunt of it. But don’t assume this is just a healthcare hack story. Healthcare is just the biggest known victim so far. This is a much bigger story. It’s another mega-hack. Or at least that’s how it appears so far. It’s too new to really know the scope.
It started a couple of weeks ago with a February 19 disclosure of two vulnerabilities by ConnectWise, the company that makes the popular ScreenConnect remote access software. Exploiting them allows a hacker to effectively take control of a machine remotely, letting them install all sorts of malware, exfiltrate data, and generally create a giant nightmare. While a patch was issued, it wasn’t deployed fast enough by ConnectWise’s many customers and, within a week, security experts were warning that the vulnerabilities were being massively exploited in the wild.
One of those customers happens to be Change Healthcare, an insurance claims processing giant recently acquired by healthcare giant UnitedHealth. The hackers claim 6 terabytes of personal healthcare information was stolen. Following the discovery of the hack, Change Healthcare suspended its services to the many companies across the healthcare sector that rely on it, freezing up much of the pharmaceutical claims processing across the United States.
The culprit behind the Change Healthcare hack appears to be the notorious ransomware group ALPHV, otherwise known as BlackCat. But don’t assume that’s the culprit behind everyone exploiting this vulnerability. It’s a mass exploitation situation. If your computers run ConnectWise’s software, and you haven’t yet patched it while it’s been connected to the internet for the past week, there’s a reasonable chance you’re now hacked by any one of the many groups exploiting this right now. Or perhaps more than one. It’s that kind of situation. One that sounds an awful lot like the SolarWinds nightmare, where trusted third-party software gets compromised and turns into a giant backdoor on organizations around the world.
Except, as we should expect, it’s probably been going on a lot longer than just a couple of weeks. In fact, back on November 10, nearly four months ago, we got a report about warnings from security firm Huntress about intrusions into the networks of Transaction Data Systems (TDS), a pharmacy supply chain and management systems solution provider used in all 50 states. Huntress reported seeing intrusions from October 28 to November 8 and said they were likely ongoing. ScreenConnect was the identified culprit. ConnectWise blamed it on an unmanaged machine on TDS’s networks that was running a version of ScreenConnect from 2019, which it described as not “best practices”. Which, if you think about it, is an implicit admission that ScreenConnect has had vulnerabilities like this since at least 2019 that it’s been wrestling with. And really, who knows if that ‘old vulnerable version’ was really the explanation. What are the odds this happened three months ago due to an old, fixed ScreenConnect bug, in the pharmaceutical claims processing sector no less, only to have this new nightmare emerge a few months later?
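The two failure modes in the ScreenConnect story above, a fixed version that customers didn’t deploy while the software sat on the internet, and an unmanaged machine still running a 2019 build nobody was tracking, are exactly what an inventory sweep should surface. The following is an added example (not code from the original post or from ConnectWise) of such a sweep: it compares installed versions against a fixed version numerically rather than as strings, and for hosts that were internet-exposed and unpatched past an exposure window it recommends treating the machine as compromised rather than simply patching it, which is the point the post makes about the past week. Every value in it is constructed: the hostnames, the `FIXED_VERSION` placeholder (not ConnectWise’s real release number), and the seven-day `ASSUME_BREACH_DAYS` policy; only the February 19 disclosure date comes from the text above.

```python
from dataclasses import dataclass
from datetime import date

# Constructed placeholders for the demo. FIXED_VERSION is NOT ConnectWise's real
# patched release number; substitute the version from the vendor advisory.
FIXED_VERSION = "5.2.0"
DISCLOSURE = "2024-02-19"   # the February 19 disclosure discussed above
ASSUME_BREACH_DAYS = 7      # example policy: exposed and unpatched this long -> assume breach


@dataclass
class Host:
    name: str
    product: str
    version: str
    managed: bool           # enrolled in the org's asset/patch management
    internet_exposed: bool  # reachable from the internet


def parse_version(v):
    """'5.1.12' -> (5, 1, 12). Numeric tuples compare correctly where plain
    string comparison would rank '5.10.0' below '5.2.0'. Missing fields pad to 0."""
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_patched(version, fixed=FIXED_VERSION):
    return parse_version(version) >= parse_version(fixed)


def triage_inventory(hosts, today, fixed=FIXED_VERSION, disclosure=DISCLOSURE):
    """Return (host, severity, action) for every ScreenConnect host needing work.
    `today` and `disclosure` are ISO date strings."""
    days_exposed = (date.fromisoformat(today) - date.fromisoformat(disclosure)).days
    findings = []
    for h in hosts:
        if h.product.lower() != "screenconnect":
            continue
        if is_patched(h.version, fixed):
            if not h.managed:
                # Patched, but nobody is tracking it: the TDS pattern waiting to recur
                findings.append((h.name, "medium", "patched but unmanaged: enrol and verify the patch"))
            continue
        if h.internet_exposed and days_exposed >= ASSUME_BREACH_DAYS:
            severity, action = "critical", "treat as compromised: isolate and investigate before patching"
        elif h.internet_exposed:
            severity, action = "critical", "patch now and review access logs since disclosure"
        else:
            severity, action = "high", "patch now"
        if not h.managed:
            action += "; unmanaged host, check for other stale software"
        findings.append((h.name, severity, action))
    return findings


# Constructed inventory for the demo; no real hosts or real version numbers.
SAMPLE_HOSTS = [
    Host("claims-gw-01", "ScreenConnect", "5.2.0", True, True),    # patched, managed
    Host("claims-gw-02", "ScreenConnect", "5.1.12", True, True),   # unpatched, on the internet
    Host("lab-pc-7", "ScreenConnect", "4.0.3", False, False),      # stale, unmanaged, internal only
    Host("ops-01", "ScreenConnect", "5.10.0", False, True),        # newer than the fix, unmanaged
    Host("file-srv", "OtherAgent", "1.0", True, True),             # not in scope
]

if __name__ == "__main__":
    for name, severity, action in triage_inventory(SAMPLE_HOSTS, "2024-03-01"):
        print(f"{severity:8s} {name:14s} {action}")
```

The version parser is the part most often gotten wrong in quick scripts: sorting "5.10.0" below "5.2.0" as strings would mark an up-to-date host as vulnerable, or, with the comparison reversed, an old build as fine. The "treat as compromised" branch reflects the assumption that an exposed, unpatched host past the window may already have a foothold on it, so the response is an investigation, not just a patch.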
But that’s just one of the major hack stories that erupted over the past couple of weeks. There’s another major hacking story and it could end up playing a role in the 2024 US Presidential election. Yes, it’s also political-mega-hack panic time again. Maybe. The writing is on the wall.
The second hacking story actually started off with the good news that, perhaps not coincidentally, happened on the same day (Feb 19) ConnectWise disclosed its ScreenConnect vulnerability: an international bust of the LockBit ransomware group was carried out, seemingly shutting down the group’s IT infrastructure used to deliver ransomware threats. The UK led the investigation but the FBI and a number of other law enforcement agencies were involved. One of the big, not particularly surprising, revelations from the raid is that data from victims who previously paid the ransom was found on their servers. In other words, just because you pay the ransom doesn’t mean the ransomer is ever going to delete the data they stole from you. They’ll just give you the decryption keys and not release it...hopefully. It’s something to keep in mind regarding the six terabytes of Change Healthcare’s sensitive medical claims data.
Days after the raid, LockBit’s website was back up on the darkweb listing its victims and the timers counting down until they run out of time to pay the ransom. Beyond that, at least two experts report seeing LockBit exploiting the ScreenConnect vulnerability. LockBit is back in business. And this includes a ransomware listing found on their new website for a certain Fulton County court system. The same court system where Fani Willis is prosecuting Donald Trump over his 2020 Georgia election manipulation charges. LockBit’s new website claims the group has files related to the case and even claims the international raid was an attempt to prevent the release of them. And it doesn’t appear to be bluster. Not only did Fulton County first report back in January that its court system was hacked, but LockBit released some example documents, although nothing about the Trump case, that experts felt looked authentic.
Interestingly, as part of the international raid, the US placed sanctions on one of the presumed leaders of LockBit, Russian national Ivan Gennadievich Kondratiev. Thanks to those sanctions, US-based victims of LockBit can’t legally pay LockBit’s ransom. So we have a Trump election case ransomware threat that can’t legally be paid.
So what happened with the Fulton County ransom? Well, the deadline came and went without a payment, but no documents were released. This led some experts to suggest the law enforcement raid made a bigger impact on the group’s operations than they let on. Others suggested there’s a variety of plausible motives for why the hackers may not have wanted to release the documents including the possibility that the true hackers who broke into the courthouse’s networks may be an affiliate of LockBit using them to carry out the ransom threat. The point being that we don’t actually know who took those documents or what their motives might be for releasing them. We just know at least one group has their digital hands on documents whose release could throw a major wrench into that case against Trump and someone has threatened to release them.
So two weeks ago, a new massive vulnerability impacting thousands of organizations was disclosed, with hackers proceeding to run wild exploiting it, which included the hack of Change Healthcare, a linchpin of the US health insurance claims processing infrastructure, by the notorious hacking group ALPHV/Blackcat. And on the same day, an international raid of another notorious ransomware group, LockBit, ends with the takedown of computing infrastructure and websites that were seemingly replaced within days. LockBit not only proceeds to exploit the ScreenConnect vulnerability but also issues a statement declaring its bust a politically targeted operation intended to prevent the release of documents from Trump’s Fulton County courthouse case. A ransom that can’t legally be paid thanks to the US sanctions imposed on one of LockBit’s leaders. But then that ransom deadline passes, no documents are released, and here we are. It’s a bad situation that’s only going to get a lot worse.
Ok, first, here’s a KFF Health News report about how the Change Healthcare hack has singlehandedly crippled the US’s ability to process health insurance claims, leading care providers to scramble for temporary alternatives while we all wait to see just how big this hack really is:
“The company, recently purchased by insurance giant UnitedHealth Group, reportedly suffered a cyberattack. The impact is wide and expected to grow. Change Healthcare’s business is maintaining health care’s pipelines — payments, requests for insurers to authorize care, and much more. Those pipes handle a big load: Change says on its website, “Our cloud-based network supports 14 billion clinical, financial, and operational transactions annually.””
The impact is wide and expected to grow. Not the words one wants to hear when learning about a new hack. But the words we should probably expect by now. This is how these kinds of stories almost always play out. It starts off bad and just keeps getting worse. And boy did this story start off bad. Change Healthcare isn’t just owned by the UnitedHealth health insurance giant. It’s a major service provider for the US healthcare sector, handling sensitive healthcare data on hundreds of millions of individuals, who are now potentially vulnerable to both identity theft and medical error:
So how did this happen and who is behind it? This is where the story gets extra awful. Because based on what we are learning, this wasn’t an issue specific to Change Healthcare’s IT practices. Instead, Change Healthcare got hit by a vulnerability impacting potentially all the users of the ConnectWise ScreenConnect remote access software. A vulnerability described as “apparently fairly trivial to execute”. In other words, this isn’t just a Change Healthcare hack. The company is just the biggest, most newsworthy victim that we know about yet:
Interestingly, ConnectWise is seemingly denying any involvement at all and claims that its internal reviews have “yet to identify Change Healthcare as a ScreenConnect customer, and none of our extensive network of managed service providers have come forward with any information regarding their association with Change Healthcare.”:
So is it possible the Change Healthcare hack wasn’t due to a vulnerability in the ConnectWise remote access software, as ConnectWise appears to claim? Well, sure, it’s possible. But if that’s the case it’s a remarkable coincidence. For starters, it was just back on November 10, 2023, over three months ago, when security firm Huntress went public with warnings that Transaction Data Systems (TDS), a pharmacy supply chain and management systems solution provider used across the US, was getting targeted by hackers using ScreenConnect. Huntress observed intrusions between October 28 and November 8, which were likely still ongoing. ConnectWise confirmed TDS was hacked but appeared to shift the blame for the intrusions onto TDS, claiming the hacker gained access via an unmanaged “on-prem instance” that hadn’t been updated since 2019, going against the recommended “best practices.” And who knows, maybe TDS really was responsible for running an old unmanaged instance of ScreenConnect that gave these hackers backdoor access. But, again, a lot of organizations use ConnectWise, and what are the odds TDS was the only one using this vulnerable old version on one of their machines? And what are the odds this story about a ScreenConnect exploit in the health insurance claims sector three months ago is completely unconnected to the health insurance ScreenConnect nightmare playing out right now:
“Threat actors are leveraging local ScreenConnect instances used by Transaction Data Systems (TDS), a pharmacy supply chain and management systems solution provider present in all 50 states.”
It was like a prelude to today’s health insurance nightmare. Or, more likely, an early warning about what’s likely been going on for months in a lot more organizations than just TDS and Change Healthcare. Going on since at least late October, despite ScreenConnect’s attempts to deflect the blame onto an old version:
And that early warning we got back in November is why we shouldn’t allow this story about the Change Healthcare debacle to remain focused on just Change Healthcare. This is a much bigger hack that’s probably been going on for a lot longer than two weeks. Because, again, it’s not like Change Healthcare was the only entity to recently get hacked as a result of a vulnerability already identified in the ConnectWise software. It was just the biggest victim in what experts are describing as a mass attack:
“ConnectWise first disclosed the flaws on February 19 and urged on-premise customers to install security patches immediately. However, thousands of servers remain vulnerable, according to data from the Shadowserver Foundation, and each of these servers can manage up to 150,000 customer devices.”
ALL of ConnectWise’s clients have been at risk since at least February 19, when the vulnerability was first disclosed. Some have patched the vulnerability, but not all of them. And the exploitation appears to be rampant as hacking groups take advantage of organizations that didn’t immediately fix the issue. And it’s not just one hacking group taking advantage of the situation. Multiple threat actors have already been seen using this exploit:
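The defensive takeaway from the passages above is an inventory question: which ScreenConnect instances in your estate are still below the fixed build, and which ones does nobody actually manage (the 2019-era instance on TDS’s network being the cautionary case). The following triage script is an added example written for this post, not code from ConnectWise, Huntress or Shadowserver. The host names and version numbers are constructed, and MIN_FIXED_VERSION is a placeholder because the post does not quote the patched build number; take the real value from the vendor advisory.

```python
"""Triage a ScreenConnect inventory against a minimum fixed version.

Added example for this post (not ConnectWise's, Huntress's or Shadowserver's code).
MIN_FIXED_VERSION is a PLACEHOLDER: substitute the fixed build from the vendor advisory.
"""
import re

# PLACEHOLDER value, not a real ScreenConnect build number.
MIN_FIXED_VERSION = "24.0.0"

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text):
    """Return a tuple of ints for a dotted version string, or None if it cannot be parsed."""
    text = (text or "").strip()
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def compare_versions(a, b):
    """Compare two version tuples; missing trailing components count as 0.

    Returns -1, 0 or 1 in the style of a classic comparator.
    """
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def classify_instance(record, min_fixed=MIN_FIXED_VERSION):
    """Classify one inventory record as 'patched', 'vulnerable' or 'review'.

    record: dict with 'host', 'version', 'managed' and optionally 'internet_facing'.
    Unparsable versions and unmanaged hosts go to 'review' rather than being
    silently treated as safe: an instance nobody manages is exactly the case
    described in the post.
    """
    ver = parse_version(record.get("version"))
    if ver is None or not record.get("managed", False):
        return "review"
    if compare_versions(ver, parse_version(min_fixed)) >= 0:
        return "patched"
    return "vulnerable"


def triage(inventory, min_fixed=MIN_FIXED_VERSION):
    """Bucket records by status, listing internet-facing vulnerable hosts first."""
    buckets = {"vulnerable": [], "review": [], "patched": []}
    for rec in inventory:
        buckets[classify_instance(rec, min_fixed)].append(rec)
    buckets["vulnerable"].sort(
        key=lambda r: (not r.get("internet_facing", False), r["host"])
    )
    return buckets


# Constructed sample inventory: hosts and versions are made up for this example.
SAMPLE_INVENTORY = [
    {"host": "sc-prod-01", "version": "24.0.0", "managed": True, "internet_facing": True},
    {"host": "sc-prod-02", "version": "23.9.7", "managed": True, "internet_facing": True},
    {"host": "sc-lab-07", "version": "22.5.1", "managed": True, "internet_facing": False},
    {"host": "legacy-box", "version": "19.2.1", "managed": False, "internet_facing": True},
    {"host": "unknown-rmm", "version": "", "managed": True, "internet_facing": True},
]

if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY)
    for status in ("vulnerable", "review", "patched"):
        for rec in result[status]:
            exposure = "internet-facing" if rec.get("internet_facing") else "internal"
            print(f"{status:10} {rec['host']:12} {rec['version'] or '?':8} {exposure}")
```

The ‘review’ bucket is the point of the exercise: a host whose version is unknown, or that no team owns, cannot be assumed patched just because it is absent from the ‘vulnerable’ list.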
But also note the remarkable timing of this ongoing attack: it all started just days after an international law enforcement operation claimed to disrupt the LockBit ransomware gang. And yet security researchers claim to be witnessing LockBit exploiting this ConnectWise vulnerability. In other words, either the international takedown of LockBit was very incomplete, or there are multiple groups out there researchers are identifying as “LockBit”:
The situation is bad and getting worse. And as the following TechCrunch piece warns, the takedown of LockBit also revealed another grim surprise for the victims of the ongoing ConnectWise mega-hack: even if you pay hackers to delete the information they stole from you, there’s no guarantee they’re going to do so. That’s what we got to learn from UK authorities following the takedown of LockBit’s technical infrastructure. Data from victims who already paid a ransom fee was recovered. Keep in mind that the group that hit Change Healthcare — Blackcat/ALPHV — is claiming they stole 6 terabytes worth of information. So while it remains to be seen if Change Healthcare ends up paying some sort of ransom in an effort to resolve this situation, we can be pretty confident that stolen information is going to remain in criminal hands forever:
“The LockBit takedown has given us confirmation that this is absolutely the case. The NCA revealed that some of the data found on LockBit’s seized systems belonged to victims who had paid a ransom to the threat actors, “evidencing that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised,” the NCA said in a statement.”
You might think you’re paying to unlock your ransomware-infected system and ‘return to normal’, but don’t suffer from the delusion that paying the ransom is going to make the nightmare go away. Stolen data will remain stolen and passed around on the darkweb. That’s the message from the U.K.’s National Crime Agency (NCA) following “Operation Cronos” and the takedown of LockBit. A takedown the FBI participated in. Or alleged takedown. The group’s website was apparently already back up and running days after this article was published:
And then we get to this interesting detail: it’s not like LockBit’s technical infrastructure was the only part of LockBit’s operations that was thwarted by Operation Cronos. Individuals in the organization were named, indicted, and sanctioned, including one of LockBit’s alleged top members, Russian national Ivan Gennadievich Kondratiev. And it sounds like those sanctions might legally prevent US victims from paying a LockBit ransom demand. Which could be a bit of a complication for LockBit’s US-based victims. With LockBit already at over 2,000 victims worldwide (and that was before the ConnectWise mega-hack), there’s bound to be quite a few US victims willing to pay to unlock their systems, whether the data gets deleted or not:
And that legal complication for US-based victims in paying their LockBit ransoms brings us to the following story that may have just fizzled out...or may be building towards something much bigger. So big it could shape the 2024 US Presidential election. Yes, it turns out the Fulton County, Georgia, courthouse is one of LockBit’s victims. And they are not just demanding a ransom but threatening to release information about Fani Willis’s trial against Donald Trump over Trump’s attempts to intimidate his way to a 2020 win in Georgia. Making this the kind of story that could end up triggering the kind of legal technicalities that could get Trump let off the hook.
That the Fulton County courthouse was hacked isn’t in doubt. Its website even mentions some sort of network disruption. And one security researcher reports seeing LockBit release what appeared to be an authentic-looking sample document.
Intriguingly, the newly launched LockBit website even asserts that the takedown raid was itself an attempt to block the release of the Trump-related court documents. But then the story took a significant twist: the ransom deadline passed without any payment, but no data was released. Instead, the ransom listing for Fulton County was simply removed from the LockBit website (the same website that was taken down by law enforcement days earlier until it popped back up). Some security experts speculate that this could be due to the law enforcement actions a week earlier impacting the group more than they let on. But others note that there’s a range of possible motives for not releasing the files, including the possibility that the files were ultimately obtained by a different hacking group who teamed up with LockBit to execute the ransom threat. In other words, perhaps a third-party affiliated hacker group, which might have very different motivations than LockBit, has its own reasons for not releasing the stolen documents...at least not until the time is right:
“For the past five days, LockBit promised on its dark-web site to publish data stolen from the Fulton County, Georgia, government, which it listed as one of its extortion victims, unless the county paid an unspecified ransom. One administrator for the group went so far as to post the specific threat of releasing documents related to Fulton County’s high-profile prosecution of Donald Trump: the Superior Court of Fulton County is the venue where Trump, the Republican presidential front-runner, stands accused of a criminal conspiracy to interfere in the 2020 election.”
It’s a remarkable turn of affairs: barely a week after the international LockBit takedown, the group’s website is back up and now threatening to release documents related to Trump’s Fulton County trial. Or was threatening, until the deadline passed. And while the lack of released documents has some suspecting it was a false threat, the group did release what appeared to be real documents and there’s no denying the courthouse was experiencing technical difficulties. There’s no way to really discount the threat of a document leak in Trump’s case:
But then the deadline came and went without a leak. What’s the explanation? We can only speculate. And while that can include speculation about the hackers bluffing, that should also include speculation that the hackers do have the files but have their own motives for not releasing them. And also speculation that LockBit may not be the actual hacker group that stole these files and is putting them up for ransom. With LockBit operating as a kind of hacker ransom service for different hacking groups, we can’t really say who may have these files or why:
Are we going to find out who ultimately stole these files? LOL. Sure, if the perp decides to make their identity public. Otherwise, it’s back to the ol’ “Fancy Bear” hall of mirrors, where security experts can read the tea leaves and divine any kind of culprit they desire. Let’s not forget, it was only in 2023, seven years after the DNC hacks, that we learned that Roger Stone’s middle-man to Wikileaks in 2016 was none other than Isaac Molho, a shadowy Israeli attorney who is known as one of Benjamin Netanyahu’s most trusted associates. Which is another way of saying we should have zero expectation we’ll learn anything meaningful about the real identity of the hackers responsible for the Fulton County hack any time soon. Unless they decide to share that info themselves. But for now, it could be almost anyone. We’ll see who authorities ultimately point the finger at, but given that we’re talking about a mega-hack that we may have been effectively warned about four months ago, there’s going to be a lot of blame to go around. Mega hacks are group efforts. Or, rather, a mix of efforts on the hackers’ part and a lack of effort on a whole bunch of other people’s part. An often profound lack of effort.
We got an interesting set of updates on the giant Change Healthcare hack, which itself is just the biggest known victim of the much larger ConnectWise mega-hack that is still playing out. It appears the hackers won so big they’ve retired. Yep. The hackers known as ALPHV/Blackcat secured a $22 million ransom payment and declared the group is shutting down, although experts expect the group will reform under a new name.
Did Change Healthcare pay the ransom? They aren’t saying one way or another. Neither confirming nor denying it when directly pressed. Which is basically a confirmation. And not only is $22 million the second largest known ransom paid in US history, but this high payout is part of a trend in ransomware attacks. As one expert describes, ransoms in the range of tens of thousands of dollars were common five years ago, hundreds of thousands of dollars two years ago, and multi-million dollar ransoms today. And as this expert also observes, the ransoms typically only get paid when companies don’t have a choice, which can often be the case if there are no backups for the encrypted data. So was Change Healthcare, one of the largest insurance payment service providers in the US, which was acquired by United Health for $13 billion a couple of years ago, not backing up its data? If so, it’s a warning that goes beyond the potential consequences of the ongoing ConnectWise mega-hack. Because if an entity that large and well resourced was operating in a manner that left it highly vulnerable to a ransomware attack, we can be pretty confident there are a lot more large organizations with deep pockets that are going to find themselves forced to pay a ransom should the ransomware demands arrive.
Interestingly, experts also cite one of the tactics that law enforcement has found to be effective in breaking the ransomware business model: sanctioning the hackers so that paying a ransom becomes illegal. Recall how that’s what appeared to happen after the US sanctioned a hacker associated with LockBit, the hacking group that claims to have stolen documents related to Donald Trump’s prosecution in Georgia. But with no sanctions against ALPHV/Blackcat, it would seem that Change Healthcare got to avoid breaking the law.
So with sanctions that prevent the payment of ransoms being seen as a tool for combating ransomware at the same time hackers are managing to score record payouts from major companies that were presumably faced with no other option to keep their business operating, we appear to be heading towards a ‘between a rock and a hard place’ kind of scenario for ransomware victims. The kind of scenario that, for major corporations, might make Change Healthcare’s $22 million payout seem like a rounding error:
“It was a fittingly unsatisfying end to one of the worst ransomware attacks on essential American infrastructure since the Colonial Pipeline hack almost three years ago: Change Healthcare is trying to recover, its business partners and helpless consumers are adrift, the criminals are at large, and the money that changed hands will probably fund more wrongdoing.”
Mission accomplished? It sure sounds like it. A $22 million payday for ALPHV/Blackcat and still no idea of who is behind it. And while Change Healthcare isn’t admitting it paid the ransom, it’s not denying it either. It’s quite a rebound for the hacker group that was supposedly disrupted by the FBI less than three months ago:
And then we get to this interesting legal tactic for disrupting the ransomware industry: financial sanctions on the hackers that legally bar victims from paying the ransom. Recall how that’s exactly what the US imposed on one of the figures believed to be associated with LockBit, the group that threatened to release documents from the Fulton County court system related to Donald Trump’s Georgia prosecution unless it was paid a ransom. It doesn’t appear there were any sanctions on ALPHV/Blackcat. Either that, or Change Healthcare broke the law:
And in case it’s not clear how big of a deal this $22 million payout was, keep in mind that this is the second-highest known ransom payment in US history. It’s part of a trend that has seen bigger and bigger victims leading to bigger and bigger ransoms. Or as one security expert describes, “It was common to see ransomware in the tens of thousands of dollars five years ago. In the hundreds of thousands of dollars two years ago, and now the million and multimillion is becoming more and more common”:
“If this payment really happened, cybersecurity experts say it could be one of the largest payouts in history.”
The Change Healthcare hack isn’t just a big deal in terms of the history of harmful hacks. It led to the second largest ransomware payout in history. Or at least the second largest payment that has been publicly disclosed. And based on trends, the payments are only going to get larger. Especially given all the successes in getting these payouts:
And then we get this interesting observation about the scope of the hack at Change Healthcare: the ransom probably isn’t going to be paid unless the hack was so devastating that it would probably shut the company down, with a lack of data backups being a common scenario where that might happen:
Did Change Healthcare not have its data backed up? That’s kind of amazing for one of the largest insurance validation service providers in the world. Unless the motive for paying was something else, but what could that be? They paid $22 million, the second largest ransomware ransom in history. They wouldn’t have paid that casually. Which, again, raises the question as to just how screwed Change Healthcare would be if sanctions prevented that ransom payment.
And let’s not forget what else we recently learned from the international takedown of LockBit: these ransomware hackers don’t necessarily delete the data they stole after you pay them the ransom. So while Change Healthcare may have gotten its data unencrypted (hopefully), there’s still that 6 terabytes of stolen sensitive medical claims data that is presumably still going to be floating around the dark web for years to come. Money can’t buy happiness, at least when it comes to ransomware.
And in related news, Andrew Witty, the CEO of United Health, Change Healthcare’s parent company, took in over $20 million in total compensation in 2023, a hike from the $18 million he received in 2022. And his predecessor, David Wichmann — who left United in 2021 — realized over $142 million in compensation in 2021 after exercising his stock options, the biggest ever compensation package for a Minnesota-based public company at the time. So while money may not be able to buy happiness for the victims of ransomware attacks, we can be pretty confident the executive class can afford plenty of happiness, whether their ransomware-afflicted companies implode or not.
It’ll all be over soon. If soon is defined as a couple of weeks. Hopefully. That was the update we got from UnitedHealth on the status of its response to the hack that took down the US healthcare sector’s ability to process insurance claims. “We expect to begin testing and reestablish connectivity to our claims network and software on March 18, restoring service through that week,” according to the company. So if you’re one of the many health care providers facing the risk of bankruptcy over the past couple of weeks as the ability to collect insurance claims collapsed, hold on for a couple more weeks. If you can.
That’s the horrid state of affairs two weeks after the ConnectWise mega-hack that continues to play out in more than the healthcare claims processing sector. Thousands of organizations were found to be vulnerable following the ConnectWise disclosure of a severe vulnerability in its ScreenConnect remote access software and thousands remain vulnerable. We still don’t know the scale of this event. What we do know is that the biggest player in the US health insurance claims processing marketplace has been taken out of commission for at least a month. If not longer. Fingers crossed.
But when it comes to assessing the damage caused by this hack, it’s important to keep in mind that we know, and have long known, about one of the other major factors that contributed to the scale of damage created by this Change Healthcare hack: the longstanding failure of the US to meaningfully enforce anti-trust laws. Put simply, UnitedHealth created a claims processing monopoly with its 2021 acquisition of Change Healthcare and that didn’t have to happen. Monopolies and oligopolies are a choice, at least for societies not controlled by monopolies and oligopolies.
How was the creation of this claims processing giant allowed in the first place? Well, as we’re going to see, it didn’t happen without a fight. In fact, the US Department of Justice (DOJ) filed a lawsuit blocking the purchase of Change Healthcare, which had been owned by private-equity giant Blackstone since 2015. But as we’re also going to see, that lawsuit was shot down by a federal judge in 2022. The DOJ dropped the suit and the merger was allowed to go through.
So why did the DOJ’s lawsuit ultimately fail? Well, for starters, the DOJ argued that allowing the merger to happen would result in UnitedHealth-owned Optum — the entity that actually merged with Change Healthcare — controlling 90% of the ‘first-pass claims editing’ part of the claims processing market. In response, UnitedHealth agreed to spin off Change Healthcare’s ClaimsXten unit, which alone controlled 70% of the first-pass claims market, to private-equity giant TPG Capital. So we have one private-equity giant, Blackstone, buying Change Healthcare in 2015, and then spinning off ClaimsXten to TPG, another private-equity giant, as part of the 2021 merger. Which is a reminder that private-equity’s insatiable economy-wide appetite, of course, includes the healthcare sector. And not just in the US. Fun fact: Blackstone purchased a majority stake in 16 hospitals in India from TPG back in December. The whole world is a wealth extraction opportunity for private-equity’s business model.
Spinning off ClaimsXten didn’t end up satisfying the DOJ, which continued to argue that ClaimsXten would see its innovation hampered by the spin-off. But beyond the potential anti-trust issues with the ‘first-pass’ claims market, the DOJ argued about a much more fundamental risk associated with the merger: UnitedHealth would gain access to all sorts of highly sensitive data about its competitors. Which is obviously true if it has a near monopoly on the US’s insurance claims processing services market.
How did UnitedHealth get around those concerns about United gaining access to all sorts of competitor claims processing data? Well, it turns out the judge in the case, Judge Carl Nichols, found the DOJ’s concerns to be highly unconvincing. What he did find convincing was the testimony of two UnitedHealth senior executives — current CEO Andrew Witty and former CEO David Wichmann, who stepped down in 2021 — who assured the judge that the company wouldn’t think about abusing this highly sensitive information about its competitors because that would be a huge reputational risk that it couldn’t possibly engage in. A kind of ‘we would never think of such a thing’ legal reasoning. That was it. The judge just found the assurances of UnitedHealth’s current and former CEOs way more convincing than the DOJ’s concerns. Keep in mind that Andrew Witty took in over $20 million in total compensation in 2023, a hike from the $18 million he received in 2022, and David Wichmann made over $142 million in compensation in 2021 after exercising his stock options, the biggest ever compensation package for a Minnesota-based public company at the time. The guys like making money. But they definitely wouldn’t ever think of bending the rules with sensitive competitor data to make even more money, and any such concerns are unwarranted, according to the judge. That reasoning was how this merger happened.
Oh, and in case you’re wondering if Judge Nichols is a gift from the Trump administration, yep. And as we should expect of a Trump appointee, Judge Nichols is also affiliated with the Federalist Society. But beyond that, it turns out he used to clerk for Supreme Court Justice Clarence Thomas, the same Supreme Court justice who has for decades been getting secret lavish treatment from billionaire sugar-daddy Harlan Crow. So while we have no indication that Judge Nichols has a secret billionaire sugar-daddy, the ‘apple didn’t fall too far from the tree’ when it came to this former Justice Thomas clerk’s affinity for the wealthy and powerful. Or fall too far from Leonard Leo, the architect of the consolidation of power in the US judiciary by a network of right-wing oligarchs. Judge Nichols’s ruling was very on brand for his judicial pedigree. A pedigree with roots in the wielding of power on behalf of concentrations of wealth.
So as we wait and see how this healthcare emergency pans out and how many small firms end up going under, it’s going to be worth keeping in mind the role the concentration of wealth and economic power plays in enabling and shaping the consequences of this mega-hack. It took the locking up of just one firm’s computers to cripple the entire US healthcare payments system. That wouldn’t have happened even three years ago. This disaster was, to a large extent, a design choice of the contemporary late-stage capitalist nature of the US economy. A concentration of wealth and power created an economy and society that is extra vulnerable to hacks. Robust diverse markets with many smaller players have a whole new purpose in the age of the mega-hack. It’s a form of literal systemic stability for the digital age. This is a story about a mega-hack, but it’s also a story about the gross inequality of contemporary America, where fat cats make all the money while the little guy suffers the consequences:
““We expect to begin testing and reestablish connectivity to our claims network and software on March 18, restoring service through that week,” the company said in an announcement posted to its website about the cyberattack, which began on February 21.”
Services will be restored some time after March 18, nearly a month after the February 21 hack. A month of no ability to process insurance claims for much of the US healthcare sector. It’s no wonder that we have organizations like the AMA calling for a federal release of emergency funds to the healthcare sector. You can’t just halt claims processing for a month and not expect that it’s going to drive healthcare providers out of business. Especially the smallest providers:
But the fallout isn’t just hitting healthcare providers. Patients are suffering too, with consequences that could play out down the line. In other words, don’t expect this first round of patient lawsuits to necessarily be the last. And according to one of the class action lawsuits already underway, the 5 terabytes of stolen data included personally identifiable information, medical records, dental records, payment information, claims information, patients’ information (i.e. phone numbers, addresses, Social Security numbers and email addresses), insurance records, patient health information and more. Which is plenty of data for creating patient consequences for years to come:
And note the observations on the tradeoff between protecting data and profiting: according to Kurt Osburn, director of risk management and governance at NCC Group, most healthcare organizations fail to implement risk-analysis and risk-mitigation tools because of the cost. At the same time, we’re hearing speculation that United decided to pay the ransom not to keep the stolen data from being released but to get operations back up and running as soon as possible. Which, if true, would suggest that United-owned Change Healthcare had no usable backups to restore from. The point being that we probably shouldn’t assume United was willing to pay the costs required to better protect this data simply because it’s a giant company with almost unlimited resources at its disposal. That’s not how monopoly capitalism works:
So with weeks to go before the US healthcare markets regain the ability to process insurance claims, the clock is ticking ever more urgently for all those small care providers at risk of bankruptcy. Which makes this a good time to reflect on the fact that the scale of the impact of this hack was entirely avoidable. All that was required was some enforcement of the antitrust laws that were clearly violated by UnitedHealth’s acquisition of Change Healthcare. A merger that was so obviously a systemic risk that the DOJ sued to block it, until a Trump-appointed federal judge rejected the suit and allowed the merger to go through:
“Two weeks after the attack, the outage is ongoing with no clear end in sight, affecting thousands of medical practices, hospitals, and pharmacies across the country, which rely on Change Healthcare’s services to varying degrees — as the company boasts on its own website, it handles records for one in three patients in the U.S. At minimum, it has meant that businesses that contract with Change have had to scramble to switch to one of its few competitors (a process that can take weeks) or devise labor-intensive workarounds, which often involve old-school tools like paper prescriptions and fax machines. For pharmacies that contract with Change, the outage has disrupted their ability to conduct transactions with doctors and insurance companies, forcing some pharmacists to either hand out medication and trust insurers to pay them back later or make their customers pay for the full cost of their drugs out of pocket. If the outage lasts long enough, though, its ultimate legacy may be the number of small medical providers it puts out of business entirely.”
The largest health insurer in the US, which also happens to own the largest insurance claims processor, gets hacked, and the end result might be the bankruptcy of a large number of small medical service providers. Monopoly capitalism in action. And as experts observe, the fallout to the industry is a direct consequence of UnitedHealth’s massive share of the market for claims processing services. It’s effectively the only option following United’s acquisition of Change Healthcare from private-equity giant Blackstone:
Perversely, while smaller healthcare providers risk going out of business as their ability to process claims is thwarted, United Health is in the position of being able to stockpile extra cash as a result of paying out fewer insurance claims than usual thanks to the hack:
And it’s not like it wasn’t obvious that United’s acquisition of Change Healthcare was going to create a near monopoly in the claims processing space for the entire US healthcare sector. The AHA warned about this and the DOJ sued to block the merger. But that suit failed and the merger went through:
So what was it that convinced the judge that a merger creating a near-monopoly in this crucial segment of the healthcare services market didn’t pose a systemic risk to the sector? Well, according to the judge, the DOJ’s case contained “serious flaws”, which apparently included the flaw of suspecting that UnitedHealth might be tempted to abuse the access it gained to highly sensitive competitor data. Instead of sharing the DOJ’s fears, Judge Nichols was apparently swayed by the “convincing testimony” from senior UnitedHealth executives who said such abuses would be against the company’s practices and risk its credibility. LOL:
“The most serious flaws were failing to prove that UnitedHealth is likely to misuse Change Healthcare’s data to advantage the company, a move that would ultimately chill innovation among rivals, Nichols, a former President Donald Trump appointee, said.”
Yep, it turns out the judge who rejected the DOJ’s antitrust objections to the merger was a Trump appointee. Surprise!
So how did Judge Nichols rationalize the merger? Well, part of the initial objections had to do with the fact that Change Healthcare-owned ClaimsXten controlled 70% of the “first-pass claims editing” market, which could have resulted in United controlling 90% of that market following the merger. So to address those concerns, United agreed to have Change Healthcare spin off ClaimsXten to private equity firm TPG Capital:
But the spinoff of ClaimsXten didn’t satisfy the DOJ, which further argued that ClaimsXten would be less competitive if split off from the rest of Change Healthcare. Furthermore, the DOJ warned about the inherent competitive risks in giving United access to the sensitive competitor data that passes through Change Healthcare’s systems. Judge Nichols apparently strongly disagreed with this assessment, pointing to the “convincing testimony” of the current and former UnitedHealth CEOs, who assured the judge that United wouldn’t think of abusing such information:
Judge Nichols sure seems to have a lot of faith in the integrity of corporate CEOs. So to get a better idea of where that faith may be coming from, it’s worth noting that Judge Nichols wasn’t just a Trump appointee. Nor is he just a Federalist Society affiliated judge. As the following article notes, Judge Nichols used to clerk for Supreme Court Justice Clarence Thomas. And as we’ve seen, you can’t really understand Clarence Thomas’s thinking on matters without recognizing his remarkable relationship with ultra-wealthy ‘friends’ who have showered Thomas with lavish gifts for decades. And while we have no indication that Justice Thomas’s billionaire sugar-daddies are showering Judge Nichols with similar favors, you have to wonder just how much ‘billionaire benevolence’ Nichols ended up witnessing during his time as Thomas’s clerk and how that might ultimately affect his willingness to trust in the good faith of overpaid CEOs:
“Judge Carl Nichols said in a September opinion that the DOJ’s arguments had “serious flaws,” and that they relied on “speculation” rather than real-world evidence to prove the department’s antitrust claims. Nichols served as a law clerk to Supreme Court justice Clarence Thomas, and was appointed to the bench by then-President Donald Trump.”
Judge Nichols isn’t just another Trump appointee from the Federalist Society. He was Clarence Thomas’s law clerk. Justice Sugar Baby’s clerk found the CEO testimony quite convincing while seeing only “serious flaws” in the DOJ’s concerns. Because who could believe a company as large as UnitedHealth would do something irresponsible while no one is looking? Cynics at the DOJ, that’s who.
So as bad as this mega-hack story is, keep in mind it could be worse. The claims processing market could have been completely under the control of UnitedHealth, instead of almost completely under its control. It could be worse, but not much worse, because that’s how bad we let this get. Monopolies are a lot more brittle in the age of the mega-hack. Well, not so much the monopolies but rather the societies reliant on them. The monopolies will be fine.
It’s not over. Not even close. The Change Healthcare hack lumbers on, despite the $22 million in ransom already paid out. Not only are healthcare providers still running into difficulties processing past claims — and meeting payroll as a consequence — but ransoms are still being demanded. Although with new entities making the demands this time.
As we’re going to see, it turns out the ALPHV/Blackcat hacking group that claimed credit for the hack — and subsequently received $22 million in bitcoin ransom payments from UnitedHealth — did the thing many feared it was going to do: walk away with the money without deleting the data or resolving the situation. But it’s worse than that. Because the stolen data isn’t just in the hands of ALPHV/Blackcat. Another hacking group, RansomHub, is apparently in possession of the stolen data too, and RansomHub never got its cut of the $22 million. Guess what happened next?
Yes, RansomHub is now making ransom demands of its own to prevent the leakage of sensitive patient data on millions of Americans. While insisting that payers can trust that, this time, the ransom payment really will result in the deletion of the stolen data. ALPHV/Blackcat may have been a bad faith ransomware purveyor, but you can trust RansomHub. That’s the remarkable development currently unfolding in the cybercriminal space.
And the ransoms aren’t just being requested from UnitedHealth and its Change Healthcare subsidiary. Change Healthcare’s major clients, whose patient data was being processed by the company and was ultimately stolen, are the entities being asked to pay this time. Major healthcare insurers like MetLife, CVS Caremark, Davis Vision, Health Net, and Teachers Health Trust.
It’s not clear how much ransom is being requested of these entities. Nor is it clear if anyone has paid yet. But to make clear that the threat is real, RansomHub has shared information with journalists like Wired’s Andy Greenberg. Information that includes medical and dental records, payment claims, insurance details, and personal information like Social Security numbers and email addresses. In other words, the kind of information that could be very harmful to millions of individual patients from an identity theft standpoint. And therefore the kind of information that might elicit some handsome ransom payments. Even though a ransom has already been paid and it’s not known whether further payments will get results.
It’s a fascinating development in the ransomware criminal space. What kind of reputational damage could this do to all ransomware attacks? People aren’t going to keep paying if past ransom payments don’t get results.
And yet, as we’ve seen, warnings of this kind of development in the ransomware space have been flashing, and recently. For example, there was the international law enforcement bust of the LockBit ransomware ring back in February, weeks before the Change Healthcare hack, which found the group still in possession of data for which the ransom had already been paid. It’s always been obvious that a ransom payment won’t necessarily mean the stolen data has been deleted, but it’s another thing to confirm it. That’s what happened with the LockBit bust. And here we are, two months later, with RansomHub issuing new ransom demands, to the clients of Change Healthcare this time, after Change Healthcare paid $22 million, the second largest ransomware payment in history to date:
“The stolen data allegedly includes medical and dental records, payment claims, insurance details, and personal information like Social Security numbers and email addresses, according to screenshots. RansomHub claimed it had health care data on active-duty US military personnel.”
It’s not just medical records. It’s Social Security numbers and insurance details too. That’s not the kind of information you want to see leaked to the public. But that’s what RansomHub is now threatening to leak if they don’t receive ransom payments. And it’s not just Change Healthcare or United Health receiving the ransom notice. All of their clients whose data was being processed by Change Healthcare are also facing calls to pay a ransom. It’s a much larger ransom-collecting operation. Interestingly, RansomHub itself even seemed to express disbelief that Change Healthcare could be processing such sensitive data for so many different companies:
And as a reminder that this is a scandal centered around an immensely powerful industry giant, note how UnitedHealth didn’t even bother to make an executive available for congressional testimony. Most companies would probably fear pissing off Congress in this situation. But not UnitedHealth:
And in case there were suspicions that this is just some sort of empty threat and RansomHub doesn’t actually possess this data, here’s an interview with Wired’s Andy Greenberg who has been in communication with the RansomHub group. Greenberg confirms they shared example data with him in an attempt to verify their threat.
Greenberg also addressed the reality that this expanded ransom demand from the RansomHub group is coming after the ALPHV/Blackcat hacking group already claimed responsibility for the hack and received a $22 million ransom payment. ALPHV/Blackcat even claimed to have shut down and retired after the payment was received. And yet here we are with their apparent partner in crime, RansomHub, making its own expanded ransom demands. It’s a remarkable development in the ransomware industry. After all, there’s not going to be any incentive to pay a ransom if payment doesn’t make the nightmare go away. But as Greenberg explains, it appears ALPHV/Blackcat simply took all of the ransom money and disappeared without ever sharing it with RansomHub. In fact, RansomHub even tried to explain this situation to Greenberg by insisting that “Well, we are not like that other cyber criminal group. We can be trusted. We don’t even want to hold this data, as soon as we are paid, we’ll delete it.”
So at the same time the Change Healthcare nightmare hack is getting worse, we’re seeing a fascinating test of the ransomware business model. What kind of impact will ALPHV/Blackcat’s betrayal of RansomHub have on this growing criminal sector? Are we going to see ransom payments by Change Healthcare’s clients too? Or will the bad faith outcome of the previous payment give them pause? And how much data will RansomHub end up leaking if it doesn’t get the ransom it’s now demanding? As Greenberg puts it, “So this is truly kind of worse than worst-case scenario. It’s something that I’ve never seen before in the ransomware ecosystem”:
“Andy Greenberg: “Well, some patient information has actually been shared with me. When I asked RansomHub — this second group of hackers who are extorting Change Healthcare — to prove that this wasn’t just an empty threat, they did send me a few samples of patient records, a contract that Change Healthcare had with another company. We don’t know that they have the full, four terabytes of data that they claim to have and are threatening to leak, but if they did that would be, obviously, a terrible outcome for patients who would have just very sensitive information about themselves spilled onto the dark web.” ”
RansomHub isn’t issuing empty threats. The group apparently never got its cut of the ransom from ALPHV/Blackcat but still has the data and is determined to get a payment one way or another. It’s new territory for the ransomware sector, although it’s almost surprising a scenario like this hasn’t erupted before. It seems kind of inevitable. And here we are, with RansomHub trying to emphasize to a Wired reporter about how they are genuinely trustworthy and really will delete the data upon receipt of the ransom and not just run off with the money like their untrustworthy criminal partners just did:
Finally, note how the crisis is NOT over for large numbers of physicians and hospitals, with over a third of physicians indicating difficulty simply meeting payroll as a result of the hack’s ongoing disruption to claims processing. It’s an ongoing crisis, which is only going to make the newly issued demands for more ransom all the more compelling for the targeted parties:
Halloween isn’t exactly around the corner. It’s April. Plenty of time for more twists and turns in this story between now and then. How far will the ransom demands get? Don’t forget we’re talking about the threat of leaking patient information. There’s no reason patients can’t be ransomed too.
So we’ll see how this latest security nightmare plays out. But don’t plan on a resolution any time soon. If ever. It’s the nature of the ransomware industry. Whether or not the ransomers asking for one last payment insist otherwise.
We got some significant updates on the Change Healthcare mega-hack. Updates on the scale of the potential damage and updates on how it happened in the first place. All horrible updates, in keeping with the general theme of this story:
First, we got confirmation from UnitedHealth on whether or not the second round of demanded ransom was paid. It was. Another $22 million paid out, this time to RansomHub. Although as we also learned, it wasn’t RansomHub itself that was cheated out of its cut of the first ransom. That would be a hacker who goes by the name “Notchy”, who partnered with RansomHub to collect the second ransom. Which also means the actors potentially in possession of all of that sensitive health care data now include Blackcat/ALPHV, Notchy, and RansomHub. Let’s hope two payments of $22 million ensure that data was destroyed. Fingers crossed.
And then we got a truly disturbing reassurance from UnitedHealth: the company let us know that it is so far unaware of any complete medical histories being stolen. It’s the kind of reassurance that strongly implies the company thinks it was possible entire medical histories were stolen. And when we’re talking about a mega-hack, we have to assume the disclosures come in stages. It typically starts off with ‘it could be worse’ assurances, followed by belated acknowledgment that it’s actually worse. Which means we should probably assume entire medical histories were stolen for at least some people.
How many? Well, that’s where we got another awful update. Because while we still don’t know the scale of the damage, UnitedHealth is now acknowledging that possibly one in three Americans may be impacted, which is more or less what we should expect given that Change Healthcare is so vast that its services touch roughly one in three medical records.
But UnitedHealth can’t yet assess the damage, in part, because it appears the hackers were able to encrypt not only the customer databases but also all the backups. Yes, it turns out Change Healthcare’s backups were on site and reachable from the same network the hackers were in, so once they gained access they were able to encrypt the backups too. Whoops! A backup that can be reached and overwritten with the same access that reaches production isn’t really a backup for ransomware purposes. The company is now insisting it will need several more months before it can fully assess the damage. Which kind of sounds like the twin $22 million payments didn’t actually buy a working decryption key. Just the promise that the data won’t be leaked.
We’re also told that Change Healthcare’s systems aren’t just being rebuilt from the ground up but are now moving to the cloud. We don’t know which cloud. Maybe it will be Google. Maybe Microsoft or Amazon. But whoever it is will have another trove of highly sensitive data sitting on their servers. And sure, Change Healthcare could in theory encrypt that data with keys it controls itself, so that it is unreadable to the cloud provider. Encryption with keys the provider manages doesn’t accomplish that. But are they going to do so?
We’re also learning that the hack apparently began on February 12, nine days before the ransomware was deployed on Change Healthcare’s systems. That’s part of what makes the possibility that entire medical histories were stolen so disturbing. They had nine days to exfiltrate data undetected. Nine days of outbound traffic from a claims-processing network is a lot of data, if nobody is watching for it.
And then we got some significant updates on the nature of the vulnerability that was exploited in the first place: we are told that it wasn’t the ConnectWise vulnerability at all. Recall that it was February 19 when it was publicly disclosed that the ConnectWise ScreenConnect remote access software had a severe vulnerability that let anyone create admin accounts, and that hackers were running wild with it. So when we learned about the Change Healthcare debacle two days later, it was widely suspected that ConnectWise was the culprit, although ConnectWise denied any involvement at the time. Well, it appears ConnectWise’s denials were correct. According to UnitedHealth, it was a different remote access portal that was broken into: Citrix remote access software.
As we’re going to see, ConnectWise isn’t the only widely used remote access tool that has been the source of IT nightmares in recent months. A vulnerability in Citrix’s software known as “Citrix Bleed” has been exploited by hackers since at least August. Thousands of organizations were at risk. The company didn’t issue a patch until October, and even then a patch alone wasn’t enough: the flaw leaked active session tokens, so sessions already hijacked stayed valid until administrators terminated them and rooted out any intruders. It also sounds like thousands of Citrix’s customers were lax about applying the fixes. Two more Citrix vulnerabilities were disclosed in January. As reports warned at the beginning of this year, we should expect new disclosures of Citrix-related breaches for months to come. And then, a month and a half later, Change Healthcare gets hacked through a Citrix portal.
So was “Citrix Bleed” the source of the hack? Well, not quite. Because UnitedHealth is also insisting that the known vulnerabilities in Citrix weren’t the cause. Instead, “compromised credentials” were used on a Citrix portal that had no MFA. That’s it. Somehow a hacker obtained valid credentials and just logged in, with nothing but a password standing between the internet and a remote access portal into a network that handles a third of the country’s medical claims. UnitedHealth appears to be emphasizing the lack of MFA as the cause of the entire thing in its public relations, while also suggesting that the missing MFA on the portal was a legacy practice of Change Healthcare and that UnitedHealth just hadn’t yet completed its modernization of Change’s IT (the company was acquired at the end of 2022). In other words, UnitedHealth is striving for an ‘Oopsy! Mistakes were made by our IT staff!’ kind of explanation.
It’s quite a remarkable coincidence of timing involved with this explanation: on February 12, we are told, the hack began via “compromised credentials” on a Citrix portal running on Change Healthcare’s network, and definitely NOT via the many known Citrix vulnerabilities that had been percolating for months. A week later, it was publicly disclosed that the ConnectWise vulnerability existed and was being exploited in the wild. Two days after that, the ransomware was deployed on Change Healthcare’s network. So Change Healthcare wasn’t a victim of either of the two major remote access vulnerabilities being widely exploited at the time; a hacker just happened to have some “compromised credentials”. It’s possible this is really how it all happened. But it’s hard not to wonder if the company is trying to come up with the most liability-free explanation possible. Because it’s not hard to imagine the lawsuits are going to get extensive with one in three Americans potentially victims of this breach.
So that’s the remarkably awful set of updates we’ve received: UnitedHealth assures us it’s not aware of any entire medical histories being stolen, which means we’re probably going to learn about entire medical histories being stolen in upcoming updates. And UnitedHealth also assures us that it was all an innocent “compromised credentials” issue and definitely NOT due to either of the major remote access vulnerabilities that were being widely exploited by hackers at the time. And, while that may or may not be the real explanation, it’s not even clear it’s a better explanation from a security standpoint, although it might be better from a liability standpoint. And we got to learn that the second ransom definitely was paid. But despite paying the ransom twice, the ransomwared data remains encrypted. The payments only prevent a leak. One has to hope:
“In a statement for BleepingComputer, the company confirmed that it paid a ransom to avoid patient data from being sold to cybercriminals or leaked publicly.”
There’s no need to speculate. UnitedHealth is making its second ransom payment public. Will this be the end of the ransoming? Time will tell. But if it’s not the end, it’s probably the start of a much larger nightmare, for more than just UnitedHealth. Everyone whose health information is part of this is potentially in for a drawn-out nightmare too.
And note how drawn out the nightmare has been for care providers. This article was published April 23, more than two months into the claims processing outage. And 14% of the services (whatever that means) were still down. It’s an obtuse way of disclosing that many health providers still aren’t getting paid for services rendered:
And also note this very troubling reassurance: UnitedHealth assures us that it is unaware at this time of “exfiltration of materials such as doctors’ charts or full medical histories among the data”. That might sound nice. But, for starters, there’s the obvious reality that if the company feels the need to assure us that full medical histories weren’t stolen, it means full medical histories were exposed to the hackers and could have been stolen. And then there’s the fact that when you are dealing with hacks like this, and the hacked entity suggests things could be worse, it’s best to assume it will later disclose that things are indeed worse. Disclosures that grow progressively more severe over time are part of the public relations damage control. And when the company is simultaneously warning us that a “substantial proportion of people in America” are potentially impacted, we should assume disastrous disclosures are yet to come. And probably also assume that entire medical histories were stolen in some cases and we’re going to be informed of this in coming months:
Let’s hope that second $22 million really did result in all of that data being deleted. But also note one other wrinkle to this story that we’ve stumbled across: RansomHub, the seemingly aggrieved entity that never got its cut of the original ransom, isn’t actually the aggrieved entity. That would be “Notchy”, who apparently transferred the data to RansomHub. So in terms of assurances that these medical records won’t be leaked despite the two ransoms that have now been paid, it’s worth keeping in mind that the entities known to already possess at least some of the data include “Notchy”, RansomHub, and presumably ALPHV/Blackcat too. Fingers crossed:
We can no doubt be confident “Notchy” & Friends will make good on the deal. Right? Keep in mind that, for any ransomware operation, the primary motive for deleting the data after receiving the ransom is to maintain the reputation of the ransomware sector so that future victims keep paying. It’s a weird kind of ‘pay it forward’ dynamic for a criminal activity and one that really only makes sense for a criminal industry that thrives on repeat business. Not giant one-off scores. And also keep in mind that the entity who violated that agreement and damaged the integrity of the ransomware industry in this story, Blackcat/ALPHV, claimed to have retired after this job. That initial $22 million ransom was enough for them to call it quits. Who knows if they did, but it’s a reminder that the ‘pay it forward’ honor among thieves here is going to be less and less applicable the bigger the ‘score’. Who cares about the integrity of the ransomware industry when you just received tens of millions of dollars (or more going forward) in crypto and can live a life of luxury? Why not keep copies of that stolen trove just in case you need to get rich again. Or maybe just because you are bored and like ransoming people. Don’t forget that each individual patient in that trove is a potential extortion victim. And that especially includes people who might eventually learn they had their entire medical histories stolen.
And regarding the possibility of entire medical histories getting exfiltrated, we also learned another set of potentially relevant details: the hack began on February 12, nine days before the emergency was declared at Change Healthcare and services were cut off. Keep in mind that it was February 19 when we learned that the ConnectWise remote access software had a severe vulnerability allowing hackers to gain admin access to the systems of potentially thousands of organizations, requiring an immediate patch. ConnectWise denied any involvement with the Change Healthcare hack. So if we assume that Change Healthcare was hacked on February 12 via the ConnectWise vulnerability, that would mean the flaw was being exploited a full week before it was publicly disclosed, and the larger impact from that vulnerability across ConnectWise’s thousands of customers could be much worse than reported. Either way, the date gives us an idea of how long the hackers had access to Change Healthcare’s systems. And the longer they had access, the more data they were likely able to steal:
“The attackers, who represented themselves as the ALPHV ransomware gang or one of its affiliates, gained entry into Change’s network on Feb. 12, a person familiar with the cyber investigation said. They used compromised credentials on an application that allows staff to remotely access systems, the person said.”
It’s not the admission we want to hear, but it is what it is: the hackers had access to Change Healthcare’s systems for a week and a half before the company was even aware of what was going on. And note that we are told compromised credentials “on an application that allows staff to remotely access systems” were the source of the attack. That is consistent with the ConnectWise remote access software, publicly disclosed as vulnerable on February 19, being the application involved, though “compromised credentials” describes an ordinary login with stolen credentials at least as well as an authentication-bypass bug. And UnitedHealth wasn’t specifying which remote access app was involved.
And as we are warned, that Feb 12 intrusion date suggests the hackers may have been able to steal significant amounts of data. Which is extra problematic when they further disclose that Change Healthcare’s services touched one in three medical records in the US:
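The nine days between the February 12 intrusion and the February 21 ransomware deployment, raised both here and in the earlier update above, is a window in which a large exfiltration should have been visible as outbound traffic. Below is an added example, not code from the original post or from any party to the story, of the kind of check a security team could run over daily per-host egress totals from a flow collector: it learns a robust baseline from each host’s first week and flags later days that exceed it by a wide margin, totalling the excess volume. The host names, dates and byte counts are constructed for the example and correspond to no real system.

```python
"""Flag sustained outbound-volume anomalies per host from daily egress totals.

Input below is constructed for this example: one record per host per day with
total bytes sent to external destinations, as a flow collector or proxy would
summarise it. It is not data from any real network.
"""
from statistics import median

GB = 1024 ** 3

# (host, date, bytes_out) -- constructed sample data
SAMPLE_EGRESS = [
    ("db-archive-01", f"2024-02-{d:02d}", int(v * GB))
    for d, v in [
        (1, 2.1), (2, 1.9), (3, 2.4), (4, 2.0), (5, 1.7), (6, 2.2), (7, 2.3),
        (8, 1.8), (9, 2.0), (10, 2.1), (11, 2.2),
        (12, 410.0), (13, 520.0), (14, 480.0), (15, 455.0), (16, 390.0),
        (17, 470.0), (18, 505.0), (19, 440.0), (20, 430.0),
    ]
] + [
    ("web-proxy-02", f"2024-02-{d:02d}", int(v * GB))
    for d, v in [(1, 40.0), (2, 42.5), (3, 38.0), (4, 41.0), (5, 45.0),
                 (6, 39.5), (7, 43.0), (8, 40.5), (9, 44.0), (10, 41.5),
                 (11, 42.0), (12, 47.0), (13, 40.0), (14, 43.5), (15, 41.0),
                 (16, 39.0), (17, 42.0), (18, 44.5), (19, 40.0), (20, 43.0)]
]


def robust_baseline(values):
    """Median and median absolute deviation of a history.

    The MAD is floored at 5% of the median so that a perfectly flat history
    still yields a usable (non-zero) threshold.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, max(mad, 0.05 * med)


def detect_egress_anomalies(records, baseline_days=7, k=6.0, min_excess=50 * GB):
    """Return one finding per host whose daily egress exceeds
    baseline + k*MAD by at least min_excess bytes on any later day.

    The baseline is learned from the host's first `baseline_days` days and
    then frozen, so a gradual ramp cannot pull the threshold up with it.
    Each finding reports the anomalous days and the total excess volume,
    i.e. roughly how much data could have left the host.
    """
    by_host = {}
    for host, day, nbytes in sorted(records, key=lambda r: (r[0], r[1])):
        by_host.setdefault(host, []).append((day, nbytes))
    findings = []
    for host, series in by_host.items():
        history = [b for _, b in series[:baseline_days]]
        if len(history) < baseline_days:
            continue  # not enough history to judge this host
        med, mad = robust_baseline(history)
        threshold = med + k * mad
        flagged = [(day, b) for day, b in series[baseline_days:]
                   if b - threshold >= min_excess]
        if flagged:
            findings.append({
                "host": host,
                "baseline_bytes": int(med),
                "first_anomalous_day": flagged[0][0],
                "anomalous_days": len(flagged),
                "excess_bytes": int(sum(b - med for _, b in flagged)),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_egress_anomalies(SAMPLE_EGRESS):
        print(finding)
```

The baseline is frozen after the learning period on purpose; a threshold recomputed every day would drift upward with a gradual ramp. The knobs to tune are the baseline window, the multiplier k and the absolute floor min_excess, which keeps a quiet host from alerting on a few gigabytes of legitimate variance. In the constructed data, the archive host goes from about 2 GB a day to hundreds of gigabytes a day starting February 12 and is flagged for nine consecutive days; the busy proxy, whose volume is large but stable, is not.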
And then there’s the sleazy behavior of UnitedHealth in response to this crisis that includes predatory loans to the impacted health care providers. It’s the kind of behavior that will hopefully prompt greater lawmaker scrutiny over the wisdom of allowing this much market concentration. It’s a reminder that antitrust laws might need an update in the era of the mega-hack:
Keep in mind that we’ve learned that the Biden administration has quietly opened an antitrust probe of UnitedHealth a week after the hack was made public. We’ll see if anything emerges from that, but these antitrust rumblings are also a reminder of the political peril potentially facing UnitedHealth. You don’t want to expose a “substantial” portion of the US public to potential ransomware threats over stolen medical information during a presidential election year.
Especially when that “substantial” portion is maybe up to a third of Americans, as UnitedHealth’s CEO Andrew Witty acknowledged in recent congressional testimony. It was an interesting testimony. Witty attributed the hack to compromised credentials on a remote access portal and a lack of multi-factor authentication (MFA). Keep in mind that the ConnectWise vulnerability was indeed a vulnerability in its ScreenConnect remote access software. But it was a vulnerability that allowed the credential check to be bypassed entirely: hackers could go straight to a setup page and create a new admin account, no stolen password required. An explanation built on “compromised credentials” and missing MFA doesn’t describe that. Was the ConnectWise vulnerability not the issue here?
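Both UnitedHealth accounts above come down to a single-factor login on an internet-facing remote access portal. Below is an added example, not code from the original post or from UnitedHealth, Change Healthcare or Citrix, of the detection a security operations team could run over portal authentication logs to catch exactly that: every successful sign-in recorded without a second factor is reported, and the severity is raised when the source address is new for that user or the success follows a burst of failures from the same address. The CSV log format, user names and addresses are constructed for the example and are not the format of any real product.

```python
"""Detect password-only sign-ins on a remote-access portal.

The log format below is constructed for this example (a simple CSV), not the
format of any real gateway product. Fields:
    ts (ISO-8601 UTC), user, src_ip, result (success|failure), factors
where `factors` lists the authentication factors the portal recorded, joined
by '+', e.g. "password" or "password+otp".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: two ordinary MFA users and one service account
# that gets in with a password alone after two failed attempts.
SAMPLE_LOG = """\
2024-02-10T08:01:12Z,jsmith,203.0.113.10,success,password+otp
2024-02-11T09:15:40Z,alee,198.51.100.7,success,password+otp
2024-02-12T02:40:03Z,svc_remote,192.0.2.55,failure,password
2024-02-12T02:40:19Z,svc_remote,192.0.2.55,failure,password
2024-02-12T02:41:02Z,svc_remote,192.0.2.55,success,password
2024-02-12T14:22:09Z,jsmith,203.0.113.10,success,password+otp
2024-02-13T11:05:51Z,alee,198.51.100.7,success,password
"""

# Factor names that count as a second factor (assumed labels for this example).
SECOND_FACTORS = {"otp", "push", "fido2", "smartcard"}


def parse_log(text):
    """Parse the constructed CSV log into a list of event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, src_ip, result, factors = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "src_ip": src_ip,
            "result": result,
            "factors": set(factors.split("+")),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def has_second_factor(factors):
    """True if any recorded factor is something other than a password."""
    return bool(factors & SECOND_FACTORS)


def detect(events, fail_window=timedelta(minutes=10), fail_threshold=2):
    """Return findings for every successful sign-in that lacked a second factor.

    On an internet-facing portal a password-only success is a finding on its
    own (severity "medium"). Severity becomes "high" when either signal is
    present:
      * first_seen_ip: the user had never succeeded from that source before
      * preceded_by_failures: at least fail_threshold failures from the same
        source within fail_window before the success (spray/stuffing pattern)
    """
    seen_ips = defaultdict(set)          # user -> source IPs of earlier successes
    recent_failures = defaultdict(list)  # src_ip -> timestamps of failures
    findings = []
    for e in events:
        if e["result"] == "failure":
            recent_failures[e["src_ip"]].append(e["ts"])
            continue
        if e["result"] != "success":
            continue
        if not has_second_factor(e["factors"]):
            window_start = e["ts"] - fail_window
            fails = [t for t in recent_failures[e["src_ip"]] if t >= window_start]
            first_seen = e["src_ip"] not in seen_ips[e["user"]]
            severity = "high" if (first_seen or len(fails) >= fail_threshold) else "medium"
            findings.append({
                "ts": e["ts"].isoformat(),
                "user": e["user"],
                "src_ip": e["src_ip"],
                "first_seen_ip": first_seen,
                "preceded_by_failures": len(fails),
                "severity": severity,
            })
        seen_ips[e["user"]].add(e["src_ip"])
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(finding)
```

In practice the same logic is a query in whatever platform collects the gateway’s authentication events; the point is the policy it encodes, that on an exposed portal a password-only success is a finding in itself rather than a warning. Against the constructed log, the service account’s login is rated high (new source address, two failures just before it) and the later password-only login by an otherwise MFA-using account is rated medium.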
Oh, and as two members of Congress also point out, if the stolen sensitive health information ends up in the hands of adversarial governments and includes information on people with high-level national security clearances, we’re potentially looking at a source of high-level blackmail. Is this the case? Who knows, but with a third of Americans impacted, and entire medical histories potentially stolen, it’s hard to rule that out:
“UnitedHealth Group still is working to determine the full scope of data that ransomware actors stole recently from its Change Healthcare subsidiary. But in a recent U.S. House of Representatives subcommittee hearing, CEO Andrew Witty said the theft includes protected health information and personally identifiable information on “maybe a third” of all Americans.”
“Maybe a third” of all Americans had at least some of their sensitive health data stolen. That’s more or less what we should have expected given that Change Healthcare touched around 1 in 3 medical records. But we don’t have clarity on that yet because even UnitedHealth apparently lacks clarity, thanks to the fact that the hackers encrypted Change’s customer database. Keep in mind that the $22 million ransom has been paid twice now. Apparently those payments didn’t include a decryption password:
But the encryption of Change’s databases isn’t the only reason the company is going to need months to even figure out who was impacted. These kinds of databases typically have backups. Except those backups also got encrypted, since they were stored in ‘on-prem’ data centers that were apparently also accessible to the hackers. It’s not how you’re supposed to do backups. But now, in response, we’re going to see all of that data moved to a cloud somewhere, with all of the access to that trove of data made available to some lucky cloud provider. Will it be Microsoft’s cloud? Google’s? Amazon’s? We’ll see. But unless UnitedHealth takes steps to hide that data from the cloud providers themselves, we can assume that all of that sensitive medical information will be accessible to whoever UnitedHealth selects to provide these cloud services:
And note how the potential damage of a hack on this scale goes far beyond just the privacy violations of a large portion of the US population. There’s also the fact that this is the kind of information that could be used for blackmail. Especially blackmailing people with high-level security clearances. The potential cost of this hack can’t really be calculated when you factor in scenarios like that:
And then we get to UnitedHealth’s rebuttals, during the congressional testimony, of the accusations of predatory loans to its victims. A rebuttal that amounted to ‘don’t worry, we fixed all the problems’. And this, of course, includes the victims that still can’t process their claims. Note how Witty still cited the “86 percent” figure when describing how much of the halted services are back online. That’s the same figure we got from UnitedHealth in the reports from a week and a half earlier. That’s not great progress for an emergency situation:
And then we get to the rebuttal over the accusations that UnitedHealth was opportunistically acquiring firms that were distressed as a result of these lost claims processing services. The rebuttal appears to include the assurance that the companies UnitedHealth has acquired since the start of this emergency were companies UnitedHealth already had its eye on before the emergency. Which isn’t exactly a great excuse unless we subsequently learn that the price UnitedHealth had to pay for those companies was in no way depressed by the emergency. This is also a good time to recall how the lack of claims processing ended up actually preventing UnitedHealth from having to pay out on all sorts of claims, allowing the company to stockpile cash. Cash stockpiles that could come in handy should any opportunities arise during a period of widespread distress for the sector:
But then we get this curious attempt at deflection, pinning the whole hack on a lack of MFA safeguards. And while it’s true that an MFA setup could have potentially prevented a hack that was exclusively due to ‘compromised credentials’, it’s worth keeping in mind that we didn’t hear anything about MFA protecting against the ConnectWise vulnerability. Instead, that vulnerability appeared to allow hackers to bypass the credential system entirely and go directly to a setup wizard that allowed for the creation of admin-level accounts. It’s not clear MFA would actually help in this case, and the lack of calls for the implementation of MFA in the wake of the disclosure of this vulnerability suggests MFA wasn’t actually a fix. Was Change Healthcare hacked via a different route? Is it just a coincidence that this hack — which the company admits was due to a problem with remote access software — coincided with the emergence of a massive vulnerability with remote access software? Don’t forget that ConnectWise denied it had any role in the Change Healthcare hack. Is that true?
And that brings us to the following article with more details we’ve recently learned from UnitedHealth about how the hack happened: we are told the hack started on February 12 due to “compromised credentials” on a remote access portal. But it wasn’t ConnectWise’s remote access software. It was Citrix, another remote access software developer. And it turns out Citrix had some nightmare security vulnerabilities of its own in recent months. Back in October, the company had to issue a patch for a “Citrix Bleed” vulnerability that had been exploited by hackers since at least August. And another set of vulnerabilities was disclosed in January. And yet, we are also being told that the hack of Change Healthcare did not happen as a result of these known vulnerabilities. Instead, we are told that it was simply “compromised credentials” for a Citrix portal on a machine without MFA:
“However, the attack on Change Healthcare apparently did not involve the exploitation of Citrix flaws, as the attackers simply used compromised credentials to gain an initial foothold in the company’s network.”
It wasn’t ConnectWise. No, it was Citrix’s remote access software that was exploited. But the hackers apparently didn’t exploit the “Citrix Bleed” vulnerability that security researchers flagged back in November. Or the new Citrix vulnerabilities disclosed in January. No, we are told the attackers simply used “compromised credentials” on a machine with no MFA set up. That’s the story they are going with:
So was it really just a coincidence that this hack was apparently discovered just days after the announcement of a major vulnerability with the ConnectWise remote access software but was due to completely different remote access software? And it wasn’t due to the previously disclosed vulnerabilities in this other software but instead was simply a case of “compromised credentials”? That’s what we are being told.
Keep in mind that, if true, this is arguably a much worse look for UnitedHealth. After all, if the hack was due to ConnectWise, that vulnerability wasn’t disclosed until February 19, a week after the initial February 12 hack. At least Change Healthcare could point to the unknown nature of that vulnerability if that was the culprit.
Citrix, on the other hand, had a major vulnerability of its own revealed back in October and then two more warnings in January. So while we are told by UnitedHealth that “compromised credentials” was the culprit, keep in mind that this “compromised credentials with no MFA” explanation might be preferable, from a liability standpoint, to admitting that their systems were impacted by Citrix vulnerabilities disclosed months ago.
And as the following Axios piece from back in January about the then-ongoing Citrix security nightmare reveals, one of the terrifying features of the “Citrix Bleed” vulnerability that was discovered back in October — but used by hackers since at least August — was its ability to bypass MFA authentication. And as the article also warned, the organizations hit by Citrix Bleed weren’t going to have an easy time fixing the situation, and we should expect disclosures about Citrix Bleed hacks in the coming months. And about a month and a half after this article, Change Healthcare is seemingly hacked via Citrix but, we are told, it didn’t happen due to the Citrix Bleed vulnerability. It was just “compromised credentials”. So we have to ask: is Change Healthcare a victim of Citrix Bleed but extremely hesitant about sharing that with the world? Or did the company really just coincidentally get hacked via Citrix through compromised credentials:
“Why it matters: Researchers believe hackers have been exploiting the vulnerability, known as Citrix Bleed, since at least August, and Citrix didn’t find the flaw and issue a patch until October.”
The Citrix Bleed nightmare started in August and wasn’t patched until October. The more we’re learning about these Citrix vulnerabilities, the worse it sounds. Especially the fact that this Citrix Bleed vulnerability apparently allowed for the bypassing of MFA safeguards.
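The post draws a distinction that a defender can actually test against logs: a login with stolen credentials on a portal without MFA looks different from an intruder who never authenticates at all and goes straight to creating an admin account, and a vulnerability that bypasses MFA makes the “no MFA” explanation beside the point. The following triage script is an added example, not code from the original post or from any vendor; the audit log format, field names and sample lines are constructed for illustration and are not the real ScreenConnect or Citrix log format.

```python
"""Added example: classify remote-access audit events into the two scenarios
the post contrasts. Log format below is constructed, not a vendor's real one."""
import re

# Constructed sample audit log (fictional sessions, users and addresses).
SAMPLE_LOG = """\
2024-02-12T03:14:07Z session=s1 event=login user=svc_support mfa=no src=203.0.113.7
2024-02-12T03:15:40Z session=s1 event=account_create target=helpdesk2 role=admin
2024-02-12T03:20:01Z session=s2 event=login user=jdoe mfa=yes src=198.51.100.9
2024-02-12T03:40:22Z session=s9 event=account_create target=setupadmin role=admin
2024-02-12T03:41:00Z session=s9 event=login user=setupadmin mfa=no src=203.0.113.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse(line):
    """Turn one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for kv in m.group("kv").split():
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def triage(log_text):
    """Return (finding_kind, timestamp, detail) tuples in log order.

    login_without_mfa          -- credential misuse that MFA could have blocked
    admin_created_by           -- privileged account created inside an authenticated session
    admin_created_without_auth -- privileged account created with no login on that
                                  session first, i.e. the credential step was bypassed
    """
    findings = []
    authenticated = {}  # session id -> user who logged in on that session
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        sid, event = rec.get("session"), rec.get("event")
        if event == "login":
            if rec.get("mfa") != "yes":
                findings.append(("login_without_mfa", rec["ts"], rec["user"]))
            authenticated[sid] = rec["user"]
        elif event == "account_create" and rec.get("role") == "admin":
            if sid in authenticated:
                detail = f"{authenticated[sid]}->{rec['target']}"
                findings.append(("admin_created_by", rec["ts"], detail))
            else:
                findings.append(("admin_created_without_auth", rec["ts"], rec["target"]))
    return findings


def summarize(findings):
    """Count how many findings MFA would have addressed versus how many it could not."""
    summary = {"mfa_would_have_mattered": 0, "mfa_irrelevant_bypass": 0}
    for kind, _, _ in findings:
        if kind == "login_without_mfa":
            summary["mfa_would_have_mattered"] += 1
        elif kind == "admin_created_without_auth":
            summary["mfa_irrelevant_bypass"] += 1
    return summary


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
    print(summarize(triage(SAMPLE_LOG)))
```

On the constructed sample, session s9 shows an admin account appearing before any login on that session, which is the bypass pattern no MFA setting would have changed; session s1 shows the credential-without-MFA pattern the company’s explanation describes.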
Also note who else got hit by Citrix Bleed: Boeing. Given the multiple mysterious Boeing whistleblower deaths over the past couple of months, you have to wonder what the hackers may have uncovered on those internal networks:
Finally, note this warning from back in January that seems awfully prescient now: given the large numbers of organizations that had yet to patch the vulnerability, we should expect to see more organizations give details about a Citrix Bleed invasion in coming months:
This is a good time to keep in mind that the February 12 date for the initial hack is purely coming from UnitedHealth. It’s not like we have other parties that are corroborating that date. It’s hard to rule out at this point the possibility that Change Healthcare was hacked much earlier than Feb 12 as part of the Citrix-related security nightmare that was unfolding since at least August of 2023.
But who knows, maybe the hack really wasn’t a consequence of the multiple super-vulnerabilities in remote access software that have been actively exploited by hackers in recent months. It’s possible Change Healthcare got itself hacked through much more ‘traditional’ means. Which, again, isn’t necessarily better news, except maybe ‘better’ for UnitedHealth from a class action lawsuit perspective.
At this point, we’re largely forced to just trust UnitedHealth to handle this nightmare appropriately. And continue trusting it with the handling of one in three US medical records that it will continue to process for the foreseeable future. It’s one of the privileges of being a market giant after decades of limp antitrust enforcement and ever-increasing market consolidation. We’re left with the options of trusting UnitedHealth, or not trusting it but watching helplessly as it processes our sensitive information anyway because it owns the market. Either/or. Everything is basically fine for the giants. Even disasters.
It just keeps happening. We have another major hack and remote access software is once again the suspected weak link in the chain that led to the hack. Recall how, back in February 2024, when the Change Healthcare mega-hack was first disclosed, we also learned how the ConnectWise ScreenConnect remote access software had a massive vulnerability that allowed any hacker to easily create admin accounts, and that hackers were running wild. So it was assumed initially that the ConnectWise vulnerability caused the hack, but ConnectWise denied any involvement at the time. Later, UnitedHealth — Change Healthcare’s parent company — insisted that it was a different remote access software portal that was broken into: the Citrix remote access software. But, oddly, UnitedHealth also insisted that the hackers hadn’t exploited a known Citrix vulnerability known as “CitrixBleed”. Instead, UnitedHealth asserted that the hackers had somehow gained login credentials for a Citrix account and tried to ultimately pin the blame on a lack of multi-factor authentication. And now here we are with the US Treasury Department announcing a new hack blamed on another remote access software provider, BeyondTrust, with a similar explanation to what UnitedHealth gave: a hacker somehow gained a BeyondTrust security key and used that to log into certain Treasury workstations.
At least that’s the story we’re getting from the US government at this point regarding the Treasury hack. Along with some strong assertions that it was Chinese state hackers behind it. Strong assertions that don’t actually sound very strong when you look at the language of the statement released about how the attribution to a Chinese hacking group was “based on available indicators”, and the complete lack of any evidence thus far provided by the US. Which is another way of saying someone is looking at the evidence and making an educated guess. Evidence that, by its digital nature, is highly spoofable and can easily be used to leave ‘indicators’ pointing towards whoever one might want to implicate. And that’s assuming we ever even get to see the evidence. Usually we’re just assured it exists and that’s it.
We are also told that the hackers appeared to behave like they were on an espionage mission, as opposed to sabotage or theft. Along with US officials pointing out that the Treasury Department is the agency tasked with imposing sanctions on Chinese companies, including sanctions related to those aiding Russia in the war against Ukraine.
Officials tell us the hack went from December 2nd through the 8th, which happens to be right around the time the US was imposing commercial sanctions on Chinese companies as punishment for a major hack of US telecom firms earlier this year that was also blamed on China. That hack, dubbed Salt Typhoon, had targets that included the commercial, unencrypted phone lines used by President-elect Donald J. Trump, Vice President-elect JD Vance and top national security officials. We are also told Salt Typhoon resulted in hackers obtaining a nearly complete list of phone numbers the Justice Department has wiretapped to monitor people suspected of crimes or espionage. Making the information stolen during Salt Typhoon the kind of information that just about any intelligence service or criminal organization in the world would be extremely interested in getting their hands on.
But China got blamed and on December 16th, 8 days after BeyondTrust reported the hack to Treasury, the NY Times reported that the US had imposed commercial sanctions on China Telecom — China’s largest telecom company — as punishment for Salt Typhoon the prior week. So it sounds like the sanctions on China Telecom were issued right around the time this new Treasury hack was discovered. Making this hack the perfect excuse for a much tougher new round of anti-China sanctions.
We don’t know what the fallout is going to be, but it’s clear the US has arrived at a culprit. Nor do we really know the full extent of the damage from the hack itself, although one early detail is rather troubling: we are told the hackers are suspected of having had the ability to create new accounts, change passwords and bypass security. Which, if true, suggests they were gaining administrative access through this BeyondTrust remote access software. Which wouldn’t be surprising since it sounds like BeyondTrust is used for providing remote technical assistance, which can often require admin privileges.
Also keep in mind that when BeyondTrust told Treasury in December about the hack, the company also made a blog post where it announced that an attacker had gained access to a limited number of BeyondTrust customers’ instances of Remote Support SaaS, an access-management tool. The company has also since disclosed that it patched two newly found vulnerabilities in its Remote Support SaaS and Privileged Remote Access products and that multiple BeyondTrust customers were impacted. One of those vulnerabilities was only added to the Cybersecurity and Infrastructure Security Agency’s catalog of known exploited vulnerabilities after this patch was made. Which is the kind of detail that suggests BeyondTrust may not have been the only remote access software provider vulnerable to this exploit.
And that’s all why, while we don’t know how many more clients beyond the Treasury Department were impacted by this hack, we know this is bigger than just the Treasury hack. So don’t be shocked if we learn the damage from this hack was much worse than expected, and also don’t be surprised if that results in even more sanctions on China:
“In a letter informing lawmakers of the episode, the Treasury Department said it had been notified on Dec. 8 by a third-party software service company, BeyondTrust, that the hacker had obtained a security key that allowed it to gain remote access to certain Treasury workstations and documents on them.”
It just keeps happening. Remote access software is once again the point of vulnerability leading to a hack, which sounds plausible given all the other remote access hacks in recent years. At least that’s the story we’re getting at this point regarding the Treasury hack. Along with some strong assertions that it was Chinese state hackers behind it. Strong assertions that don’t actually sound very strong when you look at the language of the statement released about how the attribution to a Chinese hacking group was “based on available indicators”. Which is another way of saying someone is looking at the evidence and making an educated guess. Evidence that, by its digital nature, is highly spoofable and can easily be used to leave ‘indicators’ pointing towards whoever one might want to implicate. And that’s assuming we ever even get to see the evidence. Usually we’re just assured it exists and that’s it:
But also note the remarkable timing and potential fallout from this hack: it came right around the time the US was imposing sanctions on China Telecom over the Salt Typhoon mega-hack of US phone companies which was also blamed on China. Are new sanctions against Chinese firms on the way?
Time will tell in terms of the fallout from this hack, but it’s not hard to imagine new sanctions of some sort. And as the following BBC report reminds us, the US hasn’t actually provided any evidence for its attribution of this hack yet. So time will also tell whether or not we ever get any more details on why the US is convinced it must have been a Chinese state operation, but don’t hold your breath. Public explanations of hacking investigations aren’t something we can really expect at this point.
But it is worth noting one interesting technical detail regarding the nature of this hack and what the hacker may have been capable of doing on the Treasury Department’s network: we are told it’s suspected the hackers may have had the ability to create new accounts or change passwords. Which suggests they were gaining access to administrative accounts. Which could be really bad for Treasury. And bad for China after it takes the blame:
“The US has not supplied any evidence that China is responsible for the hack.”
No evidence yet. Is it forthcoming? Again, don’t hold your breath. But don’t be surprised if we get more updates on the damage done by this hack. Because it sounds like the access granted via the BeyondTrust software is likely the kind of administrative access often necessary for providing remote technical support, and the hackers used those privileges to ‘override security via a key’ used by BeyondTrust:
Which remote access tool will the Treasury Department rely on now? Who knows, but it’s worth keeping in mind that, while we don’t know who else may have been impacted by this BeyondTrust security vulnerability, we do know the Treasury Department wasn’t BeyondTrust’s only impacted customer:
“The cybersecurity vendor initially detected anomalous activity on one customer instance of Remote Support SaaS on Dec. 2, according to the updated blog. Three days later, the company determined multiple customers were impacted, suspended those instances and revoked the compromised API key.”
Multiple customers were impacted. This isn’t just a Treasury hack story. The Treasury hack is just the biggest part of it. So far.
But when we see BeyondTrust also acknowledging that a pair of vulnerabilities have since been identified and patched, and that one of those vulnerabilities, CVE-2024-12356, was only added to the Cybersecurity and Infrastructure Security Agency’s catalog of known exploited vulnerabilities after that patch, it suggests BeyondTrust may not have been the only victim of that exploit. Which is another reminder that the remote access software industry seems to have a much larger industry-wide security problem:
How long before we learn about the next remote access software nightmare? Again, time will tell. But we can be confident it’s just a matter of time. And probably sooner rather than later at this rate. But it’s going to happen. And it’s going to be blamed on China. Or maybe Russia. But, really, given that there’s only so much room left for the US to impose more sanctions on Russia, it will probably be China.