Spitfire List Web site and blog of anti-fascist researcher and radio personality Dave Emory.


Cyber Attribution, the Mega-Hacks of 2021, and the Existential Threat of Blind Faith in Bad-Faith

Move over COVID. 2021 is turning out to be another year of the digital virus. One massive hacking story after another. Unrelated stories in many cases, we are told. In particular:

1. The SolarWinds mega-hack announced in December of 2020, blamed on Russia. Specifically, blamed on the hacking group known as 'Cozy Bear'/APT29. Microsoft dubbed them Nobelium.

2. The Microsoft Exchange mega-hack disclosed in March 2021, blamed on China. Specifically, blamed on a previously unidentified state-backed group Microsoft dubbed Hafnium.

3. The revelations about NSO Group's oversight (or lack thereof) of its powerful spyware sold to governments around the world.

4. The emerging story of Candiru, one of NSO Group's fellow "commercial surveillance vendors", selling toolkits overflowing with zero-day exploits and specializing in targeting Microsoft products.

But how unrelated are these stories? That's the big question we're going to explore in this post. A question punctuated by another meta-story we've looked at many times before: the meta-story of a cyberattribution paradigm seemingly designed to allow private companies and governments to concoct an attribution scenario for whatever guilty party they want to finger. As long as investigators found some sort of 'clue', like a piece of Cyrillic or Mandarin text or malware previously attributed to a group, these clues were strung together in a "pattern recognition" manner to arrive at a conclusion about the identity of the perpetrators. Attribution conclusions were often arrived at with incredible levels of confidence. Recall how the Japanese cybersecurity firm Trend Micro attributed a 2017 phishing campaign against US Senate email accounts to 'Pawn Storm'/Fancy Bear with 100 percent certainty, and that it made this highly certain attribution based heavily on how similar the campaign was to the 2017 phishing of Emmanuel Macron's campaign emails, which Trend Micro had attributed at the time with 99 percent certainty to Pawn Storm/Fancy Bear, even though ANSSI, the French government's cybersecurity agency, was leaving open the possibility that the Macron hack was the work of "other high-level" hackers trying to pin the blame on Pawn Storm (another name for Fancy Bear). Trend Micro was making 99 percent certain attributions of a hack that the French government said could be the work of any number of actors. That was the state of affairs for cyberattributions in 2017, and nothing has changed in the years since. Highly certain attributions continued to be piled on top of highly certain attributions, almost always pointing towards Russia, Iran, China, or North Korea, built on a foundation of what appears to be largely guesswork. Often highly motivated guesswork.

It's that willingness by cybersecurity firms and governments to make strong '100 percent certain' declarations about who was behind a hack, based on seemingly no compelling evidence, that continues to plague our collective understanding of global digital threats. A lack of understanding that could have grave global implications going forward. Because as we're going to see, the prevailing narrative encouraging the public to fixate their hacking fears on Russian and Chinese hackers conveniently leaves out the explosion over the last decade of a global industry selling powerful, legal, cutting-edge spyware to governments around the world. Dozens of governments that didn't previously have access to spyware of this caliber. In other words, the default 'Russia or China did it!' narrative acts as a cover story that deflects suspicion from all the other countries (or private entities) with access to the kind of spyware previously assumed to be the exclusive preserve of a handful of nations with known powerful hacking capabilities.

Also looming large in this discussion are the 2016 Shadow Brokers leak of NSA hacking tools and the 2017 Vault 7 release of the CIA's hacking toolkit, the latter of which included features explicitly suited to confusing this "pattern recognition" approach to cyberattribution. The toolkit included an obfuscation framework that could leave Cyrillic, Mandarin or other foreign-language text in malware code, exactly the sort of 'clue' pattern-recognition attribution relies on. This was revealed weeks before Trend Micro made its '99 percent certain' attribution of the Macron email hacks based on pattern recognition. And yet, other than the acknowledgment by France's ANSSI that someone could be intentionally leaving false 'clues', the Shadow Brokers story and the digital 'clues' described in the Vault 7 documents did not appear to affect the reporting or analysis of the Macron hack in any meaningful way. It's a big part of the meta-story here: no matter how many reports come out that should raise major questions about the quality of cyberattributions based on "pattern recognition", nothing actually changes in how the cybersecurity industry carries out its attributions.

For example, as we're going to see, when the SolarWinds hack was first uncovered, it was a team led by Adam Meyers, the vice president for threat intelligence at CrowdStrike, that first examined the malware. In an interview describing their early investigation, Meyers said he had fully expected to find some sort of 'cultural artifact' like Cyrillic or Mandarin and expressed dismay that nothing was found. The hack was nonetheless attributed to Russia. We're never given a clear explanation why. The whole episode, and Meyers's shock at the lack of any 'clues', suggests that elite cybersecurity firms like CrowdStrike are not only willing to use "pattern recognition" to carry out these attributions but are routinely doing so, raising the question of whether hackers these days simply know to leave 'clues' in order to satisfy the cybersecurity industry and its clients.

Now, when we learn that it was CrowdStrike that led the early SolarWinds investigation, relying heavily on looking for 'cultural artifacts' in the malware, it's also important to recall that CrowdStrike was co-founded in 2011 by Dmitri Alperovitch on the conviction that hacks should be met with clear public attributions as a primary means of deterring future attacks. Before CrowdStrike, publicly naming culprits was anathema in the cybersecurity industry, in large part because it is so difficult to truly know who the culprit is, given the hall-of-mirrors nature of digital evidence. So in that sense, we shouldn't be at all surprised to learn that CrowdStrike continues to make baseless attributions. It's CrowdStrike's business model.

As we're also going to see, it's not as if the cybersecurity industry always plays dumb about the possibility of actors spoofing 'pattern recognition' methods by intentionally leaving 'clues' like Cyrillic. When the SolarWinds mega-hack story broke, it broke in the wake of a disclosure by cybersecurity firm FireEye that its own "Red Team" suite of hacking tools, kits of known exploits used to test clients' systems for vulnerabilities, had been stolen by unknown hackers. Immediately, experts warned that a toolkit like that could be used by governments to cover their tracks. But that's really the only time we're going to see this basic insight plainly stated. Right at the start, with the FireEye attack. For the rest of the time, this obvious problem with our global cyberattribution regime is systematically ignored. Still.

NSO Group: A Quick Review

First, recall how NSO Group first came to the public's attention in relation to Michael Flynn's appointment in May of 2016 to the advisory board of OSY Technologies, and his consulting work for Francisco Partners. Francisco Partners was NSO Group's owner at the time, and OSY happened to be an NSO Group offshoot.

Next, recall how Francisco Partners ended up selling NSO Group to a European private equity firm, Novalpina, in early 2019, following the international outrage over the reported role NSO Group's malware played in the surveillance that preceded the assassination of Jamal Khashoggi. We're going to learn more about that sale and why it happened (hint: Saudi Arabia's access to that spyware was part of a larger diplomatic process).

In May of 2019, we learned that NSO Group was selling its clients a "zero-click" capability to infect smartphones via WhatsApp, and that there was nothing victims could do to prevent it. The exploit fired automatically when the attackers placed a WhatsApp call to the victim's phone; the call did not even need to be answered. But we also learned that Israel was treating access to this kind of malware as a diplomatic tool in its negotiations with regional partners. Beyond that, there was ostensibly a limitation on how client states could use this powerful malware: the Israeli government set geographical limits on where it could be deployed.

So the picture that had already emerged of NSO Group was that of a provider of cutting-edge hacking toolkits to governments around the world, but also a point of leverage in Israel's own diplomatic toolkit. It was the kind of corporate profile that suggests any scandal involving NSO Group is implicitly a government-related scandal. And that picture of a company distributing powerful hacking tools as part of Israel's diplomatic efforts gets all the more intriguing when we factor in the chapter of the #TrumpRussia saga involving Michael Flynn, Erik Prince, Michael Cohen, and the Saudi/UAE scheme to build nuclear power plants across the Middle East (except in Iran). In other words, there's no separating the NSO Group story from the larger story of the warming relationship between Israel and its Sunni allies in a regional alliance against Iran, and from the still-unresolved agenda of Michael Flynn, Erik Prince, and the network of other US conservatives in Donald Trump's orbit who had major agendas of their own involving the Middle East.

That's all part of the context we're going to have to keep in mind when reading about these new revelations, which appear to show the widespread use of NSO Group's powerful malware against journalists, activists, and even government ministers around the world. And the more we learn about the history of NSO Group, the clearer it becomes that its malware has been secretly used by dozens of governments around the world for at least a decade now.

And as we're going to see with the story of Candiru, it's important to keep in mind that NSO Group is merely one of a number of secretive firms selling cutting-edge hacking toolkits to governments around the world. This is a global industry.

Finally, it's important to keep in mind another major dimension of this story: the explosion of government access to these powerful hacking tools over the last decade has presumably coincided with an explosion of actual hacking. And that presumed explosion of actual hacking just happened to coincide with the emergence of highly 'noisy' and high-profile 'Russian hacker' campaigns. As we've seen, following the outbreak of conflict in Ukraine, a number of very publicly visible mass phishing attacks were waged against NATO governments and institutions. Cybersecurity experts described this as a significant shift in the behavior of Russian government-backed hackers, and yet we were nonetheless told that these high-profile hacks must be coming from Russia, despite a lack of any solid technical evidence. It was the rise of the "pattern recognition" form of cyberattribution, which consistently found patterns of "Russian hackers". Recall how the first hack of the DNC, the 2015 hack, took place amidst a giant phishing campaign that hit 50,000 to 60,000 email addresses and was described as very different from traditional Russian government hacker phishing campaigns, which would normally consist of just 5 or 6 carefully crafted phishing emails. Nothing has done a more effective job of obscuring the emergence of this global super-hacking capability from the global public than the prevailing narrative that all hacks are being done by Russia and China. Hardly anyone even bothers asking if it could be anyone else anymore.

Let's not forget that the globalization of NSA-level spyware was one of the obvious possible consequences of the Snowden affair. Yes, it was remarkable what a stunning edge the NSA had over almost every other government. A desire to level the playing field was understandable, and the globalization of super-spyware is one of the obvious ways to achieve that. There are no easy answers on this topic. It's a 'lesser evil' situation.

So we have to ask: what role have these very high-profile public mass hacking campaigns of the last decade, blamed on 'Russian hackers' (or 'Chinese hackers'), played in obscuring the reality that dozens of governments around the world suddenly got access to quiet super-hacking tools? The timing sure has been convenient. And it's not hard to imagine that the high-profile 'noisy' phishing campaigns of the last decade ran alongside quiet zero-click super-malware like NSO Group's unstoppable WhatsApp exploit. One of the key selling points of NSO Group's malware is how difficult it is to detect. A lot of people and organizations have presumably been hacked without ever discovering the source of the hack. How often over the past decade have organizations, especially governments, discovered they were hacked, when the hack was actually carried out with a company's 'legal' toolkit like NSO Group's, and just assumed it was 'Russian hackers' because of the waves of global high-profile 'Russian hacker' campaigns? It's a question that looms ever larger as the client list of this global legal hacking industry continues to grow in the shadows.

**************************

Let's Play "What's Wrong With This Picture?"

Ok, so let's start off with an overview of the articles we're going to be reviewing. An overview that screams the question "What's wrong with this picture?" Again, it's four major stories. Unrelated stories, we are told: 1. The SolarWinds mega-hack of December 2020 (blamed on Russia). 2. The Microsoft Exchange mega-hack of March 2021 (blamed on China). 3. Revelations of NSO Group abuses. 4. Revelations that Candiru is selling cutting-edge spyware specialized in targeting Microsoft's systems. We are told those are four largely unrelated stories. What's wrong with this picture?

* December 8, 2020: FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State:

The story that got the ball rolling. At least publicly. Cybersecurity firm FireEye informs the world of a nightmare scenario: FireEye's "Red Team" tool suite was stolen. So whoever managed to hack FireEye obtained a toolkit of powerful known exploits (FireEye said it contained no zero-days, but it did not need to). A digital treasure trove that had suddenly fallen into the hands of whoever already had the wherewithal to pull off this hack. And as experts warned, nation-states could potentially hide their own tracks using this toolkit. This is basically going to be the only time we see an expert admit that governments around the world could be intentionally covering their tracks with someone else's tools, an implicit admission of how shoddy contemporary cyberattributions truly are. So who did it? FireEye wasn't ready to name a culprit. The FBI announced it was confident the attack was carried out by a nation-state, and while it wouldn't name a specific nation, it was pretty clear Russia was the prime suspect. No reasons for these suspicions were given.

* December 14, 2020: Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce:

The nightmare explodes. We learn it wasn't just FireEye, after FireEye informs SolarWinds that it was SolarWinds's own Orion update mechanism that delivered the malware onto FireEye's systems. A rather ominous development, given that the same Orion software sits on another 18,000 client networks. Oh, and unnamed US officials quoted in the press were already naming names: it was Russia again. Specifically APT29/Cozy Bear, the infamous hacking group thought to work for Russia's FSB (or SVR, it's unclear) and that the US claims was behind the first hack of the Democratic National Committee (DNC) in 2015. Cozy Bear was also behind this new mega-hack. That was the line from the US a week after FireEye first announced the hack. Russia did it. No reasons for this attribution were given, of course, but it was treated as more of a given since numerous US government agencies were hit. Simultaneously, we were told that the aggressive nature of this hack was unprecedented for Cozy Bear.

We also get an early important clue about how the SolarWinds hack was carried out: SolarWinds informed the world that it suspected Microsoft's Office 365 email may have been "an attack vector" used by the hackers. In other words, the SolarWinds hack may have begun with the compromise of a Microsoft product.

* December 15, 2020: FireEye Discovered SolarWinds Breach While Probing Own Hack:

In some additional reporting on the breaking SolarWinds news, we learn that FireEye isn't actually ready to join the US government in attributing the hack to Russia, citing a lack of evidence.

* December 15, 2020: Microsoft's Role In SolarWinds Breach Comes Under Scrutiny:

More information is coming out about the role weaknesses in Microsoft products played in the hack. The hackers were tricking Microsoft's authentication controls. This included forging authentication tokens for Microsoft's Azure cloud services and adding password credentials to legitimate applications (service principals), enabling them to read emails from Microsoft's Exchange Online cloud-based email service. Keep in mind that the Microsoft Exchange mega-hack announced in March targeted self-hosted, on-premises Microsoft Exchange email servers, not the cloud service. So when the SolarWinds hackers demonstrated an ability to read mail from the cloud-based Exchange service, they were demonstrating a different technique from the one used in the Microsoft Exchange mega-hack, but one aimed at the same prize: Exchange mailboxes. And yet we will be assured by Microsoft that the Microsoft Exchange hack was carried out by China.

* December 21, 2020: Treasury Department's Senior Leaders Were Targeted by Hacking:

The US Treasury Department gives us an update on the scope of the hack. The hackers gained access to agency emails in July 2020 via the manipulation of internal software keys. Specifically, we are told the hackers performed a complex step inside Microsoft's Office 365 system to create an encrypted "token" that identifies a computer to the larger network. This token allowed the hackers to fool the system into thinking they were legitimate users. So spoofing Microsoft credentials appears to be one of the SolarWinds hackers' specialties.
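The two identity tricks described in the two entries above (forged cloud authentication tokens, and credentials quietly added to legitimate applications so they can read Exchange Online mail) are also what a defender would hunt for. Below is an added example, not code from the original post or from Microsoft, SolarWinds or the Treasury Department, showing that hunt in Python over constructed log records. Two checks are implemented: a federated sign-in accepted by Azure AD that has no matching token-issuance record on the on-premises AD FS server (or carries a token lifetime longer than policy allows), which is the classic signature of a token forged with a stolen AD FS signing certificate; and a credential added to an existing application or service principal that is followed within a short window by that same principal signing in to Exchange Online. The record field names, the activity strings, the policy value and the sample identities are simplified assumptions for this example, not the exact Azure AD or AD FS log schemas.

```python
"""Hunt for forged federated tokens and abused application credentials.

Added example over constructed log records; field names, activity strings
and the one-hour token policy are assumptions, not real Azure AD/AD FS schemas.
"""
import json
from datetime import datetime, timedelta


def _ts(value):
    """Parse the ISO-8601 timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


# --- Constructed sample data (not real telemetry) ---------------------------
# On-premises AD FS token-issuance log. Every legitimate federated sign-in to
# the cloud should have a matching entry here, keyed by SAML assertion ID.
ADFS_ISSUANCE = [
    {"time": "2020-07-01T08:00:10", "user": "alice@example.gov", "assertion_id": "_a1"},
    {"time": "2020-07-01T08:05:42", "user": "bob@example.gov", "assertion_id": "_b1"},
]
# Azure AD federated sign-ins (cloud side). The last record is the anomaly:
# the cloud accepted a token AD FS never issued, and it is valid for a week.
AAD_FEDERATED_SIGNINS = [
    {"time": "2020-07-01T08:00:12", "user": "alice@example.gov", "assertion_id": "_a1", "lifetime_minutes": 60},
    {"time": "2020-07-01T08:05:44", "user": "bob@example.gov", "assertion_id": "_b1", "lifetime_minutes": 60},
    {"time": "2020-07-03T02:13:09", "user": "admin@example.gov", "assertion_id": "_zz9", "lifetime_minutes": 10080},
]
# Azure AD audit log (directory changes). Activity strings are assumed.
AAD_AUDIT = [
    {"time": "2020-07-03T02:20:00", "activity": "Add service principal credentials",
     "actor": "admin@example.gov", "target": "Mail Archiver (prod)"},
    {"time": "2020-07-03T02:21:30", "activity": "Update application - Certificates and secrets management",
     "actor": "admin@example.gov", "target": "Mail Archiver (prod)"},
    {"time": "2020-07-05T09:00:00", "activity": "Add user", "actor": "hr@example.gov", "target": "newhire@example.gov"},
]
# Non-interactive service-principal sign-ins (cloud side).
SP_SIGNINS = [
    {"time": "2020-07-03T02:31:00", "service_principal": "Mail Archiver (prod)",
     "resource": "Office 365 Exchange Online", "client_ip": "203.0.113.7"},
    {"time": "2020-07-03T09:00:00", "service_principal": "Inventory Sync",
     "resource": "Microsoft Graph", "client_ip": "198.51.100.4"},
]

MAX_TOKEN_LIFETIME_MINUTES = 60  # assumed organisation policy: AD FS issues 1h tokens
CREDENTIAL_CHANGE_ACTIVITIES = {"Add service principal credentials",
                                "Update application - Certificates and secrets management"}
MAIL_RESOURCES = {"Office 365 Exchange Online"}


def find_suspect_federated_signins(adfs_issuance, aad_signins, max_lifetime):
    """Flag cloud sign-ins AD FS never issued a token for, or whose token
    lifetime exceeds policy; both are hallmarks of a forged SAML token."""
    issued = {e["assertion_id"] for e in adfs_issuance}
    findings = []
    for s in aad_signins:
        reasons = []
        if s["assertion_id"] not in issued:
            reasons.append("no matching AD FS issuance event")
        if s["lifetime_minutes"] > max_lifetime:
            reasons.append(f"token lifetime {s['lifetime_minutes']}m exceeds policy {max_lifetime}m")
        if reasons:
            findings.append({"time": s["time"], "user": s["user"],
                             "assertion_id": s["assertion_id"], "reasons": reasons})
    return findings


def find_credential_abuse(audit_events, sp_signins, window=timedelta(hours=72)):
    """Pair the first credential change on each application/service principal
    with a later mail-reading sign-in by that same principal inside `window`."""
    first_change = {}
    for e in audit_events:
        if e["activity"] not in CREDENTIAL_CHANGE_ACTIVITIES:
            continue
        t = _ts(e["time"])
        if e["target"] not in first_change or t < first_change[e["target"]][0]:
            first_change[e["target"]] = (t, e["actor"])
    findings = []
    for s in sp_signins:
        sp = s["service_principal"]
        if sp not in first_change or s["resource"] not in MAIL_RESOURCES:
            continue
        changed_at, actor = first_change[sp]
        delta = _ts(s["time"]) - changed_at
        if timedelta(0) <= delta <= window:
            findings.append({"service_principal": sp, "actor": actor,
                             "credential_added": changed_at.isoformat(),
                             "first_mail_access": s["time"], "client_ip": s["client_ip"]})
    return findings


if __name__ == "__main__":
    print(json.dumps({
        "forged_token_candidates": find_suspect_federated_signins(
            ADFS_ISSUANCE, AAD_FEDERATED_SIGNINS, MAX_TOKEN_LIFETIME_MINUTES),
        "credential_abuse": find_credential_abuse(AAD_AUDIT, SP_SIGNINS),
    }, indent=2))
```

Running the block prints the two findings as JSON: the admin sign-in with the never-issued, week-long token, and the mail archiver application that acquired a new secret and started pulling mail eleven minutes later. In a real hunt the AD FS side comes from the federation server's own logs and the cloud side from the Azure AD sign-in and audit logs; the join is the same, and the interesting rows are the ones that exist on only one side.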

* February 4, 2021: SolarWinds CEO Confirms Office 365 Email 'Compromise' Played Role In Broad-Based Attack:

It's confirmed! SolarWinds confirms the hack started via a compromised Microsoft Office 365 email account. According to the report, the hackers used a previously unknown zero-day vulnerability in Microsoft's Office 365 email software to gain access to, and exploit, the development environment for SolarWinds Orion.

But beyond that, we learn that 30 percent of the private sector and government victims of the colossal hacking campaign had no direct connection to SolarWinds. It's the kind of revelation that raises the disturbing question of whether these hackers had some other yet-to-be-discovered technique for infiltrating networks. Which obviously raises questions about whether other Microsoft exploits were being used by these hackers. After all, the hackers reportedly infiltrated SolarWinds's own network via a zero-day Microsoft exploit. Why wouldn't it work elsewhere? In other words, the SolarWinds mega-hack might actually be part of an even larger, still unrecognized Microsoft super-mega-hack.

* February 05, 2021: Microsoft: No Evidence SolarWinds Was Hacked Via Office 365:

Not true! None of it! That's the line from Microsoft a day after SolarWinds's CEO appeared to confirm that the exploitation of a Microsoft Office 365 email vulnerability wasn't just used in the hack but was used to execute the initial compromise of SolarWinds's software development environment. Microsoft does admit that Microsoft services were indeed targeted by the SolarWinds hackers, but insists that the hackers gained privileged credentials another way, implying it was due to configuration issues on the customer end and not due to vulnerabilities in Microsoft's products. And what about all the reports from SolarWinds and the US government that they found evidence of an Office 365 email exploit? "As we said at the time, and based upon all investigations since, we have found no indications that our systems were used to attack others." That was Microsoft's line. Still.

* February 19, 2021: SolarWinds Hackers Kept Going After Microsoft Until January:

Microsoft gave us an update on its SolarWinds investigation. The company acknowledged that its own networks were plundered during the attack, and that some of its source code was stolen. The source code reportedly involved the cloud-based versions of Azure, Intune, and Exchange (email server software). We are also told the hackers searched Microsoft's repositories for useful secrets like API keys, credentials, and security tokens that might have been embedded in the source code.

* March 5, 2021: At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft's Email Software:

A new mega-hack is upon us! Back-to-back mega-hacks. This time Microsoft is the main target: self-hosted Microsoft Exchange servers were being attacked en masse around the world, with estimates running to hundreds of thousands of servers. The attack was first detected by Volexity on January 6, during the Capitol insurrection, in the form of a large download to an illegitimate user, although days later Volexity issued an update that it had found evidence of the attack starting on January 3. Within weeks this quiet hack exploded into a loud global ransacking. Virtually every self-hosted Microsoft Exchange email server in the world connected to the internet was hit over the following two months. Or at least is assumed to have been hit. That's a lot of hacked email. And potentially voicemail. Microsoft was continuing to assure us the hack had nothing to do with the SolarWinds hack, and also that the SolarWinds hack had nothing to do with any Microsoft vulnerabilities. They were seriously touting the 'don't worry about Microsoft security' line during the Exchange mega-hack disclosure.

* March 10, 2021: Microsoft Exchange Hack Could Be Worse Than SolarWinds:

With more information about the Hafnium hack coming in, this is looking more and more like the worst-case scenario. Or at least worse than the SolarWinds hack, which would make it the worst yet. Literally the worst hack ever. So far. Give it a few months.

The hack started on January 3, with "Hafnium" quietly hacking away at dozens of targets until Microsoft issued a patch in early March. At that point, it became a criminal free-for-all race that included at least a dozen more actors.

A big part of what makes this the worst hack ever is the scale, with potentially hundreds of thousands of Exchange email servers all hit in short order. That scale was possible because the attack can be automated: the hackers needed only scripts and the time to let the scripts do their work.

But another part of what arguably makes this the worst hack ever is that the ability to remotely take over the Exchange server software doesn't just potentially give the hackers the ability to read emails. It also potentially gives them a path into Microsoft Active Directory, the identity and authentication system for the whole Windows domain. Exchange only runs on Windows Server, every Exchange server is joined to the domain, and Exchange servers have historically been granted very high privileges in Active Directory, so taking over the server can become a stepping stone to control of the entire domain and every Microsoft system that trusts it. This also means the hackers could have burrowed in all sorts of hidden backdoors all over the victim networks. This was a huge, deep hack.

But here's the big detail we learn from Ed Hunter, CISO at Infoblox, a cybersecurity company, commenting to a reporter about the hack: the vulnerability had been present in the Microsoft Exchange codebase for a decade. As Hunter put it, "one has to wonder how long this vulnerability has been a closely held – and used – tool in this threat actor's toolbox."

And, again, it was just two weeks earlier that Microsoft disclosed that the SolarWinds hackers stole Exchange source code for the cloud-based version of Exchange. But in this case, it was the self-hosted Exchange servers that got hacked. All of them. Hundreds of thousands of email servers around the world. Also keep in mind the SolarWinds hackers had already demonstrated the ability to manipulate Microsoft's credential systems. So this hack sure seems closely related to the SolarWinds hackers, and yet Microsoft confidently assured us that this had nothing to do with the SolarWinds hack and was in fact carried out by a state-backed Chinese hacking group Microsoft dubbed "Hafnium".

* April 16, 2021: A ‘Worst Night­mare’ Cyber­at­tack: The Untold Sto­ry Of The Solar­Winds Hack:

Four months after it was first announced, NPR has a big piece on the then-untold sto­ry of how the hack unfold­ed. By that point, the Biden White House was unequiv­i­cal­ly stat­ing Russ­ian intel­li­gence was behind it. While the rea­son Rus­sia is giv­en the attri­bu­tion is, as always, nev­er giv­en, there was by now enough known about the hack to deter­mine that these real­ly were excep­tion­al hack­ers. Mul­ti­ple nev­er-before-seen “zero-day” exploits were uti­lized. Beyond that, the mal­ware was intro­duced into the Solar­Winds soft­ware devel­op­ment pipeline at the very last pos­si­ble moment, dur­ing the com­pi­la­tion process, allow­ing it to evade the stan­dard secu­ri­ty checks for unwant­ed soft­ware. It was proof-of-con­cept and could be used against any­one else using the same com­pi­la­tion soft­are (they did­n’t name the soft­ware). This abil­i­ty to use this attack against oth­er soft­ware devel­op­ers is par­tic­u­lar­ly acute when we recall that this attack cre­at­ed back­doors on the net­works of the many of the largest soft­ware devel­op­ers in the world. Includ­ing Microsoft. Yikes.

And it’s in this April 2021 NPR piece where we get fur­ther con­fir­ma­tion of some­thing that has long been clear but is rare said out loud so clear­ly: con­tem­po­rary cyber­at­tri­bu­tion real­ly does rely heav­i­ly on ‘clues’ like Cyril­lic char­ac­ters or Man­darin in the code and such ‘clues’ are fre­quent­ly found. At least that’s how Adam Mey­ers, the vice pres­i­dent for threat intel­li­gence at Crowd­Strike, described his approach to deter­min­ing the iden­ti­ty of the Solar­Winds hack­ers. And he was lead­ing the team that first inves­ti­gat­ed it. Mey­ers express­es dis­may at how thor­ough the hack­ers were. Thor­ough in the sense that there was no ‘cul­tur­al arti­fact’ like Cyril­lic or Man­darin. Mey­ers describe the lack of any­thing that a human might have inad­ver­tent­ly left behind as a clue as “mind-blow­ing”. His response to the tiny piece of mal­ware used in the ini­tial Solar­Winds hack — dis­trib­uted to all 18,000 clients via the Ori­on soft­ware — and it’s lack of clues as “the cra­zi­est f***ing thing I’d ever seen.” So this update on the Solar­Winds inves­ti­ga­tion includes an update on the gen­er­al state of affairs in cyber­at­tri­bu­tion. A state of affairs where mal­ware that’s cleaned and lacks a ‘cul­tur­al arti­fact’ is “the cra­zi­est f***ing thing I’d ever seen.” This is a good time to recall the sto­ry of the Shad­ow Bro­kers and the CIA’s hack­ing toolk­it that includ­ed fea­tures like leav­ing Cyril­lic or Man­darin char­ac­ters to leave a false lead. This was con­firmed just four years ago. Every­one real­ly is play­ing dumb here. Dou­ble yikes.

* April 23, 2021: Solar­Winds hack­ing cam­paign puts Microsoft in the hot seat:

Microsoft­’s ter­ri­ble, hor­ri­ble, no good, very bad year con­tin­ues. A week after that big NPR piece on Solar­Winds, we learn new sig­nif­i­cant details on the Solar­Winds hack in a new report put out by The Atlantic Coun­cil. The kind of details that have Microsoft scram­bling for expla­na­tions. And cul­prits. Again. It turns out the deliv­ery of the back­door mal­ware via the Solar­Winds Ori­on updat­ing soft­ware was just the first phase of the mega-hack. Once the hack­ers used those back­doors to gain access to vic­tims’ net­works they con­tin­ued to exploit more vul­ner­a­bil­i­ties. In par­tic­u­lar Microsoft vul­ner­a­bil­i­ties involv­ing how Microsoft prod­ucts val­i­date user iden­ti­ties. Now, part of the rea­son Microsoft vul­ner­a­bil­i­ties were heav­i­ly tar­get­ed was because, well, these vul­ner­a­bil­i­ties exist. But the oth­er big rea­son is that Microsoft has more than 85% of the mar­ket share for gov­ern­ment and indus­try. In oth­er words, the juici­est tar­gets — espe­cial­ly gov­ern­ment agen­cies — were almost all run­ning Microsoft tools on their net­works. Microsoft con­tin­ued to deflect blame, sug­gest­ing poor­ly con­fig­ured soft­ware by the clients was the cause. But accord­ing to Sen­a­tor Ron Wyden, the soft­ware Microsoft sup­plies to US fed­er­al agen­cies is itself poor­ly con­fig­ured with default log set­tings that won’t cap­ture the infor­ma­tion need­ed to catch attacks while they’re in progress.

* May 28, 2021: Microsoft says group behind Solar­Winds hack now tar­get­ing gov­ern­ment agen­cies, NGOs:

Cozy Bear/APT29/“Nobelium” is back at it. They’re up to their old tricks, according to Microsoft. Targeted phishing, with organizations that signed up to receive communications from USAID being the targets. 3,000 email accounts at more than 150 different organizations. Somehow, the hackers managed to mimic emails from the firm Constant Contact, the firm that handles USAID’s email communications, to make the messages look like USAID communications. At least a quarter of the targeted organizations were involved in international development, humanitarian issues and human rights work. The US and UK blame Russia’s SVR (the same agency Cozy Bear/APT29 is said to work for, along with the FSB).

How did Microsoft determine that this was done by the same hackers who pulled off the SolarWinds hack? That’s never explained. It’s not due to technical similarities. In fact, the Microsoft blog post describing this USAID phishing scheme explicitly states that this new attack had few technical similarities to the SolarWinds hack and suggests the hackers intentionally changed their tactics after the SolarWinds hack was uncovered. Four new, previously unseen malware families were deployed on the computers of the victims who clicked on the malicious link, so keep in mind that if this was the same hacking group involved with the SolarWinds hack and/or the Microsoft Exchange hack, this crew is fielding a large and rapidly changing arsenal of tooling.

* June 25, 2021: Microsoft says new breach dis­cov­ered in probe of sus­pect­ed Solar­Winds hack­ers:

Cozy Bear/APT29/“Nobelium” is at it again. Again. This time, Microsoft tells us the hackers somehow compromised a Microsoft agent who had access to Microsoft customer support tools with subscription information. Of course, we’ve already been told that the SolarWinds hackers stole code involving how Microsoft tools verify identities, and the same hackers reportedly pulled off this hack too. So it’s not hard to imagine some of those stolen insights were used to carry it out. But we aren’t told much else by Microsoft other than that it was definitely the SolarWinds hackers who are definitely working for the Russian state. Of that they are sure. Always and forever, except when it’s China.

* July 4, 2021: Solar­Winds: How Russ­ian spies hacked the Jus­tice, State, Trea­sury, Ener­gy and Com­merce Depart­ments:

Less than two weeks later, CBS has an article with more interviews of figures involved in the SolarWinds hack investigation, including Brad Smith, president of Microsoft. Smith points to the list of US government agencies hit by the hack and insists that means it was a foreign intelligence collection mission (which ignores the roughly 18,000 largely commercial victims also hit). The piece reveals that the SolarWinds hackers were on US federal networks reading emails and other traffic for months.

It ends with an interview of Jon Miller, who runs a company, Boldend, that sells cutting-edge cyber weapons to US intelligence agencies. Miller observes that the notable thing about the SolarWinds hack wasn’t the sophistication. He builds things much more sophisticated (presumably for his US intelligence clients). Instead, what makes this attack stand out is how aggressive it was. It’s the kind of assessment that suggests a lot of different actors could have pulled off this attack for some time, and someone finally did.

Miller also reminds us of another crucial aspect of both the SolarWinds and Exchange mega-hacks: it would be trivial to turn those backdoors into digital bombs that destroy victim networks. In other words, these mega-hacks could have been A LOT more damaging had the hackers wanted them to be. And since the hackers likely embedded themselves in victim networks in ways not yet detected, they could decide to set off those digital bombs in the future if they choose to.

* July 15, 2021: Microsoft says Israeli group sold tools to hack Win­dows:

Citizen Lab put out a report on an Israeli commercial hacking company, Candiru, behind malware discovered targeting Windows. But Candiru’s toolkit doesn’t just hit Microsoft products. It appears to be the same company Google had just connected to a set of additional zero-day exploits targeting Google’s products, exploits that Citizen Lab also tied to Candiru. So Microsoft and Google both announced the discovery of Candiru zero-day exploits at roughly the same time.

* July 15, 2021: Microsoft says it blocked spy­ing on rights activists, oth­ers:

In some more reporting on Candiru, we learn that the company goes by several names. We also learn that its spyware “infrastructure” includes websites “masquerading as advocacy organizations” such as Amnesty International and Black Lives Matter.

* July 15, 2021: Safari Zero-Day Used in Mali­cious LinkedIn Cam­paign:

More on Google’s Threat Analysis Group (TAG) security announcement. A Russian-language group was exploiting a vulnerability in the Safari browser on iOS devices. Malicious links that triggered the exploit were being sent to Western European government officials through LinkedIn’s direct messaging. It is noted that the malicious link campaign coincided with “Nobelium’s” USAID phishing campaign in May that targeted Windows devices.

In the same report, Google’s TAG announced a new exploit it discovered that was used against Armenian activists in April: a zero-day exploit against Microsoft’s Internet Explorer.

The TAG team also announced three new zero-day exploits attributed to an unnamed “commercial surveillance vendor” (Candiru): two vulnerabilities in Google’s Chrome and one in Microsoft’s Internet Explorer. These exploits were also used against Armenian targets, but we are told that this was a separate campaign from the other Armenian one, with one of the Chrome exploits discovered in February and the second in June.

Finally, the article notes that security researchers had identified 33 zero-day vulnerabilities up to that point in 2021, 11 more than the 22 found in all of 2020. That’s roughly triple the rate of the previous year, which itself was a record year.

* July 17, 2021: Israeli Com­pa­nies Aid­ed Sau­di Spy­ing Despite Khashog­gi Killing:

NSO Group’s latest headache begins. The New York Times has an update on NSO Group and long-standing questions about the extent to which the licenses granted to countries to buy NSO Group’s super-spyware are used as a tool of Israel’s foreign policy. It’s a question that relates to more than NSO Group, but to the entire Israeli ‘commercial surveillance’ industry that governments around the world turn to. As we should have expected, it turns out super-spyware suites like NSO Group’s Pegasus software aren’t just super-spyware suites. They’re also diplomatic tools for the Israeli government. And that means NSO Group might sometimes effectively be forced to keep selling to clients like Saudi Arabia even when its relationship with those clients becomes toxic. That’s apparently what happened following the Saudi government’s assassination of Jamal Khashoggi. NSO Group canceled the Saudi contract only to be pressured by the Israeli government to renew it. NSO Group was ultimately sold to new private equity owners and proceeded to renew the Saudi contract.

But NSO Group reveals a far more legitimate excuse for its apparent negligence in regulating its super-spyware: the Israeli government approves these sales. If you want a subscription to Pegasus, you had better make sure you’re on at least decent terms with the Israeli government. It’s pretty

* July 18, 2021: Pri­vate Israeli spy­ware used to hack cell­phones of jour­nal­ists, activists world­wide:

The Washington Post follows up with a huge report that confirmed a bunch of other things that have been suspected about NSO Group: people have long accused the company of not having any safeguards to ensure the super-spyware it sells to governments around the world is only used to track ‘terrorists and criminals’. And, yep, there are basically no safeguards. It’s up to the government to promise not to abuse the super-spyware. Although there are geographic limitations. The spyware was configured not to work on US-based smartphones and could be limited to certain countries. But how it was used inside those approved geographic areas was up to the governments. In other words, Pegasus was abused. A lot. At least that’s according to an investigation released by Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International.

How much abuse of NSO Group’s super-spyware has been taking place? Well, this report was based on thousands of leaked phone numbers that were purportedly the targets of NSO Group’s feared Pegasus spyware, an almost unstoppable spyware suite that can hit almost any smartphone. And if those thousands of numbers really are an accurate target list, it was rampant abuse, with activists and rival politicians frequently on the list. 60 government agencies in 40 countries were allowed to buy subscriptions to the software and, again, they policed themselves.

NSO Group’s defense against charges that it was knowingly allowing governments to abuse its super-spyware was to point out that the company doesn’t police how governments use its software. It really is up to the governments to police themselves, as confirmed by this study and the rampant abuse it reveals. It’s not actually a great defense if you think about it, but it gets better when you keep in mind this is all sanctioned and encouraged by the Israeli government (and probably the US government).

* July 19, 2021: Microsoft Exchange hack caused by Chi­na, US and allies say:

The US for­mal­ly accus­es Chi­nese state-backed hack­ers of car­ry­ing out the Microsoft Exchange mega-hack. At the same time, the US Jus­tice Depart­ment announced charges against four Chi­nese nation­als who pros­e­cu­tors said were work­ing with China’s Min­istry of State Secu­ri­ty in a dif­fer­ent hack­ing cam­paign that tar­get­ed dozens of com­put­er sys­tems, includ­ing com­pa­nies, uni­ver­si­ties and gov­ern­ment enti­ties. But beyond that, the US accused these state-backed Chi­nese hack­ers of car­ry­ing out ran­somware and oth­er for-prof­it extor­tion hacks for their own per­son­al enrich­ment. In fact, an admin­is­tra­tion offi­cial told reporters that the for­mal attri­bu­tion of the Exchange hack to Chi­na took this many months (recall Microsoft did it imme­di­ate­ly) in part because of the ran­somware and for-prof­it hack­ing oper­a­tions. In oth­er words, the hack­ers the US was accus­ing of work­ing on behalf of the Chi­nese state were behav­ing like reg­u­lar crim­i­nals. But we are nonethe­less assured that, no, they were work­ing for Chi­na. Dmitri Alper­ovitch — co-founder of Crowd­Strike and the guy who pio­neered the mod­ern approach of mak­ing loud evi­dence-free hack­ing accu­sa­tions against coun­tries as a means of pre­vent­ing future attacks — express­es a sense of puz­zle­ment that sanc­tions against Chi­na haven’t been declared yet.

* July 20, 2021: Chi­na says Microsoft hack­ing accu­sa­tions fab­ri­cat­ed by US and allies:

The US’s allies (the UK, New Zealand, Australia, and the EU) join the US in jointly condemning China for the Microsoft Exchange mega-hack. Anonymous Western security sources tell reporters that they believe Hafnium knew Microsoft was going to plug the Exchange vulnerability and so shared it with other China-based hackers, culminating in the giant global smash-and-grab. It’s another indication that the Microsoft Exchange mega-hack has the appearance of a criminal smash-and-grab event, and we are now told that this was all how China planned it to play out. And we are also told that Microsoft was about to plug this massive vulnerability but was thwarted by Chinese spies or something. The facts and details may change, but two things always stay the same: China did it, and this definitely didn’t involve the SolarWinds hack.

* July 22, 2021: France’s Macron changes phone in light of Pega­sus case:

The NSO Group scan­dal gets extra awk­ward when Emmanuel Macron’s admin­is­tra­tion offi­cial­ly acknowl­edges that it changed Macron’s mobile phone and phone num­ber after the num­ber showed up on a list of poten­tial tar­gets for sur­veil­lance by Moroc­co in the report by For­bid­den Sto­ries and Amnesty Inter­na­tion­al. Israel has formed an inter-min­is­te­r­i­al team to look into the export licens­es issued by the Defence Export Con­trols Agency (DECA). NSO Group con­tin­ues to defend itself by reit­er­at­ing that it does­n’t know the iden­ti­ties of the peo­ple tar­get­ed by Pega­sus. The com­pa­ny can, how­ev­er, retroac­tive­ly acquire the tar­get lists in the event of a com­plaint and uni­lat­er­al­ly shut down the offend­ing gov­ern­men­t’s sub­scrip­tion fol­low­ing an inves­ti­ga­tion. So over­sight only hap­pens if a com­plaint is issued over the abuse of the super-secret dif­fi­cult-to-find spy­ware. There pre­sum­ably aren’t very many com­plaints.

*******************************

That’s the story we are being asked to buy. Or rather, those are the stories we are being asked to buy. Breaking stories about two record-breaking mega-hacks and revelatory stories about two cutting-edge ‘commercial surveillance vendors’ licensing and selling zero-day exploits around the world. Separate stories, at least that’s what we are told. The SolarWinds hack and the Microsoft Exchange hack are two completely separate hacks, one executed by Russia and the other by China. The fact that the SolarWinds hackers possessed Microsoft zero-day exploits and appeared to initiate the hack using those exploits is just ignored. The fact that no actual evidence indicating it was Russia or China behind the hacks has been presented is also just ignored. And the stories about a massive, powerful global “commercial surveillance” industry selling super-exploits to governments around the world are also just ignored. As are the stories about government hacking toolkits like the CIA’s Vault 7, which had features specifically designed to spoof the “pattern recognition” approach to cyberattribution. Ignore all that. It’s a faith-based attribution paradigm, ripe for bad-faith attributions.

FireEye Wakes Up to a “Red Team Tools” Nightmare. Which Could Become Everyone’s Nightmare

December 8, 2020, was a dark day for digital security. A worst-case scenario was playing out in real time. Someone hacked the security firm FireEye and stole its “Red Team” code suite, a toolkit replicating the most powerful known attack tooling. And as experts warned, nation-states could potentially hide their own tracks using this toolkit. This is basically going to be the only time we see an expert admit that governments around the world could be intentionally. FireEye wasn’t ready to name a culprit. But the FBI announced it was confident the hack was carried out by a nation-state, and while they wouldn’t name a specific nation, it was pretty clear Russia was the prime suspect. No reasons for these suspicions were given:

The New York Times

Fire­Eye, a Top Cyber­se­cu­ri­ty Firm, Says It Was Hacked by a Nation-State

The Sil­i­con Val­ley com­pa­ny said hack­ers — almost cer­tain­ly Russ­ian — made off with tools that could be used to mount new attacks around the world.

By David E. Sanger and Nicole Perl­roth
Pub­lished Dec. 8, 2020 Updat­ed Feb. 6, 2021

WASHINGTON — For years, the cyber­se­cu­ri­ty firm Fire­Eye has been the first call for gov­ern­ment agen­cies and com­pa­nies around the world who have been hacked by the most sophis­ti­cat­ed attack­ers, or fear they might be.

Now it looks like the hack­ers — in this case, evi­dence points to Russia’s intel­li­gence agen­cies — may be exact­ing their revenge.

Fire­Eye revealed on Tues­day that its own sys­tems were pierced by what it called “a nation with top-tier offen­sive capa­bil­i­ties.” The com­pa­ny said hack­ers used “nov­el tech­niques” to make off with its own tool kit, which could be use­ful in mount­ing new attacks around the world.

It was a stun­ning theft, akin to bank rob­bers who, hav­ing cleaned out local vaults, then turned around and stole the F.B.I.’s inves­tiga­tive tools. In fact, Fire­Eye said on Tues­day, moments after the stock mar­ket closed, that it had called in the F.B.I.

The $3.5 bil­lion com­pa­ny, which part­ly makes a liv­ing by iden­ti­fy­ing the cul­prits in some of the world’s bold­est breach­es — its clients have includ­ed Sony and Equifax — declined to say explic­it­ly who was respon­si­ble. But its descrip­tion, and the fact that the F.B.I. has turned the case over to its Rus­sia spe­cial­ists, left lit­tle doubt who the lead sus­pects were and that they were after what the com­pa­ny calls “Red Team tools.”

These are essen­tial­ly dig­i­tal tools that repli­cate the most sophis­ti­cat­ed hack­ing tools in the world. Fire­Eye uses the tools — with the per­mis­sion of a client com­pa­ny or gov­ern­ment agency — to look for vul­ner­a­bil­i­ties in their sys­tems. Most of the tools are based in a dig­i­tal vault that Fire­Eye close­ly guards.

The F.B.I. on Tues­day con­firmed that the hack was the work of a state, but it also would not say which one. Matt Gorham, assis­tant direc­tor of the F.B.I. Cyber Divi­sion, said, “The F.B.I. is inves­ti­gat­ing the inci­dent and pre­lim­i­nary indi­ca­tions show an actor with a high lev­el of sophis­ti­ca­tion con­sis­tent with a nation-state.”

The hack raises the possibility that Russian intelligence agencies saw an advantage in mounting the attack while American attention — including FireEye’s — was focused on securing the presidential election system. At a moment that the nation’s public and private intelligence systems were seeking out breaches of voter registration systems or voting machines, it may have been a good time for those Russian agencies, which were involved in the 2016 election breaches, to turn their sights on other targets.

The hack was the biggest known theft of cyber­se­cu­ri­ty tools since those of the Nation­al Secu­ri­ty Agency were pur­loined in 2016 by a still-uniden­ti­fied group that calls itself the Shad­ow­Bro­kers. That group dumped the N.S.A.’s hack­ing tools online over sev­er­al months, hand­ing nation-states and hack­ers the “keys to the dig­i­tal king­dom,” as one for­mer N.S.A. oper­a­tor put it. North Korea and Rus­sia ulti­mate­ly used the N.S.A.’s stolen weapon­ry in destruc­tive attacks on gov­ern­ment agen­cies, hos­pi­tals and the world’s biggest con­glom­er­ates — at a cost of more than $10 bil­lion.

The N.S.A.’s tools were most like­ly more use­ful than FireEye’s since the U.S. gov­ern­ment builds pur­pose-made dig­i­tal weapons. FireEye’s Red Team tools are essen­tial­ly built from mal­ware that the com­pa­ny has seen used in a wide range of attacks.

Still, the advan­tage of using stolen weapons is that nation-states can hide their own tracks when they launch attacks.

“Hack­ers could lever­age FireEye’s tools to hack risky, high-pro­file tar­gets with plau­si­ble deni­a­bil­i­ty,” said Patrick War­dle, a for­mer N.S.A. hack­er who is now a prin­ci­pal secu­ri­ty researcher at Jamf, a soft­ware com­pa­ny. “In risky envi­ron­ments, you don’t want to burn your best tools, so this gives advanced adver­saries a way to use some­one else’s tools with­out burn­ing their best capa­bil­i­ties.”

A Chi­nese state-spon­sored hack­ing group was pre­vi­ous­ly caught using the N.S.A.’s hack­ing tools in attacks around the world, osten­si­bly after dis­cov­er­ing the N.S.A.’s tools on its own sys­tems. “It’s like a no-brain­er,” said Mr. War­dle.

The breach is like­ly to be a black eye for Fire­Eye. Its inves­ti­ga­tors worked with Sony after the dev­as­tat­ing 2014 attack that the firm lat­er attrib­uted to North Korea. It was Fire­Eye that was called in after the State Depart­ment and oth­er Amer­i­can gov­ern­ment agen­cies were breached by Russ­ian hack­ers in 2015. And its major cor­po­rate clients include Equifax, the cred­it mon­i­tor­ing ser­vice that was hacked three years ago, affect­ing near­ly half of the Amer­i­can pop­u­la­tion.

In the Fire­Eye attack, the hack­ers went to extra­or­di­nary lengths to avoid being seen. They cre­at­ed sev­er­al thou­sand inter­net pro­to­col address­es — many inside the Unit­ed States — that had nev­er before been used in attacks. By using those address­es to stage their attack, it allowed the hack­ers to bet­ter con­ceal their where­abouts.

“This attack is dif­fer­ent from the tens of thou­sands of inci­dents we have respond­ed to through­out the years,” said Kevin Man­dia, FireEye’s chief exec­u­tive. (He was the founder of Man­di­ant, a firm that Fire­Eye acquired in 2014.)

But Fire­Eye said it was still inves­ti­gat­ing exact­ly how the hack­ers had breached its most pro­tect­ed sys­tems. Details were thin.

Mr. Man­dia, a for­mer Air Force intel­li­gence offi­cer, said the attack­ers “tai­lored their world-class capa­bil­i­ties specif­i­cal­ly to tar­get and attack Fire­Eye.” He said they appeared to be high­ly trained in “oper­a­tional secu­ri­ty” and exhib­it­ed “dis­ci­pline and focus,” while mov­ing clan­des­tine­ly to escape the detec­tion of secu­ri­ty tools and foren­sic exam­i­na­tion. Google, Microsoft and oth­er firms that con­duct cyber­se­cu­ri­ty inves­ti­ga­tions said they had nev­er seen some of these tech­niques.

Fire­Eye also pub­lished key ele­ments of its “Red Team” tools so that oth­ers around the world would see attacks com­ing.

Amer­i­can inves­ti­ga­tors are try­ing to deter­mine if the attack has any rela­tion­ship to anoth­er sophis­ti­cat­ed oper­a­tion that the N.S.A. said Rus­sia was behind in a warn­ing issued on Mon­day. That gets into a type of soft­ware, called VM for vir­tu­al machines, which is used wide­ly by defense com­pa­nies and man­u­fac­tur­ers. The N.S.A. declined to say what the tar­gets of that attack were. It is unclear whether the Rus­sians used their suc­cess in that breach to get into FireEye’s sys­tems.

...

On Tues­day, Russia’s Nation­al Asso­ci­a­tion for Inter­na­tion­al Infor­ma­tion Secu­ri­ty held a forum with glob­al secu­ri­ty experts where Russ­ian offi­cials again claimed that there was no evi­dence its hack­ers were respon­si­ble for attacks that have result­ed in Amer­i­can sanc­tions and indict­ments.

Secu­ri­ty firms have been a fre­quent tar­get for nation-states and hack­ers, in part because their tools main­tain a deep lev­el of access to cor­po­rate and gov­ern­ment clients all over the world. By hack­ing into those tools and steal­ing source code, spies and hack­ers can gain a foothold to vic­tims’ sys­tems.

McAfee, Syman­tec and Trend Micro were among the list of major secu­ri­ty com­pa­nies whose code a Russ­ian-speak­ing hack­er group claimed to have stolen last year. Kasper­sky, the Russ­ian secu­ri­ty firm, was hacked by Israeli hack­ers in 2017. And in 2012, Syman­tec con­firmed that a seg­ment of its antivirus source code was stolen by hack­ers.

————

“Fire­Eye, a Top Cyber­se­cu­ri­ty Firm, Says It Was Hacked by a Nation-State” by David E. Sanger and Nicole Perl­roth; The New York Times; 12/08/2020

“Fire­Eye revealed on Tues­day that its own sys­tems were pierced by what it called “a nation with top-tier offen­sive capa­bil­i­ties.” The com­pa­ny said hack­ers used “nov­el tech­niques” to make off with its own tool kit, which could be use­ful in mount­ing new attacks around the world.

FireEye couldn’t say who penetrated their systems. But they nonetheless confidently state it was the work of “a nation with top-tier offensive capabilities,” an assertion ostensibly rooted in the sophisticated nature of the attack, the discipline of the attackers, and the number of never-before-seen techniques used by these unknown hackers. In other words, a guess made based on pattern recognition, and not an assertion made with real certainty. FireEye didn’t actually know this attack came from a nation with top-tier offensive capabilities when it made that statement. FireEye couldn’t have truly ruled out a private actor when it made that confident statement. Or a nation without top-tier capabilities that purchased those top-tier capabilities from a top-tier commercial malware provider like NSO Group. But making attributions in cyber attacks is a service FireEye provides. It points towards one of the fundamental binds the cybersecurity industry faces: their clients are paying for answers, whether answers are feasible or not.

And when the FBI turned the case over to its Russia specialists, and ‘confirmed’ the hack was the work of a state, it was pretty clear where the blame was ultimately going to go. That ‘confirmation’ was no doubt predicated in part on the sophistication of the hack. And yet the apparent prize of this hack was FireEye’s “Red Team” tool kit that replicated the most sophisticated hacking tools in the world. Or at least the most sophisticated known hacking tools seen in the wild. It’s implicitly obvious in this very hack that the possession of world-class hacking tools isn’t limited to major nation-states like the US, Russia, and China. Beyond that, we are told how the theft of the FireEye Red Team kit would be highly useful to nation-states because it would give them plausible deniability by allowing them to carry out risky hacks without using their own ‘zero-day’ exploits, using someone else’s tools instead. All of the details about this story point towards the hall-of-mirrors nature of cyberattribution investigations:

...
It was a stun­ning theft, akin to bank rob­bers who, hav­ing cleaned out local vaults, then turned around and stole the F.B.I.’s inves­tiga­tive tools. In fact, Fire­Eye said on Tues­day, moments after the stock mar­ket closed, that it had called in the F.B.I.

The $3.5 bil­lion com­pa­ny, which part­ly makes a liv­ing by iden­ti­fy­ing the cul­prits in some of the world’s bold­est breach­es — its clients have includ­ed Sony and Equifax — declined to say explic­it­ly who was respon­si­ble. But its descrip­tion, and the fact that the F.B.I. has turned the case over to its Rus­sia spe­cial­ists, left lit­tle doubt who the lead sus­pects were and that they were after what the com­pa­ny calls “Red Team tools.”

These are essen­tial­ly dig­i­tal tools that repli­cate the most sophis­ti­cat­ed hack­ing tools in the world. Fire­Eye uses the tools — with the per­mis­sion of a client com­pa­ny or gov­ern­ment agency — to look for vul­ner­a­bil­i­ties in their sys­tems. Most of the tools are based in a dig­i­tal vault that Fire­Eye close­ly guards.

The F.B.I. on Tuesday confirmed that the hack was the work of a state, but it also would not say which one. Matt Gorham, assistant director of the F.B.I. Cyber Division, said, “The F.B.I. is investigating the incident and preliminary indications show an actor with a high level of sophistication consistent with a nation-state.”

...

The N.S.A.’s tools were most like­ly more use­ful than FireEye’s since the U.S. gov­ern­ment builds pur­pose-made dig­i­tal weapons. FireEye’s Red Team tools are essen­tial­ly built from mal­ware that the com­pa­ny has seen used in a wide range of attacks.

Still, the advan­tage of using stolen weapons is that nation-states can hide their own tracks when they launch attacks.

“Hackers could leverage FireEye’s tools to hack risky, high-profile targets with plausible deniability,” said Patrick Wardle, a former N.S.A. hacker who is now a principal security researcher at Jamf, a software company. “In risky environments, you don’t want to burn your best tools, so this gives advanced adversaries a way to use someone else’s tools without burning their best capabilities.”

A Chi­nese state-spon­sored hack­ing group was pre­vi­ous­ly caught using the N.S.A.’s hack­ing tools in attacks around the world, osten­si­bly after dis­cov­er­ing the N.S.A.’s tools on its own sys­tems. “It’s like a no-brain­er,” said Mr. War­dle.
...

And as the article reminds us, despite all the hype about the ‘Shadow Brokers’ being a Russian hacker group, the global community has still never truly determined their identity. As is the case with nearly all major hacks, the identities of the perpetrators are ultimately unknowable based on the available evidence:

...
The hack was the biggest known theft of cyber­se­cu­ri­ty tools since those of the Nation­al Secu­ri­ty Agency were pur­loined in 2016 by a still-uniden­ti­fied group that calls itself the Shad­ow­Bro­kers. That group dumped the N.S.A.’s hack­ing tools online over sev­er­al months, hand­ing nation-states and hack­ers the “keys to the dig­i­tal king­dom,” as one for­mer N.S.A. oper­a­tor put it. North Korea and Rus­sia ulti­mate­ly used the N.S.A.’s stolen weapon­ry in destruc­tive attacks on gov­ern­ment agen­cies, hos­pi­tals and the world’s biggest con­glom­er­ates — at a cost of more than $10 bil­lion.
...

It’s also worth observing how FireEye was declaring that the attackers “tailored their world-class capabilities specifically to target and attack FireEye.” And yet, as we learn, this wasn’t a specific attack on FireEye at all. It was an attack on FireEye and SolarWinds’s 18,000 other customers. FireEye was just a very juicy target to pilfer amongst the thousands the hackers had to choose from:

...
But Fire­Eye said it was still inves­ti­gat­ing exact­ly how the hack­ers had breached its most pro­tect­ed sys­tems. Details were thin.

Mr. Man­dia, a for­mer Air Force intel­li­gence offi­cer, said the attack­ers “tai­lored their world-class capa­bil­i­ties specif­i­cal­ly to tar­get and attack Fire­Eye.” He said they appeared to be high­ly trained in “oper­a­tional secu­ri­ty” and exhib­it­ed “dis­ci­pline and focus,” while mov­ing clan­des­tine­ly to escape the detec­tion of secu­ri­ty tools and foren­sic exam­i­na­tion. Google, Microsoft and oth­er firms that con­duct cyber­se­cu­ri­ty inves­ti­ga­tions said they had nev­er seen some of these tech­niques.

...

On Tues­day, Russia’s Nation­al Asso­ci­a­tion for Inter­na­tion­al Infor­ma­tion Secu­ri­ty held a forum with glob­al secu­ri­ty experts where Russ­ian offi­cials again claimed that there was no evi­dence its hack­ers were respon­si­ble for attacks that have result­ed in Amer­i­can sanc­tions and indict­ments.

Secu­ri­ty firms have been a fre­quent tar­get for nation-states and hack­ers, in part because their tools main­tain a deep lev­el of access to cor­po­rate and gov­ern­ment clients all over the world. By hack­ing into those tools and steal­ing source code, spies and hack­ers can gain a foothold to vic­tims’ sys­tems.
...

Finally, note that FireEye is far from the only cybersecurity firm whose code was reportedly stolen by ‘a Russian-speaking hacker group’ last year. McAfee, Symantec, and Trend Micro were all named by the group claiming to have stolen their code. Which means the “Red Team code” kits from all those other firms may also be floating around out there. And in each case, the culprits were “Russian-speaking hackers”. Whoever has been hacking these other security firms has been leaving a Russian-language trail behind. It’s a thing:

...
McAfee, Syman­tec and Trend Micro were among the list of major secu­ri­ty com­pa­nies whose code a Russ­ian-speak­ing hack­er group claimed to have stolen last year. Kasper­sky, the Russ­ian secu­ri­ty firm, was hacked by Israeli hack­ers in 2017. And in 2012, Syman­tec con­firmed that a seg­ment of its antivirus source code was stolen by hack­ers.
...

And yet, as we’re going to see, that’s not actu­al­ly the case with the Fire­Eye hack. No Russ­ian lan­guage arti­facts, or any oth­er lan­guage arti­facts, were left in the mal­ware used to attack Fire­Eye. And as we’re also going to see, this lack of lan­guage arti­facts in the att­tack — no Cyril­lic, or Man­darin or Per­sion — was seen as a utter shock by the Crowd­Strike fig­ures tasked with study­ing the attack.

FireEye Didn’t Start the Fire. Welcome to the SolarWinds Nightmare. Brought to You by Cozy Bear, According to the FBI, although FireEye isn’t So Sure

The FireEye nightmare explodes into the even worse SolarWinds waking nightmare. It was determined that SolarWinds’s Orion update software delivered the malware onto FireEye’s systems. It’s the kind of ominous discovery that comes with the implication that the other 18,000 SolarWinds clients running the Orion software got hit too. Which is basically what happened.

We also got an early hint from SolarWinds about how the hack started in the first place: in its corporate filing disclosing the hack with the SEC, SolarWinds indicated that Microsoft’s Office 365 email may have been “an attack vector” used by the hackers.

And as we can see, the FBI was ready to name names from the very onset of this investigation. It took basically no time at all: APT29 aka Cozy Bear is at it again. That was the line from the FBI. The infamous hacking group thought to work for Russia’s FSB (or SVR, it’s unclear) and that the US claims was behind the first hack of the Democratic National Committee (DNC) in 2015 was also behind the new SolarWinds mega-hack. No reasons for this attribution are given, of course:

The Washington Post

Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce

By Ellen Nakashima and Craig Timberg
December 14, 2020 at 11:30 a.m. EST

Russian government hackers breached the Treasury and Commerce departments, along with other U.S. government agencies, as part of a global espionage campaign that stretches back months, according to people familiar with the matter.

Officials were scrambling over the weekend to assess the nature and extent of the intrusions and implement effective countermeasures, but initial signs suggested the breach was long-running and significant, the people familiar with the matter said.

The Russian hackers, known by the nicknames APT29 or Cozy Bear, are part of that nation’s foreign intelligence service, the SVR, and they breached email systems in some cases, said the people familiar with the intrusions, who spoke on the condition of anonymity because of the sensitivity of the matter. The same Russian group hacked the State Department and the White House email servers during the Obama administration.

The FBI is investigating the campaign, which may have begun as early as spring, and had no comment Sunday. The victims have included government, consulting, technology, telecom, and oil and gas companies in North America, Europe, Asia and the Middle East, according to FireEye, a cyber firm that itself was breached.

The Russian Embassy in Washington on Sunday called the reports of Russian hacking “baseless.” In a statement on Facebook it said, “attacks in the information space contradict” Russian foreign policy and national interests. “Russia does not conduct offensive operations” in the cyber domain.

All of the organizations were breached through the update server of a network management system made by the firm SolarWinds, FireEye said in a blog post Sunday.

The federal Cybersecurity and Infrastructure Security Agency issued an alert Sunday warning about an “active exploitation” of the SolarWinds Orion Platform, from versions of the software released in March and June. “CISA encourages affected organizations to read the SolarWinds and FireEye advisories for more information and FireEye’s GitHub page for detection countermeasures,” the alert said.

SolarWinds said Sunday in a statement that monitoring products it released in March and June of this year may have been surreptitiously weaponized in a “highly-sophisticated, targeted . . . attack by a nation state.”

The company filed a document Monday with the Securities and Exchange Commission saying that “fewer than 18,000” of its more than 300,000 customers may have installed a software patch enabling the Russian attack. It was not clear, the filing said, how many systems were actually hacked. The corporate filing also said that Microsoft’s Office 365 email may have been “an attack vector” used by the hackers.

Microsoft said in a blog post Sunday that it had not identified any Microsoft product or cloud service vulnerabilities in its investigation of the matter.

The scale of the Russian espionage operation appears to be large, said several individuals familiar with the matter. “This is looking very, very bad,” said one person. SolarWinds products are used by organizations across the world. They include all five branches of the U.S. military, the Pentagon, State Department, Justice Department, NASA, the Executive Office of the President and the National Security Agency, the world’s top electronic spy agency, according to the firm’s website.

Its clients also include the top 10 U.S. telecommunications companies.

“This is a big deal, and given what we now know about where breaches happened, I’m expecting the scope to grow as more logs are reviewed,” said John Scott-Railton, a senior researcher at Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy. “When an aggressive group like this gets an open sesame to many desirable systems, they are going to use it widely.”

FireEye reported last week that it was breached and that hacking tools it uses to test clients’ computer defenses were stolen. The Washington Post reported that APT29 was the group behind that hack. FireEye and Microsoft, which were investigating the breach, discovered the hackers were gaining access to victims through updates to SolarWinds’ Orion network monitoring software, FireEye said in its blog post, without publicly naming the Russians.

...

At Commerce, the Russians targeted the National Telecommunications and Information Administration, an agency that handles Internet and telecommunications policy, Reuters reported. They have also been linked to attempts to steal coronavirus research.

In 2014 and 2015, the same group carried out a wide-ranging espionage campaign that targeted thousands of organizations, including government agencies, foreign embassies, energy companies, telecommunications firms and universities.

As part of that operation, it hacked the unclassified email systems of the White House, the Pentagon’s Joint Chiefs of Staff and the State Department.

“That was the first time we saw the Russians become much more aggressive, and instead of simply fading away like ghosts when they were detected, they actually contested access to the networks,” said Michael Daniel, who was White House cybersecurity coordinator at the time.

One of its victims in 2015 was the Democratic National Committee. But unlike a rival Russian spy agency, the GRU, which also hacked the DNC, it did not leak the stolen material. In 2016, the GRU military spy agency leaked hacked emails to the online anti-secrecy organization WikiLeaks in an operation that disrupted the Democrats’ national convention in the midst of the presidential campaign.

The SVR, by contrast, generally steals information for traditional espionage purposes, seeking secrets that might help the Kremlin understand the plans and motives of politicians and policymakers. Its operators also have filched industrial data and hacked foreign ministries.

Because the Obama administration saw the APT29 operation as traditional espionage, it did not consider taking punitive measures, said Daniel, who is now president and chief executive of the Cyber Threat Alliance, an information-sharing group for cybersecurity companies.

“It was information collection, which is what nation states — including the United States — do,” he said. “From our perspective, it was more important to focus on shoring up defenses.”

But Chris Painter, State Department cyber coordinator in the Obama administration, said even if the Russian campaign is strictly about espionage and there’s no norm against spying, if the scope is broad there should be consequences. “We just don’t have to sit still for it and say ‘good job,’ ” he said.

Sanctions might be one answer, especially if done in concert with allies who were similarly affected, he said. “The problem is there’s not even been condemnation from the top. President Trump hasn’t wanted to say anything bad to Russia, which only encourages them to act irresponsibly across a wide range of activities.”

At the very least, he said, “you’d want to make clear to [Russian President Vladimir] Putin that this is unacceptable — the scope is unacceptable.”

So far there is no sign that the current campaign is being waged for purposes of leaking information or for disruption of critical infrastructure, such as electric grids.

SolarWinds’ monitoring tool has extremely deep “administrative” access to a network’s core functions, which means that hacking the tool would allow the Russians to freely root around victims’ systems.

APT29 compromised SolarWinds so that any time a customer checked in to request an update, the Russians could hitch a ride on the weaponized update to get into a victim’s system. FireEye dubbed the malware that the hackers used “Sunburst.”

“Monday may be a bad day for lots of security teams,” tweeted Dmitri Alperovitch, a cybersecurity expert and founder of the Silverado Policy Accelerator think tank.

———–

“Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce” by Ellen Nakashima and Craig Timberg; The Washington Post; 12/14/2020

“The Russian hackers, known by the nicknames APT29 or Cozy Bear, are part of that nation’s foreign intelligence service, the SVR, and they breached email systems in some cases, said the people familiar with the intrusions, who spoke on the condition of anonymity because of the sensitivity of the matter. The same Russian group hacked the State Department and the White House email servers during the Obama administration.”

Less than a week after the FireEye nightmare hack is first announced to the world, we learn it was just one part of a much larger SolarWinds nightmare. A global espionage campaign that seemingly targeted US government agencies. And the US government had already determined the culprit: APT29/Cozy Bear was behind it. That’s the word we were getting from anonymous sources tied to the investigation. It was definitely Russia who had thoroughly hacked the US government’s networks starting in March of 2020 and was reading all those government emails and routing through US government networks this whole time:

...
The federal Cybersecurity and Infrastructure Security Agency issued an alert Sunday warning about an “active exploitation” of the SolarWinds Orion Platform, from versions of the software released in March and June. “CISA encourages affected organizations to read the SolarWinds and FireEye advisories for more information and FireEye’s GitHub page for detection countermeasures,” the alert said.

SolarWinds said Sunday in a statement that monitoring products it released in March and June of this year may have been surreptitiously weaponized in a “highly-sophisticated, targeted . . . attack by a nation state.”

...

SolarWinds’ monitoring tool has extremely deep “administrative” access to a network’s core functions, which means that hacking the tool would allow the Russians to freely root around victims’ systems.
...

And note this ominous early detail: in its corporate filing disclosing the hack with the SEC, SolarWinds indicated that Microsoft’s Office 365 email may have been “an attack vector” used by the hackers. Now, it’s important to note that this language is somewhat vague as to whether Microsoft’s Office 365 was used for the initial attack to infect the SolarWinds network or whether it was used after the SolarWinds hack to further exploit the networks of the 18,000 victims. But as we’re going to see, SolarWinds confirms two months later that, yes, this Microsoft Office 365 email vulnerability was used in the initial hack of the SolarWinds network:

...
The company filed a document Monday with the Securities and Exchange Commission saying that “fewer than 18,000” of its more than 300,000 customers may have installed a software patch enabling the Russian attack. It was not clear, the filing said, how many systems were actually hacked. The corporate filing also said that Microsoft’s Office 365 email may have been “an attack vector” used by the hackers.

Microsoft said in a blog post Sunday that it had not identified any Microsoft product or cloud service vulnerabilities in its investigation of the matter.
...

Finally, observe how similar the narrative we’re hearing now is to exactly what we heard from the US government in 2016 following the remarkably ‘aggressive’ and ‘noisy’ second hack of the DNC that we are told was executed by ‘Fancy Bear’ of Russia’s GRU. Recall how, back in late July 2016, US investigators were suggesting Fancy Bear was trying to get caught in the DNC hack. That was the explanation given for the notable apparent lack of sophistication in the hack, which was seen as very different from previous hacks attributed to Fancy Bear. So now we’re more or less hearing the same story in relation to Cozy Bear: this hack was highly uncharacteristic for Cozy Bear in the sense that the hackers actively fought to maintain their grip on the networks even after being caught. But we are nonetheless assured it’s Cozy Bear:

...
As part of that operation, it hacked the unclassified email systems of the White House, the Pentagon’s Joint Chiefs of Staff and the State Department.

“That was the first time we saw the Russians become much more aggressive, and instead of simply fading away like ghosts when they were detected, they actually contested access to the networks,” said Michael Daniel, who was White House cybersecurity coordinator at the time.

One of its victims in 2015 was the Democratic National Committee. But unlike a rival Russian spy agency, the GRU, which also hacked the DNC, it did not leak the stolen material. In 2016, the GRU military spy agency leaked hacked emails to the online anti-secrecy organization WikiLeaks in an operation that disrupted the Democrats’ national convention in the midst of the presidential campaign.

The SVR, by contrast, generally steals information for traditional espionage purposes, seeking secrets that might help the Kremlin understand the plans and motives of politicians and policymakers. Its operators also have filched industrial data and hacked foreign ministries.
...

They weren’t behaving like Cozy Bear, which has never been known to behave this aggressively before. But it was definitely Cozy Bear. That’s what the US was confidently stating less than a week after the FireEye hack was disclosed. Yet FireEye wasn’t convinced. It’s one of the many data points pointing in the direction of contemporary cyber attributions being mostly just made-up convenient narratives:

Bloomberg Quint

FireEye Discovered SolarWinds Breach While Probing Own Hack

Kartikay Mehrotra
Published Dec 15 2020, 7:32 AM
Updated Dec 16 2020, 7:25 AM

(Bloomberg) — When FireEye Inc. discovered that it was hacked this month, the cybersecurity firm’s investigators immediately set about trying to figure out how attackers got past its defenses.

It wasn’t just FireEye that got attacked, they quickly found out. Investigators discovered a vulnerability in a product made by one of its software providers, Texas-based SolarWinds Corp.

“We looked through 50,000 lines of source code, which we were able to determine there was a backdoor within SolarWinds,” said Charles Carmakal, senior vice president and chief technical officer at Mandiant, FireEye’s incident response arm.

After discovering the backdoor, FireEye contacted SolarWinds and law enforcement, Carmakal said.

...

National Security Advisor Robert O’Brien cut short a trip to the Middle East and Europe to deal with the hack of U.S. government agencies. And Senator Richard Blumenthal, Democrat from Connecticut, said a classified briefing on “Russia’s cyber-attack left me deeply alarmed, in fact downright scared.”

The hackers who attacked FireEye stole sensitive tools that the company uses to find vulnerabilities in clients’ computer networks. While the hack on FireEye was embarrassing for a cybersecurity firm, Carmakal argued that it may prove to be a crucial mistake for the hackers.

“If this actor didn’t hit FireEye, there is a chance that this campaign could have gone on for much, much longer,” Carmakal said. “One silver lining is that we learned so much about how this threat actor works and shared it with our law enforcement, intelligence community and security partners.” Carmakal said there is no evidence FireEye’s stolen hacking tools were used against U.S. government agencies.

“There will unfortunately be more victims that have to come forward in the coming weeks and months,” he said. While some have attributed the attack to a state-sponsored Russian group known as APT 29, or Cozy Bear, FireEye had not yet seen sufficient evidence to name the actor, he said. A Kremlin official denied that Russia had any involvement.

...

Carmakal said the hackers took advanced steps to conceal their actions. “Their level of operational security is truly exceptional,” he said, adding that the hackers would operate from servers based in the same city as an employee they were pretending to be in order to evade detection.

...

———–

“FireEye Discovered SolarWinds Breach While Probing Own Hack” by Kartikay Mehrotra; Bloomberg Quint; 12/15/2020

““There will unfortunately be more victims that have to come forward in the coming weeks and months,” he said. While some have attributed the attack to a state-sponsored Russian group known as APT 29, or Cozy Bear, FireEye had not yet seen sufficient evidence to name the actor, he said. A Kremlin official denied that Russia had any involvement.”

That early hesitancy on FireEye’s part to name a culprit due to a lack of evidence is going to be important to keep in mind. Because, as we see in an NPR article from April of 2021, four months after the attack, there still wasn’t any new conclusive information about the hackers. No clue that could positively identify the hackers, and not even the joke ‘clues’ like Cyrillic or Mandarin characters. Nothing. The big shock expressed by Adam Meyers of CrowdStrike — the figure who led the early investigation of the SolarWinds hack — was that there wasn’t any ‘cultural artifact’ like Cyrillic or Mandarin. And yet we’re going to hear assertion after assertion that this was the work of Russian government hackers. Never an explanation why.
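The ‘cultural artifact’ check that keeps coming up here (Cyrillic, Mandarin or Persian strings left in a sample) is, mechanically, nothing more than pulling printable strings out of a binary and looking up which Unicode block their letters fall in. The script below is an added example, not code from the post or from any of the firms quoted in it: the sample blob, the string names and the (deliberately small) script table are constructed for illustration.

```python
"""
Pull printable strings out of a binary blob and tally which writing systems
appear in them, the "cultural artifact" check that attribution write-ups
lean on. Added example; SAMPLE_BLOB is constructed and SCRIPT_RANGES is a
small subset of Unicode chosen for the example, not a complete table.
"""
from __future__ import annotations

import re

# Unicode block ranges used to name a script (assumption of this example).
SCRIPT_RANGES = {
    "Cyrillic": [(0x0400, 0x052F)],
    "Han": [(0x3400, 0x4DBF), (0x4E00, 0x9FFF)],
    "Arabic": [(0x0600, 0x06FF), (0x0750, 0x077F)],  # Persian uses Arabic script
    "Hangul": [(0x1100, 0x11FF), (0xAC00, 0xD7AF)],
}

# Constructed stand-in for a binary: ASCII imports and a PDB path, three short
# non-Latin strings separated by NUL bytes, and some undecodable junk.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00kernel32.dll\x00GetProcAddress\x00"
    + "Ошибка загрузки".encode("utf-8") + b"\x00"   # Russian: "load error"
    + b"C:\\build\\release\\agent.pdb\x00"
    + "错误代码".encode("utf-8") + b"\x00"            # Chinese: "error code"
    + "خطا رخ داد".encode("utf-8") + b"\x00"         # Persian: "an error occurred"
    + b"\xff\xfe\x01\x02done\x00"
)


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Printable runs of at least min_len characters, decoding the blob as
    UTF-8. Undecodable bytes become U+FFFD and act as run separators, so a
    stray high byte never glues two unrelated strings together."""
    text = data.decode("utf-8", errors="replace")
    pattern = re.compile(r"[^\x00-\x1f\x7f\ufffd]{%d,}" % min_len)
    return pattern.findall(text)


def script_of(ch: str) -> str:
    """Name the script of one character: a block from SCRIPT_RANGES, 'Latin'
    for the Basic Latin / Latin-1 / Latin Extended area, otherwise 'Other'."""
    cp = ord(ch)
    for name, ranges in SCRIPT_RANGES.items():
        if any(lo <= cp <= hi for lo, hi in ranges):
            return name
    return "Latin" if cp < 0x0250 else "Other"


def scripts_in(s: str) -> set[str]:
    """Scripts used by the letters of s (digits and punctuation are ignored)."""
    return {script_of(ch) for ch in s if ch.isalpha()}


def language_artifacts(data: bytes, min_len: int = 4) -> dict:
    """Tally every non-Latin script across the blob's strings. 'share' is the
    fraction of all extracted strings that use the script; that is the number
    to look at before calling one string a 'cultural artifact'."""
    strings = extract_strings(data, min_len)
    by_script: dict[str, list[str]] = {}
    for s in strings:
        for name in scripts_in(s) - {"Latin"}:
            by_script.setdefault(name, []).append(s)
    total = len(strings)
    return {
        "total_strings": total,
        "artifacts": {
            name: {"count": len(hits),
                   "share": round(len(hits) / total, 3),
                   "samples": hits[:3]}
            for name, hits in by_script.items()
        },
    }


if __name__ == "__main__":
    for name, info in language_artifacts(SAMPLE_BLOB)["artifacts"].items():
        print(f"{name}: {info['count']} string(s), share {info['share']}: {info['samples']}")
```

Two caveats that matter for the argument above. On the constructed blob each script is one string out of seven, which is the kind of evidence such reports rest on; a single string is trivially present or absent and says nothing about who typed it. And this pass only decodes UTF-8: Windows binaries carry most of their strings as UTF-16LE, and decoding plain ASCII as UTF-16 lands in the Han block, which is a classic way for a hurried analyst to ‘find’ Mandarin that was never there.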

Is this the SolarWinds Mega-Hack? Or the Microsoft Mega-hack?

Similarly, note how SolarWinds was pointing a finger at a vulnerability in Microsoft’s Office 365 email as being a vector in the hack, and yet Microsoft was vociferously denying that a vulnerability in its own products played a role at all. As we’ll see, there’s never an explanation. Just faith. Faith in Microsoft. Faith that was again tested days after the initial disclosure of the hack when SolarWinds revealed more details on the nature of the Microsoft exploits used by the hackers. Somehow the hackers were tricking Microsoft’s authentication controls. This includes forging authentication tokens for Microsoft’s Azure cloud services and creating password credentials for legitimate processes, enabling them to read emails from Microsoft’s Exchange Online cloud-based email service. Keep in mind that the Microsoft Exchange mega-hack announced in March was targeting the non-cloud, self-hosted Microsoft Exchange email servers. So when the SolarWinds hackers demonstrated an ability to break into the cloud-based Exchange servers, they were demonstrating a capability that wasn’t exactly the same as that used to execute the Microsoft Exchange mega-hack, but awfully close. And yet we will be repeatedly assured by Microsoft that the Microsoft Exchange hack was carried out by China and not at all connected to the SolarWinds hack or “commercial surveillance vendors”. That’s part of what makes these early disclosures by Microsoft itself, that the SolarWinds hackers demonstrated a remarkable ability to manipulate Microsoft system credentials, so significant. These are disclosures Microsoft seems to want to forget as this looks more and more like a Microsoft mega-hack:

CRN

Microsoft’s Role In SolarWinds Breach Comes Under Scrutiny

By Michael Novinson
December 15, 2020, 05:18 PM EST

Microsoft has become ensnared in probes surrounding the recently disclosed colossal U.S. government hack, with media reports and company messages focusing on Office 365, Azure Active Directory and a key domain name.

Two key victims in the massive nation-state hacking campaign reportedly had their Microsoft Office 365 accounts broken into. The Russian intelligence service hackers for months monitored staff emails sent via Office 365 at the Commerce Department’s National Telecommunications and Information Administration (NTIA) after breaking into the NTIA’s office software, Reuters reported Sunday.

The hackers are “highly sophisticated” and were able to trick the Microsoft platform’s authentication controls, according to Reuters, citing a person familiar with the incident. The Commerce Department said that one of its bureaus had been breached, but didn’t respond to an inquiry about the role of Office 365 in the attack.

Microsoft didn’t provide an on-the-record response to CRN questions about if the company itself was breached as part of this campaign, and how significant Microsoft’s technology was in the hackers’ ability to exploit customers. Microsoft said in a blog post Sunday that its investigations haven’t identified any Microsoft product or cloud service vulnerabilities. Once an attacker has compromised a target network, they potentially have access to a range of systems, according to a source familiar with the situation.

On Monday, SolarWinds said it was made aware of an attack vector that was used to compromise the company’s Microsoft Office 365 emails, according to a filing with the U.S. Securities and Exchange Commission (SEC). Hackers had gained access to numerous public and private organizations through trojanized updates to SolarWinds’ Orion network monitoring software, FireEye said in a blog Sunday.

That same attack vector might have provided access to other data contained in SolarWinds’ Office 365 office productivity tool, the company said. SolarWinds said it’s probing with Microsoft if any customer, personnel or other data was exfiltrated as a result of this compromise, but hasn’t uncovered any evidence at this time of exfiltration.

“SolarWinds, in collaboration with Microsoft, has taken remediation steps to address the compromise and is investigating whether further remediation steps are required, over what period of time this compromise existed and whether the compromise is associated with the attack on its Orion software build system,” the company wrote in its SEC filing.

As for Azure, the hackers were able to forge a token which claims to represent a highly privileged account in Azure Active Directory (AD), the Microsoft Security Research Center wrote in a blog Sunday. The hackers could also gain administrative Azure AD privileges with compromised credentials. Microsoft said this was particularly likely if the account in question is not protected by multi-factor authentication.

“Having gained a significant foothold in the on-premises environment, the actor has made modifications to Azure Active Directory settings to facilitate long term access,” the Microsoft Security Research Center wrote.

The hackers were observed adding new federation trusts to an existing tenant or modifying the properties of an existing federation trust to accept tokens signed with hacker-owned certificates, Microsoft said. They could also use their administrator privileges to grant additional permissions to the target Application or Service Principal, according to Microsoft.

Microsoft also observed the hackers adding password credentials or x509 certificates to legitimate processes, granting them the ability to read mail content from Exchange Online via Microsoft Graph or Outlook REST. Examples of this happening include mail archiving applications, the firm said. Permissions usually, but not always, considered only the app identity rather than the current user’s permissions.

And from a domain perspective, Microsoft on Monday took control over a key domain name that was used by the SolarWinds hackers to communicate with systems compromised by the backdoor Orion product updates, KrebsOnSecurity reported Tuesday. Microsoft has a long history of seizing control of domains involved with malware, particularly when those sites are being used to attack Windows clients.

Armed with that access, KrebsOnSecurity said Microsoft should soon have some idea which and how many SolarWinds customers were affected. That’s because Microsoft now has insight into which organizations have IT systems that are still trying to ping the malicious domain, KrebsOnSecurity said.

“However, because many Internet service providers and affected companies are already blocking systems from accessing that malicious control domain or have disconnected the vulnerable Orion services, Microsoft’s visibility may be somewhat limited,” KrebsOnSecurity cautioned.

...

———-

“Microsoft’s Role In SolarWinds Breach Comes Under Scrutiny” by Michael Novinson; CRN; 12/15/2020

“Two key victims in the massive nation-state hacking campaign reportedly had their Microsoft Office 365 accounts broken into. The Russian intelligence service hackers for months monitored staff emails sent via Office 365 at the Commerce Department’s National Telecommunications and Information Administration (NTIA) after breaking into the NTIA’s office software, Reuters reported Sunday.”

The ‘Russian hackers’ were reading government emails for months. And while we were being assured that it was Russia behind it, it’s worth keeping in mind that the idea that it was Russia reading these emails is actually far more reassuring than the idea of cybercriminals doing the same, because at least Russia is less inclined to sell or release the data. In other words, these early, aggressively confident attributions towards Russia aren’t just self-serving from the standpoint of aligning with US geopolitical interests. They’re also highly self-serving for Microsoft, SolarWinds, and the US government agencies that got hacked, by downplaying the potential implications of the hack.

Now note these early details of how Microsoft vulnerabilities were used in the attack. The hackers were tricking Microsoft’s authentication controls. They could forge authentication tokens enabling access to Microsoft’s cloud-based Azure services. But critically, they were gaining access to read mail content from Exchange Online, effectively demonstrating the ability to hack Microsoft’s cloud-based Exchange email servers. This is going to be an important detail to keep in mind as we read about the Microsoft Exchange server mega-hack disclosed in March:

...
The hackers are “highly sophisticated” and were able to trick the Microsoft platform’s authentication controls, according to Reuters, citing a person familiar with the incident. The Commerce Department said that one of its bureaus had been breached, but didn’t respond to an inquiry about the role of Office 365 in the attack.

...

As for Azure, the hackers were able to forge a token which claims to represent a highly privileged account in Azure Active Directory (AD), the Microsoft Security Research Center wrote in a blog Sunday. The hackers could also gain administrative Azure AD privileges with compromised credentials. Microsoft said this was particularly likely if the account in question is not protected by multi-factor authentication.

...

Microsoft also observed the hackers adding password credentials or x509 certificates to legitimate processes, granting them the ability to read mail content from Exchange Online via Microsoft Graph or Outlook REST. Examples of this happening include mail archiving applications, the firm said. Permissions usually, but not always, considered only the app identity rather than the current user’s permissions.
...

And note that at this point Microsoft itself is also describing how it observed the hackers adding password credentials or x509 certificates to legitimate processes to enable the reading of emails. Microsoft’s own security researchers were telling us about this. And yet, as we’ll see in the articles below from February, Microsoft insists that vulnerabilities in its software played no role at all in the hack and that all such reports are misinformation.
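The three Azure AD observations the CRN excerpt attributes to Microsoft (a federation trust edited to accept tokens signed with an attacker-held certificate, credentials added to a legitimate service principal, and that principal granted application-level mail permissions) each leave a tenant audit-log record, which is what a defender would actually hunt for. The script below is an added example, not code from the post or from Microsoft: the audit records are constructed, and the activity names and property names it keys on (`Set federation settings on domain`, `Add service principal credentials`, `SigningCertificate`, `KeyDescription`, `AppRole.Value`) are assumptions to be checked against what your own tenant emits.

```python
"""
Triage constructed Azure AD audit-log records for three techniques: a domain
federation trust changed to a signing certificate outside the baseline, a new
credential attached to an application or service principal, and an app-role
grant that lets an application identity read mail without a signed-in user.
Added example; records and activity/property names are constructed/assumed.
"""
import json

# Audit activity names keyed on (assumed; verify against your tenant's logs).
FEDERATION_ACTIVITIES = {"Set federation settings on domain", "Set domain authentication"}
CREDENTIAL_ACTIVITIES = {"Add service principal credentials",
                         "Update application - Certificates and secrets management"}
PERMISSION_ACTIVITIES = {"Add app role assignment to service principal"}
# Application (not delegated) roles that read mailboxes as the app itself.
MAIL_APP_ROLES = {"Mail.Read", "Mail.ReadWrite", "full_access_as_app"}

# Known-good token-signing certificate thumbprints per federated domain
# (constructed baseline; in practice this lives under change control).
FEDERATION_BASELINE = {"corp.example.com": {"AA11" * 10}}

# Constructed audit records in the general shape of Azure AD audit-log JSON.
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDateTime": "2020-10-03T02:14:07Z",
     "activityDisplayName": "Set federation settings on domain",
     "initiatedBy": {"user": {"userPrincipalName": "svc-adconnect@corp.example.com"}},
     "targetResources": [{"displayName": "corp.example.com", "type": "Domain",
                          "modifiedProperties": [{"displayName": "SigningCertificate",
                                                  "oldValue": "AA11" * 10,
                                                  "newValue": "BB22" * 10}]}]},
    {"activityDateTime": "2020-10-03T02:20:41Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "svc-adconnect@corp.example.com"}},
     "targetResources": [{"displayName": "Mail Archiver", "type": "ServicePrincipal",
                          "modifiedProperties": [{"displayName": "KeyDescription",
                                                  "newValue": "[KeyType=AsymmetricX509Cert;Usage=Verify]"}]}]},
    {"activityDateTime": "2020-10-03T02:21:09Z",
     "activityDisplayName": "Add app role assignment to service principal",
     "initiatedBy": {"user": {"userPrincipalName": "svc-adconnect@corp.example.com"}},
     "targetResources": [{"displayName": "Mail Archiver", "type": "ServicePrincipal",
                          "modifiedProperties": [{"displayName": "AppRole.Value",
                                                  "newValue": "Mail.Read"}]}]},
    {"activityDateTime": "2020-10-03T09:00:00Z",
     "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@corp.example.com"}},
     "targetResources": [{"displayName": "jdoe", "type": "User", "modifiedProperties": []}]},
])


def _props(event):
    """Flatten modifiedProperties over all target resources into {name: newValue}."""
    props = {}
    for res in event.get("targetResources", []):
        for p in res.get("modifiedProperties", []):
            props[p.get("displayName")] = str(p.get("newValue", "")).strip('"')
    return props


def _actor(event):
    user = event.get("initiatedBy", {}).get("user") or {}
    return user.get("userPrincipalName", "<unknown>")


def _targets(event):
    return [r.get("displayName", "?") for r in event.get("targetResources", [])]


def find_federation_changes(events, baseline=FEDERATION_BASELINE):
    """Federation edits whose new signing certificate is not in the baseline
    (a missing certificate value is treated as unknown and flagged too)."""
    out = []
    for e in events:
        if e.get("activityDisplayName") not in FEDERATION_ACTIVITIES:
            continue
        cert = _props(e).get("SigningCertificate")
        for domain in _targets(e):
            if cert not in baseline.get(domain, set()):
                out.append({"time": e.get("activityDateTime"), "actor": _actor(e),
                            "domain": domain, "new_cert": cert})
    return out


def find_credential_additions(events):
    """Any new secret or certificate attached to an app or service principal."""
    return [{"time": e.get("activityDateTime"), "actor": _actor(e),
             "target": t, "detail": _props(e).get("KeyDescription")}
            for e in events if e.get("activityDisplayName") in CREDENTIAL_ACTIVITIES
            for t in _targets(e)]


def find_mail_permission_grants(events):
    """App-role grants that give an application identity mailbox access."""
    out = []
    for e in events:
        if e.get("activityDisplayName") not in PERMISSION_ACTIVITIES:
            continue
        role = _props(e).get("AppRole.Value")
        if role in MAIL_APP_ROLES:
            for t in _targets(e):
                out.append({"time": e.get("activityDateTime"), "actor": _actor(e),
                            "target": t, "role": role})
    return out


def triage(raw_json):
    """Run all three detectors; actors seen in more than one category are the
    ones to pull first, since the techniques chain together."""
    events = json.loads(raw_json)
    findings = {"federation": find_federation_changes(events),
                "credentials": find_credential_additions(events),
                "mail_grants": find_mail_permission_grants(events)}
    seen = {}
    for category, items in findings.items():
        for f in items:
            seen.setdefault(f["actor"], set()).add(category)
    findings["correlated_actors"] = sorted(a for a, c in seen.items() if len(c) > 1)
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_AUDIT_LOG), indent=2))
```

The baseline comparison is the part that does real work: a federation change by itself is routine during certificate rollover, but a signing certificate nobody put under change control is exactly the condition under which forged tokens get accepted. The same goes for the mail grant; `Mail.Read` on an archiving app is normal, and the question the triage answers is who granted it and what else that identity did in the same window.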

A week into the SolarWinds hack disclosure, the US Treasury Department gives an update. We’re told the department’s hack started in July. And in another indication that the hackers had the ability to authenticate the credentials needed to extract data from Microsoft’s Office 365 email software, we’re told that’s exactly what they were doing on the Treasury’s network. So both SolarWinds and the US Treasury were giving us strong hints early on that the story of the SolarWinds mega-hack is the story of a still-unrecognized Microsoft mega-hack:

The New York Times

Trea­sury Department’s Senior Lead­ers Were Tar­get­ed by Hack­ing

The dis­clo­sure was the first acknowl­edg­ment of a spe­cif­ic intru­sion in the vast cyber­at­tack. At the White House, nation­al secu­ri­ty lead­ers met to assess how to deal with the sit­u­a­tion.

By David E. Sanger and Alan Rappe­port
Pub­lished Dec. 21, 2020 Updat­ed Jan. 6, 2021

WASHINGTON — The Russ­ian hack­ers who pen­e­trat­ed Unit­ed States gov­ern­ment agen­cies broke into the email sys­tem used by the Trea­sury Department’s most senior lead­er­ship, a Demo­c­ra­t­ic mem­ber of the Sen­ate Finance Com­mit­tee said on Mon­day, the first detail of how deeply Moscow bur­rowed into the Trump administration’s net­works.

In a state­ment after a brief­ing for com­mit­tee staff mem­bers, Sen­a­tor Ron Wyden of Ore­gon, who has often been among the sharpest crit­ics of the Nation­al Secu­ri­ty Agency and oth­er intel­li­gence agen­cies, said that the Trea­sury Depart­ment had acknowl­edged that “the agency suf­fered a seri­ous breach, begin­ning in July, the full depth of which isn’t known.”

The Trea­sury Depart­ment ranks among the most high­ly pro­tect­ed cor­ners of the gov­ern­ment because of its respon­si­bil­i­ty for mar­ket-mov­ing eco­nom­ic deci­sions, com­mu­ni­ca­tions with the Fed­er­al Reserve and eco­nom­ic sanc­tions against adver­saries. Mr. Wyden said the hack­ers had gained access to the email sys­tem by manip­u­lat­ing inter­nal soft­ware keys.

The depart­ment learned of the breach not from any of the gov­ern­ment agen­cies whose job is to pro­tect against cyber­at­tacks, but from Microsoft, which runs much of Treasury’s com­mu­ni­ca­tions soft­ware, Mr. Wyden said. He said that “dozens of email accounts were com­pro­mised,” appar­ent­ly includ­ing in what is called the depart­men­tal offices divi­sion, where the most senior offi­cials oper­ate.

“Trea­sury still does not know all of the actions tak­en by hack­ers, or pre­cise­ly what infor­ma­tion was stolen,” he said.

An aide to Mr. Wyden said the department’s offi­cials indi­cat­ed that Trea­sury Sec­re­tary Steven Mnuchin’s email account had not been breached.

The newest dis­clo­sures under­scored the administration’s con­flict­ing mes­sages about the source of the attacks and the extent of the dam­age as more reports about the tar­gets leak out. A Trea­sury Depart­ment spokes­woman did not imme­di­ate­ly respond to a request for com­ment.

Mr. Mnuchin addressed the hack­ing ear­li­er on Mon­day and said the department’s clas­si­fied sys­tems had not been breached.

“At this point, we do not see any break-in into our clas­si­fied sys­tems,” he said in an inter­view with CNBC. “Our unclas­si­fied sys­tems did have some access.”

Mr. Mnuchin said that the hack­ing was relat­ed to third-par­ty soft­ware. He added that there had been no dam­age or large amounts of infor­ma­tion dis­placed as a result of the attack and that the agency had robust resources to pro­tect the finan­cial indus­try.

“I can assure you, we are com­plete­ly on top of this,” he said. He did not explain how the Russ­ian pres­ence was not detect­ed in the sys­tem for more than four months.

His state­ment came on the same day that Attor­ney Gen­er­al William P. Barr, at his final news con­fer­ence before step­ping down, sided with Sec­re­tary of State Mike Pom­peo in say­ing that Moscow was almost cer­tain­ly behind the hack­ing. The intru­sion went through a com­mer­cial net­work man­age­ment soft­ware pack­age made by Solar­Winds, a com­pa­ny based in Austin, Texas, and allowed the hack­ers broad access to gov­ern­ment and cor­po­rate sys­tems.

“I agree with Sec­re­tary Pompeo’s assess­ment: It cer­tain­ly appears to be the Rus­sians,” Mr. Barr said, fur­ther under­cut­ting Pres­i­dent Trump’s effort to cast doubt on whether the gov­ern­ment of Pres­i­dent Vladimir V. Putin of Rus­sia was behind the attack. Mr. Trump appears to be alone in the admin­is­tra­tion in his con­tention that Chi­na might have been the source of the hack­ing.

Mr. Mnuchin was among sev­er­al top offi­cials in the gov­ern­ment who met with nation­al secu­ri­ty offi­cials for the first time at the White House on Mon­day to assess the dam­age and dis­cuss how to deal with it.

The meet­ing was a prin­ci­pals com­mit­tee ses­sion led by Robert C. O’Brien, the nation­al secu­ri­ty advis­er. It was held two days after Mr. Trump said the attack on fed­er­al net­works was “under con­trol,” was being exag­ger­at­ed by the news media and might have been car­ried out by Chi­na rather than Rus­sia, which has been iden­ti­fied by intel­li­gence agen­cies, oth­er gov­ern­ment offi­cials and cyber­se­cu­ri­ty firms as the almost cer­tain source of the hack­ing.

The ses­sion was clas­si­fied, but if it was like the brief­in­gs to Con­gress in recent days, the intel­li­gence offi­cials expressed lit­tle doubt that the attack was most like­ly car­ried out by hack­ers asso­ci­at­ed with the S.V.R., Russia’s pre­mier intel­li­gence agency.

But on Mon­day there was no pub­lic dec­la­ra­tion attribut­ing the hack­ing to Rus­sia, per­haps reflect­ing Mr. Trump’s reluc­tance to con­front Moscow over the issue and the doubts he has expressed about the seri­ous­ness of the attack.

The meet­ing, accord­ing to one senior admin­is­tra­tion offi­cial, was intend­ed to “take stock of the intel­li­gence, the inves­ti­ga­tion and the actions being tak­en to reme­di­ate” the attack. Absent from that descrip­tion was any prepa­ra­tion for impos­ing a cost on the attack­er. Mr. Trump did not attend the meet­ing.

...

The list of atten­dees at the meet­ing was notable because it pro­vid­ed some indi­ca­tion of which parts of the gov­ern­ment might have been affect­ed. White House offi­cials said Trea­sury Sec­re­tary Steven Mnuchin, Com­merce Sec­re­tary Wilbur Ross, the act­ing home­land secu­ri­ty sec­re­tary Chad F. Wolf and Ener­gy Sec­re­tary Dan Brouil­lette were present. All of those agen­cies were pre­vi­ous­ly iden­ti­fied by news orga­ni­za­tions as tar­gets of the hack­ing.

John Rat­cliffe, the direc­tor of nation­al intel­li­gence, par­tic­i­pat­ed in the meet­ing; so did Gina Haspel, the C.I.A. direc­tor, and Gen. Paul M. Naka­sone, the direc­tor of the Nation­al Secu­ri­ty Agency and the com­man­der of the Unit­ed States Cyber Com­mand. Sec­re­tary of State Mike Pom­peo, who was the first high-rank­ing admin­is­tra­tion offi­cial to acknowl­edge that Rus­sia was the most like­ly source of the attack before he was under­cut by Mr. Trump, did not attend. His deputy, Stephen E. Biegun, stood in for him.

Gen­er­al Naka­sone, an expe­ri­enced cyber­war­rior who is respon­si­ble for the defense of nation­al secu­ri­ty sys­tems, has been silent since the hack­ing was revealed. At the N.S.A. and Cyber Com­mand, offi­cials said, there was extra­or­di­nary embar­rass­ment that a pri­vate com­pa­ny, Fire­Eye, had been the first to alert the gov­ern­ment that it had been hacked.

Accord­ing to the details released by Mr. Wyden, once the Russ­ian hack­ers used the Solar­Winds soft­ware update to get inside Treasury’s sys­tems, they per­formed a com­plex step inside Microsoft’s Office 365 sys­tem to cre­ate an encrypt­ed “token” that iden­ti­fies a com­put­er to the larg­er net­work.

That coun­ter­feit­ing enabled them to fool the sys­tem into think­ing they were legit­i­mate users — and to sign on with­out try­ing to guess user names and pass­words. Microsoft said last week that it had fixed the flaw that the Rus­sians had exploit­ed, but that did not answer the ques­tion of whether the hack­ers used their access to bore through oth­er chan­nels into the Trea­sury Depart­ment or oth­er sys­tems.

For­mal­ly deter­min­ing who was respon­si­ble for a hack­ing like this one can be time-con­sum­ing work, though the admin­is­tra­tion did so twice in Mr. Trump’s first year in office, point­ing to North Korea for the so-called Wan­naCry attack on the British health care sys­tem and Rus­sia for the “Not­Petya” attack that cost Maer­sk, Fed­er­al Express and oth­er major cor­po­ra­tions hun­dreds of mil­lions of dol­lars.

In this case, offi­cials say, a for­mal dec­la­ra­tion of who was respon­si­ble for the attack — which is need­ed to start any form of retal­i­a­tion — may not come until after Mr. Biden is inau­gu­rat­ed. That would leave the Trump admin­is­tra­tion to focus on dam­age con­trol but skip the hard ques­tions of how to deter Moscow from future attacks.

Capt. Kat­ri­na J. Cheesman, a spokes­woman for Cyber Com­mand, said that so far the mil­i­tary had found “no evi­dence of com­pro­mis­es” in the Pentagon’s net­work. She said that parts of the Defense Department’s “soft­ware sup­ply chain source have dis­closed a vul­ner­a­bil­i­ty with­in their sys­tems, but we have no indi­ca­tion the D.O.D. net­work has been com­pro­mised.”

———–

“Trea­sury Department’s Senior Lead­ers Were Tar­get­ed by Hack­ing” by David E. Sanger and Alan Rappe­port; The New York Times; 12/21/2020

“The Treasury Department ranks among the most highly protected corners of the government because of its responsibility for market-moving economic decisions, communications with the Federal Reserve and economic sanctions against adversaries. Mr. Wyden said the hackers had gained access to the email system by manipulating internal software keys.”

It’s the second early indication that the SolarWinds hackers have some advanced Microsoft email exploits: less than two weeks after the initial FireEye disclosure, the Treasury Department informs us that it was the manipulation of internal software keys that enabled access to the agency’s emails after the hackers entered the government networks via the SolarWinds backdoor. Specifically, Microsoft Office 365 identity tokens:

...
Accord­ing to the details released by Mr. Wyden, once the Russ­ian hack­ers used the Solar­Winds soft­ware update to get inside Treasury’s sys­tems, they per­formed a com­plex step inside Microsoft’s Office 365 sys­tem to cre­ate an encrypt­ed “token” that iden­ti­fies a com­put­er to the larg­er net­work.

That coun­ter­feit­ing enabled them to fool the sys­tem into think­ing they were legit­i­mate users — and to sign on with­out try­ing to guess user names and pass­words. Microsoft said last week that it had fixed the flaw that the Rus­sians had exploit­ed, but that did not answer the ques­tion of whether the hack­ers used their access to bore through oth­er chan­nels into the Trea­sury Depart­ment or oth­er sys­tems.
...

So claims about Microsoft­’s Office 365 email vul­ner­a­bil­i­ties being exploit­ed as part of the Solar­Winds hack were com­ing from not just the Solar­Winds com­pa­ny itself but also the US Trea­sury Depart­ment. Claims Microsoft con­tin­ued to vocif­er­ous­ly dis­pute for months.
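The token counterfeiting in the Treasury reporting above (a forged federation token that the cloud service accepts as a legitimate, already-authenticated user, the pattern the security industry calls Golden SAML) is hard to catch on the cloud side alone, because a token signed with a stolen token-signing key validates cryptographically. What the forger cannot produce is an issuance record on the identity provider’s own server. The Python below is an added example, not code from the post, from Microsoft, or from any government source. The IdP issuance log, the cloud sign-in records, the issuer URL and the certificate thumbprints are all constructed. The correlation it performs (matching each federated sign-in to an issuance event at the IdP, checking the signing certificate and issuer, and checking the assertion lifetime against policy) is the defensive check to run over real AD FS and Azure AD sign-in exports.

```python
"""Cross-check federated (SAML) sign-ins against the IdP's own issuance log.

Added example with constructed records. A forged assertion signed with a
stolen token-signing key passes signature validation at the relying party;
it does not leave an issuance event at the identity provider, and forged
tokens are often given validity windows far longer than policy allows.
"""
from datetime import datetime, timedelta, timezone

# Constructed values: the federation issuer and the thumbprint of the
# legitimate token-signing certificate, as recorded in tenant configuration.
EXPECTED_ISSUER = "http://adfs.example.test/adfs/services/trust"
KNOWN_SIGNING_THUMBPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}
MAX_TOKEN_LIFETIME = timedelta(minutes=60)

# Constructed IdP issuance log: one entry per assertion AD FS actually issued.
IDP_ISSUANCE_LOG = [
    {"assertionId": "_a1", "user": "carol@example.test", "issuedAt": "2020-12-01T13:00:05Z"},
    {"assertionId": "_a2", "user": "dave@example.test", "issuedAt": "2020-12-01T13:02:11Z"},
]

# Constructed cloud-side sign-ins that arrived carrying federated SAML tokens.
CLOUD_SIGNIN_LOG = [
    {"user": "carol@example.test", "assertionId": "_a1",
     "notBefore": "2020-12-01T13:00:05Z", "notOnOrAfter": "2020-12-01T14:00:05Z",
     "issuer": EXPECTED_ISSUER,
     "signingThumbprint": "0123456789ABCDEF0123456789ABCDEF01234567"},
    # Privileged account, assertion the IdP never issued, one-day validity.
    {"user": "breakglass-admin@example.test", "assertionId": "_f0",
     "notBefore": "2020-12-01T03:00:00Z", "notOnOrAfter": "2020-12-02T03:00:00Z",
     "issuer": EXPECTED_ISSUER,
     "signingThumbprint": "0123456789ABCDEF0123456789ABCDEF01234567"},
    # Genuine assertion id, but signed with a certificate the tenant does not know.
    {"user": "dave@example.test", "assertionId": "_a2",
     "notBefore": "2020-12-01T13:02:11Z", "notOnOrAfter": "2020-12-01T14:02:11Z",
     "issuer": EXPECTED_ISSUER,
     "signingThumbprint": "FFFFFFFF00000000FFFFFFFF00000000FFFFFFFF"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_signins(signins, idp_log, known_thumbprints=KNOWN_SIGNING_THUMBPRINTS,
                  expected_issuer=EXPECTED_ISSUER, max_lifetime=MAX_TOKEN_LIFETIME):
    """Return (user, assertionId, reasons) for every sign-in that fails a check."""
    # Key on (assertion id, subject): the same id presented for a different
    # subject is just as suspicious as an id the IdP never logged.
    issued = {(e["assertionId"], e["user"]) for e in idp_log}
    findings = []
    for s in signins:
        reasons = []
        if (s["assertionId"], s["user"]) not in issued:
            reasons.append("no matching issuance event at the IdP")
        if s["issuer"] != expected_issuer:
            reasons.append("unexpected issuer")
        if s["signingThumbprint"] not in known_thumbprints:
            reasons.append("unknown signing certificate")
        lifetime = parse_ts(s["notOnOrAfter"]) - parse_ts(s["notBefore"])
        if lifetime > max_lifetime:
            reasons.append(f"token lifetime {lifetime} exceeds policy")
        if reasons:
            findings.append((s["user"], s["assertionId"], reasons))
    return findings


if __name__ == "__main__":
    for user, assertion_id, reasons in audit_signins(CLOUD_SIGNIN_LOG, IDP_ISSUANCE_LOG):
        print(f"{user} ({assertion_id}): {'; '.join(reasons)}")
```

The first check is the one that matters for a stolen signing key: the cloud tenant sees a perfectly valid token for a privileged account, but the AD FS server has no record of ever issuing it. The lifetime and certificate checks catch the sloppier variants. In practice the two logs come from different systems with different clocks, so the join is on assertion id and subject rather than on time.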

And just note again how early and how definitive the attributions to Russia were coming from the Trump administration: they couldn’t explain how the hackers evaded detection for months, but everyone was ready to join Mike Pompeo in declaring that Moscow was almost certainly behind it. No reasons are given. None are necessary. It’s just a given: if there’s a major hack that hits Western government agencies, it’s either Russia or China. Because of course it is. Who else could it be? It’s the unquestioned operating paradigm for contemporary cyberattribution:

...
Mr. Mnuchin said that the hack­ing was relat­ed to third-par­ty soft­ware. He added that there had been no dam­age or large amounts of infor­ma­tion dis­placed as a result of the attack and that the agency had robust resources to pro­tect the finan­cial indus­try.

“I can assure you, we are com­plete­ly on top of this,” he said. He did not explain how the Russ­ian pres­ence was not detect­ed in the sys­tem for more than four months.

His state­ment came on the same day that Attor­ney Gen­er­al William P. Barr, at his final news con­fer­ence before step­ping down, sided with Sec­re­tary of State Mike Pom­peo in say­ing that Moscow was almost cer­tain­ly behind the hack­ing. The intru­sion went through a com­mer­cial net­work man­age­ment soft­ware pack­age made by Solar­Winds, a com­pa­ny based in Austin, Texas, and allowed the hack­ers broad access to gov­ern­ment and cor­po­rate sys­tems.

“I agree with Sec­re­tary Pompeo’s assess­ment: It cer­tain­ly appears to be the Rus­sians,” Mr. Barr said, fur­ther under­cut­ting Pres­i­dent Trump’s effort to cast doubt on whether the gov­ern­ment of Pres­i­dent Vladimir V. Putin of Rus­sia was behind the attack. Mr. Trump appears to be alone in the admin­is­tra­tion in his con­tention that Chi­na might have been the source of the hack­ing.

...

The ses­sion was clas­si­fied, but if it was like the brief­in­gs to Con­gress in recent days, the intel­li­gence offi­cials expressed lit­tle doubt that the attack was most like­ly car­ried out by hack­ers asso­ci­at­ed with the S.V.R., Russia’s pre­mier intel­li­gence agency.

...

John Rat­cliffe, the direc­tor of nation­al intel­li­gence, par­tic­i­pat­ed in the meet­ing; so did Gina Haspel, the C.I.A. direc­tor, and Gen. Paul M. Naka­sone, the direc­tor of the Nation­al Secu­ri­ty Agency and the com­man­der of the Unit­ed States Cyber Com­mand. Sec­re­tary of State Mike Pom­peo, who was the first high-rank­ing admin­is­tra­tion offi­cial to acknowl­edge that Rus­sia was the most like­ly source of the attack before he was under­cut by Mr. Trump, did not attend. His deputy, Stephen E. Biegun, stood in for him.
...

Keep in mind how disturbing these warnings about Microsoft vulnerabilities were at the time. We already knew by that point that someone had planted backdoors on some 18,000 companies and organizations around the world, including numerous government agencies. But we didn’t necessarily know what the hackers could do on all those networks after they walked through the backdoors. Learning about these Microsoft exploits told us at least some of what they could do on those networks. And given how ubiquitous Microsoft’s software is in large organizations, it’s a safe assumption that a large number of those SolarWinds clients were running Microsoft services on those networks.

SolarWinds Update: ‘It Started with a Zero-Day Microsoft Exploit.’ Microsoft Counter-Update: ‘No it Didn’t.’ CISA Update: ‘It’s Not Just SolarWinds.’

It was early February, less than two months after the initial FireEye disclosure, when we got a confirmation of sorts on the question of whether the Microsoft Office 365 email vulnerability characterized as an “attack vector” by SolarWinds in December was actually used to execute the initial hack of SolarWinds. SolarWinds CEO Sudhakar Ramakrishna appeared to confirm that, yes, a Microsoft vulnerability was used in the initial hack of the SolarWinds Orion software developer. A zero-day vulnerability never seen before. Although SolarWinds didn’t identify the specific Office 365 vulnerability.

But we also got another update from Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency: roughly 30 percent of the victim organizations that found the backdoor malware on their network had no connection to SolarWinds. Other methods for creating backdoors were being deployed by these hackers. So we learn that the SolarWinds hack likely started with a Microsoft exploit and also that the hackers are infecting other networks through means other than the infected SolarWinds software. It’s not great news for Microsoft users:

CRN

Solar­Winds CEO Con­firms Office 365 Email ‘Com­pro­mise’ Played Role In Broad-Based Attack

Solar­Winds CEO Sud­hakar Ramakr­ish­na has ver­i­fied sus­pi­cious activ­i­ty in its Office 365 envi­ron­ment, with a com­pa­ny email account com­pro­mised and used to access accounts of tar­get­ed Solar­Winds staff in busi­ness and tech­ni­cal roles.

By Michael Novin­son
Feb­ru­ary 04, 2021, 07:28 AM EST

Solar­Winds CEO Sud­hakar Ramakr­ish­na ver­i­fied Wednes­day “sus­pi­cious activ­i­ty” in its Office 365 envi­ron­ment allowed hack­ers to gain access to and exploit the Solar­Winds Ori­on devel­op­ment envi­ron­ment.

Hack­ers most like­ly entered SolarWinds’s envi­ron­ment through com­pro­mised cre­den­tials and/or a third-par­ty appli­ca­tion that cap­i­tal­ized on a zero-day vul­ner­a­bil­i­ty, Ramakr­ish­na said.

“We’ve con­firmed that a Solar­Winds email account was com­pro­mised and used to pro­gram­mat­i­cal­ly access accounts of tar­get­ed Solar­Winds per­son­nel in busi­ness and tech­ni­cal roles,” he said in the blog post. “By com­pro­mis­ing cre­den­tials of Solar­Winds employ­ees, the threat actors were able to gain access to and exploit our Ori­on devel­op­ment envi­ron­ment.”

The belea­guered Austin, Texas-based IT infra­struc­ture man­age­ment ven­dor said a Solar­Winds email account was com­pro­mised and used to pro­gram­mat­i­cal­ly access accounts of tar­get­ed Solar­Winds per­son­nel in busi­ness and tech­ni­cal roles.

By com­pro­mis­ing the cre­den­tials of Solar­Winds employ­ees, Ramakr­ish­na said the hack­ers were able to gain access to and exploit the devel­op­ment envi­ron­ment for the Solar­Winds Ori­on net­work mon­i­tor­ing plat­form. Solar­Winds was first noti­fied by Microsoft about a com­pro­mise relat­ed to its Office 365 envi­ron­ment on Dec. 13, the same day news of the hack went pub­lic.

SolarWinds’s inves­ti­ga­tion has not iden­ti­fied a spe­cif­ic vul­ner­a­bil­i­ty in Office 365 that would have allowed the hack­ers to enter the company’s envi­ron­ment through Office 365, he said Wednes­day. A day ear­li­er, Ramakr­ish­na told The Wall Street Jour­nal that one of sev­er­al the­o­ries the com­pa­ny was pur­su­ing is that the hack­ers used an Office 365 account com­pro­mise as the ini­tial point of entry into Solar­Winds.

Microsoft declined to com­ment to CRN. Ramakr­ish­na said Solar­Winds has ana­lyzed data from mul­ti­ple sys­tems and logs, includ­ing from our Office 365 and Azure ten­ants, as part of its inves­ti­ga­tion. The Solar­Winds hack is believed to be the work of the Russ­ian for­eign intel­li­gence ser­vice.

“While it’s wide­ly under­stood any one com­pa­ny could not pro­tect itself against a sus­tained and unprece­dent­ed nation-state attack of this kind, we see an oppor­tu­ni­ty to lead an indus­try-wide effort that makes Solar­Winds a mod­el for secure soft­ware envi­ron­ments, devel­op­ment process­es, and prod­ucts,” Ramakr­ish­na wrote in a blog post Wednes­day.

Some 30 per­cent of the pri­vate sec­tor and gov­ern­ment vic­tims of the colos­sal hack­ing cam­paign had no direct con­nec­tion to Solar­Winds, Bran­don Wales, act­ing direc­tor of the Cyber­se­cu­ri­ty and Infra­struc­ture Secu­ri­ty Agency, told The Wall Street Jour­nal Fri­day. But he said inves­ti­ga­tors haven’t iden­ti­fied anoth­er com­pa­ny whose prod­ucts were broad­ly com­pro­mised to infect oth­er firms the way Solar­Winds was.

SolarWinds’s inves­ti­ga­tions will be ongo­ing for at least sev­er­al more weeks, and pos­si­bly months, due to the sophis­ti­ca­tion of the cam­paign and actions tak­en by the hack­ers to remove evi­dence of their activ­i­ty, he said. Solar­Winds has not deter­mined the exact date hack­ers first gained unau­tho­rized access to the company’s envi­ron­ment, though innocu­ous code changes were first made to Ori­on in Octo­ber 2019.

The hack­ers delet­ed pro­grams fol­low­ing use to avoid foren­sic dis­cov­ery and mas­quer­ad­ed file names and activ­i­ty to mim­ic legit­i­mate appli­ca­tions and files, he said. The hack­ers had auto­mat­ed dor­man­cy peri­ods of two weeks or more pri­or to acti­va­tion and uti­lized servers out­side the mon­i­tor­ing author­i­ty of U.S. intel­li­gence, he said.

...

———–

“Solar­Winds CEO Con­firms Office 365 Email ‘Com­pro­mise’ Played Role In Broad-Based Attack” by Michael Novin­son; CRN; 02/02/2021

“By compromising the credentials of SolarWinds employees, Ramakrishna said the hackers were able to gain access to and exploit the development environment for the SolarWinds Orion network monitoring platform. SolarWinds was first notified by Microsoft about a compromise related to its Office 365 environment on Dec. 13, the same day news of the hack went public.”

It’s more or less confirmed: the SolarWinds hack started with the exploitation of a vulnerability in Microsoft’s Office 365 email. The vulnerability gave the hackers access to the SolarWinds Orion software development environments. That’s where it all started.

Or at least that’s where the SolarWinds hack started. As they note, some 30 percent of the victims of this hack don’t actually have a direct connection to SolarWinds, raising the possibility that the SolarWinds hack is really part of an even larger hack being executed by a group of actors with numerous powerful Microsoft exploits. In other words, we might not be looking at the SolarWinds mega-hack but instead at a Microsoft mega-hack that just includes a large SolarWinds component:

...
Some 30 per­cent of the pri­vate sec­tor and gov­ern­ment vic­tims of the colos­sal hack­ing cam­paign had no direct con­nec­tion to Solar­Winds, Bran­don Wales, act­ing direc­tor of the Cyber­se­cu­ri­ty and Infra­struc­ture Secu­ri­ty Agency, told The Wall Street Jour­nal Fri­day. But he said inves­ti­ga­tors haven’t iden­ti­fied anoth­er com­pa­ny whose prod­ucts were broad­ly com­pro­mised to infect oth­er firms the way Solar­Winds was.
...

So if 30 percent of the victims weren’t running SolarWinds’s Orion software, what was the attack vector in their cases? That’s a mystery, but we have a pretty obvious clue if the SolarWinds hack started with a Microsoft exploit. It’s no wonder Microsoft’s public relations team was in hyper-damage-control mode, denying all reports going back to December that its products played any role at all in the attack. Recall how it was Microsoft’s own security team that was telling us back in December how the hackers were modifying credentials to read emails from Microsoft Exchange Online (the cloud Exchange service). But once it started looking like the SolarWinds mega-hack was really the Microsoft mega-hack, it was a complete denial from Microsoft. The company has nothing to do with any of this, and anyone saying anything to the contrary is misinterpreting or misreading the available data:

CRN

Microsoft: No Evi­dence Solar­Winds Was Hacked Via Office 365

‘The word­ing of the Solar­Winds 8K [reg­u­la­to­ry] fil­ing was unfor­tu­nate­ly ambigu­ous, lead­ing to erro­neous inter­pre­ta­tion and spec­u­la­tion, which is not sup­port­ed by the results of our inves­ti­ga­tion,’ Microsoft said Thurs­day.

By Michael Novin­son
Feb­ru­ary 05, 2021, 06:52 AM EST

Microsoft said its inves­ti­ga­tion hasn’t found any evi­dence that Solar­Winds was attacked through Office 365, mean­ing the hack­ers gained priv­i­leged cre­den­tials in some oth­er way.

The Red­mond, Wash.-based soft­ware giant said a Dec. 14 reg­u­la­to­ry fil­ing by Solar­Winds gave the impres­sion that Solar­Winds was inves­ti­gat­ing an attack vec­tor relat­ed to Microsoft Office 365. In the fil­ing, Solar­Winds said it’s aware of an attack vec­tor used to com­pro­mise the company’s Office 365 emails that may have pro­vid­ed access to oth­er data con­tained in the company’s office pro­duc­tiv­i­ty tools.

“The word­ing of the Solar­Winds 8K fil­ing was unfor­tu­nate­ly ambigu­ous, lead­ing to erro­neous inter­pre­ta­tion and spec­u­la­tion, which is not sup­port­ed by the results of our inves­ti­ga­tion,” the Microsoft Secu­ri­ty Team wrote in a blog post Thurs­day.

SolarWinds’s inves­ti­ga­tion hasn’t iden­ti­fied a spe­cif­ic vul­ner­a­bil­i­ty in Office 365 that would have allowed the hack­ers to enter the company’s envi­ron­ment through Office 365, CEO Sud­hakar Ramakr­ish­na said Wednes­day. A day ear­li­er, he told The Wall Street Jour­nal one of sev­er­al the­o­ries the firm was pur­su­ing is hack­ers used an Office 365 account com­pro­mise as the ini­tial point of entry into Solar­Winds.

Ramakr­ish­na said Wednes­day that Solar­Winds has con­firmed sus­pi­cious activ­i­ty relat­ed to its Office 365 envi­ron­ment, with a com­pa­ny email account com­pro­mised and used to access accounts of tar­get­ed Solar­Winds staff in busi­ness and tech­ni­cal roles. By com­pro­mis­ing the cre­den­tials of Solar­Winds staff, he said the hack­ers were able to gain access to and exploit the Solar­Winds devel­op­ment envi­ron­ment.

Although data host­ed in Microsoft ser­vices such as email was some­times tar­get­ed by the Solar­Winds hack­ers, Microsoft insists the attack­er gained priv­i­leged cre­den­tials in anoth­er way. The Cyber­se­cu­ri­ty and Infra­struc­ture Secu­ri­ty Agency (CISA) isn’t aware of cloud soft­ware oth­er than Microsoft’s tar­get­ed in the Solar­Winds attack, Act­ing Direc­tor Bran­don Wales told The Wall Street Jour­nal Jan. 29.

In many of their break-ins, the Solar­Winds hack­ers took advan­tage of known Microsoft con­fig­u­ra­tion issues to trick sys­tems into giv­ing them access to emails and doc­u­ments stored on the cloud, The Wall Street Jour­nal said. Hack­ers can go from one cloud-com­put­ing account to anoth­er by tak­ing advan­tage of lit­tle-known idio­syn­crasies in the way soft­ware authen­ti­cates itself on the Microsoft ser­vice.

...

Reuters report­ed Dec. 17 that Microsoft was com­pro­mised via Solar­Winds, with sus­pect­ed Russ­ian hack­ers then using Microsoft’s own prod­ucts to fur­ther the attacks on oth­er vic­tims. Microsoft told CRN at the time that sources for the Reuters report are “mis­in­formed or mis­in­ter­pret­ing their infor­ma­tion,“ but acknowl­edged the soft­ware giant had ”detect­ed mali­cious Solar­Winds bina­ries” in its envi­ron­ment.

“No, it [the Reuters arti­cle] is not accu­rate,” the Microsoft Secu­ri­ty Team wrote in its blog post Thurs­day. “As we said at the time, and based upon all inves­ti­ga­tions since, we have found no indi­ca­tions that our sys­tems were used to attack oth­ers.”

Microsoft acknowl­edged Dec. 31 that a com­pa­ny account com­pro­mised by the Solar­Winds hack­ers had been used to view source code in a num­ber of source code repos­i­to­ries. The com­pro­mised Microsoft account, how­ev­er, didn’t have per­mis­sions to mod­i­fy any code or engi­neer­ing sys­tems, and an inves­ti­ga­tion con­firmed no changes were made, Microsoft said at the time.

The com­pa­ny also respond­ed Thurs­day to crit­i­cism for not dis­clos­ing attack details as soon as Microsoft knew about them, say­ing that the com­pa­ny is restrict­ed from shar­ing details in cas­es where Microsoft is pro­vid­ing inves­tiga­tive sup­port to oth­er orga­ni­za­tions. In these types of engage­ments, Microsoft said the vic­tim orga­ni­za­tions have con­trol in decid­ing what details to dis­close and when to dis­close them.

Inves­ti­ga­tors can addi­tion­al­ly dis­cov­er ear­ly indi­ca­tors that require fur­ther research before they are action­able, Microsoft said. Tak­ing the time to thor­ough­ly inves­ti­gate inci­dents is nec­es­sary to pro­vide the best pos­si­ble guid­ance to cus­tomers, part­ners, and the broad­er secu­ri­ty com­mu­ni­ty, Microsoft said.

...

———–

“Microsoft: No Evi­dence Solar­Winds Was Hacked Via Office 365” by Michael Novin­son; CRN; 02/05/2021

““The word­ing of the Solar­Winds 8K fil­ing was unfor­tu­nate­ly ambigu­ous, lead­ing to erro­neous inter­pre­ta­tion and spec­u­la­tion, which is not sup­port­ed by the results of our inves­ti­ga­tion,” the Microsoft Secu­ri­ty Team wrote in a blog post Thurs­day.”

The denials can’t get any stronger. A day after SolarWinds CEO Sudhakar Ramakrishna seemed to more or less publicly confirm that a vulnerability in Microsoft’s Office 365 email played a direct role in the initial attack, Microsoft reiterates that all reports of Microsoft vulnerabilities playing any role in the SolarWinds hack are unsubstantiated and false. That’s the line.

And note how the company acknowledges its products were hacked in many cases on the SolarWinds victims’ networks as part of the second phase of the hack, but Microsoft insists that the attackers gained privileged credentials in another way. Now, in fairness, it’s possible Microsoft systems could be hacked on client networks for reasons that have nothing to do with vulnerabilities in Microsoft’s code and are instead the fault of misconfigured software on the client end. But that’s what Microsoft was insisting at that point in early February, a day after SolarWinds’s CEO seemed to confirm a Microsoft Office 365 email exploit was used to initiate the hack and well after the US government confirmed the SolarWinds hackers used a Microsoft Office 365 email exploit during their plundering of the Treasury Department’s networks. The plausible deniability of Microsoft’s insistence that client configuration issues were the cause of the hacked Microsoft products was rapidly dwindling. Microsoft’s insistence held strong:

...
Although data host­ed in Microsoft ser­vices such as email was some­times tar­get­ed by the Solar­Winds hack­ers, Microsoft insists the attack­er gained priv­i­leged cre­den­tials in anoth­er way. The Cyber­se­cu­ri­ty and Infra­struc­ture Secu­ri­ty Agency (CISA) isn’t aware of cloud soft­ware oth­er than Microsoft’s tar­get­ed in the Solar­Winds attack, Act­ing Direc­tor Bran­don Wales told The Wall Street Jour­nal Jan. 29.

In many of their break-ins, the Solar­Winds hack­ers took advan­tage of known Microsoft con­fig­u­ra­tion issues to trick sys­tems into giv­ing them access to emails and doc­u­ments stored on the cloud, The Wall Street Jour­nal said. Hack­ers can go from one cloud-com­put­ing account to anoth­er by tak­ing advan­tage of lit­tle-known idio­syn­crasies in the way soft­ware authen­ti­cates itself on the Microsoft ser­vice.

...

Reuters report­ed Dec. 17 that Microsoft was com­pro­mised via Solar­Winds, with sus­pect­ed Russ­ian hack­ers then using Microsoft’s own prod­ucts to fur­ther the attacks on oth­er vic­tims. Microsoft told CRN at the time that sources for the Reuters report are “mis­in­formed or mis­in­ter­pret­ing their infor­ma­tion,“ but acknowl­edged the soft­ware giant had ”detect­ed mali­cious Solar­Winds bina­ries” in its envi­ron­ment.

“No, it [the Reuters arti­cle] is not accu­rate,” the Microsoft Secu­ri­ty Team wrote in its blog post Thurs­day. “As we said at the time, and based upon all inves­ti­ga­tions since, we have found no indi­ca­tions that our sys­tems were used to attack oth­ers.”

Microsoft acknowl­edged Dec. 31 that a com­pa­ny account com­pro­mised by the Solar­Winds hack­ers had been used to view source code in a num­ber of source code repos­i­to­ries. The com­pro­mised Microsoft account, how­ev­er, didn’t have per­mis­sions to mod­i­fy any code or engi­neer­ing sys­tems, and an inves­ti­ga­tion con­firmed no changes were made, Microsoft said at the time.
...

“As we said at the time, and based upon all inves­ti­ga­tions since, we have found no indi­ca­tions that our sys­tems were used to attack oth­ers.” Have fun inter­pret­ing that one. But as a pub­lic state­ment, it sounds defin­i­tive. There were no Microsoft soft­ware vul­ner­a­bil­i­ties involved at all with the Solar­Winds hack. Peri­od. End of sto­ry.

Another Update from Microsoft: We Were Hacked and Our Source Code Was Viewed. Including for Microsoft Exchange. But Don’t Worry, Nothing was Compromised and Everything is Fine on Our End Now.

Two weeks later, the story got another update. From Microsoft: the SolarWinds hackers rooted around in Microsoft’s networks through January and managed to download some source code for its Azure, Exchange and Intune cloud-based products. Again, keep in mind that Microsoft will be forced to disclose the Microsoft Exchange mega-hack a couple of weeks after this update, and in that new mega-hack it was the self-hosted, non-cloud version of Microsoft Exchange that got hacked. So the hackers stole code closely related to the very system that got mega-hacked. We’re also going to learn that the Microsoft Exchange mega-hack apparently started in January, the same month the SolarWinds hackers were presumably (hopefully) kicked out of Microsoft’s networks. And we’ve already seen that the SolarWinds hackers have impressive never-before-seen abilities to trick Microsoft’s credential systems. That’s all part of what makes this latest update to the SolarWinds story so ominous: it sure seems like it’s related to the Microsoft Exchange mega-hack that Microsoft will disclose in March, even though Microsoft assures us it’s not and that it’s a completely separate hack by different Chinese hackers:

CRN

SolarWinds Hackers Kept Going After Microsoft Until January

The SolarWinds hackers first viewed a file in a Microsoft source repository in November, and were able to download source code for its Azure, Exchange and Intune cloud-based products.

By Michael Novinson
February 19, 2021, 06:34 AM EST

The SolarWinds hackers continued efforts to infiltrate Microsoft until early January, keeping up the assault even after Microsoft revealed its source code had been compromised.

The likely Russian hackers first viewed a file in a Microsoft source repository in late November, and the Redmond, Wash.-based software giant detected unusual activity in some internal accounts the next month. The hackers lost source repository access after Microsoft secured its compromised accounts, but the threat actor kept making unsuccessful attempts to regain access all the way until early January.

“A concerning aspect of this attack is that security companies were a clear target,” Vasu Jakkal, Microsoft’s corporate vice president of security, compliance and identity, wrote in a blog post Thursday. “Microsoft, given the expansive use of our productivity tools and leadership in security, of course was an early target.”

Microsoft admitted the SolarWinds hackers were able to download some source code for its Azure, Exchange and Intune cloud-based products. The downloaded Azure source code was for subsets of its service, security and identity components, according to Microsoft.

The search terms used by the SolarWinds hackers indicate they were attempting to find secrets such as API keys, credentials, and security tokens that may have been embedded in the source code, according to Microsoft. But the company said it has a development policy that prohibits storing secrets in source code and runs automated tools to verify compliance.

Microsoft said it subsequently confirmed that both current and historical branches of its source code repositories don’t contain any live production credentials. For nearly all the Microsoft code repositories accessed by the SolarWinds hackers, only a few individual files were viewed as a result of a repository search, according to the company.

...

Microsoft said the SolarWinds hackers weren’t able to access its privileged credentials or leverage Security Assertion Markup Language (SAML) techniques against the company’s corporate domains. But outside of Microsoft, U.S. investigators said one of the principal ways the hacker has collected victim information is by compromising the SAML signing certificate using escalated Active Directory privileges.

Organizations that delegate trust to on-premises components in deployments that connect on-premises infrastructure and the cloud end up with an additional seam they need to secure, the MSRC wrote. As a result, if an on-premises environment is compromised, Microsoft said there’s an opportunity for hackers to target cloud services.

“When you rely on on-premises services, like authentication server, it is up to a customer to protect their identity infrastructure,” Jakkal wrote in her blog post. “With a cloud identity, like Azure Active Directory, we protect the identity infrastructure from the cloud.”

At the same time, Jakkal said the SolarWinds hackers took advantage of abandoned app accounts with no multi-factor authentication to access cloud administrative settings with high privilege. As organizations transition from implicit trust to explicit verification, Jakkal said they first must focus on protecting identities, especially privileged user accounts.

“Gaps in protecting identities (or user credentials) like weak passwords or lack of multifactor authentication are opportunities for an actor to find their way into a system, elevate their status, and move laterally across the environments targeting email, source code, critical databases and more,” Jakkal said.

The SolarWinds hackers tried and failed to get into CrowdStrike and read their emails via a Microsoft reseller’s Azure account that was responsible for managing CrowdStrike’s Microsoft Office licenses. If a customer buys a cloud service from a reseller and allows the reseller to retain administrative access, then a compromise of reseller credentials would grant access to the customer’s tenant, Microsoft said.

But the abuse of administrative access wouldn’t be a compromise of Microsoft’s services themselves, the company told CRN on Dec. 24.

———–

“SolarWinds Hackers Kept Going After Microsoft Until January” by Michael Novinson; CRN; 02/19/2021

“Microsoft admitted the SolarWinds hackers were able to download some source code for its Azure, Exchange and Intune cloud-based products. The downloaded Azure source code was for subsets of its service, security and identity components, according to Microsoft.”

It’s more than a little ominous. In February, weeks before the Microsoft Exchange mega-hack was disclosed, the company gave us an update on its SolarWinds investigation: source code was stolen, and that source code covered the cloud-based versions of Azure, Intune, and Exchange. Sure, it sounds like only the self-hosted Exchange servers got hit in the mega-hack, not the cloud-based Exchange service. But when Microsoft admits the SolarWinds hackers obtained source code for Exchange’s cloud service, and a couple of weeks later we’re told the largest hack on record took place when a huge share of the internet-facing, self-hosted Exchange servers in the world got hit with a zero-day exploit, it’s hard to avoid suspecting the two events are related. And yet Microsoft assures us SolarWinds was the work of ‘Cozy Bear’ and the Exchange hack the work of previously unknown Chinese state hackers. It’s all quite convenient for Microsoft. The kind of explanation that avoids a lot of messy questions:

...
The search terms used by the SolarWinds hackers indicate they were attempting to find secrets such as API keys, credentials, and security tokens that may have been embedded in the source code, according to Microsoft. But the company said it has a development policy that prohibits storing secrets in source code and runs automated tools to verify compliance.

Microsoft said it subsequently confirmed that both current and historical branches of its source code repositories don’t contain any live production credentials. For nearly all the Microsoft code repositories accessed by the SolarWinds hackers, only a few individual files were viewed as a result of a repository search, according to the company.
...

But, again, keep in mind another major reason Microsoft might want to assure the world that it’s Russian and Chinese state actors who carried out these mega-hacks: state actors are far more likely to hack for espionage purposes, and when you hack for espionage you probably won’t sell the information you stole. Criminal actors have very different motivations. So for the general public, learning that Russia or China hacked into your organization is far less alarming than learning some elite criminal hacker group did it. Although, as we’ll see, the hackers we’re told are Chinese state hackers apparently run their own for-profit ransom schemes on the side.
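The search the CRN excerpt describes, and the automated no-secrets-in-code check Microsoft says it runs, are easy to reproduce in miniature. The block below is an added example, not Microsoft’s tooling and not code from the original article: it scans a set of source files for embedded credentials using a few public key formats (the AWS access-key prefix, PEM private-key headers, the three-part JWT shape) plus a generic assignment detector that is gated by a Shannon-entropy floor so that placeholders like `changeme` don’t drown the output. The sample repository and its values are constructed (the AWS key is Amazon’s own documentation example), and the 3.0-bit entropy floor is an assumed tuning value, not a standard.

```python
"""Scan source files for embedded secrets: the kind of automated check the CRN
excerpt says Microsoft runs to enforce its no-secrets-in-code policy, and the
kind of search the SolarWinds intruders ran by hand.  Added example, not
Microsoft's tooling; every pattern, threshold and sample file is constructed."""
import math
import re
from collections import Counter

# Named detectors match public credential formats; the generic one catches
# assignments such as password = "..." and is filtered further below.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password|passwd|pwd)\b\s*[:=]\s*"
        r"['\"]([^'\"]{8,})['\"]"),
}

# Values developers leave in sample code; skipping them cuts noise without
# hiding a real credential, which will not look like any of these.
PLACEHOLDERS = re.compile(r"(?i)^(?:changeme|example|placeholder|<.*>|\$\{.*\}|x{3,}|your[_-].*)$")

ENTROPY_FLOOR = 3.0  # bits per character; assumed tuning value, not a standard


def shannon_entropy(s):
    """Bits of entropy per character; random-looking keys score well above 3."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path, text):
    """Return [(path, line_no, detector, redacted_value)] for one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if name == "generic_assignment" and (
                        PLACEHOLDERS.match(value) or shannon_entropy(value) < ENTROPY_FLOOR):
                    continue
                # Never write the whole secret into a report or log.
                findings.append((path, line_no, name, value[:12] + "..."))
    return findings


def scan_repo(files):
    """files maps path -> content for one snapshot (a branch or a commit).
    Run it over every snapshot you keep, not just the current tree."""
    out = []
    for path, content in sorted(files.items()):
        out.extend(scan_text(path, content))
    return out


# Constructed sample snapshot.  The AWS key is Amazon's documentation example.
SAMPLE_REPO = {
    "src/config.py": 'DB_HOST = "db.internal"\n'
                     'password = "changeme"\n'
                     'API_KEY = "q7Vz9kLp2mXc4RtY8wBn"\n',
    "deploy/creds.txt": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
    "docs/README.md": 'Set token = "${TOKEN}" in your environment.\n',
}

if __name__ == "__main__":
    for finding in scan_repo(SAMPLE_REPO):
        print(*finding)
```

The detail in the excerpt that matters operationally is the phrase “current and historical branches”: a secret deleted in a later commit is still in history, and a repository search like the attackers’ would find it there, so `scan_repo` has to be run over each branch’s snapshot (ideally each commit), not only the current tree. Findings are redacted before they are reported because a scanner that copies the full credential into its own output just creates a second place to steal it from.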

A New(?) Mega-Hack is Upon Us: The Microsoft Exchange Mega-Hack. Which, Microsoft Promises, is Definitely Totally Unrelated to the SolarWinds Mega-Hack

Do you or your organization own a self-hosted Microsoft Exchange email server that was connected to the internet between January and March of this year? Congrats! It was very likely hacked. If it wasn’t patched within days of March 2, it almost certainly was. A global ransacking arguably larger than the SolarWinds hack. And much like the SolarWinds hack, these hackers had the potential to seed victim networks with backdoors or worse. So it’s another mega-hack that sets the hackers up for even bigger mega-hacks in the future. Another Microsoft mega-hack:

Krebs on Security

At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software

March 5, 2021

At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.

On March 2, Microsoft released emergency security updates to plug four security holes in Exchange Server versions 2013 through 2019 that hackers were actively using to siphon email communications from Internet-facing systems running Exchange.

Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed “Hafnium,” and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

In the three days since then, security experts say the same Chinese cyber espionage group has dramatically stepped up attacks on any vulnerable, unpatched Exchange servers worldwide.

In each incident, the intruders have left behind a “web shell,” an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim’s computer servers.

Speaking on condition of anonymity, two cybersecurity experts who’ve briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide — with each victim system representing approximately one organization that uses Exchange to process email.

Microsoft’s initial advisory about the Exchange flaws credited Reston, Va. based Volexity for reporting the vulnerabilities. Volexity President Steven Adair said the company first saw attackers quietly exploiting the Exchange bugs on Jan. 6, 2021, a day when most of the world was glued to television coverage of the riot at the U.S. Capitol.

But Adair said that over the past few days the hacking group has shifted into high gear, moving quickly to scan the Internet for Exchange servers that weren’t yet protected by the security updates Microsoft released Tuesday.

“We’ve worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today,” Adair said. “Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”

Reached for comment, Microsoft said it is working closely with the U.S. Cybersecurity & Infrastructure Security Agency (CISA), other government agencies, and security companies, to ensure it is providing the best possible guidance and mitigation for its customers.

“The best protection is to apply updates as soon as possible across all impacted systems,” a Microsoft spokesperson said in a written statement. “We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources.”

Meanwhile, CISA has issued an emergency directive ordering all federal civilian departments and agencies running vulnerable Microsoft Exchange servers to either update the software or disconnect the products from their networks.

Adair said he’s fielded dozens of calls today from state and local government agencies that have identified the backdoors in their Exchange servers and are pleading for help. The trouble is, patching the flaws only blocks the four different ways the hackers are using to get in. But it does nothing to undo the damage that may already have been done.

White House press secretary Jen Psaki told reporters today the vulnerabilities found in Microsoft’s widely used Exchange servers were “significant,” and “could have far-reaching impacts.”

“We’re concerned that there are a large number of victims,” Psaki said.

By all accounts, rooting out these intruders is going to require an unprecedented and urgent nationwide clean-up effort. Adair and others say they’re worried that the longer it takes for victims to remove the backdoors, the more likely it is that the intruders will follow up by installing additional backdoors, and perhaps broadening the attack to include other portions of the victim’s network infrastructure.

Security researchers have published several tools for detecting vulnerable servers. One of those tools, a script from Microsoft’s Kevin Beaumont, is available from Github.

KrebsOnSecurity has seen portions of a victim list compiled by running such a tool, and it is not a pretty picture. The backdoor web shell is verifiably present on the networks of thousands of U.S. organizations, including banks, credit unions, non-profits, telecommunications providers, public utilities and police, fire and rescue units.

“It’s police departments, hospitals, tons of city and state governments and credit unions,” said one source who’s working closely with federal officials on the matter. “Just about everyone who’s running self-hosted Outlook Web Access and wasn’t patched as of a few days ago got hit with a zero-day attack.”

Another government cybersecurity expert who participated in a recent call with multiple stakeholders impacted by this hacking spree worries the cleanup effort required is going to be Herculean.

“On the call, many questions were from school districts or local governments that all need help,” the source said, speaking on condition they were not identified by name. “If these numbers are in the tens of thousands, how does incident response get done? There are just not enough incident response teams out there to do that quickly.”

When it released patches for the four Exchange Server flaws on Tuesday, Microsoft emphasized that the vulnerability did not affect customers running its Exchange Online service (Microsoft’s cloud-hosted email for businesses). But sources say the vast majority of the organizations victimized so far are running some form of Internet-facing Microsoft Outlook Web Access (OWA) email systems in tandem with Exchange servers internally.

“It’s a question worth asking, what’s Microsoft’s recommendation going to be?,” the government cybersecurity expert said. “They’ll say ‘Patch, but it’s better to go to the cloud.’ But how are they securing their non-cloud products? Letting them wither on the vine.”

The government cybersecurity expert said this most recent round of attacks is uncharacteristic of the kinds of nation-state level hacking typically attributed to China, which tends to be fairly focused on compromising specific strategic targets.

“It’s reckless,” the source said. “It seems out of character for Chinese state actors to be this indiscriminate.”

Microsoft has said the incursions by Hafnium on vulnerable Exchange servers are in no way connected to the separate SolarWinds-related attacks, in which a suspected Russian intelligence group installed backdoors in network management software used by more than 18,000 organizations.

“We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services,” the company said.

Nevertheless, the events of the past few days may well end up far eclipsing the damage done by the SolarWinds intruders.

...

————-

“At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software”; Krebs on Security; 03/05/2021

“Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed “Hafnium,” and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.”

Somehow Microsoft determined this hack was carried out by a previously unidentified Chinese hacking crew. Again, we have no idea how they know this group is Chinese, or how they know it’s not the same group behind the SolarWinds hack or all sorts of other hacks. We just know Microsoft very confidently declared that this mega-hack, with its striking parallels to SolarWinds, wasn’t carried out by the same crew. Instead, we’re confidently assured it’s a Chinese nation-state-backed hacking group that has uncharacteristically decided to carry out what may be the largest hack ever, even larger than SolarWinds. We just have to trust Microsoft:

...
Speaking on condition of anonymity, two cybersecurity experts who’ve briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide — with each victim system representing approximately one organization that uses Exchange to process email.

...

The government cybersecurity expert said this most recent round of attacks is uncharacteristic of the kinds of nation-state level hacking typically attributed to China, which tends to be fairly focused on compromising specific strategic targets.

“It’s reckless,” the source said. “It seems out of character for Chinese state actors to be this indiscriminate.”
...

It’s also worth noting that Microsoft didn’t catch this vulnerability being exploited in the wild. Volexity did, and Microsoft’s advisory credited it. Early reporting had Volexity detecting the first attack on January 6, coinciding with the far-right insurrection at the Capitol, with the quiet intrusions turning into an open smash-and-grab at the end of February. That’s some pretty interesting timing, but Volexity later updated its timeline: it found signs of operations using this zero-day exploit on January 3, 2021. So the timing with the Capitol insurrection isn’t quite as interesting as the early reporting indicated.

Also recall that Volexity was the first company to identify the SolarWinds malware, on its clients’ networks back in July of 2020. Its warnings were ignored, but it was the first to find it, at least on record. Volexity keeps turning out to be the company that finds these mega backdoor hacks:

...
Microsoft’s initial advisory about the Exchange flaws credited Reston, Va. based Volexity for reporting the vulnerabilities. Volexity President Steven Adair said the company first saw attackers quietly exploiting the Exchange bugs on Jan. 6, 2021, a day when most of the world was glued to television coverage of the riot at the U.S. Capitol.

But Adair said that over the past few days the hacking group has shifted into high gear, moving quickly to scan the Internet for Exchange servers that weren’t yet protected by the security updates Microsoft released Tuesday.
...

And in case the scale of the hack wasn’t clear, note that it appears to have hit virtually every internet-facing, self-hosted Outlook Web Access (OWA) server on the planet that wasn’t patched within days of the fix. It’s a global digital nightmare scenario:

...

“We’ve worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today,” Adair said. “Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”

...

Adair said he’s fielded dozens of calls today from state and local government agencies that have identified the backdoors in their Exchange servers and are pleading for help. The trouble is, patching the flaws only blocks the four different ways the hackers are using to get in. But it does nothing to undo the damage that may already have been done.

...

By all accounts, rooting out these intruders is going to require an unprecedented and urgent nationwide clean-up effort. Adair and others say they’re worried that the longer it takes for victims to remove the backdoors, the more likely it is that the intruders will follow up by installing additional backdoors, and perhaps broadening the attack to include other portions of the victim’s network infrastructure.

...

“It’s police departments, hospitals, tons of city and state governments and credit unions,” said one source who’s working closely with federal officials on the matter. “Just about everyone who’s running self-hosted Outlook Web Access and wasn’t patched as of a few days ago got hit with a zero-day attack.”
...

And finally, it’s hard to avoid marveling at the rather stunning assurances given by Microsoft at this point regarding the SolarWinds hack and the role Microsoft products played in it: “We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services.” This is what Microsoft was telling the public in March of 2021. As we saw in an earlier article excerpt, published about six weeks later, the abuse of Microsoft products was the defining feature of the second phase of the SolarWinds attack. First the SolarWinds Orion software deployed backdoors on the SolarWinds customer networks. Then the hackers used those backdoors to roam those networks looking for valuable information to steal, and that meant going after Microsoft’s identity and email systems, which they apparently did with abandon. Note the narrow wording Microsoft leans on: forging SAML tokens with a stolen signing certificate and abusing abandoned app accounts with no MFA (both described in the CRN excerpt above) are abuses of trusted credentials and of design, not a patchable bug, so Microsoft can say no “vulnerability” was exploited. As a technical distinction it holds. As a public reassurance it is at best misleading, and it conveniently helped Microsoft avoid the uncomfortable question of whether this Exchange mega-backdoor and the SolarWinds mega-backdoor were part of one joint operation run by the same group of people:

...
Microsoft has said the incursions by Hafnium on vulnerable Exchange servers are in no way connected to the separate SolarWinds-related attacks, in which a suspected Russian intelligence group installed backdoors in network management software used by more than 18,000 organizations.

“We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services,” the company said.

Nevertheless, the events of the past few days may well end up far eclipsing the damage done by the SolarWinds intruders.
...

And while Microsoft was aggressively distancing itself and this hack from the SolarWinds hack early on, within a week it was starting to look like SolarWinds was the company that should be doing the distancing, because this hack was looking much worse than SolarWinds. Like an automatable SolarWinds, plundered to the full extent available by a variety of criminal actors. It was ‘Hafnium’ who quietly and exclusively used this zero-day exploit from January 3 until Microsoft announced the patch on March 2, at which point a criminal free-for-all involving at least a half dozen other hacking groups ensued to ransack any unpatched servers.

But perhaps the most scandalous aspect of all this is that the vulnerability enabling it had apparently been sitting in Microsoft’s Exchange codebase for about a decade. How much do you want to bet January 3 wasn’t the first time it was exploited?:

Data Cen­ter Knowl­edge

Microsoft Exchange Hack Could Be Worse Than Solar­Winds

The mas­sive hack’s scope keeps grow­ing. Unlike the Solar­Winds exploit, this one can be auto­mat­ed.

Maria Korolov | Mar 10, 2021

The scope of dam­age from the new­ly pub­lic Microsoft Exchange vul­ner­a­bil­i­ty keeps grow­ing, with some experts say­ing that it is “worse than Solar­Winds.”

As of last count, more than 60,000 orga­ni­za­tions have fall­en vic­tim to the attack.

“The scale of the attack is the biggest threat at this time,” said Mark Good­win, man­ag­ing senior ana­lyst at secu­ri­ty con­sult­ing firm Bish­op Fox.

Gov­ern­ment insti­tu­tions have been attacked, large cor­po­ra­tions, and small local busi­ness­es, he told DCK. Accord­ing to the inter­net scan­ning tool Shodan, more than 250,000 servers are vul­ner­a­ble, he added.

Unlike the Solar­Winds breach, the Microsoft Exchange vul­ner­a­bil­i­ty can be exploit­ed in an auto­mat­ed way. If a data cen­ter has an Exchange serv­er acces­si­ble via the pub­lic inter­net, assume it’s been com­pro­mised, he said.

The prob­lem is so severe that Microsoft has released patch­es even for old­er servers that are no longer sup­port­ed, Good­win said.

And, unlike the Solar­Winds breach, which was pri­mar­i­ly exploit­ed by a sin­gle state-spon­sored group, report­ed­ly from Rus­sia, the Microsoft Exchange vul­ner­a­bil­i­ty is open to every­body. Orig­i­nal­ly asso­ci­at­ed with a Chi­nese state-spon­sored group, Hafni­um, at last count half a dozen dif­fer­ent groups are active­ly attack­ing orga­ni­za­tions with vul­ner­a­ble servers.

The Microsoft Exchange vul­ner­a­bil­i­ty gives hack­ers full access to Microsoft Exchange servers which in turn can be lever­aged to com­pro­mise Active Direc­to­ry servers.

“Once you com­pro­mise Active Direc­to­ry, you can go after any­thing you want,” said Srikant Vis­sam­set­ti, senior VP of engi­neer­ing at Atti­vo Net­works, a cyber­se­cu­ri­ty ven­dor. “You get the keys to the king­dom.”

The big prob­lem is that Microsoft Exchange is designed to be accessed by exter­nal users, which means servers can be acces­si­ble via the inter­net – and attack­ers can find them when they scan for vul­ner­a­bil­i­ties.

“There are ways to scan every­thing con­nect­ed to the inter­net to find vul­ner­a­ble sys­tems,” said Jethro Beek­man, tech­ni­cal direc­tor at cyber­se­cu­ri­ty firm For­t­anix. “This has an enor­mous threat of mis­use.”

As a result, the Depart­ment of Home­land Secu­ri­ty last week issued an emer­gency direc­tive for fed­er­al agen­cies, warn­ing that the Microsoft Exchange vul­ner­a­bil­i­ty is being active­ly exploit­ed and order­ing them to take defen­sive action.

“This is a crazy huge hack,” said Chris Krebs, the for­mer direc­tor of the Cyber­se­cu­ri­ty and Infra­struc­ture Secu­ri­ty Agency, in a Tweet on Fri­day. “The num­bers I’ve heard dwarf what’s report­ed.”

Also on Fri­day, secu­ri­ty firm Huntress released a report of its analy­sis of 3,000 servers, most of which had antivirus or end­point secu­ri­ty solu­tions installed. Of those, 800 were still not patched, and there were more than 350 mali­cious web­shells already installed by attack­ers.

“This has seem­ing­ly slipped past a major­i­ty of pre­ven­ta­tive secu­ri­ty prod­ucts,” said Huntress senior secu­ri­ty researcher John Ham­mond in a report.

The num­ber of affect­ed enter­pris­es is so much high­er with this attack than with Solar­Winds because this attack can be high­ly auto­mat­ed, Attivo’s Vis­sam­set­ti told DCK.

“With some­thing like this, attack­ers can mobi­lize with­in a day,” he said. “They can script the whole thing in just a few hours.”

Cleanup Will Be Messy

Patch­ing the Microsoft Exchange serv­er is not enough if an orga­ni­za­tion has been com­pro­mised.

Enter­pris­es can look for indi­ca­tors of com­pro­mise in log files, but smart attack­ers may erase those traces as well.

Then, attack­ers may have installed back doors or cre­at­ed accounts for them­selves with high lev­els of access, or even con­duct­ed a “gold­en tick­et” attack on Active Direc­to­ry.

“Once you have a gold­en tick­et attack, you pret­ty much have to start over,” said Vis­sam­set­ti. “Chang­ing pass­words is not suf­fi­cient. They’ve got a super admin.”

And the pos­si­bil­i­ties for dam­age are near­ly end­less, he added.

“It will be messy to clean up,” said Oliver Tavakoli, CTO at Vectra Networks. “It will effectively require backing up data, re-imaging the Exchange server, scrubbing the backup of any accounts which should not be present, resetting all passwords and secrets, and restoring the remaining backup data.”

This is while security teams are already stretched thin by the SolarWinds attack, he added.

“This hack will compete for the same investigative and remediation resources,” he told DCK. “So, having two such broad attacks occur near the same time places exorbitant strain on the resources.”

And even if the Exchange servers are patched, back doors shut down, and attackers fully cleaned out, that’s not the end of it, said Adrien Gendre, chief product and services officer at Vade Secure.

“Based on our knowledge of prior incidents,” he said, “expect to see a rise in spear phishing attacks in the coming weeks.”

The attackers will be able to use the information they’ve collected while in the system, such as emails and other documents, to craft extremely targeted and credible scam emails, he said.

Time to Ditch Microsoft Exchange

Experts recommend that companies replace on-prem deployments of Microsoft Exchange with cloud-based alternatives like Office 365, which are not vulnerable to the attack.

And if there is an attack, the SaaS vendor simply installs the patch themselves. There’s no need for every single customer to install their own patches, dramatically simplifying security.

If that’s not an option, the Exchange servers can be put behind VPNs, Fortanix’s Beekman told DCK.

“And there are web application firewalls that you can insert between the server and the internet,” he added.

Data center providers that offer managed servers to clients are particularly vulnerable, because if they themselves use a vulnerable Microsoft Exchange server and their environment is compromised, client infrastructure could potentially be at risk, he added.

This is where security approaches like zero trust and micro segmentation can be used to restrict lateral movement, he said.

...

The Timeline of the Microsoft Exchange Hack

Security experts began noticing signs of compromise in early January, with the first attacks on January 3, according to security firm Volexity.

At first, these attacks, which exploited a zero-day vulnerability, were limited to Hafnium.

Then, after Microsoft finally released patches on March 2, other criminal groups started using it in a race to attack as many servers as possible before they were patched.

But the vulnerability has been present in the Microsoft Exchange codebase for a decade, said Ed Hunter, CISO at Infoblox, a cybersecurity company.

“One has to wonder how long this vulnerability has been a closely held – and used – tool in this threat actor’s toolbox,” he told DCK.

...

———–

“Microsoft Exchange Hack Could Be Worse Than SolarWinds” by Maria Korolov; Data Center Knowledge; 03/10/2021

“Unlike the SolarWinds breach, the Microsoft Exchange vulnerability can be exploited in an automated way. If a data center has an Exchange server accessible via the public internet, assume it’s been compromised, he said.”

Not only is this the kind of hack that any common criminal hacker is capable of executing once they know the exploit, it’s the kind of hack that a single hacker could theoretically turn into a mega-hack with a simple script, because the exploit can be automated. That’s why you should assume you got hit if you were exposed. Everyone exposed got hit because it was easy for anyone to hit everyone.

But everyone wasn’t hit at first. It was “Hafnium” who quietly started hacking targets, with Volexity first detecting the usage of the zero-day exploit on January 3 (not January 6 as earlier indicated). It was after Microsoft released the patches on March 2 that other criminal groups went on a global spree, hitting every remaining unpatched Exchange server on the planet connected to the internet. As we’re going to see, when the US and its Western allies all issue coordinated formal statements in mid-July formally accusing China of executing the hack, we are told by unnamed sources familiar with the investigation that Hafnium is suspected of having known Microsoft was about to close the zero-day vulnerabilities (which were no longer zero-days at that point) and of handing the exploits over to criminals at that point. But we have no idea why that particular scenario was suspected, as opposed to Hafnium being a criminal actor who sold their exploit to other actors once the patch was released. Or another actor pretending to be a Chinese state actor, although it’s unclear what, if any, ‘Chinese’ indicators are being left by “Hafnium”. Microsoft told us it was a never-before-seen Chinese state-backed group called Hafnium, and that declaration alone is treated as adequate evidence. As with the SolarWinds hack, it’s faith-based public attribution, which is a big part of the reason the reading-the-tea-leaves behind-the-scenes methods of attribution are so problematic. That’s what we’re supposed to have faith in. Tea-leaf-reading with huge conflicts of interest:

...
And, unlike the SolarWinds breach, which was primarily exploited by a single state-sponsored group, reportedly from Russia, the Microsoft Exchange vulnerability is open to everybody. Originally associated with a Chinese state-sponsored group, Hafnium, at last count half a dozen different groups are actively attacking organizations with vulnerable servers.

...

Security experts began noticing signs of compromise in early January, with the first attacks on January 3, according to security firm Volexity.

At first, these attacks, which exploited a zero-day vulnerability, were limited to Hafnium.

Then, after Microsoft finally released patches on March 2, other criminal groups started using it in a race to attack as many servers as possible before they were patched.
...

Also observe how Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, was trying to make sense of the incredibly aggressive nature of this hack by asking on Twitter whether this was the work of an out-of-control cybercrime gang or contractors gone wild. Krebs is generally considered a pretty credible voice on these matters. So he was not ready to jump on board the China-did-it bandwagon at this point, when we were being assured by Microsoft and others that yes, China did it. Just take their word for it. Krebs wasn’t taking their word:

...
“This is a crazy huge hack,” said Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, in a Tweet on Friday. “The numbers I’ve heard dwarf what’s reported.”

...

But it isn’t just the automatable nature of this hacking technique that makes it so scary. It’s also the fact that the hackers could leverage complete control over the Exchange server to compromise the Active Directory servers, which in turn opens the door to a “golden ticket” attack on Active Directory, through which the hackers can give themselves super-user privileges. That’s the highest level. This is a potentially devastating hack. Complete control is an apt description of what it can confer. Thanks in part to a lot of Microsoft exploits:

...
The Microsoft Exchange vulnerability gives hackers full access to Microsoft Exchange servers which in turn can be leveraged to compromise Active Directory servers.

“Once you compromise Active Directory, you can go after anything you want,” said Srikant Vissamsetti, senior VP of engineering at Attivo Networks, a cybersecurity vendor. “You get the keys to the kingdom.”

...

Patching the Microsoft Exchange server is not enough if an organization has been compromised.

Enterprises can look for indicators of compromise in log files, but smart attackers may erase those traces as well.

Then, attackers may have installed back doors or created accounts for themselves with high levels of access, or even conducted a “golden ticket” attack on Active Directory.

“Once you have a golden ticket attack, you pretty much have to start over,” said Vissamsetti. “Changing passwords is not sufficient. They’ve got a super admin.”

And the possibilities for damage are nearly endless, he added.
...

It’s also worth noting another potentially devastating aspect of this nightmare, following from the fact that super-user admin privileges can be obtained by the hackers: data centers running Microsoft Exchange servers may have those super-user admin privileges stolen too. And that potentially threatens all the data in that data center:

...
Data center providers that offer managed servers to clients are particularly vulnerable, because if they themselves use a vulnerable Microsoft Exchange server and their environment is compromised, client infrastructure could potentially be at risk, he added.

This is where security approaches like zero trust and micro segmentation can be used to restrict lateral movement, he said.
...

Finally, and significantly, note how long this vulnerability has existed in Microsoft’s code: a decade! As one security expert astutely asks, “One has to wonder how long this vulnerability has been a closely held – and used – tool in this threat actor’s toolbox”:

...
But the vulnerability has been present in the Microsoft Exchange codebase for a decade, said Ed Hunter, CISO at Infoblox, a cybersecurity company.

“One has to wonder how long this vulnerability has been a closely held – and used – tool in this threat actor’s toolbox,” he told DCK.
...

For the last 10 years, anyone with access to that code could have potentially spotted this vulnerability. Keep this in mind when Microsoft assures us that the theft of its code by the SolarWinds hackers is of no consequence.

SolarWinds Sanctions Arrive. Along With a Lesson in How Attribution Works By CrowdStrike’s Adam Meyers: Surprise! It’s a Hunt for “Cultural Artifacts” ‘Accidentally’ Left Behind

In the span of just four months the world was introduced to the two largest hacks on record. Quite a few lessons were hopefully learned. And if we listen to Adam Meyers, the vice president for threat intelligence at the cybersecurity firm CrowdStrike who led the SolarWinds investigation, it was a master class in hacking. That’s what Meyers expressed in a highly revealing NPR interview in April. A master class in how to obscure one’s tracks.

As we’ll see, Meyers gives us further confirmation of something that has long been clear but is rarely said out loud so clearly: contemporary cyberattribution really does rely heavily on ‘clues’ like Cyrillic characters or Mandarin in the code, and such ‘clues’ are frequently found. At least that’s how Adam Meyers, the vice president for threat intelligence at CrowdStrike, described his approach to determining the identity of the SolarWinds hackers. Meyers expresses dismay at how thorough the hackers were. Thorough in the sense that there was no ‘cultural artifact’ like Cyrillic or Mandarin. Meyers describes the lack of anything that a human might have inadvertently left behind as a clue as “mind-blowing”. He described the tiny piece of malware used in the initial SolarWinds hack — distributed to all 18,000 clients via the Orion software — and its lack of clues as “the craziest f***ing thing I’d ever seen.” Take a moment to process that.

So this April update on the SolarWinds investigation includes an update on the general state of affairs in cyberattribution. A state of affairs where malware that’s been cleaned and lacks a ‘cultural artifact’ is “the craziest f***ing thing I’d ever seen.” And yet, as we saw, there was virtually no hesitancy in attributing the hack to ‘Cozy Bear’/APT29/‘Nobelium’. This is a good time to recall that the story of the Shadow Brokers and the CIA’s hacking toolkit that included features like leaving Cyrillic or Mandarin characters to leave a false lead was confirmed just four years ago.
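The ‘cultural artifact’ hunt described above amounts to a few lines of forensic tooling, which is part of the problem. What follows is an added example, not code from this post, from CrowdStrike or from NPR: it pulls readable strings out of a binary blob and tags the ones written in Cyrillic, Arabic/Persian, CJK or Hangul script, the kind of ‘clue’ the attribution narrative leans on. The sample blob, the script ranges and every function name are constructed for this illustration. The last function shows one way such a clue appears where none exists: reading plain ASCII at the wrong character width lands every byte pair in the CJK block.

```python
"""Tag non-Latin 'cultural artifact' strings in a binary blob.
Added example; not the page's, CrowdStrike's or NPR's code."""
from typing import Dict, List, Tuple

# Inclusive Unicode block ranges for the scripts most often cited as clues.
SCRIPT_RANGES: Dict[str, Tuple[int, int]] = {
    "Cyrillic": (0x0400, 0x04FF),
    "Arabic/Persian": (0x0600, 0x06FF),
    "CJK": (0x4E00, 0x9FFF),
    "Hangul": (0xAC00, 0xD7A3),
}


def script_of(ch: str) -> str:
    """Name the script block a character falls in, or 'Latin/other'."""
    cp = ord(ch)
    for name, (lo, hi) in SCRIPT_RANGES.items():
        if lo <= cp <= hi:
            return name
    return "Latin/other"


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Return printable runs of at least min_len characters, decoding as UTF-8.
    Invalid bytes become U+FFFD and end a run, so raw machine code rarely
    produces a multi-byte run by accident."""
    text = blob.decode("utf-8", errors="replace")
    runs: List[str] = []
    current: List[str] = []
    for ch in text:
        if ch != "\ufffd" and ch.isprintable():
            current.append(ch)
            continue
        if len(current) >= min_len:
            runs.append("".join(current))
        current = []
    if len(current) >= min_len:
        runs.append("".join(current))
    return [r for r in runs if r.strip()]


def tag_artifacts(blob: bytes, min_len: int = 4) -> List[Tuple[str, str]]:
    """Pair each extracted string with the dominant non-Latin script in it;
    strings with no non-Latin characters are dropped."""
    tagged: List[Tuple[str, str]] = []
    for s in extract_strings(blob, min_len):
        counts: Dict[str, int] = {}
        for ch in s:
            name = script_of(ch)
            if name != "Latin/other":
                counts[name] = counts.get(name, 0) + 1
        if counts:
            tagged.append((s, max(counts, key=counts.get)))
    return tagged


def ascii_as_utf16le(text: str) -> List[str]:
    """Why a UTF-16LE pass needs a guard: two printable ASCII bytes read as one
    16-bit unit land in 0x2020..0x7E7E, inside the CJK block, so 'Mandarin'
    is manufactured out of plain English."""
    decoded = text.encode("ascii").decode("utf-16-le", errors="replace")
    return [script_of(c) for c in decoded]


# Constructed sample: header-like bytes, an ordinary import name, a Cyrillic
# comment and a CJK string, all deliberately planted for the demonstration.
SAMPLE_BLOB = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"
    + b"GetProcAddress\x00"
    + "// проверка версии\n".encode("utf-8")
    + b"\xff\xfe\x00\x01"
    + "调试模式".encode("utf-8")
    + b"\x00" * 4
)

if __name__ == "__main__":
    for s, script in tag_artifacts(SAMPLE_BLOB):
        print(f"{script:15} {s}")
    print(ascii_as_utf16le("abcd"))
```

A hit from a tool like this says only that a string is present. As the post points out, a toolkit can plant it on purpose, and a wrong-width decode can manufacture it by accident, so it is a lead to corroborate, not an attribution.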

Oh, and the US government was ready to announce sanctions against Russia for the hack. So at the same time sanctions were announced, we got an interview that further confirmed the cyberattribution industry is predicated on lunatic assumptions. It really does seem to be the case that everyone really is playing dumb here. Double yikes:

National Public Radio

A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack

Dina Temple-Raston
April 16, 2021 10:05 AM ET

“This release includes bug fixes, increased stability and performance improvements.”

The routine software update may be one of the most familiar and least understood parts of our digital lives. A pop-up window announces its arrival and all that is required of us is to plug everything in before bed. The next morning, rather like the shoemaker and the elves, our software is magically transformed.

Last spring, a Texas-based company called SolarWinds made one such software update available to its customers. It was supposed to provide the regular fare — bug fixes, performance enhancements — to the company’s popular network management system, a software program called Orion that keeps a watchful eye on all the various components in a company’s network. Customers simply had to log into the company’s software development website, type a password and then wait for the update to land seamlessly onto their servers.

The routine update, it turns out, is no longer so routine.

Hackers believed to be directed by the Russian intelligence service, the SVR, used that routine software update to slip malicious code into Orion’s software and then used it as a vehicle for a massive cyberattack against America.

“Eighteen thousand [customers] was our best estimate of who may have downloaded the code between March and June of 2020,” Sudhakar Ramakrishna, SolarWinds president and CEO, told NPR. “If you then take 18,000 and start sifting through it, the actual number of impacted customers is far less. We don’t know the exact numbers. We are still conducting the investigation.”

On Thursday, the Biden administration announced a roster of tough sanctions against Russia as part of what it characterized as the “seen and unseen” response to the SolarWinds breach.

NPR’s months-long examination of that landmark attack — based on interviews with dozens of players from company officials to victims to cyber forensics experts who investigated, and intelligence officials who are in the process of calibrating the Biden administration’s response — reveals a hack unlike any other, launched by a sophisticated adversary who took aim at a soft underbelly of digital life: the routine software update.

By design, the hack appeared to work only under very specific circumstances. Its victims had to download the tainted update and then actually deploy it. That was the first condition. The second was that their compromised networks needed to be connected to the Internet, so the hackers could communicate with their servers.

For that reason, Ramakrishna figures the Russians successfully compromised about 100 companies and about a dozen government agencies. The companies included Microsoft, Intel and Cisco; the list of federal agencies so far includes the Treasury, Justice and Energy departments and the Pentagon.

The hackers also found their way, rather embarrassingly, into the Cybersecurity and Infrastructure Security Agency, or CISA — the office at the Department of Homeland Security whose job it is to protect federal computer networks from cyberattacks.

The concern is that the same access that gives the Russians the ability to steal data could also allow them to alter or destroy it. “The speed with which an actor can move from espionage to degrading or disrupting a network is at the blink of an eye,” one senior administration official said during a background briefing from the White House on Thursday. “And a defender cannot move at that speed. And given the history of Russia’s malicious activity in cyberspace and their reckless behavior in cyberspace, that was a key concern.”

“The tradecraft was phenomenal”

Network monitoring software is a key part of the backroom operations we never see. Programs like Orion allow information technology departments to look on one screen and check their whole network: servers or firewalls, or that printer on the fifth floor that keeps going offline. By its very nature, it touches everything — which is why hacking it was genius.

“It’s really your worst nightmare,” Tim Brown, vice president of security at SolarWinds, said recently. “You feel a kind of horror. This had the potential to affect thousands of customers; this had the potential to do a great deal of harm.”

When cybersecurity experts talk about harm, they’re thinking about something like what happened in 2017, when the Russian military launched a ransomware attack known as NotPetya. It, too, began with tainted software, but in that case the hackers were bent on destruction. They planted ransomware that paralyzed multinational companies and permanently locked people around the world out of tens of thousands of computers. Even this much later, it is considered the most destructive and costly cyberattack in history.

Intelligence officials worry that SolarWinds might presage something on that scale. Certainly, the hackers had time to do damage. They roamed around American computer networks for nine months, and it is unclear whether they were just reading emails and doing the things spies typically do, or whether they were planting something more destructive for use in the future.

“When there’s cyber-espionage conducted by nations, FireEye is on the target list,” Kevin Mandia, CEO of the cybersecurity firm FireEye, told NPR, but he believes there are other less obvious targets that now might need more protecting. “I think utilities might be on that list. I think health care might be on that list. And you don’t necessarily want to be on the list of fair game for the most capable offense to target you.”

The SolarWinds attackers ran a master class in novel hacking techniques. They modified sealed software code, created a system that used domain names to select targets and mimicked the Orion software communication protocols so they could hide in plain sight. And then, they did what any good operative would do: They cleaned the crime scene so thoroughly investigators can’t prove definitively who was behind it. The White House has said unequivocally that Russian intelligence was behind the hack. Russia, for its part, has denied any involvement.

“The tradecraft was phenomenal,” said Adam Meyers, who led the cyber forensics team that pawed through that tainted update on behalf of SolarWinds, providing details for the first time about what they found. The code was elegant and innovative, he said, and then added, “This was the craziest f***ing thing I’d ever seen.”

Like razor blades in peanut butter cups

Meyers is the vice president for threat intelligence at the cybersecurity firm CrowdStrike, and he’s seen epic attacks up close. He worked on the 2014 Sony hack, when North Korea cracked into the company’s servers and released emails and first-run movies. A year later, he was on the front lines when a suspected Kremlin-backed hacking team known as “Cozy Bear” stole, among other things, a trove of emails from the Democratic National Committee. WikiLeaks then released them in the runup to the 2016 election.

“We’re involved in all kinds of incidents around the globe every day,” Meyers said. Typically he directs teams, he doesn’t run them. But SolarWinds was different: “When I started getting briefed up, I realized [this] was actually quite a big deal.”

The attack began with a tiny strip of code. Meyers traced it back to Sept. 12, 2019. “This little snippet of code doesn’t do anything,” Meyers said. “It’s literally just checking to see which processor is running on the computer, if it is a 32- or 64-bit processor and if it is one or the other, it returns either a zero or a one.”

The code fragment, it turns out, was a proof of concept — a little trial balloon to see if it was possible to modify SolarWinds’ signed-and-sealed software code, get it published and then later see it in a downloaded version. And they realized they could. “So at this point, they know that they can pull off a supply chain attack,” Meyers said. “They know that they have that capability.”

After that initial success, the hackers disappeared for five months. When they returned in February 2020, Meyers said, they came armed with an amazing new implant that delivered a backdoor that went into the software itself before it was published.

To understand why that was remarkable, you need to know that finished software code has a kind of digital factory seal. If you break that seal, someone can see it and know that the code might have been tampered with. Meyers said the hackers essentially found a way to get under that factory seal.

They began by implanting code that told them any time someone on the SolarWinds development team was getting ready to build new software. They understood that the process of creating software or an update typically begins with something routine such as checking a code out of a digital repository, sort of like checking a book out of the library.

Under normal circumstances, developers take the code out of the repository, make changes and then check it back in. Once they finish tinkering, they initiate something called the build process, which essentially translates the code a human can read to the code a computer does. At that point, the code is clean and tested. What the hackers did after that was the trick.

They would create a temporary update file with the malicious code inside while the SolarWinds code was compiling. The hackers’ malicious code told the machine to swap in their temporary file instead of the SolarWinds version. “I think a lot of people probably assume that it is the source code that’s been modified,” Meyers said, but instead the hackers used a kind of bait-and-switch.

But this, Meyers said, was interesting, too. The hackers understood that companies such as SolarWinds typically audit code before they start building an update, just to make sure everything is as it should be. So they made sure that the switch to the temporary file happened at the last possible second, when the updates went from source code (readable by people) to executable code (which the computer reads) to the software that goes out to customers.

The technique reminded Meyers of old fears around trick-or-treating. For decades, there had been an urban myth that kids couldn’t eat any Halloween candy before checking the wrapper seal because bad people might have put razor blades inside. What the hackers did with the code, Meyers said, was a little like that.

“Imagine those Reese’s Peanut Butter Cups going into the package and just before the machine comes down and seals the package, some other thing comes in and slides a razor blade into your Reese’s Peanut Butter Cup,” he said. Instead of a razor blade, the hackers swapped the files so “the package gets sealed and it goes out the door to the store.”

The update that went out to SolarWinds’ customers was the dangerous peanut butter cup — the malicious version of the software included code that would give the hackers unfettered, undetected access to any Orion user who downloaded and deployed the update and was connected to the Internet.

But there was something else about that code that bothered Meyers: It wasn’t just for SolarWinds. “When we looked at [it], it could have been reconfigured for any number of software products,” Meyers said. In other words, any number of other software developers using the same compiler may also be on the receiving end of a cyberattack, he said, and they just don’t know it yet.
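The compile-time swap described above leaves the repository clean, so a source audit passes. One control that catches it is to snapshot the sources before the build and then rebuild the artifact independently: if the two builds disagree while the sources still match the snapshot, something between checkout and compile altered what the compiler saw. The following is an added example, not SolarWinds’, CrowdStrike’s or NPR’s code: a toy ‘compiler’ that concatenates source files, a hypothetical hook standing in for a process that swaps file contents as the compiler reads them, and a verifier that compares the shipped artifact against a clean rebuild. The file names, the hook and the artifact format are all constructed for the illustration.

```python
"""Build-integrity check against a compile-time file swap.
Added example; the compiler, hook and artifact format are constructed stand-ins,
not SolarWinds' build system or the implant described in the article."""
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Dict, Optional, Tuple

# A hook sees (path, bytes as read from disk) and returns the bytes the
# compiler will actually consume. None means an untampered build host.
SourceHook = Optional[Callable[[Path, bytes], bytes]]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_sources(src_dir: Path) -> Dict[str, str]:
    """Record the hash of every source file before the build starts."""
    return {p.name: sha256(p.read_bytes()) for p in sorted(src_dir.glob("*.src"))}


def compile_sources(src_dir: Path, hook: SourceHook = None) -> bytes:
    """Toy compiler: concatenate sources in a fixed order behind a header."""
    out = bytearray(b"ARTIFACT-V1\n")
    for p in sorted(src_dir.glob("*.src")):
        data = p.read_bytes()
        if hook is not None:
            data = hook(p, data)  # substitution happens after checkout, before emit
        out += b"--- " + p.name.encode() + b"\n" + data
    return bytes(out)


def verify_artifact(src_dir: Path, snapshot: Dict[str, str],
                    artifact: bytes) -> Tuple[bool, bool]:
    """Return (sources_unchanged, artifact_reproducible).

    sources_unchanged: the repository still matches the pre-build snapshot,
        which is all a source-only audit can tell you.
    artifact_reproducible: an independent, hook-free rebuild hashes to the
        same value as the artifact that was shipped."""
    sources_unchanged = snapshot_sources(src_dir) == snapshot
    reference = compile_sources(src_dir)  # clean rebuild, ideally on another host
    return sources_unchanged, sha256(reference) == sha256(artifact)


def malicious_hook(path: Path, data: bytes) -> bytes:
    """Hypothetical compile-time swap: hand the compiler a modified copy of one
    file while the original on disk is left untouched (constructed sample)."""
    if path.name == "updater.src":
        return data + b"\n# injected-at-compile-time (constructed sample)\n"
    return data


def run_demo() -> Tuple[bool, bool, bool, bool]:
    """Build once cleanly and once through the swap; return both verdicts as
    (clean_sources_ok, clean_reproducible, tampered_sources_ok, tampered_reproducible)."""
    with tempfile.TemporaryDirectory() as d:
        src = Path(d)
        (src / "core.src").write_bytes(b"def check(): return 'ok'\n")
        (src / "updater.src").write_bytes(b"def update(): return fetch()\n")
        snap = snapshot_sources(src)

        clean = compile_sources(src)
        clean_src_ok, clean_repro = verify_artifact(src, snap, clean)

        tampered = compile_sources(src, hook=malicious_hook)
        tampered_src_ok, tampered_repro = verify_artifact(src, snap, tampered)
    return clean_src_ok, clean_repro, tampered_src_ok, tampered_repro


if __name__ == "__main__":
    print(run_demo())  # (True, True, True, False)
```

The tampered build fails reproduction even though the sources on disk still match the snapshot, which is exactly the case a source-only audit misses. In a real pipeline the reference build runs on a separate, independently administered host, so that a compromise of the primary build machine cannot also compromise its witness.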

Picking and choosing targets

Meyers said it’s hard not to admire just how much thought the hackers put into this operation. Consider the way they identified targets. The downside of breaking into so many customer networks all at once is that it is hard to decide what to exploit first. So the hackers created a passive domain name server system that sent little messages with not just an IP address, which is just a series of numbers, but also with a thumbnail profile of a potential target.

“So they could then say, ‘OK, we’re going to go after this dot gov target or whatever,’ ” Meyers said. “I think later it became clear that there were a lot of government technology companies being targeted.”

The hackers also reverse-engineered the way Orion communicated with servers and built their own coding instructions mimicking Orion’s syntax and formats. What that did is allow the hackers to look like they were “speaking” Orion, so their message traffic looked like a natural extension of the software.

“So once they determined that a target was of interest, they could say, ‘OK, let’s go active, let’s manipulate files, let’s change something,’ ” Meyers said, and then they would slip in unnoticed through the backdoor they had created. “And there is one other thing I should mention: This backdoor would wait up to two weeks before it actually went active on the host. This was a very patient adversary.”

None of the tripwires put in place by private companies or the government seems to have seen the attack coming. Christopher Krebs, who had been in charge of the office that protected government networks at DHS during the Trump administration, told NPR that DHS’ current system, something known (without irony) as Einstein, only catches known threats. The SolarWinds breach, he said, was just “too novel.”

“Upwards of 90[%] to 95% of threats are based on known techniques, known cyberactivity,” Krebs explained. “And that’s not just criminal actors, that’s state actors, too, including the Russian intelligence agencies and the Russian military. This was a previously unidentified technique.”

And there is something else that Einstein doesn’t do: It doesn’t scan software updates. So even if the hackers had used code that Einstein would have recognized as bad, the system might not have seen it because it was delivered in one of those routine software updates.

The National Security Agency and the military’s U.S. Cyber Command were also caught flat-footed. Broadly speaking, their cyber operators sit in foreign networks looking for signs of cyberattacks before they happen. They can see suspicious activity in much the same way a satellite might see troops amassing on the border. Critics said they should have seen the hackers from the Russian intelligence service, the SVR, preparing this attack.

“The SVR has a pretty good understanding that the NSA is looking out,” Krebs said. “What the SVR was able to do was make the transition from wherever they were operating from into the U.S. networks. They move like ghosts. They are very hard to track.”

The hackers didn’t do anything fancy to give them the domestic footprint, officials confirmed. In fact, they just rented servers from Amazon and GoDaddy.

Early warnings

There were some indications, elsewhere, though, that something was wrong.

In early July, Steven Adair, the founder of a Washington, D.C.-based cybersecurity company called Volexity, saw some suspicious activity on a client’s computers. “We traced it back, and we thought it might be related to a bad update with SolarWinds,” Adair told NPR. “We addressed the problem, made sure no one was in our customers’ systems, and we left it at that.”

Adair said he didn’t feel he had enough detail to report the problem to SolarWinds or the U.S. government. “We thought we didn’t have enough evidence to reach out,” he said.

That was the first missed sign.

The second came three months later when a California-based cybersecurity company called Palo Alto Networks discovered a malicious backdoor that seemed to emanate from the Orion software.

In that case, according to SolarWinds’ Ramakrishna, the security teams at SolarWinds and Palo Alto worked together for three months to try to pick up the thread of the problem and walk it back. “None of us could pinpoint a supply chain attack at that point,” Ramakrishna told NPR. “The ticket got closed as a result of that. If we had the benefit of hindsight, we could have traced it back” to the hack.

Palo Alto Networks had agreed to speak to NPR about the incident last month and then canceled the interview just an hour before it was supposed to take place. A spokesperson declined to say why and sent a few blog posts and wrote: “I’m afraid this is all we have to help at this time.”

“Just 3,500 lines long”

It was the cybersecurity firm FireEye that finally discovered the intrusion. Mandia, the company’s CEO, used to be in the U.S. Air Force Office of Special Investigations, so his specialty was criminal cases and counterintelligence. In the intervening years, the kinds of patterns he learned to recognize in special investigations kept appearing in his cyber security work.

The first indication that hackers had found their way into FireEye’s networks came in an innocuous way. Someone on the FireEye security team had noticed that an employee appeared to have two phones registered on his network, so she called him. “And that phone call is when we realized, hey, this isn’t our employee registering that second phone, it was somebody else,” Mandia said.

Mandia had a security briefing a short time later and everything he heard reminded him of his previous work in the military. “There was a lot of pattern recognition from me,” he told NPR. “I spent from 1996 to 1998 responding to what I would equate to the Russian Foreign Intelligence Service, and there were some indicators in the first briefing that were consistent with my experience in the Air Force.”

He called a board meeting the same day. “It just felt like the breach that I was always worried about.”

What his team discovered over the course of several weeks was that not only was there an intruder in its network, but someone had stolen the arsenal of hacking tools FireEye uses to test the security of its own clients’ networks. FireEye called the FBI, put together a detailed report, and once it had determined the Orion software was the source of the problem, it called SolarWinds.

Brown, vice president of security at SolarWinds, took the Saturday morning phone call. “He said, ‘Essentially, we’ve decompiled your code. We found malicious code,’ ” Brown said. FireEye was sure SolarWinds “had shipped tainted code.”

The tainted code had allowed hackers into FireEye’s network, and there were bound to be others who were compromised, too. “We were hearing that different reporters had the scoop already,” Mandia said. “My phone actually rang from a reporter and that person knew and I went, OK, we’re in a race.”

Mandia thought they had about a day before the story would break.

After that, events seemed to speed up. SolarWinds’ chief security officer, Brown, called Ron Plesco, a lawyer at the firm DLA Piper, and told him what had happened. One of the first things companies tend to do after cyberattacks is hire lawyers, and they put them in charge of the investigation. They do this for a specific reason — it means everything they find is protected by attorney-client privilege and typically is not discoverable in court.

Plesco, who has made cybercrimes a specialty of his practice, knew that once the story broke it would be saying “to the world that, ready, set, go, come after it,” Plesco said. “So that puts you on an accelerated timeline on two fronts: Figure out what happened if you can and get a fix out as soon as possible.”

The company worked with DHS to craft a statement that went out on Dec. 13.

To investigate a hack, you have to secure a digital crime scene. Just as detectives in the physical world have to bag the evidence and dust for prints for the investigation later, SolarWinds had to pull together computer logs, make copies of files, ensure there was a recorded chain of custody, all while trying to ensure the hackers weren’t inside its system watching everything they did.

“I’ve been in situations where, while you’re in there doing the investigation, they’re watching your email, they’re compromising your phone calls or your Zooms,” Plesco said. “So they’re literally listening in on how you’re going to try to get rid of them.”

By mid-January, Meyers and the CrowdStrike team had isolated what they thought was the attack’s tiny beating heart. It was an elegant, encrypted little blob of code “just 3,500 lines long,” he said. The best code is short and to the point, like a well-written sentence. This little encrypted strip, Meyers thought, might help them figure out who was behind the attack.

Little blobs of clues

Think of forensic cyber teams as digital detectives looking for patterns. Coding tics can sometimes help identify perpetrators or sometimes forensic teams find small cultural artifacts — such as Persian script, or Korean hangul. When an elite Russian hacking team took over the electrical grid in Ukraine in 2015, it had more literary aspirations: It sprinkled its malicious code with references to Frank Herbert’s Dune novels. That’s why CrowdStrike found that little blob of malicious code so intriguing.

After weeks of working with the code, Meyers convened a Zoom call with leaders at SolarWinds and members of his team from around the world. He shared his screen so everyone could all watch the encryption fall away in real time. He began walking the spectators through the code as it was revealed, like a play-by-play analysis of a game. Meyers kept watching for the big reveal. “We’re hoping it’s going to have, you know, variable names or maybe some comments in Cyrillic or Mandarin to give us some clue who wrote this thing,” he said.

But as CrowdStrike’s decryption program chewed its way through the zeroes and ones, Meyers’ heart sank. The crime scene was a bust. It had been wiped down. “They’d washed the code,” Meyers said. “They’d cleaned it of any human artifact or tool mark. And that was kind of mind-blowing that [they] had the wherewithal to hide anything that a human might have inadvertently left behind as a clue.”

Holy s***, he thought to himself, who does that?

...

Bigger attacks

“It’s one of the most effective cyber-espionage campaigns of all time,” said Alex Stamos, director of the Internet Observatory at Stanford University and the former head of security at Facebook. “In doing so, they demonstrated not just technical acumen, but the way they did this demonstrated that they understand how tech companies operate, how software companies operate. ... This certainly is going to change the way that large enterprises think about the software they install and think about how they handle updates.”

Intel­li­gence ana­lysts, already years ahead of the rest of us, are paid to imag­ine the dark­est of sce­nar­ios. What if the hack­ers plant­ed the seeds of future attacks dur­ing that nine months they explored Solar­Winds’ cus­tomer net­works — did they hide code for back­doors that will allow them to come and go as they please at a time of their choos­ing? When hack­ers shut down the Ukraine’s pow­er grid in 2015 and dis­abled a Sau­di refin­ery with com­put­er code a year lat­er, they showed it was pos­si­ble to jump from a cor­po­rate net­work to sys­tem con­trols. Will we find out lat­er that the Solar­Winds hack set the stage for some­thing more sin­is­ter?

Even if this was just an espi­onage oper­a­tion, FireEye’s Man­dia said, the attack on Solar­Winds is an inflec­tion point. “We ... kind of mapped out the evo­lu­tion of threats and cyber,” he said. “And we would have land­ed at this day soon­er or lat­er, that at some point in time, soft­ware that many com­pa­nies depend on is going to get tar­get­ed and it’s going to lead to exact­ly what it led to,” Man­dia said. “But to see it hap­pen, that’s where you have a lit­tle bit of shock and sur­prise. OK, it’s here now, nations are tar­get­ing [the] pri­vate sec­tor, there’s no mag­ic wand you can shake. ... It’s a real com­plex issue to solve.”

...

“This was an intel­li­gence col­lec­tion oper­a­tion meant to steal infor­ma­tion, and it’s not the last time that’s going to hap­pen,” Crowd­Strike’s Mey­ers warned. “This is going to hap­pen every day. ... And I think there’s a lot that we all need to do to work togeth­er to stop this from hap­pen­ing.”

———–

“A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack” by Dina Temple-Raston; National Public Radio; 04/16/2021

“The SolarWinds attackers ran a master class in novel hacking techniques. They modified sealed software code, created a system that used domain names to select targets and mimicked the Orion software communication protocols so they could hide in plain sight. And then, they did what any good operative would do: They cleaned the crime scene so thoroughly investigators can’t prove definitively who was behind it. The White House has said unequivocally that Russian intelligence was behind the hack. Russia, for its part, has denied any involvement.”

A hacker master class. They were so smooth they wiped the crime scene of any evidence that could definitively prove who did it. The US government nonetheless has said unequivocally that Russian intelligence was behind the hack. Without delay. Funny how that works.

And with that unequivocal attribution came new US sanctions against Russia in retaliation for a hack that was so massive even the Cybersecurity and Infrastructure Security Agency got hacked:

...
On Thursday, the Biden administration announced a roster of tough sanctions against Russia as part of what it characterized as the “seen and unseen” response to the SolarWinds breach.

...

For that reason, Ramakrishna figures the Russians successfully compromised about 100 companies and about a dozen government agencies. The companies included Microsoft, Intel and Cisco; the list of federal agencies so far includes the Treasury, Justice and Energy departments and the Pentagon.

The hackers also found their way, rather embarrassingly, into the Cybersecurity and Infrastructure Security Agency, or CISA — the office at the Department of Homeland Security whose job it is to protect federal computer networks from cyberattacks.
...

And note who led this investigation into the SolarWinds hack: Adam Meyers, the vice president for threat intelligence at the cybersecurity firm CrowdStrike. Our understanding of the SolarWinds hack is largely controlled by CrowdStrike, the firm that pioneered the contemporary “pattern recognition” cyberattribution paradigm. It’s one of the many clues that this investigation is compromised:

...
Network monitoring software is a key part of the backroom operations we never see. Programs like Orion allow information technology departments to look on one screen and check their whole network: servers or firewalls, or that printer on the fifth floor that keeps going offline. By its very nature, it touches everything — which is why hacking it was genius.

“It’s really your worst nightmare,” Tim Brown, vice president of security at SolarWinds, said recently. “You feel a kind of horror. This had the potential to affect thousands of customers; this had the potential to do a great deal of harm.”

...

“The tradecraft was phenomenal,” said Adam Meyers, who led the cyber forensics team that pawed through that tainted update on behalf of SolarWinds, providing details for the first time about what they found. The code was elegant and innovative, he said, and then added, “This was the craziest f***ing thing I’d ever seen.”

Like razor blades in peanut butter cups

Meyers is the vice president for threat intelligence at the cybersecurity firm CrowdStrike, and he’s seen epic attacks up close. He worked on the 2014 Sony hack, when North Korea cracked into the company’s servers and released emails and first-run movies. A year later, he was on the front lines when a suspected Kremlin-backed hacking team known as “Cozy Bear” stole, among other things, a trove of emails from the Democratic National Committee. WikiLeaks then released them in the runup to the 2016 election.

“We’re involved in all kinds of incidents around the globe every day,” Meyers said. Typically he directs teams, he doesn’t run them. But SolarWinds was different: “When I started getting briefed up, I realized [this] was actually quite a big deal.”
...

So what kind of evidence would have revealed the identities of these hackers, the evidence that Meyers and the other people working on this case were looking for but never found? This is the part of the article where we get confirmation that it’s as stupid as we should have suspected. Because in the words of Meyers, a big part of what they found really frustrating — and shocking — about this case was the lack of ‘a big reveal’ that suddenly makes clear who was behind it. What kind of ‘big reveal’? As Meyers put it, “We’re hoping it’s going to have, you know, variable names or maybe some comments in Cyrillic or Mandarin to give us some clue who wrote this thing.” That’s what is considered a ‘big reveal’ by the CrowdStrike figure leading the investigation. The most obvious, most easily planted ‘clues’. That’s what they were keenly looking out for in order to confidently make an attribution. But these devious super-hackers managed to ‘wash the code’ of any human artifact, a move described as “mind-blowing” by Meyers. It’s that stupid.

It’s also the kind of anecdote that doesn’t just raise massive questions about the veracity of the SolarWinds investigation but about basically every other cyber investigation taking place these days. Could the entire industry be operating in this manner? Making conclusions based on a Cyrillic or Mandarin ‘big reveal’? Even after the Vault7 leak in 2017 demonstrated to the world that the CIA uses hacking tools built to leave ‘clues’ like Cyrillic and Mandarin characters. It really is playing dumb professionally.

Don’t forget that businesses like CrowdStrike and FireEye aren’t just paid to remove malware and protect networks. They’re paid to name culprits too, ideally. Keep that in mind when assessing the credibility of this investigation. But also keep in mind that it was CrowdStrike that blazed the trail in the cyberattribution industry over the last decade of simply naming nation-states like China or Russia as the culprit for hacks without evidence, as a means of addressing the fact that hacks are the type of crime that criminals can, in theory, execute in a fool-proof manner without leaving evidence. Confidently declaring that a geopolitical adversary like Russia, China, or North Korea was behind a hack based on ‘pattern recognition’ and ‘educated guesses’ is as good a service as the cybersecurity industry can provide. Cyberattributions are a real geopolitical tool/weapon and these companies offer those attributions as a commercial service. So that’s the service the world is getting: educated guesses passed off as confident attributions based on ‘big reveal’ clues like Mandarin or Cyrillic in the code. Yes, that stupid. Professionally.

Also keep in mind that when CrowdStrike’s Adam Meyers marveled at how these hackers left no trace of Cyrillic or Mandarin, he was marveling over that intentionally compact 3,500-line piece of code. As if they were going to put the ‘big reveal’ in their ultra-compact code. It raises the question of how often cybersecurity companies like CrowdStrike or FireEye really do find a ‘big reveal’ like Cyrillic or Mandarin in the code of malware they’re investigating. Because it wouldn’t be surprising if hackers just routinely slip that in there at this point. Why not? It’s a surefire way to ensure your hack will get blamed on Russia or China. Maybe Iran if you use Persian. The folks at CrowdStrike will clearly be swayed by your ‘big reveal’ clues:

...
It was the cybersecurity firm FireEye that finally discovered the intrusion. Mandia, the company’s CEO, used to be in the U.S. Air Force Office of Special Investigations, so his specialty was criminal cases and counterintelligence. In the intervening years, the kinds of patterns he learned to recognize in special investigations kept appearing in his cyber security work.

The first indication that hackers had found their way into FireEye’s networks came in an innocuous way. Someone on the FireEye security team had noticed that an employee appeared to have two phones registered on his network, so she called him. “And that phone call is when we realized, hey, this isn’t our employee registering that second phone, it was somebody else,” Mandia said.

Mandia had a security briefing a short time later and everything he heard reminded him of his previous work in the military. “There was a lot of pattern recognition from me,” he told NPR. “I spent from 1996 to 1998 responding to what I would equate to the Russian Foreign Intelligence Service, and there were some indicators in the first briefing that were consistent with my experience in the Air Force.”

He called a board meeting the same day. “It just felt like the breach that I was always worried about.”

...

By mid-January, Meyers and the CrowdStrike team had isolated what they thought was the attack’s tiny beating heart. It was an elegant, encrypted little blob of code “just 3,500 lines long,” he said. The best code is short and to the point, like a well-written sentence. This little encrypted strip, Meyers thought, might help them figure out who was behind the attack.

Little blobs of clues

Think of forensic cyber teams as digital detectives looking for patterns. Coding tics can sometimes help identify perpetrators or sometimes forensic teams find small cultural artifacts — such as Persian script, or Korean hangul. When an elite Russian hacking team took over the electrical grid in Ukraine in 2015, it had more literary aspirations: It sprinkled its malicious code with references to Frank Herbert’s Dune novels. That’s why CrowdStrike found that little blob of malicious code so intriguing.

After weeks of working with the code, Meyers convened a Zoom call with leaders at SolarWinds and members of his team from around the world. He shared his screen so everyone could watch the encryption fall away in real time. He began walking the spectators through the code as it was revealed, like a play-by-play analysis of a game. Meyers kept watching for the big reveal. “We’re hoping it’s going to have, you know, variable names or maybe some comments in Cyrillic or Mandarin to give us some clue who wrote this thing,” he said.

But as CrowdStrike’s decryption program chewed its way through the zeroes and ones, Meyers’ heart sank. The crime scene was a bust. It had been wiped down. “They’d washed the code,” Meyers said. “They’d cleaned it of any human artifact or tool mark. And that was kind of mind-blowing that [they] had the wherewithal to hide anything that a human might have inadvertently left behind as a clue.”

Holy s***, he thought to himself, who does that?
...

Now, it’s worth pointing out that there have actually been some Russian-language artifacts apparently left by the SolarWinds hackers. That was in a report published by cybersecurity company Prodaft, which analyzed a command-and-control (C&C) server used in the SolarWinds hack. On that server they found an organization management forum used by the teams of hackers where various hacked targets were discussed for their potential value. Keep in mind they hacked something like 18,000 organizations at once with the hack, so whoever pulled this off probably really did have to have teams of hackers coordinating their efforts somewhere. In that report, where they call the group “SilverFish” instead of Nobelium, they state: “When taking its first look inside the C&C server, the PTI Team observed that main dashboard of the SilverFish C&C panel features a section named “Active Teams”, involving several comments entered by different user groups such as Team 301, Team 302, etc. Such a design indicates that this infrastructure is meant for multiple teams. Most comments entered by attackers for each victim are mostly in English and Russian and include urban slang.” So we can actually state that the hackers did leave behind English and Russian in their team organization software. And given how important these kinds of ‘clues’ are in making attributions, it wouldn’t be surprising if those Russian comments on that server are a major part of what the ‘Russia did it’ attribution is based on. But it was the kind of evidence the hackers had to realize was left out in the open, at least once the server was seized by authorities, a scenario they had to realize was very possible. It happened, after all. Keep in mind this was the biggest hack ever and these are clearly experienced hackers.
They must realize command-and-control servers might be found by investigators, which means comments made on that forum are going to be made with the realization that artifacts like the language the comments are written in could later be used for attribution purposes. These kinds of ‘clues’ play a huge role in modern cyberattribution, as Meyers made abundantly clear with his dismay at the lack of a ‘cultural artifact’ to base his attribution on. And as the CIA’s hacking tool-kit, with its Russian and Chinese language artifact-leaving features, exposed by the ShadowBroker leak made abundantly clear. These little language clues are stupidly taken very seriously and the cyberattribution industry doesn’t even hide it. So did the super sophisticated hacking group that pulled off the biggest hack ever leave their Russian language clues consciously or without realizing it? That’s what we are being asked to believe, although it’s not actually clear if the Russian language comments left in this command-and-control forum were the primary basis for the attribution of the SolarWinds hack to Russia (as opposed to China), because we still have no idea what the attribution was ultimately based on. It’s faith-based.

But there are technical details about that attack that are more than just speculation: We are told that the attack effectively began on Sept. 12, 2019, when someone appeared to execute a proof-of-concept trial run of the plan that merely injected an innocuous snippet of code into the SolarWinds update package. The hackers were testing whether or not the code could be inserted into the next SolarWinds update and distributed to its customer networks without SolarWinds detecting it, and they accomplished this feat by injecting the code at the very last opportunity — during the compilation process — which effectively bypassed all of the standard security measures deployed by SolarWinds to ensure only the intended code is delivered to its thousands of customers. It was a successful proof-of-concept test. The innocuous update was delivered to SolarWinds’s clients around the world. Five months later, in February of 2020, the hackers returned to repeat the trick with malicious code that inserted a compact 3,500-line payload that introduced a backdoor into the SolarWinds software itself on the clients’ systems. A backdoor that could be remotely accessed. That’s how the hackers turned the hack of SolarWinds into the mega-hack of thousands of corporations and government agencies. The only thing holding back the hackers was the abundance of opportunity and the limitations of time.

So we have a decent understanding of how this attack worked technically and when it happened, but no clue who did it. No ‘big reveal’ clue was left in the code and they somehow managed to avoid leaving any Cyrillic or Mandarin elsewhere on the SolarWinds network during this long period of time when the hackers clearly had deep access. But despite all that, they’re pretty sure it was Russia. It’s how cyberattribution works in the modern age. Gut feelings about the culprit. Reading the digital tea leaves, arriving at a gut feeling about the culprit and then confidently declaring it to the world. Or just making it up and confidently declaring it to the world. Confident declarations are the important part. The underlying facts the declarations are based on, not so much:

...
The attack began with a tiny strip of code. Meyers traced it back to Sept. 12, 2019. “This little snippet of code doesn’t do anything,” Meyers said. “It’s literally just checking to see which processor is running on the computer, if it is a 32- or 64-bit processor and if it is one or the other, it returns either a zero or a one.”

The code fragment, it turns out, was a proof of concept — a little trial balloon to see if it was possible to modify SolarWinds’ signed-and-sealed software code, get it published and then later see it in a downloaded version. And they realized they could. “So at this point, they know that they can pull off a supply chain attack,” Meyers said. “They know that they have that capability.”

After that initial success, the hackers disappeared for five months. When they returned in February 2020, Meyers said, they came armed with an amazing new implant that delivered a backdoor that went into the software itself before it was published.

To understand why that was remarkable, you need to know that finished software code has a kind of digital factory seal. If you break that seal, someone can see it and know that the code might have been tampered with. Meyers said the hackers essentially found a way to get under that factory seal.

They began by implanting code that told them any time someone on the SolarWinds development team was getting ready to build new software. They understood that the process of creating software or an update typically begins with something routine such as checking code out of a digital repository, sort of like checking a book out of the library.

Under normal circumstances, developers take the code out of the repository, make changes and then check it back in. Once they finish tinkering, they initiate something called the build process, which essentially translates the code a human can read to the code a computer does. At that point, the code is clean and tested. What the hackers did after that was the trick.

They would create a temporary update file with the malicious code inside while the SolarWinds code was compiling. The hackers’ malicious code told the machine to swap in their temporary file instead of the SolarWinds version. “I think a lot of people probably assume that it is the source code that’s been modified,” Meyers said, but instead the hackers used a kind of bait-and-switch.

But this, Meyers said, was interesting, too. The hackers understood that companies such as SolarWinds typically audit code before they start building an update, just to make sure everything is as it should be. So they made sure that the switch to the temporary file happened at the last possible second, when the updates went from source code (readable by people) to executable code (which the computer reads) to the software that goes out to customers.
...
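The defensive counterpart of the compile-time swap just described, as an added example that is not code from the NPR article, SolarWinds or CrowdStrike: fingerprint the audited source tree, re-verify every input at the moment the compiler reads it, and hash the inputs in a fixed order so an independent rebuild on a separate host can confirm the artifact digest. The source tree, file names and the swapped-in contents are all constructed for this example.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a source tree a developer checks out, audits, and
# then builds. File names and contents are invented for this example.
CLEAN_SOURCES = {
    "Orion/Core/Program.cs": "class Program { static void Main() { Poller.Run(); } }\n",
    "Orion/Core/Poller.cs": "static class Poller { static void Run() { /* poll hosts */ } }\n",
}

# Constructed stand-in for the temporary file swapped in during compilation:
# same path, different bytes, never seen by the pre-build audit.
SWAPPED_POLLER = CLEAN_SOURCES["Orion/Core/Poller.cs"] + "/* unaudited code inserted at compile time */\n"


def write_tree(root: str, files: dict) -> None:
    """Materialise {relative path: text} under root."""
    for rel, text in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)


def fingerprint_tree(root: str) -> dict:
    """Audit-time manifest: relative path -> SHA-256 of every file under root.
    In practice this manifest is signed and kept off the build host, so a
    compromised builder cannot quietly rewrite it."""
    manifest = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def verify_inputs(root: str, manifest: dict) -> list:
    """Re-hash the tree at compile time and diff it against the audit manifest.
    Returns sorted (relative path, problem) pairs; an empty list means every
    input the compiler is about to read is byte-for-byte what was audited."""
    current = fingerprint_tree(root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in current:
            problems.append((rel, "missing"))
        elif current[rel] != digest:
            problems.append((rel, "modified after audit"))
    for rel in current:
        if rel not in manifest:
            problems.append((rel, "not in audited manifest"))
    return sorted(problems)


def build(root: str, manifest: dict) -> str:
    """Toy 'compiler': refuses to emit an artifact unless the inputs still match
    the audit manifest, then hashes the inputs in a fixed order so that an
    independent rebuild on another host yields the same artifact digest."""
    problems = verify_inputs(root, manifest)
    if problems:
        raise RuntimeError(f"build aborted, inputs changed after audit: {problems}")
    artifact = hashlib.sha256()
    for rel in sorted(manifest):
        with open(os.path.join(root, *rel.split("/")), "rb") as fh:
            artifact.update(rel.encode() + b"\0" + fh.read() + b"\0")
    return artifact.hexdigest()


def simulate(swap_at_compile_time: bool):
    """Audit -> (optional last-second swap) -> build, in a fresh temp tree.
    Returns ("ok", artifact digest) or ("blocked", list of problems)."""
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, CLEAN_SOURCES)
        manifest = fingerprint_tree(root)  # the pre-build code audit
        if swap_at_compile_time:
            # The swap lands after the audit and just before compilation, the
            # window the NPR account describes; the repository itself is untouched.
            write_tree(root, {"Orion/Core/Poller.cs": SWAPPED_POLLER})
        try:
            return ("ok", build(root, manifest))
        except RuntimeError:
            return ("blocked", verify_inputs(root, manifest))


if __name__ == "__main__":
    print(simulate(False))  # ('ok', '<64-hex digest>')
    print(simulate(True))   # ('blocked', [('Orion/Core/Poller.cs', 'modified after audit')])
```

A checker that runs on an already compromised build host can itself be tampered with, which is why the reproducible digest compared against a rebuild on a separate machine is the stronger of the two controls.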

Then there’s the ominous observation they made about the malware that surreptitiously slipped the backdoor into the Orion client update software: the malware that added the backdoor at the last moment during the compilation process “could have been reconfigured for any number of software products” that rely on the same compiler, raising the distinct possibility of this same attack being used against other software developers. All the hackers would need is access to the developers’ computers when they’re compiling the code. And what did they gain from the SolarWinds hack? Backdoors onto the network of every SolarWinds client. In other words, not only can the hackers use this same compiler trick to embed backdoors in other developers’ software, but they gained the incredible opportunity to do exactly that from the SolarWinds hack. Thousands of SolarWinds clients were undoubtedly developing their own software using the same compiler and the hackers could have deployed the same trick. Maybe they embed a backdoor. Maybe something else. It’s an ominous observation and part of the reason the identities of the real hackers really are a serious global concern. Whoever did this had the opportunity to plant the seeds of something orders of magnitude more devastating involving a wide array of different software tools being developed around the world:

...
But there was something else about that code that bothered Meyers: It wasn’t just for SolarWinds. “When we looked at [it], it could have been reconfigured for any number of software products,” Meyers said. In other words, any number of other software developers using the same compiler may also be on the receiving end of a cyberattack, he said, and they just don’t know it yet.

...

The hackers also reverse-engineered the way Orion communicated with servers and built their own coding instructions mimicking Orion’s syntax and formats. What that did is allow the hackers to look like they were “speaking” Orion, so their message traffic looked like a natural extension of the software.

“So once they determined that a target was of interest, they could say, ‘OK, let’s go active, let’s manipulate files, let’s change something,’ ” Meyers said, and then they would slip in unnoticed through the backdoor they had created. “And there is one other thing I should mention: This backdoor would wait up to two weeks before it actually went active on the host. This was a very patient adversary.”

None of the tripwires put in place by private companies or the government seems to have seen the attack coming. Christopher Krebs, who had been in charge of the office that protected government networks at DHS during the Trump administration, told NPR that DHS’ current system, something known (without irony) as Einstein, only catches known threats. The SolarWinds breach, he said, was just “too novel.”
...

And note the timing here in the lead-up to the December 13, 2020, public announcement by SolarWinds acknowledging the hack: We are told that the first clue something was up came in early July 2020, when Volexity found suspicious activity on a client’s computer traced back to an update with SolarWinds. We’re then told the second clue came several months later when Palo Alto Networks contacted SolarWinds about a malicious backdoor that appeared to be emanating from the Orion software. SolarWinds then tells us the company worked with Palo Alto Networks for several months before giving up and closing the ticket. If that’s all true, that ticket must have been closed just days before FireEye contacted SolarWinds about its ominous discovery. Because if the first call from Palo Alto Networks came ‘several months’ after an ‘early July’ first tip from Volexity, that call would have had to be around mid-to-late September to early October if we interpret ‘several months’ to be 10–13 weeks. And if Palo Alto Networks and SolarWinds then spent another ‘several months’ studying the problem before giving up, that would put the ‘giving up’ point at early December at the earliest. So when exactly did that ticket get closed in relation to FireEye’s tip about the larger hack? SolarWinds didn’t tell us and Palo Alto Networks isn’t talking:

...
In early July, Steven Adair, the founder of a Washington, D.C.-based cybersecurity company called Volexity, saw some suspicious activity on a client’s computers. “We traced it back, and we thought it might be related to a bad update with SolarWinds,” Adair told NPR. “We addressed the problem, made sure no one was in our customers’ systems, and we left it at that.”

Adair said he didn’t feel he had enough detail to report the problem to SolarWinds or the U.S. government. “We thought we didn’t have enough evidence to reach out,” he said.

That was the first missed sign.

The second came three months later when a California-based cybersecurity company called Palo Alto Networks discovered a malicious backdoor that seemed to emanate from the Orion software.

In that case, according to SolarWinds’ Ramakrishna, the security teams at SolarWinds and Palo Alto worked together for three months to try to pick up the thread of the problem and walk it back. “None of us could pinpoint a supply chain attack at that point,” Ramakrishna told NPR. “The ticket got closed as a result of that. If we had the benefit of hindsight, we could have traced it back” to the hack.

Palo Alto Networks had agreed to speak to NPR about the incident last month and then canceled the interview just an hour before it was supposed to take place. A spokesperson declined to say why and sent a few blog posts and wrote: “I’m afraid this is all we have to help at this time.”
...

All in all, it’s hard to say that the NPR piece should make readers feel confident that hacks like this aren’t going to happen again. Even when the hack was detected on client systems and investigations were started, they still couldn’t find it. Only FireEye, itself a top-tier security firm, was able to detect it on its own systems, and all indications are the hack would be ongoing today had FireEye not found it.

The Atlantic Council Confirms The SolarWinds Hackers Could Spoof Microsoft Credentials. Microsoft Blames Clients

And just a week after that NPR piece, we got another big reminder that the SolarWinds hack wasn’t just a giant hack of the SolarWinds company. It was a giant hack of Microsoft’s products. That was the message in a new report put out by The Atlantic Council, which appeared to confirm what Microsoft had long been denying: Once the hackers used those backdoors to gain access to victims’ networks, they continued to exploit more vulnerabilities. In particular, Microsoft vulnerabilities involving how Microsoft products validate user identities. Now, part of the reason Microsoft vulnerabilities were heavily targeted was because, well, these vulnerabilities exist. But as the report notes, the other big reason Microsoft was targeted so heavily is that Microsoft has more than 85% of the market share for government and industry. In other words, the juiciest targets — especially government agencies — were almost all running Microsoft tools on their networks.

So what was Microsoft’s response to the Atlantic Council report? Microsoft continued to deflect blame, suggesting that poorly configured software on the clients’ side was the cause. But according to Senator Ron Wyden, the software Microsoft supplies to US federal agencies is itself poorly configured, with default log settings that won’t capture the information needed to catch attacks while they’re in progress. As we can see, the SolarWinds blame game is increasingly becoming Microsoft vs. the World:

Associated Press

SolarWinds hacking campaign puts Microsoft in the hot seat

By FRANK BAJAK
April 23, 2021

BOSTON (AP) — The sprawling hacking campaign deemed a grave threat to U.S. national security came to be known as SolarWinds, for the company whose software update was seeded by Russian intelligence agents with malware to penetrate sensitive government and private networks.

Yet it was Microsoft whose code the cyber spies persistently abused in the campaign’s second stage, rifling through emails and other files of such high-value targets as then-acting Homeland Security chief Chad Wolf — and hopping undetected among victim networks.

This has put the world’s third-most valuable company in the hot seat. Because its products are a de facto monoculture in government and industry — with more than 85% market share — federal lawmakers are insisting that Microsoft swiftly upgrade security to what they say it should have provided in the first place, and without fleecing taxpayers.

Seeking to assuage concerns, Microsoft this past week offered all federal agencies a year of “advanced” security features at no extra charge. But it also seeks to deflect blame, saying it is customers who do not always make security a priority.

Risks in Microsoft’s foreign dealings also came into relief when the Biden administration imposed sanctions Thursday on a half-dozen Russian IT companies it said support Kremlin hacking. Most prominent was Positive Technologies, which was among more than 80 companies that Microsoft has supplied with early access to data on vulnerabilities detected in its products. Following the sanctions announcement, Microsoft said Positive Tech was no longer in the program and removed its name from a list of participants on its website.

The SolarWinds hackers took full advantage of what George Kurtz, CEO of top cybersecurity firm CrowdStrike, called “systematic weaknesses” in key elements of Microsoft code to mine at least nine U.S. government agencies — the departments of Justice and Treasury, among them — and more than 100 private companies and think tanks, including software and telecommunications providers.

The SolarWinds hackers’ abuse of Microsoft’s identity and access architecture — which validates users’ identities and grants them access to email, documents and other data — did the most dramatic harm, the nonpartisan Atlantic Council think tank said in a report. That set the hack apart as “a widespread intelligence coup.” In nearly every case of post-intrusion mischief, the intruders “silently moved through Microsoft products” vacuuming up emails and files from dozens of organizations.

Thanks in part to the carte blanche that victim networks granted the infected Solarwinds network management software in the form of administrative privileges, the intruders could move laterally across them, even jump among organizations. They used it to sneak into the cybersecurity firm Malwarebytes and to target customers of Mimecast, an email security company.

The campaign’s “hallmark” was the intruders’ ability to impersonate legitimate users and create counterfeit credentials that let them grab data stored remotely by Microsoft Office, the acting director of the Cybersecurity Infrastructure and Security Agency, Brandon Wales, told a mid-March congressional hearing. “It was all because they compromised those systems that manage trust and identity on networks,” he said.

Microsoft President Brad Smith told a February congressional hearing that just 15% of victims were compromised through an authentication vulnerability first identified in 2017 — allowing the intruders to impersonate authorized users by minting the rough equivalent of counterfeit passports.

Microsoft officials stress that the SolarWinds update was not always the entry point; intruders sometimes took advantage of vulnerabilities such as weak passwords and victims’ lack of multi-factor authentication. But critics say the company took security too lightly. Sen. Ron Wyden, D-Ore., verbally pummeled Microsoft for not supplying federal agencies with a level of “event logging” that, if it had not detected the SolarWinds hacking in progress, would at least have provided responders with a record of where the intruders were and what they saw and removed.

“Microsoft chooses the default settings in the software it sells, and even though the company knew for years about the hacking technique used against U.S. government agencies, the company did not set default logging settings to capture information necessary to spot hacks in progress,” Wyden said. He was not the only federal lawmaker who complained.

When Microsoft on Wednesday announced a year of free security logging for federal agencies, for which it normally charges a premium, Wyden was not appeased.

“This move is far short of what’s needed to make up for Microsoft’s recent failures,” he said in a statement. “The government still won’t have access to important security features without handing over even more money to the same company that created this cybersecurity sinkhole.”

...

Even the highest level of logging doesn’t prevent break-ins, though. It only makes it easier to detect them.

And remember, many security professionals note, Microsoft was itself compromised by the SolarWinds intruders, who got access to some of its source code — its crown jewels. Microsoft’s full suite of security products — and some of the industry’s most skilled cyber-defense practitioners — had failed to detect the ghost in the network. Not until alerted to the hacking campaign by FireEye, the cybersecurity firm that detected it in mid-December, did Microsoft responders discover the related breach of their systems.

The intruders in the unrelated hack of Microsoft Exchange email servers disclosed in March — blamed on Chinese spies — used wholly different infection methods. But they gained immediate high-level access to users’ email and other info.

Across the industry, Microsoft’s investments in security are widely acknowledged. It is often first to identify major cybersecurity threats, its visibility into networks is so great. But many argue that as the chief supplier of security solutions for its products, it needs to be more mindful about how much it should profit off defense.

“The crux of it is that Microsoft is selling you the disease and the cure,” said Marc Maiffret, a cybersecurity veteran who built a career finding vulnerabilities in Microsoft products and has a new startup in the works called BinMave.

Last month, Reuters reported that a $150 million payment to Microsoft for a “secure cloud platform” was included in a draft outline for spending the $650 million appropriated for the Cybersecurity and Infrastructure Security Agency in last month’s $1.9 trillion pandemic relief act.

A Microsoft spokesperson would not say how much, if any, of that money it would be getting, referring the question to the cybersecurity agency. An agency spokesman, Scott McConnell, would not say either. Langevin said he didn’t think a final decision has been made.

In the budget year ending in September, the federal government spent more than half a billion dollars on Microsoft software and services.

Many security experts believe Microsoft’s single sign-on model, emphasizing user convenience over security, is ripe for retooling to reflect a world where state-backed hackers now routinely run roughshod over U.S. networks.

Alex Weinert, Microsoft’s director of identity security, said it offers various ways for customers to strictly limit users’ access to what they need to do their jobs. But getting customers to go along can be difficult because it often means abandoning three decades of IT habit and disrupting business. Customers tend to configure too many accounts with the broad global administrative privileges that allowed the SolarWinds campaign abuses, he said. “It’s not the only way they can do it, that’s for sure.”

In 2014–2015, lax restrictions on access helped Chinese spies steal sensitive personal data on more than 21 million current, former and prospective federal employees from the Office of Personnel Management.

Curtis Dukes was the National Security Agency’s head of information assurance at the time.

The OPM shared data across multiple agencies using Microsoft’s authentication architecture, granting access to more users than it safely should have, said Dukes, now the managing director for the nonprofit Center for Internet Security.

“People took their eye off the ball.”

———–

“SolarWinds hacking campaign puts Microsoft in the hot seat” by FRANK BAJAK; Associated Press; 04/23/2021

“This has put the world’s third-most valuable company in the hot seat. Because its products are a de facto monoculture in government and industry — with more than 85% market share — federal lawmakers are insisting that Microsoft swiftly upgrade security to what they say it should have provided in the first place, and without fleecing taxpayers.”

If you want to hack the US government, be ready to hack Microsoft products. That’s the undeniable reality. Microsoft is basically the software supplier for the US government and other governments around the world. So it should come as no surprise to learn that the second phase of the SolarWinds hack was basically the exploitation of Microsoft product weaknesses after the hackers gained access to client networks. In particular, vulnerabilities in Microsoft’s identity and access architecture, which validates users’ identities and grants them access to email, documents and other data. The SolarWinds hackers were repeatedly impersonating legitimate users and creating counterfeit credentials that let them grab data stored remotely by Microsoft Office. So the SolarWinds hack didn’t just involve the pilfering of victims’ networks but also of the data stored remotely and accessible through Microsoft Office. Those sound like some massive vulnerabilities. The SolarWinds hack wasn’t just the creation and exploitation of backdoors placed on 18,000 client networks. It was the exploitation of the information stored remotely via Microsoft Office for those clients too:

...
The SolarWinds hackers took full advantage of what George Kurtz, CEO of top cybersecurity firm CrowdStrike, called “systematic weaknesses” in key elements of Microsoft code to mine at least nine U.S. government agencies — the departments of Justice and Treasury, among them — and more than 100 private companies and think tanks, including software and telecommunications providers.

The SolarWinds hackers’ abuse of Microsoft’s identity and access architecture — which validates users’ identities and grants them access to email, documents and other data — did the most dramatic harm, the nonpartisan Atlantic Council think tank said in a report. That set the hack apart as “a widespread intelligence coup.” In nearly every case of post-intrusion mischief, the intruders “silently moved through Microsoft products” vacuuming up emails and files from dozens of organizations.

Thanks in part to the carte blanche that victim networks granted the infected Solarwinds network management software in the form of administrative privileges, the intruders could move laterally across them, even jump among organizations. They used it to sneak into the cybersecurity firm Malwarebytes and to target customers of Mimecast, an email security company.

The campaign’s “hallmark” was the intruders’ ability to impersonate legitimate users and create counterfeit credentials that let them grab data stored remotely by Microsoft Office, the acting director of the Cybersecurity Infrastructure and Security Agency, Brandon Wales, told a mid-March congressional hearing. “It was all because they compromised those systems that manage trust and identity on networks,” he said.
...

But it gets worse for Microsoft, because the hackers didn’t simply exploit vulnerabilities in Microsoft’s products. They also rifled through Microsoft’s treasured source code looking for the code that validates users’ identities and grants them access to email, documents, and other data. So these super-hackers likely learned how to become even more super. At least more super against Microsoft:

...
And remember, many security professionals note, Microsoft was itself compromised by the SolarWinds intruders, who got access to some of its source code — its crown jewels. Microsoft’s full suite of security products — and some of the industry’s most skilled cyber-defense practitioners — had failed to detect the ghost in the network. Not until alerted to the hacking campaign by FireEye, the cybersecurity firm that detected it in mid-December, did Microsoft responders discover the related breach of their systems.
...

But perhaps worst of all is how long these security deficiencies have been plaguing Microsoft. This isn’t a new problem. Which is why it’s so problematic and scandalous that, as Senator Wyden angrily pointed out during a recent congressional hearing, Microsoft has been providing the US government with products that have the default “event logging” settings turned off. So by default, the US federal government doesn’t log these hacks when they happen. That’s apparently the case, according to Senator Wyden. The US government’s cyber-defenses have been flying blind by default thanks to Microsoft:

...
Microsoft officials stress that the SolarWinds update was not always the entry point; intruders sometimes took advantage of vulnerabilities such as weak passwords and victims’ lack of multi-factor authentication. But critics say the company took security too lightly. Sen. Ron Wyden, D-Ore., verbally pummeled Microsoft for not supplying federal agencies with a level of “event logging” that, if it had not detected the SolarWinds hacking in progress, would at least have provided responders with a record of where the intruders were and what they saw and removed.

“Microsoft chooses the default settings in the software it sells, and even though the company knew for years about the hacking technique used against U.S. government agencies, the company did not set default logging settings to capture information necessary to spot hacks in progress,” Wyden said. He was not the only federal lawmaker who complained.

...

Even the highest level of logging doesn’t prevent break-ins, though. It only makes it easier to detect them.
...

Of course, keep in mind the big advantage for the victims of hacks when no event logging was employed: the less information you have about what actually happened, the more you’re forced to speculate about what happened and the easier it is to just say it was probably Russia or China or whoever you want to blame. Ignorance can be both a cudgel and a shield when cyberattribution is wielded as a weapon.

Finally, note how we are told the ‘Chinese hackers’ behind the Microsoft Exchange hack used wholly different infection methods. Now, technically, yes, they may have used a different zero-day exploit targeting different Microsoft products. As we’ve seen, it was reportedly an Office 365 email exploit that the hackers used to initiate the hack on SolarWinds’s network, and the US Treasury Department confirmed that an Office 365 email exploit was used after the hackers infiltrated their networks via the backdoor. Whereas in the Microsoft Exchange hack, it was some sort of vulnerability in the Exchange software that was exploited. So yes, these are two different infection methods. But they both relied on manipulating Microsoft’s credentialing systems. From that perspective, it’s kind of the same underlying method:

...
The intruders in the unrelated hack of Microsoft Exchange email servers disclosed in March — blamed on Chinese spies — used wholly different infection methods. But they gained immediate high-level access to users’ email and other info.
...

Keep in mind that pointing out the different attack methods used in the SolarWinds and Microsoft Exchange hacks, and citing that as evidence that different hacking groups were responsible, is another example of how vague technical ‘digital fingerprints’ like the particular type of malware or exploit used in a hack are used for cyberattribution purposes. It’s the kind of cyberattribution phenomenon that assumes the “commercial surveillance” industry isn’t supplying incredible zero-day attacks to dozens of governments around the world simultaneously.

The SolarWinds Hackers(?) Go Phishing. With USAID as the Bait.

The multifaceted ability of the SolarWinds hackers was on display again with a new announcement from Microsoft at the end of May: Remember those warnings following the Microsoft Exchange hack about highly sophisticated and targeted phishing campaigns emerging from all the information the hackers were able to extract from all those stolen emails? Well, a new highly sophisticated and targeted phishing campaign was indeed unleashed. But we are told “Nobelium” — the name Microsoft gave to Cozy Bear/APT29 — was the culprit. Approximately 3,000 email accounts at more than 150 different organizations in 24 different countries received emails seemingly from the United States Agency For International Development (USAID), encouraging victims to download a file about election fraud. The hackers carried out the hack by breaking into an email marketing account for Constant Contact, which is used by USAID for official communications. From there, they launched the phishing attacks.

Microsoft assures us that no exploits of Microsoft products were involved with this phishing attempt. At the same time, we’re told nothing about how this Constant Contact email marketing account was broken into in the first place. In fact, it’s not actually clear at all what ties this phishing attack to the SolarWinds hack. And yet we are assured by Microsoft, with high confidence, that Russia’s SVR is behind it and that it appeared to be a continuation of multiple efforts to target government agencies involved in foreign policy as part of intelligence gathering efforts. And since the SVR is also blamed for the SolarWinds hack, it’s therefore behind this phishing attempt. That appears to be the ‘logic’ at work here.

Now, if we view the Microsoft blog post on this hack, there is one technical fact that relates back to the SolarWinds hack: the use of zero-day exploits. Victims who fell for the phishing emails had four zero-day pieces of malware deployed on their computers, according to a second Microsoft blog post about the attack. So the technical trait shared between this phishing attack and the earlier SolarWinds hack is the use of multiple zero-day exploits. But different exploits. The Microsoft blog post describing this USAID phishing scheme explicitly states that this new attack bears very little technical similarity to the SolarWinds hack and suggests the hackers intentionally changed their tactics after the discovery of the SolarWinds hack. So the possession of multiple zero-day exploits is apparently being used as a technical indicator for attributions. If a hacker is sporting lots of zero-day exploits, it’s assumed to be the same hacker who ran the last hack with lots of zero-day exploits. And since zero-day exploits are widely assumed to be largely the exclusive property of well-financed nations (the US, Russia, China, Israel, etc.), when a hack involves lots of zero-day exploits the list of suspects gets narrowed down to that list. That appears to be the pattern playing out here. A pattern that ignores the existence of a robust industry selling zero-day exploits to dozens of governments around the world.

But also keep in mind that the Microsoft Exchange mega-hack announced in March also utilized zero-day exploits, and this hack started with the compromise of USAID’s Constant Contact email account. Is there an Exchange server involved with this service? It would be nice to know but, again, we aren’t told how the hack started. So how was Microsoft able to deduce that it was the SolarWinds hackers and not the Exchange hackers or some other group? We have no idea, but we are assured that Microsoft figured it all out. We’ll just have to blindly trust them on this. As always:

Reuters
Technology

Microsoft says group behind SolarWinds hack now targeting government agencies, NGOs

Raphael Satter, Kanishka Singh
May 28, 2021 12:53 PM CDT Updated

May 28 (Reuters) — The group behind the SolarWinds (SWI.N) cyber attack identified late last year is now targeting government agencies, think tanks, consultants, and non-governmental organizations, Microsoft Corp (MSFT.O) said on Thursday.

“This week we observed cyberattacks by the threat actor Nobelium targeting government agencies, think tanks, consultants, and non-governmental organizations”, Microsoft said in a blog.

Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020, according to Microsoft.

The comments come weeks after a May 7 ransomware attack on Colonial Pipeline shut the United States’ largest fuel pipeline network for several days, disrupting the country’s supply.

“This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations”, Microsoft said on Thursday.

While organisations in the United States received the largest share of attacks, targeted victims came from at least 24 countries, Microsoft said.

At least a quarter of the targeted organisations were involved in international development, humanitarian issues and human rights work, Microsoft said in the blog.

Nobelium launched this week’s attacks by breaking into an email marketing account used by the United States Agency For International Development (USAID) and from there launching phishing attacks on many other organisations, Microsoft said.

In statements issued Friday, the Department of Homeland Security and USAID both said they were aware of the hacking and were investigating.

The hack of information technology company SolarWinds, which was identified in December, gave access to thousands of companies and government offices that used its products. Microsoft President Brad Smith described the attack as “the largest and most sophisticated attack the world has ever seen”.

...

The United States and Britain have blamed Russia’s Foreign Intelligence Service (SVR), successor to the foreign spying operations of the KGB, for the hack which compromised nine U.S. federal agencies and hundreds of private sector companies.

The attacks disclosed by Microsoft on Thursday appeared to be a continuation of multiple efforts to target government agencies involved in foreign policy as part of intelligence gathering efforts, Microsoft said.

The company said it was in the process of notifying all of its targeted customers and had “no reason to believe” these attacks involved any exploitation or vulnerability in Microsoft’s products or services.
————–

“Microsoft says group behind SolarWinds hack now targeting government agencies, NGOs” by Raphael Satter and Kanishka Singh; Reuters; 05/28/2021

“Nobelium launched this week’s attacks by breaking into an email marketing account used by the United States Agency For International Development (USAID) and from there launching phishing attacks on many other organisations, Microsoft said.”

As Microsoft announced in May, the SolarWinds attacks continue. Sort of. This wasn’t an extension of the SolarWinds attack. At least we aren’t told so. Instead, we’re told that the same hackers, Nobelium, who carried out the SolarWinds attack also carried out this new attack targeting the email marketing firm, Constant Contact, that handles the emails for USAID. Somehow, the hackers were able to send out emails to 3,000 email accounts at more than 150 different organizations that looked like they came from USAID, and if victims clicked on the links in the emails they received sophisticated malware like the malware that was deployed in the SolarWinds attack. Again, Nobelium is Microsoft’s name for APT29/Cozy Bear, the group accused of the 2015 DNC hack (the first DNC hack of the 2016 election season).

Now how did Microsoft arrive at the conclusion that this phishing attack was carried out by the same “Nobelium” SolarWinds hackers? As we should expect, it’s entirely unclear. Microsoft first dubbed the SolarWinds hackers “Nobelium” back in March of 2020 in a blog post describing the command-and-control malware from the SolarWinds hack. ‘Zero-day’ malware that had never been seen before, adding to the perceived sophistication of the hacker. Of course, as we’re going to see with the NSO Group story, ultra-sophisticated ‘zero-day’ hacks that have ‘never been seen before’ are effectively for sale to governments around the world. Any government with permission to buy this software would suddenly become an ultra-sophisticated actor with an armory of zero-day exploits never seen before.

So were more zero-day exploits found in this latest USAID phishing hack? Yes, there were four zero-day pieces of malware deployed, according to a second Microsoft blog post about the attack. As noted above, that is the only technical trait this phishing attack shares with the earlier SolarWinds hack: the use of multiple zero-day exploits, but different ones, with Microsoft’s own blog post stating that the new attack bears very little technical similarity to the SolarWinds hack. The possession of multiple zero-day exploits is thus apparently serving as the technical indicator for the attribution, a pattern that ignores the existence of a robust industry selling zero-day exploits to dozens of governments around the world.

And note how, while this attack clearly involves USAID, it’s not actually targeting USAID. It was an attack that used USAID’s persona to target 150 different organizations in at least 24 countries. And only around a quarter of those targeted organisations were involved in international development, humanitarian issues and human rights work. And yet Microsoft confidently tells us this hack is a continuation of an SVR espionage campaign targeting government agencies involved in foreign policy. It’s a remarkably cherry-picked assessment:

...
“This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations”, Microsoft said on Thursday.

While organisations in the United States received the largest share of attacks, targeted victims came from at least 24 countries, Microsoft said.

At least a quarter of the targeted organisations were involved in international development, humanitarian issues and human rights work, Microsoft said in the blog.

...

The United States and Britain have blamed Russia’s Foreign Intelligence Service (SVR), successor to the foreign spying operations of the KGB, for the hack which compromised nine U.S. federal agencies and hundreds of private sector companies.

The attacks disclosed by Microsoft on Thursday appeared to be a continuation of multiple efforts to target government agencies involved in foreign policy as part of intelligence gathering efforts, Microsoft said.
...

So we have the SolarWinds mega-hack discovered in December 2020 initially attributed to a previously unknown group — that governments nonetheless assure us are the SVR — but later attributed to Cozy Bear/APT29 aka Nobelium. Then a May 2021 phishing campaign that doesn’t actually share any of the technical traits of the SolarWinds hack other than the use of different zero-day exploits is also attributed to Cozy Bear. Why exactly it’s been determined that these two separate attacks were done by the same group is never explained, let alone why they’ve determined that group is Russia’s SVR.

The SolarWinds Hackers(?) Can’t Stop, Won’t Stop...Hacking Microsoft

It’s always a ‘trust us’ narrative. A narrative that sounds awfully similar to the story we got a month later in the last week of June, when Microsoft announced a new Nobelium/Cozy Bear attack. Although it’s more like an update on the May phishing attack. Like with the May phishing attack report, Microsoft assured us that this new attack is unrelated to the SolarWinds hack. And yet Microsoft also assured us that the same group was behind it, Nobelium. The reason for this attribution to Nobelium is never given. It’s another phishing attack that isn’t technically related to the SolarWinds hack but they’re still sure it’s the same group. The reasons are never given. Sounding familiar yet?

But this June attack appears to differ from the May phishing attack in a potentially significant way: one of Microsoft’s own agents was hacked and customer information about Microsoft services was stolen, allowing for tailored phishing attacks. So whoever pulled this off demonstrated an eerily similar ability to exploit previously unknown Microsoft vulnerabilities. An ability demonstrated by both the SolarWinds and Exchange hackers.

Microsoft didn’t answer questions of whether or not its agent was hacked during the initial SolarWinds hack. But we are told that Microsoft discovered this phishing campaign and the hacking of its agent as a result of its investigation into the earlier SolarWinds hacks. Part of the reason this is potentially significant is that it once again raises the question of whether or not this new hack of the Microsoft agent — where customer service information was somehow accessed and used to tailor phishing emails — was executed with some sort of exploit targeting Microsoft systems. And if that’s the case, we have to ask why these are necessarily the SolarWinds hackers and not the Exchange hackers. Both possessed Microsoft zero-day exploits.

But beyond the potential relationship between the SolarWinds and Exchange hackers, it’s hard to ignore the story of NSO Group, Candiru, and the existence of the private industry that creates and sells cutting edge malware bristling with zero-day exploits — including zero-day exploits targeting Microsoft products — that are sold to dozens of governments around the world. And yet ignoring the existence of this private industry that makes cutting edge zero-day exploits available to dozens of governments around the world is exactly what we are asked to do. Over and over. Every time there’s a new hack that shows a reasonable degree of sophistication or that hits a government agency (even if many more non-government agencies are hit too), it’s treated as if the only possible actors in the world who could have pulled off the hack were Russia, China, Iran or North Korea. It is systematically ignored that dozens of governments around the world can and do buy the necessary ‘zero-day’ malware toolkits to pull off these hacks. Would Saudi Arabia attempt a SolarWinds-style mega-hack if they knew it was going to be blamed on Russia or China? There’s no way to responsibly avoid asking these kinds of questions when we know Saudi Arabia and dozens of other countries have already purchased the ability to do so.

So we have a second phishing attack attributed to Nobelium/Cozy Bear. But unlike the previous phishing attack, where Microsoft acknowledged there was no apparent technical link back to the earlier SolarWinds hack, this phishing attack appears to have employed some sort of vulnerability in Microsoft’s products. And at the same time Microsoft assures us this wasn’t technically related to the SolarWinds hack, Microsoft also reminds us of what was disclosed months ago: that data and insights were stolen from Microsoft during the initial SolarWinds attack, including software instructions governing how Microsoft verifies user identities. Were any of those stolen vulnerabilities used in this hack? Microsoft isn’t saying. And that’s a big part of the larger story here: extremely serious allegations about who was behind these cyberattacks are being made — with all fingers pointing towards the Russian or Chinese governments — with almost no information being released regarding why and how those attributions are made. The entire cyberattribution industry is rooted in a ‘just trust us on this’ ethos:

Reuters

Microsoft says new breach discovered in probe of suspected SolarWinds hackers

Joseph Menn
June 25, 2021 8:59 PM CDT Updated

SAN FRANCISCO, June 25 (Reuters) — Microsoft (MSFT.O) said on Friday an attacker had won access to one of its customer-service agents and then used information from that to launch hacking attempts against customers.

The company said it had found the compromise during its response to hacks by a team it identifies as responsible for earlier major breaches at SolarWinds (SWI.N) and Microsoft.

Microsoft said it had warned the affected customers. A copy of one warning seen by Reuters said the attacker belonged to the group Microsoft calls Nobelium and that it had access during the second half of May.

“A sophisticated Nation-State associated actor that Microsoft identifies as NOBELLIUM accessed Microsoft customer support tools to review information regarding your Microsoft Services subscriptions,” the warning reads in part. The U.S. government has publicly attributed the earlier attacks to the Russian government, which denies involvement.

When Reuters asked about that warning, Microsoft announced the breach publicly.

After commenting on a broader phishing campaign it said had compromised a small number of entities, Microsoft said it had also found the breach of its own agent, who it said had limited powers.

The agent could see billing contact information and what services the customers pay for, among other things.

“The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign,” Microsoft said.

Microsoft warned affected customers to be careful about communications to their billing contacts and consider changing those usernames and email addresses, as well as barring old usernames from logging in.

Microsoft said it was aware of three entities that had been compromised in the phishing campaign.

It did not immediately clarify whether any had been among those whose data was viewed through the support agent, or if the agent had been tricked by the broader campaign.

Microsoft did not say whether the agent was at a contractor or a direct employee.

A spokesman said the latest breach by the threat actor was not part of Nobelium’s previous successful attack on Microsoft, in which it obtained some source code.

In the SolarWinds attack, the group altered code at that company to access SolarWinds customers, including nine U.S. federal agencies.

At the SolarWinds customers and others, the attackers also took advantage of weaknesses in the way Microsoft programs were configured, according to the Department of Homeland Security.

Microsoft later said the group had compromised its own employee accounts and taken software instructions governing how Microsoft verifies user identities.

A White House official said the latest intrusion and phishing campaign was far less serious than the SolarWinds fiasco.

“This appears to be largely unsuccessful, run-of-the-mill espionage,” the official said.

...

————

“Microsoft says new breach discovered in probe of suspected SolarWinds hackers” by Joseph Menn; Reuters; 06/25/2021

““A sophisticated Nation-State associated actor that Microsoft identifies as NOBELLIUM accessed Microsoft customer support tools to review information regarding your Microsoft Services subscriptions,” the warning reads in part. The U.S. government has publicly attributed the earlier attacks to the Russian government, which denies involvement.”

Nobelium “accessed Microsoft customer support tools to review information.” That’s the language used by Microsoft to describe the hacking of its agent and the use of the obtained information to run targeted phishing campaigns. That’s what we know. What we don’t know is how the agent got hacked in the first place. Was it simply exploiting a backdoor created by the SolarWinds hack? Microsoft isn’t saying. But we know Microsoft has previously disclosed that ‘Nobelium’ stole code involving Microsoft’s user verification. And DHS tells us these same hackers are taking advantage of weaknesses in the way Microsoft programs were configured. A lot of arrows are pointing in the direction of another Microsoft vulnerability being exploited, but as always we’re forced to guess:

...
A spokesman said the latest breach by the threat actor was not part of Nobelium’s previous successful attack on Microsoft, in which it obtained some source code.

...

At the SolarWinds customers and others, the attackers also took advantage of weaknesses in the way Microsoft programs were configured, according to the Department of Homeland Security.

Microsoft later said the group had compromised its own employee accounts and taken software instructions governing how Microsoft verifies user identities.
...

The bad news stories just keep piling up. What’s next?

Backdoors aren’t Just Backdoors. They’re Digital Bombs Too.

What might be next is the question ominously answered in a CBS News piece from July 4 that includes commentary from Jon Miller, a former hacker who now runs a company called Boldend that designs and sells cutting-edge cyber weapons to US intelligence agencies. According to Miller, what stood out for him in the SolarWinds hack wasn’t the sophistication of the malware. Miller claims to create much more sophisticated malware in his own work. What surprised him was the scope of the attack. Whoever did this didn’t even bother trying to hide it and seemed to execute it with no regard to the damage caused or potential consequences.

And then Miller drops the bomb: when asked if the hackers were capable of doing more damage than they did and, for example, destroying all the computers on the network, Miller tells us that not only would that be possible but it would be trivial. A few dozen additional lines of code. So if the SolarWinds hackers — or the Microsoft Exchange hackers — wanted to destroy the computer systems of organizations around the world, they could have done so. Easily.

The piece also includes an interview of Brad Smith, president of Microsoft. Smith points to the numerous government agencies hit to make the case that it must be a foreign intelligence operation, an observation that systematically ignores all the non-government commercial victims that also got hit. Smith goes on to make an interesting defense of the US government’s inability to detect and stop the SolarWinds hack: because the hackers launched the hack from US-based servers the NSA wasn’t legally allowed to observe and prevent it. Domestic network security in the US is the responsibility of the private sector. How those policies change in response to these mega-hacks will be something to watch.

Then Smith issues a warning that, when combined with Miller’s warnings about digital bombs, should send chills down the spines of system administrators everywhere: Smith warns that it’s almost certain the SolarWinds hackers planted additional backdoors and spread to other networks. Keep in mind that Microsoft has been one of the lead investigators on this, so when Microsoft tells us the SolarWinds hackers are probably still residing on these hacked networks and have spread to others, that’s the kind of warning we should take seriously. So if you were hoping the discovery of the SolarWinds hack meant the closing of all these backdoors on the networks of thousands of organizations around the world, your hopes should be dashed by now. Microsoft was basically telling us they don’t think they can realistically expel the hackers from all these networks. So if these hackers do decide to actually destroy tens of thousands of hacked networks around the world, or conduct a global ransomware attack, they could probably still do so:

CBS News

SolarWinds: How Russian spies hacked the Justice, State, Treasury, Energy and Commerce Departments

Bill Whitaker reports on how Russian spies used a popular piece of software to unleash a virus that spread to 18,000 government and private computer networks.

Correspondent Bill Whitaker
2021 Jul 04

When Presidents Biden and Putin met in Geneva last month – it was the first time that the threat of cyber war eclipsed that of nuclear war between the two old super-powers… and “SolarWinds” was one big reason why. Last year, in perhaps the most audacious cyber attack in history, Russian military hackers sabotaged a tiny piece of computer code buried in a popular piece of software called SolarWinds. As we first reported in February, the hidden virus spread to 18,000 government and private computer networks by way of one of those software updates we all take for granted. After it was installed, Russian agents went rummaging through the digital files of the U.S. departments of Justice, State, Treasury, Energy, and Commerce –among others—and for nine months, they had unfettered access to top-level communications, court documents, even nuclear secrets.

Brad Smith: I think from a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack the world has ever seen.

Brad Smith is president of Microsoft. He learned about the hack after the presidential election this past November. By that time, the stealthy intruders had spread throughout the tech giants’ computer network and stolen some of its proprietary source code used to build its software products. More alarming: how the hackers got in… piggy-backing on a piece of third party software used to connect, manage and monitor computer networks.

Bill Whitaker: What makes this so momentous?

Brad Smith: One of the really disconcerting aspects of this attack was the widespread and indiscriminate nature of it. What this attacker did was identify network management software from a company called SolarWinds. They installed malware into an update for a SolarWinds product. When that update went out to 18,000 organizations around the world, so did this malware.

“SolarWinds Orion” is one of the most ubiquitous software products you probably never heard of, but to thousands of I.T. departments worldwide, it’s indispensable. It’s made up of millions of lines of computer code. 4,032 of them were clandestinely re-written and distributed to customers in a routine update, opening up a secret backdoor to the 18,000 infected networks. Microsoft has assigned 500 engineers to dig in to the attack. One compared it to a Rembrandt painting, the closer they looked, the more details emerged.

Brad Smith: When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000.

Bill Whitaker: You guys are Microsoft. How did Microsoft miss this?

Brad Smith: I think that when you look at the sophistication of this attacker there’s an asymmetric advantage for somebody playing offense.

Bill Whitaker: Is it still going on?

Brad Smith: Almost certainly, these attacks are continuing.

The world still might not know about the hack if not for FireEye, a three-and-a-half billion dollar cybersecurity company run by Kevin Mandia, a former Air Force intelligence officer.

...

They discovered the malware inside SolarWinds and on December 13 informed the world of the brazen attack.

Much of the damage had already been done. The U.S. Justice Department acknowledged the Russians spent months inside their computers accessing email traffic – but the department won’t tell us exactly what was taken. It’s the same at Treasury, Commerce, the NIH, Energy. Even the agency that protects and transports our nuclear arsenal. The hackers also hit the biggest names in high tech.

Bill Whitaker: So, what does that target list tell you?

Brad Smith: I think this target list tells us that this is clearly a foreign intelligence agency. It exposes the secrets potentially of the United States and other governments as well as private companies. I don’t think anyone knows for certain how all of this information will be used. But we do know this: It is in the wrong hands.

And Microsoft’s Brad Smith told us it’s almost certain the hackers created additional backdoors and spread to other networks.

The revelation this past December came at a fraught time in the U.S. President Trump was disputing the election, and tweeted China might be responsible for the hack. Within hours he was contradicted by his own secretary of state and attorney general. They blamed Russia. The Department of Homeland Security, FBI and intelligence agencies concurred. The prime suspect: the SVR, one of several Russian spy agencies the U.S. labels “advanced persistent threats.” Russia denies it was involved.

Brad Smith: I do think this was an act of recklessness. The world runs on software. It runs on information technology. But it can’t run with confidence if major governments are disrupting and attacking the software supply chain in this way.

Bill Whitaker: That almost sounds like you think that they went in to foment chaos?

Brad Smith: What we are seeing is the first use of this supply chain disruption tactic against the United States. But it’s not the first time we’ve witnessed it. The Russian government really developed this tactic in Ukraine.

...

Bill Whitaker: It’s hard to downplay the severity of this.

Chris Inglis: It is hard to downplay the severity of this. Because it’s only a stone’s throw from a computer network attack.

Chris Inglis spent 28 years commanding the nation’s best cyber warriors at the National Security Agency – seven as its deputy director – and now sits on the Cyberspace Solarium Commission – created by Congress to come up with new ideas to defend our digital domain.

Bill Whitaker: Why didn’t the government detect this?

Chris Inglis: The government is not looking on private sector networks. It doesn’t surveil private sector networks. That’s a responsibility that’s given over to the private sector. FireEye found it on theirs, many others did not. The government did not find it on their network, so that’s a disappointment.

Disappointment is an understatement. The Department of Homeland Security spent billions on a program called “Einstein” to detect cyber attacks on government agencies. The Russians outsmarted it. They circumvented the NSA, which gathers intelligence overseas, but is prohibited from surveilling U.S. computer networks. So the Russians launched their attacks from servers set up anonymously in the United States.

Bill Whitaker: This hack happened on American soil. It went through networks based in the United States. Are our defense capabilities constrained?

Chris Inglis: U.S. Intelligence Community, U.S. Department of Defense, can suggest what the intentions of other nations are based upon what they learn in their rightful work overseas. But they can’t turn around and focus their unblinking eye on the domestic infrastructure. That winds up making it more difficult for us.

...

It’s not every day you meet someone who builds cyber weapons as complex as those deployed by Russian intelligence. But Jon Miller, who started off as a hacker and now runs a company called Boldend, designs and sells cutting-edge cyber weapons to U.S. intelligence agencies.

Jon Miller: I build things much more sophisticated than this. What’s impressive is the scope of it. This is a watershed style attack. I would never do something like this. It creates too much damage.

Miller says with the SolarWinds attack, Russia has demonstrated that none of the software we take for granted is truly safe, including the apps on our telephones, laptops, and tablets. These days, he says, any device can be sabotaged.

Jon Miller: When you buy something from a tech company, a new phone or a laptop, you trust that that is secure when they give it to you. And what they’ve shown us in this attack is that is not the case. They have the ability to compromise those supply chains and manipulate whatever they want. Whether it’s financial data, source code, the functionality of these products. They can take control.

Bill Whitaker: So, for instance, they could destroy all the computers on a network?

Jon Miller: Oh, easily. The malware that they deployed off of SolarWinds, it didn’t have the functionality in it to do that. But to do that is trivial. Couple dozen lines of code.

...

———–

“SolarWinds: How Russian spies hacked the Justice, State, Treasury, Energy and Commerce Departments” by Bill Whitaker; CBS News; 07/04/2021

“Much of the damage had already been done. The U.S. Justice Department acknowledged the Russians spent months inside their computers accessing email traffic – but the department won’t tell us exactly what was taken. It’s the same at Treasury, Commerce, the NIH, Energy. Even the agency that protects and transports our nuclear arsenal. The hackers also hit the biggest names in high tech.”

The SolarWinds hackers spent months inside numerous US government agency networks. Presumably from February 2020 until December 2020. 10 or so months of emails. That’s a lot of government emails. It makes the “Hillary’s emails” stories sound like a sweet lullaby of yesteryear.

But the SolarWinds hack was obviously not just targeting the US government. Thousands of companies were hit too. And yet, when asked, the President of Microsoft insists, “I think this target list tells us that this is clearly a foreign intelligence agency”. It’s what it looks like when everyone plays dumb professionally:

...
Bill Whitaker: So, what does that target list tell you?

Brad Smith: I think this target list tells us that this is clearly a foreign intelligence agency. It exposes the secrets potentially of the United States and other governments as well as private companies. I don’t think anyone knows for certain how all of this information will be used. But we do know this: It is in the wrong hands.

And Microsoft’s Brad Smith told us it’s almost certain the hackers created additional backdoors and spread to other networks.

The revelation this past December came at a fraught time in the U.S. President Trump was disputing the election, and tweeted China might be responsible for the hack. Within hours he was contradicted by his own secretary of state and attorney general. They blamed Russia. The Department of Homeland Security, FBI and intelligence agencies concurred. The prime suspect: the SVR, one of several Russian spy agencies the U.S. labels “advanced persistent threats.” Russia denies it was involved.
...

Also note how the fact that the SolarWinds hack was conducted with US-based servers, and the fact that the NSA isn’t mandated with monitoring US networks, is turning into an argument for giving the NSA authority to monitor US networks. This is a good time to recall the story from earlier this year about the DARPA projects involving the creation of autonomous anti-virus software that can traverse networks, which sound awfully similar to the “Project TURBINE” plan for mass automated malware implantation. Automated ‘anti-malware’ delivered by goodware. As questions about the constitutionality of NSA monitoring of domestic networks get raised, don’t be surprised if automated ‘goodware’ solutions are offered:

...
Chris Inglis spent 28 years commanding the nation’s best cyber warriors at the National Security Agency – seven as its deputy director – and now sits on the Cyberspace Solarium Commission – created by Congress to come up with new ideas to defend our digital domain.

Bill Whitaker: Why didn’t the government detect this?

Chris Inglis: The government is not looking on private sector networks. It doesn’t surveil private sector networks. That’s a responsibility that’s given over to the private sector. FireEye found it on theirs, many others did not. The government did not find it on their network, so that’s a disappointment.

Disappointment is an understatement. The Department of Homeland Security spent billions on a program called “Einstein” to detect cyber attacks on government agencies. The Russians outsmarted it. They circumvented the NSA, which gathers intelligence overseas, but is prohibited from surveilling U.S. computer networks. So the Russians launched their attacks from servers set up anonymously in the United States.

Bill Whitaker: This hack happened on American soil. It went through networks based in the United States. Are our defense capabilities constrained?

Chris Inglis: U.S. Intelligence Community, U.S. Department of Defense, can suggest what the intentions of other nations are based upon what they learn in their rightful work overseas. But they can’t turn around and focus their unblinking eye on the domestic infrastructure. That winds up making it more difficult for us.
...

Finally, note the assessment about the relative sophistication of the SolarWinds source code by Jon Miller, the former hacker who now runs a company called Boldend, which designs and sells cutting-edge cyber weapons to U.S. intelligence agencies. Miller wasn’t impressed by the sophistication. He admits to building things much more sophisticated (that are presumably sold to US intelligence agencies). What surprised Miller was the scale of the attack and that someone actually did something that created so much damage. It’s the kind of response from an industry professional (who isn’t playing dumb professionally) that points towards a reality where large scale hacks of this nature have long been possible, but assumed to be too inflammatory to execute without inviting serious repercussions. As Miller pointed out, this attack potentially tainted the entire global software supply chain. The same compiler attack that snuck the backdoor into SolarWinds’s Orion client tool could be reapplied to the software being developed by the tens of thousands of SolarWinds corporate and government clients. It really was a massive attack. But he’s not surprised someone was able to pull it off technically. He’s surprised someone actually did it. It’s an important distinction to keep in mind when assessing the nature of this attack. Thankfully, another possible nightmare scenario wasn’t executed: a scenario where malware is deployed that actually causes these networks to physically destroy themselves. But they could have if they wanted to:

...
It’s not every day you meet someone who builds cyber weapons as complex as those deployed by Russian intelligence. But Jon Miller, who started off as a hacker and now runs a company called Boldend, designs and sells cutting-edge cyber weapons to U.S. intelligence agencies.

Jon Miller: I build things much more sophisticated than this. What’s impressive is the scope of it. This is a watershed style attack. I would never do something like this. It creates too much damage.

Miller says with the SolarWinds attack, Russia has demonstrated that none of the software we take for granted is truly safe, including the apps on our telephones, laptops, and tablets. These days, he says, any device can be sabotaged.

Jon Miller: When you buy something from a tech company, a new phone or a laptop, you trust that that is secure when they give it to you. And what they’ve shown us in this attack is that is not the case. They have the ability to compromise those supply chains and manipulate whatever they want. Whether it’s financial data, source code, the functionality of these products. They can take control.

Bill Whitaker: So, for instance, they could destroy all the computers on a network?

Jon Miller: Oh, easily. The malware that they deployed off of SolarWinds, it didn’t have the functionality in it to do that. But to do that is trivial. Couple dozen lines of code.
...

Miller is absolutely correct. SolarWinds wasn’t just the mega-hack of SolarWinds and its thousands of clients. It was potentially the hack of the global technological supply chain. Someone executed a very, very big hack.

CitizenLab Issues a Warning to the World: Someone is Hacking the Sh*t Out of Microsoft. Legally. Meet Candiru

It was the middle of July this year when the stories of the mega-hacks took a sudden turn. After months of disclosing (and denying) one hack after another involving a Microsoft vulnerability, CitizenLab had a dramatic, and thematically appropriate, new security warning: a mercenary spyware company has been selling an exploit used against Windows users in several countries, including Iran, Lebanon, Spain and the United Kingdom. Beyond that, the malware has been found targeting activists, which isn’t particularly surprising given the fact that Candiru’s clients are governments. Candiru’s exploits aren’t solely against Microsoft products. Google’s popular Chrome browser is also a target. But it sounds like Candiru specializes in Microsoft products.

Microsoft fixed the vulnerabilities identified in CitizenLab’s report. Curiously, in its report on the fix, Microsoft never refers to Candiru by name. Instead, it refers to it as an “Israel-based private sector offensive actor” which the company codenamed Sourgum. Google also issued a report on Candiru’s targeting of activists and the zero-day exploits discovered used against activists. Google also didn’t refer to Candiru by name.

So at least one Candiru customer — but perhaps more than one — was running around using zero-day exploits against activists and they got caught. Because it was blamed on Candiru it couldn’t be attributed to Russia or China. So who got blamed for these discovered hacks against activists? No one:

Reuters
Technology

Microsoft says Israeli group sold tools to hack Windows

Christopher Bing
July 15, 2021 4:45 PM CDT
Updated

July 15 (Reuters) — An Israeli group sold a tool to hack into Microsoft Windows, Microsoft and technology human rights group Citizen Lab said on Thursday, shedding light on the growing business of finding and selling tools to hack widely used software.

The hacking tool vendor, named Candiru, created and sold a software exploit that can penetrate Windows, one of many intelligence products sold by a secretive industry that finds flaws in common software platforms for their clients, said a report by Citizen Lab.

Technical analysis by security researchers details how Candiru’s hacking tool spread around the globe to numerous unnamed customers, where it was then used to target various civil society organizations, including a Saudi dissident group and a left-leaning Indonesian news outlet, the reports by Citizen Lab and Microsoft show.

...

Evidence of the exploit recovered by Microsoft Corp (MSFT.O) suggested it was deployed against users in several countries, including Iran, Lebanon, Spain and the United Kingdom, according to the Citizen Lab report.

“Candiru’s growing presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse,” Citizen Lab said in its report.

Microsoft fixed the discovered flaws on Tuesday through a software update. Microsoft did not directly attribute the exploits to Candiru, instead referring to it as an “Israel-based private sector offensive actor” under the codename Sourgum.

“Sourgum generally sells cyberweapons that enable its customers, often government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and internet-connected devices,” Microsoft wrote in a blog post. “These agencies then choose who to target and run the actual operations themselves.”

Candiru’s tools also exploited weaknesses in other common software products, like Google’s Chrome browser.

On Wednesday, Google (GOOGL.O) released a blog post where it disclosed two Chrome software flaws that Citizen Lab found connected to Candiru. Google also did not refer to Candiru by name, but described it as a “commercial surveillance company.” Google patched the two vulnerabilities earlier this year.

Cyber arms dealers like Candiru often chain multiple software vulnerabilities together to create effective exploits that can reliably break into computers remotely without a target’s knowledge, computer security experts say.

Those types of covert systems cost millions of dollars and are often sold on a subscription basis, making it necessary for customers to repeatedly pay a provider for continued access, people familiar with the cyber arms industry told Reuters.

“No longer do groups need to have the technical expertise, now they just need resources,” Google wrote in its blog post.

———–

“Microsoft says Israeli group sold tools to hack Windows” by Christopher Bing; Reuters; 07/15/2021

“ “No longer do groups need to have the technical expertise, now they just need resources,” Google wrote in its blog post.”

Are you a government with cash to burn? Welcome to the world of elite hackers. Just be sure to maintain your subscription fees.

Google’s researchers weren’t exaggerating. It really is just a matter of having the resources — and permission from the Israeli (and US?) government(s?) — for a government to go from having virtually no cyber capabilities to having a suite of zero-day exploits capable of defeating the top technology firms in the world.

And yet it’s kind of interesting that both Google and Microsoft didn’t actually name Candiru in their reports. Microsoft refers to Candiru with its own made-up codename, Sourgum, although Microsoft does point out in its report that Citizen Lab identified Sourgum as Candiru. But that’s the only reference to Candiru in the report. And Google’s report on Candiru just refers to a “commercial surveillance company.” Recall that this is the same language Google used in its report on the three zero-day exploits discovered targeting Armenian activists. So Google and Microsoft appear to go out of their way to avoid naming names in their reports when the culprit is a private company:

...
Microsoft fixed the discovered flaws on Tuesday through a software update. Microsoft did not directly attribute the exploits to Candiru, instead referring to it as an “Israel-based private sector offensive actor” under the codename Sourgum.

“Sourgum generally sells cyberweapons that enable its customers, often government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and internet-connected devices,” Microsoft wrote in a blog post. “These agencies then choose who to target and run the actual operations themselves.”

...

On Wednesday, Google (GOOGL.O) released a blog post where it disclosed two Chrome software flaws that Citizen Lab found connected to Candiru. Google also did not refer to Candiru by name, but described it as a “commercial surveillance company.” Google patched the two vulnerabilities earlier this year.
...

Also note how Candiru’s toolkit doesn’t just include an array of Microsoft exploits. It also hits other common non-Microsoft apps like Google’s Chrome. And as the article notes, cyber arms dealers like Candiru often chain multiple software vulnerabilities together to create effective exploits. In other words, these toolkits have to consist of numerous zero-day exploits. That’s the underlying product these companies are selling: toolkits that chain together multiple zero-day exploits:

...
Candiru’s tools also exploited weaknesses in other common software products, like Google’s Chrome browser.

...

Cyber arms dealers like Candiru often chain multiple software vulnerabilities together to create effective exploits that can reliably break into computers remotely without a target’s knowledge, computer security experts say.
...

Days after Microsoft was forced to patch these vulnerabilities, the company issued an update on the actions it was taking against Candiru’s malware as well as the scope of the use of this malware: Microsoft claimed it blocked tools used to spy on more than 100 people around the world, including politicians, human rights activists, journalists, academics and political dissidents. Politicians got hit too. It’s not surprising, but a notable admission. Precision attacks were identified in the Palestinian territory, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia, and Singapore.

Intriguingly, Citizen Lab said Candiru’s spyware infrastructure included websites “masquerading as advocacy organizations” such as Amnesty International and Black Lives Matter. So the next time you hear about a Black Lives Matter website that’s automatically attributed to Russia and the Internet Research Agency, keep this ‘feature’ in mind. Candiru was selling tools specifically to mimic left-wing organizations. Also keep in mind that it’s Amnesty International that releases a big NSO Group exposé days after Candiru’s malware is revealed, so there are probably quite a few people in the cybersecurity industry itself with an interest in spying on people affiliated with Amnesty International:

Associated Press

Microsoft says it blocked spying on rights activists, others

By ALAN SUDERMAN
July 15, 2021

RICHMOND, Va. (AP) — Microsoft said Thursday it has blocked tools developed by an Israeli hacker-for-hire company that were used to spy on more than 100 people around the world, including politicians, human rights activists, journalists, academics and political dissidents.

Microsoft issued a software update and worked with the Citizen Lab at the University of Toronto to investigate the secretive Israeli company behind the hacking efforts. Citizen Lab said the company goes by several names including Candiru, which according to legend is a parasitic fish found in the Amazon that attacks human private parts.

Microsoft said people targeted in “precision attacks” by the spyware were located in the Palestinian territory, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia, and Singapore. Microsoft did not name the targets but described them generally by category.

Citizen Lab said Candiru’s spyware infrastructure included websites “masquerading as advocacy organizations” such as Amnesty International and Black Lives Matter.

The reports by Microsoft and Citizen Lab shine new light on an opaque and lucrative industry of selling sophisticated hacking tools to governments and law enforcement agencies. Critics say such tools are often misused by authoritarian governments against innocent people.

“A world where private sector companies manufacture and sell cyberweapons is more dangerous for consumers, businesses of all sizes and governments,” Microsoft said in a blog post.

...

Microsoft said the business model for companies such as Candiru is to sell its services to government agencies, which then likely choose the targets and run the operations themselves.

Citizen Lab published parts of what it said were a leaked proposal by Candiru for hacking services that offered a la carte hacking options. For 16 million euros ($18.9 million), the company would allow the customer to monitor 10 devices simultaneously in a single country. For an extra 5.5 million euros ($6.5 million), 25 additional devices could be monitored in five more countries.

Citizen Lab said Candiru’s spyware targets computers, mobile devices and cloud accounts.

Thursday’s disclosure by Microsoft was part of what the company said was a broader effort to “address the dangers” caused by hacker-for-hire companies. Microsoft is supporting Facebook in its lawsuit against NSO Group, which is also based in Israel and is perhaps the most prominent private offensive spyware company.

Facebook filed a federal civil suit in 2019 alleging that NSO Group targeted some 1,400 users of Facebook’s encrypted messaging service WhatsApp with highly sophisticated spyware.

————-

“Microsoft says it blocked spying on rights activists, others” by ALAN SUDERMAN; Associated Press; 07/15/2021

“Microsoft issued a software update and worked with the Citizen Lab at the University of Toronto to investigate the secretive Israeli company behind the hacking efforts. Citizen Lab said the company goes by several names including Candiru, which according to legend is a parasitic fish found in the Amazon that attacks human private parts.”

Candiru is so secretive it uses secret identities. Secrecy that’s probably driven, in part, by the fact that it’s crafting the digital infrastructure governments are using to hack civil society. Organizations like Black Lives Matter and Amnesty International. That’s the kind of activity one might want to hide. Presumably the utility of these fake websites is to direct people there to deliver the malware, which implies the targets of this malware were at least sympathetic to Black Lives Matter and Amnesty International. Just think about how many of the schemes targeting Black Lives Matter that have been attributed to Russia since 2016 were actually a product of Candiru’s ready-to-use toolkit. Or of some other “commercial surveillance vendor” selling similar tools:

...
Citizen Lab said Candiru’s spyware infrastructure included websites “masquerading as advocacy organizations” such as Amnesty International and Black Lives Matter.
...
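The masquerading websites Citizen Lab describes are, from a defender’s side, a lookalike-domain problem: a site that borrows an advocacy organization’s name on a different TLD, with a hyphenated suffix, or with a one- or two-character spelling change. The screening below is an added example, not Citizen Lab’s or Microsoft’s tooling. It assumes amnesty.org and blacklivesmatter.com are the organizations’ genuine domains, and every candidate domain in the sample list is constructed for the example.

```python
"""
Lookalike-domain screening for the masquerading advocacy sites described above.
Added example, not Citizen Lab's or Microsoft's tooling. The two genuine domains
below are assumed (amnesty.org, blacklivesmatter.com); every candidate domain in
SAMPLE_DOMAINS is constructed for this example.
"""

# Organizations named in the Citizen Lab finding -> domains assumed genuine.
PROTECTED = {
    "amnesty": {"amnesty.org"},
    "blacklivesmatter": {"blacklivesmatter.com"},
}

# Digit-for-letter substitutions commonly seen in lookalike registrations.
_HOMOGLYPHS = str.maketrans("01", "ol")


def registrable_label(domain):
    """Second-level label: 'amnesty-intl' for 'www.amnesty-intl.net'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label):
    """Strip separators and undo simple homoglyph substitutions before comparing."""
    return label.replace("-", "").replace("_", "").translate(_HOMOGLYPHS)


def levenshtein(a, b):
    """Edit distance, used to catch near-miss spellings of a brand token."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_genuine(domain):
    """True for a protected org's own domain or any subdomain of it."""
    d = domain.lower().strip(".")
    return any(d == g or d.endswith("." + g)
               for genuine in PROTECTED.values() for g in genuine)


def classify(domain, max_distance=2):
    """(brand, reason) when the domain impersonates a protected org, else None."""
    if is_genuine(domain):
        return None
    label = normalize(registrable_label(domain))
    for brand in PROTECTED:
        if label == brand:
            return (brand, "exact brand label")        # other TLD or homoglyph
        if brand in label:
            return (brand, "brand embedded in label")  # e.g. brand-support.org
        if levenshtein(label, brand) <= max_distance:
            return (brand, "near-miss spelling")       # transposition / typo
    return None


def screen(domains):
    """Reduce a feed of newly observed domains to the suspicious ones."""
    hits = []
    for d in domains:
        hit = classify(d)
        if hit:
            hits.append((d,) + hit)
    return hits


# Constructed sample feed: two genuine entries, four lookalikes, one unrelated.
SAMPLE_DOMAINS = [
    "amnesty.org",
    "www.amnesty.org",
    "amnesty-intl.net",
    "amnsety.org",
    "b1acklivesmatter.com",
    "blacklivesmatter-support.org",
    "example.org",
]

if __name__ == "__main__":
    for domain, brand, reason in screen(SAMPLE_DOMAINS):
        print(f"{domain:32} impersonates {brand:18} ({reason})")
```

The edit-distance check is the one to tune: with short brand tokens a distance of 2 will also catch unrelated words (for a seven-letter token, two substitutions cover a lot of dictionary words), so in practice it is paired with an allowlist of known-benign domains or restricted to newly registered ones.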

And note the price. Yeah, your average person can’t handle these kinds of subscription fees. But basically every government on the planet can. Easily:

...
Citizen Lab published parts of what it said were a leaked proposal by Candiru for hacking services that offered a la carte hacking options. For 16 million euros ($18.9 million), the company would allow the customer to monitor 10 devices simultaneously in a single country. For an extra 5.5 million euros ($6.5 million), 25 additional devices could be monitored in five more countries.

Citizen Lab said Candiru’s spyware targets computers, mobile devices and cloud accounts.
...

It’s too bad Citizen Lab couldn’t get the actual subscription information for Candiru’s many clients to see just how many devices governments are paying to hack. It’s almost $2 million per hacked device. That’s probably a lot of people. And a lot of profit for Candiru’s investors.

2021: Year of the Zero-Day

Just how much money is being made by this mercenary spyware industry? We’ll obviously never know. But if the discovery of new zero-day exploits is any indication of the industry’s work, we can say 2021 has been a robust year for the industry. As the following Threatpost piece from July 15 describes, there were 33 zero-day exploits reported by that date this year, compared to 22 zero-day exploits in all of 2020. At this pace, 2021 will have triple the number of zero-day exploits of 2020, and 2020 was a record year. There’s simply been an explosion of discovered zero-days. For example, at the same time Google issued its own mid-July report on Candiru’s malware being used against activists, it also disclosed a new zero-day flaw in the iOS Safari browser that was being used to target Western European government officials. They note in the report that ‘Russian-language actors’ were using the exploit at the same time ‘Nobelium’ was targeting users on Windows devices to deliver Cobalt Strike, suggesting the two are related.

Putting aside the already addressed problems with placing an emphasis on the ‘cultural artifact’ language clues hackers leave, it’s worth noting that the Nobelium hack targeting users on Windows devices was a reference to the USAID phishing attack. As we saw, Microsoft reported multiple zero-day pieces of malware deployed on the victims’ networks from the USAID attack. But Microsoft also reported the deployment of Cobalt Strike in its initial post about the phishing attack a day earlier. Which should come as no surprise. Cobalt Strike, a legitimate security tool that finds vulnerabilities in networks, has exploded in popularity and gone mainstream among criminals. In other words, we can’t infer much from the fact that both this iOS Safari hack and a hack attributed to Nobelium deployed Cobalt Strike. Cobalt Strike is what savvy cybercriminals use these days, and therefore not a trademark indicator of a particular actor. What is a notable coincidence between the USAID phishing hacks and the Safari hack is that both involve zero-day exploits. That’s the primary meaningful technical indicator shared between all of the hacks we are discussing here: zero-day exploits were deployed. And yet we can only infer so much. We don’t know who is developing or deploying all these zero-days. We just know it could be a much broader range of actors than just Russia and China:

Threatpost

Safari Zero-Day Used in Malicious LinkedIn Campaign

Author: Elizabeth Montalbano
July 15, 2021 7:04 am

Researchers shed light on how attackers exploited Apple web browser vulnerabilities to target government officials in Western Europe.

Threat actors used a Safari zero-day flaw to send malicious links to government officials in Western Europe via LinkedIn before researchers from Google discovered and reported the vulnerability.

That’s the word from researchers from Google Threat Analysis Group (TAG) and Google Project Zero, who Wednesday posted a blog shedding more light on several zero-day flaws that they discovered so far this year. Researchers in particular detailed how attackers exploited the vulnerabilities—the prevalence of which is on the rise—before they were addressed by their respective vendors.

TAG researchers discovered the Safari WebKit flaw, tracked as CVE-2021-1879, on March 19. The vulnerability allowed for the processing of maliciously crafted web content for universal cross site scripting and was addressed by Apple in an update later that month.

Before the fix, researchers assert Russian-language threat actors were exploiting the vulnerability in the wild by using LinkedIn Messaging to send government officials from Western European countries malicious links that could collect website-authentication cookies, according to the post by Maddie Stone and Clement Lecigne from Google TAG.

“If the target visited the link from an iOS device, they would be redirected to an attacker-controlled domain that served the next-stage payloads,” they wrote.

The exploit, which targeted iOS versions 12.4 through 13.7, would turn off Same-Origin-Policy protections on an infected device to collect authentication cookies from several popular websites—including Google, Microsoft, LinkedIn, Facebook and Yahoo—and then send them via WebSocket to an attacker-controlled IP, researchers wrote. The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated.

Moreover, the campaign targeting iOS devices coincided with others from the same threat actor—which Microsoft has identified as Nobelium—targeting users on Windows devices to deliver Cobalt Strike, researchers wrote. Security firm Volexity described one of these attacks in a report posted online in May, the researchers added.

...

Other Zero-Day Attacks

Google researchers also linked three additional zero-day flaws they identified this year to a commercial surveillance vendor, according to Google TAG’s Shane Huntley. Two of those vulnerabilities—CVE-2021-21166 and CVE-2021-30551—were found in Chrome, and one, tracked as CVE-2021-33742, in Internet Explorer.

CVE-2021-21166 and CVE-2021-30551, two Chrome renderer remote-code execution (RCE) flaws, were identified separately but later believed to be used by the same actor, researchers wrote in the blog. Google researchers discovered the former in February and the latter in June.

“Both of these 0‑days were delivered as one-time links sent by email to the targets, all of whom we believe were in Armenia,” Stone and Lecigne wrote. “The links led to attacker-controlled domains that mimicked legitimate websites related to the targeted users.”

When prospective victims clicked the link, they were redirected to a webpage that would fingerprint their device, collect system information about the client, and generate ECDH keys to encrypt the exploits, researchers wrote. This info—which included screen resolution, timezone, languages, browser plugins, and available MIME types—would then be sent back to the exploit server and used by attackers to decide whether or not an exploit should be delivered to the target, they said.

Researchers also identified a separate campaign in April that also targeted Armenian users by leveraging CVE-2021-26411, an RCE bug found in Internet Explorer (IE). The campaign loaded web content within IE that contained malicious Office documents, researchers wrote.

“This happened by either embedding a remote ActiveX object using a Shell.Explorer.1 OLE object or by spawning an Internet Explorer process via VBA macros to navigate to a web page,” Stone and Lecigne explained.

At the time, researchers said they were unable to recover the next-stage payload, but successfully recovered the exploit after discovering an early June campaign from the same actors. Microsoft patched the flaw later that month, they said.

Why Is There an Increase in Zero-Days?

All in all, security researchers have identified 33 zero-day flaws so far in 2021, which is 11 more than the total number from 2020, according to the post.

While that trend reflects an increase in the number of these types of vulnerabilities that exist, Google researchers “believe greater detection and disclosure efforts are also contributing to the upward trend,” they wrote.

Still, it’s highly possible that attackers are indeed using more zero-day exploits for a few reasons, researchers noted. One is that the increase and maturation of security technologies and features means attackers also have to level up, which in turn requires more zero-day vulnerabilities for functional attack chains, they said.

The growth of mobile platforms also has resulted in an increase in the number of products that threat actors want to target—hence more reason to use zero-day exploits, researchers observed. Perhaps inspired by this increase in demand, commercial vendors also are selling more access to zero-days than in the early 2010s, they said.

Finally, the maturation of security protections and strategies also inspires sophistication on the part of attackers as well, boosting the need for them to use zero-day flaws to convince victims to install malware, researchers noted.

“Due to advancements in security, these actors now more often have to use 0‑day exploits to accomplish their goals,” Stone and Lecigne wrote.

———-

“Safari Zero-Day Used in Malicious LinkedIn Campaign” by Elizabeth Montalbano; Threatpost; 07/15/2021

“Before the fix, researchers assert Russian-language threat actors were exploiting the vulnerability in the wild by using LinkedIn Messaging to send government officials from Western European countries malicious links that could collect website-authentication cookies, according to the post by Maddie Stone and Clement Lecigne from Google TAG.”

Russian-language threat actors are behind the big vulnerability found in Safari targeting iPhones, according to Google’s Threat Analysis Group (TAG). Malicious links were sent via the LinkedIn Messaging app to Western European government officials that, when clicked, stole the authentication credentials for sites like Google, Microsoft, LinkedIn, Facebook and Yahoo. The kind of hack that opens the victims up to more hacks, along with any organizations they work for. And the timing of this hacking campaign, coinciding with the ‘Nobelium’ USAID phishing campaign in May against Windows systems that delivered Cobalt Strike, suggests it’s the same actor behind both attacks.

But there’s a more significant technical link between the Safari hacking campaign targeting Western government officials and the USAID phishing campaign: both deployed zero-days. Microsoft reported the deployment of Cobalt Strike in its initial post about the hack but later reported multiple zero-day pieces of malware deployed on the victims’ networks from the USAID attack. That’s the real ‘clue’ tying these two hacks together. It was someone sophisticated enough to have an abundance of zero-day exploits. Except it’s not really much of a clue given the existence of an industry filled with secretive companies like Candiru. Numerous actors on the stage have access to cutting-edge zero-days. For all we know, the Safari zero-day campaign and the USAID phishing campaign could be different Candiru customers using ‘Russian language’ features to leave those ‘clues’ for CrowdStrike and others to find:

...
Moreover, the campaign targeting iOS devices coincided with others from the same threat actor—which Microsoft has identified as Nobelium—targeting users on Windows devices to deliver Cobalt Strike, researchers wrote. Security firm Volexity described one of these attacks in a report posted online in May, the researchers added.
...
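The Threatpost description of the Safari campaign gives a defender two concrete things to look for in egress logs: the client was Safari on iOS 12.4 through 13.7, and the stolen cookies left over a WebSocket to an attacker-controlled IP rather than a hostname. The triage below is an added example, not code from Google TAG, Threatpost or this site. The log format, its field names and all four log lines are constructed for the example; the IOS range and the WebSocket-to-IP pattern are the only details taken from the article.

```python
"""
Defender-side triage for the exfiltration pattern in the Safari campaign:
a Safari session on an affected iOS build opening a WebSocket to a bare IP.
Added example. The log format, field names and every log line below are
constructed (hypothetical); only the affected iOS range and the
WebSocket-to-IP pattern come from the article.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Affected range as stated in the article: iOS 12.4 through 13.7.
AFFECTED_MIN = (12, 4)
AFFECTED_MAX = (13, 7)

_IOS_OS = re.compile(r"\bOS (\d+)_(\d+)")  # e.g. "CPU iPhone OS 13_5 like Mac OS X"
_KV = re.compile(r'(\w+)="([^"]*)"')       # key="value" pairs of the constructed log


def ios_version(user_agent):
    """(major, minor) parsed from an iOS user agent, or None for other clients."""
    m = _IOS_OS.search(user_agent)
    return (int(m.group(1)), int(m.group(2))) if m else None


def ios_in_affected_range(user_agent):
    """True when the user agent reports an iOS build inside the affected range."""
    v = ios_version(user_agent)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def host_is_ip_literal(url):
    """True when the URL's host is an IPv4/IPv6 literal rather than a hostname."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def parse_line(line):
    """One constructed log line -> dict of its key="value" fields."""
    return dict(_KV.findall(line))


def triage(lines):
    """Findings for WebSocket upgrades whose destination is a raw IP.

    Severity is 'high' when the client is an iOS build inside the affected
    range and 'medium' otherwise (same pattern, weaker client match).
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        url = rec.get("url", "")
        is_ws = (rec.get("upgrade", "").lower() == "websocket"
                 or urlsplit(url).scheme in ("ws", "wss"))
        if not (is_ws and host_is_ip_literal(url)):
            continue
        findings.append({
            "ts": rec.get("ts"),
            "client": rec.get("client"),
            "url": url,
            "severity": "high" if ios_in_affected_range(rec.get("ua", "")) else "medium",
        })
    return findings


# Constructed sample: one affected iPhone, one benign Mac, one patched iPhone.
SAMPLE_LOG = [
    'ts="2021-03-18T09:12:01Z" client="10.1.4.22" url="https://www.linkedin.com/messaging/" upgrade="" '
    'ua="Mozilla/5.0 (iPhone; CPU iPhone OS 13_5 like Mac OS X) AppleWebKit/605.1.15 Safari/604.1"',
    'ts="2021-03-18T09:12:07Z" client="10.1.4.22" url="wss://203.0.113.45/ws" upgrade="websocket" '
    'ua="Mozilla/5.0 (iPhone; CPU iPhone OS 13_5 like Mac OS X) AppleWebKit/605.1.15 Safari/604.1"',
    'ts="2021-03-18T09:15:40Z" client="10.1.4.31" url="wss://chat.example.org/socket" upgrade="websocket" '
    'ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Safari/605.1.15"',
    'ts="2021-03-18T09:16:02Z" client="10.1.4.40" url="wss://198.51.100.7/ws" upgrade="websocket" '
    'ua="Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) AppleWebKit/605.1.15 Safari/604.1"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['client']} -> {f['url']}")
```

A WebSocket to a bare IP is not malicious on its own, which is why the block grades rather than blocks: the iOS-range match is what lifts a hit to high, and in a real deployment the LinkedIn referrer and the short gap between the messaging page load and the upgrade (six seconds in the constructed sample) are the next fields worth correlating.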

Also note that the Microsoft zero-day exploits identified in a separate campaign in April targeting Armenian activists are a reference to the same Candiru exploits Citizen Lab was reporting on. They aren’t all Microsoft vulnerabilities. Google’s Chrome browser was hit. But we’re hearing about vulnerabilities in Internet Explorer, Office, and some other mystery payload that couldn’t even be recovered initially. That’s a lot of Microsoft holes. It fits the Candiru ‘pattern’:

...
Google researchers also linked three additional zero-day flaws they identified this year to a commercial surveillance vendor, according to Google TAG’s Shane Huntley. Two of those vulnerabilities—CVE-2021-21166 and CVE-2021-30551—were found in Chrome, and one, tracked as CVE-2021-33742, in Internet Explorer.

CVE-2021-21166 and CVE-2021-30551, two Chrome renderer remote-code execution (RCE) flaws, were identified separately but later believed to be used by the same actor, researchers wrote in the blog. Google researchers discovered the former in February and the latter in June.

“Both of these 0‑days were delivered as one-time links sent by email to the targets, all of whom we believe were in Armenia,” Stone and Lecigne wrote. “The links led to attacker-controlled domains that mimicked legitimate websites related to the targeted users.”
...

All in all, it’s been such a parade of zero-day exploits that we’ve heard about this year hitting Microsoft that it should come as no surprise to learn that, just over midway through this year, there have already been 50 percent more zero-day exploits announced than in the entire year of 2020. That’s triple the pace of 2020, and 2020 was a record year. Why is this happening? Well, more reporting is no doubt a factor. But as the Google security researchers admit, commercial vendors are selling more access to zero-day exploits than they were a decade ago. There are simply many more zero-day pieces of malware in existence and a growing number of actors with the ability to deploy them:

...
All in all, security researchers have identified 33 zero-day flaws so far in 2021, which is 11 more than the total number from 2020, according to the post.

While that trend reflects an increase in the number of these types of vulnerabilities that exist, Google researchers “believe greater detection and disclosure efforts are also contributing to the upward trend,” they wrote.

Still, it’s highly possible that attackers are indeed using more zero-day exploits for a few reasons, researchers noted. One is that the increase and maturation of security technologies and features means attackers also have to level up, which in turn requires more zero-day vulnerabilities for functional attack chains, they said.

The growth of mobile platforms also has resulted in an increase in the number of products that threat actors want to target—hence more reason to use zero-day exploits, researchers observed. Perhaps inspired by this increase in demand, commercial vendors also are selling more access to zero-days than in the early 2010s, they said.
...

We’ve seen a lot of ominous cyber warnings this year. But that stat of zero-days at triple last year’s rate is meta-ominous. It’s like the cyber version of the point in Marvel movies where the universe is on the cusp of exploding. Or imploding. Something really bad.

NSO Group: It’s Not Just a Cybermercenary. It’s a Tool of Israel’s Foreign Policy. A Very Important Tool MBS Covets

A couple of days later, we get our first big NSO Group update of July. The New York Times has a piece giving us a big update on the consequences NSO Group paid over the role its Pegasus software played in the killing of Saudi dissident Jamal Khashoggi. The company did pay a price. Or rather its owners did. Although, actually, they got paid: Following Khashoggi’s killing, NSO Group investigated the Saudis’ use of its software and determined the contract should be canceled. And it was canceled, at which point the full diplomatic nature of these ‘export licenses’ became more apparent. The Israeli government pressured NSO Group to renew the Pegasus contract. When that didn’t happen, the owners sold to a European private equity group and the Saudi subscription to NSO Group’s tools was renewed. At the end of it all, the one party involved with the Jamal Khashoggi killing to pay a price was Khashoggi:

The New York Times

Israeli Companies Aided Saudi Spying Despite Khashoggi Killing

Ignoring concerns that Saudi Arabia was abusing Israeli spyware to crush dissent at home and abroad, Israel encouraged its companies to work with the kingdom.

By Ronen Bergman and Mark Mazzetti
July 17, 2021

TEL AVIV — Israel secretly authorized a group of cyber-surveillance firms to work for the government of Saudi Arabia despite international condemnation of the kingdom’s abuse of surveillance software to crush dissent, even after the Saudi killing of the journalist Jamal Khashoggi, government officials and others familiar with the contracts said.

After the murder of Mr. Khashoggi in 2018, one of the firms, NSO Group, canceled its contracts with Saudi Arabia amid accusations that its hacking tools were being misused to abet heinous crimes.

But the Israeli government encouraged NSO and two other companies to continue working with Saudi Arabia, and issued a new license for a fourth to do similar work, overriding any concerns about human rights abuses, according to one senior Israeli official and three people affiliated with the companies.

Since then, Saudi Arabia has continued to use the spyware to monitor dissidents and political opponents.

The fact that Israel’s government has encouraged its private companies to do security work for the kingdom — one of its historic adversaries and a nation that still does not formally recognize Israel — is yet more evidence of the reordering of traditional alliances in the region and the strategy by Israel and several Persian Gulf countries to join forces to isolate Iran.

NSO is by far the best known of the Israeli firms, largely because of revelations in the last few years that its Pegasus program was used by numerous governments to spy on, and eventually imprison, human rights activists.

NSO sold Pegasus to Saudi Arabia in 2017. The kingdom used the spyware as part of a ruthless campaign to crush dissent inside the kingdom and to hunt down Saudi dissidents abroad.

It is not publicly known whether Saudi Arabia used Pegasus or other Israeli-made spyware in the plot to kill Mr. Khashoggi. NSO has denied that its software was used.

Israel’s Ministry of Defense also licensed for Saudi work a company called Candiru, which Microsoft accused last week of helping its government clients spy on more than 100 journalists, politicians, dissidents and human rights advocates around the world.

Microsoft, which conducted its investigation in tandem with Citizen Lab, a research institute at the University of Toronto, said Candiru had used malware to exploit a vulnerability in Microsoft products, enabling its government clients to spy on perceived enemies.

Candiru has had at least one contract with Saudi Arabia since 2018.

Israel has also granted licenses to at least two other firms, Verint, which was licensed before the Khashoggi killing, and Quadream, which signed a contract with Saudi Arabia after the killing.

A fifth company, Cellebrite, which manufactures physical hacking systems for mobile phones, has also sold its services to the Saudi government, but without ministry approval, according to the newspaper Haaretz.

Israel insists that if any Israeli spyware were used to violate civil rights that it would revoke the company’s license.

If the Defense Ministry “discovers that the purchased item is being used in contravention of the terms of the license, especially after any violation of human rights, a procedure of cancellation of the defense export license or of enforcing its terms is initiated,” the ministry said in a statement in response to questions from The New York Times.

The ministry declined to respond to specific questions about the licenses it gave to the Israeli firms, but said that “a wide range of security, diplomatic and strategic considerations are taken into account” when considering whether to grant a license to export offensive cyber technology.

Revelations about the abuses of NSO products led the company to hire a group of outside consultants in 2018 to provide advice about which new clients NSO should take on and which to avoid. The group included Daniel Shapiro, the former Obama administration ambassador to Israel, and Beacon Global Strategies, a Washington strategic consulting firm.

Beacon is led by Jeremy Bash, a former C.I.A. and Pentagon chief of staff; Michael Allen, a former staff director for the House Intelligence Committee; and Andrew Shapiro, a former top State Department official.

While the group’s mandate was to vet potential new clients, the international outrage over Mr. Khashoggi’s killing in October 2018 led the group to advise NSO to cancel its Saudi contracts and shut down NSO systems in the kingdom.

Separately, NSO conducted an internal investigation into whether any of its tools were used by Saudi officials for the Khashoggi operation and concluded that they were not. However, a lawsuit against NSO by a friend of Mr. Khashoggi’s claims that his phone had been hacked by Saudi Arabia using Pegasus, and that hack gave Saudi officials access to his conversations with Mr. Khashoggi, including communications about opposition projects.

Over sev­er­al days in late 2018, exec­u­tives both of NSO and the pri­vate equi­ty firm that owned it at the time, Fran­cis­co Part­ners, met in Wash­ing­ton with the advi­so­ry group.

Accord­ing to sev­er­al peo­ple famil­iar with the meet­ings, the NSO exec­u­tives argued that the Israeli gov­ern­ment was strong­ly encour­ag­ing the com­pa­ny to weath­er the storm and con­tin­ue its work in Sau­di Ara­bia. They also said that Israeli offi­cials had indi­cat­ed to them that the Trump admin­is­tra­tion also want­ed NSO’s work with Sau­di Ara­bia to con­tin­ue.

In the end, NSO man­age­ment heed­ed the advice of the out­side group and can­celed its con­tracts with Sau­di Ara­bia in late 2018. Mr. Shapiro, the for­mer ambas­sador to Israel, end­ed his work for the com­pa­ny short­ly after­ward.

Months lat­er, how­ev­er, after anoth­er pri­vate equi­ty firm bought NSO, the com­pa­ny was once again doing busi­ness with Sau­di Ara­bia.

NSO’s new own­er, Novalpina, reject­ed the advice of the out­side advi­so­ry group and NSO resumed its work in Sau­di Ara­bia in mid-2019. Around that time, Bea­con end­ed its work with NSO.

The new con­tract with the Saud­is came with some restric­tions. For exam­ple, NSO set up its sys­tem to block any attempts by Sau­di offi­cials to hack Euro­pean tele­phone num­bers, accord­ing to a per­son famil­iar with the pro­gram­ming.

But it is clear that Sau­di Ara­bia has con­tin­ued to use NSO soft­ware to spy on per­ceived oppo­nents abroad.

In one case that has come to light, three dozen phones belong­ing to jour­nal­ists at Al Jazeera, which Sau­di Ara­bia con­sid­ers a threat, were hacked using NSO’s Pega­sus soft­ware last year, accord­ing to Cit­i­zen Lab. Cit­i­zen Lab traced 18 of the attacks back to Sau­di intel­li­gence.

After the rev­e­la­tion of the attack on Al Jazeera jour­nal­ists, NSO recent­ly shut down the sys­tem, and at a meet­ing in ear­ly July, the company’s board decid­ed to declare new deals with Sau­di Ara­bia off lim­its, accord­ing to a per­son famil­iar with the deci­sion.

Israel’s defense min­istry is cur­rent­ly fight­ing law­suits by Israeli rights activists demand­ing that it release details about its process for grant­i­ng the licens­es.

The Israeli gov­ern­ment also impos­es strict secre­cy on the com­pa­nies that receive the licens­es, threat­en­ing to revoke them if the com­pa­nies speak pub­licly about the iden­ti­ty of their clients.

...

These busi­ness ties came as Israel was qui­et­ly build­ing rela­tion­ships direct­ly with the Sau­di gov­ern­ment.

Ben­jamin Netanyahu, then Israel’s prime min­is­ter, met sev­er­al times with Sau­di Arabia’s day-to-day ruler, Crown Prince Mohammed bin Salman, and mil­i­tary and intel­li­gence lead­ers of the two coun­tries meet fre­quent­ly.

While Sau­di Ara­bia was not offi­cial­ly par­ty to the Abra­ham Accords — the diplo­mat­ic ini­tia­tives dur­ing the end of the Trump admin­is­tra­tion nor­mal­iz­ing rela­tions between Israel and sev­er­al Arab coun­tries — Sau­di lead­ers worked behind the scenes to help bro­ker the deals.

————–

“Israeli Com­pa­nies Aid­ed Sau­di Spy­ing Despite Khashog­gi Killing” by Ronen Bergman and Mark Mazzetti; The New York Times; 07/17/2021

“The fact that Israel’s gov­ern­ment has encour­aged its pri­vate com­pa­nies to do secu­ri­ty work for the king­dom — one of its his­toric adver­saries and a nation that still does not for­mal­ly rec­og­nize Israel — is yet more evi­dence of the reorder­ing of tra­di­tion­al alliances in the region and the strat­e­gy by Israel and sev­er­al Per­sian Gulf coun­tries to join forces to iso­late Iran.

It wasn't just a national security tool. Pegasus was effectively being used as a diplomatic tool, one meant to help bring Saudi Arabia and its Persian Gulf neighbors into an alliance against Iran. Which, we'll recall, was the meta-theme throughout the #TrumpRussia adventures involving Michael Flynn, Erik Prince, Michael Cohen, and the Saudi/UAE scheme to build nuclear power plants across the Middle East (except for Iran). The security relationship between the US, Israel, Saudi Arabia, and the UAE got a lot deeper over the last decade, and it's hard to avoid the suspicion that sharing access to super-spyware like NSO Group's Pegasus was part of that deepening relationship. Just look at the language the Israeli Defense Ministry used when describing the process that goes into approving one of these licenses: “a wide range of security, diplomatic and strategic considerations are taken into account” when considering whether to grant a license to export offensive cyber technology. That's one way to put it:

...
Israel insists that if any Israeli spy­ware were used to vio­late civ­il rights that it would revoke the company’s license.

If the Defense Min­istry “dis­cov­ers that the pur­chased item is being used in con­tra­ven­tion of the terms of the license, espe­cial­ly after any vio­la­tion of human rights, a pro­ce­dure of can­cel­la­tion of the defense export license or of enforc­ing its terms is ini­ti­at­ed,” the min­istry said in a state­ment in response to ques­tions from The New York Times.

The min­istry declined to respond to spe­cif­ic ques­tions about the licens­es it gave to the Israeli firms, but said that “a wide range of secu­ri­ty, diplo­mat­ic and strate­gic con­sid­er­a­tions are tak­en into account” when con­sid­er­ing whether to grant a license to export offen­sive cyber tech­nol­o­gy.
...

And as we saw, NSO Group isn't the only company whose hacking tools the Israeli government was licensing to Saudi Arabia at this time. One company, Quadream, even signed its contract with Saudi Arabia after Khashoggi's killing. So when NSO Group claims that it canceled the Saudi contracts in the wake of the Khashoggi killing but was then encouraged by the Israeli government to continue working with Saudi Arabia, it's not an implausible scenario. The licensing of cutting-edge hacking tools is clearly part of the Israeli diplomatic playbook. Which isn't a surprise. It's a powerful diplomatic tool. Crazy dangerous, but powerful:

...
After the mur­der of Mr. Khashog­gi in 2018, one of the firms, NSO Group, can­celed its con­tracts with Sau­di Ara­bia amid accu­sa­tions that its hack­ing tools were being mis­used to abet heinous crimes.

But the Israeli gov­ern­ment encour­aged NSO and two oth­er com­pa­nies to con­tin­ue work­ing with Sau­di Ara­bia, and issued a new license for a fourth to do sim­i­lar work, over­rid­ing any con­cerns about human rights abus­es, accord­ing to one senior Israeli offi­cial and three peo­ple affil­i­at­ed with the com­pa­nies.

Since then, Sau­di Ara­bia has con­tin­ued to use the spy­ware to mon­i­tor dis­si­dents and polit­i­cal oppo­nents.

...

NSO sold Pega­sus to Sau­di Ara­bia in 2017. The king­dom used the spy­ware as part of a ruth­less cam­paign to crush dis­sent inside the king­dom and to hunt down Sau­di dis­si­dents abroad.

...

Israel’s Min­istry of Defense also licensed for Sau­di work a com­pa­ny called Can­diru, which Microsoft accused last week of help­ing its gov­ern­ment clients spy on more than 100 jour­nal­ists, politi­cians, dis­si­dents and human rights advo­cates around the world.

...

Israel has also grant­ed licens­es to at least two oth­er firms, Verint, which was licensed before the Khashog­gi killing, and Quadream, which signed a con­tract with Sau­di Ara­bia after the killing.

A fifth com­pa­ny, Cellebrite, which man­u­fac­tures phys­i­cal hack­ing sys­tems for mobile phones, has also sold its ser­vices to the Sau­di gov­ern­ment, but with­out min­istry approval, accord­ing to the news­pa­per Haaretz.

...

The Israeli gov­ern­ment also impos­es strict secre­cy on the com­pa­nies that receive the licens­es, threat­en­ing to revoke them if the com­pa­nies speak pub­licly about the iden­ti­ty of their clients.
...

But, again, the sale of this kind of super-hacking software to governments around the world probably wasn't just an Israeli government project. The US government would almost surely have been involved in giving its approval, if only informally. So we shouldn't be surprised to learn that NSO Group hired DC-based Beacon Global Strategies, led by US national security community figureheads like Jeremy Bash, to effectively give its blessing to NSO Group's more controversial clients. The picture that emerges from the various accounts of NSO Group's internal deliberations is one in which NSO Group wanted to drop the contract but felt it was effectively being asked by the Israeli government and the Trump administration to continue the Saudi contract:

...
Rev­e­la­tions about the abus­es of NSO prod­ucts led the com­pa­ny to hire a group of out­side con­sul­tants in 2018 to pro­vide advice about which new clients NSO should take on and which to avoid. The group includ­ed Daniel Shapiro, the for­mer Oba­ma admin­is­tra­tion ambas­sador to Israel, and Bea­con Glob­al Strate­gies, a Wash­ing­ton strate­gic con­sult­ing firm.

Bea­con is led by Jere­my Bash, a for­mer C.I.A. and Pen­ta­gon chief of staff; Michael Allen, a for­mer staff direc­tor for the House Intel­li­gence Com­mit­tee; and Andrew Shapiro, a for­mer top State Depart­ment offi­cial.

While the group’s man­date was to vet poten­tial new clients, the inter­na­tion­al out­rage over Mr. Khashoggi’s killing in Octo­ber 2018 led the group to advise NSO to can­cel its Sau­di con­tracts and shut down NSO sys­tems in the king­dom.

Separately, NSO conducted an internal investigation into whether any of its tools were used by Saudi officials for the Khashoggi operation and concluded that they were not. However, a lawsuit against NSO by a friend of Mr. Khashoggi's claims that his phone had been hacked by Saudi Arabia using Pegasus, and that hack gave Saudi officials access to his conversations with Mr. Khashoggi, including communications about opposition projects.

Over sev­er­al days in late 2018, exec­u­tives both of NSO and the pri­vate equi­ty firm that owned it at the time, Fran­cis­co Part­ners, met in Wash­ing­ton with the advi­so­ry group.

Accord­ing to sev­er­al peo­ple famil­iar with the meet­ings, the NSO exec­u­tives argued that the Israeli gov­ern­ment was strong­ly encour­ag­ing the com­pa­ny to weath­er the storm and con­tin­ue its work in Sau­di Ara­bia. They also said that Israeli offi­cials had indi­cat­ed to them that the Trump admin­is­tra­tion also want­ed NSO’s work with Sau­di Ara­bia to con­tin­ue.
...

And then, at the end of all that consulting about what to do with its Saudi contract, NSO Group canceled the contract. Months later the company was sold to a new private equity group and the contract was reopened. The commitment on the part of the Israeli government and the Trump administration to providing Saudi Arabia with these hacking tools was so intense that NSO Group somehow found a new owner who was open to that Saudi contract:

...
In the end, NSO man­age­ment heed­ed the advice of the out­side group and can­celed its con­tracts with Sau­di Ara­bia in late 2018. Mr. Shapiro, the for­mer ambas­sador to Israel, end­ed his work for the com­pa­ny short­ly after­ward.

Months lat­er, how­ev­er, after anoth­er pri­vate equi­ty firm bought NSO, the com­pa­ny was once again doing busi­ness with Sau­di Ara­bia.

NSO’s new own­er, Novalpina, reject­ed the advice of the out­side advi­so­ry group and NSO resumed its work in Sau­di Ara­bia in mid-2019. Around that time, Bea­con end­ed its work with NSO.

The new con­tract with the Saud­is came with some restric­tions. For exam­ple, NSO set up its sys­tem to block any attempts by Sau­di offi­cials to hack Euro­pean tele­phone num­bers, accord­ing to a per­son famil­iar with the pro­gram­ming.

But it is clear that Sau­di Ara­bia has con­tin­ued to use NSO soft­ware to spy on per­ceived oppo­nents abroad.
...

It's worth keeping in mind that Saudi Arabia may have been tasked with a role similar to the one Israel has long played in the Western alliance: spying on other Western allies. Might that be part of the reason Israel and the US were insistent that Saudi Arabia get access to these tools? Outsourcing the already outsourced ally-spying? Perhaps.

It's also possible the Saudis were making access to NSO Group tools a requirement for the broader Middle East peace plan the Trump administration and Jared Kushner were working on, and this story reflects the US and Israel acquiescing to those unusual demands. But these aren't normal demands. These are tools approaching NSA and GCHQ capabilities in many respects. It's hard to imagine the US and Israel casually giving this kind of power away, even to a long-standing military ally like Saudi Arabia. That's part of why questions about deeper intelligence-sharing pacts and/or illicit quid-pro-quo spying arrangements are so intriguing in this story. NSO Group was peddling digital nuclear weapons. That couldn't have been treated lightly by the US and Israel. And yet 40 or so governments got their hands on these digital nuclear weapons. What kind of arrangements were made to ensure the inevitable abuses of these tools don't target US and Israeli interests? A promise not to abuse them? It's a massive question looming over this story (and the answers point towards little more than promises).
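The one technical safeguard the Times piece above describes is a restriction keyed to the target's phone number: NSO "set up its system to block any attempts by Saudi officials to hack European telephone numbers." The example below is added here; it is not NSO's code and the page documents nothing about how Pegasus enforces such a rule. It implements that kind of check on the number alone, as an E.164 longest-prefix lookup over a constructed subset of country calling codes, and shows what such a check cannot do: tell a US number from the other countries sharing +1 without an area-code table, and say anything about where the phone or its holder actually is. The country-code and area-code tables are constructed subsets of the real ones, and the tenant policy sets are assumptions.

```python
# Number-keyed targeting restriction, as an added illustration (not NSO's code).
# Country-code and area-code tables are constructed subsets of the real ones.

# ITU E.164 country calling codes are 1 to 3 digits long, so a lookup has to try
# the longest candidate first: "+212..." is Morocco, "+1 212..." is New York.
COUNTRY_CODES = {
    "1": "NANP",    # shared by the US, Canada and a number of Caribbean states
    "7": "RU/KZ",   # shared by Russia and Kazakhstan
    "33": "FR", "34": "ES", "36": "HU", "44": "GB", "49": "DE",
    "52": "MX", "90": "TR", "91": "IN", "212": "MA", "250": "RW",
    "966": "SA", "971": "AE", "973": "BH", "994": "AZ",
}

# Constructed subset of NANP area codes; needed to tell "US number" from "+1 number".
NANP_AREA_CODES = {
    "202": "US", "212": "US", "415": "US",   # Washington DC, New York, San Francisco
    "416": "CA", "604": "CA",                # Toronto, Vancouver
    "876": "JM",                             # Jamaica
}

# Assumed policy sets for the cases discussed in the text.
EUROPEAN = {"FR", "ES", "HU", "GB", "DE"}
US_ONLY = {"US"}


def parse_e164(number):
    """Split a +-prefixed E.164 number into (country_code, region, national_number).

    Raises ValueError for anything that is not a plus sign followed by 7 to 15
    digits, or whose prefix is not in the table."""
    digits = number[1:]
    if not number.startswith("+") or not digits.isdigit() or not 7 <= len(digits) <= 15:
        raise ValueError(f"not an E.164 number: {number!r}")
    for length in (3, 2, 1):          # longest prefix first
        code = digits[:length]
        if code in COUNTRY_CODES:
            return code, COUNTRY_CODES[code], digits[length:]
    raise ValueError(f"unknown country code in {number!r}")


def region_of(number):
    """Resolve a number to a region; +1 numbers need the area code to get past 'NANP'."""
    code, region, national = parse_e164(number)
    if code == "1":
        return NANP_AREA_CODES.get(national[:3], "NANP-unknown")
    return region


def targeting_allowed(number, denied_regions):
    """The policy check itself: refuse a target whose number resolves to a denied region."""
    return region_of(number) not in denied_regions


if __name__ == "__main__":
    saudi_tenant = EUROPEAN | US_ONLY      # assumed: no European or US numbers
    for number, note in [
        ("+966501234567", "Saudi number"),
        ("+33612345678", "French number, whoever holds it"),
        ("+12025550123", "Washington DC number"),
        ("+14165550123", "Toronto number: +1 but not US"),
        ("+212612345678", "Moroccan number, not +1 212"),
    ]:
        print(f"{number:16} {region_of(number):13} allowed={targeting_allowed(number, saudi_tenant)!s:5} {note}")
    # An American abroad on a French SIM: a US-number rule never sees this number.
    print("US-only rule on a French SIM:", targeting_allowed("+33612345678", US_ONLY))
```

Run as a script it prints the decision for each constructed number. The last line is the one to keep in mind when reading NSO's "technologically impossible" statement further down the page: an American carrying a French SIM has a +33 number, so a US-number rule never sees it, and a European-number rule blocks it for reasons that have nothing to do with nationality or location. A restriction keyed to the number is a restriction on the number, nothing more.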

NSO Group’s Worst Nightmare: Sunshine. Lots of Sunshine on Its Shady Activities from Forbidden Stories and Amnesty International

A day after that explosive NY Times report, the Washington Post brings us a write-up of a huge new investigation released by Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International, based on a leaked list of thousands of phone numbers that were purportedly targets of NSO Group's feared Pegasus spyware. Phone numbers that, as we'll see, include major world leaders like Emmanuel Macron. And if those thousands of numbers really are an accurate target list, the abuse was rampant, with activists and rival politicians frequently on it. There's also a new zero-click exploit that worked simply by sending an SMS text message or iMessage to the smartphone, with nothing for the target to tap. 60 government agencies in 40 countries were allowed to buy subscriptions to the software and, again, they policed themselves. It started with Mexico getting a subscription in 2011. So the Pegasus super-spyware has been sold for a decade now to a growing list of government agencies. Those unlucky Armenian activists had a lot of company.
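The investigation's evidence, as the Post report quoted below describes it, comes from two places: timestamps on the leaked list lining up with the start of surveillance activity recovered from iPhone backups, sometimes within seconds, and SMS messages carrying links to Pegasus-associated domains. The example below is added here; it is not the Post's, Amnesty's or Citizen Lab's code, and every input in it is constructed: the list entries, the device artifacts, the SMS records and the indicator domain are placeholders, not real Pegasus indicators. It shows the two checks in their simplest form: pair each list timestamp with device artifacts that follow it inside a tolerance window, and flag messages whose links resolve to an indicator domain or one of its subdomains.

```python
# Two triage checks of the kind the Pegasus Project forensics rest on, as an added
# illustration. All inputs below are constructed placeholders, not leak data and
# not real indicators.
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Entries from a hypothetical leaked selection list: (phone number, time entered).
LIST_ENTRIES = [
    ("+33612345678", "2019-06-10T13:02:07+00:00"),
    ("+33612345678", "2019-08-02T09:15:40+00:00"),
    ("+33612345678", "2020-01-14T18:00:00+00:00"),
]

# Artifacts from a hypothetical iPhone backup: (timestamp, source, detail).
# The process name is a placeholder, not a Pegasus indicator.
DEVICE_EVENTS = [
    ("2019-06-10T13:02:11+00:00", "DataUsage.sqlite", "first network use by unknown process 'svc-helper'"),
    ("2019-08-02T09:17:03+00:00", "crash log", "messaging component crashed"),
    ("2019-11-30T07:45:00+00:00", "DataUsage.sqlite", "App Store update check"),
]

# SMS records from the same hypothetical backup: (sender, timestamp, body).
SMS_RECORDS = [
    ("+33755501234", "2019-06-10T13:01:58+00:00",
     "Votre colis est arrive: https://track.example-infra.net/p/8f3a."),
    ("+33612000000", "2019-06-11T19:20:00+00:00", "Running late, see you at 8"),
    ("+33755509876", "2019-09-01T10:00:00+00:00",
     "Your code is 482913. Verify at https://www.example.org/verify"),
]

# Placeholder standing in for a real indicator list. Operators rotate hostnames
# under a registered domain, so the matcher also catches subdomains.
INDICATOR_DOMAINS = {"example-infra.net"}


def parse_ts(text):
    """Parse an ISO-8601 timestamp; naive values are treated as UTC."""
    ts = datetime.fromisoformat(text)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def correlate(list_entries, device_events, window_seconds=300):
    """Pair each list entry with device artifacts that follow it within the window.

    Returns (number, list_time, artifact_time, delta_seconds, source, detail)
    tuples. A selection time followed within seconds by a first-seen network
    process is the kind of correlation worth escalating."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for number, list_ts in list_entries:
        t0 = parse_ts(list_ts)
        for ev_ts, source, detail in device_events:
            delta = parse_ts(ev_ts) - t0
            if timedelta(0) <= delta <= window:
                hits.append((number, list_ts, ev_ts, int(delta.total_seconds()), source, detail))
    return hits


URL_RE = re.compile(r'''https?://[^\s<>"']+''', re.IGNORECASE)


def matches_indicator(host, indicators):
    """True if host equals an indicator domain or is a subdomain of one."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in indicators for i in range(len(labels) - 1))


def scan_sms(records, indicators):
    """Return (sender, timestamp, matched_host) for SMS bodies linking to an indicator."""
    flagged = []
    for sender, ts, body in records:
        for url in URL_RE.findall(body):
            host = urlsplit(url.rstrip(".,;)")).hostname   # drop trailing punctuation
            if host and matches_indicator(host, indicators):
                flagged.append((sender, ts, host))
    return flagged


if __name__ == "__main__":
    for hit in correlate(LIST_ENTRIES, DEVICE_EVENTS):
        print("correlated: %s listed %s -> %s after %ds (%s: %s)" % hit)
    for sender, ts, host in scan_sms(SMS_RECORDS, INDICATOR_DOMAINS):
        print(f"indicator link: {ts} from {sender} -> {host}")
```

The window is the analyst's tolerance, not a property of the spyware; tightening it to 30 seconds keeps only the first correlation in the constructed data. As the Post report notes, Android devices do not keep equivalents of the iOS artifacts the first check relies on, which is why the Android phones in the study could only show targeting (the SMS side of this example), not infection.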

What is NSO Group's response to this report? It points out that it's up to the governments to decide who gets targeted and that NSO Group doesn't know. And while that may not be the best response to the criticism, since it's more or less an admission that the abuse allegations are likely true, it's an entirely plausible response. NSO Group's tools are probably entirely controlled by the governments who buy these subscriptions. It's absurd to expect governments to hand information like their intelligence targets over to NSO Group. That's part of what's so scandalous about this industry supplying super-spyware to governments: it's hard to imagine a scenario where meaningful oversight is possible. It's an industry built for unchecked secrecy by the clients, and that's an industry built for abuse.

And yet we are told there are geolocation restrictions in the software and that US-based smartphones can't be targeted by NSO Group's tools. The phone number list in the report appears to bear that out, at least for numbers with the US country code. So there is some degree of restriction, keyed to the phone number. But that's it. All other oversight is up to the client, hence all the activists, journalists, and political opponents whose phone numbers show up on the target list:

The Wash­ing­ton Post

Pri­vate Israeli spy­ware used to hack cell­phones of jour­nal­ists, activists world­wide

NSO Group’s Pega­sus spy­ware, licensed to gov­ern­ments around the globe, can infect phones with­out a click

By Dana Priest, Craig Tim­berg and Souad Mekhen­net

Updat­ed July 18 at 8:15 p.m. Orig­i­nal­ly pub­lished July 18, 2021

Mil­i­tary-grade spy­ware licensed by an Israeli firm to gov­ern­ments for track­ing ter­ror­ists and crim­i­nals was used in attempt­ed and suc­cess­ful hacks of 37 smart­phones belong­ing to jour­nal­ists, human rights activists, busi­ness exec­u­tives and two women close to mur­dered Sau­di jour­nal­ist Jamal Khashog­gi, accord­ing to an inves­ti­ga­tion by The Wash­ing­ton Post and 16 media part­ners.

The phones appeared on a list of more than 50,000 num­bers that are con­cen­trat­ed in coun­tries known to engage in sur­veil­lance of their cit­i­zens and also known to have been clients of the Israeli firm, NSO Group, a world­wide leader in the grow­ing and large­ly unreg­u­lat­ed pri­vate spy­ware indus­try, the inves­ti­ga­tion found.

The list does not iden­ti­fy who put the num­bers on it, or why, and it is unknown how many of the phones were tar­get­ed or sur­veilled. But foren­sic analy­sis of the 37 smart­phones shows that many dis­play a tight cor­re­la­tion between time stamps asso­ci­at­ed with a num­ber on the list and the ini­ti­a­tion of sur­veil­lance, in some cas­es as brief as a few sec­onds.

For­bid­den Sto­ries, a Paris-based jour­nal­ism non­prof­it, and Amnesty Inter­na­tion­al, a human rights group, had access to the list and shared it with the news orga­ni­za­tions, which did fur­ther research and analy­sis. Amnesty’s Secu­ri­ty Lab did the foren­sic analy­ses on the smart­phones.

The num­bers on the list are unat­trib­uted, but reporters were able to iden­ti­fy more than 1,000 peo­ple span­ning more than 50 coun­tries through research and inter­views on four con­ti­nents: sev­er­al Arab roy­al fam­i­ly mem­bers, at least 65 busi­ness exec­u­tives, 85 human rights activists, 189 jour­nal­ists, and more than 600 politi­cians and gov­ern­ment offi­cials — includ­ing cab­i­net min­is­ters, diplo­mats, and mil­i­tary and secu­ri­ty offi­cers. The num­bers of sev­er­al heads of state and prime min­is­ters also appeared on the list.

Among the jour­nal­ists whose num­bers appear on the list, which dates to 2016, are reporters work­ing over­seas for sev­er­al lead­ing news orga­ni­za­tions, includ­ing a small num­ber from CNN, the Asso­ci­at­ed Press, Voice of Amer­i­ca, the New York Times, the Wall Street Jour­nal, Bloomberg News, Le Monde in France, the Finan­cial Times in Lon­don and Al Jazeera in Qatar.

The tar­get­ing of the 37 smart­phones would appear to con­flict with the stat­ed pur­pose of NSO’s licens­ing of the Pega­sus spy­ware, which the com­pa­ny says is intend­ed only for use in sur­veilling ter­ror­ists and major crim­i­nals. The evi­dence extract­ed from these smart­phones, revealed here for the first time, calls into ques­tion pledges by the Israeli com­pa­ny to police its clients for human rights abus­es.

The media con­sor­tium, titled the Pega­sus Project, ana­lyzed the list through inter­views and foren­sic analy­sis of the phones, and by com­par­ing details with pre­vi­ous­ly report­ed infor­ma­tion about NSO. Amnesty’s Secu­ri­ty Lab exam­ined 67 smart­phones where attacks were sus­pect­ed. Of those, 23 were suc­cess­ful­ly infect­ed and 14 showed signs of attempt­ed pen­e­tra­tion.

For the remain­ing 30, the tests were incon­clu­sive, in sev­er­al cas­es because the phones had been replaced. Fif­teen of the phones were Android devices, none of which showed evi­dence of suc­cess­ful infec­tion. How­ev­er, unlike iPhones, Androids do not log the kinds of infor­ma­tion required for Amnesty’s detec­tive work. Three Android phones showed signs of tar­get­ing, such as Pega­sus-linked SMS mes­sages.

Amnesty shared back­up copies of data on four iPhones with Cit­i­zen Lab, which con­firmed that they showed signs of Pega­sus infec­tion. Cit­i­zen Lab, a research group at the Uni­ver­si­ty of Toron­to that spe­cial­izes in study­ing Pega­sus, also con­duct­ed a peer review of Amnesty’s foren­sic meth­ods and found them to be sound.

In lengthy respons­es before pub­li­ca­tion, NSO called the investigation’s find­ings exag­ger­at­ed and base­less. It also said it does not oper­ate the spy­ware licensed to its clients and “has no insight” into their spe­cif­ic intel­li­gence activ­i­ties.

After pub­li­ca­tion, NSO chief exec­u­tive Shalev Hulio expressed con­cern in a phone inter­view with The Post about some of the details he had read in Pega­sus Project sto­ries Sun­day, while con­tin­u­ing to dis­pute that the list of more than 50,000 phone num­bers had any­thing to do with NSO or Pega­sus.

“The com­pa­ny cares about jour­nal­ists and activists and civ­il soci­ety in gen­er­al,” Hulio said. “We under­stand that in some cir­cum­stances our cus­tomers might mis­use the sys­tem and, in some cas­es like we report­ed in [NSO’s] Trans­paren­cy and Respon­si­bil­i­ty Report, we have shut down sys­tems for cus­tomers who have mis­used the sys­tem.”

He said that in the past 12 months NSO had ter­mi­nat­ed two con­tracts over alle­ga­tions of human rights abus­es, but he declined to name the coun­tries involved.

“Every alle­ga­tion about mis­use of the sys­tem is con­cern­ing me,” he said. “It vio­lates the trust that we give cus­tomers. We are inves­ti­gat­ing every alle­ga­tion.”

NSO describes its cus­tomers as 60 intel­li­gence, mil­i­tary and law enforce­ment agen­cies in 40 coun­tries, although it will not con­firm the iden­ti­ties of any of them, cit­ing client con­fi­den­tial­i­ty oblig­a­tions. The con­sor­tium found many of the phone num­bers in at least 10 coun­try clus­ters, which were sub­ject­ed to deep­er analy­sis: Azer­bai­jan, Bahrain, Hun­gary, India, Kaza­khstan, Mex­i­co, Moroc­co, Rwan­da, Sau­di Ara­bia and the Unit­ed Arab Emi­rates. Cit­i­zen Lab also has found evi­dence that all 10 have been clients of NSO, accord­ing to Bill Mar­czak, a senior research fel­low.

For­bid­den Sto­ries orga­nized the media consortium’s inves­ti­ga­tion, and Amnesty pro­vid­ed analy­sis and tech­ni­cal sup­port but had no edi­to­r­i­al input. Amnesty has open­ly crit­i­cized NSO’s spy­ware busi­ness and sup­port­ed an unsuc­cess­ful law­suit against the com­pa­ny in an Israeli court seek­ing to have its export license revoked. After the inves­ti­ga­tion began, sev­er­al reporters in the con­sor­tium learned that they or their fam­i­ly mem­bers had been suc­cess­ful­ly attacked with Pega­sus spy­ware.

Beyond the per­son­al intru­sions made pos­si­ble by smart­phone sur­veil­lance, the wide­spread use of spy­ware has emerged as a lead­ing threat to democ­ra­cies world­wide, crit­ics say. Jour­nal­ists under sur­veil­lance can­not safe­ly gath­er sen­si­tive news with­out endan­ger­ing them­selves and their sources. Oppo­si­tion politi­cians can­not plot their cam­paign strate­gies with­out those in pow­er antic­i­pat­ing their moves. Human rights work­ers can­not work with vul­ner­a­ble peo­ple — some of whom are vic­tims of their own gov­ern­ments — with­out expos­ing them to renewed abuse.

For exam­ple, Amnesty’s foren­sics found evi­dence that Pega­sus was tar­get­ed at the two women clos­est to Sau­di colum­nist Khashog­gi, who wrote for The Post’s Opin­ions sec­tion. The phone of his fiancee, Hat­ice Cen­giz, was suc­cess­ful­ly infect­ed dur­ing the days after his mur­der in Turkey on Oct. 2, 2018, accord­ing to a foren­sic analy­sis by Amnesty’s Secu­ri­ty Lab. Also on the list were the num­bers of two Turk­ish offi­cials involved in inves­ti­gat­ing his dis­mem­ber­ment by a Sau­di hit team. Khashog­gi also had a wife, Hanan Ela­tr, whose phone was tar­get­ed by some­one using Pega­sus in the months before his killing. Amnesty was unable to deter­mine whether the hack was suc­cess­ful.

“This is nasty soft­ware — like elo­quent­ly nasty,” said Tim­o­thy Sum­mers, a for­mer cyber­se­cu­ri­ty engi­neer at a U.S. intel­li­gence agency and now direc­tor of IT at Ari­zona State Uni­ver­si­ty. With it “one could spy on almost the entire world pop­u­la­tion. … There’s not any­thing wrong with build­ing tech­nolo­gies that allows you to col­lect data; it’s nec­es­sary some­times. But human­i­ty is not in a place where we can have that much pow­er just acces­si­ble to any­body.”

In response to detailed ques­tions from the con­sor­tium before pub­li­ca­tion, NSO said in a state­ment that it did not oper­ate the spy­ware it licensed to clients and did not have reg­u­lar access to the data they gath­er. The com­pa­ny also said its tech­nolo­gies have helped pre­vent attacks and bomb­ings and bro­ken up rings that traf­ficked in drugs, sex and chil­dren. “Sim­ply put, NSO Group is on a life-sav­ing mis­sion, and the com­pa­ny will faith­ful­ly exe­cute this mis­sion unde­terred, despite any and all con­tin­ued attempts to dis­cred­it it on false grounds,” NSO said. “Your sources have sup­plied you with infor­ma­tion that has no fac­tu­al basis, as evi­denced by the lack of sup­port­ing doc­u­men­ta­tion for many of the claims.”

The com­pa­ny denied that its tech­nol­o­gy was used against Khashog­gi, or his rel­a­tives or asso­ciates.

...

Thomas Clare, a libel attor­ney hired by NSO, said that the con­sor­tium had “appar­ent­ly mis­in­ter­pret­ed and mis­char­ac­ter­ized cru­cial source data on which it relied” and that its report­ing con­tained flawed assump­tions and fac­tu­al errors.

“NSO Group has good rea­son to believe that this list of ‘thou­sands of phone num­bers’ is not a list of num­bers tar­get­ed by gov­ern­ments using Pega­sus, but instead, may be part of a larg­er list of num­bers that might have been used by NSO Group cus­tomers for oth­er pur­pos­es,” Clare wrote.

In response to fol­low-up ques­tions, NSO called the 50,000 num­ber “exag­ger­at­ed” and said it was far too large to rep­re­sent num­bers tar­get­ed by its clients. Based on the ques­tions it was being asked, NSO said, it had rea­son to believe that the con­sor­tium was bas­ing its find­ings “on mis­lead­ing inter­pre­ta­tion of leaked data from acces­si­ble and overt basic infor­ma­tion, such as HLR Lookup ser­vices, which have no bear­ing on the list of the cus­tomers tar­gets of Pega­sus or any oth­er NSO prod­ucts … we still do not see any cor­re­la­tion of these lists to any­thing relat­ed to use of NSO Group tech­nolo­gies.”

The term HLR, or Home Loca­tion Reg­is­ter, refers to a data­base that is essen­tial to oper­at­ing cel­lu­lar phone net­works. Such reg­is­ters keep records on the net­works of cell­phone users and their gen­er­al loca­tions, along with oth­er iden­ti­fy­ing infor­ma­tion that is used rou­tine­ly in rout­ing calls and texts. HLR lookup ser­vices oper­ate on the SS7 sys­tem that cel­lu­lar car­ri­ers use to com­mu­ni­cate with each oth­er. The ser­vices can be used as a step toward spy­ing on tar­gets.

Telecom­mu­ni­ca­tions secu­ri­ty expert Karsten Nohl, chief sci­en­tist for Secu­ri­ty Research Labs in Berlin, said that he does not have direct knowl­edge of NSO’s sys­tems but that HLR lookups and oth­er SS7 queries are wide­ly and inex­pen­sive­ly used by the sur­veil­lance indus­try — often for just tens of thou­sands of dol­lars a year.

“It’s not dif­fi­cult to get that access. Giv­en the resources of NSO, it’d be crazy to assume that they don’t have SS7 access from at least a dozen coun­tries,” Nohl said. “From a dozen coun­tries, you can spy on the rest of the world.”

Pega­sus was engi­neered a decade ago by Israeli ex-cyber­spies with gov­ern­ment-honed skills. The Israeli Defense Min­istry must approve any license to a gov­ern­ment that wants to buy it, accord­ing to pre­vi­ous NSO state­ments.

“As a mat­ter of pol­i­cy, the State of Israel approves the export of cyber prod­ucts exclu­sive­ly to gov­ern­men­tal enti­ties, for law­ful use, and only for the pur­pose of pre­vent­ing and inves­ti­gat­ing crime and coun­tert­er­ror­ism, under end-use/end user cer­tifi­cates pro­vid­ed by the acquir­ing gov­ern­ment,” a spokesper­son for the Israeli defense estab­lish­ment said Sun­day. “In cas­es where export­ed items are used in vio­la­tion of export licens­es or end-use cer­tifi­cates, appro­pri­ate mea­sures are tak­en.”

The num­bers of about a dozen Amer­i­cans work­ing over­seas were dis­cov­ered on the list, in all but one case while using phones reg­is­tered to for­eign cel­lu­lar net­works. The con­sor­tium could not per­form foren­sic analy­sis on most of these phones. NSO has said for years that its prod­uct can­not be used to sur­veil Amer­i­can phones. The con­sor­tium did not find evi­dence of suc­cess­ful spy­ware pen­e­tra­tion on phones with the U.S. coun­try code.

“We also stand by our pre­vi­ous state­ments that our prod­ucts, sold to vet­ted for­eign gov­ern­ments, can­not be used to con­duct cyber­sur­veil­lance with­in the Unit­ed States, and no cus­tomer has ever been grant­ed tech­nol­o­gy that would enable them to access phones with U.S. num­bers,” the com­pa­ny said in its state­ment. “It is tech­no­log­i­cal­ly impos­si­ble and reaf­firms the fact your sources’ claims have no mer­it.”

...

Some Pega­sus intru­sion tech­niques detailed in a 2016 report were changed in a mat­ter of hours after they were made pub­lic, under­scor­ing NSO’s abil­i­ty to adapt to coun­ter­mea­sures.

Pega­sus is engi­neered to evade defens­es on iPhones and Android devices and to leave few traces of its attack. Famil­iar pri­va­cy mea­sures like strong pass­words and encryp­tion offer lit­tle help against Pega­sus, which can attack phones with­out any warn­ing to users. It can read any­thing on a device that a user can, while also steal­ing pho­tos, record­ings, loca­tion records, com­mu­ni­ca­tions, pass­words, call logs and social media posts. Spy­ware also can acti­vate cam­eras and micro­phones for real-time sur­veil­lance.

“There is just noth­ing from an encryp­tion stand­point to pro­tect against this,” said Clau­dio Guarnieri, a.k.a. “Nex,” the Amnesty Secu­ri­ty Lab’s 33-year-old Ital­ian researcher who devel­oped and per­formed the dig­i­tal foren­sics on 37 smart­phones that showed evi­dence of Pega­sus attacks.

That sense of help­less­ness makes Guarnieri, who often dress­es head-to-toe in black, feel as use­less as a 14th-cen­tu­ry doc­tor con­fronting the Black Plague with­out any use­ful med­ica­tion. “Pri­mar­i­ly I’m here just to keep the death count,” he said.

The attack can begin in dif­fer­ent ways. It can come from a mali­cious link in an SMS text mes­sage or an iMes­sage. In some cas­es, a user must click on the link to start the infec­tion. In recent years, spy­ware com­pa­nies have devel­oped what they call “zero-click” attacks, which deliv­er spy­ware sim­ply by send­ing a mes­sage to a user’s phone that pro­duces no noti­fi­ca­tion. Users do not even need to touch their phones for infec­tions to begin.

Many coun­tries have laws per­tain­ing to tra­di­tion­al wire­tap­ping and inter­cep­tion of com­mu­ni­ca­tions, but few have effec­tive safe­guards against deep­er intru­sions made pos­si­ble by hack­ing into smart­phones. “This is more devi­ous in a sense because it real­ly is no longer about inter­cept­ing com­mu­ni­ca­tions and over­hear­ing con­ver­sa­tion. … This cov­ers all of them and goes way beyond that,” Guarnieri said. “It has raised a lot of ques­tions from not only human rights, but even nation­al con­sti­tu­tion­al laws as to is this even legal?”

Clare, NSO’s attor­ney, attacked the foren­sic exam­i­na­tions as “a com­pi­la­tion of spec­u­la­tive and base­less assump­tions” built on assump­tions based on ear­li­er reports. He also said, “NSO does not have insight into the spe­cif­ic intel­li­gence activ­i­ties of its cus­tomers.”

...

‘What a question!’

Some expressed outrage even at the suggestion of spying on journalists.

A reporter for the French daily Le Monde working on the Pegasus Project recently posed such a question to Hungarian Justice Minister Judit Varga during an interview about the legal requirements for eavesdropping:

“If someone asked you to tape a journalist or an opponent, you wouldn’t accept this?”

“What a question!” Varga responded. “This is a provocation in itself!” A day later, her office requested that this question and her answer to it “be erased” from the interview.

In the past, NSO has blamed its client countries for any alleged abuses. NSO released its first “Transparency and Responsibility Report” last month, arguing that its services are essential to law enforcement and intelligence agencies trying to keep up with the 21st century.

“Terror organizations, drug cartels, human traffickers, pedophile rings and other criminal syndicates today exploit off-the-shelf encryption capabilities offered by mobile messaging and communications applications.

“These technologies provide criminals and their networks a safe haven, allowing them to ‘go dark’ and avoid detection, communicating through impenetrable mobile messaging systems. Law enforcement and counterterrorism state agencies around the world have struggled to keep up.”

NSO also said it conducts rigorous reviews of potential customers’ human rights records before contracting with them and investigates reports of abuses, although it did not cite any specific cases. It asserted that it has discontinued contracts with five clients for documented violations and that the company’s due diligence has cost it $100 million in lost revenue. A person familiar with NSO operations who spoke on the condition of anonymity to discuss internal company matters noted that in the last year alone NSO had terminated contracts with Saudi Arabia and Dubai in the United Arab Emirates over human rights concerns.

“Pegasus is very useful for fighting organized crime,” said Guillermo Valdes Castellanos, head of Mexico’s domestic intelligence agency CISEN from 2006 to 2011. “But the total lack of checks and balances [in Mexican agencies] means it easily ends up in private hands and is used for political and personal gain.”

Mexico was NSO’s first overseas client in 2011, less than a year after the firm was founded in Israel’s Silicon Valley, in northern Tel Aviv.

In 2016 and 2017, more than 15,000 Mexicans appeared on the list examined by the media consortium, among them at least 25 reporters working for the country’s major media outlets, according to the records and interviews.

One of them was Carmen Aristegui, one of the most prominent investigative journalists in the country and a regular contributor to CNN. Aristegui, who is routinely threatened for exposing the corruption of Mexican politicians and cartels, was previously revealed as a Pegasus target in several media reports. At the time, she said in a recent interview, her producer was also targeted. The new records and forensics show that Pegasus links were detected on the phone of her personal assistant.

“Pegasus is something that comes to your office, your home, your bed, every corner of your existence,” Aristegui said. “It is a tool that destroys the essential codes of civilization.”

Unlike Aristegui, freelance reporter Cecilio Pineda was unknown outside his violence-wracked southern state of Guerrero. His number appears twice on the list of 50,000. A month after the second listing, he was gunned down while lying in a hammock at a carwash while waiting for his car. It is unclear what role, if any, Pegasus’s ability to geolocate its targets in real time contributed to his murder. Mexico is among the deadliest countries for journalists; 11 were killed in 2017, according to Reporters Without Borders.

“Even if Forbidden Stories were correct that an NSO Group client in Mexico targeted the journalist’s phone number in February 2017, that does not mean that the NSO Group client or data collected by NSO Group software were in any way connected to the journalist’s murder the following month,” Clare, NSO’s lawyer, wrote in his letter to Forbidden Stories. “Correlation does not equal causation, and the gunmen who murdered the journalist could have learned of his location at a public carwash through any number of means not related to NSO Group, its technologies, or its clients.”

Mexico’s Public Security Ministry acknowledged last year that the domestic intelligence agency, CISEN, and the attorney general’s office acquired Pegasus in 2014 and discontinued its use in 2017 when the license expired. Mexican media have also reported that the Defense Ministry used the spyware.

Snowden’s legacy

Today’s thriving international spyware industry dates back decades but got a boost after the unprecedented 2013 disclosure of highly classified National Security Agency documents by contractor Edward Snowden. They revealed that the NSA could obtain the electronic communications of almost anyone because it had secret access to the transnational cables carrying Internet traffic worldwide and data from Internet companies such as Google and giant telecommunications companies such as AT&T.

Even U.S. allies in Europe were shocked by the comprehensive scale of the American digital spying, and many national intelligence agencies set out to improve their own surveillance abilities. For-profit firms staffed with midcareer retirees from intelligence agencies saw a lucrative market-in-waiting free from the government regulations and oversight imposed on other industries.

The dramatic expansion of end-to-end encryption by Google, Microsoft, Facebook, Apple and other major technology firms also prompted law enforcement and intelligence officials to complain they had lost access to the communications of legitimate criminal targets. That in turn sparked more investment in technologies, such as Pegasus, that worked by targeting individual devices.

“When you build a building, you want to make sure the building holds up, so we follow certain protocols,” said Ido Sivan-Sevilla, an expert on cyber governance at the University of Maryland. By promoting the sale of unregulated private surveillance tools, “we encourage building buildings that can be broken into. We are building a monster. We need an international norms treaty that says certain things are not okay.”

Without international standards and rules, there are secret deals between companies like NSO and the countries they service.

The unfettered use of a military-grade spyware such as Pegasus can help governments to suppress civic activism at a time when authoritarianism is on the rise worldwide. It also gives countries without the technical sophistication of such leading nations as the United States, Israel and China the ability to conduct far deeper digital cyberespionage than ever before.

‘Your body stops functioning’

Azerbaijan, a longtime ally of Israel, has been identified as an NSO client by Citizen Lab and others. The country is a family-run kleptocracy with no free elections, no impartial court system and no independent news media. The former Soviet territory has been ruled since the Soviet Union collapsed 30 years ago by the Aliyev family, whose theft of the country’s wealth and money-laundering schemes abroad have resulted in foreign embargoes, international sanctions and criminal indictments.

Despite the difficulties, roughly three dozen Azerbaijani reporters continue to document the family’s corruption. Some are hiding inside the country, but most were forced into exile where they are not so easy to capture. Some work for the Prague-based, U.S.-funded Radio Free Europe/Radio Liberty, which was kicked out of the country in 2015 for its reporting. The others work for an investigative reporting nonprofit called the Organized Crime and Corruption Reporting Project, which is based in Sarajevo, the Bosnian capital, and is one of the partners in the Pegasus Project.

The foremost investigative reporter in the region is Khadija Ismayilova, whom the regime has worked for a decade to silence: It planted a secret camera in her apartment wall, took videos of her having sex with her boyfriend and then posted them on the Internet in 2012; she was arrested in 2014, tried and convicted on trumped-up tax-evasion and other charges, and held in prison cells with hardened criminals. After global outrage and the high-profile intervention of human rights attorney Amal Clooney, she was released in 2016 and put under a travel ban.

“It is important that people see examples of journalists who do not stop because they were threatened,” Ismayilova said in a recent interview. “It’s like a war. You leave your trench, then the attacker comes in. … You have to keep your position, otherwise it will be taken and then you will have less space, less space, the space will be shrinking and then you will find it hard to breathe.”

Last month, her health failing, she was allowed to leave the country. Colleagues arranged to test her smartphone immediately. Forensics by Security Lab determined that Pegasus had attacked and penetrated her device numerous times from March 2019 to as late as May of this year.

She had assumed some kind of surveillance, Ismayilova said, but was still surprised at the number of attacks. “When you think maybe there’s a camera in the toilet, your body stops functioning,” she said. “I went through this, and for eight or nine days I could not use the toilet, anywhere, not even in public places. My body stopped functioning.”

She stopped communicating with people because whoever she spoke with ended up harassed by security services. “You don’t trust anyone, and then you try not to have any long-term plans with your own life because you don’t want any person to have problems because of you.”

Confirmation of the Pegasus penetration galled her. “My family members are also victimized. The sources are victimized. People I’ve been working with, people who told me their private secrets are victimized,” she said. “It’s despicable. … I don’t know who else has been exposed because of me, who else is in danger because of me.”

Is the minister paranoid or sensible?

The fear of widespread surveillance impedes the already difficult mechanics of civic activism.

“Sometimes, that fear is the point,” said John Scott-Railton, a senior researcher at Citizen Lab, who has researched Pegasus extensively. “The psychological hardship and the self-censorship it causes are key tools of modern-day dictators and authoritarians.”

When Siddharth Varadarajan, co-founder of the Wire, an independent online outlet in India, learned that Security Lab’s analysis showed that his phone had been targeted and penetrated by Pegasus, his mind immediately ran through his sensitive sources. He thought about a minister in Prime Minister Narendra Modi’s government who had displayed an unusual concern about surveillance when they met.

The minister first moved the meeting from one location to another at the last moment, then switched off his phone and told Varadarajan to do the same.

Then “the two phones were put in a room and music was put on in that room … and I thought: ‘Boy, this guy is really paranoid. But maybe he was being sensible,’ ” Varadarajan said in a recent interview.

When forensics showed his phone had been penetrated, he knew the feeling himself. “You feel violated, there’s no doubt about it,” he said. “This is an incredible intrusion, and journalists should not have to deal with this. Nobody should have to deal with this.”

————-

“Private Israeli spyware used to hack cellphones of journalists, activists worldwide” by Dana Priest, Craig Timberg and Souad Mekhennet; The Washington Post; 07/18/2021

“The targeting of the 37 smartphones would appear to conflict with the stated purpose of NSO’s licensing of the Pegasus spyware, which the company says is intended only for use in surveilling terrorists and major criminals. The evidence extracted from these smartphones, revealed here for the first time, calls into question pledges by the Israeli company to police its clients for human rights abuses.

It’s long been justifiably suspected that NSO Group doesn’t actually have safeguards in place to ensure its unstoppable hacking software isn’t being abused by its government clients. Dozens and dozens of government clients. But if the analysis of the list of targeted phone numbers and the forensic analysis of a number of those phones by Forbidden Stories and Amnesty International are correct, we now have that evidence. NSO Group’s Pegasus software has been wildly abused by its government clients. Because of course it was. You couldn’t give dozens of governments around the world super hacking tools and not expect them to target activists, journalists, academics, and other governments.

How much abuse has taken place? We don’t know. And if we believe NSO Group, they don’t really know either. The company doesn’t operate the software for its clients and “has no insight” into their specific intelligence activities. That’s what the company itself is claiming in its defense: it doesn’t know how its software is actually used. That’s 60 intelligence, military and law enforcement agencies in 40 countries operating under that see-no-evil-because-we-are-blind oversight from the vendor.

And yet the company defends itself by pointing out that it terminated two contracts over allegations of abuses in the last 12 months. Note the term “allegations”. Not “investigation” or “routine audit”. The contracts were canceled after allegations. Hulio declined to name the countries, but a person familiar with NSO operations told the Post they were Saudi Arabia and Dubai. So NSO defended itself against charges that it was allowing its clients to abuse its software by pointing out that it canceled Saudi Arabia’s and Dubai’s contracts due to human rights concerns. Concerns obviously tied to the assassination of Jamal Khashoggi and all of the public scrutiny NSO received as a result. It’s not exactly proactive oversight:

...
In lengthy responses before publication, NSO called the investigation’s findings exaggerated and baseless. It also said it does not operate the spyware licensed to its clients and “has no insight” into their specific intelligence activities.

After publication, NSO chief executive Shalev Hulio expressed concern in a phone interview with The Post about some of the details he had read in Pegasus Project stories Sunday, while continuing to dispute that the list of more than 50,000 phone numbers had anything to do with NSO or Pegasus.

“The company cares about journalists and activists and civil society in general,” Hulio said. “We understand that in some circumstances our customers might misuse the system and, in some cases like we reported in [NSO’s] Transparency and Responsibility Report, we have shut down systems for customers who have misused the system.”

He said that in the past 12 months NSO had terminated two contracts over allegations of human rights abuses, but he declined to name the countries involved.

“Every allegation about misuse of the system is concerning me,” he said. “It violates the trust that we give customers. We are investigating every allegation.”

NSO describes its customers as 60 intelligence, military and law enforcement agencies in 40 countries, although it will not confirm the identities of any of them, citing client confidentiality obligations. The consortium found many of the phone numbers in at least 10 country clusters, which were subjected to deeper analysis: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates. Citizen Lab also has found evidence that all 10 have been clients of NSO, according to Bill Marczak, a senior research fellow.

...

“This is nasty software — like eloquently nasty,” said Timothy Summers, a former cybersecurity engineer at a U.S. intelligence agency and now director of IT at Arizona State University. With it “one could spy on almost the entire world population. … There’s not anything wrong with building technologies that allows you to collect data; it’s necessary sometimes. But humanity is not in a place where we can have that much power just accessible to anybody.”

In response to detailed questions from the consortium before publication, NSO said in a statement that it did not operate the spyware it licensed to clients and did not have regular access to the data they gather. The company also said its technologies have helped prevent attacks and bombings and broken up rings that trafficked in drugs, sex and children. “Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds,” NSO said. “Your sources have supplied you with information that has no factual basis, as evidenced by the lack of supporting documentation for many of the claims.”

...

Clare, NSO’s attorney, attacked the forensic examinations as “a compilation of speculative and baseless assumptions” built on assumptions based on earlier reports. He also said, “NSO does not have insight into the specific intelligence activities of its customers.”

...

In the past, NSO has blamed its client countries for any alleged abuses. NSO released its first “Transparency and Responsibility Report” last month, arguing that its services are essential to law enforcement and intelligence agencies trying to keep up with the 21st century.

...

NSO also said it conducts rigorous reviews of potential customers’ human rights records before contracting with them and investigates reports of abuses, although it did not cite any specific cases. It asserted that it has discontinued contracts with five clients for documented violations and that the company’s due diligence has cost it $100 million in lost revenue. A person familiar with NSO operations who spoke on the condition of anonymity to discuss internal company matters noted that in the last year alone NSO had terminated contracts with Saudi Arabia and Dubai in the United Arab Emirates over human rights concerns.

...

Mexico was NSO’s first overseas client in 2011, less than a year after the firm was founded in Israel’s Silicon Valley, in northern Tel Aviv.
...

But then there’s NSO Group’s more legitimate excuse for selling this kind of powerful software to governments known for human rights abuses: the Israeli Defense Ministry has to approve every NSO Group export license. Beyond that, NSO Group claims its software cannot be used on US-based phones, raising questions about whether or not the US government was also tacitly giving its approval for these contracts:

...
Pegasus was engineered a decade ago by Israeli ex-cyberspies with government-honed skills. The Israeli Defense Ministry must approve any license to a government that wants to buy it, according to previous NSO statements.

“As a matter of policy, the State of Israel approves the export of cyber products exclusively to governmental entities, for lawful use, and only for the purpose of preventing and investigating crime and counterterrorism, under end-use/end user certificates provided by the acquiring government,” a spokesperson for the Israeli defense establishment said Sunday. “In cases where exported items are used in violation of export licenses or end-use certificates, appropriate measures are taken.”

The numbers of about a dozen Americans working overseas were discovered on the list, in all but one case while using phones registered to foreign cellular networks. The consortium could not perform forensic analysis on most of these phones. NSO has said for years that its product cannot be used to surveil American phones. The consortium did not find evidence of successful spyware penetration on phones with the U.S. country code.

“We also stand by our previous statements that our products, sold to vetted foreign governments, cannot be used to conduct cybersurveillance within the United States, and no customer has ever been granted technology that would enable them to access phones with U.S. numbers,” the company said in its statement. “It is technologically impossible and reaffirms the fact your sources’ claims have no merit.”
...

But the biggest revelation in this story is the nature of the NSO Group exploits being sold with the Pegasus system: “zero-click” exploits that quietly deliver spyware simply by sending a message to the target’s phone. There is no link for the target to avoid clicking, so from the user’s side that is effectively an unstoppable attack. So NSO Group was selling exploits capable of targeting any smartphone in the world (with the possible exception of US phones, if we believe the company’s assurances) to 60 agencies in 40 countries, starting in 2011 with the contract with Mexico. And as this investigation revealed, those exploits were widely used by these governments for far more than just law enforcement and terrorism cases. That is a massive revelation, in part because it means governments around the world have been empowered to secretly hack each other for years now. But this wasn’t exactly a new revelation. We learned back in May 2019 about NSO Group’s exploit that could infect a phone simply by calling it over the WhatsApp calling feature. The exploit worked even when the victim didn’t answer the call. So the existence of ‘zero-click’ exploits isn’t exactly a new revelation, but it sounds like that WhatsApp exploit was far from the only one. They’ve figured out how to do it with SMS text messages or iMessages too. That covers basically every smartphone, whether you have WhatsApp on it or not:

...
Some Pegasus intrusion techniques detailed in a 2016 report were changed in a matter of hours after they were made public, underscoring NSO’s ability to adapt to countermeasures.

Pegasus is engineered to evade defenses on iPhones and Android devices and to leave few traces of its attack. Familiar privacy measures like strong passwords and encryption offer little help against Pegasus, which can attack phones without any warning to users. It can read anything on a device that a user can, while also stealing photos, recordings, location records, communications, passwords, call logs and social media posts. Spyware also can activate cameras and microphones for real-time surveillance.

“There is just nothing from an encryption standpoint to protect against this,” said Claudio Guarnieri, a.k.a. “Nex,” the Amnesty Security Lab’s 33-year-old Italian researcher who developed and performed the digital forensics on 37 smartphones that showed evidence of Pegasus attacks.

That sense of helplessness makes Guarnieri, who often dresses head-to-toe in black, feel as useless as a 14th-century doctor confronting the Black Plague without any useful medication. “Primarily I’m here just to keep the death count,” he said.

The attack can begin in different ways. It can come from a malicious link in an SMS text message or an iMessage. In some cases, a user must click on the link to start the infection. In recent years, spyware companies have developed what they call “zero-click” attacks, which deliver spyware simply by sending a message to a user’s phone that produces no notification. Users do not even need to touch their phones for infections to begin.
...

Unstoppable zero-day attacks and zero oversight. What could possibly go wrong?
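Before moving on, a concrete illustration of what the “forensics” in the Post’s report amount to at their simplest. Security Lab’s findings are phrased as “Pegasus links” detected in messages and attacks dated “from March 2019 to as late as May of this year”; that is what falls out of matching a device’s extracted artifacts (message bodies, process names) against a published indicator list and reading the timestamps of the hits. The block below is an added example written for this page, not Amnesty’s tooling and not code from the original article. The STIX-style indicator bundle, the reserved `.example` domains, the process name `hyp_svc` and the device records are all constructed placeholders, not real Pegasus indicators.

```python
"""Indicator-of-compromise scan over device artifacts (constructed example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set
from urllib.parse import urlsplit

# STIX 2.1-style indicator bundle. Every value here is a HYPOTHETICAL
# placeholder (reserved .example domains, made-up process name), not a real
# Pegasus indicator.
INDICATOR_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "indicator", "name": "hypothetical delivery domain",
         "pattern": "[domain-name:value = 'cdn-update-center.example']"},
        {"type": "indicator", "name": "hypothetical delivery domain",
         "pattern": "[domain-name:value = 'news-sync.example']"},
        {"type": "indicator", "name": "hypothetical implant process",
         "pattern": "[process:name = 'hyp_svc']"},
    ],
}

# Constructed device records standing in for what a backup or log extraction
# would yield: message bodies and process names, each with a UTC timestamp.
DEVICE_RECORDS = [
    {"source": "sms", "ts": "2019-03-14T09:12:00Z",
     "text": "Your package is ready: https://track.cdn-update-center.example/s/8f2"},
    {"source": "imessage", "ts": "2019-11-02T22:40:11Z",
     "text": "see https://www.news-sync.example/article?id=44"},
    {"source": "imessage", "ts": "2020-06-30T08:03:45Z",
     "text": "dinner at 8? https://maps.example.org/loc/1"},
    {"source": "process", "ts": "2021-05-21T03:15:09Z", "process": "hyp_svc"},
    {"source": "process", "ts": "2021-05-21T03:15:10Z", "process": "backboardd"},
]

# Single-comparison STIX pattern of the form [type:field = 'value']
_STIX_PATTERN = re.compile(
    r"\[(?P<otype>[\w-]+):(?P<field>[\w.]+)\s*=\s*'(?P<value>[^']*)'\]")
_URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    ts: datetime
    source: str
    kind: str       # "domain" or "process"
    observed: str   # value seen on the device
    indicator: str  # indicator it matched


def load_indicators(bundle: dict) -> Dict[str, Set[str]]:
    """Parse the bundle's STIX patterns into {object type: set of values}."""
    out: Dict[str, Set[str]] = {"domain-name": set(), "process": set()}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = _STIX_PATTERN.fullmatch(obj["pattern"].strip())
        if m and m.group("otype") in out:
            out[m.group("otype")].add(m.group("value").lower())
    return out


def _hosts(text: str) -> Iterable[str]:
    """Yield lower-cased hostnames of every URL found in a message body."""
    for url in _URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        if host:
            yield host


def _domain_match(host: str, indicators: Set[str]) -> str:
    """Return the indicator that host equals or is a subdomain of, else ''."""
    for ind in indicators:
        if host == ind or host.endswith("." + ind):
            return ind
    return ""


def scan(records: Iterable[dict], indicators: Dict[str, Set[str]]) -> List[Hit]:
    """Match each record against the indicators; return hits in time order."""
    hits: List[Hit] = []
    for rec in records:
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if "text" in rec:
            for host in _hosts(rec["text"]):
                ind = _domain_match(host, indicators["domain-name"])
                if ind:
                    hits.append(Hit(ts, rec["source"], "domain", host, ind))
        if "process" in rec and rec["process"].lower() in indicators["process"]:
            hits.append(Hit(ts, rec["source"], "process", rec["process"], rec["process"].lower()))
    return sorted(hits, key=lambda h: h.ts)


def summarize(hits: List[Hit]) -> dict:
    """Count the hits and bound them in time, the way such findings are reported."""
    if not hits:
        return {"count": 0, "first": None, "last": None}
    return {"count": len(hits),
            "first": hits[0].ts.date().isoformat(),
            "last": hits[-1].ts.date().isoformat()}


if __name__ == "__main__":
    found = scan(DEVICE_RECORDS, load_indicators(INDICATOR_BUNDLE))
    for h in found:
        print(f"{h.ts:%Y-%m-%d %H:%M}  {h.source:<8} {h.kind:<7} {h.observed} -> {h.indicator}")
    print(summarize(found))
```

Two caveats a practitioner should carry over from the article itself. A match is only as good as the indicator list, and the Post notes that techniques detailed in a 2016 report were changed within hours of publication, so a stale list produces silence rather than a clean bill of health; a scan with no hits proves nothing. And a hit on a domain in an incoming message shows the phone was sent a link, which is targeting; establishing that the device was actually penetrated needs corroborating artifacts (process execution records, crash logs, network traces) rather than one indicator on its own.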

Forget All Those NSO Group and Candiru Stories: The US and Western Allies Accuse China of the Microsoft Exchange Hack

So how are governments responding to this string of devastating reports? First Candiru’s zero-day malware gets exposed being used against activists around the world. Then NSO Group is revealed to be the cyber equivalent of a nuclear mercenary. And a diplomatic tool. It was a rough week of reporting on the “commercial surveillance” cyber industry. A lot of tough questions were raised. And we got our answer one day after the Washington Post’s report: the US and Western allies were finally formally accusing China of being behind the Microsoft Exchange hack first disclosed back in March. It was great timing.

And as we’ll see in the next article excerpt about the public accusations by the US and its allies against China’s Ministry of State Security (MSS), China isn’t just accused of tolerating smash-and-grab raids. The MSS-backed hacker groups are also accused of running ransomware attacks for their own personal profit. So the hacker groups accused of carrying out the Microsoft Exchange hack and other hacks attributed to China are also groups engaging in the kind of cyber-extortion and ransomware schemes for their own profit that are traditionally associated with ordinary cybercriminals. That’s the evolving narrative in the face of evidence that the Microsoft Exchange hack was really many hacks involving multiple criminal groups on a rampant spree, groups that also run cyber-extortion schemes: they were Chinese state-backed hackers who also run private extortion hacks on their own, because China’s government has decided to give zero-day exploits to groups that take those zero-day exploits and go on a global hacking spree. The Chinese government endorsed or at least tolerated that dramatic escalation. No longer espionage but global smash-and-grab sprees. That’s the new narrative, one that’s evolving in the face of the evidence that the people carrying out these mega-hacks are acting like traditional criminal hackers and not state-backed espionage-focused groups.

Recall how the known timeline of the Exchange hack is that it started on January 3 (Volexity’s first detected use of the zero-day exploit by “Hafnium”). It was January 6, during the Capitol insurrection, when Volexity first observed a large download to an unauthorized address. Hafnium quietly hit organizations until Microsoft issued a patch on March 2. At that point, multiple groups went on a global race to hit every unpatched server connected to the internet. So given that timeline, it’s likely that the groups that went on the race following the patch are the ones with a criminal for-profit track record. And we are to assume “Hafnium”, a state-backed Chinese hacker group, handed this zero-day exploit over to these groups and gave its blessing to the global smash-and-grab. Which, if true, really would be a dramatic escalation in hacks from China. It’s the “if true” part that’s the catch. Notice how no one even bothers to provide a pretense of evidence for any of these claims.

Amusingly, the governments making these accusations against China hadn’t quite gotten their stories straight. Because as we just saw, much of the ostensible alarm over these accusations is that they signify a shift from quiet espionage to in-your-face smash-and-grab raids by Chinese state-backed hackers. And yet as we’ll see, U.K. Foreign Secretary Dominic Raab described the attack as “a reckless but familiar pattern of behaviour” by Chinese state-backed groups. So which is it? New reckless behavior? Or familiar reckless behavior? That part of the narrative has yet to be decided. But this was what major Western governments were talking about a day after that NSO Group report: China:

Associated Press

Microsoft Exchange hack caused by China, US and allies say

By ERIC TUCKER
July 19, 2021

WASHINGTON (AP) — The Biden administration and Western allies formally blamed China on Monday for a massive hack of Microsoft Exchange email server software and asserted that criminal hackers associated with the Chinese government have carried out ransomware and other illicit cyber operations.

The announcements, though not accompanied by sanctions against the Chinese government, were intended as a forceful condemnation of activities a senior Biden administration official described as part of a “pattern of irresponsible behavior in cyberspace.” They highlighted the ongoing threat from Chinese hackers even as the administration remains consumed with trying to curb ransomware attacks from Russia-based syndicates that have targeted critical infrastructure.

The broad range of cyberthreats from Beijing disclosed on Monday included a ransomware attack from government-affiliated hackers that targeted victims — including in the U.S. — with demands for millions of dollars. U.S. officials also alleged that criminal contract hackers associated with China’s Ministry of State Security have engaged in cyber extortion schemes and theft for their own profit.

Meanwhile, the Justice Department on Monday announced charges against four Chinese nationals who prosecutors said were working with the MSS in a hacking campaign that targeted dozens of computer systems, including companies, universities and government entities. The defendants are accused of targeting trade secrets and confidential business information, including scientific technologies and infectious-disease research.

Unlike in April, when public finger-pointing of Russian hacking was paired with a raft of sanctions against Moscow, the Biden administration did not announce any actions against Beijing. Nonetheless, a senior administration official who briefed reporters said that the U.S. has confronted senior Chinese officials and that the White House regards the multination shaming as sending an important message, even if no single action can change behavior.

President Joe Biden told reporters “the investigation’s not finished,” and White House press secretary Jen Psaki did not rule out future consequences for China, saying, “This is not the conclusion of our efforts as it relates to cyber activities with China or Russia.”

Even without fresh sanctions, Monday’s actions are likely to exacerbate tensions with China at a delicate time. Just last week, the U.S. issued separate stark warnings against transactions with entities that operate in China’s western Xinjiang region, where China is accused of repressing Uyghur Muslims and other minorities.

...

The European Union and Britain were among the allies who called out China. The EU said malicious cyber activities with “significant effects” that targeted government institutions, political organizations and key industries in the bloc’s 27 member states could be linked to Chinese hacking groups. The U.K.’s National Cyber Security Centre said the groups targeted maritime industries and naval defense contractors in the U.S. and Europe and the Finnish parliament.

In a statement, EU foreign policy chief Josep Borrell said the hacking was “conducted from the territory of China for the purpose of intellectual property theft and espionage.”

The Microsoft Exchange cyberattack “by Chinese state-backed groups was a reckless but familiar pattern of behaviour,” U.K. Foreign Secretary Dominic Raab said.

NATO, in its first public condemnation of China for hacking activities, called on Beijing to uphold its international commitments and obligations “and to act responsibly in the international system, including in cyberspace.” The alliance said it was determined to “actively deter, defend against and counter the full spectrum of cyber threats.”

That hackers affiliated with the Ministry of State Security were engaged in ransomware was surprising and concerning to the U.S. government, the senior administration official said. But the attack, in which an unidentified American company received a high-dollar ransom demand, also gave U.S. officials new insight into what the official said was “the kind of aggressive behavior that we’re seeing coming out of China.”

A spokesperson for the Chinese Embassy in Washington, Liu Pengyu, said in a statement that the “U.S. has repeatedly made groundless attacks and malicious smear against China on cybersecurity. Now this is just another old trick, with nothing new in it.” The statement called China “a severe victim of the US cyber theft, eavesdropping and surveillance.”

The majority of the most damaging and high-profile recent ransomware attacks have involved Russian criminal gangs. Though the U.S. has sometimes seen connections between Russian intelligence agencies and individual hackers, the use of criminal contract hackers by the Chinese government “to conduct unsanctioned cyber operations globally is distinct,” the official said.

Dmitri Alperovitch, the former chief technology officer of the cybersecurity firm Crowdstrike, said the announcement makes clear that MSS contractors who for years have worked for the government and conducted operations on its behalf have over time decided — either with the approval or the “blind eye of their bosses” — to “start moonlighting and engaging in other activities that could put money in their pockets.”

The Microsoft Exchange hack that months ago com­pro­mised tens of thou­sands of com­put­ers around the world was swift­ly attrib­uted to Chi­nese cyber spies by Microsoft.

An admin­is­tra­tion offi­cial said the government’s attri­bu­tion to hack­ers affil­i­at­ed with the Min­istry of State Secu­ri­ty took until now in part because of the dis­cov­ery of the ran­somware and for-prof­it hack­ing oper­a­tions and because the admin­is­tra­tion want­ed to pair the announce­ment with guid­ance for busi­ness­es about tac­tics that the Chi­nese have been using.

Giv­en the scope of the attack, Alper­ovitch said it was “puz­zling” that the U.S. did not impose sanc­tions.

“They cer­tain­ly deserve it, and at this point, it’s becom­ing a glar­ing stand­out that we have not,” he said.

He added, in a ref­er­ence to a large Russ­ian cyberes­pi­onage oper­a­tion dis­cov­ered late last year, “There’s no ques­tion that the Exchange hacks have been more reck­less, more dan­ger­ous and more dis­rup­tive than any­thing the Rus­sians have done in Solar­Winds.

———-

“Microsoft Exchange hack caused by China, US and allies say” by ERIC TUCKER; Associated Press; 07/19/2021

“The broad range of cyberthreats from Beijing disclosed on Monday included a ransomware attack from government-affiliated hackers that targeted victims — including in the U.S. — with demands for millions of dollars. U.S. officials also alleged that criminal contract hackers associated with China’s Ministry of State Security have engaged in cyber extortion schemes and theft for their own profit.”

Criminal contract hackers. That’s who China’s Ministry of State Security is apparently hiring to carry out these mega hacks. That’s the accusation coming from the US and allies. What evidence this assertion is based on is of course never given, but the parallel charges against four Chinese nationals accused of working with the MSS in a hacking campaign are presumably supposed to serve as a kind of proxy evidence:

...
Meanwhile, the Justice Department on Monday announced charges against four Chinese nationals who prosecutors said were working with the MSS in a hacking campaign that targeted dozens of computer systems, including companies, universities and government entities. The defendants are accused of targeting trade secrets and confidential business information, including scientific technologies and infectious-disease research.
...

But, again, observe how inconsistent the accusations are. The EU is referring to hacks that could be linked to Chinese hacking groups while the UK’s Foreign Secretary calls it “a reckless but familiar pattern of behaviour”. And look at the US’s explanation for why it took this long to make the attribution when Microsoft seemingly did it immediately: the discovery of ransomware and for-profit schemes by these same hackers delayed the attribution. In other words, Microsoft’s evidence-free initial assertion that the hack was the responsibility of the Chinese (and definitely completely unrelated to the SolarWinds hack!) got complicated after it was observed that the hackers were behaving like normal criminals and engaging in ransomware for-profit schemes. So they had to create a new narrative about how the Chinese government is now using contract criminal hackers to carry out their mega-hacks. Because why carry out a mega-hack on your own when you can share it with the criminal underworld:

...
Even without fresh sanctions, Monday’s actions are likely to exacerbate tensions with China at a delicate time. Just last week, the U.S. issued separate stark warnings against transactions with entities that operate in China’s western Xinjiang region, where China is accused of repressing Uyghur Muslims and other minorities.

...

The European Union and Britain were among the allies who called out China. The EU said malicious cyber activities with “significant effects” that targeted government institutions, political organizations and key industries in the bloc’s 27 member states could be linked to Chinese hacking groups. The U.K.’s National Cyber Security Centre said the groups targeted maritime industries and naval defense contractors in the U.S. and Europe and the Finnish parliament.

In a statement, EU foreign policy chief Josep Borrell said the hacking was “conducted from the territory of China for the purpose of intellectual property theft and espionage.”

The Microsoft Exchange cyberattack “by Chinese state-backed groups was a reckless but familiar pattern of behaviour,” U.K. Foreign Secretary Dominic Raab said.

NATO, in its first public condemnation of China for hacking activities, called on Beijing to uphold its international commitments and obligations “and to act responsibly in the international system, including in cyberspace.” The alliance said it was determined to “actively deter, defend against and counter the full spectrum of cyber threats.”

That hackers affiliated with the Ministry of State Security were engaged in ransomware was surprising and concerning to the U.S. government, the senior administration official said. But the attack, in which an unidentified American company received a high-dollar ransom demand, also gave U.S. officials new insight into what the official said was “the kind of aggressive behavior that we’re seeing coming out of China.”

...

The majority of the most damaging and high-profile recent ransomware attacks have involved Russian criminal gangs. Though the U.S. has sometimes seen connections between Russian intelligence agencies and individual hackers, the use of criminal contract hackers by the Chinese government “to conduct unsanctioned cyber operations globally is distinct,” the official said.

...

The Microsoft Exchange hack that months ago compromised tens of thousands of computers around the world was swiftly attributed to Chinese cyber spies by Microsoft.

An administration official said the government’s attribution to hackers affiliated with the Ministry of State Security took until now in part because of the discovery of the ransomware and for-profit hacking operations and because the administration wanted to pair the announcement with guidance for businesses about tactics that the Chinese have been using.
...

Also keep in mind that the criminal hacker groups didn’t appear in the Exchange hack until March 2 according to our known timeline, the day Microsoft also issued its report that blamed the hack on state-sponsored “Hafnium”. So the criminal-like behavior of the groups with access to this exploit wasn’t necessarily apparent when Microsoft made its initial “Hafnium” attribution.

But note the one consistent actor here: Dmitri Alperovitch — co-founder of CrowdStrike and the guy who pioneered the modern approach of making loud evidence-free hacking accusations against countries as a means of preventing future attacks — is giving us exactly the response we should expect by asking why these accusations haven’t led to new sanctions against China:

...
Dmitri Alperovitch, the former chief technology officer of the cybersecurity firm Crowdstrike, said the announcement makes clear that MSS contractors who for years have worked for the government and conducted operations on its behalf have over time decided — either with the approval or the “blind eye of their bosses” — to “start moonlighting and engaging in other activities that could put money in their pockets.”

Given the scope of the attack, Alperovitch said it was “puzzling” that the U.S. did not impose sanctions.

“They certainly deserve it, and at this point, it’s becoming a glaring standout that we have not,” he said.

He added, in a reference to a large Russian cyberespionage operation discovered late last year, “There’s no question that the Exchange hacks have been more reckless, more dangerous and more disruptive than anything the Russians have done in SolarWinds.”
...

Also note that Alperovitch is now the former CTO of Crowdstrike, having left the company in 2020 to start a non-profit “policy accelerator” focused on cybersecurity in a geopolitical context. In other words, Alperovitch started a think-tank and lobby shop dedicated to pushing for the kind of hacking-based sanctions against Russia and China he’s long advocated for anyway.

The BBC has a bit more on the story that gives us a better idea of how the Western governments are theorizing China decided to carry out this global mega-hack using common cyber-criminals as co-conspirators: Hafnium knew Microsoft planned to deal with the weakness and so shared it with other China-based hackers. In other words, the Chinese state-backed hackers realized the jig was up and handed the zero-day exploit (which was no longer a zero-day) to criminals for some strategic reason.

Again, recall the known timeline of the Exchange hack: it started on January 3 (Volexity’s first detected use of the zero-day exploit by “Hafnium”). It was January 6, during the Capitol Insurrection, when Volexity first observed a large download to an unauthorized address. Hafnium quietly hit organizations until Microsoft issued a patch on March 2, the same day it blamed the hack on Hafnium, a state-backed Chinese hacker group. That’s the day we are told multiple criminal groups went on a global race to hit every unpatched server connected to the internet.

So what would be the motive for Hafnium to hand that zero-day exploit over to criminal groups and escalate the hack to the level of worst ever? Maximize damage? Cover their tracks? It’s unclear what the theorized rationale would be. Microsoft blamed the hack on “Hafnium” and called them a Chinese state-backed group during the initial security blog post that announced the Exchange patch to fix the exploit, which is when the criminal ransacking reportedly started. So it’s not like there was obvious track covering by Hafnium to be done at that point. But that’s what we’re told by these Western government sources: after getting caught with their quiet target hack, these state-backed hackers made a conscious decision to hand the super exploit over to criminals and tolerate a global ransacking:

BBC News

China says Microsoft hacking accusations fabricated by US and allies

Published 7/20/2021

China has denied allegations that it carried out a major cyber-attack against tech giant Microsoft.

The US and other Western countries on Monday accused China of hacking Microsoft Exchange — a popular email platform used by companies worldwide.

They said it was part of a broader pattern of “reckless” behaviour that threatened global security.

China says it opposes all forms of cyber-crime, and has called the claims “fabricated”.

China’s foreign ministry spokesman said the US had got its allies to make “unreasonable criticisms” against China.

The UK, EU, New Zealand, Australia and others joined the US to accuse Chinese state-sponsored hackers.

...

Microsoft blamed a Chinese cyber-espionage group for targeting a weakness in Microsoft Exchange, which allowed hackers to get into email inboxes.

It said the group, known as Hafnium, was state-sponsored and based in China.

Western security sources believe Hafnium knew Microsoft had planned to deal with the weakness, and so shared it with other China-based hackers.

The sources say the hack seems to signal a shift from a targeted espionage campaign to a smash-and-grab raid, leading to concerns that Chinese cyber-behaviour is escalating.

The UK Foreign Office said the Chinese government had “ignored repeated calls to end its reckless campaign, instead allowing state-backed actors to increase the scale of their attacks”.

US President Joe Biden said the Chinese government may not have been carrying out the attacks itself, but was “protecting those who are doing it. And maybe even accommodating them being able to do it”.

...

———–
“China says Microsoft hacking accusations fabricated by US and allies”; BBC News; 7/20/2021

“Western security sources believe Hafnium knew Microsoft had planned to deal with the weakness, and so shared it with other China-based hackers.”

It’s quite a scenario described by the Western security sources for this article: Hafnium found out Microsoft planned on closing some vulnerabilities, prompting Hafnium to share the vulnerability with other China-based hackers. Recall how, as we saw above, Volexity witnessed what was a quiet infiltration of some systems — using the zero-day exploits — on January 6 during the Capitol insurrection. It was in the following days that the hack became much more widespread and open and aggressive. So we are probably being asked to assume that the second noisy phase of the hack was after Hafnium gave their incredible zero-day exploit to other criminal hackers around China. And this was all quietly sanctioned by the Chinese government. That’s the narrative we are being asked to believe, this time with Western governments making the assertions, not Microsoft. And as always, we have no idea what evidence this belief is based on. The one thing we can state with confidence is that a large number of the actors who used this exploit during that global ransacking phase appear to be criminal.

But if we take the state-backed criminal-super-hack narrative seriously, we have to treat this as a major escalation by the Chinese government. Which it very much would be if true. An insane escalation that could enrage the global business community. Not just governments:

...
The sources say the hack seems to signal a shift from a targeted espionage campaign to a smash-and-grab raid, leading to concerns that Chinese cyber-behaviour is escalating.
...

But, again, keep in mind that this entire discussion about Hafnium and criminal hacking groups was due to the US and its allies issuing a big coordinated public rebuke of China’s involvement in the Exchange hack one day after the pair of NSO Group mega-scandal stories. Stories that raised enormous questions about the hacking attributions of the last decade, at a minimum.

Macron to the World: New Phone, Who Dis?

And a few days after that coordinated public rebuke of China over “Hafnium”, we get an update on the fallout from the NSO Group story: Emmanuel Macron changed his phone. As a precaution. His number was on Morocco’s target list. Awkward!

We also get an update from NSO Group on how its oversight system works: while it doesn’t know the identities of the people targeted by Pegasus, the company can retroactively acquire the target lists in the event of a complaint and unilaterally shut down the offending government’s subscription following an investigation. In other words, NSO Group could in theory do retrospective audits. But won’t unless there’s a complaint. A complaint about the super secret spyware you can’t find and don’t know about:

Reuters

France’s Macron changes phone in light of Pegasus case

Michel Rose and Dan Williams
July 22, 2021 3:25 PM CDT Updated

PARIS, July 22 (Reuters) — French President Emmanuel Macron has changed his mobile phone and phone number in light of the Pegasus spyware case, a presidency official said on Thursday, in one of the first concrete actions announced in relation to the scandal.

“He’s got several phone numbers. This does not mean he has been spied on. It’s just additional security,” the official told Reuters. Government spokesman Gabriel Attal said the president’s security protocols were being adapted in light of the incident.

A global outcry was triggered when several international media organisations reported that the Pegasus spyware was used in hacking smartphones belonging to journalists, human rights activists and government officials in several countries.

In Israel, home of Pegasus developer NSO Group, a senior lawmaker said a parliamentary panel may look into spyware export restrictions. NSO says its software is used to fight crime and terrorism and has denied any wrongdoing.

“Obviously we’re taking (this) very seriously,” Attal told reporters hours after an emergency cabinet meeting focused on the Pegasus allegations.

Le Monde newspaper and Radio France broadcaster reported on Tuesday that Macron’s phone was on a list of potential targets for surveillance by Morocco. The two media said that they did not have access to Macron’s phone and could not verify if his phone had indeed been spied on.

Morocco has rejected these allegations.

A French lawyer for Morocco, Olivier Baratelli, said the government planned to lodge defamation lawsuits in Paris against nongovernmental organisations Amnesty International and Forbidden Stories, according to French news outlet franceinfo on Thursday. The two groups participated in the Pegasus probe and alleged Morocco had targeted French officials for surveillance with the spyware.

Amid mounting EU concern, German Chancellor Angela Merkel told reporters in Berlin that spyware should be denied to countries where there is no judicial oversight.

Hungarian prosecutors on Thursday launched an investigation into multiple complaints received in the wake of the reports.

Israel has appointed an inter-ministerial team to assess reports based on an investigation by 17 media organisations that said Pegasus had been used in attempted or successful hacks of smartphones using malware that enables the extraction of messages, records calls and secretly activates microphones.

...

“We certainly have to look anew at this whole subject of licences granted by DECA,” Ram Ben-Barak, head of the Knesset Foreign Affairs and Defence Committee, told Israel’s Army Radio, referring to the government-run Defence Export Controls Agency.

The Israeli government team “will conduct its checks, and we will be sure to look into the findings and see if we need to fix things here”, said Ben-Barak. A former deputy chief of Mossad, he said proper use of Pegasus had “helped a great many people”.

DECA is within Israel’s Defence Ministry and oversees NSO exports. Both the ministry and the firm have said that Pegasus is meant to be used to track only terrorists or criminals, and that all foreign clients are vetted governments.

NSO says it does not know the specific identities of people against whom clients use Pegasus. If it receives a complaint of Pegasus having been misused by a client, NSO can retroactively acquire the target lists and, should the complaint prove true, unilaterally shut down that client’s software, the company says.

Other world leaders among those whose phone numbers the news organisations said were on a list of possible targets include Pakistani Prime Minister Imran Khan and Morocco’s King Mohammed VI.

———-

“France’s Macron changes phone in light of Pegasus case” by Michel Rose and Dan Williams; Reuters; 07/22/2021

“NSO says it does not know the specific identities of people against whom clients use Pegasus. If it receives a complaint of Pegasus having been misused by a client, NSO can retroactively acquire the target lists and, should the complaint prove true, unilaterally shut down that client’s software, the company says.”

NSO Group can retroactively acquire the target lists to investigate complaints. It’s the kind of description that sounds like NSO Group would need to go to the clients to retrieve the list of target phone numbers or emails. That’s the kind of oversight regime that raises questions about whether or not these clients have the capability to scrub those target lists before returning them to NSO Group. It’s also the kind of oversight regime that raises questions about how any sort of oversight could ever happen outside of instances when there’s a news report about NSO Group malware being discovered and a ‘retrospective investigation’ is conducted. Either an insider needs to leak about it or victims need to discover the malware. Those are the only viable scenarios that could realistically trigger an investigation, and this is super-secret malware that operated without being detected for years. Almost nothing other than the investigative reporting done by Amnesty International and Forbidden Stories could realistically cause a client to have their subscription revoked.

And as we saw in the case of Saudi Arabia and the fallout from the Jamal Khashoggi assassination, the fallout — in the form of NSO Group canceling Saudi Arabia’s subscription, a move opposed by the Israeli government — was ultimately reversed after NSO Group was suddenly sold to new investors. That’s part of the context of Israel’s assurances that it will look anew at the licenses granted for these subscriptions. It can’t look anew. It would be a diplomatic nightmare for Israel. And perhaps not something Israel can reasonably unilaterally decide on its own. If what we are looking at here is a broader Western-sanctioned global system for distributing limited super-hacker capabilities, the fate of NSO Group and the entire Israeli “commercial surveillance” sector suddenly becomes a much more multilateral affair:

...
“We certainly have to look anew at this whole subject of licences granted by DECA,” Ram Ben-Barak, head of the Knesset Foreign Affairs and Defence Committee, told Israel’s Army Radio, referring to the government-run Defence Export Controls Agency.

The Israeli government team “will conduct its checks, and we will be sure to look into the findings and see if we need to fix things here”, said Ben-Barak. A former deputy chief of Mossad, he said proper use of Pegasus had “helped a great many people”.

DECA is within Israel’s Defence Ministry and oversees NSO exports. Both the ministry and the firm have said that Pegasus is meant to be used to track only terrorists or criminals, and that all foreign clients are vetted governments.
...

Will the Israeli government conduct a meaningful audit of its cyber mercenary export sector? The story of the NSO Group and Jamal Khashoggi’s murder suggests otherwise.

NSO Group and Candiru: Joined at the Founding Financial Hip

We’re now at the end of our article marathon. This one isn’t from December 2020-July 2021. It’s from October 2019. So it wasn’t by any means old news as all of this has been playing out. One mega-hack story after another. One Microsoft exploit after another. As the world turned to Microsoft to lead the investigation into this parade of Microsoft vulnerabilities (some might consider that a conflict of interest), the following story from October 2019 was systematically ignored: an introduction to Candiru, its powerful suite of Microsoft exploits, and the fact that its founders overlap with the NSO Group’s founders.

Yep, in the following Forbes piece we learn how Candiru has clients like Uzbekistan, Saudi Arabia, and the UAE. The main Candiru financial backer was Founders Group, which was co-founded by one of the three men who set up NSO Group, Omri Lavie. Additionally, one of the lead investors is Founders Group managing partner Isaac Zack. We’re also told that the industry is increasingly close to its financial backers because, well, it’s become so controversial there aren’t that many financial backers available. A hyper-secretive incestuous industry increasingly beholden to the shrinking number of people willing to go into something this explosively powerful:

Forbes

Meet Can­diru — The Mys­te­ri­ous Mer­ce­nar­ies Hack­ing Apple And Microsoft PCs For Prof­it

Thomas Brew­ster Forbes Staff
Cyber­se­cu­ri­ty
Asso­ciate edi­tor at Forbes, cov­er­ing cyber­crime, pri­va­cy, secu­ri­ty and sur­veil­lance.
Oct 3, 2019,06:06am EDT

Israel is home to scores of hack­er-for-hire busi­ness­es, but one of the most clan­des­tine has been Can­diru. With no web­site and few records avail­able, it’s oper­at­ed large­ly under the radar.

But now a researcher is claim­ing the elite Tel Aviv-based firm sold cyber weapons to the gov­ern­ment of Uzbek­istan, while indus­try sources tell Forbes the com­pa­ny is hack­ing both Microsoft Win­dows and Apple Macs for var­i­ous nation states.

In doing so it calls into ques­tion the company’s ethics for part­ner­ing with a gov­ern­ment brand­ed as an abuser of sur­veil­lance tools, just like the morals of its com­pa­tri­ot dig­i­tal arms deal­ers have come under scruti­ny over the last half decade.

Smash­ing Win­dows

Candiru’s spe­cial­i­ty, hack­ing Microsoft Win­dows for nation-state intel­li­gence agen­cies, is one key rev­enue stream. And one of those Can­diru cus­tomers is almost cer­tain­ly Uzbek­istan, accord­ing to Bri­an Bartholomew, a researcher at Russ­ian cyber­se­cu­ri­ty com­pa­ny Kasper­sky Lab. He claimed that a lapse in an Uzbek­istan intel­li­gence agency’s oper­a­tional secu­ri­ty allowed him to link mul­ti­ple Win­dows vul­ner­a­bil­i­ties used in Uzbek attacks back to Can­diru and two oth­er cus­tomers: Sau­di Ara­bia and the U.A.E.

Bartholomew detailed just how Uzbek­istan was slop­py to Forbes ahead of the pub­lic release of his research at London’s Virus Bul­letin con­fer­ence on Thurs­day, though he couldn’t pro­vide clear links between the leaked tools and the Israeli com­pa­ny.

Per­haps Uzbek­istan’s biggest mis­take was to set up a test com­put­er, exposed on the inter­net, that test­ed its hack­ing tools against var­i­ous antivirus sys­tems like Kasper­sky. Bartholomew’s team found that com­put­er online and not­ed that it reg­u­lar­ly con­nect­ed to a sin­gle Web address. And here’s where the Uzbek­istan gov­ern­ment exposed itself: Not only was that address reg­is­tered in Uzbek­istan, but the reg­is­trant was the appar­ent leader of “Mil­i­tary Unit 02616.” Though there was lit­tle infor­ma­tion on that divi­sion, Bart­hole­mew soon dis­cov­ered it was part of Uzbekistan’s sur­veil­lance agency, the Nation­al Secu­ri­ty Ser­vice (NSS).

Accord­ing to Bartholomew, the NSS is essen­tial­ly the suc­ces­sor to the Sovi­et KGB con­tin­gent, which trans­ferred pow­er in the ear­ly 1990s. “They have loads of pow­er. They can pret­ty much do what they want,” Bart­hole­mew said. The NSS also has a his­to­ry of buy­ing mal­ware from for­eign deal­ers, as revealed in the leaked 2015 emails of Ital­ian provider Hack­ing Team. Host­ed on Wik­ileaks, the emails con­tain fre­quent mes­sages about deals between Hack­ing Team and the unit; Bartholomew believes Uzbek­istan spent near­ly $1 mil­lion on the Ital­ian company’s ser­vices, look­ing at all the invoic­es in the leak.

But because the agency exposed its Win­dows exploits on the web, Kasper­sky researchers were able to link them to oth­er mali­cious soft­ware Bartholomew says were cre­at­ed by Can­diru, name­ly those that appeared to be con­trolled by Sau­di Ara­bia and the U.A.E. “Slop­py cus­tomers are bad cus­tomers,” the researcher said.

Human rights experts have now raised the alarm about Candiru’s cus­tomer base and the poten­tial for abuse. Bartholomew and anoth­er source with knowl­edge of the attacks said he dis­cov­ered Can­diru sur­veil­lance soft­ware was used in pre­vi­ous­ly report­ed hacks on Uzbek human rights activists and inde­pen­dent media.

“Each of these gov­ern­ments is a ser­i­al spy­ware abuser, and it is painful­ly pre­dictable that civ­il soci­ety got tar­get­ed again,” said John Scott-Rail­ton, a sur­veil­lance mar­ket researcher at the Uni­ver­si­ty of Toronto’s Cit­i­zen Lab. “For an indus­try that is try­ing to tell investors and reg­u­la­tors that it is work­ing to clean up its act, pro­vid­ing spy­ware to these auto­crat­ic regimes is a guar­an­teed way to get it abused.”

Rain­ing down on Macs

Can­diru spe­cial­izes in hack­ing Win­dows, but it’s also work­ing on tools to crack Apple’s MacOS oper­at­ing sys­tem, accord­ing to Tal Dil­ian, who claims to have part­nered with Can­diru as part of his work with his own sur­veil­lance start­up, Intellex­er. Though not sure, he also said Can­diru may also have a focus on iOS too.

Scott-Rail­ton said he was also con­vinced that Can­diru was devel­op­ing exploits for both Apple and Microsoft tech­nol­o­gy.

Israel’s dig­i­tal mer­ce­nar­ies unite

Out­side of Candiru’s appar­ent rela­tion­ship with Dilian’s spy­ware enterprises—WiSpear and Intellexa—it has at least one tie to the most con­tro­ver­sial of Israel’s sur­veil­lance providers: NSO Group. That’s because two indus­try sources said the main Can­diru finan­cial backer was Founders Group, cofound­ed by one of the three men who set up NSO, Omri Lavie.

As surveillance industry sources also told Forbes, one of the lead investors is Founders Group managing partner Isaac Zack. According to Pitchbook, Zack is also a board member at wireless charging startup Humavox and at Sepio Systems. The latter is a cybersecurity company, focused on doing the exact opposite of Candiru: protecting hardware from being turned into silent surveillance devices. Its board also includes Tamir Pardo, the former head of the Mossad, Israel’s intelligence agency.

Com­pa­nies like Can­diru are being forced to go to investors with whom they’re already on friend­ly terms because of an increas­ing antipa­thy towards the indus­try from typ­i­cal ven­ture cap­i­tal firms. “YL Ven­tures has not and will not invest in offen­sive cyber tech­nol­o­gy ven­dors,” said Yoav Leit­ers­dorf, man­ag­ing part­ner at YL Ven­tures. “The pri­ma­ry rea­son for this is eth­i­cal, since often­times the cus­tomers of these ven­dors end up using the tech­nol­o­gy in a way that vio­lates human rights, with or with­out the ven­dors’ knowl­edge. Such usage goes direct­ly against our val­ues and the val­ues of our lim­it­ed part­ners.”

Israeli firms have found them­selves at the cen­ter of an inter­na­tion­al con­tro­ver­sy over the sale of spy­ware to repres­sive gov­ern­ments. Can­diru has avoid­ed the spot­light up until now, but its rival NSO Group has become embroiled in sev­er­al con­tro­ver­sies. In Mex­i­co, the use of alleged NSO mal­ware Pega­sus by the gov­ern­ment to mon­i­tor jour­nal­ists, activists and lawyers work­ing on the 2014 killing of 43 stu­dents caused a major polit­i­cal scan­dal. And in Jan­u­ary, NSO chief Shalev Hulio had to state on the record that his firm had not worked with the Sau­di gov­ern­ment to mon­i­tor jour­nal­ist Jamal Khashog­gi in the months before his mur­der by Sau­di agents.

...

————

“Meet Can­diru — The Mys­te­ri­ous Mer­ce­nar­ies Hack­ing Apple And Microsoft PCs For Prof­it” by Thomas Brew­ster; Forbes; 10/03/2019

“Candiru’s spe­cial­i­ty, hack­ing Microsoft Win­dows for nation-state intel­li­gence agen­cies, is one key rev­enue stream. And one of those Can­diru cus­tomers is almost cer­tain­ly Uzbek­istan, accord­ing to Bri­an Bartholomew, a researcher at Russ­ian cyber­se­cu­ri­ty com­pa­ny Kasper­sky Lab. He claimed that a lapse in an Uzbek­istan intel­li­gence agency’s oper­a­tional secu­ri­ty allowed him to link mul­ti­ple Win­dows vul­ner­a­bil­i­ties used in Uzbek attacks back to Can­diru and two oth­er cus­tomers: Sau­di Ara­bia and the U.A.E.

Uzbek­istan, Sau­di Ara­bia, and the UAE. Those were three of Can­diru’s clients iden­ti­fied back in late 2019 when the com­pa­ny first received media expo­sure and it’s obvi­ous­ly a very incom­plete client list. The kind of client list where we can be con­fi­dent all sorts of oth­er ter­ri­fy­ing cus­tomers are being qui­et­ly ser­viced.

Also keep in mind that Uzbekistan’s hackers wouldn’t have any trouble leaving Russian ‘cultural artifact’ clues. They all speak Russian. Of course, as we saw with the Vault7 story, the CIA’s Marble Framework obfuscation toolkit included foreign-language strings such as Russian or Mandarin that could be left in code as exactly these kinds of clues, so a hacker doesn’t necessarily need to know Russian or Mandarin to plant them. But still, since such ‘clues’ are given so much weight when it comes to cyberattribution, it behooves us to note that the hackers working for the many former Soviet republics are going to know Russian. At least enough to stick it in their code or on forums or wherever to make sure everyone knows it was the ‘Russians’. We now know dozens of governments have been subscribing to these malware services over the last decade. What are the odds they haven’t been doing precisely what the CIA’s toolkit did and injecting their own ‘cultural artifacts’? What are the odds these subscription toolkits don’t already offer those exact features? Saudi Arabia and the UAE, for example, would probably really enjoy those features:

...
According to Bartholomew, the NSS is essentially the successor to the Soviet KGB contingent, which transferred power in the early 1990s. “They have loads of power. They can pretty much do what they want,” Bartholomew said. The NSS also has a history of buying malware from foreign dealers, as revealed in the leaked 2015 emails of Italian provider Hacking Team. Hosted on Wikileaks, the emails contain frequent messages about deals between Hacking Team and the unit; Bartholomew believes Uzbekistan spent nearly $1 million on the Italian company’s services, looking at all the invoices in the leak.

But because the agency exposed its Win­dows exploits on the web, Kasper­sky researchers were able to link them to oth­er mali­cious soft­ware Bartholomew says were cre­at­ed by Can­diru, name­ly those that appeared to be con­trolled by Sau­di Ara­bia and the U.A.E. “Slop­py cus­tomers are bad cus­tomers,” the researcher said.

Human rights experts have now raised the alarm about Candiru’s customer base and the potential for abuse. Bartholomew and another source with knowledge of the attacks said they had discovered Candiru surveillance software was used in previously reported hacks on Uzbek human rights activists and independent media.

“Each of these gov­ern­ments is a ser­i­al spy­ware abuser, and it is painful­ly pre­dictable that civ­il soci­ety got tar­get­ed again,” said John Scott-Rail­ton, a sur­veil­lance mar­ket researcher at the Uni­ver­si­ty of Toronto’s Cit­i­zen Lab. “For an indus­try that is try­ing to tell investors and reg­u­la­tors that it is work­ing to clean up its act, pro­vid­ing spy­ware to these auto­crat­ic regimes is a guar­an­teed way to get it abused.”
...
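Before moving on, here is what the ‘cultural artifact’ evidence discussed above actually amounts to in practice. The following Python script is an added illustration, not code from this post, from Forbes or from any vendor: a toy string scanner that pulls Cyrillic, CJK and similar runs out of a binary the way attribution write-ups do, run against a constructed stand-in for a Windows binary (the DOS stub text, the build path and the Russian and Mandarin strings are all made up for the demo, and the script classification keys on Unicode character names, a simplification). It shows two things the paragraph only asserts: nineteen appended bytes are enough to give the ‘artifact’ list a second culprit, and English text read at the wrong character width shows up as Chinese ideographs unless the scanner filters for it.

```python
"""
Added example for this post (not code from the article or any vendor): a
toy 'cultural artifact' scanner of the kind attribution write-ups lean on,
plus a demonstration of how cheaply those artifacts are planted.
All sample bytes below are constructed for the demo; none come from real malware.
"""
import unicodedata
from collections import Counter

# Writing systems that attribution reports commonly treat as culprit hints.
SCRIPT_TAGS = ("CYRILLIC", "CJK", "HANGUL", "ARABIC", "HEBREW")
MIN_RUN = 3  # ignore runs shorter than this; single stray characters are noise


def script_of(ch: str):
    """Writing-system tag for one character, or None for ASCII/control/other."""
    try:
        name = unicodedata.name(ch)
    except ValueError:  # unassigned or control code point
        return None
    for tag in SCRIPT_TAGS:
        if name.startswith(tag):
            return tag
    return None


def foreign_runs(chars, min_len=MIN_RUN):
    """Yield (script, text) for maximal runs of >= min_len characters in one script."""
    run, cur = [], None
    for ch in chars:
        s = script_of(ch)
        if s is not None and s == cur:
            run.append(ch)
            continue
        if cur is not None and len(run) >= min_len:
            yield cur, "".join(run)
        run, cur = ([ch], s) if s is not None else ([], None)
    if cur is not None and len(run) >= min_len:
        yield cur, "".join(run)


def utf16le_chars(blob: bytes):
    """Read blob as little-endian 16-bit units (the encoding of Windows resource strings).

    Units whose two bytes are both printable ASCII are neutralised: they are ASCII
    text read at the wrong width, the classic source of bogus 'Chinese strings'
    (the 'MZ' header alone reads as the ideograph U+5A4D). Only even alignment is
    scanned here; a production scanner would try the odd offset too, which
    produces the same kind of spurious runs.
    """
    for i in range(0, len(blob) - 1, 2):
        lo, hi = blob[i], blob[i + 1]
        if 0x20 <= lo <= 0x7E and 0x20 <= hi <= 0x7E:
            yield " "  # neutral character: breaks any run
            continue
        cp = lo | (hi << 8)
        yield chr(cp) if not 0xD800 <= cp <= 0xDFFF else " "  # skip lone surrogates


def extract_artifacts(blob: bytes) -> Counter:
    """Count (encoding, script, text) artifacts found in a blob as UTF-8 and UTF-16LE."""
    hits = Counter()
    for script, text in foreign_runs(blob.decode("utf-8", errors="ignore")):
        hits[("utf-8", script, text)] += 1
    for script, text in foreign_runs(utf16le_chars(blob)):
        hits[("utf-16-le", script, text)] += 1
    return hits


def scripts_present(blob: bytes) -> set:
    """The set of non-Latin scripts an analyst would see in the artifact list."""
    return {script for (_, script, _) in extract_artifacts(blob)}


def asciiz(s: str) -> bytes:
    """NUL-terminated ASCII string padded to a 2-byte boundary, as in a PE string table."""
    b = s.encode("ascii") + b"\x00"
    return b + b"\x00" * (len(b) % 2)


# Constructed stand-in for a Windows binary: DOS stub text, an English build
# path, and one UTF-16LE Russian error string. Not a real sample.
CLEAN_SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + asciiz("This program cannot be run in DOS mode.")
    + asciiz("C:\\agent\\src\\loader\\Release\\loader.pdb")
    + "Ошибка записи файла".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 16
)

# The 'false flag': the same binary with one Mandarin string appended as UTF-8.
# Nineteen bytes are enough to add a second 'culprit' to the artifact list.
PLANTED_SAMPLE = CLEAN_SAMPLE + "文件写入错误".encode("utf-8") + b"\x00"


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SAMPLE), ("planted", PLANTED_SAMPLE)):
        print(f"{label}: scripts={sorted(scripts_present(blob))}")
        for (enc, script, text), n in sorted(extract_artifacts(blob).items()):
            print(f"  {enc:9} {script:8} {text!r} x{n}")
```

Run it directly to print both artifact lists. The point is not that such strings are worthless, but that they are cheap to plant and cheap to misread, so a confidence figure that rests mainly on them should be discounted accordingly.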

And look at the remark­able rela­tion­ship between NSO Group and Can­diru: the main Can­diru finan­cial backer was Founders Group, co-found­ed by one of the three men who set up NSO, Omri Lavie, and one of the lead investors is Founders Group man­ag­ing part­ner Isaac Zack:

...
Out­side of Candiru’s appar­ent rela­tion­ship with Dilian’s spy­ware enterprises—WiSpear and Intellexa—it has at least one tie to the most con­tro­ver­sial of Israel’s sur­veil­lance providers: NSO Group. That’s because two indus­try sources said the main Can­diru finan­cial backer was Founders Group, cofound­ed by one of the three men who set up NSO, Omri Lavie.

As surveillance industry sources also told Forbes, one of the lead investors is Founders Group managing partner Isaac Zack. According to Pitchbook, Zack is also a board member at wireless charging startup Humavox and at Sepio Systems. The latter is a cybersecurity company, focused on doing the exact opposite of Candiru: protecting hardware from being turned into silent surveillance devices. Its board also includes Tamir Pardo, the former head of the Mossad, Israel’s intelligence agency.
...

So when we read about NSO Group and Candiru both being licensed out to countries like Saudi Arabia, it seems like something of a package deal. You get Candiru for the Microsoft exploits and NSO Group for everything else.

********************************

Ok, we’re almost done with our excerpt marathon. A marathon drawn almost entirely from a seven-month period starting in December 2020. FireEye’s SolarWinds disclosure delivered what felt like a nightmare at the time. And it was, and is, a nightmare. Just not our worst nightmare. Not even close. Our nightmare scenario kept getting worse. It keeps going. It never ends.

And sure, it’s never going to end by definition. As long as there are computers there are going to be hack stories, and some of them will be major hacks. But as we’ve seen, this has been an unusual seven-month period. One mega-hack after another. It’s like cyber-climate change just started to become noticeable.

And throughout this wave of Microsoft mega-hacks, we’ve had Microsoft leading the way in attributions. It’s always a state-backed actor. Known within 24 to 48 hours. Conclusively. Russia or China. Don’t ask why. Just accept the conclusion. The highly self-serving easy conclusion that is far less terrifying than the idea of criminals carrying out these mega-hacks. Yes, the US government backs Microsoft on these attributions. Also without providing any hint of the evidence they’re based on. Just accept whatever attribution people come up with uncritically because, hey, they’re experts. They must know, right? That’s the climate of contemporary cyberattribution: watching people engage in what appears to be reading the digital tea leaves to come up with the culprit, then proclaiming their findings as if a forensic examination had decisively concluded it. And for the most part this is absolutely unquestioned.

Now, it’s important to keep one thing in mind in terms of this cyberattribution regime: part of the reason Microsoft and governments make these attribution pronouncements without bothering to give any evidence, and act as if we should just trust them, is that we more or less have to do exactly that. We have to just trust Microsoft and governments and whoever else has access to the compromised computer systems to study these hacks. Much of the evidence is private and someone has to go in and do the forensic cyber-investigation, examining malware, looking for ‘cultural artifacts’ or whatever. That’s all well and good and part of how a technologically complex society operates. It’s heavily trust-based.

But that’s precisely why the highly convenient and logically suspect narratives that continually pop up around these mega-hacks, where the culprit is always Russian or Chinese hackers, declared within days, are so problematic. We’re forced to trust the investigators because no evidence is ever given. And yet the conclusions always seem conveniently made up and virtually never acknowledge the existence of a global industry of companies like NSO Group and Candiru. If activists are targeted, sure, a government running “commercial surveillance vendor” software might be suspected, as was the case when Candiru’s malware was caught being used against activists. But that’s basically the only time we see this legal offensive cyber-for-hire industry come up in the attributions. Otherwise it’s nearly always attributed to Russia, China, North Korea or Iran. Maybe criminals if no government networks got hit. But that’s basically it. That’s the contemporary cyberattribution regime. Those are the acceptable choices: Russia, China, North Korea, Iran, maybe criminals. While at least 40 governments around the world have NSO Group subscriptions. And stories like the Vault7 hacking tools that planted foreign ‘cultural artifacts’ are less than a decade old. Each individual hack might be hard to assess, but taken together it’s just implausible.

To get a sense of how implausible, here’s our final quick excerpt. It’s from October 2020, about the findings in the Microsoft Digital Defense Report, which you can download here. The report includes a diagram (page 42) showing the percentage breakdown by country of the state-backed attributions made by Microsoft’s Threat Intelligence Center (MSTIC) between July 2019 and June 2020. So this is Microsoft telling us what its own security experts found. There were just four countries named on the entire chart. Guess which four: 52 percent of the hacks attributed to state-backed actors were attributed to Russia, 25 percent to Iran, 12 to China, and the final 11 to North Korea and “other states”. Now, take a moment to digest those numbers. 52 + 25 + 12 + 11 = 100. Virtually 100 percent of the state-backed attributions made between July 2019 and June 2020 by Microsoft were Russia, Iran, China, or North Korea. That’s why the ‘trust us’ attribution paradigm is so problematic. It’s hard to trust an implausible narrative:

The Inde­pen­dent

Rus­sia respon­si­ble for over half of all state-spon­sored hack­ing, Microsoft says

Attacks focused on polit­i­cal groups, rather than nation­al infra­struc­ture, in an attempt to affect oth­er gov­ern­ments’ pol­i­cy

Adam Smith
Fri­day 02 Octo­ber 2020 14:57

Rus­sia is respon­si­ble for over half of all state-spon­sored hack­ing, vast­ly more than any oth­er state, accord­ing to a new report from Microsoft.

Russ­ian activ­i­ty made up 52 per cent of all attacks between July 2019 and June 2020, the soft­ware giant’s Dig­i­tal Defence Report states.

It is fol­lowed by Iran, which makes up 25 per cent of the attacks mon­i­tored.

Chi­na is respon­si­ble for 12 per cent of attacks, while North Korea and oth­er states make up the final 11 per cent.

The majority of their targets have been in the United States, which is targeted 69 per cent of the time. The United Kingdom is the next most popular victim, receiving 19 per cent of attacks, followed by Canada, South Korea, and Saudi Arabia.

While there has been much concern over recent years that countries’ critical national infrastructure – such as the national grid or financial services – could be targeted by hackers, Microsoft says that is not the most common target.

Accord­ing to the soft­ware giant, 90 per cent of attacks from nation-states have been focused on “non­govern­men­tal organ­i­sa­tions (NGOs), advo­ca­cy groups, human rights orga­ni­za­tions and think tanks focused on pub­lic pol­i­cy, inter­na­tion­al affairs or secu­ri­ty.”

The com­pa­ny sug­gests that nation-states are hop­ing to influ­ence gov­ern­ment pol­i­cy through sub­tler means, rather than tar­get­ing infra­struc­ture direct­ly.

...

————

“Rus­sia respon­si­ble for over half of all state-spon­sored hack­ing, Microsoft says” by Adam Smith; The Inde­pen­dent; 10/02/2020

Again, 52 + 25 + 12 + 11 = 100. Microsoft’s threat assessment team apparently only ever points at those four countries. Even at a time when dozens of governments have subscriptions to software from companies like NSO Group and Candiru, and none of this is really a secret. It’s shameless. No other states decided to abuse their super spyware? None at all? Just Russia, Iran, China, and North Korea? Yes, that’s what we are being asked to believe by Microsoft, and Microsoft is the leading figure shaping this narrative. A narrative mostly about Microsoft vulnerabilities of late. Lots of Microsoft vulnerabilities, and yet almost no mention by Microsoft’s threat assessment teams of Candiru’s existence. The company exists to sell Microsoft exploits to governments around the world and yet, in this entire collection of stories we looked at, it was only after Citizen Lab publicly identified new Microsoft zero-day exploits that Candiru’s clients were using against activists that we saw Microsoft even acknowledge Candiru’s existence.

But to real­ly appre­ci­ate why this prob­lem­at­ic cyber­at­tri­bu­tion nar­ra­tive — where it’s always Rus­sia, Iran, Chi­na, and North Korea — is so wild­ly dan­ger­ous to civ­i­liza­tion, we have to appre­ci­ate how the Solar­Winds hack and Microsoft Exchange mega-hacks relate to these seem­ing­ly sooth­ing words from Microsoft back in Octo­ber when it was assuag­ing con­cerns about attacks on crit­i­cal infra­struc­ture: nation-states are hop­ing to influ­ence gov­ern­ment pol­i­cy through sub­tler means, rather than tar­get­ing infra­struc­ture direct­ly:

...
While there has been much concern over recent years that countries’ critical national infrastructure – such as the national grid or financial services – could be targeted by hackers, Microsoft says that is not the most common target.

Accord­ing to the soft­ware giant, 90 per cent of attacks from nation-states have been focused on “non­govern­men­tal organ­i­sa­tions (NGOs), advo­ca­cy groups, human rights orga­ni­za­tions and think tanks focused on pub­lic pol­i­cy, inter­na­tion­al affairs or secu­ri­ty.”

The com­pa­ny sug­gests that nation-states are hop­ing to influ­ence gov­ern­ment pol­i­cy through sub­tler means, rather than tar­get­ing infra­struc­ture direct­ly.
...

Microsoft was telling us this as the Solar­Winds hack was ongo­ing and two months before it was revealed. And as we’ve seen, both the Solar­Winds and Microsoft Exchange mega-hacks could arguably be con­sid­ered attacks on crit­i­cal infra­struc­ture. They were a very big deal. Espe­cial­ly the Microsoft Exchange hacks that could be auto­mat­ed and were car­ried out by seem­ing­ly for-prof­it crim­i­nal actors. That’s an infra­struc­ture attack. Who­ev­er car­ried this out was con­duct­ing a kind of dig­i­tal infra­struc­ture attack. It was that vast and aggres­sive.

But beyond the immediate damage done by these mega-hacks, it’s the potential for seeds to have been sown for future, even more devastating hacks that makes these stories absolutely devastating from a security standpoint. Basically every major organization’s computer networks got hit by sophisticated actors with a demonstrated capacity to deploy multiple zero-day exploits. We have every reason to believe they retained access to a large number of these networks. Remember what Jon Miller of Boldend told 60 Minutes’ Bill Whitaker: it would have been trivial for the SolarWinds hackers to turn that malware into the kind that causes the computers on those networks to effectively self-destruct. A few dozen more lines of code. That’s how easily these kinds of mega-hacks can become major crises. Lethal crises. Imagine the digital infrastructure of most of the world getting crippled with ransomware simultaneously. A few dozen lines of code could have turned SolarWinds or the Exchange hack into the kind of hack that cripples physical infrastructure.

Now imagine a global strike like that that cripples every country’s digital infrastructure except, say, Russia’s. Or China’s. It would be treated as an act of war. And we could be pretty confident Microsoft and plenty of other actors in the security sector would be more than happy to provide those definitive attributions that, yes, it was Russia. Or China. Or Iran or North Korea or whoever is most convenient. Hacking has become the perfect crime in multiple senses. Not only can a hack be executed in a manner where no one can determine the identity of the culprit but, by virtue of that complication, anyone can become the culprit. True conclusive attribution is so difficult, and yet increasingly important and urgent, that civilization has collectively just turned to the digital security industry and governments and asked them to give us their best educated guesses, and then we treat those best educated guesses as conclusive findings. It really is a faith-based attribution system. Increasingly, faith in Microsoft being honest about Microsoft mega-hacks. There’s bad faith. And blind faith. And then there’s that kind of faith. Blind dumb faith in Microsoft’s honesty and integrity. It’s clearly very popular these days. Enjoy it while you still can.

Discussion

8 comments for “Cyber Attribution, the Mega-Hacks of 2021, and the Existential Threat of Blind Faith in Bad-Faith”

  1. Welcome to your new security nightmare. Brought to you by Microsoft: The company recently issued an update on a relatively new zero-day exploit, “PrintNightmare”. The appropriately named exploit really is a security nightmare. The vulnerability in Microsoft’s print spooling software — the software that manages which documents get printed next from the printer — potentially allowed hackers to install programs, change data and create new accounts with full user rights, among other actions. In other words, your entire computer network could be taken over.

    Microsoft’s recent update on the vulnerabilities includes a new vulnerability that allows for the remote execution of any code on the system. It’s the kind of update that lets us know this vulnerability was even bigger than previously acknowledged, which is pretty amazing given the scope of the initial warning. It’s like learning you can be hacked even more thoroughly.

    So what is Microsoft rec­om­mend­ing in response to this lat­est hyper-sys­temic vul­ner­a­bil­i­ty? Dis­able the print­er spool­ing ser­vices, for starters. Patch your servers. And final­ly, migrate to Microsoft­’s Cloud ser­vices. And that appears to be what the ulti­mate ‘fix’ is going to be as this era of mega-hacks accel­er­ates: flee to the safe­ty of the cloud. Of course, as we’re going to see, the cloud may not be as safe as adver­tised. Sur­prise!

    Ok, first, here’s a report from early July, when the world woke up to the newest Microsoft security nightmare: the genuinely terrifying ‘PrintNightmare’:

    CRN

    Microsoft Patch­es ‘Print­Night­mare’ Vul­ner­a­bil­i­ty In Win­dows, Urges Imme­di­ate Install

    The vulnerability — officially dubbed CVE-2021-34527 — is found in how Print Spooler improperly performs privileged file operations, according to a Microsoft post.

    By Wade Tyler Mill­ward
    July 07, 2021, 03:48 PM EDT

    Microsoft has released secu­ri­ty updates to address a vul­ner­a­bil­i­ty in Win­dows print spool­er dubbed “Print­Night­mare,” rec­om­mend­ing that users “install these updates imme­di­ate­ly.”

    The vulnerability — officially dubbed “CVE-2021-34527” — is found in how print spooler improperly performs privileged file operations, according to a Microsoft post. An attacker could use the vulnerability to install programs, change data and create new accounts with full user rights, among other actions.

    The vul­ner­a­bil­i­ty exist­ed before the June 8 secu­ri­ty update, accord­ing to Microsoft. Print spool­er is an exe­cutable file that man­ages the print­ing process.

    All ver­sions of Win­dows are vul­ner­a­ble and domain con­trollers are affect­ed if print spool­er ser­vice is enabled. Point and Print can be exploit­ed through the vul­ner­a­bil­i­ty as well. Sup­port­ed ver­sions of Win­dows with­out a secu­ri­ty update made avail­able Tues­day will “be updat­ed short­ly after July 6.” Secu­ri­ty updates are now avail­able for Win­dows ver­sions includ­ing Serv­er 2019, Serv­er 2016, Serv­er 2012 and ver­sions of Win­dows 7 and Win­dows 10.

    The updates also solve a separate vulnerability dubbed CVE-2021-1675 identified in June. Microsoft described this vulnerability — identified on June 30 by the CERT Coordination Center nonprofit — as “similar but distinct” from PrintNightmare.

    ...

    Mul­ti­ple print spool­er vul­ner­a­bil­i­ties have been iden­ti­fied over the years.

    The past year, in par­tic­u­lar, has seen Microsoft get far more vocal and aggres­sive around the need for increas­ing secu­ri­ty, includ­ing an empha­sis on urg­ing busi­ness­es to shift to the cloud from on-premis­es infra­struc­ture.

    On Tues­day, CRN report­ed that hack­ers attempt­ed to use IT dis­trib­u­tor Syn­nex to gain access to cus­tomer appli­ca­tions with­in the Microsoft cloud envi­ron­ment in an attack pos­si­bly tied to the Kaseya ran­somware cam­paign.

    Mike Wil­son, chief tech­nol­o­gy offi­cer and a part­ner at Inter­link Cloud Advi­sors, a Mason, Ohio-based Microsoft Gold part­ner, said that Microsoft act­ed quick­ly on the patch–which was impor­tant because the vul­ner­a­bil­i­ty affect­ed all ver­sions of Win­dows and could lead to mal­ware embed­ding and a ran­somware attack.

    ...

    ———–

    “Microsoft Patch­es ‘Print­Night­mare’ Vul­ner­a­bil­i­ty In Win­dows, Urges Imme­di­ate Install” by Wade Tyler Mill­ward; CRN; 07/07/2021

    “The vulnerability — officially dubbed “CVE-2021-34527” — is found in how print spooler improperly performs privileged file operations, according to a Microsoft post. An attacker could use the vulnerability to install programs, change data and create new accounts with full user rights, among other actions.

    Who knows why Microsoft allows print spool­ers to cre­ate new accounts with full user rights, but they did. And any­one who knew about this vul­ner­a­bil­i­ty could have poten­tial­ly tak­en over the entire con­nect­ed net­work.

    And CVE-2021-34527 is just one of the vulnerabilities of this nature recently discovered. There was also CVE-2021-1675, found in June, that is apparently similar but distinct:

    ...
    The updates also solve a separate vulnerability dubbed CVE-2021-1675 identified in June. Microsoft described this vulnerability — identified on June 30 by the CERT Coordination Center nonprofit — as “similar but distinct” from PrintNightmare.
    ...

    It’s the kind of update that hints at more “similar but distinct” super exploits sitting there waiting to be found. And that’s exactly the warning we appeared to get from Kelly Yeh, president of Chantilly, Va.-based Microsoft partner Phalanx Technology Group, last week after Microsoft disclosed a new Windows Print Spooler vulnerability. The new vulnerability allowed for remote code execution that would similarly enable hackers to install programs, create new accounts with full user rights and even view, change or delete data. As Yeh warns us, “This is going to be the first of many exploits that probably come out.” And since this print spooler exploit was the second vulnerability of this nature recently disclosed (the first one, CVE-2021-1675, came out in June), Yeh is already technically correct.

    What should orga­ni­za­tions do in response to one super-Microsoft vul­ner­a­bil­i­ty after anoth­er? Migrate to the cloud. That’s Yeh’s advice. Stop try­ing to local­ly man­age things and let Microsoft do the man­age­ment for you:

    CRN

    Microsoft Dis­clos­es Anoth­er Win­dows Print Vul­ner­a­bil­i­ty, Under­scor­ing Cloud Push For MSPs

    ‘We as MSPs were scram­bling to turn all the print ser­vices off,’ said Kel­ly Yeh, pres­i­dent of Chan­til­ly, Va.-based Microsoft part­ner Pha­lanx Tech­nol­o­gy Group. ‘It was kind of chaot­ic.’

    By Wade Tyler Mill­ward
    August 12, 2021, 06:36 PM EDT

    A day after Microsoft released more updates for the Win­dows vul­ner­a­bil­i­ties known as “Print­Night­mare,” the tech giant has issued anoth­er report on a Win­dows Print Spool­er vul­ner­a­bil­i­ty.

    Kel­ly Yeh, pres­i­dent of Chan­til­ly, Va.-based Microsoft part­ner Pha­lanx Tech­nol­o­gy Group, told CRN in an inter­view that the ongo­ing strug­gle to patch Win­dows Print Spool­er is a real-world exam­ple of why many Microsoft cus­tomers should move more process­es to the cloud.

    “This is going to be the first of many exploits that prob­a­bly come out,” Yeh said. “That exploit [Print­Night­mare] is actu­al­ly a pret­ty big exploit, from what we were read­ing it can do.”

    The lat­est dis­cov­ery is a remote code exe­cu­tion vul­ner­a­bil­i­ty when Win­dows Print Spool­er improp­er­ly per­forms priv­i­leged file oper­a­tions. Hack­ers could exploit the vul­ner­a­bil­i­ty to install pro­grams, cre­ate new accounts with full user rights and even view, change or delete data.

    “The workaround for this vul­ner­a­bil­i­ty is stop­ping and dis­abling the Print Spool­er ser­vice,” accord­ing to the Microsoft dis­clo­sure Wednes­day.

    The dis­clo­sure con­tin­ued: “We are devel­op­ing a secu­ri­ty update. Solu­tions to ver­i­fied secu­ri­ty issues are nor­mal­ly released via our month­ly Update Tues­day cadence.”

    In response to CRN ques­tions about this lat­est vul­ner­a­bil­i­ty, a Microsoft spokesper­son said in an email: “We are aware of the report and are inves­ti­gat­ing. An inter­im workaround is described here.”

    Yeh said that the vul­ner­a­bil­i­ty comes at a time when busi­ness­es are try­ing to return to the office and on-premis­es servers haven’t been patched and reboot­ed in some time. While he wish­es Microsoft had patched all ver­sions of the serv­er imme­di­ate­ly to avoid mul­ti­ple secu­ri­ty updates, Yeh has been turn­ing off vul­ner­a­ble servers to avoid the vul­ner­a­bil­i­ty.

    “We as MSPs were scram­bling to turn all the print ser­vices off,” Yeh said. “We then had to remap every­body direct­ly to the print­ers, so that we didn’t have to have print servers. And even then, hav­ing that ser­vice run­ning on the work­sta­tions also made the work­sta­tions vul­ner­a­ble. So it was kind of chaot­ic.”

    The inci­dent has led to more con­ver­sa­tions around why clients need to adopt more cloud prod­ucts and ser­vices. Microsoft’s Share­Point in Microsoft 365, for exam­ple, have ver­sion con­trol, auto­mat­ic pro­tec­tion from ran­somware, mul­ti-fac­tor imple­men­ta­tion and data-loss pre­ven­tion, Yeh said. Azure has secu­ri­ty fea­tures to pro­tect lega­cy sys­tems.

    ...

    ———–

    “Microsoft Dis­clos­es Anoth­er Win­dows Print Vul­ner­a­bil­i­ty, Under­scor­ing Cloud Push For MSPs” by Wade Tyler Mill­ward; CRN; 08/12/2021

    “This is going to be the first of many exploits that probably come out,” Yeh said. “That exploit [PrintNightmare] is actually a pretty big exploit, from what we were reading it can do.”

    The first [actually second] of many exploits to come. Probably. Just wait. And in the meantime, we get to learn more about the known super-vulnerabilities. Like the ability to remotely execute code via the Print Spooler. It’s like total organizational access was built into Microsoft’s Printer Spooling software:

    ...
    The lat­est dis­cov­ery is a remote code exe­cu­tion vul­ner­a­bil­i­ty when Win­dows Print Spool­er improp­er­ly per­forms priv­i­leged file oper­a­tions. Hack­ers could exploit the vul­ner­a­bil­i­ty to install pro­grams, cre­ate new accounts with full user rights and even view, change or delete data.

    “The workaround for this vul­ner­a­bil­i­ty is stop­ping and dis­abling the Print Spool­er ser­vice,” accord­ing to the Microsoft dis­clo­sure Wednes­day.

    The dis­clo­sure con­tin­ued: “We are devel­op­ing a secu­ri­ty update. Solu­tions to ver­i­fied secu­ri­ty issues are nor­mal­ly released via our month­ly Update Tues­day cadence.”
    ...

    And, again, this is just the lat­est Microsoft secu­ri­ty night­mare on top of all the rest. With more to come. What are cyber secu­ri­ty pro­fes­sion­als to do? Run to the sweet embrace of Microsoft­’s cloud ser­vices:

    ...
    Kel­ly Yeh, pres­i­dent of Chan­til­ly, Va.-based Microsoft part­ner Pha­lanx Tech­nol­o­gy Group, told CRN in an inter­view that the ongo­ing strug­gle to patch Win­dows Print Spool­er is a real-world exam­ple of why many Microsoft cus­tomers should move more process­es to the cloud.

    ...

    The inci­dent has led to more con­ver­sa­tions around why clients need to adopt more cloud prod­ucts and ser­vices. Microsoft’s Share­Point in Microsoft 365, for exam­ple, have ver­sion con­trol, auto­mat­ic pro­tec­tion from ran­somware, mul­ti-fac­tor imple­men­ta­tion and data-loss pre­ven­tion, Yeh said. Azure has secu­ri­ty fea­tures to pro­tect lega­cy sys­tems.
    ...

    Keep in mind that there isn’t anything magical about cloud environments. They can still be hacked but, ideally, there are just a lot more resources focused on their security. At the same time, gaining access to a cloud environment would be the ultimate hacking prize. Many people have to be working on that challenge and it’s hard to imagine they aren’t going to succeed some day. And if we listen to CrowdStrike CEO George Kurtz in the following recent interview, that success has already been achieved. As Kurtz told the US Senate back in February in response to the SolarWinds hack, shortcomings in how Microsoft authenticates credentials have been replicated in the cloud. And don’t forget what we already saw in reports days after the SolarWinds hack was initially disclosed in December: the SolarWinds hackers demonstrated an ability to create password credentials for legitimate processes, enabling them to read emails from Microsoft’s Exchange Online cloud-based email service. So we’re already seeing hints of some sort of future cloud-based mega-hack. As Kurtz put it in the interview, “In other technologies, you can’t necessarily just steal passwords and use those encrypted passwords to authenticate to something... But in the Microsoft world, you literally can steal an encrypted password, without even decrypting it, and pass that hash to another Microsoft system and access the system as if you knew what the password was.”:

    CRN

    Strike First, Strike Hard: How George Kurtz Has Built CrowdStrike Into A Cybersecurity Powerhouse

    CrowdStrike CEO George Kurtz is fired up as his elite endpoint protection platform continues to win over customers, and he’s pulling no punches when it comes to taking on his rivals.

    By Michael Novinson
    August 09, 2021, 09:30 AM EDT

    BlackLake Security was about to initiate a three-year CrowdStrike subscription renewal for an oil-and-gas customer when it received shocking news: The customer had been wooed by lower pricing and was switching to Microsoft.

    But BlackLake founder and CEO Mark Jones knew the customer didn’t fully understand how much functionality and performance it would be giving up if it made the change, so he convinced the customer, which Jones declined to name, to take a call with BlackLake and CrowdStrike to let them lay out all the ways CrowdStrike’s technology beats Microsoft’s.

    CrowdStrike’s engineer didn’t even make it halfway through the presentation before the customer changed its mind and decided to renew, Jones said.

    “Microsoft will come in and give you a price that makes you go, ‘Wow, is CrowdStrike really that much better?’ Well, yeah, it actually is,” Jones told CRN. “You get what you pay for.”

    With wins like that under his belt, it’s no wonder CrowdStrike co-founder, President and CEO George Kurtz is confident in the company’s technology, pulling no punches whether he’s fighting off hackers with his company’s elite endpoint protection platform or taking on rivals like Microsoft and SentinelOne by calling out where he says they fall short.

    “When you look at our success, we’ve got the financial success and the performance, but that starts with having the best technology and the best platform, not just the best AV [anti-virus] product,” said Kurtz, who’s ranked as the ninth most influential leader on CRN’s 2021 Top 100 Executives list.

    CrowdStrike’s technology earns kudos from industry analysts as well. The Sunnyvale, Calif.-based company’s Falcon platform beat out 11 competitors to take the crown as Forrester’s top endpoint security SaaS product this year. And in Gartner’s 2021 Magic Quadrant for Endpoint Protection Platforms, CrowdStrike, along with Microsoft, earned the highest ratings by a significant margin.

    Kurtz’s confidence also comes in part from CrowdStrike’s ability to outlast many of its early foes. A slew of startups, including CrowdStrike, emerged in the 2000s and early 2010s to take on weaknesses in Symantec’s and McAfee’s anti-virus products with a modern approach that’s predictive, signature-less and goes beyond prevention. But most of those challengers cashed in their chips in 2019, with Carbon Black, Cylance and Endgame getting bought by VMware, BlackBerry and Elastic, respectively, for a combined $3.7 billion.

    “They didn’t build a platform. They were one-trick ponies that built a slightly better AV product than the legacy players that were out there,” Kurtz told CRN in an exclusive interview in July. “But for me, it was all about, ‘Let’s build the platform the right way. And let’s have investors that understand this is a long play.’ We saw the big play of being the Salesforce of security.”

    Elastic told CRN that Endgame’s product combined anti-virus with endpoint detection and response. BlackBerry and VMware Carbon Black did not respond to a request for comment.

    CrowdStrike went public in June 2019 at a then-industry record $6.6 billion valuation. It was the fastest-growing public company in all of cybersecurity in 2020, with sales surging 82 percent to $874.4 million. And the customer wins keep on rolling in this year, with revenue expected to jump 56 percent to $1.36 billion. Seventy-five percent of its sales come through the channel.

    CrowdStrike substantially increased its market share in 2020 to become the world’s second-largest corporate endpoint security vendor, capturing 9.2 percent of the $8.2 billion market. That trails only Trend Micro, according to research firm IDC. And as of press time, CrowdStrike is worth $59.43 billion, making it the most highly valued pure-play vendor in all of cybersecurity.

    ‘A Crisis In Trust Around Microsoft Technologies’

    CrowdStrike has become one of Microsoft’s most vocal security critics, with Kurtz blasting “systemic weaknesses in the Windows authentication architecture” for exacerbating the impact of the SolarWinds hack during written and oral testimony before the U.S. Senate in February. Shortcomings in how Microsoft authenticates credentials have been replicated in the cloud, furthering customer pain, he said.

    “In other technologies, you can’t necessarily just steal passwords and use those encrypted passwords to authenticate to something,” Kurtz told CRN. “But in the Microsoft world, you literally can steal an encrypted password, without even decrypting it, and pass that hash to another Microsoft system and access the system as if you knew what the password was.”

    Kurtz is far from the only CrowdStrike employee criticizing Microsoft, with Vice President of Public Sector James Yeager putting the company on notice in late June after the Russian foreign intelligence service breached a Microsoft support agent’s machine and used the account information it obtained to launch highly targeted attacks against customers.

    “[Microsoft] continues to get exposed as a company [that] is completely incapable of providing the most basic level of protection for themselves and their customers,” Yeager wrote on LinkedIn. “If you cannot secure your own infrastructure, then why should anyone trust you to secure their critical infrastructure and data?”

    Frank Shaw, Microsoft’s head of communications, fired back at Yeager, saying it’s irresponsible to suggest that any company or person is immune to attacks in today’s threat landscape. “It’s unfortunate to see some vendors attempt to further their position via innuendo and inaccurate accusations rather than seeking ways to contribute collaboratively,” Shaw wrote in a LinkedIn response to Yeager’s post.

    The company declined to respond to Kurtz’s specific allegations, telling CRN only, “Microsoft is the world’s largest cybersecurity provider, securing customers from the chip to the cloud, backed by more than 3,500 defenders at Microsoft and the more than 8 trillion security signals we process every day.”

    But from Kurtz’s perspective, companies that use Microsoft security products to safeguard Microsoft technology are exposing themselves to “systemic risk” and would benefit from having products and authentication standards in place that weren’t built by just one company.

    “We’re seeing a crisis in trust around Microsoft technologies,” Kurtz said. “Companies are taking a second look, saying, ‘Do I really want my security to be from the same vendor that is providing my operating system?’ Looking at the history of vulnerabilities that are out there and how they’ve been exploited, they’re basically saying, ‘Maybe we should reduce the risk by going with another vendor.’”

    Microsoft’s biggest competitors in the endpoint, email, identity and cloud security spaces — CrowdStrike, Proofpoint, Okta and Netskope, respectively — came together in June 2020 to form the Spectra Alliance, which is focused on securing remote work at scale and establishing a zero trust security posture. Kurtz said Spectra Alliance customers benefit from the breadth of capabilities and dedicated security focus.

    “If you look at CrowdStrike, every day all we do is think about security,” Kurtz said. “If you look at Microsoft, they’re thinking about their cloud and office productivity and gaming systems. It isn’t their sole focus. Security is a very broad landscape. There’s not one security company that does everything. It’s just very complicated and broad. And I think having a dedicated focus … goes a long way.”

    Kurtz said CrowdStrike customers also benefit from new features being pushed out via an agent rather than requiring an update of the entire operating system like Microsoft, which adds some latency.

    “Ours is a full platform approach that covers multiple operating systems with great capability. When you look at our Mac [platform], when you look at our Linux [platform], our technology is far superior to Microsoft,” Kurtz said. “It’s not a bolt-on to an operating system. When you look at Microsoft’s technology, it is based on a 2004 acquisition they did. It still uses signatures. And it’s covering a small slice of the overall ecosystem.”

    Both the Spectra Alliance and Microsoft have capitalized on growing demand for advanced security capabilities, with customers opting for a best-of-breed approach that includes CrowdStrike when they have the expertise internally to tie together security products from different vendors, according to a security solution provider executive, who asked not to be named. The solution provider works with both CrowdStrike and Microsoft.

    But where Microsoft Defender for Endpoint tends to be most popular is with enterprises that value simplicity and have already adopted other elements of the company’s security stack, according to the executive, who said his company is seeing Microsoft “more and more.”

    “If you’re already a Microsoft shop, sometimes people say, ‘I might as well just extend my current architecture and use Microsoft. I’m already Microsoft-heavy,’” the executive said. “It is a solution that works. It may not be best-of-breed, but it doesn’t necessarily require extra effort to create that integration.”

    ...

    ————-

    “Strike First, Strike Hard: How George Kurtz Has Built CrowdStrike Into A Cybersecurity Powerhouse” by Michael Novinson; CRN; 08/09/2021

    CrowdStrike has become one of Microsoft’s most vocal security critics, with Kurtz blasting “systemic weaknesses in the Windows authentication architecture” for exacerbating the impact of the SolarWinds hack during written and oral testimony before the U.S. Senate in February. Shortcomings in how Microsoft authenticates credentials have been replicated in the cloud, furthering customer pain, he said.

    It’s pretty ominous. At the same time experts are encouraging a mass migration to the cloud, we’re continuing to learn about new cloud-based vulnerabilities. Or not even cloud-specific vulnerabilities. That’s part of Kurtz’s critique of Microsoft’s security ecosystem: password hashes can be passed around from Microsoft-tool-to-Microsoft-tool without even decrypting them. Everyone is being asked to migrate their data and operations to a giant fancy vault filled with secret entrances:

    ...
    “In other technologies, you can’t necessarily just steal passwords and use those encrypted passwords to authenticate to something,” Kurtz told CRN. “But in the Microsoft world, you literally can steal an encrypted password, without even decrypting it, and pass that hash to another Microsoft system and access the system as if you knew what the password was.”

    Kurtz is far from the only CrowdStrike employee criticizing Microsoft, with Vice President of Public Sector James Yeager putting the company on notice in late June after the Russian foreign intelligence service breached a Microsoft support agent’s machine and used the account information it obtained to launch highly targeted attacks against customers.

    “[Microsoft] continues to get exposed as a company [that] is completely incapable of providing the most basic level of protection for themselves and their customers,” Yeager wrote on LinkedIn. “If you cannot secure your own infrastructure, then why should anyone trust you to secure their critical infrastructure and data?”

    ...

    But from Kurtz’s perspective, companies that use Microsoft security products to safeguard Microsoft technology are exposing themselves to “systemic risk” and would benefit from having products and authentication standards in place that weren’t built by just one company.

    “We’re seeing a crisis in trust around Microsoft technologies,” Kurtz said. “Companies are taking a second look, saying, ‘Do I really want my security to be from the same vendor that is providing my operating system?’ Looking at the history of vulnerabilities that are out there and how they’ve been exploited, they’re basically saying, ‘Maybe we should reduce the risk by going with another vendor.’”
    ...

    Microsoft represents a “systemic risk”. That’s how CrowdStrike sees it, and it’s a risk that extends to the cloud. And yes, CrowdStrike is Microsoft’s direct competitor in the security arena so we shouldn’t be surprised by the criticisms. But these aren’t just random criticisms. The security issues with Microsoft are an empirical fact at this point. CrowdStrike is only warning about what our lying eyes and ears are already telling us.

    So that’s the latest Microsoft cybersecurity nightmare update. ‘PrintNightmare’ is upon us and if you think there’s an easy solution your head is in the clouds. Well, ok, you can disconnect the printer. It’s the rest of the systemic risk you’ll still need to worry about.

    Posted by Pterrafractyl | August 17, 2021, 4:54 pm
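    Kurtz’s point in the comment above, that on Windows a stolen NTLM hash can be replayed in place of the password, is why defenders watch the authentication logs for the traces such replay leaves behind. The following is an added example and not code from the original post, from CrowdStrike or from Microsoft: it applies two widely used pass-the-hash triage heuristics to a handful of constructed Windows Security event 4624 (successful logon) records. The field names mirror that event’s EventData; the hosts, accounts and addresses are made up for the example.

```python
"""Heuristic pass-the-hash (PtH) indicators over Windows Security events.

Added example (not from the original post): applies two commonly used
detection heuristics to successful-logon records (Security event 4624).
Field names mirror the event's EventData; the sample records below are
constructed for this example, with made-up hosts, accounts and addresses.
"""
from dataclasses import dataclass
from typing import Iterable, List

ANONYMOUS = "ANONYMOUS LOGON"


@dataclass(frozen=True)
class Alert:
    rule: str
    account: str
    source_ip: str
    workstation: str


def is_ntlm_network_no_session_key(ev: dict) -> bool:
    """Rule A: NTLM network logon (type 3) that negotiated no session key.

    NTLM network logons from ordinary Windows clients report KeyLength 128;
    hash-replay tooling typically leaves KeyLength 0. The null session
    (ANONYMOUS LOGON) is excluded because it legitimately reports 0 too.
    """
    return (
        ev.get("EventID") == 4624
        and int(ev.get("LogonType", -1)) == 3
        and ev.get("AuthenticationPackageName", "").upper() == "NTLM"
        and ev.get("LogonProcessName", "").strip().lower() == "ntlmssp"
        and int(ev.get("KeyLength", -1)) == 0
        and ev.get("TargetUserName", "").upper() != ANONYMOUS
    )


def is_new_credentials_seclogo(ev: dict) -> bool:
    """Rule B: "new credentials" logon (type 9) via the seclogo logon process.

    This is the local footprint of a process started with alternate network
    credentials. The legitimate runas /netonly command produces the same
    record, so this is a triage signal, not proof on its own.
    """
    return (
        ev.get("EventID") == 4624
        and int(ev.get("LogonType", -1)) == 9
        and ev.get("LogonProcessName", "").strip().lower() == "seclogo"
        and ev.get("AuthenticationPackageName", "").lower() == "negotiate"
    )


def detect_pth(events: Iterable[dict]) -> List[Alert]:
    """Return one Alert per matching rule per event, preserving input order."""
    alerts: List[Alert] = []
    for ev in events:
        matched = []
        if is_ntlm_network_no_session_key(ev):
            matched.append("ntlm_network_keylength0")
        if is_new_credentials_seclogo(ev):
            matched.append("new_credentials_seclogo")
        for rule in matched:
            alerts.append(Alert(rule, ev.get("TargetUserName", ""),
                                ev.get("IpAddress", ""), ev.get("WorkstationName", "")))
    return alerts


# Constructed sample events (field names as in Security event 4624).
SAMPLE_EVENTS = [
    # Ordinary Kerberos network logon: not flagged (Kerberos always reports KeyLength 0).
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LogonProcessName": "Kerberos", "KeyLength": 0, "TargetUserName": "jdoe",
     "IpAddress": "10.0.5.40", "WorkstationName": "WS-040"},
    # Legacy NAS authenticating with NTLM but with a session key: not flagged.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp ", "KeyLength": 128, "TargetUserName": "svc_backup",
     "IpAddress": "10.0.9.7", "WorkstationName": "NAS-OLD"},
    # NTLM network logon with no session key from a workstation: rule A.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp ", "KeyLength": 0, "TargetUserName": "svc_backup",
     "IpAddress": "10.0.5.23", "WorkstationName": "WS-023"},
    # Null session: excluded from rule A.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp ", "KeyLength": 0, "TargetUserName": ANONYMOUS,
     "IpAddress": "10.0.5.23", "WorkstationName": "WS-023"},
    # Alternate-credential logon via seclogo on the host itself: rule B.
    {"EventID": 4624, "LogonType": 9, "AuthenticationPackageName": "Negotiate",
     "LogonProcessName": "seclogo", "KeyLength": 0, "TargetUserName": "jdoe",
     "IpAddress": "::1", "WorkstationName": "WS-040"},
]

if __name__ == "__main__":
    for a in detect_pth(SAMPLE_EVENTS):
        print(f"{a.rule}: account={a.account} src={a.source_ip} host={a.workstation}")
```

    Both rules fire on legitimate activity in some environments (old appliances that only speak NTLM, administrators using runas /netonly), so in practice they are baselined per host and per account rather than alerted on blindly; what the example shows is that the hash replay Kurtz describes is observable in the logs of the system that accepted it, even though no password was ever decrypted.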
  2. Here’s an update on the SolarWinds mega-hack. Or rather, an update on SolarWinds-related major software vulnerabilities. As we’re going to see, there have been two major additional vulnerabilities discovered in SolarWinds software since the initial disclosure of the SolarWinds hack back in mid-December 2020.

    Days after the first disclosure, there were reports of a second hacking team targeting SolarWinds customers. Not much was disclosed about the attack. We were told that this second piece of malware, dubbed “Supernova”, also targeted the SolarWinds Orion updating software. But unlike with the first SolarWinds hack’s malware (dubbed “Sunburst”), this new malware wasn’t “digitally signed”. Recall how part of what made the first SolarWinds hack so disturbing was how the hackers managed to sneak their malware into the software development process at the very last possible point, bypassing standard security measures designed to catch unwanted software. That’s what made the malware “digitally signed”. So Supernova doesn’t appear to have been incorporated into the SolarWinds Orion software in the same manner. That technical difference between the first and second SolarWinds hack appears to be part of the reason security researchers are assuming the two hacks were carried out by separate groups. As we’re going to see, it’s not actually a great reason for such an assumption.

    Another related technical difference between the first ‘Russian’ SolarWinds hack and this second hack is the need for access to the target networks. As we’ve seen, part of what made the first SolarWinds hack so potentially devastating is the fact that backdoors onto client networks were delivered by the malware. The hack itself was what provided access to client networks. But with this second hack, some sort of previous network access that allows the hackers to interact with the Orion software on the target network is required.

    Importantly, the first and second SolarWinds hacks serve two different purposes. The first hack was a hack of the Orion software itself that deployed the “Sunburst” backdoors on all of SolarWinds’ 18,000 client networks. The second “Supernova” hack is a hack that exploits a bug in Orion software to help spread the hackers across networks they had already compromised. So you could imagine the same hacker wanting to use both hacks on the same network. This is important to keep in mind because we are told that the fact that one hack requires network access while the other doesn’t suggests it was carried out by two different hacking groups.

    Also note another important detail about the Supernova malware deployed in this second SolarWinds hack: it exploits weaknesses in the .NET software development framework. That’s one of Microsoft’s proprietary platforms.

    So who is believed to be behind this second SolarWinds hack? Well, at the time it was first announced, researchers couldn’t say. But by February of this year, they were ready to name names: China did it! Because if it wasn’t Russia, it has to be China. Or Iran or North Korea. One of those four.

    What’s the basis for this attribution to a China-based group? Very little. Anonymous sources first suggesting it was China back in February tell us the hack shared computer infrastructure and hacking tools with hacks previously attributed to Chinese hackers. That vague. The one somewhat detailed clue we are given is by security researchers at Secureworks. The company found connections between a November 2020 Supernova attack on one of its clients and an August 2020 attack that didn’t involve Supernova. That August 2020 attack was somewhat miraculously tied back to China when the hackers apparently made the mistake of stealing Secureworks’s own endpoint security software from their hacked client and installed it on one of their own computers. The endpoint software predictably pinged Secureworks’s networks. That appears to be the sole piece of evidence connecting this second hack back to China. So both ‘Russia’ and ‘China’ were hacking the sh*t out of SolarWinds in parallel. That was the narrative that had emerged by February of this year.

    Then, in July, we got reports of the other new SolarWinds hack. The new new hack. A third SolarWinds hack that focuses on exploiting vulnerabilities in the Serv-U software made by SolarWinds. Like the second SolarWinds hack, the hackers need prior access to the victim network. The hack revolves around sending commands to the Serv-U software with output that can be read remotely and used to grab information like passwords or modify files. It sounds like an incredibly powerful exploit.

    And who is behind this third SolarWinds hack? China did it! Again! But a different group of Chinese hackers. We are told the vulnerability exists in the then-latest Serv-U version 15.2.3 HF1, released on May 5, and all prior versions. So this super-exploit, that could potentially grant powerful access on the victim networks, had existed ever since Serv-U was first deployed.

    Now, why is this new hack attributed to China? We have no idea and are never told. Microsoft’s threat assessment report on the hack simply states twice that the group is based in China. That’s it. No other details on why this is a China-based group.

    Oh, and there’s another important detail also left out of Microsoft’s report: the Serv-U vulnerability only exists if Serv-U is being run on Windows-based operating systems. Linux-based systems aren’t impacted. In other words, this Serv-U hack kind of sounds like a Microsoft hack. Kind of like how the Supernova hack was a hack of Microsoft’s .NET framework. Somehow, the hackers were able to use the Serv-U software to exploit underlying vulnerabilities in Windows. That’s the story we appear to be looking at. There is no mention of the fact that only Windows systems were vulnerable in the Microsoft threat assessment report. We have to look at the SolarWinds report on the hack to learn about this. Yes, Microsoft left out of its threat assessment report the fact that they deployed Supernova and the fact that only Windows systems were hit. Imagine that.

    So what’s the common thread here? The same thread we’ve seen all along: the hacking attribution industry is just kind of making it up. Weaponized attributions, for profit. And in Microsoft’s case, a narrative necessarily shaped to defend itself from accusations of shoddy security. Sometimes appropriate skepticism is deployed and often it’s tossed out the window. What stays the same is the convenience of the narratives.

    Ok, first, here’s a December 19, 2020, report that gives us the first glimpse of this second hack. Not much is known at this point other than the fact that “Supernova” malware imitates SolarWinds’s Orion software, which is technically very different from the first hack where the malware was embedded inside the Orion software. So this second hack required prior access to the victim networks:

    Reuters

    Second hacking team was targeting SolarWinds at time of big breach

    By Christopher Bing
    December 19, 2020 12:34 PM Updated

    (Reuters) — A second hacking group, different from the suspected Russian team now associated with the major SolarWinds data breach, also targeted the company’s products earlier this year, according to a security research blog by Microsoft.

    “The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor,” the blog said.

    Security experts told Reuters this second effort is known as “SUPERNOVA.” It is a piece of malware that imitates SolarWinds’ Orion product but it is not “digitally signed” like the other attack, suggesting this second group of hackers did not share access to the network management company’s internal systems.

    It is unclear whether SUPERNOVA has been deployed against any targets, such as customers of SolarWinds. The malware appears to have been created in late March, based on a review of the file’s compile times.

    The new finding shows how more than one sophisticated hacking group viewed SolarWinds, an Austin, Texas-based company that was not a household name until this month, as an important gateway to penetrate other targets.

    ...

    ————–

    “Second hacking team was targeting SolarWinds at time of big breach” by Christopher Bing; Reuters; 12/19/2020

    “Security experts told Reuters this second effort is known as “SUPERNOVA.” It is a piece of malware that imitates SolarWinds’ Orion product but it is not “digitally signed” like the other attack, suggesting this second group of hackers did not share access to the network management company’s internal systems.

    Note the example of attribution logic being used here. The fact that this second hack didn’t share the “digital signature” of the first hack is seen as a suggestion that this second group of hackers did not share access to the “network management company’s internal systems”, which is a reference to how the first hack originated with a hack of the SolarWinds Orion software developer’s computer, allowing the embedding of the backdoor malware.

    Now, on the one hand, it’s a useful observation to note that one hack required access to SolarWinds’s own developer networks, which ended up giving access to client networks, while this newly discovered hack instead just requires access to the client networks. Keep in mind, though, that it’s merely a suggestion these are different hackers. But it’s also important to keep in mind that there are scenarios where the same hackers could end up planting both this Supernova malware and the Orion backdoor from the first hack on the same system.

    For example, we are told the first SolarWinds hack started in February of 2020, when the first compromised Orion updates went out to SolarWinds’s 18,000 clients. But as we’re going to see, it’s suspected that the ‘Chinese’ hackers behind this second SolarWinds hack, which required prior access to victim networks, relied on a separate ManageEngine ServiceDesk vulnerability to gain access to the networks that was being exploited as far back as 2018. And as we’re also going to see, this newly discovered hack appears to allow the hackers to move laterally across victim networks, which serves a different and very compatible purpose with the backdoor created by the first SolarWinds hack. But the narrative right out of the gate with this story was that it was completely unconnected to the mega-hack disclosed days earlier based on the assumption that both exploits wouldn’t be needed by the same actor.

    Next, here’s a February 2, 2021, Reuters piece where we get the first hint of an official attribution for the hack. China did it. Of course. That’s the word from anonymous sources involved with the investigation. We also learn from these anonymous sources that the hackers used computer infrastructure and hacking tools previously deployed by state-backed Chinese cyber-spies. That’s the extent of the details we are given. A vague reference to vague ‘pattern-recognition’ based on some spoofable technical indicators. SolarWinds, on the other hand, said that it had “not found anything conclusive” to show who was responsible.

    And we also learn that this second hack served a different purpose from the first SolarWinds hack: it exploited a bug in Orion that helped the hackers spread across victim networks. So this second hack sounds like a potentially useful secondary attack that could have been exploited after the first SolarWinds hack creates the backdoor granting that initial access:

    Reuters

    Exclusive: Suspected Chinese hackers used SolarWinds bug to spy on U.S. payroll agency – sources

    By Christopher Bing, Jack Stubbs, Raphael Satter, Joseph Menn
    February 2, 2021 12:43 PM Updated

    WASHINGTON (Reuters) — Suspected Chinese hackers exploited a flaw in software made by SolarWinds Corp to help break into U.S. government computers last year, five people familiar with the matter told Reuters, marking a new twist in a sprawling cybersecurity breach that U.S. lawmakers have labeled a national security emergency.

    Two people briefed on the case said FBI investigators recently found that the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture, was among the affected organizations, raising fears that data on thousands of government employees may have been compromised.

    The software flaw exploited by the suspected Chinese group is separate from the one the United States has accused Russian government operatives of using to compromise up to 18,000 SolarWinds customers, including sensitive federal agencies, by hijacking the company’s Orion network monitoring software.

    Security researchers have previously said a second group of hackers was abusing SolarWinds’ software at the same time as the alleged Russian hack, but the suspected connection to China and ensuing U.S. government breach have not been previously reported.

    Reuters was not able to establish how many organizations were compromised by the suspected Chinese operation. The sources, who spoke on condition of anonymity to discuss ongoing investigations, said the attackers used computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies.

    A USDA spokesman said in an email “USDA has notified all customers (including individuals and organizations) whose data has been affected by the SolarWinds Orion Code Compromise.”

    In a follow-up statement after the story was published, a different USDA spokesman said the NFC was not hacked and that “there was no data breach related to Solar Winds” at the agency. He did not provide further explanation.

    The Chinese foreign ministry said attributing cyberattacks was a “complex technical issue” and any allegations should be supported with evidence. “China resolutely opposes and combats any form of cyberattacks and cyber theft,” it said in a statement.

    SolarWinds said it was aware of a single customer that was compromised by the second set of hackers but that it had “not found anything conclusive” to show who was responsible. The company added that the attackers did not gain access to its own internal systems and that it had released an update to fix the bug in December.

    In the case of the sole client it knew about, SolarWinds said the hackers only abused its software once inside the client’s network. SolarWinds did not say how the hackers first got in, except to say it was “in a way that was unrelated to SolarWinds.”

    ...

    Although the two espionage efforts overlap and both targeted the U.S. government, they were separate and distinctly different operations, according to four people who have investigated the attacks and outside experts who reviewed the code used by both sets of hackers.

    While the alleged Russian hackers penetrated deep into SolarWinds network and hid a “back door” in Orion software updates which were then sent to customers, the suspected Chinese group exploited a separate bug in Orion’s code to help spread across networks they had already compromised, the sources said.

    ‘EXTREMELY SERIOUS BREACH’

    The side-by-side missions show how hackers are focusing on weaknesses in obscure but essential software products that are widely used by major corporations and government agencies.

    “Apparently SolarWinds was a high value target for more than one group,” said Jen Miller-Osborn, the deputy director of threat intelligence at Palo Alto Networks’ Unit42.

    Former U.S. chief information security officer Gregory Touhill said separate groups of hackers targeting the same software product was not unusual. “It wouldn’t be the first time we’ve seen a nation-state actor surfing in behind someone else, it’s like ‘drafting’ in NASCAR,” he said, where one racing car gets an advantage by closely following another’s lead.

    The connection between the second set of attacks on SolarWinds customers and suspected Chinese hackers was only discovered in recent weeks, according to security analysts investigating alongside the U.S. government.

    Reuters could not determine what information the attackers were able to steal from the National Finance Center (NFC) or how deep they burrowed into its systems. But the potential impact could be “massive,” former U.S. government officials told Reuters.

    The NFC is responsible for handling the payroll of multiple government agencies, including several involved in national security, such as the FBI, State Department, Homeland Security Department and Treasury Department, the former officials said.

    Records held by the NFC include federal employee social security numbers, phone numbers and personal email addresses as well as banking information. On its website, the NFC says it “services more than 160 diverse agencies, providing payroll services to more than 600,000 Federal employees.”

    “Depending on what data were compromised, this could be an extremely serious breach of security,” said Tom Warrick, a former senior official at the U.S Department of Homeland Security. “It could allow adversaries to know more about U.S. officials, improving their ability to collect intelligence.”

    ————-

    “Exclusive: Suspected Chinese hackers used SolarWinds bug to spy on U.S. payroll agency – sources” By Christopher Bing, Jack Stubbs, Raphael Satter, Joseph Menn; Reuters; 02/02/2021

    “Security researchers have previously said a second group of hackers was abusing SolarWinds’ software at the same time as the alleged Russian hack, but the suspected connection to China and ensuing U.S. government breach have not been previously reported.”

    It took a little over two months before ‘anonymous sources’ started pointing the finger at China. Which is actually a lot more time than the mere days it took for the first SolarWinds hack to get blamed on Russia. So what evidence were these sources pointing at? The hackers “used computer infrastructure and hacking tools.” No details or examples of shared infrastructure or tools. That’s it. It tells us nothing other than the fact that shoddy ‘pattern recognition’ techniques were being relied on:

    ...
    Reuters was not able to establish how many organizations were compromised by the suspected Chinese operation. The sources, who spoke on condition of anonymity to discuss ongoing investigations, said the attackers used computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies.

    ...

    Solar­Winds said it was aware of a sin­gle cus­tomer that was com­pro­mised by the sec­ond set of hack­ers but that it had “not found any­thing con­clu­sive” to show who was respon­si­ble. The com­pa­ny added that the attack­ers did not gain access to its own inter­nal sys­tems and that it had released an update to fix the bug in Decem­ber.

    ...

    Although the two espi­onage efforts over­lap and both tar­get­ed the U.S. gov­ern­ment, they were sep­a­rate and dis­tinct­ly dif­fer­ent oper­a­tions, accord­ing to four peo­ple who have inves­ti­gat­ed the attacks and out­side experts who reviewed the code used by both sets of hack­ers.
    ...

    But here’s where we learn some very important details about the nature of this hack: it was used to help spread across already-compromised networks. Which makes this the kind of exploit that sounds like a great partner with the first SolarWinds hack that compromised 18,000 client networks with backdoors:

    ...
    In the case of the sole client it knew about, Solar­Winds said the hack­ers only abused its soft­ware once inside the client’s net­work. Solar­Winds did not say how the hack­ers first got in, except to say it was “in a way that was unre­lat­ed to Solar­Winds.”

    ...

    While the alleged Russ­ian hack­ers pen­e­trat­ed deep into Solar­Winds net­work and hid a “back door” in Ori­on soft­ware updates which were then sent to cus­tomers, the sus­pect­ed Chi­nese group exploit­ed a sep­a­rate bug in Orion’s code to help spread across net­works they had already com­pro­mised, the sources said.

    ...

    For­mer U.S. chief infor­ma­tion secu­ri­ty offi­cer Gre­go­ry Touhill said sep­a­rate groups of hack­ers tar­get­ing the same soft­ware prod­uct was not unusu­al. “It wouldn’t be the first time we’ve seen a nation-state actor surf­ing in behind some­one else, it’s like ‘draft­ing’ in NASCAR,” he said, where one rac­ing car gets an advan­tage by close­ly fol­low­ing another’s lead.

    The con­nec­tion between the sec­ond set of attacks on Solar­Winds cus­tomers and sus­pect­ed Chi­nese hack­ers was only dis­cov­ered in recent weeks, accord­ing to secu­ri­ty ana­lysts inves­ti­gat­ing along­side the U.S. gov­ern­ment.
    ...

    A month later, in early March, we get another update. An update that would appear to tie the hack to China. It came from the research team at Secureworks’ Counter Threat Unit (CTU), who informed us that they first encountered the Supernova malware in November of 2020. Upon closer examination, they found similarities to a hack in August 2020 that was found to have been enabled by a vulnerability in the ManageEngine ServiceDesk software that the hackers likely exploited in early 2018. That ManageEngine ServiceDesk exploit is previously known to have been used by Chinese hackers. And it was during the investigation of this August 2020 hack that the hackers decided to install Secureworks’ own endpoint software on one of their computers and connect it to the internet. The endpoint software on the hackers’ computer predictably pinged Secureworks’ servers and the company had the information it needed to connect that hack to China (which ignores the obvious possibility of remotely using a computer from anywhere). This appears to be the extent of the evidence that the Supernova SolarWinds hack is being carried out by Chinese hackers. Vague digital spoofable clues:

    Ars Tech­ni­ca

    Chi­nese hack­ers tar­get­ed Solar­Winds cus­tomers in par­al­lel with Russ­ian op
    New data sug­gests that Rus­sia was­n’t the only nation-state hack­ing cus­tomers.

    Dan Good­in — 3/8/2021, 6:36 PM

    By now, most peo­ple know that hack­ers tied to the Russ­ian gov­ern­ment com­pro­mised the Solar­Winds soft­ware build sys­tem and used it to push a mali­cious update to some 18,000 of the company’s cus­tomers. On Mon­day, researchers pub­lished evi­dence that hack­ers from Chi­na also tar­get­ed Solar­Winds cus­tomers in what secu­ri­ty ana­lysts have said was a dis­tinct­ly dif­fer­ent oper­a­tion.

    The par­al­lel hack cam­paigns have been pub­lic knowl­edge since Decem­ber, when researchers revealed that, in addi­tion to the sup­ply chain attack, hack­ers exploit­ed a vul­ner­a­bil­i­ty in Solar­Winds soft­ware called Ori­on. Hack­ers in the lat­ter cam­paign used the exploit to install a mali­cious web shell dubbed Super­no­va on the net­work of a cus­tomer who used the net­work man­age­ment tool. Researchers, how­ev­er, had few if any clues as to who car­ried out that attack.

    On Mon­day, researchers said the attack was like­ly car­ried out by a Chi­na-based hack­ing group they’ve dubbed “Spi­ral.” The find­ing, laid out in a report pub­lished on Mon­day by Secure­works’ Counter Threat Unit, is based on tech­niques, tac­tics, and pro­ce­dures in the hack that were either iden­ti­cal or very sim­i­lar to an ear­li­er com­pro­mise the researchers dis­cov­ered in the same net­work.

    Pum­meled on more than one front

    The find­ing comes on the heels of word that Chi­na-based hack­ers dubbed Hafni­um are one of at least five clus­ters of hack­ers behind attacks that installed mali­cious web shells on tens of thou­sands of Microsoft Exchange servers. Monday’s report shows that there’s no short­age of APTs—shorthand for advanced per­sis­tent threat hackers—determined to tar­get a wide swath of US-based orga­ni­za­tions.

    ...

    Counter Threat Unit researchers said they encoun­tered Super­no­va in Novem­ber as they respond­ed to the hack of a customer’s net­work. Like oth­er mali­cious web shells, Super­no­va got installed after the attack­ers had suc­cess­ful­ly gained the abil­i­ty to exe­cute mali­cious code on the target’s sys­tems. The attack­ers then used Super­no­va to send com­mands that stole pass­words and oth­er data that gave access to oth­er parts of the net­work.

    Secure­works CTU researchers already believed that the speed and sur­gi­cal pre­ci­sion of the move­ment inside the target’s net­work sug­gest­ed that Spi­ral had pri­or expe­ri­ence inside it. Then, the researchers noticed sim­i­lar­i­ties between the Novem­ber hack and one the researchers had uncov­ered in August 2020. The attack­ers in the ear­li­er hack like­ly gained ini­tial access as ear­ly as 2018 by exploit­ing a vul­ner­a­bil­i­ty in a prod­uct known as the Man­ageEngine Ser­viceDesk, the researchers said.

    “CTU researchers were ini­tial­ly unable to attribute the August activ­i­ty to any known threat groups,” the researchers wrote. “How­ev­er, the fol­low­ing sim­i­lar­i­ties to the SPIRAL intru­sion in late 2020 sug­gest that the SPIRAL threat group was respon­si­ble for both intru­sions:”

    * The threat actors used iden­ti­cal com­mands to dump the LSASS process via comsvcs.dll and used the same out­put file path (see Fig­ure 6).

    (Figure: LSASS process dump from August 2020 using an identical command to the November 2020 incident.)

    * The same two servers were accessed: a domain con­troller and a serv­er that could pro­vide access to sen­si­tive busi­ness data.
    * The same ‘c:\users\public’ path (all lowercase) was used as a working directory.
    * Three com­pro­mised admin­is­tra­tor accounts were used in both intru­sions.

    The CTU researchers already knew that Chinese hackers had been exploiting ManageEngine servers to gain long-term access to networks of interest. But that alone wasn’t enough to determine Spiral had its origins in China. The researchers became more confident in the connection after noticing that the hackers in the August incident accidentally exposed one of their IP addresses. It was geolocated to China.

    The hackers exposed their IP address when they stole the endpoint detection software Secureworks had sold to the hacked customer. For reasons that aren’t clear, the hackers then ran the security product on one of their computers, at which point it exposed its IP address as it reached out to a Secureworks server.

    The nam­ing con­ven­tion of the hack­ers’ com­put­er was the same as a dif­fer­ent com­put­er that the hack­ers had used when con­nect­ing to the net­work through a VPN. Tak­en togeth­er, the evi­dence col­lect­ed by CTU researchers gave them the con­fi­dence that both hacks were done by the same group and that the group was based in Chi­na.

    “Sim­i­lar­i­ties between SUPER­NO­VA-relat­ed activ­i­ty in Novem­ber and activ­i­ty that CTU researchers ana­lyzed in August sug­gest that the SPIRAL threat group was respon­si­ble for both intru­sions,” CTU researchers wrote. “Char­ac­ter­is­tics of these intru­sions indi­cate a pos­si­ble con­nec­tion to Chi­na.”

    ————-

    “Chi­nese hack­ers tar­get­ed Solar­Winds cus­tomers in par­al­lel with Russ­ian op” by Dan Good­in; Ars Tech­ni­ca; 03/08/2021

    “On Monday, researchers said the attack was likely carried out by a China-based hacking group they’ve dubbed ‘Spiral.’ The finding, laid out in a report published on Monday by Secureworks’ Counter Threat Unit, is based on techniques, tactics, and procedures in the hack that were either identical or very similar to an earlier compromise the researchers discovered in the same network.”

    Meet “Spi­ral”, who is def­i­nite­ly not “Hafni­um” and def­i­nite­ly not respon­si­ble for the first Solar­Winds hack. And not the Serv‑U Solar­Winds hack we’re going to learn about in July. Only this sec­ond Solar­Winds hack. And def­i­nite­ly from Chi­na.

    That’s what Secureworks’ CTU concluded based on techniques, tactics, and procedures in the hack that were either identical or very similar to an earlier compromise of the same client: the August 2020 hack of the Secureworks client where the hackers stole Secureworks’ endpoint software from the client’s network, installed it on their own computer in China, and allowed it to ping Secureworks’ servers. And the August 2020 hackers shared certain traits, like using the same commands and the same ‘c:\users\public’ working directory name. So some technical pattern recognition combined with reductive reasoning and/or wild guessing and/or convenient story-telling. This is the sausage-making of contemporary cyberattributions:

    ...
    Counter Threat Unit researchers said they encoun­tered Super­no­va in Novem­ber as they respond­ed to the hack of a customer’s net­work. Like oth­er mali­cious web shells, Super­no­va got installed after the attack­ers had suc­cess­ful­ly gained the abil­i­ty to exe­cute mali­cious code on the target’s sys­tems. The attack­ers then used Super­no­va to send com­mands that stole pass­words and oth­er data that gave access to oth­er parts of the net­work.

    Secure­works CTU researchers already believed that the speed and sur­gi­cal pre­ci­sion of the move­ment inside the target’s net­work sug­gest­ed that Spi­ral had pri­or expe­ri­ence inside it. Then, the researchers noticed sim­i­lar­i­ties between the Novem­ber hack and one the researchers had uncov­ered in August 2020. The attack­ers in the ear­li­er hack like­ly gained ini­tial access as ear­ly as 2018 by exploit­ing a vul­ner­a­bil­i­ty in a prod­uct known as the Man­ageEngine Ser­viceDesk, the researchers said.

    “CTU researchers were initially unable to attribute the August activity to any known threat groups,” the researchers wrote. “However, the following similarities to the SPIRAL intrusion in late 2020 suggest that the SPIRAL threat group was responsible for both intrusions:”

    * The threat actors used iden­ti­cal com­mands to dump the LSASS process via comsvcs.dll and used the same out­put file path (see Fig­ure 6).

    (Figure: LSASS process dump from August 2020 using an identical command to the November 2020 incident.)

    * The same two servers were accessed: a domain con­troller and a serv­er that could pro­vide access to sen­si­tive busi­ness data.
    * The same ‘c:\users\public’ path (all lowercase) was used as a working directory.
    * Three com­pro­mised admin­is­tra­tor accounts were used in both intru­sions.

    ...

    Also note the lan­guage in the Secure­works CTU report: “Char­ac­ter­is­tics of these intru­sions indi­cate a pos­si­ble con­nec­tion to Chi­na.” A pos­si­ble con­nec­tion to Chi­na. Which is real­ly all it is:

    ...
    The CTU researchers already knew that Chinese hackers had been exploiting ManageEngine servers to gain long-term access to networks of interest. But that alone wasn’t enough to determine Spiral had its origins in China. The researchers became more confident in the connection after noticing that the hackers in the August incident accidentally exposed one of their IP addresses. It was geolocated to China.

    The hackers exposed their IP address when they stole the endpoint detection software Secureworks had sold to the hacked customer. For reasons that aren’t clear, the hackers then ran the security product on one of their computers, at which point it exposed its IP address as it reached out to a Secureworks server.

    The nam­ing con­ven­tion of the hack­ers’ com­put­er was the same as a dif­fer­ent com­put­er that the hack­ers had used when con­nect­ing to the net­work through a VPN. Tak­en togeth­er, the evi­dence col­lect­ed by CTU researchers gave them the con­fi­dence that both hacks were done by the same group and that the group was based in Chi­na.

    “Sim­i­lar­i­ties between SUPER­NO­VA-relat­ed activ­i­ty in Novem­ber and activ­i­ty that CTU researchers ana­lyzed in August sug­gest that the SPIRAL threat group was respon­si­ble for both intru­sions,” CTU researchers wrote. “Char­ac­ter­is­tics of these intru­sions indi­cate a pos­si­ble con­nec­tion to Chi­na.”
    ...

    Now, jump for­ward to mid-July, and we learn about the third Solar­Winds hack. This one by a dif­fer­ent Chi­nese hack­ing crew. And this one sounds pret­ty seri­ous in terms of the con­trol it gives to the attack­ers. The Serv‑U attack allows hack­ers to install pro­grams, and change or delete infor­ma­tion. And every pre­vi­ous ver­sion of Serv‑U was vul­ner­a­ble (but as we’ll see, only on Win­dows servers):

    Ars Tech­ni­ca

    Microsoft dis­cov­ers crit­i­cal Solar­Winds zero-day under active attack
    Flaws allow attack­ers to run mali­cious code on machines host­ing Serv‑U prod­ucts.

    Dan Good­in — 7/12/2021, 2:25 PM

    Solar­Winds, the com­pa­ny at the cen­ter of a sup­ply chain attack that com­pro­mised nine US agen­cies and 100 pri­vate com­pa­nies, is scram­bling to con­tain a new secu­ri­ty threat: a crit­i­cal zero-day vul­ner­a­bil­i­ty in its Serv‑U prod­uct line.

    Microsoft dis­cov­ered the exploits and pri­vate­ly report­ed them to Solar­Winds, the lat­ter com­pa­ny said in an advi­so­ry pub­lished on Fri­day. Solar­Winds said the attacks are entire­ly unre­lat­ed to the sup­ply chain attack dis­cov­ered in Decem­ber.

    ...

    Only Solar­Winds Serv‑U Man­aged File Trans­fer and Serv‑U Secure FTP—and by exten­sion, the Serv‑U Gate­way, a com­po­nent of those two products—are affect­ed by this vul­ner­a­bil­i­ty, which allows attack­ers to remote­ly exe­cute mali­cious code on vul­ner­a­ble sys­tems.

    An attack­er can gain priv­i­leged access to exploit­ed machines host­ing Serv‑U prod­ucts and could then install pro­grams; view, change, or delete data; or run pro­grams on the affect­ed sys­tem. The vul­ner­a­bil­i­ty exists in the lat­est Serv‑U ver­sion 15.2.3 HF1, released on May 5, and all pri­or ver­sions.

    Solar­Winds has issued a hot­fix to mit­i­gate the attacks while the com­pa­ny works on a per­ma­nent solu­tion. Peo­ple run­ning Serv‑U ver­sion 15.2.3 HF1 should apply hot­fix (HF) 2; those using Serv‑U 15.2.3 should apply Serv‑U 15.2.3 HF1 and then apply Serv‑U 15.2.3 HF2; and those run­ning Serv‑U ver­sions pri­or to 15.2.3 should upgrade to Serv‑U 15.2.3, apply Serv‑U 15.2.3 HF1, and then apply Serv‑U 15.2.3 HF2. The com­pa­ny says cus­tomers should install the fix­es imme­di­ate­ly.

    The hot­fix­es are avail­able here. Dis­abling SSH access also pre­vents exploita­tion.

    The fed­er­al gov­ern­ment has attrib­uted last year’s sup­ply chain attack to hack­ers work­ing for Russia’s For­eign Intel­li­gence Ser­vice, abbre­vi­at­ed as the SVR, which for more than a decade has con­duct­ed mal­ware cam­paigns tar­get­ing gov­ern­ments, polit­i­cal think tanks, and oth­er orga­ni­za­tions in coun­tries includ­ing Ger­many, Uzbek­istan, South Korea, and the US. Tar­gets have includ­ed the US State Depart­ment and the White House in 2014.

    The hack­ers used that access to push a mali­cious soft­ware update to about 18,000 cus­tomers of Solar­Winds’ Ori­on net­work man­age­ment prod­uct. Of those cus­tomers, rough­ly 110 received a fol­low-on attack that installed a lat­er-stage pay­load that exfil­trat­ed pro­pri­etary data. The mal­ware installed in the attack cam­paign is known as Sun­burst. Again, Solar­Winds said the exploits under­way now have no con­nec­tion.

    Late last year, zero-day vul­ner­a­bil­i­ties in Solar­Winds’ Ori­on prod­uct came under exploit by a dif­fer­ent set of attack­ers that researchers have tied to China’s gov­ern­ment. Those attack­ers installed mal­ware that researchers call Super­No­va. Threat actors linked to Chi­na have also tar­get­ed Solar­Winds. At least one US gov­ern­ment agency was tar­get­ed in this oper­a­tion.

    —————-

    “Microsoft dis­cov­ers crit­i­cal Solar­Winds zero-day under active attack” by Dan Good­in; Ars Tech­ni­ca; 07/12/2021

    “Microsoft discovered the exploits and privately reported them to SolarWinds, the latter company said in an advisory published on Friday. SolarWinds said the attacks are entirely unrelated to the supply chain attack discovered in December.”

    It’s def­i­nite­ly entire­ly unre­lat­ed to the Solar­Winds hacks from Decem­ber. Both. They don’t know much but they know that. Some­how. And it’s a vul­ner­a­bil­i­ty that’s exist­ed in all pre­vi­ous ver­sions of Serv‑U, so any­one who knew about it had plen­ty of oppor­tu­ni­ty. And plen­ty of poten­tial for dam­age. The hack appears to give the attack­er admin con­trol over the com­put­er. They can install pro­grams, and add or delete infor­ma­tion. That’s mas­sive. Again, this is only going to be a vul­ner­a­bil­i­ty for Win­dows sys­tems run­ning Serv‑U:

    ...
    Only Solar­Winds Serv‑U Man­aged File Trans­fer and Serv‑U Secure FTP—and by exten­sion, the Serv‑U Gate­way, a com­po­nent of those two products—are affect­ed by this vul­ner­a­bil­i­ty, which allows attack­ers to remote­ly exe­cute mali­cious code on vul­ner­a­ble sys­tems.

    An attack­er can gain priv­i­leged access to exploit­ed machines host­ing Serv‑U prod­ucts and could then install pro­grams; view, change, or delete data; or run pro­grams on the affect­ed sys­tem. The vul­ner­a­bil­i­ty exists in the lat­est Serv‑U ver­sion 15.2.3 HF1, released on May 5, and all pri­or ver­sions.

    ...

    Late last year, zero-day vul­ner­a­bil­i­ties in Solar­Winds’ Ori­on prod­uct came under exploit by a dif­fer­ent set of attack­ers that researchers have tied to China’s gov­ern­ment. Those attack­ers installed mal­ware that researchers call Super­No­va. Threat actors linked to Chi­na have also tar­get­ed Solar­Winds. At least one US gov­ern­ment agency was tar­get­ed in this oper­a­tion.
    ...

    Now let’s take a quick look at one of the fun facts found in the Solar­Winds report on the Serv‑U hack: it only affects Win­dows com­put­ers. Lin­ux sys­tems aren’t impact­ed. In oth­er words, the Serv‑U hack has anoth­er Microsoft Win­dows vul­ner­a­bil­i­ty at its core:

    SolarWinds.com

    Serv‑U Remote Mem­o­ry Escape Vul­ner­a­bil­i­ty

    CVE-2021–35211

    Secu­ri­ty Vul­ner­a­bil­i­ty

    Released: July 9, 2021 Last updat­ed: July 15, 2021
    Assign­ing CNA: Solar­Winds

    ...

    Updat­ed July 13, 2021

    What prod­ucts are affect­ed?

    Only Solar­Winds Serv‑U Man­aged File Trans­fer and Serv‑U Secure FTP for Win­dows are affect­ed by this vul­ner­a­bil­i­ty. Please note the Serv‑U Gate­way is a com­po­nent of these two prod­ucts and is not a sep­a­rate prod­uct.

    The Lin­ux ver­sions of these prod­ucts are not vul­ner­a­ble to a RCE exploit of this secu­ri­ty vul­ner­a­bil­i­ty. The Lin­ux ver­sion of the Serv‑U prod­uct crash­es when the exploit is attempt­ed by a threat actor.

    ...

    ————-

    “Serv‑U Remote Mem­o­ry Escape Vul­ner­a­bil­i­ty”; SolarWinds.com; 07/15/2021

    “Only SolarWinds Serv‑U Managed File Transfer and Serv‑U Secure FTP for Windows are affected by this vulnerability. Please note the Serv‑U Gateway is a component of these two products and is not a separate product.”

    Only Win­dows sys­tems are vul­ner­a­ble. Weird how Microsoft failed to men­tion that in its threat assess­ment report on this very same vul­ner­a­bil­i­ty.

    So we have not one but two additional SolarWinds hacks: one disclosed days after the initial hack and one seven months later. Both unrelated to the initial hack. Both from China. And both unrelated to each other. That’s what we’ve been told. With basically no evidence. What evidence we do have — like Secureworks tying the Supernova hack back to an August 2020 hack that pinged from China — suggests the evidence behind these attributions is tenuous guesswork at best. But at least Secureworks even bothers to vaguely describe its evidence. That’s more than we get from most.

    And note how both of these new Solar­Winds hacks appear to be, at their core, Microsoft hacks. The Super­no­va hack exploits a Microsoft .NET frame­work vul­ner­a­bil­i­ty and the Serv‑U hack only impacts Win­dows sys­tems. And Microsoft is the com­pa­ny gen­er­al­ly lead­ing the glob­al secu­ri­ty respons­es to major hacks and defin­ing our nar­ra­tives. Again we have to ask, that’s a con­flict of inter­est, right? Blind faith in Microsoft is hard enough as is. We don’t need bla­tant con­flicts of inter­est with extra­or­di­nary stakes.
    All sorts of extra­or­di­nary stakes. Long-stand­ing stakes.

    Posted by Pterrafractyl | August 22, 2021, 11:30 pm
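The LSASS-dump indicator in the Secureworks list quoted above (an identical comsvcs.dll MiniDump command, the same output path, the same c:\users\public working directory) is something a defender can both detect in process-creation telemetry and compare across incidents. What follows is an added Python example, not code from the Ars Technica article, from Secureworks or from the commenter: it runs a detector for the publicly documented rundll32/comsvcs.dll MiniDump technique over constructed Sysmon-style process-creation events (not real logs), then reports which normalised indicators recur in more than one incident, which is the shape of the overlap argument in the CTU report. It goes slightly beyond the page's case by also matching the ordinal form of the export (#24). The host names, account names, PIDs and incident labels are invented for the example.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 / 4688 style).
# These are NOT real logs from the incidents in the article; they are built so
# that two "intrusions" repeat the same rundll32/comsvcs.dll MiniDump command
# and output path, which is the kind of overlap Secureworks cited.
SAMPLE_EVENTS = [
    {"incident": "aug-2020", "host": "DC01", "user": "CORP\\admin_a",
     "cwd": "c:\\users\\public",
     "cmd": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 612 "
            "c:\\users\\public\\lsass.dmp full"},
    {"incident": "nov-2020", "host": "DC01", "user": "CORP\\admin_a",
     "cwd": "c:\\users\\public",
     "cmd": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 700 "
            "c:\\users\\public\\lsass.dmp full"},
    {"incident": "nov-2020", "host": "FS02", "user": "CORP\\backup",
     "cwd": "c:\\windows\\system32",
     "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},          # benign admin use
    {"incident": "other", "host": "APP03", "user": "CORP\\admin_b",
     "cwd": "c:\\users\\public",
     "cmd": "rundll32.exe c:\\windows\\system32\\comsvcs.dll, #24 912 "
            "c:\\users\\public\\x.dmp full"},                     # ordinal variant
]

# comsvcs.dll exposes MiniDump by name and, as commonly documented, by ordinal #24.
# The pattern deliberately does not anchor on rundll32.exe: the same export can be
# reached from PowerShell or a renamed loader, so match on the call itself.
DUMP_RE = re.compile(
    r"comsvcs(?:\.dll)?\s*,\s*(?P<export>minidump|#24)\s+"
    r"(?P<pid>\d+)\s+(?P<path>\"[^\"]+\"|\S+)(?:\s+(?P<full>full))?",
    re.IGNORECASE,
)


def detect_lsass_dump(cmd):
    """Return the parsed dump parameters if cmd invokes comsvcs.dll MiniDump, else None."""
    m = DUMP_RE.search(cmd)
    if not m:
        return None
    return {
        "export": m.group("export").lower(),
        "pid": int(m.group("pid")),
        "path": m.group("path").strip('"').lower(),
        "full": m.group("full") is not None,
    }


def scan(events):
    """Run the detector over process-creation events and return the enriched hits."""
    hits = []
    for ev in events:
        found = detect_lsass_dump(ev["cmd"])
        if found:
            hits.append({**ev, **found})
    return hits


def overlap_key(hit):
    """Normalise a hit to the attributes an analyst would compare across intrusions.
    The PID is dropped because it changes on every boot; the output path, working
    directory and account are the parts that can meaningfully recur."""
    return (hit["export"], hit["path"], hit["cwd"].lower(), hit["user"].lower())


def shared_indicators(hits):
    """Map each normalised indicator to the sorted list of incidents it appears in,
    keeping only indicators seen in more than one incident."""
    seen = {}
    for h in hits:
        seen.setdefault(overlap_key(h), set()).add(h["incident"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    found_hits = scan(SAMPLE_EVENTS)
    for h in found_hits:
        print(f"[{h['incident']}] {h['host']} {h['user']} -> LSASS dump via "
              f"{h['export']} pid={h['pid']} out={h['path']} full={h['full']}")
    for key, incidents in shared_indicators(found_hits).items():
        print("shared across", incidents, ":", key)
```

Matching the command line is the detection; the overlap table is only a pivot for an analyst. A dump path or a working directory is a choice any operator can copy from a published report, so recurrence of this kind of indicator is a lead for further investigation rather than an identification on its own.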
  3. When we learned that Mex­i­co was the first gov­ern­ment to get a sub­scrip­tion to NSO Group’s mal­ware back in 2011, one of the default ques­tions raised by the rev­e­la­tion was why Mex­i­co? Of course, there’s a pret­ty obvi­ous answer. Sad­ly a default answer for Mex­i­co: Orga­nized crime, in par­tic­u­lar in rela­tion to the drug war. It’s the kind of use case that would fit square­ly under the NSO Group’s list of offi­cial valid rea­sons for using its soft­ware. Ter­ror and orga­nized crime are pre­cise­ly what the com­mer­cial sur­veil­lance indus­try touts as why it should be allowed to exist. Mex­i­co cer­tain­ly had no short­age of drug relat­ed orga­nized crime in 2011.

    So with that osten­si­ble rea­son for Mex­i­co’s ear­ly access to the NSO Group’s soft­ware in mind, here’s a piece last month by Daniel Hop­sick­er with some pret­ty wild his­to­ry relat­ed to NSO Group, Mex­i­co’s use of com­mer­cial spy­ware, and the drug trade. And Car­los Slim:

    Before NSO Group’s rela­tion­ship with Mex­i­co, there was Verint, anoth­er Israeli spy­ware-for-hire com­pa­ny. Ver­in­t’s rela­tion­ship with Mex­i­co appears to have start­ed in 2003. That’s based on a press release issued in 2006 by Car­los Slim’s Telmex in response to anoth­er press release tout­ing the Bush State Depart­men­t’s spon­sor­ship of Ver­in­t’s pro­gram to mon­i­tor Telmex’s entire net­work. And since Telmex is Mex­i­co’s monop­oly tele­com provider, that was basi­cal­ly every phone in Mex­i­co get­ting spied on by Verint. This was, again, paid for by the US State Depart­ment.

    And then there’s the giant twist in Verint’s background: It turns out it was Verint in 2003 — back when it was called ECI Telecom — that leased the space for the headquarters of SkyWay Aircraft. As Daniel Hopsicker has covered in a number of articles and shows, SkyWay is like a collage of intelligence-protected illicit activity, with ties to everything from the April 2006 bust of 5.5 tons of cocaine on a SkyWay Aircraft to the 9/11 hijackers in Florida. As the Introduction of FTR#554 — an interview with Daniel Hopsicker — reminds us about the network of figures and companies surrounding SkyWay (owners of ‘Royal Sons’):

    Introduction: Documenting the career of Makram Chams, this program sets forth some facets of a man who must be the most remarkable convenience store owner of all time. In addition to being an intimate associate of, and apparent collaborator of, 9/11 hijackers Mohamed Atta and Marwan Al-Shehhi, Chams has apparently worked as a “consultant” for Titan Corporation, a major defense contractor. Chams also was part owner of a casino boat, another of whose partners—Max Burge—owned the planes that operated out of Huffman Aviation. (Huffman was the flight school through which Atta and other 9/11 hijackers infiltrated. For more about Huffman Aviation and Hopsicker’s work, see—among other programs—FTR#‘s 477, 482, 483, 484.) Burge had worked with Frederick Geffon, whose ‘Royal Sons’ company owned a DC9 that was busted in Mexico with 5.5 tons of cocaine on board. Tracing the ownership of the DC9, the broadcast notes that the plane has belonged to a series of intelligence fronts associated with the CIA and Iran-Contra drug smuggling. Among the previous owners of the plane was Adnan Khashoggi, an Iran-Contra scandal player, financier of Al Qaeda and partner of John Gray, the New Age guru who has financed the 9/11-disinformation movement. Some convenience store owner!

    Recall how “Royal Sons”, owned by SkyWay, had an address that traced back to Huffman Aviation’s hangar at Venice Airport. SkyWay is a remarkably shady company. As we’ll see, a second SkyWay plane busted for a massive cocaine haul had previously been used in CIA rendition flights. So SkyWay has all the hallmarks of running an intelligence-connected drug trafficking operation and it was Verint that leased SkyWay its office space in 2003, the same year Telmex tells us Verint’s mass spying on Mexican phones started, paid for by the US State Department.

    And as we’ll also see, it appears that when Verint’s spyware was being used by the Mexican government during this period to fight against the drug cartels, there was one cartel left out: the Sinaloa cartel. In other words, the spyware was being used to allow the government of Mexico to fight and win a drug war on behalf of the chief cartel in bed with the government. With Slim in on the cut. According to Hopsicker, that’s what happened. Slim and the government of Felipe Calderón used Verint, and the force of the Mexican military and federal police, to fight a drug war the Sinaloa cartel was supposed to win.

    There’s also a more direct con­nec­tion to NSO Group: In May of 2018, it was report­ed that NSO Group and Verint were merg­ing, although the talks were appar­ent­ly end­ed a cou­ple months lat­er. So Verint is alive and well it would seem, which is anoth­er aspect of this sto­ry:

    Mad­Cow­Prod

    Pega­sus Project’s “Mod­i­fied Lim­it­ed Hang­out”

    By Daniel Hop­sick­er -
    July 27, 2021

    “It’s dif­fi­cult to get a man to under­stand some­thing when his salary depends on his not under­stand­ing it.”—Upton Sin­clair

    “Nev­er argue with any­one whose job depends on not being convinced.”—H. L. Menck­en

    The drum­beat of dai­ly break­ing news about Pega­sus hack­ing soft­ware from Israeli spy­ware ven­dor NSO to some of the world’s most repres­sive regimes con­tains shock­ing dis­clo­sures. But, also, equal­ly shock­ing omis­sions.

    The Israeli mil­i­tary-grade spy­ware is being used, said the Pega­sus Project, against “Politi­cians, jour­nal­ists and human rights activists.”

    It’s a frothy and fre­quent­ly-repeat­ed equa­tion.

    The Wash­ing­ton Post’s head­line: “Pri­vate Israeli spy­ware used to hack cell phone of jour­nal­ists, activists world­wide.”

    And without question these groups have been targeted, often with tragic results. But they left something out. Call it “competitive advantage.”

    The coun­try with the largest num­ber of tar­get­ed names is Mex­i­co.

    “The great­est num­ber (of smart­phone num­bers) in the data dump were in Mex­i­co,” the Post report­ed, “more than 15,000 num­bers.”

    Mex­i­co is using the spy­ware to tar­get drug traf­fick­ers. Why? Because they’re not just “drug traf­fick­ers.” They’re rival drug traf­fick­ers.

    Plus, the Pega­sus Project doesn’t even men­tion Car­los Slim. He’s been using Israeli spy­ware in Mex­i­co since 2003.

    “Politi­cians, jour­nal­ists and human rights activists”

    When Mex­i­can Pres­i­dent Felipe Calderon sent thou­sands of troops and fed­er­al police to occu­py Ciu­dad Juarez, today known as “Mur­der City,” it wasn’t just to intim­i­date jour­nal­ists and human rights activists.

    The army of occupation came to Ciudad Juarez to throw its massive weight behind one side—the Sinaloa Cartel’s side—in the murderous drug war that had been raging for control of the Mexican economy’s biggest industry—and largest source of income—the drug trade.

    “The gov­ern­ment declared war on us,” a Juarez Car­tel leader tells a reporter in “To Die in Mex­i­co,” a book by Mex­i­co City jour­nal­ist John Gibler.

    “Many of our mem­bers have been dis­ap­peared,” he con­tin­ued. “We know that it was sol­diers who took them out. They are cov­er­ing for the oth­er gang; they are pro­tect­ing them.”

    “If the Unit­ed States came in, maybe they’d lock us up,” he mus­es. “But here, no, they’re grab­bing up and they’re killing us. That is what is hap­pen­ing; it’s an exter­mi­na­tion.”

    The bat­tle even­tu­al­ly result­ed in defeat for the Juarez Car­tel, at the cost of an esti­mat­ed 20,000 lives.

    That’s how the Israeli spy­ware was used.

    Inconvenient facts are ignored

    But the Pegasus Project’s most egregious omission concerns Mexico’s Carlos Slim—perhaps understandably, given his recent role as the savior of the New York Times.

    In some shocking—and conveniently ignored—recent history, Carlos Slim, Mexico’s richest oligarch, between 2003 and 2007 was doing business with these same Israeli spyware vendors, which are all spin-offs from the intelligence unit of the Israeli Defense Forces, Unit 8200.

    Israeli spyware vendors have a rich history of wrongdoing before 2012, including companies with Unit 8200 intelligence connections every bit as strong as NSO’s. Both of NSO’s principals began their careers as part of the unit. The names of Israeli spyware vendors frequently change. But who the players ultimately worked for did not. Pegasus Project journalists appear to know nothing about this.

    It’s the same ruse often used by American intelligence. Erik Prince’s Blackwater seemed to change its name with each new atrocity. When Claire Chennault’s Flying Tigers from World War II transformed into Civil Air Transport and then transmogrified into Air America, the names changed, but the mission remained the same.

    Today the NSO Group still operates under various monikers.

    The Washington Post back in 2017 reported traitor-for-hire Mike Flynn had been paid “roughly $100,000” as a “consultant” for OSY Technologies, as well as the private equity firm Francisco Partners, which are, respectively, NSO Group’s parent company and previous owner. But these ties to the former Defense Intelligence Agency chief escaped close scrutiny and embarrassing questions until just a few days ago.

    “A modified, extremely-limited hangout”

    By ignoring the NSO Group’s history and previous iterations, The Pegasus Project does the Western world a grave disservice.

    The omissions expose a global drug cartel composed of governments and gangsters.

    Mexican oligarch and the country’s wealthiest man Carlos Slim had a partnership with Israeli intelligence-connected VERINT, which signed a contract to wiretap any phone in Mexico. Slim’s Telmex controlled almost all of Mexico’s landlines. Slim was also virtually the only cell phone provider.

    The information from VERINT’s Israeli spyware allowed Mexican Presidents Vicente Fox and Felipe Calderon to render critical aid to the Sinaloa Cartel, then at war with every other cartel in Mexico.

    Who picked up the tab for VERINT’s contract in Mexico? The Administration of President George W. Bush.

    What does VERINT have to do with the subject of Project Pegasus, Israeli spyware company NSO Group? Just three years ago, in 2018, VERINT announced it was purchasing NSO for $1 billion. The buy-out was called off at the last minute, for undisclosed reasons, which only now become obvious.

    But it was anything but a hostile takeover.

    ...

    “Dude, amazing business synergy. Really.”

    But there’s an even-more shocking revelation connecting Carlos Slim and Israeli intelligence’s spyware spin-off VERINT, sitting right out in the open.

    VERINT owned the corporate headquarters in Clearwater leased by SkyWay Aircraft, soon to be the proud owners of a DC-9 (N900SA) busted in the Yucatan on April 11, 2006 carrying a record—even for Mexico—seizure on an airplane, 5.5 tons of cocaine.

    So VERINT (in its earlier iteration as ECI Telecom) had leased a huge 78,000 square foot complex—large enough to later become a local college’s campus—to a company, SkyWay, in April 2003, which the company used to smuggle cocaine.

    And it did this while tapping every cell phone in Mexico.

    SkyWay had reported zero earnings during the previous quarter, according to SEC filings, and had exactly one employee.

    With that kind of credit score, it would be hard to qualify for a one-bedroom apartment in a shabby part of town. What gives? Maybe this:

    Shortly thereafter, SkyWay bought twin DC-9s, one of which had been recently “owned” by Ramy El-Batrawi, a Saudi lieutenant of Adnan Khashoggi’s. The two men’s Jetbourne Airlines flew missiles to Iran for Lt. Colonel Oliver North during the Iran Contra scandal.

    “Not quite fair play, was it?”

    A number of “anomalies” surrounded the massive seizure.

    One was that SkyWay’s busted DC-9 was impressively tricked out to impersonate aircraft from the U.S. Dept. of Homeland Security, complete with an official-looking Seal depicting an American eagle clutching a claw full of arrows.

    What makes this fact even more curious is that the plane was based at Clearwater-St Petersburg International Airport, which also housed a fleet of planes which belonged to U.S. Customs, and which were tasked with drug interdiction across the entire Caribbean Basin.

    They didn’t have to look far.

    During that same year (2006), as SkyWay’s DC-9 was busy flying back and forth to South America, the George W. Bush Administration picked SkyWay’s landlord in Clearwater, VERINT, to install a $3 million telephone and Internet wiretapping center in Mexico, allowing authorities there to eavesdrop on every landline and cell phone call made in the country.

    But SkyWay’s DC-9 (N900SA) was just the first of two drug planes over an 18-month period from St. Petersburg-Clearwater International Airport caught carrying multi-ton loads of cocaine in Mexico with clear ties to the U.S. Government.

    The second drug plane, a Gulfstream II business jet (N987SA), had been cited by European authorities for flying extraordinary rendition missions for the CIA.

    As author and investigative journalist James Bamford, who has broken many stories on the NSA, reported:

    “In 2006 the Bush Administration entered into a quiet agreement with the Mexican Government to fund and build an enormous $3 million telephone and Internet eavesdropping vendor that would reach into every town and village in the country.”

    A press release heralding the contract read:

    “Comverse (which soon changed its name to VERINT) Selected by Telefonos de Mexico to Implement a Widespread Expansion of Voicemail Services.”

    Carlos Slim’s Telmex also issued a press release, which obliquely suggested the program had actually begun in 2003.

    “The purpose is to create swift investigative measures against organized crime,” said Mexican president Felipe Calderon at the time the deal was announced.

    And in a May 2007 story in the Los Angeles Times, Sam Enriquez reported:

    “Although the proposal stems from the president’s noble intention of efficiently fighting organized crime, the remedy seems worse than the problem.”

    “The system the Bush Administration chose for Mexico is similar to the warrant-less eavesdropping operation in the U.S., and used the same vendor, the Israeli company VERINT, founded by veterans of that country’s NSA, the hyper-secret Unit 9200.”

    “Paid for by the U.S. State Department, it was installed by a politically well-connected firm based in Melville, N.Y., that specializes in electronic surveillance.”

    The real SLIM’s Shady

    When Amado Carrillo Fuentes—known as Mexico’s “Lord of the Skies” for his vast armada of drug planes—died in 1997 while undergoing plastic surgery, he was worth $25 billion, according to the AP. In other words, during the time he largely ran the drug trade in Mexico, Fuentes was able to salt away $10 billion a decade.

    Contrasting his performance with that of Carlos Slim, it’s easy to see why Mexico’s richest oligarch’s links to the drug trade have been the subject of rumors for years.

    According to numerous published reports, at the turn of the millennium, Carlos Slim was worth between $6 and $7 billion. Mexico City’s May 7, 1999 La Jornada, for example, reported Slim’s fortune at “something like $6 billion.”

    Latin Trade magazine pegged Slim as being worth $7.2 billion.

    In other words, after working hard for more than 40 years, Carlos Slim was worth the hefty sum of $7 billion.

    Yet less than nine years later, when Slim made what became a highly-controversial investment in the New York Times in 2009, news accounts of the deal reported his net worth as being between $57 billion and $60 billion.

    It took Carlos Slim 40 years to make his first $7 billion. Less than ten years later he’d amassed an additional $50 billion.

    What kind of business offers profit margins of more than $5 billion a year? Certainly not cell phones. The conclusion is inescapable. Mexico’s richest man—who owned a chunk of The New York Times—is dirty.

    Inconvenient knowledge

    During the global financial crisis between 2008 and 2012, as Carlos Slim was expressing his touching commitment to a free press with a $250 million investment in the New York Times, one person spoke out.

    Antonio Maria Costa, head of the United Nations’ watchdog Office on Drugs and Crime, was impolitic enough to blurt out an inconvenient fact:

    “In the midst of the current world financial crisis, drug money is, in many instances, currently the only liquid investment capital,” Maria Costa told Reuters.

    “Money made in the illicit drug trade is being used to keep banks afloat in the global financial crisis. The drug trade at this time could be the world’s only growth industry.”

    Right about then, in the midst of a global depression, United Nations Drug Czar Antonio Maria Costa told reporters that the only thing keeping many major banks solvent was drug money, which provided the Western world’s only liquidity at the time.

    Divulging the inner workings of the drug trade—where the money goes—remains one of Western journalism’s major taboos.

    Typical news coverage today reports whose cartel is up, and which down, as if the drug trade were some kind of horse race reported by a supposedly-disinterested track announcer.

    The proceeds of the drug industry constitute the largest slush fund in the history of the world. Pursuing where that money ends up may be beyond the purview of journalistic efforts like The Pegasus Project.

    But it shouldn’t be.

    ———-

    “Pegasus Project’s ‘Modified Limited Hangout’” by Daniel Hopsicker; MadCowProd; 07/27/2021

    “In some shocking—and conveniently ignored—recent history, Carlos Slim, Mexico’s richest oligarch, between 2003 and 2007 was doing business with these same Israeli spyware vendors, which are all spin-offs from the intelligence unit of the Israeli Defense Forces, Unit 8200.”

    It is indeed remarkably convenient for the pre-NSO Group history of Carlos Slim, Verint, and Mexico’s use of Israeli spyware to be ignored. Because as we saw, it’s a history involving the governments of Mexico, Israel, and the US. A whole bunch of very conveniently timed arrangements took place in the 2003–2007 Bush-era period. First, we learn that Carlos Slim’s telecom monopoly in Mexico signed a contract with Israeli spyware firm Verint to spy on Slim’s network. This effectively meant Verint was spying on every phone in Mexico. Verint remains active to this day. In May 2018, Verint was reportedly in talks to merge with NSO Group. Those talks were announced as called off two months later (several months before Jamal Khashoggi’s assassination made NSO Group a problematic merger partner). That the two firms got that far along in merger talks is a sign of how close they are:

    ...
    Mexican oligarch and the country’s wealthiest man Carlos Slim had a partnership with Israeli intelligence-connected VERINT, which signed a contract to wiretap any phone in Mexico. Slim’s Telmex controlled almost all of Mexico’s landlines. Slim was also virtually the only cell phone provider.

    ...

    Who picked up the tab for VERINT’s contract in Mexico? The Administration of President George W. Bush.

    What does VERINT have to do with the subject of Project Pegasus, Israeli spyware company NSO Group? Just three years ago, in 2018, VERINT announced it was purchasing NSO for $1 billion. The buy-out was called off at the last minute, for undisclosed reasons, which only now become obvious.

    But it was anything but a hostile takeover.
    ...

    And Verint’s 2006 contract (then Comverse) to spy on Slim’s entire network was paid for by the Bush State Department. The fact that Telefonos de Mexico (Telmex) selected a company with roots in Israel’s Unit 9200 was touted in a press release. And then Telmex issued a press release indicating the eavesdropping program actually began in 2003. So Verint’s contract to spy on every phone in Mexico was paid for by the US State Department and started in 2003. This was the kind of stuff that was getting quietly underway in those early War on Terror years:

    ...
    As author and investigative journalist James Bamford, who has broken many stories on the NSA, reported:

    “In 2006 the Bush Administration entered into a quiet agreement with the Mexican Government to fund and build an enormous $3 million telephone and Internet eavesdropping vendor that would reach into every town and village in the country.”

    A press release heralding the contract read:

    “Comverse (which soon changed its name to VERINT) Selected by Telefonos de Mexico to Implement a Widespread Expansion of Voicemail Services.”

    Carlos Slim’s Telmex also issued a press release, which obliquely suggested the program had actually begun in 2003.

    “The purpose is to create swift investigative measures against organized crime,” said Mexican president Felipe Calderon at the time the deal was announced.

    And in a May 2007 story in the Los Angeles Times, Sam Enriquez reported:

    “Although the proposal stems from the president’s noble intention of efficiently fighting organized crime, the remedy seems worse than the problem.”

    “The system the Bush Administration chose for Mexico is similar to the warrant-less eavesdropping operation in the U.S., and used the same vendor, the Israeli company VERINT, founded by veterans of that country’s NSA, the hyper-secret Unit 9200.”

    “Paid for by the U.S. State Department, it was installed by a politically well-connected firm based in Melville, N.Y., that specializes in electronic surveillance.”
    ...

    But wiretapping Mexico on the US State Department’s tab is only part of what makes Verint such a fascinating company. As Hopsicker reminds us, it was none other than Verint who leased the land to SkyWay Aircraft. That was in 2003, when Verint — then called ECI Telecom — leased the land to SkyWay. It was April 2006 when SkyWay’s DC-9 (N900SA) was busted in the Yucatan on April 11, 2006 carrying a record—even for Mexico—seizure on an airplane, 5.5 tons of cocaine. And as Hopsicker has discussed many, many times, that plane is like the physical embodiment of the dark history of intelligence-protected drug-trafficking, going back to Oliver North’s Iran Contra operations:

    ...
    VERINT owned the corporate headquarters in Clearwater leased by SkyWay Aircraft, soon to be the proud owners of a DC-9 (N900SA) busted in the Yucatan on April 11, 2006 carrying a record—even for Mexico—seizure on an airplane, 5.5 tons of cocaine.

    So VERINT (in its earlier iteration as ECI Telecom) had leased a huge 78,000 square foot complex—large enough to later become a local college’s campus—to a company, SkyWay, in April 2003, which the company used to smuggle cocaine.

    And it did this while tapping every cell phone in Mexico.

    SkyWay had reported zero earnings during the previous quarter, according to SEC filings, and had exactly one employee.

    With that kind of credit score, it would be hard to qualify for a one-bedroom apartment in a shabby part of town. What gives? Maybe this:

    Shortly thereafter, SkyWay bought twin DC-9s, one of which had been recently “owned” by Ramy El-Batrawi, a Saudi lieutenant of Adnan Khashoggi’s. The two men’s Jetbourne Airlines flew missiles to Iran for Lt. Colonel Oliver North during the Iran Contra scandal.
    ...

    Adding to the evidence that SkyWay Aircraft was an intelligence-protected operation, the DC-9 (N900SA) was designed to impersonate official US DHS aircraft. And yet the plane was based at Clearwater-St Petersburg International Airport, which also housed a fleet of planes which belonged to U.S. Customs:

    ...
    A number of “anomalies” surrounded the massive seizure.

    One was that SkyWay’s busted DC-9 was impressively tricked out to impersonate aircraft from the U.S. Dept. of Homeland Security, complete with an official-looking Seal depicting an American eagle clutching a claw full of arrows.

    What makes this fact even more curious is that the plane was based at Clearwater-St Petersburg International Airport, which also housed a fleet of planes which belonged to U.S. Customs, and which were tasked with drug interdiction across the entire Caribbean Basin.

    They didn’t have to look far.

    During that same year (2006), as SkyWay’s DC-9 was busy flying back and forth to South America, the George W. Bush Administration picked SkyWay’s landlord in Clearwater, VERINT, to install a $3 million telephone and Internet wiretapping center in Mexico, allowing authorities there to eavesdrop on every landline and cell phone call made in the country.
    ...

    Oh, and the other SkyWay drug plane busted in a multi-ton cocaine bust during this period was previously used in CIA rendition missions. Keep in mind this was around 2006. Those were recent renditions:

    ...
    But SkyWay’s DC-9 (N900SA) was just the first of two drug planes over an 18-month period from St. Petersburg-Clearwater International Airport caught carrying multi-ton loads of cocaine in Mexico with clear ties to the U.S. Government.

    The second drug plane, a Gulfstream II business jet (N987SA), had been cited by European authorities for flying extraordinary rendition missions for the CIA.
    ...

    And that’s all the context for how Verint was used in 2006 when Mexico’s President Felipe Calderon unleashed Verint’s spyware during Mexico’s battle with the cartels. It was a battle on the side of one cartel. The Sinaloa Cartel. Taking down Sinaloa’s cartel enemies was how Verint’s spyware was used. Paid for by the State Department:

    ...
    When Mexican President Felipe Calderon sent thousands of troops and federal police to occupy Ciudad Juarez, today known as “Murder City,” it wasn’t just to intimidate journalists and human rights activists.

    The army of occupation came to Ciudad Juarez to throw its massive weight behind one side—the Sinaloa Cartel’s side—in the murderous drug war that had been raging for control of the Mexican economy’s biggest industry—and largest source of income—the drug trade.

    “The government declared war on us,” a Juarez Cartel leader tells a reporter in “To Die in Mexico,” a book by Mexico City journalist John Gibler.

    “Many of our members have been disappeared,” he continued. “We know that it was soldiers who took them out. They are covering for the other gang; they are protecting them.”

    “If the United States came in, maybe they’d lock us up,” he muses. “But here, no, they’re grabbing up and they’re killing us. That is what is happening; it’s an extermination.”

    The battle eventually resulted in defeat for the Juarez Cartel, at the cost of an estimated 20,000 lives.

    That’s how the Israeli spyware was used.

    ...

    The information from VERINT’s Israeli spyware allowed Mexican Presidents Vicente Fox and Felipe Calderon to render critical aid to the Sinaloa Cartel, then at war with every other cartel in Mexico.
    ...

    These kinds of tools aren’t just perfect for quiet government abuse. They’re also perfect for those networks and agendas where organized crime, intelligence, and power politics coincide. And while the organized crime/intelligence/power politics nexus isn’t exclusively occupied by fascists, it’s concentrated with them. And that’s all part of the context of the contemporary story of NSO Group, Candiru, and the rest of the global spyware industry. These tools really are the perfect tool for criminals. So, you know, maybe governments are actually using these perfect criminal tools to help their elite criminal friends. Maybe extensively. Maybe especially when the State Department is paying for it.

    Posted by Pterrafractyl | August 27, 2021, 1:45 am
  4. Here’s a recent story about another Israeli “commercial surveillance” company coming under international scrutiny. This time it’s Cellebrite, the maker of special UFED devices used by law enforcement agencies around the world to break into smartphones, including US law enforcement. Alarmingly, these devices have even been found for sale on eBay. And now Cellebrite’s investors are hoping to cash in on their cutting-edge technology by issuing a public offering. You too can own a slice of this cutting-edge spyware firm. The company is estimated to be worth $2.4 billion.

    But with the announced public offering comes a complication: people are starting to take note of who Cellebrite’s clients are and how they’ve been using these devices. Clients like Belarus, Indonesia, Saudi Arabia, and Bangladesh. Interestingly, Russia and China are also former Cellebrite clients, which is notable given all of the indications that the US is, at a minimum, quietly condoning Israel’s global sales of these tools, or outright paying for it, as was the case with the US State Department paying for Verint’s wiretapping of every phone in Mexico. But it’s the sale of Cellebrite’s tools to Bangladesh that has become a particularly sore point for the company’s public image. As the following piece by Richard Silverstein notes, Bangladesh’s Rapid Action Battalion of elite security forces has been known to engage in the torture and summary executions of gays, atheists, and political dissidents in a campaign that killed 465 people in 2018 alone. So Bangladesh has been unleashing what amounts to a state-sanctioned domestic terror campaign during the time Cellebrite has been selling the country exactly the kinds of tools that would facilitate that kind of domestic terror.

    As we should expect, with Cellebrite getting ready to go public, the company is now touting to the world how it refuses to sell its tools to countries with a human rights abuse track record, releasing a statement citing Bangladesh, Belarus, China, Hong Kong, Macau, Russia and Venezuela as examples of countries it refuses to sell to. As Silverstein points out, part of the reason Cellebrite listed all those countries is because they’re all former clients:

    “Cellebrite does not sell to countries sanctioned by the U.S., EU, UK or Israeli governments or that are on the Financial Action Task Force (FATF) blacklist,” Cellebrite said in its SEC filing.

    “We pursue only those customers who we believe will act lawfully and not in a manner incompatible with privacy rights or human rights. For example, we have chosen not to do business in Bangladesh, Belarus, China, Hong Kong, Macau, Russia and Venezuela partially due to concerns regarding human rights and data security, and we may in the future decide not to operate in other countries or with other potential customers for similar reasons,” the document said. The August filing included an update about the formation of an “Ethics and Integrity Committee,” whose mission “is expected to include advising on ethical considerations related to the use of our technologies.”

    Notice how Saudi Arabia wasn’t on that list. Given what we know about the direct actions the Israeli government took to ensure Saudi Arabia maintained a subscription to the NSO Group’s Pegasus super-spyware even after NSO Group dropped the Saudis in the wake of the global outrage over the killing of Jamal Khashoggi, it’s not absurd to assume that Cellebrite’s sales to Bangladesh are an important diplomatic tool. As Silverstein notes, in May of this year Israel was urging Bangladesh to normalize its relations with Israel. Those kinds of overtures become much more difficult when companies like Cellebrite are forced to cut off access in the face of public outrage. That’s all part of what makes this story of Cellebrite’s controversial public offering something to watch going forward. It’s the kind of transaction that could end up revealing aspects of these shadow relationships that are meant to be kept in the shadows:

    Tikun Olam

    As Cellebrite Pre­pares for Pub­lic Offer­ing, It’s Dirty Deeds Come Back to Haunt
    From Spy­ing on Putin and Lukashenko’s Ene­mies to Sum­ma­ry Exe­cu­tions in Bangladesh, the Israeli Spy­ware Com­pa­ny Has Blood on Its Hands

    by Richard Sil­ver­stein
    August 17, 2021

    The Israeli spy­ware com­pa­ny, Cellebrite is, along with its blood cousin, NSO Group, known in the cyber-sur­veil­lance sec­tor for pro­duc­ing the most advanced and intru­sive tech­nol­o­gy on the world mar­ket. They’re also among the prof­itable with mar­ket val­u­a­tions in the bil­lions. I’ve reg­u­lar­ly pro­filed the lat­ter com­pa­ny. But Cellebrite has evad­ed some of the more dam­ag­ing media expo­sure afflict­ing its dirty-ops cousin.

    As it pre­pares for a pub­lic offer­ing, the com­pa­ny is clean­ing up its act. Among the dirt­i­est of its clients have been Chi­na, Belarus, Indone­sia, Sau­di Ara­bia, and Bangladesh. Both Israeli com­pa­nies claim their prod­ucts are sold only to police agen­cies for the pur­pose of pre­vent­ing crime and cap­tur­ing crim­i­nals. But if that were ever the case, it is no longer. Cus­tomers are large­ly the secu­ri­ty ser­vices of repres­sive regimes seek­ing to iden­ti­fy and elim­i­nate legit­i­mate polit­i­cal dis­sent. Oh, and Cellebrite’s UFED device has even been list­ed for sale on eBay! So if you’re a ter­ror­ist or crim­i­nal seek­ing cyber-intel­li­gence on rivals or even your local police force, you know where to turn.

    86 Bangladeshi dis­si­dents have been dis­ap­peared by the Rapid Action Bat­tal­ion, a gov­ern­ment death squad

    The company’s flag­ship prod­uct is UFED, a device which, when con­nect­ed to a cell phone, can bypass its pass­word pro­tec­tion and encryp­tion to extract all its data and make it acces­si­ble to the client. US police depart­ments have spent mil­lions on it to gath­er evi­dence in crim­i­nal inves­ti­ga­tions. Even pub­lic schools have pur­chased the sys­tem to spy on their stu­dents. In Texas, a police offi­cer con­fis­cat­ed a student’s phone and used UFED to retrieve mes­sages between the lat­ter and a teacher which exposed a roman­tic rela­tion­ship and led to the teacher’s arrest.

    Bangladesh is a par­tic­u­lar­ly bru­tal exam­ple of Cellebrite’s clients. Since 2004, the country’s Rapid Action Bat­tal­ion has tar­get­ed gays, athe­ists, and polit­i­cal dis­si­dents in a cam­paign of sum­ma­ry exe­cu­tions, tor­ture, and dis­ap­pear­ances which killed 465 peo­ple in 2018 alone. A 2005 Human Rights Watch report said that it had killed 350 peo­ple in first year of its exis­tence. The Dha­ka Tri­bune attrib­uted near­ly 1,100 mur­ders to it from 2004–2008.

    An Israeli legal fil­ing protest­ing sale of the tech­nol­o­gy to Bangladesh not­ed:

    “Accord­ing to…human rights groups in Bangladesh…the Bangladesh secu­ri­ty forces have been accused of using drills to tor­ture their vic­tims, beat­ings, long deten­tions in sub­hu­man con­di­tions and even hang­ing peo­ple upside down,” Mack wrote, not­ing that there were also reports of vic­tims being shot in their knees; hav­ing their tes­ti­cles beat­en; their fin­ger­nails pulled out; their heads held under­wa­ter; along­side sex­u­al vio­lence, threats of rape and rape itself. “Mock and real exe­cu­tions,” the doc­u­ment also not­ed.

    As a Mus­lim coun­try, it does not offi­cial­ly do busi­ness with Israel. But the Israeli com­pa­ny eas­i­ly over­came that hur­dle by estab­lish­ing a Sin­ga­pore sub­sidiary which ful­filled the $350,000 con­tract, accord­ing to Al Jazeera. Nine secu­ri­ty agents were sent to Sin­ga­pore to train in the use of UFED. Nor is this an unusu­al com­mer­cial arrange­ment. Israeli spy mer­chants from Mat­ti Kochavi to NSO Group main­tain mul­ti­ple such cut-outs which per­mit them do bil­lions in busi­ness with Arab and Mus­lim coun­tries bypass­ing the boy­cott.

    Israeli human rights attor­ney, Eitay Mack, has cam­paigned for years to end the export of such dead­ly Israeli tech­nol­o­gy. The defense min­istry, which nom­i­nal­ly reviews and approves sales of advanced secu­ri­ty-mil­i­tary tech­nol­o­gy to for­eign nations, nev­er rejects such trade. After all, it is a huge mon­ey-mak­er for the Israeli econ­o­my. It also strength­ens rela­tion­ships between Israel and its client states (when you’re a pari­ah state, you need all the friends you can get).

    In fact, Cellebrite had done such a good job in assist­ing Bangladeshi death squads with their dirty work that the for­eign min­istry urged the coun­try to become the lat­est Mus­lim coun­try to nor­mal­ize rela­tions. Mack told me:

    On May 22, Gilad Cohen, Israel For­eign Ministry’s deputy direc­tor gen­er­al for Asia and the Pacif­ic, urged the Bangladesh gov­ern­ment to estab­lish diplo­mat­ic ties for the “ben­e­fit and pros­per­i­ty” of the peo­ple of the two coun­tries. [So] Celleberite’s announce­ment that it will stop sell­ing its hack­ing sys­tem to Bangladesh proves that the MOD [Min­istry of Defense] and these kinds of com­pa­nies only under­stand pub­lic and media pres­sure.

    When the min­istry refused to con­sid­er the moral ram­i­fi­ca­tions of sale of these prod­ucts, Mack turned to the Supreme Court. It too not only refused to act, it clamped a veil of secre­cy over all the pro­ceed­ings, includ­ing its deci­sions. Recent­ly, the Court has elim­i­nat­ed Mack’s recourse to it by rul­ing that it has no juris­dic­tion over mat­ters con­cern­ing the defense min­istry. That means he may no more bring such claims before it at all.

    ...

    While use of the spyware brings with it a trail of human suffering, the creators of the technology, like any venture capitalist, have only one thing in mind: profit. The quickest path to a big payday is taking your company public. It permits early investors and company founders to turn their company shares into cash or other types of liquid assets. In the case of Cellebrite, the SPAC will value the company at $2.4 billion. NSO, which has been treated brutally in the media after a recent exposé of spying on 50,000 cell phone numbers belonging to presidents, prime ministers and princes, hopes that a SPAC will enable it to avoid the process of finding a buyer willing to ignore all that terrible publicity.

    In preparation for the big day, Cellebrite is wiping all the blood off its hands and face. In its filings with the SEC it offers these soothing passages:

    “Cellebrite does not sell to countries sanctioned by the U.S., EU, UK or Israeli governments or that are on the Financial Action Task Force (FATF) blacklist,” Cellebrite said in its SEC filing.

    “We pursue only those customers who we believe will act lawfully and not in a manner incompatible with privacy rights or human rights. For example, we have chosen not to do business in Bangladesh, Belarus, China, Hong Kong, Macau, Russia and Venezuela partially due to concerns regarding human rights and data security, and we may in the future decide not to operate in other countries or with other potential customers for similar reasons,” the document said. The August filing included an update about the formation of an “Ethics and Integrity Committee,” whose mission “is expected to include advising on ethical considerations related to the use of our technologies.”

    That might sound good to an uninformed individual. But the reason the list of countries it refuses to do business with for ethical reasons is so long and impressive is that these are many of its most deadly former clients. Cellebrite had ditched many of these countries earlier, after Mack’s research exposed its sordid connection to them. But Bangladesh was one of the last dominoes to fall.

    Cellebrite, like NSO, can write a soothing, reassuring bit of prose for a public dubious of the heinous acts of which it’s accused. This is what it told Haaretz:

    …The company “is committed to ethics as part of its core values and practice of work and has developed a very strong compliance framework. Cellebrite has strict licensing policies and restrictions that govern how customers may utilize our technology. Our sales decisions are also guided by internal parameters, which consider a potential customer’s human rights record and anti-corruption policies.”

    The company is also following in NSO’s footsteps in telling the SEC it will create an ethics committee to guide its business decisions. In truth, the smooth talk and the pablum about ethics are a fig leaf for its ugly deeds. It hopes they will fool regulators and put them into a deep sleep.

    Yet another reason why Congress must act against this vile, bloodthirsty industry. As Sen. Ron Wyden and six House members have declared: there must be federal penalties imposed on the misuse of this technology. The penalties must also apply to the banks and private investors whose capital enables the spyware business to be so lucrative.

    ———-

    “As Cellebrite Prepares for Public Offering, Its Dirty Deeds Come Back to Haunt” by Richard Silverstein; Tikun Olam; 08/17/2021

    “That might sound good to an uninformed individual. But the reason the list of countries it refuses to do business with for ethical reasons is so long and impressive is that these are many of its most deadly former clients. Cellebrite had ditched many of these countries earlier, after Mack’s research exposed its sordid connection to them. But Bangladesh was one of the last dominoes to fall.”

    It’s a lot more complicated selling your multi-billion dollar spyware firm when everyone knows about the human rights abuses which are going to be committed with your spyware. But it gets even more complicated when that powerful spyware doubles as a powerful diplomatic tool. It’s one reason we probably shouldn’t be surprised Bangladesh was the last of Cellebrite’s ‘problem’ clients to get dropped. Ongoing diplomatic overtures are getting in the way:

    ...
    The company’s flagship product is UFED, a device which, when connected to a cell phone, can bypass its password protection and encryption to extract all its data and make it accessible to the client. US police departments have spent millions on it to gather evidence in criminal investigations. Even public schools have purchased the system to spy on their students. In Texas, a police officer confiscated a student’s phone and used UFED to retrieve messages between the latter and a teacher which exposed a romantic relationship and led to the teacher’s arrest.

    Bangladesh is a particularly brutal example of Cellebrite’s clients. Since 2004, the country’s Rapid Action Battalion has targeted gays, atheists, and political dissidents in a campaign of summary executions, torture, and disappearances which killed 465 people in 2018 alone. A 2005 Human Rights Watch report said that it had killed 350 people in the first year of its existence. The Dhaka Tribune attributed nearly 1,100 murders to it from 2004–2008.

    ...

    In fact, Cellebrite had done such a good job in assisting Bangladeshi death squads with their dirty work that the foreign ministry urged the country to become the latest Muslim country to normalize relations. Mack told me:

    On May 22, Gilad Cohen, Israel Foreign Ministry’s deputy director general for Asia and the Pacific, urged the Bangladesh government to establish diplomatic ties for the “benefit and prosperity” of the people of the two countries. [So] Cellebrite’s announcement that it will stop selling its hacking system to Bangladesh proves that the MOD [Ministry of Defense] and these kinds of companies only understand public and media pressure.

    ...

    And note how the US government could impose some sort of punishment on the banks and private investors in these companies. It could happen, but doesn’t happen. A kind of silent consent:

    ...
    Yet another reason why Congress must act against this vile, bloodthirsty industry. As Sen. Ron Wyden and six House members have declared: there must be federal penalties imposed on the misuse of this technology. The penalties must also apply to the banks and private investors whose capital enables the spyware business to be so lucrative.
    ...

    Again, don’t forget that when NSO Group belatedly dropped Saudi Arabia as a client following the global outrage over the assassination of Jamal Khashoggi, it wasn’t just the Israeli government that pressured NSO Group to keep its Saudi clients. The Trump administration also reportedly wanted the Saudis to maintain access to the company’s spyware. And that’s why it’s hard to take Cellebrite’s pledges of being better seriously. The company isn’t really in a position to make these decisions on its own.

    Plus, the fact that this industry has a habit of setting up shadow subsidiaries in order to get around export restrictions doesn’t exactly lend confidence to the idea that Cellebrite has suddenly turned over a new leaf:

    ...
    As a Muslim country, it does not officially do business with Israel. But the Israeli company easily overcame that hurdle by establishing a Singapore subsidiary which fulfilled the $350,000 contract, according to Al Jazeera. Nine security agents were sent to Singapore to train in the use of UFED. Nor is this an unusual commercial arrangement. Israeli spy merchants from Matti Kochavi to NSO Group maintain multiple such cut-outs which permit them to do billions in business with Arab and Muslim countries, bypassing the boycott.
    ...

    You can build a secretive spyware firm, and you can take your company public, but taking a super secret spyware firm public is obviously a lot easier said than done. And yet, as Cellebrite is poised to demonstrate, it’s apparently doable.

    Posted by Pterrafractyl | August 29, 2021, 6:33 pm
  5. Here’s one of those stories that should immediately prompt a ‘waiting for the other shoe to drop’ feeling:

    The US Air Force’s first chief software officer just announced his resignation. But that wasn’t the only announcement in Nicolas Chaillan’s resignation letter. Beyond the expected charges of institutional inertia, Chaillan accused the Air Force of borderline criminal negligence when it comes to basic IT security practices, starting with the habit of putting mid-ranking generalist officers in charge of specialist projects. But it’s his complaint on fiscal-related issues that is perhaps the most shocking: The Air Force apparently couldn’t come up with the $20 million for 2022 for the main project Chaillan has been working on. Yep, the US military just couldn’t find the money. After being repeatedly told that the project he was working on was critical and being asked to develop a “minimum viable product” (MVP) — a scaled down basic version of a new software tool designed to be released with basic features in order to get user feedback — in just four months, and after a massive undertaking and investment in the project, the Air Force told Chaillan that actually the $20 million won’t be there after all.

    That painful disappointment was clearly a big driver in Chaillan’s decision to resign. But note that this project wasn’t exclusively an Air Force project. It was a Joint All-Domain Command and Control (JADC2) Department of Defense-wide project focused on making sure data can be seamlessly shared across platforms. Which was obviously a wildly important project impacting the entire US military. That’s the project the Air Force couldn’t find $20 million for next year. So on top of all the expected reasons for Pentagon challenges with IT security — some understandable and some less so — we can add a reason that has no fathomable justification: that the US military somehow couldn’t find the money:

    The Register

    US Air Force chief software officer quits after launching Hellfire missile of a LinkedIn post at his former bosses
    Too many inexperienced project managers and not enough DevSecOps

    Gareth Corfield
    Fri 3 Sep 2021 // 18:14 UTC

    The US Air Force’s first ever chief software officer has quit the job after branding it “probably the most challenging and infuriating of my entire career” in a remarkably candid blog post.

    Nicolas Chaillan’s impressively blunt leaving note, which he posted to his LinkedIn profile, castigated USAF senior hierarchy for failing to prioritise basic IT issues, saying: “A lack of response and alignment is certainly a contributor to my accelerated exit.”

    Chaillan took on his chief software officer role in May 2019, having previously worked at the US Department of Defense rolling out DevSecOps practices to the American military. Before that he founded two companies.

    In his missive, Chaillan also singled out a part of military culture that features in both the US and the UK: the practice of appointing mid-ranking generalist officers to run specialist projects.

    “Please,” he implored, “stop putting a Major or Lt Col (despite their devotion, exceptional attitude, and culture) in charge of ICAM, Zero Trust or Cloud for 1 to 4 million users when they have no previous experience in that field – we are setting up critical infrastructure to fail.”

    The former chief software officer continued:

    We would not put a pilot in the cockpit without extensive flight training; why would we expect someone with no IT experience to be close to successful? They do not know what to execute on or what to prioritize which leads to endless risk reduction efforts and diluted focus. IT is a highly skilled and trained job; staff it as such.

    In the British armed forces mid-ranking officers are posted, regardless of qualifications or professional experience, to manage equipment-purchasing projects for the Ministry of Defence. These postings are of fixed length and last for two years, meaning any project that takes more than two years has the potential to end up turning into a hugely expensive and unproductive mess. The origin of this policy was a 1980s corruption scandal where a civil servant overseeing a long-term MoD contract was caught accepting bribes; to prevent it happening again, senior personnel decided to implement the two-year-posting policy.

    Chaillan went on to complain that while he had managed to roll out DevSecOps practices within his corner of US DoD, his ability to achieve larger scale projects was being hampered by institutional inertia.

    “I told my leadership that I could have fixed Enterprise IT in 6 months if empowered,” he wrote.

    Among the USAF’s sins-according-to-Chaillan? The service is still using “outdated water-agile-fall acquisition principles to procure services and talent”, while he lamented the failure of the Joint All-Domain Command and Control (JADC2) to secure its required $20m funding in the USAF’s FY22 budget.

    He was also quite scathing about the USAF’s adoption – or lack thereof – of DevSecOps, the trendy name for efforts to make developers include security-related decisions at the same time as product-related decisions when writing new software. It appears the service wasn’t quite as open-minded as its overseers in the wider DoD.

    “There is absolutely no valid reason not to use and mandate DevSecOps in 2021 for custom software,” wrote Chaillan. “It is borderline criminal not to do so. It is effectively guaranteeing a tremendous waste of taxpayer money and creates massive cybersecurity threats but also prevents us from delivering capabilities at the pace of relevance, putting lives at risk, and potentially preventing capabilities to be made available when needed whenever world events demand, many times overnight.”

    Doubtless his full post will chime with anyone else in a senior post at a tech company who eventually becomes fed-up enough not only to quit but also to tell the wider world exactly why.

    ...

    ———–

    “US Air Force chief software officer quits after launching Hellfire missile of a LinkedIn post at his former bosses” by Gareth Corfield; The Register; 09/03/2021

    “Please,” he implored, “stop putting a Major or Lt Col (despite their devotion, exceptional attitude, and culture) in charge of ICAM, Zero Trust or Cloud for 1 to 4 million users when they have no previous experience in that field – we are setting up critical infrastructure to fail.”

    Are people with no IT security experience being put in charge of major IT projects for the military and setting up future military IT disasters? That’s what Chaillan is accusing the Air Force of doing. Which might also partially explain the opposition to DevSecOps practices that avoid the kind of security nightmares Chaillan is warning us about:

    ...
    Chaillan went on to complain that while he had managed to roll out DevSecOps practices within his corner of US DoD, his ability to achieve larger scale projects was being hampered by institutional inertia.

    “I told my leadership that I could have fixed Enterprise IT in 6 months if empowered,” he wrote.

    ...

    He was also quite scathing about the USAF’s adoption – or lack thereof – of DevSecOps, the trendy name for efforts to make developers include security-related decisions at the same time as product-related decisions when writing new software. It appears the service wasn’t quite as open-minded as its overseers in the wider DoD.

    “There is absolutely no valid reason not to use and mandate DevSecOps in 2021 for custom software,” wrote Chaillan. “It is borderline criminal not to do so. It is effectively guaranteeing a tremendous waste of taxpayer money and creates massive cybersecurity threats but also prevents us from delivering capabilities at the pace of relevance, putting lives at risk, and potentially preventing capabilities to be made available when needed whenever world events demand, many times overnight.”
    ...

    But of all of Chaillan’s complaints, the fact that the Air Force couldn’t find the money to fund a project its first chief software officer was working on is perhaps the most shocking. One doesn’t associate the US Air Force with being short on cash:

    ...
    Among the USAF’s sins-according-to-Chaillan? The service is still using “outdated water-agile-fall acquisition principles to procure services and talent”, while he lamented the failure of the Joint All-Domain Command and Control (JADC2) to secure its required $20m funding in the USAF’s FY22 budget.
    ...

    And as the following article describes, that Joint All-Domain Command and Control (JADC2) project the Air Force couldn’t find the money for in 2022 wasn’t just a random project. It was the project the Air Force had been telling Chaillan was absolutely critical, and they made a huge investment in creating a minimum viable product (MVP) version of the project in a matter of months to meet those needs. After all that, Chaillan was told the money wasn’t going to be there. The Air Force can’t find the money. It’s like the DoD was trolling him. The kind of trolling that might trigger an angry public resignation:

    FCW

    Air Force chief software officer to resign

    By Lauren C. Williams
    Sep 02, 2021

    The Air Force’s first chief software officer, Nicolas Chaillan, will step down from his role in October, FCW has learned. His last day is planned for Oct. 2.

    “We are the largest software organization on the planet, and we have almost no shared repositories and little to no collaboration across DOD Services,” Chaillan wrote in a resignation memo obtained by FCW.

    “At this point, I am just tired of continuously chasing support and money to do my job. My office still has no billet and no funding, this year and the next.”

    Chaillan started his position in 2018 with the mission of making DevSecOps the standard business practice and expanding the Kessel Run software factory model across the Air Force. He noted that the job was “probably the most challenging and infuriating of my entire career” but also “impactful” and “rewarding.”

    Since joining the Air Force tech leadership, Chaillan’s team has most notably helped stand up Platform One, which aims to make it easier for organizations to create software factories and to deploy trusted code to warfighters with certified tools. Chaillan’s team was also behind migrating Kubernetes to the F‑16 fighter jet. (Chaillan was named a Fed100 award winner in 2021 for his work with Platform One.)

    Before becoming the Air Force CSO, he served as a lead on DOD’s enterprise DevSecOps initiative and cloud security advisor to the undersecretary of defense for acquisition and sustainment in the Office of the Secretary of Defense.

    In the memo, Chaillan noted that lack of funding along with DOD bureaucracy left his office and its mission “unempowered to fix basic IT issues.” Specifically, the software chief named his recent task of helping the Joint Chiefs of Staff with its efforts on Joint All Domain Command and Control, a DOD-wide effort to make sure data can be seamlessly shared across platforms.

    “They wanted me to help deliver a minimum viable product (MVP) within four months so that we would finally have a tangible deliverable to show for JADC2,” Chaillan wrote.

    “After a massive undertaking and development of a scope of work, based on demands from our warfighters and [combatant commands], I had just started the work and built-up excitement with teams and our mission partners, when I was told by the Joint Staff that there was no [fiscal year 2022] funding to support the MVP after all. After all the talk and continued assertions that this was critical work, DOD could not even find $20 [million] to build tremendously beneficial warfighter capabilities.”

    Chaillan has been vocal about DOD leaders making good on their rhetoric. In an Air Force Magazine interview earlier this month, he said “the leadership in the department always says the right things,” but “it’s a little bit harder to walk the walk.”

    ...

    ————

    “Air Force chief software officer to resign” by Lauren C. Williams; FCW; 09/02/2021

    “In the memo, Chaillan noted that lack of funding along with DOD bureaucracy left his office and its mission “unempowered to fix basic IT issues.” Specifically, the software chief named his recent task of helping the Joint Chiefs of Staff with its efforts on Joint All Domain Command and Control, a DOD-wide effort to make sure data can be seamlessly shared across platforms.”

    One would think a DOD-wide effort to make sure data can be seamlessly shared across platforms would be the kind of project that gets budget priority. Nope. The DoD couldn’t find the $20 million. This is after they asked Chaillan, the Air Force’s first ever chief software officer, to help with the project. And then they told him they couldn’t find the $20 million. Non-seamless communication it is then:

    ...
    “They wanted me to help deliver a minimum viable product (MVP) within four months so that we would finally have a tangible deliverable to show for JADC2,” Chaillan wrote.

    “After a massive undertaking and development of a scope of work, based on demands from our warfighters and [combatant commands], I had just started the work and built-up excitement with teams and our mission partners, when I was told by the Joint Staff that there was no [fiscal year 2022] funding to support the MVP after all. After all the talk and continued assertions that this was critical work, DOD could not even find $20 [million] to build tremendously beneficial warfighter capabilities.”
    ...

    Keep in mind that when the DoD said it couldn’t find $20 million for 2022 to support this project, it sounds like that money was just for building the scaled down MVP. The full project would obviously cost much more. But that’s possibly part of what enraged Chaillan. If the DoD can’t even come up with the money for a pilot project, what are the odds it’s going to be able to commit itself to the full project?

    But there’s another obvious possibility in terms of what drove the Air Force to pull the plug on Chaillan’s JADC2 pilot project: someone wants to redirect that project towards somewhere else. It could be an intra-bureaucratic turf war. Or perhaps someone has a private contractor in mind?

    And that brings us to the other major story that can’t be ignored in the context of the Air Force’s inability to commit to the JADC2 project: the Pentagon’s announcement in July that it was canceling Microsoft’s giant $10 billion JEDI contract that would accomplish much of what JADC2 would do in creating interoperability across the DoD’s IT systems. As we’ll see, when the DoD announced they were canceling the JEDI contract, JADC2’s overlapping capabilities were cited in the first paragraph of the press release giving the reasoning for the decision.

    Instead of Microsoft having the JEDI contract, it sounds like it’s going to be divided up between multiple vendors, meaning competitors like Amazon and Palantir suddenly got a new opportunity to compete for slices of that JEDI contract.

    So when we’re forced to interpret Chaillan’s public warning about the state of the military’s IT deficiencies, keep in mind that the pulling of the plug on Chaillan’s JADC2 project may have been one of the casualties in a giant contractor turf war that opened up after Microsoft lost the JEDI contract:

    The New York Times

    Pentagon Cancels a Disputed $10 Billion Technology Contract

    The decision puts an end to years of legal wrangling over the contract, for 10 years of cloud-computing services.

    By Kate Conger and David E. Sanger
    July 6, 2021

    The Defense Department said on Tuesday that it would not go forward with a lucrative cloud-computing contract that had become the subject of a contentious legal battle amid claims of interference by the Trump administration.

    The Pentagon had warned Congress in January that it might walk away from the contract if a federal court agreed to consider whether former President Donald J. Trump interfered in a process that awarded the $10 billion contract to Microsoft over its tech rival Amazon, saying that the question would result in lengthy litigation and untenable delays.

    The Defense Department said in a news release on Tuesday that the contract for the Joint Enterprise Defense Infrastructure, known as JEDI, “no longer meets its needs,” but it said it would solicit bids from Amazon and Microsoft on future cloud-computing contracts.

    The Pentagon statement made for a quiet end to years of legal wrangling and dueling technology claims over what many considered to be the marquee contract for providing cloud-computing services to the federal government.

    A senior administration official said that soon after the Biden administration took office, it began a review that quickly concluded that the costly arguments over JEDI had been so lengthy that the system would be outdated as soon as it was deployed.

    “With the shifting technology environment, it has become clear that the JEDI cloud contract, which has been long delayed, no longer meets the requirements to fill the D.O.D.’s capability gaps,’’ the Pentagon said in an announcement.

    Instead, the Pentagon proposed a new cloud architecture called the Joint Warfighter Cloud Capability. And the Pentagon made clear that only Microsoft and Amazon Web Services had the capacity to build it. The Pentagon’s announcement suggested that it would buy technology from both companies, rather than awarding one large contract to a single provider, as it had for JEDI.

    Security concerns also played a role in the decision to seek cloud services from multiple companies, officials say. Recent breaches of cloud services have made it clear that there are vulnerabilities, and the Pentagon did not want to be dependent on one company for its technology.

    The Defense Department’s decision represents a Pyrrhic victory for Amazon, which is the leading provider of commercial cloud-computing services and already has provided services to other parts of the federal government, such as the Central Intelligence Agency.

    The decision also comes days after Andy Jassy, the former head of Amazon’s cloud business, took over as chief executive from Amazon’s founder, Jeff Bezos. The appointment of Mr. Jassy accentuated the importance of cloud computing to big tech companies, which have built giant data centers all over the world to accommodate new business and government customers.

    The 10-year JEDI contract was awarded to Microsoft in 2019 after a fight among Amazon and other tech giants for the deal to modernize the military’s cloud-computing systems. Much of the military operates on outdated computer systems, and the Defense Department has spent billions of dollars trying to modernize those systems while protecting classified material.

    Although some companies, including the business software company Oracle, lobbied for the Pentagon to break the contract into pieces and award them to multiple suppliers, the Defense Department pressed forward with its plan to use a single cloud provider, believing that would be the most seamless and secure approach.

    Because of the size and security requirements of the JEDI contract, Amazon was widely considered the front-runner. When the award fell to Microsoft, Amazon sued to block the contract, arguing that Microsoft did not have the technical capabilities to fulfill the military’s needs and that the process had been biased against Amazon because of Mr. Trump’s repeated criticisms of Mr. Bezos, who also owns The Washington Post.

    “For Microsoft, this went from a lottery deal to a court nightmare,” said Daniel Ives, the managing director of equity research at Wedbush Securities. Microsoft said that Amazon’s claims of bias lacked evidence and that it was prepared to provide the necessary technology to the military, while the Defense Department said Mr. Trump had not played a role in the decision.

    The Washington Post aggressively covered the Trump administration, and Mr. Trump often referred to the newspaper as the “Amazon Washington Post” and accused it of spreading “fake news.” He also said companies besides Amazon should be considered for the JEDI contract, and Amazon argued he had used “improper pressure” to sway the Pentagon as it selected a technology vendor.

    In April, a federal court said it could not dismiss the possibility that Mr. Trump had meddled in the process. The court’s ruling set the stage for the Pentagon, which had argued that the extensive delays surrounding the contract caused national security concerns, to walk away from the contract.

    “We understand and agree with the D.O.D.’s decision. Unfortunately, the contract award was not based on the merits of the proposals and instead was the result of outside influence that has no place in government procurement,” said Drew Herdener, a spokesman for Amazon. “We look forward to continuing to support the D.O.D.’s modernization efforts and building solutions that help accomplish their critical missions.”

    As the Biden administration examined the yearslong effort to build a computing cloud, officials said they came to two conclusions: The legal challenges to JEDI could stretch on for years, and the technological concept was already outdated. Agencies that previously were using a single cloud provider — including the C.I.A. — were now looking for multiple providers. Even inside the military, the Army, Navy, Air Force and other services were already looking at building their own clouds.

    ...

    Nor did the Pentagon refer to the growing concerns about the security of cloud services. While such services are generally considered safer than storing data on individual computer servers, some major breaches over the past year have raised new worries about vulnerabilities of software used by both the Pentagon and by defense contractors.

    ...

    ———-

    “Pen­ta­gon Can­cels a Dis­put­ed $10 Bil­lion Tech­nol­o­gy Con­tract” by Kate Con­ger and David E. Sanger; The New York Times; 06/06/2021

    The 10-year JEDI con­tract was award­ed to Microsoft in 2019 after a fight among Ama­zon and oth­er tech giants for the deal to mod­ern­ize the military’s cloud-com­put­ing sys­tems. Much of the mil­i­tary oper­ates on out­dat­ed com­put­er sys­tems, and the Defense Depart­ment has spent bil­lions of dol­lars try­ing to mod­ern­ize those sys­tems while pro­tect­ing clas­si­fied mate­r­i­al.”

    Microsoft won the big JEDI contract in 2019 to build the US military’s unified cloud. But the Biden administration put the JEDI program on ice, allowing the Pentagon to reimagine the military’s shared cloud under a multi-service-provider model. Microsoft and Amazon are both going to build the Joint Warfighter Cloud Capability (JWCC) next-generation military cloud. And while concerns about the Trump administration’s skewing of the bidding process against Amazon may have played a role in this decision, concerns about the inherent security risks of using a sole cloud provider also played a role...along with the fact that there have been so many mega security scares of late. If no cloud can truly be relied on, the next best option is to rely on many different clouds to minimize the inevitable damage:

    ...
    Instead, the Pen­ta­gon pro­posed a new cloud archi­tec­ture called the Joint Warfight­er Cloud Capa­bil­i­ty. And the Pen­ta­gon made clear that only Microsoft and Ama­zon Web Ser­vices had the capac­i­ty to build it. The Pentagon’s announce­ment sug­gest­ed that it would buy tech­nol­o­gy from both com­pa­nies, rather than award­ing one large con­tract to a sin­gle provider, as it had for JEDI.

    Secu­ri­ty con­cerns also played a role in the deci­sion to seek cloud ser­vices from mul­ti­ple com­pa­nies, offi­cials say. Recent breach­es of cloud ser­vices have made it clear that there are vul­ner­a­bil­i­ties, and the Pen­ta­gon did not want to be depen­dent on one com­pa­ny for its tech­nol­o­gy.

    ...

    Nor did the Pen­ta­gon refer to the grow­ing con­cerns about the secu­ri­ty of cloud ser­vices. While such ser­vices are gen­er­al­ly con­sid­ered safer than stor­ing data on indi­vid­ual com­put­er servers, some major breach­es over the past year have raised new wor­ries about vul­ner­a­bil­i­ties of soft­ware used by both the Pen­ta­gon and by defense con­trac­tors.
    ...

    But even com­part­men­tal­ized clouds pro­vid­ed by sep­a­rate con­trac­tors are still going to all have to inter­op­er­ate if the JEDI vision of seam­less inter­op­er­abil­i­ty is going to be real­ized. Com­part­men­tal­ized, seam­less inter­op­er­abil­i­ty. In oth­er words, you’re still going to need the kind of func­tion­al­i­ty Nico­las Chail­lan’s team was work­ing on for the Pen­tagon’s JADC2 project.

    And as the following Seeking Alpha investment article reminded us shortly after the Pentagon canceled the JEDI contract, if there’s one company out there in the commercial sector that is poised to fuse together the different components of the military’s cloud, it’s Palantir. And yes, it’s a Palantir cheerleader piece by someone who wants Palantir’s stock to rise. But you can’t argue with them when they point out that Palantir is already a top favored software provider for the US military and has been building and integrating software across different branches of the military and intelligence community for years. Through a series of bad decisions made with increasing frequency over the years, Palantir has become one of the key software providers for the US national security state, and connecting larger numbers of databases into a single analytical platform is one of the company’s specialties. In other words, if it turns out that the reason the Air Force suddenly ‘couldn’t find’ the $20 million needed for Chaillan’s JADC2 pilot project was because someone at the Pentagon has an alternative commercial provider for those kinds of services in mind, there’s a very good chance the provider they have in mind is Palantir:

    Seek­ing Alpha

    JEDI Can­ce­la­tion By The Pen­ta­gon Could Become Palan­tir’s Biggest Gain

    Steven Fio­r­il­lo
    Jul. 13, 2021 9:00 AM ET

    Sum­ma­ry

    * The $10 bil­lion JEDI Con­tract has been can­celed and will be recon­struct­ed by uti­liz­ing mul­ti­ple ven­dors instead of one enti­ty.
    * Joint All-Domain Com­mand and Con­trol and AI and Data Accel­er­a­tion are new ini­tia­tives respon­si­ble for the Pen­tagon’s deci­sion to can­cel JEDI and they fall into Palan­tir’s wheel­house.
    * In Q2 2021, Palan­tir has signed 16 new con­tracts with Uncle Sam with the poten­tial of being worth over $200 mil­lion.
    * Palan­tir is my largest con­vic­tion posi­tion for the 2020s and I am more bull­ish than ever for their future.

    Palan­tir (NYSE:PLTR) has become a bat­tle­ground stock on Seek­ing Alpha. Since my last PLTR arti­cle on 5/27/21, thir­ty-four have been pub­lished. Both the bear­ish and bull­ish view­points are filled with con­vic­tion, and only time will tell which camp is cor­rect. Among Seek­ing Alpha con­trib­u­tors, there is an over­all neu­tral rat­ing with a score of 3.42, and the sen­ti­ment is mutu­al on Wall Street as the aver­age score is 2.77 putting PLTR on neu­tral ground there as well. I believe the bears are incor­rect, and going into Q2 earn­ings, I am more bull­ish than ever on PLTR. Since my ini­tial block of shares I pur­chased as the direct offer­ing hit the Street, my cost basis has increased as I con­tin­u­ous­ly add to my posi­tion in PLTR. This is my largest con­vic­tion invest­ment for future cap­i­tal appre­ci­a­tion.

    I have read all the bear­ish arti­cles on Seek­ing Alpha because I like to chal­lenge my invest­ment the­sis. There is always a pos­si­bil­i­ty that I am incor­rect so read­ing oppos­ing views is crit­i­cal to indi­cate if I am miss­ing vital infor­ma­tion that could impact my bull­ish sen­ti­ment. After doing the home­work, I am more bull­ish than ever on PLTR and will con­tin­ue to add shares at more than dou­ble the price I ini­tial­ly paid when the Direct List­ing occurred. In my opin­ion, the bears are lack­ing vision and aren’t con­nect­ing the dots. Huge news just broke about the Pen­ta­gon can­cel­ing the JEDI Con­tract, leav­ing the door wide open for PLTR. Entire indus­tries are being con­nect­ed and mod­ern­ized through PLTR’s soft­ware, and some­times tak­ing a step back to con­nect the dots can reveal a rev­o­lu­tion­ary pic­ture. PLTR is a vision­ary com­pa­ny mak­ing the soft­ware of tomor­row. I believe we’re in the ear­ly innings, and through­out the 2020s, PLTR will evolve into one of the most impor­tant soft­ware com­pa­nies.

    The JEDI Con­tract can­cel­la­tion is leav­ing the door wide open for Palan­tir as its new ini­tia­tives fall right in Palan­tir’s wheel­house

    The Joint Enter­prise Defense Infra­struc­ture (JEDI) con­tract was a $10 bil­lion cloud com­put­ing con­tract through the Unit­ed States Depart­ment of Defense (DoD). On 9/4/2020, the DOD reaf­firmed the JEDI Con­tract award to Microsoft (NASDAQ:MSFT) after being sued by Ama­zon (NASDAQ:AMZN). The JEDI Cloud con­tract is a firm-fixed-price, indef­i­nite-deliv­ery/in­def­i­nite-quan­ti­ty con­tract that would have made a full range of cloud com­put­ing ser­vices avail­able to the DoD. JEDI was intend­ed to mod­ern­ize the Pen­tagon’s IT oper­a­tions through an attempt to bring thou­sands of DoD sys­tems under one umbrel­la. The over­all goal of this mas­sive under­tak­ing was to pro­vide real-time data ana­lyt­ics across the board to giv­ing the Pen­ta­gon every advan­tage through mod­ern tech­nol­o­gy.

    The Pen­ta­gon recent­ly can­celed the JEDI con­tract award to MSFT and will be launch­ing a mul­ti­ven­dor cloud com­put­ing con­tract. On 7/6/21, the DoD released a state­ment con­firm­ing the can­ce­la­tion of JEDI, which includ­ed this quote from John Sher­man, act­ing DoD Chief Infor­ma­tion Offi­cer:

    “JEDI was devel­oped at a time when the Depart­men­t’s needs were dif­fer­ent and both the CSPs tech­nol­o­gy and our cloud con­ver­san­cy was less mature. In light of new ini­tia­tives like JADC2 and AI and Data Accel­er­a­tion (ADA), the evo­lu­tion of the cloud ecosys­tem with­in DoD, and changes in user require­ments to lever­age mul­ti­ple cloud envi­ron­ments to exe­cute mis­sion, our land­scape has advanced and a new way-ahead is war­rant­ed to achieve dom­i­nance in both tra­di­tion­al and non-tra­di­tion­al warfight­ing domains.”

    While the DoD was can­cel­ing the JEDI Con­tract, IBM (NYSE:IBM) had a Palan­tir for Cloud Pak Event with an exclu­sive demo. This round­table event includ­ed key employ­ees from IBM and PLTR and dis­cussed trans­form­ing busi­ness with AI. The pre­sen­ta­tion includ­ed a sup­ply chain demo, use case dis­cus­sions, and a Q&A ses­sion with rep­re­sen­ta­tives from both IBM and PLTR.

    After research­ing every­thing that has occurred and learn­ing that the DoD will launch a mul­ti­ven­dor cloud com­put­ing con­tract, I can’t help but envi­sion PLTR pick­ing up addi­tion­al con­tracts. The DoD was explic­it­ly clear that their new ini­tia­tives includ­ed JADC2 (Joint All-Domain Com­mand and Con­trol) and AI and Data Accel­er­a­tion (ADA). In an offi­cial doc­u­ment from the Con­gres­sion­al Research Ser­vice, it states:

    “Joint All-Domain Com­mand and Con­trol (JADC2) is the Depart­ment of Defense’s (DOD’s) con­cept to con­nect sen­sors from all of the mil­i­tary ser­vices-Air Force, Army, Marine Corps, Navy, and Space Force-into a sin­gle net­work.”

    With the JEDI con­tract being dis­man­tled and the DoD tak­ing a mul­ti-ven­dor approach to accom­plish its pre­vi­ous goals and tack­le its new ini­tia­tives, it looks like sev­er­al roads will lead to PLTR. We know for cer­tain that JADC2 and ADA are top pri­or­i­ties and the main rea­sons why the JEDI Con­tract was can­celed. PLTR is already the main provider of soft­ware to the DoD. It has direct rela­tion­ships and con­tracts with the Unit­ed States Air Force, Depart­ment of Defense, Unit­ed States Army, Unit­ed States Navy, Unit­ed States Spe­cial Oper­a­tions Forces, and the Unit­ed States Coast Guard. Over the years, PLTR has become one of the lead­ing, if not the lead­ing, soft­ware ven­dor to the Pen­ta­gon and its indi­vid­ual branch­es. The descrip­tion of JADC2 and ADA sound like the DoD went to PLTR’s Q1 2021 pre­sen­ta­tion and used slide 19 for their descrip­tions:

    “In Q1 2021, Palantir’s software was leveraged in the Global Information Dominance Experiment, enabling all 11 DoD Combatant Commands to generate globally integrated, strategic decision advantage from intelligence, operations, logistics, and supply data advanced by AI / ML.”

    In addi­tion to direct con­tracts through­out the DoD, PLTR also signed a major con­tract with the Depart­ment of Ener­gy on 3/31/21 with an ini­tial con­tract oblig­a­tion of $7 mil­lion. The Nation­al Nuclear Secu­ri­ty Admin­is­tra­tion (NNSA), which is a depart­ment with­in the Depart­ment of Ener­gy, select­ed PLTR to pro­vide their Office of Safe­ty, Infra­struc­ture, and Oper­a­tions with a soft­ware plat­form for NNSA’s Safe­ty Ana­lyt­ics, Fore­cast­ing, and Eval­u­a­tion Report­ing project named SAFER. The SAFER pro­gram will advance NNSA’s mis­sion of man­ag­ing nuclear secu­ri­ty.

    PLTR was select­ed to safe­guard the Unit­ed States nuclear stock­pile and has been select­ed to devel­op and inte­grate soft­ware through­out the Unit­ed States mil­i­tary branch­es. The can­ce­la­tion of the JEDI con­tract seems like a sig­nif­i­cant oppor­tu­ni­ty for PLTR, in my opin­ion. PLTR has been putting all of the pieces togeth­er to con­nect every aspect of our gov­ern­ment defense capa­bil­i­ties. The new ini­tia­tives from the Pen­ta­gon seem like an open invi­ta­tion for PLTR. I do not know what the gov­ern­ment will do, but when you look at what has recent­ly occurred and PLTR’s pre­vi­ous con­tracts with the gov­ern­ment, it’s not far-fetched that these new ini­tia­tives play right into PLTR’s wheel­house. The JEDI con­tract was worth $10 bil­lion, and with it being scrapped and becom­ing a mul­ti­ven­dor oppor­tu­ni­ty, I believe PLTR will get a por­tion of that pie.

    ...

    ———-

    “JEDI Can­ce­la­tion By The Pen­ta­gon Could Become Palan­tir’s Biggest Gain” by Steven Fio­r­il­lo; Seek­ing Alpha; 07/13/2021

    “PLTR was selected to safeguard the United States nuclear stockpile and has been selected to develop and integrate software throughout the United States military branches. The cancelation of the JEDI contract seems like a significant opportunity for PLTR, in my opinion. PLTR has been putting all of the pieces together to connect every aspect of our government defense capabilities. The new initiatives from the Pentagon seem like an open invitation for PLTR. I do not know what the government will do, but when you look at what has recently occurred and PLTR’s previous contracts with the government, it’s not far-fetched that these new initiatives play right into PLTR’s wheelhouse. The JEDI contract was worth $10 billion, and with it being scrapped and becoming a multivendor opportunity, I believe PLTR will get a portion of that pie.”

    Again, it was nev­er a good idea to allow a fas­cist-found­ed com­pa­ny like Palan­tir to devel­op such a cen­tral role in the US nation­al secu­ri­ty state’s dig­i­tal infra­struc­ture. But that hap­pened. Palan­tir was even just select­ed to play a nuclear stock­pile secu­ri­ty role. Those awful deci­sions were made and now it’s hard to argue with the core argu­ment behind this Palan­tir stock fan piece. The can­cel­la­tion of Microsoft­’s JEDI con­tract real­ly was fab­u­lous news for Palan­tir’s bot­tom line.

    And that’s also why the angry pub­lic res­ig­na­tion of Nico­las Chail­lan was also such good news for Palan­tir. If the DoD is los­ing inter­est in back­ing Chail­lan’s JADC2 pilot project, that’s just more room for a com­pa­ny like Palan­tir to swoop in and pro­vide those ser­vices under the new post-JEDI vision for the US mil­i­tary’s cloud. A vision that has yet to be final­ized:

    ...
    After research­ing every­thing that has occurred and learn­ing that the DoD will launch a mul­ti­ven­dor cloud com­put­ing con­tract, I can’t help but envi­sion PLTR pick­ing up addi­tion­al con­tracts. The DoD was explic­it­ly clear that their new ini­tia­tives includ­ed JADC2 (Joint All-Domain Com­mand and Con­trol) and AI and Data Accel­er­a­tion (ADA). In an offi­cial doc­u­ment from the Con­gres­sion­al Research Ser­vice, it states:

    “Joint All-Domain Com­mand and Con­trol (JADC2) is the Depart­ment of Defense’s (DOD’s) con­cept to con­nect sen­sors from all of the mil­i­tary ser­vices-Air Force, Army, Marine Corps, Navy, and Space Force-into a sin­gle net­work.”

    With the JEDI con­tract being dis­man­tled and the DoD tak­ing a mul­ti-ven­dor approach to accom­plish its pre­vi­ous goals and tack­le its new ini­tia­tives, it looks like sev­er­al roads will lead to PLTR. We know for cer­tain that JADC2 and ADA are top pri­or­i­ties and the main rea­sons why the JEDI Con­tract was can­celed. PLTR is already the main provider of soft­ware to the DoD. It has direct rela­tion­ships and con­tracts with the Unit­ed States Air Force, Depart­ment of Defense, Unit­ed States Army, Unit­ed States Navy, Unit­ed States Spe­cial Oper­a­tions Forces, and the Unit­ed States Coast Guard. Over the years, PLTR has become one of the lead­ing, if not the lead­ing, soft­ware ven­dor to the Pen­ta­gon and its indi­vid­ual branch­es. The descrip­tion of JADC2 and ADA sound like the DoD went to PLTR’s Q1 2021 pre­sen­ta­tion and used slide 19 for their descrip­tions:

    “In Q1 2021, Palantir’s software was leveraged in the Global Information Dominance Experiment, enabling all 11 DoD Combatant Commands to generate globally integrated, strategic decision advantage from intelligence, operations, logistics, and supply data advanced by AI / ML.”

    In addi­tion to direct con­tracts through­out the DoD, PLTR also signed a major con­tract with the Depart­ment of Ener­gy on 3/31/21 with an ini­tial con­tract oblig­a­tion of $7 mil­lion. The Nation­al Nuclear Secu­ri­ty Admin­is­tra­tion (NNSA), which is a depart­ment with­in the Depart­ment of Ener­gy, select­ed PLTR to pro­vide their Office of Safe­ty, Infra­struc­ture, and Oper­a­tions with a soft­ware plat­form for NNSA’s Safe­ty Ana­lyt­ics, Fore­cast­ing, and Eval­u­a­tion Report­ing project named SAFER. The SAFER pro­gram will advance NNSA’s mis­sion of man­ag­ing nuclear secu­ri­ty.
    ...

    That’s all part of the context of Nicolas Chaillan’s public resignation involving the cutting of the JADC2 pilot project. It came two months after the cancellation of the Microsoft JEDI contract that opened up a new world of private contractor possibilities. And it sounds like those private contractor possibilities in this post-JEDI military cloud vision of the future include providing exactly the kind of JADC2 services Chaillan was working on. And services Palantir appears well positioned to fill, putting the company at the center of the US military’s digital networks.

    So should we expect the immi­nent announce­ment of Palan­tir step­ping in to pro­vide the JADC2 inter­op­er­abil­i­ty ser­vice in the US mil­i­tary’s DoD-wide cloud of tomor­row? Putting Palan­tir at the very core of the US mil­i­tary’s abil­i­ty to com­mu­ni­cate with itself? It would obvi­ous­ly be a giant leap of faith by the US mil­i­tary about the com­pa­ny’s integri­ty, a leap the US nation­al secu­ri­ty state took a long time ago. This is prob­a­bly a good time to recall that Avril Haines, the cur­rent head of the ODNI, was a Palan­tir employ­ee before join­ing the Biden cam­paign in 2020. The com­pa­ny has all the con­nec­tions it needs to become the dig­i­tal fab­ric that holds the US mil­i­tary togeth­er. Includ­ing the nuclear stock­piles. It’s part of why the Palan­tir stock boost­ers aren’t just puff­ing smoke. It real­ly is a com­pa­ny with spec­tac­u­lar­ly ter­ri­fy­ing pos­si­bil­i­ties and those ter­ri­fy­ing pos­si­bil­i­ties keep becom­ing more and more real every day.

    Posted by Pterrafractyl | September 7, 2021, 12:11 am
  6. Remember Ptech, the threat assessment software firm that became embroiled in post-9/11 anti-terror investigations involving the Muslim Brotherhood’s network of front organizations? And remember how Ptech had a stunning list of government agencies for clients, including the US Air Force, making this a story about a possible Muslim Brotherhood-connected firm conducting threat assessments for the US government? It’s a company worth recalling whenever we hear about massive systemic mega-hacks involving sophisticated spyware that can traverse an organization’s IT networks. Ptech’s services would probably be in extremely high demand these days.

    And since the 20 year anniversary of 9/11 is upon us, here’s a look back at a January 2003 article in Computerworld about the Ptech investigation for the purpose of asking an intriguing question that really hasn’t been asked: Was Palantir started as a kind of replacement for Ptech?

    It’s hard to ignore the parallels. Highly sensitive US national-security-related contracts were at the core of the business model for both Ptech and Palantir. Both companies make threat assessment-related software, although it sounds like Ptech’s threat assessment capabilities were more focused on IT network architecture, which is far less generic than Palantir’s machine-learning-based threat assessment capabilities. But who knows what Ptech would be offering today if it had maintained its position as the US national security digital threat assessment contractor of choice. And it turns out Palantir was started in 2003, meaning it got started after Ptech suddenly became a problematic post-9/11 national security contractor. So it’s worth asking: was Palantir formed as a replacement for Ptech? Because as the following 2003 article about Ptech’s investigative troubles makes clear, the company really was a highly respected firm with a large number of important clients beyond the US government agencies. IBM even put Ptech’s flagship enterprise modeling product, FrameWork, at the center of IBM’s Enterprise Architecture Methodology. And this was still the case after all of the terror-related bad press for the company. In other words, Ptech was providing a product with heavy demand. Then, all of a sudden, Ptech becomes the kind of company other companies don’t want to do business with, hence the eventual name change to GoAgile. And that’s all why we have to ask: was Palantir started with the intent of replacing Ptech?

    Com­put­er­world

    Ter­ror­ist probe hob­bles Ptech

    By Dan Ver­ton
    Jan 17, 2003 12:00 am PST

    The White House has giv­en Ptech Inc.‘s soft­ware a clean bill of health, and most of its cus­tomers and strate­gic busi­ness part­ners remain com­mit­ted to its tech­nol­o­gy. But the com­pa­ny, inves­ti­gat­ed for hav­ing an al-Qae­da con­nec­tion, has still become a casu­al­ty of the war on ter­ror­ism.

    In an exclusive series of interviews with Computerworld, Ptech CEO Oussama Ziade and several former employees said the government’s investigation of a former investor who is alleged to have ties to terrorism has dealt a nearly fatal blow to the Quincy, Mass., software company. And they fear that the same thing could happen to other companies.

    Ptech’s crisis stems from a Dec. 5 consensual search by federal agents, which was broadly characterized by the media as an early-morning “raid.” The search was part of an investigation of the company’s relationship with Yassin al-Qadi, a wealthy Saudi businessman and one of two “angel” investors who helped get Ptech on its feet in 1994. Al-Qadi, who was never a shareholder of record in Ptech and who later twice turned down Ptech requests for additional funding, is believed by the U.S. intelligence community to have financial ties to international terrorism.

    Since that search, Ptech, once a 65-employ­ee com­pa­ny that rarely lost a com­pet­i­tive con­tract bid, has been reduced to 10 peo­ple and has almost no new busi­ness on the hori­zon.

    “Almost imme­di­ate­ly we lost our rev­enue for Decem­ber and Jan­u­ary,” said Ziade. “Cus­tomers who know us and know our prod­uct have not walked away. They know there is noth­ing here relat­ed to ter­ror­ism.”

    But soon after the inves­ti­ga­tion broke, Ziade said, some large cus­tomers turned their backs on Ptech, refus­ing to com­ment pub­licly on their trust and con­fi­dence in the com­pa­ny and its enter­prise soft­ware, which enables its cus­tomers in the For­tune 1,000 and gov­ern­ment ranks to visu­al­ize and ana­lyze their tech­nol­o­gy infra­struc­ture and build mod­els to con­duct strate­gic busi­ness plan­ning. That sit­u­a­tion was con­firmed by Com­put­er­world in inter­views with those com­pa­nies.

    “When you sell to the For­tune 1,000, you are in the busi­ness of trust,” said Ziade. “But there were direc­tives com­ing out of the legal depart­ments in those com­pa­nies that said Ptech is a risk com­pa­ny.”

    For exam­ple, a sys­tems archi­tect at a major forestry prod­ucts firm that relies on Ptech soft­ware to con­duct strate­gic data min­ing and busi­ness plan­ning con­firmed the exis­tence of a cor­po­rate gag order. Yet noth­ing has changed in the com­pa­ny’s rela­tion­ship with Ptech, said the source, who request­ed anonymi­ty. “The com­pa­ny is fine, and the soft­ware is won­der­ful,” the source said. “There was nev­er any con­cern about the integri­ty of the soft­ware.”

    The same holds true for IBM Glob­al Ser­vices, which counts Ptech among its strate­gic busi­ness part­ners. Although Ziade said IBM ini­tial­ly tried to dis­tance itself from what looked like a major scan­dal in the mak­ing, Jeff Gluck, a spokesman for IBM, said the rela­tion­ship between the two com­pa­nies is “unchanged.”

    IBM placed Ptech’s flag­ship enter­prise mod­el­ing prod­uct, called Frame­Work, at the cen­ter of its Enter­prise Archi­tec­ture Method­ol­o­gy. In a white paper obtained by Com­put­er­world, IBM called the Ptech prod­uct “a pow­er­ful tool to rapid­ly col­lect, ana­lyze, orga­nize and present” infor­ma­tion. “Client accep­tance of the dynam­ic live deliv­er­able has been out­stand­ing,” the white paper con­clud­ed.

    “The fact that they’re a part­ner of ours speaks for itself as far as the qual­i­ty of the tech­nol­o­gy is con­cerned,” said Gluck.

    The CIO at a large ener­gy com­pa­ny, who also request­ed that he and his com­pa­ny not be named, said there was strong con­cern among senior man­age­ment when the sto­ry first broke. His IT team was charged with doc­u­ment­ing the com­pa­ny’s rela­tion­ship with Ptech, includ­ing when and where Ptech employ­ees may have been on-site.

    “I polled sev­er­al [user] con­tacts, includ­ing gov­ern­ment users, to assess their reac­tions and plans [and] also obtained the gov­ern­ment posi­tion on the soft­ware,” the CIO added. “This infor­ma­tion led us to decide to con­tin­ue lever­ag­ing our invest­ment in the Ptech prod­uct.”

    The CIO added that Ptech’s ser­vice and sup­port have remained “time­ly and thor­ough.”

    Yet none of that seems to mat­ter now, cur­rent and for­mer Ptech employ­ees said. They and secu­ri­ty experts warn that what hap­pened to Ptech can hap­pen to any com­pa­ny with an employ­ee or investor whose name shows up on a ter­ror­ist watch list.

    “Any com­pa­ny doing busi­ness in the clas­si­fied are­na must take steps to ensure its employ­ees are ful­ly vet­ted and mon­i­tored over time,” said Lar­ry John­son, a secu­ri­ty con­sul­tant and for­mer CIA offi­cer.

    For Ziade and com­pa­ny, the future is any­thing but cer­tain. Ptech’s tech­nol­o­gy is mature enough to remain unchanged for about a year, he said. The com­pa­ny has an unre­leased prod­uct that will also help buy Ziade, now one of Ptech’s prin­ci­pal coders as well as the CEO, addi­tion­al time.

    Hay­den Shulz, a for­mer prin­ci­pal engi­neer at Ptech, said the com­pa­ny will like­ly face unprece­dent­ed pres­sure to keep the soft­ware updat­ed in a rea­son­able time frame. “If the remain­ing 10 peo­ple sat down and cod­ed for a year, they could do it,” said Shulz. “But there’s going to be a con­stant give and pull between who’s going to go out to cus­tomers and who’s going to write code.”

    Ziade said he’s still assess­ing whether it makes sense to con­tin­ue releas­ing prod­ucts under the Ptech name. “We would love to keep it Ptech, but we don’t know what it will be a year from now,” he said.

    ...

    ———–

    “Ter­ror­ist probe hob­bles Ptech” by Dan Ver­ton; Com­put­er­world; 01/17/2003

    “Ptech’s crisis stems from a Dec. 5 consensual search by federal agents, which was broadly characterized by the media as an early-morning “raid.” The search was part of an investigation of the company’s relationship with Yassin al-Qadi, a wealthy Saudi businessman and one of two “angel” investors who helped get Ptech on its feet in 1994. Al-Qadi, who was never a shareholder of record in Ptech and who later twice turned down Ptech requests for additional funding, is believed by the U.S. intelligence community to have financial ties to international terrorism.”

    There’s bad PR and then there’s major terrorism-related bad PR. And in January of 2003, Ptech was suffering from a major case of the latter. The kind of terrorism-related bad PR that had its many government and Fortune 1000 clients taking a second look at whether or not they wanted to do business with the company. This was a company that rarely lost a competitive bid. And yet, even in the face of this awful PR, we had companies like IBM more or less sticking with Ptech. Their network threat assessment software was just too important to give up, even in the face of an investigation into a possible connection to 9/11. Ptech was clearly developing something extremely important to a lot of people:

    ...
    Since that search, Ptech, once a 65-employ­ee com­pa­ny that rarely lost a com­pet­i­tive con­tract bid, has been reduced to 10 peo­ple and has almost no new busi­ness on the hori­zon.

    “Almost imme­di­ate­ly we lost our rev­enue for Decem­ber and Jan­u­ary,” said Ziade. “Cus­tomers who know us and know our prod­uct have not walked away. They know there is noth­ing here relat­ed to ter­ror­ism.”

    But soon after the inves­ti­ga­tion broke, Ziade said, some large cus­tomers turned their backs on Ptech, refus­ing to com­ment pub­licly on their trust and con­fi­dence in the com­pa­ny and its enter­prise soft­ware, which enables its cus­tomers in the For­tune 1,000 and gov­ern­ment ranks to visu­al­ize and ana­lyze their tech­nol­o­gy infra­struc­ture and build mod­els to con­duct strate­gic busi­ness plan­ning. That sit­u­a­tion was con­firmed by Com­put­er­world in inter­views with those com­pa­nies.

    “When you sell to the For­tune 1,000, you are in the busi­ness of trust,” said Ziade. “But there were direc­tives com­ing out of the legal depart­ments in those com­pa­nies that said Ptech is a risk com­pa­ny.”

    For exam­ple, a sys­tems archi­tect at a major forestry prod­ucts firm that relies on Ptech soft­ware to con­duct strate­gic data min­ing and busi­ness plan­ning con­firmed the exis­tence of a cor­po­rate gag order. Yet noth­ing has changed in the com­pa­ny’s rela­tion­ship with Ptech, said the source, who request­ed anonymi­ty. “The com­pa­ny is fine, and the soft­ware is won­der­ful,” the source said. “There was nev­er any con­cern about the integri­ty of the soft­ware.”

    The same holds true for IBM Glob­al Ser­vices, which counts Ptech among its strate­gic busi­ness part­ners. Although Ziade said IBM ini­tial­ly tried to dis­tance itself from what looked like a major scan­dal in the mak­ing, Jeff Gluck, a spokesman for IBM, said the rela­tion­ship between the two com­pa­nies is “unchanged.”

    IBM placed Ptech’s flag­ship enter­prise mod­el­ing prod­uct, called Frame­Work, at the cen­ter of its Enter­prise Archi­tec­ture Method­ol­o­gy. In a white paper obtained by Com­put­er­world, IBM called the Ptech prod­uct “a pow­er­ful tool to rapid­ly col­lect, ana­lyze, orga­nize and present” infor­ma­tion. “Client accep­tance of the dynam­ic live deliv­er­able has been out­stand­ing,” the white paper con­clud­ed.

    “The fact that they’re a part­ner of ours speaks for itself as far as the qual­i­ty of the tech­nol­o­gy is con­cerned,” said Gluck.
    ...

    Later that year, Palantir was started by Peter Thiel with the help of the CIA’s In-Q-Tel seed money. And yes, Palantir products don’t do exactly the same thing Ptech did. But we wouldn’t necessarily expect that to be the case. The big question is whether or not Palantir was founded with the intent of filling the gap created by Ptech’s post-9/11 pariah status. Not that it would change much of anything if this was the case. It’s more just an interesting historical question at this point. So in the spirit of ‘better late than never’ it’s worth asking: To what extent does Palantir owe its current status as the US national security state’s go-to big data threat assessment service provider to Ptech’s post-9/11 demise? And, depending on the answer, maybe some follow up questions. Possibly a lot of follow up questions.

    Posted by Pterrafractyl | September 11, 2021, 8:46 pm
  7. Here’s an NSO Group-related story where the big story is really all the questions it raises about what else is going on:

    It turns out the NSO Group’s customer list includes Germany’s federal police, the Bundeskriminalamt (BKA). An inability to develop their own comparable hacking tools is reportedly part of the reasoning behind the purchase, which, if true, is an example of how cutting edge these toolkits really are.

    Here’s the part that raises all sorts of questions about what else the German national security complex has been up to: The 2019 purchase of NSO Group’s Pegasus software was made despite initial concerns inside the BKA that use of the tools would violate the German constitution, which blocks wiretapping in all but the most extreme cases.

    How serious were these concerns? It’s unclear from the report, but the fact that talks with NSO Group started in 2017 and the contract was inked in 2019 suggests those internal deliberations took a while. But in the end those concerns were somehow alleviated. Was this due to extensive safeguards being put in place to ensure the spyware was only used when absolutely necessary and protected by the German constitution? We have no idea.

    It also sounds like the BKA’s contract with NSO Group is still in effect. The BKA first got access to Pegasus in late 2020 and reportedly used the tool in select operations concerning terrorism and organized crime since March of this year.

    There’s another angle to this story that’s worth keeping in mind: As we’ll see in the second article excerpt below, it was only in 2020 when German courts ruled that Germany’s constitutional rights to privacy extended to the citizens of other countries living abroad. The ruling was in response to a 2016 German law that granted Germany’s BND the right to spy on non-Germans abroad.

    So in 2016, Germany passes a law giving the BND permission to spy abroad. And in 2017, negotiations between the NSO Group and the BKA are started, completed by 2019. Then in May 2020, Germany’s courts ruled the 2016 law was unconstitutional, but the contract with NSO Group remained in place and the BKA first received the software later that year. We’re told the tools have been put to use since March of this year. So we have to ask, given how useful Pegasus would be to the BND, especially during the 2016–2020 window when the BND was given the powers to spy on the world, was the BND going to end up being one of the end users of Pegasus too? Perhaps informally? Yes, NSO Group reportedly places georestrictions on where its spyware can be used so that would theoretically prevent the BND from going wild globally with it, but who knows what kind of relationship Germany would be able to work out with NSO Group given the importance of the German-Israeli diplomatic relationship. Those negotiations with the BKA took quite a while to work out. That’s all part of what makes the story of the BKA getting its hands on Pegasus really part of a much larger story of Germany’s significant investment in digital spying capabilities:

    Haaretz

    Germany’s ‘FBI’ Bought Israeli NSO’s Spyware Despite Knowledge of Rights Abuses, Report Says
    Sources tell Die Zeit that after Germany’s Federal Criminal Police Office failed to develop their own spyware program, they turned to Israeli cyber-espionage firm

    Omer Benjakob
    Sep. 7, 2021

    Germany’s federal investigative police force held talks with Israeli cyber-espionage firm NSO Group and even purchased its infamous Pegasus spyware, the German newspaper Die Zeit revealed Monday, citing sources within the local defense establishment.

    According to the report by Holger Stark, the Federal Criminal Police Office — known in Germany as the Bundeskriminalamt, or BKA — first held talks with NSO in 2017. At the time, the report said, a delegation from NSO even traveled to Wiesbaden, where the BKA is headquartered, to showcase the capabilities of the Pegasus spyware.

    Despite initial legal concerns from within the BKA about the spyware, which allows its operators to take full control of any smartphones infected with Pegasus, a deal was inked with NSO in 2019.

    The report also notes that the decision to purchase the Israeli-made spyware was made after the BKA failed to develop its own spyware. If successfully installed, Pegasus allows its operators full access to the data of the infected phone, and they can even remotely operate its microphone and camera — unbeknownst to the phone owner.

    BREAKING: Germany’s Federal Police #BKA secretly bought notorious #Pegasus mercenary spyware.

    They’d have been aware of the growing list of abuses. Clearly they chose to ignore them.

    Embarrassing retreat from cyberspace leadership by Germany.

    LINK (DE) https://t.co/jyaao0Ky4o

    — John Scott-Railton (@jsrailton) September 7, 2021

    The BKA is under the oversight of Germany’s Interior Ministry and legal officials were concerned the spyware could not meet legal requirements in Germany, which permits such snooping only in very specific and extreme cases.

    According to an expert who spoke to Die Zeit, none of the criminal cases pursued by the BKA during this time period attempted to make use of evidence collected through Pegasus. However, according to sources that spoke with the German paper, officials were adamant that any use of the spyware should be done only in cases it is authorized by German law. It is unclear, however, what oversight was done on the actual usage and in what context the program was used, if at all.

    ...

    The news comes two months after Project Pegasus — a global investigation led by Forbidden Stories and Amnesty International into a leaked database of potential targets selected by NSO’s clients. The investigation was conducted together with a consortium of news outlets across the globe, including Die Zeit and Haaretz, and has helped spark a debate about spyware and its misuse by governments.

    At the time, the investigation revealed a long list of journalists and human rights activists, as well as world leaders, selected for possible snooping by clients of NSO across the world. NSO denied the reports and labeled them an orchestrated attempt to smear the company; it further said the list at the core of the investigation was arbitrary and had no connection to them or their clients. Since the investigation was published, digital forensics in France and in the U.K. have confirmed that a small handful of those phone numbers selected as potential targets actually had their phones infected.

    At the time of the Project Pegasus publications, after it was revealed that a phone number associated with French President Macron was also selected for potential targeting (most likely by the Moroccan intelligence service), other European leaders voiced their concern at NSO and its cyber wares. It is important that hacking software does not get into the wrong hands, German Chancellor Angela Merkel was quoted by Reuters as saying when asked about the Pegasus spyware case at that time. She also told reporters that countries without any judicial oversight of how spying software is used should not have access to it.

    ———–

    “Germany’s ‘FBI’ Bought Israeli NSO’s Spyware Despite Knowledge of Rights Abuses, Report Says” by Omer Benjakob; Haaretz; 09/07/2021

    “Despite initial legal concerns from within the BKA about the spyware, which allows its operators to take full control of any smartphones infected with Pegasus, a deal was inked with NSO in 2019.”

    There were concerns, but those concerns were somehow addressed. We don’t know how, but the fact that a deal was reached in 2019 tells us they were addressed one way or another. The unsettling part is that we know so little about the actual terms of the contract and how the Pegasus software was ultimately used that it’s entirely plausible these concerns were addressed by simply dropping them:

    ...
    According to the report by Holger Stark, the Federal Criminal Police Office — known in Germany as the Bundeskriminalamt, or BKA — first held talks with NSO in 2017. At the time, the report said, a delegation from NSO even traveled to Wiesbaden, where the BKA is headquartered, to showcase the capabilities of the Pegasus spyware.

    ...

    The report also notes that the decision to purchase the Israeli-made spyware was made after the BKA failed to develop its own spyware. If successfully installed, Pegasus allows its operators full access to the data of the infected phone, and they can even remotely operate its microphone and camera — unbeknownst to the phone owner.

    ...

    The BKA is under the oversight of Germany’s Interior Ministry and legal officials were concerned the spyware could not meet legal requirements in Germany, which permits such snooping only in very specific and extreme cases.

    According to an expert who spoke to Die Zeit, none of the criminal cases pursued by the BKA during this time period attempted to make use of evidence collected through Pegasus. However, according to sources that spoke with the German paper, officials were adamant that any use of the spyware should be done only in cases it is authorized by German law. It is unclear, however, what oversight was done on the actual usage and in what context the program was used, if at all.
    ...

    We know there were concerns, and we know those concerns were somehow addressed, but we know hardly anything about how the spyware was actually used and what sort of oversight was deployed.

    But that doesn’t mean we can’t wager a reasonable guess as to how the Pegasus spyware would have been used. Because as the following article from May of 2020 describes, it was only in 2016 when the German parliament passed a law allowing its intelligence services to spy on non-Germans abroad, something for which Pegasus would be an ideal fit. So while we don’t know if the 2017 NSO Group negotiations were directly tied to the passage of the 2016 spying law, it’s not too hard to connect these dots:

    The New York Times

    Right to Privacy Extends to Foreign Internet Users, German Court Rules

    The intelligence services cannot randomly search the digital data of citizens of other countries living abroad, judges said, in a decision welcomed by civil rights activists.

    By Melissa Eddy
    May 19, 2020

    BERLIN — Privacy rights enshrined in Germany’s Constitution extend to foreigners living abroad and cover their online data, the country’s highest court ruled on Tuesday, ordering Chancellor Angela Merkel’s government to overhaul a law governing the foreign intelligence agency.

    The decision by the Constitutional Court found that parts of a 2016 law governing the country’s foreign intelligence agency, known by its German abbreviation BND, in part violated the universal right to privacy in communication. The ruling ordered the law to be rewritten to clarify the motivation for spying on individuals abroad, but it stopped short of banning the practice outright.

    In its current form, the law permits the BND to gather, evaluate and even share data generated by communication between non-Germans outside the country to counter potential attacks or threats. Passage of the law fueled an intense debate over security and civil liberties in a country where the lessons of disregard for individual privacy under the Nazi and Communist regimes still resonate strongly.

    The court found that the pre-emptive measures stipulated in the law were not clear enough grounds for violating an individual’s privacy.

    “In particular, the monitoring is not based on sufficient objectives and structured in such a way that they are controllable; there is also a lack of various safeguards, for example to protect journalists or lawyers,” the court said. It added that the law lacked “a guarantee of sufficiently weighty protection of legal interests and sufficient thresholds for intervention.”

    A group of journalist and civil liberties organizations brought the case before the Constitutional Court, arguing that the 2016 law handed too much power to the state and failed to uphold universal human rights to privacy guaranteed by Article 10 of the Constitution. The ruling is the first time that the court has extended rights guaranteed in the Constitution to non-Germans abroad.

    “The ruling sets new standards in international human rights protection and for the freedom of the press,” said the Society for Civil Rights, a Berlin-based nonprofit organization that filed the suit along with several journalists’ organizations.

    Outrage about surveillance in Germany was prompted by the extensive privacy breaches by intelligence services that were revealed by Edward J. Snowden, a former contractor for the U.S. National Security Agency, and, shortly after, by the disclosure that the N.S.A. had tapped the chancellor’s cellphone.

    Around the same time, Ms. Merkel’s government was struggling to respond to a series of Islamist terrorist attacks in the country and seeking to expand Germany’s ability to defend itself without relying on the U.S. security apparatus. The 2016 law was an attempt to balance the considerations of privacy and security, but the court decided on Tuesday that the BND had been afforded too much power.

    The ruling demanded that parts of the 2016 law be rewritten by the end of 2021, stipulating that the individual right to privacy in communication, whether by letter, telephone or online, be established as a universal right of any individual, anywhere. The court also called for more controls over the BND and for limitations on the ability of the service to share information with international partners.

    Norbert Röttgen, a member of Ms. Merkel’s conservative governing party and a contender to succeed her, criticized the ruling in a post on Twitter as “difficult to explain abroad” because it “raises considerable questions about our strategic operations and ability to cooperate in a time when outside aggression is increasingly complex.”

    ...

    ————


    “Right to Privacy Extends to Foreign Internet Users, German Court Rules” by Melissa Eddy; The New York Times; 05/19/2020

    “The decision by the Constitutional Court found that parts of a 2016 law governing the country’s foreign intelligence agency, known by its German abbreviation BND, in part violated the universal right to privacy in communication. The ruling ordered the law to be rewritten to clarify the motivation for spying on individuals abroad, but it stopped short of banning the practice outright.”

    Yes, it was 2016, the year before the BKA’s secret negotiations with the NSO Group started, when Germany passed a law allowing the BND to gather data on non-Germans outside Germany. This is the key context of the outreach to NSO Group the following year. Context that suddenly changed with that 2020 court ruling:

    ...
    In its current form, the law permits the BND to gather, evaluate and even share data generated by communication between non-Germans outside the country to counter potential attacks or threats. Passage of the law fueled an intense debate over security and civil liberties in a country where the lessons of disregard for individual privacy under the Nazi and Communist regimes still resonate strongly.

    The court found that the pre-emptive measures stipulated in the law were not clear enough grounds for violating an individual’s privacy.

    “In particular, the monitoring is not based on sufficient objectives and structured in such a way that they are controllable; there is also a lack of various safeguards, for example to protect journalists or lawyers,” the court said. It added that the law lacked “a guarantee of sufficiently weighty protection of legal interests and sufficient thresholds for intervention.”

    A group of journalist and civil liberties organizations brought the case before the Constitutional Court, arguing that the 2016 law handed too much power to the state and failed to uphold universal human rights to privacy guaranteed by Article 10 of the Constitution. The ruling is the first time that the court has extended rights guaranteed in the Constitution to non-Germans abroad.
    ...

    But how about after that 2020 court ruling? Are German intelligence services still using Pegasus? Yep. In fact, the BKA didn’t even receive delivery of Pegasus until late 2020 and only started using it in March of this year. So the BKA didn’t start using Pegasus until after German courts ended the historic expansion of Germany’s legal wiretapping powers, which is either a good sign or a very bad sign in terms of the likelihood the spyware has already been abused:

    Deutsche Welle

    German police secretly bought NSO Pegasus spyware

    Sources have confirmed media reports that federal criminal police purchased and used the controversial Israeli surveillance spyware despite lawyers’ objections.

    Date Sep.09.2021

    The German Federal Criminal Police Office (BKA) bought notorious Pegasus spyware from the Israeli firm NSO in 2019, it was revealed Tuesday.

    The federal government informed the Interior Committee of the Bundestag of the purchase in a closed-doors session, parliament sources said. That confirmed earlier reports published in German newspaper Die Zeit.

    The software was procured under “the utmost secrecy,” according to Die Zeit, despite the hesitations of lawyers as the surveillance tool can do much more than German privacy laws permit.

    However, the version purchased by the BKA had certain functions blocked to prevent abuse, security circles told the paper — although it is unclear how that works on a practical level.

    The revelations were a result of joint research by Die Zeit as well as daily Süddeutsche Zeitung and public broadcasters NDR and WDR.

    What has the German government said?

    According to the Süddeutsche Zeitung, BKA Vice President Martina Link confirmed to lawmakers that her organization had purchased the software. In late 2020, the BKA acquired a version of the Pegasus Trojan virus software. It has been used in select operations concerning terrorism and organized crime since March of this year.

    Germany’s Federal Constitutional Court has ruled that security services are only permitted to use spyware on the cellphones and computers of surveillance targets in special cases, and can only initiate certain types of operations.

    While the rule of law has placed limits, the technology available has grown seemingly limitless.

    The German government has been asked specifically about the use of NSO spyware three times in recent years and has largely refused to account for its use or subject itself to scrutiny for it.

    In a written statement to an official inquiry, Left Party lawmaker Martina Renner was told the parliament’s right to information conflicted with the “confidentiality interests justified by the welfare of the state in exceptional cases.”

    Now it’s out: #BKA uses spyware #Pegasus #NSO. If you reread my written question from 5/19, this possibly means that all the named authorities are using the spyware, even though it is obviously in violation of fundamental rights. @zeitonline @holger_stark 1/2 pic.twitter.com/fuE0n2BXYi — Martina Renner (@MartinaRenner) September 7, 2021

    ...

    How has Germany reacted?

    Green Party member of parliament Konstantin von Notz called it a “nightmare for the rule of law.” He demanded “full clarification” from the federal government as to who “specifically bears responsibility for the purchase and use of the spy software.”

    Frank Überall, the chairman of the German Journalists’ Association, said the union wanted to know “whether journalists were spied on without their knowledge, whether their sources are still safe.”

    Überall called the BKA’s action “incomprehensible” and added Interior Minister Horst Seehofer should “lay his cards on the table.”

    ———

    “German police secretly bought NSO Pegasus spyware”; Deutsche Welle; 09/07/2021

    “According to the Süddeutsche Zeitung, BKA Vice President Martina Link confirmed to lawmakers that her organization had purchased the software. In late 2020, the BKA acquired a version of the Pegasus Trojan virus software. It has been used in select operations concerning terrorism and organized crime since March of this year.”

    As we can see, Germany’s federal police apparently received the Pegasus software in late 2020, months after the German court ruling finding the 2016 law permitting the spying on non-German citizens is unconstitutional. And we’re told it hasn’t been actually used until March of this year. So on the one hand, if we believe this timeline, it suggests the BKA hasn’t had a lot of time to abuse the Pegasus software yet. But it also highlights how Germany’s intelligence services were still willing to go ahead with the acquisition of Pegasus after a German court shot down the 2016 law granting those services the right to spy on the world. And when asked how NSO Group’s tools are being used, the government has repeatedly refused to say. Taken together, it’s the kind of constellation of data points all suggesting that Germany’s approach to addressing the potential constitutional abuses of these spyware tools is to minimize the oversight so those abuses don’t come to light:

    ...
    Germany’s Federal Constitutional Court has ruled that security services are only permitted to use spyware on the cellphones and computers of surveillance targets in special cases, and can only initiate certain types of operations.

    While the rule of law has placed limits, the technology available has grown seemingly limitless.

    The German government has been asked specifically about the use of NSO spyware three times in recent years and has largely refused to account for its use or subject itself to scrutiny for it.
    ...

    So the overarching story here is a story of one part of the German government asserting greater spying powers and taking steps to obtain those powers, while another side of the German government has ruled this is unconstitutional. And the way this bureaucratic impasse has been addressed is apparently for the BKA to just proceed with the Pegasus acquisition and for everyone else to just kind of pretend it’s not being used unconstitutionally while questions are deflected or ignored.

    And, again, this is merely the story of how Germany’s government is handling the temptation of something like Pegasus. Answering the question of how many other German constitutional violations are casually being swept under the rug in a similar manner is the much bigger story here.

    Posted by Pterrafractyl | September 19, 2021, 7:53 pm
  8. It seems like every other week these days there’s an announcement about a new hacker-for-hire zero-day exploit that’s just been discovered. That was the case again last week when Citizen Lab announced the discovery of a new zero-day exploit on the phone of a Saudi activist in March of 2021.

    But there was a notable new detail with this latest discovery: the attribution was made to NSO Group based on technical similarities to previous NSO Group hacks. In other words, the “pattern recognition” methodology for making cyberattributions. Instead of the traditional “pattern recognition” conclusion (Russian, Chinese, or Iranian hackers), the “pattern recognition” technique is now being deployed against NSO Group.

    What’s the technical pattern? There were two technical details in the Citizen Lab report they cite in making the NSO Group attribution:

    1. The newly discovered malware, dubbed FORCEDENTRY, exploited another technique dubbed CASCADEFAIL, that is supposed to delete evidence of the malware’s manipulation from the victim phone’s sqlite database. There’s a single database entry of evidence left over. Citizen Lab’s researchers have only ever seen malware that leaves this last piece of leftover evidence in other NSO Group Pegasus malware.

    2. The FORCEDENTRY malware generates multiple processes on the victim phone, assigning names to those processes. One of those process names, “setframed”, was the name of a process used in another NSO Group malware Citizen Lab discovered targeting an Al Jazeera journalist in July 2020. The Citizen Lab report adds, “Notably, we did not publish that detail at the time.”

    So based on those two technical details, Citizen Lab made a “high confidence” attribution of this malware to NSO Group. And part of that high confidence was rooted in the fact that Citizen Lab never previously published that it found the same “setframed” process name used in an earlier NSO Group attack.

    Now, on the one hand, that sounds like a pretty reasonable conclusion to arrive at given the circumstances. Those circumstances being that this appears to be the initial publication of any details on these technical details and those details appear to be reasonably specific. But this is also turning into a wonderful example of how vulnerable technical “pattern recognition” really is to spoofing and erroneous conclusions. Because think about it: going forward, if malware is found to contain either of these two ‘features’, there’s this built-in bias that this is NSO Group malware. And it very well might be NSO Group malware making the same mistakes, but the fact that those two technical details are something a malware coder could easily incorporate into their malware design is an example of why the “pattern recognition” methodology is ripe for abuse.

    It’s long been a fundamental challenge with the cyberattribution industry: Once the pattern is shared, that pattern is now shared knowledge that can be used to spoof future pattern recognition analyses. That’s why Citizen Lab felt it relevant to emphasize that it hadn’t previously published the “setframed” process name. If it had previously published that process name, any malware designer could have easily intentionally had their malware use the “setframed” name to confuse cybersecurity analysts, which is now the case going forward.

    Also keep in mind that the fact Citizen Lab never published the “setframed” process name from that previous NSO Group hack doesn’t mean the information wasn’t quietly shared with other entities. Trusted entities that end up passing it along to less trustworthy entities that might end up abusing it and using it to cover their own hacking tracks. It’s not like there’s an impenetrable wall between the cybersecurity industry and the hacker-for-hire industry.

    So that’s really the interesting part of this story. In many ways, it’s just the latest in a seemingly endless string of hacker-for-hire exploits sold to another foul government and used against an activist. But the fact that this got attributed to NSO Group based on technical pattern recognition makes this the kind of story that could be a harbinger of many more NSO Group pattern recognition stories to come. Some of them might be real NSO Group stories and some where NSO Group was set up. Either way, it should be fun to watch. Except not so much fun for all the new victims.

    And that brings us to another grimly interesting aspect of pattern recognition being used to attribute the highly sophisticated and targeted malware of this nature: A key issue with the prevailing “pattern recognition” attribution regime that seemed to always find a pattern from Russia, Iran, China, or North Korea was how it was almost designed to encourage outside actors to join in on the fun. Just put your stupid ‘Russian’ patterns like Cyrillic characters and let Russia take the blame. It encourages hacking that fits ‘the pattern’. And what’s the pattern in this case? Highly targeted hacks of prominent victims and activists using powerful zero-click exploits. Do folks want more of those?

    So while it looks like Citizen Lab probably made the right call on this particular case of NSO Group “pattern recognition”, it’s going to be important to keep in mind that if we end up seeing a flood of copycat NSO Group malware stories based on similar patterns that may not just be an NSO Group story. There’s a lot of competition in the global cybermercenary industry. Some might say too much competition:

    The Guardian

    Israeli spy­ware firm tar­get­ed Apple devices via iMes­sage, researchers say

    Dis­cov­ery was shared with Apple, which on Mon­day released a patch to fix the vul­ner­a­bil­i­ty

    Stephanie Kirch­gaess­ner in Wash­ing­ton
    Mon 13 Sep 2021 22.51 EDT

    First pub­lished on Mon 13 Sep 2021 16.48 EDT

    Security researchers at Citizen Lab have discovered an exploit that they believe has been used by government clients of NSO Group, the Israeli spyware company, to silently hack into iPhones and other Apple devices since February 2021.

    The discovery, which was made as the researchers were examining the mobile phone of a Saudi activist, was shared with Apple, which on Monday released a patch to fix the vulnerability.

    ...

    When it is successfully deployed against a target, NSO Group’s spyware, called Pegasus, can silently hack into a phone, collect a user’s personal and private information, intercept calls and messages, and even turn a mobile phone into a remote listening device.

    NSO Group has said that its spyware is only meant to be used by licensed law enforcement agencies to target criminals and terrorists. But investigations – including the recent publication of the Pegasus Project by the Guardian and other outlets – have revealed ways in which the spyware has been used by government clients to target journalists and human rights activists around the world.

    Asked for comment, NSO Group issued a statement saying: “NSO Group will continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime.”

    Citizen Lab said it was able to make a “high-confidence attribution” that the exploit had been created by NSO Group because they observed “multiple distinctive elements” in the spyware. An exploit is a technical vulnerability that allows spyware to infect a phone, and the code of the exploit discovered by Citizen Lab contained a specific bug that the researchers had only ever associated with NSO Group’s Pegasus in the past.

    “We believe that the bug is distinctive enough to point back to NSO,” Citizen Lab said in a blogpost.

    The researchers also found that the spyware, which they have called FORCEDENTRY, used multiple process names – identifying features of the malware code – including one that was used in a previous attack that used NSO Group spyware on an Al Jazeera journalist in July 2020.

    NSO Group has said it cannot reveal the identity of its clients. But the Guardian has previously reported that NSO Group dropped Saudi Arabia as a client in the wake of Citizen Lab’s report that the kingdom was the likely culprit behind dozens of attacks against Al Jazeera journalists in 2020.

    The development marks more bad news for Apple. Forensic examinations of mobile phones conducted both by Citizen Lab and Amnesty International’s security lab have found that even the most up-to-date iPhones, using the most up-to-date operating system, have been vulnerable to attacks by Pegasus.

    Ivan Krstic, head of Apple security engineering and architecture, said in a statement to the Guardian: “After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users. We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly.”

    He added: “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”

    Citizen Lab said in its statement that the company was releasing a fix for the exploit on Monday, and urged all Apple users to update devices as soon as possible, including all Apple devices that use iOS versions prior to 14.8.

    The exploit discovered by Citizen Lab is known as a “zero-day” vulnerability, which allows users of the spyware to infect a phone without the user having any idea that their mobile phones have been hacked. In this case, the FORCEDENTRY exploit used a weakness in Apple’s iMessage function to silently send corrupt files to a phone that appeared to be GIF extensions, but were actually Adobe PDF files containing malicious code.

    “Our latest discovery of yet another Apple zero-day employed as part of NSO Group’s arsenal further illustrates that companies like NSO Group are facilitating ‘despotism-as-a-service’ for unaccountable government security agencies,” researchers said.

    Bill Marczak, who first discovered the exploit at Citizen Lab, said the findings also highlighted the importance of securing popular messaging apps, which were increasingly being used as a target by sophisticated threat actors.

    “As presently engineered, many chat apps have become an irresistible soft target. Without intense engineering focus, we believe that they will continue to be heavily targeted, and successfully exploited,” Citizen Lab said.

    ———–

    “Israeli spyware firm targeted Apple devices via iMessage, researchers say” by Stephanie Kirchgaessner; The Guardian; 09/13/2021

    “Citizen Lab said it was able to make a “high-confidence attribution” that the exploit had been created by NSO Group because they observed “multiple distinctive elements” in the spyware. An exploit is a technical vulnerability that allows spyware to infect a phone, and the code of the exploit discovered by Citizen Lab contained a specific bug that the researchers had only ever associated with NSO Group’s Pegasus in the past.”

    We’re getting a peek at how the sausage is made. This was a high-confidence attribution made based on technical details tied back to previous hacks associated with Pegasus. The key terrifying feature this malware shares with a number of hacks associated with this mercenary hacking industry is the fact that it’s a zero-click hack that infects your phone whether you realize it or not. If it wasn’t NSO Group, it was another group with cutting-edge capabilities...willing to sell to Saudi Arabia:

    ...
    “We believe that the bug is distinctive enough to point back to NSO,” Citizen Lab said in a blogpost.

    The researchers also found that the spyware, which they have called FORCEDENTRY, used multiple process names – identifying features of the malware code – including one that was used in a previous attack that used NSO Group spyware on an Al Jazeera journalist in July 2020.

    ...

    The exploit discovered by Citizen Lab is known as a “zero-day” vulnerability, which allows users of the spyware to infect a phone without the user having any idea that their mobile phones have been hacked. In this case, the FORCEDENTRY exploit used a weakness in Apple’s iMessage function to silently send corrupt files to a phone that appeared to be GIF extensions, but were actually Adobe PDF files containing malicious code.
    ...

    And note that when we read about NSO Group dropping Saudi Arabia as a client in the wake of the Jamal Khashoggi killing, recall how NSO Group then changed ownership and once again took Saudi Arabia as a client. So that would actually be another data point pointing towards NSO Group: it’s like it’s forced to supply the Saudis super spyware:

    ...
    NSO Group has said it cannot reveal the identity of its clients. But the Guardian has previously reported that NSO Group dropped Saudi Arabia as a client in the wake of Citizen Lab’s report that the kingdom was the likely culprit behind dozens of attacks against Al Jazeera journalists in 2020.
    ...

    And NSO Group probably isn’t the only ‘commercial surveillance vendor’ the Saudis are getting their zero-click super-spyware from. Again, NSO Group has competitors.

    Now here’s the Citizen Lab report itself giving us more details on what the malware does and how they made the attribution. The attacker sends a pdf disguised as a gif that causes an integer overflow vulnerability in Apple’s image rendering library, allowing for arbitrary code execution. A nightmare bug. And they’re highly confident this was NSO Group behind this nightmare bug based on the shared piece of non-deleted database evidence and the shared “setframed” process name. NSO Group got slightly sloppy:

    Citizen Lab

    FORCEDENTRY NSO Group iMessage Zero-Click Exploit Captured in the Wild

    By Bill Marczak, John Scott-Railton, Bahr Abdul Razzak, Noura Al-Jizawi, Siena Anstis, Kristin Berdan, and Ron Deibert

    September 13, 2021

    Summary

    * While analyzing the phone of a Saudi activist infected with NSO Group’s Pegasus spyware, we discovered a zero-day zero-click exploit against iMessage. The exploit, which we call FORCEDENTRY, targets Apple’s image rendering library, and was effective against Apple iOS, MacOS and WatchOS devices.
    * We determined that the mercenary spyware company NSO Group used the vulnerability to remotely exploit and infect the latest Apple devices with the Pegasus spyware. We believe that FORCEDENTRY has been in use since at least February 2021.
    * The Citizen Lab disclosed the vulnerability and code to Apple, which has assigned the FORCEDENTRY vulnerability CVE-2021-30860 and describes the vulnerability as “processing a maliciously crafted PDF may lead to arbitrary code execution.”
    * Today, September 13th, Apple is releasing an update that patches CVE-2021-30860. We urge readers to immediately update all Apple devices.

    ...

    Discovery

    In March 2021, we examined the phone of a Saudi activist who has chosen to remain anonymous, and determined that they had been hacked with NSO Group’s Pegasus spyware. During the course of the analysis we obtained an iTunes backup of the device.

    Recent re-analysis of the backup yielded several files with the “.gif” extension in Library/SMS/Attachments that we determined were sent to the phone immediately before it was hacked with NSO Group’s Pegasus spyware.

    Payload

    The files were:

    * 27 copies of an identical file with the “.gif” extension. Despite the extension, the file was actually a 748-byte Adobe PSD file. Each copy of this file caused an IMTranscoderAgent crash on the device. These files each had random-looking ten-character filenames.
    * Four different files with the “.gif” extension that were actually Adobe PDF files containing a JBIG2-encoded stream. Two of these files had 34-character names, and two had 97-character names.
    * The output of the pdfid tool on these four “.gif” files was (NB: the stream had varying length):

    ...

    Discovery and Disclosure

    Because the format of the files matched two types of crashes we had observed on another phone when it was hacked with Pegasus, we suspected that the “.gif” files might contain parts of what we are calling the FORCEDENTRY exploit chain.

    Citizen Lab forwarded the artifacts to Apple on Tuesday, September 7. On Monday, September 13, Apple confirmed that the files included a zero-day exploit against iOS and MacOS. They designated the FORCEDENTRY exploit CVE-2021-30860, and describe it as “processing a maliciously crafted PDF may lead to arbitrary code execution.”

    The exploit works by exploiting an integer overflow vulnerability in Apple’s image rendering library (CoreGraphics). We are publishing limited technical information about CVE-2021-30860 at this time.

    Attribution to NSO Group

    We observed multiple distinctive elements that allowed us to make a high-confidence attribution to NSO Group:

    * The spyware installed by the FORCEDENTRY exploit exhibited a forensic artifact that we call CASCADEFAIL, which is a bug whereby evidence is incompletely deleted from the phone’s DataUsage.sqlite file. In CASCADEFAIL, an entry from the file’s ZPROCESS table is deleted, but not entries in the ZLIVEUSAGE table that refer to the deleted ZPROCESS entry. We have only ever seen this type of incomplete deletion associated with NSO Group’s Pegasus spyware, and we believe that the bug is distinctive enough to point back to NSO. The specific CASCADEFAIL artifact can be detected by

    SELECT "CASCADEFAIL" FROM ZLIVEUSAGE WHERE ZLIVEUSAGE.ZHASPROCESS NOT IN (SELECT Z_PK FROM ZPROCESS);

    * The spyware installed by the FORCEDENTRY exploit used multiple process names, including the name “setframed”. That process name was used in an attack with NSO Group’s Pegasus spyware on an Al Jazeera journalist in July 2020. Notably, we did not publish that detail at the time.

    ...

    ———–

    “FORCEDENTRY NSO Group iMessage Zero-Click Exploit Captured in the Wild” by Bill Marczak, John Scott-Railton, Bahr Abdul Razzak, Noura Al-Jizawi, Siena Anstis, Kristin Berdan, and Ron Deibert; Citizen Lab; 09/13/2021

    “Citizen Lab forwarded the artifacts to Apple on Tuesday, September 7. On Monday, September 13, Apple confirmed that the files included a zero-day exploit against iOS and MacOS. They designated the FORCEDENTRY exploit CVE-2021-30860, and describe it as “processing a maliciously crafted PDF may lead to arbitrary code execution.””

    Better watch out for the .gifs that are actually pdfs. Arbitrary code execution could be the result. Yikes! It’s certainly the kind of exploit that sounds like something NSO Group would be behind. And when it comes to this specific attribution, the pattern recognition based on two key pieces of technical evidence tying it back to NSO Group really does seem to be pretty solid evidence. The problem will be if the same clues are used in the future to tie hacks back to NSO Group. Anyone can make their malware leave behind these pieces of evidence. In other words, done right, the pattern recognition approach is kind of a one-off for a given pattern. Or at least until you share the pattern:

    ...
    We observed multiple distinctive elements that allowed us to make a high-confidence attribution to NSO Group:

    * The spyware installed by the FORCEDENTRY exploit exhibited a forensic artifact that we call CASCADEFAIL, which is a bug whereby evidence is incompletely deleted from the phone’s DataUsage.sqlite file. In CASCADEFAIL, an entry from the file’s ZPROCESS table is deleted, but not entries in the ZLIVEUSAGE table that refer to the deleted ZPROCESS entry. We have only ever seen this type of incomplete deletion associated with NSO Group’s Pegasus spyware, and we believe that the bug is distinctive enough to point back to NSO. The specific CASCADEFAIL artifact can be detected by

    SELECT "CASCADEFAIL" FROM ZLIVEUSAGE WHERE ZLIVEUSAGE.ZHASPROCESS NOT IN (SELECT Z_PK FROM ZPROCESS);

    * The spyware installed by the FORCEDENTRY exploit used multiple process names, including the name “setframed”. That process name was used in an attack with NSO Group’s Pegasus spyware on an Al Jazeera journalist in July 2020. Notably, we did not publish that detail at the time.
    ...

    So we’ll see if there are more types of super-malware discovered with these technical details, and whether or not they’ll contain these technical details and get attributed back to NSO Group. But while it’s hard to have much sympathy for the company being set up to take the blame for other hackers, the fact that every hack misattributed to NSO Group is the cover story for another hacker is actually worth keeping in mind, quite possibly one of NSO Group’s competitors. Competitors with client governments feeling extra embolded too.

    Posted by Pterrafractyl | September 21, 2021, 10:55 pm
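The two indicators the Citizen Lab report describes above are both things a defender can check for in an iTunes backup: attachments under Library/SMS/Attachments whose ".gif" name disagrees with what the bytes actually are (the report found PSD and PDF files named that way), and the CASCADEFAIL artifact, ZLIVEUSAGE rows in DataUsage.sqlite whose ZHASPROCESS points at a ZPROCESS row that is no longer there. The script below is an added example, not Citizen Lab's tooling and not anything from NSO Group. It builds a constructed backup directory (sample files and a reduced DataUsage.sqlite containing only the Z_PK, ZPROCNAME and ZHASPROCESS columns the query touches, which is an assumption about the schema, not the real table layout), then runs both checks. The orphan-row query is the report's, with the selected column changed to Z_PK and an ORDER BY added so the caller can see which rows are affected.

```python
"""Added example (not Citizen Lab's code): triage a backup for the two
FORCEDENTRY indicators described in the report -- attachments whose
extension does not match their real format, and CASCADEFAIL orphan rows
in DataUsage.sqlite. All sample data is constructed inline; the reduced
DataUsage.sqlite schema is an assumption, not the real table layout."""
import os
import sqlite3
import tempfile

# File signatures for the formats named in the report. GIF starts with
# "GIF87a"/"GIF89a", PDF with "%PDF-", Adobe PSD with "8BPS".
MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"8BPS": "psd",
}


def sniff_type(head: bytes) -> str:
    """Classify a file by its leading bytes; 'unknown' if nothing matches."""
    for signature, kind in MAGIC.items():
        if head.startswith(signature):
            return kind
    return "unknown"


def find_disguised_attachments(attachments_dir: str):
    """Return (filename, claimed_extension, actual_type) for every file whose
    extension claims one format but whose bytes carry another signature."""
    findings = []
    for name in sorted(os.listdir(attachments_dir)):
        path = os.path.join(attachments_dir, name)
        if not os.path.isfile(path):
            continue
        claimed = os.path.splitext(name)[1].lstrip(".").lower()
        with open(path, "rb") as fh:
            actual = sniff_type(fh.read(8))
        if claimed and actual != "unknown" and actual != claimed:
            findings.append((name, claimed, actual))
    return findings


# The report's CASCADEFAIL query, selecting the orphan row's key instead of a
# constant, with ORDER BY added so results are deterministic.
CASCADEFAIL_QUERY = """
    SELECT ZLIVEUSAGE.Z_PK
      FROM ZLIVEUSAGE
     WHERE ZLIVEUSAGE.ZHASPROCESS NOT IN (SELECT Z_PK FROM ZPROCESS)
     ORDER BY ZLIVEUSAGE.Z_PK;
"""


def find_cascadefail(db_path: str):
    """Return Z_PK of ZLIVEUSAGE rows that reference a deleted ZPROCESS row."""
    con = sqlite3.connect(db_path)
    try:
        return [row[0] for row in con.execute(CASCADEFAIL_QUERY)]
    finally:
        con.close()


def triage(backup_root: str) -> dict:
    """Run both checks against a backup laid out like the report describes."""
    attachments_dir = os.path.join(backup_root, "Library", "SMS", "Attachments")
    db_path = os.path.join(backup_root, "DataUsage.sqlite")
    return {
        "disguised": find_disguised_attachments(attachments_dir),
        "cascadefail": find_cascadefail(db_path),
    }


def build_sample_backup() -> str:
    """Constructed backup: one real GIF, a PSD and a PDF both named .gif, a
    text file, and a DataUsage.sqlite with an orphaned usage row."""
    root = tempfile.mkdtemp(prefix="forcedentry-triage-")
    attachments_dir = os.path.join(root, "Library", "SMS", "Attachments")
    os.makedirs(attachments_dir)
    samples = {
        "a1b2c3d4e5.gif": b"8BPS" + b"\x00" * 12,        # PSD bytes, .gif name
        "b9x8w7v6u5.gif": b"%PDF-1.7\n% constructed\n",  # PDF bytes, .gif name
        "note.txt": b"just text",
        "real.gif": b"GIF89a" + b"\x00" * 12,
    }
    for name, data in samples.items():
        with open(os.path.join(attachments_dir, name), "wb") as fh:
            fh.write(data)
    con = sqlite3.connect(os.path.join(root, "DataUsage.sqlite"))
    con.executescript("""
        CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, ZPROCNAME TEXT);
        CREATE TABLE ZLIVEUSAGE (Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER);
        INSERT INTO ZPROCESS VALUES (1, 'example-app-a'), (2, 'example-app-b');
        INSERT INTO ZLIVEUSAGE VALUES (10, 1), (11, 2), (12, 2);
        -- Incomplete clean-up: the process row goes, its usage rows stay.
        DELETE FROM ZPROCESS WHERE Z_PK = 2;
    """)
    con.commit()
    con.close()
    return root


if __name__ == "__main__":
    print(triage(build_sample_backup()))
```

Running it against the constructed backup flags the two disguised .gif files and the two ZLIVEUSAGE rows (11 and 12) left pointing at the deleted process. On a real backup the schema has many more columns, and, as the commenter notes, a clean result says nothing about malware that does not leave these particular artifacts behind.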
