Move over COVID. 2021 is turning out to be another year of the digital virus. One massive hacking story after another. Unrelated stories in many cases, we are told. In particular:
1. The SolarWinds mega-hack announced in December of 2020, blamed on Russia. Specifically, blamed on the hacking group known as ‘Cozy Bear’/APT29/Pawn Storm. Microsoft dubbed them Nobelium.
2. The Microsoft Exchange mega-hack disclosed in March 2021, blamed on China. Specifically, blamed on a previously unidentified state-backed group Microsoft dubbed Hafnium.
3. The revelations about NSO Group’s oversight (or lack thereof) of its powerful spyware sold to governments around the world.
4. The emerging story of Candiru, one of NSO Group’s fellow “commercial surveillance vendors”, selling toolkits overflowing with zero-day exploits, specializing in targeting Microsoft products.
But how unrelated are these stories? That’s the big question we’re going to explore in this post. A question punctuated by another meta-story we’ve looked at many times before: the meta-story of a cyberattribution paradigm seemingly designed to allow private companies and governments to concoct an attribution scenario for whatever guilty party they want to finger. As long as there was some sort of ‘clue’ found by investigators — like a piece of Cyrillic or Mandarin text, or malware previously attributed to a group — these clues were strung together in a “pattern recognition” manner to arrive at a conclusion about the identity of the perpetrators. Attribution conclusions often arrived at with incredible levels of confidence. Recall how the Japanese cybersecurity firm TrendMicro attributed a 2017 US Senate email phishing campaign to ‘Pawn Storm’/Fancy Bear with 100 percent certainty, and they made this highly certain attribution based heavily on how similar the hack was to the 2017 hacks of Emmanuel Macron’s emails via a phishing campaign that TrendMicro attributed at the time with 99 percent certainty to Pawn Storm/Fancy Bear. And yet ANSSI, the French government’s cybersecurity agency, was leaving open the possibility that the hack could be the work of “other high-level” hackers trying to pin the blame on “Pawn Storm” (another name for “Fancy Bear”). TrendMicro was making 99 percent certain attributions that the French government said could be any range of actors. That was the state of affairs for cyberattributions in 2017 and nothing has changed in the years since. Highly certain attributions continued to be piled on top of highly certain attributions — almost always pointing towards Russia, Iran, China, or North Korea — built on a foundation of what appears to be largely guesswork. Often highly motivated guesswork.
It’s that willingness by cybersecurity firms and governments to make strong ‘100 percent certain’ declarations about who was behind a hack, based on seemingly no compelling evidence, that continues to plague our collective understanding of global digital threats. A lack of understanding that could have grave global implications going forward. Because as we’re going to see, the repeated prevailing narrative encouraging the public to fixate their hacking fears on Russian and Chinese hackers is a narrative that conveniently leaves out the explosion over the last decade of a global industry of powerful, legal, cutting-edge spyware sold to governments around the world. Dozens of governments that didn’t previously have access to spyware of this caliber. In other words, the default ‘Russia or China did it!’ narrative acts as a cover story to deflect suspicions from all the other countries (or private entities) with access to the kind of spyware previously assumed to be exclusive to a handful of nations with known powerful hacking capabilities.
Also looming large in this discussion is the “ShadowBrokers” story of 2016 and the leak of Vault7, the CIA’s hacking toolkit that included features explicitly designed to confuse this “pattern recognition” approach to cyberattribution. The toolkit literally contained features that injected Cyrillic or Mandarin or other ‘clues’ into the malware code. This was all revealed months before TrendMicro made its ‘100 percent certain’ attribution of the Macron email hacks based on pattern recognition. And yet, other than the acknowledgment by France’s ANSSI that someone could be intentionally leaving false ‘clues’, the story of the ShadowBrokers and the digital ‘clues’ left by Vault7 did not appear to impact the reporting or analysis of the Macron hack in any meaningful way. It’s a big part of the meta-story here: no matter how many reports come out that should raise major questions about the quality of current cyberattributions based on “pattern recognition”, nothing actually changes in terms of how the cybersecurity industry carries out its attributions.
For example, as we’re going to see, when the SolarWinds hack was first uncovered, it was a team led by Adam Meyers, the vice president for threat intelligence at CrowdStrike, who first examined the hack. In an interview describing their early investigation, Meyers claimed to be fully expecting to find some sort of ‘cultural artifact’ like Cyrillic or Mandarin and expressed dismay that nothing was found. They nonetheless attributed the hack to Russia. We’re never given a clear explanation why. The whole episode, and Meyers’s shock at the lack of any ‘clues’, suggests that elite cybersecurity firms like CrowdStrike are not only willing to utilize “pattern recognition” to carry out these attributions but are routinely doing so, raising the question of whether or not hackers these days simply know to leave ‘clues’ in order to satisfy the cybersecurity industry and its clients.
Now, when we learn that it was CrowdStrike who led the SolarWinds hack investigation relying heavily on looking for ‘cultural artifacts’ in the malware, it’s also important to recall how CrowdStrike itself was literally founded in 2011 by Dmitri Alperovitch on the conviction that hacks should be responded to with clear public attributions as a primary means of warding off future attacks. Before CrowdStrike, the idea of publicly naming culprits was anathema in the cybersecurity industry, in large part because it is so difficult to truly know who the culprit is due to the hall-of-mirrors nature of digital evidence. So in that sense, we shouldn’t at all be surprised to learn that CrowdStrike continues to make baseless attributions. It’s CrowdStrike’s business model.
As we’re also going to see, it’s not like the cybersecurity industry always plays dumb about the possibility of actors spoofing the ‘pattern recognition’ methods by intentionally leaving ‘clues’ like Cyrillic. When the SolarWinds mega-hack story broke, it broke in the wake of a disclosure by cybersecurity firm FireEye that its own “Red Team” suite of hacking tools — kits of known exploits used to test clients’ systems for vulnerabilities — was stolen by unknown hackers. Immediately, experts warned how a toolkit like that could be used by governments to cover their tracks. But that’s really the only time we’re going to see this kind of basic insight plainly stated. Right at the start of it, with the FireEye attack. For the rest of the time, this obvious problem with our global cyberattribution regime is systematically ignored. Still.
NSO Group: A Quick Review
First, recall how NSO Group first came to the public’s attention in relation to Michael Flynn’s appointment in May of 2016 to the advisory board of OSY Technologies and his consulting work for Francisco Partners. Francisco Partners was NSO Group’s owner at the time and OSY happened to be an NSO Group offshoot.
Next, recall how Francisco Partners ended up selling NSO Group to a European private equity firm, Novalpina, in early 2019 following the international outrage over the role NSO Group’s malware played in the assassination of Jamal Khashoggi. We’re going to learn more about that sale and why it happened (hint: Saudi Arabia’s access to that spyware was part of a larger diplomatic process).
So the picture that had already emerged about NSO Group was that of a provider of cutting-edge hacking toolkits to governments around the world, but also a point of leverage in Israel’s own diplomatic toolkit. It was the kind of corporate profile that suggests any scandals involving NSO Group are implicitly government-related scandals. And that picture of a company that distributes powerful hacking tools as part of Israel’s diplomatic efforts gets all the more intriguing when we factor in the chapter of the #TrumpRussia saga involving Michael Flynn, Erik Prince, Michael Cohen, and the Saudi/UAE scheme to build nuclear power plants across the Middle East (except for Iran). In other words, there’s no way of separating the NSO Group story from the larger story of the warming relationship between Israel and its Sunni allies in a regional alliance against Iran, and the still-unresolved agenda of Michael Flynn, Erik Prince, and the network of other US conservatives in Donald Trump’s orbit who had major agendas of their own involving the Middle East.
That’s all part of the context we’re going to have to keep in mind when reading about these new revelations that appear to show the widespread use of NSO Group’s powerful malware against a number of journalists, activists, and even government ministers around the world. And the more we learn about the history of NSO Group, the clearer it becomes that NSO Group’s malware has been secretly used by dozens of governments around the world for at least a decade now.
And as we’re going to see with the story of Candiru, it’s important to keep in mind that NSO Group is merely one of a number of secretive firms selling cutting-edge hacking toolkits to governments around the world. This is a global industry.
Finally, it’s important to keep in mind another major dimension of this story: the explosion of government access to these powerful hacking tools over the last decade has presumably coincided with an explosion of actual hacking. Well, that presumed explosion of actual hacking just happened to coincide with the emergence of highly ‘noisy’ and high-profile ‘Russian hacker’ campaigns. As we’ve seen, following the outbreak of conflict in Ukraine, a number of very publicly visible mass phishing attacks were waged against NATO governments and institutions. It was described by cybersecurity experts as a significant shift in the behavior of Russian government-backed hackers, and yet we were nonetheless told that these high-profile hacks must be coming from Russia despite a lack of any solid technical evidence. It was the rise of the “pattern recognition” form of cyberattribution, which consistently found patterns of “Russian hackers”. Recall how the first hack of the DNC, the 2015 hack, took place amidst a giant phishing campaign that hit 50–60,000 email addresses and was described as very different from traditional Russian government hacker phishing campaigns, which would normally involve just 5 to 6 carefully crafted phishing emails. Nothing has done a more effective job of obscuring from the global public the emergence of this global super-hacking capability than the prevailing narrative that all hacks are being done by Russia and China. Hardly anyone even bothers asking if it could be anyone else anymore.
Let’s not forget that the globalization of NSA-level spyware was one of the obvious possible logical conclusions of the Snowden affair. Yes, it was remarkable what a stunning edge the NSA had over almost every other government. A desire for a leveling of the playing field was understandable, and the globalization of super-spyware is one of the obvious ways to achieve that. There are no easy answers on this topic. It’s a ‘lesser evil’ situation.
So we have to ask: what role have these very high-profile public mass hacking campaigns waged over the last decade and blamed on ‘Russian hackers’ (or ‘Chinese hackers’) played in obscuring the reality that dozens of governments around the world suddenly got access to quiet super hacking tools? The timing sure has been convenient. And it’s not hard to imagine that the high-profile ‘noisy’ phishing campaigns of the last decade ran simultaneously with zero-click super-malware like NSO Group’s unstoppable WhatsApp exploit malware. One of the key selling points of this NSO Group malware is how difficult it is to detect. A lot of people and organizations have presumably been hacked without ever discovering the source of the hack. How often have organizations over the past decade, especially governments, discovered they were hacked by a company’s ‘legal’ hacker toolkit like NSO Group’s and just assumed it was ‘Russian hackers’ due to the waves of global high-profile ‘Russian hacker’ campaigns? It’s a question that looms ever larger as the client list of this global legal hacking industry continues to grow in the shadows.
**************************
Let’s Play “What’s Wrong With This Picture?”
Ok, so let’s start off with an overview of the articles we’re going to be reviewing. An overview that screams the question “What’s wrong with this picture?”. Again, it’s four major stories. Unrelated stories, we are told: 1. The SolarWinds mega-hack of December 2020 (blamed on Russia). 2. The Microsoft Exchange mega-hack of March 2021 (blamed on China). 3. Revelations of NSO Group abuses. 4. Revelations that Candiru is selling cutting-edge spyware specialized in targeting Microsoft’s systems. We are told those are four largely unrelated stories. What’s wrong with this picture?
* December 8, 2020: FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State:
The story that got the ball rolling. At least publicly. Cybersecurity firm FireEye informs the world of a nightmare scenario. FireEye’s “Red Team” code suite was stolen. So whoever managed to hack FireEye obtained a toolkit of virtually all the most powerful known exploits. A digital treasure trove that had suddenly fallen into the hands of whoever already had the wherewithal to pull off this hack. And as experts warned, nation-states could potentially hide their own tracks using this toolkit. This is basically going to be the only time we see an expert admit that governments around the world could be intentionally covering their tracks, an implicit admission of how shoddy contemporary cyberattributions truly are today. So who did it? FireEye wasn’t ready to name a culprit. The FBI announced it was confident the attack was carried out by a nation-state, and while they wouldn’t name a specific nation, it was pretty clear Russia was the prime suspect. No reasons for these suspicions are given.
* December 14, 2020: Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce:
The nightmare explodes. We learn it wasn’t just FireEye after FireEye informs SolarWinds that it was SolarWinds’s own Orion update software that delivered the malware onto FireEye’s systems. It was a rather ominous update given that the same Orion software is on another 18,000 client networks. Oh, and the US was already naming names: It was Russia again. Specifically APT29/Cozy Bear/Pawn Storm, the infamous hacking group thought to work for Russia’s FSB (or SVR, it’s unclear) and that the US claims was behind the first hack of the Democratic National Committee (DNC) in 2015. Cozy Bear was also behind this new mega-hack. That was the line from the US a week after FireEye first announced the hack. Russia did it. No reasons for this attribution are given, of course, but it is treated as more of a given since numerous US government agencies were hit. Simultaneously, we are told that the aggressive nature of this hack was unprecedented for Cozy Bear.
We also get an early important clue about how the SolarWinds hack was carried out: SolarWinds informed the world that it suspects Microsoft’s Office 365 email may have been “an attack vector” used by the hackers. In other words, the SolarWinds hack started with the hack of Microsoft’s products.
* December 15, 2020: FireEye Discovered SolarWinds Breach While Probing Own Hack:
In some additional reporting on the breaking SolarWinds news, we learn that FireEye isn’t actually ready to join the US government in attributing the hack to Russia due to a lack of evidence.
* December 15, 2020: Microsoft’s Role In SolarWinds Breach Comes Under Scrutiny:
More information is coming out about the role Microsoft product vulnerabilities played in the hack. The hackers were tricking Microsoft’s authentication controls. This includes forging authentication tokens for Microsoft’s Azure cloud services and creating password credentials for legitimate processes enabling them to read emails from Microsoft’s Exchange Online cloud-based email service. Keep in mind that the Microsoft-Exchange mega-hack that is announced in March was targeting the non-cloud self-hosted Microsoft Exchange email servers. So when the SolarWinds hackers demonstrate an ability to break into the cloud-based Exchange servers, they were demonstrating a capability that wasn’t exactly the same as that used to execute the Microsoft Exchange mega-hack but awfully close. And yet we will be assured by Microsoft that the Microsoft-Exchange hack was carried out by China.
* December 21, 2020: Treasury Department’s Senior Leaders Were Targeted by Hacking:
The US Treasury Department gives us an update on the scope of the hack. The hackers gained access to agency emails in July 2020, via the manipulation of internal software keys. Specifically, we are told the hackers performed a complex step inside Microsoft’s Office 365 system to create an encrypted “token” that identifies a computer to the larger network. This token allowed the hackers to fool the system into thinking they were legitimate users. So spoofing Microsoft credentials appears to be one of the SolarWinds hackers’ specialties.
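The December 15 and December 21 entries above both describe the same defender-relevant pattern: a credential quietly added to an existing application identity, followed by that identity being granted the right to read mail. The following detector is an added example, not code from the article or from any vendor; it runs over constructed audit records whose field names (`ts`, `activity`, `actor`, `target`, `details`) and activity strings are simplified assumptions modelled on cloud directory audit log exports.

```python
"""Flag service-principal credential additions paired with mail-read grants.

Added example (not from the article or any vendor tool). The record schema and
the activity names are simplified assumptions, and SAMPLE_LOG is constructed
data, not a real tenant's audit trail.
"""
import json
from datetime import datetime, timedelta

CRED_ADD = "Add service principal credentials"             # assumed activity name
ROLE_ADD = "Add app role assignment to service principal"  # assumed activity name
# Application permissions that let a process read mailboxes with no user signed in.
MAIL_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "full_access_as_app"}

# Constructed sample: one JSON record per line. The first two lines show the
# suspicious sequence (new password on an old principal, then Mail.Read granted
# four minutes later); the rest are routine CI activity and a late, unpaired grant.
SAMPLE_LOG = """
{"ts": "2020-07-01T02:10:00Z", "activity": "Add service principal credentials", "actor": "admin@example.invalid", "target": "sp-legacy-sync", "details": "KeyType=Password"}
{"ts": "2020-07-01T02:14:30Z", "activity": "Add app role assignment to service principal", "actor": "admin@example.invalid", "target": "sp-legacy-sync", "details": "AppRole=Mail.Read"}
{"ts": "2020-07-02T09:00:00Z", "activity": "Add service principal credentials", "actor": "ci-owner@example.invalid", "target": "sp-build-bot", "details": "KeyType=AsymmetricX509Cert"}
{"ts": "2020-07-02T09:30:00Z", "activity": "Add app role assignment to service principal", "actor": "ci-owner@example.invalid", "target": "sp-reporting", "details": "AppRole=User.Read.All"}
{"ts": "2020-07-05T11:00:00Z", "activity": "Add app role assignment to service principal", "actor": "admin@example.invalid", "target": "sp-build-bot", "details": "AppRole=Mail.ReadWrite"}
""".strip()


def parse_records(text):
    """Parse newline-delimited JSON records into dicts with a parsed `when` field.

    Blank or malformed lines are skipped so one bad export line does not abort
    the whole sweep. Records are returned in chronological order.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["when"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError):
            continue
        records.append(rec)
    return sorted(records, key=lambda r: r["when"])


def _granted_permission(rec):
    """Return the permission named in a role-assignment record, else None."""
    key, _, value = rec.get("details", "").partition("=")
    return value if key == "AppRole" else None


def find_suspicious(records, window=timedelta(hours=24)):
    """Correlate credential additions with mail-permission grants per principal.

    Severity: "high" when a credential add and a mail grant hit the same
    principal within `window` (either order); "medium" for a credential add on
    its own; "low" for a mail grant with no nearby credential add.
    """
    cred_adds = [r for r in records if r["activity"] == CRED_ADD]
    mail_grants = [r for r in records
                   if r["activity"] == ROLE_ADD
                   and _granted_permission(r) in MAIL_PERMISSIONS]
    findings, paired = [], set()
    for cred in cred_adds:
        match = next((g for g in mail_grants
                      if g["target"] == cred["target"]
                      and abs(g["when"] - cred["when"]) <= window), None)
        if match is not None:
            paired.add(id(match))
            findings.append({"target": cred["target"], "severity": "high",
                             "reason": "credential added and %s granted within %s"
                                       % (_granted_permission(match), window)})
        else:
            findings.append({"target": cred["target"], "severity": "medium",
                             "reason": "new credential on existing service principal"})
    for grant in mail_grants:
        if id(grant) not in paired:
            findings.append({"target": grant["target"], "severity": "low",
                             "reason": "%s granted to application"
                                       % _granted_permission(grant)})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_records(SAMPLE_LOG)):
        print("[%s] %s: %s" % (f["severity"].upper(), f["target"], f["reason"]))
```

The sample produces one high finding (sp-legacy-sync), one medium (the build bot's new certificate) and one low (the later Mail.ReadWrite grant), which is the triage order a reviewer would want.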
* February 4, 2021: SolarWinds CEO Confirms Office 365 Email ‘Compromise’ Played Role In Broad-Based Attack:
It’s confirmed! SolarWinds confirms the hack started via a compromised Microsoft Office 365 email account. The hackers used a previously unknown zero-day vulnerability in Microsoft’s Office 365 email software to gain access to and exploit the development environment for SolarWinds Orion.
But beyond that, we learn that 30 percent of the private sector and government victims of the colossal hacking campaign had no direct connection to SolarWinds. It’s the kind of revelation that raises the disturbing question of whether or not these hackers had some other yet-to-be-discovered technique for infiltrating networks. Which obviously raises a number of questions about whether or not other Microsoft exploits were being used by these hackers. After all, the hackers managed to infiltrate SolarWinds’s own network via a zero-day Microsoft exploit. Why wouldn’t it work elsewhere? In other words, the SolarWinds mega-hack might actually be part of an even larger Microsoft super-mega-hack. A still unrecognized super-mega-Microsoft-hack.
* February 05, 2021: Microsoft: No Evidence SolarWinds Was Hacked Via Office 365:
Not true! None of it! That’s the line from Microsoft a day after SolarWinds’s CEO appears to confirm that the exploitation of a Microsoft Office 365 email vulnerability wasn’t just used in the hack but used to execute the initial compromise of SolarWinds’s software development environment. Microsoft does admit that Microsoft services were indeed targeted by the SolarWinds hackers, but insists that the hackers gained privileged credentials in another way, implying it was due to software configuration issues on the client end and not due to vulnerabilities in Microsoft’s products. And what about all the reports from SolarWinds and the US government that they found evidence of an Office 365 email exploit? “As we said at the time, and based upon all investigations since, we have found no indications that our systems were used to attack others.” That was Microsoft’s line. Still.
* February 19, 2021: SolarWinds Hackers Kept Going After Microsoft Until January:
Microsoft gave us an update on its SolarWinds investigation. The company acknowledged that its own networks were plundered during the attack, and even some of its source code was stolen. The source code reportedly involved the cloud-based versions of Azure, Intune, and Exchange (email server software). We are also told the hackers were searching Microsoft’s networks for useful secrets like API keys, credentials, and security tokens that may have been embedded in the source code.
* March 5, 2021: At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software:
A new mega-hack is upon us! Back-to-back mega-hacks. This time Microsoft is the main target. The software giant informed the world that hundreds of thousands of Microsoft Exchange Servers were attacked around the world. The attack was first detected by Volexity on January 6, during the Capitol insurrection, with a large download to an illegitimate user, although days later Volexity issued an update that it found evidence of the attack starting on January 3rd. Days later this quiet hack exploded into a loud global ransacking. Virtually every self-hosted Microsoft Exchange email server in the world connected to the internet was hit over the next two months. Or at least is assumed to have been hit. That’s a lot of hacked email. And potentially voicemail. Microsoft was continuing to assure us the hack had nothing to do with the SolarWinds hack, and also that the SolarWinds hack had nothing to do with any Microsoft vulnerabilities. They were seriously touting the ‘don’t worry about Microsoft security’ line during the Exchange mega-hack disclosure.
* March 10, 2021: Microsoft Exchange Hack Could Be Worse Than SolarWinds:
With more information about the Hafnium hack coming in, the more this is looking like the worst worst-case scenario. Or at least worse than the SolarWinds hack, which would make this the worst yet. Literally the worst hack ever. So far. Give it a few months.
The hack started on Jan 3, with “Hafnium” quietly hacking away at dozens of targets until Microsoft issued a patch in early March. At that point, it was a criminal free-for-all race that included at least a dozen more criminal actors.
A big part of what makes it the worst hack ever is the scale, with potentially hundreds of thousands of Exchange email servers all hit in short order, and this is an attack that can be automated. The hackers needed scripts and time to let the scripts do their work.
But another part of what arguably makes this the worst hack ever is that the ability to remotely take over the Exchange server software doesn’t just potentially give the hackers the ability to read emails. It also potentially gives hackers the ability to compromise the Microsoft Active Directory system, which is the system used for ID authentication across the Microsoft ecosystem of software. So if you corrupt the Active Directory system on a computer, you can potentially get super-user access to all the Microsoft software running on that computer’s network. And the catch here is that Microsoft Exchange server only runs on Windows. So anyone running it is running it on a Windows Server operating system. So compromising the Active Directory system on the computer running the Microsoft Exchange server software can hand over complete control of the server. This also means the hackers could have burrowed in all sorts of hidden backdoors all over the victim networks. This was a huge, deep hack.
But here’s the big detail we learn from Ed Hunter, CISO at Infoblox, a cybersecurity company, who is commenting to a reporter about the hack: the vulnerability has been present in the Microsoft Exchange codebase for a decade. As Hunter put it, “one has to wonder how long this vulnerability has been a closely held – and used – tool in this threat actor’s toolbox.”
And, again, it was just two weeks earlier that Microsoft disclosed that the SolarWinds hackers stole Exchange source code for the cloud-based version of Exchange. But in this case, it was the self-hosted Exchange servers that got hacked. All of them. Hundreds of thousands of email servers around the world. Also keep in mind the SolarWinds hackers had already demonstrated zero-day abilities to manipulate Microsoft’s credential systems. So this hack sure seems closely related to the SolarWinds hackers, and yet Microsoft confidently assured us that this had nothing to do with the SolarWinds hack and was in fact carried out by a state-backed Chinese hacking group Microsoft dubbed “Hafnium”.
* April 16, 2021: A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack:
Four months after it was first announced, NPR has a big piece on the then-untold story of how the hack unfolded. By that point, the Biden White House was unequivocally stating Russian intelligence was behind it. While the reason Russia is given the attribution is, as always, never given, there was by now enough known about the hack to determine that these really were exceptional hackers. Multiple never-before-seen “zero-day” exploits were utilized. Beyond that, the malware was introduced into the SolarWinds software development pipeline at the very last possible moment, during the compilation process, allowing it to evade the standard security checks for unwanted software. It was a proof of concept that could be used against anyone else using the same compilation software (they didn’t name the software). This ability to use the attack against other software developers is particularly acute when we recall that this attack created backdoors on the networks of many of the largest software developers in the world. Including Microsoft. Yikes.
And it’s in this April 2021 NPR piece where we get further confirmation of something that has long been clear but is rarely said out loud so clearly: contemporary cyberattribution really does rely heavily on ‘clues’ like Cyrillic characters or Mandarin in the code, and such ‘clues’ are frequently found. At least that’s how Adam Meyers, the vice president for threat intelligence at CrowdStrike, described his approach to determining the identity of the SolarWinds hackers. And he was leading the team that first investigated it. Meyers expresses dismay at how thorough the hackers were. Thorough in the sense that there was no ‘cultural artifact’ like Cyrillic or Mandarin. Meyers describes the lack of anything that a human might have inadvertently left behind as a clue as “mind-blowing”. He described the tiny piece of malware used in the initial SolarWinds hack — distributed to all 18,000 clients via the Orion software — and its lack of clues as “the craziest f***ing thing I’d ever seen.” So this update on the SolarWinds investigation includes an update on the general state of affairs in cyberattribution. A state of affairs where malware that’s cleaned and lacks a ‘cultural artifact’ is “the craziest f***ing thing I’d ever seen.” This is a good time to recall the story of the Shadow Brokers and the CIA’s hacking toolkit that included features like leaving Cyrillic or Mandarin characters to leave a false lead. This was confirmed just four years ago. Everyone really is playing dumb here. Double yikes.
* April 23, 2021: SolarWinds hacking campaign puts Microsoft in the hot seat:
Microsoft’s terrible, horrible, no good, very bad year continues. A week after that big NPR piece on SolarWinds, we learn new significant details on the SolarWinds hack in a new report put out by The Atlantic Council. The kind of details that have Microsoft scrambling for explanations. And culprits. Again. It turns out the delivery of the backdoor malware via the SolarWinds Orion updating software was just the first phase of the mega-hack. Once the hackers used those backdoors to gain access to victims’ networks they continued to exploit more vulnerabilities. In particular Microsoft vulnerabilities involving how Microsoft products validate user identities. Now, part of the reason Microsoft vulnerabilities were heavily targeted was because, well, these vulnerabilities exist. But the other big reason is that Microsoft has more than 85% of the market share for government and industry. In other words, the juiciest targets — especially government agencies — were almost all running Microsoft tools on their networks. Microsoft continued to deflect blame, suggesting poorly configured software by the clients was the cause. But according to Senator Ron Wyden, the software Microsoft supplies to US federal agencies is itself poorly configured with default log settings that won’t capture the information needed to catch attacks while they’re in progress.
* May 28, 2021: Microsoft says group behind SolarWinds hack now targeting government agencies, NGOs:
Cozy Bear/APT29/“Nobelium” is back at it. They’re up to their old tricks, according to Microsoft. Targeted phishing, with organizations who signed up to receive communications from USAID being the targets. 3,000 email accounts at more than 150 different organizations. Somehow, the hackers managed to mimic emails from the firm Constant Contact, the firm that handles USAID’s email communications, to make it look like a USAID communication. At least a quarter of the targeted organisations were involved in international development, humanitarian issues and human rights work. The US and UK blame Russia’s SVR (the same agency Cozy Bear/APT29 is said to work for, along with the FSB).
How did Microsoft determine that this was done by the same hackers who pulled off the SolarWinds hack? That’s never explained. It’s not due to technical similarities. In fact, the Microsoft blog post describing this USAID phishing scheme explicitly states that this new attack had few technical similarities to the SolarWinds hack and suggests the hackers intentionally changed their tactics after the SolarWinds hack was uncovered. Four new zero-day pieces of malware were deployed on the computers of the victims that clicked on the malicious link, so keep in mind that if this was the same hacking group that is involved with the SolarWinds hack and/or Microsoft Exchange hack, this crew is sporting a significant number of zero-day exploits.
* June 25, 2021: Microsoft says new breach discovered in probe of suspected SolarWinds hackers:
Cozy Bear/APT29/“Nobelium” is at it again. Again. This time, Microsoft tells us the hackers somehow hacked a Microsoft agent who had access to Microsoft customer support tools with subscription information. Of course, we’ve already been told about how the SolarWinds hackers stole code involving how Microsoft tools verify identities, and the same hackers reportedly pulled this hack off. So it’s not hard to imagine some of those stolen insights were used to carry out this hack. But we aren’t told much else from Microsoft other than that it was definitely the SolarWinds hackers who are definitely working for the Russian state. Of that they are sure. Always and forever, except when it’s China.
* July 4, 2021: SolarWinds: How Russian spies hacked the Justice, State, Treasury, Energy and Commerce Departments:
Less than two weeks later, CBS has an article with more interviews of figures involved with the SolarWinds hack investigation, including Brad Smith, president of Microsoft. Smith points to the list of US government agencies hit by the hack and insists that means it was a foreign intelligence collection mission (which ignores the 18,000 other, largely commercial, victims also hit). The piece reveals that the SolarWinds hackers were on US federal networks reading emails and other traffic for months.
It ends with an interview of Jon Miller, who runs Boldend, a company that sells cutting-edge cyber weapons to US intelligence agencies. Miller observes that the notable thing about the SolarWinds hack wasn’t the sophistication. He builds things much more sophisticated (presumably for his US intelligence clients). Instead, what makes this attack stand out is how aggressive it was. It’s the kind of assessment that suggests a lot of different actors could have pulled off this attack for some time and someone finally did it.
Miller also reminds us of another crucial aspect of both the SolarWinds and Exchange mega-hacks: It would be trivial to turn those backdoors into digital bombs that destroy victim networks. In other words, these mega-hacks could have been A LOT more damaging had the hackers wanted them to be. And since the hackers likely embedded themselves in victim networks in ways not yet detected, they could decide to unleash those digital bombs in the future if they choose to.
* July 15, 2021: Microsoft says Israeli group sold tools to hack Windows:
CitizenLab put out a report on an Israeli commercial hacking group behind malware discovered targeting Windows. But Candiru’s toolkit doesn’t just hit Microsoft products. It appears to be the same company to which Google had just attributed a set of additional zero-day exploits targeting Google’s products, exploits that Citizen Lab also connected to Candiru. So Microsoft and Google both announced the discovery of Candiru zero-day exploits at roughly the same time.
* July 15, 2021: Microsoft says it blocked spying on rights activists, others:
In some more reporting on Candiru, we learn that the company goes by several names. We also learn that its spyware “infrastructure” includes websites “masquerading as advocacy organizations” such as Amnesty International and Black Lives Matter.
* July 15, 2021: Safari Zero-Day Used in Malicious LinkedIn Campaign:
More on Google’s Threat Assessment Group (TAG) security announcement. A Russian-language group was exploiting a vulnerability in the Safari browser on iOS systems. Malicious links that triggered the vulnerability were being sent to Western European government officials through LinkedIn’s direct message app. It is noted that the malicious link campaign coincided with “Nobelium’s” USAID phishing campaign in May targeting Windows devices.
In this same report, Google’s TAG announced a new exploit it discovered that was used against Armenian activists in April: a zero-day exploit against Microsoft’s Internet Explorer.
The TAG team also announced three new zero-day exploits attributed to an unnamed “commercial surveillance vendor” (Candiru). Two vulnerabilities in Google’s Chrome and one in Microsoft’s Internet Explorer. These exploits were also used against Armenian targets but we are told that this was a separate campaign from the other Armenian hack, with one of the Chrome exploits discovered in February and the second in June.
Finally, the article notes that security researchers had identified 33 zero-day vulnerabilities up to that point in 2021, which is 11 more than the 22 total found in 2020. That’s triple the rate of the previous year, which itself was a record year.
* July 17, 2021: Israeli Companies Aided Saudi Spying Despite Khashoggi Killing:
NSO Group’s recent headache has begun. The New York Times has an update on NSO Group and long-standing questions about the extent to which the license given to countries to buy NSO Group’s super-spyware is used as a tool of Israel’s foreign policy. It’s a question that relates to more than NSO Group but the entire Israeli ‘commercial surveillance’ industry that governments around the world turn to. As we should have expected, it turns out the super-spyware suites like NSO Group’s Pegasus software aren’t just super-spyware suites. They’re also diplomatic tools for the Israeli government. And that means sometimes NSO Group might effectively be forced to keep selling to clients like Saudi Arabia even when its relationship with those clients becomes toxic. That’s apparently what happened following the Saudi government’s assassination of Jamal Khashoggi. NSO Group canceled the Saudi contract only to be pressured by the Israeli government to renew it. NSO Group was ultimately sold to new private equity owners and proceeded to renew the Saudi contract.
But the NSO Group story reveals a far more legitimate excuse for its apparent negligence in regulating its super-spyware: the Israeli government approves of these sales. If you want a subscription for Pegasus, you better make sure you’re on at least decent terms with the Israeli government. It’s pretty
* July 18, 2021: Private Israeli spyware used to hack cellphones of journalists, activists worldwide:
The Washington Post follows up with a huge report that confirmed a bunch of other things that have been suspected about NSO Group: People have long accused the company of not having any safeguards to ensure the super-spyware it sells to governments around the world is only used to track ‘terrorists and criminals’. And, yep, there are basically no safeguards. It’s up to the government to promise not to abuse the super-spyware. Although there are geographic limitations. The spyware was configured to not work on US-based smartphones and could be limited to certain countries. But how it was used inside those approved geographic areas was up to the governments. In other words, Pegasus was abused. A lot. At least that’s according to an investigation released by Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International.
How much abuse of the NSO Group’s super-spyware has been taking place? Well, this report was based on thousands of leaked phone numbers that were purportedly the target phone numbers of NSO Group’s feared Pegasus spyware. Almost unstoppable spyware suites that can hit almost any smartphone. And if those thousands of numbers really are an accurate target list, it was rampant abuse, with activists and rival politicians frequently on the target list. 60 government agencies in 40 countries were allowed to buy subscriptions to the software and, again, they policed themselves.
NSO Group’s defense against charges that it was knowingly allowing governments to abuse its super-spyware was to point out that the company doesn’t police how governments use its software. It really is up to the governments to police themselves, as confirmed by this study and the rampant abuse it reveals. It’s not actually a great defense if you think about it, but it gets better when you keep in mind this is all sanctioned and encouraged by the Israeli government (and probably the US government).
* July 19, 2021: Microsoft Exchange hack caused by China, US and allies say:
The US formally accuses Chinese state-backed hackers of carrying out the Microsoft Exchange mega-hack. At the same time, the US Justice Department announced charges against four Chinese nationals who prosecutors said were working with China’s Ministry of State Security in a different hacking campaign that targeted dozens of computer systems, including companies, universities and government entities. But beyond that, the US accused these state-backed Chinese hackers of carrying out ransomware and other for-profit extortion hacks for their own personal enrichment. In fact, an administration official told reporters that the formal attribution of the Exchange hack to China took this many months (recall Microsoft did it immediately) in part because of the ransomware and for-profit hacking operations. In other words, the hackers the US was accusing of working on behalf of the Chinese state were behaving like regular criminals. But we are nonetheless assured that, no, they were working for China. Dmitri Alperovitch — co-founder of CrowdStrike and the guy who pioneered the modern approach of making loud evidence-free hacking accusations against countries as a means of preventing future attacks — expresses a sense of puzzlement that sanctions against China haven’t been declared yet.
* July 20, 2021: China says Microsoft hacking accusations fabricated by US and allies:
The US’s allies (the UK, New Zealand, Australia, and EU) join the US in jointly condemning China for the Microsoft Exchange mega-hack. Anonymous Western security sources tell reporters that they believe Hafnium knew Microsoft was going to plug the Exchange vulnerability and so shared it with other China-based hackers, culminating in the giant global smash-and-grab. It’s another indication that the Microsoft Exchange mega-hack has the appearance of being a criminal smash-and-grab event and we are now told that this was all how China planned it to play out. And we are also told that Microsoft was about to plug this massive vulnerability but was thwarted by Chinese spies or something. The facts and details may change, but two things always stay the same: China did it and this definitely didn’t involve the SolarWinds hack.
* July 22, 2021: France’s Macron changes phone in light of Pegasus case:
The NSO Group scandal gets extra awkward when Emmanuel Macron’s administration officially acknowledges that it changed Macron’s mobile phone and phone number after the number showed up on a list of potential targets for surveillance by Morocco in the report by Forbidden Stories and Amnesty International. Israel has formed an inter-ministerial team to look into the export licenses issued by the Defence Export Controls Agency (DECA). NSO Group continues to defend itself by reiterating that it doesn’t know the identities of the people targeted by Pegasus. The company can, however, retroactively acquire the target lists in the event of a complaint and unilaterally shut down the offending government’s subscription following an investigation. So oversight only happens if a complaint is issued over the abuse of the super-secret difficult-to-find spyware. There presumably aren’t very many complaints.
*******************************
That’s the story we are being asked to buy. Or rather, those are the stories we are being asked to buy. Breaking stories about two record-breaking mega-hacks and revelatory stories about two cutting-edge ‘commercial surveillance vendors’ licensing and selling zero-day exploits around the world. Separate stories, at least that’s what we are told. The SolarWinds hack and the Microsoft Exchange hack are two completely separate hacks, one executed by Russia and the other by China. The fact that the SolarWinds hackers possessed Microsoft zero-day exploits and appeared to initiate the hack using those exploits is just ignored. The fact that there is no actual evidence indicating it was Russia or China behind the hacks is also just ignored. And the stories about a massive, powerful global “commercial surveillance” industry selling super-exploits to governments around the world are also just ignored. As are other government hacking toolkits like the CIA’s Vault7, which had features specifically designed to spoof the “pattern recognition” approach to cyberattribution. Ignore all that. It’s a faith-based attribution paradigm, ripe for bad-faith attributions.
FireEye Wakes Up to a “Red Team Tools” Nightmare. Which Could Become Everyone’s Nightmare
December 8, 2020, was a dark day for digital security. A worst case scenario was playing out in real time. Someone hacked the security firm FireEye and stole its “Red Team” code suite, a toolkit of virtually all the most powerful known exploits. And as experts warned, nation-states could potentially hide their own tracks using this toolkit. This is basically going to be the only time we see an expert admit that governments around the world could be intentionally. FireEye wasn’t ready to name a culprit. But the FBI announced it was confident the hack was carried out by a nation-state, and while they wouldn’t name a specific nation it was pretty clear Russia was the prime suspect. No reasons for these suspicions are given:
The New York Times
FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State
The Silicon Valley company said hackers — almost certainly Russian — made off with tools that could be used to mount new attacks around the world.
By David E. Sanger and Nicole Perlroth
Published Dec. 8, 2020 Updated Feb. 6, 2021
WASHINGTON — For years, the cybersecurity firm FireEye has been the first call for government agencies and companies around the world who have been hacked by the most sophisticated attackers, or fear they might be.
Now it looks like the hackers — in this case, evidence points to Russia’s intelligence agencies — may be exacting their revenge.
FireEye revealed on Tuesday that its own systems were pierced by what it called “a nation with top-tier offensive capabilities.” The company said hackers used “novel techniques” to make off with its own tool kit, which could be useful in mounting new attacks around the world.
It was a stunning theft, akin to bank robbers who, having cleaned out local vaults, then turned around and stole the F.B.I.’s investigative tools. In fact, FireEye said on Tuesday, moments after the stock market closed, that it had called in the F.B.I.
The $3.5 billion company, which partly makes a living by identifying the culprits in some of the world’s boldest breaches — its clients have included Sony and Equifax — declined to say explicitly who was responsible. But its description, and the fact that the F.B.I. has turned the case over to its Russia specialists, left little doubt who the lead suspects were and that they were after what the company calls “Red Team tools.”
These are essentially digital tools that replicate the most sophisticated hacking tools in the world. FireEye uses the tools — with the permission of a client company or government agency — to look for vulnerabilities in their systems. Most of the tools are based in a digital vault that FireEye closely guards.
The F.B.I. on Tuesday confirmed that the hack was the work of a state, but it also would not say which one. Matt Gorham, assistant director of the F.B.I. Cyber Division, said, “The F.B.I. is investigating the incident and preliminary indications show an actor with a high level of sophistication consistent with a nation-state.”
The hack raises the possibility that Russian intelligence agencies saw an advantage in mounting the attack while American attention — including FireEye’s — was focused on securing the presidential election system. At a moment that the nation’s public and private intelligence systems were seeking out breaches of voter registration systems or voting machines, it may have been a good time for those Russian agencies, which were involved in the 2016 election breaches, to turn their sights on other targets.
The hack was the biggest known theft of cybersecurity tools since those of the National Security Agency were purloined in 2016 by a still-unidentified group that calls itself the ShadowBrokers. That group dumped the N.S.A.’s hacking tools online over several months, handing nation-states and hackers the “keys to the digital kingdom,” as one former N.S.A. operator put it. North Korea and Russia ultimately used the N.S.A.’s stolen weaponry in destructive attacks on government agencies, hospitals and the world’s biggest conglomerates — at a cost of more than $10 billion.
The N.S.A.’s tools were most likely more useful than FireEye’s since the U.S. government builds purpose-made digital weapons. FireEye’s Red Team tools are essentially built from malware that the company has seen used in a wide range of attacks.
Still, the advantage of using stolen weapons is that nation-states can hide their own tracks when they launch attacks.
“Hackers could leverage FireEye’s tools to hack risky, high-profile targets with plausible deniability,” said Patrick Wardle, a former N.S.A. hacker who is now a principal security researcher at Jamf, a software company. “In risky environments, you don’t want to burn your best tools, so this gives advanced adversaries a way to use someone else’s tools without burning their best capabilities.”
A Chinese state-sponsored hacking group was previously caught using the N.S.A.’s hacking tools in attacks around the world, ostensibly after discovering the N.S.A.’s tools on its own systems. “It’s like a no-brainer,” said Mr. Wardle.
The breach is likely to be a black eye for FireEye. Its investigators worked with Sony after the devastating 2014 attack that the firm later attributed to North Korea. It was FireEye that was called in after the State Department and other American government agencies were breached by Russian hackers in 2015. And its major corporate clients include Equifax, the credit monitoring service that was hacked three years ago, affecting nearly half of the American population.
In the FireEye attack, the hackers went to extraordinary lengths to avoid being seen. They created several thousand internet protocol addresses — many inside the United States — that had never before been used in attacks. By using those addresses to stage their attack, it allowed the hackers to better conceal their whereabouts.
“This attack is different from the tens of thousands of incidents we have responded to throughout the years,” said Kevin Mandia, FireEye’s chief executive. (He was the founder of Mandiant, a firm that FireEye acquired in 2014.)
But FireEye said it was still investigating exactly how the hackers had breached its most protected systems. Details were thin.
Mr. Mandia, a former Air Force intelligence officer, said the attackers “tailored their world-class capabilities specifically to target and attack FireEye.” He said they appeared to be highly trained in “operational security” and exhibited “discipline and focus,” while moving clandestinely to escape the detection of security tools and forensic examination. Google, Microsoft and other firms that conduct cybersecurity investigations said they had never seen some of these techniques.
FireEye also published key elements of its “Red Team” tools so that others around the world would see attacks coming.
American investigators are trying to determine if the attack has any relationship to another sophisticated operation that the N.S.A. said Russia was behind in a warning issued on Monday. That gets into a type of software, called VM for virtual machines, which is used widely by defense companies and manufacturers. The N.S.A. declined to say what the targets of that attack were. It is unclear whether the Russians used their success in that breach to get into FireEye’s systems.
...
On Tuesday, Russia’s National Association for International Information Security held a forum with global security experts where Russian officials again claimed that there was no evidence its hackers were responsible for attacks that have resulted in American sanctions and indictments.
Security firms have been a frequent target for nation-states and hackers, in part because their tools maintain a deep level of access to corporate and government clients all over the world. By hacking into those tools and stealing source code, spies and hackers can gain a foothold to victims’ systems.
McAfee, Symantec and Trend Micro were among the list of major security companies whose code a Russian-speaking hacker group claimed to have stolen last year. Kaspersky, the Russian security firm, was hacked by Israeli hackers in 2017. And in 2012, Symantec confirmed that a segment of its antivirus source code was stolen by hackers.
————
“FireEye revealed on Tuesday that its own systems were pierced by what it called “a nation with top-tier offensive capabilities.” The company said hackers used “novel techniques” to make off with its own tool kit, which could be useful in mounting new attacks around the world.”
FireEye couldn’t say who penetrated their systems. But they nonetheless confidently stated it was the work of “a nation with top-tier offensive capabilities,” an assertion ostensibly rooted in the sophisticated nature of the attack, the discipline of the attackers, and the number of never-before-seen techniques used by these unknown hackers. In other words, a guess based on pattern recognition, not an assertion made with real certainty. FireEye didn’t actually know this attack came from a nation with top-tier offensive capabilities when it made that statement. FireEye couldn’t have truly ruled out a private actor when it made that confident statement. Or a nation without top-tier capabilities that purchased those top-tier capabilities from a top-tier commercial malware provider like NSO Group. But making attributions in cyber attacks is a service FireEye provides. It points towards one of the fundamental binds the cybersecurity industry faces: their clients are paying for answers, whether answers are feasible or not.
And when the FBI turned the case over to its Russia specialist, and ‘confirmed’ the hack was the work of a state, it was pretty clear where the blame was ultimately going to go. That ‘confirmation’ was no doubt predicated in part on the sophistication of the hack. And yet the apparent prize of this hack was FireEye’s “Red Team” tool kit that replicated the most sophisticated hacking tools in the world. Or at least the most sophisticated known hacking tools seen in the wild. It’s implicitly obvious in this very hack that the possession of world-class hacking tools isn’t limited to major nation-states like the US, Russia, and China. Beyond that, we are told how the theft of the FireEye Red Team kit was highly useful to nation-states because it would give them plausible deniability by allowing them to carry out risky hacks without using their ‘zero-day’ exploits, using someone else’s tools instead. All of the details about this story point towards the hall of mirrors nature of cyberattribution investigations:
...
It was a stunning theft, akin to bank robbers who, having cleaned out local vaults, then turned around and stole the F.B.I.’s investigative tools. In fact, FireEye said on Tuesday, moments after the stock market closed, that it had called in the F.B.I.
The $3.5 billion company, which partly makes a living by identifying the culprits in some of the world’s boldest breaches — its clients have included Sony and Equifax — declined to say explicitly who was responsible. But its description, and the fact that the F.B.I. has turned the case over to its Russia specialists, left little doubt who the lead suspects were and that they were after what the company calls “Red Team tools.”
These are essentially digital tools that replicate the most sophisticated hacking tools in the world. FireEye uses the tools — with the permission of a client company or government agency — to look for vulnerabilities in their systems. Most of the tools are based in a digital vault that FireEye closely guards.
The F.B.I. on Tuesday confirmed that the hack was the work of a state, but it also would not say which one. Matt Gorham, assistant director of the F.B.I. Cyber Division, said, “The F.B.I. is investigating the incident and preliminary indications show an actor with a high level of sophistication consistent with a nation-state.”
...
The N.S.A.’s tools were most likely more useful than FireEye’s since the U.S. government builds purpose-made digital weapons. FireEye’s Red Team tools are essentially built from malware that the company has seen used in a wide range of attacks.
Still, the advantage of using stolen weapons is that nation-states can hide their own tracks when they launch attacks.
“Hackers could leverage FireEye’s tools to hack risky, high-profile targets with plausible deniability,” said Patrick Wardle, a former N.S.A. hacker who is now a principal security researcher at Jamf, a software company. “In risky environments, you don’t want to burn your best tools, so this gives advanced adversaries a way to use someone else’s tools without burning their best capabilities.”
A Chinese state-sponsored hacking group was previously caught using the N.S.A.’s hacking tools in attacks around the world, ostensibly after discovering the N.S.A.’s tools on its own systems. “It’s like a no-brainer,” said Mr. Wardle.
...
And as the article reminds us, despite all the hype about the ‘Shadow Brokers’ being a Russian hacker group, the global community has still never truly determined their identity. As is the case with nearly all major hacks, the identities of the perpetrators are ultimately unknowable based on the available evidence:
...
The hack was the biggest known theft of cybersecurity tools since those of the National Security Agency were purloined in 2016 by a still-unidentified group that calls itself the ShadowBrokers. That group dumped the N.S.A.’s hacking tools online over several months, handing nation-states and hackers the “keys to the digital kingdom,” as one former N.S.A. operator put it. North Korea and Russia ultimately used the N.S.A.’s stolen weaponry in destructive attacks on government agencies, hospitals and the world’s biggest conglomerates — at a cost of more than $10 billion.
...
It’s also worth observing how FireEye was declaring that the attackers “tailored their world-class capabilities specifically to target and attack FireEye.” And yet, as we learn, this wasn’t a specific attack on FireEye at all. It was an attack on FireEye and SolarWinds’s 18,000 other customers. FireEye was just a very juicy target to pilfer amongst the thousands the hackers had to choose from:
...
But FireEye said it was still investigating exactly how the hackers had breached its most protected systems. Details were thin.
Mr. Mandia, a former Air Force intelligence officer, said the attackers “tailored their world-class capabilities specifically to target and attack FireEye.” He said they appeared to be highly trained in “operational security” and exhibited “discipline and focus,” while moving clandestinely to escape the detection of security tools and forensic examination. Google, Microsoft and other firms that conduct cybersecurity investigations said they had never seen some of these techniques.
...
On Tuesday, Russia’s National Association for International Information Security held a forum with global security experts where Russian officials again claimed that there was no evidence its hackers were responsible for attacks that have resulted in American sanctions and indictments.
Security firms have been a frequent target for nation-states and hackers, in part because their tools maintain a deep level of access to corporate and government clients all over the world. By hacking into those tools and stealing source code, spies and hackers can gain a foothold to victims’ systems.
...
Finally, note that FireEye is far from the only cybersecurity firm to report having their code stolen by ‘a Russian-speaking hacker group’ last year. McAfee, Symantec, and TrendMicro all reported getting hit. Which means the “Red Team code” kits from all those other firms are also floating around out there. And in each case, it was “Russian-speaking hackers”. Whoever has been hacking these other security firms has been leaving Russian language artifacts in their malware. It’s a thing:
...
McAfee, Symantec and Trend Micro were among the list of major security companies whose code a Russian-speaking hacker group claimed to have stolen last year. Kaspersky, the Russian security firm, was hacked by Israeli hackers in 2017. And in 2012, Symantec confirmed that a segment of its antivirus source code was stolen by hackers.
...
And yet, as we’re going to see, that’s not actually the case with the FireEye hack. No Russian language artifacts, or any other language artifacts, were left in the malware used to attack FireEye. And as we’re also going to see, this lack of language artifacts in the attack — no Cyrillic, or Mandarin or Persian — was seen as an utter shock by the CrowdStrike figures tasked with studying the attack.
FireEye Didn’t Start the Fire. Welcome to the SolarWinds Nightmare. Brought to You by Cozy Bear, According to the FBI, although FireEye isn’t So Sure
The FireEye nightmare explodes into the even worse SolarWinds nightmare. It was determined that SolarWinds’s Orion update software delivered the malware onto FireEye’s systems. It’s the kind of ominous discovery that comes with the implication that the other 18,000 SolarWinds clients running the Orion software got hit too. Which is basically what happened.
We also got an early hint from SolarWinds about how the hack started in the first place: in its corporate filing disclosing the hack with the SEC, SolarWinds indicated that Microsoft’s Office 365 email may have been “an attack vector” used by the hackers.
And as we can see, the FBI was ready to name names from the very onset of this investigation. It took basically no time at all: APT29 aka Cozy Bear is at it again. That was the line from the FBI. The infamous hacking group thought to work for Russia’s FSB (or SVR, it’s unclear) and that the US claims was behind the first hack of the Democratic National Committee (DNC) in 2015 was also behind the new SolarWinds mega-hack. No reasons for this attribution are given, of course:
The Washington Post
Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce
By Ellen Nakashima and Craig Timberg
December 14, 2020 at 11:30 a.m. EST
Russian government hackers breached the Treasury and Commerce departments, along with other U.S. government agencies, as part of a global espionage campaign that stretches back months, according to people familiar with the matter.
Officials were scrambling over the weekend to assess the nature and extent of the intrusions and implement effective countermeasures, but initial signs suggested the breach was long-running and significant, the people familiar with the matter said.
The Russian hackers, known by the nicknames APT29 or Cozy Bear, are part of that nation’s foreign intelligence service, the SVR, and they breached email systems in some cases, said the people familiar with the intrusions, who spoke on the condition of anonymity because of the sensitivity of the matter. The same Russian group hacked the State Department and the White House email servers during the Obama administration.
The FBI is investigating the campaign, which may have begun as early as spring, and had no comment Sunday. The victims have included government, consulting, technology, telecom, and oil and gas companies in North America, Europe, Asia and the Middle East, according to FireEye, a cyber firm that itself was breached.
The Russian Embassy in Washington on Sunday called the reports of Russian hacking “baseless.” In a statement on Facebook it said, “attacks in the information space contradict” Russian foreign policy and national interests. “Russia does not conduct offensive operations” in the cyber domain.
All of the organizations were breached through the update server of a network management system made by the firm SolarWinds, FireEye said in a blog post Sunday.
The federal Cybersecurity and Infrastructure Security Agency issued an alert Sunday warning about an “active exploitation” of the SolarWinds Orion Platform, from versions of the software released in March and June. “CISA encourages affected organizations to read the SolarWinds and FireEye advisories for more information and FireEye’s GitHub page for detection countermeasures,” the alert said.
SolarWinds said Sunday in a statement that monitoring products it released in March and June of this year may have been surreptitiously weaponized in a “highly-sophisticated, targeted . . . attack by a nation state.”
The company filed a document Monday with the Securities and Exchange Commission saying that “fewer than 18,000” of its more than 300,000 customers may have installed a software patch enabling the Russian attack. It was not clear, the filing said, how many systems were actually hacked. The corporate filing also said that Microsoft’s Office 365 email may have been “an attack vector” used by the hackers.
Microsoft said in a blog post Sunday that it had not identified any Microsoft product or cloud service vulnerabilities in its investigation of the matter.
The scale of the Russian espionage operation appears to be large, said several individuals familiar with the matter. “This is looking very, very bad,” said one person. SolarWinds products are used by organizations across the world. They include all five branches of the U.S. military, the Pentagon, State Department, Justice Department, NASA, the Executive Office of the President and the National Security Agency, the world’s top electronic spy agency, according to the firm’s website.
Its clients also include the top 10 U.S. telecommunications companies.
“This is a big deal, and given what we now know about where breaches happened, I’m expecting the scope to grow as more logs are reviewed,” said John Scott-Railton, a senior researcher at Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy. “When an aggressive group like this gets an open sesame to many desirable systems, they are going to use it widely.”
FireEye reported last week that it was breached and that hacking tools it uses to test clients’ computer defenses were stolen. The Washington Post reported that APT29 was the group behind that hack. FireEye and Microsoft, which were investigating the breach, discovered the hackers were gaining access to victims through updates to SolarWinds’ Orion network monitoring software, FireEye said in its blog post, without publicly naming the Russians.
...
At Commerce, the Russians targeted the National Telecommunications and Information Administration, an agency that handles Internet and telecommunications policy, Reuters reported. They have also been linked to attempts to steal coronavirus research.
In 2014 and 2015, the same group carried out a wide-ranging espionage campaign that targeted thousands of organizations, including government agencies, foreign embassies, energy companies, telecommunications firms and universities.
As part of that operation, it hacked the unclassified email systems of the White House, the Pentagon’s Joint Chiefs of Staff and the State Department.
“That was the first time we saw the Russians become much more aggressive, and instead of simply fading away like ghosts when they were detected, they actually contested access to the networks,” said Michael Daniel, who was White House cybersecurity coordinator at the time.
One of its victims in 2015 was the Democratic National Committee. But unlike a rival Russian spy agency, the GRU, which also hacked the DNC, it did not leak the stolen material. In 2016, the GRU military spy agency leaked hacked emails to the online anti-secrecy organization WikiLeaks in an operation that disrupted the Democrats’ national convention in the midst of the presidential campaign.
The SVR, by contrast, generally steals information for traditional espionage purposes, seeking secrets that might help the Kremlin understand the plans and motives of politicians and policymakers. Its operators also have filched industrial data and hacked foreign ministries.
Because the Obama administration saw the APT29 operation as traditional espionage, it did not consider taking punitive measures, said Daniel, who is now president and chief executive of the Cyber Threat Alliance, an information-sharing group for cybersecurity companies.
“It was information collection, which is what nation states — including the United States — do,” he said. “From our perspective, it was more important to focus on shoring up defenses.”
But Chris Painter, State Department cyber coordinator in the Obama administration, said even if the Russian campaign is strictly about espionage and there’s no norm against spying, if the scope is broad there should be consequences. “We just don’t have to sit still for it and say ‘good job,’ ” he said.
Sanctions might be one answer, especially if done in concert with allies who were similarly affected, he said. “The problem is there’s not even been condemnation from the top. President Trump hasn’t wanted to say anything bad to Russia, which only encourages them to act irresponsibly across a wide range of activities.”
At the very least, he said, “you’d want to make clear to [Russian President Vladimir] Putin that this is unacceptable — the scope is unacceptable.”
So far there is no sign that the current campaign is being waged for purposes of leaking information or for disruption of critical infrastructure, such as electric grids.
SolarWinds’ monitoring tool has extremely deep “administrative” access to a network’s core functions, which means that hacking the tool would allow the Russians to freely root around victims’ systems.
APT29 compromised SolarWinds so that any time a customer checked in to request an update, the Russians could hitch a ride on the weaponized update to get into a victim’s system. FireEye dubbed the malware that the hackers used “Sunburst.”
“Monday may be a bad day for lots of security teams,” tweeted Dmitri Alperovitch, a cybersecurity expert and founder of the Silverado Policy Accelerator think tank.
———–
“The Russian hackers, known by the nicknames APT29 or Cozy Bear, are part of that nation’s foreign intelligence service, the SVR, and they breached email systems in some cases, said the people familiar with the intrusions, who spoke on the condition of anonymity because of the sensitivity of the matter. The same Russian group hacked the State Department and the White House email servers during the Obama administration.”
Less than a week after the FireEye nightmare hack is first announced to the world, we learn it was just one part of a much larger SolarWinds nightmare. A global espionage campaign that seemingly targeted US government agencies. And the US government had already determined the culprit: APT29/Cozy Bear was behind it. That’s the word we were getting from anonymous sources tied to the investigation. It was definitely Russia who had thoroughly hacked the US government’s networks starting in March of 2020 and was reading all those government emails and routing through US government networks this whole time:
...
The federal Cybersecurity and Infrastructure Security Agency issued an alert Sunday warning about an “active exploitation” of the SolarWinds Orion Platform, from versions of the software released in March and June. “CISA encourages affected organizations to read the SolarWinds and FireEye advisories for more information and FireEye’s GitHub page for detection countermeasures,” the alert said.
SolarWinds said Sunday in a statement that monitoring products it released in March and June of this year may have been surreptitiously weaponized in a “highly-sophisticated, targeted . . . attack by a nation state.”
...
SolarWinds’ monitoring tool has extremely deep “administrative” access to a network’s core functions, which means that hacking the tool would allow the Russians to freely root around victims’ systems.
...
And note this ominous early detail: in its corporate filing disclosing the hack with the SEC, SolarWinds indicated that Microsoft’s Office 365 email may have been “an attack vector” used by the hackers. Now, it’s important to note that this language is somewhat vague as to whether or not Microsoft’s Office 365 was used for the initial attack to infect the SolarWinds network or it was used after the SolarWinds hack to further exploit the networks of the 18,000 victims. But as we’re going to see, SolarWinds does confirm two months later that, yes, this Microsoft Office 365 email vulnerability was used in the initial hack of the SolarWinds network:
...
The company filed a document Monday with the Securities and Exchange Commission saying that “fewer than 18,000” of its more than 300,000 customers may have installed a software patch enabling the Russian attack. It was not clear, the filing said, how many systems were actually hacked. The corporate filing also said that Microsoft’s Office 365 email may have been “an attack vector” used by the hackers.
Microsoft said in a blog post Sunday that it had not identified any Microsoft product or cloud service vulnerabilities in its investigation of the matter.
...
Finally, observe how similar the narrative we’re hearing now is to exactly what we heard from the US government in 2016 following the remarkably ‘aggressive’ and ‘noisy’ second hack of the DNC that we are told was executed by ‘Fancy Bear’ of Russia’s GRU. Recall how, back in late July 2016, US investigators were suggesting Fancy Bear was trying to get caught in the DNC hack. That was the explanation given for the notable apparent lack of sophistication in the hack that was seen as very different from previous hacks attributed to Fancy Bear. So now we’re more or less hearing the same story in relation to Cozy Bear: this hack was highly uncharacteristic for Cozy Bear in the sense that the hackers actively fought to maintain their grip on the networks even after being caught. But we are nonetheless assured it’s Cozy Bear:
...
As part of that operation, it hacked the unclassified email systems of the White House, the Pentagon’s Joint Chiefs of Staff and the State Department.
“That was the first time we saw the Russians become much more aggressive, and instead of simply fading away like ghosts when they were detected, they actually contested access to the networks,” said Michael Daniel, who was White House cybersecurity coordinator at the time.
One of its victims in 2015 was the Democratic National Committee. But unlike a rival Russian spy agency, the GRU, which also hacked the DNC, it did not leak the stolen material. In 2016, the GRU military spy agency leaked hacked emails to the online anti-secrecy organization WikiLeaks in an operation that disrupted the Democrats’ national convention in the midst of the presidential campaign.
The SVR, by contrast, generally steals information for traditional espionage purposes, seeking secrets that might help the Kremlin understand the plans and motives of politicians and policymakers. Its operators also have filched industrial data and hacked foreign ministries.
...
They weren’t behaving like Cozy Bear, which has never been known to behave this aggressively before. But it was definitely Cozy Bear. That’s what the US was confidently stating less than a week after the FireEye hack was disclosed. Yet FireEye wasn’t convinced. It’s one of the many data points pointing in the direction of contemporary cyber attributions being mostly just made up convenient narratives:
Bloomberg Quint
FireEye Discovered SolarWinds Breach While Probing Own Hack
Kartikay Mehrotra
Published Dec 15 2020, 7:32 AM
Updated Dec 16 2020, 7:25 AM
(Bloomberg) — When FireEye Inc. discovered that it was hacked this month, the cybersecurity firm’s investigators immediately set about trying to figure out how attackers got past its defenses.
It wasn’t just FireEye that got attacked, they quickly found out. Investigators discovered a vulnerability in a product made by one of its software providers, Texas-based SolarWinds Corp.
“We looked through 50,000 lines of source code, which we were able to determine there was a backdoor within SolarWinds,” said Charles Carmakal, senior vice president and chief technical officer at Mandiant, FireEye’s incident response arm.
After discovering the backdoor, FireEye contacted SolarWinds and law enforcement, Carmakal said.
...
National Security Advisor Robert O’Brien cut short a trip to the Middle East and Europe to deal with the hack of U.S. government agencies. And Senator Richard Blumenthal, Democrat from Connecticut, said a classified briefing on “Russia’s cyber-attack left me deeply alarmed, in fact downright scared.”
The hackers who attacked FireEye stole sensitive tools that the company uses to find vulnerabilities in clients’ computer networks. While the hack on FireEye was embarrassing for a cybersecurity firm, Carmakal argued that it may prove to be a crucial mistake for the hackers.
“If this actor didn’t hit FireEye, there is a chance that this campaign could have gone on for much, much longer,” Carmakal said. “One silver lining is that we learned so much about how this threat actor works and shared it with our law enforcement, intelligence community and security partners.” Carmakal said there is no evidence FireEye’s stolen hacking tools were used against U.S. government agencies.
“There will unfortunately be more victims that have to come forward in the coming weeks and months,” he said. While some have attributed the attack to a state-sponsored Russian group known as APT 29, or Cozy Bear, FireEye had not yet seen sufficient evidence to name the actor, he said. A Kremlin official denied that Russia had any involvement.
...
Carmakal said the hackers took advanced steps to conceal their actions. “Their level of operational security is truly exceptional,” he said, adding that the hackers would operate from servers based in the same city as an employee they were pretending to be in order to evade detection.
...
———–
“There will unfortunately be more victims that have to come forward in the coming weeks and months,” he said. While some have attributed the attack to a state-sponsored Russian group known as APT 29, or Cozy Bear, FireEye had not yet seen sufficient evidence to name the actor, he said. A Kremlin official denied that Russia had any involvement.”
That early hesitancy on FireEye’s part to name a culprit, for lack of evidence, is going to be important to keep in mind. Because, as we’ll see in an NPR article from April 2021, four months after the attack, no new conclusive information about the hackers had emerged. No clue that could positively identify the hackers, and not even the joke ‘clues’ like Cyrillic or Mandarin characters. Nothing. The big shock expressed by Adam Meyers of CrowdStrike — the figure who led the early investigation of the SolarWinds hack — was that there wasn’t any ‘cultural artifact’ like Cyrillic or Mandarin. And yet we’re going to hear assertion after assertion that this was the work of Russian government hackers. Never an explanation why.
Is this the SolarWinds Mega-Hack? Or the Microsoft Mega-hack?
Similarly, note how SolarWinds was pointing a finger at a vulnerability in Microsoft’s Office 365 email as being a vector in the hack, and yet Microsoft was vociferously denying that a vulnerability in its own products played any role at all. As we’ll see, there’s never an explanation. Just faith. Faith in Microsoft. Faith that was tested again days after the initial disclosure of the hack, when SolarWinds revealed more details on the nature of the Microsoft exploits used by the hackers. Somehow the hackers were tricking Microsoft’s authentication controls. This includes forging authentication tokens for Microsoft’s Azure cloud services and creating password credentials for legitimate processes, enabling them to read emails from Microsoft’s Exchange Online cloud-based email service. Keep in mind that the Microsoft Exchange mega-hack announced in March was targeting the non-cloud, self-hosted Microsoft Exchange email servers. So when the SolarWinds hackers demonstrated an ability to break into the cloud-based Exchange servers, they were demonstrating a capability that wasn’t exactly the same as the one used to execute the Microsoft Exchange mega-hack, but awfully close. And yet we will be repeatedly assured by Microsoft that the Microsoft Exchange hack was carried out by China and not at all connected to the SolarWinds hack or to “commercial surveillance vendors”. That’s part of what makes these early disclosures by Microsoft itself, that the SolarWinds hackers demonstrated a remarkable ability to manipulate Microsoft system credentials, so significant. These are disclosures Microsoft seems to want to forget as this looks more and more like a Microsoft mega-hack:
CRN
Microsoft’s Role In SolarWinds Breach Comes Under Scrutiny
By Michael Novinson
December 15, 2020, 05:18 PM EST
Microsoft has become ensnared in probes surrounding the recently disclosed colossal U.S. government hack, with media reports and company messages focusing on Office 365, Azure Active Directory and a key domain name.
Two key victims in the massive nation-state hacking campaign reportedly had their Microsoft Office 365 accounts broken into. The Russian intelligence service hackers for months monitored staff emails sent via Office 365 at the Commerce Department’s National Telecommunications and Information Administration (NTIA) after breaking into the NTIA’s office software, Reuters reported Sunday.
The hackers are “highly sophisticated” and were able to trick the Microsoft platform’s authentication controls, according to Reuters, citing a person familiar with the incident. The Commerce Department said that one of its bureaus had been breached, but didn’t respond to an inquiry about the role of Office 365 in the attack.
Microsoft didn’t provide an on-the-record response to CRN questions about if the company itself was breached as part of this campaign, and how significant Microsoft’s technology was in the hackers’ ability to exploit customers. Microsoft said in a blog post Sunday that its investigations haven’t identified any Microsoft product or cloud service vulnerabilities. Once an attacker has compromised a target network, they potentially have access to a range of systems, according to a source familiar with the situation.
On Monday, SolarWinds said it was made aware of an attack vector that was used to compromise the company’s Microsoft Office 365 emails, according to a filing with the U.S. Securities and Exchange Commission (SEC). Hackers had gained access to numerous public and private organizations through trojanized updates to SolarWinds’ Orion network monitoring software, FireEye said in a blog Sunday.
That same attack vector might have provided access to other data contained in SolarWinds’ Office 365 office productivity tool, the company said. SolarWinds said it’s probing with Microsoft if any customer, personnel or other data was exfiltrated as a result of this compromise, but hasn’t uncovered any evidence at this time of exfiltration.
“SolarWinds, in collaboration with Microsoft, has taken remediation steps to address the compromise and is investigating whether further remediation steps are required, over what period of time this compromise existed and whether the compromise is associated with the attack on its Orion software build system,” the company wrote in its SEC filing.
As for Azure, the hackers were able to forge a token which claims to represent a highly privileged account in Azure Active Directory (AD), the Microsoft Security Research Center wrote in a blog Sunday. The hackers could also gain administrative Azure AD privileges with compromised credentials. Microsoft said this was particularly likely if the account in question is not protected by multi-factor authentication.
“Having gained a significant foothold in the on-premises environment, the actor has made modifications to Azure Active Directory settings to facilitate long term access,” the Microsoft Security Research Center wrote.
The hackers were observed adding new federation trusts to an existing tenant or modifying the properties of an existing federation trust to accept tokens signed with hacker-owned certificates, Microsoft said. They could also use their administrator privileges to grant additional permissions to the target Application or Service Principal, according to Microsoft.
Microsoft also observed the hackers adding password credentials or x509 certificates to legitimate processes, granting them the ability to read mail content from Exchange Online via Microsoft Graph or Outlook REST. Examples of this happening include mail archiving applications, the firm said. Permissions usually, but not always, considered only the app identity rather than the current user’s permissions.
And from a domain perspective, Microsoft on Monday took control over a key domain name that was used by the SolarWinds hackers to communicate with systems compromised by the backdoor Orion product updates, KrebsOnSecurity reported Tuesday. Microsoft has a long history of seizing control of domains involved with malware, particularly when those sites are being used to attack Windows clients.
Armed with that access, KrebsOnSecurity said Microsoft should soon have some idea which and how many SolarWinds customers were affected. That’s because Microsoft now has insight into which organizations have IT systems that are still trying to ping the malicious domain, KrebsOnSecurity said.
“However, because many Internet service providers and affected companies are already blocking systems from accessing that malicious control domain or have disconnected the vulnerable Orion services, Microsoft’s visibility may be somewhat limited,” KrebsOnSecurity cautioned.
...
———-
“Microsoft’s Role In SolarWinds Breach Comes Under Scrutiny” by Michael Novinson; CRN; 12/15/2020
“Two key victims in the massive nation-state hacking campaign reportedly had their Microsoft Office 365 accounts broken into. The Russian intelligence service hackers for months monitored staff emails sent via Office 365 at the Commerce Department’s National Telecommunications and Information Administration (NTIA) after breaking into the NTIA’s office software, Reuters reported Sunday.”
The ‘Russian hackers’ were reading government emails for months. And while we were being assured that Russia was behind it, it’s worth keeping in mind that the idea of Russia reading these emails is actually far more reassuring than the idea of cyber criminals doing the same, because at least Russia is less inclined to sell or release the data. In other words, these early, aggressively confident attributions to Russia aren’t just self-serving from the standpoint of aligning with US geopolitical interests. They’re also highly self-serving for Microsoft, SolarWinds, and the hacked US government agencies, because they downplay the potential implications of the hack.
Now note these early details of how Microsoft vulnerabilities were used in the attack. The hackers were tricking Microsoft’s authentication controls. They could forge authentication tokens enabling access to Microsoft’s cloud-based Azure services. But critically, they were gaining access to read mail content from Exchange Online, effectively demonstrating the ability to hack Microsoft’s cloud-based Exchange email servers. This is going to be an important detail to keep in mind as we read about the Microsoft Exchange server mega-hack disclosed in March:
...
The hackers are “highly sophisticated” and were able to trick the Microsoft platform’s authentication controls, according to Reuters, citing a person familiar with the incident. The Commerce Department said that one of its bureaus had been breached, but didn’t respond to an inquiry about the role of Office 365 in the attack....
As for Azure, the hackers were able to forge a token which claims to represent a highly privileged account in Azure Active Directory (AD), the Microsoft Security Research Center wrote in a blog Sunday. The hackers could also gain administrative Azure AD privileges with compromised credentials. Microsoft said this was particularly likely if the account in question is not protected by multi-factor authentication.
...
Microsoft also observed the hackers adding password credentials or x509 certificates to legitimate processes, granting them the ability to read mail content from Exchange Online via Microsoft Graph or Outlook REST. Examples of this happening include mail archiving applications, the firm said. Permissions usually, but not always, considered only the app identity rather than the current user’s permissions.
...
And note that at this point Microsoft itself is also describing how it observed the hackers adding password credentials or x509 certificates to legitimate processes to enable the reading of emails. Microsoft’s own security researchers were telling us about this. And yet, as we’ll see in the articles below from February, Microsoft insists that vulnerabilities in its software played no role at all in the hack and that all such reports are misinformation.
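One way a defender could hunt for the two persistence behaviours Microsoft describes above (federation trust settings changed on a domain, and password or x509 credentials added to a legitimate app that can read mailboxes), as an added example that is not code from the post, from Microsoft or from any quoted source. The audit records, tenant domain and app names are constructed, and the audit operation names are assumed to mirror Azure AD audit log wording; map them to your own tenant’s logs.

```python
# Added example (not from the post or from Microsoft): a small hunt over
# Azure AD-style audit records for the two behaviours quoted above:
# (1) federation settings changed on a domain, so that tokens signed with
#     a certificate the tenant did not previously trust are now accepted;
# (2) password or x509 credentials added to a legitimate application whose
#     application permissions let it read mail as itself, with no user.
# All records below are CONSTRUCTED sample data; operation names are
# assumed to mirror Azure AD audit log wording and should be verified.
from dataclasses import dataclass

# Audit operations of interest (assumed names; verify against your logs).
FEDERATION_OPS = {"Set federation settings on domain", "Set domain authentication"}
CREDENTIAL_OPS = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}
# Graph / Exchange Online application permissions that grant mailbox
# reading with the app identity alone (the "app identity rather than the
# current user" situation the quoted text describes).
MAIL_READ_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "full_access_as_app"}

# Constructed snapshot of app display name -> granted application permissions
# (in practice pulled from the tenant's service principal role assignments).
APP_PERMISSIONS = {
    "Mail Archiver": {"Mail.Read"},  # the kind of app the quoted text names
    "Build Agent": {"User.Read"},     # no mailbox access
}

# Constructed audit records in the shape of Azure AD audit log entries.
SAMPLE_AUDIT_LOG = [
    {"activityDateTime": "2020-07-10T02:14:00Z",
     "operationName": "Set federation settings on domain",
     "initiatedBy": "svc-adsync@example.test",
     "targetResources": [{"displayName": "example.test",
                          "modifiedProperties": [{"displayName": "SigningCertificate",
                                                  "newValue": "<constructed-cert>"}]}]},
    {"activityDateTime": "2020-07-10T02:20:00Z",
     "operationName": "Update user",
     "initiatedBy": "helpdesk@example.test",
     "targetResources": [{"displayName": "jdoe", "modifiedProperties": []}]},
    {"activityDateTime": "2020-07-11T23:41:00Z",
     "operationName": "Add service principal credentials",
     "initiatedBy": "globaladmin@example.test",
     "targetResources": [{"displayName": "Mail Archiver",
                          "modifiedProperties": [{"displayName": "KeyDescription",
                                                  "newValue": "[KeyType=AsymmetricX509Cert;Usage=Verify]"}]}]},
    {"activityDateTime": "2020-07-12T09:05:00Z",
     "operationName": "Add service principal credentials",
     "initiatedBy": "globaladmin@example.test",
     "targetResources": [{"displayName": "Build Agent",
                          "modifiedProperties": [{"displayName": "KeyDescription",
                                                  "newValue": "[KeyType=Password;Usage=Verify]"}]}]},
]


@dataclass
class Finding:
    when: str
    severity: str
    operation: str
    actor: str
    target: str
    reason: str


def changed_properties(record):
    """Names of the properties an audit record reports as modified."""
    props = record["targetResources"][0].get("modifiedProperties", [])
    return {p["displayName"] for p in props}


def hunt(records, app_permissions):
    """Flag federation changes and credential additions, in log order."""
    findings = []
    for r in records:
        op = r["operationName"]
        target = r["targetResources"][0]["displayName"]
        base = dict(when=r["activityDateTime"], operation=op,
                    actor=r["initiatedBy"], target=target)
        if op in FEDERATION_OPS:
            # A new signing certificate or issuer means tokens from another
            # identity provider will now be trusted for this domain.
            touched = changed_properties(r) & {"SigningCertificate", "IssuerUri"}
            detail = ", ".join(sorted(touched)) or "settings"
            findings.append(Finding(severity="critical",
                                    reason=f"federation trust changed ({detail})", **base))
        elif op in CREDENTIAL_OPS:
            # Severity depends on what the app can do with the new credential.
            can_read_mail = bool(app_permissions.get(target, set()) & MAIL_READ_PERMISSIONS)
            if can_read_mail:
                findings.append(Finding(severity="critical",
                                        reason="credential added to app that can read mailboxes as itself", **base))
            else:
                findings.append(Finding(severity="high",
                                        reason="credential added to service principal", **base))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_AUDIT_LOG, APP_PERMISSIONS):
        print(f"{f.when} [{f.severity}] {f.operation} by {f.actor} on {f.target}: {f.reason}")
```

The same check covers the token-forging detail reported at Treasury later in this post, since a forged token is only useful once the tenant has been made to trust the signer.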
A week into the SolarWinds hack disclosure, the US Treasury Department gave an update. We’re told the department’s hack started in July. And in another indication that the hackers could produce the authentication credentials needed to extract data from Microsoft’s Office 365 email software, we’re told that’s exactly what they were doing on the Treasury’s network. So both SolarWinds and the US Treasury were giving us strong hints early on that the story of the SolarWinds mega-hack is the story of a still-unrecognized Microsoft mega-hack:
The New York Times
Treasury Department’s Senior Leaders Were Targeted by Hacking
The disclosure was the first acknowledgment of a specific intrusion in the vast cyberattack. At the White House, national security leaders met to assess how to deal with the situation.
By David E. Sanger and Alan Rappeport
Published Dec. 21, 2020 Updated Jan. 6, 2021
WASHINGTON — The Russian hackers who penetrated United States government agencies broke into the email system used by the Treasury Department’s most senior leadership, a Democratic member of the Senate Finance Committee said on Monday, the first detail of how deeply Moscow burrowed into the Trump administration’s networks.
In a statement after a briefing for committee staff members, Senator Ron Wyden of Oregon, who has often been among the sharpest critics of the National Security Agency and other intelligence agencies, said that the Treasury Department had acknowledged that “the agency suffered a serious breach, beginning in July, the full depth of which isn’t known.”
The Treasury Department ranks among the most highly protected corners of the government because of its responsibility for market-moving economic decisions, communications with the Federal Reserve and economic sanctions against adversaries. Mr. Wyden said the hackers had gained access to the email system by manipulating internal software keys.
The department learned of the breach not from any of the government agencies whose job is to protect against cyberattacks, but from Microsoft, which runs much of Treasury’s communications software, Mr. Wyden said. He said that “dozens of email accounts were compromised,” apparently including in what is called the departmental offices division, where the most senior officials operate.
“Treasury still does not know all of the actions taken by hackers, or precisely what information was stolen,” he said.
An aide to Mr. Wyden said the department’s officials indicated that Treasury Secretary Steven Mnuchin’s email account had not been breached.
The newest disclosures underscored the administration’s conflicting messages about the source of the attacks and the extent of the damage as more reports about the targets leak out. A Treasury Department spokeswoman did not immediately respond to a request for comment.
Mr. Mnuchin addressed the hacking earlier on Monday and said the department’s classified systems had not been breached.
“At this point, we do not see any break-in into our classified systems,” he said in an interview with CNBC. “Our unclassified systems did have some access.”
Mr. Mnuchin said that the hacking was related to third-party software. He added that there had been no damage or large amounts of information displaced as a result of the attack and that the agency had robust resources to protect the financial industry.
“I can assure you, we are completely on top of this,” he said. He did not explain how the Russian presence was not detected in the system for more than four months.
His statement came on the same day that Attorney General William P. Barr, at his final news conference before stepping down, sided with Secretary of State Mike Pompeo in saying that Moscow was almost certainly behind the hacking. The intrusion went through a commercial network management software package made by SolarWinds, a company based in Austin, Texas, and allowed the hackers broad access to government and corporate systems.
“I agree with Secretary Pompeo’s assessment: It certainly appears to be the Russians,” Mr. Barr said, further undercutting President Trump’s effort to cast doubt on whether the government of President Vladimir V. Putin of Russia was behind the attack. Mr. Trump appears to be alone in the administration in his contention that China might have been the source of the hacking.
Mr. Mnuchin was among several top officials in the government who met with national security officials for the first time at the White House on Monday to assess the damage and discuss how to deal with it.
The meeting was a principals committee session led by Robert C. O’Brien, the national security adviser. It was held two days after Mr. Trump said the attack on federal networks was “under control,” was being exaggerated by the news media and might have been carried out by China rather than Russia, which has been identified by intelligence agencies, other government officials and cybersecurity firms as the almost certain source of the hacking.
The session was classified, but if it was like the briefings to Congress in recent days, the intelligence officials expressed little doubt that the attack was most likely carried out by hackers associated with the S.V.R., Russia’s premier intelligence agency.
But on Monday there was no public declaration attributing the hacking to Russia, perhaps reflecting Mr. Trump’s reluctance to confront Moscow over the issue and the doubts he has expressed about the seriousness of the attack.
The meeting, according to one senior administration official, was intended to “take stock of the intelligence, the investigation and the actions being taken to remediate” the attack. Absent from that description was any preparation for imposing a cost on the attacker. Mr. Trump did not attend the meeting.
...
The list of attendees at the meeting was notable because it provided some indication of which parts of the government might have been affected. White House officials said Treasury Secretary Steven Mnuchin, Commerce Secretary Wilbur Ross, the acting homeland security secretary Chad F. Wolf and Energy Secretary Dan Brouillette were present. All of those agencies were previously identified by news organizations as targets of the hacking.
John Ratcliffe, the director of national intelligence, participated in the meeting; so did Gina Haspel, the C.I.A. director, and Gen. Paul M. Nakasone, the director of the National Security Agency and the commander of the United States Cyber Command. Secretary of State Mike Pompeo, who was the first high-ranking administration official to acknowledge that Russia was the most likely source of the attack before he was undercut by Mr. Trump, did not attend. His deputy, Stephen E. Biegun, stood in for him.
General Nakasone, an experienced cyberwarrior who is responsible for the defense of national security systems, has been silent since the hacking was revealed. At the N.S.A. and Cyber Command, officials said, there was extraordinary embarrassment that a private company, FireEye, had been the first to alert the government that it had been hacked.
According to the details released by Mr. Wyden, once the Russian hackers used the SolarWinds software update to get inside Treasury’s systems, they performed a complex step inside Microsoft’s Office 365 system to create an encrypted “token” that identifies a computer to the larger network.
That counterfeiting enabled them to fool the system into thinking they were legitimate users — and to sign on without trying to guess user names and passwords. Microsoft said last week that it had fixed the flaw that the Russians had exploited, but that did not answer the question of whether the hackers used their access to bore through other channels into the Treasury Department or other systems.
Formally determining who was responsible for a hacking like this one can be time-consuming work, though the administration did so twice in Mr. Trump’s first year in office, pointing to North Korea for the so-called WannaCry attack on the British health care system and Russia for the “NotPetya” attack that cost Maersk, Federal Express and other major corporations hundreds of millions of dollars.
In this case, officials say, a formal declaration of who was responsible for the attack — which is needed to start any form of retaliation — may not come until after Mr. Biden is inaugurated. That would leave the Trump administration to focus on damage control but skip the hard questions of how to deter Moscow from future attacks.
Capt. Katrina J. Cheesman, a spokeswoman for Cyber Command, said that so far the military had found “no evidence of compromises” in the Pentagon’s network. She said that parts of the Defense Department’s “software supply chain source have disclosed a vulnerability within their systems, but we have no indication the D.O.D. network has been compromised.”
———–
“The Treasury Department ranks among the most highly protected corners of the government because of its responsibility for market-moving economic decisions, communications with the Federal Reserve and economic sanctions against adversaries. Mr. Wyden said the hackers had gained access to the email system by manipulating internal software keys.”
It’s the second early indication that the SolarWinds hackers had some advanced Microsoft email exploits: less than two weeks after the initial FireEye disclosure, the Treasury Department informs us that it was the manipulation of internal software keys that enabled access to the agency’s emails after the hackers entered the government networks via the SolarWinds backdoor. Specifically, Microsoft Office 365 identity tokens:
...
According to the details released by Mr. Wyden, once the Russian hackers used the SolarWinds software update to get inside Treasury’s systems, they performed a complex step inside Microsoft’s Office 365 system to create an encrypted “token” that identifies a computer to the larger network. That counterfeiting enabled them to fool the system into thinking they were legitimate users — and to sign on without trying to guess user names and passwords. Microsoft said last week that it had fixed the flaw that the Russians had exploited, but that did not answer the question of whether the hackers used their access to bore through other channels into the Treasury Department or other systems.
...
So claims about Microsoft’s Office 365 email vulnerabilities being exploited as part of the SolarWinds hack were coming from not just the SolarWinds company itself but also the US Treasury Department. Claims Microsoft continued to vociferously dispute for months.
And just note again how quickly and how definitively the attributions to Russia were coming from the Trump administration: they couldn’t explain how the hackers evaded detection for months, but everyone was ready to join Mike Pompeo in declaring that Moscow was almost certainly behind it. No reasons are given. None are necessary. It’s just a given: if there’s a major hack that hits Western government agencies, it’s either Russia or China. Because of course it is. Who else could it be? It’s the unquestioned operating paradigm for contemporary cyberattribution:
...
Mr. Mnuchin said that the hacking was related to third-party software. He added that there had been no damage or large amounts of information displaced as a result of the attack and that the agency had robust resources to protect the financial industry. “I can assure you, we are completely on top of this,” he said. He did not explain how the Russian presence was not detected in the system for more than four months.
His statement came on the same day that Attorney General William P. Barr, at his final news conference before stepping down, sided with Secretary of State Mike Pompeo in saying that Moscow was almost certainly behind the hacking. The intrusion went through a commercial network management software package made by SolarWinds, a company based in Austin, Texas, and allowed the hackers broad access to government and corporate systems.
“I agree with Secretary Pompeo’s assessment: It certainly appears to be the Russians,” Mr. Barr said, further undercutting President Trump’s effort to cast doubt on whether the government of President Vladimir V. Putin of Russia was behind the attack. Mr. Trump appears to be alone in the administration in his contention that China might have been the source of the hacking.
...
The session was classified, but if it was like the briefings to Congress in recent days, the intelligence officials expressed little doubt that the attack was most likely carried out by hackers associated with the S.V.R., Russia’s premier intelligence agency.
...
John Ratcliffe, the director of national intelligence, participated in the meeting; so did Gina Haspel, the C.I.A. director, and Gen. Paul M. Nakasone, the director of the National Security Agency and the commander of the United States Cyber Command. Secretary of State Mike Pompeo, who was the first high-ranking administration official to acknowledge that Russia was the most likely source of the attack before he was undercut by Mr. Trump, did not attend. His deputy, Stephen E. Biegun, stood in for him.
...
Keep in mind how disturbing these warnings about Microsoft vulnerabilities were at the time. We already knew by that point that someone had planted backdoors on the networks of 18,000 companies and organizations around the world, including numerous government agencies. But we didn’t necessarily know what the hackers could do on all those networks after they walked through the backdoors. Learning about these Microsoft exploits told us at least some of what they could do on those networks. And given how ubiquitous Microsoft’s software is in large organizations, it’s a safe assumption that a large number of those SolarWinds clients were running Microsoft services on those networks.
SolarWinds Update: ‘It Started with a Zero-Day Microsoft Exploit.’ Microsoft Counter-Update: ‘No it Didn’t.’ CISA Update: ‘It’s Not Just SolarWinds.’
It was early February, less than two months after the initial FireEye disclosure, when we got a confirmation of sorts on the question of whether the Microsoft Office 365 email vulnerability that SolarWinds had characterized as an “attack vector” in December was actually used to execute the initial hack of SolarWinds. SolarWinds CEO Sudhakar Ramakrishna appeared to confirm that, yes, a Microsoft vulnerability was used in the initial hack of the SolarWinds Orion software developer. A zero-day vulnerability never seen before. Although SolarWinds didn’t identify the specific Office 365 vulnerability.
But we also got another update from Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency: roughly 30 percent of the victim organizations that found the backdoor malware on their network had no connection to SolarWinds. Other methods for creating backdoors were being deployed by these hackers. So we learn that the SolarWinds hack likely started with a Microsoft exploit and also that the hackers are infecting other networks through means other than the infected SolarWinds software. It’s not great news for Microsoft users:
CRN
SolarWinds CEO Confirms Office 365 Email ‘Compromise’ Played Role In Broad-Based Attack
SolarWinds CEO Sudhakar Ramakrishna has verified suspicious activity in its Office 365 environment, with a company email account compromised and used to access accounts of targeted SolarWinds staff in business and technical roles.
By Michael Novinson
February 04, 2021, 07:28 AM EST
SolarWinds CEO Sudhakar Ramakrishna verified Wednesday “suspicious activity” in its Office 365 environment allowed hackers to gain access to and exploit the SolarWinds Orion development environment.
Hackers most likely entered SolarWinds’s environment through compromised credentials and/or a third-party application that capitalized on a zero-day vulnerability, Ramakrishna said.
“We’ve confirmed that a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles,” he said in the blog post. “By compromising credentials of SolarWinds employees, the threat actors were able to gain access to and exploit our Orion development environment.”
The beleaguered Austin, Texas-based IT infrastructure management vendor said a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles.
By compromising the credentials of SolarWinds employees, Ramakrishna said the hackers were able to gain access to and exploit the development environment for the SolarWinds Orion network monitoring platform. SolarWinds was first notified by Microsoft about a compromise related to its Office 365 environment on Dec. 13, the same day news of the hack went public.
SolarWinds’s investigation has not identified a specific vulnerability in Office 365 that would have allowed the hackers to enter the company’s environment through Office 365, he said Wednesday. A day earlier, Ramakrishna told The Wall Street Journal that one of several theories the company was pursuing is that the hackers used an Office 365 account compromise as the initial point of entry into SolarWinds.
Microsoft declined to comment to CRN. Ramakrishna said SolarWinds has analyzed data from multiple systems and logs, including from our Office 365 and Azure tenants, as part of its investigation. The SolarWinds hack is believed to be the work of the Russian foreign intelligence service.
“While it’s widely understood any one company could not protect itself against a sustained and unprecedented nation-state attack of this kind, we see an opportunity to lead an industry-wide effort that makes SolarWinds a model for secure software environments, development processes, and products,” Ramakrishna wrote in a blog post Wednesday.
Some 30 percent of the private sector and government victims of the colossal hacking campaign had no direct connection to SolarWinds, Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, told The Wall Street Journal Friday. But he said investigators haven’t identified another company whose products were broadly compromised to infect other firms the way SolarWinds was.
SolarWinds’s investigations will be ongoing for at least several more weeks, and possibly months, due to the sophistication of the campaign and actions taken by the hackers to remove evidence of their activity, he said. SolarWinds has not determined the exact date hackers first gained unauthorized access to the company’s environment, though innocuous code changes were first made to Orion in October 2019.
The hackers deleted programs following use to avoid forensic discovery and masqueraded file names and activity to mimic legitimate applications and files, he said. The hackers had automated dormancy periods of two weeks or more prior to activation and utilized servers outside the monitoring authority of U.S. intelligence, he said.
...
———–
“By compromising the credentials of SolarWinds employees, Ramakrishna said the hackers were able to gain access to and exploit the development environment for the SolarWinds Orion network monitoring platform. SolarWinds was first notified by Microsoft about a compromise related to its Office 365 environment on Dec. 13, the same day news of the hack went public.”
It’s more or less confirmed: the SolarWinds hack started with the exploitation of a vulnerability in Microsoft’s Office 365 email. The vulnerability gave the hackers access to the SolarWinds Orion software development environment. That’s where it all started.
Or at least that’s where the SolarWinds hack started. As they note, some 30 percent of the victims of this hack don’t actually have a direct connection to SolarWinds, raising the possibility that the SolarWinds hack is really part of an even larger hack being executed by a group of actors with numerous powerful Microsoft exploits. In other words, we might not be looking at the SolarWinds mega-hack but instead a Microsoft mega-hack that just includes a large SolarWinds component:
...
Some 30 percent of the private sector and government victims of the colossal hacking campaign had no direct connection to SolarWinds, Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, told The Wall Street Journal Friday. But he said investigators haven’t identified another company whose products were broadly compromised to infect other firms the way SolarWinds was.
...
So if 30 percent of the victims weren’t running SolarWinds’s Orion software, what was the attack vector in their cases? That’s a mystery, but we have a pretty obvious clue if the SolarWinds hack started with a Microsoft exploit. It’s no wonder Microsoft’s public relations team was in hyper-damage-control mode, denying all reports going back to December that its products played any role at all in the attack. Recall how it was Microsoft’s own security team that was telling us back in December how the hackers were modifying credentials to read emails from Microsoft Exchange Online (the cloud Exchange service). But once it started looking like the SolarWinds mega-hack was really the Microsoft mega-hack, it was a complete denial from Microsoft. The company has nothing to do with any of this, and anyone saying anything to the contrary is misinterpreting or misreading the available data:
CRN
Microsoft: No Evidence SolarWinds Was Hacked Via Office 365
‘The wording of the SolarWinds 8K [regulatory] filing was unfortunately ambiguous, leading to erroneous interpretation and speculation, which is not supported by the results of our investigation,’ Microsoft said Thursday.
By Michael Novinson
February 05, 2021, 06:52 AM EST
Microsoft said its investigation hasn’t found any evidence that SolarWinds was attacked through Office 365, meaning the hackers gained privileged credentials in some other way.
The Redmond, Wash.-based software giant said a Dec. 14 regulatory filing by SolarWinds gave the impression that SolarWinds was investigating an attack vector related to Microsoft Office 365. In the filing, SolarWinds said it’s aware of an attack vector used to compromise the company’s Office 365 emails that may have provided access to other data contained in the company’s office productivity tools.
“The wording of the SolarWinds 8K filing was unfortunately ambiguous, leading to erroneous interpretation and speculation, which is not supported by the results of our investigation,” the Microsoft Security Team wrote in a blog post Thursday.
SolarWinds’s investigation hasn’t identified a specific vulnerability in Office 365 that would have allowed the hackers to enter the company’s environment through Office 365, CEO Sudhakar Ramakrishna said Wednesday. A day earlier, he told The Wall Street Journal one of several theories the firm was pursuing is hackers used an Office 365 account compromise as the initial point of entry into SolarWinds.
Ramakrishna said Wednesday that SolarWinds has confirmed suspicious activity related to its Office 365 environment, with a company email account compromised and used to access accounts of targeted SolarWinds staff in business and technical roles. By compromising the credentials of SolarWinds staff, he said the hackers were able to gain access to and exploit the SolarWinds development environment.
Although data hosted in Microsoft services such as email was sometimes targeted by the SolarWinds hackers, Microsoft insists the attacker gained privileged credentials in another way. The Cybersecurity and Infrastructure Security Agency (CISA) isn’t aware of cloud software other than Microsoft’s targeted in the SolarWinds attack, Acting Director Brandon Wales told The Wall Street Journal Jan. 29.
In many of their break-ins, the SolarWinds hackers took advantage of known Microsoft configuration issues to trick systems into giving them access to emails and documents stored on the cloud, The Wall Street Journal said. Hackers can go from one cloud-computing account to another by taking advantage of little-known idiosyncrasies in the way software authenticates itself on the Microsoft service.
...
Reuters reported Dec. 17 that Microsoft was compromised via SolarWinds, with suspected Russian hackers then using Microsoft’s own products to further the attacks on other victims. Microsoft told CRN at the time that sources for the Reuters report are “misinformed or misinterpreting their information,” but acknowledged the software giant had “detected malicious SolarWinds binaries” in its environment.
“No, it [the Reuters article] is not accurate,” the Microsoft Security Team wrote in its blog post Thursday. “As we said at the time, and based upon all investigations since, we have found no indications that our systems were used to attack others.”
Microsoft acknowledged Dec. 31 that a company account compromised by the SolarWinds hackers had been used to view source code in a number of source code repositories. The compromised Microsoft account, however, didn’t have permissions to modify any code or engineering systems, and an investigation confirmed no changes were made, Microsoft said at the time.
The company also responded Thursday to criticism for not disclosing attack details as soon as Microsoft knew about them, saying that the company is restricted from sharing details in cases where Microsoft is providing investigative support to other organizations. In these types of engagements, Microsoft said the victim organizations have control in deciding what details to disclose and when to disclose them.
Investigators can additionally discover early indicators that require further research before they are actionable, Microsoft said. Taking the time to thoroughly investigate incidents is necessary to provide the best possible guidance to customers, partners, and the broader security community, Microsoft said.
...
———–
““The wording of the SolarWinds 8K filing was unfortunately ambiguous, leading to erroneous interpretation and speculation, which is not supported by the results of our investigation,” the Microsoft Security Team wrote in a blog post Thursday.”
The denials can’t get any stronger. A day after SolarWinds CEO Sudhakar Ramakrishna seemed to more or less publicly confirm that a vulnerability in Microsoft’s Office 365 email played a direct role in the initial attack, Microsoft reiterates that all reports of Microsoft vulnerabilities playing any role in the SolarWinds hack are unsubstantiated and false. That’s the line.
And note how the company acknowledges its products were hacked in many cases on the SolarWinds victims’ networks as part of the second phase of the hack, but Microsoft insists that the hackers gained privileged credentials in another way. Now, in fairness, it’s possible Microsoft systems could be hacked on client networks for reasons that have nothing to do with vulnerabilities in Microsoft’s code and are instead the fault of misconfigured software on the client end. But that’s what Microsoft was insisting at that point in early February, a day after SolarWinds’s CEO seemed to confirm a Microsoft Office 365 email exploit was used to initiate the hack, and well after the US government confirmed the SolarWinds hackers used a Microsoft Office 365 email exploit during their plundering of the Treasury Department’s networks. The plausible deniability of Microsoft’s insistence that client configuration issues were the cause of the hacked Microsoft products was rapidly dwindling. Microsoft’s insistence held strong:
...
Although data hosted in Microsoft services such as email was sometimes targeted by the SolarWinds hackers, Microsoft insists the attacker gained privileged credentials in another way. The Cybersecurity and Infrastructure Security Agency (CISA) isn’t aware of cloud software other than Microsoft’s targeted in the SolarWinds attack, Acting Director Brandon Wales told The Wall Street Journal Jan. 29. In many of their break-ins, the SolarWinds hackers took advantage of known Microsoft configuration issues to trick systems into giving them access to emails and documents stored on the cloud, The Wall Street Journal said. Hackers can go from one cloud-computing account to another by taking advantage of little-known idiosyncrasies in the way software authenticates itself on the Microsoft service.
...
Reuters reported Dec. 17 that Microsoft was compromised via SolarWinds, with suspected Russian hackers then using Microsoft’s own products to further the attacks on other victims. Microsoft told CRN at the time that sources for the Reuters report are “misinformed or misinterpreting their information,” but acknowledged the software giant had “detected malicious SolarWinds binaries” in its environment.
“No, it [the Reuters article] is not accurate,” the Microsoft Security Team wrote in its blog post Thursday. “As we said at the time, and based upon all investigations since, we have found no indications that our systems were used to attack others.”
Microsoft acknowledged Dec. 31 that a company account compromised by the SolarWinds hackers had been used to view source code in a number of source code repositories. The compromised Microsoft account, however, didn’t have permissions to modify any code or engineering systems, and an investigation confirmed no changes were made, Microsoft said at the time.
...
“As we said at the time, and based upon all investigations since, we have found no indications that our systems were used to attack others.” Have fun interpreting that one. But as a public statement, it sounds definitive. There were no Microsoft software vulnerabilities involved at all with the SolarWinds hack. Period. End of story.
Another Update from Microsoft: We Were Hacked and Our Source Code Was Viewed. Including for Microsoft Exchange. But Don’t Worry, Nothing was Compromised and Everything is Fine on Our End Now.
Two weeks later, the story got another update. From Microsoft: the SolarWinds hackers rooted around in Microsoft’s networks through January and managed to download some source code for its Azure, Exchange and Intune cloud-based products. Again, keep in mind that Microsoft will be forced to disclose the Microsoft Exchange mega-hack a couple of weeks after this update, and in that new mega-hack it was the self-hosted, non-cloud version of Microsoft Exchange that got hacked. So the hackers stole code closely related to the very system that got mega-hacked. We’re also going to learn that the Microsoft Exchange mega-hack apparently started in January, the same month the SolarWinds hackers were presumably (hopefully) kicked out of Microsoft’s networks. And we’ve already seen that the SolarWinds hackers have impressive never-before-seen abilities to trick Microsoft’s credential systems. That’s all part of what makes this latest update to the SolarWinds story so ominous: it sure seems like it’s related to the Microsoft Exchange mega-hack that Microsoft will disclose in March, even though Microsoft assures us it’s not and that it’s a completely separate hack by different, Chinese hackers:
CRN
SolarWinds Hackers Kept Going After Microsoft Until January
The SolarWinds hackers first viewed a file in a Microsoft source repository in November, and were able to download source code for its Azure, Exchange and Intune cloud-based products.
By Michael Novinson
February 19, 2021, 06:34 AM EST
The SolarWinds hackers continued efforts to infiltrate Microsoft until early January, keeping up the assault even after Microsoft revealed its source code had been compromised.
The likely Russian hackers first viewed a file in a Microsoft source repository in late November, and the Redmond, Wash.-based software giant detected unusual activity in some internal accounts the next month. The hackers lost source repository access after Microsoft secured its compromised accounts, but the threat actor kept making unsuccessful attempts to regain access all the way until early January.
“A concerning aspect of this attack is that security companies were a clear target,” Vasu Jakkal, Microsoft’s corporate vice president of security, compliance and identity, wrote in a blog post Thursday. “Microsoft, given the expansive use of our productivity tools and leadership in security, of course was an early target.”
Microsoft admitted the SolarWinds hackers were able to download some source code for its Azure, Exchange and Intune cloud-based products. The downloaded Azure source code was for subsets of its service, security and identity components, according to Microsoft.
The search terms used by the SolarWinds hackers indicate they were attempting to find secrets such as API keys, credentials, and security tokens that may have been embedded in the source code, according to Microsoft. But the company said it has a development policy that prohibits storing secrets in source code and runs automated tools to verify compliance.
Microsoft said it subsequently confirmed that both current and historical branches of its source code repositories don’t contain any live production credentials. For nearly all the Microsoft code repositories accessed by the SolarWinds hackers, only a few individual files were viewed as a result of a repository search, according to the company.
...
Microsoft said the SolarWinds hackers weren’t able to access its privileged credentials or leverage Security Access Markup Language (SAML) techniques against the company’s corporate domains. But outside of Microsoft, U.S. investigators said one of the principal ways the hacker has collected victim information is by compromising the SAML signing certificate using escalated Active Directory privileges.
Organizations that delegate trust to on-premises components in deployments that connect on-premises infrastructure and the cloud end up with an additional seam they need to secure, the MSRC wrote. As a result, if an on-premises environment is compromised, Microsoft said there’s an opportunity for hackers to target cloud services.
“When you rely on on-premises services, like authentication server, it is up to a customer to protect their identity infrastructure,” Jakkal wrote in her blog post. “With a cloud identity, like Azure Active Directory, we protect the identity infrastructure from the cloud.”
At the same time, Jakkal said the SolarWinds hackers took advantage of abandoned app accounts with no multi-factor authentication to access cloud administrative settings with high privilege. As organizations transition from implicit trust to explicit verification, Jakkal said they first must focus on protecting identities, especially privileged user accounts.
“Gaps in protecting identities (or user credentials) like weak passwords or lack of multifactor authentication are opportunities for an actor to find their way into a system, elevate their status, and move laterally across the environments targeting email, source code, critical databases and more,” Jakkal said.
The SolarWinds hackers tried and failed to get into CrowdStrike and read their emails via a Microsoft reseller’s Azure account that was responsible for managing CrowdStrike’s Microsoft Office licenses. If a customer buys a cloud service from a reseller and allows the reseller to retain administrative access, then a compromise of reseller credentials would grant access to the customer’s tenant, Microsoft said.
But the abuse of administrative access wouldn’t be a compromise of Microsoft’s services themselves, the company told CRN on Dec. 24.
———–
“Microsoft admitted the SolarWinds hackers were able to download some source code for its Azure, Exchange and Intune cloud-based products. The downloaded Azure source code was for subsets of its service, security and identity components, according to Microsoft.”
It’s more than a little ominous. In February, weeks before the Microsoft Exchange mega-hack was disclosed, the company gave us an update on its SolarWinds investigation: source code was stolen. Source code for the cloud-based versions of Azure, Intune, and Exchange. Sure, it sounds like it was only the self-hosted Exchange servers that got hit in the mega-hack, not the cloud-based Exchange systems. But when Microsoft admits the SolarWinds hackers obtained source code for Exchange’s cloud-based service, and then a couple of weeks later we’re told the largest hack on record took place when virtually all of Exchange’s self-hosted servers got hacked via a zero-day exploit, it’s kind of hard to avoid suspicions that the two events are related. And yet Microsoft assures us SolarWinds was the work of ‘Cozy Bear’ and the Exchange hack was from previously unknown Chinese state hackers. It’s all quite convenient for Microsoft. The kind of explanation that avoids a lot of messy questions:
...
The search terms used by the SolarWinds hackers indicate they were attempting to find secrets such as API keys, credentials, and security tokens that may have been embedded in the source code, according to Microsoft. But the company said it has a development policy that prohibits storing secrets in source code and runs automated tools to verify compliance. Microsoft said it subsequently confirmed that both current and historical branches of its source code repositories don’t contain any live production credentials. For nearly all the Microsoft code repositories accessed by the SolarWinds hackers, only a few individual files were viewed as a result of a repository search, according to the company.
...
But, again, keep in mind another major reason Microsoft might want to assure the world that it’s Russian and Chinese state actors who carried out these mega-hacks: state actors are far more likely to hack for espionage purposes. And when you hack for espionage purposes you probably won’t sell the information you stole. Criminal actors, on the other hand, have very different motivations. So for the general public, learning that Russia or China hacked into your organization is far less alarming than learning some elite criminal hacker group did it. Although, as we’ll see, the hackers we’re told are Chinese state hackers actually run their own personal for-profit ransom schemes.
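The token counterfeiting described in the Treasury excerpt earlier and the SAML signing-certificate compromise described in the Microsoft update above are, from a defender’s side, the same problem: a token signed with a stolen federation key looks perfectly valid to the cloud service, yet the on-premises federation server never issued it. The following is an added example, not code from Microsoft, SolarWinds or any report quoted on this page, showing one way to surface such tokens by joining the cloud sign-in log against the issuer’s own issuance log; the record layouts, field names and the one-hour lifetime policy are assumptions, and every log entry is constructed.

```python
"""Cross-check federated cloud sign-ins against the on-premises federation
server's own token-issuance log to surface forged SAML tokens.

Added example; not code from any report quoted on this page. Record layouts,
field names and the one-hour lifetime policy are assumptions, and all log
entries below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class IssuanceEvent:
    """One token the federation server says it issued (assumed schema)."""
    issued_at: datetime
    user: str
    assertion_id: str


@dataclass(frozen=True)
class CloudSignIn:
    """One federated sign-in as recorded by the cloud service (assumed schema)."""
    seen_at: datetime
    user: str
    assertion_id: str
    not_before: datetime
    not_on_or_after: datetime


# Assumed tenant policy: the federation server never issues tokens valid for
# longer than one hour, so anything longer was minted somewhere else.
MAX_TOKEN_LIFETIME = timedelta(hours=1)
CLOCK_SKEW = timedelta(minutes=5)


def find_suspicious_signins(issued, signins):
    """Return (assertion_id, user, reasons) for each sign-in that the issuer
    cannot vouch for or that carries an out-of-policy validity window."""
    by_id = {e.assertion_id: e for e in issued}
    alerts = []
    for s in signins:
        reasons = []
        event = by_id.get(s.assertion_id)
        if event is None:
            # Valid signature but no issuance record: the hallmark of a token
            # signed with a stolen key rather than by the server itself.
            reasons.append("no matching issuance event on federation server")
        elif event.user != s.user:
            reasons.append(f"issued to {event.user}, presented for {s.user}")
        lifetime = s.not_on_or_after - s.not_before
        if lifetime > MAX_TOKEN_LIFETIME + CLOCK_SKEW:
            reasons.append(f"token lifetime {lifetime} exceeds policy")
        if reasons:
            alerts.append((s.assertion_id, s.user, reasons))
    return alerts


def demo():
    """Run the check over constructed logs: two honest sign-ins and one forged,
    long-lived token for a privileged account the server never issued."""
    t0 = datetime(2020, 12, 10, 9, 0, 0)
    issued = [
        IssuanceEvent(t0, "alice@example.test", "_a1"),
        IssuanceEvent(t0 + timedelta(minutes=3), "bob@example.test", "_b1"),
    ]
    signins = [
        CloudSignIn(t0 + timedelta(minutes=1), "alice@example.test", "_a1",
                    t0, t0 + timedelta(hours=1)),
        CloudSignIn(t0 + timedelta(minutes=4), "bob@example.test", "_b1",
                    t0 + timedelta(minutes=3), t0 + timedelta(minutes=63)),
        # Constructed forgery: no issuance record and a 30-day validity window.
        CloudSignIn(t0 + timedelta(minutes=10), "admin@example.test",
                    "_forged-0001", t0, t0 + timedelta(days=30)),
    ]
    return find_suspicious_signins(issued, signins)


if __name__ == "__main__":
    for assertion_id, user, reasons in demo():
        print(f"ALERT {user} {assertion_id}: {'; '.join(reasons)}")
```

The join only works if the federation server’s log is shipped somewhere the on-premises intruder cannot edit, which is exactly the on-premises-to-cloud seam the Microsoft update describes; the lifetime check is the fallback when that log cannot be trusted.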
A New(?) Mega-Hack is Upon Us: The Microsoft Exchange Mega-Hack. Which, Microsoft Promises, is Definitely Totally Unrelated to the SolarWinds Mega-Hack
Do you or your organization own a self-hosted Microsoft Exchange email server that was connected to the internet between January and March of this year? Congrats! It was hacked. Basically all of them got hacked. A global ransacking that was arguably larger than the SolarWinds hack. And much like the SolarWinds hack, these hackers had the potential to seed victim networks with backdoors or worse. So it’s another mega-hack that sets the hackers up for even bigger mega-hacks in the future. Another Microsoft mega-hack:
Krebs on Security
At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software
March 5, 2021
At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.
On March 2, Microsoft released emergency security updates to plug four security holes in Exchange Server versions 2013 through 2019 that hackers were actively using to siphon email communications from Internet-facing systems running Exchange.
Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed “Hafnium,” and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
In the three days since then, security experts say the same Chinese cyber espionage group has dramatically stepped up attacks on any vulnerable, unpatched Exchange servers worldwide.
In each incident, the intruders have left behind a “web shell,” an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim’s computer servers.
Speaking on condition of anonymity, two cybersecurity experts who’ve briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide — with each victim system representing approximately one organization that uses Exchange to process email.
Microsoft’s initial advisory about the Exchange flaws credited Reston, Va. based Volexity for reporting the vulnerabilities. Volexity President Steven Adair said the company first saw attackers quietly exploiting the Exchange bugs on Jan. 6, 2021, a day when most of the world was glued to television coverage of the riot at the U.S. Capitol.
But Adair said that over the past few days the hacking group has shifted into high gear, moving quickly to scan the Internet for Exchange servers that weren’t yet protected by the security updates Microsoft released Tuesday.
“We’ve worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today,” Adair said. “Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”
Reached for comment, Microsoft said it is working closely with the U.S. Cybersecurity & Infrastructure Security Agency (CISA), other government agencies, and security companies, to ensure it is providing the best possible guidance and mitigation for its customers.
“The best protection is to apply updates as soon as possible across all impacted systems,” a Microsoft spokesperson said in a written statement. “We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources.”
Meanwhile, CISA has issued an emergency directive ordering all federal civilian departments and agencies running vulnerable Microsoft Exchange servers to either update the software or disconnect the products from their networks.
Adair said he’s fielded dozens of calls today from state and local government agencies that have identified the backdoors in their Exchange servers and are pleading for help. The trouble is, patching the flaws only blocks the four different ways the hackers are using to get in. But it does nothing to undo the damage that may already have been done.
White House press secretary Jen Psaki told reporters today the vulnerabilities found in Microsoft’s widely used Exchange servers were “significant,” and “could have far-reaching impacts.”
“We’re concerned that there are a large number of victims,” Psaki said.
By all accounts, rooting out these intruders is going to require an unprecedented and urgent nationwide clean-up effort. Adair and others say they’re worried that the longer it takes for victims to remove the backdoors, the more likely it is that the intruders will follow up by installing additional backdoors, and perhaps broadening the attack to include other portions of the victim’s network infrastructure.
Security researchers have published several tools for detecting vulnerable servers. One of those tools, a script from Microsoft’s Kevin Beaumont, is available from Github.
KrebsOnSecurity has seen portions of a victim list compiled by running such a tool, and it is not a pretty picture. The backdoor web shell is verifiably present on the networks of thousands of U.S. organizations, including banks, credit unions, non-profits, telecommunications providers, public utilities and police, fire and rescue units.
“It’s police departments, hospitals, tons of city and state governments and credit unions,” said one source who’s working closely with federal officials on the matter. “Just about everyone who’s running self-hosted Outlook Web Access and wasn’t patched as of a few days ago got hit with a zero-day attack.”
Another government cybersecurity expert who participated in a recent call with multiple stakeholders impacted by this hacking spree worries the cleanup effort required is going to be Herculean.
“On the call, many questions were from school districts or local governments that all need help,” the source said, speaking on condition they were not identified by name. “If these numbers are in the tens of thousands, how does incident response get done? There are just not enough incident response teams out there to do that quickly.”
When it released patches for the four Exchange Server flaws on Tuesday, Microsoft emphasized that the vulnerability did not affect customers running its Exchange Online service (Microsoft’s cloud-hosted email for businesses). But sources say the vast majority of the organizations victimized so far are running some form of Internet-facing Microsoft Outlook Web Access (OWA) email systems in tandem with Exchange servers internally.
“It’s a question worth asking, what’s Microsoft’s recommendation going to be?,” the government cybersecurity expert said. “They’ll say ‘Patch, but it’s better to go to the cloud.’ But how are they securing their non-cloud products? Letting them wither on the vine.”
The government cybersecurity expert said this most recent round of attacks is uncharacteristic of the kinds of nation-state level hacking typically attributed to China, which tends to be fairly focused on compromising specific strategic targets.
“It’s reckless,” the source said. “It seems out of character for Chinese state actors to be this indiscriminate.”
Microsoft has said the incursions by Hafnium on vulnerable Exchange servers are in no way connected to the separate SolarWinds-related attacks, in which a suspected Russian intelligence group installed backdoors in network management software used by more than 18,000 organizations.
“We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services,” the company said.
Nevertheless, the events of the past few days may well end up far eclipsing the damage done by the SolarWinds intruders.
...
————-
“Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed “Hafnium,” and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.”
Somehow Microsoft determined this hack was carried out by a previously unidentified Chinese hacking crew. Again, we have no idea how they know this group was Chinese or how they know it’s not the same group behind the SolarWinds hack or all sorts of other hacks. We just know Microsoft was very confidently declaring this mega-hack with extreme parallels to SolarWinds wasn’t carried out by the same crew. Instead, we’re confidently assured it’s a Chinese nation-state-backed hacking group that has uncharacteristically decided to carry out what may be the largest hack ever, even larger than SolarWinds. We just have to trust Microsoft:
...
Speaking on condition of anonymity, two cybersecurity experts who’ve briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide — with each victim system representing approximately one organization that uses Exchange to process email....
The government cybersecurity expert said this most recent round of attacks is uncharacteristic of the kinds of nation-state level hacking typically attributed to China, which tends to be fairly focused on compromising specific strategic targets.
“It’s reckless,” the source said. “It seems out of character for Chinese state actors to be this indiscriminate.”
...
It’s also worth noting that Microsoft didn’t catch this vulnerability. It was Volexity, which detected the first major attack coinciding with the January 6 far-right insurrection. We are told that the Chinese hackers quietly started the hack during the insurrection but transitioned towards an open smash-and-grab a few days later. So that’s some pretty interesting timing, but Volexity had an update: they found signs of cyber operations using this zero-day exploit on January 3, 2021. So the timing with the Capitol insurrection isn’t quite as interesting as the early reporting indicated.
Also recall how Volexity was the first company to identify the SolarWinds malware on their clients’ networks back in July of 2020. Their warnings were ignored but they were the first to find it, at least on record. Volexity is apparently the one company capable of finding these current mega backdoor hacks:
...
Microsoft’s initial advisory about the Exchange flaws credited Reston, Va. based Volexity for reporting the vulnerabilities. Volexity President Steven Adair said the company first saw attackers quietly exploiting the Exchange bugs on Jan. 6, 2021, a day when most of the world was glued to television coverage of the riot at the U.S. Capitol.
But Adair said that over the past few days the hacking group has shifted into high gear, moving quickly to scan the Internet for Exchange servers that weren’t yet protected by the security updates Microsoft released Tuesday.
....
And in case the scale of the hack wasn’t clear, note how it appears to be virtually every single self-hosted Outlook Web Access (OWA) server on the planet connected to the internet. Every single one. It’s a global digital nightmare scenario:
...
“We’ve worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today,” Adair said. “Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”
...
Adair said he’s fielded dozens of calls today from state and local government agencies that have identified the backdoors in their Exchange servers and are pleading for help. The trouble is, patching the flaws only blocks the four different ways the hackers are using to get in. But it does nothing to undo the damage that may already have been done.
...
By all accounts, rooting out these intruders is going to require an unprecedented and urgent nationwide clean-up effort. Adair and others say they’re worried that the longer it takes for victims to remove the backdoors, the more likely it is that the intruders will follow up by installing additional backdoors, and perhaps broadening the attack to include other portions of the victim’s network infrastructure.
...
“It’s police departments, hospitals, tons of city and state governments and credit unions,” said one source who’s working closely with federal officials on the matter. “Just about everyone who’s running self-hosted Outlook Web Access and wasn’t patched as of a few days ago got hit with a zero-day attack.”
...
And finally, it’s hard to avoid marveling at the rather stunning assurances given by Microsoft at this point regarding the SolarWinds hack and the role Microsoft vulnerabilities played in that event. Microsoft tells us, “We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services.” This was what Microsoft was telling the public in March of 2021. As we saw in the previous article excerpt, which was published about 6 weeks later, the exploitation of Microsoft products was the defining feature of the second phase of the SolarWinds attack. First the SolarWinds Orion software deployed backdoors on all of the SolarWinds customer networks. Then the hackers used those backdoors to roam the network, looking for valuable information to steal. And that meant exploiting Microsoft vulnerabilities, which they apparently did with abandon. To claim there was no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services is just a lie. A lie that conveniently helped Microsoft avoid the uncomfortable questions about whether or not this Microsoft Exchange mega-backdoor hack and the SolarWinds mega-backdoor hack were part of some sort of joint mega-backdoor hack run by the same group of people:
...
Microsoft has said the incursions by Hafnium on vulnerable Exchange servers are in no way connected to the separate SolarWinds-related attacks, in which a suspected Russian intelligence group installed backdoors in network management software used by more than 18,000 organizations.
“We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services,” the company said.
Nevertheless, the events of the past few days may well end up far eclipsing the damage done by the SolarWinds intruders.
...
And while Microsoft was aggressively distancing itself and this hack from the SolarWinds hack early on, within a week it was starting to look like SolarWinds was the company that should be doing the distancing. Because this hack was looking like much more than SolarWinds. Like an automatable SolarWinds that was plundered to the full extent available by a variety of criminal actors. It was ‘Hafnium’ who quietly and exclusively used this zero-day exploit starting from January 3 until Microsoft announced the patch on March 2, at which point a criminal free-for-all involving at least a half dozen other hacking groups ensued to ransack any unpatched servers.
But perhaps the most scandalous aspect of all this is that the zero-day vulnerability that enabled all this has apparently been sitting in Microsoft’s code for at least a decade. How much do you want to bet Jan 3 wasn’t the first time this vulnerability was exploited?:
Data Center Knowledge
Microsoft Exchange Hack Could Be Worse Than SolarWinds
The massive hack’s scope keeps growing. Unlike the SolarWinds exploit, this one can be automated.
Maria Korolov | Mar 10, 2021
The scope of damage from the newly public Microsoft Exchange vulnerability keeps growing, with some experts saying that it is “worse than SolarWinds.”
As of last count, more than 60,000 organizations have fallen victim to the attack.
“The scale of the attack is the biggest threat at this time,” said Mark Goodwin, managing senior analyst at security consulting firm Bishop Fox.
Government institutions have been attacked, large corporations, and small local businesses, he told DCK. According to the internet scanning tool Shodan, more than 250,000 servers are vulnerable, he added.
Unlike the SolarWinds breach, the Microsoft Exchange vulnerability can be exploited in an automated way. If a data center has an Exchange server accessible via the public internet, assume it’s been compromised, he said.
The problem is so severe that Microsoft has released patches even for older servers that are no longer supported, Goodwin said.
And, unlike the SolarWinds breach, which was primarily exploited by a single state-sponsored group, reportedly from Russia, the Microsoft Exchange vulnerability is open to everybody. Originally associated with a Chinese state-sponsored group, Hafnium, at last count half a dozen different groups are actively attacking organizations with vulnerable servers.
The Microsoft Exchange vulnerability gives hackers full access to Microsoft Exchange servers which in turn can be leveraged to compromise Active Directory servers.
“Once you compromise Active Directory, you can go after anything you want,” said Srikant Vissamsetti, senior VP of engineering at Attivo Networks, a cybersecurity vendor. “You get the keys to the kingdom.”
The big problem is that Microsoft Exchange is designed to be accessed by external users, which means servers can be accessible via the internet – and attackers can find them when they scan for vulnerabilities.
“There are ways to scan everything connected to the internet to find vulnerable systems,” said Jethro Beekman, technical director at cybersecurity firm Fortanix. “This has an enormous threat of misuse.”
As a result, the Department of Homeland Security last week issued an emergency directive for federal agencies, warning that the Microsoft Exchange vulnerability is being actively exploited and ordering them to take defensive action.
“This is a crazy huge hack,” said Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, in a Tweet on Friday. “The numbers I’ve heard dwarf what’s reported.”
This is a crazy huge hack. The numbers I’ve heard dwarf what’s reported here & by my brother from another mother (@briankrebs). Why, though? Is this a flex in the early days of the Biden admin to test their resolve? Is it an out of control cybercrime gang? Contractors gone wild? pic.twitter.com/cA4lkS4stg
— Chris Krebs (@C_C_Krebs) March 6, 2021
Also on Friday, security firm Huntress released a report of its analysis of 3,000 servers, most of which had antivirus or endpoint security solutions installed. Of those, 800 were still not patched, and there were more than 350 malicious webshells already installed by attackers.
“This has seemingly slipped past a majority of preventative security products,” said Huntress senior security researcher John Hammond in a report.
The number of affected enterprises is so much higher with this attack than with SolarWinds because this attack can be highly automated, Attivo’s Vissamsetti told DCK.
“With something like this, attackers can mobilize within a day,” he said. “They can script the whole thing in just a few hours.”
Cleanup Will Be Messy
Patching the Microsoft Exchange server is not enough if an organization has been compromised.
Enterprises can look for indicators of compromise in log files, but smart attackers may erase those traces as well.
Then, attackers may have installed back doors or created accounts for themselves with high levels of access, or even conducted a “golden ticket” attack on Active Directory.
“Once you have a golden ticket attack, you pretty much have to start over,” said Vissamsetti. “Changing passwords is not sufficient. They’ve got a super admin.”
And the possibilities for damage are nearly endless, he added.
“It will be messy to clean up,” said Oliver Tavakoli, CTO at Vectra Networks. “It will effectively require backing up data, re-imaging the Exchange server, scrubbing the backup of any accounts which should not be present, resetting all passwords and secrets, and restoring the remaining backup data.”
This is while security teams are already stretched thin by the SolarWinds attack, he added.
“This hack will compete for the same investigative and remediation resources,” he told DCK. “So, having two such broad attacks occur near the same time places exorbitant strain on the resources.”
And even if the Exchange servers are patched, back doors shut down, and attackers fully cleaned out, that’s not the end of it, said Adrien Gendre, chief product and services officer at Vade Secure.
“Based on our knowledge of prior incidents,” he said, “expect to see a rise in spear phishing attacks in the coming weeks.”
The attackers will be able to use the information they’ve collected while in the system, such as emails and other documents, to craft extremely targeted and credible scam emails, he said.
Time to Ditch Microsoft Exchange
Experts recommend that companies replace on-prem deployments of Microsoft Exchange with cloud-based alternatives like Office 365, which are not vulnerable to the attack.
And if there is an attack, the SaaS vendor simply installs the patch themselves. There’s no need for every single customer to install their own patches, dramatically simplifying security.
If that’s not an option, the Exchange servers can be put behind VPNs, Fortanix’s Beekman told DCK.
“And there are web application firewalls that you can insert between the server and the internet,” he added.
Data center providers that offer managed servers to clients are particularly vulnerable, because if they themselves use a vulnerable Microsoft Exchange server and their environment is compromised, client infrastructure could potentially be at risk, he added.
This is where security approaches like zero trust and micro segmentation can be used to restrict lateral movement, he said.
...
The Timeline of the Microsoft Exchange Hack
Security experts began noticing signs of compromise in early January, with the first attacks on January 3, according to security firm Volexity.
At first, these attacks, which exploited a zero-day vulnerability, were limited to Hafnium.
Then, after Microsoft finally released patches on March 2, other criminal groups started using it in a race to attack as many servers as possible before they were patched.
But the vulnerability has been present in the Microsoft Exchange codebase for a decade, said Ed Hunter, CISO at Infoblox, a cybersecurity company.
“One has to wonder how long this vulnerability has been a closely held – and used – tool in this threat actor’s toolbox,” he told DCK.
...
———–
“Unlike the SolarWinds breach, the Microsoft Exchange vulnerability can be exploited in an automated way. If a data center has an Exchange server accessible via the public internet, assume it’s been compromised, he said.”
Not only is this hack the kind of hack that any common hacker criminal is capable of executing once they know the exploit, but it’s the kind of hack that a single hacker could theoretically turn into a mega-hack with a simple script because this is an automatable hack. That’s why you should assume you got hit if you were exposed. Everyone exposed got hit because it was easy for anyone to hit everyone.
But everyone wasn’t hit at first. It was “Hafnium” who quietly started hacking targets, with Volexity first detecting the usage of the zero-day exploit on January 3 (not Jan 6 as earlier indicated). It was after Microsoft released the patches on March 2 that other criminal groups went on a global spree, hitting every remaining unpatched Exchange server on the planet connected to the internet. As we’re going to see, when the US and its Western allies all issue coordinated formal statements in mid-July, formally accusing China of executing the hack, we are told by unnamed sources familiar with the investigation that it is suspected that Hafnium knew Microsoft was going to close the zero-day vulnerabilities (which were no longer zero-days at that point) and at that point handed the exploits over to criminals. But we have no idea why that particular scenario was suspected, as opposed to Hafnium being a criminal actor who sold their exploit to other actors once the patch was released. Or another actor pretending to be a Chinese state actor, although it’s unclear what, if any, ‘Chinese’ indicators are being left by “Hafnium”. Microsoft told us it was a never-before-seen Chinese state-backed group called Hafnium and that declaration alone is treated as adequate evidence. As with the SolarWinds hack, it’s faith-based public attribution, which is a big part of the reason the reading-the-tea-leaves behind-the-scenes methods of attribution are so problematic. That’s what we’re supposed to have faith in. Tea-leaf reading with huge conflicts of interest:
...
And, unlike the SolarWinds breach, which was primarily exploited by a single state-sponsored group, reportedly from Russia, the Microsoft Exchange vulnerability is open to everybody. Originally associated with a Chinese state-sponsored group, Hafnium, at last count half a dozen different groups are actively attacking organizations with vulnerable servers....
Security experts began noticing signs of compromise in early January, with the first attacks on January 3, according to security firm Volexity.
At first, these attacks, which exploited a zero-day vulnerability, were limited to Hafnium.
Then, after Microsoft finally released patches on March 2, other criminal groups started using it in a race to attack as many servers as possible before they were patched.
...
Also observe how Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, was trying to make sense of the incredibly aggressive nature of this hack by questioning on Twitter if this was the work of an out-of-control cybercrime gang or contractors gone wild. Krebs is generally considered a pretty credible voice on these matters. So he was not ready to jump on board the China-did-it bandwagon at this point, when we were being assured by Microsoft and others that yes, China did it. Just take their word for it. Krebs wasn’t taking their word:
...
“This is a crazy huge hack,” said Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, in a Tweet on Friday. “The numbers I’ve heard dwarf what’s reported.”
This is a crazy huge hack. The numbers I’ve heard dwarf what’s reported here & by my brother from another mother (@briankrebs). Why, though? Is this a flex in the early days of the Biden admin to test their resolve? Is it an out of control cybercrime gang? Contractors gone wild? pic.twitter.com/cA4lkS4stg
— Chris Krebs (@C_C_Krebs) March 6, 2021
...
But it isn’t just the automatable nature of this hacking technique that makes it so scary. It’s also the fact that the hackers could leverage complete control over the Exchange server to compromise the Active Directory servers, which potentially gives them the opportunity to conduct a “golden ticket” attack on Active Directory and grant themselves super-user privileges. That’s the highest level. This is a potentially devastating hack. Complete control is an apt description of what it can confer. Thanks in part to a lot of Microsoft exploits:
...
The Microsoft Exchange vulnerability gives hackers full access to Microsoft Exchange servers which in turn can be leveraged to compromise Active Directory servers.
“Once you compromise Active Directory, you can go after anything you want,” said Srikant Vissamsetti, senior VP of engineering at Attivo Networks, a cybersecurity vendor. “You get the keys to the kingdom.”
...
Patching the Microsoft Exchange server is not enough if an organization has been compromised.
Enterprises can look for indicators of compromise in log files, but smart attackers may erase those traces as well.
Then, attackers may have installed back doors or created accounts for themselves with high levels of access, or even conducted a “golden ticket” attack on Active Directory.
“Once you have a golden ticket attack, you pretty much have to start over,” said Vissamsetti. “Changing passwords is not sufficient. They’ve got a super admin.”
And the possibilities for damage are nearly endless, he added.
...
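The article is right that patching alone settles nothing for a server that was exposed before the patch, and that the log files are where the first look belongs. Here is an added example, not from the article or from Microsoft, of what that first look can be: a small Python triage script that parses an Exchange server’s IIS logs and applies two defender-side checks the excerpt above alludes to. First, it flags requests for .aspx pages that never appeared in a trusted baseline window before the exploitation date, which is exactly how a dropped web shell shows up in the front-end logs (a server-side page nobody asked for suddenly being fetched, often with POSTs, from an unfamiliar client). Second, it lists calendar days with no entries at all, the crude but useful check for the “smart attackers may erase those traces” case. The IIS W3C field layout, the cutoff date and every log line below are constructed sample data, not a real capture.

```python
"""Triage helper for an Exchange server's IIS logs (added example, not from the
article or from Microsoft). Two defender-side checks:
  1. requests to .aspx paths never seen in a pre-incident baseline window,
     the typical footprint of a dropped web shell;
  2. calendar days with no log entries at all, a possible sign of deletion.
Assumed: IIS W3C log format, field names taken from the #Fields header.
SAMPLE_LOG and CUTOFF are constructed values, not real data.
"""
from collections import Counter
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed log excerpt. IIS writes '+' for spaces in the User-Agent field.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-12-30 08:01:10 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows) 200
2020-12-30 08:01:12 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0+(Windows) 302
2020-12-31 09:15:00 10.0.0.5 GET /ecp/default.aspx - 443 CORP\alice 10.0.0.40 Mozilla/5.0+(Windows) 200
2021-01-01 10:00:00 10.0.0.5 GET /owa/ - 443 CORP\bob 10.0.0.41 Mozilla/5.0+(Windows) 200
2021-01-04 03:12:44 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 198.51.100.9 python-requests/2.25.1 200
2021-01-04 03:12:45 10.0.0.5 GET /aspnet_client/system_web/constructed_example.aspx - 443 - 198.51.100.9 python-requests/2.25.1 200
2021-01-04 03:12:47 10.0.0.5 POST /aspnet_client/system_web/constructed_example.aspx - 443 - 198.51.100.9 python-requests/2.25.1 200
2021-01-05 08:00:00 10.0.0.5 GET /owa/ - 443 CORP\bob 10.0.0.41 Mozilla/5.0+(Windows) 200
2021-01-05 08:00:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 10.0.0.41 Mozilla/5.0+(Windows) 200
"""

# Boundary between the trusted baseline and the window under investigation.
# Constructed here; in practice take the earliest exploitation date your own
# evidence or the vendor advisory supports.
CUTOFF = date(2021, 1, 2)

Row = Dict[str, str]
Hit = Tuple[str, str, str, str, str]  # timestamp, client ip, method, path, status


def parse_iis_log(text: str) -> List[Row]:
    """Parse W3C extended log text into dicts keyed by the #Fields header names."""
    fields: List[str] = []
    rows: List[Row] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(" ")
        if not fields or len(parts) != len(fields):
            continue  # malformed line: skip rather than guess at columns
        rows.append(dict(zip(fields, parts)))
    return rows


def find_new_aspx_requests(rows: List[Row], cutoff: date) -> List[Hit]:
    """Requests on/after cutoff for .aspx paths that never occur before it."""
    baseline = {
        r["cs-uri-stem"].lower()
        for r in rows
        if date.fromisoformat(r["date"]) < cutoff and r["cs-uri-stem"].lower().endswith(".aspx")
    }
    hits: List[Hit] = []
    for r in rows:
        stem = r["cs-uri-stem"].lower()
        if date.fromisoformat(r["date"]) >= cutoff and stem.endswith(".aspx") and stem not in baseline:
            hits.append((f'{r["date"]} {r["time"]}', r["c-ip"], r["cs-method"], stem, r["sc-status"]))
    return hits


def find_log_gaps(rows: List[Row]) -> List[date]:
    """Days with zero entries strictly between the first and last logged day.

    An internet-facing Exchange server logs traffic every day; a silent day in
    the middle of the range needs an explanation (rotation, outage, or deletion).
    """
    days = sorted({date.fromisoformat(r["date"]) for r in rows})
    gaps: List[date] = []
    for earlier, later in zip(days, days[1:]):
        d = earlier + timedelta(days=1)
        while d < later:
            gaps.append(d)
            d += timedelta(days=1)
    return gaps


def clients_behind_hits(hits: List[Hit]) -> Counter:
    """Flagged requests per client IP, to decide which sources to pivot on first."""
    return Counter(h[1] for h in hits)


def triage(text: str, cutoff: date = CUTOFF) -> Dict[str, object]:
    rows = parse_iis_log(text)
    hits = find_new_aspx_requests(rows, cutoff)
    return {"hits": hits, "gaps": find_log_gaps(rows), "clients": clients_behind_hits(hits)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ts, ip, method, path, status in report["hits"]:
        print(f"NEW .aspx  {ts}  {ip:15}  {method:4} {path} -> {status}")
    for d in report["gaps"]:
        print(f"NO LOG ENTRIES on {d.isoformat()}")
    print("flagged requests per client:", dict(report["clients"]))
```

On the constructed sample this reports the two requests for the never-before-seen page on January 4 from a single scripted client, and the silent days of January 2 and 3. Two caveats a practitioner would want: a web shell that was dropped but never called leaves nothing in these logs, so a file-system pass over the web directories complements this; and a front-end log only covers the front-end site, so the back-end site’s logs deserve the same treatment.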
It’s also worth noting another potentially devastating aspect of this nightmare, given that super-user admin privileges can be obtained by the hackers: data centers running Microsoft Exchange servers may have those super-user admin privileges stolen too. And that potentially threatens all the data in that data center:
...
Data center providers that offer managed servers to clients are particularly vulnerable, because if they themselves use a vulnerable Microsoft Exchange server and their environment is compromised, client infrastructure could potentially be at risk, he added.
This is where security approaches like zero trust and micro segmentation can be used to restrict lateral movement, he said.
...
Finally, and significantly, note how long this vulnerability has existed in Microsoft’s code: a decade! As one security expert astutely asks, “One has to wonder how long this vulnerability has been a closely held – and used – tool in this threat actor’s toolbox”:
...
But the vulnerability has been present in the Microsoft Exchange codebase for a decade, said Ed Hunter, CISO at Infoblox, a cybersecurity company.
“One has to wonder how long this vulnerability has been a closely held – and used – tool in this threat actor’s toolbox,” he told DCK.
...
For the last 10 years, anyone with access to that code could have potentially spotted this vulnerability. Keep this in mind when Microsoft assures us that the theft of its code by the SolarWinds hackers is of no consequence.
SolarWinds Sanctions Arrive. Along With a Lesson in How Attribution Works By CrowdStrike’s Adam Meyers: Surprise! It’s a Hunt for “Cultural Artifacts” ‘Accidentally’ Left Behind
In the span of just four months the world was introduced to the two largest hacks on record. Quite a few lessons were hopefully learned. And if we listen to Adam Meyers, the vice president for threat intelligence at the cybersecurity firm CrowdStrike who led the SolarWinds investigation, it was a master class in hacking. That’s what Meyers expressed in a highly revealing NPR interview in April. A master class in how to obscure one’s tracks.
As we’ll see, Meyers gives us further confirmation of something that has long been clear but is rarely said out loud so plainly: contemporary cyberattribution really does rely heavily on ‘clues’ like Cyrillic characters or Mandarin in the code, and such ‘clues’ are frequently found. At least that’s how Adam Meyers, the vice president for threat intelligence at CrowdStrike, described his approach to determining the identity of the SolarWinds hackers. Meyers expresses dismay at how thorough the hackers were. Thorough in the sense that there was no ‘cultural artifact’ like Cyrillic or Mandarin. Meyers describes the lack of anything that a human might have inadvertently left behind as a clue as “mind-blowing”. His response to the tiny piece of malware used in the initial SolarWinds hack — distributed to all 18,000 clients via the Orion software — and its lack of clues: “the craziest f***ing thing I’d ever seen.” Take a moment to process that.
So this April update on the SolarWinds investigation includes an update on the general state of affairs in cyberattribution. A state of affairs where malware that’s cleaned and lacks a ‘cultural artifact’ is “the craziest f***ing thing I’d ever seen.” And yet, as we saw, there was virtually no hesitancy in attributing the hack to ‘Cozy Bear’/APT29/‘Nobelium’. This is a good time to recall that the story of the Shadow Brokers and the CIA’s hacking toolkit that included features like leaving Cyrillic or Mandarin characters to leave a false lead was confirmed just four years ago.
Oh, and the US government was ready to announce sanctions against Russia for the hack. So at the same time sanctions were announced, we got an interview that further confirmed the cyberattribution industry is predicated on lunatic assumptions. It really does seem to be the case that everyone really is playing dumb here. Double yikes:
National Public Radio
A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack
Dina Temple-Raston
April 16, 2021 10:05 AM ET
“This release includes bug fixes, increased stability and performance improvements.”
The routine software update may be one of the most familiar and least understood parts of our digital lives. A pop-up window announces its arrival and all that is required of us is to plug everything in before bed. The next morning, rather like the shoemaker and the elves, our software is magically transformed.
Last spring, a Texas-based company called SolarWinds made one such software update available to its customers. It was supposed to provide the regular fare — bug fixes, performance enhancements — to the company’s popular network management system, a software program called Orion that keeps a watchful eye on all the various components in a company’s network. Customers simply had to log into the company’s software development website, type a password and then wait for the update to land seamlessly onto their servers.
The routine update, it turns out, is no longer so routine.
Hackers believed to be directed by the Russian intelligence service, the SVR, used that routine software update to slip malicious code into Orion’s software and then used it as a vehicle for a massive cyberattack against America.
“Eighteen thousand [customers] was our best estimate of who may have downloaded the code between March and June of 2020,” Sudhakar Ramakrishna, SolarWinds president and CEO, told NPR. “If you then take 18,000 and start sifting through it, the actual number of impacted customers is far less. We don’t know the exact numbers. We are still conducting the investigation.”
On Thursday, the Biden administration announced a roster of tough sanctions against Russia as part of what it characterized as the “seen and unseen” response to the SolarWinds breach.
NPR’s months-long examination of that landmark attack — based on interviews with dozens of players from company officials to victims to cyber forensics experts who investigated, and intelligence officials who are in the process of calibrating the Biden administration’s response — reveals a hack unlike any other, launched by a sophisticated adversary who took aim at a soft underbelly of digital life: the routine software update.
By design, the hack appeared to work only under very specific circumstances. Its victims had to download the tainted update and then actually deploy it. That was the first condition. The second was that their compromised networks needed to be connected to the Internet, so the hackers could communicate with their servers.
For that reason, Ramakrishna figures the Russians successfully compromised about 100 companies and about a dozen government agencies. The companies included Microsoft, Intel and Cisco; the list of federal agencies so far includes the Treasury, Justice and Energy departments and the Pentagon.
The hackers also found their way, rather embarrassingly, into the Cybersecurity and Infrastructure Security Agency, or CISA — the office at the Department of Homeland Security whose job it is to protect federal computer networks from cyberattacks.
The concern is that the same access that gives the Russians the ability to steal data could also allow them to alter or destroy it. “The speed with which an actor can move from espionage to degrading or disrupting a network is at the blink of an eye,” one senior administration official said during a background briefing from the White House on Thursday. “And a defender cannot move at that speed. And given the history of Russia’s malicious activity in cyberspace and their reckless behavior in cyberspace, that was a key concern.”
“The tradecraft was phenomenal”
Network monitoring software is a key part of the backroom operations we never see. Programs like Orion allow information technology departments to look on one screen and check their whole network: servers or firewalls, or that printer on the fifth floor that keeps going offline. By its very nature, it touches everything — which is why hacking it was genius.
“It’s really your worst nightmare,” Tim Brown, vice president of security at SolarWinds, said recently. “You feel a kind of horror. This had the potential to affect thousands of customers; this had the potential to do a great deal of harm.”
When cybersecurity experts talk about harm, they’re thinking about something like what happened in 2017, when the Russian military launched a ransomware attack known as NotPetya. It, too, began with tainted software, but in that case the hackers were bent on destruction. They planted ransomware that paralyzed multinational companies and permanently locked people around the world out of tens of thousands of computers. Even this much later, it is considered the most destructive and costly cyberattack in history.
Intelligence officials worry that SolarWinds might presage something on that scale. Certainly, the hackers had time to do damage. They roamed around American computer networks for nine months, and it is unclear whether they were just reading emails and doing the things spies typically do, or whether they were planting something more destructive for use in the future.
“When there’s cyber-espionage conducted by nations, FireEye is on the target list,” Kevin Mandia, CEO of the cybersecurity firm FireEye, told NPR, but he believes there are other less obvious targets that now might need more protecting. “I think utilities might be on that list. I think health care might be on that list. And you don’t necessarily want to be on the list of fair game for the most capable offense to target you.”
The SolarWinds attackers ran a master class in novel hacking techniques. They modified sealed software code, created a system that used domain names to select targets and mimicked the Orion software communication protocols so they could hide in plain sight. And then, they did what any good operative would do: They cleaned the crime scene so thoroughly investigators can’t prove definitively who was behind it. The White House has said unequivocally that Russian intelligence was behind the hack. Russia, for its part, has denied any involvement.
“The tradecraft was phenomenal,” said Adam Meyers, who led the cyber forensics team that pawed through that tainted update on behalf of SolarWinds, providing details for the first time about what they found. The code was elegant and innovative, he said, and then added, “This was the craziest f***ing thing I’d ever seen.”
Like razor blades in peanut butter cups
Meyers is the vice president for threat intelligence at the cybersecurity firm CrowdStrike, and he’s seen epic attacks up close. He worked on the 2014 Sony hack, when North Korea cracked into the company’s servers and released emails and first-run movies. A year later, he was on the front lines when a suspected Kremlin-backed hacking team known as “Cozy Bear” stole, among other things, a trove of emails from the Democratic National Committee. WikiLeaks then released them in the runup to the 2016 election.
“We’re involved in all kinds of incidents around the globe every day,” Meyers said. Typically he directs teams, he doesn’t run them. But SolarWinds was different: “When I started getting briefed up, I realized [this] was actually quite a big deal.”
The attack began with a tiny strip of code. Meyers traced it back to Sept. 12, 2019. “This little snippet of code doesn’t do anything,” Meyers said. “It’s literally just checking to see which processor is running on the computer, if it is a 32- or 64-bit processor and if it is one or the other, it returns either a zero or a one.”
The code fragment, it turns out, was a proof of concept — a little trial balloon to see if it was possible to modify SolarWinds’ signed-and-sealed software code, get it published and then later see it in a downloaded version. And they realized they could. “So at this point, they know that they can pull off a supply chain attack,” Meyers said. “They know that they have that capability.”
After that initial success, the hackers disappeared for five months. When they returned in February 2020, Meyers said, they came armed with an amazing new implant that delivered a backdoor that went into the software itself before it was published.
To understand why that was remarkable, you need to know that finished software code has a kind of digital factory seal. If you break that seal, someone can see it and know that the code might have been tampered with. Meyers said the hackers essentially found a way to get under that factory seal.
They began by implanting code that told them any time someone on the SolarWinds development team was getting ready to build new software. They understood that the process of creating software or an update typically begins with something routine such as checking a code out of a digital repository, sort of like checking a book out of the library.
Under normal circumstances, developers take the code out of the repository, make changes and then check it back in. Once they finish tinkering, they initiate something called the build process, which essentially translates the code a human can read to the code a computer does. At that point, the code is clean and tested. What the hackers did after that was the trick.
They would create a temporary update file with the malicious code inside while the SolarWinds code was compiling. The hackers’ malicious code told the machine to swap in their temporary file instead of the SolarWinds version. “I think a lot of people probably assume that it is the source code that’s been modified,” Meyers said, but instead the hackers used a kind of bait-and-switch.
But this, Meyers said, was interesting, too. The hackers understood that companies such as SolarWinds typically audit code before they start building an update, just to make sure everything is as it should be. So they made sure that the switch to the temporary file happened at the last possible second, when the updates went from source code (readable by people) to executable code (which the computer reads) to the software that goes out to customers.
The technique reminded Meyers of old fears around trick-or-treating. For decades, there had been an urban myth that kids couldn’t eat any Halloween candy before checking the wrapper seal because bad people might have put razor blades inside. What the hackers did with the code, Meyers said, was a little like that.
“Imagine those Reese’s Peanut Butter Cups going into the package and just before the machine comes down and seals the package, some other thing comes in and slides a razor blade into your Reese’s Peanut Butter Cup,” he said. Instead of a razor blade, the hackers swapped the files so “the package gets sealed and it goes out the door to the store.”
The update that went out to SolarWinds’ customers was the dangerous peanut butter cup — the malicious version of the software included code that would give the hackers unfettered, undetected access to any Orion user who downloaded and deployed the update and was connected to the Internet.
But there was something else about that code that bothered Meyers: It wasn’t just for SolarWinds. “When we looked at [it], it could have been reconfigured for any number of software products,” Meyers said. In other words, any number of other software developers using the same compiler may also be on the receiving end of a cyberattack, he said, and they just don’t know it yet.
Picking and choosing targets
Meyers said it’s hard not to admire just how much thought the hackers put into this operation. Consider the way they identified targets. The downside of breaking into so many customer networks all at once is that it is hard to decide what to exploit first. So the hackers created a passive domain name server system that sent little messages with not just an IP address, which is just a series of numbers, but also with a thumbnail profile of a potential target.
“So they could then say, ‘OK, we’re going to go after this dot gov target or whatever,’ ” Meyers said. “I think later it became clear that there were a lot of government technology companies being targeted.”
The hackers also reverse-engineered the way Orion communicated with servers and built their own coding instructions mimicking Orion’s syntax and formats. What that did is allow the hackers to look like they were “speaking” Orion, so their message traffic looked like a natural extension of the software.
“So once they determined that a target was of interest, they could say, ‘OK, let’s go active, let’s manipulate files, let’s change something,’ ” Meyers said, and then they would slip in unnoticed through the backdoor they had created. “And there is one other thing I should mention: This backdoor would wait up to two weeks before it actually went active on the host. This was a very patient adversary.”
None of the tripwires put in place by private companies or the government seems to have seen the attack coming. Christopher Krebs, who had been in charge of the office that protected government networks at DHS during the Trump administration, told NPR that DHS’ current system, something known (without irony) as Einstein, only catches known threats. The SolarWinds breach, he said, was just “too novel.”
“Upwards of 90[%] to 95% of threats are based on known techniques, known cyberactivity,” Krebs explained. “And that’s not just criminal actors, that’s state actors, too, including the Russian intelligence agencies and the Russian military. This was a previously unidentified technique.”
And there is something else that Einstein doesn’t do: It doesn’t scan software updates. So even if the hackers had used code that Einstein would have recognized as bad, the system might not have seen it because it was delivered in one of those routine software updates.
The National Security Agency and the military’s U.S. Cyber Command were also caught flat-footed. Broadly speaking, their cyber operators sit in foreign networks looking for signs of cyberattacks before they happen. They can see suspicious activity in much the same way a satellite might see troops amassing on the border. Critics said they should have seen the hackers from the Russian intelligence service, the SVR, preparing this attack.
“The SVR has a pretty good understanding that the NSA is looking out,” Krebs said. “What the SVR was able to do was make the transition from wherever they were operating from into the U.S. networks. They move like ghosts. They are very hard to track.”
The hackers didn’t do anything fancy to give them the domestic footprint, officials confirmed. In fact, they just rented servers from Amazon and GoDaddy.
Early warnings
There were some indications, elsewhere, though, that something was wrong.
In early July, Steven Adair, the founder of a Washington, D.C.-based cybersecurity company called Volexity, saw some suspicious activity on a client’s computers. “We traced it back, and we thought it might be related to a bad update with SolarWinds,” Adair told NPR. “We addressed the problem, made sure no one was in our customers’ systems, and we left it at that.”
Adair said he didn’t feel he had enough detail to report the problem to SolarWinds or the U.S. government. “We thought we didn’t have enough evidence to reach out,” he said.
That was the first missed sign.
The second came three months later when a California-based cybersecurity company called Palo Alto Networks discovered a malicious backdoor that seemed to emanate from the Orion software.
In that case, according to SolarWinds’ Ramakrishna, the security teams at SolarWinds and Palo Alto worked together for three months to try to pick up the thread of the problem and walk it back. “None of us could pinpoint a supply chain attack at that point,” Ramakrishna told NPR. “The ticket got closed as a result of that. If we had the benefit of hindsight, we could have traced it back” to the hack.
Palo Alto Networks had agreed to speak to NPR about the incident last month and then canceled the interview just an hour before it was supposed to take place. A spokesperson declined to say why and sent a few blog posts and wrote: “I’m afraid this is all we have to help at this time.”
“Just 3,500 lines long”
It was the cybersecurity firm FireEye that finally discovered the intrusion. Mandia, the company’s CEO, used to be in the U.S. Air Force Office of Special Investigations, so his specialty was criminal cases and counterintelligence. In the intervening years, the kinds of patterns he learned to recognize in special investigations kept appearing in his cyber security work.
The first indication that hackers had found their way into FireEye’s networks came in an innocuous way. Someone on the FireEye security team had noticed that an employee appeared to have two phones registered on his network, so she called him. “And that phone call is when we realized, hey, this isn’t our employee registering that second phone, it was somebody else,” Mandia said.
Mandia had a security briefing a short time later and everything he heard reminded him of his previous work in the military. “There was a lot of pattern recognition from me,” he told NPR. “I spent from 1996 to 1998 responding to what I would equate to the Russian Foreign Intelligence Service, and there were some indicators in the first briefing that were consistent with my experience in the Air Force.”
He called a board meeting the same day. “It just felt like the breach that I was always worried about.”
What his team discovered over the course of several weeks was that not only was there an intruder in its network, but someone had stolen the arsenal of hacking tools FireEye uses to test the security of its own clients’ networks. FireEye called the FBI, put together a detailed report, and once it had determined the Orion software was the source of the problem, it called SolarWinds.
Brown, vice president of security at SolarWinds, took the Saturday morning phone call. “He said, ‘Essentially, we’ve decompiled your code. We found malicious code,’ ” Brown said. FireEye was sure SolarWinds “had shipped tainted code.”
The tainted code had allowed hackers into FireEye’s network, and there were bound to be others who were compromised, too. “We were hearing that different reporters had the scoop already,” Mandia said. “My phone actually rang from a reporter and that person knew and I went, OK, we’re in a race.”
Mandia thought they had about a day before the story would break.
After that, events seemed to speed up. SolarWinds’ chief security officer, Brown, called Ron Plesco, a lawyer at the firm DLA Piper, and told him what had happened. One of the first things companies tend to do after cyberattacks is hire lawyers, and they put them in charge of the investigation. They do this for a specific reason — it means everything they find is protected by attorney-client privilege and typically is not discoverable in court.
Plesco, who has made cybercrimes a specialty of his practice, knew that once the story broke it would be saying “to the world that, ready, set, go, come after it,” Plesco said. “So that puts you on an accelerated timeline on two fronts: Figure out what happened if you can and get a fix out as soon as possible.”
The company worked with DHS to craft a statement that went out on Dec. 13.
To investigate a hack, you have to secure a digital crime scene. Just as detectives in the physical world have to bag the evidence and dust for prints for the investigation later, SolarWinds had to pull together computer logs, make copies of files, ensure there was a recorded chain of custody, all while trying to ensure the hackers weren’t inside its system watching everything they did.
“I’ve been in situations where, while you’re in there doing the investigation, they’re watching your email, they’re compromising your phone calls or your Zooms,” Plesco said. “So they’re literally listening in on how you’re going to try to get rid of them.”
By mid-January, Meyers and the CrowdStrike team had isolated what they thought was the attack’s tiny beating heart. It was an elegant, encrypted little blob of code “just 3,500 lines long,” he said. The best code is short and to the point, like a well-written sentence. This little encrypted strip, Meyers thought, might help them figure out who was behind the attack.
Little blobs of clues
Think of forensic cyber teams as digital detectives looking for patterns. Coding tics can sometimes help identify perpetrators or sometimes forensic teams find small cultural artifacts — such as Persian script, or Korean hangul. When an elite Russian hacking team took over the electrical grid in Ukraine in 2015, it had more literary aspirations: It sprinkled its malicious code with references to Frank Herbert’s Dune novels. That’s why CrowdStrike found that little blob of malicious code so intriguing.
After weeks of working with the code, Meyers convened a Zoom call with leaders at SolarWinds and members of his team from around the world. He shared his screen so everyone could all watch the encryption fall away in real time. He began walking the spectators through the code as it was revealed, like a play-by-play analysis of a game. Meyers kept watching for the big reveal. “We’re hoping it’s going to have, you know, variable names or maybe some comments in Cyrillic or Mandarin to give us some clue who wrote this thing,” he said.
But as CrowdStrike’s decryption program chewed its way through the zeroes and ones, Meyers’ heart sank. The crime scene was a bust. It had been wiped down. “They’d washed the code,” Meyers said. “They’d cleaned it of any human artifact or tool mark. And that was kind of mind-blowing that [they] had the wherewithal to hide anything that a human might have inadvertently left behind as a clue.”
Holy s***, he thought to himself, who does that?
...
Bigger attacks
“It’s one of the most effective cyber-espionage campaigns of all time,” said Alex Stamos, director of the Internet Observatory at Stanford University and the former head of security at Facebook. “In doing so, they demonstrated not just technical acumen, but the way they did this demonstrated that they understand how tech companies operate, how software companies operate. ... This certainly is going to change the way that large enterprises think about the software they install and think about how they handle updates.”
Intelligence analysts, already years ahead of the rest of us, are paid to imagine the darkest of scenarios. What if the hackers planted the seeds of future attacks during that nine months they explored SolarWinds’ customer networks — did they hide code for backdoors that will allow them to come and go as they please at a time of their choosing? When hackers shut down the Ukraine’s power grid in 2015 and disabled a Saudi refinery with computer code a year later, they showed it was possible to jump from a corporate network to system controls. Will we find out later that the SolarWinds hack set the stage for something more sinister?
Even if this was just an espionage operation, FireEye’s Mandia said, the attack on SolarWinds is an inflection point. “We ... kind of mapped out the evolution of threats and cyber,” he said. “And we would have landed at this day sooner or later, that at some point in time, software that many companies depend on is going to get targeted and it’s going to lead to exactly what it led to,” Mandia said. “But to see it happen, that’s where you have a little bit of shock and surprise. OK, it’s here now, nations are targeting [the] private sector, there’s no magic wand you can shake. ... It’s a real complex issue to solve.”
...
“This was an intelligence collection operation meant to steal information, and it’s not the last time that’s going to happen,” CrowdStrike’s Meyers warned. “This is going to happen every day. ... And I think there’s a lot that we all need to do to work together to stop this from happening.”
———–
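The substitution the article describes, a temporary file swapped in for the real one at the moment of compilation while the repository copy stays clean, is worth seeing in miniature, because it shows why the two checks everyone relies on pass anyway. What follows is a toy model added for this post; it is not SolarWinds, Orion, CrowdStrike or NPR code. The “compiler” just concatenates source files, the vendor’s code-signing certificate is stood in for by an HMAC key, and the source files, the malicious build hook and the implant string are all made up. The point it makes: a source-tree audit before the build passes (the repository is never touched), the vendor’s signature verifies (the vendor signed the tampered output), and only an independent rebuild from the same source on a clean builder exposes the mismatch.

```python
"""Toy model of a build-time substitution and the check that catches it.

Constructed example for this post, not SolarWinds/Orion code. The 'compiler'
is a stand-in (it concatenates files), and the HMAC key stands in for the
vendor's code-signing certificate.
"""
import hashlib
import hmac

# Constructed source tree: what developers check in and what auditors review.
SOURCE_TREE = {
    "Main.cs": "class Main { static void Run() { Service.Start(); } }\n",
    "Service.cs": "class Service { static void Start() { /* poll */ } }\n",
}

VENDOR_SIGNING_KEY = b"vendor-code-signing-key (stand-in for a certificate)"


def tree_digest(tree: dict) -> str:
    """Digest of the checked-in source: this is all a source audit can see."""
    h = hashlib.sha256()
    for name in sorted(tree):
        h.update(name.encode()); h.update(b"\0"); h.update(tree[name].encode())
    return h.hexdigest()


def compile_tree(tree: dict, build_hook=None) -> bytes:
    """Stand-in compiler. `build_hook` models code running on the build host
    that can rewrite the in-memory copy of a file just before it is compiled,
    leaving the repository untouched."""
    artifact = bytearray()
    for name in sorted(tree):
        contents = tree[name]
        if build_hook is not None:
            contents = build_hook(name, contents)
        artifact += f"// {name}\n{contents}".encode()
    return bytes(artifact)


def sign(artifact: bytes, key: bytes) -> str:
    return hmac.new(key, artifact, hashlib.sha256).hexdigest()


def verify(artifact: bytes, signature: str, key: bytes) -> bool:
    return hmac.compare_digest(sign(artifact, key), signature)


def malicious_build_hook(name: str, contents: str) -> str:
    """The swap described in the article: a temporary copy of one file with an
    implant added is fed to the compiler instead of the original. The
    repository copy is never modified, so a pre-build audit sees nothing."""
    if name == "Service.cs":
        return contents.replace("/* poll */", "/* poll */ Backdoor.Beacon();")
    return contents


def vendor_release(tree: dict, hook=None):
    """Vendor pipeline: build on the (possibly compromised) build host, then
    sign whatever came out. The signature attests to the publisher, not to
    what was compiled from what."""
    artifact = compile_tree(tree, hook)
    return artifact, sign(artifact, VENDOR_SIGNING_KEY)


def independent_rebuild_matches(tree: dict, shipped_artifact: bytes) -> bool:
    """Defender's check: rebuild the same source on a clean builder and compare
    byte for byte (what reproducible-build schemes make possible)."""
    return compile_tree(tree) == shipped_artifact


def demo() -> dict:
    audit_digest = tree_digest(SOURCE_TREE)   # auditors review the repo first
    artifact, sig = vendor_release(SOURCE_TREE, malicious_build_hook)
    return {
        "source_audit_passes": tree_digest(SOURCE_TREE) == audit_digest,
        "signature_valid": verify(artifact, sig, VENDOR_SIGNING_KEY),
        "implant_shipped": b"Backdoor.Beacon()" in artifact,
        "independent_rebuild_matches": independent_rebuild_matches(SOURCE_TREE, artifact),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:28s} {result}")
```

Run directly, the first three checks come back True and only the rebuild comparison fails, which is the right failure: the “factory seal” authenticates who shipped the package, not whether the contents match the source that was audited.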
“The SolarWinds attackers ran a master class in novel hacking techniques. They modified sealed software code, created a system that used domain names to select targets and mimicked the Orion software communication protocols so they could hide in plain sight. And then, they did what any good operative would do: They cleaned the crime scene so thoroughly investigators can’t prove definitively who was behind it. The White House has said unequivocally that Russian intelligence was behind the hack. Russia, for its part, has denied any involvement.”
A hacker master class. They were so smooth they wiped the crime scene of any evidence that could definitively prove who did it. The US government nonetheless has said unequivocally that Russian intelligence was behind the hack. Without delay. Funny how that works.
And with that unequivocal attribution came new US sanctions against Russia, in retaliation for a hack so massive that even the Cybersecurity and Infrastructure Security Agency got hacked:
...
On Thursday, the Biden administration announced a roster of tough sanctions against Russia as part of what it characterized as the “seen and unseen” response to the SolarWinds breach....
For that reason, Ramakrishna figures the Russians successfully compromised about 100 companies and about a dozen government agencies. The companies included Microsoft, Intel and Cisco; the list of federal agencies so far includes the Treasury, Justice and Energy departments and the Pentagon.
The hackers also found their way, rather embarrassingly, into the Cybersecurity and Infrastructure Security Agency, or CISA — the office at the Department of Homeland Security whose job it is to protect federal computer networks from cyberattacks.
...
And note who led this investigation into the SolarWinds hack: Adam Meyers, the vice president for threat intelligence at the cybersecurity firm CrowdStrike. Our understanding of the SolarWinds hack is largely controlled by CrowdStrike, the firm that pioneered the contemporary “pattern recognition” cyberattribution paradigm. It’s one of the many clues that this investigation is compromised:
...
Network monitoring software is a key part of the backroom operations we never see. Programs like Orion allow information technology departments to look on one screen and check their whole network: servers or firewalls, or that printer on the fifth floor that keeps going offline. By its very nature, it touches everything — which is why hacking it was genius.
“It’s really your worst nightmare,” Tim Brown, vice president of security at SolarWinds, said recently. “You feel a kind of horror. This had the potential to affect thousands of customers; this had the potential to do a great deal of harm.”
...
“The tradecraft was phenomenal,” said Adam Meyers, who led the cyber forensics team that pawed through that tainted update on behalf of SolarWinds, providing details for the first time about what they found. The code was elegant and innovative, he said, and then added, “This was the craziest f***ing thing I’d ever seen.”
Like razor blades in peanut butter cups
Meyers is the vice president for threat intelligence at the cybersecurity firm CrowdStrike, and he’s seen epic attacks up close. He worked on the 2014 Sony hack, when North Korea cracked into the company’s servers and released emails and first-run movies. A year later, he was on the front lines when a suspected Kremlin-backed hacking team known as “Cozy Bear” stole, among other things, a trove of emails from the Democratic National Committee. WikiLeaks then released them in the runup to the 2016 election.
“We’re involved in all kinds of incidents around the globe every day,” Meyers said. Typically he directs teams, he doesn’t run them. But SolarWinds was different: “When I started getting briefed up, I realized [this] was actually quite a big deal.”
...
So what kind of evidence would have revealed the identities of these hackers, the evidence Meyers and the others working on this case were looking for but never found? This is the part of the article where we get confirmation that it’s as stupid as we should have suspected. Because in the words of Meyers, a big part of what they found frustrating, and shocking, about this case was the lack of a ‘big reveal’ that would suddenly make clear who was behind it. What kind of ‘big reveal’? As Meyers put it, “We’re hoping it’s going to have, you know, variable names or maybe some comments in Cyrillic or Mandarin to give us some clue who wrote this thing.” That’s what counts as a ‘big reveal’ for the CrowdStrike figure leading the investigation: the most obvious, most easily planted ‘clues’. That’s what they were keenly looking for in order to make a confident attribution. But these devious super-hackers managed to ‘wash the code’ of any human artifact, a move Meyers described as “mind-blowing”. It’s that stupid.
It’s also the kind of anecdote that doesn’t just raise massive questions about the veracity of the SolarWinds investigation but about basically every other cyber investigation taking place these days. Could the entire industry be operating in this manner? Drawing conclusions based on a Cyrillic or Mandarin ‘big reveal’? Even after the Vault7 leak in 2017 showed the world that the CIA had tooling capable of seeding ‘clues’ like Cyrillic and Mandarin characters? It really is playing dumb professionally.
Don’t forget that businesses like CrowdStrike and FireEye aren’t just paid to remove malware and protect networks. They’re paid to name culprits too, ideally. Keep that in mind when assessing the credibility of this investigation. But also keep in mind that it was CrowdStrike that blazed the trail in the cyberattribution industry over the last decade: simply naming nation-states like China or Russia as the culprit without evidence, as a way of dealing with the fact that a hack is the kind of crime that can, in theory, be executed without leaving any evidence at all. Confidently declaring that a geopolitical adversary like Russia, China, or North Korea was behind a hack, based on ‘pattern recognition’ and ‘educated guesses’, is as good a service as the cybersecurity industry can provide. Cyberattributions are a real geopolitical tool, a weapon even, and these companies offer those attributions as a commercial service. So that’s the service the world is getting: educated guesses passed off as confident attributions, based on ‘big reveal’ clues like Mandarin or Cyrillic in the code. Yes, that stupid. Professionally.
Also keep in mind that when CrowdStrike’s Adam Meyers marveled at how these hackers left no trace of Cyrillic or Mandarin, he was marveling over that intentionally compact 3,500-line piece of code. As if they were going to put the ‘big reveal’ in their ultra-compact code. It raises the question of how often cybersecurity companies like CrowdStrike or FireEye really do find a ‘big reveal’ like Cyrillic or Mandarin in the malware they’re investigating. Because it wouldn’t be surprising if hackers routinely slip that in at this point. Why not? It’s a surefire way to ensure your hack gets blamed on Russia or China. Maybe Iran if you use Persian. The folks at CrowdStrike will clearly be swayed by your ‘big reveal’ clues:
...
It was the cybersecurity firm FireEye that finally discovered the intrusion. Mandia, the company’s CEO, used to be in the U.S. Air Force Office of Special Investigations, so his specialty was criminal cases and counterintelligence. In the intervening years, the kinds of patterns he learned to recognize in special investigations kept appearing in his cyber security work.
The first indication that hackers had found their way into FireEye’s networks came in an innocuous way. Someone on the FireEye security team had noticed that an employee appeared to have two phones registered on his network, so she called him. “And that phone call is when we realized, hey, this isn’t our employee registering that second phone, it was somebody else,” Mandia said.
Mandia had a security briefing a short time later and everything he heard reminded him of his previous work in the military. “There was a lot of pattern recognition from me,” he told NPR. “I spent from 1996 to 1998 responding to what I would equate to the Russian Foreign Intelligence Service, and there were some indicators in the first briefing that were consistent with my experience in the Air Force.”
He called a board meeting the same day. “It just felt like the breach that I was always worried about.”
...
By mid-January, Meyers and the CrowdStrike team had isolated what they thought was the attack’s tiny beating heart. It was an elegant, encrypted little blob of code “just 3,500 lines long,” he said. The best code is short and to the point, like a well-written sentence. This little encrypted strip, Meyers thought, might help them figure out who was behind the attack.
Little blobs of clues
Think of forensic cyber teams as digital detectives looking for patterns. Coding tics can sometimes help identify perpetrators or sometimes forensic teams find small cultural artifacts — such as Persian script, or Korean hangul. When an elite Russian hacking team took over the electrical grid in Ukraine in 2015, it had more literary aspirations: It sprinkled its malicious code with references to Frank Herbert’s Dune novels. That’s why CrowdStrike found that little blob of malicious code so intriguing.
After weeks of working with the code, Meyers convened a Zoom call with leaders at SolarWinds and members of his team from around the world. He shared his screen so everyone could all watch the encryption fall away in real time. He began walking the spectators through the code as it was revealed, like a play-by-play analysis of a game. Meyers kept watching for the big reveal. “We’re hoping it’s going to have, you know, variable names or maybe some comments in Cyrillic or Mandarin to give us some clue who wrote this thing,” he said.
But as CrowdStrike’s decryption program chewed its way through the zeroes and ones, Meyers’ heart sank. The crime scene was a bust. It had been wiped down. “They’d washed the code,” Meyers said. “They’d cleaned it of any human artifact or tool mark. And that was kind of mind-blowing that [they] had the wherewithal to hide anything that a human might have inadvertently left behind as a clue.”
Holy s***, he thought to himself, who does that?
...
Now, it’s worth pointing out that there actually have been some Russian-language artifacts apparently left by the SolarWinds hackers. That was in a report published by the cybersecurity company Prodaft, which analyzed a command-and-control (C&C) server used in the SolarWinds hack. On that server they found an organization-management forum used by the teams of hackers, where the various hacked targets were discussed for their potential value. Keep in mind that some 18,000 organizations installed the backdoored update at once, so whoever pulled this off probably really did need teams of hackers coordinating their efforts somewhere. In that report, where they call the group “SilverFish” instead of Nobelium, they state: “When taking its first look inside the C&C server, the PTI Team observed that main dashboard of the SilverFish C&C panel features a section named ‘Active Teams’, involving several comments entered by different user groups such as Team 301, Team 302, etc. Such a design indicates that this infrastructure is meant for multiple teams. Most comments entered by attackers for each victim are mostly in English and Russian and include urban slang.” So we can actually state that the hackers did leave behind English and Russian in their team-organization software. And given how important these kinds of ‘clues’ are in making attributions, it wouldn’t be surprising if those Russian comments on that server are a major part of what the ‘Russia did it’ attribution is based on. But that was the kind of evidence the hackers had to realize was left out in the open, at least once the server was seized by authorities, a scenario they had to know was very possible. It happened, after all. Keep in mind this was the biggest hack ever and these are clearly experienced hackers.
They must realize that command-and-control servers might be found by investigators, which means comments made on that forum would be made knowing that artifacts like the language of the comments could later be used for attribution. These kinds of ‘clues’ play a huge role in modern cyberattribution, as Meyers made abundantly clear with his dismay at the lack of a ‘cultural artifact’ on which to base his attribution. And as the CIA’s hacking toolkit, with its features for leaving Russian- and Chinese-language artifacts, exposed in WikiLeaks’ Vault 7 release, made abundantly clear. These little language clues are, stupidly, taken very seriously, and the cyberattribution industry doesn’t even hide it. So are we to believe that the super-sophisticated hacking group that pulled off the biggest hack ever left their Russian-language clues without realizing it? That’s what we are being asked to believe, although it’s not actually clear whether the Russian-language comments left on this command-and-control forum were the primary basis for attributing the SolarWinds hack to Russia (as opposed to China), because we still have no idea what the attribution was ultimately based on. It’s faith-based.
But there are technical details about that attack that are more than just speculation. We are told that the attack effectively began on Sept. 12, 2019, when someone executed what appears to have been a proof-of-concept trial run that merely injected an innocuous snippet of code into the SolarWinds update package. The hackers were testing whether code could be inserted into the next SolarWinds update and distributed to its customers’ networks without SolarWinds detecting it, and they accomplished this by injecting the code at the very last opportunity, during the compilation process, which effectively bypassed the standard measures SolarWinds used to ensure that only the intended code is delivered to its thousands of customers. It was a successful proof-of-concept test: the innocuous update was delivered to SolarWinds’s clients around the world. Five months later, in February 2020, the hackers returned to repeat the trick with malicious code that inserted a compact 3,500-line payload, introducing a backdoor into the SolarWinds software itself on clients’ systems. A backdoor that could be remotely accessed. That’s how the hackers turned the hack of SolarWinds into the mega-hack of thousands of corporations and government agencies. The only thing holding the hackers back was the abundance of opportunity and the limits of their time.
So we have a decent understanding of how this attack worked technically and when it happened, but no clue who did it. No ‘big reveal’ clue was left in the code, and they somehow managed to avoid leaving any Cyrillic or Mandarin elsewhere on the SolarWinds network during the long period when the hackers clearly had deep access. But despite all that, they’re pretty sure it was Russia. That’s how cyberattribution works in the modern age. Gut feelings about the culprit. Reading the digital tea leaves, arriving at a gut feeling about the culprit, and then confidently declaring it to the world. Or just making it up and confidently declaring it to the world. The confident declarations are the important part. The underlying facts those declarations are based on, not so much:
...
The attack began with a tiny strip of code. Meyers traced it back to Sept. 12, 2019. “This little snippet of code doesn’t do anything,” Meyers said. “It’s literally just checking to see which processor is running on the computer, if it is a 32- or 64-bit processor and if it is one or the other, it returns either a zero or a one.” The code fragment, it turns out, was a proof of concept — a little trial balloon to see if it was possible to modify SolarWinds’ signed-and-sealed software code, get it published and then later see it in a downloaded version. And they realized they could. “So at this point, they know that they can pull off a supply chain attack,” Meyers said. “They know that they have that capability.”
After that initial success, the hackers disappeared for five months. When they returned in February 2020, Meyers said, they came armed with an amazing new implant that delivered a backdoor that went into the software itself before it was published.
To understand why that was remarkable, you need to know that finished software code has a kind of digital factory seal. If you break that seal, someone can see it and know that the code might have been tampered with. Meyers said the hackers essentially found a way to get under that factory seal.
They began by implanting code that told them any time someone on the SolarWinds development team was getting ready to build new software. They understood that the process of creating software or an update typically begins with something routine such as checking a code out of a digital repository, sort of like checking a book out of the library.
Under normal circumstances, developers take the code out of the repository, make changes and then check it back in. Once they finish tinkering, they initiate something called the build process, which essentially translates the code a human can read to the code a computer does. At that point, the code is clean and tested. What the hackers did after that was the trick.
They would create a temporary update file with the malicious code inside while the SolarWinds code was compiling. The hackers’ malicious code told the machine to swap in their temporary file instead of the SolarWinds version. “I think a lot of people probably assume that it is the source code that’s been modified,” Meyers said, but instead the hackers used a kind of bait-and-switch.
But this, Meyers said, was interesting, too. The hackers understood that companies such as SolarWinds typically audit code before they start building an update, just to make sure everything is as it should be. So they made sure that the switch to the temporary file happened at the last possible second, when the updates went from source code (readable by people) to executable code (which the computer reads) to the software that goes out to customers.
...
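A toy model of the trick Meyers describes, added here as an illustration and not code from the NPR article, SolarWinds or CrowdStrike. The file names and contents are made up and the “compiler” just concatenates sources. It shows why hashing the source tree before and after the build misses a swap that only exists while the compiler is reading the file, and the two checks that do catch it: having the build record the digests of the inputs it actually consumed (the materials list of an SLSA-style provenance record) and comparing them to the committed hashes, and comparing the artifact against an independent rebuild of the same commit.

```python
import hashlib
from typing import Callable, Dict, List, Optional, Tuple


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed stand-in for a checked-out source tree (hypothetical file names
# and contents, not SolarWinds code).
CLEAN_REPO: Dict[str, str] = {
    "Core.cs": "class Core { void Start() { Scheduler.Run(); } }",
    "InventoryManager.cs": "class InventoryManager { void Refresh() { /* poll devices */ } }",
}

# The content the implant wants compiled in place of the real file.
BACKDOORED_SOURCE = CLEAN_REPO["InventoryManager.cs"].replace(
    "/* poll devices */", "Beacon.Start(); /* poll devices */"
)


def snapshot(repo: Dict[str, str]) -> Dict[str, str]:
    """Hashes of the files as they sit on disk: what a before/after integrity check sees."""
    return {name: sha256_hex(src) for name, src in repo.items()}


def compile_tree(repo: Dict[str, str],
                 tamper: Optional[Callable[[str, str], str]] = None) -> Tuple[str, Dict[str, str]]:
    """Toy compiler: concatenates sources. It also records the digest of every input it
    actually read (provenance 'materials') and returns (artifact_digest, materials)."""
    materials: Dict[str, str] = {}
    parts: List[str] = []
    for name in sorted(repo):
        src = repo[name]
        if tamper is not None:
            src = tamper(name, src)  # the implant's hook runs between read and compile
        materials[name] = sha256_hex(src)
        parts.append(src)
    return sha256_hex("\n".join(parts)), materials


def swap_during_compile(target: str, payload: str) -> Callable[[str, str], str]:
    """Models an implant that substitutes one file only while the compiler reads it.
    The on-disk repo is never modified, so it looks untouched afterwards."""
    def tamper(name: str, src: str) -> str:
        return payload if name == target else src
    return tamper


def files_not_matching_vcs(vcs_hashes: Dict[str, str], materials: Dict[str, str]) -> List[str]:
    """Files whose compiled content differs from the committed content."""
    return sorted(name for name, digest in materials.items() if vcs_hashes.get(name) != digest)


def run_scenario() -> dict:
    vcs = snapshot(CLEAN_REPO)                      # hashes recorded at checkout
    clean_digest, clean_materials = compile_tree(CLEAN_REPO)
    tamper = swap_during_compile("InventoryManager.cs", BACKDOORED_SOURCE)
    dirty_digest, dirty_materials = compile_tree(CLEAN_REPO, tamper)
    return {
        # A post-build file integrity check passes: the tree on disk was never changed.
        "disk_unchanged_after_attack": snapshot(CLEAN_REPO) == vcs,
        "clean_build_flags": files_not_matching_vcs(vcs, clean_materials),
        # Comparing consumed-input digests against the commit exposes the swap.
        "tampered_build_flags": files_not_matching_vcs(vcs, dirty_materials),
        # An independent rebuild of the same commit produces a different artifact.
        "reproducible_build_matches": clean_digest == dirty_digest,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

In a real pipeline the materials list would be emitted by the build system and the committed hashes read from the VCS, and the comparison would run on a host other than the build machine, since an implant on that machine could forge both sides.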
Then there’s the ominous observation they made about the malware that surreptitiously slipped the backdoor into the Orion client update: the malware that added the backdoor at the last moment during compilation “could have been reconfigured for any number of software products” that rely on the same compiler, raising the distinct possibility of the same attack being used against other software developers. All the hackers would need is access to the developers’ computers while the code is being compiled. And what did they gain from the SolarWinds hack? Backdoors onto the network of every SolarWinds client. In other words, not only can the hackers use this same compiler trick to embed backdoors in other developers’ software, but the SolarWinds hack gave them the incredible opportunity to do exactly that. Thousands of SolarWinds clients were undoubtedly developing their own software using the same compiler, and the hackers could have deployed the same trick. Maybe they embed a backdoor. Maybe something else. It’s an ominous observation and part of the reason the identities of the real hackers really are a serious global concern. Whoever did this had the opportunity to plant the seeds of something orders of magnitude more devastating, involving a wide array of software tools being developed around the world:
...
But there was something else about that code that bothered Meyers: It wasn’t just for SolarWinds. “When we looked at [it], it could have been reconfigured for any number of software products,” Meyers said. In other words, any number of other software developers using the same compiler may also be on the receiving end of a cyberattack, he said, and they just don’t know it yet....
The hackers also reverse-engineered the way Orion communicated with servers and built their own coding instructions mimicking Orion’s syntax and formats. What that did is allow the hackers to look like they were “speaking” Orion, so their message traffic looked like a natural extension of the software.
“So once they determined that a target was of interest, they could say, ‘OK, let’s go active, let’s manipulate files, let’s change something,’ ” Meyers said, and then they would slip in unnoticed through the backdoor they had created. “And there is one other thing I should mention: This backdoor would wait up to two weeks before it actually went active on the host. This was a very patient adversary.”
None of the tripwires put in place by private companies or the government seems to have seen the attack coming. Christopher Krebs, who had been in charge of the office that protected government networks at DHS during the Trump administration, told NPR that DHS’ current system, something known (without irony) as Einstein, only catches known threats. The SolarWinds breach, he said, was just “too novel.”
...
And note the timing here in the lead-up to SolarWinds’ December 13, 2020, public acknowledgment of the hack. We are told the first clue came in early July 2020, when Volexity found suspicious activity on a client’s computers and traced it back to a SolarWinds update. We’re then told the second clue came three months later, when Palo Alto Networks contacted SolarWinds about a malicious backdoor that appeared to emanate from the Orion software. SolarWinds then tells us it worked with Palo Alto Networks for three months before giving up and closing the ticket. If that’s all true, the arithmetic is awkward: three months after early July puts the Palo Alto Networks contact in early October, and another three months of joint investigation puts the ‘giving up’ point in early January 2021 at the earliest, which is after FireEye’s mid-December discovery and after the public disclosure. So either those ‘three months’ figures are loose approximations or the ticket was still open when FireEye called. When exactly did that ticket get closed in relation to FireEye’s tip about the larger hack? SolarWinds didn’t tell us and Palo Alto Networks isn’t talking:
...
In early July, Steven Adair, the founder of a Washington, D.C.-based cybersecurity company called Volexity, saw some suspicious activity on a client’s computers. “We traced it back, and we thought it might be related to a bad update with SolarWinds,” Adair told NPR. “We addressed the problem, made sure no one was in our customers’ systems, and we left it at that.” Adair said he didn’t feel he had enough detail to report the problem to SolarWinds or the U.S. government. “We thought we didn’t have enough evidence to reach out,” he said.
That was the first missed sign.
The second came three months later when a California-based cybersecurity company called Palo Alto Networks discovered a malicious backdoor that seemed to emanate from the Orion software.
In that case, according to SolarWinds’ Ramakrishna, the security teams at SolarWinds and Palo Alto worked together for three months to try to pick up the thread of the problem and walk it back. “None of us could pinpoint a supply chain attack at that point,” Ramakrishna told NPR. “The ticket got closed as a result of that. If we had the benefit of hindsight, we could have traced it back” to the hack.
Palo Alto Networks had agreed to speak to NPR about the incident last month and then canceled the interview just an hour before it was supposed to take place. A spokesperson declined to say why and sent a few blog posts and wrote: “I’m afraid this is all we have to help at this time.”
...
All in all, it’s hard to say that NPR piece should make readers feel confident hacks like this aren’t going to happen again. Even when the hack was detected on client systems and investigations were started, they still couldn’t find it. Only FireEye, itself a top-tier security firm, was able to detect it on its own systems, and all indications are the hack would be ongoing today had FireEye not found it.
The Atlantic Council Confirms The SolarWinds Hackers Could Spoof Microsoft Credentials. Microsoft Blames Clients
And just a week after that NPR piece, we got another big reminder that the SolarWinds hack wasn’t just a giant hack of the SolarWinds company. It was a giant hack of Microsoft’s products. That was the message in a new report put out by The Atlantic Council, which appeared to confirm what Microsoft had long been denying: Once the hackers used those backdoors to gain access to victims’ networks they continued to exploit more vulnerabilities. In particular Microsoft vulnerabilities involving how Microsoft products validate user identities. Now, part of the reason Microsoft vulnerabilities were heavily targeted was because, well, these vulnerabilities exist. But as the report notes, the other big reason Microsoft was targeted so heavily is that Microsoft has more than 85% of the market share for government and industry. In other words, the juiciest targets — especially government agencies — were almost all running Microsoft tools on their networks.
So what was Microsoft’s response to the Atlantic Council report? Microsoft continued to deflect blame, suggesting poor configuration by the clients was the cause. But according to Senator Ron Wyden, the software Microsoft supplies to US federal agencies is itself poorly configured, with default log settings that won’t capture the information needed to catch attacks while they’re in progress. As we can see, the SolarWinds blame game is increasingly becoming Microsoft vs. the world:
Associated Press
SolarWinds hacking campaign puts Microsoft in the hot seat
By FRANK BAJAK
April 23, 2021
BOSTON (AP) — The sprawling hacking campaign deemed a grave threat to U.S. national security came to be known as SolarWinds, for the company whose software update was seeded by Russian intelligence agents with malware to penetrate sensitive government and private networks.
Yet it was Microsoft whose code the cyber spies persistently abused in the campaign’s second stage, rifling through emails and other files of such high-value targets as then-acting Homeland Security chief Chad Wolf — and hopping undetected among victim networks.
This has put the world’s third-most valuable company in the hot seat. Because its products are a de facto monoculture in government and industry — with more than 85% market share — federal lawmakers are insisting that Microsoft swiftly upgrade security to what they say it should have provided in the first place, and without fleecing taxpayers.
Seeking to assuage concerns, Microsoft this past week offered all federal agencies a year of “advanced” security features at no extra charge. But it also seeks to deflect blame, saying it is customers who do not always make security a priority.
Risks in Microsoft’s foreign dealings also came into relief when the Biden administration imposed sanctions Thursday on a half-dozen Russian IT companies it said support Kremlin hacking. Most prominent was Positive Technologies, which was among more than 80 companies that Microsoft has supplied with early access to data on vulnerabilities detected in its products. Following the sanctions announcement, Microsoft said Positive Tech was no longer in the program and removed its name from a list of participants on its website.
The SolarWinds hackers took full advantage of what George Kurtz, CEO of top cybersecurity firm CrowdStrike, called “systematic weaknesses” in key elements of Microsoft code to mine at least nine U.S. government agencies — the departments of Justice and Treasury, among them — and more than 100 private companies and think tanks, including software and telecommunications providers.
The SolarWinds hackers’ abuse of Microsoft’s identity and access architecture — which validates users’ identities and grants them access to email, documents and other data — did the most dramatic harm, the nonpartisan Atlantic Council think tank said in a report. That set the hack apart as “a widespread intelligence coup.” In nearly every case of post-intrusion mischief, the intruders “silently moved through Microsoft products “vacuuming up emails and files from dozens of organizations.”
Thanks in part to the carte blanche that victim networks granted the infected Solarwinds network management software in the form of administrative privileges, the intruders could move laterally across them, even jump among organizations. They used it to sneak into the cybersecurity firm Malwarebytes and to target customers of Mimecast, an email security company.
The campaign’s “hallmark” was the intruders’ ability to impersonate legitimate users and create counterfeit credentials that let them grab data stored remotely by Microsoft Office, the acting director of the Cybersecurity Infrastructure and Security Agency, Brandon Wales, told a mid-March congressional hearing. “It was all because they compromised those systems that manage trust and identity on networks,” he said.
Microsoft President Brad Smith told a February congressional hearing that just 15% of victims were compromised through an authentication vulnerability first identified in 2017 — allowing the intruders to impersonate authorized users by minting the rough equivalent of counterfeit passports.
Microsoft officials stress that the SolarWinds update was not always the entry point; intruders sometimes took advantage of vulnerabilities such as weak passwords and victims’ lack of multi-factor authentication. But critics say the company took security too lightly. Sen. Ron Wyden, D‑Ore., verbally pummeled Microsoft for not supplying federal agencies with a level of “event logging” that, if it had not detected the SolarWinds hacking in progress, would at least have provided responders with a record of where the intruders were and what they saw and removed.
“Microsoft chooses the default settings in the software it sells, and even though the company knew for years about the hacking technique used against U.S. government agencies, the company did not set default logging settings to capture information necessary to spot hacks in progress,” Wyden said. He was not the only federal lawmaker who complained.
When Microsoft on Wednesday announced a year of free security logging for federal agencies, for which it normally charges a premium, Wyden was not appeased.
“This move is far short of what’s needed to make up for Microsoft’s recent failures,” he said in a statement. “The government still won’t have access to important security features without handing over even more money to the same company that created this cybersecurity sinkhole.”
...
Even the highest level of logging doesn’t prevent break-ins, though. It only makes it easier to detect them.
And remember, many security professionals note, Microsoft was itself compromised by the SolarWinds intruders, who got access to some of its source code — its crown jewels. Microsoft’s full suite of security products — and some of the industry’s most skilled cyber-defense practitioners — had failed to detect the ghost in the network. Not until alerted to the hacking campaign by FireEye, the cybersecurity firm that detected it in mid-December, did Microsoft responders discover the related breach of their systems.
The intruders in the unrelated hack of Microsoft Exchange email servers disclosed in March — blamed on Chinese spies — used wholly different infection methods. But they gained immediate high-level access to users’ email and other info.
Across the industry, Microsoft’s investments in security are widely acknowledged. It is often first to identify major cybersecurity threats, its visibility into networks is so great. But many argue that as the chief supplier of security solutions for its products, it needs to be more mindful about how much it should profit off defense.
“The crux of it is that Microsoft is selling you the disease and the cure,” said Marc Maiffret, a cybersecurity veteran who built a career finding vulnerabilities in Microsoft products and has a new startup in the works called BinMave.
Last month, Reuters reported that a $150 million payment to Microsoft for a “secure cloud platform” was included in a draft outline for spending the $650 million appropriated for the Cybersecurity and Infrastructure Security Agency in last month’s $1.9 trillion pandemic relief act.
A Microsoft spokesperson would not say how much, if any, of that money it would be getting, referring the question to the cybersecurity agency. An agency spokesman, Scott McConnell, would not say either. Langevin said he didn’t think a final decision has been made.
In the budget year ending in September, the federal government spent more than half a billion dollars on Microsoft software and services.
Many security experts believe Microsoft’s single sign-on model, emphasizing user convenience over security, is ripe for retooling to reflect a world where state-backed hackers now routinely run roughshod over U.S. networks.
Alex Weinert, Microsoft’s director of identity security, said it offers various ways for customers to strictly limit users’ access to what they need to do their jobs. But getting customers to go along can be difficult because it often means abandoning three decades of IT habit and disrupting business. Customers tend to configure too many accounts with the broad global administrative privileges that allowed the SolarWinds campaign abuses, he said. “It’s not the only way they can do it, that’s for sure.”
In 2014–2015, lax restrictions on access helped Chinese spies steal sensitive personal data on more than 21 million current, former and prospective federal employees from the Office of Personnel Management.
Curtis Dukes was the National Security Agency’s head of information assurance at the time.
The OPM shared data across multiple agencies using Microsoft’s authentication architecture, granting access to more users than it safely should have, said Dukes, now the managing director for the nonprofit Center for Internet Security.
“People took their eye off the ball.”
———–
“This has put the world’s third-most valuable company in the hot seat. Because its products are a de facto monoculture in government and industry — with more than 85% market share — federal lawmakers are insisting that Microsoft swiftly upgrade security to what they say it should have provided in the first place, and without fleecing taxpayers.”
If you want to hack the US government, be ready to hack Microsoft products. That’s the undeniable reality. Microsoft is basically the software supplier for the US government and for other governments around the world. So it should come as no surprise to learn that the second phase of the SolarWinds hack was basically the exploitation of weaknesses in Microsoft products after the hackers gained access to client networks. In particular, weaknesses in Microsoft’s identity and access architecture, which validates users’ identities and grants them access to email, documents and other data. The SolarWinds hackers were repeatedly impersonating legitimate users and creating counterfeit credentials that let them grab data stored remotely by Microsoft Office. So the SolarWinds hack didn’t just involve pilfering victims’ own networks but also the data remotely accessible through Microsoft Office. Those sound like some massive vulnerabilities. The SolarWinds hack wasn’t just the creation and exploitation of backdoors placed on 18,000 client networks. It was the exploitation of the information those clients stored remotely via Microsoft Office too:
...
The SolarWinds hackers took full advantage of what George Kurtz, CEO of top cybersecurity firm CrowdStrike, called “systematic weaknesses” in key elements of Microsoft code to mine at least nine U.S. government agencies — the departments of Justice and Treasury, among them — and more than 100 private companies and think tanks, including software and telecommunications providers. The SolarWinds hackers’ abuse of Microsoft’s identity and access architecture — which validates users’ identities and grants them access to email, documents and other data — did the most dramatic harm, the nonpartisan Atlantic Council think tank said in a report. That set the hack apart as “a widespread intelligence coup.” In nearly every case of post-intrusion mischief, the intruders “silently moved through Microsoft products “vacuuming up emails and files from dozens of organizations.”
Thanks in part to the carte blanche that victim networks granted the infected Solarwinds network management software in the form of administrative privileges, the intruders could move laterally across them, even jump among organizations. They used it to sneak into the cybersecurity firm Malwarebytes and to target customers of Mimecast, an email security company.
The campaign’s “hallmark” was the intruders’ ability to impersonate legitimate users and create counterfeit credentials that let them grab data stored remotely by Microsoft Office, the acting director of the Cybersecurity Infrastructure and Security Agency, Brandon Wales, told a mid-March congressional hearing. “It was all because they compromised those systems that manage trust and identity on networks,” he said.
...
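An added illustration of the check that the counterfeit-credential problem described above calls for; this is example code, not material from the AP, the Atlantic Council or Microsoft. The 2017 technique the AP alludes to, publicly documented as “Golden SAML”, lets an attacker who has stolen a federation server’s token-signing key mint tokens for any user without ever touching that server. The tell is therefore a token the cloud tenant accepted that the on-premises identity provider never recorded issuing. The log shapes, field names, token IDs, accounts and the one-hour lifetime policy below are all constructed assumptions; a real deployment would feed in the federation server’s token-issuance audit events and the tenant’s sign-in logs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class IdpIssuance:
    """One token-issuance event recorded by the on-premises federation server (constructed)."""
    token_id: str
    user: str
    issued_at: datetime


@dataclass(frozen=True)
class CloudSignIn:
    """One federated sign-in the cloud tenant accepted (constructed)."""
    token_id: str
    user: str
    seen_at: datetime
    not_after: datetime  # expiry asserted inside the token itself


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample logs: hypothetical tenant, users and token IDs.
IDP_LOG: List[IdpIssuance] = [
    IdpIssuance("t-1001", "alice@corp.example", ts("2020-11-04T09:00:00")),
    IdpIssuance("t-1002", "bob@corp.example", ts("2020-11-04T09:05:00")),
]
CLOUD_LOG: List[CloudSignIn] = [
    CloudSignIn("t-1001", "alice@corp.example", ts("2020-11-04T09:00:02"), ts("2020-11-04T10:00:00")),
    CloudSignIn("t-1002", "bob@corp.example", ts("2020-11-04T09:05:01"), ts("2020-11-04T10:05:00")),
    # Forged token: never issued by the IdP, one-year lifetime, privileged mailbox account.
    CloudSignIn("t-9fe3", "svc-mailbox-admin@corp.example",
                ts("2020-11-04T11:30:00"), ts("2021-11-04T11:30:00")),
]

MAX_TOKEN_LIFETIME = timedelta(hours=1)  # assumed IdP token-lifetime policy
CLOCK_SKEW = timedelta(minutes=5)        # tolerance between the two log sources

Finding = Tuple[str, str, List[str]]     # (token_id, user, reasons)


def find_suspect_tokens(idp_log: List[IdpIssuance], cloud_log: List[CloudSignIn],
                        max_lifetime: timedelta = MAX_TOKEN_LIFETIME) -> List[Finding]:
    """Correlate every accepted federated sign-in with an issuance event on the IdP.
    A token the tenant trusted but the IdP never issued can only have been signed
    outside the IdP, i.e. with a stolen or copied signing key."""
    issued: Dict[str, IdpIssuance] = {e.token_id: e for e in idp_log}
    findings: List[Finding] = []
    for s in cloud_log:
        reasons: List[str] = []
        issuance = issued.get(s.token_id)
        if issuance is None:
            reasons.append("no issuance event on federation server")
        else:
            if issuance.user != s.user:
                reasons.append("subject differs from issuance record")
            window_end = issuance.issued_at + max_lifetime + CLOCK_SKEW
            if not (issuance.issued_at - CLOCK_SKEW <= s.seen_at <= window_end):
                reasons.append("presented outside the issuance window")
        # Minted tokens tend to carry lifetimes the IdP would never grant.
        lifetime = s.not_after - s.seen_at
        if lifetime > max_lifetime:
            reasons.append(f"asserted lifetime {lifetime} exceeds policy {max_lifetime}")
        if reasons:
            findings.append((s.token_id, s.user, reasons))
    return findings


if __name__ == "__main__":
    for token_id, user, reasons in find_suspect_tokens(IDP_LOG, CLOUD_LOG):
        print(f"SUSPECT {token_id} for {user}: " + "; ".join(reasons))
```

The check is only as good as the issuance side of the join: if the federation server’s audit logging is off or retained too briefly, every legitimate token looks forged and the alert is useless, which is one concrete reason the default logging settings Wyden complains about below matter for detection rather than just for forensics.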
But it gets worse for Microsoft, because the hackers didn’t simply exploit vulnerabilities in Microsoft’s products. They also rifled through Microsoft’s treasured source code, looking for the code that validates users’ identities and grants them access to email, documents, and other data. So these super-hackers likely learned how to become even more super. At least more super against Microsoft:
...
And remember, many security professionals note, Microsoft was itself compromised by the SolarWinds intruders, who got access to some of its source code — its crown jewels. Microsoft’s full suite of security products — and some of the industry’s most skilled cyber-defense practitioners — had failed to detect the ghost in the network. Not until alerted to the hacking campaign by FireEye, the cybersecurity firm that detected it in mid-December, did Microsoft responders discover the related breach of their systems.
...
But perhaps worst of all is how long these security deficiencies have been plaguing Microsoft. This isn’t a new problem. Which is why it’s so problematic and scandalous that, as Senator Wyden angrily pointed out during a recent congressional hearing, Microsoft has been providing the US government with products whose default “event logging” settings don’t capture the information needed to spot hacks in progress. So by default, federal agencies weren’t recording the evidence of these hacks as they happened. That’s the situation according to Senator Wyden. The US government’s cyber-defenses have been flying blind by default, thanks to Microsoft:
...
Microsoft officials stress that the SolarWinds update was not always the entry point; intruders sometimes took advantage of vulnerabilities such as weak passwords and victims’ lack of multi-factor authentication. But critics say the company took security too lightly. Sen. Ron Wyden, D‑Ore., verbally pummeled Microsoft for not supplying federal agencies with a level of “event logging” that, if it had not detected the SolarWinds hacking in progress, would at least have provided responders with a record of where the intruders were and what they saw and removed. “Microsoft chooses the default settings in the software it sells, and even though the company knew for years about the hacking technique used against U.S. government agencies, the company did not set default logging settings to capture information necessary to spot hacks in progress,” Wyden said. He was not the only federal lawmaker who complained.
...
Even the highest level of logging doesn’t prevent break-ins, though. It only makes it easier to detect them.
...
Of course, keep in mind that there is a perverse advantage, for the victims of a hack, in having had no event logging in place: the less information you have about what actually happened, the more you’re forced to speculate about what happened, and the easier it is to just say it was probably Russia or China or whoever you want to blame. Ignorance can be both a cudgel and a shield when cyberattribution is wielded as a weapon.
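The logging settings at the center of Wyden’s complaint are things a tenant administrator can check and change. The following PowerShell is an added example (it is not code from the original post, from Microsoft, or from the Senate hearing) showing what that check looks like in Exchange Online: whether the unified audit log is being written at all, whether mailbox auditing is switched off organization-wide, whether the per-mailbox actions that record what an intruder actually read are enabled, and what responders could then query after a breach. It assumes the ExchangeOnlineManagement module and an account with Exchange admin rights; the admin and mailbox addresses are placeholders, and the licensing note is a caveat you must verify against your own tenant.

```powershell
# Added example, not from the original post. Assumes ExchangeOnlineManagement
# is installed and the account has Exchange Online admin rights.
# admin@example.onmicrosoft.com and cfo@example.com are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@example.onmicrosoft.com

# 1. Is the unified audit log even being ingested? (Tenant-wide switch.)
#    If this is off there is nothing to search after a breach.
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is OFF; enabling it."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Is mailbox auditing disabled at the organization level?
#    Microsoft's default-on mailbox auditing is overridden by AuditDisabled.
$orgCfg = Get-OrganizationConfig
if ($orgCfg.AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled org-wide; enabling it."
    Set-OrganizationConfig -AuditDisabled $false
}

# 3. Per mailbox: make sure the owner actions that reveal *what was read*
#    are logged. MailItemsAccessed records each message access, including
#    by sync clients. Caveat (assumption to verify for your tenant): in 2021
#    that action required Advanced Audit (E5 or add-on) licensing.
$wanted = @('MailItemsAccessed', 'Send', 'MailboxLogin', 'UpdateInboxRules')
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
    $mbx = $_
    if (-not $mbx.AuditEnabled) {
        Write-Output ("{0}: mailbox auditing off, enabling" -f $mbx.UserPrincipalName)
        Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true
    }
    # Actions from $wanted that this mailbox is not currently logging.
    $missing = @($wanted | Where-Object { $mbx.AuditOwner -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Output ("{0}: adding owner audit actions {1}" -f $mbx.UserPrincipalName, ($missing -join ','))
        Set-Mailbox -Identity $mbx.Identity -AuditOwner @{Add = $missing}
    }
}

# 4. With logging on, this is the question responders could actually answer:
#    which messages did a given account read in the last 30 days, from where,
#    and with what client? Each result's AuditData is a JSON document.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations MailItemsAccessed -UserIds 'cfo@example.com' -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, ClientIPAddress, ClientInfoString,
        @{ Name = 'Items'; Expression = { $_.Folders.FolderItems.Count } } |
    Sort-Object CreationTime
```

Step 4 is the point of the exercise: without step 3 the search returns nothing for the mailbox, which is exactly the blind spot the hearing was about. None of this stops an intrusion; it only determines whether, afterwards, there is a record to investigate rather than a gap to speculate over.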
Finally, note how we are told the ‘Chinese hackers’ behind the Microsoft Exchange hack used wholly different infection methods. Now, technically, yes, they may have used different zero-day exploits targeting different Microsoft products. As we’ve seen, it was reportedly an Office 365 email exploit that the hackers used to initiate the hack on SolarWinds’s network, and the US Treasury Department confirmed that an Office 365 email exploit was used after the hackers infiltrated its networks via the backdoor. Whereas in the Microsoft Exchange hack, it was some sort of vulnerability in the Exchange software itself that was exploited. So yes, these are two different infection methods. But both relied on manipulating Microsoft’s credentialing systems. From that perspective, it’s kind of the same underlying method:
...
The intruders in the unrelated hack of Microsoft Exchange email servers disclosed in March — blamed on Chinese spies — used wholly different infection methods. But they gained immediate high-level access to users’ email and other info.
...
Keep in mind that pointing out the different attack methods used in the SolarWinds and Microsoft Exchange hacks, and citing that as evidence that different hacking groups were involved, is another example of how vague technical ‘digital fingerprints’, like the particular type of malware or exploit used in a hack, are used for cyberattribution purposes. It’s the kind of cyberattribution phenomenon that assumes the “commercial surveillance” industry isn’t supplying powerful zero-day exploits to dozens of governments around the world simultaneously.
The SolarWinds Hackers(?) Go Phishing. With USAID as the Bait.
The multifaceted ability of the SolarWinds hackers was on display again with a new announcement from Microsoft at the end of May. Remember those warnings following the Microsoft Exchange hack about highly sophisticated and targeted phishing campaigns emerging from all the information the hackers were able to extract from all those stolen emails? Well, a new highly sophisticated and targeted phishing campaign was indeed unleashed. But we are told “Nobelium” — the name Microsoft gave to Cozy Bear/APT29 — was the culprit. Approximately 3,000 email accounts at more than 150 different organizations in 24 different countries received emails seemingly from the United States Agency for International Development (USAID), encouraging victims to download a file about election fraud. The hackers carried out the attack by breaking into an email marketing account at Constant Contact, a service USAID uses for official communications. From there, they launched the phishing emails.
Microsoft assures us that no exploits of Microsoft products were involved in this phishing attempt. At the same time, we’re told nothing about how this Constant Contact email marketing account was broken into in the first place. In fact, it’s not actually clear at all what ties this phishing attack to the SolarWinds hack. And yet we are assured by Microsoft, with high confidence, that Russia’s SVR is behind it and that it appeared to be a continuation of multiple efforts to target government agencies involved in foreign policy as part of intelligence gathering efforts. And since the SVR is also blamed for the SolarWinds hack, it’s therefore behind this phishing attempt too. That appears to be the ‘logic’ at work here.
Now, if we view the Microsoft blog posts on this hack, there is one technical fact that relates back to the SolarWinds hack: the use of never-before-seen tooling. Victims who fell for the phishing emails had four “zero-day” pieces of malware deployed on their computers, according to a second Microsoft blog post about the attack (a caveat: “zero-day” here means malware families that had never been seen before, which is not the same thing as an exploit for an unpatched vulnerability). So the technical trait shared between this phishing attack and the earlier SolarWinds hack is the use of multiple never-before-seen tools. But different tools. The Microsoft blog post describing this USAID phishing scheme explicitly states that this new attack bears very little technical similarity to the SolarWinds hack and suggests the hackers intentionally changed their tactics after the discovery of the SolarWinds hack. So the possession of multiple zero-day tools is apparently being used as a technical indicator for attribution. If a hacker is sporting lots of zero-days, it’s assumed to be the same hacker who ran the last hack with lots of zero-days. And since zero-day exploits are widely assumed to be largely the exclusive property of well-financed nations (the US, Russia, China, Israel, etc.), when a hack involves lots of zero-days the list of suspects gets narrowed down to that list. That appears to be the pattern playing out here. A pattern that ignores the existence of a robust industry selling zero-day exploits to dozens of governments around the world.
But also keep in mind that the Microsoft Exchange mega-hack announced in March also utilized zero-day exploits, and this hack started with the compromise of USAID’s Constant Contact account. Is there an Exchange server involved with this service? It would be nice to know but, again, we aren’t told how the hack started. So how was Microsoft able to deduce that it was the SolarWinds hackers and not the Exchange hackers or some other group? We have no idea, but we are assured that Microsoft figured it all out. We’ll just have to blindly trust them on this. As always:
Reuters
Technology
Microsoft says group behind SolarWinds hack now targeting government agencies, NGOs
Raphael Satter, Kanishka Singh
May 28, 2021 12:53 PM CDT Updated
May 28 (Reuters) — The group behind the SolarWinds (SWI.N) cyber attack identified late last year is now targeting government agencies, think tanks, consultants, and non-governmental organizations, Microsoft Corp (MSFT.O) said on Thursday.
“This week we observed cyberattacks by the threat actor Nobelium targeting government agencies, think tanks, consultants, and non-governmental organizations”, Microsoft said in a blog.
Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020, according to Microsoft.
The comments come weeks after a May 7 ransomware attack on Colonial Pipeline shut the United States’ largest fuel pipeline network for several days, disrupting the country’s supply.
“This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations”, Microsoft said on Thursday.
While organisations in the United States received the largest share of attacks, targeted victims came from at least 24 countries, Microsoft said.
At least a quarter of the targeted organisations were involved in international development, humanitarian issues and human rights work, Microsoft said in the blog.
Nobelium launched this week’s attacks by breaking into an email marketing account used by the United States Agency For International Development (USAID) and from there launching phishing attacks on many other organisations, Microsoft said.
In statements issued Friday, the Department of Homeland Security and USAID both said they were aware of the hacking and were investigating.
The hack of information technology company SolarWinds, which was identified in December, gave access to thousands of companies and government offices that used its products. Microsoft President Brad Smith described the attack as “the largest and most sophisticated attack the world has ever seen”.
...
The United States and Britain have blamed Russia’s Foreign Intelligence Service (SVR), successor to the foreign spying operations of the KGB, for the hack which compromised nine U.S. federal agencies and hundreds of private sector companies.
The attacks disclosed by Microsoft on Thursday appeared to be a continuation of multiple efforts to target government agencies involved in foreign policy as part of intelligence gathering efforts, Microsoft said.
The company said it was in the process of notifying all of its targeted customers and had “no reason to believe” these attacks involved any exploitation or vulnerability in Microsoft’s products or services.
————–
“Nobelium launched this week’s attacks by breaking into an email marketing account used by the United States Agency For International Development (USAID) and from there launching phishing attacks on many other organisations, Microsoft said.”
As Microsoft announced in May, the SolarWinds attacks continue. Sort of. This wasn’t an extension of the SolarWinds attack. At least we aren’t told so. Instead, we’re told that the same hackers, Nobelium, who carried out the SolarWinds attack also carried out this new attack targeting the email marketing firm, Constant Contact, that handles the emails for USAID. Somehow, the hackers were able to send out emails to 3,000 email accounts at more than 150 different organizations that looked like they came from USAID, and if victims clicked on the links in the emails, sophisticated malware, like that deployed in the SolarWinds attack, was installed. Again, Nobelium is Microsoft’s name for APT29/Cozy Bear, the group accused of the 2015 DNC hack (the first DNC hack of the 2016 election season).
Now how did Microsoft arrive at the conclusion that this phishing attack was carried out by the same “Nobelium” SolarWinds hackers? As we should expect, it’s entirely unclear. Microsoft first dubbed the SolarWinds hackers “Nobelium” back in March of 2021, in a blog post describing the command-and-control malware from the SolarWinds hack. ‘Zero-day’ malware that had never been seen before, adding to the perceived sophistication of the hacker. Of course, as we’re going to see with the NSO Group story, ultra-sophisticated ‘zero-day’ hacks that have ‘never been seen before’ are effectively for sale to governments around the world. Any government with permission to buy this software would suddenly become an ultra-sophisticated actor with an armory of zero-day exploits never seen before.
So were more zero-days found in this latest USAID phishing hack? Yes: four previously unseen pieces of malware were deployed, according to a second Microsoft blog post about the attack. That is the only technical trait this phishing attack shares with the earlier SolarWinds hack, the use of multiple never-before-seen tools, and they are different tools. Microsoft’s own description of the campaign says it bears very little technical similarity to the SolarWinds hack. Yet the mere possession of an armory of zero-days is, apparently, enough to narrow the suspect list to the same handful of well-financed nations and then to pick the same one as last time, as if the industry selling such tooling to dozens of governments didn’t exist.
And note how, while this attack clearly involves USAID, it’s not actually targeting USAID. It was an attack that used USAID’s persona to target 150 different organizations in at least 24 countries. And the most Microsoft could say was that at least a quarter of those targeted organisations were involved in international development, humanitarian issues and human rights work. And yet Microsoft confidently tells us this hack is a continuation of an SVR espionage campaign targeting government agencies involved in foreign policy. It’s a remarkably cherry-picked assessment:
...
“This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations”, Microsoft said on Thursday.
While organisations in the United States received the largest share of attacks, targeted victims came from at least 24 countries, Microsoft said.
At least a quarter of the targeted organisations were involved in international development, humanitarian issues and human rights work, Microsoft said in the blog.
...
The United States and Britain have blamed Russia’s Foreign Intelligence Service (SVR), successor to the foreign spying operations of the KGB, for the hack which compromised nine U.S. federal agencies and hundreds of private sector companies.
The attacks disclosed by Microsoft on Thursday appeared to be a continuation of multiple efforts to target government agencies involved in foreign policy as part of intelligence gathering efforts, Microsoft said.
...
So we have the SolarWinds mega-hack discovered in December 2020, initially attributed to a previously unknown group — which governments nonetheless assure us is the SVR — and later attributed to Cozy Bear/APT29, aka Nobelium. Then a May 2021 phishing campaign that doesn’t actually share any technical traits with the SolarWinds hack, other than the use of a fresh set of never-before-seen tools, is also attributed to Cozy Bear. Why exactly it’s been determined that these two separate attacks were done by the same group is never explained, let alone why that group has been determined to be Russia’s SVR.
The SolarWinds Hackers(?) Can’t Stop, Won’t Stop...Hacking Microsoft
It’s always a ‘trust us’ narrative. A narrative that sounds awfully similar to the story we got a month later, in the last week of June, when Microsoft announced a new Nobelium/Cozy Bear attack. Although it’s more like an update on the May phishing attack. As with the May phishing attack report, Microsoft assured us that this new attack is unrelated to the SolarWinds hack. And yet Microsoft also assured us that the same group, Nobelium, was behind it. The reason for this attribution to Nobelium is never given. It’s another phishing attack that isn’t technically related to the SolarWinds hack, but they’re still sure it’s the same group. The reasons are never given. Sounding familiar yet?
But this June attack appears to differ from the May phishing attack in a potentially significant way: one of Microsoft’s own customer-service agents was compromised and customer information about Microsoft services subscriptions was accessed, allowing for tailored phishing attacks. So whoever pulled this off once again got inside Microsoft’s own systems, which at minimum raises the question of whether the same ability to exploit previously unknown Microsoft weaknesses was at work. That is an ability demonstrated by both the SolarWinds and Exchange hackers.
Microsoft didn’t answer questions about whether its agent was compromised during the initial SolarWinds hack. But we are told that Microsoft discovered this phishing campaign and the compromise of its agent as a result of its investigation into the earlier SolarWinds hacks. Part of the reason this is potentially significant is that it once again raises the question of whether this new breach of the Microsoft agent — where customer service information was somehow accessed and used to tailor phishing emails — was executed with some sort of exploit targeting Microsoft systems. And if that’s the case, we have to ask why these are necessarily the SolarWinds hackers and not the Exchange hackers. Both possessed Microsoft zero-day exploits.
But beyond the potential relationship between the SolarWinds and Exchange hackers, it’s hard to ignore the story of NSO Group, Candiru, and the existence of a private industry that creates and sells cutting-edge malware bristling with zero-day exploits — including zero-day exploits targeting Microsoft products — to dozens of governments around the world. And yet ignoring the existence of this private industry, which makes cutting-edge zero-day exploits available to dozens of governments, is exactly what we are asked to do. Over and over. Every time there’s a new hack that shows a reasonable degree of sophistication or that hits a government agency (even if many more non-government organizations are hit too), it’s treated as if the only possible actors in the world who could have pulled off the hack were Russia, China, Iran or North Korea. It is systematically ignored that dozens of governments around the world can and do buy the ‘zero-day’ malware toolkits needed to pull off these hacks. Would Saudi Arabia attempt a SolarWinds-style mega-hack if it knew the hack was going to be blamed on Russia or China? There’s no way to responsibly avoid asking these kinds of questions when we know Saudi Arabia and dozens of other countries have already purchased the ability to do so.
So we have a second phishing attack attributed to Nobelium/Cozy Bear. But unlike the previous phishing attack, where Microsoft acknowledged there was no apparent technical link back to the earlier SolarWinds hack, this phishing attack appears to have involved some sort of weakness in Microsoft’s own systems. And at the same time that Microsoft assures us this wasn’t technically related to the SolarWinds hack, Microsoft also reminds us of what was disclosed months ago: that data and insights were stolen from Microsoft during the initial SolarWinds attack, including software instructions governing how Microsoft verifies user identities. Was any of that stolen material used in this hack? Microsoft isn’t saying. And that’s a big part of the larger story here: extremely serious allegations about who was behind these cyberattacks are being made — with all fingers pointing towards the Russian or Chinese governments — with almost no information being released regarding why and how those attributions are made. The entire cyberattribution industry is rooted in a ‘just trust us on this’ ethos:
Reuters
Microsoft says new breach discovered in probe of suspected SolarWinds hackers
Joseph Menn
June 25, 2021 8:59 PM CDT Updated
SAN FRANCISCO, June 25 (Reuters) — Microsoft (MSFT.O) said on Friday an attacker had won access to one of its customer-service agents and then used information from that to launch hacking attempts against customers.
The company said it had found the compromise during its response to hacks by a team it identifies as responsible for earlier major breaches at SolarWinds (SWI.N) and Microsoft.
Microsoft said it had warned the affected customers. A copy of one warning seen by Reuters said the attacker belonged to the group Microsoft calls Nobelium and that it had access during the second half of May.
“A sophisticated Nation-State associated actor that Microsoft identifies as NOBELLIUM accessed Microsoft customer support tools to review information regarding your Microsoft Services subscriptions,” the warning reads in part. The U.S. government has publicly attributed the earlier attacks to the Russian government, which denies involvement.
When Reuters asked about that warning, Microsoft announced the breach publicly.
After commenting on a broader phishing campaign it said had compromised a small number of entities, Microsoft said it had also found the breach of its own agent, who it said had limited powers.
The agent could see billing contact information and what services the customers pay for, among other things.
“The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign,” Microsoft said.
Microsoft warned affected customers to be careful about communications to their billing contacts and consider changing those usernames and email addresses, as well as barring old usernames from logging in.
Microsoft said it was aware of three entities that had been compromised in the phishing campaign.
It did not immediately clarify whether any had been among those whose data was viewed through the support agent, or if the agent had been tricked by the broader campaign.
Microsoft did not say whether the agent was at a contractor or a direct employee.
A spokesman said the latest breach by the threat actor was not part of Nobelium’s previous successful attack on Microsoft, in which it obtained some source code.
In the SolarWinds attack, the group altered code at that company to access SolarWinds customers, including nine U.S. federal agencies.
At the SolarWinds customers and others, the attackers also took advantage of weaknesses in the way Microsoft programs were configured, according to the Department of Homeland Security.
Microsoft later said the group had compromised its own employee accounts and taken software instructions governing how Microsoft verifies user identities.
A White House official said the latest intrusion and phishing campaign was far less serious than the SolarWinds fiasco.
“This appears to be largely unsuccessful, run-of-the-mill espionage,” the official said.
...
————
““A sophisticated Nation-State associated actor that Microsoft identifies as NOBELLIUM accessed Microsoft customer support tools to review information regarding your Microsoft Services subscriptions,” the warning reads in part. The U.S. government has publicly attributed the earlier attacks to the Russian government, which denies involvement.”
Nobelium “accessed Microsoft customer support tools to review information.” That’s the language used by Microsoft to describe the compromise of its agent and the use of the obtained information to run targeted phishing campaigns. That’s what we know. What we don’t know is how the agent got compromised in the first place. Was it simply exploiting a backdoor created by the SolarWinds hack? Microsoft isn’t saying. But we know Microsoft has previously disclosed that ‘Nobelium’ stole code involving Microsoft’s user verification. And DHS tells us these same hackers took advantage of weaknesses in the way Microsoft programs were configured. A lot of arrows point in the direction of another Microsoft weakness being exploited, but as always we’re forced to guess:
...
A spokesman said the latest breach by the threat actor was not part of Nobelium’s previous successful attack on Microsoft, in which it obtained some source code....
At the SolarWinds customers and others, the attackers also took advantage of weaknesses in the way Microsoft programs were configured, according to the Department of Homeland Security.
Microsoft later said the group had compromised its own employee accounts and taken software instructions governing how Microsoft verifies user identities.
...
The bad news stories just keep piling up. What’s next?
Backdoors aren’t Just Backdoors. They’re Digital Bombs Too.
What might be next is the question ominously answered in a CBS News piece from July 4 that includes commentary from Jon Miller, a former hacker who now runs a company called Boldend that designs and sells cutting-edge cyber weapons to US intelligence agencies. According to Miller, what stood out for him in the SolarWinds hack wasn’t the sophistication of the malware. Miller claims to create much more sophisticated malware in his own work. What surprised him was the scope of the attack. Whoever did this didn’t even bother trying to hide it and seemed to execute it with no regard to the damage caused or the potential consequences.
And then Miller drops the bomb: when asked if the hackers were capable of doing more damage than they did and, for example, destroying all the computers on a network, Miller tells us that not only would that be possible but it would be trivial. A few dozen additional lines of code. (He also notes the malware actually deployed via SolarWinds did not contain that functionality.) So if the SolarWinds hackers — or the Microsoft Exchange hackers — had wanted to destroy the computer systems of organizations around the world, they could have done so. Easily.
The piece also includes an interview with Brad Smith, president of Microsoft. Smith points to the numerous government agencies hit to make the case that it must be a foreign intelligence operation, an observation that systematically ignores all the non-government commercial victims that also got hit. Smith goes on to make an interesting defense of the US government’s inability to detect and stop the SolarWinds hack: because the hackers launched the hack from US-based servers, the NSA wasn’t legally allowed to observe and prevent it. Domestic network security in the US is the responsibility of the private sector. How those policies change in response to these mega-hacks will be something to watch.
Then Smith issues a warning that, when combined with Miller’s warnings about digital bombs, should send chills down the spines of system administrators everywhere: Smith warns that it’s almost certain the SolarWinds hackers planted additional backdoors and spread to other networks. Keep in mind that Microsoft has been one of the lead investigators on this, so when Microsoft tells us the SolarWinds hackers are probably still residing on these hacked networks and have spread to others, that’s the kind of warning we should take seriously. So if you were hoping the discovery of the SolarWinds hack meant the closing of all these backdoors on the networks of thousands of organizations around the world, your hopes should be dashed by now. Microsoft was basically telling us they don’t think they can realistically expel the hackers from all these networks. So if these hackers do decide to actually destroy tens of thousands of hacked networks around the world, or conduct a global ransomware attack, they could probably still do so:
CBS News
SolarWinds: How Russian spies hacked the Justice, State, Treasury, Energy and Commerce Departments
Bill Whitaker reports on how Russian spies used a popular piece of software to unleash a virus that spread to 18,000 government and private computer networks.
Correspondent Bill Whitaker
2021 Jul 04
When Presidents Biden and Putin met in Geneva last month – it was the first time that the threat of cyber war eclipsed that of nuclear war between the two old super-powers… and “SolarWinds” was one big reason why. Last year, in perhaps the most audacious cyber attack in history, Russian military hackers sabotaged a tiny piece of computer code buried in a popular piece of software called SolarWinds. As we first reported in February, the hidden virus spread to 18,000 government and private computer networks by way of one of those software updates we all take for granted. After it was installed, Russian agents went rummaging through the digital files of the U.S. departments of Justice, State, Treasury, Energy, and Commerce –among others—and for nine months, they had unfettered access to top-level communications, court documents, even nuclear secrets.
Brad Smith: I think from a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack the world has ever seen.
Brad Smith is president of Microsoft. He learned about the hack after the presidential election this past November. By that time, the stealthy intruders had spread throughout the tech giants’ computer network and stolen some of its proprietary source code used to build its software products. More alarming: how the hackers got in… piggy-backing on a piece of third party software used to connect, manage and monitor computer networks.
Bill Whitaker: What makes this so momentous?
Brad Smith: One of the really disconcerting aspects of this attack was the widespread and indiscriminate nature of it. What this attacker did was identify network management software from a company called SolarWinds. They installed malware into an update for a SolarWinds product. When that update went out to 18,000 organizations around the world, so did this malware.
“SolarWinds Orion” is one of the most ubiquitous software products you probably never heard of, but to thousands of I.T. departments worldwide, it’s indispensable. It’s made up of millions of lines of computer code. 4,032 of them were clandestinely re-written and distributed to customers in a routine update, opening up a secret backdoor to the 18,000 infected networks. Microsoft has assigned 500 engineers to dig in to the attack. One compared it to a Rembrandt painting, the closer they looked, the more details emerged.
Brad Smith: When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000.
Bill Whitaker: You guys are Microsoft. How did Microsoft miss this?
Brad Smith: I think that when you look at the sophistication of this attacker there’s an asymmetric advantage for somebody playing offense.
Bill Whitaker: Is it still going on?
Brad Smith: Almost certainly, these attacks are continuing.
The world still might not know about the hack if not for FireEye, a three-and-a-half billion dollar cybersecurity company run by Kevin Mandia, a former Air Force intelligence officer.
...
They discovered the malware inside SolarWinds and on December 13 informed the world of the brazen attack.
Much of the damage had already been done. The U.S. Justice Department acknowledged the Russians spent months inside their computers accessing email traffic – but the department won’t tell us exactly what was taken. It’s the same at Treasury, Commerce, the NIH, Energy. Even the agency that protects and transports our nuclear arsenal. The hackers also hit the biggest names in high tech.
Bill Whitaker: So, what does that target list tell you?
Brad Smith: I think this target list tells us that this is clearly a foreign intelligence agency. It exposes the secrets potentially of the United States and other governments as well as private companies. I don’t think anyone knows for certain how all of this information will be used. But we do know this: It is in the wrong hands.
And Microsoft’s Brad Smith told us it’s almost certain the hackers created additional backdoors and spread to other networks.
The revelation this past December came at a fraught time in the U.S. President Trump was disputing the election, and tweeted China might be responsible for the hack. Within hours he was contradicted by his own secretary of state and attorney general. They blamed Russia. The Department of Homeland Security, FBI and intelligence agencies concurred. The prime suspect: the SVR, one of several Russian spy agencies the U.S. labels “advanced persistent threats.” Russia denies it was involved.
Brad Smith: I do think this was an act of recklessness. The world runs on software. It runs on information technology. But it can’t run with confidence if major governments are disrupting and attacking the software supply chain in this way.
Bill Whitaker: That almost sounds like you think that they went in to foment chaos?
Brad Smith: What we are seeing is the first use of this supply chain disruption tactic against the United States. But it’s not the first time we’ve witnessed it. The Russian government really developed this tactic in Ukraine.
...
Bill Whitaker: It’s hard to downplay the severity of this.
Chris Inglis: It is hard to downplay the severity of this. Because it’s only a stone’s throw from a computer network attack.
Chris Inglis spent 28 years commanding the nation’s best cyber warriors at the National Security Agency – seven as its deputy director – and now sits on the Cyberspace Solarium Commission – created by Congress to come up with new ideas to defend our digital domain.
Bill Whitaker: Why didn’t the government detect this?
Chris Inglis: The government is not looking on private sector networks. It doesn’t surveil private sector networks. That’s a responsibility that’s given over to the private sector. FireEye found it on theirs, many others did not. The government did not find it on their network, so that’s a disappointment.
Disappointment is an understatement. The Department of Homeland Security spent billions on a program called “Einstein” to detect cyber attacks on government agencies. The Russians outsmarted it. They circumvented the NSA, which gathers intelligence overseas, but is prohibited from surveilling U.S. computer networks. So the Russians launched their attacks from servers set up anonymously in the United States.
Bill Whitaker: This hack happened on American soil. It went through networks based in the United States. Are our defense capabilities constrained?
Chris Inglis: U.S. Intelligence Community, U.S. Department of Defense, can suggest what the intentions of other nations are based upon what they learn in their rightful work overseas. But they can’t turn around and focus their unblinking eye on the domestic infrastructure. That winds up making it more difficult for us.
...
It’s not everyday you meet someone who builds cyber weapons as complex as those deployed by Russian intelligence. But Jon Miller, who started off as a hacker and now runs a company called Boldend, designs and sells cutting-edge cyber weapons to U.S. intelligence agencies.
Jon Miller: I build things much more sophisticated than this. What’s impressive is the scope of it. This is a watershed style attack. I would never do something like this. It creates too much damage.
Miller says with the SolarWinds attack, Russia has demonstrated that none of the software we take for granted is truly safe, including the apps on our telephones, laptops, and tablets. These days, he says, any device can be sabotaged.
Jon Miller: When you buy something from a tech company, a new phone or a laptop, you trust that that is secure when they give it to you. And what they’ve shown us in this attack is that is not the case. They have the ability to compromise those supply chains and manipulate whatever they want. Whether it’s financial data, source code, the functionality of these products. They can take control.
Bill Whitaker: So, for instance, they could destroy all the computers on a network?
Jon Miller: Oh, easily. The malware that they deployed off of SolarWinds, it didn’t have the functionality in it to do that. But to do that is trivial. Couple dozen lines of code.
...
———–
“Much of the damage had already been done. The U.S. Justice Department acknowledged the Russians spent months inside their computers accessing email traffic – but the department won’t tell us exactly what was taken. It’s the same at Treasury, Commerce, the NIH, Energy. Even the agency that protects and transports our nuclear arsenal. The hackers also hit the biggest names in high tech.”
The SolarWinds hackers spent months inside numerous US government agency networks, presumably from February 2020 until December 2020. That’s 10 or so months of emails. That’s a lot of government emails. It makes the “Hillary’s emails” stories sound like a sweet lullaby of yesteryear.
But the SolarWinds hack was obviously not just targeting the US government. Thousands of companies were hit too. And yet, when asked, the President of Microsoft insists, “I think this target list tells us that this is clearly a foreign intelligence agency”. It’s what it looks like when everyone plays dumb professionally:
...
Bill Whitaker: So, what does that target list tell you?
Brad Smith: I think this target list tells us that this is clearly a foreign intelligence agency. It exposes the secrets potentially of the United States and other governments as well as private companies. I don’t think anyone knows for certain how all of this information will be used. But we do know this: It is in the wrong hands.
And Microsoft’s Brad Smith told us it’s almost certain the hackers created additional backdoors and spread to other networks.
The revelation this past December came at a fraught time in the U.S. President Trump was disputing the election, and tweeted China might be responsible for the hack. Within hours he was contradicted by his own secretary of state and attorney general. They blamed Russia. The Department of Homeland Security, FBI and intelligence agencies concurred. The prime suspect: the SVR, one of several Russian spy agencies the U.S. labels “advanced persistent threats.” Russia denies it was involved.
...
Also note how the fact that the SolarWinds hack was conducted with US-based servers, and the fact that the NSA isn’t mandated with monitoring US networks, is turning into an argument for giving the NSA authority to monitor US networks. This is a good time to recall the story from earlier this year about the DARPA projects involving the creation of autonomous anti-virus software that can traverse networks, which sounds awfully similar to the “Project TURBINE” plan for mass automated malware implantation. Automated ‘anti-malware’ delivered by goodware. As questions about the constitutionality of NSA monitoring of domestic networks get raised, don’t be surprised if automated ‘goodware’ solutions are offered:
...
Chris Inglis spent 28 years commanding the nation’s best cyber warriors at the National Security Agency – seven as its deputy director – and now sits on the Cyberspace Solarium Commission – created by Congress to come up with new ideas to defend our digital domain.
Bill Whitaker: Why didn’t the government detect this?
Chris Inglis: The government is not looking on private sector networks. It doesn’t surveil private sector networks. That’s a responsibility that’s given over to the private sector. FireEye found it on theirs, many others did not. The government did not find it on their network, so that’s a disappointment.
Disappointment is an understatement. The Department of Homeland Security spent billions on a program called “Einstein” to detect cyber attacks on government agencies. The Russians outsmarted it. They circumvented the NSA, which gathers intelligence overseas, but is prohibited from surveilling U.S. computer networks. So the Russians launched their attacks from servers set up anonymously in the United States.
Bill Whitaker: This hack happened on American soil. It went through networks based in the United States. Are our defense capabilities constrained?
Chris Inglis: U.S. Intelligence Community, U.S. Department of Defense, can suggest what the intentions of other nations are based upon what they learn in their rightful work overseas. But they can’t turn around and focus their unblinking eye on the domestic infrastructure. That winds up making it more difficult for us.
...
Finally, note the assessment of the relative sophistication of the SolarWinds source code by Jon Miller, the former hacker who now runs a company called Boldend, which designs and sells cutting-edge cyber weapons to U.S. intelligence agencies. Miller wasn’t impressed by the sophistication. He admits to building things much more sophisticated (presumably sold to US intelligence agencies). What surprised Miller was the scale of the attack and that someone actually did something that created so much damage. It’s the kind of response from an industry professional (who isn’t playing dumb professionally) that points towards a reality where large-scale hacks of this nature have long been possible, but were assumed to be too inflammatory to execute without inviting serious repercussions. As Miller pointed out, this attack potentially tainted the entire global software supply chain. The same compiler attack that snuck the backdoor into SolarWinds’s Orion client tool could be reapplied to the software being developed by the tens of thousands of SolarWinds corporate and government clients. It really was a massive attack. But he’s not surprised someone was able to pull it off technically. He’s surprised someone actually did it. It’s an important distinction to keep in mind when assessing the nature of this attack. Thankfully, another possible nightmare scenario wasn’t executed: a scenario where malware is deployed that actually causes these networks to physically destroy themselves. But they could have if they wanted to:
...
It’s not everyday you meet someone who builds cyber weapons as complex as those deployed by Russian intelligence. But Jon Miller, who started off as a hacker and now runs a company called Boldend, designs and sells cutting-edge cyber weapons to U.S. intelligence agencies.
Jon Miller: I build things much more sophisticated than this. What’s impressive is the scope of it. This is a watershed style attack. I would never do something like this. It creates too much damage.
Miller says with the SolarWinds attack, Russia has demonstrated that none of the software we take for granted is truly safe, including the apps on our telephones, laptops, and tablets. These days, he says, any device can be sabotaged.
Jon Miller: When you buy something from a tech company, a new phone or a laptop, you trust that that is secure when they give it to you. And what they’ve shown us in this attack is that is not the case. They have the ability to compromise those supply chains and manipulate whatever they want. Whether it’s financial data, source code, the functionality of these products. They can take control.
Bill Whitaker: So, for instance, they could destroy all the computers on a network?
Jon Miller: Oh, easily. The malware that they deployed off of SolarWinds, it didn’t have the functionality in it to do that. But to do that is trivial. Couple dozen lines of code.
...
Miller is absolutely correct. SolarWinds wasn’t just the mega-hack of SolarWinds and its thousands of clients. It was potentially the hack of the global technological supply chain. Someone executed a very very big hack.
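The property that makes a build-stage implant so dangerous is the one the commentary above keeps returning to: the source tree is clean and the shipped binary carries the vendor’s valid signature, so neither code review nor signature checking sees anything wrong. The check that does see it is an independent rebuild from the same tagged source, compared byte for byte against what the vendor shipped. The Python below is an added illustration of that comparison, not code from SolarWinds, 60 Minutes or this post; the file names (Orion.Core.dll, Orion.Web.dll, Installer.msi) and the byte contents are constructed placeholders.

```python
"""Compare a vendor-shipped build against an independent rebuild of the same
source to surface code injected at build time. Added illustration; the file
names and byte contents below are constructed placeholders, not SolarWinds data."""
import hashlib

CHUNK = 64  # bytes per chunk when localising a difference (small for the demo)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diverging_ranges(a: bytes, b: bytes, chunk: int = CHUNK) -> list:
    """Return merged [start, end) byte ranges where the two blobs differ,
    compared chunk by chunk. A length-changing injection shows up as one
    range running from the first divergence to the end of the longer blob."""
    ranges = []
    total = max(len(a), len(b))
    for off in range(0, total, chunk):
        end = min(off + chunk, total)
        if a[off:end] != b[off:end]:
            if ranges and ranges[-1][1] == off:
                ranges[-1] = (ranges[-1][0], end)   # extend the previous range
            else:
                ranges.append((off, end))
    return ranges


def compare_builds(vendor: dict, rebuilt: dict, chunk: int = CHUNK) -> dict:
    """vendor and rebuilt map a relative path to the file's bytes.
    Files are classified as identical, modified (with the byte ranges that
    differ), present only in the vendor drop, or present only in the rebuild."""
    report = {"identical": [], "modified": {}, "only_in_vendor": [], "only_in_rebuild": []}
    for path in sorted(set(vendor) | set(rebuilt)):
        if path not in rebuilt:
            report["only_in_vendor"].append(path)
        elif path not in vendor:
            report["only_in_rebuild"].append(path)
        elif sha256_hex(vendor[path]) == sha256_hex(rebuilt[path]):
            report["identical"].append(path)
        else:
            report["modified"][path] = diverging_ranges(vendor[path], rebuilt[path], chunk)
    return report


def build_sample_release() -> tuple:
    """Constructed sample: a clean rebuild and a vendor build in which one
    component has been overwritten in the middle, the way a build-step
    implant would alter it. Nothing here is real SolarWinds material."""
    clean_core = bytes(range(256)) * 4          # 1024-byte stand-in for a compiled DLL
    clean_web = b"\x90" * 512
    implant = b"<injected>"                      # 10 bytes, written at offset 300
    tampered_core = clean_core[:300] + implant + clean_core[300 + len(implant):]
    rebuilt = {"Orion.Core.dll": clean_core, "Orion.Web.dll": clean_web}
    vendor = {"Orion.Core.dll": tampered_core, "Orion.Web.dll": clean_web,
              "Installer.msi": b"installer bytes"}   # not produced by the source rebuild
    return vendor, rebuilt


if __name__ == "__main__":
    vendor, rebuilt = build_sample_release()
    report = compare_builds(vendor, rebuilt)
    for path, ranges in report["modified"].items():
        print(f"{path}: differs at byte ranges {ranges}")
    print("only in vendor drop:", report["only_in_vendor"])
```

The chunked comparison localises where the divergence sits, which is what an analyst then disassembles; an inserted implant that changes the file length shows as a single range from the first divergence to the end of the file, and files present only in the vendor drop (installers, signed catalogs) are listed rather than silently ignored. This only works when the build is reproducible: nondeterministic timestamps or embedded paths will appear as spurious differences and have to be normalised before the comparison means anything.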
CitizenLab Issues a Warning to the World: Someone is Hacking the Sh*t Out of Microsoft. Legally. Meet Candiru
It was the middle of July this year when the stories of the mega-hacks took a sudden turn. After months of disclosing (and denying) one hack after another involving a Microsoft vulnerability, CitizenLab had a dramatic, and thematically appropriate, new security warning: a mercenary spyware company has been selling an exploit used against Windows users in several countries, including Iran, Lebanon, Spain and the United Kingdom. Beyond that, the malware has been found targeting activists, which isn’t particularly surprising given the fact that Candiru’s clients are governments. Candiru’s exploits aren’t solely against Microsoft products. Google’s popular Chrome browser is also a target. But it sounds like Candiru specializes in Microsoft products.
Microsoft fixed the vulnerabilities identified in CitizenLab’s report. Curiously, in its report on the fix, Microsoft never refers to Candiru by name. Instead, it refers to it as an “Israel-based private sector offensive actor” which the company codenamed Sourgum. Google also issued a report on Candiru’s targeting of activists and the zero-day exploits discovered used against activists. Google also didn’t refer to Candiru by name.
So at least one Candiru customer — but perhaps more than one — was running around using zero-day exploits against activists and they got caught. Because it was blamed on Candiru it couldn’t be attributed to Russia or China. So who got blamed for these discovered hacks against activists? No one:
Reuters
Microsoft says Israeli group sold tools to hack Windows
Christopher Bing
July 15, 2021 4:45 PM CDT
Updated
July 15 (Reuters) — An Israeli group sold a tool to hack into Microsoft Windows, Microsoft and technology human rights group Citizen Lab said on Thursday, shedding light on the growing business of finding and selling tools to hack widely used software.
The hacking tool vendor, named Candiru, created and sold a software exploit that can penetrate Windows, one of many intelligence products sold by a secretive industry that finds flaws in common software platforms for their clients, said a report by Citizen Lab.
Technical analysis by security researchers details how Candiru’s hacking tool spread around the globe to numerous unnamed customers, where it was then used to target various civil society organizations, including a Saudi dissident group and a left-leaning Indonesian news outlet, the reports by Citizen Lab and Microsoft show.
...
Evidence of the exploit recovered by Microsoft Corp (MSFT.O) suggested it was deployed against users in several countries, including Iran, Lebanon, Spain and the United Kingdom, according to the Citizen Lab report.
“Candiru’s growing presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse,” Citizen Lab said in its report.
Microsoft fixed the discovered flaws on Tuesday through a software update. Microsoft did not directly attribute the exploits to Candiru, instead referring to it as an “Israel-based private sector offensive actor” under the codename Sourgum.
“Sourgum generally sells cyberweapons that enable its customers, often government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and internet-connected devices,” Microsoft wrote in a blog post. “These agencies then choose who to target and run the actual operations themselves.”
Candiru’s tools also exploited weaknesses in other common software products, like Google’s Chrome browser.
On Wednesday, Google (GOOGL.O) released a blog post where it disclosed two Chrome software flaws that Citizen Lab found connected to Candiru. Google also did not refer to Candiru by name, but described it as a “commercial surveillance company.” Google patched the two vulnerabilities earlier this year.
Cyber arms dealers like Candiru often chain multiple software vulnerabilities together to create effective exploits that can reliably break into computers remotely without a target’s knowledge, computer security experts say.
Those types of covert systems cost millions of dollars and are often sold on a subscription basis, making it necessary for customers to repeatedly pay a provider for continued access, people familiar with the cyber arms industry told Reuters.
“No longer do groups need to have the technical expertise, now they just need resources,” Google wrote in its blog post.
———–
“Microsoft says Israeli group sold tools to hack Windows” by Christopher Bing; Reuters; 07/15/2021
““No longer do groups need to have the technical expertise, now they just need resources,” Google wrote in its blog post.”
Are you a government with cash to burn? Welcome to the world of elite hackers. Just be sure to maintain your subscription fees.
Google’s researchers weren’t exaggerating. It really is just a matter of having the resources — and permission from the Israeli (and US?) government(s?) — for a government to go from having virtually no cyber capabilities to having a suite of zero-day exploits capable of defeating the top technology firms in the world.
And yet it’s kind of interesting that both Google and Microsoft didn’t actually name Candiru in their reports. Microsoft refers to Candiru with its own made-up codename, Sourgum. Although Microsoft does point out in its report that Citizen Lab identified Sourgum as Candiru. But that’s the only reference to Candiru in the report. And Google’s report on Candiru just refers to a “commercial surveillance company.” Recall that this is the same language Google used in its report on the three zero-day exploits discovered targeting Armenian activists. So Google and Microsoft appear to go out of their way to avoid naming names in their reports when the culprit is a private company:
...
Microsoft fixed the discovered flaws on Tuesday through a software update. Microsoft did not directly attribute the exploits to Candiru, instead referring to it as an “Israel-based private sector offensive actor” under the codename Sourgum.
“Sourgum generally sells cyberweapons that enable its customers, often government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and internet-connected devices,” Microsoft wrote in a blog post. “These agencies then choose who to target and run the actual operations themselves.”
...
On Wednesday, Google (GOOGL.O) released a blog post where it disclosed two Chrome software flaws that Citizen Lab found connected to Candiru. Google also did not refer to Candiru by name, but described it as a “commercial surveillance company.” Google patched the two vulnerabilities earlier this year.
...
Also note how Candiru’s toolkit doesn’t just include an array of Microsoft exploits. It also hits other common non-Microsoft apps like Google’s Chrome. And as the article notes, cyber arms dealers like Candiru often chain multiple software vulnerabilities together to create effective exploits. In other words, these toolkits have to consist of numerous zero-day exploits. That’s the underlying product these companies are selling: toolkits that chain together multiple zero-day exploits:
...
Candiru’s tools also exploited weaknesses in other common software products, like Google’s Chrome browser.
...
Cyber arms dealers like Candiru often chain multiple software vulnerabilities together to create effective exploits that can reliably break into computers remotely without a target’s knowledge, computer security experts say.
...
Days after Microsoft was forced to patch these vulnerabilities, the company issued an update on the actions it was taking against Candiru’s malware as well as the scope of the use of this malware: Microsoft claimed it blocked tools used to spy on more than 100 people around the world, including politicians, human rights activists, journalists, academics and political dissidents. Politicians got hit too. It’s not surprising, but a notable admission. Precision attacks were identified in the Palestinian territory, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia, and Singapore.
Intriguingly, Citizen Lab said Candiru’s spyware infrastructure included websites “masquerading as advocacy organizations” such as Amnesty International and Black Lives Matter. So the next time you hear about a Black Lives Matter website and it’s automatically attributed to Russia and the Internet Research Agency, keep this ‘feature’ in mind. Candiru was selling tools specifically to mimic left-wing organizations. Also keep in mind that it’s Amnesty International that released a big NSO Group exposé days after Candiru’s malware was revealed, so there are probably quite a few people in the cybersecurity industry itself with an interest in spying on people affiliated with Amnesty International:
Associated Press
Microsoft says it blocked spying on rights activists, others
By ALAN SUDERMAN
July 15, 2021
RICHMOND, Va. (AP) — Microsoft said Thursday it has blocked tools developed by an Israeli hacker-for-hire company that were used to spy on more than 100 people around the world, including politicians, human rights activists, journalists, academics and political dissidents.
Microsoft issued a software update and worked with the Citizen Lab at the University of Toronto to investigate the secretive Israeli company behind the hacking efforts. Citizen Lab said the company goes by several names including Candiru, which according to legend is a parasitic fish found in the Amazon that attacks human private parts.
Microsoft said people targeted in “precision attacks” by the spyware were located in the Palestinian territory, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia, and Singapore. Microsoft did not name the targets but described them generally by category.
Citizen Lab said Candiru’s spyware infrastructure included websites “masquerading as advocacy organizations” such as Amnesty International and Black Lives Matter.
The reports by Microsoft and Citizen Lab shine new light on an opaque and lucrative industry of selling sophisticated hacking tools to governments and law enforcement agencies. Critics say such tools are often misused by authoritarian governments against innocent people.
“A world where private sector companies manufacture and sell cyberweapons is more dangerous for consumers, businesses of all sizes and governments,” Microsoft said in a blog post.
...
Microsoft said the business model for companies such as Candiru is to sell its services to government agencies, which then likely choose the targets and run the operations themselves.
Citizen Lab published parts of what it said were a leaked proposal by Candiru for hacking services that offered a la carte hacking options. For 16 million euros ($18.9 million), the company would allow the customer to monitor 10 devices simultaneously in a single country. For an extra 5.5 million euros ($6.5 million), 25 additional devices could be monitored in five more countries.
Citizen Lab said Candiru’s spyware targets computers, mobile devices and cloud accounts.
Thursday’s disclosure by Microsoft was part of what the company said was a broader effort to “address the dangers” caused by hacker-for-hire companies. Microsoft is supporting Facebook in its lawsuit against NSO Group, which is also based in Israel and is perhaps the most prominent private offensive spyware company.
Facebook filed a federal civil suit in 2019 alleging that NSO Group targeted some 1,400 users of Facebook’s encrypted messaging service WhatsApp with highly sophisticated spyware.
————-
“Microsoft issued a software update and worked with the Citizen Lab at the University of Toronto to investigate the secretive Israeli company behind the hacking efforts. Citizen Lab said the company goes by several names including Candiru, which according to legend is a parasitic fish found in the Amazon that attacks human private parts.”
Candiru is so secretive it uses secret identities. Secrecy that’s probably driven, in part, by the fact that it’s crafting the digital infrastructure governments are using to hack civil society. Organizations like Black Lives Matter and Amnesty International. That’s the kind of activity one might hide from. Presumably the utility of these fake websites is to direct people there to deliver the malware, which implies the targets of this malware were at least sympathetic to Black Lives Matter and Amnesty International. Just think about how many schemes targeting Black Lives Matter attributed to Russia since 2016 were actually a product of Candiru’s ready-to-use toolkit. Or some other “commercial surveillance vendor” selling similar tools:
...
Citizen Lab said Candiru’s spyware infrastructure included websites “masquerading as advocacy organizations” such as Amnesty International and Black Lives Matter.
...
And note the price. Yeah, your average person can’t handle these kinds of subscription fees. But basically every government on the planet can. Easily:
...
Citizen Lab published parts of what it said were a leaked proposal by Candiru for hacking services that offered a la carte hacking options. For 16 million euros ($18.9 million), the company would allow the customer to monitor 10 devices simultaneously in a single country. For an extra 5.5 million euros ($6.5 million), 25 additional devices could be monitored in five more countries.
Citizen Lab said Candiru’s spyware targets computers, mobile devices and cloud accounts.
...
It’s too bad CitizenLab couldn’t get the actual subscription information for Candiru’s many clients to see just how many devices governments are paying to hack. It’s almost $2 million per hacked device. That’s probably a lot of people. And a lot of profit for Candiru’s investors.
2021: Year of the Zero-Day
Just how much money is being made by this mercenary spyware industry? We’ll obviously never know. But if the discovery of new zero-day exploits is any indication of the industry’s work, we can say 2021 has been a robust year for the industry. As the following Threatpost piece from July 15 describes, there were 33 zero-day exploits reported by that date this year, compared to 22 zero-day exploits in 2020 in total. At this pace, 2021 will have triple the number of zero-day exploits of 2020, and 2020 was a record year. There’s simply been an explosion of discovered zero-days. For example, at the same time Google issued its own mid-July report on Candiru’s malware being used against activists, it also disclosed a new zero-day flaw against the iOS Safari browser that was targeting Western European government officials. They note in the report that ‘Russian-language actors’ were using the exploit at the same time ‘Nobelium’ was targeting users on Windows devices to deliver Cobalt Strike, suggesting the two are related.
Putting aside the already addressed problems with placing an emphasis on the ‘cultural artifact’ language clues hackers leave, it’s worth noting that the Nobelium hack targeting users on Windows devices was a reference to the USAID phishing attack. As we saw, Microsoft reported multiple zero-day pieces of malware deployed on the victims’ networks from the USAID attack. But Microsoft also reported the deployment of Cobalt Strike in its initial post about the phishing attack a day earlier. Which should come as no surprise. Cobalt Strike, a legitimate security tool that finds vulnerabilities in networks, has exploded in popularity and gone mainstream among criminals. In other words, we can’t infer much from the fact that both this iOS Safari hack and a hack attributed to Nobelium deployed Cobalt Strike. Cobalt Strike is what savvy cybercriminals use these days, and therefore not a trademark indicator of a particular actor. What is a notable coincidence between the USAID phishing hacks and the Safari hack is that both involve zero-day exploits. That’s the primary meaningful technical indicator shared between all of the hacks we are discussing here: zero-day exploits were deployed. And yet, we can only infer so much. We don’t know who is developing or deploying all these zero-days. We just know it could be a much broader range of actors than just Russia and China:
Threatpost
Safari Zero-Day Used in Malicious LinkedIn Campaign
Author: Elizabeth Montalbano
July 15, 2021 7:04 am
Researchers shed light on how attackers exploited Apple web browser vulnerabilities to target government officials in Western Europe.
Threat actors used a Safari zero-day flaw to send malicious links to government officials in Western Europe via LinkedIn before researchers from Google discovered and reported the vulnerability.
That’s the word from researchers from Google Threat Analysis Group (TAG) and Google Project Zero, who Wednesday posted a blog shedding more light on several zero-day flaws that they discovered so far this year. Researchers in particular detailed how attackers exploited the vulnerabilities, the prevalence of which is on the rise, before they were addressed by their respective vendors.
TAG researchers discovered the Safari WebKit flaw, tracked as CVE-2021-1879, on March 19. The vulnerability allowed for the processing of maliciously crafted web content for universal cross-site scripting and was addressed by Apple in an update later that month.
Before the fix, researchers assert Russian-language threat actors were exploiting the vulnerability in the wild by using LinkedIn Messaging to send government officials from Western European countries malicious links that could collect website-authentication cookies, according to the post by Maddie Stone and Clement Lecigne from Google TAG.
“If the target visited the link from an iOS device, they would be redirected to an attacker-controlled domain that served the next-stage payloads,” they wrote.
The exploit, which targeted iOS versions 12.4 through 13.7, would turn off Same-Origin-Policy protections on an infected device to collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook and Yahoo, and then send them via WebSocket to an attacker-controlled IP, researchers wrote. The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated.
Moreover, the campaign targeting iOS devices coincided with others from the same threat actor, which Microsoft has identified as Nobelium, targeting users on Windows devices to deliver Cobalt Strike, researchers wrote. Security firm Volexity described one of these attacks in a report posted online in May, the researchers added.
...
Other Zero-Day Attacks
Google researchers also linked three additional zero-day flaws they identified this year to a commercial surveillance vendor, according to Google TAG’s Shane Huntley. Two of those vulnerabilities, CVE-2021-21166 and CVE-2021-30551, were found in Chrome, and one, tracked as CVE-2021-33742, in Internet Explorer.
CVE-2021-21166 and CVE-2021-30551, two Chrome renderer remote-code execution (RCE) flaws, were identified separately but later believed to be used by the same actor, researchers wrote in the blog. Google researchers discovered the former in February and the latter in June.
“Both of these 0‑days were delivered as one-time links sent by email to the targets, all of whom we believe were in Armenia,” Stone and Lecigne wrote. “The links led to attacker-controlled domains that mimicked legitimate websites related to the targeted users.”
When prospective victims clicked the link, they were redirected to a webpage that would fingerprint their device, collect system information about the client, and generate ECDH keys to encrypt the exploits, researchers wrote. This info—which included screen resolution, timezone, languages, browser plugins, and available MIME types—would then be sent back to the exploit server and used by attackers to decide whether or not an exploit should be delivered to the target, they said.
Researchers also identified a separate campaign in April that also targeted Armenian users by leveraging CVE-2021-26411, an RCE bug found in Internet Explorer (IE). The campaign loaded web content within IE that contained malicious Office documents, researchers wrote.
“This happened by either embedding a remote ActiveX object using a Shell.Explorer.1 OLE object or by spawning an Internet Explorer process via VBA macros to navigate to a web page,” Stone and Lecigne explained.
At the time, researchers said they were unable to recover the next-stage payload, but successfully recovered the exploit after discovering an early June campaign from the same actors. Microsoft patched the flaw later that month, they said.
Why There is an Increase in Zero-Days?
All in all, security researchers have identified 33 zero-day flaws so far in 2021, which is 11 more than the total number from 2020, according to the post.
While that trend reflects an increase in the number of these types of vulnerabilities that exist, Google researchers “believe greater detection and disclosure efforts are also contributing to the upward trend,” they wrote.
Still, it’s highly possible that attackers are indeed using more zero-day exploits for a few reasons, researchers noted. One is that the increase and maturation of security technologies and features means attackers also have to level up, which in turn requires more zero-day vulnerabilities for functional attack chains, they said.
The growth of mobile platforms also has resulted in an increase in the number of products that threat actors want to target—hence more reason to use zero-day exploits, researchers observed. Perhaps inspired by this increase in demand, commercial vendors also are selling more access to zero-days than in the early 2010s, they said.
Finally, the maturation of security protections and strategies also inspires sophistication on the part of attackers as well, boosting the need for them to use zero-day flaws to convince victims to install malware, researchers noted.
“Due to advancements in security, these actors now more often have to use 0‑day exploits to accomplish their goals,” Stone and Lecigne wrote.
———-
“Before the fix, researchers assert Russian-language threat actors were exploiting the vulnerability in the wild by using LinkedIn Messaging to send government officials from Western European countries malicious links that could collect website-authentication cookies, according to the post by Maddie Stone and Clement Lecigne from Google TAG.”
Russian-language threat actors are behind the big vulnerability found in Safari targeting iPhones, according to Google’s Threat Analysis Group (TAG). Malicious links were sent via LinkedIn Messaging to Western European government officials that, when clicked, stole the authentication cookies for sites like Google, Microsoft, LinkedIn, Facebook and Yahoo. The kind of hack that opens the victims up to more hacks, along with any organizations they work for. And the timing of this hacking campaign, and the fact that it coincided with the ‘Nobelium’ USAID phishing campaign in May against Windows systems that delivered Cobalt Strike, suggests it’s the same actor behind both attacks.
But there’s a more significant technical link between the Safari hacking campaign targeting Western government officials and the USAID phishing campaign: both deployed zero-days. Microsoft reported the deployment of Cobalt Strike in its initial post about the hack but later reported multiple zero-day pieces of malware deployed on the victims’ networks from the USAID attack. That’s the real ‘clue’ tying these two hacks together: it was someone sophisticated enough to have an abundance of zero-day exploits. Except it’s not really much of a clue given the existence of an industry filled with secretive companies like Candiru. Numerous actors on the stage have access to cutting-edge zero-days. For all we know, the Safari zero-day campaign and the USAID phishing campaign could both be different Candiru customers using ‘Russian language’ features to leave those ‘clues’ for CrowdStrike and others to find:
...
Moreover, the campaign targeting iOS devices coincided with others from the same threat actor—which Microsoft has identified as Nobelium—targeting users on Windows devices to deliver Cobalt Strike, researchers wrote. Security firm Volexity described one of these attacks in a report posted online in May, the researchers added.
...
Also note that the Microsoft zero-day exploits identified in a separate campaign in April targeting Armenian activists are a reference to the same Candiru exploits CitizenLab was reporting on. They aren’t all Microsoft vulnerabilities; Google’s Chrome browser was hit too. But we’re hearing about vulnerabilities in Internet Explorer, Office, and some other mystery payload that couldn’t even be recovered initially. That’s a lot of Microsoft holes. It fits the Candiru ‘pattern’:
...
Google researchers also linked three additional zero-day flaws they identified this year to a commercial surveillance vendor, according to Google TAG’s Shane Huntley. Two of those vulnerabilities–CVE-2021–21166 and CVE-2021–30551—were found in Chrome, and one, tracked as CVE-2021–33742, in Internet Explorer. CVE-2021–21166 and CVE-2021–30551, two Chrome renderer remote-code execution (RCE) flaws, were identified separately but later believed to be used by the same actor, researchers wrote in the blog. Google researchers discovered the former in February and the latter in June.
“Both of these 0‑days were delivered as one-time links sent by email to the targets, all of whom we believe were in Armenia,” Stone and Lecigne wrote. “The links led to attacker-controlled domains that mimicked legitimate websites related to the targeted users.”
...
All in all, it’s been such a parade of zero-day exploits hitting Microsoft this year that it should come as no surprise to learn that, just over midway through the year, there have already been 50 percent more zero-day exploits announced than in the entire year of 2020. That’s triple the pace of 2020, and 2020 was a record year. Why is this happening? Well, more reporting is no doubt a factor. But as the Google security researchers admit, commercial vendors are selling more access to zero-day exploits than they were a decade ago. There are simply many more zero-day pieces of malware in existence and a growing number of actors with the ability to deploy them:
...
All in all, security researchers have identified 33 zero-day flaws so far in 2021, which is 11 more than the total number from 2020, according to the post. While that trend reflects an increase in the number of these types of vulnerabilities that exist, Google researchers “believe greater detection and disclosure efforts are also contributing to the upward trend,” they wrote.
Still, it’s highly possible that attackers are indeed using more zero-day exploits for a few reasons, researchers noted. One is that the increase and maturation of security technologies and features means attackers also have to level up, which in turn requires more zero-day vulnerabilities for functional attack chains, they said.
The growth of mobile platforms also has resulted in an increase in the number of products that threat actors want to target—hence more reason to use zero-day exploits, researchers observed. Perhaps inspired by this increase in demand, commercial vendors also are selling more access to zero-days than in the early 2010s, they said.
...
We’ve seen a lot of ominous cyber warnings this year. But that stat of zero-days at triple last year’s rate is meta-ominous. It’s like the cyber version of the point in Marvel movies where the universe is on the cusp of exploding. Or imploding. Something really bad.
NSO Group: It’s Not Just a Cybermercenary. It’s a Tool of Israel’s Foreign Policy. A Very Important Tool MBS Covets
A couple days later, we get our first big NSO Group update of July. The New York Times has a piece giving us a big update on the consequences NSO Group paid over the role its Pegasus software played in the killing of Saudi dissident Jamal Khashoggi. The company did pay a price. Or rather the owners did, although they were actually paid in the process: following Khashoggi’s killing, NSO Group investigated the Saudis’ use of its software and determined the contract should be canceled. And it was canceled, at which point the full diplomatic nature of these ‘export licenses’ became more apparent. The Israeli government pressured NSO Group to renew the Pegasus contract. When that didn’t happen, the owners sold to a European private equity group and the Saudi subscription to NSO Group’s tools was renewed. At the end of it all, the one party involved with the Jamal Khashoggi killing to pay a price was Khashoggi:
The New York Times
Israeli Companies Aided Saudi Spying Despite Khashoggi Killing
Ignoring concerns that Saudi Arabia was abusing Israeli spyware to crush dissent at home and abroad, Israel encouraged its companies to work with the kingdom.
By Ronen Bergman and Mark Mazzetti
July 17, 2021
TEL AVIV — Israel secretly authorized a group of cyber-surveillance firms to work for the government of Saudi Arabia despite international condemnation of the kingdom’s abuse of surveillance software to crush dissent, even after the Saudi killing of the journalist Jamal Khashoggi, government officials and others familiar with the contracts said.
After the murder of Mr. Khashoggi in 2018, one of the firms, NSO Group, canceled its contracts with Saudi Arabia amid accusations that its hacking tools were being misused to abet heinous crimes.
But the Israeli government encouraged NSO and two other companies to continue working with Saudi Arabia, and issued a new license for a fourth to do similar work, overriding any concerns about human rights abuses, according to one senior Israeli official and three people affiliated with the companies.
Since then, Saudi Arabia has continued to use the spyware to monitor dissidents and political opponents.
The fact that Israel’s government has encouraged its private companies to do security work for the kingdom — one of its historic adversaries and a nation that still does not formally recognize Israel — is yet more evidence of the reordering of traditional alliances in the region and the strategy by Israel and several Persian Gulf countries to join forces to isolate Iran.
NSO is by far the best known of the Israeli firms, largely because of revelations in the last few years that its Pegasus program was used by numerous governments to spy on, and eventually imprison, human rights activists.
NSO sold Pegasus to Saudi Arabia in 2017. The kingdom used the spyware as part of a ruthless campaign to crush dissent inside the kingdom and to hunt down Saudi dissidents abroad.
It is not publicly known whether Saudi Arabia used Pegasus or other Israeli-made spyware in the plot to kill Mr. Khashoggi. NSO has denied that its software was used.
Israel’s Ministry of Defense also licensed for Saudi work a company called Candiru, which Microsoft accused last week of helping its government clients spy on more than 100 journalists, politicians, dissidents and human rights advocates around the world.
Microsoft, which conducted its investigation in tandem with Citizen Lab, a research institute at the University of Toronto, said Candiru had used malware to exploit a vulnerability in Microsoft products, enabling its government clients to spy on perceived enemies.
Candiru has had at least one contract with Saudi Arabia since 2018.
Israel has also granted licenses to at least two other firms, Verint, which was licensed before the Khashoggi killing, and Quadream, which signed a contract with Saudi Arabia after the killing.
A fifth company, Cellebrite, which manufactures physical hacking systems for mobile phones, has also sold its services to the Saudi government, but without ministry approval, according to the newspaper Haaretz.
Israel insists that if any Israeli spyware were used to violate civil rights that it would revoke the company’s license.
If the Defense Ministry “discovers that the purchased item is being used in contravention of the terms of the license, especially after any violation of human rights, a procedure of cancellation of the defense export license or of enforcing its terms is initiated,” the ministry said in a statement in response to questions from The New York Times.
The ministry declined to respond to specific questions about the licenses it gave to the Israeli firms, but said that “a wide range of security, diplomatic and strategic considerations are taken into account” when considering whether to grant a license to export offensive cyber technology.
Revelations about the abuses of NSO products led the company to hire a group of outside consultants in 2018 to provide advice about which new clients NSO should take on and which to avoid. The group included Daniel Shapiro, the former Obama administration ambassador to Israel, and Beacon Global Strategies, a Washington strategic consulting firm.
Beacon is led by Jeremy Bash, a former C.I.A. and Pentagon chief of staff; Michael Allen, a former staff director for the House Intelligence Committee; and Andrew Shapiro, a former top State Department official.
While the group’s mandate was to vet potential new clients, the international outrage over Mr. Khashoggi’s killing in October 2018 led the group to advise NSO to cancel its Saudi contracts and shut down NSO systems in the kingdom.
Separately, NSO conducted an internal investigation into whether any of its tools were used by Saudi officials for the Khashoggi operation and concluded that they were not. However, a lawsuit against NSO by a friend of Mr. Khashoggi’s claims that his phone had been hacked by Saudi Arabia using Pegasus, and that hack gave Saudi officials access to his conversations with Mr. Khashoggi, including communications about opposition projects.
Over several days in late 2018, executives both of NSO and the private equity firm that owned it at the time, Francisco Partners, met in Washington with the advisory group.
According to several people familiar with the meetings, the NSO executives argued that the Israeli government was strongly encouraging the company to weather the storm and continue its work in Saudi Arabia. They also said that Israeli officials had indicated to them that the Trump administration also wanted NSO’s work with Saudi Arabia to continue.
In the end, NSO management heeded the advice of the outside group and canceled its contracts with Saudi Arabia in late 2018. Mr. Shapiro, the former ambassador to Israel, ended his work for the company shortly afterward.
Months later, however, after another private equity firm bought NSO, the company was once again doing business with Saudi Arabia.
NSO’s new owner, Novalpina, rejected the advice of the outside advisory group and NSO resumed its work in Saudi Arabia in mid-2019. Around that time, Beacon ended its work with NSO.
The new contract with the Saudis came with some restrictions. For example, NSO set up its system to block any attempts by Saudi officials to hack European telephone numbers, according to a person familiar with the programming.
But it is clear that Saudi Arabia has continued to use NSO software to spy on perceived opponents abroad.
In one case that has come to light, three dozen phones belonging to journalists at Al Jazeera, which Saudi Arabia considers a threat, were hacked using NSO’s Pegasus software last year, according to Citizen Lab. Citizen Lab traced 18 of the attacks back to Saudi intelligence.
After the revelation of the attack on Al Jazeera journalists, NSO recently shut down the system, and at a meeting in early July, the company’s board decided to declare new deals with Saudi Arabia off limits, according to a person familiar with the decision.
Israel’s defense ministry is currently fighting lawsuits by Israeli rights activists demanding that it release details about its process for granting the licenses.
The Israeli government also imposes strict secrecy on the companies that receive the licenses, threatening to revoke them if the companies speak publicly about the identity of their clients.
...
These business ties came as Israel was quietly building relationships directly with the Saudi government.
Benjamin Netanyahu, then Israel’s prime minister, met several times with Saudi Arabia’s day-to-day ruler, Crown Prince Mohammed bin Salman, and military and intelligence leaders of the two countries meet frequently.
While Saudi Arabia was not officially party to the Abraham Accords — the diplomatic initiatives during the end of the Trump administration normalizing relations between Israel and several Arab countries — Saudi leaders worked behind the scenes to help broker the deals.
————–
“The fact that Israel’s government has encouraged its private companies to do security work for the kingdom — one of its historic adversaries and a nation that still does not formally recognize Israel — is yet more evidence of the reordering of traditional alliances in the region and the strategy by Israel and several Persian Gulf countries to join forces to isolate Iran.”
It wasn’t just a national security tool. Pegasus was effectively being used as a diplomatic tool. A diplomatic tool to help bring Saudi Arabia and other Persian Gulf neighbors into an alliance against Iran. Which, we’ll recall, was the meta-theme throughout the #TrumpRussia adventures involving Michael Flynn, Erik Prince, Michael Cohen, and the Saudi/UAE scheme to build nuclear power plants across the Middle East (except for Iran). The security relationship between the US, Israel, Saudi Arabia, and the UAE got a lot deeper over the last decade and it’s hard to avoid suspicions that sharing access to super spyware tools like NSO Group’s Pegasus was part of that deepening relationship. Just look at the language the Israeli Defense Ministry used when describing the process that goes into approving one of these licenses: “a wide range of security, diplomatic and strategic considerations are taken into account” when considering whether to grant a license to export offensive cyber technology. That’s one way to put it:
...
Israel insists that if any Israeli spyware were used to violate civil rights that it would revoke the company’s license. If the Defense Ministry “discovers that the purchased item is being used in contravention of the terms of the license, especially after any violation of human rights, a procedure of cancellation of the defense export license or of enforcing its terms is initiated,” the ministry said in a statement in response to questions from The New York Times.
The ministry declined to respond to specific questions about the licenses it gave to the Israeli firms, but said that “a wide range of security, diplomatic and strategic considerations are taken into account” when considering whether to grant a license to export offensive cyber technology.
...
And as we saw, NSO Group isn’t the only company with hacking tools the Israeli government was licensing to Saudi Arabia at this time. One company, Quadream, even signed its contracts with Saudi Arabia after Khashoggi’s killing. So when NSO Group claims that it canceled the Saudi contracts in the wake of the Khashoggi killing but was then encouraged by the Israeli government to continue working with Saudi Arabia, it’s not an implausible scenario. The licensing of cutting-edge hacking tools is clearly part of the Israeli diplomatic playbook. Which isn’t a surprise. It’s a powerful diplomatic tool. Crazy dangerous, but powerful:
...
After the murder of Mr. Khashoggi in 2018, one of the firms, NSO Group, canceled its contracts with Saudi Arabia amid accusations that its hacking tools were being misused to abet heinous crimes. But the Israeli government encouraged NSO and two other companies to continue working with Saudi Arabia, and issued a new license for a fourth to do similar work, overriding any concerns about human rights abuses, according to one senior Israeli official and three people affiliated with the companies.
Since then, Saudi Arabia has continued to use the spyware to monitor dissidents and political opponents.
...
NSO sold Pegasus to Saudi Arabia in 2017. The kingdom used the spyware as part of a ruthless campaign to crush dissent inside the kingdom and to hunt down Saudi dissidents abroad.
...
Israel’s Ministry of Defense also licensed for Saudi work a company called Candiru, which Microsoft accused last week of helping its government clients spy on more than 100 journalists, politicians, dissidents and human rights advocates around the world.
...
Israel has also granted licenses to at least two other firms, Verint, which was licensed before the Khashoggi killing, and Quadream, which signed a contract with Saudi Arabia after the killing.
A fifth company, Cellebrite, which manufactures physical hacking systems for mobile phones, has also sold its services to the Saudi government, but without ministry approval, according to the newspaper Haaretz.
...
The Israeli government also imposes strict secrecy on the companies that receive the licenses, threatening to revoke them if the companies speak publicly about the identity of their clients.
...
But, again, the sale of this kind of super-hacking software to governments around the world probably wasn’t just an Israeli government project. The US government would almost surely have been involved in giving its approval, if only informally. So we shouldn’t be surprised to learn NSO Group hired DC-based Beacon Global Strategies — led by US national security community figureheads like Jeremy Bash — to effectively give its blessing to NSO Group’s more controversial clients. The picture that emerges from the various accounts of NSO Group’s internal deliberations is one in which NSO Group wanted to drop the contract but felt it was effectively being asked by the Israeli government and Trump administration to continue the Saudi contract:
...
Revelations about the abuses of NSO products led the company to hire a group of outside consultants in 2018 to provide advice about which new clients NSO should take on and which to avoid. The group included Daniel Shapiro, the former Obama administration ambassador to Israel, and Beacon Global Strategies, a Washington strategic consulting firm. Beacon is led by Jeremy Bash, a former C.I.A. and Pentagon chief of staff; Michael Allen, a former staff director for the House Intelligence Committee; and Andrew Shapiro, a former top State Department official.
While the group’s mandate was to vet potential new clients, the international outrage over Mr. Khashoggi’s killing in October 2018 led the group to advise NSO to cancel its Saudi contracts and shut down NSO systems in the kingdom.
Separately, NSO conducted an internal investigation into whether any of its tools were used by Saudi officials for the Khashoggi operation and concluded that they were not. However, a lawsuit against NSO by a friend of Mr. Khashoggi’s claims that his phone had been hacked by Saudi Arabia using Pegasus, and that hack gave Saudi officials access to his conversations with Mr. Khashoggi, including communications about opposition projects.
Over several days in late 2018, executives both of NSO and the private equity firm that owned it at the time, Francisco Partners, met in Washington with the advisory group.
According to several people familiar with the meetings, the NSO executives argued that the Israeli government was strongly encouraging the company to weather the storm and continue its work in Saudi Arabia. They also said that Israeli officials had indicated to them that the Trump administration also wanted NSO’s work with Saudi Arabia to continue.
...
And then, at the end of all that consulting about what to do about its Saudi contract, NSO Group canceled the contract. Months later, the company was sold to a new private equity group and the contract was re-opened. The commitment of the Israeli government and Trump administration to providing Saudi Arabia with these hacking tools was so intense that NSO Group somehow found a new owner who was open to that Saudi contract:
...
In the end, NSO management heeded the advice of the outside group and canceled its contracts with Saudi Arabia in late 2018. Mr. Shapiro, the former ambassador to Israel, ended his work for the company shortly afterward. Months later, however, after another private equity firm bought NSO, the company was once again doing business with Saudi Arabia.
NSO’s new owner, Novalpina, rejected the advice of the outside advisory group and NSO resumed its work in Saudi Arabia in mid-2019. Around that time, Beacon ended its work with NSO.
The new contract with the Saudis came with some restrictions. For example, NSO set up its system to block any attempts by Saudi officials to hack European telephone numbers, according to a person familiar with the programming.
But it is clear that Saudi Arabia has continued to use NSO software to spy on perceived opponents abroad.
...
It’s worth keeping in mind that it’s possible Saudi Arabia was tasked with a role similar to the one Israel has long played in the Western alliance: spying on other Western allies. Might that be part of the reason Israel and the US were insistent Saudi Arabia get access to these tools? Outsourcing the outsourced ally-spying? Perhaps.
It’s also possible the Saudis were making access to NSO Group tools a requirement for the broader Middle East peace plan the Trump administration and Jared Kushner were working on, and this story reflects the unusual circumstances under which the US and Israel acquiesced to those demands. But these aren’t normal demands. These are tools approaching NSA and GCHQ capabilities in many respects. It’s hard to imagine the US and Israel casually giving this kind of power away, even to a long-standing military ally like Saudi Arabia. That’s part of why questions about deeper intelligence-sharing pacts and/or illicit quid-pro-quo spying arrangements are so intriguing in this story. NSO Group was peddling digital nuclear weapons. That couldn’t have been treated lightly by the US and Israel. And yet 40 or so governments got their hands on these digital nuclear weapons. What kind of arrangements were made to ensure the inevitable abuses of these tools don’t target US and Israeli interests? A promise not to abuse them? It’s a massive question looming over this story (and the answers point towards little more than promises).
NSO Group’s Worst Nightmare: Sunshine. Lots of Sunshine on Its Shady Activities from Forbidden Stories and Amnesty International
A day after that explosive NY Times report, the Washington Post brings us a write-up of a huge new investigation released by Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International, based on a leaked list of thousands of phone numbers that were purportedly the targets of NSO Group’s feared Pegasus spyware. Phone numbers that, as we’ll see, include major world leaders like Emmanuel Macron. And if those thousands of numbers really are an accurate target list, it was rampant abuse, with activists and rival politicians frequently on the target list. There’s also a new unstoppable zero-day exploit that worked simply by sending an SMS text message or iMessage to smartphones. 60 government agencies in 40 countries were allowed to buy subscriptions to the software and, again, they policed themselves. It started with Mexico getting a subscription in 2011. So the Pegasus super spyware has been sold for a decade now to a growing list of government agencies. Those unlucky Armenian activists had a lot of company.
What is NSO Group’s response to this report? To point out that it’s up to the governments to decide who gets targeted and NSO Group doesn’t know. And while that may not be the best response to the criticism, since it’s more or less an admission the abuse allegations are likely true, it’s an entirely plausible response. NSO Group’s tools are probably entirely controlled by the governments who buy these subscriptions. It’s absurd to expect governments to hand information like their intelligence targets over to NSO Group. That’s part of what’s so scandalous about this industry supplying super-spyware to governments: it’s hard to imagine a scenario where meaningful oversight is possible. It’s an industry built for unchecked secrecy by the clients, and that’s an industry built for abuse.
And yet we are told there are geolocation restrictions on the software and US-based smartphones can’t be targeted by NSO Group’s tools. The phone number list in the report appears to bear that out. So there is some degree of oversight, based solely on location. But that’s it. All other oversight is up to the client, hence all the activists’, journalists’, and political opponents’ phone numbers that show up on the target list:
The Washington Post
Private Israeli spyware used to hack cellphones of journalists, activists worldwide
NSO Group’s Pegasus spyware, licensed to governments around the globe, can infect phones without a click
By Dana Priest, Craig Timberg and Souad Mekhennet
Updated July 18 at 8:15 p.m. Originally published July 18, 2021
Military-grade spyware licensed by an Israeli firm to governments for tracking terrorists and criminals was used in attempted and successful hacks of 37 smartphones belonging to journalists, human rights activists, business executives and two women close to murdered Saudi journalist Jamal Khashoggi, according to an investigation by The Washington Post and 16 media partners.
The phones appeared on a list of more than 50,000 numbers that are concentrated in countries known to engage in surveillance of their citizens and also known to have been clients of the Israeli firm, NSO Group, a worldwide leader in the growing and largely unregulated private spyware industry, the investigation found.
The list does not identify who put the numbers on it, or why, and it is unknown how many of the phones were targeted or surveilled. But forensic analysis of the 37 smartphones shows that many display a tight correlation between time stamps associated with a number on the list and the initiation of surveillance, in some cases as brief as a few seconds.
Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International, a human rights group, had access to the list and shared it with the news organizations, which did further research and analysis. Amnesty’s Security Lab did the forensic analyses on the smartphones.
The numbers on the list are unattributed, but reporters were able to identify more than 1,000 people spanning more than 50 countries through research and interviews on four continents: several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials — including cabinet ministers, diplomats, and military and security officers. The numbers of several heads of state and prime ministers also appeared on the list.
Among the journalists whose numbers appear on the list, which dates to 2016, are reporters working overseas for several leading news organizations, including a small number from CNN, the Associated Press, Voice of America, the New York Times, the Wall Street Journal, Bloomberg News, Le Monde in France, the Financial Times in London and Al Jazeera in Qatar.
The targeting of the 37 smartphones would appear to conflict with the stated purpose of NSO’s licensing of the Pegasus spyware, which the company says is intended only for use in surveilling terrorists and major criminals. The evidence extracted from these smartphones, revealed here for the first time, calls into question pledges by the Israeli company to police its clients for human rights abuses.
The media consortium, titled the Pegasus Project, analyzed the list through interviews and forensic analysis of the phones, and by comparing details with previously reported information about NSO. Amnesty’s Security Lab examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration.
For the remaining 30, the tests were inconclusive, in several cases because the phones had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, Androids do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
Amnesty shared backup copies of data on four iPhones with Citizen Lab, which confirmed that they showed signs of Pegasus infection. Citizen Lab, a research group at the University of Toronto that specializes in studying Pegasus, also conducted a peer review of Amnesty’s forensic methods and found them to be sound.
In lengthy responses before publication, NSO called the investigation’s findings exaggerated and baseless. It also said it does not operate the spyware licensed to its clients and “has no insight” into their specific intelligence activities.
After publication, NSO chief executive Shalev Hulio expressed concern in a phone interview with The Post about some of the details he had read in Pegasus Project stories Sunday, while continuing to dispute that the list of more than 50,000 phone numbers had anything to do with NSO or Pegasus.
“The company cares about journalists and activists and civil society in general,” Hulio said. “We understand that in some circumstances our customers might misuse the system and, in some cases like we reported in [NSO’s] Transparency and Responsibility Report, we have shut down systems for customers who have misused the system.”
He said that in the past 12 months NSO had terminated two contracts over allegations of human rights abuses, but he declined to name the countries involved.
“Every allegation about misuse of the system is concerning me,” he said. “It violates the trust that we give customers. We are investigating every allegation.”
NSO describes its customers as 60 intelligence, military and law enforcement agencies in 40 countries, although it will not confirm the identities of any of them, citing client confidentiality obligations. The consortium found many of the phone numbers in at least 10 country clusters, which were subjected to deeper analysis: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates. Citizen Lab also has found evidence that all 10 have been clients of NSO, according to Bill Marczak, a senior research fellow.
Forbidden Stories organized the media consortium’s investigation, and Amnesty provided analysis and technical support but had no editorial input. Amnesty has openly criticized NSO’s spyware business and supported an unsuccessful lawsuit against the company in an Israeli court seeking to have its export license revoked. After the investigation began, several reporters in the consortium learned that they or their family members had been successfully attacked with Pegasus spyware.
Beyond the personal intrusions made possible by smartphone surveillance, the widespread use of spyware has emerged as a leading threat to democracies worldwide, critics say. Journalists under surveillance cannot safely gather sensitive news without endangering themselves and their sources. Opposition politicians cannot plot their campaign strategies without those in power anticipating their moves. Human rights workers cannot work with vulnerable people — some of whom are victims of their own governments — without exposing them to renewed abuse.
For example, Amnesty’s forensics found evidence that Pegasus was targeted at the two women closest to Saudi columnist Khashoggi, who wrote for The Post’s Opinions section. The phone of his fiancee, Hatice Cengiz, was successfully infected during the days after his murder in Turkey on Oct. 2, 2018, according to a forensic analysis by Amnesty’s Security Lab. Also on the list were the numbers of two Turkish officials involved in investigating his dismemberment by a Saudi hit team. Khashoggi also had a wife, Hanan Elatr, whose phone was targeted by someone using Pegasus in the months before his killing. Amnesty was unable to determine whether the hack was successful.
“This is nasty software — like eloquently nasty,” said Timothy Summers, a former cybersecurity engineer at a U.S. intelligence agency and now director of IT at Arizona State University. With it “one could spy on almost the entire world population. … There’s not anything wrong with building technologies that allows you to collect data; it’s necessary sometimes. But humanity is not in a place where we can have that much power just accessible to anybody.”
In response to detailed questions from the consortium before publication, NSO said in a statement that it did not operate the spyware it licensed to clients and did not have regular access to the data they gather. The company also said its technologies have helped prevent attacks and bombings and broken up rings that trafficked in drugs, sex and children. “Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds,” NSO said. “Your sources have supplied you with information that has no factual basis, as evidenced by the lack of supporting documentation for many of the claims.”
The company denied that its technology was used against Khashoggi, or his relatives or associates.
...
Thomas Clare, a libel attorney hired by NSO, said that the consortium had “apparently misinterpreted and mischaracterized crucial source data on which it relied” and that its reporting contained flawed assumptions and factual errors.
“NSO Group has good reason to believe that this list of ‘thousands of phone numbers’ is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes,” Clare wrote.
In response to follow-up questions, NSO called the 50,000 number “exaggerated” and said it was far too large to represent numbers targeted by its clients. Based on the questions it was being asked, NSO said, it had reason to believe that the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers targets of Pegasus or any other NSO products … we still do not see any correlation of these lists to anything related to use of NSO Group technologies.”
The term HLR, or Home Location Register, refers to a database that is essential to operating cellular phone networks. Such registers keep records on the networks of cellphone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. HLR lookup services operate on the SS7 system that cellular carriers use to communicate with each other. The services can be used as a step toward spying on targets.
Telecommunications security expert Karsten Nohl, chief scientist for Security Research Labs in Berlin, said that he does not have direct knowledge of NSO’s systems but that HLR lookups and other SS7 queries are widely and inexpensively used by the surveillance industry — often for just tens of thousands of dollars a year.
“It’s not difficult to get that access. Given the resources of NSO, it’d be crazy to assume that they don’t have SS7 access from at least a dozen countries,” Nohl said. “From a dozen countries, you can spy on the rest of the world.”
Pegasus was engineered a decade ago by Israeli ex-cyberspies with government-honed skills. The Israeli Defense Ministry must approve any license to a government that wants to buy it, according to previous NSO statements.
“As a matter of policy, the State of Israel approves the export of cyber products exclusively to governmental entities, for lawful use, and only for the purpose of preventing and investigating crime and counterterrorism, under end-use/end user certificates provided by the acquiring government,” a spokesperson for the Israeli defense establishment said Sunday. “In cases where exported items are used in violation of export licenses or end-use certificates, appropriate measures are taken.”
The numbers of about a dozen Americans working overseas were discovered on the list, in all but one case while using phones registered to foreign cellular networks. The consortium could not perform forensic analysis on most of these phones. NSO has said for years that its product cannot be used to surveil American phones. The consortium did not find evidence of successful spyware penetration on phones with the U.S. country code.
“We also stand by our previous statements that our products, sold to vetted foreign governments, cannot be used to conduct cybersurveillance within the United States, and no customer has ever been granted technology that would enable them to access phones with U.S. numbers,” the company said in its statement. “It is technologically impossible and reaffirms the fact your sources’ claims have no merit.”
...
Some Pegasus intrusion techniques detailed in a 2016 report were changed in a matter of hours after they were made public, underscoring NSO’s ability to adapt to countermeasures.
Pegasus is engineered to evade defenses on iPhones and Android devices and to leave few traces of its attack. Familiar privacy measures like strong passwords and encryption offer little help against Pegasus, which can attack phones without any warning to users. It can read anything on a device that a user can, while also stealing photos, recordings, location records, communications, passwords, call logs and social media posts. Spyware also can activate cameras and microphones for real-time surveillance.
“There is just nothing from an encryption standpoint to protect against this,” said Claudio Guarnieri, a.k.a. “Nex,” the Amnesty Security Lab’s 33-year-old Italian researcher who developed and performed the digital forensics on 37 smartphones that showed evidence of Pegasus attacks.
That sense of helplessness makes Guarnieri, who often dresses head-to-toe in black, feel as useless as a 14th-century doctor confronting the Black Plague without any useful medication. “Primarily I’m here just to keep the death count,” he said.
The attack can begin in different ways. It can come from a malicious link in an SMS text message or an iMessage. In some cases, a user must click on the link to start the infection. In recent years, spyware companies have developed what they call “zero-click” attacks, which deliver spyware simply by sending a message to a user’s phone that produces no notification. Users do not even need to touch their phones for infections to begin.
Many countries have laws pertaining to traditional wiretapping and interception of communications, but few have effective safeguards against deeper intrusions made possible by hacking into smartphones. “This is more devious in a sense because it really is no longer about intercepting communications and overhearing conversation. … This covers all of them and goes way beyond that,” Guarnieri said. “It has raised a lot of questions from not only human rights, but even national constitutional laws as to is this even legal?”
Clare, NSO’s attorney, attacked the forensic examinations as “a compilation of speculative and baseless assumptions” built on assumptions based on earlier reports. He also said, “NSO does not have insight into the specific intelligence activities of its customers.”
...
‘What a question!’
Some expressed outrage even at the suggestion of spying on journalists.
A reporter for the French daily Le Monde working on the Pegasus Project recently posed such a question to Hungarian Justice Minister Judit Varga during an interview about the legal requirements for eavesdropping:
“If someone asked you to tape a journalist or an opponent, you wouldn’t accept this?”
“What a question!” Varga responded. “This is a provocation in itself!” A day later, her office requested that this question and her answer to it “be erased” from the interview.
In the past, NSO has blamed its client countries for any alleged abuses. NSO released its first “Transparency and Responsibility Report” last month, arguing that its services are essential to law enforcement and intelligence agencies trying to keep up with the 21st century.
“Terror organizations, drug cartels, human traffickers, pedophile rings and other criminal syndicates today exploit off-the-shelf encryption capabilities offered by mobile messaging and communications applications.
“These technologies provide criminals and their networks a safe haven, allowing them to ‘go dark’ and avoid detection, communicating through impenetrable mobile messaging systems. Law enforcement and counterterrorism state agencies around the world have struggled to keep up.”
NSO also said it conducts rigorous reviews of potential customers’ human rights records before contracting with them and investigates reports of abuses, although it did not cite any specific cases. It asserted that it has discontinued contracts with five clients for documented violations and that the company’s due diligence has cost it $100 million in lost revenue. A person familiar with NSO operations who spoke on the condition of anonymity to discuss internal company matters noted that in the last year alone NSO had terminated contracts with Saudi Arabia and Dubai in the United Arab Emirates over human rights concerns.
“Pegasus is very useful for fighting organized crime,” said Guillermo Valdes Castellanos, head of Mexico’s domestic intelligence agency CISEN from 2006 to 2011. “But the total lack of checks and balances [in Mexican agencies] means it easily ends up in private hands and is used for political and personal gain.”
Mexico was NSO’s first overseas client in 2011, less than a year after the firm was founded in Israel’s Silicon Valley, in northern Tel Aviv.
In 2016 and 2017, more than 15,000 Mexicans appeared on the list examined by the media consortium, among them at least 25 reporters working for the country’s major media outlets, according to the records and interviews.
One of them was Carmen Aristegui, one of the most prominent investigative journalists in the country and a regular contributor to CNN. Aristegui, who is routinely threatened for exposing the corruption of Mexican politicians and cartels, was previously revealed as a Pegasus target in several media reports. At the time, she said in a recent interview, her producer was also targeted. The new records and forensics show that Pegasus links were detected on the phone of her personal assistant.
“Pegasus is something that comes to your office, your home, your bed, every corner of your existence,” Aristegui said. “It is a tool that destroys the essential codes of civilization.”
Unlike Aristegui, freelance reporter Cecilio Pineda was unknown outside his violence-wracked southern state of Guerrero. His number appears twice on the list of 50,000. A month after the second listing, he was gunned down while lying in a hammock at a carwash while waiting for his car. It is unclear what role, if any, Pegasus’s ability to geolocate its targets in real time contributed to his murder. Mexico is among the deadliest countries for journalists; 11 were killed in 2017, according to Reporters Without Borders.
“Even if Forbidden Stories were correct that an NSO Group client in Mexico targeted the journalist’s phone number in February 2017, that does not mean that the NSO Group client or data collected by NSO Group software were in any way connected to the journalist’s murder the following month,” Clare, NSO’s lawyer, wrote in his letter to Forbidden Stories. “Correlation does not equal causation, and the gunmen who murdered the journalist could have learned of his location at a public carwash through any number of means not related to NSO Group, its technologies, or its clients.”
Mexico’s Public Security Ministry acknowledged last year that the domestic intelligence agency, CISEN, and the attorney general’s office acquired Pegasus in 2014 and discontinued its use in 2017 when the license expired. Mexican media have also reported that the Defense Ministry used the spyware.
Snowden’s legacy
Today’s thriving international spyware industry dates back decades but got a boost after the unprecedented 2013 disclosure of highly classified National Security Agency documents by contractor Edward Snowden. They revealed that the NSA could obtain the electronic communications of almost anyone because it had secret access to the transnational cables carrying Internet traffic worldwide and data from Internet companies such as Google and giant telecommunications companies such as AT&T.
Even U.S. allies in Europe were shocked by the comprehensive scale of the American digital spying, and many national intelligence agencies set out to improve their own surveillance abilities. For-profit firms staffed with midcareer retirees from intelligence agencies saw a lucrative market-in-waiting free from the government regulations and oversight imposed on other industries.
The dramatic expansion of end-to-end encryption by Google, Microsoft, Facebook, Apple and other major technology firms also prompted law enforcement and intelligence officials to complain they had lost access to the communications of legitimate criminal targets. That in turn sparked more investment in technologies, such as Pegasus, that worked by targeting individual devices.
“When you build a building, you want to make sure the building holds up, so we follow certain protocols,” said Ido Sivan-Sevilla, an expert on cyber governance at the University of Maryland. By promoting the sale of unregulated private surveillance tools, “we encourage building buildings that can be broken into. We are building a monster. We need an international norms treaty that says certain things are not okay.”
Without international standards and rules, there are secret deals between companies like NSO and the countries they service.
The unfettered use of a military-grade spyware such as Pegasus can help governments to suppress civic activism at a time when authoritarianism is on the rise worldwide. It also gives countries without the technical sophistication of such leading nations as the United States, Israel and China the ability to conduct far deeper digital cyberespionage than ever before.
‘Your body stops functioning’
Azerbaijan, a longtime ally of Israel, has been identified as an NSO client by Citizen Lab and others. The country is a family-run kleptocracy with no free elections, no impartial court system and no independent news media. The former Soviet territory has been ruled since the Soviet Union collapsed 30 years ago by the Aliyev family, whose theft of the country’s wealth and money-laundering schemes abroad have resulted in foreign embargoes, international sanctions and criminal indictments.
Despite the difficulties, roughly three dozen Azerbaijani reporters continue to document the family’s corruption. Some are hiding inside the country, but most were forced into exile where they are not so easy to capture. Some work for the Prague-based, U.S.-funded Radio Free Europe/Radio Liberty, which was kicked out of the country in 2015 for its reporting. The others work for an investigative reporting nonprofit called the Organized Crime and Corruption Reporting Project, which is based in Sarajevo, the Bosnian capital, and is one of the partners in the Pegasus Project.
The foremost investigative reporter in the region is Khadija Ismayilova, whom the regime has worked for a decade to silence: It planted a secret camera in her apartment wall, took videos of her having sex with her boyfriend and then posted them on the Internet in 2012; she was arrested in 2014, tried and convicted on trumped-up tax-evasion and other charges, and held in prison cells with hardened criminals. After global outrage and the high-profile intervention of human rights attorney Amal Clooney, she was released in 2016 and put under a travel ban.
“It is important that people see examples of journalists who do not stop because they were threatened,” Ismayilova said in a recent interview. “It’s like a war. You leave your trench, then the attacker comes in. … You have to keep your position, otherwise it will be taken and then you will have less space, less space, the space will be shrinking and then you will find it hard to breathe.”
Last month, her health failing, she was allowed to leave the country. Colleagues arranged to test her smartphone immediately. Forensics by Security Lab determined that Pegasus had attacked and penetrated her device numerous times from March 2019 to as late as May of this year.
She had assumed some kind of surveillance, Ismayilova said, but was still surprised at the number of attacks. “When you think maybe there’s a camera in the toilet, your body stops functioning,” she said. “I went through this, and for eight or nine days I could not use the toilet, anywhere, not even in public places. My body stopped functioning.”
She stopped communicating with people because whoever she spoke with ended up harassed by security services. “You don’t trust anyone, and then you try not to have any long-term plans with your own life because you don’t want any person to have problems because of you.”
Confirmation of the Pegasus penetration galled her. “My family members are also victimized. The sources are victimized. People I’ve been working with, people who told me their private secrets are victimized,” she said. “It’s despicable. … I don’t know who else has been exposed because of me, who else is in danger because of me.”
Is the minister paranoid or sensible?
The fear of widespread surveillance impedes the already difficult mechanics of civic activism.
“Sometimes, that fear is the point,” said John Scott-Railton, a senior researcher at Citizen Lab, who has researched Pegasus extensively. “The psychological hardship and the self-censorship it causes are key tools of modern-day dictators and authoritarians.”
When Siddharth Varadarajan, co-founder of the Wire, an independent online outlet in India, learned that Security Lab’s analysis showed that his phone had been targeted and penetrated by Pegasus, his mind immediately ran through his sensitive sources. He thought about a minister in Prime Minister Narendra Modi’s government who had displayed an unusual concern about surveillance when they met.
The minister first moved the meeting from one location to another at the last moment, then switched off his phone and told Varadarajan to do the same.
Then “the two phones were put in a room and music was put on in that room … and I thought: ‘Boy, this guy is really paranoid. But maybe he was being sensible,’ ” Varadarajan said in a recent interview.
When forensics showed his phone had been penetrated, he knew the feeling himself. “You feel violated, there’s no doubt about it,” he said. “This is an incredible intrusion, and journalists should not have to deal with this. Nobody should have to deal with this.”
————-
“The targeting of the 37 smartphones would appear to conflict with the stated purpose of NSO’s licensing of the Pegasus spyware, which the company says is intended only for use in surveilling terrorists and major criminals. The evidence extracted from these smartphones, revealed here for the first time, calls into question pledges by the Israeli company to police its clients for human rights abuses.”
It’s long been justifiably suspected that NSO Group doesn’t actually have safeguards in place to ensure its unstoppable hacking software isn’t being abused by its government clients. Dozens and dozens of government clients. But if the analysis of the lists of targeted phones and the forensic analysis of a number of those phones by Forbidden Stories and Amnesty International is correct, we now have that evidence. NSO Group’s Pegasus software has been wildly abused by its government clients. Because of course it was. You couldn’t give dozens of governments around the world super hacking tools and not expect them to target activists, journalists, academics, and other governments.
How much abuse has taken place? We don’t know. And if we believe NSO Group, they don’t really know either. The company doesn’t operate the software for its clients and “has no insight” into their specific intelligence activities. That’s what the company itself is claiming in its defense: it doesn’t know how its software is actually used. That’s 60 intelligence, military and law enforcement agencies in 40 countries operating under that see-no-evil-because-we-are-blind oversight from the vendor.
And yet the company defends itself by pointing out how it terminated two contracts over allegations of abuses in the last 12 months. Note the term “allegations”. Not “investigation” or “routine audit”. The contracts were canceled after allegations. Against Saudi Arabia and Dubai. So NSO defended itself against charges that it was allowing its clients to abuse its software by pointing out that it canceled Saudi Arabia’s and Dubai’s contracts due to human rights concerns. Concerns obviously tied to the assassination of Jamal Khashoggi and all of the public scrutiny NSO received as a result. It’s not exactly proactive oversight:
...
In lengthy responses before publication, NSO called the investigation’s findings exaggerated and baseless. It also said it does not operate the spyware licensed to its clients and “has no insight” into their specific intelligence activities.
After publication, NSO chief executive Shalev Hulio expressed concern in a phone interview with The Post about some of the details he had read in Pegasus Project stories Sunday, while continuing to dispute that the list of more than 50,000 phone numbers had anything to do with NSO or Pegasus.
“The company cares about journalists and activists and civil society in general,” Hulio said. “We understand that in some circumstances our customers might misuse the system and, in some cases like we reported in [NSO’s] Transparency and Responsibility Report, we have shut down systems for customers who have misused the system.”
He said that in the past 12 months NSO had terminated two contracts over allegations of human rights abuses, but he declined to name the countries involved.
“Every allegation about misuse of the system is concerning me,” he said. “It violates the trust that we give customers. We are investigating every allegation.”
NSO describes its customers as 60 intelligence, military and law enforcement agencies in 40 countries, although it will not confirm the identities of any of them, citing client confidentiality obligations. The consortium found many of the phone numbers in at least 10 country clusters, which were subjected to deeper analysis: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates. Citizen Lab also has found evidence that all 10 have been clients of NSO, according to Bill Marczak, a senior research fellow.
...
“This is nasty software — like eloquently nasty,” said Timothy Summers, a former cybersecurity engineer at a U.S. intelligence agency and now director of IT at Arizona State University. With it “one could spy on almost the entire world population. … There’s not anything wrong with building technologies that allows you to collect data; it’s necessary sometimes. But humanity is not in a place where we can have that much power just accessible to anybody.”
In response to detailed questions from the consortium before publication, NSO said in a statement that it did not operate the spyware it licensed to clients and did not have regular access to the data they gather. The company also said its technologies have helped prevent attacks and bombings and broken up rings that trafficked in drugs, sex and children. “Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds,” NSO said. “Your sources have supplied you with information that has no factual basis, as evidenced by the lack of supporting documentation for many of the claims.”
...
Clare, NSO’s attorney, attacked the forensic examinations as “a compilation of speculative and baseless assumptions” built on assumptions based on earlier reports. He also said, “NSO does not have insight into the specific intelligence activities of its customers.”
...
In the past, NSO has blamed its client countries for any alleged abuses. NSO released its first “Transparency and Responsibility Report” last month, arguing that its services are essential to law enforcement and intelligence agencies trying to keep up with the 21st century.
...
NSO also said it conducts rigorous reviews of potential customers’ human rights records before contracting with them and investigates reports of abuses, although it did not cite any specific cases. It asserted that it has discontinued contracts with five clients for documented violations and that the company’s due diligence has cost it $100 million in lost revenue. A person familiar with NSO operations who spoke on the condition of anonymity to discuss internal company matters noted that in the last year alone NSO had terminated contracts with Saudi Arabia and Dubai in the United Arab Emirates over human rights concerns.
...
Mexico was NSO’s first overseas client in 2011, less than a year after the firm was founded in Israel’s Silicon Valley, in northern Tel Aviv.
...
But then there’s the NSO Group’s more legitimate excuse for selling this kind of powerful software to governments known for human rights abuses: the Israeli Defense Ministry has to approve NSO Group’s contracts. Beyond that, NSO Group claims its software cannot be used on US-based phones, raising questions about whether or not the US government was also tacitly giving its approval for these contracts:
...
Pegasus was engineered a decade ago by Israeli ex-cyberspies with government-honed skills. The Israeli Defense Ministry must approve any license to a government that wants to buy it, according to previous NSO statements.
“As a matter of policy, the State of Israel approves the export of cyber products exclusively to governmental entities, for lawful use, and only for the purpose of preventing and investigating crime and counterterrorism, under end-use/end user certificates provided by the acquiring government,” a spokesperson for the Israeli defense establishment said Sunday. “In cases where exported items are used in violation of export licenses or end-use certificates, appropriate measures are taken.”
The numbers of about a dozen Americans working overseas were discovered on the list, in all but one case while using phones registered to foreign cellular networks. The consortium could not perform forensic analysis on most of these phones. NSO has said for years that its product cannot be used to surveil American phones. The consortium did not find evidence of successful spyware penetration on phones with the U.S. country code.
“We also stand by our previous statements that our products, sold to vetted foreign governments, cannot be used to conduct cybersurveillance within the United States, and no customer has ever been granted technology that would enable them to access phones with U.S. numbers,” the company said in its statement. “It is technologically impossible and reaffirms the fact your sources’ claims have no merit.”
...
But the biggest revelation in this story is the nature of the NSO Group exploits being sold with the Pegasus system: “zero-click” exploits that quietly deliver spyware simply by sending a message to the target’s phone. That is effectively an unstoppable attack. So NSO Group was selling unstoppable exploits that could target any smartphone in the world — with the possible exception of US phones, if we believe the company’s assurances — to over 40 different governments around the world, starting in 2011 with the contract with Mexico. And as this investigation revealed, those unstoppable exploits were widely used by these governments for far more than just law enforcement and terrorism cases. That is a massive revelation, in part because it means governments around the world have been empowered to secretly hack each other for years now. But this wasn’t exactly a new revelation. We learned back in May 2019 about NSO Group’s unstoppable exploit that could infect a phone simply by calling it over the WhatsApp calling feature. The exploit worked even when victims didn’t answer the call. So the existence of ‘zero-click’ exploits isn’t exactly a new revelation, but it sounds like that WhatsApp exploit was far from the only one. They’ve figured out how to do it with SMS text messages or iMessages too. That covers basically every smartphone, whether you have WhatsApp on it or not:
...
Some Pegasus intrusion techniques detailed in a 2016 report were changed in a matter of hours after they were made public, underscoring NSO’s ability to adapt to countermeasures.
Pegasus is engineered to evade defenses on iPhones and Android devices and to leave few traces of its attack. Familiar privacy measures like strong passwords and encryption offer little help against Pegasus, which can attack phones without any warning to users. It can read anything on a device that a user can, while also stealing photos, recordings, location records, communications, passwords, call logs and social media posts. Spyware also can activate cameras and microphones for real-time surveillance.
“There is just nothing from an encryption standpoint to protect against this,” said Claudio Guarnieri, a.k.a. “Nex,” the Amnesty Security Lab’s 33-year-old Italian researcher who developed and performed the digital forensics on 37 smartphones that showed evidence of Pegasus attacks.
That sense of helplessness makes Guarnieri, who often dresses head-to-toe in black, feel as useless as a 14th-century doctor confronting the Black Plague without any useful medication. “Primarily I’m here just to keep the death count,” he said.
The attack can begin in different ways. It can come from a malicious link in an SMS text message or an iMessage. In some cases, a user must click on the link to start the infection. In recent years, spyware companies have developed what they call “zero-click” attacks, which deliver spyware simply by sending a message to a user’s phone that produces no notification. Users do not even need to touch their phones for infections to begin.
...
Unstoppable zero-day attacks and zero oversight. What could possibly go wrong?
Forget All Those NSO Group and Candiru Stories: The US and Western Allies Accuse China of the Microsoft Exchange Hack
So how are governments responding to this string of devastating reports. First Candiru’s zero-day malware gets exposed being used against activists around the world. Then NSO Group is revealed to be the cyber equivalent of a nuclear mercenary. And a diplomatic tool. It was a rough week of reporting on the “commercial surveillance” cyber industry. A lot of tough questions for raised. And we got our answer one day after the Washington Post’s report: The US and Western allies were finally formally accusing China of being behind the Microsoft Exchange hack first disclosed back in March. It was great timing.
And as we’ll see in the next article excerpt about the public accusations by the US and its fellow allies against China’s Ministry of State Security (MSS), China isn’t just accused of tolerating smash-and-grab raids. The MSS-backed hacker groups are also accused of tolerating ransomware attacks for their own personal profit. So the hacker groups accused of carrying out the Microsoft Exchange hack and other hacks attributed to China are also groups engaging in the kind of cyber-extortion and ransomware schemes for their own profit that are traditionally associated with standard cyber criminals. That’s the evolving narrative in the face of evidence that the Microsoft Exchange hack was really many hacks involving multiple criminal groups on a rampant spree that also run cyber-extortion schemes: They were Chinese state-backed hackers who also run private extortive criminal hacks on their own because China’s government has decided to give zero-day exploits to groups that take those zero-day exploits and go on a global hacking spree. The Chinese government endorsed or at least tolerated that dramatic escalation. No longer espionage but global smash-and-grab sprees. That’s the new narrative. A new narrative that’s evolving in the face of the evidence that the people carrying out these mega-hacks are acting like traditional hackers and not state-backed espionage-focused groups.
Recall how the known timeline of the Exchange hack is that it started on January 3 (Volexity’s first detected use of the zero-day exploit by “Hafnium”). It was January 6, during the Capitol Insurrection, when Volexity first observed a large download to an unauthorized address. Hafnium quietly hit organizations until Microsoft issued a patch on March 2. At that point, multiple groups went on a global race to hit every unpatched server connected to the internet. So given that timeline, it’s likely that the groups that went on the race following the patch are the ones with a criminal for-profit track record. And we are to assume “Hafnium”, a state-backed Chinese hacker group, handed this zero-day exploit over to these groups and gave its blessing to the global smash-and-grab. Which, if true, really would be a dramatic escalation in hacks from China. It’s the “if true” part that’s the catch. Notice how no one even bothers to provide a pretense of evidence for any of these claims.
Amusingly, the governments making these accusations against China hadn’t quite gotten their stories straight. Because as we just saw, much of the ostensible alarm over these accusations is that they signify a shift from quiet espionage to in-your-face smash-and-grab raids by Chinese state-backed hackers. And yet as we’ll see, U.K. Foreign Secretary Dominic Raab described the attack as “a reckless but familiar pattern of behaviour” by Chinese state-backed groups. So what is it? New reckless behavior? Or familiar reckless behavior? That part of the narrative has yet to be decided. But this was what major Western governments were talking about a day after that NSO Group report: China:
Associated Press
Microsoft Exchange hack caused by China, US and allies say
By ERIC TUCKER
July 19, 2021
WASHINGTON (AP) — The Biden administration and Western allies formally blamed China on Monday for a massive hack of Microsoft Exchange email server software and asserted that criminal hackers associated with the Chinese government have carried out ransomware and other illicit cyber operations.
The announcements, though not accompanied by sanctions against the Chinese government, were intended as a forceful condemnation of activities a senior Biden administration official described as part of a “pattern of irresponsible behavior in cyberspace.” They highlighted the ongoing threat from Chinese hackers even as the administration remains consumed with trying to curb ransomware attacks from Russia-based syndicates that have targeted critical infrastructure.
The broad range of cyberthreats from Beijing disclosed on Monday included a ransomware attack from government-affiliated hackers that targeted victims — including in the U.S. — with demands for millions of dollars. U.S officials also alleged that criminal contract hackers associated with China’s Ministry of State Security have engaged in cyber extortion schemes and theft for their own profit.
Meanwhile, the Justice Department on Monday announced charges against four Chinese nationals who prosecutors said were working with the MSS in a hacking campaign that targeted dozens of computer systems, including companies, universities and government entities. The defendants are accused of targeting trade secrets and confidential business information, including scientific technologies and infectious-disease research.
Unlike in April, when public finger-pointing of Russian hacking was paired with a raft of sanctions against Moscow, the Biden administration did not announce any actions against Beijing. Nonetheless, a senior administration official who briefed reporters said that the U.S. has confronted senior Chinese officials and that the White House regards the multination shaming as sending an important message, even if no single action can change behavior.
President Joe Biden told reporters “the investigation’s not finished,” and White House press secretary Jen Psaki did not rule out future consequences for China, saying, “This is not the conclusion of our efforts as it relates to cyber activities with China or Russia.”
Even without fresh sanctions, Monday’s actions are likely to exacerbate tensions with China at a delicate time. Just last week, the U.S. issued separate stark warnings against transactions with entities that operate in China’s western Xinjiang region, where China is accused of repressing Uyghur Muslims and other minorities.
...
The European Union and Britain were among the allies who called out China. The EU said malicious cyber activities with “significant effects” that targeted government institutions, political organizations and key industries in the bloc’s 27 member states could be linked to Chinese hacking groups. The U.K.’s National Cyber Security Centre said the groups targeted maritime industries and naval defense contractors in the U.S. and Europe and the Finnish parliament.
In a statement, EU foreign policy chief Josep Borrell said the hacking was “conducted from the territory of China for the purpose of intellectual property theft and espionage.”
The Microsoft Exchange cyberattack “by Chinese state-backed groups was a reckless but familiar pattern of behaviour,” U.K. Foreign Secretary Dominic Raab said.
NATO, in its first public condemnation of China for hacking activities, called on Beijing to uphold its international commitments and obligations “and to act responsibly in the international system, including in cyberspace.” The alliance said it was determined to “actively deter, defend against and counter the full spectrum of cyber threats.”
That hackers affiliated with the Ministry of State Security were engaged in ransomware was surprising and concerning to the U.S. government, the senior administration official said. But the attack, in which an unidentified American company received a high-dollar ransom demand, also gave U.S. officials new insight into what the official said was “the kind of aggressive behavior that we’re seeing coming out of China.”
A spokesperson for the Chinese Embassy in Washington, Liu Pengyu, said in a statement that the “U.S. has repeatedly made groundless attacks and malicious smear against China on cybersecurity. Now this is just another old trick, with nothing new in it.” The statement called China “a severe victim of the US cyber theft, eavesdropping and surveillance.”
The majority of the most damaging and high-profile recent ransomware attacks have involved Russian criminal gangs. Though the U.S. has sometimes seen connections between Russian intelligence agencies and individual hackers, the use of criminal contract hackers by the Chinese government “to conduct unsanctioned cyber operations globally is distinct,” the official said.
Dmitri Alperovitch, the former chief technology officer of the cybersecurity firm Crowdstrike, said the announcement makes clear that MSS contractors who for years have worked for the government and conducted operations on its behalf have over time decided — either with the approval or the “blind eye of their bosses” — to “start moonlighting and engaging in other activities that could put money in their pockets.”
The Microsoft Exchange hack that months ago compromised tens of thousands of computers around the world was swiftly attributed to Chinese cyber spies by Microsoft.
An administration official said the government’s attribution to hackers affiliated with the Ministry of State Security took until now in part because of the discovery of the ransomware and for-profit hacking operations and because the administration wanted to pair the announcement with guidance for businesses about tactics that the Chinese have been using.
Given the scope of the attack, Alperovitch said it was “puzzling” that the U.S. did not impose sanctions.
“They certainly deserve it, and at this point, it’s becoming a glaring standout that we have not,” he said.
He added, in a reference to a large Russian cyberespionage operation discovered late last year, “There’s no question that the Exchange hacks have been more reckless, more dangerous and more disruptive than anything the Russians have done in SolarWinds.”
———-
“The broad range of cyberthreats from Beijing disclosed on Monday included a ransomware attack from government-affiliated hackers that targeted victims — including in the U.S. — with demands for millions of dollars. U.S officials also alleged that criminal contract hackers associated with China’s Ministry of State Security have engaged in cyber extortion schemes and theft for their own profit.”
Criminal contract hackers. That’s who China’s Ministry of State Security is apparently hiring to carry out these mega hacks. That’s the accusation coming from the US and allies. What evidence this assertion is based on is of course never given, but the parallel charges against four Chinese nationals accused of working with the MSS in a hacking campaign are presumably supposed to serve as a kind of proxy evidence:
...
Meanwhile, the Justice Department on Monday announced charges against four Chinese nationals who prosecutors said were working with the MSS in a hacking campaign that targeted dozens of computer systems, including companies, universities and government entities. The defendants are accused of targeting trade secrets and confidential business information, including scientific technologies and infectious-disease research.
...
But, again, observe how inconsistent the accusations are. The EU is referring to hacks that could be linked to Chinese hacking groups while the UK’s Foreign Secretary calls it “a reckless but familiar pattern of behaviour”. And look at the US’s explanation for why it took this long to make the attribution when Microsoft seemingly did it immediately: the discovery of ransomware and for-profit schemes by these same hackers delayed the attribution. In other words, Microsoft’s evidence-free initial assertion that the hack was the responsibility of the Chinese (and definitely completely unrelated to the SolarWinds hack!) got complicated after it was observed that the hackers were behaving like normal criminals and engaging in ransomware for-profit schemes. So they had to create a new narrative about how the Chinese government is now using contract criminal hackers to carry out their mega-hacks. Because why carry out a mega-hack on your own when you can share it with the criminal underworld:
...
Even without fresh sanctions, Monday’s actions are likely to exacerbate tensions with China at a delicate time. Just last week, the U.S. issued separate stark warnings against transactions with entities that operate in China’s western Xinjiang region, where China is accused of repressing Uyghur Muslims and other minorities....
The European Union and Britain were among the allies who called out China. The EU said malicious cyber activities with “significant effects” that targeted government institutions, political organizations and key industries in the bloc’s 27 member states could be linked to Chinese hacking groups. The U.K.’s National Cyber Security Centre said the groups targeted maritime industries and naval defense contractors in the U.S. and Europe and the Finnish parliament.
In a statement, EU foreign policy chief Josep Borrell said the hacking was “conducted from the territory of China for the purpose of intellectual property theft and espionage.”
The Microsoft Exchange cyberattack “by Chinese state-backed groups was a reckless but familiar pattern of behaviour,” U.K. Foreign Secretary Dominic Raab said.
NATO, in its first public condemnation of China for hacking activities, called on Beijing to uphold its international commitments and obligations “and to act responsibly in the international system, including in cyberspace.” The alliance said it was determined to “actively deter, defend against and counter the full spectrum of cyber threats.”
That hackers affiliated with the Ministry of State Security were engaged in ransomware was surprising and concerning to the U.S. government, the senior administration official said. But the attack, in which an unidentified American company received a high-dollar ransom demand, also gave U.S. officials new insight into what the official said was “the kind of aggressive behavior that we’re seeing coming out of China.”
...
The majority of the most damaging and high-profile recent ransomware attacks have involved Russian criminal gangs. Though the U.S. has sometimes seen connections between Russian intelligence agencies and individual hackers, the use of criminal contract hackers by the Chinese government “to conduct unsanctioned cyber operations globally is distinct,” the official said.
...
The Microsoft Exchange hack that months ago compromised tens of thousands of computers around the world was swiftly attributed to Chinese cyber spies by Microsoft.
An administration official said the government’s attribution to hackers affiliated with the Ministry of State Security took until now in part because of the discovery of the ransomware and for-profit hacking operations and because the administration wanted to pair the announcement with guidance for businesses about tactics that the Chinese have been using.
...
Also keep in mind that the criminal hacker groups didn’t appear in the Exchange hack until March 2 according to our known timeline, the day Microsoft also issued its report that blamed the hack on state-sponsored “Hafnium”. So the criminal-like behavior of the groups with access to this exploit wasn’t necessarily apparent when Microsoft made its initial “Hafnium” attribution.
But note the one consistent actor here: Dmitri Alperovitch — co-founder of CrowdStrike and the guy who pioneered the modern approach of making loud evidence-free hacking accusations against countries as a means of preventing future attacks — is giving us exactly the response we should expect by asking why these accusations haven’t led to new sanctions against China:
...
Dmitri Alperovitch, the former chief technology officer of the cybersecurity firm Crowdstrike, said the announcement makes clear that MSS contractors who for years have worked for the government and conducted operations on its behalf have over time decided — either with the approval or the “blind eye of their bosses” — to “start moonlighting and engaging in other activities that could put money in their pockets.”
Given the scope of the attack, Alperovitch said it was “puzzling” that the U.S. did not impose sanctions.
“They certainly deserve it, and at this point, it’s becoming a glaring standout that we have not,” he said.
He added, in a reference to a large Russian cyberespionage operation discovered late last year, “There’s no question that the Exchange hacks have been more reckless, more dangerous and more disruptive than anything the Russians have done in SolarWinds.”
...
Also note that Alperovitch is now the former CTO of Crowdstrike, having left the company in 2020 to start a non-profit “policy accelerator” focused on cybersecurity in a geopolitical context. In other words, Alperovitch started a think-tank and lobby shop dedicated to pushing for the kind of hacking-based sanctions against Russia and China he’s long advocated for anyway.
The BBC has a bit more on the story that gives us a better idea of how Western governments are theorizing that China decided to carry out this global mega-hack using common cyber-criminals as co-conspirators: Hafnium knew Microsoft planned to deal with the weakness and so shared it with other China-based hackers. In other words, the Chinese state-backed hackers realized the jig was up and handed the zero-day exploit (which was no longer a zero-day) to criminals for some strategic reason.
Again, recall the known timeline of the Exchange hack: it started on January 3 (Volexity’s first detected use of the zero-day exploit by “Hafnium”). It was January 6, during the Capitol Insurrection, when Volexity first observed a large download to an unauthorized address. Hafnium quietly hit organizations until Microsoft issued a patch on March 2, the same day it blamed the hack on Hafnium, a state-backed Chinese hacker group. That’s the day we are told multiple criminal groups went on a global race to hit every unpatched server connected to the internet.
So what would be the motive for Hafnium to hand that zero-day exploit over to criminal groups and escalate the hack to the level of worst ever? Maximize damage? Cover their tracks? It’s unclear what the theorized rationale would be. Microsoft blamed the hack on “Hafnium” and called them a Chinese state-backed group in the initial security blog post that announced the Exchange patch to fix the exploit, which is when the criminal ransacking reportedly started. So it’s not like there was obvious track covering by Hafnium to be done at that point. But that’s what we’re told by these Western government sources: after getting caught with their quiet targeted hack, these state-backed hackers made a conscious decision to hand the super exploit over to criminals and tolerate a global ransacking:
BBC News
China says Microsoft hacking accusations fabricated by US and allies
Published 7/20/2021
China has denied allegations that it carried out a major cyber-attack against tech giant Microsoft.
The US and other Western countries on Monday accused China of hacking Microsoft Exchange — a popular email platform used by companies worldwide.
They said it was part of a broader pattern of “reckless” behaviour that threatened global security.
China says it opposes all forms of cyber-crime, and has called the claims “fabricated”.
China’s foreign ministry spokesman said the US had got its allies to make “unreasonable criticisms” against China.
The UK, EU, New Zealand, Australia and others joined the US to accuse Chinese state-sponsored hackers.
...
Microsoft blamed a Chinese cyber-espionage group for targeting a weakness in Microsoft Exchange, which allowed hackers to get into email inboxes.
It said the group, known as Hafnium, was state-sponsored and based in China.
Western security sources believe Hafnium knew Microsoft had planned to deal with the weakness, and so shared it with other China-based hackers.
The sources say the hack seems to signal a shift from a targeted espionage campaign to a smash-and-grab raid, leading to concerns that Chinese cyber-behaviour is escalating.
The UK Foreign Office said the Chinese government had “ignored repeated calls to end its reckless campaign, instead allowing state-backed actors to increase the scale of their attacks”.
US President Joe Biden said the Chinese government may not have been carrying out the attacks itself, but was “protecting those who are doing it. And maybe even accommodating them being able to do it”.
...
———–
“China says Microsoft hacking accusations fabricated by US and allies”; BBC News; 7/20/2021
“Western security sources believe Hafnium knew Microsoft had planned to deal with the weakness, and so shared it with other China-based hackers.”
It’s quite a scenario described by the Western security source for this article: Hafnium found out Microsoft planned on closing some vulnerabilities, prompting Hafnium to share the vulnerability with other China-based hackers. Recall how, as we saw above, Volexity witnessed what was a quiet infiltration of some systems — using the zero-day exploits — on January 6 during the Capitol insurrection. It was in the following days that the hack became much more widespread and open and aggressive. So we are probably being asked to assume that the second noisy phase of the hack was after Hafnium gave their incredible zero-day exploit to other criminal hackers around China. And this was all quietly sanctioned by the Chinese government. That’s the narrative we are being asked to believe, this time with Western governments making the assertions, not Microsoft. And as always, we have no idea what evidence this belief is based on. The one thing we can state with confidence is that a large number of the actors who used this exploit during that global ransacking phase appear to be criminal.
But if we take the state-backed criminal-super-hack narrative seriously, we have to treat this as a major escalation by the Chinese government. Which it very much would be if true. An insane escalation that could enrage the global business community. Not just governments:
...
The sources say the hack seems to signal a shift from a targeted espionage campaign to a smash-and-grab raid, leading to concerns that Chinese cyber-behaviour is escalating.
...
But, again, keep in mind that this entire discussion about Hafnium and criminal hacking groups was due to the US and its allies issuing a big coordinated public rebuke of China’s involvement in the Exchange hack one day after the pair of NSO Group mega-scandal stories. Stories that raised enormous questions about the hacking attributions of the last decade, at a minimum.
Macron to the World: New Phone, Who Dis?
And a few days after that coordinated public rebuke of China over “Hafnium”, we get an update on the fallout from the NSO Group story: Emmanuel Macron changed his phone. As a precaution. His number was on Morocco’s target list. Awkward!
We also get an update from NSO Group on how its oversight system works: while it doesn’t know the identities of the people targeted by Pegasus, the company can retroactively acquire the target lists in the event of a complaint and unilaterally shut down the offending government’s subscription following an investigation. In other words, NSO Group could in theory do retrospective audits. But won’t unless there’s a complaint. A complaint about the super secret spyware you can’t find and don’t know about:
Reuters
France’s Macron changes phone in light of Pegasus case
Michel Rose and Dan Williams
July 22, 2021 3:25 PM CDT Updated
PARIS, July 22 (Reuters) — French President Emmanuel Macron has changed his mobile phone and phone number in light of the Pegasus spyware case, a presidency official said on Thursday, in one of the first concrete actions announced in relation to the scandal.
“He’s got several phone numbers. This does not mean he has been spied on. It’s just additional security,” the official told Reuters. Government spokesman Gabriel Attal said the president’s security protocols were being adapted in light of the incident.
A global outcry was triggered when several international media organisations reported that the Pegasus spyware was used in hacking smartphones belonging to journalists, human rights activists and government officials in several countries.
In Israel, home of Pegasus developer NSO Group, a senior lawmaker said a parliamentary panel may look into spyware export restrictions. NSO says its software is used to fight crime and terrorism and has denied any wrongdoing.
“Obviously we’re taking (this) very seriously,” Attal told reporters hours after an emergency cabinet meeting focused on the Pegasus allegations.
Le Monde newspaper and Radio France broadcaster reported on Tuesday that Macron’s phone was on a list of potential targets for surveillance by Morocco. The two media said that they did not have access to Macron’s phone and could not verify if his phone had indeed been spied on.
Morocco has rejected these allegations.
A French lawyer for Morocco, Olivier Baratelli, said the government planned to lodge defamation lawsuits in Paris against nongovernmental organisations Amnesty International and Forbidden Stories, according to French news outlet franceinfo on Thursday. The two groups participated in the Pegasus probe and alleged Morocco had targeted French officials for surveillance with the spyware.
Amid mounting EU concern, German Chancellor Angela Merkel told reporters in Berlin that spyware should be denied to countries where there is no judicial oversight.
Hungarian prosecutors on Thursday launched an investigation into multiple complaints received in the wake of the reports.
Israel has appointed an inter-ministerial team to assess reports based on an investigation by 17 media organisations that said Pegasus had been used in attempted or successful hacks of smartphones using malware that enables the extraction of messages, records calls and secretly activates microphones.
...
“We certainly have to look anew at this whole subject of licences granted by DECA,” Ram Ben-Barak, head of the Knesset Foreign Affairs and Defence Committee, told Israel’s Army Radio, referring to the government-run Defence Export Controls Agency.
The Israeli government team “will conduct its checks, and we will be sure to look into the findings and see if we need to fix things here”, said Ben-Barak. A former deputy chief of Mossad, he said proper use of Pegasus had “helped a great many people”.
DECA is within Israel’s Defence Ministry and oversees NSO exports. Both the ministry and the firm have said that Pegasus is meant to be used to track only terrorists or criminals, and that all foreign clients are vetted governments.
NSO says it does not know the specific identities of people against whom clients use Pegasus. If it receives a complaint of Pegasus having been misused by a client, NSO can retroactively acquire the target lists and, should the complaint prove true, unilaterally shut down that client’s software, the company says.
Other world leaders among those whose phone numbers the news organisations said were on a list of possible targets include Pakistani Prime Minister Imran Khan and Morocco’s King Mohammed VI.
———-
“NSO says it does not know the specific identities of people against whom clients use Pegasus. If it receives a complaint of Pegasus having been misused by a client, NSO can retroactively acquire the target lists and, should the complaint prove true, unilaterally shut down that client’s software, the company says.”
NSO Group can retroactively acquire the target lists to investigate complaints. It’s the kind of description that sounds like NSO Group would need to go to the clients to retrieve the list of target phone numbers or emails. That’s the kind of oversight regime that raises questions about whether or not these clients have the capability to scrub those target lists before returning them to NSO Group. It’s also the kind of oversight regime that raises questions about how any sort of oversight could ever happen outside of instances when there’s a news report about NSO Group malware being discovered and a ‘retrospective investigation’ is conducted. Either an insider needs to leak about it or victims need to discover the malware. Those are the only viable scenarios that could realistically trigger an investigation and this is super-secret malware that operated without being detected for years. Almost nothing other than the investigative reporting done by Amnesty International and Forbidden Stories could realistically cause a client to have their subscription revoked.
And as we saw in the case of Saudi Arabia and the fallout from the Jamal Khashoggi assassination, the fallout — in the form of NSO Group canceling Saudi Arabia’s subscription, a move opposed by the Israeli government — was ultimately reversed after NSO Group was suddenly sold to new investors. That’s part of the context of Israel’s assurances that it will look anew at the licenses granted for these subscriptions. It can’t look anew. It would be a diplomatic nightmare for Israel. And perhaps not something Israel can reasonably unilaterally decide on its own. If what we are looking at here is a broader Western-sanctioned global system for distributing limited super-hacker capabilities, the fate of NSO Group and the entire Israeli “commercial surveillance” sector suddenly becomes a much more multilateral affair:
...
“We certainly have to look anew at this whole subject of licences granted by DECA,” Ram Ben-Barak, head of the Knesset Foreign Affairs and Defence Committee, told Israel’s Army Radio, referring to the government-run Defence Export Controls Agency.
The Israeli government team “will conduct its checks, and we will be sure to look into the findings and see if we need to fix things here”, said Ben-Barak. A former deputy chief of Mossad, he said proper use of Pegasus had “helped a great many people”.
DECA is within Israel’s Defence Ministry and oversees NSO exports. Both the ministry and the firm have said that Pegasus is meant to be used to track only terrorists or criminals, and that all foreign clients are vetted governments.
...
Will the Israeli government conduct a meaningful audit of its cyber mercenary export sector? The story of the NSO Group and Jamal Khashoggi’s murder suggests otherwise.
NSO Group and Candiru: Joined at the Founding Financial Hip
We’re now at the end of our article marathon. This one isn’t from December 2020-July 2021. It’s from October 2019. So it was already old news as all of this has been playing out. One mega-hack story after another. One Microsoft exploit after another. As the world turned to Microsoft to lead the investigation into this parade of Microsoft vulnerabilities (some might consider that a conflict of interest), the following story from October 2019 was systematically ignored: An introduction to Candiru, its powerful suite of Microsoft exploits, and the fact that its founders overlap with the NSO Group’s founders.
Yep, in the following Forbes piece we learn how Candiru has clients like Uzbekistan, Saudi Arabia, and the UAE. The main Candiru financial backer was Founders Group, which was co-founded by one of the three men who set up NSO Group, Omri Lavie. Additionally, one of the lead investors is Founders Group managing partner Isaac Zack. We’re also told that the industry is increasingly close to its financial backers because, well, it’s become so controversial there aren’t that many financial backers available. A hyper-secretive incestuous industry increasingly beholden to the shrinking number of people willing to go into something this explosively powerful:
Forbes
Meet Candiru — The Mysterious Mercenaries Hacking Apple And Microsoft PCs For Profit
Thomas Brewster Forbes Staff
Oct 3, 2019, 06:06am EDT
Israel is home to scores of hacker-for-hire businesses, but one of the most clandestine has been Candiru. With no website and few records available, it’s operated largely under the radar.
But now a researcher is claiming the elite Tel Aviv-based firm sold cyber weapons to the government of Uzbekistan, while industry sources tell Forbes the company is hacking both Microsoft Windows and Apple Macs for various nation states.
In doing so it calls into question the company’s ethics for partnering with a government branded as an abuser of surveillance tools, just like the morals of its compatriot digital arms dealers have come under scrutiny over the last half decade.
Smashing Windows
Candiru’s speciality, hacking Microsoft Windows for nation-state intelligence agencies, is one key revenue stream. And one of those Candiru customers is almost certainly Uzbekistan, according to Brian Bartholomew, a researcher at Russian cybersecurity company Kaspersky Lab. He claimed that a lapse in an Uzbekistan intelligence agency’s operational security allowed him to link multiple Windows vulnerabilities used in Uzbek attacks back to Candiru and two other customers: Saudi Arabia and the U.A.E.
Bartholomew detailed just how Uzbekistan was sloppy to Forbes ahead of the public release of his research at London’s Virus Bulletin conference on Thursday, though he couldn’t provide clear links between the leaked tools and the Israeli company.
Perhaps Uzbekistan’s biggest mistake was to set up a test computer, exposed on the internet, that tested its hacking tools against various antivirus systems like Kaspersky. Bartholomew’s team found that computer online and noted that it regularly connected to a single Web address. And here’s where the Uzbekistan government exposed itself: Not only was that address registered in Uzbekistan, but the registrant was the apparent leader of “Military Unit 02616.” Though there was little information on that division, Bartholomew soon discovered it was part of Uzbekistan’s surveillance agency, the National Security Service (NSS).
According to Bartholomew, the NSS is essentially the successor to the Soviet KGB contingent, which transferred power in the early 1990s. “They have loads of power. They can pretty much do what they want,” Bartholomew said. The NSS also has a history of buying malware from foreign dealers, as revealed in the leaked 2015 emails of Italian provider Hacking Team. Hosted on Wikileaks, the emails contain frequent messages about deals between Hacking Team and the unit; Bartholomew believes Uzbekistan spent nearly $1 million on the Italian company’s services, looking at all the invoices in the leak.
But because the agency exposed its Windows exploits on the web, Kaspersky researchers were able to link them to other malicious software Bartholomew says were created by Candiru, namely those that appeared to be controlled by Saudi Arabia and the U.A.E. “Sloppy customers are bad customers,” the researcher said.
Human rights experts have now raised the alarm about Candiru’s customer base and the potential for abuse. Bartholomew and another source with knowledge of the attacks said he discovered Candiru surveillance software was used in previously reported hacks on Uzbek human rights activists and independent media.
“Each of these governments is a serial spyware abuser, and it is painfully predictable that civil society got targeted again,” said John Scott-Railton, a surveillance market researcher at the University of Toronto’s Citizen Lab. “For an industry that is trying to tell investors and regulators that it is working to clean up its act, providing spyware to these autocratic regimes is a guaranteed way to get it abused.”
Raining down on Macs
Candiru specializes in hacking Windows, but it’s also working on tools to crack Apple’s MacOS operating system, according to Tal Dilian, who claims to have partnered with Candiru as part of his work with his own surveillance startup, Intellexa. Though not sure, he also said Candiru may have a focus on iOS too.
Scott-Railton said he was also convinced that Candiru was developing exploits for both Apple and Microsoft technology.
Israel’s digital mercenaries unite
Outside of Candiru’s apparent relationship with Dilian’s spyware enterprises—WiSpear and Intellexa—it has at least one tie to the most controversial of Israel’s surveillance providers: NSO Group. That’s because two industry sources said the main Candiru financial backer was Founders Group, cofounded by one of the three men who set up NSO, Omri Lavie.
As surveillance industry sources also told Forbes, one of the lead investors is Founders Group managing partner Isaac Zack. According to Pitchbook, Zack is also a board member at wireless charging startup Humavox and at Sepio Systems. The latter is a cybersecurity company, focused on doing the exact opposite of Candiru: protecting hardware from being turned into silent surveillance devices. Its board also includes Tamir Pardo, the former head of the Mossad, Israel’s intelligence agency.
Companies like Candiru are being forced to go to investors with whom they’re already on friendly terms because of an increasing antipathy towards the industry from typical venture capital firms. “YL Ventures has not and will not invest in offensive cyber technology vendors,” said Yoav Leitersdorf, managing partner at YL Ventures. “The primary reason for this is ethical, since oftentimes the customers of these vendors end up using the technology in a way that violates human rights, with or without the vendors’ knowledge. Such usage goes directly against our values and the values of our limited partners.”
Israeli firms have found themselves at the center of an international controversy over the sale of spyware to repressive governments. Candiru has avoided the spotlight up until now, but its rival NSO Group has become embroiled in several controversies. In Mexico, the use of alleged NSO malware Pegasus by the government to monitor journalists, activists and lawyers working on the 2014 killing of 43 students caused a major political scandal. And in January, NSO chief Shalev Hulio had to state on the record that his firm had not worked with the Saudi government to monitor journalist Jamal Khashoggi in the months before his murder by Saudi agents.
...
————
“Candiru’s speciality, hacking Microsoft Windows for nation-state intelligence agencies, is one key revenue stream. And one of those Candiru customers is almost certainly Uzbekistan, according to Brian Bartholomew, a researcher at Russian cybersecurity company Kaspersky Lab. He claimed that a lapse in an Uzbekistan intelligence agency’s operational security allowed him to link multiple Windows vulnerabilities used in Uzbek attacks back to Candiru and two other customers: Saudi Arabia and the U.A.E.”
Uzbekistan, Saudi Arabia, and the UAE. Those were the three Candiru clients identified back in late 2019 when the company first received media exposure, and it’s obviously a very incomplete client list. The kind of client list where we can be confident all sorts of other terrifying customers are being quietly serviced.
Also keep in mind that Uzbekistan’s hackers wouldn’t have any trouble leaving Russian ‘cultural artifact’ clues. They all speak Russian. Of course, as we saw with the Vault 7 story, the CIA’s hacking toolkit featured tools to inject Russian or Mandarin strings into code to leave exactly these kinds of clues, so a hacker doesn’t necessarily need to know Russian or Mandarin to leave them. But still, since such ‘clues’ are given so much weight when it comes to cyberattribution, it behooves us to note that hackers working for the many former Soviet republics are going to know Russian. At least enough to stick it in their code or on forums or wherever to make sure everyone knows it was the ‘Russians’. We now know dozens of governments have been subscribing to these malware services over the last decade. What are the odds they haven’t been doing precisely what the CIA’s toolkits do and injecting their own ‘cultural artifacts’? What are the odds these subscription toolkits don’t already offer those exact features? Saudi Arabia and the UAE, for example, would probably really enjoy those features:
...
According to Bartholomew, the NSS is essentially the successor to the Soviet KGB contingent, which transferred power in the early 1990s. “They have loads of power. They can pretty much do what they want,” Bartholomew said. The NSS also has a history of buying malware from foreign dealers, as revealed in the leaked 2015 emails of Italian provider Hacking Team. Hosted on Wikileaks, the emails contain frequent messages about deals between Hacking Team and the unit; Bartholomew believes Uzbekistan spent nearly $1 million on the Italian company’s services, looking at all the invoices in the leak.
But because the agency exposed its Windows exploits on the web, Kaspersky researchers were able to link them to other malicious software Bartholomew says were created by Candiru, namely those that appeared to be controlled by Saudi Arabia and the U.A.E. “Sloppy customers are bad customers,” the researcher said.
Human rights experts have now raised the alarm about Candiru’s customer base and the potential for abuse. Bartholomew and another source with knowledge of the attacks said he discovered Candiru surveillance software was used in previously reported hacks on Uzbek human rights activists and independent media.
“Each of these governments is a serial spyware abuser, and it is painfully predictable that civil society got targeted again,” said John Scott-Railton, a surveillance market researcher at the University of Toronto’s Citizen Lab. “For an industry that is trying to tell investors and regulators that it is working to clean up its act, providing spyware to these autocratic regimes is a guaranteed way to get it abused.”
...
And look at the remarkable relationship between NSO Group and Candiru: the main Candiru financial backer was Founders Group, co-founded by one of the three men who set up NSO, Omri Lavie, and one of the lead investors is Founders Group managing partner Isaac Zack:
...
Outside of Candiru’s apparent relationship with Dilian’s spyware enterprises—WiSpear and Intellexa—it has at least one tie to the most controversial of Israel’s surveillance providers: NSO Group. That’s because two industry sources said the main Candiru financial backer was Founders Group, cofounded by one of the three men who set up NSO, Omri Lavie.
As surveillance industry sources also told Forbes, one of the lead investors is Founders Group managing partner Isaac Zack. According to Pitchbook, Zack is also a board member at wireless charging startup Humavox and at Sepio Systems. The latter is a cybersecurity company, focused on doing the exact opposite of Candiru: protecting hardware from being turned into silent surveillance devices. Its board also includes Tamir Pardo, the former head of the Mossad, Israel’s intelligence agency.
...
So when we read about NSO Group and Candiru both being licensed to countries like Saudi Arabia, it seems like kind of a package deal. You get Candiru for the Microsoft exploits and NSO Group for the other things.
********************************
Ok, we’re almost done with our excerpt marathon. A marathon drawn almost entirely from just a seven month period starting in December 2020, when FireEye delivered what felt like a nightmare at the time. And it was, and is, a nightmare. Just not our worst nightmare. Not even close. Our nightmare scenario kept getting worse. It keeps going. It never ends.
And sure, it’s never going to end by definition. As long as there are computers there are going to be hack stories, and some of them will be major hacks. But as we’ve seen, this has been an unusual seven month period. One mega-hack after another. It’s like cyber-climate change just started to become noticeable.
And throughout this wave of Microsoft mega-hacks, we’ve had Microsoft leading the way in attributions. It’s always a state-backed actor. Known within 24 to 48 hours. Conclusively. Russia or China. Don’t ask why. Just accept the conclusion. The highly self-serving easy conclusion that is far less terrifying than the idea of criminals carrying out these mega-hacks. Yes, the US government backs Microsoft on these attributions. Also without providing any hint of the evidence they’re based on. Just accept whatever attribution people come up with uncritically because, hey, they’re experts. They must know, right? That’s the climate of contemporary cyberattribution: watching people engage in what appears to be reading the digital tea leaves to come up with the culprit, then proclaim their findings as if a forensic examination had decisively concluded it. And for the most part this goes absolutely unquestioned.
Now, it’s important to keep one thing in mind about this cyberattribution regime: part of the reason Microsoft and governments make these attribution pronouncements without bothering to give any evidence, and act as if we should just trust them, is that we more or less have to do exactly that. We have to trust Microsoft and governments and whoever else has access to the compromised systems to study these hacks. Much of the evidence is private, and someone has to go in and do the forensic cyber-investigation, examining malware, looking for ‘cultural artifacts’ or whatever. That’s all well and good and part of how a technologically complex society operates. It’s heavily trust-based.
But that’s precisely why the highly convenient and logically suspect narratives that continually pop up around these mega-hacks, where the culprit is always Russian or Chinese hackers, declared within days, are so problematic. We’re forced to trust the investigators because no evidence is ever given. And yet the conclusions always seem conveniently made up and virtually never acknowledge the existence of a global industry of companies like NSO Group and Candiru. If activists are targeted, sure, a government running “commercial surveillance vendor” software might be suspected, as was the case with Candiru’s malware getting caught being used against activists. But that’s basically the only time we see this legal offensive cyber-for-hire industry come up in attributions. Otherwise it’s nearly always attributed to Russia, China, North Korea or Iran. Maybe criminals if no government networks got hit. But that’s basically it. That’s the contemporary cyberattribution regime. Those are the acceptable choices: Russia, China, North Korea, Iran, maybe criminals. While at least 40 governments around the world have NSO Group subscriptions. And stories like the Vault 7 hacking tools that planted foreign ‘cultural artifacts’ are less than a decade old. Each individual hack might be hard to assess, but taken together it’s just implausible.
To get a sense of how implausible, here’s our final quick excerpt. It’s from October 2020, about the findings in Microsoft’s Digital Defense Report, which you can download here. The report includes a chart (page 42) breaking down, by country, the state-backed attributions the Microsoft Threat Intelligence Center (MSTIC) made between July 2019 and June 2020. So this is Microsoft telling us what its own security experts found. There were just four countries on the entire chart. Guess which four: 52 percent of the attacks attributed to state-backed actors were attributed to Russia, 25 percent to Iran, 12 percent to China, and 11 percent to North Korea. Now, take a moment to digest those numbers. 52 + 25 + 12 + 11 = 100. 100 percent of the state-backed attributions Microsoft made between July 2019 and June 2020 went to Russia, Iran, China, or North Korea. All of them. (The Independent’s own wording folds “other states” into the final 11 percent slice, but no other country is named.) That’s why the ‘trust us’ attribution paradigm is so problematic. It’s hard to trust an implausible narrative:
The Independent
Russia responsible for over half of all state-sponsored hacking, Microsoft says
Attacks focused on political groups, rather than national infrastructure, in an attempt to affect other governments’ policy
Adam Smith
Friday 02 October 2020 14:57
Russia is responsible for over half of all state-sponsored hacking, vastly more than any other state, according to a new report from Microsoft.
Russian activity made up 52 per cent of all attacks between July 2019 and June 2020, the software giant’s Digital Defence Report states.
It is followed by Iran, which makes up 25 per cent of the attacks monitored.
China is responsible for 12 per cent of attacks, while North Korea and other states make up the final 11 per cent.
The majority of their targets have been in the United States, which is targeted 69 per cent of the time. The United Kingdom is the next most popular victim, receiving 19 per cent of attacks, followed by Canada, South Korea, and Saudi Arabia.
While there has been much concern over recent years that countries’ critical national infrastructure – such as the national grid or financial services – could be targeted by hackers, Microsoft says that is not the most common target.
According to the software giant, 90 per cent of attacks from nation-states have been focused on “nongovernmental organisations (NGOs), advocacy groups, human rights organizations and think tanks focused on public policy, international affairs or security.”
The company suggests that nation-states are hoping to influence government policy through subtler means, rather than targeting infrastructure directly.
...
————
Again, 52 + 25 + 12 + 11 = 100. Microsoft’s threat assessment team can apparently only determine that hacks came from those four countries. Even at a time when dozens of governments have subscriptions to software from companies like NSO Group and Candiru, and none of this is really a secret. It’s shameless. No other state decided to abuse its super spyware? None at all? Just Russia, Iran, China, and North Korea? Yes, that’s what we are being asked to believe by Microsoft, and Microsoft is the leading figure shaping this narrative. A narrative mostly about Microsoft vulnerabilities of late. Lots of Microsoft vulnerabilities, and yet almost no mention by Microsoft’s threat assessment teams of Candiru’s existence. The company exists to sell Microsoft exploits to governments around the world, and yet, in this entire collection of stories we looked at, it was only after Citizen Lab publicly identified new Microsoft zero-day exploits that Candiru’s clients were using against activists that we saw Microsoft even acknowledge the existence of Candiru.
But to really appreciate why this problematic cyberattribution narrative, where it’s always Russia, Iran, China, and North Korea, is so wildly dangerous to civilization, we have to appreciate how the SolarWinds and Microsoft Exchange mega-hacks relate to these seemingly soothing words from Microsoft back in October, when it was assuaging concerns about attacks on critical infrastructure: nation-states are hoping to influence government policy through subtler means, rather than targeting infrastructure directly:
...
While there has been much concern over recent years that countries’ critical national infrastructure – such as the national grid or financial services – could be targeted by hackers, Microsoft says that is not the most common target.
According to the software giant, 90 per cent of attacks from nation-states have been focused on “nongovernmental organisations (NGOs), advocacy groups, human rights organizations and think tanks focused on public policy, international affairs or security.”
The company suggests that nation-states are hoping to influence government policy through subtler means, rather than targeting infrastructure directly.
...
Microsoft was telling us this while the SolarWinds hack was ongoing, two months before it was revealed. And as we’ve seen, both the SolarWinds and Microsoft Exchange mega-hacks could arguably be considered attacks on critical infrastructure. They were a very big deal. Especially the Microsoft Exchange hacks, which could be automated and were carried out by seemingly for-profit criminal actors. That’s an infrastructure attack. Whoever carried it out was conducting a kind of digital infrastructure attack. It was that vast and aggressive.
But beyond the immediate damage done by these mega-hacks, it’s the potential for seeds to have been sown for future, even more devastating hacks that makes these stories so damaging from a security standpoint. Basically every major organization’s computer networks got hit by sophisticated actors with a demonstrated capacity to deploy multiple zero-day exploits. We have every reason to believe they retained access to a large number of these networks. Remember what Bill Whitaker of Bolden told us: it would have been trivial for the SolarWinds hackers to have turned that malware into the kind of thing that causes the computers on those networks to effectively self-destruct. A few dozen more lines of code. That’s how easily these kinds of mega-hacks can become major crises. Lethal crises. Imagine the digital infrastructure of most of the world getting crippled with ransomware simultaneously. A few dozen lines of code could have turned SolarWinds or the Exchange hack into the kind of hack that cripples physical infrastructure.
Now imagine a global strike like that, one that cripples every country’s digital infrastructure except, say, Russia’s. Or China’s. It would be treated as an act of war. And we could be pretty confident Microsoft and plenty of other actors in the security sector would be more than happy to provide those definitive attributions that, yes, it was Russia. Or China. Or Iran or North Korea or whoever is most convenient. Hacking has become the perfect crime in multiple senses. Not only can a hack be executed in a manner where no one can determine the identity of the culprit but, by virtue of that complication, anyone can become the culprit. True conclusive attribution is so difficult, and yet increasingly important and urgent, that civilization has collectively just turned to the digital security industry and governments, asked them for their best educated guesses, and then treated those guesses as conclusive findings. It really is a faith-based attribution system. Increasingly, faith in Microsoft being honest about Microsoft mega-hacks. There’s bad faith. And blind faith. And then there’s that kind of faith. Blind dumb faith in Microsoft’s honesty and integrity. It’s clearly very popular these days. Enjoy it while you still can.
Welcome to your new security nightmare. Brought to you by Microsoft: the company recently issued an update on a relatively new zero-day exploit, “PrintNightmare”. The appropriately named exploit really is a security nightmare. The vulnerability in Microsoft’s Print Spooler, the Windows service that queues print jobs and loads printer drivers, potentially allowed hackers to install programs, change data and create new accounts with full user rights, among other actions. In other words, your entire computer network could be taken over.
Microsoft’s recent update on the vulnerabilities includes a new vulnerability that allows for the remote execution of arbitrary code on the system. It’s the kind of update that lets us know this vulnerability was even bigger than previously acknowledged, which is pretty remarkable given the scope of the initial warning. It’s like learning you can be hacked even more thoroughly.
So what is Microsoft recommending in response to this latest hyper-systemic vulnerability? Disable the Print Spooler service, for starters. Patch your servers. And finally, migrate to Microsoft’s cloud services. And that appears to be what the ultimate ‘fix’ is going to be as this era of mega-hacks accelerates: flee to the safety of the cloud. Of course, as we’re going to see, the cloud may not be as safe as advertised. Surprise!
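For anyone who actually has to act on the first two of those recommendations, here is an added example (not from the article or from Microsoft) that audits a Windows host for PrintNightmare exposure and applies the two non-patch mitigations Microsoft published for CVE-2021-34527: stop and disable the spooler where the host never prints, or keep local printing but refuse remote clients. The `$Mode` parameter and the output wording are this example’s own; the registry value names are the ones in Microsoft’s guidance and should be confirmed against the current advisory before you rely on them.

```powershell
# Added example, not from the article or from Microsoft: audit a Windows host for PrintNightmare
# exposure and apply the non-patch mitigations documented for CVE-2021-34527. Run elevated.
param(
    [ValidateSet('Audit', 'Disable', 'LocalOnly')]
    [string]$Mode = 'Audit'   # Audit: report only. Disable: stop/disable spooler. LocalOnly: refuse remote clients.
)

$printers      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pointAndPrint = Join-Path $printers 'PointAndPrint'

$spooler = Get-Service -Name Spooler
"Print Spooler: Status=$($spooler.Status) StartType=$($spooler.StartType)"

# Point and Print: both values must be 0 (or absent) for the July 2021 patch to actually block the attack.
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $value = (Get-ItemProperty -Path $pointAndPrint -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $value -and $value -ne 0) {
        Write-Warning "$name is set to $value; non-admins may install printer drivers. Set it to 0."
    }
}

# Remote RPC endpoint: 2 means the GPO "Allow Print Spooler to accept client connections" is Disabled.
$remote = (Get-ItemProperty -Path $printers -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
if ($spooler.Status -eq 'Running' -and $remote -ne 2) {
    Write-Warning 'Spooler is running and accepts remote client connections (RpcAddPrinterDriverEx is reachable over the network).'
}

switch ($Mode) {
    'Disable' {
        # The host never prints (domain controllers, most servers): remove the attack surface entirely.
        if ($spooler.Status -eq 'Running') { Stop-Service -Name Spooler -Force }
        Set-Service -Name Spooler -StartupType Disabled
        'Spooler stopped and disabled.'
    }
    'LocalOnly' {
        # The host prints locally but must not serve print jobs or driver installs to the network.
        New-Item -Path $printers -Force | Out-Null
        Set-ItemProperty -Path $printers -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
        Restart-Service -Name Spooler
        'Remote spooler RPC endpoint disabled; local printing still works.'
    }
    default { 'Audit only; no changes made.' }
}
```

Run it once in `Audit` mode across the fleet before choosing between `Disable` and `LocalOnly`; a print server obviously needs the remote endpoint, which is exactly why patching plus the Point and Print settings matter there more than on anything else.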
Ok, first, here’s a report from early July, when the world woke up to a newest Microsoft security nightmare: the genuinely terrifying ‘PrintNightmare’:
“The vulnerability — officially dubbed “CVE-2021-34527” — is found in how print spooler improperly performs privileged file operations, according to a Microsoft post. An attacker could use the vulnerability to install programs, change data and create new accounts with full user rights, among other actions.”
The reason a printing bug ends in new accounts with full rights is that the spooler runs as SYSTEM: trick it into loading an attacker-supplied “printer driver” DLL and that code runs as SYSTEM too, and on a domain controller that means the domain. Anyone who knew about this vulnerability could have potentially taken over the entire connected network.
And CVE-2021-34527 is just one of the vulnerabilities of this nature recently discovered. There was also CVE-2021-1675, found in June, which is apparently similar but distinct:
It’s the kind of update that hints at more “similar but distinct” super exploits sitting there waiting to be found. And that’s exactly the warning we appeared to get from Kelly Yeh, president of Chantilly, Va.-based Microsoft partner Phalanx Technology Group, last week after Microsoft disclosed a new Windows Print Spooler vulnerability. The new vulnerability allowed for remote code execution that would similarly enable hackers to install programs, create new accounts with full user rights and even view, change or delete data. As Yeh warns us, “This is going to be the first of many exploits that probably come out.” And since this print spooler exploit was the second vulnerability of this nature recently disclosed (the first one, CVE-2021-1675, came out in June), Yeh is already technically correct.
What should organizations do in response to one super-Microsoft vulnerability after another? Migrate to the cloud. That’s Yeh’s advice. Stop trying to locally manage things and let Microsoft do the management for you:
“This is going to be the first of many exploits that probably come out,” Yeh said. “That exploit [PrintNightmare] is actually a pretty big exploit, from what we were reading it can do.”
The first [actually second] of many exploits to come. Probably. Just wait. And in the meantime, we get to learn more about the known super-vulnerabilities. Like the ability to remotely execute code via the Print Spooler. It’s like total organizational access was built into Microsoft’s Print Spooler software:
And, again, this is just the latest Microsoft security nightmare on top of all the rest. With more to come. What are cyber security professionals to do? Run to the sweet embrace of Microsoft’s cloud services:
Keep in mind that there isn’t anything magical about cloud environments. They can still be hacked but, ideally, there are just a lot more resources focused on their security. At the same time, gaining access to a cloud environment would be the ultimate hacking prize. Many people have to be working on that challenge and it’s hard to imagine they aren’t going to succeed some day. And if we listen to CrowdStrike CEO George Kurtz in the following recent interview, that success has already been achieved. As Kurtz told the US Senate back in February in response to the SolarWinds hack, shortcomings in how Microsoft authenticates credentials have been replicated in the cloud. And don’t forget what we already saw in reports days after the SolarWinds hack was initially disclosed in December: the SolarWinds hackers demonstrated an ability to create password credentials for legitimate processes, enabling them to read emails from Microsoft’s Exchange Online cloud-based email service. So we’re already seeing hints of some sort of future cloud-based mega-hack. As Kurtz put it in the interview, “In other technologies, you can’t necessarily just steal passwords and use those encrypted passwords to authenticate to something...“But in the Microsoft world, you literally can steal an encrypted password, without even decrypting it, and pass that hash to another Microsoft system and access the system as if you knew what the password was.”:
“CrowdStrike has become one of Microsoft’s most vocal security critics, with Kurtz blasting “systemic weaknesses in the Windows authentication architecture” for exacerbating the impact of the SolarWinds hack during written and oral testimony before the U.S. Senate in February. Shortcomings in how Microsoft authenticates credentials have been replicated in the cloud, furthering customer pain, he said.”
It’s pretty ominous. At the same time experts are encouraging a mass migration to the cloud, we’re continuing to learn about new cloud-based vulnerabilities. Or not even cloud-specific vulnerabilities. That’s part of Kurtz’s critique of Microsoft’s security ecosystem: password hashes (what Kurtz calls encrypted passwords) can be passed from Microsoft tool to Microsoft tool without ever being cracked. Everyone is being asked to migrate their data and operations to a giant fancy vault filled with secret entrances:
Microsoft represents a “systemic risk”. That’s how CrowdStrike sees it, and it’s a risk that extends to the cloud. And yes, CrowdStrike is Microsoft’s direct competitor in the security arena, so we shouldn’t be surprised by the criticisms. But these aren’t just random criticisms. The security issues with Microsoft are an empirical fact at this point. CrowdStrike is only warning about what our lying eyes and ears are already telling us.
So that’s the latest Microsoft cybersecurity nightmare update. ‘PrintNightmare’ is upon us, and if you think there’s an easy solution your head is in the clouds. Well, ok, you can disconnect the printer. It’s the rest of the systemic risk you’ll still need to worry about.
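Kurtz’s point about hashes being password-equivalent is concrete enough to show in code. Here is an added example (not from the article, CrowdStrike or Microsoft) in two parts. Part 1 computes an NTLMv2 proof the way both a client and a domain controller do: HMAC-MD5 keyed, through one more HMAC, by the NT hash. Neither side ever touches the cleartext password, which is why a hash lifted from LSASS or the SAM logs you in without being cracked. Part 2 is a hunting function over the local Security log that flags 4624 logons with the shape pass-the-hash tooling leaves. The function names, the demo hash (the widely published NT hash of the string “password”), the challenge and blob bytes, and the detection thresholds are all this example’s own; the heuristics are well-known starting points with known false positives (legacy NTLM-only clients, service accounts), not a verdict.

```powershell
# Added example, not from the article or CrowdStrike.
# Part 1: the NTLMv2 proof depends only on the NT hash, never on the password.
function Get-NtlmV2Proof {
    param(
        [string]$NtHashHex,        # MD4(UTF-16LE(password)), as stored in SAM/NTDS and cached by LSASS
        [string]$User,
        [string]$Domain,
        [byte[]]$ServerChallenge,  # 8-byte nonce from the NTLM CHALLENGE_MESSAGE
        [byte[]]$ClientBlob        # NTLMv2 client challenge: timestamp, client nonce, target info
    )
    $ntHash = [byte[]]::new(16)
    for ($i = 0; $i -lt 16; $i++) { $ntHash[$i] = [Convert]::ToByte($NtHashHex.Substring(2 * $i, 2), 16) }
    # NTLMv2 key = HMAC-MD5(NT hash, UTF-16LE(UPPERCASE(user) + domain))
    $hmac1 = [System.Security.Cryptography.HMACMD5]::new($ntHash)
    $ntlmV2Key = $hmac1.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($User.ToUpperInvariant() + $Domain))
    # NTProofStr = HMAC-MD5(NTLMv2 key, server challenge || client blob); this is what the DC compares
    $hmac2 = [System.Security.Cryptography.HMACMD5]::new($ntlmV2Key)
    $proof = $hmac2.ComputeHash([byte[]]($ServerChallenge + $ClientBlob))
    return -join ($proof | ForEach-Object { $_.ToString('x2') })
}

# Constructed demo values: the NT hash of "password" (a widely published test value) plus arbitrary
# challenge and blob bytes standing in for a real exchange.
$stolenHash = '8846f7eaee8fb117ad06bdd830b7586c'
$challenge  = [byte[]](0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88)
$blob       = [byte[]](0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00) + [byte[]](1..16)

# The attacker holds only the hash; the DC holds only the hash. Both produce the same proof.
$fromAttacker = Get-NtlmV2Proof -NtHashHex $stolenHash -User 'alice' -Domain 'CORP' -ServerChallenge $challenge -ClientBlob $blob
$expectedByDc = Get-NtlmV2Proof -NtHashHex $stolenHash -User 'alice' -Domain 'CORP' -ServerChallenge $challenge -ClientBlob $blob
"Proof sent by holder of the hash : $fromAttacker"
"Proof recomputed by the DC       : $expectedByDc"
"Logon accepted, password unknown : $($fromAttacker -eq $expectedByDc)"

# Part 2: hunt the Security log for logons that look like pass-the-hash. Needs an elevated session.
function Find-PassTheHashCandidates {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Heuristic A: NTLM network logon with no session key, the classic pass-the-hash footprint.
        $ntlmNoKey = ($d.LogonType -eq '3' -and $d.AuthenticationPackageName -eq 'NTLM' -and
                      $d.LogonProcessName -like 'NtLmSsp*' -and $d.KeyLength -eq '0')
        # Heuristic B: "new credentials" logon through seclogo, what overpass-the-hash tooling leaves locally.
        $overpass  = ($d.LogonType -eq '9' -and $d.LogonProcessName -like 'seclogo*' -and
                      $d.AuthenticationPackageName -eq 'Negotiate')
        if (($ntlmNoKey -or $overpass) -and $d.TargetUserName -notlike '*$' -and $d.TargetUserName -ne 'ANONYMOUS LOGON') {
            $rule = if ($ntlmNoKey) { 'NTLM-no-session-key' } else { 'seclogo-new-credentials' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
                SourceIP    = $d.IpAddress
                Workstation = $d.WorkstationName
                LogonType   = $d.LogonType
                Process     = $d.LogonProcessName
                Rule        = $rule
            }
        }
    }
}

Find-PassTheHashCandidates -Hours 24 | Format-Table -AutoSize
```

Part 1 is deliberately symmetric: the same function stands in for both the client and the DC because that is the protocol, and it is the whole of Kurtz’s complaint. Part 2 is only useful with a baseline; the first run on any real estate will surface legitimate NTLM from printers, scanners and old appliances, which is a reason to inventory NTLM use, not a reason to ignore the rule.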
Here’s an update on the SolarWinds mega-hack. Or rather, an update on SolarWinds-related major software vulnerabilities. As we’re going to see, there have been two major additional vulnerabilities discovered in SolarWinds software since the initial disclosure of the SolarWinds hack back in mid-December 2020.
Days after the first disclosure, there were reports of a second hacking team targeting SolarWinds customers. Not much was disclosed about the attack. We were told that this second piece of malware, dubbed “Supernova”, also targeted the SolarWinds Orion platform. But unlike the first SolarWinds hack’s malware (dubbed “Sunburst”), this new malware wasn’t digitally signed. Recall that part of what made the first SolarWinds hack so disturbing was how the hackers got their code into the build process itself, so the backdoored Orion DLL came out signed with SolarWinds’ own code-signing certificate and shipped through the normal update channel, bypassing the checks that are supposed to catch tampered software. That’s what made the malware “digitally signed”. Supernova, by contrast, was not built into an official Orion release in that manner. That technical difference between the first and second SolarWinds hacks appears to be part of the reason security researchers assume the two were carried out by separate groups. As we’re going to see, it’s not actually a great reason for such an assumption.
Another related technical difference between the first ‘Russian’ SolarWinds hack and this second hack is the need for access to the target networks. As we’ve seen, part of what made the first SolarWinds hack so potentially devastating is that the backdoors onto client networks were delivered by the malware itself. The hack was what provided access to client networks. With this second hack, the attackers need some prior access to the target network that lets them reach the Orion software running there.
Importantly, the first and second SolarWinds hacks serve two different purposes. The first was a hack of the Orion software itself that delivered the “Sunburst” backdoor to the roughly 18,000 SolarWinds customers who installed the trojanized update. The second, “Supernova”, exploits a bug in Orion to help the hackers spread across networks they had already compromised. So you could imagine the same hacker wanting to use both on the same network. This is important to keep in mind, because we are told that the fact that one hack requires prior network access while the other does not suggests they were carried out by two different groups.
Also note another important detail about the Supernova malware deployed in this second SolarWinds hack: it is a .NET web shell, a malicious DLL dropped in place of a legitimate Orion component and run by Orion’s web application. .NET is one of Microsoft’s proprietary development frameworks.
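Since the whole Sunburst-versus-Supernova distinction above turns on what “digitally signed” means, here is an added example (not from the article, SolarWinds or Microsoft) that checks the Authenticode status and signer of every Orion assembly on a server. The install path, function name and the `*SolarWinds*` subject match are assumptions for illustration; adjust them to your deployment. Its real lesson is in the last comment: an unsigned web shell is the easy case, while a Sunburst-style implant passes this check with the vendor’s own certificate, so signature status has to be combined with hash comparison against the vendor’s advisory and your own known-good inventory.

```powershell
# Added example, not from the article or from SolarWinds/Microsoft: list the Authenticode status and
# signer of the Orion .NET assemblies on this host. Install path is an assumption.
function Test-OrionSignatures {
    param([string]$Path = 'C:\Program Files (x86)\SolarWinds\Orion')
    Get-ChildItem -Path $Path -Recurse -Include *.dll, *.exe -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            [pscustomobject]@{
                File   = $_.FullName
                Status = $sig.Status       # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer = $signer
                SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Anything not Valid, or Valid but signed by someone other than the vendor, is the Supernova shape:
# an unsigned DLL living among signed ones.
Test-OrionSignatures |
    Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notlike '*SolarWinds*' } |
    Format-Table -AutoSize

# The Sunburst shape is the hard one: Status=Valid with the vendor's own certificate, because the
# compromised build pipeline signed it. That file only stands out by hash, so keep the SHA256 column
# and compare it against the vendor's published indicators and your own known-good baseline.
```

Run it from a scheduled task and diff the output over time; a new file with a new hash in that directory tree is worth a ticket regardless of what the signature says.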
So who is believed to be behind this second SolarWinds hack? Well, at the time it was first announced, researchers couldn’t say. But by February of this year, they were ready to name names: China did it! Because if it wasn’t Russia, it has to be China. Or Iran or North Korea. One of those four.
What’s the basis for this attribution to a China-based group? Very little. Anonymous sources first suggesting it was China back in February tell us the hack shared computer infrastructure and hacking tools with hacks previously attributed to Chinese hackers. That vague. The one somewhat detailed clue we are given comes from security researchers at Secureworks. The company found connections between a November 2020 Supernova attack on one of its clients and an August 2020 attack that didn’t involve Supernova. That August 2020 attack was somewhat miraculously tied back to China when the hackers apparently made the mistake of stealing Secureworks’s own endpoint security software from their hacked client and installing it on one of their own computers. The endpoint software predictably pinged Secureworks’s servers. That appears to be the sole piece of evidence connecting this second hack back to China. So both ‘Russia’ and ‘China’ were hacking the sh*t out of SolarWinds in parallel. That was the narrative that had emerged by February of this year.
Then, in July, we got reports of the other new SolarWinds hack. The new new hack. A third SolarWinds hack that focuses on exploiting vulnerabilities in the Serv‑U software made by SolarWinds. Like the second SolarWinds hack, the hackers need prior access to the victim network. The hack revolves around sending commands to the Serv‑U software with output that can be read remotely and used to grab information like passwords or modify files. It sounds like an incredibly powerful exploit.
And who is behind this third SolarWinds hack? China did it! Again! But a different group of Chinese hackers. We are told the vulnerability exists in the then-latest Serv‑U version 15.2.3 HF1, released on May 5, and all prior versions. So this super-exploit, that could potentially grant powerful access on the victim networks, had existed ever since Serv‑U was first deployed.
Now, why is this new hack attributed to China? We have no idea and are never told. Microsoft’s threat assessment report on the hack simply states twice that the group is based in China. That’s it. No other details on why this is a China-based group.
Oh, and there’s another important detail also left out of Microsoft’s report: the Serv‑U vulnerability only exists if Serv‑U is being run on a Windows-based operating system. Linux-based systems aren’t impacted. In other words, this Serv‑U hack kind of sounds like a Microsoft hack. Kind of like how the Supernova hack was a hack of Microsoft’s .NET framework. Somehow, the hackers were able to use the Serv‑U software to exploit underlying vulnerabilities in Windows. That’s the story we appear to be looking at. There is no mention of the fact that only Windows systems were vulnerable in the Microsoft threat assessment report. We have to look at the SolarWinds report on the hack to learn about this. Yes, Microsoft left out of its threat assessment report the fact that they deployed Supernova and the fact that only Windows systems were hit. Imagine that.
So what’s the common thread here? The same thread we’ve seen all along: the hacking attribution industry is just kind of making it up. Weaponized attributions, for profit. And in Microsoft’s case, a narrative necessarily shaped to defend itself from accusations of shoddy security. Sometimes appropriate skepticism is deployed and often it’s tossed out the window. What stays the same is the convenience of the narratives.
Ok, first, here’s a December 19, 2020, report that gives us the first glimpse of this second hack. Not much is known at this point other than the fact that the “Supernova” malware imitates SolarWinds’s Orion software, which is technically very different from the first hack, where the malware was embedded inside the Orion software. So this second hack required prior access to the victim networks:
“Security experts told Reuters this second effort is known as “SUPERNOVA.” It is a piece of malware that imitates SolarWinds’ Orion product but it is not “digitally signed” like the other attack, suggesting this second group of hackers did not share access to the network management company’s internal systems.”
Note the example of attribution logic being used here. The fact that this second hack didn’t share the “digital signature” of the first hack is seen as a suggestion that this second group of hackers did not share access to the “network management company’s internal systems”, which is a reference to the fact that the first hack originated with a hack of the SolarWinds Orion software developer’s computers, allowing the embedding of the backdoor malware.
Now, on the one hand, it’s a useful observation to note that one hack required access to SolarWinds’s own developer networks, which ended up giving access to client networks, while this newly discovered hack instead just requires access to the client networks. But keep in mind that this is merely a suggestion that these are different hackers. It’s also important to keep in mind that there are scenarios where the same hackers could end up planting both this Supernova malware and the Orion backdoor from the first hack on the same system.
For example, we are told the first SolarWinds hack started in February of 2020, when the first compromised Orion updates went out to SolarWinds’s 18,000 clients. But as we’re going to see, it’s suspected that the ‘Chinese’ hackers behind this second SolarWinds hack, which required prior access to victim networks, relied on a separate ManageEngine ServiceDesk vulnerability, exploited as far back as 2018, to gain access to the networks. And as we’re also going to see, this newly discovered hack appears to allow the hackers to move laterally across victim networks, which serves a different purpose that is very compatible with the backdoor created by the first SolarWinds hack. But the narrative right out of the gate with this story was that it was completely unconnected to the mega-hack disclosed days earlier, based on the assumption that both exploits wouldn’t be needed by the same actor.
Next, here’s a February 2, 2021, Reuters piece where we get the first hint of an official attribution for the hack. China did it. Of course. That’s the word from anonymous sources involved with the investigation. We also learn from these anonymous sources that the hackers used computer infrastructure and hacking tools previously deployed by state-backed Chinese cyber-spies. That’s the extent of the details we are given. A vague reference to vague ‘pattern-recognition’ based on some spoofable technical indicators. SolarWinds, on the other hand, said that it had “not found anything conclusive” to show who was responsible.
And we also learn that this second hack served a different purpose from the first SolarWinds hack: it exploited a bug in Orion that helped the hackers spread across victim networks. So this second hack sounds like a potentially useful secondary attack that could have been carried out after the first SolarWinds hack created the backdoor granting that initial access:
“Security researchers have previously said a second group of hackers was abusing SolarWinds’ software at the same time as the alleged Russian hack, but the suspected connection to China and ensuing U.S. government breach have not been previously reported.”
It took a little over two months before ‘anonymous sources’ started pointing the finger at China. Which is actually a lot more time than the mere days it took for the first SolarWinds hack to get blamed on Russia. So what evidence were these sources pointing at? The hackers “used computer infrastructure and hacking tools.” No details or examples of shared infrastructure or tools. That’s it. It tells us nothing other than the fact that shoddy ‘pattern recognition’ techniques were being relied on:
But here’s where we learn some very important details about the nature of this hack: it was used to help spread across already-compromised networks. Which makes this the kind of exploit that sounds like a great partner with the first SolarWinds hack that compromised 18,000 client networks with backdoors:
A month later, in early March, we get another update. An update that would appear to tie the hack to China. It came from the research team at Secureworks’s Counter Threat Unit (CTU), who informed us that they first encountered the Supernova malware in November of 2020. Upon closer examination, they found similarities to a hack in August 2020 that was found to have been enabled by a vulnerability in the ManageEngine ServiceDesk software that the hackers likely exploited in early 2018. That ManageEngine ServiceDesk exploit was previously known to have been used by Chinese hackers. And it was during the investigation of this August 2020 hack that the hackers decided to install Secureworks’s own endpoint software on one of their computers and connect it to the internet. The endpoint software on the hackers’ computer predictably pinged Secureworks’s servers and the company had the information it needed to connect that hack to China (which ignores the obvious possibility of remotely using a computer from anywhere). This appears to be the extent of the evidence that the Supernova SolarWinds hack is being carried out by Chinese hackers. Vague, spoofable digital clues:
“On Monday, researchers said the attack was likely carried out by a China-based hacking group they’ve dubbed “Spiral.” The finding, laid out in a report published on Monday by Secureworks’ Counter Threat Unit, is based on techniques, tactics, and procedures in the hack that were either identical or very similar to an earlier compromise the researchers discovered in the same network.”
Meet “Spiral”, who is definitely not “Hafnium” and definitely not responsible for the first SolarWinds hack. And not the Serv‑U SolarWinds hack we’re going to learn about in July. Only this second SolarWinds hack. And definitely from China.
That’s what Secureworks’s CTU concluded based on techniques, tactics, and procedures in the hack that were either identical or very similar to an earlier compromise of the same client: the August 2020 hack of the Secureworks client where the hackers stole Secureworks’s endpoint software from the client’s network, installed it on their own computer in China, and allowed it to ping Secureworks’s servers. And the August 2020 hackers shared certain traits, like using the same commands and the same names, such as “c:\users\public” as a working directory. So some technical pattern recognition combined with reductive reasoning and/or wild guessing and/or convenient story-telling. This is the sausage-making of contemporary cyberattributions:
Also note the language in the Secureworks CTU report: “Characteristics of these intrusions indicate a possible connection to China.” A possible connection to China. Which is really all it is:
Now, jump forward to mid-July, and we learn about the third SolarWinds hack. This one by a different Chinese hacking crew. And this one sounds pretty serious in terms of the control it gives to the attackers. The Serv‑U attack allows hackers to install programs, and change or delete information. And every previous version of Serv‑U was vulnerable (but as we’ll see, only on Windows servers):
“Microsoft discovered the exploits and privately reported them to SolarWinds, the latter company said in an advisory published on Friday. SolarWinds said the attacks are entirely unrelated to the supply chain attack discovered in December.”
It’s definitely entirely unrelated to the SolarWinds hacks from December. Both. They don’t know much but they know that. Somehow. And it’s a vulnerability that’s existed in all previous versions of Serv‑U, so anyone who knew about it had plenty of opportunity. And plenty of potential for damage. The hack appears to give the attacker admin control over the computer. They can install programs, and add or delete information. That’s massive. Again, this is only going to be a vulnerability for Windows systems running Serv‑U:
Now let’s take a quick look at one of the fun facts found in the SolarWinds report on the Serv‑U hack: it only affects Windows computers. Linux systems aren’t impacted. In other words, the Serv‑U hack has another Microsoft Windows vulnerability at its core:
“Only SolarWinds Serv‑U Managed File Transfer and Serv‑U Secure FTP for Windows are affected by this vulnerability. Please note the Serv‑U Gateway is a component of these two products and is not a separate product.”
Only Windows systems are vulnerable. Weird how Microsoft failed to mention that in its threat assessment report on this very same vulnerability.
So we have not one but two additional SolarWinds hacks: one disclosed days after the initial hack and one seven months later. Both unrelated to the initial hack. Both from China. And both unrelated to each other. That’s what we’ve been told. With basically no evidence. What evidence we do have — like Secureworks tying the Supernova hack back to an August 2020 hack that pinged from China — suggests the evidence behind these attributions is tenuous guesswork at best. But at least Secureworks even bothers to vaguely describe its evidence. That’s more than we get from most.
And note how both of these new SolarWinds hacks appear to be, at their core, Microsoft hacks. The Supernova hack exploits a Microsoft .NET framework vulnerability and the Serv‑U hack only impacts Windows systems. And Microsoft is the company generally leading the global security responses to major hacks and defining our narratives. Again we have to ask, that’s a conflict of interest, right? Blind faith in Microsoft is hard enough as is. We don’t need blatant conflicts of interest with extraordinary stakes.
All sorts of extraordinary stakes. Long-standing stakes.
When we learned that Mexico was the first government to get a subscription to NSO Group’s malware back in 2011, one of the default questions raised by the revelation was why Mexico? Of course, there’s a pretty obvious answer. Sadly a default answer for Mexico: Organized crime, in particular in relation to the drug war. It’s the kind of use case that would fit squarely under the NSO Group’s list of official valid reasons for using its software. Terror and organized crime are precisely what the commercial surveillance industry touts as why it should be allowed to exist. Mexico certainly had no shortage of drug related organized crime in 2011.
So with that ostensible reason for Mexico’s early access to the NSO Group’s software in mind, here’s a piece from last month by Daniel Hopsicker with some pretty wild history related to NSO Group, Mexico’s use of commercial spyware, and the drug trade. And Carlos Slim:
Before NSO Group’s relationship with Mexico, there was Verint, another Israeli spyware-for-hire company. Verint’s relationship with Mexico appears to have started in 2003. That’s based on a press release issued in 2006 by Carlos Slim’s Telmex in response to another press release touting the Bush State Department’s sponsorship of Verint’s program to monitor Telmex’s entire network. And since Telmex is Mexico’s monopoly telecom provider, that was basically every phone in Mexico getting spied on by Verint. This was, again, paid for by the US State Department.
And then there’s the giant twist in Verint’s background: It turns out it was Verint in 2003 — back when it was called ECI Telecom — that leased the space for the headquarters of SkyWay Aircraft. As Daniel Hopsicker has covered in a number of articles and shows, SkyWay is like a collage of intelligence-protected illicit activity, with ties to everything from the April 2006 bust of 5.5 tons of cocaine on a SkyWay aircraft to the 9/11 hijackers in Florida. As the Introduction of FTR#554 — an interview with Daniel Hopsicker — reminds us about the network of figures and companies surrounding SkyWay (owners of ‘Royal Sons’):
Recall how “Royal Sons”, owned by SkyWay, had an address that traced back to Huffman Aviation’s hangar at Venice Airport. SkyWay is a remarkably shady company. As we’ll see, a second SkyWay plane busted for a massive cocaine haul had previously been used in CIA rendition flights. So SkyWay has all the hallmarks of running an intelligence-connected drug trafficking operation, and it was Verint that leased SkyWay its office space in 2003, the same year Telmex tells us Verint’s mass spying on Mexican phones started, paid for by the US State Department.
And as we’ll also see, it appears that when Verint’s spyware was being used by the Mexican government during this period to fight against the drug cartels, there was one cartel left out: the Sinaloa cartel. In other words, the spyware was being used to allow the government of Mexico to fight and win a drug war on behalf of the chief cartel in bed with the government. With Slim in on the cut. According to Hopsicker, that’s what happened. Slim and the government of Felipe Calderon used Verint, and the force of the Mexican military and federal police, to fight a drug war the Sinaloa cartel was supposed to win.
There’s also a more direct connection to NSO Group: In May of 2018, it was reported that NSO Group and Verint were merging, although the talks were apparently ended a couple months later. So Verint is alive and well it would seem, which is another aspect of this story:
“In some shocking—and conveniently ignored—recent history, Carlos Slim, Mexico’s richest oligarch, between 2003 and 2007 was doing business with these same Israeli spyware vendors, which are all spin-offs from the intelligence unit of the Israeli Defense Forces, Unit 8200.”
It is indeed remarkably convenient that the pre-NSO Group history of Carlos Slim, Verint, and Mexico’s use of Israeli spyware gets ignored. Because as we saw, it’s a history involving the governments of Mexico, Israel, and the US. A whole bunch of very conveniently timed arrangements took place in the 2003–2007 Bush-era period. First, we learn that Carlos Slim’s telecom monopoly in Mexico signed a contract with Israeli spyware firm Verint to spy on Slim’s network. This effectively meant Verint was spying on every phone in Mexico. Verint remains active to this day. In May 2018, Verint was reportedly in talks to merge with NSO Group. Those talks were called off two months later (several months before Jamal Khashoggi’s assassination made NSO Group a problematic merger partner). That the two firms got that far along in merger talks is a sign of how close they are:
And Verint’s 2006 contract (then Comverse) to spy on Slim’s entire network was paid for by the Bush State Department. The fact that Telefonos de Mexico (Telmex) selected a company with roots in Israel’s Unit 8200 was touted in a press release. And then Telmex issued a press release indicating the eavesdropping program actually began in 2003. So Verint’s contract to spy on every phone in Mexico was paid for by the US State Department and started in 2003. This was the kind of stuff that was getting quietly underway in those early War on Terror years:
But wiretapping Mexico on the US State Department’s tab is only part of what makes Verint such a fascinating company. As Hopsicker reminds us, it was none other than Verint who leased the land to SkyWay Aircraft. That was in 2003, when Verint — then called ECI Telecom — leased the land to SkyWay. It was on April 11, 2006, that SkyWay’s DC‑9 (N900SA) was busted in the Yucatan carrying a record—even for Mexico—seizure on an airplane, 5.5 tons of cocaine. And as Hopsicker has discussed many, many times, that plane is like the physical embodiment of the dark history of intelligence-protected drug-trafficking, going back to Oliver North’s Iran Contra operations:
Adding to the evidence that SkyWay Aircraft was an intelligence-protected operation, the DC‑9 (N900SA) was designed to impersonate official US DHS aircraft. And yet the plane was based at Clearwater-St Petersburg International Airport, which also housed a fleet of planes which belonged to U.S. Customs:
Oh, and the other SkyWay drug plane busted in a multi-ton cocaine bust during this period was previously used in CIA rendition missions. Keep in mind this was around 2006. Those were recent renditions:
And that’s all the context for how Verint was used in 2006 when Mexico’s President Felipe Calderon unleashed Verint’s spyware during Mexico’s battle with the cartels. It was a battle on the side of one cartel. The Sinaloa Cartel. Taking down Sinaloa’s cartel enemies was how Verint’s spyware was used. Paid for by the State Department:
These kinds of tools aren’t just perfect for quiet government abuse. They’re also perfect for those networks and agendas where organized crime, intelligence, and power politics coincide. And while the organized crime/intelligence/power politics nexus isn’t exclusively occupied by fascists, it’s concentrated with them. And that’s all part of the context of the contemporary story of NSO Group, Candiru, and the rest of the global spyware industry. These tools really are the perfect tool for criminals. So, you know, maybe governments are actually using these perfect criminal tools to help their elite criminal friends. Maybe extensively. Maybe especially when the State Department is paying for it.
Here’s a recent story about another Israeli “commercial surveillance” company coming under international scrutiny. This time it’s Cellebrite, the maker of special UFED devices used by law enforcement agencies around the world, including US law enforcement, to break into smartphones. Alarmingly, these devices have even been found for sale on eBay. And now Cellebrite’s investors are hoping to cash in on their cutting-edge technology by issuing a public offering. You too can own a slice of this cutting-edge spyware firm. The company is estimated to be worth $2.4 billion.
But with the announced public offering comes a complication: people are starting to take note of who Cellebrite’s clients are and how they’ve been using these devices. Clients like Belarus, Indonesia, Saudi Arabia, and Bangladesh. Interestingly, Russia and China are also former Cellebrite clients, which is notable given all of the indications that the US is, at a minimum, quietly condoning Israel’s global sales of these tools, or outright paying for it, as was the case with the US State Department paying for Verint’s wiretapping of every phone in Mexico. But it’s the sale of Cellebrite’s tools to Bangladesh that has become a particularly sore point for the company’s public image. As the following piece by Richard Silverstein notes, Bangladesh’s Rapid Action Battalion of elite security forces has been known to engage in the torture and summary executions of gays, atheists, and political dissidents in a campaign that killed 465 people in 2018 alone. So Bangladesh has been unleashing what amounts to a state-sanctioned domestic terror campaign during the time Cellebrite has been selling the country exactly the kinds of tools that would facilitate that kind of domestic terror.
As we should expect, with Cellebrite getting ready to go public, the company is now touting to the world how it refuses to sell its tools to countries with a track record of human rights abuse, releasing a statement citing Bangladesh, Belarus, China, Hong Kong, Macau, Russia and Venezuela as examples of countries it refuses to sell to. As Silverstein points out, part of the reason Cellebrite listed all those countries is because they’re all former clients:
Notice how Saudi Arabia wasn’t on that list. Given what we know about the direct actions the Israeli government took to ensure Saudi Arabia maintained a subscription to the NSO Group’s Pegasus super-spyware even after NSO Group dropped the Saudis in the wake of the global outrage over the killing of Jamal Khashoggi, it’s not absurd to assume that Cellebrite’s sales to Bangladesh are an important diplomatic tool. As Silverstein notes, in May of this year Israel was urging Bangladesh to normalize its relations with Israel. Those kinds of overtures become much more difficult when companies like Cellebrite are forced to cut off access in the face of public outrage. That’s all part of what makes this story of Cellebrite’s controversial public offering something to watch going forward. It’s the kind of transaction that could end up revealing aspects of these shadow relationships that are meant to be kept in the shadows:
“That might sound good to an uninformed individual. But the reason the list of countries it refuses to do business with for ethical reasons is so long and impressive, is that these are many of its most deadly former clients. Cellebrite had ditched many of these countries earlier, after Mack’s research exposed its sordid connection to them. But Bangladesh was one of the last dominoes to fall.”
It’s a lot more complicated selling your multi-billion dollar spyware firm when everyone knows about the human rights abuses that are going to be committed with your spyware. But it gets even more complicated when that powerful spyware doubles as a powerful diplomatic tool. It’s one reason we probably shouldn’t be surprised Bangladesh was the last of Cellebrite’s ‘problem’ clients to get dropped. Ongoing diplomatic overtures are getting in the way:
And note how the US government could impose some sort of punishment on the banks and private investors in these companies. It could happen, but doesn’t happen. A kind of silent consent:
Again, don’t forget that when NSO Group belatedly dropped Saudi Arabia as a client following the global outrage over the assassination of Jamal Khashoggi, it wasn’t just the Israeli government that pressured NSO Group to keep its Saudi clients. The Trump administration also reportedly wanted the Saudis to maintain access to the company’s spyware. And that’s why it’s hard to take Cellebrite’s pledges of being better seriously. The company isn’t really in a position to make these decisions on its own.
Plus, the fact that this industry has a habit of setting up shadow subsidiaries in order to get around export restrictions doesn’t exactly lend confidence to the idea that Cellebrite has suddenly turned over a new leaf:
You can build a secretive spyware firm, and you can take your company public, but taking a super secret spyware firm public is obviously a lot easier said than done. And yet, as Cellebrite is poised to demonstrate, it’s apparently doable.
Here’s one of those stories that should immediately prompt a ‘waiting for the other shoe to drop’ feeling:
The US Air Force’s first chief software officer just announced his resignation. But that wasn’t the only announcement in Nicolas Chaillan’s resignation letter. Beyond the expected charges of institutional inertia, Chaillan accused the Air Force of borderline criminal negligence when it comes to basic IT security practices, starting with the habit of putting mid-ranking generalist officers in charge of specialist projects. But it’s his complaint on fiscal-related issues that is perhaps the most shocking: The Air Force apparently couldn’t come up with the $20 million for 2022 for the main project Chaillan has been working on. Yep, the US military just couldn’t find the money. After being repeatedly told that the project he was working on was critical and being asked to develop a “minimum viable product” (MVP) — a scaled-down basic version of a new software tool designed to be released with basic features in order to get user feedback — in just four months, and after a massive undertaking and investment in the project, the Air Force told Chaillan that actually the $20 million won’t be there after all.
That painful disappointment was clearly a big driver in Chaillan’s decision to resign. But note that this project wasn’t exclusively an Air Force project. It was a Joint All-Domain Command and Control (JADC2) Department of Defense-wide project focused on making sure data can be seamlessly shared across platforms. Which was obviously a wildly important project impacting the entire US military. That’s the project the Air Force couldn’t find $20 million for next year. So on top of all the expected reasons for Pentagon challenges with IT security — some understandable and some less so — we can add a reason that has no fathomable justification: that the US military somehow couldn’t find the money:
“Please,” he implored, “stop putting a Major or Lt Col (despite their devotion, exceptional attitude, and culture) in charge of ICAM, Zero Trust or Cloud for 1 to 4 million users when they have no previous experience in that field – we are setting up critical infrastructure to fail.”
Are people with no IT security experience being put in charge of major IT projects for the military, setting up future military IT disasters? That’s what Chaillan is accusing the Air Force of doing. Which might also partially explain the opposition to the DevSecOps practices that avoid the kind of security nightmares Chaillan is warning us about:
But of all of Chaillan’s complaints, the fact that the Air Force couldn’t find the money to fund a project led by its first chief software officer is perhaps the most shocking. One doesn’t associate the US Air Force with being short on cash:
And as the following article describes, that Joint All-Domain Command and Control (JADC2) project the Air Force couldn’t find the money for in 2022 wasn’t just a random project. It was the project the Air Force had been telling Chaillan was absolutely critical, and they made a huge investment in creating a minimum viable product (MVP) version of the project in a matter of months to meet those needs. After all that, Chaillan was told the money wasn’t going to be there. The Air Force can’t find the money. It’s like the DoD was trolling him. The kind of trolling that might trigger an angry public resignation:
“In the memo, Chaillan noted that lack of funding along with DOD bureaucracy left his office and its mission “unempowered to fix basic IT issues.” Specifically, the software chief named his recent task of helping the Joint Chiefs of Staff with its efforts on Joint All Domain Command and Control, a DOD-wide effort to make sure data can be seamlessly shared across platforms.”
One would think a DOD-wide effort to make sure data can be seamlessly shared across platforms would be the kind of project that gets budget priority. Nope. The DoD couldn’t find the $20 million. This is after they asked Chaillan, the Air Force’s first ever chief software officer, to help with the project. And then they told him they couldn’t find the $20 million. Non-seamless communication it is then:
Keep in mind that when the DoD said it couldn’t find $20 million for 2022 to support this project, it sounds like that money was just for building the scaled-down MVP. The full project would obviously cost much more. But that’s possibly part of what enraged Chaillan. If the DoD can’t even come up with the money for a pilot project, what are the odds it’s going to be able to commit itself to the full project?
But there’s another obvious possibility in terms of what drove the Air Force to pull the plug on Chaillan’s JADC2 pilot project: someone wants to redirect that project towards somewhere else. It could be an intra-bureaucratic turf war. Or perhaps someone has a private contractor in mind?
And that brings us to the other major story that can’t be ignored in the context of the Air Force’s inability to commit to the JADC2 project: the Pentagon’s announcement in July that it was canceling Microsoft’s giant $10 billion JEDI contract that would accomplish much of what JADC2 would do in creating interoperability across the DoD’s IT systems. As we’ll see, when the DoD announced they were canceling the JEDI contract, JADC2’s overlapping capabilities were cited in the first paragraph of the press release giving the reasoning for the decision.
Instead of Microsoft having the JEDI contract, it sounds like it’s going to be divided up between multiple vendors, meaning competitors like Amazon and Palantir suddenly got a new opportunity to compete for slices of that JEDI contract.
So when we’re forced to interpret Chaillan’s public warning about the state of the military’s IT deficiencies, keep in mind that the pulling of the plug on Chaillan’s JADC2 project may have been one of the casualties in a giant contractor turf war that opened up after Microsoft lost the JEDI contract:
“The 10-year JEDI contract was awarded to Microsoft in 2019 after a fight among Amazon and other tech giants for the deal to modernize the military’s cloud-computing systems. Much of the military operates on outdated computer systems, and the Defense Department has spent billions of dollars trying to modernize those systems while protecting classified material.”
Microsoft won the big JEDI contract in 2019 to build the US military’s unified cloud. But the Biden administration put the JEDI program on ice, allowing the Pentagon to reimagine the military’s shared cloud under a multi-service-provider model. Microsoft and Amazon are both going to build the Joint Warfighter Cloud Capability (JWCC) next-generation military cloud. And while concerns about the Trump administration’s skewing of the bidding process against Amazon may have played a role in this decision, concerns about the inherent security risks of using a sole cloud provider also played a role...along with the fact that there have been so many mega security scares of late. If no cloud can truly be relied on, the next best option is to rely on many different clouds to minimize the inevitable damage:
But even compartmentalized clouds provided by separate contractors are still going to all have to interoperate if the JEDI vision of seamless interoperability is going to be realized. Compartmentalized, seamless interoperability. In other words, you’re still going to need the kind of functionality Nicolas Chaillan’s team was working on for the Pentagon’s JADC2 project.
And as the following Seeking Alpha investment article reminded us shortly after the Pentagon canceled the JEDI contract, if there’s one company out there in the commercial sector that is poised to fuse together the different components of the military’s cloud, it’s Palantir. And yes, it’s a Palantir cheerleader piece by someone who wants Palantir’s stock to rise. But you can’t argue with them when they point out that Palantir is already a top favored software provider for the US military and has been building and integrating software across different branches of the military and intelligence community for years. Through a series of bad decisions made with increasing frequency over the years, Palantir has become one of the key software providers for the US national security state, and connecting large numbers of databases into a single analytical platform is one of the company’s specialties. In other words, if it turns out that the reason the Air Force suddenly ‘couldn’t find’ the $20 million needed for Chaillan’s JADC2 pilot project was because someone at the Pentagon has an alternative commercial provider for those kinds of services in mind, there’s a very good chance the provider they have in mind is Palantir:
“PLTR was selected to safeguard the United States nuclear stockpile and has been selected to develop and integrate software throughout the United States military branches. The cancelation of the JEDI contract seems like a significant opportunity for PLTR, in my opinion. PLTR has been putting all of the pieces together to connect every aspect of our government defense capabilities. The new initiatives from the Pentagon seem like an open invitation for PLTR. I do not know what the government will do, but when you look at what has recently occurred and PLTR’s previous contracts with the government, it’s not far-fetched that these new initiatives play right into PLTR’s wheelhouse. The JEDI contract was worth $10 billion, and with it being scrapped and becoming a multivendor opportunity, I believe PLTR will get a portion of that pie.”
Again, it was never a good idea to allow a fascist-founded company like Palantir to develop such a central role in the US national security state’s digital infrastructure. But that happened. Palantir was even just selected to play a nuclear stockpile security role. Those awful decisions were made and now it’s hard to argue with the core argument behind this Palantir stock fan piece. The cancellation of Microsoft’s JEDI contract really was fabulous news for Palantir’s bottom line.
And that’s also why the angry public resignation of Nicolas Chaillan was also such good news for Palantir. If the DoD is losing interest in backing Chaillan’s JADC2 pilot project, that’s just more room for a company like Palantir to swoop in and provide those services under the new post-JEDI vision for the US military’s cloud. A vision that has yet to be finalized:
That’s all part of the context of Nicolas Chaillan’s public resignation involving the cutting of the JADC2 pilot project. It came two months after the cancellation of the Microsoft JEDI contract that opened up a new world of private contractor possibilities. And it sounds like those private contractor possibilities in this post-JEDI military cloud vision of the future include providing exactly the kind of JADC2 services Chaillan was working on. Services Palantir appears well positioned to fill, putting the company at the center of the US military’s digital networks.
So should we expect the imminent announcement of Palantir stepping in to provide the JADC2 interoperability service in the US military’s DoD-wide cloud of tomorrow? Putting Palantir at the very core of the US military’s ability to communicate with itself? It would obviously be a giant leap of faith by the US military about the company’s integrity, a leap the US national security state took a long time ago. This is probably a good time to recall that Avril Haines, the current head of the ODNI, was a Palantir employee before joining the Biden campaign in 2020. The company has all the connections it needs to become the digital fabric that holds the US military together. Including the nuclear stockpiles. It’s part of why the Palantir stock boosters aren’t just puffing smoke. It really is a company with spectacularly terrifying possibilities and those terrifying possibilities keep becoming more and more real every day.
Remember Ptech, the threat assessment software firm that became embroiled in post‑9/11 anti-terror investigations involving the Muslim Brotherhood’s network of front organizations? And remember how Ptech had a stunning list of government agencies for clients, including the US Air Force, making this a story about a possible Muslim Brotherhood-connected firm conducting threat assessments for the US government? It’s a company worth recalling whenever we hear about massive systemic mega-hacks involving sophisticated spyware that can traverse an organization’s IT networks. Ptech’s services would probably be in extremely high demand these days.
And since the 20 year anniversary of 9/11 is upon us, here’s a look back at a January 2003 article in Computerworld about the Ptech investigation, for the purpose of asking an intriguing question that really hasn’t been asked: Was Palantir started as a kind of replacement for Ptech?
It’s hard to ignore the parallels. Highly sensitive US national-security-related contracts were at the core of the business model for both Ptech and Palantir. Both companies make threat assessment-related software, although it sounds like Ptech’s threat assessment capabilities were more focused on IT network architecture, which is far less generic than Palantir’s machine-learning-based threat assessment capabilities. But who knows what Ptech would be offering today if it had maintained its position as the US national security digital threat assessment contractor of choice. And it turns out Palantir was started in 2003, meaning it got started after Ptech suddenly became a problematic post‑9/11 national security contractor. So it’s worth asking: was Palantir formed as a replacement for Ptech? Because as the following 2003 article about Ptech’s investigative troubles makes clear, the company really was a highly respected firm with a large number of important clients beyond the US government agencies. IBM even put Ptech’s flagship enterprise modeling product, FrameWork, at the center of IBM’s Enterprise Architecture Methodology. And this was still the case after all of the terror-related bad press for the company. In other words, Ptech was providing a product with heavy demand. Then, all of a sudden, Ptech became the kind of company other companies don’t want to do business with, hence the eventual name change to GoAgile. And that’s all why we have to ask: was Palantir started with the intent of replacing Ptech?
“Ptech’s crisis stems from a Dec. 5 consensual search by federal agents, which was broadly characterized by the media as an early-morning “raid” (see story). The search was part of an investigation of the company’s relationship with Yassin al-Qadi, a wealthy Saudi businessman and one of two “angel” investors who helped get Ptech on its feet in 1994. Al-Qadi, who was never a shareholder of record in Ptech and who later twice turned down Ptech requests for additional funding, is believed by the U.S. intelligence community to have financial ties to international terrorism.”
There’s bad PR and then there’s major terrorism-related bad PR. And in January of 2003, Ptech was suffering from a major case of the latter. The kind of terrorism-related bad PR that had its many government and Fortune 1000 clients taking a second look at whether or not they wanted to do business with the company. This was a company that rarely lost a competitive bid. And yet, even in the face of this awful PR, we had companies like IBM more or less sticking with Ptech. Their network threat assessment software was just too important to give up, even in the face of an investigation into a possible connection to 9/11. Ptech was clearly developing something extremely important to a lot of people:
Later that year, Palantir was started by Peter Thiel with the help of the CIA’s In-Q-Tel seed money. And yes, Palantir products don’t do exactly the same thing Ptech did. But we wouldn’t necessarily expect that to be the case. The big question is whether or not Palantir was founded with the intent of filling the gap created by Ptech’s post‑9/11 pariah status. Not that it would change much of anything if this was the case. It’s more just an interesting historical question at this point. So in the spirit of ‘better late than never’ it’s worth asking: To what extent does Palantir owe its current status as the US national security state’s go-to big data threat assessment service provider to Ptech’s post‑9/11 demise? And, depending on the answer, maybe some follow-up questions. Possibly a lot of follow-up questions.
Here’s an NSO Group-related story where the big story is really all the questions it raises about what else is going on:
It turns out the NSO Group’s customer list includes Germany’s federal police, the Bundeskriminalamt (BKA). An inability to develop their own comparable hacking tools is reportedly part of the reasoning behind the purchase, which, if true, is an example of how cutting edge these toolkits really are.
Here’s the part that raises all sorts of questions about what else the German national security complex has been up to: The 2019 purchase of NSO Group’s Pegasus software was made despite initial concerns inside the BKA that use of the tools would violate the German constitution, which blocks wiretapping in all but the most extreme cases.
How serious were these concerns? It’s unclear from the report, but the fact that talks with NSO Group started in 2017 and the contract was inked in 2019 suggests those internal deliberations took a while. But in the end those concerns were somehow alleviated. Was this due to extensive safeguards being put in place to ensure the spyware was only used when absolutely necessary and permitted under the German constitution? We have no idea.
It also sounds like the BKA’s contract with NSO Group is still in effect. The BKA first got access to Pegasus in late 2020 and has reportedly used the tool in select operations concerning terrorism and organized crime since March of this year.
There’s another angle to this story that’s worth keeping in mind: As we’ll see in the second article excerpt below, it was only in 2020 that German courts ruled that Germany’s constitutional rights to privacy extended to the citizens of other countries living abroad. The ruling was in response to a 2016 German law that granted Germany’s BND the right to spy on non-Germans abroad.
So in 2016, Germany passes a law giving the BND permission to spy abroad. In 2017, negotiations between the NSO Group and the BKA start, and they are completed by 2019. Then in May 2020, Germany’s courts rule the 2016 law unconstitutional, but the contract with NSO Group remains in place and the BKA first receives the software later that year. We’re told the tools have been put to use since March of this year. So we have to ask, given how useful Pegasus would be to the BND, especially during the 2016–2020 window when the BND was given the powers to spy on the world, was the BND going to end up being one of the end users of Pegasus too? Perhaps informally? Yes, NSO Group reportedly places georestrictions on where its spyware can be used, so that would theoretically prevent the BND from going wild globally with it, but who knows what kind of relationship Germany would be able to work out with NSO Group given the importance of the German-Israeli diplomatic relationship. Those negotiations with the BKA took quite a while to work out. That’s all part of what makes the story of the BKA getting its hands on Pegasus really part of a much larger story of Germany’s significant investment in digital spying capabilities:
“Despite initial legal concerns from within the BKA about the spyware, which allows its operators to take full control of any smartphones infected with Pegasus, a deal was inked with NSO in 2019.”
There were concerns, but those concerns were somehow addressed. We don’t know how, but the fact that a deal was reached in 2019 tells us they were addressed one way or another. The unsettling part is that we know so little about the actual terms of the contract and how the Pegasus software was ultimately used that it’s entirely plausible these concerns were addressed by simply dropping them:
We know there were concerns, and we know those concerns were somehow addressed, but we know hardly anything about how the spyware was actually used and what sort of oversight was deployed.
But that doesn’t mean we can’t wager a reasonable guess as to how the Pegasus spyware would have been used. Because as the following article from May of 2020 describes, it was only in 2016 that the German parliament passed a law allowing its intelligence services to spy on non-Germans abroad, something for which Pegasus would be an ideal fit. So while we don’t know if the 2017 NSO Group negotiations were directly tied to the passage of the 2016 spying law, it’s not too hard to connect these dots:
“The decision by the Constitutional Court found that parts of a 2016 law governing the country’s foreign intelligence agency, known by its German abbreviation BND, in part violated the universal right to privacy in communication. The ruling ordered the law to be rewritten to clarify the motivation for spying on individuals abroad, but it stopped short of banning the practice outright.”
Yes, it was 2016, the year before the BKA’s secret negotiations with the NSO Group started, when Germany passed a law allowing the BND to gather data on non-Germans outside Germany. This is the key context of the outreach to NSO Group the following year. Context that suddenly changed with that 2020 court ruling:
But how about after that 2020 court ruling? Are German intelligence services still using Pegasus? Yep. In fact, the BKA didn’t even receive delivery of Pegasus until late 2020 and only started using it in March of this year. So the BKA didn’t start using Pegasus until after German courts ended the historic expansion of Germany’s legal wiretapping powers, which is either a good sign or a very bad sign in terms of the likelihood the spyware has already been abused:
“According to the Süddeutsche Zeitung, BKA Vice President Martina Link confirmed to lawmakers that her organization had purchased the software. In late 2020, the BKA acquired a version of the Pegasus Trojan virus software. It has been used in select operations concerning terrorism and organized crime since March of this year.”
As we can see, Germany’s federal police apparently received the Pegasus software in late 2020, months after the German court ruling finding the 2016 law permitting the spying on non-German citizens was unconstitutional. And we’re told it wasn’t actually used until March of this year. So on the one hand, if we believe this timeline, it suggests the BKA hasn’t had a lot of time to abuse the Pegasus software yet. But it also highlights how Germany’s intelligence services were still willing to go ahead with the acquisition of Pegasus after a German court shot down the 2016 law granting those services the right to spy on the world. And when asked how NSO Group’s tools are being used, the government has repeatedly refused to say. Taken together, it’s the kind of constellation of data points all suggesting that Germany’s approach to addressing the potential constitutional abuses of these spyware tools is to minimize the oversight so those abuses don’t come to light:
So the overarching story here is a story of one part of the German government asserting greater spying powers and taking steps to obtain those powers, while another side of the German government has ruled this is unconstitutional. And the way this bureaucratic impasse has been addressed is apparently for the BKA to just proceed with the Pegasus acquisition and for everyone else to just kind of pretend it’s not being used unconstitutionally while questions are deflected or ignored.
And, again, this is merely the story of how Germany’s government is handling the temptation of something like Pegasus. Answering the question of how many other German constitutional violations are casually being swept under the rug in a similar manner is the much bigger story here.
It seems like every other week these days there’s an announcement about a new hacker-for-hire zero-day exploit that’s just been discovered. That was the case again last week when Citizen Lab announced the discovery of a new zero-day exploit on the phone of a Saudi activist in March of 2021.
But there was a notable new detail with this latest discovery: the attribution was made to NSO Group based on technical similarities to previous NSO Group hacks. In other words, the “pattern recognition” methodology for making cyberattributions. Instead of the traditional “pattern recognition” conclusion (Russian, Chinese, or Iranian hackers), the “pattern recognition” technique is now being deployed against NSO Group.
What’s the technical pattern? There were two technical details in the Citizen Lab report that they cite in making the NSO Group attribution:
1. The newly discovered malware, dubbed FORCEDENTRY, used another technique, dubbed CASCADEFAIL, that is supposed to delete evidence of the malware’s manipulation from the victim phone’s sqlite database. There’s a single database entry of evidence left over. Citizen Lab’s researchers have only ever seen malware that leaves this last piece of leftover evidence in other NSO Group Pegasus malware.
2. The FORCEDENTRY malware generates multiple processes on the victim phone, assigning names to those processes. One of those process names, “setframed”, was a process name used in another NSO Group malware Citizen Lab discovered targeting an Al Jazeera journalist in July 2020. The Citizen Lab report adds, “Notably, we did not publish that detail at the time.”
So based on those two technical details, Citizen Lab made a “high confidence” attribution of this malware to NSO Group. And part of that high confidence was rooted in the fact that Citizen Lab never previously published that it found the same “setframed” process name used in an earlier NSO Group attack.
Now, on the one hand, that sounds like a pretty reasonable conclusion to arrive at given the circumstances. Those circumstances being that this appears to be the initial publication of these technical details and those details appear to be reasonably specific. But this is also turning into a wonderful example of how vulnerable technical “pattern recognition” really is to spoofing and erroneous conclusions. Because think about it: going forward, if malware is found to contain either of these two ‘features’, there’s a built-in bias that this is NSO Group malware. And it very well might be NSO Group malware making the same mistakes, but the fact that those two technical details are something a malware coder could easily incorporate into their malware design is an example of why the “pattern recognition” methodology is ripe for abuse.
It’s long been a fundamental challenge with the cyberattribution industry: Once the pattern is shared, that pattern is now shared knowledge that can be used to spoof future pattern recognition analyses. That’s why CitizenLab felt it relevant to emphasize that it hadn’t previously published the “setframed” process name. If it had previously published that process name, any malware designer could have easily intentionally had their malware use the “setframed” name to confuse cybersecurity analysts, which is now the case going forward.
Also keep in mind that the fact Citizen Lab never published the “setframed” process name from that previous NSO Group hack doesn’t mean the information wasn’t quietly shared with other entities. Trusted entities that end up passing it along to less trustworthy entities that might end up abusing it and using it to cover their own hacking tracks. It’s not like there’s an impenetrable wall between the cybersecurity industry and the hacker-for-hire industry.
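The point made across the last few paragraphs, that an indicator stops being strong evidence the moment it is published, can be made concrete with a small scoring model. The following is an added example written for this post and is not Citizen Lab’s methodology or code; the indicator names, weights, discount factor and thresholds are all assumptions constructed for illustration, and the only borrowed facts are the two details cited above (the “setframed” process name and the leftover CASCADEFAIL database row). It scores a sample against an indicator catalogue, discounting any indicator that is already public knowledge, and then shows the same sample scored again after both NSO-linked indicators have been disclosed:

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed indicator catalogue. Names, weights and families are this
# example's assumptions, not data from the Citizen Lab report.

@dataclass
class Indicator:
    name: str        # a process name, a forensic residue pattern, etc.
    family: str      # the actor or tooling the indicator has been tied to
    weight: float    # distinctiveness in our own corpus, 0.0 - 1.0
    published: bool  # True once the indicator has been publicly disclosed

# Multiplier applied to indicators that are public knowledge: anyone can copy
# a process name once it has been printed in a report (assumed value).
PUBLISHED_DISCOUNT = 0.25

# Per-family score thresholds for the confidence labels (assumed values).
HIGH, MEDIUM = 1.0, 0.5

def build_catalogue() -> Dict[str, Indicator]:
    indicators = [
        Indicator("process:setframed", "NSO Group / Pegasus", 0.6, published=False),
        Indicator("residue:cascadefail-leftover-row", "NSO Group / Pegasus", 0.6, published=False),
        # A weak, long-public "pattern" of the kind the post criticises.
        Indicator("strings:cyrillic", "Russia (generic)", 0.2, published=True),
    ]
    return {i.name: i for i in indicators}

def publish(catalogue: Dict[str, Indicator], name: str) -> None:
    """Record that an indicator has now been disclosed publicly."""
    catalogue[name].published = True

def score_attribution(observed: List[str],
                      catalogue: Dict[str, Indicator]) -> Dict[str, Tuple[float, str, bool]]:
    """Return {family: (score, label, had_unpublished_indicator)}.

    The score sums indicator weights, discounting published ones because they
    are trivially copyable. A 'high' label additionally requires at least one
    indicator that was still non-public when the sample was analysed."""
    totals: Dict[str, float] = {}
    fresh: Dict[str, bool] = {}
    for name in observed:
        ind = catalogue.get(name)
        if ind is None:
            continue  # unknown indicator: contributes nothing
        contrib = ind.weight * (PUBLISHED_DISCOUNT if ind.published else 1.0)
        totals[ind.family] = totals.get(ind.family, 0.0) + contrib
        fresh[ind.family] = fresh.get(ind.family, False) or not ind.published
    result: Dict[str, Tuple[float, str, bool]] = {}
    for family, score in totals.items():
        if score >= HIGH and fresh[family]:
            label = "high"
        elif score >= MEDIUM:
            label = "medium"
        else:
            label = "low"
        result[family] = (round(score, 2), label, fresh[family])
    return result

def demo() -> Tuple[Dict[str, Tuple[float, str, bool]], Dict[str, Tuple[float, str, bool]]]:
    """Score one constructed sample before and after the NSO indicators go public."""
    cat = build_catalogue()
    sample = ["process:setframed", "residue:cascadefail-leftover-row", "strings:cyrillic"]
    before = score_attribution(sample, cat)
    publish(cat, "process:setframed")
    publish(cat, "residue:cascadefail-leftover-row")
    after = score_attribution(sample, cat)
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("before disclosure:", before)
    print("after disclosure: ", after)
```

Run as a script it prints the NSO family at 1.2 (“high”) before disclosure and 0.3 (“low”) afterwards, with the Cyrillic-strings indicator never rising above “low”. The design choice worth noting is the `fresh` flag: a catalogue that tracks disclosure state is what lets an analyst say, as Citizen Lab did, that a match is meaningful precisely because the indicator had not been published, and it is also what tells the same analyst to stop treating that indicator as decisive once the report is out.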
So that’s really the interesting part of this story. In many ways, it’s just the latest in a seemingly endless string of hacker-for-hire exploits sold to another foul government and used against an activist. But the fact that this got attributed to NSO Group based on technical pattern recognition makes this the kind of story that could be a harbinger of many more NSO Group pattern recognition stories to come. Some of them might be real NSO Group stories and some where NSO Group was set up. Either way, it should be fun to watch. Except not so much fun for all the new victims.
And that brings us to another grimly interesting aspect of pattern recognition being used to attribute highly sophisticated and targeted malware of this nature: A key issue with the prevailing “pattern recognition” attribution regime that seemed to always find a pattern from Russia, Iran, China, or North Korea was how it was almost designed to encourage outside actors to join in on the fun. Just put in some stupid ‘Russian’ patterns like Cyrillic characters and let Russia take the blame. It encourages hacking that fits ‘the pattern’. And what’s the pattern in this case? Highly targeted hacks of prominent victims and activists using powerful zero-click exploits. Do folks want more of those?
So while it looks like Citizen Lab probably made the right call on this particular case of NSO Group “pattern recognition”, it’s going to be important to keep in mind that if we end up seeing a flood of copycat NSO Group malware stories based on similar patterns, that may not just be an NSO Group story. There’s a lot of competition in the global cybermercenary industry. Some might say too much competition:
“Citizen Lab said it was able to make a “high-confidence attribution” that the exploit had been created by NSO Group because they observed “multiple distinctive elements” in the spyware. An exploit is a technical vulnerability that allows spyware to infect a phone, and the code of the exploit discovered by Citizen Lab contained a specific bug that the researchers had only ever associated with NSO Group’s Pegasus in the past.”
We’re getting a peek at how the sausage is made. This was a high-confidence attribution made based on technical details tied back to previous hacks associated with Pegasus. The key terrifying feature this malware shares with a number of hacks associated with this mercenary hacking industry is the fact that it’s a zero-click hack that infects your phone whether you realize it or not. If it wasn’t NSO Group, it was another group with cutting-edge capabilities...willing to sell to Saudi Arabia:
And note that when we read about NSO Group dropping Saudi Arabia as a client in the wake of the Jamal Khashoggi killing, recall how NSO Group then changed ownership and once again took Saudi Arabia as a client. So that would actually be another data point pointing towards NSO Group: it’s as if the company is obliged to supply the Saudis with super spyware:
And NSO Group probably isn’t the only ‘commercial surveillance vendor’ the Saudis are getting their zero-click super-spyware from. Again, NSO Group has competitors.
Now here’s the Citizen Lab report itself giving us more details on what the malware does and how they made the attribution. The attacker sends a PDF disguised as a GIF that triggers an integer overflow vulnerability in Apple’s image rendering library, allowing for arbitrary code execution. A nightmare bug. And they’re highly confident this was NSO Group behind this nightmare bug based on the shared piece of non-deleted database evidence and the shared “setframed” process name. NSO Group got slightly sloppy:
“Citizen Lab forwarded the artifacts to Apple on Tuesday, September 7. On Monday, September 13, Apple confirmed that the files included a zero-day exploit against iOS and MacOS. They designated the FORCEDENTRY exploit CVE-2021-30860, and describe it as “processing a maliciously crafted PDF may lead to arbitrary code execution.””
Better watch out for the .gifs that are actually PDFs. Arbitrary code execution could be the result. Yikes! It’s certainly the kind of exploit that sounds like something NSO Group would be behind. And when it comes to this specific attribution, the pattern recognition based on two key pieces of technical evidence tying it back to NSO Group really does seem to be pretty solid evidence. The problem will be if the same clues are used in the future to tie hacks back to NSO Group. Anyone can make their malware leave behind these pieces of evidence. In other words, done right, the pattern recognition approach is kind of a one-off for a given pattern. Or at least until you share the pattern:
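Two defensive checks follow directly from the description of the exploit above: a file whose extension says GIF but whose bytes say PDF should never reach an image decoder, and a decoder should check that the pixel-buffer size it is about to compute from a header cannot wrap before it does any fixed-width arithmetic. The block below is an added example written for this post, not Apple’s or Citizen Lab’s code, and it makes no claim about how the real bug in Apple’s library works. The GIF and PDF magic bytes and the GIF header layout are taken from those formats’ public specifications; the `MAX_PIXEL_BYTES` policy value, the function names and the three sample files are constructed for illustration:

```python
import struct
from typing import Dict, Optional, Tuple

# Leading bytes that identify each format (real signatures from the format specs).
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Largest decoded pixel buffer this (assumed) policy will allocate. It is also
# the largest value a 32-bit unsigned size can hold, so anything above it is
# exactly the kind of product a narrow multiplication would silently wrap.
MAX_PIXEL_BYTES = 2 ** 32 - 1
BYTES_PER_PIXEL = 4  # RGBA

def sniff_type(data: bytes) -> Optional[str]:
    """Return the format whose magic bytes match the start of `data`, or None."""
    for fmt, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    return None

def gif_dimensions(data: bytes) -> Optional[Tuple[int, int]]:
    """Parse the logical screen width and height that follow the 6-byte GIF signature.

    Both are little-endian unsigned 16-bit fields per the GIF specification."""
    if len(data) < 10:
        return None
    width, height = struct.unpack_from("<HH", data, 6)
    return width, height

def inspect_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Report extension/content mismatch and, for GIFs, an unsafe buffer size."""
    declared = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if declared == "jpg":
        declared = "jpeg"
    actual = sniff_type(data)
    report: Dict[str, object] = {
        "declared": declared,
        "actual": actual,
        # Only flag a mismatch when we positively identified the real format.
        "mismatch": actual is not None and actual != declared,
        "oversized": False,
    }
    if actual == "gif":
        dims = gif_dimensions(data)
        if dims is not None:
            width, height = dims
            # Python integers do not wrap, so this comparison is exact; a C
            # decoder has to do the equivalent check with overflow-safe math
            # before it trusts width * height * bpp as an allocation size.
            report["oversized"] = width * height * BYTES_PER_PIXEL > MAX_PIXEL_BYTES
    return report

# Constructed sample inputs (not real malware): a benign 1x1 GIF header, a PDF
# carrying a .gif extension, and a GIF header declaring 65535x65535 pixels.
SAMPLE_GOOD_GIF = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00" + b";"
SAMPLE_PDF_AS_GIF = b"%PDF-1.7\n% constructed sample, no real content\n"
SAMPLE_HUGE_GIF = b"GIF89a" + struct.pack("<HH", 0xFFFF, 0xFFFF) + b"\x00\x00\x00" + b";"

def run_samples() -> Dict[str, Dict[str, object]]:
    """Inspect the three constructed samples and return their reports by label."""
    return {
        "good": inspect_attachment("photo.gif", SAMPLE_GOOD_GIF),
        "pdf_as_gif": inspect_attachment("photo.gif", SAMPLE_PDF_AS_GIF),
        "huge": inspect_attachment("photo.gif", SAMPLE_HUGE_GIF),
    }

if __name__ == "__main__":
    for label, report in run_samples().items():
        print(f"{label:11s} {report}")
```

Running it shows the PDF-with-a-.gif-name flagged as a mismatch (declared gif, actual pdf) and the 65535×65535 header flagged as oversized, since 65535 × 65535 × 4 is well beyond what fits in 32 bits, while the benign sample passes both checks. Content sniffing at the gateway is the cheap layer; the size check is the one that belongs inside any decoder that converts header fields into an allocation.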
So we’ll see if more types of super-malware are discovered, whether or not they contain these technical details, and whether they get attributed back to NSO Group. But while it’s hard to have much sympathy for the company being set up to take the blame for other hackers, the fact that every hack misattributed to NSO Group is a cover story for another hacker, quite possibly one of NSO Group’s competitors, is actually worth keeping in mind. Competitors with client governments feeling extra emboldened too.
The deluge of NSO Group-related stories does not appear to be letting up any time soon. We just got a report on another instance of a rogue undemocratic government using the spyware on journalists. This time, it’s Viktor Orban’s rogue undemocratic government of Hungary, making this just the latest EU-related NSO Group story. Recall the recent reports on Germany’s federal police also obtaining NSO Group tools.
But while the story out of Germany was about the acquisition of spyware tools that are ripe for abuse, the story out of Hungary is about actual identified abuses. Specifically, an investigation by Direkt36 — an investigative media outlet and member of the Pegasus Project consortium — discovered signs of the Pegasus spyware on the phone of Budapest-based photojournalist Dániel Németh. The hacks took place at some point in July 2021, while Németh was reporting on the whereabouts of Lorinc Mészáros, a former gas fitter who has become one of Hungary’s richest men in the past few years. Mészáros also happens to be a childhood friend of Orban and once attributed his success to “God, luck and Viktor Orbán”.
And it’s that twist — that a journalist who was tracking a close personal friend of Orban got hacked — that raises one of the obvious questions about this entire business model of selling super sophisticated spyware to governments around the world: given that most governments are run by people who are personal friends or business partners with the most powerful private interests in the nation (or the world), what’s to prevent those associates from asking the government to target a particular individual on their behalf? As we’ve seen, NSO Group’s go-to defense when faced with accusations about the abuse of its spyware is to point out that the company itself has no information on how its spyware is used. In other words, there’s basically no safeguard against a government running hacks on behalf of powerful friends of the government. It’s up to the integrity of the government itself. And as we’ll see, in the case of Hungary, the intelligence services can order surveillance with no judicial oversight, only the signature of the minister of justice, in cases where ‘national security is at stake’.
Let’s also keep in mind that there’s nothing ensuring governments are only running special favor hacks for the powerful people in that country. Anyone around the world with connections to the government could potentially ask for such a favor. So with Viktor Orban having successfully transformed Hungary into a kind of global far right networking hub, the question of who may be asking Orban for special hacking favors is far from obvious. Heck, Tucker Carlson could probably call in a favor with Orban at this point. That’s the bigger story here. It’s a facet of the NSO Group story that the globe has yet to even recognize, let alone address:
“A security officer formerly with one of Hungary’s intelligence services told Direkt36 that, according to his knowledge, Hungarian services started using Pegasus in 2018. The Hungarian government has not denied that it uses Pegasus, nor did it deny the surveillance of the people Direkt36 has reported about.”
Hungary isn’t even denying it. Nor are they citing a ‘national security’ interest. You have to wonder if that’s part of a tactic to intimidate journalists and let them know they can expect to be hacked, or if it’s just a reflection of Orban’s sense of impunity. Either way, it’s pretty clear Orban’s government intends to keep extremely close tabs on Németh’s whereabouts and communications. They literally hacked an older phone the day after it was activated:
And note how the government doesn’t even bother to explain why Németh was hacked, despite not denying it happened. That’s all part of why it’s hard to avoid suspicions that this was anything other than a favor by Viktor Orban for a wealthy and powerful friend who happened to be the target of Németh’s investigation:
Keep in mind it’s possible Orban ordered the surveillance on his own, without Mészáros requesting it. After all, if Mészáros made his fortune due to Orban’s will, odds are there’s some incredible graft that goes along with that story. Orban probably has a lot of Mészáros-related activities he’d prefer remain out of sight. But, again, while we have no idea who actually ordered the hacks and why, what we do know is that the system is perfectly set up to enable private ‘favor’ abuses. Because we know there’s virtually no oversight of how these tools are used. NSO Group makes that clear in its public ‘defenses’ every time one of these abuse stories hits the wires. It’s solely up to the government client whether or not abuses take place and whether or not those abuses are done for government interests or private interests:
How many of Orban’s friends around the globe have quietly asked for hacking ‘favors’ of this nature? That probably depends to some extent on what types of geolocation restrictions NSO Group imposed on Hungary’s contract. Recall how NSO Group will grant a client permission to hack phones from particular countries, but while we’ve been told that phones from a few countries like the US are off limits, we’ve never really heard about other geolocation restrictions. In other words, we don’t have a good sense of how much of the rest of the world Viktor Orban’s government could be granted hacking permissions for. Can he only hack inside Hungary? How about neighboring countries? How about distant countries halfway across the world? We have no idea.
But what we do know is that dozens of governments around the world are NSO Group clients, so if someone wants to hack you, odds are there are multiple governments out there with permissions from NSO Group to do exactly that. And while we don’t know if governments around the world are carrying out hacking ‘favors’ for powerful private interests using NSO Group’s tools, we can be confident the company is doing absolutely nothing to prevent it, because it’s doing absolutely nothing to prevent any client abuses, whether or not that government client is conducting the hack for its own purposes or on behalf of some powerful private friends. We can be confident of all this because the company keeps reminding us of how it does nothing to prevent abuses every time there’s another abuse story. It’s the kind of corporate alibi that could only leave NSO Group’s guilty clients feeling extra emboldened to get guiltier.
Here’s a story related to the Microsoft Exchange mega-hack that could end up becoming part of the January 6 Capitol insurrection story. Or perhaps become part of just another GOP corruption scandal. We’ll see, but it’s the kind of hacking story that has immense potential to go in a lot of different directions, given that the victim in this story happens to be the GOP. And when a notoriously corrupt entity gets hacked, it’s safe to assume the hackers are in possession of at least some evidence of that corruption. Nothing tells the tale of wrongdoing quite like an email trail.
Specifically, the Republican Governors Association (RGA) announced that it was a victim of the Exchange server hack first announced in March of this year. The RGA said it was hit at some point between February and March of 2021.
The extent of what was stolen is unclear. The group appeared to be minimizing the potential impact by implying only a small portion of its email environment was accessed: “RGA determined that the threat actors accessed a small portion of RGA’s email environment between February 2021 and March 2021, and that personal information may have been accessible to the threat actor(s) as a result.”
It’s the kind of vague assurance that could mean almost anything. After all, by what metric are they measuring a “small portion of the RGA’s email environment”? Keep in mind the nature of the Exchange hack, where hackers have the potential not just to steal the emails stored on the Exchange server but to take control of the computer hosting the Exchange server itself and spread across the victim’s network. The scale of the potential damage is so vast that there’s no meaningful way to interpret what “a small portion of RGA’s email environment” actually means in a technical sense. For all we know it’s just the RGA’s way of sugarcoating the damage by vaguely pointing out that only the emails were stolen and the rest of their network wasn’t ransacked. We’re left to guess, but we know at least some information was stolen.
Beyond that, we can be pretty confident about the content of any stolen emails. At least some of them. This was February, after all, when the ‘stolen election’ and state election audits would have been front and center for the entire Republican Party, more so than even today. So what did the hackers actually get their hands on? We’re told some people had sensitive personal information like Social Security numbers stolen, but what about sensitive, embarrassing emails revealing the intra-party struggle over how to proceed with the ‘stolen election’ narrative that was taking place inside the RGA at the time? There’s no indication such emails were obtained, but we wouldn’t expect an indication if they were. At least not from the RGA. If we’re going to receive any indication the hackers stole embarrassing or sensitive emails, it’s the hackers who are going to reveal it.
Adding to the political dynamic here is the fact that Microsoft and the US government have already attributed the Exchange hack to a state-backed Chinese hacker group, Hafnium. At least the initial Exchange hack that reportedly started on or around January 6. Recall how we are told that “Hafnium” was quietly exploiting the vulnerability from early January up until March, when the vulnerability was announced by Microsoft and criminal hacker groups apparently then went on a global spree hitting virtually every remaining vulnerable Exchange server connected to the internet. So based on that timeline and the fact that the RGA hack took place in February, this suggests the RGA was hit by the initial Hafnium hacker group.
So while the attribution of the original hack to a state-backed Chinese hacking crew never appeared to be based on any evidence and instead appeared to be the latest instance of a cyberattribution being conveniently made out of thin air, the fact that it was officially attributed to China is the kind of fun fact that potentially plays into the GOP’s whole ‘Chinese hackers stole the election from Trump’ narrative. A narrative the RGA was probably still hammering out during the time those emails were stolen.
How will the attribution to Chinese hackers play into how this hacking story plays out? That presumably depends a lot on whether or not this becomes a bigger story which, in turn, likely depends on whether or not the hackers end up exposing some of those stolen emails and whether or not the emails happen to be scandalously embarrassing:
“Following an investigation started after March 10, “RGA determined that the threat actors accessed a small portion of RGA’s email environment between February 2021 and March 2021, and that personal information may have been accessible to the threat actor(s) as a result.””
The hackers just accessed a small portion of the RGA’s email environment, and maybe some personal information was stolen. It’s a remarkably downplayed statement. Nothing to worry about beyond concerns about stolen Social Security or credit card information. But, of course, for an organization like the RGA, credit card and Social Security information isn’t the kind of sensitive information they have to worry about.
It’s also rather notable that the RGA isn’t yet making hay about the alleged Chinese origin of the hack. Isn’t this kind of thing free propaganda? Why isn’t more being made of it? Instead, we get this vague, terse statement about some possible stolen personal information from a small portion of the Exchange environment.
It raises the question of how we might expect the RGA to react if it did indeed determine that highly embarrassing emails were stolen. Would we expect them to preemptively go on the offensive and make a huge story about Chinese blackmail in order to mitigate the possible future damage? Or would we expect the kind of downplayed response we actually got? That’s the big question raised by this story. When the GOP passes up an opportunity for bombast and bluster we have to ask why.
Here’s a pair of articles about another emerging NSO Group-related scandal. It’s the kind of scandal that underscores what is perhaps the greatest danger of the explosion of this global marketplace for cutting-edge spyware sold to governments: beyond the fact that there’s no guarantee the spyware is going to be used exclusively for legitimate government interests, there’s also no guarantee the spyware is going to be used by the governments themselves. As NSO Group reiterates every time there’s a new scandal about a client abusing its toolkits, the company isn’t tracking who its clients target. And that means there’s nothing to prevent those government clients from lending these tools out to private interests. As we saw with the story of a Hungarian journalist who had his phone hacked with Pegasus in what appeared to be retaliation for his reporting on one of Viktor Orban’s close friends, there really doesn’t appear to be any control over how these tools are actually used, or on whose behalf.
And that brings us to the following reports of a letter sent by Mexico’s president to the Israeli government asking for the extradition of a former top Mexican security official, Tomás Zerón, who fled to Israel in August 2019. It’s suspected Zerón has connections to NSO Group. Recall how Mexico was NSO Group’s first foreign client starting back in 2011.
Yes, NSO Group’s first foreign client is asking Israel to extradite Mexico’s former top security official, who also happens to have ties to NSO Group. It raises the obvious question of whether or not Zerón fled Mexico for reasons having to do with Mexico’s purchase of NSO Group’s Pegasus spyware.
So what are the charges against Zerón? They appear to focus on the role Zerón played in overseeing the criminal investigation agency of the Attorney General’s Office. In particular, Zerón’s oversight of the forensic work done on the investigation of the 2014 disappearance and murder of 43 Mexican college students. The students all hailed from a training college with a history of left-wing activism and reportedly took part regularly in protests. The students were traveling back to their college when they were confronted by municipal police who opened fire on the buses. 43 students vanished after the clash and are suspected of having been handed over to local drug cartels by the police officers. Zerón’s investigation had long been criticized by the families of the students. Two independent teams of experts have cast doubt on the insistence of Mexican officials that the students’ bodies were incinerated in a huge fire at a trash dump. Additionally, many of the suspects arrested in the case were later released, but claimed they had been tortured by police or the military. So the overall investigation into Zerón focuses on what is now believed to be an intentionally botched investigation that literally tortured witnesses as part of the corrupt cover-up.
It’s a genuinely horrific case pointing to the depths of the corruption inside the Mexican government. But it also demonstrates the depths of the ties between the Mexican government and the drug cartels that Mexico was ostensibly allowed to buy NSO Group’s Pegasus software to combat. That’s why we have to ask: is the government of Mexico sharing Pegasus with the cartels it’s in bed with? And why aren’t similar questions valid for every other corrupt government with access to these tools?
But as we’re going to see in the second article excerpt below from the Daily Beast, the suspicions that NSO Group’s tools could have been shared with drug cartels aren’t just circumstantial. Because it turns out there’s a Mexican drug cartel connection in the story of how NSO Group first got Mexico as a client back in 2011. Yep!
And there’s a rather wild twist to this story. The kind of twist that, at this point, shouldn’t really be all that surprising: one of the figures who played a key role in connecting the Mexican government to NSO Group was none other than Elliott Broidy. It’s a name that’s become increasingly familiar as the guy has managed to pop up in connection with almost every Trump-related scandal over the past four years. For example, recall how Broidy, the former finance chair for the RNC, has simultaneously been operating as a foreign agent. Broidy worked closely with George Nader as foreign agents for the UAE and Saudi Arabia and was deeply enmeshed in many of the under-investigated aspects of the 2016 Trump campaign shenanigans. Also recall how Nader, Erik Prince, and PsyGroup’s Joel Zamel were involved in a secret Saudi/UAE-funded effort to help get Donald Trump elected in 2016 via tactics like social media manipulation campaigns. Broidy, like his partner Nader, really is an international man of mystery. The kind of sordid, scandalous mystery fitting for a story about corrupt Mexican spyware deals.
And as we’re going to see, Broidy’s history of sordid mysteries includes the mystery of the role he played in facilitating Mexico’s first NSO Group contract back in 2011. Broidy continues to deny he played any role at all and that any such talk is libelous. He wants no part of it. Perhaps because, in the end, it sounds like he was ultimately robbed of being part of the final deal after his partner in the deal discovered Broidy was planning on going behind his back and creating a separate deal. It was a tri-middle-man deal: Broidy, his former employee Matan Caspi — whose Israeli technology export company had already signed up to help export NSO Group’s technology when he reached out to Broidy about Mexico — and “Mr Lambo” Jose Susumo Azano Matsura. Azano is the middle-man on the Mexican side. He owned the technology company that ended up getting the NSO Group license for Pegasus. It was Azano’s company that licensed Pegasus to the Mexican military.
Azano also happens to have apparent ties to Mexican drug traffickers and was under FBI investigation in relation to that less than a decade before they were putting together this deal. And while Broidy was ultimately cut out of this tri-middle-man arrangement, Azano wasn’t. His company got the power to issue Pegasus licenses in Mexico, which raises basic questions like whether or not his company had access to the software itself. Was Azano’s company effectively acting as a proxy overseer of how Pegasus was being used? We have no idea, and NSO Group isn’t saying whether or not it has similar middle-man deals with other client states. But whether or not Azano’s company somehow played a role in making Pegasus available to Mexico’s drug cartels, it isn’t really necessary. Mexico’s government is clearly in bed deeply enough with the cartels that it’s probably ready and willing to just operate Pegasus on the cartels’ behalf. They’re partners. So as we watch to see how the Mexican extradition request of Tomás Zerón plays out and whether or not new insights are learned about the slaughter of those students, it’s going to be worth keeping in mind that this might be an NSO-related story for more reasons than just the fact that Zerón fled to Israel and happens to know the NSO Group founders. It’s a story about the Mexican government being deeply in bed with the drug cartels at the same time NSO Group was selling Mexico the kind of super spyware cartels would most definitely kill for:
“The supposition is that Zerón and others tortured witnesses, illegally detained suspects and mishandled evidence to try to bring the investigation to a quick conclusion or cover up what really happened.”
It’s not hard to see why Zerón is a prime suspect here. Not only were the students initially attacked by the police, but the witnesses were allegedly tortured. It was the worst kind of cover-up. And then he fled the country. As the saying goes, it’s the cover-up, not the crime. But when the cover-up is this openly violent and corrupt, it’s also still very much the crime. Something horrid remains hidden. A relationship between the Mexican government and drug cartels that’s probably even worse than suspected:
And while there’s not yet any direct connection between the 2014 slayings of those 43 students and Mexico’s NSO Group contract, it’s hard to ignore the fact that Zerón had the kind of job that would have likely given him access to Pegasus, is known to have ties to the founders of NSO Group, and ended up fleeing to Israel. It’s the kind of constellation of facts demanding that we ask what the NSO Group angle is to the slayings of those 43 students.
And that brings us to the following Daily Beast story from a couple months ago describing the previously unknown role played by Elliott Broidy in brokering the initial NSO Group contract with Mexico. One of three middle-men between NSO Group and the Mexican government. Broidy’s former employee Matan Caspi reached out to him in 2010 on behalf of Caspi’s Israeli technology export company hoping to use Broidy’s contacts in Mexico to export Pegasus. Broidy pointed him towards “Mr. Lambo” Jose Susumo Azano Matsura, whose company, Security Tracking Devices SA de CV, ended up getting the exclusive right to sell NSO Group licenses in Mexico. Azano then licensed it to the Mexican military for a higher price. That’s the original tri-middle-man relationship. The fact that Azano had been under US investigation in association with Mexican drug traffickers less than a decade earlier wasn’t a dealbreaker.
But Broidy apparently never got his cut, after he tried to cut Caspi out of the deal and Caspi cut him out first. At least that’s what various parties claimed in a lawsuit that erupted over the kickbacks in 2015. Broidy claims he knows absolutely nothing about NSO Group or any of this and it’s all lies:
“The documents do, however, raise troubling questions about the Israeli spyware maker’s recent claim that its products are intended for “the sole use of thoroughly vetted and approved governmental agencies charged with maintaining public safety and security.” Broidy’s contact in Mexico—a man nicknamed “Mr. Lambo” for his love of Italian sports cars—later served time in a U.S. federal prison for making illegal foreign contributions in an American election. A document filed by federal prosecutors in San Diego revealed that “Mr. Lambo” was investigated by U.S. authorities for a host of other crimes for which he wasn’t charged, including drug smuggling.”
Elliott Broidy sure knows a lot of interesting people. People like “Mr. Lambo”, his contact in Mexico. This is how Broidy was playing the middle-man role: Broidy had the contacts in Mexico and NSO Group. And playing such a middle-man role in international business isn’t necessarily scandalous. But when you’re in the middle of a peddler of super spyware like NSO Group on one side and a billionaire businessman, Jose Susumo Azano Matsura, with a history of being under US investigation related to Mexican drug trafficking on the other side, that’s when being a commercial middle-man becomes much more scandalous. Broidy was the matchmaker that set up a particularly dangerous relationship. Especially dangerous to the people of Mexico if Azano’s suspected drug cartel associates ever got access to something like Pegasus:
What should have added to everyone’s concern at the time is the fact that NSO Group wasn’t even directly licensing Pegasus to the Mexican government. It was licensing it to Azano’s company, which proceeded to re-license it to the Mexican military for a higher price. A great arrangement for arranging everyone’s kickbacks. And who knows what kind of freedom this arrangement gave Azano to quietly distribute Pegasus to other parties. It’s a highly suspicious arrangement for a lot of reasons:
Another reason Elliott Broidy has to deny any association with NSO Group is that it didn’t sound like he was simply a middle-man looking for a finder’s fee commission. He was operating as an NSO Group representative, along with Matan Caspi — Broidy’s former employee who returned to Israel to co-found Rayzone Group, an Israeli cybersecurity firm that offers “boutique intelligence-based solutions for national agencies” — and Caspi’s partner. Broidy was likely set up to get a serious commission. Those are Caspi’s allegations in the lawsuit that broke out between the different people involved with this sale. Again, Broidy has a lot of reason to deny knowing anything about this:
But, in the end, Broidy was locked out. After he apparently got greedy and tried to create a direct relationship with NSO Group. In other words, Caspi was playing a middle-man role too. Broidy and Caspi were each other’s middle-men, with Azano playing a third middle-man role of sorts. Quite a deal. And Broidy tried to cut out one of the three middle-men, but the middle-man found out and cut Broidy out first instead. It’s hard to have much sympathy based on the available facts. Recall that we are told Caspi was the one who approached Broidy about this whole thing:
Given that history of how Mexico’s notoriously corrupt government became NSO Group’s first foreign client, and given the story of the Mexican government’s extradition request for Tomás Zerón, who was known to be close to the founders of NSO Group, it’s worth asking what the odds are that the story of Zerón’s cover-up investigation of the slaughter of those students happens to include an angle involving the corrupt use of Pegasus on those students. Don’t forget, these were activist students who were slaughtered. For the municipal police to attack those buses and hand the kids over to drug cartels to be slaughtered, they presumably had a reason to want at least some of those kids very dead. Pegasus spyware on the phones of these activist students would have been a very convenient way for corrupt parties to acquire a reason to want to see some of them very dead. It raises the grim question of whether or not those students were about to break a big story on some sort of deep corruption between the police and cartels. Were these students Pegasus targets before the slaughter? We don’t know, but based on the CitizenLab Pegasus investigation we know Pegasus was used against top Mexican lawyers, journalists and anti-corruption activists. Maybe by corrupt police? Maybe by cartels that got their hands on the super-spyware from those corrupt police? Or maybe they got it through their connections to Azano’s middle-man Pegasus distribution company? Who knows. We just know we have every reason to suspect that, yes, Pegasus could have been used on these students. It’s been that kind of situation in Mexico since 2011:
So that’s all part of what makes the story of the Tomás Zerón extradition request something to watch. Zerón is clearly deeply implicated in the wildly scandalous sham investigation of the 2014 activist student slaughter. And, circumstantially speaking, those students appear to fit the profile of the kind of people known to be targeted by Pegasus. They certainly sound like anti-corruption activists. The whole sequence of events that led up to the attack on the student convoy involved the traditional student practice of temporarily commandeering buses from Iguala, intended to be driven back to the rural college to take the students to a march in Mexico City commemorating the 1968 Tlatelolco student massacre.
Is there a Pegasus abuse angle to the story of the 2014 student slaughter? We’ll see if the extradition request for Tomás Zerón and Zerón’s ties to NSO Group end up leading to the asking of that question. It’s possible there’s no Pegasus angle at all to the slaughter of those students. One theory is that the students inadvertently commandeered a bus containing police-protected heroin intended to be shipped to Chicago. Under that scenario, it would just be bad luck that triggered the events. Hopefully one day we get some clarity on what actually happened. But regardless of what actually happened in that case, the fact of the matter is the slaughter of those students happened during a period when the Mexican government had access to nearly unstoppable spyware while it was in bed with drug cartels.
And that’s just Mexico. A similar situation probably exists between the rest of NSO Group’s government clients and those clients’ shadiest and most powerful criminal friends. In countries where you can’t separate the underworld from the overworld there’s no realistic way to keep something like Pegasus out of the wrong hands. Mexico is just an early example of what must be going on all over the world thanks to the explosion of the super-spyware global marketplace over the last decade.
Oh, and it’s worth pointing out that Elliott Broidy has a close working relationship with A LOT of other known NSO Group clients. Mexico was NSO Group’s first foreign client. So the guy that got iced out at the last minute of the Mexico deal under what appears to be shady circumstances (initiated by Broidy’s greed to cut out Caspi), also happens to have spent much of the last decade working as a foreign agent for a whole bunch of other very eager NSO Group clients. Did Elliott Broidy get to play middle-man for any of those other countries? Let’s hope investigators somewhere end up investigating that question. Elliott Broidy doth protest waaay too much on this one.
Oh look, another mega-hack. Yep, an obscure company few have ever heard of just quietly let the world know that potentially billions of people had their private information stolen. A LOT of private information potentially. So much so, one privacy expert suggested the hackers could know more about you than your doctor. The hackers could have accessed metadata such as length and cost, caller and receiver’s numbers, the location of the parties in the call, as well as the content of SMS text messages. Information on who you called, when you called, where you called from, how long you called. Plus text message content. It’s a remarkable data profile on almost any individual.
And thanks to that text message access, the hackers can potentially interfere with 2‑factor authentication schemes. That means they could have had indirect access to internet accounts protected with SMS 2‑factor authentication like Google, Microsoft, Facebook, Twitter, and Amazon. That’s why this is potentially such a massive hack.
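The weak link described above is that the second factor itself travels over the SMS network, so anyone with access to message content sees the login code. The standard mitigation is a time-based one-time password (TOTP, RFC 6238): the shared secret is exchanged once at enrollment, the code is computed on the device, and nothing is sent to the user at login, so a compromise of the messaging path has nothing to read. The following Python verifier is an added example, not code from the article or from any of the companies it discusses; the secret and timestamps in the test are the RFC 6238 reference values, and the replay bookkeeping (refusing a code for a time step already accepted) is an added hardening assumption, not something the article describes.

```python
import hashlib
import hmac
import struct
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (at // step)."""
    return hotp(key, at // step, digits, digestmod)


class TotpVerifier:
    """Server-side verifier with a small clock-drift window and replay rejection.

    The shared secret is provisioned once (e.g. via a QR code at enrollment). At
    login time the server only compares the submitted code against what it computes
    itself; no one-time code is ever transmitted to the user.
    """

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key = key
        self.step = step
        self.digits = digits
        self.window = window          # accept +/- this many time steps of clock drift
        # Highest time-step counter already accepted. A code for that step or any
        # earlier step is refused, so a code observed in transit cannot be replayed.
        self.last_accepted: Optional[int] = None

    def verify(self, candidate: str, at: int) -> bool:
        if len(candidate) != self.digits or not candidate.isdigit():
            return False
        base = at // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if self.last_accepted is not None and counter <= self.last_accepted:
                continue                # already used (or older): replay, reject
            expected = hotp(self.key, counter, self.digits)
            # Constant-time compare so response timing does not leak matching digits.
            if hmac.compare_digest(expected, candidate):
                self.last_accepted = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 reference secret (ASCII "12345678901234567890") and timestamp 59.
    rfc_key = b"12345678901234567890"
    print("TOTP at T=59, 8 digits:", totp(rfc_key, 59, digits=8))  # 94287082 per RFC 6238
    v = TotpVerifier(rfc_key)
    code = totp(rfc_key, 1000)
    print("first use accepted:", v.verify(code, 1000))
    print("replay accepted:", v.verify(code, 1000))
```

The window lets a device whose clock is up to one step off still log in, while `last_accepted` guarantees each time step is consumed at most once. A production deployment would persist `last_accepted` per user and rate-limit failed attempts; both are left out here to keep the mechanism visible.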
That’s the news from Syniverse, a company that handles billions of text messages for telecommunications companies across the world. Ninety-five of the top 100 mobile carriers in the world, including the big three U.S. ones (AT&T, Verizon, T‑Mobile), are Syniverse customers. The company informed the world of the hack in documents it filed with the SEC back in August in anticipation of an IPO.
So when did this occur? May of 2016. So whoever did this has had access to this treasure trove of information for over 5 years. And, again, we only learned about this from the company’s SEC filings in anticipation of going public. In other words, the company was put in a position where it kind of had to disclose to the public the existence of this hack. It would be pretty scandalous to conduct an IPO without revealing that. Who knows how long this would have remained under wraps had the company not been forced to disclose it to the SEC.
It also all raises the question of who the private owners are that are taking this company public: Carlyle Group. The private equity firm purchased Syniverse in 2011 for $2.6 billion. As we’ll see in the second excerpt below, Carlyle intends to remain a minority shareholder following the IPO.
So one of the largest hacks ever took place in 2016. We have no idea when Syniverse actually discovered the hack, and are only learning about it now, five years later, in a quiet SEC filing the company issued back in August in anticipation of going public. Brought to you by the Carlyle Group:
““With all that information, I could build a profile on you. I’ll know exactly what you’re doing, who you’re calling, what’s going on. I’ll know when you get a voicemail notification. I’ll know who left the voicemail. I’ll know how long that voicemail was left for. When you make a phone call, I’ll know exactly where you made that phone call from,” a telecom industry insider, who asked to remain anonymous as he was not authorized to speak to the press, told Motherboard in a call. “I’ll know more about you than your doctor.””
Syniverse knows more about you than your doctor. Ninety-five of the top 100 mobile carriers in the world, including the big three U.S. ones, use Syniverse. And now whoever hacked Syniverse potentially knows all that information too. On potentially billions of people. Since May 2016. Beyond that, the hack potentially allowed for the interception of texting-based 2‑factor authentication systems (where a web service sends your phone a one-time pass key to log in). It’s the kind of hack that could be perfect for gaining access to major internet services like Google, Microsoft, Facebook, Twitter, Amazon. That’s why the scale of this hack is so stunning. It’s potentially a mega-hack. Another mega-hack:
The hack is also obviously “espionage gold” as Senator Wyden put it, which already has fingers pointing toward a state-sponsored actor. And while it’s certainly possible a state actor was behind this, let’s not pretend that the commercial value of a hack like this isn’t immense. Also note how there are zero clues about the perpetrator so far:
Next, note the assurances from Syniverse: don’t worry too much because no damage has actually been detected. It’s not exactly reassuring. But also keep in mind the nature of this hack: it allowed hackers to collect mobile-phone metadata on people and potentially compromise website credentials, allowing the hackers to access services like Google or Amazon. That’s not necessarily the kind of damage that’s going to leave an obvious evidentiary trail leading back to this hack. In other words, given the nature of this hack, we shouldn’t really expect Syniverse to be in possession of evidence of how the hack was actually used:
Now here’s a quick reminder that the current owners of Syniverse who brought the world this mega-hack, the Carlyle Group, are going to remain minority owners once they’re done taking Syniverse public again:
“The Carlyle Group will also stay on as a minority owner. Two other firms, Oak Hill Advisors and Brigade Capital Management, will invest $265 million through the purchase of stock at below market value.”
Let’s hope the public ownership of Syniverse somehow leads to more effective management now that the Carlyle Group is poised to partially cash out. But whoever ends up owning Syniverse after this IPO is all over has already learned a powerful and important lesson: one of the largest hacks ever can take place on your watch for years, it may have been covered up, and there’s basically no consequence to the owners. That may not be the lesson we want Syniverse’s new owners to take from this whole thing, but it’s hard to see how that’s not the lesson they’re learning right now.
Here’s a pair of articles about NSO Group’s mysterious competitor, Candiru, and the relationship between the two firms as competitors but also possible partners. The first article excerpt also directly relates to the fascinating story of international man of mystery Elliott Broidy and the 2011 role he played in securing NSO Group’s first foreign client, Mexico:
First, recall how NSO Group and Candiru both specialized in mutually compatible hacking products, with NSO Group focusing on smartphone hacks (iPhones and Android devices) while Candiru appears to have a specialty in hacking Microsoft products. Also recall how one of Candiru’s financial backers is NSO Group co-founder Isaac Zack. So it already looked like the two firms are sister-mercenary hacking companies.
Well, the following Haaretz article from September of 2020 describes a lawsuit between Candiru and its vice president of sales from 2015–2018, who is referred to as “S” in the article. S makes a number of conflict-of-interest allegations against Zack, who is not just the chairman of the company but also the chair of the agent committee that oversees the “agent” intermediaries in client countries who facilitate the transactions. Agents who receive 15% commissions, according to documents filed in the case. Recall how the NSO Group sale to Mexico in 2011 that Elliott Broidy was involved with included the “Mr. Lambo” Mexican businessman who was basically acting as an intermediary along with Broidy. It really does sound like S was playing a Broidy-like role for Candiru, hooking the company up with governments. And for significant commissions. 15% is potentially tens of millions of dollars for S based on the revenues also cited in those documents.
The lawsuit appears to center around commissions S feels they are still owed. The anonymous “S” claims Candiru had no clients and was only in two negotiations when he joined at the end of 2015. By the beginning of 2016, Candiru had “a large number of deals in the advanced stage with clients in Europe, the former Soviet Union, the Persian Gulf, Asia and Latin America.” In other words, “S” is claiming they showed up and brought in a large number of deals that were rapidly moved to advanced stages in a matter of months. And this figure stayed on until 2018. So “S” is presumably someone involved with a large number of Candiru’s client deals.
You have to wonder about the identity of “S”. How connected are they? That’s like Elliott Broidy-league shady connections, but “S” doesn’t appear to be Broidy. Who was able to show up at Candiru and generate high-end offensive cyber-sales to countries around the globe? We don’t know, but whoever they are they are pissed about how they were treated for their stellar cybersales performance. So if what “S” is claiming is true, it’s possible for a new super-spyware company to go from zero clients to clients around the world almost overnight. S did it. Yikes.
S points to Zack’s obvious conflict of interest in overseeing sales of Candiru’s products given Zack’s ownership of shares in NSO Group at the time. Recall how NSO Group’s ownership changed hands in 2019 following the Jamal Khashoggi assassination, suggesting Zack’s ownership in NSO Group may have ended at that point.
But S’s conflict-of-interest accusations against Zack go much deeper and point at the synergistic nature of Candiru’s and NSO Group’s strengths: NSO Group specializes in hacking smartphones and Candiru specializes in Microsoft products. Governments have a strong incentive to hire both firms. But as we’ve seen, Candiru has also been moving into non-Microsoft hacks, like Chrome hacks. S claims Candiru decided in 2017 to develop non-Microsoft hacks for smartphones — NSO Group’s territory — but Zack suddenly blocked the sales and marketing of those new exploits in early 2018. Was Zack protecting NSO Group? That’s the obvious implication of S’s complaint, with the other implication that this ban on non-Microsoft exploits crimped S’s commissions.
Candiru counters that S broke the agent rules protecting against bribery and corruption. This is one of those times where it’s worth noting that both Candiru’s and S’s claims could be true. Zack may really have taken conflicted steps to protect NSO Group’s exploit dominance in the marketplace. And S may have broken the bribery and corruption rules. These aren’t mutually exclusive scenarios:
“The company helps law enforcement and intelligence agencies in various countries hack into computer systems without permission, to conduct surveillance, steal information and even cause damage. But what the company actually does remains largely a riddle. However, a lawsuit filed by a former employee sheds light on some of their operations, which it seems the firm would prefer be kept in the dark.”
If you want to learn about a super-secretive industry, follow the legal disputes. That’s one of the lessons in this story. Because as was the case with Elliott Broidy and the 2011 role he played in NSO Group securing its first foreign client in Mexico, where contract disputes within the multiple-middleman sales team became a key source of knowledge of how the industry operates, we’re seeing the same scenario play out with Candiru. We know nothing about how the company operates outside of what we’re learning in this sales agent contract dispute lawsuit. These companies operate like black boxes. That’s why these lawsuits are so important for our general understanding of this relatively new industry that secretly exploded over the last decade.
And observe how explosive that growth appeared to be for Candiru. It’s what the lawsuit is all about. S claims to be the source of much of that initial growth and was working there from November 2015 to December 2018. So it’s probably unfinished 2018 deals that the suit revolves around:
But it’s the accusations involving Candiru’s largest shareholder, Isaac Zack, that are the most interesting in terms of establishing what the relationship really is between Candiru and NSO Group. Again, NSO Group’s ownership changed hands in 2019 following the Jamal Khashoggi assassination, suggesting Zack’s ownership in NSO Group may have ended at that point. And “S” was at Candiru from 2015 to 2018. So during S’s time at Candiru, Zack was the largest shareholder and sat on the agents committee, but was also a shareholder at NSO Group. Plus, Candiru and NSO Group literally share law firms. And industry observers expect Candiru and NSO Group to eventually merge, due, in part, to their synergistic toolkits. That’s all part of the conflict-of-interest charge S is alleging in the lawsuit. The guy overseeing the Candiru sales team had large investments in one of Candiru’s main competitors. Those are the claims of “S”, who also claims to have brought in enormous numbers of new government clients almost overnight after joining at the end of 2015 and who clearly doesn’t feel like they were adequately compensated:
But it’s S’s claims about Zack’s nixing of the sales of Candiru’s smartphone-targeting malware in early 2018 that are particularly interesting in terms of what’s in store for the future of Candiru and NSO Group. That’s when S alleges the sale and marketing of a newly developed line of “cellular attacks” (smartphone hacks) that Candiru decided to develop in 2017 were halted by Zack. Hacks that more or less overlap with what NSO Group specializes in. Keep in mind that we’ve seen non-Microsoft exploits attributed to Candiru in 2021, so Candiru appears to have gone ahead with the sale of non-Microsoft exploits in the end. But it still points towards the obvious potential synergy of merging these two companies:
It’s worth keeping in mind that, while it’s entirely possible plans for a future NSO Group/Candiru merger were behind Zack’s decision to halt the sales and marketing of Candiru’s smartphone attacks, it’s also possible there’s an active desire to compartmentalize the industry by the types of attack. An oligopoly of monopolies. Like it might be better for one company to specialize in attacking Microsoft products while another specializes in iPhones, etc. There’s the obvious monopoly logic just in terms of competing for precious elite hacker talent. But beyond that there’s the simple fact that the more competition there is in the creation of these elite hacking tools, the greater the rate at which the industry is going to burn through zero-day exploits. There are only so many possible zero-day exploits at any given point, many with redundant purposes, which is why you don’t necessarily want to deploy redundant zero-days at the same time, running the risk that more of your bag of tricks will get discovered unnecessarily. This is an industry where collusion between the competition can create powerful win-win situations.
Interestingly, given how rapidly “S” claims to have developed a large number of deals for Candiru in late 2015/early 2016, Candiru responded to the lawsuit by arguing that “S” was breaking the agent committee rules set up to prevent bribery and corruption. So we have dueling, but not mutually exclusive, pictures. It’s the kind of dueling accusations that raise obvious questions about what sorts of bribery and corruption S was engaged in to secure all those deals. Unfortunately, Candiru doesn’t want to share that publicly and pushed for the trial to be conducted behind closed doors:
Finally, regarding the claims by both Candiru and NSO Group that the malware can’t be deployed in the US, Israel, Russia and China, take a look at the next article from last week about a new report on where Candiru’s malware just showed up:
Four countries are on the do-not-deploy blacklist. But as the following article suggests, it might be more of a greylist. Because Candiru’s malware was just found on computers in Russia and Israel according to the September report by cybersecurity company ESET. They’re described as infected “computers” in the report, suggesting these aren’t smartphones. They might be laptops, which raises the distinct possibility they were hacked outside of these countries. We don’t know. But it’s a reminder that even citizens and residents of declared do-not-hack countries can’t really expect to be protected once they leave their do-not-hack countries:
“ESET researchers, the report says, ‘discovered indications of DevilsTongue malware in our telemetry data, affecting about 10 computers’ in Albania, Russia and the Middle East. The malware was found in Israel, the Palestinian territories, Turkey and other parts of the region.”
Of the 10 computers ESET found with Candiru’s malware, 2 of them came from the do-not-hack countries Candiru claims its malware can’t hack. Maybe these 2 computers were hacked in different countries. We don’t know. What we do know is that any new meaningful insights into how companies like Candiru or NSO Group actually operate — from how they sign up clients to the oversight or lack thereof of those clients after they’re given the super-malware — will likely only be learned from more “agent” lawsuits.
We’ve long been told that the NSO Group’s spyware can’t target US and UK-based phones. But how true is that really? Is this like a built-in safeguard, where the Pegasus spyware automatically prevents the targeting of phones with numbers that start with a ‘+1’ or ‘+44’ (the US and UK country codes)? Or is it a ban purely rooted in policy, where NSO Group merely asks clients not to hack US or UK phones but clients could do so if they chose to? We may be getting an indirect answer to those basic questions about what the NSO Group’s 40+ state-clients are capable of doing with this super-spyware.
Can US and UK government officials get hacked by any of those 40+ NSO Group clients or not? It’s kind of a huge question. After all, think about how the 2016 hack of the DNC and all of the events surrounding that can be reinterpreted when we factor in the possibility that dozens of nation states had the capacity to hack the sh$t out of US political and government figures. We can’t forget that the crown princes of Saudi Arabia and the UAE were literally offering secret political manipulation campaigns to assist the Trump campaign. Political manipulation campaigns that would use the services of elite Israeli IT mercenary firms like PsyGroup. So if that’s what we know they were directly offering the Trump campaign, what about tools like NSO Group’s Pegasus that both the Saudis and UAE had access to? Was that offered to the Trump campaign too in 2016? It’s a question that’s rarely asked in the context of the NSO Group story, and yet if we learn that Pegasus could indeed hack US and UK-based phones it’s hard to see why the possible use of NSO Group spyware in 2016 shouldn’t immediately become a major question.
That’s all part of what makes the unfolding story about the ruler of Dubai’s hack of his estranged ex-wife potentially such a big story. Because we’re now learning that, yes, UK phones are hackable. The ruler of Dubai — Sheikh Mohammed bin Rashid al-Maktoum, who is also the vice president and prime minister of the UAE — ordered the hacking of his ex-wife’s phone. Along with the phones of her lawyer and security team. The hacking apparently took place during the couple’s ongoing custody battle in London over their children. So it sounds like the hacking took place in the UK. And it turns out Princess Haya bint al-Hussein’s lawyer just happens to be Fiona Shackleton, a lawmaker in Britain’s House of Lords. So a member of the UK parliament was hacked in London using Pegasus. The ruler of Dubai was capable of ordering this last year.
The hack was reportedly discovered when a cyber expert studying the possible use of Pegasus against a UAE activist realized the phones were being hacked and passed on the information (presumably to CitizenLab or a similar group). Interestingly, NSO Group claims it also learned about the hack more or less at the same time from a whistleblower who informed the company that Pegasus was being misused against the princess and her legal team. NSO Group informed Cherie Blair (Tony Blair’s wife), who was hired by NSO Group to work as an external adviser on human rights, and asked her to get a warning to the princess. It’s a rather convenient story for NSO Group. We aren’t told anything more about this alleged whistleblower. NSO Group informs us it then cut the UAE’s contract. The move presumably made al-Maktoum a lot less popular with all the UAE’s other rulers trying to hack their own ex-wives’ phones.
But then there’s still the question: did these phones have UK (or US) phone numbers, which we are told Pegasus can’t target? That would be kind of a huge contradiction of NSO Group’s repeated assurances, after all. And to get that answer we can look back at some early reporting on this princess hacking story from back in early August, when we were learning about a group of other figures close to the princess who were also hacked, including British human rights lawyer David Haigh. Haigh is the former managing director of Leeds United Football Club and current Chairman of Leeds United Ladies Football Club. Haigh also happens to be an outspoken critic of Dubai and spent time in prison there over charges of embezzlement. He claims to have been tortured while in prison. So Haigh is a figure the government of Dubai would have all sorts of reason to want to hack. But, in theory, he should have been protected as a UK citizen. As it turns out, Haigh’s hacked phone had a ‘+44’ UK number. That’s our answer. UK phones are hackable. And therefore presumably US phones too.
And politicians are hackable in these countries. That’s what we are learning from this story. It’s quite an update to the NSO Group story. And potentially a major update to quite a few other hacking-related stories. For a decade now, dozens of countries around the world have been gaining the ability to execute super secret hacks, and politicians and world leaders are all potential targets. Even the US and UK politicians who are supposed to be safe. That’s the picture that’s emerging. And yet, as we’ve seen, this is all more or less directly tolerated by the Israeli government and indirectly tolerated by the US government. It’s a wild story that keeps getting wilder.
Ok, first, here’s an article from earlier this month about the cancellation of the UAE’s NSO Group contracts over the hacking of Princess Haya and her legal team. A legal team that includes her lawyer Fiona Shackleton, a lawmaker in Britain’s House of Lords:
“Sheikh Mohammed bin Rashid al-Maktoum, vice president and prime minister of the UAE, instructed the hacking of six phones belonging to Princess Haya bint al-Hussein, her lawyers and security team, England’s High Court ruled in a judgment which was made public on Wednesday.”
The ruler of Dubai, who also happens to be the UAE’s prime minister, instructed the hacking. That’s what the court in London concluded as part of the legal fight between Sheikh Mohammed bin Rashid al-Maktoum and Princess Haya bint al-Hussein in their custody battle. A hacking that took place during the custody battle last year in London. It’s a damning detail for NSO Group if Haya was in London during the time of the hack. And especially damning if she had a UK-based phone number:
But it’s the hacking of Haya’s lawyer, Fiona Shackleton, that is utterly damning for NSO Group’s claims that the UK is protected from its spyware. A member of the House of Lords got hacked with Pegasus:
And now here’s a WaPo report from early August about the revelation that figures close to Princess Haya in the UK were hacked last August. Figures like David Haigh, who had been secretly exchanging videos and text messages with the princess for more than a year and a half from a phone smuggled into the Dubai villa where she was being held. She stopped responding on July 21, 2020. Haigh’s phone was hacked two weeks later. It’s the kind of anecdote that shows what must be the irresistible allure of the power of this spyware. Once Sheikh Maktoum found her phone and knew who to hack, they could hack them. Two weeks later Haigh was hacked and there was basically nothing he could do about it. It’s incredible power. Even more so when it can be wielded in the UK. Or the US. Based on what we can infer from the available data, UK phones, and logically US phones too, were viable targets as long as clients were willing to break the rules. Just imagine how many entities out there with access to these tools may have wanted to hack the Democrats in 2015 or 2016. They all could have done it:
“Haigh said he had been exchanging videos and text messages for more than a year and a half with Princess Latifa through a phone that had been smuggled into the Dubai villa where she was being held. She stopped responding on July 21, 2020, according to a screenshot of the messages Haigh shared. The analysis shows that Haigh’s phone was hacked two weeks later.”
It must have been very clear who to hack once they got their hands on Princess Haya’s phone. David Haigh had been secretly swapping videos and texts with her for years. And it took the government of Dubai basically no time to hack Haigh and learn whatever he knew. The power that comes from abusing these tools is incredible:
The fact that Haigh’s number doesn’t appear on the leaked list of 50,000 published suspected Pegasus targets because the hacking happened after 2019 is worth noting in part because it’s a reminder that the global number of targets is likely far higher than that leaked list. But the fact that Haigh’s number is the first time Amnesty’s researchers had identified a successful Pegasus attack on a UK phone number answers once and for all whether UK-based phones can even be targeted by rogue clients. Yes they can:
But the revelation about the first UK phone targeted by Pegasus then raises the major question that looms over this story: was this the first instance of an NSO Group client breaking the rules and targeting UK-based phones? Or is this abuse routine? There aren’t any UK or US phone numbers that show up in the 50k list of numbers in the leaked Forbidden Stories/Amnesty International report on Pegasus. So is that prior lack of UK or US numbers a reflection of no abuse of this nature? Or a reflection of the fact that these kinds of abuses were hidden even from the source where the leak came from?
Keep in mind the Pegasus leak presumably came from someone at NSO Group or in contact with someone there. Or maybe someone who hacked the company, ironically. But it didn’t come from all the clients separately. And that means if the clients were able to hide their targeting of US, UK, or any other blacklisted countries’ phones from NSO Group, then we shouldn’t necessarily expect the leaked list of Pegasus targets to include any US or UK targets. The clients all self-filtered that so they wouldn’t get their subscriptions cut off like the UAE. And therefore a lack of any UK or US numbers on that list shouldn’t necessarily be seen as an indication that these kinds of abuses weren’t taking place pre-2020.
All in all, this story about the hacking of Princess Haya could end up being the most consequential NSO Group story so far. There’s no shortage of questions raised by all this. Like whether or not Candiru cut the UAE off too after all this was discovered or just raised the rates and offered more products.
Here’s a pair of articles about one of the biggest questions facing the entire topic of the global offensive cyber-mercenary industry: the question of whether or not the Five Eyes countries are vulnerable to this super-spyware too. Just how much hacking of the US and UK governments has been quietly taking place over the last decade? Recall the recent reports about NSO Group cutting off the UAE’s access to Pegasus after it was discovered the head of Dubai was using the software to spy on his ex-wife, Princess Haya, along with a number of other members of her security and legal team based in the UK. Including her lawyer Fiona Shackleton, who happens to be a member of the House of Lords. Beyond that, their hacked phones had +44 UK phone numbers, something that shouldn’t be possible.
And as we’re going to see in the first excerpt below from several weeks ago, just days after the story of the NSO Group dropping the UAE as a client was first reported, NSO Group made a remarkable admission: following the apparent discovery inside NSO Group about the abuse of Pegasus, NSO Group immediately implemented a change to the Pegasus software that banned the targeting of +44 phone numbers. It’s the kind of admission that confirms the obvious: NSO Group clients have been able to target +44 numbers all along.
But it gets worse. Because as we’re going to see in the second excerpt below, from back in July when the story of the 50,000+ target numbers was first breaking, there were reports about a remarkable observation in that list of numbers: 400+ of them were +44 UK numbers, going back to 2017. And while most of the +44 numbers are believed to have been entered by the UAE, the Saudis are also responsible for some of them. Which means the UAE was rampantly targeting UK phone numbers for years.
So what are the odds NSO Group didn’t know about this? Well, that’s where the suspicious coincidental timing of the twin and allegedly independent discoveries of the UAE targeting of UK phones should serve as a hint. Recall how NSO Group claims it independently learned about the targeting of Princess Haya at the same time an independent researcher discovered evidence of Pegasus targeting members of Shackleton’s law firm. As we’ll see in the following report, an anonymous source close to the company assures us “It is a coincidence” that both of these discoveries were made on the exact same date. We’re also told that the code modifications that stopped the targeting of +44 numbers were implemented within hours of NSO Group learning about the abuses. It’s a rather dubious claim. NSO Group and this independent researcher just happened to learn about it all simultaneously and independently. You have to wonder if the researcher’s prodding on the infected phone was literally what tipped off NSO Group that he found the evidence. Keep in mind that the hacking of Princess Haya had already been alleged weeks earlier, as we’ll see in the excerpt from July. It’s not like NSO Group could claim it hadn’t already heard about this. So NSO Group’s story of how it first confirmed the hacking of the +44 numbers doesn’t really logically check out. Yet that’s the story being pushed by the anonymous source close to the company. So it’s noteworthy that this same anonymous source also assures us that this vulnerability for +44 doesn’t apply to +1 (US) or any other Five Eyes numbers.
Yes, the anonymous source giving us a highly dubious assurance about NSO Group also claims there’s nothing to worry about when it comes to the hacking of the rest of the Five Eyes. It’s not exactly reassuring. And, more to the point, it’s the kind of scenario that suggests NSO Group knew all along the targeting of +44 numbers was happening and was fine with it. Beyond that, it’s hard not to notice that the UK government itself doesn’t seem very perturbed by this story. Nor do the other Five Eyes governments, who really should view this as one of the greatest security threats in history. It’s the kind of situation that suggests a major part of this scandal is the fact that the Five Eyes governments may have been fine with this. What kind of arrangements are being quietly worked out between the client states given access to these tools and the Five Eyes network that appears to be a kind of tacit sponsor of this cyber industry? It’s a fascinating question at the heart of this story.
Ok, here’s the October 8 report that came out just days after we first learned about the UAE losing its hacking privileges over the Haya hacks, with NSO Group assuring everyone that it fixed the problem. A problem with Pegasus seemingly having no problem at all hacking +44 numbers. The fix was apparently so easy to do, NSO Group implemented it within hours of learning about the abuses. And it’s apparently just a coincidence that NSO Group didn’t decide to make this easy remote fix until the company ‘coincidentally’ confirmed the abuses on the exact same date as an independent researcher with access to Shackleton’s phone. It’s not exactly a compelling cover story:
“NSO Group, the Israeli maker of the Pegasus surveillance tool, implemented a change preventing client countries from targeting +44 numbers, the sources said, after it became aware of the British hacking scandal on 5 August last year.”
It’s confirmed. NSO Group clients did indeed have the technical capacity to target +44 UK numbers up until August 5 of 2020. This was, of course, after over 400 UK numbers showed up in the giant investigative leak of 50,000+ suspected target numbers. But we’re also getting another confirmation: NSO Group had the technical capacity to easily make it impossible for clients to target +44 numbers but didn’t use that capacity until the Princess Haya scandal. NSO Group could have easily prevented this entire scandal but didn’t do so. Why is that?
So what about the rest of the Five Eyes nations? Were these numbers targetable too? We are told by an anonymous source close to NSO Group that, no, Pegasus can’t target these other nations. And yet this same anonymous source also assures us that it’s purely a coincidence that NSO Group became aware of the targeting of Princess Haya and others close to her on the same day an independent computer forensics researcher discovered the same hacks. So it was on the same day that an independent researcher effectively threatened to make this scandal public that NSO Group magically stumbled upon the same problematic behavior and finally put it to an end. It’s the kind of narrative that suggests this anonymous source is basically just pushing NSO Group’s cover story. Which also means we should probably assume that the targeting of numbers of the US, UK, Australia, Canada, and New Zealand was also technically possible for NSO Group clients up until August of 2020:
Adding to the circumstantial evidence of a major undiscovered scandal here is the fact that the list of 50,000+ suspected target phone numbers only came from around 10 of NSO Group’s clients. Which means there’s around 30 more clients that we know nothing about...other than the fact that they presumably had the same capacity to target Five Eyes numbers as the UAE:
Next, here’s a Guardian report from back in July about the 400+ UK phone numbers discovered in the leaked list of 50,000+ target numbers. As we’ll see, NSO Group didn’t simply deny that Pegasus was used to target UK phone numbers. The company suggested it was technically impossible for Pegasus software to do so. That was the message coming out of NSO Group a couple weeks before the August 5 emergency change made to Pegasus’s code following the ‘discovery’ by NSO Group that the UAE was indeed targeting UK phone numbers. And not just a few UK phone numbers. Of the 400+ UK phone numbers in the list, the bulk of them were entered by the UAE. This one client was allowed to serially violate the nation blacklist rules. For years:
“The principal government responsible for selecting the UK numbers appears to be the United Arab Emirates, according to analysis of the data. The UAE is one of 40 countries that had access to the NSO spyware that is able to hack into and secretly take control of a mobile phone.”
Yes, it appears the UAE is the principal NSO Group client state responsible for the 400+ UK phone numbers that appeared on the list of 50,000+ suspected target numbers released in the Forbidden Papers leak. And the dates corresponding to the numbers indicate this targeting of UK-based phones was taking place from 2017–2019. The UAE was allowed to become a serial offender of one of NSO Group’s core rules.
So just how much more extensive was this abuse? It remains a significant unanswered question in this story. But don’t forget that the 50,000+ list of numbers was apparently only based on 10 NSO Group clients and the company has over 40 clients. That list is just a snapshot of what NSO Group’s clients have been up to. But we don’t have to entirely speculate about which other clients have been hacking UK phone numbers. Saudi Arabia had already been caught doing it too. But note the interesting suggestion made by NSO Group lawyers when the issue of Saudi targeting of UK phones was brought up: they suggested it was “technically impossible”. Keep in mind this suggestion was given back in July, before the admission from NSO Group a few weeks ago that it only retroactively modified the Pegasus code to block the targeting of UK phone numbers. In other words, past assurances about the technical impossibility of the targeting of blacklisted country phone numbers are bogus. Which should immediately raise major questions about the technical possibility for the hacking of the rest of the “Five Eyes” nations on that blacklist:
But while a scenario where NSO Group clients have had the technical capability of hacking Five Eyes phones certainly looks likely at this point, there’s another plausible scenario worth considering: that the UAE and Saudi governments were given special permission to hack UK phones...perhaps on behalf of the UK’s own intelligence services. A domestic spying arrangement that relies on the outsourcing of the spying to friendly allied states outside of the Five Eyes. Could we be looking at a situation like that? Because while it’s not hard to imagine that the UAE had plenty of interest in spying on all sorts of activists or politicians living in the UK, it’s also not hard to imagine the UK’s own intelligence services having an interest in spying on these same groups. It would at least explain why the UK government seems almost uninterested in a scandal that has the appearance of having significant espionage implications: