Axios Codebook

October 31, 2019
Welcome to Codebook, the cybersecurity newsletter with a crippling fear of accidentally eating the freshness packets in bags of beef jerky.
Today's newsletter is 1,944 words, a 7-minute read.
1 big thing: Facebook declares war on government spying

Illustration: Sarah Grillo/Axios
In what could become a landmark case limiting how government surveillance contractors can operate, Facebook is suing Israeli firm NSO Group for allegedly hacking WhatsApp in order to monitor users on behalf of foreign governments.
Why it matters: Firms like NSO sell software ostensibly intended to surveil potential criminals and terrorists. In practice, their tools have been used to commit human rights abuses.
The big picture: Western governments and human rights advocates have raised their voices about those abuses, but so far they have been unable to stop them. The WhatsApp suit represents a different and potentially stronger kind of threat to the surveillance industry.
- If NSO and other surveillance software companies lose the ability to transmit spyware over popular, private networks, their ability to infect targets would dramatically decline.
- "For years, we wondered when private companies were going to reach the breaking point and sue," said John Scott-Railton, senior researcher at Citizen Lab, a University of Toronto outfit dedicated to rooting out cyber weaponry used to commit human rights abuses. "WhatsApp may be the beginning of that other shoe dropping."
- Citizen Lab worked with Facebook to investigate illicit WhatsApp activity at the center of the lawsuit. The lab has been a thorn in the side of NSO for years, documenting oppressive regimes using the software to spy on journalists, opposition politicians, protesters and religious figures — even advocates for a tax on soda in a country whose leaders did not want a tax on soda.
Details: In the lawsuit, Facebook claims that NSO used WhatsApp to send malware to 1,400 targeted cellphones and mobile devices. A blog post from WhatsApp says that at least 100 of those were civil society targets.
- The spread of NSO's tools and other firms' spyware isn't limited to WhatsApp. Researchers have seen surveillance products spread using phishing messages on a variety of platforms.
- Potentially, other tech firms' apps could follow Facebook's lead and seek to enjoin NSO from using their networks. That could include Amazon, which Facebook claims played an unwitting role in NSO's operations by renting the group cloud servers used to anonymize the attacks. Amazon did not reply to questions about whether it would take similar actions.
Context: NSO is a major player in commercial spyware, but by no means alone.
- Other companies selling commercial spyware include Gamma, Hacking Team, Intellexa, Ability, Verint, Fifth Dimension, and Circles Technologies.
The catch: Spyware contractors operate with the express permission of governments and are based abroad, blurring the issue of U.S. judicial oversight, even as it relates to the use of private networks.
- "Some of the issues are ones that will need to be litigated out and may need to be negotiated diplomatically," said Michael Daniel, former White House coordinator for cybersecurity and current president and CEO of the Cyber Threat Alliance.
What they're saying: NSO fiercely denies the charges in the Facebook suit, saying in a statement that it "considers any other use of our products than to prevent serious crime and terrorism a misuse, which is contractually prohibited. ... This technology is rooted in the protection of human rights — including the right to life, security and bodily integrity."
- NSO has recently announced new measures that it says are aimed at eliminating the use of its product in human rights abuses.
2. NSO and Facebook might be waging a proxy war over encryption
In the first paragraph of Facebook's filings and the second paragraph of the NSO response to the press, both companies mention WhatsApp's use of end-to-end encryption. That encryption makes it difficult for intelligence agencies and law enforcement to intercept messages without a password.
The big picture: This issue doesn't matter to the underlying question in the lawsuit — no matter how the messaging network works, someone is using it to install malware to monitor a target's phone.
One reason encryption might have come up: The Department of Justice is currently pushing for tech industries to limit their use of end-to-end encryption.
- So when Facebook makes a point of saying NSO's malware was used in response to end-to-end encryption, it appears to be forwarding an argument that preventing end-to-end encryption would have further jeopardized the civil society individuals victimized by authoritarian governments.
- And when NSO responds, "The truth is that strongly encrypted platforms are often used by pedophile rings, drug kingpins and terrorists to shield their criminal activity," it really seems to be saying that if government fears about encryption are correct, it is offering a solution to the problem.
3. Russian hackers are keeping very busy

Photo: Thomas Körbel/picture alliance via Getty Images
October was a big month for reports of Russian cyber campaigns from government intelligence agencies, private firms and researchers.
Why it matters: Of the four major cyber powers lined up against the United States (Iran, North Korea, China and Russia), Russia is the most technically advanced, and every documented Russian effort reminds Americans of that nation's outsized role in interference in the 2016 presidential election — and possibly that of 2020.
Driving the news:
- Fancy Bear, a Russian espionage hacking group best known for the 2016 breaches of the Democratic National Committee, is trying to hack email accounts of 16 sports and anti-doping groups, according to reports from Microsoft released Monday.
- Cozy Bear, a group likely associated with the Russian Federal Security Service (FSB) or Russia's Foreign Intelligence Service (SVR), had been thought to have gone quiet after being implicated in interfering in the U.S.' 2016 election. But recent reporting by ESET shows that the group was less quiet than previously thought, switching its toolkits after 2016 to conduct operations against European ministries of foreign affairs.
- U.S. and British intelligence agencies reported that Turla, an organization likely associated with FSB, had been co-opting Iranian hacking tools and piggybacking off Iran's hacking infrastructure without Iran's knowledge. Turla's actions were largely limited to the Middle East.
- Bonus round: While influence operations aren't hacking, Facebook this week removed 100 accounts that Russia's internet operatives used to sway African nations. That comes just over a week after it removed a network of influence campaigns targeting the U.S.
The big picture: As with all nations involved in espionage, Russia's efforts pursue all sorts of interests, and none of this is new for Russian hackers.
- They've masqueraded as other nations' hackers before, including a concerted effort to appear to be North Korea during the release of the Olympic Destroyer malware used to interrupt the 2018 Olympics.
- Russia's expanding realm of influence in the Middle East makes the region a likely target of Russian spying.
- Russia has been monitoring European leaders since well before hacking was an option.
4. Chinese spies are stealing text messages
A hacker group linked to Chinese espionage is illicitly installing software at telecommunications companies to steal text messages from specific users and regarding specific topics, according to cybersecurity firm FireEye.
The big picture: While Chinese espionage is often linked to intellectual property theft, the targets in this case appear to be linked more to traditional espionage, including senior political and military figures and topics that could be of interest to Chinese policymakers.
The backdrop: The hacking group identified in this campaign, known as APT 41, is believed to have been active for nearly a decade.
- The group is interesting among Chinese spy groups because it appears to both spy for the government and commit cybercrime on the side to supplement its own incomes.
What's happening: FireEye has discovered "multiple" telecoms infected with the newly discovered malware, dubbed Messagetap, Steven Stone, the firm's director of advanced practices, told Axios.
- The firm assumes that many more will soon be discovered.
- "We're at the front end of this discovery," Stone said, noting that the company decided that publishing a speedy warning was more important than taking time to assess the campaign's scope. "I'd be really surprised if they just used this against one nation."
Details: Messagetap installs onto telecommunication company-specific hardware.
- While APT 41 and other spy groups have hacked telecoms in the past to search for information on individuals, weeding out targets is usually done one at a time. This software automates the process, allowing spies to search for thousands of identifiers at the same time.
- FireEye told Axios that the software it discovered was searching for text messages to or from at least 7,000 different phone numbers or individual phone identifiers, known as IMSI numbers.
5. Sanctions hamper Russian radio jamming operation
A high-ranking Ukrainian military official says that sanctions on Russia have thwarted Russia's longstanding efforts to jam Ukraine's unmanned autonomous vehicles in eastern Ukraine, according to Oriana Pawlyk of Military.com.
Why it matters: Ukraine has lost almost 100 drones (by its count) used for reconnaissance on Russian-backed separatists because of Russian GPS jamming equipment.
But, but, but: Sanctions have limited the ability of Russia to repair and replace faulty equipment, according to Ukrainian Col. Ivan Pavlenko, deputy chief of Combat Support Units of the Joint Forces Headquarters, who spoke at the Association of Old Crows annual meeting this week in Washington D.C.
"Sanctions [are] like a virus," he told Pawlyk after his speech.
6. Twitter is banning political advertisements
In stark contrast to Facebook's pledge not to censor political ads, Twitter announced Wednesday it would not accept political ads.
The big picture: There is often an association made between political ads and Russian information campaigns, even though the Russian campaigns in 2016 and since then largely didn't use ads. Still, promoted tweets are a potential way for information operations to expand their reach, or for politicians to lie about opponents.
Civil liberties advocates like Privacy International praised the move, noting that while Twitter had special labeling for political ads in the U.S. and a handful of other countries, it didn't in more than 80% of nations worldwide.
There are a few hiccups ahead: Twitter's Vijaya Gadde clarified the policy to say the company's definition for political ads would include "1/ Ads that refer to an election or a candidate, or 2/ Ads that advocate for or against legislative issues of national importance (such as: climate change, healthcare, immigration, national security, taxes)."
- Many scientists will object to classifying "climate change" as a political issue.
- It's unclear how this policy will work around the edge cases. Would an automotive ad touting the environmental benefits of an electric car be banned?
President Trump's campaign manager, Brad Parscale, tweeted that the move to ban all political ads from all political parties worldwide was "yet another attempt by the left to silence Trump and conservatives."
7. Other news from last week
Companies widen the workforce pipeline (Aspen Institute): The Aspen Institute announced Wednesday that 14 large companies and one industry consortium agreed to new recruiting standards to expand cybersecurity job applicant pools.
- The companies agreed to expand their recruitment focus beyond applicants with four-year degrees, to not bog down help wanted ads with skills not central to a job, and to use gender-neutral language in job descriptions.
North Korean malware was found at an Indian power plant (NPCIL, via ZDNet): The Nuclear Power Corporation of India Limited confirmed Wednesday that North Korean malware was found on a business computer system at an Indian power plant. ZDNet uploaded the press release from the NPCIL here.
- NPCIL had originally denied reports of malware on the power plant networks earlier in the week.
- The specific malware found on the network is typically associated with reconnaissance, not causing blackouts.
Georgia hit by massive cyberattack (BBC): A Monday cyberattack in Georgia (the nation, not the state) knocked 15,000 web pages offline.
- There has been no evidence presented about who is behind the attack.
- Websites were replaced with an image of former Georgian President Mikheil Saakashvili and the phrase "I'll be back."
8. Odds and ends
- Defending Digital Campaigns, a nonprofit that steered an FEC ruling paving the way for free and low-cost cybersecurity for political campaigns, announces its first board and CEO. (DDC)
- Maybe it's time for a West Point or Naval Academy-like U.S. Cyber Academy. (FCW)
- A worthwhile long read: The rise and fall of Tiversa. (New Yorker)
- Pwn2Own, a major competition to find security flaws in various products, adds an industrial security contest. (S4x20)
- Sen. Roy Blunt (R-Mo.) blocked a Democratic attempt to pass an election security bill. (The Hill)
- The FCC formally proposed a de facto ban on ZTE and Huawei telecom equipment that may require ripping out equipment already in place. (Ars Technica)
- In attacks on infrastructure, saboteurs try to damage critical processes rather than just turn off the computers. (Dragos)
We'll be back next week.
Codebook fan pick the Cleveland Browns continued to struggle with play-calling, game-planning and football discipline in a loss to New England. They remain a team with on-field talent two or three letter grades better than their coaching.