Axios Codebook

Last week’s stunning indictment of three North Korean hackers laid bare both the advantages and drawbacks of the U.S. government’s evolving strategy of using high-profile prosecutions to publicize hostile nation-state cyber activities.

Why it matters: Criminal charges can help the U.S. establish clear norms in a murky and rapidly changing environment, but they may not deter future bad behavior and could even invite retaliation against U.S. intelligence officials.

Catch up quick: Last Wednesday, the Justice Department charged three alleged employees of North Korea’s Reconnaissance General Bureau with undertaking a massive, multiyear hacking spree.

The hackers conducted some activities — such as sending spear-phishing emails aimed at U.S. government employees and contractors — that are examples of workaday nation-state espionage. But they also took actions far outside these bounds that included:

• The 2014 attack on Sony Pictures.
• The creation and use of the destructive WannaCry 2.0 ransomware.
• A series of cyber-enabled bank hijackings across the globe wherein the spies tried to steal over $1.2 billion.
• The theft of cryptocurrency valued at tens of millions of dollars worldwide.

Between the lines: Pointing the finger in cyberspace can often put the U.S. in uncomfortably hypocritical territory, as all major powers (and many minor ones) engage in cyber spying.

• But the U.S. has the unambiguous ethical high ground with this latest indictment: U.S. intelligence agencies don’t hack banks to raise funds for the Treasury Department or seek vengeance over disfavored pieces of popular culture or create malicious cryptocurrency apps to steal from private companies to fund Washington’s weapons programs.
• The fact that the North Korean hackers were behaving, in many instances, like non-state cyber criminals made it easier for the U.S. government to treat them like criminals — and pursue legal action against them.

Context: The North Korea case is an extreme example of other states’ divergent views on the appropriate objectives of cyber operations.

• For instance, many states, including some close U.S. allies, regularly commit cyber-enabled economic espionage and theft of trade secrets to benefit their “national champion” companies.
• American officials insist the U.S. does not engage in economic espionage — making it something of an outlier in the intelligence world.

Be smart: North Korea won’t extradite the hackers, and they’ll presumably never stand trial. Yet the act of naming and shaming these individuals may still hold real value for the U.S.

• It may strengthen the international consensus against aberrant North Korean behavior (like massive bank theft).
• Cyber espionage-related “speaking indictments” also provide a public service, detailing foreign cyber spying operations in an unusually open manner, a benefit to private cybersecurity firms, journalists and the wider interested public.
• And these indictments extract costs on the named operatives, potentially complicating the individuals’ plans to, for instance, live in or visit countries that have extradition treaties with the U.S.

Yes, but: It’s unclear what, if any, deterrent effect these types of indictments actually have on foreign governments.

• North Korea probably won’t stop robbing banks because the U.S. charged three of its intelligence officials. Their cyber operators rob banks because that’s where the money is, and Pyongyang needs it.

There are other risks, too, to criminally charging state-backed cyber operators.

• One danger is that America’s adversaries will respond in kind, burning the identities and activities of U.S. intelligence personnel via criminal charges.
• There’s next to zero possibility a hostile foreign power will successfully prosecute an American cyber operator it has charged, but some U.S. intelligence operatives still shudder at the possibility that they will become pawns, via this type of legal move by Moscow or Beijing, in a great geopolitical game.

The bottom line: Evolving norms around spying cut both ways, and as the saying goes: “The enemy always gets a vote.”

A Chinese state hacker group known as APT31 or Zirconium secretly repurposed a zero-day exploit designed by NSA’s Equation Group hackers, years before it was leaked by the mysterious Shadow Brokers in 2017, according to analysts at Check Point Research.

Why it matters: The fact that a Chinese hacking group was able to capture the NSA exploit, known as EpMe, “in the wild” by 2014, reorders our understanding of who had access to certain stolen NSA tools — and when.

Details: APT31 used this NSA zero-day as the basis for its own exploit, which analysts have dubbed “Jian.”

• Jian began to appear in Chinese offensive cyber operations as early as 2015, said the analysts. The tool was used until 2017, when Microsoft quietly patched the vulnerability, likely in response to the Shadow Brokers revelations, says Check Point.
• Analysts initially believed Jian was wholly created by Chinese state hackers, until Check Point analysts looked at the shared code between the Chinese and NSA tools.

The big picture: It’s unclear how widely Jian has been used on U.S. networks, but researchers at Lockheed Martin discovered it on at least one “U.S. private sector network” that was not the company’s own, reports Wired.

• The compromised network was unconnected to Lockheed’s supply chain and “was not part of the US defense industrial base,” said Wired.

The intrigue: The manner in which APT31 built the Jian exploit means the Chinese hackers likely “acquired the exploit samples themselves,” writes Check Point.

• This means the Chinese state hackers most likely captured the exploit when it identified the NSA trying to use it to spy on China or when it was spying on a network the U.S. was also spying on or when it was itself undertaking offensive cyber operations against NSA infrastructure, say the analysts.

The bottom line: It’s unclear precisely how APT31 got access to the NSA tool, say researchers. We don’t know if the U.S. government knows the full story, either.

Nearly 30,000 MacOS devices have been infected with a previously undiscovered strain of malware, according to researchers at cybersecurity company Red Canary.

Why it matters: The discovery of this mystery malware is another example of how even the most skillful defenders are sometimes only dimly aware of the threats arrayed against them.

• Dubbed “Silver Sparrow,” the new malware has affected devices in 153 countries, with “high volumes of detection in the United States, the United Kingdom, Canada, France, and Germany,” writes Red Canary, which worked with Malwarebytes and VMware Carbon Black in its analysis.
• But researchers don't know how the new malware actually wound up on all these machines.

Researchers say variants of the malware are designed to infect MacOS systems using older Intel chips, as well as Apple’s new M1 chips, which were just introduced in November 2020.

• This means the threat actor behind Silver Sparrow designed the malware to be “forward-looking,” given the small number of Mac OS devices currently using M1 chips, writes Red Canary.
• Additionally, researchers discovered that Silver Sparrow is designed to delete itself in order to evade detection — another sign that the malware was likely created by sophisticated hackers for an as-yet-unknown objective.

The bottom line: No devices compromised by Silver Sparrow appear to have actually been infected by a malicious payload yet. But the malware is clearly designed to provide that capability, say researchers. This “leav[es] the ultimate goal of Silver Sparrow activity a mystery,” writes Red Canary.

Threat actors using the Sodinokibi ransomware made “at least” $123 million in 2020, stealing roughly 21.6 terabytes of data, according to a new report by IBM researchers.

• Sodinokibi was the most-used ransomware observed by the researchers, accounting for 22% of all incidents in 2020. Cyber criminals using Sodinokibi demanded $42 million for a single ransom, writes IBM.

Why it matters: In 2020, ransomware actors “shifted tactics to not only encrypt data and render it impossible to access,” write the researchers. “They also stole it, and then threatened to leak sensitive data if a ransom was not paid.”

By the numbers: The Sodinokibi ransoms “peaked in June or July 2020 and then rose again after a brief lull in August and September, potentially related to threat actor availability, vacations, and alternate employment obligations,” write the researchers.

• Nearly two-thirds of Sodinokibi victims agreed to pay the requested ransom, writes IBM — but more than 40% of their victims still had their data leaked.
• By far, the most Sodinokibi victims — 58% — were based in the U.S., with the U.K. coming in second at 8%.
• The most targeted entities were companies in the manufacturing, professional services and wholesale sectors. “Nearly all” ransomware attacks on the retail sector made in 2020 were made via Sodinokibi, writes IBM.
• But the threat actors using Sodinokibi have also been perfectly happy to hold governments hostage, being responsible for almost half of all ransomware attacks on government entities in 2020, per the IBM researchers.

• Axios' Ina Fried has the big takeaway from the Senate's SolarWinds hearing. (Axios)
• How to improve the government’s vulnerabilities disclosure process. (Cyber Threat Alliance)
• How COVID-19 transformed the threat landscape in 2020. (BlackBerry)
• Sen. Ron Wyden sent a letter to the acting CISA director asking whether a more stringent firewall on government networks could have helped prevented SolarWinds. (Sen. Ron Wyden's office)
• The live audio on chat app Clubhouse may be insecure. (Bloomberg)
• The Biden administration is planning to sanction Russia for the SolarWinds hack. (Washington Post)