Welcome to Codebook, the cybersecurity newsletter returning from CyberwarCon.
If you've got tips or story ideas, I'd love to see. Just reply to this email.
1 big thing: How Yemen's civil war went cyber
The conflict tearing Yemen apart is a human catastrophe and a geopolitical mess. It's also providing a look at how today's shooting wars spill over into digital conflict, even in the poorer corners of the world, as two presentations at Wednesday's CyberwarCon in Washington, D.C., elucidated.
Background: Houthi rebels, backed by Iran, currently control the capital city of Sanaa — and with it the main internet service in the country, YemenNet.
- President Abed Rabbo Mansour Hadi's government, backed by the Saudis, control much of the rest of the country, save for a few territories controlled by al-Qaeda in the Arabian Peninsula. The Hadi government launched its own internet service in its territory, AdenNet.
By gaining control of YemenNet, the Houthis gained control of the “.ye” domain — the Yemeni equivalent of “.com.” At the conference, threat intelligence firm Recorded Future noted that the Houthis used that control to take over national websites and declare themselves the official government.
- It had already been reported that the Houthis disrupted access to social media networks and to any website showing troop positions. They also cut as much as 80% of the incoming submarine cables providing internet to disrupt international communications.
- New from Recorded Future's findings: It appears that the Houthis have installed cryptocurrency mining operations on the internet infrastructure in order to fund the regime.
The Hadi government built its AdenNet using Huawei routers. The Chinese telecommunications firm’s presence reflects China’s practice of using infrastructure assistance to secure valuable alliances (the Belt and Road initiative). Yemen is currently a war zone, but some day it will return to being a nation that controls important shipping lanes.
- Accepting China's infrastructure aid comes at a cost. Huawei is believed by most Western countries to sabotage its own equipment to facilitate Chinese spying.
The influence campaign: The Houthi government is also running social media influence campaigns to pressure the West and Saudi Arabia to stop bombing Yemen, Johns Hopkins student Dan O’Keefe reported at CyberwarCon.
- The campaigns use a "Twitter board" — essentially a massive collection of prewritten tweets focusing on a topic of the day.
- Citizens, including those directed to the boards from government websites, select tweets and post them rapid-fire to try to make issues trend.
- The campaigns suggest a maximum posting rate so the accounts don't get flagged as bots.
Though many big players are involved in bringing weapons to the region — with Saudi Arabia and Iran, both liberal users of surveillance technology, among them — it doesn't appear that there is a proxy war of surveillance tech underway in Yemen, yet.
- Recorded Future notes that the level of devastation in the conflict reduces surveillance's payoff: The humanitarian crisis limits the amount of tech being used in Yemen and makes guns a more "useful" export.
2. DOJ indicts 2 Iranians for SamSam ransomware
The Department of Justice announced it had indicted 2 Iranians Wednesday for creating and deploying the SamSam ransomware that plagued the city of Atlanta and several other high-profile targets.
Details: Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri are accused of causing $30 million in losses from more than 200 victims in 10 states and Canada.
- SamSam encrypted data on victims' computers, offering to decrypt it for a fee.
- Targets included hospitals, municipalities and universities. High-profile targets included the city of Newark, the Port of San Diego and Hollywood Presbyterian Medical Center in Los Angeles.
3. Another possible solution to the Corsi-WikiLeaks puzzle
As pundits try to update their timeline for the 2016 Russia hacking scandal based on new emails and information from Roger Stone associate and conspiracy theorist Jerome Corsi, they are missing a key piece of the puzzle.
Background: This week, Corsi blew apart plea arrangements with the Mueller investigation, and now he publicly denies being an intermediary between Stone (a would-be proxy for the Trump campaign) and WikiLeaks or having any advance knowledge of the site's leak schedule.
- According to a draft plea agreement, Corsi emailed Stone that he did have that advance knowledge: "Word is friend in embassy plans 2 more dumps. One shortly after I’m back [from a vacation in August]. 2nd in Oct."
- But there was no August Wikileaks dump.
The big question: What was Corsi referring to with the leak planned for when he got back?
- Corsi claims he was guessing, but armchair investigators note it doesn't seem like that's what he was saying.
- "Word is" seems a little specific to have been referring to a guess, and "Would not hurt to start suggesting HRC ... has stroke. ... I expect that much of next dump focus," seems to predict Podesta emails would breathe life into baseless rumors about Clinton health problems.
So, what gives? Independent intelligence pundit Marcy Wheeler suggests Corsi may have been referring to a leak from Guccifer 2.0 in August that did materialize rather than a leak from WikiLeaks.
But there's an easier explanation: WikiLeaks, I'm told, was consistently behind schedule in releasing leaks, or at least behind the schedule Russia appears to have set for the site.
- In fact, you can see that in the way Guccifer 2.0 acted in the previous month. When I started receiving leaks — before WikiLeaks began publishing — Guccifer 2.0 made a point of telling me, "WikiLeaks is playing for time" with documents sent to the site.
- In Guccifer 2.0's first document dump on his own site he quietly picked only documents culled from the Democratic National Committee emails that Wikileaks had received but had not begun publishing yet.
- At the time, only WikiLeaks would have known this. In retrospect, it appears to have been a hurry-up notice.
Maybe Corsi's "friend in embassy" didn't leak documents in August because he was running late.
4. Dell resets passwords after breach
Dell acknowledged Wednesday it had detected a breach of its systems on Nov. 9, but has yet to find any evidence consumer data was taken.
Details: Dell says hackers tried, and failed, to steal names, passwords and email addresses.
- Out of caution, users will be asked to reset passwords the next time they log into Dell.com.
- Dell is working with law enforcement and a third-party incident response firm to investigate the breach.
5. Odds and ends
- The UK disclosed its decision process to determine which security glitches it will notify vendors about and which it will save for spies' use. It's the GCHQ equivalent of the United States' Vunerabiliity Equities Process. (GCHQ)
- Urban Massage, a massage booking app, lets masseuses internally comment on which clients were creeps. We know that, because the database was exposed online without a password. (TechCrunch)
- Dunkin' had an incident with its Perks program. (CTPost)
- New Zealand, too, is banning Huawei for 5G. (ZDNet)
- The FBI and cybersecurity firms thwarted a massive ad fraud scheme. (Axios)
Codebook will return on Tuesday, why not?