Jun 17, 2020

Axios Codebook

Welcome back to Codebook!

  • The new "Axios Today" podcast with host Niala Boodhoo launches Monday, June 22. It's a 10-minute daily listen — perfect for your morning commute between bedroom and living room. Subscribe here.

Today's newsletter is 1,736 words, a 6.5-minute read.

1 big thing: The pandemic unleashes a cyber crime wave

Illustration: Eniola Odetunde/Axios

Cyber criminal networks and individual opportunists have leveraged the coronavirus crisis to ramp up schemes to defraud businesses, credulous consumers and governments at all levels.

The big picture: This new wave of cyber crime, documented in a series of indictments, public disclosures and statements from U.S. officials, illustrates why the U.S. government sometimes refers to the “big four plus one” of cyber threats.

  • The big four are the traditional quartet of states known for their cyber capabilities: Russia, China, Iran and North Korea.
  • The “plus one” refers to cash-rich and increasingly adept cyber criminal operations that have now earned equal footing with nation-states.

What’s happening: Since the coronavirus crisis exploded domestically in March, U.S. authorities have mobilized to combat a torrent of related cyber crime. The Justice Department and FBI convened a COVID-19 Working Group, which coordinates closely with the U.S. Secret Service, Cybersecurity and Infrastructure Security Agency, and other agencies.

By the numbers: The scope of the problem is overwhelming. By late May, the FBI’s Internet Crime Complaint Center had received 320,000 complaints over the course of the year, compared to roughly 400,000 complaints in all of 2019.

The FBI: The agency has tracked an increase in online and other fraud related to the Paycheck Protection Program (PPP), which gives loans to small businesses to keep employees on the payroll.

  • The FBI has launched nearly 100 investigations into PPP-related fraud that involve $42 million in funds, and it's clawed back $900,000 from fraudsters.
  • But in some cases, cyber criminals have successfully had victims wire funds to international bank accounts shielded from U.S. law enforcement.

The Secret Service: The acute nature of coronavirus-related fraud has led the U.S. Secret Service, which plays a major role in federal cyber crime investigations, to focus on quickly disrupting these schemes and protecting victims, rather than building prosecutable cases against offenders.

  • Investigators are returning to the question of prosecution after these disruptions have taken place, knowing that quick action may have affected their ability to arrest wrongdoers.

Health care targets: Earlier this year, some cyber criminal groups announced that they were suspending their targeting of the health care sector during the coronavirus crisis. But attacks haven’t stopped.

Stimulus targets: Recently, large-scale stimulus fraud has become a major focus for cyber criminal groups.

  • For instance, cyber criminals, aware of U.S. government efforts to prop up consumer spending, have built spear-phishing campaigns around the recent individual stimulus payments to taxpayers.

PPE targets: Earlier in the outbreak, much coronavirus-related fraud involved the purchase of personal protective equipment (PPE), which cities and states scrambled to acquire in the initial aftermath of the outbreak in the United States.

  • Working through middlemen, states and cities placed orders, sometimes worth many millions of dollars, to procure PPE from foreign countries.
  • Price gouging has been common, and sometimes the transactions have been fraudulent — leading the FBI to step in and stop entire bulk purchases. (In some cases, the federal government and U.S. states battled over PPE orders, leading to charges of political intervention.)

The bottom line: The types of attacks and vectors used by cyber criminals haven't changed in the COVID-19 era.

  • These groups still favor business email compromise and ransomware, for example, often via social engineering schemes, but are updating their content to relate to the coronavirus.
  • From 2014 to late 2019, complaints to the FBI regarding business email compromise scams totaled “more than $2.1 billion in actual losses.”

2. CIA report: Spies failed to lock down their prize code

Systematic security failures at an elite CIA hacking unit helped lead to the biggest information breach in the agency’s history, according to a partially declassified CIA report provided to Sen. Ron Wyden’s office.

Details: The 2017 report, first reported by the Washington Post, is a postmortem on the 2016 breach, conducted by the CIA’s WikiLeaks Task Force.

  • WikiLeaks published the stolen material, known as Vault 7, in early 2017. It exposed operations and exploits developed by the CIA’s Center for Cyber Intelligence, which houses the agency’s elite hackers.

What it says: “CIA has moved too slowly to put in place the safeguards that we knew were necessary given successive breaches to other U.S. Government agencies,” the report states.

  • The lack of “user monitoring” and other audit capabilities meant the CIA was unaware of the breach until WikiLeaks had actually published documents from the stolen tranche.
  • If a traditional nation-state adversary had stolen the information, and kept its possession of it secret, the CIA might still not know that its data had been breached at such a massive scale, says the report.

By the numbers: Between 180 gigabytes and 34 terabytes of information were pilfered, says the report, “roughly equivalent to 11.6 million to 2.2 billion pages in Microsoft Word.”

  • This is a huge range that reveals just how much uncertainty exists within the CIA over the extent of the damage.

State of play: In 2018, U.S. prosecutors charged Joshua Schulte, a former CIA employee, with being WikiLeaks’ source for the Vault 7 leaks.

  • In March, Schulte’s trial ended in a hung jury, though he was convicted of lesser charges.
  • Prosecutors plan on retrying Schulte on espionage-related charges.

3. Chinese officer’s LA arrest sharpens tensions

Last week, U.S. officials unsealed an indictment charging Xin Wang, a medical researcher affiliated with the Chinese military, with lying about his affiliation with the People’s Liberation Army (PLA) on his visa application.

Why it matters: In a sign of increasing tensions, Wang, a PLA employee, is now in U.S. custody, a rarity in the U.S.-China intelligence battle.

Wang was granted an educational visa in 2018 to study at the University of California San Francisco, one of the country’s foremost academic medical institutions. In 2019 he began his research there.

But Wang knowingly lied about his continuing PLA affiliation on his visa application, say prosecutors.

  • He was continuing to draw a PLA stipend while in the United States.
  • He was tasked by his superiors at a PLA military laboratory to “observe the layout of the UCSF lab and bring back information on how to replicate it in China,” say prosecutors.
  • Wang, who held the equivalent rank of major in the PLA, was also transporting studies from UCSF back to China to share with his fellow PLA military researchers, according to prosecutors.

Between the lines: Wang’s arrest fits a pattern of Chinese nationals obscuring their PLA affiliation in order to gather intelligence within U.S. educational or research facilities, according to the U.S. government.

  • In February, for example, prosecutors charged Yanqing Ye, a PLA colonel, with lying about her current military service when applying for a visa to study at Boston University’s Department of Physics, Chemistry and Biomedical Engineering.
  • According to prosecutors, Ye’s PLA superiors continued to task her to gather data on U.S. military projects while in the United States, as well as to compile information on American professors working in high-tech areas.

The big picture: In late May, the Trump administration announced that it was canceling educational and research visas for Chinese nationals affiliated with the PLA or whose Chinese universities receive PLA funding, a policy shift expected to affect roughly 3,000 of the 360,000 U.S.-based Chinese students.

What to watch: Some universities and civil rights groups fear the move is a prelude to a broader crackdown on Chinese students in the United States.

4. Former DIA director's chronicle of racism

Lt. Gen. Vincent Stewart. Photo: Samuel Corum/Anadolu Agency/Getty Images

Lt. Gen. Vincent Stewart, who retired from government in 2019 as deputy commander of U.S. Cyber Command, details the discrimination he experienced while serving in government and the bigotry he and his family have faced in a harrowing autobiographical piece for Task and Purpose.

Context: Stewart, who was director of the Defense Intelligence Agency from 2015 to 2017, is the first black American to lead it.

What he’s saying: “Imagine the pain — my pain — of being described as the best black officer in a unit — never described as the best officer in the unit — or never being the first choice for visible prominent assignments, despite a superior record of performance than my peers,” writes Stewart.

  • Stewart also reveals a shocking encounter as DIA director when a sitting congressman intimated that he had only received his appointment because “I ‘must be close to [President Obama].’” Stewart was forced to convince the congressman that his promotion “wasn’t a gratuitous appointment.”
  • Stewart, a three-star general, also describes a time he was taken to jail, without any cause, as a young man while working as a door-to-door salesman, where the sheriff “asked if I wanted to see a house that had recently burned to the ground, just one day before a black family had planned to move in.” Stewart also describes other instances of profiling, mistreatment and malicious stereotyping directed at him and his children.

Stewart concludes with an exhortation for greater action: “Who are you lifting up and helping to get across the finish line? What are you doing to affect positive change in America? Encouraging words are nice, but this country needs action. If you are in a position of power and privilege, I challenge you to mentor and advocate for people who don’t look like you,” he writes.

5. Facebook commissioned hack for FBI to capture sex predator

In an eyebrow-raising move, Facebook hired a contractor to develop an exploit that the contractor then passed to the FBI in order to catch a sex predator who had coerced users on Facebook for years, according to a Vice investigation.

Driving the news: The offender, Buster Hernandez, known as “Brian Kil,” had used sophisticated anonymizing tools to elude Facebook security employees and state and federal law enforcement officials for years. Hernandez terrorized women into sending him nude pictures and also made death threats against his victims.

  • Facebook’s long-standing frustration at being unable to stop Hernandez’s predations led it to enlist a contractor to develop a “zero day,” an exploit for a vulnerability unknown to the developers of the affected software or hardware, and hand it to the FBI. The FBI then used that exploit, delivered through one of Hernandez’s victims, to finally locate him.

Between the lines: While the arrest of a notorious sex criminal is an unabashed victory, Facebook’s role in providing the exploit to the FBI introduces novel, and potentially worrying, issues, writes Lorenzo Franceschi-Bicchierai in Vice.

Why it matters: Because the vulnerability was unknown to the developers of the privacy software Hernandez used, the exploit was not limited to him: in theory, the FBI or other U.S. government entities could have reused it against anyone running that software, at least until the vulnerability was patched.

6. Odds and ends