Sep 9, 2020

Axios Codebook


Hello, and welcome to this week’s Codebook, where we’re thinking about how distant — and yet how incredibly immediate — the 9/11 attacks feel, now 19 years later.

Today's newsletter is 1,231 words, a 5-minute read.

1 big thing: Ex-CIA officials with Trump ties assembled “purge list”

Illustration: Annelise Capossela/Axios

Even before President Donald Trump took office, an effort was underway to sniff out elements within the intelligence community perceived as disloyal, in yet another example of the deep tensions between the administration and its own intelligence agencies.

Driving the news: In 2017, former CIA officials close to the then-incoming Trump administration assembled a "purge list" of agency personnel they deemed ideologically unaligned with the administration or incompetent, two former agency officials told Axios.

Between the lines: "This was about cleaning house at CIA," said a former senior agency official familiar with the list. While some of the impetus for the list was "score settling," the person said, it was also "the deep state thing": ridding the CIA of "bad guys."

  • Deeply concerned, this official reported the activities of his former colleagues multiple times to his CIA superiors.
  • "This was not a passing thing," the person said. "They were serious about it."
  • At the time, “the Trump administration was paranoid,” recalls another former CIA official. “They thought everyone was going to work against them.”

Details: The list, which began being assembled during the presidential transition, was initially passed from Trump-aligned former agency officials to Steve Bannon, said the former senior CIA official.

  • Some of the personnel targeted for firing worked on Middle East or counterterrorism-oriented operations, said the former senior official. The targeted CIA officials are still working undercover, this person says.
  • The list's generators did possess high-level access within Langley: One such Trump-aligned former agency official was granted at least one in-person meeting with then-CIA Director Mike Pompeo, said the former senior CIA official.

Yes, but: In the end, the list’s authors failed to have the disfavored CIA personnel fired. "The irony is that they never did the purge," recalls the former senior official. "They just reorganized DNI. All the bluster has come to nothing."

Of note: At the time, word about the "purge list" was greeted within the agency more with incredulousness and bemusement than fear, said the former officials.

  • This was partly because of the Trump administration’s plans around the same time to have Stephen Feinberg, a private equity billionaire, undertake an outside review of the U.S. intelligence community.
  • That was considered a more significant and potentially far-reaching move, said the second former CIA official. (In 2018, Feinberg was named chairman of the President’s Intelligence Advisory Board.)

The big picture: Even when unsuccessful, Trump administration efforts to purge people viewed as insufficiently loyal to the president can damage morale and send career officials with institutional expertise looking for an exit. That’s a particular concern in matters of national security.

Meanwhile: The Open Technology Fund, a federally funded nonprofit that supports tech tools for dissidents living under authoritarian regimes abroad, is fighting its own battle over an apparent attempt to either purge its existing leadership or neuter it in favor of a Trump-loyalist alternative organization.

  • OTF is now calling for an inspector general investigation into the agency that funds it.

2. Iranian cyber group sold access to hacked networks

A hacker group associated with the Iranian government is selling “access to compromised networks on an underground forum,” likely without Tehran’s blessing, according to research by threat intelligence firm CrowdStrike.

Why it matters: That these Iranian hackers were apparently caught trying to make money on the side may show the dangers of relying on likely underpaid contractors to conduct sensitive offensive cyber operations.

What’s happening: The group, which CrowdStrike has named “Pioneer Kitten,” has been active since 2017, with its last known activity occurring in July 2020.

  • The group has focused on hacking North American and Israeli targets in the “technology, government, defense, healthcare, aviation, media, academic, engineering, consulting and professional services, chemical, manufacturing, financial services, insurance, and retail” sectors, says CrowdStrike, with a particular focus on government, defense and tech firms.
  • Pioneer Kitten often goes after targets of opportunity, says CrowdStrike, such as unpatched devices, showing that an attacker does not need advanced tradecraft to achieve operational results.

The intrigue: In late July, CrowdStrike observed someone associated with Pioneer Kitten selling access to hacked networks online.

  • CrowdStrike believes this commercial activity would not have been sanctioned by Tehran and that Pioneer Kitten may therefore consist of contractors associated with the Iranian government — not actual intelligence officers.

3. New report highlights vulnerabilities of the cloud

Illustration: Sarah Grillo/Axios

Moving data storage and processing to the cloud ameliorates some cybersecurity vulnerabilities while heightening others, according to a study published last week by the Carnegie Endowment for International Peace.

The big picture: More and more segments of both the public and private sectors are shifting their systems to the cloud, primarily relying in the U.S. on a handful of companies, chief among them Amazon, Microsoft and Google.

On the one hand, says the report, the centralization of data storage services provides many public and private entities with more advanced cybersecurity protections than what they possess internally.

  • “[T]he reality [is] that most organizations—governments and companies—cannot effectively protect themselves. Very few organizations can rival the security teams of the major CSPs [cloud service providers] and are therefore better off entrusting their security to these external firms’ security teams.”
  • “This does not mean that the cloud is secure,” says the report, “but it is more secure relative to the security measures most organizations could otherwise achieve.”

On the other hand, the report finds a significant “emerging problem is the systemic risk associated with a centralized approach.”

  • That is, the concentration of power and data among what the authors call the CSP “oligopoly” means that, though they may have advanced security infrastructure, a potential breach of even one of these services could be catastrophic.
  • Worries about over-reliance on a single CSP have led U.S. government agencies to move toward a "multicloud" strategy to minimize the risks of depending on one firm, says the report.
  • That includes the CIA, which entered into a contract with Amazon Web Services to build it a bespoke cloud system in 2013 but is now in the process of soliciting bids for a multicloud solution.

Meanwhile: The major U.S.-based cloud services are also beginning to be challenged by Chinese firms like Alibaba and Tencent for market share across Asia, says the report, a finding that comes as the U.S. and China swap blows over mutual attempts to blunt each other’s technological influence around the world.

4. Chinese hacking group moves on from COVID

A Chinese government-associated hacking group that shifted its focus this spring toward collecting intelligence involving coronavirus response has again reoriented its work, this time to target Tibetan dissidents, according to security firm Proofpoint.

Between the lines: China’s intelligence services may now feel that, with the initial COVID-19 crisis in both Europe and China now receding, they can return to older, core priorities.

Details: Proofpoint connected the most recent activity to the same Chinese group behind the coronavirus campaign because of shared email accounts employed during phishing campaigns, use of the same "new malware family," and the group’s historical targeting patterns.

  • This Chinese hacking group has a well-documented history of targeting Tibetan dissident and exile organizations. Chinese intelligence places great emphasis on tracking human rights figures and dissidents abroad — and Tibetan groups are among its top targets.
  • Earlier this year, in response to the pandemic, the group had shifted to targeting “European diplomatic and legislative bodies, non-profit policy research organizations, and global organizations dealing with economic affairs,” Proofpoint says.

Context: The push for Tibetan autonomy is one of what the Chinese Communist Party calls the “Five Poisons” that it believes threaten national unity and its power.

  • The others are the assertion of Taiwanese independence, the call for Uighur rights, pro-democracy movements, and Falun Gong, a spiritual practice banned in China.
  • Keeping a close eye on these is a core feature of Beijing’s internal and external counterintelligence strategies, including its cyber espionage efforts.

5. Odds and Ends