Dec 16, 2020

Axios Codebook

Hello, and welcome to the final Codebook of 2020. We're wishing you a happy and restful holidays, and hoping that 2021 is easier on us all.

Today's newsletter is 1,311 words, a 5-minute read.

1 big thing: Hack may have hit 18,000 institutions

Illustration: Sarah Grillo/Axios

The government is still getting its arms around the scope of the Russia-linked hack that penetrated the Pentagon, Treasury, Commerce, Homeland Security and State departments (at least), and other institutions are bracing for damage.

The big picture: The news, which Reuters broke Sunday, has shaken the government and larger cybersecurity world. The National Security Council reportedly held an emergency meeting over the weekend to discuss the breaches.

What we know:

  • Who was (probably) behind it. Cyber operators likely working for the SVR, a Russian intelligence service, compromised the software of IT contractor SolarWinds to gain access to these government networks — and have been potentially roaming in them since March.
  • The group's history. The same hacking unit, known as APT29 or Cozy Bear, hacked prominent cybersecurity vendor FireEye. Cozy Bear was also behind a major compromise in 2014 and 2015 of Pentagon, White House and State Department email systems.
    • In the FireEye breach, Russian spies stole the tools the U.S. firm’s own hackers used to see if clients’ networks were secure — tools that, in theory, Russia could repurpose for malign hacking. The operators also seemed interested in FireEye’s government clients.
  • The upper limit of the hack's potential reach: Some 18,000 SolarWinds customers — not individuals, institutions — may have been breached in the campaign, said SolarWinds.

What we don't know:

  • What they were after. The hackers appeared to gain access to email systems at affected agencies, though we don’t know whose emails, nor just how sensitive they are. It's possible they got deeper into government systems than merely scraping unclassified emails.
  • Whether the hackers are still active in victim networks. Once a determined and capable foreign intelligence service has forced its way into a system, it will seek new avenues to keep spying even if its initial access points get cut off. We don't know if, or how many, victim networks are still compromised.
  • The full list of victims. It likely includes currently unnamed “national security agencies and defense contractors” according to the Wall Street Journal’s Dustin Volz, on top of the growing list of other confirmed and reported victims.

What’s at stake: The Pentagon and State Department are — and will always be — premier targets for foreign intelligence services. But there’s plenty of potential interest to Russian intelligence within other agencies.

  • Treasury has multiple agencies and bureaus that focus on terror financing, sanctions and helping track the financial flows of suspected intelligence operatives and agencies worldwide.
  • Commerce's Bureau of Industry and Security identifies and sanctions firms and individuals secretly working for foreign governments or terror groups that are attempting to procure sensitive military technologies prohibited from export.
  • DHS’ Homeland Security Investigations arm does key work in countering nuclear proliferation, while the department's Cybersecurity and Infrastructure Security Agency is responsible for securing federal networks.

Between the lines: There’s no evidence that these particular parts of Treasury, Commerce or DHS were breached. But the point is that sensitive national security work is often done in lesser-known corners of the U.S. government.

What's next: It’s a strong bet there are other shoes waiting to drop.

  • SolarWinds' customers include most of the Fortune 500 and a wide swath of U.S. military and civilian government bodies, per a recently deleted page on SolarWinds' website.

Be smart: As stunning as the hack's apparent success may be, the effort behind it is par for the course in the world of cyber espionage. The general public just rarely gets a glimpse into the machinery of modern spying.

  • And while the SolarWinds hack is immensely serious, the targeting of government agencies is precisely the type of cyber spying that all capable intelligence services do — including those in the U.S.
2. Dueling online influence operations in Africa

Facebook took down three networks of accounts that were waging online influence campaigns in Africa, which researchers linked to an infamous Russian troll farm and the French military.

Why it matters: The report offers an unusual look into an antagonistic online influence campaign that pitted two adversaries against each other in real time.

  • It is also a rare window into an online influence campaign authored by a Western U.S. ally.

Details: The French and Russian operations, which targeted people in the Central African Republic (CAR) and other African countries, did not merely run in parallel, but often took shots at one another on Facebook, according to a new report by the social networks analytics firm Graphika and the Stanford Internet Observatory.

What they’re saying: “From January 2020 through to the moment of the takedown, the rival influence operations posted in the same groups, commented on each other’s posts, called each other out as ‘fake news,’ conducted basic open-source analysis to expose each other’s fake accounts, friended each other, shared each other’s posts, and even, according to one source, tried to entrap each other with direct messages,” per the report.

Yes, but: There were important differences in the French and Russian operations, notes the report. Though they did post pro-French military content, the French operatives eschewed the type of direct online electoral influence attempts pervasive in the Russian campaigns.

  • In CAR, the French “posted almost exclusively about Russian interference and Russian trolls,” says the report. “Unlike the Russian operation, it did not post systematically about electoral politics and avoided commenting on the upcoming election and its candidates.”

The bottom line: The use of covert online influence networks by France — a democratic Western power — still carries great risks of moral and ethical condemnation, says the report.

3. Russian intel hit team surveilled politician before poisoning

A team of nerve agent specialists from a secret Russian intelligence unit tracked Russia’s most prominent opposition leader, Alexei Navalny, in “at least 17 cities since 2017” before his near-fatal poisoning this year, according to CNN and the investigative outlet Bellingcat.



Why it matters: This report provides overwhelming evidence that Russia’s intelligence services are responsible for the attempted poisoning. It also reveals the existence of a dedicated Russian government hit squad devoted to using nerve agents to kill or sicken dissidents and defectors.

Details: Bellingcat obtained “thousands of phone records along with flight manifests and other documents” on the hit team, which is part of the FSB, a Russian intelligence agency that is the main successor to the Soviet-era KGB.

  • Investigators then pieced together the FSB team’s operations by comparing the team’s location and movements with that of Navalny.

Background: Navalny was poisoned in an assassination attempt in August while meeting with opposition figures in Siberia.

  • According to CNN and Bellingcat, a cellphone from the hit team pinged nearby where Navalny was staying the night of his poisoning.

The intrigue: The FSB hit team has close relations with very senior Russian officials.

  • Cellphone data from a senior FSB official involved in these operations shows this official “was also in touch with a senior Kremlin official and confidante of Putin on July 2” — just before Navalny’s wife was poisoned in a separate incident in the Russian exclave of Kaliningrad.
  • Flight manifests obtained by CNN and Bellingcat show that members of the nerve gas hit team traveled to the city at the same time as the Navalnys.
4. China escalates crackdown on Hong Kong

Illustration: Eniola Odetunde/Axios

The national security law imposed by Beijing on Hong Kong is playing out in line with the worst-case scenario its critics feared, reports Axios’ Bethany Allen-Ebrahimian.

Driving the news: A slew of arrests under the draconian law culminated last week with the denial of bail to pro-democracy media tycoon Jimmy Lai.

  • On Dec. 11, Lai, who publishes the Hong Kong tabloid Apple Daily, known for its open criticism of Beijing, was charged on suspicion of "colluding with foreign forces" under the law.
  • He was also denied bail, and court proceedings were delayed until April.
  • Prosecutors said they needed this extra time to go through more than 1,000 posts on Lai's Twitter account — a bald-faced admission that what's on trial is Lai's free speech.

The backstory: The national security law, which was forced on Hong Kong by China's legislature in Beijing, subverts the city's own once-independent judiciary and imposes harsh penalties for vaguely defined crimes, including secession, terrorism and sedition.

The bottom line: Lai's arrest shows the power and true intent of the law — to legally charge the pro-democracy movement with sedition, and to crush it accordingly.

5. Odds and ends
  • China has been spying on Americans’ phones via Caribbean telecom networks, says a security expert. (Guardian)
  • An Al Jazeera journalist is suing the leaders of Saudi Arabia and the United Arab Emirates in a U.S. court for allegedly hacking and dumping her private data online. (CyberScoop)
  • Somalia has severed diplomatic ties with Kenya over the disputed Somaliland territory. (Washington Post)
  • Imagining a “whole of government” approach to national security. (Just Security)
  • President Trump is still threatening to veto the National Defense Authorization Act, which contains a host of cybersecurity-related provisions — although lawmakers almost certainly have the votes to override a veto. (Reuters)