Oct 3, 2019

Axios Codebook

Welcome to Codebook, the cybersecurity newsletter that goes down smooth.

Situational awareness: The Department of Justice will host a conference Friday on lawful access to data, an attempt to relaunch the encryption debate.

Today's Smart Brevity: 1,401 words, 5-minute read

1 big thing: Disinformation as a service crosses borders with ease

Illustration: Sarah Grillo/Axios

A growing industry of commercial disinformation services based in countries like Russia and the Philippines may seem like more of a threat abroad than here in the U.S. After all, could untrained Russian criminals have the language skills, local contacts and cultural background to influence an English language conversation half a world away?

Yes. They can and they do.

Driving the news: A new report from the security firm Recorded Future documents two campaigns that it paid Russian-speaking, dark web propagandists-for-hire to run.

  • One campaign promoted a fictitious temp agency, while the other attacked it.
  • The Russians, however, didn't know the company was fake.

What they're saying: "Troublingly, we realized the process was quite easy," said Roman Sannikov, one of the researchers behind the report.

Disinformation-as-a-service providers, rentable private-sector contractors that sell full-service disinformation to anybody who can pay, have claimed to operate in English-speaking countries before. But the Recorded Future report appears to be the first time such activity in an English-speaking country has been documented by a third party.

  • There's a distinction here between for-hire services and government-sponsored operations, like the one by Russia's Internet Research Agency that spread propaganda on social media during the 2016 election.
  • "While it might be the first time researchers have written about it, given how polished the process was, I don't think this was the first time they've done something like that," said Sannikov.

The big picture: National boundaries and linguistic barriers did not hinder the two campaigns Recorded Future set up.

  • Beyond well-formed social media campaigns, the contractors hired by Recorded Future had reporters on retainer at key publications to place stories they drafted.
  • According to a menu of prices sent to the researchers, the contractors had plants in a variety of outlets, including a prominent design website ($8,404.80 an article), a major financial newspaper ($49,440), a famous list and news site (price not listed), and several local sites.
  • Recorded Future purchased and successfully placed 2 stories. While they didn't release the names of the publications — meaning actual access to the newspapers on the menu of options is not verified — they did say one of the articles ran in a well-established newspaper.
  • Between the two contractors, one was able to write an article in flawless English on the first draft, said Sannikov. The other's first draft read slightly like that of a non-native speaker, but was fixed when Recorded Future told them to do better.
  • The contractors offered a menu of services. The one hired to defame the fake firm even offered to make false police reports.

Codebook has discussed some of the implications of these commercial disinformation services in the past — namely, that no U.S. law would prevent a political campaign from contracting one to run a disinformation campaign on its behalf.

  • But as the report makes clear, the potential for a business to use these services to damage a rival company online and in the press shouldn't be underestimated.

The bottom line: "A lot of the focus has been from the public side — impacting elections or law enforcement — as it should be," said Sannikov. "But we think that there hasn’t been as much discussion of the private sector as they could be."

2. How several governments digitally surveil or deter their citizens

Countries using cyber means to dissuade activists or surveil dissidents is no new phenomenon — there's a whole industry built to sell governments the tools to do so. But several new instances of governments spying on their people were uncovered this week.

Egyptian security forces surveilled opposition politicians, journalists, lawyers and academics, according to a new report by Check Point, first reported in the New York Times.

  • Check Point found that the server used in the attacks was registered to the Egyptian Ministry of Communications and Information Technology, and that geographic data embedded in the malware was consistent with an Egyptian operation.
  • At least 3 victims of the campaign have been arrested or detained: Hassan Nafaa, a political scientist at Cairo University; Khaled Dawoud, a former journalist now heading the opposition Constitution Party; and Shady al-Ghazaly Harba, a surgeon accused of insulting the Egyptian president on Twitter.

Uzbek cyber operatives are now developing their own malware, after years of using commercial malware products for surveillance, according to a presentation given by Kaspersky's Brian Bartholomew at the Virus Bulletin conference in London (summarized here by CyberScoop).

The Iraqi government appeared to cut internet connectivity within the country on Wednesday in an attempt to quell protesters, according to connectivity monitor NetBlocks. That came after NetBlocks reported earlier in the day that access to the major social media networks Facebook, Twitter and WhatsApp had been blocked.

3. Silent Starling eats more than breadcrumbs

Silent Starling, a West African criminal group newly discovered and named by Agari, is using a technique known as vendor email compromise to scam entire supply chains.

The big picture: Vendor email compromise involves an attacker taking over the email account of an employee at a vendor and using that trusted, legitimate account to send phishing emails, typically fake invoices or payment-detail changes, to the customers that vendor bills. Because the mail genuinely originates from the vendor's mailbox, it sails past the sender checks that catch ordinary spoofing, which makes it a particularly nasty version of business email compromise.

  • Agari documented infiltration of at least 700 employee email accounts, spanning more than 500 companies in 14 countries. However, nearly all the stolen accounts came from the U.S., UK and Canada.
  • The company identified 3 main actors operating out of Nigeria, but believes the operation is much larger.
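
The defensive consequence of vendor email compromise is that you cannot lean on sender authentication: the invoice really did come from the vendor's mailbox. What you can check is whether the message asks you to do something the vendor's record on file does not support, such as pay to a new bank account. The following is an added example written for this newsletter, not code from Agari or from the Silent Starling report; the vendor record, the IBAN values and the two sample messages are constructed for illustration, and the heuristics (known-vendor lookup, Reply-To mismatch, changed payment account, urgency language) are common accounts-payable controls rather than anything the report prescribes.

```python
"""Heuristic checks for vendor email compromise (VEC) on an inbound invoice.

Added example, not code from Agari or the newsletter. In a VEC attack the
mail comes from the vendor's real (compromised) mailbox, so SPF/DKIM pass
and sender-domain checks prove nothing. The usable signals are in the
content, compared with what accounts-payable already knows about the vendor.
All vendor data and sample messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: payment details accounts-payable has on file per vendor domain
KNOWN_VENDORS = {
    "acme-supplies.example": {"iban": "GB29NWBK60161331926819"},
}

IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|today|new bank|updated (bank|account) details)\b",
    re.IGNORECASE,
)


def _text_body(msg):
    """Return the text/plain content of a parsed message (multipart-aware)."""
    if msg.is_multipart():
        parts = []
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                raw = part.get_payload(decode=True)
                parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
        return "\n".join(parts)
    return msg.get_payload()


def assess_invoice_email(raw, vendors=KNOWN_VENDORS):
    """Score one raw RFC 822 message; returns domain, findings and a risk label.

    risk is 'hold-payment' if the message names a bank account other than the
    one on file, 'review' if anything else looks off, 'ok' otherwise.
    """
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", "") or from_addr)
    domain = from_addr.rpartition("@")[2].lower()
    findings = []

    vendor = vendors.get(domain)
    if vendor is None:
        findings.append("sender domain is not a known vendor")
        return {"domain": domain, "findings": findings, "risk": "review"}

    # In VEC the From is genuine; attackers sometimes still redirect replies to
    # a look-alike domain so the real employee never sees the conversation.
    if reply_to.lower() != from_addr.lower():
        findings.append(f"reply-to {reply_to} differs from sender {from_addr}")
    if reply_to.rpartition("@")[2].lower() != domain:
        findings.append("reply-to points outside the vendor domain")

    body = _text_body(msg)
    new_ibans = sorted(i for i in set(IBAN_RE.findall(body)) if i != vendor["iban"])
    if new_ibans:
        findings.append(f"payment account differs from record on file: {new_ibans}")
    if URGENCY_RE.search(body):
        findings.append("urgency or bank-change language in body")

    risk = "hold-payment" if new_ibans else ("review" if findings else "ok")
    return {"domain": domain, "findings": findings, "risk": risk}


# Constructed sample: a VEC-style invoice from the vendor's real mailbox
SAMPLE_VEC = """From: Acme Billing <billing@acme-supplies.example>
Reply-To: Acme Billing <billing@acme-supp1ies.example>
To: ap@customer.example
Subject: Invoice 4471 - updated bank details

Hello, please note our updated bank details for invoice 4471.
New IBAN: GB82WEST12345698765432. Kindly remit today.
"""

# Constructed sample: an ordinary invoice that matches the record on file
SAMPLE_OK = """From: Acme Billing <billing@acme-supplies.example>
To: ap@customer.example
Subject: Invoice 4470

Invoice 4470 attached. Remit to our usual account GB29NWBK60161331926819 within 30 days.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_VEC, SAMPLE_OK):
        print(assess_invoice_email(sample))
```

The important design point is that the changed-account check does the work. A careful attacker who has set up a forwarding rule on the compromised mailbox will leave Reply-To alone and write in the vendor's usual tone, so the Reply-To and urgency checks are supporting evidence only; a payment-detail change that is not confirmed out of band with a known contact should hold the payment regardless of how clean the headers look.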

4. National Cybersecurity Awareness Month

There are plenty of announcements, conferences and other festivities planned throughout October, the 16th annual National Cybersecurity Awareness Month.

Just a sampling:

  • The National Association of Secretaries of State released a resource guide to election security this week featuring a number of the services offered by government agencies, nonprofits and companies.
  • The Aspen Institute held its cybersecurity conference in New York, which I live-tweeted here until my computer died. Then I stopped.
  • CyberScoop will host its CyberWeek events later this month.
  • CISA, Homeland Security's cyber division, launched a trivia game.
  • There are additional conferences nationwide, including in Tennessee and Colorado.

And the best part about National Cybersecurity Awareness Month is that once November hits, you can go back to being cybersecurity-ignorant.

5. Cyber Threat Alliance adds Verizon, others

The security industry's largest threat information sharing group, the Cyber Threat Alliance, announced that 3 new companies — K7 Computing, Scitum and Verizon — would join the fold Thursday.

Why it matters: The goal of CTA is to pool the resources of the industry for collective defense against the bad guys. The new adds, particularly mammoth service provider Verizon, bring tremendous new data to fuel that mission.

6. Other news from the last week

Tom Bossert. Photo: Saul Loeb/AFP/Getty Images

White House cyber controversies spin out of control (Axios, Washington Post): Days after a memo of a conversation with the president of Ukraine showed President Trump continuing to subscribe to an easily debunkable conspiracy theory about the cybersecurity firm CrowdStrike, former homeland security adviser Tom Bossert told ABC News he debunked that point directly to the president.

  • Meanwhile, the Washington Post reported that, during the 2017 White House meeting with Russian officials, President Trump said he was not concerned about Russian interference in the U.S. election.

Urgent11 gets urgent-er (Armis): Urgent11, a recently discovered set of vulnerabilities in the VxWorks operating system, also affects a number of previously unreported devices running other operating systems, according to a new alert.

  • VxWorks runs inside many internet-connected devices without users ever seeing it. The original alert by Armis covered everything from GE Healthcare devices to Schneider Electric industrial systems.
  • But the vulnerable component, the IPnet TCP/IP stack that ships in VxWorks, was also licensed to and built into devices running other operating systems. Armis has now found Urgent11 problems in the BD Alaris PC Unit (a medical infusion product), the HP Proliant iLO100 management engine, the Canon MF4270 printer, ArrowSpan MeshAP 1100 mesh networking gear, and the Planex SPX-2420GL router.

MasterMana "hits all of the cyber bingo buzzwords" (Prevailion): At least, that's according to a report from Prevailion, which lists the bingo buzzwords as "business email compromise, backdoors, and cryptocurrency wallets."

  • A criminal group — Prevailion believes it might be one previously identified as the Gorgon Group — is using phishing emails to businesses (business email compromise) to install backdoors that can, among other things, steal cryptocurrency wallets. Bingo!

7. Odds and ends

We'll be back next week. Promise.

Improbable Codebook reader pick the Cleveland Browns looked like a real football team in a 40-25 win over a very good Ravens squad. And if the faith of the Codebook faithful isn't motivation enough for the Factory of Sadness, maybe they'll try extra hard to win fans free Arby's curly fries.