At a glance.
- Policy implications of alleged Pegasus abuse.
- Further comment on China's MSS and its exploitation of Exchange Server vulnerabilities.
- CISA urges responsible organizations to protect ICS from attack.
Pegasus, lawful intercept technology, and export control regimes.
NSO Group has categorically denied the accusations of abuse reported by the Guardian and others, specifically stating that the leaked data cited in the Forbidden Stories reports had no connection to any list of persons or devices targeted by NSO Group’s Pegasus tool, and that the data could have any number of benign uses and explanations.
“NSO does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets. NSO does not operate its technology, does not collect, nor possesses, nor has any access to any kind of data of its customers. Due to contractual and national security considerations, NSO cannot confirm or deny the identity of our government customers, as well as identity of customers of which we have shut down systems,” their letter to the Guardian said.
NSO, after denying that its products were used in connection with the murder of Jamal Khashoggi, a killing which NSO called “heinous,” and reiterating its claim that its products can’t be used for surveillance of US citizens, said it was committed to doing all it can do to ensure that customers use Pegasus appropriately:
“NSO Group will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations. This includes shutting down of a customer’s system, something NSO has proven its ability and willingness to do, due to confirmed misuse, has done multiple times in the past, and will not hesitate to do again if a situation warrants. This process is documented in NSO Group’s ‘Transparency and Responsibility Report’, which was released last month.”
The governments of Rwanda, Hungary, and Morocco told the Guardian that they either didn’t use Pegasus or that they didn’t understand what the paper was asking them about. India’s government replied to the Guardian by suggesting that their coverage exhibited bad faith.
While lawful intercept tools aren't weapons, strictly speaking, they serve an intrusive purpose. Paul Bischoff, privacy advocate at Comparitech, wrote to suggest that their regulation might usefully be considered along the analogy of arms control:
“NSO Group has been suspected of selling its spyware to some of the world's most oppressive governments and leaders. Amnesty International and Citizen Lab's findings further support these suspicions. NSO Group is in effect a weapons dealer, and there are very few restrictions on to whom it can sell its weapons.
"Pegasus is used by governments and other authorities to commit crimes, notably against journalists and political opponents. There is no legitimate and legal use for Pegasus.
"Amnesty International and Citizen Lab have demonstrated a failure of export controls to regulate the sale of malware. We need to end the commercial market for malware by putting a moratorium on the sale of all hacking tools.”
Brian Higgins, also a Comparitech security specialist, laments that this is an old story:
“Pegasus has been around for some time now and there have been a number of stories related to abuses of its design purpose. Unfortunately, this kind of activity is nothing new in the world of tech. Bitcoin was developed as an alternative to fiat banking systems and micro-payments but now it underpins the global criminal economy.
"Whilst the proprietary Pegasus software belongs to NSO Group and they do their best to control its deployment contractually, there will always be consumers who will seek to repurpose its functionality to their own ends. This story is still developing, but it is already apparent that the numbers of potential victims quoted do not accurately reflect the amount of malicious activity currently facilitated by this software.
"It is an unfortunate reality that talented developers can never totally understand the full spectrum of uses their ideas may fulfill in the future.”
Chinese cyber operations mutate under an aggressive intelligence agency.
Yesterday’s White House statement naming and shaming Beijing for the Microsoft Exchange Server incident called out the CCP’s reliance on “criminal contract hackers.” Charging documents made public in 2018 and 2020 previously detailed the crypto-jacking, ransomware, and cyber extortion track records of hoods affiliated with the Ministry of State Security (MSS). Yesterday’s release noted the state’s “unwillingness to address criminal activity by contract hackers” and publicized additional charges against four MSS operatives for their role in sustained attacks on defense, aviation, maritime, healthcare, and education assets. MSS affiliates’ Microsoft Exchange espionage campaign, the statement observed, follows a long pattern of PRC-endorsed IP theft for commercial gain. Axios reiterates that Beijing-sponsored breaches are often pursued for profit. It’s not immediately clear from the release whether contractors’ personal gain is a work perk or side hustle.
Dark Reading casts it as the latter. While the indicted four allegedly stole sensitive research on diseases and transportation innovations in several countries at the CCP’s behest, MSS contractors, the piece contends, also moonlight as thugs. In line with what security experts consider the “strong nexus between the Chinese government, academic institutions, and criminal hacker groups around cyberespionage activity,” the arrangement amounts to a blind eye for a spy. National Cyber Security Alliance executive Lisa Plaggemier says the indictments show “just how warm the new ‘cyber Cold War’ has become.”
The Biden Administration is carefully weighing possible responses, Yahoo reports. In addition to sharing concerns with “senior PRC Government officials,” the novel NATO condemnation, and public-private mitigation efforts, “additional actions” are under consideration. President Biden’s reply to questions about the divergent responses to Russia and China failed to clarify the status of MSS operators. "They’re still determining exactly what happened," he said. Asked about the difference between the two countries’ behavior, he highlighted a possible similarity: “My understanding is that the Chinese government, not unlike the Russian government, is not doing this themselves but are protecting those who are doing it and maybe even accommodating them being able to do it. That may be the difference." In Yahoo’s view, the White House outlined China’s action as “recruiting a network of cybercriminals responsible for a web of attacks.”
Voice of America says the President will receive an additional briefing today, and relays Silverado Policy Accelerator Chairman Dmitri Alperovitch’s perspective that sanctions are in order. (Voice construes the White House’s account of contractors’ profits as documenting a work perk, not a side hustle.)
The FBI describes China’s cyber mischief as “increasingly sophisticated.” Wired thinks Chinese hacking took a turn—from “prolific” but discreet IP theft to a new “trail of chaos”—when MSS assumed the cyberespionage reins from the People’s Liberation Army in 2015. The piece characterizes the White House’s statement as a reprimand for outsourcing work to unbridled criminals, then either tolerating or encouraging lawless behavior, with the possibility of kickbacks for MSS officials. Center for Strategic and International Studies director James Lewis says Beijing emulates Russia, and we’re experiencing the resultant muddying of delinquency and official business.
The New York Times largely agrees, noting that MSS’ new “elite satellite network of contractors at front companies” isn’t just populated by basement baddies, but includes student recruits and prominent former engineers, with HR support from universities. So some uncertainty remains about the precise nature of MSS’ level of control over its sundry hires—and their freedom to opt out. Phil Straw, CEO of SoftIron, says that, while the attribution itself comes as no surprise to the security industry, he hopes the incident will lead to a larger consideration of "sovereign resilience in critical national infrastructure":
“The latest news on state-sponsored attacks by China on Microsoft will not come as a shock to many in the security community. While these attacks are reportedly simple in nature, we shouldn't assume that they are the only vectors of attack currently in play. A more insidious and potentially even more harmful vector of attack is in corrupting the supply chain of building our IT infrastructure at the hardware levels. Already highlighted by many G7 nations, including the US and Australia, sovereign resilience is today put at risk due to the dominance of a few very big (often Chinese) companies in manufacturing the very components and systems on which we rely. Achieving sovereign resilience will take a combination of skills, investment and incentive to achieve, collaborating with like-minded nations to ensure that no one superpower can dominate in the future. In doing so we not only create a competitive global economy, but we also help to ensure the sovereignty of critical national infrastructure.”
Anurag Gurtu, CPO of StrikeReady, notes that the MSS uses both bespoke and commodity malware in its work:
"Just this year, many attack types, such as e-crime, APT and commodity, have been linked to China. As we all know, beginning this year, a state-sponsored threat actor called Hafnium was responsible for exploiting multiple vulnerabilities in Microsoft Exchange Server affecting thousands of small businesses, enterprise organizations and government agencies with on-premises email.
"For unauthorized access to victims' computers and networks, these Chinese adversaries use commercially available and custom-built malware. There are a number of malwares that are among this list, such as KeyBase, Netfilter, SPORTSBALL, CROSSWALK, Gelsevirine, SIMPLESEESHARP, and more."
CISA warns against threats to industrial control systems, NIST issues draft IoT security guidance.
The US Cybersecurity and Infrastructure Security Agency (CISA) doesn't want those responsible for critical infrastructure to forget that industrial control systems have been, and continue to be, at risk. CISA today published an advisory, heavy on useful historical context, that reiterates best practices and lessons learned with respect to ICS security.
NIST has released draft guidelines for Federal agencies' IoT security.