At a glance.
- TIA approves of Costa Rica’s cybersecurity improvements.
- China’s bug disclosure policy could allow for espionage.
- UK government backtracks on breaking encryption.
- Sanctioning privateers.
TIA approves of Costa Rica’s cybersecurity improvements.
The Telecommunications Industry Association (TIA) is voicing its support for Costa Rica’s efforts to bolster the nation’s cybersecurity. Among the actions recently taken, the government has pledged to partner with trusted vendors from democratic countries in the transition to 5G, mandated that vendors be certified against strong cybersecurity standards, and set up a national cybersecurity operations center. Costa Rican officials have partnered with the US in its cybersecurity efforts, and US President Joe Biden and Costa Rican President Rodrigo Chaves recently met at the White House to discuss their commitment to bilateral cybersecurity cooperation. TIA CEO Dave Stehlin stated, “This strategic approach to securing its critical infrastructure by design reflects Costa Rica’s forward-thinking mindset and strengthens the foundation for a technologically advanced future. We commend the Costa Rican and U.S. governments as they each demonstrate leadership in the critical area of cyber and supply chain risk management.”
China’s bug disclosure policy could allow for espionage.
The Atlantic Council has released a report on Chinese legislation that, for the past two years, has required companies operating in China to report unpatched vulnerabilities to the government. As Wired explains, tech firms must report any hackable bugs found in their products to China’s Ministry of Industry and Information Technology within two days of discovery. The flaws are then compiled in a database whose name translates to Cybersecurity Threat and Vulnerability Information Sharing Platform. On its face this might look like a sensible way for the government to protect its citizens from attacks, but for foreign companies with China-based operations it means handing over information that could make them targets for Chinese state-sponsored hackers.
That database is shared with China’s National Computer Network Emergency Response Technical Team/Coordination Center (CNCERT/CC), the agency responsible for defending Chinese networks, which in turn shares the data with technology "partners." One such partner is the Beijing bureau of China's Ministry of State Security, the agency behind many of China’s state-sponsored hacking operations; other partners, including Shanghai Jiaotong University and the security firm Beijing Topsec, have similar ties to offensive operations. As Dakota Cary, one of the authors of the Atlantic Council report, explains, “Now we've been able to show that there is real overlap between the people operating this mandated reporting structure who have access to the vulnerabilities reported and the people carrying out offensive hacking operations.” The researchers found that foreign companies like Beckhoff, D-Link, KUKA, Omron, Phoenix Contact, and Schneider Electric have been complying with the law.
UK government backtracks on breaking encryption.
Privacy activists and tech companies have been speaking out against a controversial clause in the UK’s Online Safety Bill that would effectively undermine end-to-end encryption. It now appears the clause may no longer be a practical threat. As Wired reports, the British government has admitted that it has no way to securely scan encrypted messages. The clause was intended to give the government the authority to search such messages for child sexual abuse material, or CSAM. Although UK officials never said what technology would be used, the apparent solution was client-side scanning, in which message content is examined on the user’s device before it is encrypted and sent. Tech giants like Apple, however, said they could not see how such scanning could be deployed without infringing on user privacy. Privacy experts said the technology amounted to spyware and would violate users’ rights, and messaging platforms like WhatsApp and Signal threatened to leave the country if the bill passed in that form.
Now, it seems, that won’t be necessary. Meredith Whittaker, president of the Signal Foundation and vocal opponent of the bill, stated, “It’s absolutely a victory. It commits to not using broken tech or broken techniques to undermine end-to-end encryption.” Nonetheless, the clause remains within the Online Safety Bill, which is likely to be voted into law, and James Baker of the Open Rights Group says this means the threat of encryption-breaking surveillance still looms on the horizon. “It would be better if these powers were completely removed from the bill,” Baker stated. Matthew Hodgson, CEO of end-to-end encrypted messaging company Element, added, “It’s not a change, it’s kicking the can down the road.”
Sanctioning privateers.
In February the US and UK jointly imposed sanctions on members of Russia’s privateering TrickBot gang. We characterize them as “privateers” because, while they pursue profit, they do so at the sufferance of the Russian government, and with that government’s protection and encouragement. As the US Treasury Department put it at the time, “The Trickbot Group’s preparations in 2020 aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services. This included targeting the U.S. government and U.S. companies.” Seven individuals were named in that round of sanctions.
This morning the two governments added eleven more members of the gang to the list of sanctioned individuals. They’re described as “administrators, managers, developers, and coders who have materially assisted the Trickbot group in its operations.” The sanctions require, as a minimum, that “all property and interests in property of the individuals that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC,” the Treasury Department’s Office of Foreign Assets Control. And the TrickBoteers will find it more difficult to do business with foreigners. The Treasury statement explains, “OFAC’s regulations generally prohibit all dealings by U.S. persons or within the United States (including transactions transiting the United States) that involve any property or interests in property of blocked or designated persons.”
Don Smith, Vice President of Threat Research at Secureworks, provided some background from Secureworks' own tracking of TrickBot. "Predominantly based in Russia, these individuals are believed to have held senior roles in cybercriminal ransomware operations related to Trickbot, tracked by Secureworks CTU as GOLD BLACKBURN," he wrote. "Trickbot botnet operations and the malware family were abandoned by the group in March 2022 in favor of other crimeware. In a departure from previous sanction lists, the law enforcement agency does not mention the specific current ransomware schemes in which the individuals may be involved."
He approves of the action by the US and UK authorities. "By targeting the specific named individuals in the sanctions today, the NCA and the U.S. Department of the Treasury’s Office of Foreign Assets Control and the U.K.’s Foreign, Commonwealth, and Development Office; and His Majesty’s Treasury, give law enforcement and financial institutions the mandates and mechanisms needed to seize assets and cause financial disruption to the designated individuals while avoiding criminalizing and re-victimising the victim by placing them in the impossible position of choosing between paying a ransom to recover their business or violating sanctions," he said. "An approach that does not tie named individuals to a current ransomware scheme gives law enforcement and financial institutions the mandate and mechanisms to act against the financial assets of the criminal operators without criminalizing the victims. Disruption efforts on financial transactions will be related to known assets, such as cryptocurrency wallets and bank accounts used by the designated individuals. The sanctions require accounts, funds or other economic assets to be frozen."
Jon Miller, CEO and co-founder of Halcyon, also welcomes the news. “The announcement that the U.S. and U.K. governments are sanctioning additional members of the Conti-Trickbot Ransomware Gang is welcome news. We hope to see more such actions taken to help stem this ransomware epidemic," he wrote. "But will these actions diminish the threat from ransomware attacks? No, not at all. Not even a little bit. While we have seen some scattered arrests of affiliates and other low-level threat actors in the ransomware space, overall law enforcement has had very little impact in regard to disrupting ransomware operations." The problem, of course, is that while the gangs are criminals, they're also privateers, and they've got their tacit letter of marque from the Kremlin. Miller explained, "That’s because the one thing the most notorious ransomware gangs have in common is their ties to Russia and the Putin regime. We know that groups like Conti are closely aligned - if not directly controlled to a degree – by the Russian government and its intelligence apparatus. This weird overlap of cybercriminal activity with nation-state-supported operations we see with the Russian ransomware model – which conveniently allows for plausible deniability for Russia - means we have elements acting that are not necessarily under the direct control of a government but are closely aligned. The Russians need to be very cautious about how they conduct such attacks so they don't trigger an international incident that would elicit a direct response from the US or their allies."
The privateers afford a degree of plausible deniability to the government that backs them. Miller went on to explain, "Using ransomware gangs like Conti as a proxy to conduct the attacks in order to maintain plausible deniability and thwart attribution is the strategy here. This is one of the key reasons cyber operations have become such an important aspect of larger geopolitical issues - attribution is hard. The U.S. and allied governments are in a tough position regarding what actions to take to stem this wave of ransomware attacks, namely because there is so much ambiguity in determining root attribution for the attacks."
Any actions against a privateer (and these fall short of a takedown, still less an arrest) are good in themselves, but they don't address root causes. "These actions against Conti-Trickbot members are necessary, but even if they are arrested, there will quickly be someone to take their place. Ultimately, it's the Russian government that is both providing safe harbor for criminal elements conducting ransomware attacks with impunity and is very likely even influencing some of their targeting," Miller concluded. "Until the US government directly sanctions the Putin regime for their direct or tacit support, we will not see this spate of ransomware attacks abate any time soon. It's only a matter of time before we see another massively disruptive attack against a critical infrastructure target, and by then it will be too late to act.”
(Added, 4:30 PM ET, September 7th, 2023.) Other industry experts also weighed in on this latest round of sanctions. Tom Kellermann, SVP of cyber strategy at Contrast Security, liked the move, and noted that it will be tough recovering laundered funds. “I applaud the sanctioning of this cybercrime cartel, especially since they enjoy a protection racket with the FSB. The challenge is that most of their funds are laundered through cryptocurrency like Monero and these sanctions will have minimal impact. It is high time cryptocurrencies and exchanges are regulated in order to truly disrupt the cybercriminal enterprise of Russia.”
Rosa Smothers, former CIA cyber threat analyst and current KnowBe4 executive, also thinks that attribution in cases like this will be problematic. "Unfortunately, since ransomware groups are increasingly sophisticated at obfuscating their identities, it is often a challenge for the target's organization to know who they're actually sending money to during a ransomware incident," she wrote. "The U.S. government has reason to believe that the Trickbot attack vector has connections to Russian intelligence and this group has targeted several large healthcare providers. It's probably not a coincidence that Conti has also focused their efforts on healthcare and first responders. CISA has reported that they're behind efforts targeting over 1,000 Conti ransomware attacks against the U.S. and international organizations which have risen to more than 1,000 international organizations."