The Taliban's victory in Afghanistan.
The effective collapse of Afghanistan's government last Sunday and the country's general fall to the Taliban represent a humanitarian disaster. From the US point of view, it seems to have been more policy failure than intelligence failure. The Taliban's ascendancy may also augur an increase in newly emboldened Islamist activity in cyberspace. Historically that activity had been largely concentrated on recruitment and operational planning (against both of which law enforcement and counter-terrorism authorities enjoyed some success), then on radicalization and inspiration (harder to restrain), and, of course, on website defacement.
The immediate and forthcoming human toll of the Taliban's success has rightly dominated coverage of the news from that country, but it's worth mentioning another, secondary risk: the threat to sensitive data the events present. The Washington Post observes that the US probably removed, rendered inaccessible in secure clouds, or simply destroyed data it held as its forces withdrew (and destruction can take many forms, including consumption by fire; see pages 2-13 and 2-14 of TC 3-23.30 for the uses of thermite). But the large amounts of information the US shared with the now-deposed Afghan government are almost certainly now in Taliban hands.
Among the material seized by the Taliban in Afghanistan are biometric registration and identification devices that had been used by the former government, the Intercept reports. The Handheld Interagency Identity Detection Equipment (HIIDE, for short) was used for such tactical purposes as checkpoint control and also in broader programs, like the preparation of identity documents. The biometric modalities collected by HIIDE include iris scans and fingerprints; the larger centralized databases to which the devices were connected held (and possibly still hold) biographical information on a large number of individuals whose biometrics had been registered by HIIDE.
As has been widely foreseen, the Taliban victory in Afghanistan has been generally celebrated in extreme Islamist quarters of the Internet. The Wall Street Journal has an overview of the relevant activity in social media. The faithful remnant of al-Qaeda (an ally the Taliban never repudiated) has been particularly prominent, seeing in the fall of Kabul a vindication of their patient endurance.
As social media platforms consider how to respond to the Taliban conquest of Afghanistan, the Washington Post says that the Taliban itself seems to be punctiliously toeing the line drawn by those platforms' terms and conditions.
T-Mobile is breached.
Criminals claimed over last weekend to have obtained a large set of customer data (said to be 100 million "fullz," that is, complete identity records) held by T-Mobile, Reuters reported.
T-Mobile responded to the breach it confirmed on August 17th with a range of customer protection and reassurance measures. The most serious risks appear to be, as WIRED reports (in an essay arguing that the incident was worse than it need have been), identity theft and SIM-swapping. The Washington Post shrugs that the general public has entered a period of learned helplessness with respect to big data breaches, and that no doubt this one will be largely forgotten within a week or so.
As WIRED summarizes, “T-Mobile says that of the people whose data was compromised, more than 40 million are former or prospective customers who had applied for credit with the carrier,” which is to say they’re not presently customers at all. An obvious question is why the mobile carrier maintained the data in the first place. What use did it have for prospective customers’ social security numbers and driver’s license information, for example?
WIRED adds, “Another 7.8 million are current ‘postpaid’ customers, which just means T-Mobile customers who get billed at the end of each month. Those roughly 48 million users had their full names, dates of birth, social security numbers, and driver’s license information stolen. An additional 850,000 prepaid customers—who fund their accounts in advance—had their names, phone numbers, and PINs exposed.” Thus the current tally of individuals affected is somewhere above 48 million. While that’s a lot by any reckoning, it’s far short of the hundred-million victims the crooks who offered the data in an underworld souk claimed.
It’s not clear how the attackers gained access to the data in the first place. T-Mobile was alerted to the problem by the hackers’ woofing on the dark web. To its customers the telco is offering two years of McAfee ID Protection, as well as access to T-Mobile’s own Scam Shield and Account Takeover Protection. The company advises customers to change PINs and passwords (even though it says these don’t appear to have been compromised), and that they consider putting a freeze on their credit if they think they’re likely to be the victims of credit fraud.
Apple's controversial steps against CSAM.
Apple defends its proposed Child Sexual Abuse Material (CSAM) detection technology, telling Vice that the version it will deploy isn't susceptible to the hash collision vulnerabilities researchers claim to have demonstrated. The proposed system would under certain circumstances scan for CSAM images flagged by a small set of international child-protection clearing houses, but critics remain unmollified. Reuters reports that various privacy and rights advocacy groups (the Center for Democracy and Technology among them) fear the technology could not only subvert end-to-end encryption, but could be readily adapted to screening for other content, and that there are insufficient protections against abuse by repressive governments. If Apple moves to scan for CSAM images in iCloud and messaging services, the critics argue, this puts it on a slippery slope to backdooring its systems under governmental pressure and to putting larger censorship programs in place.
The objections raised by the Center for Democracy and Technology aren’t confined to adult civil liberties. The CDT is to some extent speaking in loco parentis: it sees a large issue in LGBTQ+ children having their identities exposed to parents who may prove “unsympathetic,” and it gives that issue particular prominence in its post on the matter.
The letter explains, after remarking on the unreliability of the algorithms used to identify CSAM content:
“Though these capabilities are intended to protect children and to reduce the spread of child sexual abuse material (CSAM), we are concerned that they will be used to censor protected speech, threaten the privacy and security of people around the world, and have disastrous consequences for many children.”
Poly Network gets its money back (and offers the thief a bug bounty, and then a job).
The Wall Street Journal reports that the thieves have returned almost all the $600-million-plus taken from Poly Network. All but $33 million has been returned, with the outstanding balance entirely in Tether tokens that Tether had frozen in an attempt to recover its funds.
Reuters confirms that Poly Network has offered the hacker a $500,000 "bug bounty." The company has also publicly thanked the hacker, whom they refer to as “Mr. White Hat,” for helping them improve their security, as well as hiring him as "Chief Security Advisor," Cointelegraph reports.
A question: is this a case in which the distinction between a bounty and an extortion payoff amounts to a distinction without a difference? It seems unlikely that a criminal would swap $600 million for $500,000, so the crooks may have felt the approach of the law and decided that discretion was the better part of valor. Half a million dollars is an awfully big bounty.
An apparent non-state actor was responsible for the Iranian rail hacks.
An example of what a non-state actor can accomplish in the way of politically motivated cyberattacks may be seen in Iran’s recent experience. Check Point has more on the Indra Group, an Iranian opposition group it believes to have been responsible for recent cyberattacks affecting Iran's rail system. Some of the effects amounted to taunting defacement in station message boards, but Check Point says that there was more to it than that: the group deployed wipers against some of its targets, and the code suggests that they were also behind operations against a range of companies in Syria during 2019 and 2020. The company said, “[Check Point] analyzed artifacts left by the cyber attack on Iran’s train system, learning that the attack tools were technically and tactically similar to those used in malicious activity against multiple companies in Syria.”
The New York Times thinks the incidents illustrate the growing capability of non-state actors: “An opposition group without the budget, personnel or abilities of a government could still inflict a good deal of damage.”
Notes on Russian privateering.
Researchers at Analyst1 outline what they've found with respect to the Russian government's toleration and enabling of ransomware gangs. The firm says it’s established connections between Russia’s SVR and FSB (both successor agencies of the Soviet KGB) and some well-known gangs. Those agencies are said to have employed individual criminals and their organizations in their operations. The FSB, Analyst1 says, employed one ransomware gang and a second criminal group that specialized in banking malware.
They’ve also seen code similarities between Ryuk ransomware and the Sidoh espionage tool, which suggests some cross-fertilization between gangland and Russian intelligence services. Sidoh was also used to collect data from the SWIFT banking system.
Operationally, the researchers perceive connections between the EvilCorp gang and the SilverFish APT implicated, along with Cozy Bear, in the 2020 exploitation of SolarWinds.
Several of the figures mentioned in dispatches will be familiar. Take one: Evgeniy Mikhaylovich Bogachev, a well-known Russian cybercriminal associated with the Zeus malware and indicted by the US on multiple counts back in 2012. Mr. Bogachev has, Analyst1 concludes, prepared a “new version of Zeus malware to infect government and military targets, including intelligence agencies affiliated with Ukraine, Turkey, and Georgia.”
Since his indictment, Mr. Bogachev has resided comfortably on the lam at home with his track suits and exotic cats as he remains out of the FBI’s reach.
Bogachev’s colleagues in the Business Club went on to organize, Analyst1 says, EvilCorp. And that gang has effectively worked as a privateer for Moscow’s security and intelligence organs.
Ransomware in Brazil's National Treasury.
ZDNet reports that the Brazilian government has disclosed that a ransomware attack hit the National Treasury Friday, but without "structural damage" to trading platforms. The Ministry of the Economy said, in a statement, that they took prompt steps to contain the effects of the attack once it was discovered, and that it intends to be as transparent as possible about the incident. The Federal Police are investigating. Trading in Treasury Bonds, according to the Brazilian Report, remains unaffected.
InkySquid's socially engineered watering hole.
Volexity on Tuesday reported that the North Korean APT it tracks as "InkySquid" (also known as APT37) has compromised the NK News site, turning it into a watering hole that serves Bluelight malware as its payload. NK News is a legitimate South Korean outlet focused on news about the DPRK.
And social engineering from Siamesekitten.
ClearSky has an update on the operations of Siamesekitten, an APT associated with the government of Iran that’s also known as “Lyceum” and “Hexane.” The group continues an espionage campaign that began in 2018 and targets organizations in Israel.
It proceeds by social engineering, typically with an approach to employees of IT and other tech or communication companies that offers a (bogus) job. The immediate goal is to direct the target to a site where they are induced to install a malicious payload, in recent cases an upgraded backdoor called “Shark” through which the DanBot remote access Trojan is downloaded.
The initial targets appear to be a means to an end, with Siamesekitten interested in using them to pivot into its real targets. To lend plausibility to their approach, Siamesekitten’s operators impersonated websites belonging to legitimate companies, ChipPC (an Israeli IT firm) and the large German tech company Software AG. Neither firm, needless to say, is complicit in the imposture.
Various ransomware gangs are exploiting the PrintNightmare Windows vulnerability, CyberScoop reports.
Crime and punishment.
A Bitcoin mixer, who shuffled funds for contraband traders through a double blind—he himself doesn’t know how much he laundered—to help them remain difficult to track, has taken a guilty plea in a US Federal court. The Washington Post reports that Larry Harmon, thirty-eight years old and a resident of the state of Ohio, on Wednesday admitted to a DC court that, between 2014 and 2017, he operated a service called “Helix” that tumbled hundreds of millions of dollars in Bitcoin. Mr. Harmon acknowledged that he courted the custom of drug traffickers and others seeking to evade law enforcement, and he says he now intends to cooperate with Federal investigators looking into other money laundering operations.
Mr. Harmon arrived at his plea after the court rejected his earlier defense, that he couldn’t be guilty of money laundering because Bitcoin wasn’t really money. But Chief US District Judge Beryl A. Howell was having none of it, ruling, “‘Money’ commonly means a medium of exchange, method of payment, or store of value. Bitcoin is these things.”
A sentencing date has yet to be set. The Feds want to see how cooperative Mr. Harmon will be before they pencil him in on the calendar.
Courts and torts.
The US Federal Trade Commission (FTC) has filed an amended version of its anticompetitive practices complaint against Facebook. The eighty-page complaint is rich in historical detail, as is perhaps fitting for a revised complaint whose original version a court rejected in June for insufficient evidence. The acquisitions of Instagram and WhatsApp form the core of the FTC’s case that the company has engaged in impermissible monopolistic practices. The FTC maintains in its filing that Facebook has effectively been a monopoly “since at least 2011.”
The filing says in part, “Facebook has today, and has maintained since 2011, a dominant share of the relevant market for US personal social networking services.” The complaint goes on to allege that user metrics provide sufficient evidence that Facebook has attained “durable monopoly power in social networking services.”
Facebook, which has until October 4th to make its own legal response, understandably calls the FTC’s case “meritless.” In particular it objects to what it characterizes as the FTC’s capricious effort to rewrite settled legal decisions:
“There was no valid claim that Facebook was a monopolist — and that has not changed. Our acquisitions of Instagram and WhatsApp were reviewed and cleared many years ago, and our platform policies were lawful.
“The FTC's claims are an effort to rewrite antitrust laws and upend settled expectations of merger review, declaring to the business community that no sale is ever final.”
Policies, procurements, and agency equities.
China has passed its long anticipated data privacy law, the Personal Information Protection Law. It closely resembles, the Wall Street Journal says, the GDPR. It's likely to restrain corporate data collection, but is expected to have essentially no effect on government surveillance. CNBC sees the law as part of a general tightening of Beijing's regulation of the tech sector.
Fortunes of commerce.
Markets were quick to react to the story of T-Mobile's breach: Barron’s reported that T-Mobile stock was down by 3.5% in early trading after the story broke Monday morning.