The CyberWire Daily Podcast 7.20.21
Ep 1378 | 7.20.21

APT side hustles and evidence of espionage. NSO replies to the Pegasus Project, and AWS removes NSO from its CloudFront CDN. Other data breaches and ransomware incidents.


Dave Bittner: The U.S. says China contracted with criminals to carry out cyber-espionage campaigns. Norway says China was behind an attack on its parliamentary email system. China denounces accusations of cyber-espionage as slander and says it's the real victim because the CIA is the one stealing IP from China. AWS expels NSO Group from its CloudFront CDN. NSO denies it permits its intercept tools to be abused. Saudi Aramco sustains a data breach. Ben Yelin describes calls for bans on government use of facial recognition software. Our guest is Tom Kellermann from VMware on the potential cybersecurity threats facing the Olympic Games. And an MSP struggles with ransomware.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 20, 2021. 

Dave Bittner: The U.S. has said that China's Ministry of State Security contracted at least part of its exploitation of Microsoft Exchange Servers to criminal organizations. In many cases, those gangs were permitted to profit directly from their activities, a White House statement charged. 

Dave Bittner: Quote, "the United States is deeply concerned that the PRC has fostered an intelligence enterprise that includes contract hackers who also conduct unsanctioned cyber operations worldwide, including for their own personal profit. As detailed in public charging documents unsealed in October 2018 and July and September 2020, hackers with a history of working for the PRC Ministry of State Security have engaged in ransomware attacks, cyber-enabled extortion, crypto-jacking and rank theft from victims around the world, all for financial gain. In some cases, we are aware that PRC government-affiliated cyber operators have conducted ransomware operations against private companies that have included ransom demands of millions of dollars. The PRC's unwillingness to address criminal activity by contract hackers harms governments, businesses and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments and mitigation efforts," end quote. 

Dave Bittner: This is more an APT side hustle than it is the sort of privateering the U.S. has accused Russia of tolerating. 

Dave Bittner: Reuters reports that among the governments calling out China for cyber-espionage is Norway's, which yesterday publicly attributed a March 10 attack on the parliamentary email system to Beijing. This official attribution has been expected for some time. Chinese intelligence services have been the leading suspect in this incident since early in their investigation. Norway made its attribution in connection with the general accusation by more than 30 nations that China had been engaged in widespread and damaging cyberattacks. 

Dave Bittner: China this morning answered the widespread condemnation of its operations with a denial and tu quoque accusations of American misconduct, The Washington Post reports. The rhetoric is in the increasingly familiar wolf-warrior style. Beijing spokesperson Zhao Lijian said, quote, "the United States ganged up with its allies to make unwarranted accusations against Chinese cybersecurity. This was made up out of thin air and confused right and wrong. It is purely a smear and suppression with political motives. China will never accept this," end quote. 

Dave Bittner: Beijing also reacted with displeasure at the U.S. indictment, published yesterday, of four Ministry of State Security operators on charges related to theft of intellectual property. It's the U.S. and its allies, Zhao said, who are actually the people engaged in industrial espionage. Quote, "China firmly opposes and combats any form of cyberattacks and will not encourage, support or condone any cyberattacks," end quote. Zhao added that the U.S. CIA has, for the past 11 years, been engaged in hacking aerospace research facilities, the oil industry, internet companies and various government agencies. That has had considerable malign effect, Zhao said, and severely compromised China's national and economic security. 

Dave Bittner: Zhao called upon the nations of the civilized world to acknowledge that they're the ones at fault, to stop the slander and to beware of Chinese retaliation. He said, quote, "China once again strongly demands that the United States and its allies stop cyber theft and attacks against China, stop throwing mud at China on cybersecurity issues and withdraw the so-called prosecution. China will take necessary measures to firmly safeguard China's cybersecurity and interests," end quote. 

Dave Bittner: The denials and counteraccusations aren't particularly plausible, but they're a lot feistier than their Russian equivalents, which usually come down to something along the lines of, show us the evidence so we can all investigate this together, which is a lot more boring than, stop throwing mud - not more plausible, just more boring. 

Dave Bittner: Amazon Web Services told Motherboard that the cloud provider has revoked NSO Group's access to its infrastructure. AWS said, when we learned of this activity - that is, the targeting of journalists, dissidents and others with NSO Group's Pegasus intercept tools - we acted quickly to shut down the relevant infrastructure and accounts. NSO Group had used Amazon Web Services' CloudFront content delivery network. It will no longer be able to do so. 

Dave Bittner: Amnesty International has published the forensic investigation it conducted into apparent use of Pegasus against the targets described by the Forbidden Stories Pegasus Project. The University of Toronto's Citizen Lab published what it characterized as an independent peer review of Amnesty's work. That review generally concurred with Amnesty's conclusions. 

Dave Bittner: NSO Group has categorically denied accusations of abuse reported by The Guardian and others, specifically stating that the leaked data cited in Forbidden Stories' reports had no connection to any list of persons or devices targeted by NSO Group's Pegasus tool and that the data had any number of benign uses and explanations. 

Dave Bittner: Their letter to The Guardian said, quote, "NSO does not operate the systems that it sells to vetted government customers and does not have access to the data of its customers' targets. NSO does not operate its technology, does not collect, nor possess, nor has any access to any kind of data of its customers. Due to contractual and national security considerations, NSO cannot confirm or deny the identity of our government customers, as well as identity of customers of which we have shut down systems," end quote. 

Dave Bittner: NSO, after denying that its products were used in connection with the murder of Jamal Khashoggi - a killing which NSO called heinous - and reiterating its claim that its products can't be used for surveillance of U.S. citizens, said it was committed to doing all it can do to ensure that customers use Pegasus appropriately. 

Dave Bittner: Quote, "NSO Group will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations. This includes shutting down of a customer's system, something NSO has proven its ability and willingness to do, due to confirmed misuse, has done multiple times in the past and will not hesitate to do again if a situation warrants. This process is documented in NSO Group's Transparency and Responsibility Report, which was released last month," end quote. 

Dave Bittner: The governments of Rwanda, Hungary and Morocco told The Guardian that they either didn't use Pegasus or that they didn't understand what the paper was asking them about. India's government replied to The Guardian by suggesting that their coverage exhibited bad faith. 

Dave Bittner: A criminal organization that styles itself ZeroX is offering a terabyte of proprietary data stolen from Saudi Aramco. BleepingComputer says the gang claims the data includes personal information on over 14,000 employees, business documents and engineering information. According to Saudi Aramco, ZeroX obtained the data from third parties via exploitation of an unspecified zero-day. The attack did not involve ransomware and does not appear to be an extortion play, although a deadline the group imposed looks like a prelude to a ransom demand. The crooks called the deadline a puzzle for Aramco to solve. 

Dave Bittner: And, finally, Cloudstar, which The Record describes as a cloud and managed service provider with a large customer base in the mortgage, title insurance, real estate, legal finance and local government sectors, continues its recovery from a ransomware attack it detected Friday. The incident has interfered with real estate transactions, and The Record, betting on form, thinks recovery may be a matter of weeks as opposed to days. 

Dave Bittner: The Olympic Games have arrived, with the final preparations for the festivities in Tokyo taking place as we speak. As we learned from the most recent games in Korea, the Olympics represent a large, irresistible target for bad actors in the cyber realm. For details on what we might expect going into this year's Olympic Games, we checked in with Tom Kellermann, head of cybersecurity strategy for VMware and member of the U.S. Secret Service's Cyber Investigations Advisory Board. 

Tom Kellermann: Well, the Olympics present a huge challenge from a cybersecurity perspective, particularly when you have rogue nation-states that are going to manifest their angst for not being allowed to participate in the games through cyberattack. This is compounded by the reality that this will be one of the first Olympics where the majority of viewers and the majority of the audience will be virtual and primarily using computers, phones, tablets to watch the games. 

Dave Bittner: So how might that manifest itself? What sort of things are folks on the lookout for here? 

Tom Kellermann: I'm very concerned about cyberattacks from North Korea and Russia - Russia because of the fact that they're not allowed to participate in the Olympics under the Russian flag as punishment for the doping scandal, and North Korea, obviously, because they're a rogue nation-state. They have tremendous angst towards Japan, historical angst, and they - this is their time to make a statement. And they'll do so with their Grade A hacker group, you know, HIDDEN COBRA. 

Tom Kellermann: That all being said, what I'm most concerned about is the platform via which we observe the Olympic Games being polluted and turned into watering holes. So whether Xfinity - you know, Comcast Xfinity's platform gets backdoored and then used to push malware or ransomware against the audiences who are implicitly trusting that feed, that's a great example of something that could occur. 

Dave Bittner: Do you think we might see something like DDoSing, where they could come at some of these networks to keep the feeds from successfully going out? 

Tom Kellermann: I do think denial-of-service will be a significant challenge. But more importantly, I'm concerned about those networks and their virtual platforms, their multimedia platforms, being commandeered to be pushing out ransomware against the audience. We're seeing in roughly, you know, 50% of all investigations nowadays that when an organization is breached via cyberattack, that that organization's infrastructure is then in turn used to attack their customers - what we call island hopping. 

Dave Bittner: What is your sense in terms of the Olympic Committee and the host country themselves of being adequately prepared for this? 

Tom Kellermann: The Japanese have a history of being proactive when it comes to cybersecurity. In terms of the Olympic Committee's security posture, I have no idea. I doubt they've paid as much attention to cybersecurity as they have to physical security, whether it's from terrorist attacks or the pandemic itself. And I do think that the dependence on multimedia platforms and the dependence on mobile applications for tracking and security at the games could present a greater attack surface for hackers around the world. 

Dave Bittner: What sort of things have we learned from past Olympic Games here? And we haven't had that many that have been, you know, in this online digital age that we find ourselves in here today. But what do we know from the last couple rounds? 

Tom Kellermann: And what we've learned is that countries who feel like they've been scorned or shunned from the Games by the Olympic Committee for past actions or malfeasance or the reality that they're, you know, an autocracy that is anti this type of, you know, sporting event, more often than not, they react in cyberspace. And what I'm concerned about now is that we're going to see attacks that go beyond denial-of-service and attacks that go beyond just merely trying to steal monies from the audience and the participants. But more importantly, I could see, you know, a phenomenon where you see a major cloud provider's infrastructure used to deliver ransomware attacks or a sea of destructive attacks against the Games themselves in a cyber construct. 

Tom Kellermann: Well, hopefully, you know, the committee and all organizations are conducting regular threat hunts within their environments to ascertain whether or not a backdoor or behavioral anomaly exists now, one that could manifest into a more systemic contagion and/or delivery mechanism for destructive attacks and/or ransomware. 

Dave Bittner: That's Tom Kellermann from VMware. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Interesting story here from the Daily Dot, written by Andrew Wyrich. And it's titled "Calls for Biden to Ban Facial Recognition Grow After GAO Report's Findings." What's going on here, Ben? 

Ben Yelin: So the GAO, the Government Accountability Office, released this report that found that 20 federal agencies either owned or used facial recognition technology and that six of those agencies had employed the technology during the Black Lives Matter protests in the summer of 2020. So not only were they reporting that this technology is widely used within federal agencies, but that there was a lack of oversight on the part of these agencies. And 13 agencies have reported to the GAO that they didn't know what non-federal facial recognition systems were being used by their employees. 

Ben Yelin: So a few things are happening here. Basically, the GAO is saying we need a way to track whether non-federal systems - you know, systems that aren't subject to stringent federal oversight - are being used by employees, figure out what the risks are of these systems and put into place checks to make sure that these systems aren't being abused. 

Dave Bittner: OK. 

Ben Yelin: And, of course, the context of all this is we know some of the pitfalls of facial recognition technology. It has, of course, been found to have racial biases. 

Dave Bittner: Right. 

Ben Yelin: And, you know, while the federal government hasn't really taken action to curb the use of facial recognition technology, we have seen cities, states, localities start to curb or put rules and regulations on the use of this tool because of its potential for abuse. 

Ben Yelin: So this GAO report, I think, is going to be pretty widely read among some of the more civil libertarian-oriented members in Congress. There was legislation introduced in the previous Congress to try and rein in the use of facial recognition technology. And that effort has been replicated in the current Congress. A bill has been proposed, just introduced in the last month, that would put a moratorium on the technology by the federal government until, in the words of one political leader, we figure out what the heck is going on. 

Dave Bittner: (Laughter). 

Ben Yelin: So I think that's something that we really could see happen, where Congress puts in a moratorium on the use of facial recognition technology, unless the specific technology or system is approved by an act of Congress, among other things, as part of those reform pieces of legislation. 

Dave Bittner: We've seen some agencies kind of using end-arounds. If there's a piece of technology that they want to use but maybe it's not directly accessible to them, they will engage with a contractor who then gets to use that. Is this addressing any of that sort of thing? 

Ben Yelin: Yeah, it does. I think what the GAO is saying, what other civil liberties organizations are saying is unless we put widely applicable broad rules on law enforcement's use of facial recognition technology, they are going to keep finding these loopholes. So that's why the administration and Congress need to take action now, because otherwise, the agencies themselves are going to be unfettered in trying, you know, to do an end-around to current regulations. 

Ben Yelin: You know, the fact that 13 of the 14 agencies they interviewed aren't tracking which commercial facial recognition products their employees are using is a pretty big wake-up call that there is just not sufficient oversight here. Of course, you understand why law enforcement needs to use facial recognition technology, wants to use it. 

Dave Bittner: Right. 

Ben Yelin: It's very useful in apprehending criminals, especially when you have these wide-scale investigations where there's very little actual evidence and you're, you know - one thing I'm certainly thinking about is the January 6 insurrection investigation, where you have thousands, millions of pictures and images and you're trying to match up potential criminals to their faces. You can understand why it's an effective tool. 

Dave Bittner: Right, who was where when. 

Ben Yelin: Exactly. 

Dave Bittner: Yeah. 

Ben Yelin: But, you know, without having any sort of uniform rules in place about how this technology is used, about what systems in particular are being used, then it certainly is a recipe for disaster. So I think - and, you know, that's what the GAO is for. They put out these reports because members of Congress don't have the time or resources to do that research themselves necessarily and figure out, you know, these oversight gaps. So... 

Dave Bittner: Is there generally - I mean, is there bipartisan support for this sort of thing? Are folks on both sides of the aisle cautious when it comes to facial recognition? 

Ben Yelin: Yes. I will say two things, though. There's bipartisan support for more regulation of facial recognition software and bipartisan opposition. 

Dave Bittner: Oh, interesting. 

Ben Yelin: I just think it doesn't fall neatly along partisan lines. I think there - it's kind of a horseshoe thing where you have extreme left-wing civil libertarians saying, you know, this has significant racial biases; we need to put a stop to this, you know, before it perpetuates systemic racism. 

Dave Bittner: Right. 

Ben Yelin: And then on the other side, you know, people on the right wing who say this is Big Brother; this is government overreach; this is targeting, you know, our... 

Dave Bittner: There's something here for everyone to hate. 

Ben Yelin: Exactly. 

Dave Bittner: (Laughter). 

Ben Yelin: And then there's, you know, people in the middle of the horseshoe on both sides of the aisle who are like, I kind of like to have this as a, you know... 

Dave Bittner: We can see how this is an effective law enforcement tool. 

Ben Yelin: Yeah. So it just doesn't really neatly divide along those partisan lines, which I always find interesting. 

Dave Bittner: Yeah, yeah. 

Ben Yelin: Yeah. 

Dave Bittner: That is interesting. 

Dave Bittner: All right. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.