
Google Sharpens Its Cyber Knife

Tom Uren
Friday, September 5, 2025, 10:02 AM
The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.

Published by The Lawfare Institute in Cooperation With Brookings


Google has announced it is starting a cyber "disruption unit" that will seek opportunities to proactively disrupt threat actor campaigns. This move reflects increased industry and government appetite for more aggressive private-sector approaches and also indicates a sensible incremental step toward government-endorsed private-sector hacking. 

Per CyberScoop's coverage:

Sandra Joyce, vice president of Google Threat Intelligence Group, said at a conference Tuesday that … the company was looking for "legal and ethical disruption" options as part of the unit’s work.
"What we're doing in the Google Threat Intelligence Group is intelligence-led proactive identification of opportunities where we can actually take down some type of campaign or operation," she said at the Center for Cybersecurity Policy and Law event, where she called for partners in the project. "We have to get from a reactive position to a proactive one … if we're going to make a difference right now."

Google has already been involved in the court-endorsed botnet takedowns of Glupteba in 2021 and BadBox 2.0 in July. To put this in perspective, Microsoft pioneered court-ordered disruption operations way back in 2010 and has been involved in a string of takedowns since then. 

Court-endorsed takedowns are not new, and two is not many. But at the very least, we’d expect this new unit to result in more of these operations.

We suspect, though, that Google wants to push the audacious edge of the envelope rather than deliver a higher volume of much of the same. Significantly, Joyce's announcement took place at a conference exploring the concept of hacking back, offensive cyber operations, and "charting a legal and strategic path forward." 

Joyce said that more details would be revealed over time, but what could a more aggressive approach look like?

We already have a public example of the ethical use of hacking to protect a vendor's customers. In 2024, cybersecurity firm Sophos released details of what it described as a "counter offensive… to neutralize China-based threats." 

After discovering that its firewalls were being targeted by a group in multiple campaigns, Sophos responded by increasing the variety and volume of telemetry being collected by its devices. Together with trial registration data, this was used to identify multiple devices that were being used by the threat actor for vulnerability research and exploit development. Per Seriously Risky Business at the time:

In late April 2020, Sophos started working on "forward deployment tooling," "a specialised kernel implant to deploy to devices that [the vendor] was highly confident were controlled by groups conducting malicious exploit research. The tool allowed for remote file and log collection without any visible userland artefacts."
Sophos deployed this implant to adversary-controlled test devices to observe exploit development and testing as it was taking place. The firm used this information to understand vulnerabilities and remediate them before they were widely exploited. It was also able to retrieve malware, including a UEFI bootkit, and write detections before the malware was deployed in the wild.

Without going into details, Sophos CISO Ross McKerchar told Risky Business host Patrick Gray that end user license agreements were "certainly part of" getting approval from legal counsel and he noted that Sophos was "working with law enforcement at the time." Later in the interview, he said that cybersecurity authorities such as the National Security Agency and the U.K.'s National Cyber Security Centre had been "incredibly supportive and helpful throughout this." 

Google is in a similar position to Sophos. Products such as Chrome and its Android devices are attractive targets for threat actors. Google's terms of service could be modified to give it the legal wiggle room to behave more aggressively against threat actors. The company has the expertise and depth to manage technical risks from operations that push boundaries, and we doubt that cybersecurity authorities and law enforcement would take issue with the company hitting back against abuse of its products.

One reason that controversial big-bang legislative proposals such as the cyber letters of marque we discussed last week are problematic is their potentially broad scope. The legislation proposed last month could authorize hacking against a wide array of criminals by people in the private sector. 

By contrast, allowing companies to act against threat actors targeting their own products is reassuringly tightly scoped. From a government perspective, encouraging the most capable technology vendors to more aggressively protect their products just makes sense. 

Sophos has demonstrated that legal hacking back is already here. Rather than spinning their wheels on controversial hackback-style legislation, policymakers should encourage more vendors to embrace it.

Salt Typhoon Outed but Not Evicted

Cybersecurity agencies from 13 countries have attributed the Salt Typhoon intrusions to three Chinese companies. These coordinated cyber attributions used to be a big deal, but in this case we are not so sure. 

Salt Typhoon is a Chinese government-backed effort that has had outrageous success targeting telecommunications and other networks worldwide. This week, the FBI said the group had hit more than 80 countries and compromised more than 200 American organizations. 

The advisory covers the group's targets:

People's Republic of China (PRC) state-sponsored cyber threat actors are targeting networks globally, including, but not limited to, telecommunications, government, transportation, lodging, and military infrastructure networks. While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks. 

The advisory later describes the impact of the hacks:

The data stolen through this activity against foreign telecommunications and Internet service providers (ISPs), as well as intrusions in the lodging and transportation sectors, ultimately can provide Chinese intelligence services with the capability to identify and track their targets' communications and movements around the world.

The advisory links these activities to three Chinese firms: Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology.

According to the advisory, the three provide "cyber-related products to China's intelligence services, including multiple units in the People's Liberation Army and Ministry of State Security."

If a Five Eyes agency were outed the way Salt Typhoon has been here, it would be considered a massive failure. The U.S. and its allies have traditionally focused on stealthy intelligence collection. Particularly for enduring targets, stealth enables long-term collection: if you don't get caught, you can keep on collecting valuable intelligence.

Indeed, a senior FBI official told CyberScoop that the Chinese government's use of contractor companies was a failure: 

"These enabling companies, they failed," Jason Bilnoski, deputy assistant director in the FBI's cyber division, told CyberScoop. "This investigation, and that of our partners, are exposing that the use of these enabling companies by the CCP is a failure."
The lack of control China has over what those companies do precisely created an opening for investigators, Bilnoski said.

However, stealth isn't the only way to ensure enduring collection. Another way is to simply hack all the things and just not stop, even after you've been discovered.

This kind of digging-in is common when Chinese threat actors are pinged these days. See, for example, this year's SharePoint exploitation, the 2023 Barracuda email gateway hacks, the Microsoft Exchange free-for-all in 2021, and even the behavior of Salt Typhoon itself. 

Sure, the outing of Salt Typhoon isn't ideal for the PRC. But we're hesitant to call it a failure. A failure would be the group's eviction from U.S. telecommunications networks. For now, the Chinese government can brush off any diplomatic blowback as a cost of doing business. 

Death of Apple's U.K. Encryption Fight Greatly Exaggerated

The fight between Apple and the U.K. government over lawful access to iCloud user data has not been resolved, despite media reporting last week. 

The Financial Times this week reported on documents filed with the Investigatory Powers Tribunal (IPT), an independent judicial body that examines complaints about U.K. intelligence services. 

Back in January, Apple was provided with a government order known as a technical capability notice (TCN). 

The Financial Times now suggests the TCN required Apple to provide broad access to iCloud data, including messages and passwords:

"The obligations included in the TCN are not limited to the UK or users of the service in the UK; they apply globally in respect of the relevant data categories of all iCloud users," the IPT filing adds.

So despite what Director of National Intelligence Tulsi Gabbard says on social media, this is still a live issue.

Three Reasons to Be Cheerful This Week:

  1. Spain cancels Huawei contract: The Spanish government has canceled a contract that would have deployed Huawei kit across RedIRIS, the country's research and academic network. 
  2. The EU's Cybersecurity Reserve gets closer: The European Commission has appointed ENISA, the European Union's cybersecurity agency, to manage the EU's Cybersecurity Reserve. The reserve will use trusted providers to deliver surge incident response capacity in the event of a significant large-scale cybersecurity incident. 
  3. Takedowns are affecting ransomware gangs: The ransomware ecosystem is splintering with new variants appearing in the wake of law enforcement takedowns, according to The Record. Increasing fragmentation and churn in ransomware variants is also accompanied by increasing distrust between individual cyber criminals. These are all good signs if you are an optimist, but we concede that there are no reliable metrics confirming the impact of the scourge has actually been reduced. 

Risky Biz Talks

In our latest "Between Two Nerds" discussion, Tom Uren and The Grugq talk about how cyber threat actors are using AI tools to fill in the resource and skills gaps they have.

From Risky Bulletin:

YouTubers unmask and help dismantle giant Chinese scam ring: Two YouTube channels named Scammer Payback and Trilogy Media played a crucial role in unmasking and identifying members of a giant scam network that stole more than $65 million from U.S. seniors.

The Department of Justice used videos posted by the two channels in 2020 and 2021 to identify and then track down the network. Officials arrested 25 of the 28 suspects they identified during this investigation.

The group allegedly used call centers based in India to call U.S. seniors, posing as government officials, bank employees, and tech support agents.

[more on Risky Bulletin]

Noem fires FEMA IT team over alleged cybersecurity failures: Department of Homeland Security head Kristi Noem has fired 24 employees of the Federal Emergency Management Agency (FEMA) IT department, citing an alleged data breach and a string of cybersecurity failures.

The firings included FEMA CIO Charles Armstrong and FEMA CISO Gregory Edwards.

In a somewhat unhinged press release, the department and Noem claim the fired employees were "entrenched bureaucrats" and "deep-state individuals" who "resisted any efforts to fix the problem," downplayed the issues, and "were more interested in covering up their failures."

FEMA insiders who spoke to CNN shortly after the firings last Friday painted a totally different picture and described the ousted IT team and its leaders as "extremely competent" and "highly respected."

[more on Risky Bulletin]

npm attack uses AI prompts to steal creds, crypto-wallet keys: A novel supply-chain attack has hit the users of NX, a popular developer tool used to automate and optimize CI/CD pipelines.

The incident took place on Tuesday, after a threat actor compromised the npm token for one of the NX developers and then released malicious updates for several NX tools to the npm package repository.

The new versions contained a malicious script that: 

  • Attempted to run a prompt on local artificial intelligence (AI) command line interface tools like Claude, Gemini, and Q.
  • The prompt instructed the AI agents to search the local filesystem for text-based files that may contain GitHub tokens, npm tokens, SSH keys, .env secrets, and wallet files.
  • All found data was encoded and written into a file.
  • Other commands would use the GitHub API to create a new public repository on the infected user's GitHub account and upload the file with all the stolen data.
  • The script also added a shutdown command to the local shell startup files (~/.bashrc and ~/.zshrc) so that the developer's machine would restart every time a terminal was started.
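The last bullet describes a persistence trick that is easy to triage: a shell startup file should never power off or reboot the host. The following checker is an added example (not code from Risky Bulletin, the NX project, or the incident itself) that parses the text of ~/.bashrc and ~/.zshrc and reports any line that would shut down or reboot the machine; the command list, the wrapper list, and the sample rc file are assumptions constructed for the demonstration.

```python
import re
import shlex
from pathlib import Path

# Commands that halt or reboot the host; nothing in a shell startup file should call them.
POWER_COMMANDS = {"shutdown", "reboot", "halt", "poweroff"}
SYSTEMCTL_POWER_VERBS = {"poweroff", "reboot", "halt"}
WRAPPERS = {"sudo", "doas", "nohup", "exec", "command", "env"}  # often precede the real command
# Separators between simple commands on one line (&& listed before &, || before |).
SPLIT_RE = re.compile(r"\s*(?:;|&&|\|\||\||&)\s*")

def _is_power_command(segment: str) -> bool:
    """True if one simple command (after wrappers and VAR=val prefixes) powers off or reboots."""
    try:
        words = shlex.split(segment, comments=True)  # also drops trailing '# ...' comments
    except ValueError:  # unbalanced quotes: unparseable, so no verdict
        return False
    while words and (words[0] in WRAPPERS or ("=" in words[0] and not words[0].startswith("="))):
        words.pop(0)
    if not words:
        return False
    cmd, args = Path(words[0]).name, words[1:]  # /sbin/shutdown -> shutdown
    if cmd in POWER_COMMANDS:
        return True
    if cmd == "systemctl" and any(a in SYSTEMCTL_POWER_VERBS for a in args):
        return True
    return cmd in {"init", "telinit"} and any(a in {"0", "6"} for a in args)

def find_power_commands(rc_text: str) -> list[tuple[int, str]]:
    """Return (line number, line) for every rc line that would shut down or reboot the host."""
    hits = []
    for lineno, line in enumerate(rc_text.splitlines(), start=1):
        if any(_is_power_command(seg) for seg in SPLIT_RE.split(line) if seg.strip()):
            hits.append((lineno, line.strip()))
    return hits

def scan_home(home: Path = Path.home()) -> dict[str, list[tuple[int, str]]]:
    """Check ~/.bashrc and ~/.zshrc, the two files named in the write-up; only files with findings."""
    files = [home / n for n in (".bashrc", ".zshrc") if (home / n).is_file()]
    return {str(p): h for p in files if (h := find_power_commands(p.read_text(errors="replace")))}

# Constructed sample: a benign rc file with one injected line, for offline demonstration.
SAMPLE_RC = """\
export PATH="$HOME/.local/bin:$PATH"
# shutdown is just a word in this comment
[ -f ~/.nvm/nvm.sh ] && . ~/.nvm/nvm.sh
sudo shutdown -h 0  # injected: powers off the machine every time a terminal opens
"""
```

Running `find_power_commands(SAMPLE_RC)` flags only line 4; `scan_home()` applies the same check to the real files in the current user's home directory.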

[more on Risky Bulletin]


Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre where he contributed to various projects including on offensive cyber capabilities, information operations, the Huawei debate in Australia and end-to-end encryption.
