Spain Leaves Key Under Mat for Huawei

Tom Uren
Friday, July 18, 2025, 8:00 AM
The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.

Published by The Lawfare Institute
in Cooperation With
Brookings

Spain Leaves Key Under Mat for Huawei

Recent reporting that the Spanish government had awarded 12.3 million euros to Huawei to manage storage for the government's lawful intercept (LI) system struck us as a terrible idea.

Digging a bit deeper, it turns out the truth is more understandable but far worse. These contracts were awarded over the past few years and were a continuation of an existing arrangement. Huawei has been involved in Spain's LI system since 2004.

It is time to rip the Band-Aid off.

In LI systems, service providers intercept communications and provide them to officials from intelligence or law enforcement agencies when presented with a valid authorization such as a court order. LI is common enough that there are a number of ETSI standards for it.

While it is a valuable investigative tool for domestic law enforcement and counterintelligence purposes, LI systems are also a high-value target for foreign intelligence services.

Back in 2004, for example, in the lead-up to the Athens Olympics, local telecommunications provider Vodafone Greece was hacked. In this case, rogue software subverted the built-in LI capabilities of Ericsson telephone switches to effectively wiretap specified phone numbers. Over 100 phones were targeted, per IEEE Spectrum:

Besides the prime minister and his wife, phones belonging to the ministers of national defense, foreign affairs, and justice, the mayor of Athens, and the Greek European Union commissioner were all compromised. Others belonged to members of civil rights organizations, peace activists, and antiglobalization groups; senior staff at the ministries of National Defense, Public Order, Merchant Marine, and Foreign Affairs; the New Democracy ruling party; the Hellenic Navy general staff; and a Greek-American employee at the United States Embassy in Athens.

More recently, Chinese state-backed hackers Salt Typhoon targeted LI systems at U.S. telecommunications providers. It doesn't appear that they have been as successful as the hackers in the Athens example, per this Washington Post article:

Hackers have acquired access to the system that logs U.S. law enforcement requests for criminal wiretaps, allowing the Chinese to know who is of interest to authorities. There is no evidence so far that hackers have compromised the collection system itself through which law enforcement listens in on wiretapped calls, said U.S. officials, speaking on the condition of anonymity because of the matter's sensitivity.

Regardless of Salt Typhoon's success or lack thereof, the point here is that LI systems are a great place for foreign intelligence services to be. Even simply knowing who is being targeted is valuable. For the Chinese government, for example, knowing which of their potential spies is being surveilled would be tremendously useful.

Telecommunications equipment from any vendor is potentially hackable. But equipment from Chinese vendors is also subject to an entirely different type of risk, the risk that the Chinese government itself could compel a vendor to assist in its intelligence efforts. Article 7 of China's National Intelligence Law states that "[a]ll organizations and citizens shall support, assist, and cooperate with national intelligence efforts in accordance with law, and shall protect national intelligence work secrets they are aware of."

That law is part of the reason EU member states have restricted what the European Commission has called "high-risk suppliers," such as Huawei and ZTE, from their 5G networks. The justification for this restraint is that 5G infrastructure is critical and underpins other sectors such as energy, transport, and finance. This importance means that countries shouldn't take unnecessary risks.

Huawei's involvement in Spain's LI system long precedes growing concerns about the Chinese government's coercive powers and its intelligence law, which was passed in 2017. We get it, it can be tough to finally walk away from a decades-old relationship, even if the red flags and toxic traits are glaringly obvious to anyone on the outside. But it is past time to decide who gets the dog.

Arrests a Pause for Scattered Spider

Recent arrests of people linked to the Scattered Spider group are good news … with a caveat. While we expect some respite from the group's havoc, it will only be short term.

Late last week, the U.K.'s National Crime Agency announced the arrests of four individuals over attacks on U.K. retailers Marks & Spencer, Co-op, and Harrods. These incidents have been linked to Scattered Spider, a community of teenagers and young adults believed to be responsible for a string of high-profile, high-impact hacks.

Coincidentally, the arrests occurred the same day we wrote that just four key individuals were driving the activities of the group.

We think it very unlikely that all four of these key players live in the U.K., but Krebs on Security has learned the identity of two of the suspects and both have been involved in multiple high-impact hacks.

Nineteen-year-old Thalha Jubair is a founding member of a SIM swap Telegram channel called Star Fraud Chat. He’s also the founder of a criminal service that sold fraudulent emergency data requests (EDRs).

EDRs are used by police to get specific subscriber information from service providers without needing a warrant or subpoena, due to an imminent risk of harm or death. The criminal service that Jubair allegedly created used compromised email accounts from police or government agencies to send bogus EDRs. The information obtained from fraudulent EDRs is typically used for stalking, doxxing, and harassment or in social engineering efforts to obtain account access.

There is a theme here. The SIM swap and EDR services to which Jubair is linked take advantage of weak points in identity verification. His involvement in the founding of these two services suggests Jubair had a flair for identifying those weak points within systems.

Sources told Krebs that Jubair was also a core member of Lapsus$, a predecessor group that Scattered Spider evolved from. He had also been the administrator of the toxic online doxxing community Doxbin.

It's the kind of criminal résumé that would see Jubair at least shortlisted for one of those key player roles.

The other suspect identified by Krebs, Owen David Flowers, is alleged to have been involved in the Scattered Spider ransomware incident that shut down MGM Casino properties in September 2023. Other online identities Flowers is alleged to have used are also associated with Lapsus$.

The online communities that foster this behavior are pipelines that develop criminal talent from a young age. Flowers and Jubair developed their tradecraft over years. Krebs's investigations suggest the pair, both 19 now, have been involved in serious online crime at least since they were 15.

We are sure these online communities are currently upskilling young spiderlings, so while we're optimistic that last week's arrests will slow the group down, we're realistic that the respite won’t last.

After all, we’ve seen it before. In previous years, there have been quite a few arrests associated with Lapsus$ and Scattered Spider. The hacks slow down in the short term, but they don't go away for good. Key talent is arrested or retires, and new talent appears.

The good news: Companies now have a few months to improve their security!

Three Reasons to Be Cheerful This Week:

  1. Volt Typhoon a bust: Chinese government efforts to hack U.S. critical infrastructure for sabotage in the event of a military conflict have been a failure, according to FBI and NSA officials.
  2. Big Sleep to the rescue: Google announced that an AI agent it calls Big Sleep discovered an SQLite vulnerability after it was somehow tipped off by intel from Google Threat Intelligence. The post says, "Through the combination of threat intelligence and Big Sleep, Google was able to actually predict that a vulnerability was imminently going to be used and we were able to cut it off beforehand." We'd love to know the details behind this.
  3. U.K. announces Vulnerability Research Initiative: The U.K.'s National Cyber Security Centre has announced that it wants to "work with external experts to strengthen the U.K.'s ability to carry out vulnerability research." It can't do it all in-house, so it is a good move.

Shorts

FBI in Cyber Knife Fight

The Record has an interesting report on how the FBI engaged in what assistant director for cyber Brett Leatherman called "true cyberwarfare."

Leatherman said that after the FBI tried to take down a botnet used by Chinese state-backed group Flax Typhoon, the Chinese cyber espionage company Integrity Technology Group hit back with a distributed denial-of-service attack.

The two groups struggled for control until the FBI published a splash page announcing their presence, at which point the Flax Typhoon actors "burned down their own infrastructure," Leatherman said.

Offensive Cyber Operations Get Big $$$

President Trump's “big, beautiful bill” allocates $1 billion for offensive cyber operations. That's a lot of bytes. TechCrunch has further coverage.

Risky Biz Talks

In our latest "Between Two Nerds" discussion, Tom Uren and The Grugq examine whether U.S. cyber operations are too stealthy. Could they get more bang for the buck if they adopted a devil-may-care attitude to getting busted?

From Risky Bulletin:

Microsoft blocks filesystem redirection attacks in new security feature: Microsoft has added a new security feature to Windows 11 that will mitigate an entire class of filesystem redirection attacks.

The new RedirectionGuard feature is currently under testing in Windows 11 Insider builds.

It works by blocking a type of filesystem redirection known as a junction, or soft link. A junction lets a user link one folder to another, so that when users or processes access the linked folder they are automatically redirected to the target directory somewhere else on the same system.
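An added illustration of the attack class RedirectionGuard targets, not code from Microsoft or the original post: a privileged-style write that trusts a path under a user-controlled directory is silently redirected by a link planted there, while the guarded version inspects every path component and opens the final file with O_NOFOLLOW. POSIX symlinks stand in for Windows junctions so it runs on Linux, and every path is constructed inside a temporary directory.

```python
import os
import stat
import tempfile

def _reject_links(root: str, rel: str) -> str:
    """Walk rel below root and refuse any component that is a link (the junction stand-in)."""
    cur = root
    for part in rel.split("/"):
        if part in ("", ".", ".."):
            raise ValueError(f"illegal path component: {part!r}")
        cur = os.path.join(cur, part)
        try:
            st = os.lstat(cur)  # lstat inspects the entry itself and does not follow it
        except FileNotFoundError:
            continue  # not created yet, so it cannot redirect us
        if stat.S_ISLNK(st.st_mode):
            raise PermissionError(f"refusing to follow link at {cur}")
    return cur

def naive_write(root: str, rel: str, data: str) -> str:
    """Write that trusts the path: any link along the way is followed."""
    path = os.path.join(root, rel)
    with open(path, "w") as f:
        f.write(data)
    return os.path.realpath(path)  # where the bytes really landed

def guarded_write(root: str, rel: str, data: str) -> str:
    """Checked write; O_NOFOLLOW also refuses a link swapped in after the check."""
    path = _reject_links(root, rel)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return os.path.realpath(path)

def demo() -> tuple:
    base = tempfile.mkdtemp()
    user_dir = os.path.join(base, "user")         # directory a low-privileged user controls
    victim = os.path.join(base, "protected.txt")  # file outside that directory
    os.mkdir(user_dir)
    open(victim, "w").close()
    os.symlink(victim, os.path.join(user_dir, "report.txt"))  # file-level redirection
    os.symlink(base, os.path.join(user_dir, "sub"))           # directory-level redirection
    escaped = naive_write(user_dir, "report.txt", "x") == os.path.realpath(victim)
    blocked = 0
    for rel in ("report.txt", "sub/protected.txt"):
        try:
            guarded_write(user_dir, rel, "x")
        except PermissionError:
            blocked += 1
    plain_ok = guarded_write(user_dir, "plain.txt", "x").startswith(os.path.realpath(user_dir))
    return escaped, blocked, plain_ok
```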

[Read more on Risky Bulletin]

Major EoT/HoT vulnerability can bring trains to sudden stops: More than 12 years after the issue was first reported, the Association of American Railroads is replacing an insecure railroad protocol that can be abused to engage brakes and bring trains to sudden stops anywhere across North America.

The issue impacts a radio protocol that links locomotives (head-of-train) to devices mounted on the last wagon, a flashing red light known in the industry as an end-of-train device or a FRED (flashing red end device).

Back in 2012, a hardware security researcher named Neil Smith discovered that the radio protocol used to send commands from locomotives to end-of-train devices used a weak form of authentication—a simple BCH checksum.

Smith says that an attacker with hardware as cheap as $500 and a software-defined radio (SDR) could create packets and issue commands to the end-of-train device to suddenly engage the brakes.
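An added example, not from the original report or Smith's research, of why an error-detecting code is not authentication: the toy frame layout, the CRC-16 standing in for the BCH code, the command code and the key below are all constructed. A receiver that only checks the checksum accepts a frame from any sender, while a receiver that demands a keyed HMAC tag and a strictly increasing sequence number rejects both unkeyed frames and replays of genuine ones.

```python
import hashlib
import hmac
import struct

def crc16(data: bytes) -> int:
    """CRC-16/CCITT, a stand-in for the BCH code: both detect noise, neither needs a secret."""
    crc = 0xFFFF
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

# Constructed toy frame: 1-byte command, 4-byte sequence number, then an integrity field.
def frame_checksum(cmd: int, seq: int) -> bytes:
    body = struct.pack(">BI", cmd, seq)
    return body + struct.pack(">H", crc16(body))

def accept_checksum(frame: bytes) -> bool:
    """Receiver that only verifies the checksum: any sender can satisfy it."""
    body, tag = frame[:-2], frame[-2:]
    return struct.pack(">H", crc16(body)) == tag

def frame_mac(key: bytes, cmd: int, seq: int) -> bytes:
    body = struct.pack(">BI", cmd, seq)
    # 64-bit truncated HMAC-SHA256: a size trade-off for a narrow radio link, still infeasible to guess
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]

class MacReceiver:
    """Receiver that requires a keyed tag and a strictly increasing sequence number."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1
    def accept(self, frame: bytes) -> bool:
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, tag):
            return False  # wrong key or altered body
        _cmd, seq = struct.unpack(">BI", body)
        if seq <= self.last_seq:
            return False  # replay of a genuine earlier frame
        self.last_seq = seq
        return True

def demo() -> tuple:
    key = b"constructed-demo-key"  # shared between locomotive and end-of-train unit
    unkeyed_ok = accept_checksum(frame_checksum(0x02, 7))  # built without any secret
    rx = MacReceiver(key)
    genuine = frame_mac(key, 0x02, 7)
    return unkeyed_ok, rx.accept(frame_mac(b"no-key", 0x02, 7)), rx.accept(genuine), rx.accept(genuine)
```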

[Read more on Risky Bulletin]

Two billion eSIMs receive a crucial security patch: Security updates are being shipped out to mobile operators across the world to fix vulnerabilities in more than 2 billion eSIMs.

The vulnerabilities impact Kigen eUICC (embedded universal integrated circuit card), a software package provided to mobile network operators to support eSIM technology.

eSIMs allow mobile operators to ship a software-based SIM to a device. The technology is used mainly for issuing temporary SIMs to travelers and to add mobile connectivity to Internet of Things devices that can't fit a SIM card slot.

The team at AG Security Research, publicly known as Security Explorations, has discovered that some mobile operators ship a "test profile" for Kigen eUICC software that uses a default secret key to safeguard eSIM data.

[Read more on Risky Bulletin]


Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre where he contributed to various projects including on offensive cyber capabilities, information operations, the Huawei debate in Australia and end-to-end encryption.