The Cyber Regime Change Pipe Dream
Published by The Lawfare Institute
in Cooperation With
Disruptive U.S. cyber operations against Venezuela during President Trump's first term achieved their operational goals, according to new reporting from CNN. But they failed to meet the president's broader goal of ousting Venezuelan leader Nicolás Maduro.
Sources told CNN that during Trump's first term a CIA operation to disable the computer network of Maduro's intelligence service was perfectly successful. A separate Cyber Command operation interrupted the satellite communications of Wagner Group mercenaries who were sent to Venezuela to protect Maduro.
This adds to previous reporting from Wired late last year that revealed the CIA had temporarily disrupted the Venezuelan military's payroll system in the same campaign.
It's not surprising that these operations achieved their specific objectives. When it comes to cyber power, the United States is an orca and Venezuela is a sardine.
What seems to have been missing, though, was a realistic "theory of victory" spelling out how a disruptive cyber campaign would actually contribute to toppling Maduro's regime. Per CNN:
The hope was that aggressive covert action could cause enough discomfort and create sufficient disturbances that the military, which has played a critical role in keeping Maduro in power, would be convinced to switch sides and support the opposition, said the former White House official.
Of course, as the official continued, "hope is not a plan."
The most effective of the operations did appear to be the military pay disruption. A former national security official told Wired, "There was a fair amount of grumbling about not getting paid."
"Armies march on their stomach," the official said.
It's worth putting that disruption in context, though. Another former official said Venezuela was a humanitarian disaster at that time and that "the average person has lost 25 pounds [and] they have no food, they have no electricity, they have no jobs, they have no medicine."
Given that Maduro's domestic opposition wasn't organized enough to take advantage of that disastrous situation, it feels outrageously optimistic to have expected a short-term payroll hiccup to make much difference.
In the short term, these operations satisfied President Trump's desire to "do something" to Maduro without running the risk of getting the U.S. involved in yet another boots-on-the-ground quagmire. Cyber operations are a low-risk, nonkinetic option.
We're not experts in Venezuelan politics, but if the fundamental problem is "I don't like a country's leadership," cyber operations are unlikely to be a complete solution. We can't think of a single hack or cyber campaign that would undo the U.S. presidency, for example.
It appears that Trump spent his four years of downtime internalizing this lesson. This time around, the "do something" about Maduro involves an aircraft carrier and military strikes.
USA's Leaky Adtech Is Everyone's Problem
Out-of-control adtech isn't just a problem for American national security interests, it's a risk to any country enmeshed in the U.S. digital advertising ecosystem.
We've written many times about how the unconstrained collection, collation, and sale of geolocation data in particular is a national security risk for the United States. In one striking example, a Catholic substack publication identified a priest as a Grindr user through notionally anonymized app data supplied to it by a third party. In another example, researchers used smartphone data to track Securities and Exchange Commission personnel as they traveled around the country.
It doesn't take much imagination to see how these relatively unsophisticated techniques could be used to identify and track U.S. national security personnel. But a new report from a group of European investigative journalists lays bare that this is a global risk, not one confined to the free-market yahoos in North America.
The journalists behind the report, Databroker Files, were able to amass 13 billion location records "from almost every EU country, the United States, and many other parts of the world." They got this all for free, by posing as potential purchasers to data brokers.
The records covered high-profile locations including European Commission and NATO headquarters in Brussels. Every record was linked to a unique device identifier, making it trivial to build a pattern of daily life for an individual.
Within Brussels alone, the journalists were able to identify the home addresses of three senior EU employees, an EU member state diplomat, and employees of the European Parliament and the EU's diplomatic service, the European External Action Service.
Reporters involved in the Databroker Files looked at data from the Netherlands, Norway, Switzerland, and Ireland and found similarly alarming results. The Swiss report contains a striking dots-on-a-map visualization of an individual who was tracked throughout a typical day, from grocery shopping, to a fitness center and work. The investigators were even able to identify when she went on holiday to Italy.
All of this was possible despite the EU's General Data Protection Regulation (GDPR), which is widely regarded as the model data privacy framework and has been emulated by other jurisdictions.
The report is intended as a wake-up call, but it is not surprising that this kind of analysis can be done. A 2022 Irish Council for Civil Liberties report into real-time bidding (RTB), one of the key mechanisms of internet advertising, found that Americans had their "online activity and location exposed 747 times every day" by RTB. Europeans fared better with 376 times per day. But they clearly weren't beyond advertising's dragnet.
For readers outside the U.S., the take-home message is that you do have a problem with the collection and sale of mobile geolocation data. You just don't have comprehensive reporting about it yet.
The Unusual Suspects
Organized crime groups are collaborating with cybercriminals to facilitate the real-world theft of cargo from logistics companies, according to a new report from Proofpoint.
The cyber portion of the crime involves compromising trucking and logistics companies by installing and abusing legitimate remote monitoring and management (RMM) tools. The threat actors then hijack the companies' accounts on transport booking marketplaces and place bids for real loads. Proofpoint believes this process is used to identify and facilitate the theft of cargo loads that are likely to be profitable.
In U.S. Senate testimony, Donna Lemm, on behalf of the American Trucking Associations, said that "identity theft and advanced cyber tactics" are often used to facilitate what she called "strategic theft."
One form of strategic theft that is often cyber-enabled is "double brokering fraud." This can involve tricking unwitting carriers to transport the freight to a fraudulent address, where the criminal can take custody of the cargo. Lemm said criminals conducting this fraud are often outside the U.S. and never physically touch the freight.
Cargo theft is big business, with an estimated $35 billion in annual losses. Of course, there are plenty of traditional ways to get the job done, but Proofpoint has observed that logistics entities are increasingly being targeted. It has identified almost two dozen campaigns since August. In July, Proofpoint also reported on a different campaign focused on high-value electronics.
In her testimony, Lemm described an explosion of strategic theft and the rise of what she called organized theft groups (OTGs). Per her written testimony:
Some OTGs are so vast and sophisticated that they have established their own call centers to manage their illegal supply chains. In many cases, these groups also operate seemingly legitimate warehouses and online marketplaces to store and sell stolen goods. In these scenarios, stolen goods are often exported out of the United States, repackaged, and then sold, sometimes for more than market value.
Considering the scale of this enterprise, it's no surprise that these groups can afford to employ a few hacker nerd types to grease the wheels of their criminal enterprise. While we may be eternal cybersecurity optimists, we expect cyber-enabled real-world crime to continue growing.
Three Reasons to Be Cheerful This Week:
- Edge's scareware blocker works: Microsoft's Edge browser now blocks scareware, the scam pages that try to frighten victims into buying unwanted software. The blocker is enabled by default on most Windows and Mac devices and uses a local computer vision model to spot the scams, so detection does not depend on a page already being on a blocklist. Microsoft says it protects users "from fresh scams hours or even days before they appear on global blocklists."
- Conti ransomware affiliate extradited: A Ukrainian national has been extradited to the U.S. from Ireland and charged with what the Department of Justice describes as "numerous" ransomware attacks. Oleksii Lytvynenko was allegedly still involved in cybercrime up until his arrest by Irish police, even after Conti had folded.
- On-premises Microsoft Exchange best practices: The Cybersecurity and Infrastructure Security Agency (CISA) and global partners have published a Microsoft Exchange security guide targeted at on-premises Exchange servers. It's a case of better late than never, but it is good to see that CISA has been able to produce anything amid the federal government shutdown.
Shorts
FCC's Carr: U.S. Telco Security Is Fixed Now
The Federal Communications Commission will vote to eliminate a Biden-era ruling that telecommunications providers have an obligation to secure their networks.
That ruling, which was handed down in January, required that telcos "create, update and implement cybersecurity risk management plans." It was driven by the discovery of Salt Typhoon, a Chinese state-backed group that has been hacking telcos in the U.S. and globally. As recently as August, the FBI warned about the group's outrageous success.
FCC Chairman Brendan Carr referred to the vote to eliminate the ruling in a "Halloween Treats" blog post. He wrote that the ruling could be undone, in part, because "following extensive FCC engagement," U.S. telcos had taken "substantial steps" to improve their cybersecurity.
That's wonderful news! It is great to hear that telco security has improved so rapidly that the FCC is able to step back and wash its hands. Is there anything this administration can't do?!
Risky Biz Talks
In our latest "Between Two Nerds" discussion, Tom Uren and The Grugq discuss the futility of using aggressive cyber operations to send messages between states.
From Risky Bulletin:
U.S. indicts two rogue cybersecurity employees for ransomware attacks: The Department of Justice has charged employees at two cybersecurity firms with hacking U.S. companies and deploying ransomware.
According to court documents, charges have been levied against Kevin Tyler Martin, a former ransomware negotiator at DigitalMint, and Ryan Clifford Goldberg, a former incident response manager at cybersecurity company Sygnia.
The two worked with a third suspect to hack into U.S. companies, steal their data, encrypt computers, and then ask for huge ransoms in the realm of millions of U.S. dollars.
Norway skittish about its Chinese electric buses: Oslo's public transportation agency conducted a security audit of its electric buses and, to nobody's surprise, found that its Chinese models could be remotely disabled by their manufacturer.
According to a report from local newspaper Aftenposten, the agency, Ruter, tested two electric bus models inside a Faraday cage so that any remote connectivity could be observed and controlled.
Ruter found that electric buses from Chinese company Yutong could be remotely disabled via remote control capabilities found in the bus software, diagnostics module, and battery and power control systems.
Russia arrests Meduza Stealer group: Russian authorities have arrested three individuals believed to have created and sold the Meduza infostealer.
The suspects were arrested this week in the Moscow metropolitan area, according to Russia's Interior Ministry. A video from the raids is available on the ministry's media portal.
The ministry's spokesperson, Irina Volk, said the malware was used in attacks against at least one government network in the Astrakhan region. If found guilty, the suspects can face prison sentences of up to five years.
This is no surprise since the group appears to have failed to implement a "don't s**t where you eat" policy when they rented access to their infostealer via their Telegram channel.
