
U.S. Data Dumpster Fire Singes NSA + The Evolution of Election Disinformation

Tom Uren
Friday, February 2, 2024, 10:09 AM
The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.
A beautiful American dumpster fire, Stable Diffusion

Published by The Lawfare Institute in Cooperation With Brookings

Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on Substack.

U.S. Data Dumpster Fire Singes NSA

The National Security Agency (NSA) has been embroiled in a U.S. senator’s campaign against intelligence agencies’ purchase and use of data obtained illegally by data brokers.

Sen. Ron Wyden, a member of the U.S. Senate Select Committee on Intelligence, is pushing to stop U.S. intelligence agencies from buying Americans’ personal data obtained illegally by data brokers.

Wyden announced the push in a recent press release in which he announced the release of letters saying the NSA was buying “internet records” that could reveal what websites Americans visited and the apps they used.

Wyden’s announcement then segues into a call for the Biden administration to stop agencies from buying personal data obtained illegally by brokers. Recent Federal Trade Commission (FTC) actions indicate that data brokers are sometimes not obtaining informed consent from people whose data they capture, implying that their products are illegal.

Gen. Paul Nakasone, director of the NSA, explained the NSA’s data purchase regime in a letter to Wyden, linked to from the senator’s press release.

In our view, the NSA’s regime is defensible, and Wyden would be better off focusing on other targets.

Nakasone admits that the NSA buys what he referred to as CAI, or commercially available information. However, he details the steps that the NSA takes to make sure that the CAI it buys is valuable to its intelligence and/or cybersecurity missions, that it is lawfully acquired, that information about U.S. persons is minimized, and that purchase of CAI is reassessed regularly for value rather than purchased on autopilot.

The NSA is also buying data that is filtered to focus on malicious activity, rather than providing a full picture of Americans’ movements and actions. That data is aggregated from network operators and internet service providers, rather than collected directly from individuals under potentially misleading terms and conditions.

Nakasone was at pains to make it clear that the NSA did not purchase the types of location data that have been the subject of the recent FTC actions. He wrote:

NSA does not buy and use location data collected from phones known to be used in the United States either with or without a court order. Similarly, NSA does not buy and use location data collected from automobile telematics systems from vehicles known to be located in the United States.

This is good news, because the sale of people’s location data is an extremely concerning practice. Geolocation data brokers claim their data is anonymous, but they typically use device identifiers that are stable over time. This means that devices can be correlated to individuals by looking at travel patterns, such as journeys between home and work addresses, for example.

Once a link between a device and a person is established, this identifier can then be used to unravel a person’s location history, including sites they might consider sensitive. We’ve previously covered the use of this type of data to harass a person, and government purchases of this kind of data are problematic.

The NSA does, Nakasone explains, “buy and use commercially available netflow (i.e. non-content) data related to wholly domestic internet communications and internet communications where one side of the communication is a U.S. Internet Protocol address and the other is located abroad.”

Netflow is comprehensive summary data that captures how traffic flows across the internet and can hint at the type of data being sent.

We have previously covered the steps commercial vendors of netflow take to mitigate privacy risks. Unlike “protections” applied by geolocation data brokers, these are meaningful mitigations. For example, the data involved isn’t comprehensive but is instead filtered when it is ingested for flows that are known or suspected to be malicious.

Netflow records have legitimate cybersecurity uses too:

If the aggregated data covers a particular cybersecurity incident, researchers can drill down to see what traffic was occurring at a particular point in time. Joe Slowik, Principal Security Engineer at Gigamon [Ed: now at Mitre], says netflow “can be exceptionally valuable in monitoring [command and control] C2 channels to go from victim-facing C2 nodes to actual adversary infrastructure. It can also serve as ground-truth data for exfiltration activity.”
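The drill-down Slowik describes, as an added example that is not part of the newsletter or any vendor's tooling: constructed netflow-style records are filtered to an incident window, then pivoted from a known victim-facing C2 node to the victims that beaconed to it, the upstream hosts it forwarded to, and any victim flow large enough to look like exfiltration. The record layout, addresses and the 10 MB exfiltration threshold are assumptions made up for the example.

```python
from datetime import datetime

# Constructed netflow-style records (not real data): (start time, src, dst, dst port, bytes out, bytes in)
FLOWS = [
    ("2024-01-20T10:00:05", "10.0.0.7",    "203.0.113.5",   443,  1_200,      800),     # victim beacon
    ("2024-01-20T10:00:09", "203.0.113.5", "198.51.100.9",  8443, 900,        300),     # C2 node to upstream host
    ("2024-01-20T10:01:10", "10.0.0.12",   "203.0.113.5",   443,  52_000_000, 1_000),   # bulk upload from a victim
    ("2024-01-20T10:01:30", "203.0.113.5", "198.51.100.9",  8443, 51_500_000, 400),     # relayed upstream
    ("2024-01-20T10:02:00", "10.0.0.3",    "93.184.216.34", 443,  2_000,      90_000),  # unrelated browsing
    ("2024-01-20T11:30:00", "10.0.0.7",    "203.0.113.5",   443,  1_100,      700),     # outside the window
]

def parse(rec):
    """Turn one tuple into a dict with a real timestamp so flows can be compared in time."""
    ts, src, dst, port, out, inn = rec
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "port": port, "out": out, "in": inn}

def pivot_c2(flows, c2_node, start, end, exfil_bytes=10_000_000):
    """Drill into one incident window: who talked to the victim-facing C2 node, which upstream
    hosts that node talked to (candidate adversary infrastructure), and which victim flows
    pushed enough data outbound to look like exfiltration. start/end are ISO-8601 strings."""
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    window = [f for f in map(parse, flows) if t0 <= f["ts"] <= t1]
    victims = sorted({f["src"] for f in window if f["dst"] == c2_node})
    upstream = sorted({f["dst"] for f in window if f["src"] == c2_node})
    exfil = [(f["src"], f["out"]) for f in window if f["dst"] == c2_node and f["out"] >= exfil_bytes]
    return {"victims": victims, "upstream": upstream, "exfil_candidates": exfil}

if __name__ == "__main__":
    print(pivot_c2(FLOWS, "203.0.113.5", "2024-01-20T10:00:00", "2024-01-20T10:05:00"))
```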

We would be surprised if some U.S. government agencies had not purchased and used data obtained illegally by data brokers. But we don’t believe the NSA’s use of netflow falls into this category.

Microsoft’s Dark Winter Gets Colder

Microsoft’s Midnight Blizzard breach just keeps getting worse. The compromise, which we wrote about last week, took advantage of a string of security failures from Microsoft, but at the time, the attack appeared to be restricted to Microsoft itself.

The company’s Jan. 19 post announcing the incident said the Russian hackers had “access[ed] a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions.”

However, on Jan. 25, a follow-up announcement said that the vendor had since learned that “the same actor has been targeting other organizations and, as part of our usual notification processes, we have begun notifying these targeted organizations.”

In the same announcement, Microsoft also provided more information about the techniques used in the attack. This included more detail about initial access using a password spray (attempting to access a large number of accounts with a small number of popular passwords), creating a highly privileged OAuth application, and the use of residential proxies to obfuscate connections to command and control servers.
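The spray signature described above, few attempts per account across many accounts, is easy to spot in sign-in logs; the residential proxies mentioned in the same announcement matter because they spread one spray over many source addresses, so a per-source rule alone misses it. This added example (not code from Microsoft's report) runs both a per-source and a tenant-wide check over constructed log lines; the line format, addresses, usernames and thresholds are assumptions made up for the example.

```python
import re
from collections import defaultdict

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sign-in log lines. SINGLE_SOURCE: one address tries six accounts once each,
# plus a real user mistyping a password. DISTRIBUTED: the same spray over six proxy addresses.
SINGLE_SOURCE = [
    "2024-01-10T03:00:01 src=198.51.100.20 user=alice result=FAIL",
    "2024-01-10T03:00:02 src=198.51.100.20 user=bob result=FAIL",
    "2024-01-10T03:00:03 src=198.51.100.20 user=carol result=FAIL",
    "2024-01-10T03:00:04 src=198.51.100.20 user=dave result=FAIL",
    "2024-01-10T03:00:05 src=198.51.100.20 user=erin result=FAIL",
    "2024-01-10T03:00:06 src=198.51.100.20 user=frank result=FAIL",
    "2024-01-10T03:05:00 src=10.0.0.5 user=alice result=FAIL",
    "2024-01-10T03:05:10 src=10.0.0.5 user=alice result=FAIL",
    "2024-01-10T03:05:20 src=10.0.0.5 user=alice result=OK",
]
DISTRIBUTED = [f"2024-01-10T03:00:0{i} src=203.0.113.{i} user={u} result=FAIL"
               for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"], 1)]

def parse_lines(lines):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, (l.strip() for l in lines)) if m]

def detect_spray(lines, min_users=5, max_per_user=2, low_ratio=0.8):
    """Spray signature: many distinct accounts, few failures each. Checked per source address
    and then tenant-wide, because proxies can spread one spray across many addresses."""
    by_src = defaultdict(lambda: defaultdict(int))  # src -> user -> failed attempts
    for e in parse_lines(lines):
        if e["result"] == "FAIL":
            by_src[e["src"]][e["user"]] += 1
    sources = sorted(src for src, users in by_src.items()
                     if len(users) >= min_users and max(users.values()) <= max_per_user)
    tenant = defaultdict(int)  # user -> failed attempts from any source
    for users in by_src.values():
        for user, n in users.items():
            tenant[user] += n
    low = sum(1 for n in tenant.values() if n <= max_per_user)
    tenant_wide = len(tenant) >= min_users and low / len(tenant) >= low_ratio
    return {"sources": sources, "tenant_wide": tenant_wide}
```

The ratio test in the tenant-wide check keeps a handful of legitimate users who fail several times from masking a spray that is otherwise one failure per account.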

There is some careful wording here. The post doesn’t necessarily imply Midnight Blizzard had been successful in attacking other organizations, or that it was able to take advantage of the same Microsoft SNAFU in these other attacks. However, on the Jan. 31 Risky Business podcast, Patrick Gray said that multiple sources were saying that the “number of victims of this particular set of TTP was in the triple digits.” (Other journalists are hearing the same thing.)

One organization has already fessed up to being impacted by the same actor. Last week, Hewlett Packard Enterprise (HPE) filed its own SEC disclosure statement saying Midnight Blizzard had popped its cloud-based email environment (Microsoft Office 365) beginning around May last year.

In its latest post on the incident, Microsoft says these were all mistakes of the past and that its security has improved since then:

If the same team were to deploy the legacy tenant today [Ed: a legacy tenant was patient zero in this attack], mandatory Microsoft policy and workflows would ensure MFA and our active protections are enabled to comply with current policies and guidance, resulting in better protection against these sorts of attacks.

That’s so good! It’s only all of Microsoft’s previous customers that have to worry. What a relief!

Election Disinformation Continues to Evolve

A report from the Australian Strategic Policy Institute, released shortly after the Taiwan election, provides a first glimpse at the People’s Republic of China’s (PRC’s) evolving cyber-enabled interference tactics.

This newsletter’s last edition of 2023 examined election interference and pointed to the Taiwanese election as one to watch. The PRC has a strong preference for the opposition Kuomintang Party, which favors closer ties with the mainland, as compared to the incumbent pro-independence Democratic Progressive Party (DPP). It also feels free to engage in various types of election interference.

Prior to the election, for example, the PRC had used “friendship tours” to cultivate Taiwanese politicians, used economic coercion, and even threatened military action. Cyber-enabled interference is just one arrow in the quiver.

The election was held on Jan. 13 and was a win for the incumbent DPP. The report was released just five days later and—beyond now-standard spammy inauthentic social networks—shows increasing use of both artificial intelligence (AI) technologies and “leaking” of falsified information.

The report notes that generative AI technologies were used to create avatars and also content, including what appears to be a virtual presenter or “speaking portrait” the report says was created by U.S.-based company D-ID.

There are also attempts to lend authenticity to what look to be forged documents by distributing them as “leaks” on sites such as BreachForums. The report documents that an alleged leak of Taiwanese government documents and a fake DNA test that purported to show the Taiwanese vice president had an illegitimate child were posted to BreachForums. These posts were then amplified by inauthentic-looking accounts on X, Facebook, YouTube, and other online forums.

This contrasts with the 2016 U.S. presidential election. In that election, Russian operatives stole genuine emails from various parts of the Democratic Party, and the impact of subsequent leaks of this material was amplified by the reporting of mainstream media.

In this Taiwanese election, the leaks weren’t genuine and the mainstream media didn’t amplify them. Perhaps, to some degree, Taiwanese society is even inoculated against this kind of interference. The government has raised awareness of the problem, and there are many civil society organizations that counter disinformation.

So, despite the PRC’s evolving efforts, the report assesses that these efforts had “minimal impact on the integrity of election results.”

Three Reasons to Be Cheerful This Week:

  1. Prolific swatter arrested: U.S. law enforcement officers have reportedly arrested the country’s most prolific swatter, a 17-year-old from California known as “Torswats.”
  2. Scattered Spider arrest: Krebs on Security reports that a Florida man arrested for SIM-swapping and related crimes, Noah Michael Urban, is a key suspect in the string of Scattered Spider aka Oktapus hacks. These incidents affected a swathe of high-profile U.S. technology companies during 2022.
  3. U.S. disables Chinese hacking infrastructure: The U.S. has launched an operation to disable a botnet used by Chinese espionage groups, according to Reuters. Per Reuters, the government “sought and received legal authorization to remotely disable aspects of the Chinese hacking campaign.” We wonder if this is a lot of disabling, or just a little? Just a few weeks ago we wrote about the “KV botnet,” a botnet made up mostly of end-of-life devices and used by PRC cyber actors, including Volt Typhoon, a group that is worrying because of its apparent intentions to disrupt critical infrastructure in the event of military conflict.

Shorts

SolarWinds Hits Back Against the SEC

SolarWinds has filed a motion to dismiss the Securities and Exchange Commission’s (SEC’s) complaint against the company and its chief information security officer, Tim Brown.

SolarWinds and some of its customers were compromised in a 2020 supply chain breach by Russian state-backed hackers.

The crux of the SEC’s case is that SolarWinds and Brown defrauded investors by “overstating SolarWinds’s cybersecurity practices and understating or failing to disclose known risks.” In its dismissal motion, SolarWinds argues it made “repeated warnings” about its vulnerability to “the pervasive risk of cybersecurity attacks.” And it also says that it promptly disclosed the attack after it discovered it had been compromised.

We have some sympathy for SolarWinds’s position here and sincerely doubt that investors care all that much about cybersecurity risk. It can cause serious disruption, but most of the time these ructions are short term and don’t seem to much affect the long-term value of a company.

However, part of the SEC’s argument was that SolarWinds’s disclosures were “boilerplate” and only contained “generic and hypothetical risks that most companies face.” So, although SolarWinds repeatedly warned of cybersecurity risks, those warnings were effectively meaningless.

Companies may as well just say, “We are a modern company, cybersecurity in general is difficult, and we could get massively pwned and rekt at any time,” and be just as accurate. That can’t be right either.

More on Ermakov

Krebs on Security wraps up what is known about Aleksandr Ermakov, the alleged Russian cyber criminal who was sanctioned by the Australian, U.S., and U.K. governments last week.

NSO Still Not Dead

NSO Group appears to be trying to rehabilitate its image and has issued a new transparency report. Wired wraps up the firm’s various lobbying efforts, including providing help to Israeli security services in the Israel-Hamas war.

Risky Biz Talks

In the latest “Between Two Nerds” discussion, Tom Uren and The Grugq talk about how the war in Ukraine is showing how useful mobile devices are on the battlefield. Using them is risky, but those risks need to be managed. This episode refers to this report on location tracking of phones on the battlefield.

From Risky Biz News:

GUR hack in Russia: One of Ukraine’s military intelligence agencies says it hacked and wiped servers at IPL Consulting, a Russian company that provides information technology services for Russia’s industrial sector. Officials from Ukraine’s Main Intelligence Directorate (GUR) say they wiped more than 60 terabytes of data from dozens of servers and databases. GUR officials say they also worked with a group of “unknown cyber volunteers in Russia” to cripple the infrastructure of Akado-Telecom, an internet service provider used by the Putin administration, the FSB (Federal Security Service), the FSO (Federal Protective Service), the Moscow local administration, and Sberbank.

DOJ and FTC tell companies to stop deleting chats: Federal investigators are warning companies not to delete chats and to preserve conversations that have taken place via business collaboration and ephemeral messaging platforms.

In press releases on Friday, the U.S. Department of Justice and the U.S. Federal Trade Commission announced that they updated the language in their preservation letters and specifications—documents they send to companies under federal investigations.

The new language updates evidence preservation procedures to cover modern tech stacks such as Slack, Microsoft Teams, and Signal.

[more on Risky Business News, including reports of Amazon and Google executives using auto-deleting messages when faced with antitrust lawsuits]

Brazil spyware scandal: Brazilian authorities have started an investigation against the country’s former intelligence chief for organizing a mass surveillance campaign against the political rivals of former president Jair Bolsonaro. Brazilian Federal Police say they raided several homes owned by Alexandre Ramagem, the former head of ABIN, the country’s intelligence agency. Officials say Ramagem created a “parallel structure” inside ABIN that targeted state governors, lawmakers, judges, and journalists. The ABIN unit allegedly used a spying tool named FirstMile, developed by Israeli company Cognyte. [additional coverage in El Pais]

Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre where he contributed to various projects including on offensive cyber capabilities, information operations, the Huawei debate in Australia and end-to-end encryption.
