Best Infosec-Related Long Reads of the Week, 4/22/23

Encrypted phones boosted busts, Runa Sandvik's rise, Ukraine's blurred cyber lines, Mexico's Pegasus use, Japan's cyber crisis, Gamers' intel threat, Narcissist Teixeira, Healthcare privacy crackdown

Metacurity is pleased to offer our free and paid subscribers this weekly digest of the best long form infosec-related pieces we couldn’t properly fit into our daily crush of news. So tell us what you think, and feel free to share your favorite long reads via email at info@metacurity.com. We’ll gladly credit you with a hat tip. Happy reading!

Crooks’ Mistaken Bet on Encrypted Phones

New Yorker contributing staff writer Ed Caeser walks through how encrypted phones, such as now-disbanded Sky E.C.C. and EncroChat, were coveted by EU criminals, making them a tempting target for law enforcement, who used intelligence from the surveilled phones to make major criminal busts across the continent.

Despite the networks’ shortcomings, they continued to find customers. The police in the Netherlands and in other countries started looking for weaknesses in the Continent’s two most popular networks: EncroChat and Sky E.C.C. In advertisements, EncroChat claimed that it housed its servers in secure locations “offshore.” This wasn’t true: they were in a regular data center in Roubaix, an industrial city in northeastern France. The French National Gendarmerie, having realized that all EncroChat communications appeared to route through Roubaix, investigated. In January, 2019, in the early stages of a joint French-Dutch operation, the Gendarmerie executed a warrant to secretly copy EncroChat’s servers. Analysts then began hunting for a flaw in the system that they could exploit.

They soon found one. According to one expert, the French had copied EncroChat’s development server, where new code is created and tested. Engineers were able to create a piece of malware and then ship it, disguised as an update, onto all EncroChat phones. The operation, which began in April, 2020, worked in two phases. First, it sent the police copies of all texts and images stored on EncroChat phones. (EncroChat normally deleted messages after seven days, but even just a week’s worth of texts provided rich insights about customer identities and behaviors.) In the second phase, which lasted about two months, the police figured out how to read messages in real time. Jannine van den Berg, a chief constable of the Dutch police, told reporters, “It was as if we were sitting at the table where criminals were chatting.” EncroChat was shut down in July, 2020. The investigation has had a particularly seismic effect in Britain, where the network had some ten thousand users. More than twenty-eight hundred arrests have been made in the U.K., and the British court system is still loaded up with EncroChat cases.

The Hacker

Maddy Crowell has this profile in the Columbia Journalism Review of hacker and cybersecurity specialist Runa Sandvik, who has risen to the top of the field from working on a grassroots operation helping anonymize the internet to becoming the New York Times’ head of information security and is now a much sought-out speaker and consultant.

Sandvik arrived in the United States in 2013, in the wake of the Arab Spring. Activists were using the internet in unprecedented ways. They were also being tracked as never before. “I saw how it was harder for people to access social media; governments started looking for ways to block Tor,” she said. In her new job, Sandvik worked with activists and journalists, and started asking herself questions: “Why is it that people in Ethiopia are having a hard time using the Tor sideboard?” “Exactly what is going on in Ethiopia?” “Why isn’t this piece of technology working the way that it should?” “Why is what these people are doing—the activists, the researchers, the journalists—somehow so contentious or problematic in the eyes of the government?” These questions led her into a new alcove of the tech industry: working as a privacy and security researcher for a nonprofit called the Freedom of the Press Foundation.

Sandvik had found her niche. She traveled the world, meeting far-flung members of her cohort at conferences and parties. One day in 2012, she and Michael headed for a vacation to Hawai‘i. Before the trip, Sandvik sent out a tweet advertising Tor swag. She received an email from a guy who introduced himself as Ed. “If shirts are available, black is preferable,” he wrote. Sandvik replied, saying that she’d be happy to supply him Tor attire. Then Ed wrote back, asking if she wanted to cohost a “CryptoParty” while she was in Honolulu—an underground gathering of Evangelists for Digital-Surveillance Wariness. Together, in a designer showroom, they gave presentations to about twenty people on how to encrypt their hard drives and browse the internet anonymously. “Ed” turned out to be Edward Snowden.

Meet the hacker armies on Ukraine's cyber front line

The BBC’s Joe Tidy recounts his travels to Ukraine to meet the cyber warfighters, discovering that conflict in the region has blurred the lines between those working for the military and the unofficial activist hackers.

On both sides, lines between targeted, state-sanctioned cyber-attacks and ad-hoc vigilante hacking have been blurred. The consequences could be far-reaching.

On a visit to Ukraine's cyber defence HQ in Kyiv, officials claim they have evidence that the Russian hacktivist gang, Killnet, which has a Telegram group of nearly 100,000, is working directly with the cyber section of the Russian military.

"These groups, like Killnet or the Cyber Army of Russia, started off carrying out DDoS attacks - but have since recruited more talented and skilled people," says Viktor Zhora, deputy chairman of the State Service of Special Communications.

He alleges the groups have consultants from the Russian military and are now capable of launching sophisticated cyber attacks.

Russian commanders are uniting all of the hacktivist groups and activities into a single source of aggression in cyber-space against Ukraine and its allies, he claims.

The link would be problematic for Russia if proven.

How Mexico Became the Biggest User of the World’s Most Notorious Spy Tool

Natalie Kitroeff and Ronen Bergman of the New York Times offer an in-depth look into how Mexico became ground zero for the spread of NSO Group’s infamous Pegasus spyware, laying out the details of the secret dealings that enabled the country to become the most prolific user of the mobile malware even to this day despite the promises of Mexican president President Andrés Manuel López Obrador.

The military has a history of human rights abuses, and its role in the mass disappearance has been a focus of the investigation for years. As new allegations against the military surfaced in the case last year, the two advocates were targeted by Pegasus repeatedly, according to forensic testing conducted by Citizen Lab, a watchdog group based at the University of Toronto.

The Mexican military is the only entity in the country currently operating Pegasus, the four people familiar with the contracts said.

The Israeli defense ministry declined requests for comment. The Mexican defense ministry would not discuss the recent hack but said it followed the government’s position, which asserts that intelligence gathering is “in no way aimed” at invading the private life of political, civic and media figures.

This was the second wave of attacks on the phone of Santiago Aguirre, one of the human rights defenders. He had been targeted with Pegasus during the previous administration, too, Citizen Lab found.

“This government made so many promises that things would be different,” Mr. Aguirre said. “Our first reaction was to say, ‘This can’t be happening again.’”

Cybersecurity Nightmare in Japan Is Everyone Else’s Problem Too

Bloomberg’s Jamie Tarabay, Min Jeong Lee, and Takahiko Hyuga review the recent rise in cyberattacks in Japan, a critical player in the global supply chain, prompting the government to escalate its efforts to address the scourge.

For all of its advanced technological knowledge, Japan is also a place where traditional ways of doing business are deeply entrenched. When ransomware attacks occur, companies are often able to keep operations running using paper inventories and offline backup systems — reliable and unhackable, but also slow and cumbersome. And as companies slowly restore their systems, breaches are not always reported, according to industry officials and cyber experts.

Historically, Japanese companies avoided paying ransoms by relying on punishingly slow data-recovery firms to piece together corrupted networks, says Tatsuhiro Tanaka, a retired major general who is now a research principal at Fujitsu System Integration Laboratories Ltd. But the rising frequency of attacks means the recovery cost is increasing too.

“There are very few companies that employ a kind of incident commander, the person who deals with the cyber attack and business continuity,” Tanaka said. “We have to change the mindset.”

There’s also resistance within some Japanese companies to disclosing attacks and upgrading systems, which stems from societal norms around assigning blame, according to Scott Jarkoff, who heads the strategic threat advisory group for cyber firm CrowdStrike and has lived in Japan for more than three decades.

How Gamers Eclipsed Spies as an Intelligence Threat

Jonathan Askonas, an assistant professor of politics at the Catholic University of America, and Renée DiResta, a technical research manager at the Stanford Internet Observatory, explain in Foreign Policy how the motivations of Jack Teixeira, the Massachusetts Air National Guard member arrested for the Pentagon documents leak, are impossible to understand without grasping how the online world, with its promises of camaraderie, is fast replacing traditional espionage as a source of intelligence leaks.

While the trajectory of the documents may seem novel, a closer look reveals that many significant intelligence leaks over the past 15 years have been substantially motivated by online reality. These leaks are not the product of espionage, media investigations, or political activism, but 21st-century digital culture: specifically, by the desire to gain stature among online friends.

Beginning in 2021, for example, secret information about weapons systems design and performance has repeatedly been posted to forums related to War Thunder, a massively multiplayer combat video game featuring highly realistic weapons. Hoping to win arguments about such details as a tank turret’s rotation speed or cajole developers into improving the realism of virtual weapons, players have posted classified armor blueprints, restricted manuals for F-16 fighter jets, and Chinese tank specifications. War Thunder’s developers have had to implore users to stop posting classified materials to the game’s forums.

Even where ideological commitments have motivated leakers, internet culture has often played a major role. U.S. Army intelligence analyst Chelsea Manning’s involvement with WikiLeaks began when she started monitoring—and then actively participating in—the forum’s chat channel. Her decision to leak diplomatic cables was initially motivated by debates about Icelandic politics on the WikiLeaks channel. When one looks at Manning’s conversations with WikiLeaks founder Julian Assange and others on the channel, they read very much like someone trying to connect with and impress her new internet friends; later, it was a similar desire to connect online that led to her arrest. Edward Snowden, too, attributed his decision to leak documents about National Security Agency surveillance programs to his concerns that they undermined the values he cherished as an avid denizen of early internet forums and chatrooms: anonymity, self-expression, and the right to reinvent oneself. (Snowden is now a Russian citizen living in Moscow.)

The Discord Leaker Was a Narcissist, Not an Ideologue

Also in Foreign Policy, David V. Gioe, a British Academy Global Professor at the King’s College London Department of War Studies and a history fellow for the Army Cyber Institute at the U.S. Military Academy, and Joseph M. Hatfield, an assistant professor at the U. S. Naval Academy, argue that comparisons between Jack Teixeira and self-declared whistleblowers such as Edward Snowden and Chelsea Manning are misplaced.

The real but superficial comparisons to leakers like Snowden and Manning classify Teixeira as a mass leaker on a personal crusade. But this is incorrect. Snowden and Manning leaked classified documents to journalists and activists to help bring about the kind of world they wanted to live in—one of citizen-enforced governmental transparency where states have less power. While foolish and misguided, they were ideologically motivated in taking their reckless actions.

In contrast, it seems that Teixeira simply displayed terrible judgment and was showboating his access to privileged information to increase his street cred with pals on the internet. In that sense, he was more like an irresponsible teenager who took his parents’ Ferrari out joyriding with his gearhead friends. Teixeira isn’t a “new breed” of insider threat, and he certainly isn’t a whistleblower seeking to publicize some perceived wrong.

‘Shut it off immediately’: The health industry responds to data privacy crackdown

Politico’s Ruth Reader reports on how a series of federal data privacy crackdowns by the Biden administration has complicated the ability of healthcare companies to market their services online.

Data privacy advocates are urging the regulators on, arguing that health information deserves special protections and that enforcement needs to evolve now that the world has moved online. They expect companies can adjust.

“Advertising does not have to be privacy-invasive to be valuable or effective,” said Cobun Zweifel-Keegan, managing director of the Washington office of the International Association of Privacy Professionals.

And the industry is hardly putting up a united front in response.

Lartease Tiffith, the executive vice president for public policy at the Interactive Advertising Bureau, a trade group for online advertising firms, for example, said that recent enforcement actions target companies that explicitly misrepresented their data privacy policies by not telling customers they were sharing information about them with third parties.

“If you tell consumers, we’re not going to do X, and you do X, that’s a problem,” he said. “I don’t think it has anything to do with our industry.”