Best Infosec-Related Long Reads of the Week, 3/25/23

Iran's cyber army scorched earth tactics, Iranian activists appeal to tech giants, Israeli army's domestic psyops, Chinese firms try to pass as US-based, US Cyber policy enforcement challenges, more

Metacurity is pleased to offer our free and paid subscribers this weekly digest of the best long-form infosec pieces and related articles that we couldn’t properly fit into our daily crush of news. So tell us what you think, and feel free to share your favorite long reads via email at info@metacurity.com. We’ll gladly credit you with a hat tip. Happy reading!

The Scorched-Earth Tactics of Iran’s Cyber Army

Arian Khameneh in Wired examines how the Islamic Republic of Iran's cyber operation, known colloquially as Cyberi, uses old-school hacking and intense disinformation campaigns to sow doubt and create a climate of fear and intimidation among the Iranian people.

Although widespread vigilance against IRI state actors has made the public less susceptible to propaganda tactics, it has simultaneously created an environment of distrust, where anybody is potentially a regime goon.

A recent study by Hossein Kermani, a political communications researcher at the University of Vienna, outlines the various tactics deployed by the Iranian cyber army that muddy the waters: “Downgrading discussions to the level of the government, justifying the state’s policies, cheering up other users, portraying that everything is normal, redirecting debates, spreading fake news, trending misleading hashtags, and mocking dissidents and activists.”

Some of these strategies were used to accuse the two journalists who covered the death of Mahsa Amini of being Mossad agents, portraying the prominent Iran-based activist Sepideh Qolian as “mentally ill and hysterical,” and pretending to be activists calling for violent uprisings in order to justify violent crackdowns. Pro-regime accounts also mimicked and hijacked anti-regime hashtags, which were subsequently flooded with pro-regime misinformation. And IRI cyber forces boosted the “Do execute” hashtag in response to activists trending “Do not execute” against the string of death penalty verdicts against protesters.

Iranian Activists Want Tech Companies to Ban the Ayatollah

Peter Guest in Business Week offers another angle on how Iran uses its Islamic Revolutionary Guard Corps (IRGC) and other forces to spark an “unseen war” using social media against activists who have unsuccessfully tried to compel tech companies to take action against the Iranian government’s cyberattacks, propaganda and large-scale misinformation campaigns aimed at its own people.

So far, the activists have made little progress. They, like others who’ve tried to compel tech companies to take action against dangerous accounts, have found that the companies are shielded by Section 230 of the US Communications Decency Act of 1996, which says they aren’t considered publishers and therefore aren’t liable for their posts. The 26 most important words in tech, as the provision has been called, are being challenged at the US Supreme Court. In late February, the court heard oral arguments in Gonzalez v. Google LLC, brought by the family of an American student killed in a terrorist attack in Paris. The perpetrator was allegedly radicalized by content that YouTube’s algorithm recommended for him. (Twitter v. Taameneh, a second pending case brought by surviving family members of a terrorist attack victim, alleges that Facebook, Google and Twitter all bear responsibility for radicalizing users.)

In court, and in a subsequent statement, Google argued that Section 230 protects free expression and is “the economic backbone of the internet.” Meta Platforms Inc. and Twitter Inc. made the same case in briefs filed to the court in support of Google in the Gonzalez case. During oral arguments in the Taameneh case, Twitter’s counsel denied responsibility, arguing that allowing Islamic State on its platform doesn’t constitute knowing assistance to the militant al-Qaeda splinter group.

Israeli Army Conducted Online Psy-op Against Israeli Public During Gaza War

Hagar Shezaf and Yaniv Kubovich offer an in-depth look in Haaretz at how the Israel Defense Forces Spokesperson’s Unit conducted a psychological warfare operation against Israeli citizens during the May 2021 Guardian of the Walls campaign in Gaza using fake social media accounts to conceal the campaign’s origin.

Haaretz has learned that this “propaganda campaign” was launched several days into the fighting, after the IDF Spokesperson’s Unit felt that the Israeli public was more impressed by the rocket strikes launched against Israel by Gaza than by the IDF’s actions inside the Strip. According to internal discussions, the unit’s use of fake accounts – “bots” – was meant to prevent its “attribution” to the army. This, the army hoped, would make it look authentic, as if it originated organically from the public.

To echo the campaign further, the Spokesperson’s Unit discreetly teamed up with two popular Israeli Instagram accounts – @idftweets and @pazam_gram – which have hundreds of thousands of followers. On the first day of this campaign, @idftweets shared posts and stories of an IDF strike with the hashtag #Gazaregrets. The content received hundreds of likes and enthusiastic comments like “kill them all” or “why are any buildings still standing in Gaza?” @pazam_gram followed suit with stories on their accounts.

As TikTok faces a ban, other Chinese companies in US try to pass as locals

Viola Zhou and Russell Brandom reveal in Rest of World how Chinese companies are distancing themselves from their Chinese roots by setting up headquarters in California or New York, hiring American staff, and storing user data on non-Chinese servers to dodge US policymakers’ concerns over their data security and Chinese ties.

Tech companies founded in China often keep their development teams at home, and hire marketing and public relations workers in the U.S. to better engage with their customers. Jie Chen, a managing partner at venture capital firm Celtic House Asia Partners, told Rest of World China-linked companies could also mitigate political risk by bringing in international workers and investors. “They try to become more Americanized, in terms of operation, transparency, and ownership structure,” Chen said.

Consultants for Chinese companies say keeping user data outside of China also helps assuage security concerns. The founder of a software development startup, who requested anonymity to discuss sensitive issues, told Rest of World his company separated user data in China — stored on Alibaba Cloud — from user data in other countries, stored on Amazon Web Services.

The company is registered in California, even though it first launched services in China. “We are an American company,” the founder said. “From day one, we wanted to create a global product.”

Enforcement of Cybersecurity Regulations: Part 1

Jim Dempsey, senior policy advisor at the Stanford Cyber Policy Center, in Lawfare Blog examines how likely it is that the Biden administration will be successful in enforcing the mandatory cybersecurity requirements contained in its recently released National Cybersecurity Policy, offering examples that serve as a cautionary tale.

Consider Twitter. Among the many damning claims made last year by former Twitter security lead turned whistleblower Peiter Zatko was that the company had never complied with the 2011 Federal Trade Commission (FTC) order directing it to improve its data security. Indeed, among many other deficiencies cited by Zatko, he alleged that Twitter never fixed the very flaw—granting over half its employees administrative access—that the commission had called out in its initial complaint against the company in 2010. (A second Twitter engineer came forward more recently with a similar claim.) As of 2021, according to Zatko, still over half of Twitter’s 8,000 employees had privileged access to production systems and sensitive user data. This meant that the entire company could be compromised if any one of those workers fell for an attack—which in fact someone did in 2020, causing what cybersecurity authority Dimitri Alperovitch said at the time was the worst hack ever of a major social media platform.

One of the most remarkable aspects of this tale is that Twitter, as required by the 2011 FTC order, has been undergoing every two years an assessment of its cybersecurity practices by a supposedly independent third party, which concluded that Twitter’s security was just fine. Indeed, the assessment report for 2019 through 2021, the very time when the company suffered that major breach, stated that Twitter’s security controls met or exceeded the FTC’s requirements and operated throughout the reporting period “with sufficient effectiveness to provide reasonable assurance to protect the security, privacy, confidentiality, and integrity of non-public consumer information.”

Export Control is Not a Magic Bullet for Cyber Mercenaries

Winnona DeSombre Bernsen, a nonresident fellow with the Atlantic Council, argues in Lawfare Blog that US and EU export control initiatives to curb growth and hamper cyber mercenaries that sell spyware and other offensive cyber tools and conduct cyber operations on behalf of government customers are inadequate for solving the problems these mercenaries pose.

Even as countries become better at cracking down on export control violations, some of the shadier companies are turning to intermediaries in other nations to sell to authoritarian countries for them. Some companies even make their own intermediaries. The Israeli company Quadream, for example, sells its primary hacking tool through a sister company in Cyprus that holds Quadream stock, and sells Quadream tools, but is conveniently not subject to Israeli export control laws. Ultimately, because mercenary companies that refuse to abide by export controls can pack up and move jurisdictions, export controls will disproportionately impact the few vendors that want to abide by the controls—likely the same ones that sell only to Western countries. Meanwhile, cyber mercenaries are still able to get lucrative contracts from democratic institutions. For example, NSO Group sold its infamous Pegasus software to 14 EU governments. Pegasus is the same software used by authoritarian governments to threaten activists and dissidents worldwide.