Best Infosec-Related Long Reads of the Week, 7/8/23
Russia's new surveillance cottage industry, How the FBI took down Hive, America's defense and intel agencies are luring Israel's spyware workers, How the FBI queries Americans under Sec. 702
Metacurity is pleased to offer our free and paid subscribers this weekly digest of the best long-form infosec-related pieces we couldn’t properly fit into our daily crush of news. So tell us what you think, and feel free to share your favorite long reads via email at info@metacurity.com. We’ll gladly credit you with a hat tip. Happy reading!
Cracking Down on Dissent, Russia Seeds a Surveillance Supply Chain
Aaron Krolik, Paul Mozur, and Adam Satariano in the New York Times delve into how since the start of the war in Ukraine, the rise of a cottage industry of tech contractors has given the police and Russia’s Federal Security Service, or the FSB, access to surveillance capabilities focused on the day-to-day use of phones and websites, including technologies that can track encrypted app use.
One feature of NetBeholder harnesses a technique known as deep-packet inspection, which is used by telecom service providers to analyze where their traffic is going. Akin to mapping the currents of water in a stream, the software cannot intercept the contents of messages but can identify what data is flowing where.
That means it can pinpoint when someone sends a file or connects on a voice call on encrypted apps like WhatsApp, Signal or Telegram. This gives the F.S.B. access to important metadata, which is the general information about a communication such as who is talking to whom, when and where, as well as if a file is attached to a message.
To obtain such information in the past, governments were forced to request it from the app makers like Meta, which owns WhatsApp. Those companies then decided whether to provide it.
The new tools have alarmed security experts and the makers of the encrypted services. While many knew such products were theoretically possible, it was not known that they were now being made by Russian contractors, security experts said.
Some of the encrypted app tools and other surveillance technologies have begun spreading beyond Russia. Marketing documents show efforts to sell the products in Eastern Europe and Central Asia, as well as Africa, the Middle East and South America. In January, Citizen Lab reported that Protei equipment was used by an Iranian telecom company for logging internet usage and blocking websites. Ms. Ermoshina said the systems have also been seen in Russian-occupied areas of Ukraine.
For the makers of Signal, Telegram and WhatsApp, there are few defenses against such tracking. That’s because the authorities are capturing data from internet service providers with a bird’s-eye view of the network. Encryption can mask the specific messages being shared, but cannot block the record of the exchange.
How the FBI hacked Hive
Politico’s John Sakellariadis looks at how the FBI took down the Hive cybercrime gang with a sting operation, reflective of a bigger trend to disrupt malicious actors from afar rather than arresting them, which, given their foreign locales, is unrealistic.
Hive first came on the FBI’s radar in July 2021. As high-profile ransomware groups were launching a wave of crippling attacks on American gas pipelines and meat processors, the then-unknown Hive gang locked up the network of an undisclosed organization in Florida.
Because it was Hive’s first known attack within the United States, FBI procedure dictated that the Tampa field office, the bureau’s closest to the victim, would assume responsibility for all future Hive cases.
Justin Crenshaw, a supervisory special agent in the Tampa office, said he and his team “knew nothing” about the group at the time, but quickly dug in.
Over the next 18 months, Hive launched upward of 1,500 attacks across the globe and collected roughly $100 million in cryptocurrency from its victims, according to estimates from U.S. law enforcement. The group expanded so fast, in part, by turning ruthlessness into a powerful engine of growth, targeting organizations, such as hospitals and health care providers, that other cybercriminals had declared off limits.
As Hive launched one attack after another, the Tampa agents interviewed every victim who came forward to the bureau, a process that slowly yielded valuable intelligence about the gang.
They learned, for example, how Hive was not exactly one group but several, closer to a branded franchise like McDonald’s than a tight-knit mafia. The group ran what cybercrime experts call a ransomware-as-a-service model, in which Hive’s core members rent encryption software to a vast web of other criminals, or “affiliates,” who specialize in penetrating networks and deploying the ransomware payload.
Twelve months after that first case hit the Tampa desk, Crenshaw finally had a breakthrough.
He found a way to break into the group’s remote administration panel, a digital nerve center where gang members safeguard the keys that allow them to scramble — and then “save” — the data of every hospital, school, and small business that fell within their grasp.
Headhunters and American Money Are Luring Israeli Hackers to New Cyber Firm
Haaretz’s Omer Benjakob discovered that Defense Prime, a new cyber company founded by Israeli expats living in the US, is trying to entice Israelis to abandon their work at firms like spyware maker NSO and opt to work in, or at least with, America, highlighting a trend where dozens of Israeli hackers and others employed in offensive cyber have left to work abroad for firms backed by the American defense establishment and intelligence community.
Defense Prime is but the newest and loudest of what sources say is a new crop of non-Israeli cyber firms currently on the ascent and taking a bite out of their Israeli competitors’ talent and market share. According to sources and an investigation by Haaretz, the firm joins a growing list of new or existing ones that have significantly expanded their operations over the past two years, in tandem with the attempts to rein in the Israeli cyber industry and stop the proliferation of commercial spyware.
In Europe, sources note existing firms like Memento Labs or Data Flow in Italy, Interrupt Labs in the U.K., and Varistone in Spain as having grown over the past 18 months - also with the help of Israeli talent. There are also new firms, especially in the U.S., which have emerged in tandem with U.S. pressure on Israel in the wake of the NSO affair.
Eqlipse Technologies, for example, was set up last year to offer what it termed “full-spectrum cyber and signals intelligence (‘SIGINT’)” capabilities for “key national security customers within the Department of Defense and Intelligence Community,” according to a press release by Arlington Capital, which is backing the company. “Full spectrum cyber” is an industry euphemism for both defensive and offensive capabilities. Eqlipse, despite its young age, already has over 600 workers and $200 million in annual revenue.
Another firm, Siege, also American, was set up in 2019 but has upped its operations in the past two years. It focuses exclusively on “providing mission critical offensive and defensive cyber capabilities to the U.S. Government,” according to its website.
How FBI Querying Under FISA Section 702 Works
Former NSA General Counsel Glenn Gerstell, now a Senior Advisor at the Center for Strategic & International Studies, explains how the FBI leverages the controversial Section 702 of the Foreign Intelligence Surveillance Act (FISA) to query foreign intelligence surveillance databases to obtain data on Americans.
The simplest analogy is to think of doing a search for an email in one’s inbox or other electronic folder. Assuming an agent has the proper authorizations, he or she first selects the appropriate databases in the FBI’s computer system that stores information lawfully acquired pursuant to the FBI’s dual missions (including the 702 database described above), and then enters a person’s name, email address, phone number or other information to initiate the search. The name might, for example, be the victim of a foreign espionage operation or the IP addresses of affiliates of a company subject to a foreign ransomware attack. The FBI’s computer system will tell the agent the number of “hits” or responsive results (including in the 702 database if selected). Oftentimes, searches turn up nothing.
There are separate procedures where the agent uses a search term pertaining to an American, such as a name or email address. In that case, the system won’t at that stage reveal the content of any 702 communications, such as the actual text of an email. But if there is a hit in the 702 database and the agent wants to see the contents of that result, then he or she must take an additional step to “opt in” to viewing the data with a justification for why a review of the content of communications in that database is appropriate.