Best Infosec-Related Long Reads of the Week, 12/17/22
How Russia's cyber operations in Ukraine failed to meet expectations, Telehealth organizations are sharing users' sensitive data with Big Tech companies, A forgotten chapter in tech crime history
Metacurity is pleased to offer our free and paid subscribers this weekly digest of long-form infosec pieces and related articles that we couldn’t properly fit into our daily crush of news. Tell us what you think, and feel free to share your favorite long-reads via email at info@metacurity.com. We’ll gladly credit you with a hat tip. Happy reading!
Cyber Operations in Ukraine: Russia’s Unmet Expectations
Gavin Wilde has this in-depth examination for the Carnegie Endowment for International Peace that explores the “unique and oft-overlooked facets” of Moscow’s conceptualization of cyber as a domain in order to assess Russia’s performance in cyberspace in Ukraine, which failed to meet expectations.
By practicing strategic empathy for Moscow’s historical views of the information space and the contest within it—particularly in the context of conventional armed conflict—analysts can avoid the false mirroring and faulty signaling that tends to plague discussions about offensive cyber operations and thus frame distorted expectations. With regards to the cyber aspects of Russia’s war on Ukraine, more robust insights into Moscow’s thinking may also help explain why these operations fell short of the strategic impact that Moscow envisioned. These three hypotheses—the infancy and putative focus of the VIO, the preponderance of cyber talent in the Russian national security ecosystem, and the pivotal nature of the initial period of war—share a common theme. Moscow’s information warfare thinking, its offensive cyber capabilities, and its organizational construct proved simply unfit for purpose in an event-driven, combined-arms campaign of the sort undertaken in February 2022.
Russia’s Wartime Cyber Operations in Ukraine: Military Impacts, Influences, and Implications
In another analysis for the Carnegie Endowment for International Peace, Jon Bateman examines the military effectiveness of Russia’s wartime cyber operations in Ukraine, why these operations have not had a more significant strategic impact, and the lessons other countries’ military cyber efforts can learn from Russia’s shortfall.
Even where analysts share a common set of facts about Russian hacking, they often seem to apply differing (or unclear) standards to judge military utility. Commentators of all stripes have framed Russia’s cyber efforts in binary terms: either as a failure or as a success. But analysts differ in where they set the dividing line between success and failure, causing people to talk past each other. On one side are cyber skeptics who often emphasize Russian hackers’ inability to paralyze Ukrainian decision-making and critical infrastructure via “shock and awe” tactics—a high bar indeed. On the other side are cyber proponents who tend to highlight any signs of coordination between Russian kinetic and cyber operations—no matter how inconsequential the results. Given these disparate yardsticks and shifting terms of debate, it isn’t always clear what analysts are arguing about, or whether they disagree at all. For example, Ciaran Martin expressed early cyber skepticism when he warned that “the cyber domain may influence the war at the margins, but it will not decide it.” Cattler and Black, both cyber proponents, came to a remarkably similar conclusion: “No single domain of operations has an independent, decisive effect on the course of war.”
‘Out of control’: Dozens of telehealth startups sent sensitive health information to big tech companies
An investigation by Todd Feathers, Katie Palmer, and Simon Fondrie-Teitler, co-reported by Stat and The Markup, discovered that 49 out of 50 direct-to-consumer telehealth companies share health data via big tech’s tracking tools, leaking sensitive medical information they collect to the world’s largest advertising platforms.
On 13 of the 50 websites, we documented at least one tracker—from Meta, Google, TikTok, Bing, Snap, Twitter, LinkedIn, or Pinterest—that collected patients’ answers to medical intake questions. Trackers on 25 sites, including those run by industry leaders Hims & Hers, Ro, and Thirty Madison, told at least one big tech platform that the user had added an item like a prescription medication to their cart, or checked out with a subscription for a treatment plan.
The trackers that STAT and The Markup were able to detect, and what information they sent, is a floor, not a ceiling. Companies choose where to install trackers on their websites and how to configure them. Different pages of a company’s website can have different trackers, and we did not test every page on each company’s site.
ARISTOCRAT INC.
Natalie So offers this nostalgic study in The Believer based on her own mother’s experience of a long-forgotten chapter in the history of technology crime, detailing the rise of highly organized Asian criminal gangs that specialized in the theft of computer chips, which gave rise to the first tech crimes unit in San Francisco.
After years of traditional investigation—including seven different confidential informants—yielded little about his inner circle, Lee’s team submitted an application to intercept all of Luong’s wireless and electronic communications. In August 1995, just days before the Aristocrat Inc. robbery, a judge authorized the wiretap.
As Lee began listening to Luong’s phone calls, she noticed something unusual. Often, Luong did not sound like he was talking about drugs. Luong and his associates frequently used coded language and nicknames, but Lee, who had spent years tracking Korean meth dealers in Hawaii, could easily recognize a language pattern that insinuated drugs. She also had a general idea of how much dealers paid for heroin and how much they sold it for, but the financial discussions she overheard did not seem to correlate. Luong and his men talked about “big jobs” and staffing those jobs. They talked about scouting job sites, which they often called “fishponds” or “stores.” They referred to goods as “food,” using different types of seafood (lobster and shrimp) to denote specific items. They talked about “tools” that were needed for the jobs, as well as U-Haul trucks, warehouses, and security. Testifying in court later, Lee’s colleague Nelson Low, a special agent on the Asian Organized Crime and Drug Squad, said, “We [started] picking up some sense that maybe these guys were involved in some robberies and things of that sort.”