Best Infosec-Related Long Reads for the Week of 11/30/24
Ransomware's painful destruction of small businesses, China's drone threats to the food supply, GRU's most-wanted cyberspy's embrace of Pablo González, How corporations spy on employees, No one likes the UN cybercrime convention
Happy Saturday morning! Metacurity is pleased to offer our free and premium subscribers this weekly digest of the best long-form (and longish) infosec-related pieces we couldn't properly fit into our daily news crush. So tell us what you think, and feel free to share your favorite long reads via email at info@metacurity.com.
In the meantime, please consider supporting Metacurity with a subscription upgrade.
Ransomware Gangs’ Merciless Attacks Bleed Small Companies Dry
Bloomberg's Ryan Gallagher tells the familiar but heartbreaking story of what a ransomware attack can do to small businesses, in this case, Knights of Old, a 158-year-old UK delivery company, which was forced into bankruptcy despite having a cyber insurance policy and having invested in cybersecurity preparation and training.
[Knights' co-owner Paul Abbott] said he and his partners decided not to negotiate with Akira or pay the gang anything, because there could be no guarantee the data could be fully recovered even with the decryption key. In response, the hackers followed through on their threat, publishing more than 10,000 internal documents online—mostly employee payroll files, invoices and other financial information.
The company tried to rebuild its computers. Within a few days, Knights’ technicians had set up a new transport management system and recovered an old backup of the warehouse software. But the financial management databases couldn’t be immediately recovered, because hackers had destroyed another backup that was supposed to be stored securely elsewhere.
Facing cash-flow pressures, KNP sought a loan. Abbott says the bank would provide it only if the company could supply the missing financial records and performance reports. Still waiting on a payout from the insurance company, the co-owners tried to sell the company. A European businessman came close to buying. But, because of the missing financial records, the buyer insisted that the three partners personally guarantee the state of the company’s finances. They’d be putting their houses and savings on the line. The partners balked, according to Abbott. “My wife would never have let me do that, regardless of how confident we were in the business,” he says.
On Sept. 25, 2023, KNP Group entered administration, the British equivalent of bankruptcy. In Kettering, Abbott announced the news to his employees, some of whom he’d worked with for decades. Another company bought one of KNP’s subsidiaries, Nelson Distribution, saving about 170 jobs. But the rest of KNP’s 700 or so employees, the majority of them from Knights of Old, lost their livelihood. Jeff Maslin, who drove trucks for Knights, says drivers are still owed weeks’ worth of wages. “I know people who lost their house, lost their car and ended up divorced,” he says.
Beyond TikTok — The National Security Risks of Chinese Agricultural Drones
In War on the Rocks, independent researcher Claris Diaz and Emilian Kavalski, the NAWA chair professor at the Center for International Studies and Development at the Jagiellonian University in Krakow, examine how Chinese-made agricultural drones equipped with intrusive data-collecting technology pose a far greater national security threat than TikTok and could enable warfare against an adversary's food supply.
As part of their investment strategy, the Chinese government has made military agreements with Chinese-owned agriculture drone manufacturers and agriculture research universities. Their Military-Civil Fusion strategy, integrating civilian technologies with military goals, enables the Chinese government to exploit critical farming data for economic and military advantages. To support sustainable food production by monitoring crop health and predicting crop yields, the drones collect alarmingly specific data about the crops and region of the customer using them. For example, a drone used for corn fields in the United States, one of the world’s biggest corn exporters, will collect detailed data about the area’s climate, soil conditions, and pest and disease susceptibility. The onboard AI can analyze this data to report crop vulnerabilities and identify optimum growth needs for these and other crops such as rice and wheat, foods on which much of the world’s population depends. From Brazil’s soy farms to Spain’s olive groves, the Chinese government can potentially access the farming data of any customer in any region.
This data exploitation will facilitate the Chinese government’s efforts to design “perfect” products that farmers will want for healthier crops and increased yield. Chinese drone manufacturer XAG has already signed agreements with Bayer and Chinese-owned Syngenta, two of the world’s foremost agricultural sciences corporations. Farming data shared with these research and development enterprises helps them create precisely what farmers need — fertilizers that optimize crop growth and quality, highly effective spray pesticides and fungicides, and genetically modified seeds that withstand drought and other extreme conditions. This may not matter now, but it will in the next few decades when farmers struggle to grow healthy crops, and there won’t be enough crops to feed the world.
Chinese companies are seeking to become the leading suppliers of smart agricultural technologies, which will help Beijing dominate the global food market. China can use price controls, set export restrictions, and implement trading fees for products that affect crop growth. This would also impact other sectors, such as the meat and dairy industry, since crops such as corn are used for livestock feed. In addition, China can establish trade agreements with other countries for food items they need, potentially reducing reliance on Western markets. This market influence strengthens China’s economic power and gives it significant political leverage. The Federal Bureau of Investigation has already warned about the Chinese Communist Party’s economic espionage efforts and plans to dominate the global market. In this respect, smart agriculture drones can become an important tool in China’s strategic outreach.
Hugging an FBI Most Wanted: The GRU Spy’s Homecoming
In VSquare, Kato Kopaleishvili, Michael Weiss, Christo Grozev and Roman Dobrokhotov paint a vivid picture of how Russian GRU spy Pavel Rubtsov, who posed as Spanish journalist Pablo González, was warmly greeted by Oleg Sotnikov, a GRU officer on the FBI's Most Wanted List for cyber-espionage, when he returned to Moscow in the major August 2024 prisoner exchange with the West.
Sotnikov is well known to NATO counterintelligence. He’s an officer of the GRU, Russia’s military intelligence service. In October 2018, the U.S. District Court of the Western District of Pennsylvania indicted Sotnikov and six other GRU officers with “stealing private or otherwise sensitive information” to use as part of an “‘influence and disinformation’ campaign designed to undermine the legitimate interests of the victims, further Russian interests, retaliate against Russia’s detractors and sway public opinion in Russia’s favor.”
Specifically, Sotnikov offered support to one of the GRU's cyber operations teams, Unit 26165, in the "close access" hacking of the OPCW headquarters in The Hague. He turned up in the Netherlands with his co-conspirators to breach the chemical weapons watchdog's WiFi network in April 2018; little did they know they were being trailed by the Dutch General Intelligence and Security Service (AIVD) from the moment the team arrived at Schiphol Airport in Amsterdam. Just as they got to work from the parking lot of a Marriott hotel adjacent to the watchdog's building, the entire team was rounded up by the AIVD and expelled from the country.
As of June 2013, Moscow’s residential database showed Sotnikov’s “permanent address” as Khoroshevskoye Chausse 76B, which happens to be the main address of GRU Headquarters.
For more than a decade, the GRU has conducted extensive cyberoperations aimed at exfiltrating sensitive information from international monitors and waged political campaigns in order to instrumentalize it to Moscow's advantage. The Kremlin expends enormous energy and resources on obfuscating forensic evidence and denying its culpability in poisoning its enemies — and on covering up for its clients when they do the same. The OPCW, for instance, investigated Syrian chemical weapons attacks perpetrated by Russia's client, Bashar al-Assad's regime, and the 2018 Novichok poisoning of Sergei and Yulia Skripal in Salisbury, England, which was carried out by the GRU's black ops team, known as Unit 29155. The hacking of anti-doping agencies, too, coincided with the 2016 Summer Olympics in Brazil, where, out of 389 athletes competing for Russia, 111 were disqualified because of their use of prohibited steroids and performance-enhancing drugs.
“Fancy Bear,” as Unit 26165 has been nicknamed by cybersecurity experts, became notorious in 2018 when a dozen of its members were indicted by Special Counsel Robert Mueller for engaging in “a sustained effort” to hack into the digital correspondence of the Democratic Party and Hillary Clinton’s presidential campaign with the aim of swaying the 2016 U.S. election in favor of Donald Trump.
Sponsor Message
Armed with a complete view of your organization’s software assets, Anchore allows you to find and prevent malicious content from reaching your users. Anchore’s end-to-end, SBOM-powered software supply chain security management platform protects you and your customers at every step, from SBOM monitoring to policy enforcement to remediation. Anchore integrates at every stage of the software development process, from source code to build to runtime. Every package, every library, every version is cataloged and stored. This enables organizations to find out where content is, where it came from, and how it changed.
Tracking Indoor Location, Movement and Desk Occupancy in the Workplace
Wolfie Christl, founder of the Viennese public interest technology research firm Cracked Labs, presents a case study from the ongoing "Surveillance and Digital Control at Work" project. It examines software systems and technologies that use employees' personal data to monitor room and desk occupancy and to track employees' location and movements inside offices and other corporate facilities, and it documents how workers resisted the installation of motion sensors by their employers.
As offices, buildings and other corporate facilities become networked environments, there is a growing desire among employers to exploit data gathered from their existing digital infrastructure or additional sensors for various purposes. Whether intentionally or as a byproduct, this includes personal data about employees, their movements and behaviors.
Technology vendors are promoting solutions that repurpose an organization's wireless networking infrastructure as a means to monitor and analyze the indoor movements of employees and others within buildings. While GPS technology is too imprecise to track indoor location, Wi-Fi access points that provide internet connectivity for laptops, smartphones, tablets and other networked devices can be used to track the location of these devices. Bluetooth, another wireless technology, can also be used to monitor indoor location. This can involve Wi-Fi access points that track Bluetooth-enabled devices, so-called "beacons" that are installed throughout buildings and Bluetooth-enabled badges carried by employees. In addition, employers can utilize badging systems, security cameras and video conferencing technology installed in meeting rooms for behavioral monitoring, or even environmental sensors that record room temperature, humidity and light intensity. Several technology vendors provide systems that use motion sensors installed under desks or in the ceilings of rooms to track room and desk attendance.
Is Anyone Happy With the UN Cybercrime Convention?
In Lawfare, Karine Bannelier, Associate Professor of International Law at the University Grenoble Alpes (France) and Director of the Grenoble-Alps Cybersecurity Institute, and Lawfare Senior Editor Eugenia Lostri explain how the new UN cybercrime convention has left no one happy, although a longer-term view indicates it is a victory for authoritarian countries.
After the UN adopted the draft convention by consensus, the backlash from the private sector and civil society was swift. Some groups, including in the U.S., called on states to abstain from adopting the convention, arguing that no convention at all would be better than this one. As Katitza Rodriguez, policy director for global privacy at the Electronic Frontier Foundation, wrote: “States should vote No when the UNGA votes on the UN Cybercrime Treaty.”
Among the main criticisms is the fact that “the e-evidence sharing chapter remains broad in scope, and the rights section unfortunately falls short. Indeed, instead of merely facilitating cooperation on core cybercrime, this convention authorizes open-ended evidence gathering and sharing for any serious crime that a country chooses to punish with a sentence of at least four years or more, without meaningful limitations.”
Western governments acknowledged these concerns but ultimately dismissed them. Representatives from the U.S. and the U.K., for example, argued that their countries needed to continue to support the convention to prevent being left out of the conversation. Even if their governments refrained, the convention would most likely still be adopted, and they would not be in a position to play a role in its interpretation and implementation of protections and safeguards provided within. There’s also, of course, a clear utility. As one U.S. official said, “[T]he treaty would expand the number of countries that would respond to U.S. warrants for arrest involving cybercrimes.”
They also argued that refraining at this stage, after adopting the text by consensus at the ad hoc committee, would break the trust built up during negotiations. Many of these partners are the middle countries, such as the Caribbean or African states that will end up benefiting from an increase in capacity building. In many ways, the convention accomplishes their objective: improved capacity to fight cybercrime. However, these same countries are also the most vulnerable to UN-washed requests from authoritarian governments. As Jason Pielemeier, executive director of the Global Network Initiative argued, the concern is less that the Russian government will misuse the convention against established democracies but, rather, that it will exploit the international acceptance of the language to make demands from third countries with weaker application of the rule of law. Another wrinkle lies in the possibility that authoritarian governments could argue that they are simply applying international law in their domestic context—a pretty straightforward way of covering up abuses.