Best Infosec-Related Long Reads for the Week of 3/9/24

The abuse perpetrated by members of com groups is extreme. They have coerced children into sexual abuse or self-harm, causing them to deeply lacerate their bodies to carve “cutsigns” of an abuser’s online alias into their skin. Victims have flushed their heads in toilets, attacked their siblings, killed their pets, and in some extreme instances, attempted or died by suicide. Court records from the United States and European nations reveal participants in this network have also been accused of robberies, in-person sexual abuse of minors, kidnapping, weapons violations, swatting, and murder.

Some members of the network extort children for sexual pleasure, some for power and control. Some do it merely for the kick that comes from manipulation. Others sell the explicit CSAM content produced by extortion on the dark web.

“Their main aim is to traumatize you,” says Anna, a young woman groomed and victimized by 764, one of the most notorious groups under the com umbrella. “They want to make you suffer. And for you to take your own life. They really are very sadistic people.”

The nonprofit National Center for Missing & Exploited Children received hundreds of reports of minors extorted into hurting themselves in 2023, says NCMEC’s CyberTipline director Fallon McNulty, a sharp rise over previous years. The organization, which routes reports from social media companies and the public to law enforcement, still receives dozens each month, she says.

“From 2022 into last year, especially, the scale of what's coming through seems like it's continuing to grow,” McNulty says, adding that in 2022 NCMEC only saw “a handful” of such extortion reports.

These online groups, she says, are responsible for “some of the most egregious online enticement reports that we’re seeing in terms of what these children are being coerced to do.”

For Putin’s Russia, “information-psychological warfare”—as a Russian military textbook calls it—is intended to “erode the morale and psychological spirit” of an enemy population. A central aspect of a wider war against the West, it is conducted online through relentless barrages of fake, real, and misrepresented news, through a cultivated network of witting and unwitting shills such as Carlson. The Kremlin’s messaging has an extraordinary reach: In the first year of the Ukraine war alone, posts by Kremlin-linked accounts were viewed at least 16 billion times by Westerners. Every one of those views is part of a full-spectrum attack against the West designed not just to undermine support for Ukraine, but to actively damage Western democratic systems.

Moscow launches its attacks using a playbook familiar to anyone who watched the disinformation campaigns linked to the 2014 invasion of Crimea and the 2016 U.S. presidential election. Bots, trolls, targeted ad campaigns, fake news organizations, and doppelganger accounts of real Western politicians and pundits spread stories concocted in Moscow—or in St. Petersburg, where then-Wagner Group leader Yevgeny Prigozhin ran an army of trolls posting on Western social media. If the specific technologies are new, Russia’s strategy of information warfare is not. During World War II, Soviet propagandist Ilya Ehrenburg memorably described the pen as “a weapon made not for anthologies, but for war.” From the early Bolshevik era to the end of the Cold War, his peers spent decades spreading disinformation abroad in hopes that countries targeted by Russia would be unable to “defend … themselves, their family, their community, and their country,” as Soviet journalist turned defector Yuri Bezmenov put it.

What is undoubtedly new is a polarized Western public’s enthusiasm for re-centering its own identity around Moscow’s narratives—and becoming an unwitting weapon in the information war. Take, for example, the QAnon movement, whose supporters have long gathered critical energy from talking points supplied and amplified by Moscow through social media. QAnon supporters espouse a range of grievances familiar from Russian propaganda: anti-LGBTQ+, anti-liberal, and especially anti-Ukraine sentiments. QAnon channels on the messaging app Telegram, for example, rapidly turned into fora for anti-Ukraine and pro-war sentiment.

While the ICC’s press release specifies that the suspects are responsible for missile strikes carried out by the forces under Kobylash and Sokolov’s command, this characterization does not preclude the prosecutor from introducing evidence of other types of attacks on the electric grid, such as cyberattacks that were carried out by other parts of the Russian military in coordination with this missile campaign. In light of the prosecutor’s recent pronouncement that his office will investigate cyber-enabled international crimes under the Rome Statute, these cases might offer the first opportunity for submitting evidence of military cyber operations in an ICC trial. In fact, evidence of Russia’s cyberattacks on Ukraine’s power infrastructure could provide important context and help the prosecutor establish elements of the charged crimes, specifically the intent to target civilian objects. Moreover, evidence of Russian cyber operations could demonstrate that the missile attacks on power plants were not isolated or random incidents, but were part of a broader military policy—one of the elements that must be established for the charge of a crime against humanity.

For over a decade, Russia has employed hybrid tactics in its aggression against Ukraine, combining cyber and information operations with traditional kinetic force, and directing both types of attacks toward civilian infrastructure. As Russia expert Gavin Wilde explains “This strategy is consistent with Moscow’s long-standing views about information’s supposed coercive potential. For instance, current members of the Russian General Staff have long claimed that cyber and information warfare must be designed not only to neutralize enemy military networks, but also to degrade the adversary’s morale, cultural values, and very way of life.”

In addition to its well-articulated policy to degrade political and popular will through military and nonmilitary methods, Russian practice over the years strongly suggests that civilian objects have been intentional, direct targets and not simply collateral damage. Since Russia’s initial occupation of Crimea in 2014, over which the ICC has been granted jurisdiction, the Russian military has deployed significant cyber capabilities against Ukraine, executing several effects-based cyber operations on the energy grid that could amount to war crimes. Two meaningful incidents occurred before Russia’s full-scale invasion of Ukraine in February 2022.

Further, to the extent that policymakers should prioritize bigger harms and greater risks, sensitive locations lists could help articulate which places constitute that greater risk to individuals. Mental health and reproductive health care clinics, domestic violence shelters, children’s schools, and religious places of worship, among others on the FTC’s list, are certainly places where the sale of location data can reveal highly personal information about people that is prone to abuse.

Insurance companies, for instance, could learn about people’s medical conditions by purchasing data on geolocation pings at mental health facilities, reproductive health clinics, or treatment centers specializing in HIV or cancer. And advertising firms could sidestep the Children’s Online Privacy Protection Act to buy location data about children (which, unlike data from children, is not covered), including their families and the schools they attend. Individuals can even buy location data to filter down within larger data sets, identify specific queer people, and out their sexual orientation.

Policymakers weighing the use of sensitive locations lists could consider adding other places that pose greater risks to individuals or society. The FTC mentioned in its May 2023 complaint, for example, that X-Mode was advertising data for sale about military bases. Given the number of U.S. data brokers that collect and sell data about U.S. military service members and national security personnel, legislators and policymakers could build a sensitive locations list that also includes certain U.S. military bases and government facilities.

Sensitive locations lists, practically speaking, may also facilitate companies implementing more concrete privacy protections. For instance, if a federal law prohibited data brokers from selling data about a defined list of sensitive locations, brokers could implement internal protocols to identify when possibly collected location data relates to a place of worship, the site of a First Amendment-protected public demonstration, or an addiction treatment facility. The brokers could use a concrete list of location types to identify actual locations in each bucket (such as for “mental health facilities,” developing lists of all mental health facility addresses to not collect on)—and could give those specific lists to salespeople. Then, when a prospective buyer approaches a broker for location data on a specific mental health facility at a certain address, the salesperson could check against the prohibited list and block the transaction. Others involved in a data broker’s transaction process, such as those building contracts and monitoring client account activity, could be trained to use the list to enforce prohibitions on sensitive location sales as well.

To authorize the government’s efforts to remediate botnets and other malware, the Justice Department and the FBI have developed a new playbook, employing a nationwide hacking warrant. In the Volt Typhoon case, Justice Department prosecutors obtained four virtually identical such warrants from federal magistrate judges in Houston, Texas.

Warrants that allow the government to search or seize private property in criminal investigations are a centuries-old tool with origins in British common law, refined and given teeth in the United States through the experience of the American Revolution, which inspired the Fourth Amendment’s prohibition against unreasonable searches and seizures. While the warrants the FBI used to delete malware from hundreds of small office and home office routers have the same form as traditional warrants, a closer look shows just how little they have in common with them.

First, the purpose of these nationwide hacking warrants is not criminal investigation, but cybersecurity. The targets are not criminals, but devices belonging to the innocent victims of foreign hackers who will almost certainly never see the inside of a courtroom. The government’s actions are best characterized as technical mitigation of a cybersecurity threat, which the warrant serves to make legal.

In the Volt Typhoon case, the warrant did not authorize one or a few searches or seizures within the geographic reach of the court’s jurisdiction, the Southern District of Texas. Instead, it applied to any router anywhere in the United States infected with KV botnet malware. The warrant was also secret, at least temporarily. To ensure that the Volt Typhoon hackers did not interfere with the operation, the prosecutors sought and obtained an order allowing them to delay notice of the warrant to affected owners for up to 60 days.

Because Congress has not provided specific authority for such operations to disrupt botnets, delete malware, or otherwise counter malicious cyber activity on privately owned devices, it is these warrants that allowed the FBI to secretly use a criminal botnet to reach into hundreds of devices in American homes and offices without consent or even prior notice to their owners. In other words, malicious code used in cybercrime is fair game for such hacking because it is either evidence of a crime or what is known as a fruit or instrumentality of crime. According to prosecutors, the malicious code on the devices was “property designed for,” “intended for,” or “used in” criminal activity, making it subject to seizure (and deletion) by the government.