A cybersecurity company will reveal this weekend the secretive details of how one government spies on its citizens and adversaries.
The company Lookout discovered a cache of digital messages between government officials in an unnamed nation with a relatively nascent surveillance program -- and more than a dozen companies eager to outfit it with bespoke spying tools.
The messages, which Lookout will detail at the ShmooCon cybersecurity conference, highlight how the barrier to entry for getting sophisticated spyware tools has dramatically lowered. The proliferating private market for hacking tools has allowed even poor and developing nations’ governments to scoop up troves of private conversations from critics, activists and political opponents — often far outside their borders.
“Historically, these tools were the purview of a few nations that had people to develop them in house. Now there’s another tier that don’t have the technology but can pay for it, and there are fewer checks and an even greater potential for abuse,” John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, which has extensively investigated spyware, told me.
The nation that Lookout is profiling started with a $23 million budget for spyware, researchers Michael Flossman and Andrew Blaich told me. The government apparently negotiated with companies -- including major spyware players such as Italy’s Hacking Team and Israel’s NSO Group -- offering complex hacking tools that cost as little as $50,000 and as much as $7 million.
The government was mainly focused on exposing the contents of smartphones and tablets, the researchers say. Ultimately, the nation couldn’t afford what it really wanted within its price range, so it opted to build its own more moderate tool in house, the researchers said.
Lookout isn’t naming the country or providing details on its spying targets because researchers are still studying the operations, Flossman and Blaich said. The researchers discovered the messages between the government and spyware companies, along with internal communications after they were exposed by an error in a computer server the officials used.
Lookout has experience studying government spyware campaigns. The company previously uncovered what appeared to be a Pakistani military spying operation targeting the mobile phones of diplomats, military personnel, and activists in Pakistan, Afghanistan, India, Iraq, and elsewhere.
But the troves of messages shed new insight into this highly opaque form of government contracting. One big takeaway for researchers was how easy it was for the government to get pitches and compare prices from numerous spyware companies, almost as if they were contracting for construction or janitorial work rather than invasive spying tools.
“This shows the low barrier to entry when it comes to building a mobile surveillance program,” Flossman told me.
The spyware companies also mirrored more conventional businesses, offering slick sales brochures and tiered pricing options, Flossman and Blaich said.
In one case, a company trying to sell the government one hacking tool offered to throw in a second tool if the first one was discovered and patched by the software company within 40 days. The deal was off, though, if the government did something stupid that might draw the software company’s attention to the hack, the spyware company said.
The messages also provide an unusual inside look at the practices of spyware companies under frequent criticism for selling their tools to autocratic regimes that use them to to spy on political opponents, journalists and human rights activists.
The spyware products sold by Hacking Team and NSO Group, for instance, are often purchased and used for legitimate law enforcement investigations -- and also to clamp down on dissent within their borders. A 2018 Citizen Lab investigation found instances of NSO Group malware in 45 nations frequently targeting civil society actors rather than criminals.
“We know that once these are in the possession of a security service there’s an incredible temptation to abuse them,” Scott-Railton told me.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: The Democratic National Committee believes it was the target of a phishing campaign after the midterm elections that’s been linked to Russian government hacking groups, according to legal documents filed overnight, ABC News’s MaryAlice Parks and Lee Ferran reported.
The phishing campaign targeted dozens of DNC email addresses, but there’s no evidence it was successful, ABC News reported. The effort, which had other targets as well, used tactics similar to those employed by the Russian hacking group known alternately as Cozy Bear and APT29.
The allegations came in an amended complaint filed as part of the DNC’s lawsuit against Russia, the Trump campaign and others stemming from 2016 hacks at the DNC and the Hillary Clinton campaign that rocked the presidential election. The DNC did not allege the Trump administration knew about the post-midterm phishing campaign.
PATCHED: Sens. Angus King (I-Maine) and James E. Risch (R-Idaho) reintroduced a bill aiming to protect U.S. energy infrastructure from cyberattacks in part by considering ways to use low-tech procedures and analog devices. Such analog systems could help isolate the most critical parts of energy infrastructure from cyberattacks, according to a news release from King's office. “The increasing complexity of our digital systems has resulted in significant weaknesses and vulnerabilities that need to be addressed,” Risch said in a statement.
The Securing Energy Infrastructure Act would direct the energy secretary to set up a two-year pilot program within the Energy Department's National Laboratories to identify security vulnerabilities. The program would also aim to study the use of analog and physical controls to isolate and protect industrial control systems from digital attacks.
“Securing our energy infrastructure is not an abstract policy idea, it is an immediate need to protect our grid from the real threat of malign actors,” King said in a statement. “So far, the federal government has not matched this serious threat with the necessary action.” The bill passed the Senate in December in the previous Congress but it didn't advance in the House.
PWNED: The partial federal shutdown continues to take a toll on government websites. The Britain-based Internet security company Netcraft said the number of expired Web security certificates used by federal agencies rose to more than 130 from about 80 in the past week, The Washington Post's Brian Fung reported. As a result, most popular Web browsers won't display the Web pages and will suggest that the sites could have been compromised. And the damage could be worse: Paul Mutton, a security consultant for Netcraft, told Brian that the number of websites affected by the problem could be higher than 130 because some certificates may have applied to several Web pages.
The government also can't buy tools that automatically renew certificates to keep federal sites online. Matthew Prince, chief executive of Cloudflare, said he contacted the Justice Department and NASA to pitch his company's services including automatic renewal of certificates, but to no avail. “They’ve said ‘Thanks for the offer to help, but we don’t actually have anyone who is able to sign a new contract,’” Prince said, according to Brian. “Even agreeing to the terms of service is a contract. So they can’t even sign up for the free version of the service that would solve this problem.” Additionally, TechCrunch's Zack Whittaker has a list of federal HTTPS sites that are set to expire soon. You can see the list here.
-- The American Civil Liberties Union and the ACLU of Northern California sued the federal government to obtain information about federal authorities' alleged “social media surveillance activities,” according to a news release from the ACLU. The lawsuit seeks in part to obtain the release of rules governing such alleged surveillance from several federal agencies. The lawsuit, which was filed in the U.S. District Court for the Northern District of California, also seeks details about the Trump administration's alleged monitoring of some visa applicants.
“The public has a right to know how the federal government monitors social media users and speech, whether agencies are retaining social media content, and whether the government is using surveillance products to label activists and people of color as threats to public safety based on their First Amendment-protected conduct,” Hugh Handeyside, a senior staff attorney for the ACLU’s National Security Project, said in a statement.
— Rep. Douglas A. Collins (R-Ga.), the top Republican on the House Judiciary Committee, said data privacy and encryption are among the cybersecurity issues where he sees potential bipartisan agreement, the Hill’s Olivia Beavers reported. Collins said it could be possible to strike a balance between security and privacy concerns over the issue of criminals and terrorists using encrypted communications systems that police can't access with a warrant.
— More cybersecurity news from the public sector:
— The data breach that has been named “Collection #1” contains dizzying figures — including almost 773 million unique email addresses, according to security researcher Troy Hunt, who reported the breach — but it is not as dire as it sounds, according to Motherboard's Lorenzo Franceschi-Bicchierai. “Collection #1 is actually a collection of old breaches,” Motherboard said. In fact, of the 773 million unique emails in this collection, only 141 million (around 18 percent) were not included in Have I Been Pwned, Hunt’s invaluable resource of hacked data,” Motherboard reported.
— More news about security incidents:
— German authorities are considering preventing Chinese telecommunications giant Huawei from involvement in the country's 5G networks, Reuters reported. Several countries have raised similar security concerns about Huawei, and U.S. officials have said the company could be a platform for Chinese spying. “While no concrete steps have been decided upon, business daily Handelsblatt reported on Thursday that Chancellor Angela Merkel’s administration was actively considering stricter security requirements and other ways to exclude Huawei,” according to Reuters. “Officials were discussing setting security standards that Huawei could not achieve, effectively blocking its participation.”
— More cybersecurity news from abroad:
- ShmooCon hacker conference in Washington through Sunday.
How popular is the border wall?
Schiff compares Trump to 5th grader after canceling congressional trip:
Trump long-touted online polls during the 2016 campaign: