2023-04-25

Welcome to The Cybersecurity 202!

Below: The United States unseals indictments for the laundering of crypto stolen by North Korea, and Prince Harry seeks restitution from another media group over phone hacking allegations. First:

Behind the booting of the SolarWinds hackers, and how the Russians are faring now

SAN FRANCISCO — Freshly revealed details highlight the close collaboration among government agencies as they worked to counter a massive Russian hack, officials at an annual conference said Monday.

And that effort was one of many reasons Russian hackers appear to be at an ebb, experts said at the same conference.

The officials, who came from several federal agencies, touted successful counteroffensives against Moscow-backed hackers and offered potential explanations for Russia’s dip in cyberspace power at two events at the RSA Conference. The events examined the hack of software company SolarWinds, which was discovered in 2020 and blamed on Russia’s SVR foreign intelligence agency.

To be clear, no one’s counting Moscow out of the hacking game. But experts and officials say that Moscow’s recent behavior in cyberspace — and U.S. operations to counter those hacks — helps explain why they believe Russia, one of the world’s cyber titans, hasn’t been as successful in recent endeavors.

CISA + Cyber Command

For two top officials with the Cybersecurity and Infrastructure Security Agency (CISA) and Cyber Command’s Cyber National Mission Force (CNMF), the response to the SolarWinds hack was an example of the two organizations working together to evict Russian spies.

In its capacity as liaison with the private sector, CISA collaborated with FireEye, which had been infected in the SolarWinds hack, said Eric Goldstein, executive assistant director for cybersecurity at CISA. CISA also worked with Microsoft, whose Office 365 infrastructure was targeted in the campaign. And it also worked with affected federal agencies. (The White House said the hackers infiltrated nine federal agencies via SolarWinds.)

That’s how CISA ended up getting electronic copies of infected servers, which the agency then shared with the CNMF, Goldstein said.

And the CNMF was able to make use of them, in combination with working with an unnamed overseas partner, said the force’s commander, Maj. Gen. William J. Hartman.

“The ability to gain access to an image of the compromised server was invaluable to us,” he said.

“Because of the relationship and because of preparation, not only were we able to gain access to the adversary, but we were able to do so in a manner that the adversary didn't know we were there,” he said.

Overall, “We were eventually able to collect 18 pieces of novel malware,” Hartman said. Officials then shared those samples with CISA and returned to the overseas partner to help boot the hackers from the partner’s network.

If you want to hear about more fascinating, previously undisclosed and now declassified examples of CISA and Cyber Command collaborating, check out what my colleague Joseph Menn wrote yesterday.

Down, but definitely not out

The SolarWinds intrusion and the foothold it gave the SVR in top companies and agencies was a significant achievement for the Russians.

But that also meant that the discovery of the hack — and their loss of access to the hacked networks — was rough for them. “Losing SolarWinds was a big loss for Russia,” said Michael Sikorski, chief technology officer and vice president of engineering and threat intelligence at Palo Alto Networks’ Unit 42. If the SVR had retained access without anyone knowing, Russia might have had a cyber leg up going into the Ukraine conflict, Sikorski said.

The operation also wasn’t something Russian hackers could quickly replicate; the SVR’s hackers had to wait for months after hacking SolarWinds to eventually pounce on the software update that they exploited to gain entry into SolarWinds customers’ systems, Sikorski said. “It’s going to take precious time to build up a capability like that again,” he said.

The FBI has undertaken other types of operations to disrupt Russian hackers, including by seizing back payments to Russian ransomware gangs or breaking up their launchpads for attacks, said Elvis Chan, assistant special agent in charge assigned to the FBI’s San Francisco office. The moves come as the Biden administration seeks to “use all instruments of national power to disrupt and dismantle threat actors whose actions threaten our interests,” according to its cyber strategy.

“What are we doing to inflict consequences, to inflict pain?” Chan asked. “We’re just trying to wreak havoc wherever we can.”

Experts also examined the role of cyberattacks in Russia’s war with Ukraine. The cyber aspect of the conflict has been frequently described as being somewhat underwhelming. The recent leaks of classified U.S. documents on chat app Discord are also probably complicating Russia’s ability to carry out cyber campaigns, said Christopher Ott, a partner at the Loeb & Loeb law firm.

“We can see from the Discord leaks that there’s a fairly intensive compromise of Russian military intelligence,” said Ott, who handled cyber cases as a federal prosecutor. “Because they’re in the middle of an invasion, it’s going to be difficult for them to clean back out … some of their communications capabilities.”

“They can’t necessarily count on their ability to deploy things secretly,” he said.

Still, Russia remains a capable foe in cyberspace, the experts said.

Sikorski warned that it’s entirely possible there’s already a massive, undiscovered Russian hack underway. Or perhaps Russia has turned its attention to misinformation and similar operations, he said.

Russian attacks on Ukraine increased 250 percent last year compared with 2020 volumes, according to a recent Google Threat Analysis Group report.

“The quantity is increasing, and I would like to think it’s because there’s some level of desperation from Russia,” the FBI’s Chan said.

What’s particularly worrisome is Russian efforts to “sow discontent” ahead of the 2024 U.S. elections through disinformation and influence campaigns, Chan said.

“Heading into 2024, it’s already been contentious, and we don’t even have all the declared candidates,” Chan said.

The keys

U.S. accuses four people of working to launder stolen cryptocurrency for North Korea

Federal prosecutors accused four people of working to “launder stolen cryptocurrency and use the funds to purchase goods through Hong Kong-based front companies for the benefit of North Korea,” according to a news release. North Korean Foreign Trade Bank representative Sim Hyon Sop, Chinese national Wu Huihui, alleged “financial facilitator” Jammy Chen and Cheng Hung Man, who lives in Hong Kong, were charged in three indictments that were unsealed Monday.

Prosecutors also accused Sim of conspiring with North Korean IT workers to launder the “proceeds of illegal IT development work,” when “IT workers gained employment at U.S. crypto companies using fake identities and then laundered their ill-gotten gains through Sim for the benefit of the North Korean regime,” according to the news release.

The Treasury Department also announced related sanctions on Monday.

North Korea’s “use of illicit facilitation networks to access the international financial system and generate revenue using virtual currency for the regime’s unlawful weapons of mass destruction (WMD) and ballistic missile programs directly threatens international security,” Undersecretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said in a statement.

Haines warns of digital repression efforts from China, Iran

Director of National Intelligence Avril Haines warned of tactics being used by nations like China and Iran to crack down on dissenters domestically and outside their borders, Jack Gillum reports for Bloomberg News.

Haines was speaking at an event with the Carnegie Endowment for International Peace, where she said disinformation, spyware and emerging technologies like artificial intelligence could enable authoritarian regimes to suppress their citizens.

“We’re seeing more and more instances of other countries engaging in digital repression and their adoption of these approaches is, in turn, contributing to further democratic erosion,” she said at the event.

Haines “singled out Russia for passing laws that censored opposition to its invasion of Ukraine and imprisoning people who spread so-called ‘fake news,’” Gillum writes. Haines also said China and Iran were responsible for repressing speech online.

She also warned of governments repressing their citizens by cutting off internet access, a rising practice “which she said had happened more than 180 times across 35 countries last year,” Gillum writes.

Prince Harry goes to court again amid phone hacking allegations

Lawyers for Prince Harry will return to court Tuesday as he continues a legal battle against British media outlets for allegedly hacking his phone, this time taking a case against Rupert Murdoch’s News Group Newspapers (NGN), the publisher of the Sun newspaper and defunct News of the World, Michael Holden and Sam Tobin report for Reuters.

“The case is one of four Harry is pursuing at the High Court in London against British newspapers that he accuses of using illegal means to invade his or his wife's privacy, or simply lying about them,” according to the report.

NGN seeks to strike the claims, which have been brought by Prince Harry as well as actor Hugh Grant. The company says they should have been filed sooner.

“The Sun does not accept liability or make any admissions to the allegations,” an NGN spokesperson told Reuters. “As we reach the tail end of litigation, NGN is drawing a line under disputed matters, some of which date back more than 20 years ago.”

The case could prove significant for the media giant, Holden and Tobin write. NGN in 2012 issued an apology following hacking carried out by News of the World journalists. NGN has “paid out millions of pounds to settle hundreds of phone-hacking cases,” they also note. But the company has long rejected accusations that illegal activity happened at the Sun, Reuters reports.

Thanks for reading.