
Responding To Election Interference At Warp Speed

Tom Uren
Friday, October 4, 2024, 11:00 AM
The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.
Bald eagle flying at warp speed, Stable Diffusion

Published by The Lawfare Institute in Cooperation With Brookings

Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on news.risky.biz.

Responding to Election Interference at Warp Speed

The U.S. Department of Justice has announced the indictment of three Iranians allegedly responsible for a hack-and-leak operation targeting the Trump presidential campaign. In addition to the hack-and-leak operation, the indictment alleges the three had been involved in a “wide-ranging hacking campaign” since 2020 and were employed by Iran’s Islamic Revolutionary Guard Corps (IRGC).

The operation was first reported by Politico on Aug. 10, and by Aug. 19, the FBI, the Cybersecurity and Infrastructure Security Agency, and other U.S. agencies had attributed it to Iran. The indictment was unsealed on Sept. 27. By the standards of government responses to state-sponsored hacking, this is warp speed.

The mid-August attribution statement was short (“It was Iran what done it!”), and the relatively rapid release of a highly detailed indictment gives confidence that the U.S. government really does know what it is talking about. The quick government response means that other actors in the information ecosystem, ranging from individual citizens to social media platforms, can make informed decisions about the content.

Late last week, independent journalist Ken Klippenstein published what appeared to be one of the hacked documents, a research dossier examining the political vulnerabilities of Sen. JD Vance (R-Ohio), Trump’s running mate.

We have previously covered how mainstream media had not published this document and focused instead on the hack element of the hack-and-leak operation. As a Politico spokesperson told the Washington Post’s media reporter, “[T]he questions surrounding the origins of the documents and how they came to our attention were more newsworthy than the material that was in those documents.”

Klippenstein took a different view, writing:

[T]he news media has been sitting on it (and other documents), declining to publish in fear of finding itself at odds with the government’s campaign against “foreign malign influence.”

If the document had been hacked by some “anonymous” like hacker group, the news media would be all over it. I’m just not a believer of the news media as an arm of the government, doing its work combating foreign influence. Nor should it be a gatekeeper of what the public should know.

Meta blocked links to the newsletter containing the dossier on Threads, Instagram, and Facebook, citing policies that ban sharing of hacked materials when they are part of a foreign influence operation. Leaving aside whether this ban is the best policy, at least rapid government action allows Meta to enforce it without making judgment calls about what constitutes foreign interference.

Jon Bateman, a senior fellow at the Carnegie Endowment and author of a report on countering disinformation, told Seriously Risky Business that “the politics and architecture of platform governance has radically changed” in recent years.

Bateman described Meta’s content moderation policies as “highly institutionalized” but added that “[I]t’s also clear that Mark Zuckerberg is trying to reduce the overall presence of controversial political material on his apps, and to neutralize his (and Meta’s) reputation as left-leaning.” So, less election-related material on Meta properties simply means there is less opportunity for interference.

Although the overall environment has changed so that it is more difficult for foreign interference activities to gain traction, it’s not all good news.

X also blocked links and temporarily suspended Klippenstein’s account for posting unredacted private personal information such as “Sen. Vance’s physical addresses and the majority of his Social Security number.” Klippenstein says he didn’t post private information to X, just links to the dossier, but Elon Musk, X’s owner, described the release of the report as “one of the most egregious, evil doxxing actions we’ve ever seen.”

Bateman said that content policies on X have become “personalized, that is, they reflect the individual desires of Elon Musk, an extremely partisan, irresponsible, and politically engaged individual.”

From the perspective of minimizing foreign interference, having a social media company blocking or promoting hacked materials based on the owner’s political leanings seems less than ideal. But it is not a crime to be a billionaire with strong opinions, so we wonder if rather than being blocked, it might be better if social media platforms simply marked potentially hacked materials with warning labels.

After all, if leaked materials really are newsworthy, the public should know about them. But the public should also know if those materials are the result of a potential foreign hacking operation.

The Marriage Between Evil Corp and Russian Intelligence Services

A new paper jointly authored by the U.K.’s National Crime Agency, the FBI, and the Australian Federal Police spells out the links between Russian cybercrime group Evil Corp and Russian intelligence services. The document release was timed to coincide with new sanctions levied against the group by the U.K., Australian, and U.S. governments and provides a high-level overview of the group’s origins, operations, and evolution.

Evil Corp was formed in 2014, but the criminal activities of some of its key members date back to 2007. The paper describes Evil Corp as “the most pervasive cybercrime group to ever have operated.” The paper says that Evil Corp had a “privileged position” with the Russian state and that its relations went “far beyond the typical state-criminal relationship of protection, payoffs and racketeering.” Maksim Yakubets, the group’s founder, was the group’s main contact with Russian intelligence services “developing or seeking to develop relationships with FSB, SVR, and GRU officials.” Yakubets’s father-in-law was a “key enabler” of these relationships:

Eduard Benderskiy is a former high ranking official of the FSB’s secretive ‘Vympel’ unit and now owns various organisations carrying the ‘Vympel’ name. It has been reported by Bellingcat that through Vympel, Benderskiy has been involved in multiple overseas assassinations on behalf of the Russian state. Evidently, he is a highly connected individual still closely involved with the Kremlin’s activities.
Benderskiy leveraged his status and contacts to facilitate Evil Corp developing relationships with officials from the Russian Intelligence Services. After the US sanctions and indictments against Evil Corp members in December 2019, Benderskiy used his extensive influence to protect the group, both by providing senior members with security and by ensuring they were not pursued by internal Russian authorities.

Even prior to 2019, Evil Corp was asked by Russian intelligence services to conduct cyber espionage operations against NATO countries. It seems that what was once unusual is now commonplace, and there have been recent reports that the Russian government is using criminals to bolster its cyber forces, as discussed in a recent “Between Two Nerds” podcast.

Bang for Buck in Memory Safe Languages

Adopting memory safe languages for new code will reduce the total number of memory safety vulnerabilities found in software projects relatively quickly, according to Google.

Memory safety vulnerabilities are a class of vulnerabilities related to how computers read, store, and write memory. Google notes these types of vulnerabilities “tend to be significantly more severe, more likely to be remotely reachable, more versatile, and more likely to be maliciously exploited than other vulnerability types.” This finding reinforces the message of a White House report released in March that called for the adoption of memory safe languages.

Memory safe languages such as Go, Rust, and Swift significantly reduce the likelihood of these vulnerabilities. In older languages, such as C and C++, programmers were responsible for managing memory and could inadvertently introduce vulnerabilities that gave malicious actors the opportunity to take control of systems.

Google has found that even in a large code base such as Android, writing new code in memory safe languages reduces the number of memory safety vulnerabilities discovered surprisingly quickly. The effect is outsized: the reduction is significant even when only a minority of the total code base is written in the new memory safe language, because most vulnerabilities are found in new or recently modified code. Eliminating a class of vulnerabilities from new code therefore removes them from exactly the place where they are most likely to be found. In the case of Android, prioritizing memory safe languages has reduced the number of memory safety vulnerabilities more than fivefold since 2019, even though only around 40 percent of the code base was written in these languages. (Memory safety vulnerabilities have declined from over 200 per year in 2019 to a predicted 36 in 2024, based on discovery rates so far this year.)
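To see why the effect is larger than the safe-code share alone would suggest, here is a toy model added for illustration. It is not Google's analysis and none of the numbers are Android's: the yearly code volume, the assumed discovery rate of 100 bugs per unit of fresh unsafe code, and the assumed two-year half-life are all constructed. Code is written in yearly cohorts, the memory-safety bugs found in an unsafe cohort decay exponentially with the cohort's age, and from 2019 on every new cohort is written in a memory safe language while older code is left as is.

```python
"""Toy model (constructed for this example, not Google's analysis) of why
moving only *new* code to a memory-safe language cuts memory-safety
vulnerabilities faster than the share of safe code would suggest.

Assumptions, all constructed:
  * code is written in equal yearly cohorts;
  * the number of memory-safety bugs found in an unsafe cohort in a given
    year decays exponentially with the cohort's age (most bugs are found
    in new or recently modified code);
  * cohorts written in a memory-safe language contribute no such bugs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cohort:
    year: int          # year the code was written
    size: float        # arbitrary code-volume units (constructed)
    memory_safe: bool  # True if written in a memory-safe language


@dataclass(frozen=True)
class YearStats:
    safe_fraction: float  # share of the code base that is memory safe
    vulns: float          # memory-safety bugs found that year (model units)


def bugs_from_cohort(cohort: Cohort, year: int, rate: float, half_life: float) -> float:
    """Bugs found in `year` that live in `cohort`, decaying with the cohort's age."""
    age = year - cohort.year
    if age < 0 or cohort.memory_safe:
        return 0.0
    return cohort.size * rate * 0.5 ** (age / half_life)


def simulate(start: int, end: int, switch_year: int, new_code_per_year: float,
             rate: float, half_life: float) -> dict[int, YearStats]:
    """Year-by-year safe-code share and memory-safety bug count.

    From `switch_year` on, every new cohort is written in a memory-safe
    language; older cohorts are never rewritten.
    """
    cohorts: list[Cohort] = []
    results: dict[int, YearStats] = {}
    for year in range(start, end + 1):
        cohorts.append(Cohort(year, new_code_per_year, memory_safe=year >= switch_year))
        total = sum(c.size for c in cohorts)
        safe = sum(c.size for c in cohorts if c.memory_safe)
        vulns = sum(bugs_from_cohort(c, year, rate, half_life) for c in cohorts)
        results[year] = YearStats(safe_fraction=safe / total, vulns=vulns)
    return results


def reduction_factor(results: dict[int, YearStats], before: int, after: int) -> float:
    """How many times fewer bugs were found in `after` than in `before`."""
    return results[before].vulns / results[after].vulns


def uniform_model_reduction(results: dict[int, YearStats], after: int) -> float:
    """Reduction expected if bugs were spread evenly over all code regardless
    of age: then only the safe share of the code base would matter."""
    return 1.0 / (1.0 - results[after].safe_fraction)


if __name__ == "__main__":
    # One cohort of 1.0 code units per year from 2010, switch to safe code in 2019,
    # assumed 100 bugs per unit of fresh unsafe code, assumed two-year half-life.
    stats = simulate(2010, 2024, 2019, new_code_per_year=1.0, rate=100.0, half_life=2.0)
    for year in (2018, 2019, 2021, 2024):
        s = stats[year]
        print(f"{year}: {s.safe_fraction:.0%} safe, {s.vulns:6.1f} bugs found")
    print(f"age-weighted model reduction 2018->2024: {reduction_factor(stats, 2018, 2024):.1f}x")
    print(f"uniform-by-volume model reduction:       {uniform_model_reduction(stats, 2024):.1f}x")
```

With these assumed parameters the code base is 40 percent memory safe by 2024, yet the yearly count of memory-safety bugs falls eightfold between 2018 and 2024, against the 1.7x that a "bugs are spread evenly over all code" view would predict. In this model the reduction is exactly 2 raised to (years since the switch divided by the half-life), independent of the safe-code share, because the set of unsafe cohorts stops growing and every one of them keeps ageing.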

Easy wins are pretty rare in security, and this has been good advice for a long time. Now that we have some actual numbers behind it, it’s time to get serious.

Three Reasons to Be Cheerful This Week:

  1. A security advisor for small business: Google has launched a set of tools it calls a “security advisor” for Google Workspace. The tools are designed to make it easier for small businesses to improve their security.  
  2. Australian code of conduct for dating services: The Australian government has launched a voluntary code of conduct for online dating services. The code requires that dating services make reasonable efforts to detect and act on online-enabled harm, have prominent complaint mechanisms, and share information about high-risk users. The government doesn’t have any enforcement role, but the code has reporting and transparency requirements, and services can be kicked out of the code if they don’t comply.
  3. FCC T-Mobile settlement aims to improve cybersecurity: In a settlement with the U.S. Federal Communications Commission over multiple breaches, T-Mobile has committed to changes aimed at improving its cybersecurity and will pay $15.75 million in penalties. The security commitments include the chief information security officer regularly briefing T-Mobile’s board on cybersecurity risk, moving toward a zero-trust architecture, and the broad adoption of multi-factor authentication within its network.

Shorts

Pentagon: Change Is Bad

The U.S. Department of Defense has asked lawmakers to withdraw their proposal for an independent assessment of establishing a cyber force separate from existing services.

The Pentagon formally asked the House and Senate Armed Services committees to remove the proposal, which is contained in the 2025 National Defense Authorization Act. The Defense Department cited a previous study examining cyber personnel training as a justification, but it would be no surprise to us if vested interests are the driving force here. We don’t imagine the established services such as the Army, Navy, and Air Force want to divide the kitty with a new upstart force. Further coverage in The Record.

U.S. Government and Court Systems Riddled With Flaws

Jason Parker, a software developer turned security researcher, has uncovered a swathe of flaws in commercial software used for public record systems by governments and courts across the U.S. Parker found serious flaws in 19 commercial software packages including in voter registration and court document management systems. Per Ars Technica, which has good coverage:

One flaw he uncovered in the voter registration cancellation portal for the state of Georgia, for instance, allowed anyone visiting it to cancel the registration of any voter in that state when the visitor knew the name, birthdate, and county of residence of the voter. In another case, document management systems used in local courthouses across the country contained multiple flaws that allowed unauthorized people to access sensitive filings such as psychiatric evaluations that were under seal. And in one case, unauthorized people could assign themselves privileges that are supposed to be available only to clerks of the court and, from there, create, delete, or modify filings.  

Yikes.

Risky Biz Talks

In the latest “Between Two Nerds” discussion, Tom Uren and The Grugq talk about various Southeast Asian countries investing in cyber forces, the drivers behind these decisions, and what kind of actions make sense.

From Risky Biz News:

New Evil Corp sanctions and LockBit arrests drop on Counter Ransomware Initiative summit week: This week, the Counter Ransomware Initiative is holding its yearly summit in Washington, and the U.S.-led coalition decided to celebrate its fourth anniversary with a crackdown on everybody’s “favorite” cybercrime groups—LockBit and Evil Corp. Announcements included new LockBit arrests and server seizures, and more sanctions on newly uncovered Evil Corp members—including a former FSB Spetsnaz officer who has been quietly protecting the group from local authorities.

Three years later, the U.S. charges Joker’s Stash carding forum admin: The U.S. Department of Justice has charged a Russian national for operating the now-defunct Joker’s Stash carding forum. Officials say Timur Shakhmametov went online under the aliases of JokerStash and Vega. He launched Joker’s Stash in October 2014 and shut down operations in February 2021, two months after Interpol and the FBI seized some of its front-facing server infrastructure. Threat intel companies have estimated the forum made between $280 million and $1 billion by selling more than 40 million payment card details.

Attackers are on the hunt for the new UNIX CUPS RCE: Threat actors are scanning the internet for UNIX systems that are exposing their printing ports in an attempt to exploit a set of four vulnerabilities in the CUPS printing component. The vulnerabilities were discovered by Italian security researcher Simone Margaritelli earlier this year and were disclosed at the end of last week. They impact CUPS, the Common UNIX Printing System, an open-source component that allows UNIX systems to function as print servers. The four bugs are part of an exploit chain that can allow an attacker to deploy a malicious printer, have the printer indexed by a victim’s CUPS server, plant malicious code on the CUPS server (UNIX system) inside a PPD file, and have the malicious code from the PPD file executed when a user launches a print job via the attacker’s (malicious) printer.

Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre where he contributed to various projects including on offensive cyber capabilities, information operations, the Huawei debate in Australia and end-to-end encryption.