
FCC to Demand Telcos Improve Security

Tom Uren
Friday, December 13, 2024, 8:00 AM
The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.
Salt Typhoon, Stability AI

Published by The Lawfare Institute
in Cooperation With
Brookings

Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on news.risky.biz.

FCC to Demand Telcos Improve Security

The U.S. government and lawmakers are scrambling to deal with the ongoing compromise of U.S. telecommunications companies by a Chinese espionage group dubbed Salt Typhoon. In the U.S., the campaign has compromised at least eight telecommunications companies and been ongoing for a year or more. The Cyber Safety Review Board examination of the incident has kicked off, but we already know the rough shape of what has happened.

At some U.S. telcos, the hackers were able to penetrate the portals used to submit court orders for interception requests, letting them see what phone numbers were being tasked. This attack would be a counterintelligence boon as these portals were also used for foreign surveillance, so Chinese intelligence services would be able to see whether their activities were being watched. All in all, it’s pretty bad and to top it off, U.S. officials said they had not yet been able to evict the hackers. So it is not surprising the U.S. administration and lawmakers are lining up to impose security regulations on telcos.

At a press briefing last week, Anne Neuberger, the deputy national security adviser for cyber, said the White House wanted “minimum cybersecurity practices at telecoms, from secure configurations to architecting to monitor for anomalous behavior to strong key management.” An unnamed senior official at the briefing said, “We believe that if the companies had in place minimum [security] practices … that would make it far riskier, harder, and costlier for the Chinese to gain access and maintain access.” “We believe that the voluntary approach has proved inadequate for the most critical companies that underpin our critical infrastructure,” the official added.

Also last week, Federal Communications Commission (FCC) chairwoman Jessica Rosenworcel proposed a ruling that would interpret a section in the U.S.’s 1994 lawful intercept law (CALEA) as making it clear that carriers had a legal obligation to secure their networks against unlawful access and interception. The ruling would require that telcos create, update, and implement cybersecurity risk management plans.

At a glance, simply requiring a cybersecurity plan seems like a good idea. However, it is only a first step toward a comprehensive regime. The U.K.’s Telecommunications Security Code of Practice is highly detailed and includes specific security requirements spanning supply-chain management, physical security, identity management, and network architecture. 

The code of practice grew out of the 2019 U.K. Telecoms Supply Chain Review, which was motivated by concerns about the involvement of Chinese firms such as Huawei and ZTE in U.K. critical infrastructure. The review determined that increasingly capable telecommunications services came with higher risk and therefore required more robust security.

That kind of detailed planning takes years, and the code wasn’t published until 2022, after new legislation was passed in 2021. The U.S. is already in deep doo doo and doesn’t have that time.

At the opposite end of the spectrum, Australian law simply requires that telcos “do their best” to prevent unauthorized access or interference and protect confidentiality, integrity, and availability. This positive obligation to protect security was introduced way back in 2017, which in retrospect seems amazingly farsighted. It grew out of a recognition by some key people in government that security at telcos wasn’t as good as it should be and that giving telcos an obligation to protect security was a good idea, as documented in this 2013 parliamentary committee national security review.

Although the approaches taken by the U.K. and Australia are very different, the underlying intent of these laws and regulations is simply to increase telecommunications companies’ attention to and investment in security. In that regard, requiring a cybersecurity risk management plan seems like a sensible first step, albeit one that should have been taken years ago.

Of course, another short-term plan would be to give up on making telcos secure and just use Signal and WhatsApp like the FBI and Department of Homeland Security suggest. Shrug.

Romania’s TikTok Candidate

As the deadline for TikTok’s forced divestiture from Chinese parent company ByteDance grows closer, the company has cruelled its chances of a reprieve by mishandling an influence campaign targeting the Romanian presidential elections.

Per my colleague Catalin Cimpanu writing in Risky Business News:

Romania’s national security council (CSAT) has declassified two documents this week that reveal a coordinated propaganda campaign that boosted an obscure far-right and pro-Kremlin candidate into the country’s first round of presidential elections.
The campaign, which mostly took place via TikTok, took Calin Georgescu from an unknown candidate who was only polling around 1% a month before the election to the winner of the first presidential election round, where he accounted for almost a quarter of all votes.

Catalin describes different elements of the campaign, including TikTok influencers being paid to promote Georgescu and the use of dormant propaganda accounts that sprang to life in the weeks leading up to the election. He also catalogues TikTok’s shortcomings:

From the declassified documents, Romanian officials are pretty angry at TikTok for several reasons. The company failed to detect the propaganda accounts in time, failed to mark the Georgescu-themed posts as politically themed, and then refused to remove the content—only blocking it for Romania-based users but leaving it available to international audiences and the Romanian diaspora. Officials say this not only broke Romanian election laws but the company’s own policies.
The Romanian security council says that while other Romanian political candidates labeled their TikTok content properly and saw a fraction of the coverage, Georgescu’s obvious political posts were trending among Romanian audiences, and the company never intervened.

The Romanian top court annulled the first round of presidential elections.

TikTok cooperated with Romanian authorities in the investigation, and there is no reason to believe TikTok was complicit in the campaign, but this is exactly the sort of foreign interference exercise that concerns governments. (The U.S. State Department labeled the campaign as Russian interference.)

TikTok must separate from ByteDance by Jan. 19 or face a ban in the U.S., although the company is pursuing legal action to have the legislation reviewed by the Supreme Court. President-elect Trump said he would not ban TikTok, but who knows?

With so much at stake for the company, TikTok’s failure in Romania does not suggest it is capable of detecting and countering, say, Chinese influence operations. 

APTs Behaving Badly

Sanctions and indictments do not seem to stop Chinese cyber espionage actors from crossing boundaries of acceptable behavior. We’d describe “acceptable behavior” as being targeted at national security rather than economic interests, carrying out proportionate operations, and avoiding unnecessary harm to third parties. Many cyber actors, including the U.S. and allies, generally adhere to these behaviors, but others, including Chinese actors, do not.

This week the U.S. government unsealed an indictment and levied sanctions against Chinese individuals and a company allegedly complicit in the exploitation of a Sophos firewall product in 2020. The U.S. Department of Justice claims that Guan Tianfeng and other co-conspirators were involved in the development of an exploit that was subsequently used to deploy malware on tens of thousands of devices.

Mass deployment of malware is unacceptable because it causes unnecessary collateral damage—not the done thing for a responsible state program. To make matters worse, once Sophos had cottoned on to the intrusions, Guan and his colleagues allegedly altered their malware to make it more damaging, in a kind of scorched earth policy. If victims attempted to remove the malware, it would deploy encryption from the Ragnarok ransomware variant. We have no idea why attackers would do this or what benefit they would get from torching their victims’ infrastructure. 

Thankfully, the ransomware deployment didn’t work, but the Treasury’s statement announcing the sanctions notes that:

[T]he potential impact of the Ragnarok ransomware attack could have resulted in serious injury or the loss of human life. One victim was a U.S. energy company that was actively involved in drilling operations at the time of the compromise. If this compromise had not been detected, and the ransomware attack not been thwarted, it could have caused oil rigs to malfunction potentially causing a significant loss in human life.

There is a total disconnect between what U.S. and Chinese cyber operators consider to be acceptable norms of behavior. At least so far, the U.S. has had zero apparent impact on Chinese behavior.

More on the Radiant Capital Hack

The $50 million theft in October this year from decentralized finance platform Radiant Capital (which we covered here) has been linked to North Korean hackers by Mandiant. The hackers masqueraded as a former trusted developer on Telegram and asked for feedback on a PDF document. The document, which contained malware, was shared with several Radiant developers, at least three of whom were hacked and their devices used to sign malicious multi-signature transactions.

The document analyzed another cryptocurrency theft, and it makes sense that this was interesting for cryptocurrency developers looking to avoid being hacked themselves. We wonder if this is the basis for a perpetual hack machine where each North Korean cryptocurrency theft provides material for another great lure document … for more North Korean hacks.

Radiant used what it thought were robust controls including “rigorous SOPs, hardware wallets … and careful human review.” In retrospect, it says some of these controls were ultimately “superficial checks” because they relied on front-end verifications that could be spoofed and “blind signing,” where a transaction is approved without the authorizing user seeing full transaction data.
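To make the distinction between a spoofable front-end check and verification of the signed payload concrete, here is an added illustration in Python. It is not code from the newsletter, Radiant Capital, or any wallet; the transaction format, field names, addresses, and signing key are all constructed for the demo. A compromised front end displays an honest summary while handing the signer a different payload: the blind signer approves whatever hash it is given, whereas the verifying signer decodes the actual bytes and refuses when they disagree with what was displayed.

```python
"""Added example (not from the newsletter or Radiant Capital): why blind
signing lets a spoofed front end get a malicious transaction approved, and
how decoding the full payload before signing catches it.

Everything here (tx fields, addresses, key, encoding) is a constructed
stand-in for a real wallet or chain format."""
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo signing key; a real signer would use a hardware-held key.
DEMO_KEY = b"demo-signing-key-not-real"

# What the honest operator intended: move 10 units to the treasury.
HONEST_TX = {"action": "transfer", "to": "treasury_addr", "amount": 10}

# What a compromised front end actually submits for signature: a different
# recipient and an extra privileged field the summary never mentions.
MALICIOUS_TX = {
    "action": "transfer",
    "to": "attacker_addr",
    "amount": 10,
    "new_owner": "attacker_addr",
}

# The summary the (spoofed) front end shows the human for both cases.
DISPLAYED_SUMMARY = {"action": "transfer", "to": "treasury_addr", "amount": 10}


def encode_tx(tx: dict) -> bytes:
    """Deterministic serialisation standing in for a chain's wire encoding."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def decode_tx(payload: bytes) -> dict:
    """Inverse of encode_tx; a real signer would decode calldata here."""
    return json.loads(payload.decode())


def sign(payload: bytes) -> str:
    """Constructed signature: HMAC over the exact bytes being approved."""
    return hmac.new(DEMO_KEY, payload, hashlib.sha256).hexdigest()


def blind_sign(payload: bytes, displayed_summary: dict) -> str:
    """Blind signing: the human sees only the front end's summary; the signer
    never looks at what the payload really says and signs it unconditionally."""
    return sign(payload)


def verified_sign(payload: bytes, displayed_summary: dict) -> Optional[str]:
    """Decode the bytes actually being signed and compare them, field by field,
    with what was displayed. Refuse (return None) on any mismatch, including
    fields present in the payload that the summary did not show at all."""
    actual = decode_tx(payload)
    if set(actual) != set(displayed_summary):
        return None  # hidden or missing fields: the summary is incomplete
    for field, shown in displayed_summary.items():
        if actual[field] != shown:
            return None  # displayed value differs from the signed value
    return sign(payload)


if __name__ == "__main__":
    mal = encode_tx(MALICIOUS_TX)
    print("blind signer approved malicious tx:", blind_sign(mal, DISPLAYED_SUMMARY) is not None)
    print("verifying signer approved malicious tx:", verified_sign(mal, DISPLAYED_SUMMARY) is not None)
    print("verifying signer approved honest tx:",
          verified_sign(encode_tx(HONEST_TX), DISPLAYED_SUMMARY) is not None)
```

The point of the structure is that the check happens on the decoded payload the key actually commits to, not on anything the front end rendered; a hardware wallet that shows decoded fields on its own screen is the physical version of `verified_sign`, while one that shows only a hash is `blind_sign`.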

Three Reasons to Be Cheerful This Week:

  1. Finding mobile malware with an app: Mobile device security firm iVerify has announced that the mobile threat hunting feature of its app has found seven previously unknown Pegasus malware infections (out of 2,500 scans). It has been difficult for regular users to identify malware infections on phones without specialist expertise and tools, so having an app that does it is good news. (Disclaimer: iVerify is a spin-off company from Risky Business sponsor Trail of Bits.) Wired has further coverage.
  2. Snowflake shuts barn door: Cloud data analytics provider Snowflake has announced plans to roll out mandatory multi-factor authentication (MFA) from April next year. Snowflake was involved in rolling breaches throughout the year that MFA would likely have prevented, but better late than never.
  3. Money laundering disruption: The U.K.’s National Crime Agency announced it had disrupted Russian money laundering networks known as Smart and TGR. The networks were linked to drugs, ransomware, and espionage. The operation led to 84 arrests, and the U.S. Treasury announced sanctions aimed at the TGR group.

Risky Biz Talks

In the latest “Between Two Nerds” discussion, Tom Uren and The Grugq talk about how states have very different approaches to controlling cyber operations.

From Risky Biz News

Improperly patched Cleo bug exploited in the wild: The Termite ransomware group is believed to be behind a wave of attacks exploiting an improperly patched vulnerability in Cleo file-transfer products. The attacks started on Dec. 3 and have compromised at least 10 organizations, according to security firm Huntress Labs. The Termite group is exploiting a bug initially patched at the end of October that impacts Cleo file-transfer products such as Harmony, LexiCom, and VLTrader. Tracked as CVE-2024-50623, the bug is an unrestricted file upload and download vulnerability that can lead to remote code execution attacks.

Greece is close to burying its Predatorgate scandal: More than two years after it got caught spying on journalists and political rivals, the Greek government is still working at burying the investigation into what is now known as the Predatorgate scandal. The incident, which rocked the Greek political scene, came to light in July 2022 when a security team of the European Parliament found traces of the Predator spyware on the phone of Nikos Androulakis, a member of the European Parliament and the president of Greece’s second-largest opposition party (PASOK). The surveillance operation was ordered by the ruling government, was conducted by the Greek national intelligence service, the EYP, and allegedly cost 7 million euros.

Turla hacked Pakistani APT infrastructure: A Russian cyber-espionage group has hijacked the infrastructure of a Pakistani APT group and used it to launch its own attacks for at least the past two years. Researchers at Lumen and Microsoft say Turla operators hacked the command-and-control servers of Pakistan’s Transparent Tribe at the end of 2022. The group used the servers to push its own payloads to victims previously infected by Transparent Tribe. Microsoft says Turla has hacked at least six other APTs over the past seven years. The only previous public case is Iranian APT group OilRig in 2019.



Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre where he contributed to various projects including on offensive cyber capabilities, information operations, the Huawei debate in Australia and end-to-end encryption.
