
Fool Me Once ... Iran's Hack and Leak Falls Flat

Tom Uren
Friday, August 16, 2024, 9:30 AM
The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.

Published by The Lawfare Institute in cooperation with Brookings.

Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on news.risky.biz.

Fool Me Once ... Iran’s Hack and Leak Falls Flat

In sharp contrast to events during the 2016 U.S. presidential election campaign, an apparent hack and leak operation targeting the Trump campaign is being treated responsibly by America’s mainstream media. For us, “responsible” behavior means verifying the documents, assessing the material’s newsworthiness, and giving readers context about the operation behind the leak.

On Saturday, after being approached by news outlet Politico with leaked documents, the Trump campaign claimed it had been hacked in an attempt to interfere with the 2024 election. Trump campaign spokesperson Steven Cheung said that “these documents were obtained illegally from foreign sources hostile to the United States, intended to interfere with the 2024 election and sow chaos throughout our Democratic process.” Cheung cited a recent Microsoft report describing Iran’s targeting of the 2024 U.S. elections, which said Iranian intelligence had attempted to spearphish a high-ranking official in a presidential campaign.

An Iranian operation is plausible, based on recent warnings from a U.S. intelligence official that Tehran wanted to damage Trump’s election prospects. However, neither Microsoft nor the FBI has confirmed the Trump campaign was hacked, although the FBI said it was investigating the matter.

Politico’s reporting on the contents of the material has been very cautious:

On July 22, POLITICO began receiving emails from an anonymous account. Over the course of the past few weeks, the person—who used an AOL email account and identified themselves only as “Robert”—relayed what appeared to be internal communications from a senior Trump campaign official. A research dossier the campaign had apparently done on Trump’s running mate, Ohio Sen. JD Vance, which was dated Feb. 23, was included in the documents. The documents are authentic, according to two people familiar with them and granted anonymity to describe internal communications. One of the people described the dossier as a preliminary version of Vance’s vetting file.
The research dossier was a 271-page document based on publicly available information about Vance’s past record and statements, with some—such as his past criticisms of Trump—identified in the document as “POTENTIAL VULNERABILITIES.” The person also sent part of a research document about Florida Sen. Marco Rubio, who was also a finalist for the vice presidential nomination.

That is all Politico says about the content of the leaked documents. Its reporting has instead focused on the hacking incident itself:

The person said they had a “variety of documents from [Trump’s] legal and court documents to internal campaign discussions.”
Asked how they obtained the documents, the person responded: “I suggest you don’t be curious about where I got them from. Any answer to this question, will compromise me and also legally restricts you from publishing them.”

The Washington Post and New York Times were also given Trump campaign documents by “Robert” from an AOL account. Their reporting has also focused on the hack and not the contents of the documents.

This stands in stark contrast to the 2016 reporting on the content of hacked Democratic Party materials, which were published by WikiLeaks and widely reported in mainstream media.

This all sounds like reason for optimism: U.S. media organizations stand firm against foreign interference! Well done!

However, this is probably as good as “responsible” reporting will get. Although news organizations have earned a gold star for at least thinking about the ethics of publishing hacked materials, it appears the leak was just a snoozefest and not really worth publishing after all.

A Politico spokesperson told the Washington Post’s media reporter that “the questions surrounding the origins of the documents and how they came to our attention were more newsworthy than the material that was in those documents.” And the Washington Post’s executive editor, Matt Murray, thought the material “didn’t seem fresh or new enough.”

In other words, even though media organizations are being more cautious about hacked material, if the leaked materials were newsworthy enough, they would have published them.

In 2016, the news cycle was gummed up with pointless stories about the inner machinations of the Democratic National Committee. Moving the editorial threshold at which American media companies will publish stolen documents is a massive win. And there are other reasons for optimism.

When it comes to detecting the breach, the Washington Post reports the Trump campaign detected an email system breach “earlier this summer” even though it did not disclose it to the public or to law enforcement at the time.

In 2016, multiple compromises of organizations and individuals related to the Democratic party and Hillary Clinton’s campaign went unnoticed by the victims. Even the FBI’s initial efforts to inform the victims were fruitless and took months to break through.

It’s also a lot clearer how political parties and campaigns should protect themselves. Google’s Advanced Protection Program, for example, didn’t exist in 2016.

So there are better technical measures to prevent hacks, and the media’s response has improved. But a sensational leak is still a sensational leak. A hack and leak operation containing the right source material could well have a significant impact.

The U.S. Government’s Foray Into Cyber Insurance Underwhelms

The U.S. government is working on a policy that addresses insurance for catastrophic cyber incidents, reports The Record. The idea here is to provide market certainty in the event of a catastrophic cyber incident while also improving organizations’ cybersecurity. Government support in this context is often referred to as a “backstop,” where it would cover insurance costs for certain yet-to-be-defined catastrophic events.

Josephine Wolff, a cybersecurity professor and author of a book on cybersecurity insurance policy, spelled out the logic to this newsletter. She explained that insurers want the backstop so that for certain stipulated catastrophic events the government would ultimately pay out for successful claims. The government could tell insurance companies wanting this coverage that their policyholders must implement certain security measures.

So voila! Increased certainty with improved security.

Wolff said insurers were currently writing exclusions that “increasingly leave their policyholders on the hook to pay for various types of catastrophic cyber events.” Lloyd’s of London, for example, has drafted model war exclusions that carve out, among other things, “a cyber operation that has a major detrimental impact on the functioning of a state.”

Wolff thinks that although figuring out the details of a backstop would be “pretty tricky,” it could be a tool used by governments and insurers to improve security.

On the other hand, Daniel Woods, a cyber risk and insurance researcher at the University of Edinburgh, told Seriously Risky Business he thought a backstop was unnecessary.

In a Lawfare piece last year, Woods noted that government backstops are usually required when a lack of insurance results in economic activity grinding to a halt. After 9/11, for example, construction activity stopped because terrorism exclusions meant property insurance was prohibitively expensive for developers. The U.S. government passed the Terrorism Risk Insurance Act in response.

This justification just does not exist in the cyber domain. It’s not as if organizations are not engaging in online activity because they can’t get insurance.

Woods also pointed to the rise of catastrophe bonds and insurance-linked securities covering cyber risk, which he described as the private sector equivalent of a backstop.

It’s worth remembering that the large-scale catastrophe that the proposed backstop policy is intended to address has never occurred. Even the largest cyber and technology-related disasters, such as NotPetya, CrowdStrike’s faulty update, and WannaCry, have not required intervention in insurance markets.

Given that there is no immediate economic imperative for a cyber insurance backstop, we wonder if this is the easiest, most bang-for-buck way to improve economy-wide security.

When Searching a Database Is Unconstitutional

A U.S. federal appeals court has ruled that geofence warrants are unconstitutional. These warrants, which seek to identify devices within a specified area at a particular time, were used, for example, to identify thousands of potential suspects in the Jan. 6 Capitol attack based on locations from their Android phones.

When it comes to geolocation data from smartphones, the decision may be academic anyway. Google announced late last year that it would store user location data on-device, rendering the case for geofence warrants moot.

However, UC Berkeley law professor Orin Kerr writes that the U.S. Court of Appeals for the Fifth Circuit’s ruling is still a huge deal. Kerr says the ruling states that querying large databases is unconstitutional because any search requires the entire database to be scanned for matches. Kerr argues that this has far-reaching implications:

[T]he Fifth Circuit’s ruling, although announced in a case that happens to be about geofence warrants, is about a lot more than that. It’s about CSLI [cell-site location information]. It’s about pen registers. It’s about keyword searches. It’s about pretty much all database queries. They all have this common feature that the Fifth Circuit found objectionable. Just create a data source big enough—how big, we don’t know, but big—and then it can’t be searched, even with a warrant.

Kerr says “the ruling is wrong, and that it is very important for it to be overturned.”

Three Reasons to Be Cheerful This Week:

  1. Dispossessor ransomware disrupted: The FBI announced the takedown of 24 servers and nine domains used by the RADAR/Dispossessor ransomware group in the U.S., U.K., and Germany. Risky Business News has more coverage, including the group’s genesis in August 2023, its recent shift from data extortion to encrypting ransomware, and the operational security failure that might have led to the takedown.
  2. UN cybercrime treaty passes: The UN passed its first cybercrime treaty last week. Cybercrime is a global problem, but previous treaties such as the Budapest Convention have not been joined by China, Russia, or India.
  3. Understanding open-source use in critical infrastructure: The White House has announced the launch of the Open-Source Software Security Initiative, an effort to understand the use of open-source software in critical infrastructure. This includes its use in the health care, transportation, and energy sectors, the idea being to understand what open-source software is most important from a security and resilience perspective.

Shorts

When Government Deception Is a Win

The U.K. National Cyber Security Centre has announced that it is planning to deploy a suite of cyber deception technologies within the U.K. at scale including what it calls tripwires, honeypots, and breadcrumbs. It is not doing it willy-nilly, however, but instead wants to figure out whether these technologies actually help keep the country safer. We like that this will result in evidence-based, rather than buzzword-based, decision-making.

DEF CON Franklin Will Protect America’s Effluence

Launched at the recent DEF CON conference, a new project called DEF CON Franklin aims to harness hacker talent to protect organizations in need of cybersecurity assistance, including water and wastewater facilities.

Airbnb: How Hackers Stay Ahead of Kidnappers

404 Media reports hackers are “Airbnb hopping” using false identities to avoid being located by violent criminals who want to threaten or kidnap them. Yikes!

Risky Biz Talks

In the latest “Between Two Nerds” discussion, Tom Uren and The Grugq discuss what it would mean to be in a golden age of open-source intelligence and whether we are in one.

From Risky Biz News:

State Department puts $10 million bounty on IRGC-CEC hackers: The U.S. State Department is offering a $10 million reward for any information on six Iranians behind Cyber Av3ngers, an Iranian hacktivist group that has repeatedly attacked critical infrastructure across the U.S. and other countries. The six were identified as members of an Iranian cyber unit known as the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). The six were sanctioned by the U.S. Treasury in February this year, but this marks the first time the U.S. has formally linked the six to the Cyber Av3ngers persona. The group emerged at the end of last year when it used default passwords to access PLCs from Israeli company Unitronics and deface control panels with anti-Israel and pro-Gaza messages. The group focused its attacks on countries allied with Israel, with the most prominent of these hitting the water authority in Aliquippa, Pennsylvania.

[more on Risky Business News]

Russia and Venezuela block Signal: The governments of Russia and Venezuela have blocked access to the Signal secure messaging service. Russia’s communications watchdog says it blocked the service because it was being used for terrorist and extremist purposes. The block in Venezuela comes days after President Nicolas Maduro’s regime also blocked Twitter. Protests broke out across Venezuela after Maduro claimed victory in the country’s election without providing any evidence that he actually won. More than a dozen protesters have been killed by the military in the streets, and more than 1,000 protesters have been arrested in their homes. Maduro claimed victory in recent elections with what appeared to be a bogus vote tally. Signal has asked affected users to enable a feature named “Censorship Circumvention” to get around the block.

Midnight Blizzard hacks: The Russian hackers who breached Microsoft last year have stolen emails from email systems managed by the U.K. government. The breach impacted Home Office inboxes, according to a report from The Record. The U.K. government is the most well-known victim of the hack, besides Microsoft itself. Microsoft has said that a Russian espionage group known as Midnight Blizzard breached its internal corporate network late last year and stole emails from the inboxes of its management and security teams. Microsoft has tried to keep the hack and its aftermath quiet and has been silently notifying affected customers, many of which remain unknown. Just days before The Record’s report, security researcher Kevin Beaumont claimed the hack of Microsoft itself was much larger than previously disclosed. Beaumont said that Midnight Blizzard stole data on all security flaws reported to Microsoft’s security team over the past decades and that Microsoft failed to detect this bigger breach until January 2024, months after it disclosed the initial hack. Three days later, Beaumont’s LinkedIn profile was mysteriously banned.

Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre where he contributed to various projects including on offensive cyber capabilities, information operations, the Huawei debate in Australia and end-to-end encryption.
