
German Military’s Use of WebEx + Data Broker Order

Tom Uren
Friday, March 8, 2024, 9:49 AM
The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.
[Image: Listening to Taurus (Stable Diffusion)]

Published by The Lawfare Institute
in Cooperation With
Brookings

Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on news.risky.biz.

Why the German Military’s Use of WebEx Is Fine, Actually

A senior Russian media figure has published a recording of German Ministry of Defense (Bundeswehr) officials discussing the implications of providing Ukraine with medium-range cruise missiles.

The story here is not that German security is poor, but that Russia is publishing raw intelligence to sow discord in the country.

Margarita Simonyan, editor-in-chief at RT, the Russian state-controlled TV outlet, published the 38-minute audio recording on March 1, saying “comrades in uniforms” had given her the recording.

The United Kingdom and the European Union both sanctioned Simonyan in 2022 for her propaganda supporting Russia’s invasion of Ukraine.

The audio was a recording of a WebEx call between four senior German military officials that occurred on Feb. 19. The head of Germany’s air force, Ingo Gerhartz, was one of the participants.

After an initial investigation, Germany’s defense minister, Boris Pistorius, said the leak resulted from one of the participants dialing in to the call on an unsecured line from a Singapore hotel.

There are several plausible scenarios here that could have resulted in the call being intercepted. An uninvited participant could have joined the call without being detected, the call could have been intercepted as it traversed telecommunications networks, it could have been recorded on a compromised endpoint device, or the room could even have been bugged.

Since Pistorius highlighted the use of an unsecured line, if the officer in question used a cellphone, one more specific scenario is that the Russians intercepted the call using base stations they control near the hotel (aka Stingrays).

Another possibility is that the call was intercepted remotely via SS7 shenanigans, which Russia has reportedly used before in Ukraine (SS7 or Signaling System 7 controls how phone calls are carried over the global telecommunications network). A call over a hotel landline could be intercepted by compromising the hotel switch.

Both types of calls could be passively intercepted using old-school signals-intelligence techniques, as they traveled from Singapore to the Bundeswehr’s WebEx server, presumably in Germany.

Pistorius said the show was attended by high-ranking military officers from across Europe and “targeted hacking took place in the hotels used across the board.”

“It must therefore be assumed that the access to this (phone) conference was a chance hit as part of a broad, scattered approach.”

Pistorius called this an “individual error” and described it as a one-off. He said that the Bundeswehr used a hardened on-premise WebEx server and that calls up to certain classifications were allowed.

Sven Herpig, director of cybersecurity policy at German digital policy think tank SNV, told Seriously Risky Business that he thought using hardened WebEx correctly would likely have prevented interception.

“Correct use” would have included enforcing encrypted connections, using regular hardened laptops or smartphones, and connecting from an embassy network. (Herpig previously worked for both the German information security office and its foreign office.) It is possible to set up WebEx meetings that enforce end-to-end encryption with verified participants.

Taking these steps is still not an absolute guarantee, but it mitigates every one of the interception scenarios outlined above.

Herpig noted that, in this case, insecure dial-ins hadn’t been disabled and no one noticed the “call not secure” sign, adding that unfortunately “there is no patch for human stupidity.”

Regardless of how it accessed the meeting, Russia must have judged that it would get more value by weaponizing the recording through publication than by keeping its access secret for future intelligence gathering.

The published recording was portrayed by Russian figures as indicating that Germany was preparing to enter the war in Ukraine.

Simonyan claimed the recording showed that Germany was planning to bomb the Kerch Bridge linking Crimea to Russia. This bridge has already been the target of several Ukrainian attacks.

On Telegram, Dmitry Medvedev, the deputy chair of Russia’s Security Council, said the leak indicated “our eternal adversaries, the Germans, have once again become sworn enemies.” A foreign ministry spokesperson, Maria Zakharova, warned of “dire consequences” for Germany in connection with the leak.

Putin spokesperson Dmitry Peskov said the conversation “suggests that in the bowels of the Bundeswehr, plans for strikes on Russian territory are being discussed in a substantive and concrete manner.”

Of course, an Associated Press report of the leaked discussion doesn’t match the Russian portrayal. The conversation is not about “preparing for war” so much as “preparing a PowerPoint” to present to the minister of defense. In it, the participants discuss what would happen if Germany were to give Ukraine Taurus cruise missiles, including how Ukraine might use them and how much technical support German forces would need to provide. Per the Associated Press:

In the course of the discussion, it becomes clear that they are referring to the Kerch bridge linking Russia and occupied Crimea. One of the officials says that training to target the bridge, which is “as big as an airfield,” would likely take longer.

They also discuss potential red lines for German politicians, including a desire to avoid the military being seen as directly involved.

The officers say the rapid deployment of Taurus missiles would only be possible with the participation of German soldiers—and that training Ukrainian soldiers to deploy the Taurus on their own would be possible, but would take months.

The recording makes clear that the German government has not given its OK for the delivery of the cruise missiles sought by Ukraine.

Here in Australia, WebEx is rated for conversations up to “Protected,” information that could cause “damage to the national interest” if it was compromised (but not “serious” or “exceptionally grave” damage).

Germany’s classification system is similarly high level, and although Pistorius didn’t say exactly what level of classified discussion is permitted over WebEx, we think it likely that the leaked conversation wasn’t too sensitive for WebEx.

To keep a sense of perspective here, a conversation actually about how to provide Ukraine direct boots-on-the-ground military support would be classified “Secret” or “Top Secret.”

According to Deutsche Welle, Pistorius said Russia’s action was “about using this recording to destabilize and unsettle us,” and described the incident as “part of an information war that Putin is waging.”

Part of the background to this leak is that German Chancellor Olaf Scholz has so far been reluctant to send Taurus missiles to Ukraine, fearing that it would cause an escalation that would drag Germany into the war, especially if Ukraine uses them to strike targets in Russia. There is some political support for providing Ukraine with the missiles, but the idea is unpopular with the public.

Scholz hasn’t ruled out sending the missiles, however, and various politicians believe one of the reasons the recording was leaked was to undermine the possibility Scholz will allow Taurus deliveries to Ukraine.

In the short term, Russia’s operation has been a success and Herpig judged that the press coverage has been more damaging than the leak itself. We’ll have to see if it has longer term impacts on Germany’s military support for Ukraine.

Data Broker Order Is the Best Band-Aid Available

A new Biden executive order sets out to stop adversary countries from getting bulk sensitive personal data of Americans. It’s a step in the right direction, but it needs to be part of a more holistic solution.

The executive order is motivated by foreign countries’ continued efforts to access bulk data about Americans, which the administration says they could use to “engage in espionage, influence, kinetic, or cyber operations or to identify other potential strategic advantages over the United States.”

From Risky Business News coverage of the executive order:

In a phone call with reporters, the White House said foreign governments are increasingly viewing data as a “strategic resource.” Officials said foreign governments are collecting the personal data of Americans and using it for espionage and other cyber-enabled activities.

“Bad actors can use this data to track Americans (including military service members), pry into their personal lives, and pass that data on to other data brokers and foreign intelligence services. This data can enable intrusive surveillance, scams, blackmail, and other violations of privacy.”

The new executive order is meant to provide US government agencies—and especially the Justice Department—with regulatory tools to hunt down data brokers that turn a blind eye to who they're doing business with for the sake of profits.

The types of data covered include genomic data, biometric data, personal health data, geolocation data, financial data, and certain kinds of personal identifiers.

The order directs the Department of Justice to develop rules to limit the sale of this kind of data to foreign entities from yet-to-be-defined countries of concern.

There are some reasons to be skeptical about the effectiveness of the order. These include that privacy regulation of the private sector isn’t standard fare for the Department of Justice and that many small data purchases that would bypass this order can add up to “bulk data.”

Brandon Pugh, cybersecurity and emerging threats director at the R Street Institute, told this newsletter that the order wasn’t a “full solution” but that he did think “it has the potential to be part of the solution.”

Pugh thinks a comprehensive federal data privacy and security law is needed, and he noted that many recent administration policy documents call for exactly that kind of law.

However, he pointed out this is a complex issue and requires the balancing of competing interests and that, even though adversaries will look to steal sensitive data, “data is important for innovation and fuels many technologies.”

One of the mitigations Pugh suggested was to impose controls over the amount of data collected in the first place. We think changes that have occurred over the past couple of years in the ad tracking ecosystem are a good example of that principle in practice.

Prior to 2021, for example, advertisers were able to track iOS devices using a more or less permanent pseudonymous per-device identifier known as an IDFA (identifier for advertisers). Coupled with geolocation data, this made tracking over time more or less trivial, and last week’s newsletter covered real-world examples of this kind of tracking.

In mid-2021, with iOS 14.5, Apple introduced what it calls App Tracking Transparency. This privacy feature requires iOS users to opt in before an app may track their behavior. If users don’t opt in, the IDFA is set to all zeros, and App Store terms and conditions also forbid workarounds such as hashed identifiers or device fingerprinting within apps.

This makes tracking over time much more difficult but doesn’t entirely prevent it.
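As an added illustration of the mechanism described above (example code written for this edit, not from the newsletter or from Apple), this Swift snippet shows how an iOS app should consume App Tracking Transparency: it uses the IDFA only when the user has authorized tracking and the OS returned a non-zero value, and otherwise proceeds with no identifier at all rather than a hashed or fingerprinted substitute. It assumes the app’s Info.plist carries the NSUserTrackingUsageDescription string the system prompt requires.

```swift
import AppTrackingTransparency
import AdSupport

// The all-zero UUID that iOS returns as the IDFA when tracking is not
// authorized (constructed here by value for comparison).
private let zeroIDFA = UUID(uuidString: "00000000-0000-0000-0000-000000000000")!

/// Returns the advertising identifier only when the user has explicitly
/// authorized tracking and the OS handed back a real (non-zero) value.
/// Returns nil in every other case; callers must treat nil as "no identifier"
/// and must not substitute a hashed or fingerprinted stand-in.
func usableAdvertisingIdentifier() -> UUID? {
    guard ATTrackingManager.trackingAuthorizationStatus == .authorized else {
        return nil
    }
    let idfa = ASIdentifierManager.shared().advertisingIdentifier
    return idfa == zeroIDFA ? nil : idfa
}

/// Shows the system prompt only while the status is still .notDetermined,
/// then reports the resulting identifier (if any) to the caller. The
/// completion handler may be invoked on a background thread.
func requestIdentifierIfPermitted(completion: @escaping (UUID?) -> Void) {
    switch ATTrackingManager.trackingAuthorizationStatus {
    case .notDetermined:
        ATTrackingManager.requestTrackingAuthorization { _ in
            completion(usableAdvertisingIdentifier())
        }
    case .authorized:
        completion(usableAdvertisingIdentifier())
    case .denied, .restricted:
        // The user or a device management policy said no: continue with
        // no cross-app identifier rather than deriving one another way.
        completion(nil)
    @unknown default:
        completion(nil)
    }
}
```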

Eric Seufert, a mobile advertising expert and author of Mobile Dev Memo, told Seriously Risky Business that:

The deprecation of Mobile Advertising Identifiers does erect significant barriers to tracking a person’s behaviour across online and real-world contexts but it doesn’t entirely prevent it. For instance, location data can form the basis of a rough identifier if patterns become reliable or predictable, especially if they include a person’s home or place of work. IP address, location data, and various device parameters can be bundled into synthetic identifiers that, while not deterministic, can still be used in some ways to track a person’s behaviour.

Seufert said that Apple had also introduced new tools to prevent device fingerprinting, including privacy manifests and a required reasons API.

When it comes to geolocation data derived from phones, perhaps this type of operating system-level change could reduce national security risks associated with geolocation data to acceptable levels?

We are not sure this is good enough in isolation, but we think restrictions on the type and amount of data that can be collected and sold must be part of the solution.

Apple’s actions here are one example of mitigating these types of risks at the point the data is collected. But the entire data ecosystem involves many players. Google, for example, has not yet restricted use of its Advertising ID, although it has said it might do so when it rolls out its Privacy Sandbox in 2024.

And automobile manufacturers are getting into the “selling customer data” game.

We are certain that managing national security risk is not top priority for these industry players, so we think regulation that controls the collection of at least some data types is required.

Three Reasons to Be Cheerful This Week:

  1. Court orders NSO to hand over source code: A U.S. court has ordered NSO Group to give source code for its Pegasus spyware to Meta as part of an ongoing court case between the two companies.
  2. German police seize Crimemarket: Dusseldorf police have announced the seizure of Germany’s largest cybercrime marketplace, Crimemarket. The market had 180,000 registered users; 102 search warrants were executed, three people were arrested, and almost 600,000 euros in cash and assets were seized.
  3. U.S. ups ante on spyware sanctions: The U.S. Treasury Department has imposed economic sanctions on spyware company Intellexa, its founder, and another executive. The company was placed on the U.S.’s Entity List in July 2023, but in October an investigation implicated its Predator spyware in the targeting of U.S., UN, and European officials. These new sanctions are stricter than previous ones levied against spyware companies and aim to prevent the entities and individuals named from accessing the U.S. financial system.

Shorts

AlphV Strikes Back Then Disappears

A recent ransomware attack on U.S. health care payment processor Change Healthcare has rippled across the U.S. health sector.

The company announced it had been affected by ransomware on Feb. 21, with the attack affecting reimbursement payments from insurers and electronic filing of prescriptions across the United States.

The attack was purportedly carried out by the AlphV/Blackcat ransomware group, a group disrupted by the FBI in late December.

It appears AlphV has absconded without paying affiliates after receiving a $22 million ransom.

Google on Board With Memory Safety

In the wake of last week’s White House call for developers to use “memory safe” languages, Google has released a paper outlining its perspective on the topic.

In short, Google is on board with the idea. It says memory safety can be achieved only with “a Secure-by-Design approach centred around comprehensive adoption of languages with rigorous memory safety guarantees.”

Risky Biz Talks

In this edition of “Between Two Nerds,” Tom Uren and The Grugq look at the shift that has taken place in Ukraine’s cyber strategy as it has gone on the front foot and its cyber forces have launched multiple cyber strikes in the past few months. They discuss reasons why Ukraine might want to make this change and ask whether it makes sense.

From Risky Biz News:

Intellexa pulls new Predator spyware infra after thorough undressing: Intellexa—the holding company that sells and operates the Predator spyware—has taken servers offline after two security firms exposed the company’s brand-new infrastructure.

Reports from Sekoia and Recorded Future provided details on new domains and servers used as part of the Predator attack and delivery platform.

Less than 24 hours after the second report went out, all of these servers went offline.

[more on Risky Business News, including more details from the reports and Predator’s history.]

ACEMAGIC mini PCs shipped with preinstalled malware: Chinese company ACEMAGIC has confirmed that early batches of some of its new mini PC models were shipped with preinstalled malware.

Malware such as the Redline infostealer and the Bladabindi backdoor was found in the Windows OS system recovery section of its mini PCs. In some cases, malware was also found in the mini PCs’ RGB lighting driver.

[more on Risky Business News, including how the malware infections were initially found by… YouTube reviewers!]

Ukraine hacks Russia’s Defense Ministry: Ukraine’s military intelligence agency claims it successfully hacked Russia’s Defense Ministry. Ukraine’s Defense Intelligence Main Directorate (GUR) says it obtained data on Russia’s military encryption software. The GUR says it also obtained documents exchanged between more than 2,000 units of Russian security services. Ukrainian officials say the documents have helped to recreate the full structure of the Russian Defense Ministry. The GUR claimed it gained access to the network via one of Sergei Shoigu’s deputies.

Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre where he contributed to various projects including on offensive cyber capabilities, information operations, the Huawei debate in Australia and end-to-end encryption.
