
How Hack and Leak Shapes Public Policy

Tom Uren
Friday, December 6, 2024, 11:00 AM
The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.

Published by The Lawfare Institute in Cooperation With Brookings

Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on news.risky.biz.

How Hack and Leak Shapes Public Policy

The 2016 U.S. presidential race has raised awareness of the role of hack-and-leak operations in election interference, but there is a far longer history of these operations affecting public policy. This week, Reuters reported that a consultancy working for ExxonMobil was being investigated by the FBI over its alleged role in a hack-and-leak operation targeting environmental activists.

This is the latest installment in Chris Bing and Raphael Satter’s long-running Reuters investigation into the rise of the hack-for-hire industry and how it has been used to influence legal battles. Per Reuters:

The scheme allegedly began in late 2015, when U.S. authorities contend that the names of the hacking targets were compiled by the DCI Group, a public affairs and lobbying company working for Exxon at the time, one of the sources said. DCI provided the names to an Israeli private detective, who then outsourced the hacking, according to the source.
In an effort to push a narrative that Exxon was the target of a political vendetta aimed at destroying its business, some of the stolen material was subsequently leaked to the media by DCI, Reuters determined. The Federal Bureau of Investigation found that DCI shared the information with Exxon before leaking it, the source said.

Material from these leaks was used to undermine U.S. state government lawsuits against Exxon and other energy companies.

Bing and Satter’s first report in their investigation covered how Indian hack-for-hire firms were being used to help wealthy clients in legal cases. The report also included information from a database of more than 80,000 emails sent by these firms. This database contained 13,000 targets, including over 1,000 attorneys at 108 different law firms. Reuters found “at least 75 U.S. and European companies, three dozen advocacy and media groups and numerous Western business executives were the subjects of these hacking attempts.”

While hack-for-hire operations are being used by vested interests to corrupt legal processes, so far only private investigators have been held legally accountable. Aviram Azari, a private investigator who acted as an intermediary to Indian hack-for-hire firms, has been sentenced to 80 months in prison. Amit Forlit, the private investigator hired by DCI Group, has been arrested in the U.K. and is fighting extradition to the United States over wire fraud and hacking charges.

This isn’t the first time that environment-related entities have been targeted by hackers. In 2009, the Climatic Research Unit (CRU) at the University of East Anglia in the U.K. was the subject of a hack-and-leak operation (aka Climategate) the month before the Copenhagen Summit on climate change. The leaked materials were used to undermine arguments for climate action, and a recent BBC podcast series described the incident as “The Hack That Changed the World.” The interests behind the hack were never identified, although observers theorized that Russian state actors, oil interests, or even global warming skeptics could have been responsible. Indian hack-for-hire firms appear to have started operating around 2013 and so were unlikely to be involved in the CRU hack.

Today, in some ways, we are better off. There is more focus on these hacks from investigative journalists, leaked materials are viewed more skeptically, and there is more focus on responsible reporting. That is all positive, but unfortunately it is still a technique used regularly by wealthy vested interests to manipulate public policy and pervert the course of justice.

Crimephone Landscape Splinters Under Police Pressure

Continued police success breaking into and disrupting encrypted messaging services marketed for criminal purposes (“crimephones” in Risky Biz HQ parlance) is splintering the crimephone landscape and forcing crooks to search for new, notionally more secure platforms.

An international law enforcement operation has taken down MATRIX, an encrypted messaging service Europol says was “made by criminals for criminals” (not to be confused with the legitimate messaging platform hosted at matrix.org). This is the latest police operation targeting communications services used almost exclusively by criminals.

A Dutch police press release describes MATRIX:

The crypto communication service offered an entire ecosystem of applications, including the ability to make (video) calls, keep track of transactions and use the internet anonymously. The service was offered under various names, in addition to Matrix. It was offered in the form of an app that was mainly installed on Google Pixel phones. A device with a six-month subscription cost between 1300 and 1600 euros. New users could only get a device if they were invited.

Dutch police said MATRIX was “technically more complex than previous platforms such as Sky ECC and EncroChat,” and the service’s founders “were convinced” it was more secure than previous crimephone messengers. MATRIX’s infrastructure included more than 40 servers in several countries, and investing in added security makes sense as a reaction to previous takedown operations.

Regardless, law enforcement agencies were able to intercept and decrypt messages sent via the platform. Europol says:

By using innovative technology, the authorities were able to intercept the messaging service and monitor the activity on the service for three months. More than 2.3 million messages in 33 languages were intercepted and deciphered during the investigation.

The messages provided information about criminal networks and crimes such as international drug trafficking, arms trafficking, and money laundering.

For criminals, the attraction of crimephones is that they are notionally beyond the reach of lawful access schemes, under which police can obtain messages from a provider by serving a warrant. That is why criminals are reluctant to use mainstream encrypted services that still respond to lawfully authorized requests. On the flip side, however, the people running crimephone services are typically doing something illegal themselves and, in the right jurisdictions, can be pressured by law enforcement. “Help us crack your crimephone or spend a long time in prison” can be a compelling pitch.

So criminals are stuck between a rock and a hard place, and we’ve wondered whether large criminal organizations will roll out their own crimephones.

So far the answer is no. Per Europol:

The encrypted communication landscape has become more fragmented following the takedown of several services such as Sky ECC, EncroChat, Exclu and Ghost. Criminals, in response to the disruptions of their messaging services, have been turning to a variety of less-established or custom-built communication tools that offer varying degrees of security and anonymity.

Police have turned crimephones from a massive enabler of criminal networks into their Achilles heel. And yet despite a drumbeat of successful takedowns, criminals continue to ride the crimephone wave … to prison.

Cryptocurrency and Remote Work Save Banks

Banks worldwide continue to be cybercrime targets, but one of the most significant threat actors—North Korea—appears to have moved on to lucrative new targets.

North Korea has been responsible for some significant bank hacks. In 2016, the rogue state made off with about $60 million after trying to steal nearly $850 million from the Bangladesh central bank. In 2018, it attempted to pilfer $110 million from Mexican bank Bancomext and successfully stole $15-20 million from other Mexican banks. It also relieved the Cosmos Cooperative Bank in India of $13.5 million.

Since then, however, it seems that North Korean actors have simply found more lucrative stomping grounds. They have focused on raising revenue through cryptocurrency thefts and on using false identities to obtain remote tech worker jobs. This TechCrunch report covers the rise of North Korean remote IT workers, who it says have raised “billions of dollars” over the past decade. The change in strategy may also reflect the fact that banks present harder targets than cryptocurrency entities: banks cooperate closely to unwind illegitimate transactions, and in the Bangladesh Bank heist many of the fraudulent transfer orders were flagged as suspicious and never executed.

When it comes to the stability of the banking system, let’s be thankful for cryptocurrency and the COVID-19-induced shift to remote working!

Three Reasons to Be Cheerful This Week:

  1. Hydra convictions: A Russian court has sentenced the founder of the Hydra dark web marketplace, Stanislav Moiseyev, to life in prison, according to TASS and Interfax. Hydra, which operated from 2015 until its takedown in 2022, was one of the largest dark web marketplaces, with 17 million customers and sales of over $1.3 billion in 2020. Fifteen of Moiseyev’s accomplices were also sentenced to prison terms. The Record has further coverage.
  2. Crimenetwork takedown: German police have taken down the country’s largest online crime marketplace, Crimenetwork, and arrested its administrator. Police say the marketplace had been around since 2012 and had over 100,000 users and 100 vendors.
  3. FTC data broker action: The Federal Trade Commission has banned two U.S.-based data brokers, Mobilewalla and Gravy Analytics, from selling sensitive geolocation data. They were selling location data collected without consent, and according to the FTC, this included visits to sensitive locations such as churches and military sites.

Shorts

Five Eyes: Secure Your Telcos

Five Eyes cybersecurity authorities have released guidance on how to respond to Chinese cyber espionage actors targeting telecommunications networks. It focuses on increasing visibility into network activity and hardening systems.

New U.S. Regulations Proposed, but Who Knows

The Consumer Financial Protection Bureau has proposed new rules that would limit how data brokers can buy and sell Americans’ sensitive personal data. Of course, who knows what will happen in the second Trump administration. New rules—bad! Protecting U.S. service members—good! More coverage in The Record. With that in mind, CyberScoop examines the three politicians who are likely to have influence over cyber policy in the next administration.

Risky Biz Talks

In our last “Between Two Nerds” discussion, Tom Uren and The Grugq talk about how the opportunities for hackers have changed and how that has altered the pipelines that turn kids into criminals.

From Risky Biz News

Poland arrests former spy chief in Pegasus scandal: The Polish government has detained Piotr Pogonowski and forcibly taken him to testify in front of a parliamentary hearing over the former government’s use of the Pegasus spyware. Pogonowski led Poland’s internal security agency, the ABW, from 2016 to 2020. Under his watch, the agency bought and used the NSO Group’s Pegasus spyware to spy on opposition leaders, journalists, and prosecutors investigating government corruption.

Russia arrests WazaWaka: Russian authorities have arrested Mikhail Matveev, a high-profile ransomware affiliate known by the handle WazaWaka. Matveev’s arrest was mentioned in a court case filed in Russia’s Kaliningrad exclave, Russian state news agency RIA Novosti [archived] reported on Friday. He was detained and charged with creating malware. The criminal case specifically mentions that WazaWaka wrote new ransomware in January this year.

Matveev’s real-world identity was exposed in a Brian Krebs article in January 2022. He was charged a year later by the Justice Department for a series of ransomware attacks across the United States, including two attacks against police departments.

Tor Project has “urgent need” for 200 new bridges to avoid Russian censorship: The Tor Project says it urgently needs at least 200 new bridges by the end of December to ensure Russian users can continue accessing the Tor network. The project specifically needs bridges that run the WebTunnel protocol, which disguises a connection to the Tor network as mundane web browsing: the client speaks HTTPS to what looks like an ordinary website, and only a secret path on that site carries Tor traffic. WebTunnel bridges are therefore harder to detect and block than normal Tor bridges.

The Tor Project launched WebTunnel bridges in March and currently has 143 of them running. Tor maintainers believe another 200 would give Russian users a large enough pool of bridges to connect to Tor safely.
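What running one of those bridges looks like in practice, as an added illustration that is not part of the newsletter and is not the Tor Project’s own documentation: a WebTunnel bridge is a normal HTTPS website in which one secret path is reverse-proxied to the webtunnel pluggable transport, which tor itself launches. The torrc options below are standard tor bridge and pluggable-transport settings; the domain `bridge.example.org`, the secret path `/8f3a2c1e`, the port `15000`, the binary location and the file paths are placeholders chosen for this example, and the web server is assumed to be nginx with an existing TLS certificate. The authoritative option names and installation steps are in the Tor Community WebTunnel bridge guide, which should be checked before deploying.

```conf
# /etc/tor/torrc (assumed path) - the bridge side
# Run as a bridge, not a public relay; keep the OR port loopback-only so the
# only thing reachable from the internet is the ordinary HTTPS site.
BridgeRelay 1
ORPort 127.0.0.1:auto
AssumeReachable 1
ExtORPort auto
# tor launches the webtunnel transport binary (assumed install path) and
# tells it to listen on loopback, where only nginx can reach it.
ServerTransportPlugin webtunnel exec /usr/local/bin/webtunnel
ServerTransportListenAddr webtunnel 127.0.0.1:15000
# The public URL clients will use. The path is the shared secret: it is
# never linked from the site, so a scanner fetching / sees a plain website.
ServerTransportOptions webtunnel url=https://bridge.example.org/8f3a2c1e
ContactInfo operator@example.org
Nickname ExampleWebTunnelBridge
SocksPort 0

# /etc/nginx/sites-enabled/bridge.example.org (assumed path) - the web side
server {
    listen 443 ssl;
    server_name bridge.example.org;
    ssl_certificate     /etc/letsencrypt/live/bridge.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bridge.example.org/privkey.pem;

    # Serve real, unremarkable content on every other path so that probing
    # the host yields exactly what an ordinary website would return.
    location / {
        root /var/www/html;
    }

    # Only the secret path is upgraded to a WebSocket and handed to webtunnel.
    # The TLS handshake, SNI and certificate are the site's own, so on the
    # wire the Tor session is indistinguishable from a browser using the site.
    location /8f3a2c1e {
        proxy_pass http://127.0.0.1:15000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header Accept-Encoding "";
        # Tor circuits are long-lived; do not let nginx drop an idle tunnel.
        proxy_read_timeout 3600;
    }
}
```

The security property the passage describes comes from the split between the two files: the censor sees TLS to a real domain with a valid certificate, and the only distinguishing feature, the path, is transmitted inside the encrypted HTTP request. A bridge whose secret path is guessable or whose site returns errors on every other URL loses that cover, so the decoy content and the randomness of the path matter as much as the proxy configuration.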


Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre where he contributed to various projects including on offensive cyber capabilities, information operations, the Huawei debate in Australia and end-to-end encryption.
