Kaspersky Finally Evicted From the U.S.
Published by The Lawfare Institute
in Cooperation With
Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on news.risky.biz.
Kaspersky Finally Evicted From the U.S.
The U.S. government has decided to evict Russian cybersecurity company Kaspersky from the U.S. market, announcing a ban on sales to U.S. customers and applying financial sanctions to Kaspersky’s senior leadership.
The Commerce Department announced on June 20 that Kaspersky will be prohibited from selling to U.S. customers from late July and that its operations in the country must stop by Sept. 29. This means no more codebase and antivirus signature updates, so current customers have just a short time to find alternatives. The department also placed three Kaspersky entities on an export control register known as the Entity List, citing “their cooperation with Russian military and intelligence authorities in support of the Russian Government’s cyber intelligence objectives.”
The U.S. Treasury has also sanctioned a dozen of Kaspersky’s executives and senior leadership team. Eugene Kaspersky, the company’s co-founder and CEO, is notably absent from the sanctions list.
The ban has been a long time coming. The Department of Commerce says Kaspersky’s products pose an “unacceptable risk” to U.S. national security and cites the risk of subversion or sabotage of U.S. critical infrastructure.
In 2017, the New York Times reported an Israeli intelligence operation had found National Security Agency (NSA) documents and tools in Kaspersky’s network that had been scooped up by the Russian company’s software:
The Russian operation, described by multiple people who have been briefed on the matter, is known to have stolen classified documents from a National Security Agency employee who had improperly stored them on his home computer, on which Kaspersky’s antivirus software was installed.
Sensationally, the New York Times claimed the Russian government had used Kaspersky as a kind of worldwide search engine, writing that “Israeli intelligence officers looked on in real time as Russian government hackers searched computers around the world for the code names of American intelligence programs.” The Wall Street Journal also made this claim, sourcing it to “current and former U.S. officials with knowledge of the matter.” Apart from the claims of direct Russian government involvement, much of what the New York Times reported was confirmed by Kaspersky. The company admitted it had swept up NSA hacking tools, which it refers to as Equation malware:
Our product detected known Equation malware on a user’s system. Later, on the same system, it also detected a non-Equation backdoor originating from a pirated copy of Microsoft Office, and a 7-Zip archive containing samples of previously unknown malware. After it detected them, our product sent the archive to our antivirus researchers for analysis. As it turned out, the archive contained malware source code that appeared to be related to the Equation Group, as well as several Word documents bearing classification markings.
Kaspersky’s incident report says CEO Eugene Kaspersky ordered the source code be deleted and that the archive was not shared with any third parties. The incident also resulted in a new “delete potentially classified material” policy at the company, the report says.
Two people with links to NSA’s hacking programs have since been convicted of taking classified material home. Nghia Pho, an NSA employee, was convicted in 2018 and contractor Harold “Hal” Martin was convicted in 2019.
The U.S. government banned Kaspersky products from its networks in 2017. Back then, it would have been easier to squeeze your eyes shut and argue that allowing Kaspersky on non-federal government U.S. networks was an acceptable risk. These days, not so much.
Gavin Wilde, a Russia and cyber expert at the Carnegie Endowment, told Seriously Risky Business that the balance of risk had shifted in recent years after Russia’s invasion of Ukraine and its engagement in higher profile European sabotage operations. Wilde also thought the discovery of Volt Typhoon, the Chinese actor that compromised U.S. critical infrastructure in preparation for potential sabotage operations, had shifted perceptions of risk. Given Russia and China’s “no-limits” relationship, having Russian security software protecting U.S. critical infrastructure is a terrible idea. Wilde noted that the U.S. intelligence community “has looked warily on Kaspersky since I started in government almost two decades ago,” and he described the ban as “at least a decade overdue.”
The Optus Breach Was as Dumb as We Thought
The Australian Communications and Media Authority (ACMA) says a 2022 data breach at Australia’s second largest telecommunications provider, Optus, occurred because the company accidentally removed access controls from a long-disused API endpoint.
This newsletter has previously described the breach as Australia’s Equifax moment, as it affected 9.5 million current and former Optus customers (about a third of Australia’s population).
The ACMA says the “target” API endpoint in question had not been used since 2017 and had originally been protected by access controls. These controls were removed in 2018 in what the ACMA describes as a “coding error.” It says Optus detected and fixed the same error in 2021 on a different endpoint it was actively using. Unfortunately, the same error was not detected or fixed on the dormant target endpoint, which was exploited by an attacker in 2022.
The ACMA says the breach “was not highly sophisticated or one that required advanced skills or proprietary or internal knowledge of Optus’ processes or systems. It was carried out through a simple process of trial and error.”
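A defender’s take on the ACMA finding, as an added example that is neither Optus’s code nor part of the original newsletter: an audit over the whole route table that flags customer-data endpoints with no auth middleware and endpoints that have gone unused, so the same coding error cannot be fixed on one endpoint and missed on another. The middleware names, paths and dates are constructed for illustration.

```python
"""Audit an API route table for Optus-style gaps: customer-data endpoints
that lack an auth middleware, and endpoints nobody has called in a long time.
All route definitions below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Middleware names that count as an access control (hypothetical names).
AUTH_MIDDLEWARE = {"require_auth", "require_api_key"}


@dataclass
class Route:
    path: str
    middleware: List[str]       # middleware chain attached to the route
    last_used: Optional[date]   # last request seen in access logs, None if never
    exposes_pii: bool           # does the handler return customer data?


def audit_routes(routes: List[Route], today: date,
                 dormant_days: int = 365) -> List[Tuple[str, str]]:
    """Return (path, finding) pairs. The check runs over the whole route
    table, so a fix applied to one endpoint is verified on every other one."""
    findings = []
    for r in routes:
        has_auth = bool(AUTH_MIDDLEWARE & set(r.middleware))
        dormant = r.last_used is None or (today - r.last_used).days > dormant_days
        if r.exposes_pii and not has_auth:
            findings.append((r.path, "unauthenticated_pii_endpoint"))
        if dormant:
            # Dormant routes are rarely reviewed; the safe default is to
            # remove them rather than leave them reachable.
            findings.append((r.path, "dormant_endpoint"))
    return findings


# Constructed route table modelled on the ACMA description: the active
# endpoint had its access control restored; the disused one did not.
SAMPLE_ROUTES = [
    Route("/api/v2/customer/contact", ["require_auth", "rate_limit"],
          date(2022, 9, 1), True),
    Route("/api/v1/customer/contact", ["rate_limit"], date(2017, 3, 12), True),
    Route("/api/health", [], date(2022, 9, 1), False),
]


def audit_sample() -> List[Tuple[str, str]]:
    """Run the audit over the constructed table as of a fixed date."""
    return audit_routes(SAMPLE_ROUTES, date(2022, 9, 20))


if __name__ == "__main__":
    for path, finding in audit_sample():
        print(f"{finding}: {path}")
```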
U.S. Car Dealerships Struck by Ransomware
A ransomware attack on software-as-a-service (SaaS) platform CDK Global has disrupted thousands of North American car dealerships over the past week.
Several publicly listed companies have lodged filings with the U.S. Securities and Exchange Commission indicating that they have been affected by the CDK Global incident. The SaaS provider claims it services close to 15,000 dealer locations. CDK Global suffered a second breach while attempting to recover from an initial ransomware attack and has also warned that customers are being approached by fraudsters posing as CDK agents in an attempt to gain system access.
Bleeping Computer reports the relatively new Blacksuit ransomware group is responsible. CDK Global is reportedly negotiating with the group, which is seeking tens of millions of dollars in ransom.
These kinds of high-leverage victims (think Colonial Pipeline, Change Healthcare, or Kaseya) are highly motivated to resolve incidents quickly because of the huge impact ransomware has on their customers. In other words, they are the best targets for ransomware crews because disruption causes extensive collateral damage.
From a policy perspective, this is a reason to demand higher cybersecurity standards from these systemically important companies. The trick, of course, is to identify these types of companies before they are struck by ransomware and work with them to improve their security.
Three Reasons to Be Cheerful This Week:
- Safer Chrome extensions: Google has published a blog post describing its Chrome extension security measures, and how users can stay safer while using extensions. The company applies automated and human review and claims that “less than 1% of all installs from the Chrome Web Store were found to include malware.” This seems like an odd flex... 1 percent seems insanely high to us.
- Ransomware victims’ resilience up, payments down: Insurance broker Marsh has found that only 23 percent of companies that submitted claims paid ransom demands last year, a decline from previous years. This is very similar to figures provided by ransomware incident response firm Coveware, which found recently that 28 percent of victims paid a ransom. Meredith Schnur, managing director of Marsh’s U.S. and Canada cyber practice, told Legal Dive that companies are “just more resilient than they were three, four, five years ago.”
- Scattered Spider ringleader arrested: Krebs on Security reports the alleged ringleader of the Scattered Spider group has been arrested. This is good news, as this group has been responsible for a string of high-impact hacks. At the same time, Scattered Spider is more of a community than a group. What does it mean to be a ringleader?
Shorts
A Succulent American Plea Deal
WikiLeaks founder Julian Assange is free after he pleaded guilty to espionage in a U.S. court and was sentenced to time already served. Assange had served five years in Britain’s Belmarsh prison. The presiding judge, Ramona Manglona, noted that Chelsea Manning, Assange’s co-conspirator in the case, had served seven years in prison before her sentence was commuted. Manglona described Assange’s sentence as “fair and reasonable and proportionate to Ms Manning’s actual prison time.”
AI Bias Should Not Trump Privacy
The Record reports that removal of civil rights protections and algorithmic bias guardrails from the latest version of the American Privacy Rights Act (APRA) has “incensed” advocates. It’s clear that the U.S. needs improved privacy legislation, but we don’t think that algorithmic bias has yet proved to be a clear and present danger.
This Machine Hunts Bugs, Poorly
Google’s Project Zero has published a write-up of its efforts evaluating the use of large language models (LLMs) for vulnerability research. It appears that, on their own, LLMs are bad at vulnerability research, but if you give them some specialized tools, they can perform some basic vulnerability research tasks.
Risky Biz Talks
In the latest “Between Two Nerds” discussion, Tom Uren and The Grugq talk about how information about the use of cyber operations in Ukraine is incomplete. Rather than clarifying the role of cyber operations in conventional warfare, there is still a lot of room for confirmation bias.
From Risky Biz News:
Russia wants its own CISA: The Russian government is holding private talks on establishing a dedicated cybersecurity agency, similar to the role the Cybersecurity and Infrastructure Security Agency plays in the United States. Talks are in early stages, but a RIA Novosti report suggests the initiative has support from Russia’s private sector.
The Russian government has recently passed or started working on several cybersecurity-related initiatives. These include larger fines for data breaches, mandatory incident reporting, legalizing vulnerability research, and banning the use of Western software in critical infrastructure on the grounds of national security. Currently, the enforcement of Russia’s cybersecurity regulations falls on multiple agencies, such as the FSB, FSTEC, Roskomnadzor, the Ministry of Digital Affairs, and Russia’s central bank.
Hacker-for-hire scandal: The California State Bar has accused a Los Angeles lawyer of trying to hire Israeli hackers to break into the emails of a judge and rival attorney. Michael Libman concocted the scheme with another lawyer named Paul Paradis after a judge canceled a settlement in a class-action lawsuit against the California Department of Water and Power. Another lawsuit found that Paradis had secretly represented both of the parties in the class-action lawsuit. The judge canceled the settlement and ordered Libman to return $1.65 million he received as attorney fees in the case. The California State Bar claims Libman and Paradis wanted to use a hacker to get the judge’s emails, hoping to find evidence to get the ruling annulled and keep their attorney fees. The scheme was uncovered after Paradis turned FBI informant. [additional coverage in the Daily Journal]
Matriochka: The French government has published a report on Matriochka, a pro-Russian social media influence campaign that tried to discredit Western news media, public figures, and fact-checking organizations. Matriochka accounts impersonated their targets, aiming to discredit their trustworthiness while also spreading Russian interests. The campaign has been active since September 2023, and its main objective has been to propagate and amplify anti-Ukrainian narratives. French officials say disinformation posted on Twitter was initially posted on Russian Telegram channels, suggesting the content was initially set up for Russian-speaking audiences and then repurposed for Western audiences.
VIGINUM believes that this campaign undermines the reputation of French mainstream media and official institutions. Since the start of the large-scale invasion of Ukraine in February 2022, Russia’s influence apparatus has regularly targeted fact-checkers and used extensive resources to discredit analysis from Western media outlets.