
The Australian Government Will Shut Down AN0M Evidence Appeals

Tom Uren
Monday, December 2, 2024, 12:27 PM
The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.

Published by The Lawfare Institute in Cooperation With Brookings

Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on news.risky.biz.

The Australian Government Will Shut Down AN0M Evidence Appeals

The Australian government has proposed legislation to retrospectively guarantee that evidence collected by the AN0M crimephone sting operation is admissible in court. (Crimephone is the Risky Business HQ term for dedicated encrypted devices that are marketed in criminal networks to facilitate illegal activity.)

This is an extremely unusual move, but there is a lot at stake here. The Australian Federal Police (AFP) described the AN0M operation as the "largest organized crime investigation in the Southern Hemisphere[,]" and if the evidence is ruled inadmissible there may not be another opportunity to strike such a large blow against organized crime.

The Surveillance Legislation (Confirmation of Application) Bill 2024 is aimed squarely at evidence collected by AFP's Operation Ironside. This operation was jointly conducted with the FBI, which called it Operation Trojan Shield, and is entertainingly chronicled in Joseph Cox's book "Dark Wire." In this operation, an encrypted smartphone application called AN0M was developed and marketed to criminals in the aftermath of the 2018 shutdown of the Phantom Secure crimephone. AN0M's encryption was legit, but police were blind cc'd on every message that its users sent. Better yet, the system geotagged messages with precise locations. Per the AFP's press release describing the operation:

We built capability and computers that allowed law enforcement across the world to access, decrypt and read communications in an app called AN0M. Covertly run by the FBI, AN0M was installed on mobile phones that were stripped of other capability. The mobile phones, which were bought on the black market, could not make calls or send emails. They could only send messages to another device that had the organised crime AN0M app. Criminals needed to know a criminal to get a device. ...
The devices organically circulated and grew in popularity among criminals, who were confident of the legitimacy of the app because high-profile organised crime figures vouched for its integrity. These criminal influencers put the AFP in the back pocket of hundreds of alleged offenders.
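The design described above, "legit" encryption with the operator blind cc'd on every message and location attached, is worth seeing in code, because it shows why the strength of the cipher says nothing about who can read the traffic when the client itself is untrusted. The block below is an added illustration, not code from the article, the AFP or the FBI: a toy messenger whose client quietly wraps each message's content key for an undisclosed extra party, plus the check an independent reviewer could run over captured envelopes. The crypto is a hashlib/hmac sketch so it runs offline; it is not a real protocol, and all names (SHARED_SECRETS, ESCROW_KEY, audit_envelope) and sample values are assumptions.

```python
"""Toy 'blind cc' messenger: the client encrypts honestly for the recipient
but also wraps the content key for a party the UI never shows.
Added example with constructed keys; NOT a real protocol."""
import hashlib
import hmac
import os

# Pairwise long-term secrets between devices (constructed sample values).
SHARED_SECRETS = {
    frozenset({"alice", "bob"}): hashlib.sha256(b"alice|bob").digest(),
}
# Key baked into the app binary; the user never sees it (constructed).
ESCROW_KEY = hashlib.sha256(b"operator-escrow-key").digest()


def _prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream from the PRF; only for this toy.
    out = b""
    ctr = 0
    while len(out) < n:
        out += _prf(key, nonce + ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _wrap(wrapping_key: bytes, nonce: bytes, content_key: bytes) -> bytes:
    # One-time mask derived from the wrapping key and the per-message nonce;
    # applying it twice unwraps.
    return _xor(_prf(wrapping_key, b"wrap" + nonce), content_key)


def send(sender: str, recipient: str, text: str, geo: tuple) -> dict:
    """What the honest-looking client does for one message."""
    nonce = os.urandom(16)
    content_key = os.urandom(32)
    plaintext = text.encode()
    ciphertext = _xor(_keystream(content_key, nonce, len(plaintext)), plaintext)
    tag = hmac.new(content_key, nonce + ciphertext, hashlib.sha256).digest()
    pair = SHARED_SECRETS[frozenset({sender, recipient})]
    wrapped = {recipient: _wrap(pair, nonce, content_key)}
    # The undisclosed part: the same content key wrapped for the escrow holder.
    wrapped["__escrow__"] = _wrap(ESCROW_KEY, nonce, content_key)
    return {
        "from": sender, "to": [recipient],   # what the UI shows
        "nonce": nonce, "ct": ciphertext, "tag": tag,
        "wrapped_keys": wrapped,
        "geo": geo,                          # location sent in the clear
    }


def _open(env: dict, wrapped: bytes, wrapping_key: bytes) -> str:
    content_key = _wrap(wrapping_key, env["nonce"], wrapped)
    expected = hmac.new(content_key, env["nonce"] + env["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, env["tag"]):
        raise ValueError("tag mismatch")
    return _xor(_keystream(content_key, env["nonce"], len(env["ct"])), env["ct"]).decode()


def receive(env: dict, me: str) -> str:
    """The declared recipient decrypts with the pairwise secret."""
    pair = SHARED_SECRETS[frozenset({env["from"], me})]
    return _open(env, env["wrapped_keys"][me], pair)


def escrow_read(env: dict) -> str:
    """The operator reads the same message without touching the recipient's key."""
    return _open(env, env["wrapped_keys"]["__escrow__"], ESCROW_KEY)


def audit_envelope(env: dict) -> list:
    """Checks a reviewer could run on captured envelopes (assumed helper)."""
    findings = []
    extra = set(env["wrapped_keys"]) - set(env["to"])
    if extra:
        findings.append(f"content key wrapped for undeclared parties: {sorted(extra)}")
    if "geo" in env:
        findings.append("location metadata transmitted in the clear")
    return findings


if __name__ == "__main__":
    env = send("alice", "bob", "meet at the usual place", (-35.3081, 149.1245))
    print(receive(env, "bob"))    # the recipient reads it
    print(escrow_read(env))       # so does the operator
    print(audit_envelope(env))
```

The point for a reviewer is that the envelope, not the cipher, is where the story is told: a message declared to one recipient that carries two wrapped keys is the whole "blind cc", and it is visible to anyone who can inspect what the client actually transmits rather than what its screen claims.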

The AFP said that as of August this year, in Australia alone, 392 offenders had been charged in relation to the operation and over 6,600 kg of drugs and AUD $55.6 million of cash seized. Although a number of people have already been sentenced, dozens of accused people have challenged the admissibility of evidence collected via AN0M.

These defendants argue that although police had surveillance device and computer access warrants, what occurred with AN0M was actually telecommunications interception and should have been authorized with a Telecommunications (Interception and Access) Act (TIA Act) warrant.

The South Australian Court of Appeal ruled in June this year that the evidence collected during Operation Ironside was legal. Although this was a favorable decision for police, it was possible the ruling could be overturned in Australia's High Court. The full judgment delves into questions about the distinction (or not) between a smartphone, an app on that smartphone, the Android operating system, and the telecommunications system. The court ultimately ruled that copying data on a device was not the same as it being 'passed or carried' over a telecommunications system, so interception hadn't taken place.

The proposed surveillance legislation is designed to eliminate the possibility the ruling is overturned and essentially says "nothing to see here, everything is good, it was all collected under a warrant bro and no, there wasn't any interception." The bill is narrowly scoped, and applies to seven specific computer access or surveillance device AFP warrants and four specific search warrants, but applies retrospectively to all relevant civil or criminal proceedings.

Greg Barns SC of the Australian Lawyers Alliance told Seriously Risky Business the proposed surveillance bill was "extraordinary legislation." He said that "governments should not be in the business of passing retrospective legislation that undermines the rights of an accused person."

A King's Counsel we spoke to, Michael Whitten, was more philosophical. He agreed that the proposed legislation was "very unusual" but also pointed out that "the separation of powers ensures parliament supremacy when it comes to the making of laws or amending existing ones subject to constitutional limits."

When viewed from this perspective, this is just the Australian Parliament saying, "[T]he way police gathered evidence in Operation Ironside was fine." Of course, the normal course of affairs is that Parliament issues or amends laws after the court's interpretations don't match its policy direction, not before.

There is a suite of different warrants that could have been relevant to the AN0M app—surveillance device, computer access, and telecommunications interception warrants. Although the judgments in the AN0M-related court cases have been favorable to prosecutors so far, they show that the boundaries between these warrants are more ambiguous than perhaps people thought. 

Both the government and the opposition support the proposed surveillance bill, so it will likely pass and solve this ambiguity when it comes to Operation Ironside. But it is past time to make sure that the boundaries between these warrants are more clearly defined for future operations. It won't be the last time the techniques used in Ironside could be valuable.  

When Red Teamers Don't Tidy Up Afterward

The Cybersecurity and Infrastructure Security Agency (CISA) has published another sterling red team assessment report on its efforts against an unnamed U.S. critical infrastructure organization. Although CISA wasn't able to gain access via phishing (Hooray!), its team "gained initial access through a web shell left from a third party’s previous security assessment." (Doh!) To (very uncharitably) summarize the lessons learned, the organization’s leadership didn't care enough about security, its staff weren't trained or resourced to do a good job, and it didn't have enough technical controls to detect and prevent malicious activity.
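A leftover web shell from an earlier engagement is exactly the kind of artefact an integrity check against a deployment manifest catches, whatever the file contains. The block below is an added example, not code from the CISA report or the assessed organization: it walks a web root, reports script files that are not in the manifest of deployed files, files whose hash no longer matches, and manifest entries that have gone missing. The manifest format, SCRIPT_EXTS, the helper names and the constructed sample tree are all assumptions.

```python
"""Defender-side check for stray or modified script files in a web root.
Added example; the manifest format and sample tree are constructed."""
import hashlib
import os
import tempfile

# Server-side script types that should only exist if deployment put them there.
SCRIPT_EXTS = {".php", ".aspx", ".asp", ".jsp", ".jspx", ".cgi", ".pl"}


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_webroot(root: str, manifest: dict) -> list:
    """Return sorted (kind, relative_path) findings.

    kinds: 'unexpected-script' (script file not in manifest),
           'modified' (hash differs from manifest),
           'missing' (manifest entry absent on disk)."""
    findings = []
    seen = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            ext = os.path.splitext(name)[1].lower()
            if rel not in manifest:
                if ext in SCRIPT_EXTS:
                    findings.append(("unexpected-script", rel))
            elif sha256_file(full) != manifest[rel]:
                findings.append(("modified", rel))
    for rel in manifest:
        if rel not in seen:
            findings.append(("missing", rel))
    return sorted(findings)


def build_sample_webroot() -> tuple:
    """Constructed sample: a deployed app plus one stray script under uploads/."""
    root = tempfile.mkdtemp(prefix="webroot-")
    deployed = {
        "index.php": b"<?php echo 'hello'; ?>\n",
        "static/app.js": b"console.log('ok');\n",
    }
    manifest = {}
    for rel, data in deployed.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        manifest[rel] = hashlib.sha256(data).hexdigest()
    # A file left behind after a test; its contents are irrelevant to the check.
    stray = os.path.join(root, "uploads", "test-20230101.aspx")
    os.makedirs(os.path.dirname(stray), exist_ok=True)
    with open(stray, "wb") as f:
        f.write(b"placeholder contents\n")
    # A harmless non-script upload should not be reported.
    with open(os.path.join(root, "uploads", "logo.png"), "wb") as f:
        f.write(b"\x89PNG placeholder\n")
    return root, manifest


if __name__ == "__main__":
    root, manifest = build_sample_webroot()
    for kind, rel in scan_webroot(root, manifest):
        print(f"{kind}: {rel}")
```

In practice the manifest comes from the build or deployment pipeline (hashes of what was actually shipped), and the scan is run on a schedule or after any third-party engagement; the "unexpected-script" finding is the one that catches a forgotten shell regardless of how it is written, because it keys on the file's existence rather than its contents.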

In addition to a set of recommendations for network defenders within organizations, CISA notes that "insecure software is the root cause of many of these flaws and responsibility should not fall on the end user" and provides a set of recommendations for software manufacturers. These include eliminating default passwords, mandating MFA, and focusing on making systems secure by default. Other recommendations feel more ambitious, such as "embed security into product architecture throughout the entire software development lifecycle" and "design products so that the compromise of a single security control does not result in compromise of the entire system."

It's a good report, but it highlights the depth of the problem. Sigh.

Microsoft Wants Trump to Try Harder on Cyber

Brad Smith, Microsoft's vice chair and president, has told the Financial Times (republished by Ars Technica) that he hopes "the Trump administration will push harder against nation-state cyber attacks, especially from Russia and China and Iran."

"We should not tolerate the level of attacks that we are seeing today," he continued.

That's a fine sentiment, but unfortunately there is no international relations magic bullet that will solve cyber espionage or destructive military cyber operations. Our assessment is that Trump does not care about cybersecurity as an independent topic but focuses instead on bigger issues such as "competition with China." And that's about right. When it comes to state competition, cyber operations are a means to an end and not an end in themselves, so cyber is secondary in the scheme of real-world geopolitics.

Microsoft, meanwhile, might instead do well to look within. Many of the most serious state-backed cyberattacks target deficiencies in its products, and it's actually in a position to do something about that.

Three Reasons to Be Cheerful This Week:

  1. Operation Serengeti arrests 1,006: Authorities from 19 African countries have arrested over 1,000 suspects allegedly involved in a range of activities including ransomware, business email compromise, extortion, and online scams. More than 35,000 victims were identified during the operation and cases linked to more than $193 million in losses worldwide.
  2. Professional liability insurance for CISOs: Although the charges against SolarWinds CISO Timothy Brown were ultimately dismissed, it is probably a good idea to at least investigate professional liability insurance. And now it's available!
  3. U.K. to help allies with IR: The British government will launch a new capability to help partner countries deal with cyber incidents, particularly those affecting critical infrastructure. This mirrors efforts by the Australian government in the Pacific and the U.S.'s aid fund, so better late than never.

Shorts

FTC Launches Microsoft Probe

In late-breaking news, Bloomberg is reporting that the U.S. Federal Trade Commission (FTC) has opened an antitrust investigation into Microsoft. The investigation will cover Microsoft's software licensing practices, cloud computing business, cybersecurity offerings, and AI products.

Salt Typhoon Hack Turning Into A Nightmare

The more we learn about the Chinese hack of U.S. telecommunications firms, the worse it gets. Per the New York Times:

They have learned that the Chinese hackers got a nearly complete list of phone numbers the Justice Department monitors in its "lawful intercept" system, which places wiretaps on people suspected of committing crimes or spying, usually after a warrant is issued. ...
As a result, officials said, the penetration almost certainly gave China a road map to discover which of China’s spies the United States has identified and which they have missed.

When we first heard of this story, this was probably the worst-case scenario. However, there is also increasing concern that the hackers will be difficult to evict. Yikes.

You Can't Keep a Good Story Down

Reporters Without Borders has examined how interests associated with Appin, an Indian cybersecurity firm, have used legal action to shut down reporting on the company or its founder, Rajat Khare.

These actions affected Seriously Risky Business and partner Lawfare, where this newsletter is syndicated, when we wrote about the topic. The good news is that the original Reuters article we referred to, which describes how Appin alumni are involved in a number of firms in India's hack-for-hire industry, was restored online on Oct. 25 after a New Delhi court lifted its takedown order.

When Banning 2 Million Is Not Enough

Meta says it has taken down more than 2 million accounts linked to scam centers in Myanmar, Laos, Cambodia, the United Arab Emirates, and the Philippines this year. It is also rolling out protections including warnings about suspicious interactions or cold calls from people you don't know and providing contextual information about group chats you are invited to join. These efforts are good, but they are only really speed bumps for scammers. Meta notes that:

The scale and sophistication of this threat is unprecedented, with the U.S. Institute of Peace estimating that up to 300,000 people are forced into scamming others around the world by these criminal groups, with about $64 billion stolen worldwide annually as of the end of 2023.

Risky Biz Talks

In the latest "Between Two Nerds" discussion, Tom Uren and The Grugq talk about different views on attribution and why it still matters for sophisticated state-backed groups.

From Risky Biz News

Four PR firms are behind a Chinese propaganda network: Google has removed from its search and news index hundreds of domains that were operated by four Chinese-based public relations firms that published pro-People's Republic of China (PRC) propaganda to international audiences.

The companies ran two newswire services where they published articles and collectively pulled content to distribute through their own "independent" news websites. The articles were low-quality rewordings of stories from Global Times, a PRC state-controlled media outlet, designed to push China's views on various topics through smaller news sites and give the impression of mass consensus and authenticity.

News stories covered the PRC's territorial claims over the South China Sea, Taiwan, controversies over the Xinjiang region, coverage of the COVID-19 pandemic, conspiracy theories, and even ad hominem attacks targeting regime critics.

U.S. charges five Scattered Spider members: The U.S. Department of Justice has unsealed charges against five suspected members of the Scattered Spider hacking group. The five include four Americans and one British citizen:

  • Ahmed Hossam Eldin Elbadawy, 23, aka "AD," of College Station, Texas
  • Noah Michael Urban, 20, aka "Sosa" and "Elijah," of Palm Coast, Florida
  • Evans Onyeaka Osiebo, 20, of Dallas, Texas
  • Joel Martin Evans, 25, aka "joeleoli," of Jacksonville, North Carolina
  • Tyler Robert Buchanan, 22, aka "tylerb," from the United Kingdom

Three of the five are confirmed to be in custody. Evans was arrested this week, Buchanan in June, and Urban in January.

Banshee Stealer shuts down after source code leak: The developers of Banshee Stealer, an infostealer that targets macOS systems, have shut down their operation after an unidentified individual leaked their malware's source code online. The incident took place earlier this week and was announced via hacking forums and Telegram channels. The Banshee group launched its operation in August and is one of several macOS infostealers that were released this year.


Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre where he contributed to various projects including on offensive cyber capabilities, information operations, the Huawei debate in Australia and end-to-end encryption.
