
When Israeli National Security Trumps U.S. Lawsuits

Tom Uren
Friday, August 2, 2024, 12:30 PM
The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.

Published by The Lawfare Institute
in Cooperation With
Brookings

Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on news.risky.biz.

When Israeli National Security Trumps U.S. Lawsuits

An apparent leak from its Ministry of Justice suggests the Israeli government seized documents and computers from NSO Group to prevent potentially damaging material from being provided to litigants in a U.S. court case.

WhatsApp filed suit against NSO Group in 2019 after the company discovered that NSO Group had targeted about 1,400 of its users with Pegasus malware, which has been used to facilitate human rights violations around the world. WhatsApp is seeking an injunction blocking NSO Group from accessing its computer systems, which would effectively end NSO Group’s ability to target WhatsApp users.

The court process includes a formal discovery phase in which parties to a case exchange relevant information, including otherwise sensitive documents.

The Guardian examined documents from the Ministry of Justice leak relating to the WhatsApp lawsuit discovery process:

The leaked emails reviewed by the Guardian suggest that senior Israeli officials met NSO’s representatives “to discuss issues related to disclosure” a day after WhatsApp’s requests for production of documents were received by the company. …
Three days later, in mid-July 2020, Israel made a significant but secret intervention. At an urgent meeting with NSO, Israeli officials presented the company with an order issued by a Tel Aviv court granting the government powers to execute a search warrant at its office, access its internal computer systems and seize files.
The court order prohibited NSO from disclosing or transferring any documents or technical materials to “any external person or entity” without the authorisation of Israeli authorities. The order itself was also made secret; a gag order has prevented the government’s actions being made public in Israel.

The leaked documents and emails appear to have been stolen in a hack of Israel’s Ministry of Justice. Although the ministry found “no infiltration of the ministry’s systems[,]” it didn’t deny the authenticity of the documents in the leak.

A journalism nonprofit, Forbidden Stories, which collaborated with the Guardian on the story, says it was able to “confirm the main findings” regarding the seizure of documents from NSO Group “through background sources, an additional official Israeli document and forensic analysis of some of the leaked files.”

A spokesperson for the Ministry of Justice told the Guardian it “rejects the claim that it has acted in any manner as to harm or obstruct the [U.S.] legal proceedings.”

Some of the documents Forbidden Stories reviewed hint at what was at stake for the Israeli government:

Another document seen by Forbidden Stories and that seems to have been accessed by officials at the Ministry of Justice shows that in 2020, NSO’s legal team believed that sensitive documents, such as its full customer list including “U.S. customers,” contracts, or even information related to “the Jeff Bezos hack or Khashoggi killing” could be among the files that might fall under the discovery.

To be fair, that’s not to say that NSO Group actually had sensational documents relevant to those matters. But it is fair to assume that WhatsApp’s lawyers did a thorough job asking for any document that could potentially embarrass NSO Group and possibly, by extension, the Israeli government.

Forbidden Stories also found evidence that the Israeli government was involved in NSO Group’s court case. These include that the Ministry of Justice appears to have “pushed NSO to remove language from court filings that implied Israel is a customer of NSO and uses Pegasus technology,” and that government officials reviewed and suggested changes to documents authored by NSO Group lawyers before they were filed in court.

Cooperation between NSO Group and the Israeli government on a matter that could be damaging for both is not really a surprise. In 2021, the Financial Times described how the Israeli government had used NSO Group’s spyware as a “diplomatic calling card” in its regional diplomatic efforts. Haaretz reported the government also actively assisted NSO Group’s efforts to market its products in the region.

From a narrow perspective, the Israeli government document lockdown is working. Forbidden Stories points out that in a court filing this month, lawyers for WhatsApp complained about NSO Group’s “continued refusal to meaningfully participate in discovery” and said they had “yet to receive any document discovery related to the relevant spyware.” For its part, NSO Group can say that as a law-abiding company, it is merely complying with its Israeli legal obligations.

It’s worth keeping in mind that the seizure of NSO Group documents and computers occurred in 2020, before the Pegasus Project in July 2021 published a stream of stories about how Pegasus spyware was being used to facilitate human rights abuses. In November 2021, the U.S. placed NSO Group on an export control list and we wrote that the Israeli government had to decide what it valued more—its relationship with the U.S. or the benefits it gained from playing fast and loose with cyber espionage capabilities.

In 2020, protecting its reputation by preventing documents from being handed over to a U.S. court process might have seemed like an easy win for the Israeli government. In today’s world, however, hiding those documents comes with a cost. It destroys whatever shred of credibility the Israeli government has left as a responsible regulator of a spyware export industry.

Good News! Election Interference Gets Professional

U.S. intelligence officials warned this week that foreign actors are targeting the upcoming U.S. presidential elections and will adjust their tactics as the campaign develops.

The media briefing on election interference was accompanied on the same day by the release of an election security update from the Office of the Director of National Intelligence (ODNI).

Much of the briefing and update is unsurprising. Loosely paraphrasing, Iran hates Trump and the Republicans, Russia loves them, while China would so far rather just sow division instead of getting down and dirty in the election itself. The ODNI describes Russia as the “predominant threat to U.S. elections.”

All this is more or less “business as usual” nowadays.

However, one notable shift the ODNI reports is that:

Foreign actors are turning to commercial firms, such as marketing and public relations companies, to leverage these firms’ expertise in communications, technical sophistication, and to complicate attribution. These firms offer foreign states and other political actors an array of potential services and are often able to operate more nimbly and with fewer bureaucratic hurdles than government entities.

The ODNI says Moscow is using Russia-based influence-for-hire firms while the Chinese government has collaborated with China-based technology companies.

Although it sounds worrying, we are interpreting this as good news.

When it comes to U.S. presidential elections, money is the name of the game, and the price of entry is very, very high.

Open Secrets, a nonprofit that tracks money in politics, says that $5.7 billion of legitimate money was spent on the presidential race in 2020, with another $8.7 billion spent on congressional races, for a whopping $14.4 billion in total. The Biden and Trump campaigns raised over $1 billion and $774 million, respectively.

Open Secrets says that candidates Hillary Clinton and Donald Trump raised nearly $1 billion between the two of them in the 2016 election. By comparison, the Internet Research Agency (IRA), the Russian “troll farm” that engaged in election interference in that year’s presidential election, had a budget of $1.25 million per month in the lead-up to Election Day. That’s a drop in the ocean compared to the legitimate domestic spending on campaigns.

Of course, money isn’t everything. U.S. authorities still need to be on the lookout for tactics that aren’t available to legitimate influence actors, like hack and leak campaigns, as does the mainstream media.

In our view, engaging commercial services is a tacit admission that state-backed interference efforts haven’t had a huge impact, so this is fundamentally a good news story!

Three Reasons to Be Cheerful This Week:

  1. Removing the PlugX botnet one country at a time: French authorities have taken up the offer from French security firm Sekoia to “disinfect” PlugX malware from infected computers in France. Sekoia discovered it could send commands to remove the malware from affected computers after it sinkholed the worm version of PlugX in September last year. The number of infections is potentially large: around 100,000 unique IP addresses contact the sinkhole daily.
  2. Financial sextortion takedowns: Meta announced that it had taken down 63,000 Instagram accounts in Nigeria targeting people with financial sextortion scams. It also took down associated Facebook assets in Nigeria, including 5,700 groups and 1,300 accounts.
  3. More malware scanning in Chrome: Google has announced changes to how Chrome scans potentially malicious downloads. For users who have opted in to Chrome’s Enhanced Protection mode, what Google calls “deep scans” now apply by default, and Chrome will also prompt these users for the passwords of encrypted archives they download so that Google can scan the contents. Malware authors often distribute their software to potential victims in password-protected archives to prevent scanning, and in these cases the password is supplied alongside the archive, for example on the same page or in the file name. Makes sense to us, so we are bemused that this is controversial on Ars Technica.
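The password-in-the-file-name trick in item 3 has a straightforward defensive counterpart: collect the password hints that travel with a download and try them before declaring the archive unscannable. The Python below is an added example, not code from Google, Chrome or this newsletter, and it illustrates the idea rather than Chrome's implementation. Part 1 exists only to construct a sample input (the standard library reads ZipCrypto archives but cannot write them, so a small encryptor and a hand-built single-member archive are included). Part 2 is the scan: it reads the archive's encryption flag, derives candidate passwords from the file name and the page text with an assumed heuristic regex, tries each candidate in turn, and hashes and flags the members it can open. The file name, page text, payload and password are all constructed for the demonstration.

```python
import hashlib
import io
import re
import struct
import zipfile
import zlib

# Part 1: constructed sample. zipfile can read but not write ZipCrypto
# (traditional PKWARE) encryption, so a minimal encryptor and a hand-built
# single-member archive manufacture the scanner's input.

def _raw_crc_update(crc, b):
    # One table step of the CRC-32 register, expressed through zlib.
    return zlib.crc32(bytes([b]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

class ZipCryptoEncryptor:
    """Mirror image of zipfile's decrypter: keys advance on plaintext bytes."""

    def __init__(self, password):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, b):
        k = self.k
        k[0] = _raw_crc_update(k[0], b)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _raw_crc_update(k[2], k[1] >> 24)

    def encrypt(self, data):
        out = bytearray()
        for b in data:
            t = (self.k[2] | 2) & 0xFFFF
            out.append(b ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(b)
        return bytes(out)

def build_encrypted_zip(member, data, password):
    """Single 'stored' member with the encryption flag (bit 0) set."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    enc = ZipCryptoEncryptor(password)
    # 12-byte encryption header: filler plus the CRC's high byte, which
    # readers use as a cheap password check before decrypting the body.
    body = enc.encrypt(bytes(range(1, 12)) + bytes([crc >> 24])) + enc.encrypt(data)
    name = member.encode("ascii")
    t, d = 25536, 22786  # DOS time/date: 12:30:00 on 2024-08-02
    local = struct.pack("<4s5H3I2H", b"PK\x03\x04", 20, 1, 0, t, d,
                        crc, len(body), len(data), len(name), 0) + name
    central = struct.pack("<4s6H3I5H2I", b"PK\x01\x02", 20, 20, 1, 0, t, d,
                          crc, len(body), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4s4H2IH", b"PK\x05\x06", 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd

# Part 2: the scan. Recover password hints from the file name and the page the
# download came from, try them in order, and report on what the archive holds.

# Assumed heuristic: "pass"/"password"/"pwd"/"pw", an optional separator, then
# a run of password-looking characters, e.g. "Invoice_pw_2024.zip", "Password: X".
_PASSWORD_HINT = re.compile(
    r"(?:pass(?:word)?|pwd|pw)[\s:=_-]*([A-Za-z0-9!@#$%^&*]+)", re.I)

def candidate_passwords(filename, page_text=""):
    found = []
    for text in (filename, page_text):
        for m in _PASSWORD_HINT.finditer(text):
            if m.group(1) not in found:
                found.append(m.group(1))
    return found

def scan_archive(zip_bytes, filename, page_text=""):
    report = {"encrypted": False, "password": None, "members": {}}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        report["encrypted"] = any(zi.flag_bits & 0x1 for zi in infos)
        hints = candidate_passwords(filename, page_text) if report["encrypted"] else [""]
        for hint in hints:
            try:
                members = {}
                for zi in infos:
                    with zf.open(zi, pwd=hint.encode() or None) as fh:
                        data = fh.read()
                    members[zi.filename] = {
                        "size": len(data),
                        "sha256": hashlib.sha256(data).hexdigest(),
                        "pe_header": data[:2] == b"MZ",  # executable inside?
                    }
            except (RuntimeError, zipfile.BadZipFile):
                continue  # check byte or CRC mismatch: wrong hint, try the next
            report.update(password=hint or None, members=members)
            break
    return report

# Constructed sample: an "MZ"-prefixed stand-in for an executable, packed with
# a password that appears only in the page text, not in the file name.
SAMPLE_PAYLOAD = b"MZ" + b"constructed stand-in for an executable, not real code"
SAMPLE_FILENAME = "Invoice_July_pw_2024.zip"
SAMPLE_PAGE_TEXT = "Your invoice is attached. Password: Inv0ice!"
SAMPLE_ZIP = build_encrypted_zip("invoice.exe", SAMPLE_PAYLOAD, b"Inv0ice!")
EXPECTED_SHA256 = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()
```

Import the module and call `scan_archive(SAMPLE_ZIP, SAMPLE_FILENAME, SAMPLE_PAGE_TEXT)`; the report names the hint that worked and the hash of each member. The file-name hint “2024” is wrong here and the page-text hint is right, which exercises the failure mode a real scanner has to handle: a bad password surfaces either at the 12-byte check byte or, about one time in 256, only at the CRC, and both must be treated as “try the next hint” rather than “the archive is unreadable”.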

Shorts

Defense: Yes, We Were Vaccine Pricks

The U.S. Department of Defense has admitted to the Philippines government that it made “some missteps” in its coronavirus-related messaging. It’s not quite an apology, but well, it’s better than nothing and the U.S. says it “has vastly improved oversight and accountability of information operations” since then.

A Reuters investigation published in June reported that the Defense Department launched an operation to discredit Chinese coronavirus vaccines during 2020 and 2021. The operation was launched as a response to Chinese efforts claiming that the coronavirus originated in a U.S. Army research facility.

Recruiting Gets Riskier

U.S. security firm KnowBe4 has published an incident report explaining how it was duped into hiring a North Korean information technology worker into a software engineer role:

We posted the job, received resumes, conducted interviews, performed background checks, verified references, and hired the person. We sent them their Mac workstation, and the moment it was received, it immediately started to load malware.

The fake worker actually made his way through four separate video conference interviews that confirmed the potential employee matched the photo provided in his application. The report has some prevention tips including not relying on email references only and getting applicants to talk about the work they are doing over video.

Infostealer 101

Wired has a good explainer on infostealer malware and its current impact on the entire cybercrime ecosystem.

Risky Biz Talks

In the latest “Between Two Nerds” discussion, Tom Uren and The Grugq discuss what the widespread disruption caused by CrowdStrike’s faulty update tells us about how useful cyber operations are for war.

From Risky Biz News:

NVD backlog unlikely to get addressed by September: New numbers released at the end of last week suggest that the National Institute of Standards and Technology (NIST) is unlikely to make any significant progress in addressing a backlog of unprocessed vulnerabilities at the National Vulnerability Database (NVD).

The backlog began in February when NIST analysts slowed down the rate at which they were processing and enriching NVD entries, releasing many common vulnerabilities and exposures (CVEs) with little to no information about the nature of the security flaw, severity scores, and fixed or vulnerable software versions.

The slowdown had a major impact on the vulnerability management section of the cybersecurity community, which was relying on these entries to help inform customers about which bugs to patch first.

[more on Risky Business News]

AMI Platform Key leak undermines Secure Boot on 800+ PC models: The Secure Boot system on more than 800 motherboard models across 10 different vendors is basically useless now after an extremely sensitive cryptographic key was accidentally leaked online last year.

The key was leaked via a now-removed GitHub repository in 2023 and discovered earlier this year by firmware security firm Binarly.

It allegedly came from an (unnamed) original device manufacturer (ODM), which in turn received it from American Megatrends International (AMI), a company known for developing BIOS/UEFI products.

Binarly named the entire event PKfail because the leaked key was a platform key (PK), one of the most important cryptographic keys that can reside on a computer.

[more on Risky Business News, including how Secure Boot is meant to work and how this incident undermines security for a significant percentage of PCs]

New DNS attack impacts a quarter of all open DNS resolvers: A team of Chinese academics has discovered a new type of DNS attack that impacts almost a quarter of all open DNS resolvers running on the internet.

Named TuDoor, the attack uses malformed DNS packets to trigger logic errors inside DNS software. The attack specifically targets the part of the DNS resolver that prepares DNS responses for user queries.

Academics say they can use a quick succession of malformed packets to poison a DNS resolver’s cache, cause a denial of service, or increase a server’s resource consumption.

[more on Risky Business News]


Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre where he contributed to various projects including on offensive cyber capabilities, information operations, the Huawei debate in Australia and end-to-end encryption.
