Cyberwar, Cyber Crime, and American Freedom

[Crafty_Dog]

https://www.foxbusiness.com/politics/microsoft-exec-details-frightening-doj-abuse-of-secret-requests-for-americans-data-in-hearing?fbclid=IwAR0Jvst44hgpX_qmKHxOo3hHsspQE-RoTTPZ6xIxj6t-oPCxkUg1jsh6R8Q

[Crafty_Dog]

Crime and Technology, Part I: Secure Communication Platforms

undefined and Global Security Analyst
Ben West
Global Security Analyst, Stratfor
15 MIN READJun 30, 2021 | 10:00 GMT






(Shutterstock)

Editor's Note: Criminals have always been relatively quick to adopt new technology. From bootleggers assembling fleets of motorized vehicles in the 1930s for the transport of illegal alcohol to drug traffickers exploiting commercial airliners to transport cocaine from South America in the 1960s, technology has always created opportunities for criminals. The current era is no exception, and criminals are quickly adopting technology to help them communicate in secrecy, sell their illicit wares in virtual marketplaces, and send and receive payments through new forms of currency. The technologies are helping criminal organizations conduct traditional activities (such as drug trafficking) more efficiently and creating entirely new fields of criminal activity, such as ransomware attacks and off-the-shelf tools to facilitate cyberattacks.

But with new technology comes new vulnerabilities, and law enforcement agencies around the world are demonstrating that they can also harness the efficiencies of new technology to counter criminal activity. In this three-part series on crime and technology, we will explore how criminals are adopting new forms of communication to coordinate criminal activity, new marketplaces for selling illicit wares and new ways to facilitate payments that cater to a more virtual market. Each analysis will explore how criminals use the technology in question, how it makes them vulnerable to detection and what to expect in the future. First, we consider how criminals use secure communication platforms to coordinate activity across organizations and around the world, and how those same platforms can make them vulnerable.

Secure, private communications platforms are proliferating as more people around the world seek out ways to stay connected to others while also being discreet about what information they share with whom. Every week seemingly brings new revelations about ostensibly private information being compromised in a data breach, hostile cyberattack, government surveillance operation or from private companies gleaning personal details about their users. Concern for privacy has driven demand for mainstream platforms like WhatsApp and iMessage, which allow individuals and groups to share information through encrypted channels. Encrypted messaging platforms are attractive in business and commercial dealings, allowing users to hash out details on a transaction, share invoices and arrange transfers of goods and services in a convenient and relatively secure fashion.

The privacy provided by mainstream services like WhatsApp and iMessage is not sacrosanct. Such platforms are operated by major companies — in these cases, Facebook and Apple, respectively — that fall under U.S. legal jurisdiction. If law enforcement authorities have reason to suspect individuals are conducting illegal activity on the messaging platforms, they can file requests for information with the company in order to get details that could facilitate legal charges and arrests. While companies tout the privacy provided by their products, they also have a reputation to uphold and would not benefit from being associated with drug trafficking, child pornography, threats of violence or other illicit activities. In short, there is a limit to the privacy large companies tolerate on their services.

Just as encrypted messaging services benefit legitimate business and commercial activity, criminal and terrorist groups also stand to gain from them. Public debate over the legality of encrypted communications and secure electronic devices accelerated after the 2015 San Bernardino terrorist attack, when a husband and wife team slew 14 people before law enforcement killed them. Despite law enforcement appeals to Apple to help them unlock an iPhone belonging to one of the attackers, Apple refused, arguing that it would not compromise user privacy to help with the investigation. The FBI eventually gained access to the phone with the help of a third party.

The San Bernardino attack and resulting investigation elevated public awareness of encryption and the limits of personal privacy on electronic devices. Even though Apple held its ground on protecting user privacy, it became clear that U.S. authorities had legal avenues to try to compel compliance and/or break the encryption that supported that privacy. This development accelerated criminals' adoption of more niche apps and services to ensure security and privacy above and beyond the encrypted messaging service apps widely used by the general public.

How Criminals Use Encrypted Communication Tech
Criminals undoubtedly continue to use mainstream communication platforms, despite the security vulnerabilities, because they are cheap, easy to access and allow them to communicate with a wide audience. As of May 2021, WhatsApp had 2.5 billion users in over 100 countries, making it the most used encrypted communications app in the world. There are an estimated 1.3 billion active iMessage users; another popular encrypted messaging app, Telegram, has 500 million users. Criminals have exploited the huge markets they can access through popular messaging services to sell their illicit products.

A research group affiliated with Norton Cybersecurity published a report in 2021 outlining how criminals use Telegram to sell everything from counterfeit documents to personally identifiable information to cyber malware that facilitates online criminal activity such as distributed denial of service and ransomware attacks.
A federal investigation in 2020 dismantled an opioid and fentanyl trafficking operation on the East Coast that at least partially relied on iMessages for coordination.
In 2019, Insight Crime reported that street gangs in Mexico were using WhatsApp to advertise drug sales, list prices, availability and arrange delivery.
As demonstrated in the examples above, despite these apps' heightened privacy settings due to encryption, criminal activity is still fairly easily discoverable — by both independent researchers and legal authorities. Because apps like WhatsApp and iMessage are widely available, criminal actors conducting illegal activities over the platforms can never really be sure of who they are dealing with: police officers can pose as buyers or business partners on messaging apps more easily than they can in the physical world.

In order to provide a deeper level of security, a new group of encrypted messaging services has emerged over the past five years. Such services do not aim to be the next WhatsApp, iMessage or even Telegram, but instead, they work to remain unknown except to the small number of people who use them. Since 2018, law enforcement agencies have taken down three such services: Phantom Secure, EncroChat and Sky Global. They have all followed similar strategies to provide next-level security in electronic communications. Services used widely available electronic devices, stripped them down to only the most essential components (removing cameras, microphones, GPS devices or other components that could jeopardize the user's security) and installed a single app on the phone that only allowed the user to communicate with people who also had access to that app. The encryption technology behind the app itself wasn't necessarily new, but rather the single-purpose nature of the app and the device that hosted it that ensured communications remained isolated from other services that could compromise the user's security. The services also offered a feature that would destroy past messages and even shut down individual devices should they be seized or otherwise compromised. By sandboxing the service on a dedicated device and only allowing users to communicate with other users, these encrypted messaging platforms provided increased operational security.

While the services ostensibly helped business executives and celebrities ensure discretion in business dealings and/or personal matters, they were immensely popular with criminals. The messaging services' aggressive security features offered criminals a sense of comfort, leading them to discuss details of drug sales and shipments in plain terms instead of code. For example, British investigators charged a former Royal Marine with drug trafficking after intercepting messages from his EncroChat account openly discussing the price and delivery methods of marijuana, MDMA, heroin and other drugs, as well as pictures of the shipments to offer potential buyers proof of quality. The criminal activity wasn't just limited to drug trafficking — police accused Phantom Secure users of attempting to organize murders on the platform. Based on investigations into the services mentioned above, police were able to identify dozens of drug labs, interdict tons of drugs, seize illegal weapons and ultimately arrest thousands of criminals.

It is important to note that the enhanced security messaging platforms were primarily used to facilitate wholesale drug sales and shipments between criminal organizations. They are not practical when it comes to retail drug sales due to the limited number of users. Compared to the billions of users on mainstream messaging services such as WhatsApp, iMessage and Telegram, niche platforms like Phantom Secure, EncroChat and Sky Global measured their users in the tens of thousands. They were still, however, very successful financially. Each device cost several thousand dollars and access to the niche encrypted messaging services cost upward of $1,000 per month. One of the first companies discovered to be involved in such a business, Phantom Secure, earned an estimated $80 million in revenue over 10 years in business. When it comes to encrypted communications platforms, bigger is not always better. And based on the financial success of past companies in the market, more are sure to follow.

How Encrypted Communication Tech Has Made Criminals Vulnerable to Detection
All of the advantages of niche encrypted communications platforms have come at the price of increased police scrutiny and surveillance. The fact that the public is aware of companies like Phantom Secure, EncroChat and Sky Global is the first indication that their encrypted messaging platforms were not as secure as advertised. Phantom Secure collapsed after the FBI arrested its owner, Vincent Ramos, in 2018 for knowingly facilitating criminal activity. EncroChat shut down its services in 2020 after learning that French police were monitoring its servers and collecting intelligence on criminal communications on the platform. In early 2021, European authorities gained access to Sky Global's secure network and monitored the activity of 70,000 users before shutting the operation down.

The key vulnerability of these services is that they depended on servers to handle the encrypted traffic and make sure messages go where they are supposed to go. In all three cases, police found out about the services when they noticed suspected criminals carrying unusual electronic devices. Collecting evidence on individuals typically gives law enforcement agencies leverage over them that they use to turn suspects into informants, which can lead to further evidence and arrests. Investigators were eventually able to trace down the servers that supported those devices. When those servers are physically located in a law enforcement agency's jurisdiction — or that of a partner country — authorities can get legal approval to search or monitor those servers. Once investigators have access to the servers, they can intercept messages and start collecting evidence to make arrests. As demonstrated in the 2015 San Bernardino case, it is possible to break encryption, and law enforcement agencies appear to have been able to do that based on their access to plain text messages and images shared on the platforms.

A Timeline of Operation Trojan Shield
In the most recent case of police targeting criminal communication networks, authorities expanded their access from the servers to the devices themselves. In early June, police agencies around the world started announcing arrests linked to Operation Trojan Shield, a two-yearslong sting operation that tricked criminals into using supposedly the latest and greatest encrypted messaging service, called "Anom." While the devices followed similar protocols as their predecessors — stripped down handsets whose sole function was to send and receive secure texts through an app disguised as a calculator — there was one major, critical difference: Law enforcement authorities had inserted code into the messaging program that forwarded an unencrypted copy of all messages to a server they controlled. Over two years, the devices acted as honey pots to attract nearly 12,000 criminal actors around the world, yielding 20 million individual messages that authorities used to eventually arrest 800 people and counting.

The success of the operation relied on access to networks of criminals just as much as the piece of code that forwarded copies of all the messages. The FBI was able to carry out the operation by recruiting a confidential human source who had worked on the development of the Phantom Secure service. After the arrest of Vincent Ramos and the collapse of Phantom Secure in 2018, the CHS began developing the next-generation niche encrypted messaging service when the FBI arrested him. They worked out an arrangement whereby the confidential human source would continue with his plans to launch a new encrypted messaging service, but he would include the tracking code on devices and ship them out to criminals in order to help police monitor criminal activity. Having been closely involved in the success of Phantom Secure, the confidential human source not only had the technical expertise, but also the reputation and credibility within criminal organizations around the world so that when he sent out a device, they trusted him. As mentioned above, niche encrypted messaging services cannot become successful the same way mainstream services can through market saturation and scale. Instead, discretion and exclusivity are essential, and the confidential human source was able to convince his contacts that the devices he provided were secure and private.

A Chart Comparing Criminal-Linked Encrypted Messaging Services
While Operation Trojan Shield posted impressive figures when it comes to geographic scope, number of arrests, and seized criminal assets, perhaps its largest impact was on the credibility of niche encrypted messaging services — at least in the immediate future. In announcing the culmination of Operation Trojan Shield in early June, the FBI specifically noted that one of the objectives of the effort was to "shake the confidence in" messaging services catering to criminal actors. The success of this sting operation means that at least some criminal actors will be more cautious when it comes to adopting encrypted communications services moving forward. The next generations of service providers will face a considerable challenge in convincing users that their devices are secure following Operation Trojan Shield. Creating mistrust in the criminal world will make it that much harder to organize drug shipments, share intelligence or discuss other criminal matters openly. Any degradation in criminal communication networks makes them less efficient, less profitable and less able to expand operations in the near future. That said, at some point, this disruptive impact will wear off and, in the long run, Operation Trojan Shield and other similar law enforcement efforts targeting encrypted messaging services are unlikely to severely hamper global criminal activities as criminals adapt and adopt new communications practices.

What Lies Ahead for Secure Criminal Communications
The demand for secure communications reaches far beyond just criminal organizations and, given the success (albeit short term) of previous niche encrypted messaging platforms, more will certainly come. Legitimate businesses and multinational corporations want to be able to communicate without jeopardizing key technology or business decisions, celebrities and high-profile individuals similarly want to be able to discuss personal matters without it leaking to the public, and security-conscious individuals, in general, want to be able to communicate without having their information harvested and sold to marketers. To that end, researchers are constantly working on new technology and companies are constantly providing new services that offer secure, encrypted communications.

An Explainer of Block Chain Technology
One of those emerging technologies is blockchain messaging, which uses the same technology behind cryptocurrencies to send and receive secure messages. Proposed designs would mean that only users of the devices sending and receiving the messages would be able to view them. Network administrators, the messaging company providing the service and outside law enforcement investigators would not be able to intercept messages outside of the devices approved to view the messages — at least not without tipping off the author and recipient of the message.

An Explainer on Validating Blockchain Requests
The challenge of offering such a service in the long term is figuring out how to prevent it from becoming corrupted by criminals or terrorists. Police will eventually find out about communication services that facilitate criminal activity and the moment of truth would arrive for any such company when put in the position of either cooperating with authorities or resisting. Cooperating with authorities would cost a company its criminal clientele and resisting would likely result in criminal charges and a service shutdown.

One outcome could be that state-backed criminals facilitate encrypted communication platforms by hosting servers and other critical infrastructure in more permissive environments out of reach of foreign law enforcement agencies. This outcome would acknowledge that communication security is not so much a question of encryption technology, but the physical location of servers that support the service. Countries like Russia and North Korea have been known to tolerate and even support criminal activity so long as it targets their internal political rivals or external enemies and does not challenge their own political power.

Another outcome might be just to continue the cat-and-mouse game with police, where criminals and service providers accept a high rate of turnover in the development of new encrypted messaging apps (along with the risk of arrest) as the cost of doing business. New services will surface and shut down in the face of law enforcement scrutiny only to reemerge in different forms in an ever-repeating cycle.

Criminal organizations have immense access to resources and an even greater demand for secrecy in their daily operations. These two forces will ensure that secure communication services will run the risk of attracting a criminal clientele and that some companies will even cater to criminals in ways that help them avoid law enforcement detection. But just as these dynamics are inevitable, so it is that law enforcement agencies will continue to find ways into ostensibly secure platforms to identify and ultimately disrupt their users. This same process plays out in the shadowy world of online criminal marketplaces, which we will discuss in part two of this series.

Next: New Marketplaces for Selling Illicit Wares

[Crafty_Dog]

https://www.washingtontimes.com/news/2021/jul/18/reminiscent-obama-administration-cyberattackers-ig/?utm_source=Boomtrain&utm_medium=subscriber&utm_campaign=morning&utm_term=newsletter&utm_content=morning&bt_ee=l3UffOiRReaQV5y68p%2FADHEEkHieTMOA6iOCiYq7ueoI7P9YIZcburyneN21VsEM&bt_ts=1626687942743

[Crafty_Dog]

Accusations against China. A cybersecurity coalition involving NATO member states, the EU, Australia, New Zealand and Japan launched Monday. In its first joint action, the bloc accused China’s Ministry of State Security of collaborating with criminal organizations to conduct a slew of cyberattacks, including one targeting Microsoft that came to light in March. The Biden administration appears to be behind the campaign, releasing a trove of details about the allegations. The European Council said it backs the U.S. accusations.

[Crafty_Dog]

https://www.washingtontimes.com/news/2021/jul/21/criminal-contract-hackers-china-iran-russia-enlist/?utm_source=Boomtrain&utm_medium=subscriber&utm_campaign=newsalert&utm_content=newsalert&utm_term=newsalert&bt_ee=mv33%2FSmcuMc62cnUvKXA%2BspwvcVXn9MM3Cs9HglAMjfMKeUi3Av0584YRYKvCM9r&bt_ts=1626876493628

[Crafty_Dog]

Tough Biden Talk, Little Action
On Nord Stream and Chinese hacking, a message of weakness.
By The Editorial Board
July 21, 2021 6:42 pm ET


President Joe Biden speaks as Secretary of State Antony Blinken, left, listens during a cabinet meeting at the White House in Washington, D.C., U.S., on Tuesday, July 20, 2021.
PHOTO: AL DRAGO - POOL VIA CNP/ZUMA PRESS

A troubling pattern is emerging in President Biden’s foreign policy: Officials talk tough—then follow up with diplomacy that amounts to little. Two examples this week—on Chinese hacking and Russia’s Nord Stream 2 pipeline—underscore the point.


Barack Obama and Donald Trump opposed the $11 billion Nord Stream pipeline, which could double the amount of natural gas exported directly to Germany from Russia. But the Biden Administration has now blessed the project’s completion, handing Vladimir Putin a major strategic victory at the expense of Ukraine and Europe’s energy independence.

The White House says the pipeline was inevitable and improving America’s relationship with the Germans should come first. But the deal with Germany is embarrassing in its weakness. In a joint U.S.-German statement on Wednesday, Berlin pledges to impose sanctions in the future “should Russia attempt to use energy as a weapon or commit further aggressive acts against Ukraine.” We can hear them laughing in the Kremlin at that one.

The deal won’t go down well in Kyiv, which is struggling against Russian assaults on its territory. The country is set to lose billions in transit fees as Russian natural gas is diverted from routes that run through Ukraine. But at least “Germany commits to establish and administer a Green Fund for Ukraine to support Ukraine’s energy transition, energy efficiency, and energy security,” according to the joint statement. The U.S. and Germany say they’ll ask Russia to keep paying Ukraine. Are they kidding?

Giving a revisionist power more influence over Europe’s economy doesn’t help U.S. interests. The big win for Russian gas also comes as the Administration moves to restrict fossil-fuel production in the U.S. Angela Merkel, who negotiated the deal with President Biden, soon won’t even be Chancellor.

***

Meanwhile, on Monday the Administration called out China for cyber attacks and was joined by the European Union, NATO, the United Kingdom, Canada, Australia, New Zealand and Japan. Secretary of State Antony Blinken said “the United States and countries around the world are holding the People’s Republic of China (PRC) accountable for its pattern of irresponsible, disruptive, and destabilizing behavior in cyberspace, which poses a major threat to our economic and national security.”

Accountable how? The allied powers announced no sanctions or other repercussions. A coalition against Chinese cyber attacks is nice, but not if the result is a lowest-common-denominator response—i.e., nothing. Beijing may conclude that harsh words are all the U.S. can unite its allies behind.

Mr. Blinken also confirmed this week that “cyber actors affiliated with” China’s Ministry of State Security had conducted a “massive cyber espionage operation” earlier this year that “indiscriminately compromised thousands of computers and networks.”

He’s referring to an attack on entities that ran their on-premise email server through Microsoft Exchange. The Chinese hackers gained access to users’ email correspondence, attachments and contacts, then launched attacks that could compromise the organization’s networks and computer systems, says Steven Adair, president of the cyber security firm Volexity, which was among the first to detect the breach.

The hackers focused on traditional espionage targets, then broadened their efforts to include others in the private and public sectors, nonprofits and academia. The State Department confirms the operation “gave Chinese intelligence services the ability to access and spy on or potentially disrupt tens of thousands of computer systems worldwide.”

The U.S. response this past week was to unseal an indictment against four Chinese citizens involved in another hacking campaign. The feds say that from 2011 to “at least” 2018, a provincial arm of the Ministry of State Security set up a front company that stole intellectual property, trade secrets, and other confidential information “from companies and universities involved in virus and vaccine research of the Ebola virus,” among other topics.


Alas, all four are “nationals and residents” of China, and unlikely to be extradited, so the indictment’s utility as a deterrent is symbolic. Oh, and State did announce a reward of up to $10 million for information to identify cyber criminals who target the U.S. for a foreign government. No doubt that will impress the hard men at Zhongnanhai.

Biden officials, including the President, believe in the power of diplomacy almost for its own sake. But diplomacy that yields only talk achieves nothing against determined adversaries with malign intentions.

[ccp]

"Tough Biden Talk, Little Action"

threaten to tell the teacher on China ->. " we are going to discuss this with our friends and allies"

threaten to make them go stand in the corner ->. " we are going to threaten sanctions"

This was the Democrats foreign policy concerning  adversaries ( Hillary would repeat this like a broken memorized record every time)

[DougMacG]

Projecting American weakness to our enemies is a feature, not a bug, of their plan.

These are not Henry Scoop Jackson Democrats running our country.
https://en.wikipedia.org/wiki/Henry_M._Jackson

Come election time, how do they defend stopping a pipeline of energy for Americans while giving the Russian German one their blessing?

[Crafty_Dog]

Back when his name was being mentioned as a possible presidential nominee, my father sat next to him at some fund raiser dinner.

"Not bright enough" was my dad's assessment.

[Crafty_Dog]

https://www.defenseone.com/ideas/2021/07/what-chinas-vast-new-cybersecurity-center-tells-us-about-beijings-ambitions/183933/

[Crafty_Dog]

Dark Territory: The Secret History of Cyber War
By Fred Kaplan

A reader recommended Fred Kaplan's “Dark Territory: The Secret History of Cyber War” to me, and it turned out to be a timely suggestion. The book, which lays out an in-depth history of U.S. cyber policies dating back to just about as soon as Washington realized that with the great potential of the internet also came great peril, hits on a couple of repeated themes. One is the perhaps inevitable struggle to get the folks in charge to take cyber seriously. Computer stuff is complicated, after all, and path dependencies are enormously difficult for institutions to break. So time and again, it came down to a handful of figures who were astute enough to grasp the fantastic and fraught security environment that was emerging – and who happened to have the necessary bureaucratic knife-fighting chops – to get the machinery of government moving in a constructive direction. One maneuver in particular pulled off by former National Security Agency director and LBJ School of Public Affairs professor Adm. Bobby Inman will be studied in elite policy schools for a century to come. Another theme is the constant rediscovery that defense is much harder than offense – and that offensive cyber capabilities that the U.S. pioneered can be assumed to eventually land in the hands of potential adversaries.

These themes remain in play today. It's no longer necessary to persuade anyone in power that cyberattacks could be extraordinarily destructive, of course. But there still often seems to be a lack of appreciation for the true scale of destruction that's possible as the emerging technologies become integrated with nearly every dimension of U.S. vitality – as well as the near-impossibility of defensive innovations keeping pace with the offensive realm.

There are signs that a paradigm shift in D.C. has taken root, thanks to myriad high-profile attacks ranging from whatever Russia was up to in the 2016 election to the brief crippling of the Colonial Pipeline this spring. The new U.S.-led cybersecurity coalition involving dozens of allied countries shouldn't be sniffed at. But the reality is: It's easier than ever for state and non-state adversaries alike to do severe, tangible damage to U.S. infrastructure and myriad other critical systems without resorting to conventional weapons – to say nothing of threats to data, trade secrets, intellectual property, the information domain and so forth. This is leveling the balance of power and creating a new form of mutually assured destruction, the logic of which needs to be explored.

Phillip Orchard, analyst

A referral is the best compliment.
Feel free to forward this email to friends and colleagues.

Share this article on Facebook

 

[Crafty_Dog]

https://www.youtube.com/watch?v=tSuCuoQxI20&t=3s

[ccp]

https://www.nationalreview.com/magazine/2021/08/16/defense-threats-in-cyberspace/?utm_source=recirc-desktop&utm_medium=homepage&utm_campaign=river&utm_content=featured-content-trending&utm_term=second

[Crafty_Dog]

https://michaelyon.locals.com/upost/1008109/new-war-begins

[Crafty_Dog]

ON GEOPOLITICS
Cyber Diplomacy Arrives at Another Fork in the Road

undefined and Senior Global Analyst
Matthew Bey
Senior Global Analyst, Stratfor
14 MIN READSep 2, 2021 | 16:56 GMT






(Shutterstock)

My colleague recently wrote that ransomware has so far undoubtedly been the “defining cyber threat” of 2021. I agree with that assessment, given the onslaught of major ransomware attacks we’ve seen this year. But it’s also important to note that there’s been meaningful progress in U.N. negotiations on cyberspace — much to the surprise of many observers, including myself.

In March, the Russia-backed Open-Ended Working Group (OEWG) reached a cybersecurity agreement reaffirming 11 non-binding norms for state-sponsored cyber activity. And then two months later, the U.S.-backed Group of Governmental Experts (GGE) followed suit. Merely reaffirming those norms, which were first established in 2015, may seem like only modest progress. The agreements, however, not only come after the GGE failed to reach a similar deal in 2017, but in the wake of several high-profile cyberattacks — including the SolarWinds, Microsoft Exchange and Colonial Pipeline hacks.

That said, fundamental differences in opinions and priorities between countries remain on what kind of cyber activities should be regulated and how. The diplomatic path forward for future rounds of international negotiations is also unclear, with the United States wanting to enforce current U.N. agreements as Russia proposes more. Thus, despite the progress seen so far this year, the chances of the world not only agreeing, but adhering, to a single set of ground rules are slim at best — with a future of fragmented internet policies still the most likely outcome.

The Core of the Cyber Divide: Sovereignty vs. Privacy

Russia, China and the United States have long had opposing views on cyberspace. From Russia’s perspective, most information technologies (including software and hardware) have been developed by the United States and its allies, giving Washington and Moscow’s other rivals in the West a clear advantage in cyber capabilities. For this reason, Russia — along with fellow U.S. adversaries like China, Cuba and Iran — wants to use cyber arms control and negotiations as a way to limit what the United States and its allies can do. And these concerns have only been hardened in recent years following  Edward Snowden’s revelations about the U.S. National Security Agency’s reach, as well as the United States and Israel’s successful deployment of the Stuxnet worm against Iran’s nuclear program.

Russia has wanted to prioritize negotiations around what it has recently come to define as the “national security” of its “information sphere,” as outlined in its 2016 Information Security Doctrine. Compared with the West, Russia — along with China and other like-minded countries — take a more expansive view on cyber threats that also includes stopping the spread of dangerous information, in addition to preventing traditional malware or other attacks on networks and infrastructure. Through this viewpoint, these countries want to strengthen state control and oversight over information in cyberspace, particularly as it relates to issues like opposition groups, non-governmental organizations and other threats that could use the interconnected digital world as a tool against the state. Today, that position is embodied by China’s Great Firewall, Iran’s National Information Network and Russia’s Runet.


On the other hand, the United States and other liberal democracies believe individual rights and freedom of expression should be protected in the cyber world — rejecting Russia, Iran and China’s broader view.
Moreover, the United States has argued that any cyberspace negotiations focused on limiting online behavior or arms control were redundant, given the existing international law on cyber warfare and the application of the U.N. charter. Washington has stressed that the focus of such international talks should instead be on countries working together to root out the threats outlined in the 2004 Budapest Convention on Cybercrime, a treaty that has largely been only ratified by Western countries.

Over the last 15 years, the United States has become increasingly concerned about the digital realm becoming a Wild West for criminal activity. NATO’s increasing focus on cyber activity and the 2009 creation of U.S. Cyber Command also reflects Washington’s fears about the cyber domain becoming more integrated into its adversaries’ military strategies, which attacks by Russia, China and Iran on U.S. critical infrastructure, along with China’s cyber industrial espionage, have only underscored. To address these concerns, the United States has sought to focus international talks on establishing “norms” for state-sponsored cyber activity that, even if non-binding, would help provide a blueprint to judge perceived transgressions by Russia and China.

U.N. Cyber Negotiations: A Brief History

Russia has consistently tried to lead international negotiations on cybersecurity. Since 1998, Moscow has introduced a resolution each year at the United Nations on “developments in the field of information and telecommunications in the context of international security.” In 2001,  Russia proposed the creation of a Group of Governmental Experts (GGE) panel to evaluate and discuss threats to information security. And in 2004, the first GGE was created, including experts from 15 countries, with Russia chairing the group. The first GGE panel failed to reach the consensus needed for an agreement on global cyber rules. But the three subsequent meetings held between 2009 and 2015 each adopted a report by consensus, with the 2015 GGE panel notably establishing the first-ever non-binding cyber norms. 

The 2016-17 GGE, however, failed to build on the last meeting’s success and, for the first time in nearly a decade, ended without a consensus statement. The United States and the West wanted to explicitly state that International Humanitarian Law (which covers international law during armed conflicts) applies to cyberspace. But Cuba, Iran, China and Russia rejected this position, with Havana specifically arguing such an application would normalize cyber warfare. Looming questions around Russia’s alleged interference in the 2016 U.S. election, along with then-U.S.President Donald Trump’s abrasive stance toward China, also made the GGE process more politically difficult.

Parallel Talks Yield Unexpected Progress

Despite the failure of the 2016-17 GGE, however, the United States and Russia still had strategic interests in cyberspace that made diplomatic talks attractive. In 2018, Russia sponsored a U.N. resolution to replace the GGE with a new Open-Ended Working Group (OEWG). The OEWG would still operate on consensus, but unlike the GGE, would be open to all members of the United Nations.

The United States and its allies also participated in the OEWG, but were skeptical of Russia’s intent — namely, whether Moscow was using the new working as a vehicle to gain support for its own alternative to the Western-backed cybercrime guidelines in the Budapest Convention. These fears then seemed to be confirmed after Russia, in quick succession, proposed a new five-year successor OEWG (which started work in May 2021), updated its National Security Strategy (names information security a priority for the first time), and unveiled a draft treaty on international cybercrime in July.

The United States and other Western countries also expressed concerns that Russia would use the open access offered by the OEWG to get more countries interested in its version of information security in order to eventually adopt a different set of norms or expanded set of norms than those established by the 2015 GGE. But these fears did not materialize in the OEWG’s March 2021 consensus report. China, in fact, backed reaffirming the 2015 GGE norms, effectively eradicating any chance that Russia may have had in changing them. This, along with some language alluding to China’s concerns about supply chain reviews, was enough to reach a consensus that enshrined many of the GGE’s findings. While the OEWG agreement did not yield significant breakthroughs in terms of scope, it marked the first time a working group open to all U.N. member states resulted in a consensus report on cyber norms.

Amid concerns about the direction of the Russia-backed OEWG, the United States sponsored a resolution to create a new 25-member GGE in order to keep the smaller working group intact. The group met earlier this year and produced a consensus report that details exactly what is expected of countries to fulfill each of the norms established in the 2015 GGE report. U.S. negotiators described the 2021 GGE report, which also includes examples of what qualifies as critical infrastructure, as an effective guidebook on how to apply and interpret the cyber norms, with the understanding that no new rules needed to be created.

The report also explicitly states that International Humanitarian Law applies cyberspace (Cuba, the 2017 GGE member vetoing the inclusion, was not a member of the 2021 GGE). The inclusion of this may limit some of the development of potential cyber weapons due to the impact on civilians, though it is unclear to what degree that application of International Humanitarian Law will be respected. China and Russia are concerned about the fact that most of their critical infrastructure is operated by state-owned enterprises and the West's is operated by private companies, opening up questions as to what a “civilian” is in the context of war with a huge cyber component.

The GGE report does not, however, go into high detail around how to assess attribution cyberattacks — a major demand of Russia and China. Both Moscow and Beijing have criticized Western governments for accusing them of being behind cyberattacks without always providing substantial evidence (Western intelligence agencies frequently have detailed evidence on attribution, but avoid sharing it publicly for fear of exposing their sources and techniques). The United States and its allies, meanwhile, argue that Russia and China exploit the gray area around attribution to gain plausible deniability around attacks.

Enforcing vs. Expanding Cyber Rules

Differences in priorities between the West — led by the United States — and China and Russia over what to do next in international negotiations over cyberspace also appear to be widening.

The West’s Position

It seems the GGE process has run its course, with the West now signaling it wants to shift the conversation on how to apply norms, and not what they should be. The United States, in particular, wants to use the 11 norms established in 2015 to press China and Russia. During his meeting with Russian President Vladimir Putin in June, U.S. President Joe Biden focused largely on Russian cyber activity, including the SolarWinds supply chain hack, as well as Russia’s alleged harboring of ransomware gangs behind the 2021 Colonial Pipeline and JBS hacks. In July, the United States and its allies also publicly named and shamed China for its cyber activity, with China’s state-sponsored cyber industrial espionage campaigns being one of the key focuses.

In October 2020, France, Egypt and over 40 other primarily Western countries proposed launching a Programme of Action (PoA) to establish “a permanent U.N. forum to consider the use of ICTs [information and communication technologies] by States in the context of international security.” Although the United States was not a sponsor, presumably the focus of the new U.N. body and dialogue would focus more on enforcement, as opposed to advancing rules and standards.

It’s unlikely that Russia or China will ever fully scale back such activities. But since both are included in the cyber norms established, the United States hopes to at least use the rules as a benchmark to judge the behavior of Russian and Chinese cyber officials/entities, as well as justify potential retaliatory sanctions and/or legal action. Washington also hopes that offering more clarity on how it will respond to attacks will help at least keep Russian and Chinese cyber activity in check, even if it can’t prevent attacks altogether.

Russia and China’s Position

Meanwhile, China, Russia and other more authoritarian governments are far more concerned about how cyberspace is used in their countries and furthering their concepts of digital sovereignty. Russia appears interested in using the new five-year OEWG as a vehicle to do so, banking on nationalist data and internet sovereignty trends in countries like Brazil, India, Saudi Arabia, Turkey and the United Arab Emirates. In doing so, Moscow is seeking to bring these typically more Western-aligned countries closer to its view on information security concerns. Russia also hopes that further diffusing the physical infrastructure underpinning the global cyberspace (i.e. servers, networks, cables) could eventually help reduce Western hegemony by compartmentalizing the internet as well.


The aforementioned cybercrime treaty that Russia proposed in July may also find some support among other governments with similar sovereignty-focused approaches to the internet policy.  The proposed treaty would expand upon the EU-backed Budapest Convention by increasing the number of cybercrimes from 9 to 23. Western officials have voiced concerns that the broader list of offensives — which include unauthorized access to personal data and extremism — could grant repressive regimes more power and more ways to manage dissent, public opinion and control information flows in their countries.

The new terrorism-related crimes added to the treaty, in particular, could immediately enable authoritarian governments to designate dissidents who share critical content as terrorists — a label Ethiopia’s govern
ment, for example, has used to justify its offensive against the Tigray People’s Liberation Front.

Russia’s draft treaty also criminalizes the creation and use of digital data intended to “mislead” the user, which governments could use to crack down on critical media coverage by labeling such content “ake news or disinformation.

In addition, the treaty’s section on extradition explicitly says that none of the 23 cybercrimes would be political crimes  — meaning that they would not fall be subject to the carve-outs for political crimes in current extradition treaties.

The United States and the West are concerned that Russia’s ultimate intent is to replace that Budapest Convention. But what’s more realistic is that Moscow’s treaty garners support from a select handful of like-minded states, with Russia’s fellow Shanghai Cooperation Organization members (China, Kazakhstan, Kyrgyzstan, Tajikistan and Uzbekistan) among the most likely to do so. But even if only a small number of countries end up adopting it, the new cybercrime treaty nonetheless adds the litany of alternatives to Western frameworks that Russia and China have been backing, and would also put clearer regulations in place fragmenting the internet.

Disagreements on Data

Data transfer and privacy is one area where there is little room for substantial agreement between Europe, the United States and China. The United States and the European Union may eventually reopen bilateral negotiations on a new data transfer framework between them after the European Court of Justice struck down the EU-U.S. Privacy Shield Framework in 2020 over concerns about lax U.S. privacy rules and government intelligence agencies' access to personal and corporate information. But while the United States may make some reforms, it's unlikely to completely scale back some of the government’s access to information, making any hypothetical new deal potentially being struck down again.

China’s growing state oversight of data, meanwhile, makes collaboration on privacy and other data-related issues even more difficult. A number of new laws and regulations introduced in China over the last year have – including the Personal Information Protection Law and Data Security Law – focus on restricting companies’ ability to send Chinese data overseas. Beijing also has yet to introduce measures that would significantly reduce its own access to data.

A Fragmented Future

The chasm between the world’s four dominant cyber powers — the United States, Europe, Russia and China — on how cyberspace should be managed internationally and what types of behavior countries should engage in (and avoid) is only likely to widen — accelerating the fragmentation of the internet, online services, data transfer rules and cyber policies. This portends higher risks for Western companies trying to operate in countries that are increasingly able — both from a technical and diplomatic perspective — to expand control over the internet.

Such fragmentation would also make it more difficult for Western tech giants like Google, Twitter, Facebook and Amazon to be truly global by forcing them to focus their activities in Europe and North America where regulations are more consistent. This would, in turn, give an edge to alternative tech companies from Russia, China and elsewhere that are more willing to work in environments with stricter regulations. The absence of strict rules on government access to information in China may also give some of its state-backed companies more freedom to reap the benefits of emerging data processing technologies, like artificial intelligence,  compared to their Western counterparts that will have to heed far more stringent requirements on privacy, equality and non-bias on algorithms.

[Crafty_Dog]

https://www.gatestoneinstitute.org/17737/cyberwar-flipping-switches

[ccp]

It is tempting to blame US leftist partisans,

but I think this is more likely Chinese (or Russian hack)

who are are allies of the Democratic Party :

https://www.dailydot.com/debug/project-of-veritas-says-hackers-scammed-it-out-of-165000/

[Crafty_Dog]

The U.S. Cracks Down on Exports of Hacking Tools and Spyware
5 MIN READOct 20, 2021 | 21:03 GMT





A woman checks the Pegasus spyware website at an office in Nicosia, Cyprus, on July 21, 2021.
A woman checks the Pegasus spyware website at an office in Nicosia, Cyprus, on July 21, 2021.

(MARIO GOLDMAN/AFP via Getty Images)

New U.S. export controls on hacking and cyber-surveillance software will limit the proliferation of such tools being developed in the West, though at the risk of at least temporarily undermining cybersecurity research. On Oct. 20, the U.S. Commerce Department’s Bureau of Industry and Security issued a new interim final rule that will tighten export restrictions on cyber tools used for surveillance, espionage and other malicious activities. The new export controls will take effect in 90 days, and there is a 45-day comment period.

Under the new rule, exports of hacking tools to government end-users in a select number of countries — including Bahrain, Israel, Saudi Arabia, Taiwan and the United Arab Emirates — will need a special license granted by the U.S. Commerce Department. Exports to non-government users in those countries for research and other cyber defensive purposes will not need a license.
Exports to all end-users who pose a national security threat to the United States or against which the United States has an arms embargo — including China, Russia and Vietnam — will require a special license.
Few U.S. companies are likely to be affected by the new rule because few U.S. firms develop spyware. The rule will probably have a more significant impact on foreign companies that sell hacking tools and surveillance software using U.S.-origin software, patents or workers.
The Commerce Department’s rule has been in the works for nearly a decade, but the Biden administration has come under pressure to introduce more spyware restrictions in response to authoritarian governments’ increased use of spyware tools against dissidents and opposition leaders. The Wassenaar Arrangement on export controls — a multilateral arms control regime with 42 participating countries — was amended in 2013 to include internet-based surveillance technology and intrusion software. The United States has been one of the slowest participants in the arrangement to adopt new export restrictions since the amendment. A proposed export control rule in 2015 garnered significant opposition among U.S. cyber experts, industry leaders and lawmakers over its broad scope, sending the Commerce Department back to the drawing board. But multiple spyware scandals over the last three years appear to have renewed the department’s push to finally implement the new export control rule.

Although far from the only spyware in use, the Israeli NSO Group’s Pegasus spyware first attracted major media attention when it was discovered on the phone of a UAE human rights activist in 2016. Since then, the spyware has been found on dozens of phones belonging to dissidents and opposition leaders, including the wife of murdered Saudi dissident Jamal Khashoggi before his 2018 death.
A Washington Post report from earlier this year found that over 50,000 phone numbers were targeted in campaigns to deploy Pegasus. While most numbers were clustered around countries like Bahrain, Rwanda and Saudi Arabia, traces of the spyware were found on the phones of five French Cabinet members and other targets in Western democracies.
New U.S. export controls will make it more difficult to transport Western spyware tools — especially Israeli spyware — to authoritarian governments, limiting those governments’ short- and medium-term opportunities to mount sophisticated cyber campaigns. The United States is home to the world’s largest cybersecurity industry, and U.S. researchers, developers, software and intellectual property are found in most corners of the global industry. The extraterritorial nature of U.S. export controls, which cover products that use U.S. workers and content, means that many tools will fall under the Commerce Department’s jurisdiction, potentially even Pegasus. When the United States applied similarly aggressive export controls to other industries, namely the oil and gas and semiconductor industries, the restrictions significantly curtailed transfers. The Israeli government, which had already promised to review the NSO Group’s exports of Pegasus, will be under even more pressure to take action against the company. In response to these future limitations, authoritarian governments will try to develop their own tools or use those publicly available. But they will face barriers in developing spyware that is equally sophisticated, as well as the intrusion methods to deploy it.

The new rule will also create challenges for researchers and the cybersecurity industry because of its secondary impacts on cybersecurity research and global collaboration. From a technical perspective, software and techniques used for hacking are often also used for defensive purposes. Cybersecurity researchers will often use such tools in order to find vulnerabilities to improve the cybersecurity of a product through subsequent patches. Spyware can also be used for other lawful purposes, such as against criminal or terrorist organizations. The large scope of U.S. export control laws and the importance of the U.S. cybersecurity industry means that the new rule risks limiting cybersecurity cooperation if broadly applied. This was the main concern of U.S. cyber experts, industry leaders and lawmakers when the original rule was announced in 2015. The difficulty of limiting the rule’s impact on cybersecurity research is also why the second drafting process took so long.

By separating government and non-government end-users, the United States hopes that the private sector and academic research will be only partially impacted. Moreover, many Western countries — including all participating countries in the Wassenaar Arrangement — do not fall under the new controls. There are also significant carve-outs for Israel and Taiwan, which both have significant cybersecurity industries, to cover things like “digital artifacts” when used in an incident response scenario.
Nonetheless, the inadvertent consequences of export control laws are always a risk, despite U.S. efforts to limit their effect on the private sector and academic research. It will likely take years to learn the extent of the rule’s secondary impacts, which could mean the Commerce Department will make future amendments.

[Crafty_Dog]

The West Goes on the Offensive Against Ransomware Gangs
6 MIN READOct 22, 2021 | 20:05 GMT





A file photo taken on Aug. 4, 2020, shows a man monitoring global cyberattacks on his computer.
A file photo taken on Aug. 4, 2020, shows a man monitoring global cyberattacks on his computer.

(NICOLAS ASFOURI/AFP via Getty Images)

The United States and its partners are going on the offensive against ransomware groups, but there are limitations in replicating the success they’ve apparently had against the Russian-led gang REvil. And while this “whack-a-mole” approach may present some challenges to Russian authorities, it will ultimately risk playing into the Kremlin’s hands by distracting the West from other Russian cyber activities. An unnamed U.S. foreign partner successfully hacked into Russian-led ransomware group REvil’s systems, forcing the closure of several of its websites on Oct. 17, Reuters reported Oct. 22. The multi-country operation, which reportedly had been in the works since earlier this year, accelerated after REvil’s high-profile and sophisticated July Kaseya ransomware attack.

In the Kaseya attack, REvil demanded $70 million from the U.S. software company after its attack subsequently disrupted the cyber networks of more than 1,000 other global companies that rely on Kaseya’s services.

After the Kaseya attack, REvil took down its sites on July 13 for still unclear reasons. But the Oct. 22 Reuters report said that the United States and its partners’ intelligence and law enforcement agencies penetrated the group’s network beforehand, gaining control of some of its servers. Thus, when REvil restored its website from backups in September, it had already been compromised in an operation that remains ongoing.

The United States, like-minded countries and at least some private companies appear poised to go on a more aggressive campaign against ransomware groups, which is now a top U.S. priority in the wake of the May Colonial Pipeline hack.  In June, the U.S. Justice Department raised ransomware’s priority to a level equal to terrorism. The elevation granted the department and other agencies the legal basis to work more closely with U.S. intelligence agencies and the Department of Defense on ransomware. Last week, President Joe Biden also hosted 30 governments for a Counter-Ransomware Initiative to align a global push against such cyber threats. And in what may be a sign of more cyber operations against cybercriminals in the future, U.S. information security company Zerodium announced Oct. 19 that it is looking for zero-day exploits for the Windows versions of ExpressVPN, NordVPN and Surfshark, which are virtual private network (VPN) tools that can help hide users’ IP addresses and bypass government restrictions.

Zerodium is a U.S.-based company that pays cybersecurity researchers who discover zero-day exploits, which are vulnerabilities that have not been made public and thus can be exploited, instead of turning them over to the developers of the compromised product. Zerodium then turns around and sells them to mainly government agencies.

All three VPN products Zerodium mentioned are consumer VPNs often used by cybercriminals to hide their online activity and carry out operations. This highlights the United States and its partners’ growing interest in identifying vulnerabilities that could be used for offensive, not just defensive, purposes — making it entirely possible that Western intelligence agencies want to use any exploits as a part of operations against ransomware gangs and other cybercriminals.

Western governments can probably disrupt individual ransomware groups, but they may face difficulty in undermining the entire ransomware ecosystem. It will take significant resources to individually go after the dozens of different ransomware groups. Moreover, many of the ransomware groups’ key developers are believed to be based in Russia — meaning that arrests are likely to be extremely rare, given that Russian authorities are loath to take aggressive action against those conducting financially motivated cyber-attacks that are key to the Kremlin’s overall asymmetric campaign against the West. But even with these constraints, degrading or merely slowing down the growth of ransomware can be beneficial, particularly when combined with other non-offensive policy measures, such as increasing cybersecurity defenses and policies and diplomatic pressure.

Operations against REvil and other individual groups will probably disrupt their activities for weeks or months at a time, only for their members to rebrand as another cybercriminal group. Even though the approach will not end the ransomware threat, it can increase the costs for high-profile disruptive attacks, as groups behind high-profile attacks like the Kaseya and Colonial Pipeline hacks are more likely to be targeted, thus disincentivizing the most disruptive ransomware attacks.

Aggressive Western actions can also slow down the pace of operations by ransomware groups. Even when groups rebrand, they often use much of the same infrastructure, such as command and control servers, or in the recent case of REvil online payment infrastructure. If those systems are compromised and ransomware groups know it, they will need to take the time to develop alternatives.
Greater action against cyber gangs will also increase internal fissures and intra-group conflicts as different members are worried that they and/or other members may have had their own identities uncovered or personal computers hacked. In rarer cases, some members may also be suspicious that their colleagues are working with law enforcement.

More aggressive operations against ransomware groups can divert Western resources away from other counter-Russian activities, potentially giving the Kremlin other benefits even as ransomware activity is disrupted. If the United States and its allies divert more of their offensive and other cyber resources towards combating Russian cybercriminals, they may lose some capacity to stop Russia’s state-sponsored cyber campaign, which centers more on intelligence gathering and disinformation.

The back-to-back-back high-profile ransomware attacks against Colonial Pipeline, meat processing company JBS and Kaseya diverted media attention away from the Russia-backed SolarWinds hack uncovered last December, which was arguably the largest cyber-espionage operation uncovered.

Moreover, Western pressure against cybercriminals may give the Kremlin greater ability to co-opt and have leverage over Russia-based cyber gangs by promising to protect them from Western law enforcement and intelligence agencies in exchange for a promise that some of their future attacks also achieve the Kremlin’s other cyber strategic goals; this could include handing over valuable data stolen in ransomware attacks to the Kremlin.

Still, greater Western pressure will cause significant challenges for the Kremlin and some of the West’s actions against cybercrime infrastructure may also harm Russia’s state-sponsored cyber activity. The continued threat of ransomware is only increasing the possibility that the West holds Russia directly accountable for the attacks to the point where sanctions or other aggressive actions against the Russian state itself, not just the criminals, are possible. Moreover, the threat is also increasing the resources the West is pouring into cybersecurity, including awareness programs, data breach reporting requirements and public-private cooperation.

Stronger Western cybersecurity practices will improve cyber defenses against all forms of cyberattacks, forcing Russia’s state-sponsored cyber activities to rely on more sophisticated operations, which cost both more money and more time to carry out.

Finally, many Russian cybercriminals often work directly with Russia’s own intelligence agencies to help carry out state-sponsored attacks. This means that in some cases, there is an overlap between the infrastructure used in state-sponsored attacks and cybercriminals’ financially motivated attacks. If groups that are doing double-duty are compromised, it could disrupt both kinds of Russian cyberattacks.

[Crafty_Dog]

https://apnews.com/article/technology-business-europe-russia-united-states-8e2e6ead27e80e79482caf54111b4c3d

[Crafty_Dog]

https://amgreatness.com/2021/11/15/fbi-looking-into-fake-emails-sent-from-real-fbi-account/

[Crafty_Dog]

https://www.washingtontimes.com/news/2022/jan/1/fears-grow-cyber-chaos-will-spark-wars-hack-attack/?utm_source=Boomtrain&utm_medium=subscriber&utm_campaign=newsalert&utm_content=newsalert&utm_term=newsalert&bt_ee=vxfPfF%2BGdgNkuwi8aCN1wS%2BXVapUaR6TDb5wzBU7hfidQ9dvz%2F04hWlWdGqmRf5Y&bt_ts=1641067313297

[Crafty_Dog]

https://www.bleepingcomputer.com/news/security/cisa-urges-us-orgs-to-prepare-for-data-wiping-cyberattacks/?fbclid=IwAR0LcqSUuJ3zKndrvj1JeddhFNQWbc7YhRWrlIaXtO-qluKNZrA5abT2h5E

[Crafty_Dog]

Belarusian Hacktivists Claim Ransomware Attack on Nation's Railways
6 MIN READJan 25, 2022 | 21:09 GMT


The Delovoy Tsentr station of the Moscow Central Ring, a commuter rail line circling the Russian capital, on April 8, 2020.

(DIMITAR DILKOFF/AFP via Getty Images)


Editor's Note: ­This security-focused assessment is among many such analyses found at Stratfor Threat Lens, a unique protective intelligence product designed with corporate security leaders in mind. Threat Lens enables industry professionals and organizations to anticipate, identify, measure and mitigate emerging threats to people, assets and intellectual property the world over. Threat Lens is the only unified solution that analyzes and forecasts security risk from a holistic perspective, bringing all the most relevant global insights into a single, interactive threat dashboard.

Belarusian hacktivist group Cyber Partisans claimed in a Jan. 24 tweet that it had carried out a ransomware attack against Belarusian Railway because of the railway's use in moving Russian troops and military hardware into the country for Feb. 10-20 joint exercises. The Cyber Partisans claimed it encrypted some of Belarusian Railway's servers, databases and workstations to disrupt its activities, but it did not encrypt automation and security systems in order to avoid creating an emergency. The hacktivist group said it is prepared to release the keys to decrypt the systems, but demanded the release of 50 political prisoners and the end of Russian troops' presence in Belarus. Neither Belarusian Railway nor the government has confirmed the attack, but some train services, including passenger ticketing services, were reportedly disrupted Jan. 25. Since the 2020 Belarusian presidential election that led to nationwide pro-democracy protests, the Cyber Partisans — a group that claims to have about 15 self-taught hackers who have fled Belarus — has risen to prominence and carried out a number of different politically motivated cyberattacks against Belarusian government and state-owned targets.

While the Cyber Partisans initially focused on defacing government websites and leaking sensitive government information, it has now claimed a string of ransomware attacks that, if verified, represents a significant escalation that could lead to occasional disruptions of government-provided services in Belarus as well as disruptions to business at state-owned enterprises. On Nov. 17, the hacktivist group announced what it described as the largest "sabotage" campaign in Belarusian history, dubbing it "Operation Scorching Heat" or "Operation Inferno." As part of the campaign, it claimed ransomware attacks against Belarus' Academy of Public Administration, potash giant Belaruskali and a large state-owned automotive company, among other targets. Prior to Operation Inferno, the group carried out hacks against the country's police, Interior Ministry and other government offices leaking videos and information about the government's crackdowns against protesters — including some 5.3 million recordings of wiretapped phone calls and more than 6 terabytes of data — in what it called "Operation Heat."

The Cyber Partisans' apparent quick evolution from organizing data leaks to carrying out potentially disruptive ransomware attacks suggests that other hacktivist groups could make the same transition. Hacktivist groups like Anonymous and WikiLeaks have long been associated with hacking governments and corporations to leak sensitive data for political purposes, but most hacktivist groups' disruptive activities have focused more on denial of service or distributed denial of service attacks or defacing websites, not on disrupting and encrypting an organization's servers and/or workstations for a political cause. While we have seen other politically motivated ransomware attacks for disruption, most have been thought linked to governments, such as Iranian-linked MosesStaff — which has carried out attacks against Israeli targets — not nonstate actors like hacktivists.

It is likely only a matter of time before hacktivist groups start copying some of the Cyber Partisans' tactics to target Western organizations with ransomware-like sabotage; their persistent focus on single issues will elevate the threat beyond more common data leaks for high-profile organizations in certain sectors. Traditional hacktivist groups like Anonymous may target Western government and nongovernment organizations with ransomware attacks based on a host of issues — including privacy, racial discrimination and economic inequality issues — but Anonymous historically has been criticized for not having a true universal motive for its attacks, instead trying to make a name for itself through disruptive action. It is likely that other activist groups organized around single issues, such as climate change, eventually will carry out attacks against Western organizations over issues like climate change, such as disrupting oil and gas processing plants operations. A continued increase in political polarization in the United States and other democracies could also lead to more hacktivist attacks from different actors targeting political groups they oppose or organizations associated with them or their supporters (such as major campaign donors).
Single-issue hacktivists may be far more persistent than financially motivated hackers in targeting a specific prominent organization as a part of their cause, because they are driven by ideology rather than monetary gain while cybercriminals can quickly move on to another target. This dedication will make it crucial for organizations to monitor activist movements targeting their industry in other ways, such as demonstrations at corporate headquarters, for any signs that they are gaining hacktivist capabilities.

Hacktivists may never represent the same level of sophisticated cyberthreat as nation-states or sophisticated cybercriminals, enabling organizations to mitigate the risk through the same practices being undertaken to mitigate other cyber risks. But they do pose a different type of challenge to organizations that suffer an attack or breach. Despite the Cyber Partisans' rapid transition to carrying out ransomware attacks, there is no indication that they have become as sophisticated as elite ransomware gangs. And it is likely that hacktivist groups that copy their strategy, at least initially, will not be as sophisticated as ransomware gangs due to the latter's generally more extensive capabilities and larger financial resources gained through attacks. This means that organizations that are improving their overall cybersecurity efforts across the board to counter other rising cybersecurity threats (e.g., sophisticated ransomware attacks, nation-state supply chain hacks, etc.) will be better positioned to mitigate the threat from hacktivists even if the threat is more targeted and persistent. Nevertheless, unlike financially motivated threat actors, hacktivists would invariably see public disclosure of attacks and the reputational damage to an organization as an added benefit in almost all scenarios. This means that organizations that intend to pay ransoms as a part of their cyber incident response plans to quietly defuse the situation without the attack's becoming public may not wind up having that option.

[Crafty_Dog]

How Russia Could Respond to Western Sanctions With Cyberattacks
7 MIN READFeb 3, 2022 | 19:00 GMT



Although a Russian invasion of Ukraine is not the most likely scenario at this point, it cannot be ruled out and organizations should start considering the risks they could face were such a conflict to break out. In the less likely but more impactful scenario where Russia conducts a full invasion of Ukraine, the United States and its European allies will likely respond with a myriad of financial and other sanctions that would in turn cause the Kremlin to respond with cyberattacks.

The United States and the West are likely to place sanctions on Russia's financial sector, export controls on technology exports to Russia (including semiconductors and green technology, and restrictions on new investment into Russia's oil and gas sector and, potentially, a U.S. (but not European) embargo of Russian energy supplies if Russia invades Ukraine. Such a sanctions strategy would be designed to maximize short-term and long-term economic pain on Russia and limit the short-term fallout to Europe by not cutting off Russian gas supplies. Nevertheless, the Kremlin would likely view such sanctions as significant economic warfare and retaliate accordingly, likely assessing that the sanctions are unlikely to be quickly removed.
Sanctions on Russia's natural gas and crude oil exports and cutting off Russian access to SWIFT are under discussion as potential options, but it is unlikely that the United States and Europe would go that far due to the blowback on Europe and potential escalation of the conflict beyond Ukraine.
In such an invasion and sanctions scenario, Russia's retaliation would focus heavily on carrying out cyberattacks aiming to disrupt U.S. and European economic activity and extract an economic cost for the sanctions strategy against Russia. Given past Russian activity targeting Ukraine and Georgia, we would anticipate the most dangerous Russian cyberattacks to be data wiping and encryption malware and worms targeting Western government organizations and leading companies operating in key sectors, including the financial sector, oil and gas, industry, and manufacturing. A massive cyber campaign akin to the 2017 NotPetya attacks, but on a larger scale and targeting U.S. and Western European organizations instead of primarily Ukrainian entities, is a realistic scenario, as the Kremlin could view it as a proportional response to Western sanctions. The 2017 NotPetya attacks initially looked like a ransomware attack before it became clear that the main aim was wiping data off of systems. There are already signs that Russia may be launching another data wiping and encryption campaign in Ukraine, as the Microsoft Threat Intelligence Center (MSTIC) said in mid-January that similar malware began appearing in Ukraine on Jan. 13 and the U.S. and U.K governments issued warnings about possible cyberattacks.

Russia's advanced persistent threat (APT) groups are less likely to carry out a series of cyberattacks that are primarily fraud and financially motivated to offset the economic impact of sanctions. Instead, Russia's primary objective will likely be widespread economic disruption aimed at breaking the West's resolve to maintain sanctions. Financial gain will be a secondary or tertiary objective. Although there is clearly a relationship between them and the government, Russia's financially motivated hackers are not directly under the control of the Kremlin's intelligence agencies and there is a degree of separation between the two, unlike in North Korea, where cybercrime groups like Lazarus Group are directly tied to the government. North Korea's primary objective is to earn hard cash (or cryptocurrencies) through fraud and cyberattacks that can offset the financial impact of U.S. sanctions and North Korea's limited access to foreign currency. In most North Korean cyberattacks, financial gain is the primary motive and disruption is a secondary or tertiary motive. By contrast, Russia is not in a position to meaningfully use cyberattacks to offset the economic impact of sanctions because of the sheer size of its $1.5 trillion economy, compared to North Korea's roughly $29 billion economy. North Korea's 2016 Bangladesh Central Bank heist cyberattack aimed to steal $1 billion would have been a meaningful amount of money for North Korea, but an insignificant amount for Russia.

Although Russia's APT groups may not engage in financially-motivated cyberattacks, Moscow would freeze all cooperation with the United States and the West over Russian cybercriminal groups and give the criminal groups more space to carry out ransomware and other cyberattacks against Western organizations. Facing a high level of U.S. and European sanctions, the Kremlin will have little incentive to rein in Russian criminal networks — both cybercriminal and organized criminal — targeting the West and may even work more closely with cybercriminals by sharing hacking tools, malware and command and control servers. Russia's cybercriminal networks remain prolific and various forms of fraud, including business email compromise attacks, banking Trojans, cyrptojacking malware, and botnets stealing credentials remain a part of their arsenal even as high-profile ransomware gangs that have gained notoriety over the last two years. Each of these risks will be more pronounced in the event of Western sanctions on Russia, but the risk will be more evolutionary from its current pattern as opposed to a largely new threat from Russia. By contrast, more escalatory state-sponsored data encrypting and wiping malware directly aimed at the West would be a new threat.

Russia may consider launching cyberattacks aiming to force offline or disrupt Western critical infrastructure, like power grids, financial transaction infrastructure and/or telecommunications, but those types of disruptions are more likely to be unintended fallout from other types of cyberattacks. Russia certainly has the capability to launch cyberattacks against Western power grids and will increase the rate at which it tries to hack into critical infrastructure if there are substantial sanctions on Russia in order to give itself the option of carrying out attacks against critical infrastructure in the future if tensions escalate. Actually carrying out attacks with the intent of disrupting or destroying critical infrastructure, however, is less likely due to the potential escalatory nature if Russian cyberattacks take substantial parts of the U.S. power grid offline for days, cause physical destruction of a German power plant, cause significant loss of life or something similar. Cyberattacks of that magnitude could be considered acts of war and result in proportional retaliation by the United States and Europe. Russia has been willing to carry out attacks on the Ukrainian power grid in recent years, but Ukraine does not have the same level of retaliatory options that the United States and Europe possess, making the costs of carrying out an attack against Ukraine's power grid much lower than an attack against the United States or a NATO member. Nonetheless, it is entirely possible that a Russian cyberattack results in accidentally disrupting Western critical infrastructure to a significant degree, either through the systems it affects or by an organization accidentally causing a crisis when responding to a breach of its systems by Russia, even if Russia's intent is reconnaissance and intelligence gathering, not disruption.

In a worst case (low likelihood, high impact) scenario, Russia may be willing to engage in more destructive and disruptive cyberattacks targeting critical U.S. and European critical infrastructure, but that would likely only occur in a scenario where either the United States and Europe adopt Iran- or North Korea-style sanctions on Russia or the conflict in Ukraine leads to direct military conflict between Russian and Western forces. Neither of these are particularly likely scenarios, but the consequences would be dramatic and while cyberattacks will be a primary risk that many Western organizations face, those are the types of triggers that could lead to broader conflict in Eastern Europe that goes beyond Ukraine's borders. Targeting Russia with SWIFT sanctions would also result in essentially blocking Russian energy exports to Europe without clear waivers. Even in that case, Russia could respond by cutting off exports regardless in order to cause a spike in energy prices and shortages in Europe. A scenario like this is extremely unlikely, but escalation can be a slippery slope. While Russia and the United States will seek to avoid such a scenario, a Russian invasion of Ukraine could trigger a series of events that bring the West and Russia to trade cyber, economic and military blows against each other to significant proportions.

[Crafty_Dog]

Cyberattacks against government offices, banks rattle nerves

in Kyiv

ASSOCIATED PRESS

KYIV, UKRAINE | A series of cyberattacks on Tuesday knocked the websites of Ukrainian government offices and major banks offline, authorities here said, attacks that came amid strong tensions between Russia and the West over possible military action against Ukraine.

Nerves have been on edge for months in Ukraine’s capital, but it was too early to know, however, if the apparently low-level denial-of-service attacks Tuesday might be a smokescreen for more serious and damaging Russian-orchestrated cyber mischief.

At least 10 Ukrainian websites were unreachable due to so-called “denialof- service” attacks, including those of the Defense Ministry, the Foreign Ministry, the Culture Ministry and Ukraine’s two largest state banks. In such attacks, websites are barraged with a flood of junk data packets, rendering them unreachable.

Customers at Ukraine’s largest state-owned bank, Privatbank, and the state-owned Sberbank reported problems with online payments and the banks’ apps.

“There is no threat to depositors’ funds,” the Ukrainian Information Ministry’s Center for Strategic Communications and Information Security said in a statement. The deputy minister, Victor Zhora, confirmed the cyberattacks.

The ministry suggested Russia could be behind Tuesday’s incident, without providing details. “It is possible that the aggressor resorted to tactics of petty mischief, because his aggressive plans aren’t working overall,” the statement said.

Oleh Derevianko, a leading private sector expert and founder of the ISSP cybersecurity firm, said it was not immediately clear if Tuesday’s cyberattacks were limited to what officials had said publicly.

“That’s exactly the question we always ask,” he said.

Ukraine has been subject to a steady diet of Russian aggression in cyberspace since 2014, when Moscow annexed the Crimean Peninsula and backed pro-Russian separatists in eastern Ukraine. The Biden administration has also been warning that cyber attacks could be part of a larger Russian move against Kyiv.

The attacks follow a Jan. 14 cyberattack that damaged servers at Ukraine’s State Emergency Service and at the Motor Transport Insurance Bureau with a malicious “wiper” cloaked as ransomware. The damage proved minimal — some cybersecurity experts think that was by design, given the capabilities of Russian state-backed hackers. A message posted simultaneously on dozens of defaced Ukrainian government websites said: “Be afraid and expect the worst.”

Serhii Demediuk, the No. 2 official at Ukraine’s National Security and Defense Council, called the attack Tuesday “part of a full-scale Russian operation directed at destabilizing the situation in Ukraine, aimed at exploding our Euro-Atlantic integration and seizing power.”

Russia’s cyber warriors have been blamed for perhaps the most devastating cyberattack ever. Targeting companies doing business in Ukraine in 2017, the NotPetya virus caused over $10 billion in damage worldwide

[Crafty_Dog]

https://therecord.media/iran-linked-muddywater-carrying-out-digital-attacks-worldwide-u-s-warns/

[Crafty_Dog]

https://dailycaller.com/2022/02/24/russia-ukraine-cyber-attack-putin-zelensky/?utm_medium=email&pnespid=v7puDSVMaP9L0PTft2_.E8ictAK_UMZ5Jui50_J2ogNmR1deLOlJ3XGA7zrU4dK.PAmO6HLT

[Crafty_Dog]

https://www.msn.com/en-us/news/technology/elon-musk-says-starlink-was-told-to-block-russian-news-sources-but-it-will-not-do-so-unless-forced-at-gunpoint/ar-AAUDUvI?ocid=msedgntp

[Crafty_Dog]

https://www.foxnews.com/world/us-doesnt-stand-a-fighting-chance-if-russia-and-china-combine-cyber-tech-former-pentagon-official-says?fbclid=IwAR3URgxFL7XS7akQnODI--7OIWJPx7fbNbwKFNHgjirmM6puiXgt0IP_SME

[G M]

https://www.foxnews.com/world/us-doesnt-stand-a-fighting-chance-if-russia-and-china-combine-cyber-tech-former-pentagon-official-says?fbclid=IwAR3URgxFL7XS7akQnODI--7OIWJPx7fbNbwKFNHgjirmM6puiXgt0IP_SME

Good thing we haven't forced Russia into China's camp!

[DougMacG]

Good thing we haven't forced Russia into China's camp!

Seems like just one President ago we were putting the screws to China.

[G M]

Good thing we haven't forced Russia into China's camp!

Seems like just one President ago we were putting the screws to China.

Yeah, but MEAN TWEETS Doug.

MEAN TWEETS.

[Crafty_Dog]

https://theintercept.com/2022/04/22/russia-hackers-leaked-data-ukraine-war/

[ccp]

"Yeah, but MEAN TWEETS Doug.

MEAN TWEETS."

me:

mean tweets = approval rating ~ 40 %

no problem 

[G M]

"Yeah, but MEAN TWEETS Doug.

MEAN TWEETS."

me:

mean tweets = approval rating ~ 40 %

no problem 

What’s the approval rating for our sellout RINOS?

[ccp]

I agree he is better then a rino

but he is not great for us over the long term

we need someone else

not a man child

[Crafty_Dog]

Ahem , , , beware thread drift , , ,

[Crafty_Dog]

https://www.calcalistech.com/ctechnews/article/sk200ds1wc?utm_source=sendinblue&utm_campaign=Extremist%20Roundup%202022-06-30%20SIB&utm_medium=email

[Crafty_Dog]

https://www.washingtontimes.com/news/2022/nov/22/report-beijing-deploys-10-times-more-operators-tha/?utm_source=Boomtrain&utm_medium=subscriber&utm_campaign=newsalert&utm_content=newsalert&utm_term=newsalert&bt_ee=U8WU%2BsZe%2FvuzE3yrlV%2FLRWlXIxdi8krc3xaLR6g%2BeJ5kjsqa%2B1o4xojUVj7R8YVJ&bt_ts=1669144479030

[Crafty_Dog]

https://www.oodaloop.com/briefs/2023/02/28/major-cyberattack-compromised-sensitive-u-s-marshals-service-data/#:~:text=The%20US%20Marshals%20Service%20has%20suffered%20a%20major,%E2%80%9Cstand-alone%E2%80%9D%20system%20and%20was%20discovered%20on%20February%2017.

[Crafty_Dog]

https://www.youtube.com/watch?v=IAWoSSKQtFM

[ccp]

"Yeah, its just a movie clip"

what if we had an apocalyptic war and not one nuc was exploded ?

lets see EMP
cyber war
bioweapon engineered  so the Han are protected...

seems more relevant than threat of gas or oil to me

[G M]

"Yeah, its just a movie clip"

what if we had an apocalyptic war and not one nuc was exploded ?

lets see EMP
cyber war
bioweapon engineered  so the Han are protected...

seems more relevant than threat of gas or oil to me

We are probably going to get some of each.

[Crafty_Dog]

A.k.a. "Full Spectrum War".

[ccp]

the bad news :


"Tens of thousands of Chinese military hackers are preparing for war against the United States. The report said China has 10 times more troops devoted to offensive cyberattacks than does U.S. Cyber Command."

the good news:

1) we have 2 new national parks
2) Springstein, who I don't like, is going to perform at the WH
3) we have more members in our military with GAD
4) and DJT to be arrested for a misdemeanor
5) we will bail out any Democrat *donors and wokesters*

[Crafty_Dog]

https://www.defenseone.com/threats/2023/03/using-starlink-paints-target-ukrainian-troops/384361/

[G M]

https://twitter.com/Fynnderella1/status/1640016692305711105?t=TjecOe0CeGrc6V2z0HRrww&s=19

[Crafty_Dog]

https://www.msn.com/en-us/news/technology/new-restrict-act-could-mean-20-years-in-prison-for-using-a-vpn-to-access-banned-apps/ar-AA19exSd

[Crafty_Dog]

https://www.gatestoneinstitute.org/19551/tiktok-america-do-or-die

Makes good points for both sides.