Published on June 10th, 2020

Hack-for-hire operation revealed – POLITICO


With help from Martin Matishak, Laurens Cerulus and John Hendel

Editor’s Note: Morning Cybersecurity is a free version of POLITICO Pro Cybersecurity’s morning newsletter, which is delivered to our subscribers each morning at 6 a.m. The POLITICO Pro platform combines the news you need with tools you can use to take action on the day’s biggest stories. Act on the news with POLITICO Pro.

A massive hack-for-hire operation got outed, and is the subject of a federal investigation.

A group of House members demanded that federal law enforcement agencies halt surveillance of peaceful protesters.

A new deputy at Cyber Command is en route after the president made a nomination, one of several recent changes at the command.

HAPPY WEDNESDAY and welcome to Morning Cybersecurity! Good to see “Wonder Showzen,” which I proselytized to about everyone back in the day, get its due. Send your thoughts, feedback and especially tips to [email protected]. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

MERCENARIES IN CYBERSPACE — A hack-for-hire phishing operation targeting thousands of victims, including politicians, journalists, activists and more, was exposed on Tuesday, but there are some questions remaining and fallout ahead. Among the groups targeted by the Dark Basin hacking group, which Citizen Lab and NortonLifeLock tied to an Indian IT company named BellTroX, were net neutrality advocates as well as environmentalists who were part of a climate-change campaign against ExxonMobil. Citizen Lab said it did not have “strong evidence” linking Exxon or any other company to Dark Basin. “ExxonMobil has no knowledge of, or involvement in, the hacking activities outlined in Citizen Lab’s report,” Exxon spokesman Casey Norton told our Morning Energy colleagues in an email.

Federal prosecutors in Manhattan are investigating, The New York Times reported. The key question, per BAE threat intelligence analyst Saher Naumaan: “Outsourcing these services through PIs & lawyers creates layers of obscurity and deniability, shielding the end client - who were the employers contracting BellTroX?” And per Google’s Shane Huntley: “The real test now, is whether there are consequence[s] here or these groups can continue hacking with impunity.” Citizen Lab, a cyber watchdog organization at the University of Toronto, said it shared its report with DOJ, which declined to comment.

THE STING — A group of nearly 40 lawmakers led by Reps. Anna Eshoo (D-Calif.) and Bobby Rush (D-Ill.) are demanding that federal law enforcement agencies halt invasive surveillance of people protesting police brutality around the nation. In a letter to the heads of the FBI, DEA, National Guard, and Customs and Border Protection, the lawmakers cited tactics such as Stingrays that gather cellphone browsing, call, location, and text data, which have prompted news organizations to publish guides on how to preserve privacy while protesting.

“The surveillance tactics … during the recent protests across the U.S. are significantly chilling the First Amendment rights of Americans. We demand that you cease any and all surveilling of Americans engaged in peaceful protests,” the lawmakers said. “Americans should not have to take proactive measures to protect themselves from government surveillance before engaging in peaceful demonstration.”

CYBERCOM CAROUSEL — U.S. Cyber Command leadership will soon sport an array of fresh and familiar faces. President Donald Trump on Tuesday nominated Air Force Maj. Gen. Charles L. Moore — Cyber Command’s director of operations — to be the organization’s new deputy. Later in the day it was announced that Marine Corps Master Gunnery Sgt. Scott H. Stalker, the senior enlisted leader for Cyber Command and the NSA, would leave for U.S. Space Command. The personnel moves come about a month after the chief of staff of the Army announced that Army Maj. Gen. David Isaacson, the chief of operations and networks in the service’s CIO office, had been assigned to be Cyber Command’s next chief of staff.

NGOS CALL FOR TOUGHER CYBER SURVEILLANCE EXPORT REGIME — Eight non-governmental organizations including Amnesty International, Human Rights Watch and Access Now wrote to European Union Trade Commissioner Phil Hogan on Tuesday asking him to take a tougher line on stopping companies from exporting surveillance and hacking software. It comes as EU negotiators are struggling to agree to new rules, known as the dual-use export controls legislation, that govern goods and software that risk being used for surveillance.

The Commission has floated a new text, obtained by our POLITICO Europe colleagues, to break the deadlock on an issue that was blocking the talks. The NGOs urged Hogan “to reconsider the compromise position as was disclosed.” The Commission’s latest proposal isn’t airtight in imposing standards of human rights on the export of software in the way that it demands respect for those standards inside the bloc, the NGOs warned. What’s more, “the Commission’s phrasing imposes no obligations on companies to identify, prevent, mitigate and account for how they address their actual and potential impacts on human rights.”

The NGOs said it should be up to EU governments, not companies, to take the initiative to add new items to the EU’s own list of goods and services that can cause harm. The NGOs also called for stronger reporting requirements so civil society can check and compare how governments hand out export licenses.

Negotiators of Parliament and Council early this year were hoping to land a deal at the end of March, but that fell through due to the coronavirus. Technical discussions kicked off again last month, but progress is very slow, as nations seek to revamp their common “mandate” for negotiations.

THAT’S A LOT OF PATCHING — The largest Patch Tuesday in the history of Microsoft just arrived. There were 129 vulnerabilities in all. One of them was the result of CyberArk research that identified a vulnerability in Microsoft’s Group Policy Object mechanism that affects any Microsoft machine after 2008, amounting to millions of devices. The good news is that there were no zero days in this batch.

INFINITY WARS — A consortium of cybercriminal forum members teamed up to develop a tool to combat DDoS attacks on the dark web, known as EndGame, and Digital Shadows said in a blog post Tuesday that it might offer broader lessons. “While we cannot tell whether EndGame will eradicate DDoSing activities across the dark web community, a tool-set offering a number of features, customizations, and solutions moves the scene into a much better position than before,” wrote Alex Guirakhoo, head of the company’s Photon Research Team.

WHO, US? CHINESE TELECOM COMPANIES DEFEND RECORD — From our friends at Morning Tech: The U.S. divisions of China Telecom, China Unicom and ComNet are all defending their records before the FCC, which earlier this year pressed these China-affiliated telecom providers over why they should keep their authorization to operate in the U.S. The Trump administration in April urged the FCC to revoke China Telecom’s license to operate, warning of likely Beijing government sway over the company that creates a risk of espionage.

“Most of [the administration’s] factual allegations involve potential or imagined future conduct by third parties, not actual misconduct,” China Telecom countered in its filing posted Tuesday. China Unicom, too, said it’s generally abided by FCC regulations and posed no threat over its two decades of operation in the U.S. “In their dealings with the U.S. government and the operation of their business, Pacific Networks and ComNet have consistently operated in a responsible manner,” those companies wrote.

The FCC is following a “well-established process” for this review, FCC Chairman Ajit Pai told reporters Tuesday: “We are following a process that affords the companies in question the opportunity to present their views. … The due process we are affording them is notable because it is not necessarily process which is afforded in other countries, notably the People’s Republic of China.”

TWEET OF THE DAY — Just in case you needed the expert view on all this.

Cyber Command penned an article about the “Cyber 9-Line,” a program with the National Guard to help with election security.

CyberScoop: CISA discussed an industrial control system security strategy.

Motherboard: The Los Angeles Police Department got a demonstration of NSO Group’s phone hacking technology.

Krebs on Security warned Florence, Ala., about ransomware hackers inside the city’s computer system. You’ll never guess what happened next.

CNET: The Nintendo hack was nearly twice as big as previously revealed.

That’s all for today.

Stay in touch with the whole team: Eric Geller ([email protected], @ericgeller); Bob King ([email protected], @bkingdc); Martin Matishak ([email protected], @martinmatishak); Tim Starks ([email protected], @timstarks); and Heidi Vogt ([email protected], @heidivogt).
