Today’s edition of the LookingGlass Cyber Monitor features Chinese tactics to influence elections, another cyber attack against space systems, analysis showing that Russia is responsible for roughly 75% of ransomware attacks, a settlement over a NotPetya lawsuit that could change the cyber insurance industry, US sanctions on Iranian officials for internet censorship of protestors, NCSC’s program to scan the entire UK internet, recommendations for the US to combat cyber-enabled economic warfare, and Microsoft’s accusation that China is abusing vulnerability disclosure requirements.
Major Hacks & Campaigns
Chinese tactics to influence US elections have historically relied on economic and diplomatic influence, though recent Twitter activity underscores that social media still plays a prominent role, and TikTok poses risks as well. Twitter recently disrupted three China-based operations that were covertly trying to influence American politics in the months leading up to this week’s midterm elections by amplifying politically polarizing topics. The operations spanned nearly 2,000 user accounts, some of which were likely located in the US, and weighed in on a variety of hot-button issues. The accounts represented views on both the right and the left of American politics, and some repeated pro-China narratives. China’s attempts to influence elections are limited neither to the US nor to social media. According to reports filed to the Justice Department under the US Foreign Agents Registration Act (FARA), China has spent more over the past six years – $280M – to influence US politics than any other foreign country. Unlike Russia, which often targets individual politicians or merely aims to create chaos, Beijing has in recent years aimed to change US views of China more broadly. Another rising factor in China’s influence toolkit is its social media gem, TikTok, which new studies say could become a major vector for election misinformation. In a new report, digital watchdog Global Witness and the Cybersecurity for Democracy team at NYU suggest the video platform is failing to filter large volumes of election misinformation. TikTok approved 90% of advertisements featuring election misinformation, including ads containing the wrong election date, false claims about voting requirements, and rhetoric dissuading people from voting. Experts point out that TikTok has 80M monthly users in the US, with large numbers of young Americans indicating the platform is their primary source of news.
Research from various organizations suggests that the inauthentic networks did not achieve strong influence in online communities or significant infiltration of politics-centric circles on Twitter. LGC analysts observed, however, that the tactics used in these operations have evolved and matured as China’s information campaigns have persisted over the past several years.
Compared to previous campaigns, the recently identified inauthentic accounts appear to have adopted a more comprehensive approach to building personas. One of the well-established accounts, 10Votes, has a digital presence on multiple platforms, differentiating it from other low-quality fakes, and has reached a large number of followers and engagements online. In addition to becoming more adaptive to various digital environments, the content and strategies used by these China-based networks appear to have become more tailored, with sharpened cultural and political sensitivity to the target audiences. For example, a Washington Post article pointed out that these China-based accounts attempt to influence American audiences by mimicking the strategies Russia-based operatives used to stoke cultural and political tensions during the 2016 election, suggesting that China-based operations have become more sophisticated. A blog published by the Election Integrity Partnership indicated that one of the more extensive networks in the recent Twitter takedowns, the Pro-China Network (APAC3), consisted of 1,872 accounts and 310,043 tweets, predominantly in English and Mandarin, with a smaller proportion in Spanish, Japanese, Russian, Bengali, and Korean. This is in line with LGC analysts’ observation from previous China-linked disinformation campaigns that some old accounts are repurposed for different influence operations. The APAC3 network primarily focused on pro-China and anti-Western content. LGC analysis suggests that this network of less-well-developed accounts could also be part of a trial-and-error phase: the traffic data collected from these accounts may be used to help campaign operatives build more successful operations in the future.
The Atacama Large Millimeter Array (ALMA) Observatory in Chile has suspended all astronomical observation operations and taken its public website offline following a cyber attack on October 29. The ALMA Observatory is one of the largest in the world, containing 66 radio telescopes worth about $1.4B. They can capture high-quality images of weak radio waves emitted by distant objects as far as 13B light years away. It is maintained through an international partnership between Canada, Chile, the EU, Japan, South Korea, Taiwan, and the U.S. ALMA’s antennas and scientific data were not compromised, but ALMA suspended observations, took its public-facing website offline, and restricted the use of its email services. Though the threat was contained, according to a statement it is not clear when the observatory will return to normal operations. It is not yet known how the attackers got into its systems. Cyber attacks affecting space systems are on the rise as exponentially more launches take place and more functions depend on access to space systems. Earlier this year, LookingGlass published a blog addressing the lessons learned from electronic attacks against Starlink during the Ukraine conflict, and how they affected other systems around the world – like wind turbines in other parts of Europe. And our CEO, Bryan Ware, co-authored a piece at the World Economic Forum that addresses how geopolitical events can increase the cybersecurity risk of space-based services.
Analysis from the Department of Justice’s Financial Crimes Enforcement Network (FinCEN) reveals that Russian actors accounted for roughly three-quarters of recorded ransomware incidents during the latter half of 2021. Building on data collected under the Bank Secrecy Act and an earlier agency report, FinCEN officials attributed 594 of the 793 ransomware-related activities reported to the agency between July and December 2021 to Russia-linked actors. The total cost of incidents over that period was $488M, and financial institutions reported more than $1B in potential ransomware-related payments in 2021. Treasury’s report was published as the White House hosted officials from 36 countries, the EU, and 13 global companies to address ransomware and cyber crime. The meeting follows last year’s inaugural meeting of the informal Counter-Ransomware Initiative, adding seven more countries and bringing in a group of private sector players for the first time. Outcomes of the meeting include agreements to crack down on how cryptocurrencies are used to finance ransomware operations and vows not to provide safe harbor for cyber criminals, among others. More details can be found in the White House Fact Sheet.
Analyst Comment: This analysis confirms some LGC findings. While it is not always possible to identify the specific locations of ransomware groups and their affiliates, most ransomware groups observed by LGC appear to be Russian-speaking. The likely reason is that Russia and some other countries within the Commonwealth of Independent States (CIS) serve as “safe havens” for cyber criminals: local law enforcement generally does not attempt to charge people with cyber crimes as long as their activity does not affect organizations in any of the CIS countries. Changes in the geopolitical situation may alter this in the future; so far, however, even events such as the war in Ukraine have not caused any significant change.
The settlement last week of a $100M lawsuit over whether insurance should cover losses from the infamous NotPetya cyber attack could reshape the cyber insurance marketplace. Mondelez International and Zurich American Insurance reached the settlement after several years of legal battles over the food company’s claim regarding the damage from the 2017 NotPetya cyber incident. The insurer had initially refused to cover the damage to Mondelez, which attested in court documents that it lost more than 1,700 servers and 24,000 laptops to the malware. NotPetya was a destructive attack that masqueraded as ransomware and reportedly caused more than $10B in global damages: although it encrypted its victims’ machines and left a ransom demand, it was not actually designed to allow decryption. The case was complex because Mondelez had not taken out an explicit cyber insurance policy but a property policy that it argued covered cyberattacks. Zurich claimed in response that the damage caused by NotPetya was excluded from this policy on the grounds that it was a “hostile or warlike action” conducted by a “government or sovereign power.” The ruling in favor of Mondelez follows a January ruling in a New Jersey court that sided with global pharmaceutical company Merck in a similar case, also over NotPetya. In neither case was the attack interpreted as an act of war. The Mondelez case was decided as the US Treasury Department weighs a potential backstop for cyber insurance.
The US Treasury sanctioned Iranian officials for an ongoing crackdown on protests and internet censorship. The Department’s Office of Foreign Assets Control (OFAC) designated 10 Iranian officials for brutally cracking down on protests, as well as two Iranian intelligence actors and two Iranian entities involved in Tehran’s efforts to “disrupt digital freedom.” The sanctions were announced 40 days after the arrest of Mahsa Amini and her subsequent death in the custody of Iran’s Morality Police, which sparked the protests. The US also expanded the range of American software and internet services available to Iranians. Leaked documents also revealed that Iran was using mobile surveillance tools to track its citizens’ smartphones. The spyware, called SIAM, has 40 functions, including the ability to track devices, decrypt messages, block internet access on smartphones, and more. It can also downgrade a phone’s connectivity to 2G coverage, which not only prevents the phone from accessing the internet but also leaves messages sent over the 2G network easier to decrypt. Multi-factor authentication can also be undermined with this tool, as texted verification codes can be accessed. SIAM has been used by the country’s Communications Regulatory Authority (CRA) to keep tabs on protesters. The use of such a tool by the government in Tehran is no surprise to security experts, though the granular level of information available via SIAM is notable, according to a researcher at Citizen Lab. More than 14,000 people have been arrested in demonstrations across over one hundred cities and universities. After one of the larger protests took place at the end of October, almost 300 protesters had been killed, including 44 minors.
The UK National Cyber Security Centre (NCSC) has launched a new program to continually scan every internet-connected device hosted in the UK for vulnerabilities, to help the government respond to zero-day threats. NCSC’s scanning activity will specifically hunt for vulnerabilities that are common or particularly important because of their widespread impact. The scans are performed using tools running from inside the NCSC’s dedicated cloud-hosted environment, allowing network administrators to easily identify the agency in their logs. UK organizations can also opt out of having their servers scanned by the government. In a blog post, the agency’s outgoing technical director Ian Levy explained that the NCSC is not trying to find vulnerabilities in the UK for some other nefarious purpose, which is notable since the NCSC falls under UK Government Communications Headquarters (GCHQ). GCHQ is the British equivalent of the US NSA/CYBERCOM and also has an offensive cyber mission. The policy is similar to efforts by Norway’s National Security Authority, which last year saw the agency look for evidence of exploitation of Microsoft Exchange vulnerabilities targeting internet users in the country. Slovenia’s cybersecurity response unit, known as SI-CERT, also said at the time that it was notifying potential victims of the Exchange zero-day bug in its internet space.
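For administrators who want to separate a declared, benign scanner from everything else hitting their servers, the following is an added example (not NCSC code and not part of the original newsletter) that parses web server access-log lines and tags requests whose source IP falls within a published scanner range. The scanner name and the CIDR range are placeholders (the range is the reserved TEST-NET-2 block), and the log lines are constructed for illustration; substitute the ranges and hostname the scanning organisation actually publishes.

```python
"""Tag access-log entries that originate from a declared, known-benign scanner.

Added example, not NCSC code. KNOWN_SCANNER_SOURCES holds PLACEHOLDER values;
replace them with the source ranges the scanning organisation publishes.
The sample log below is constructed, not captured from a real server.
"""
import ipaddress
import re
from collections import Counter

# Placeholder: replace with the scanner's published source ranges.
# 198.51.100.0/24 is TEST-NET-2 (RFC 5737), never a real scanner.
KNOWN_SCANNER_SOURCES = {
    "scanner-placeholder": ["198.51.100.0/24"],
}

# Apache/nginx "common" log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: two requests from the placeholder scanner range,
# two from an unrelated address (TEST-NET-3), and one unparseable line.
SAMPLE_LOG = """\
198.51.100.17 - - [03/Nov/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 612
198.51.100.17 - - [03/Nov/2022:10:01:03 +0000] "GET /.well-known/security.txt HTTP/1.1" 404 153
203.0.113.9 - - [03/Nov/2022:10:02:11 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.9 - - [03/Nov/2022:10:02:12 +0000] "GET /admin HTTP/1.1" 403 120
not a log line
"""


def build_networks(sources):
    """Flatten {name: [cidr, ...]} into a list of (name, ip_network)."""
    return [(name, ipaddress.ip_network(cidr))
            for name, cidrs in sources.items() for cidr in cidrs]


def classify_ip(ip_str, networks):
    """Return the scanner name if ip_str lies in a declared range, else None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for name, net in networks:
        if ip in net:
            return name
    return None


def triage_log(text, sources=KNOWN_SCANNER_SOURCES):
    """Parse access-log text and split it into attributed and unattributed traffic.

    Returns (counts, unattributed): counts is a Counter keyed by scanner name,
    'unattributed' or 'unparsed'; unattributed is the list of parsed entries
    that did NOT come from a declared scanner and so still need review.
    """
    networks = build_networks(sources)
    counts = Counter()
    unattributed = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        entry = m.groupdict()
        label = classify_ip(entry["ip"], networks)
        if label:
            counts[label] += 1
        else:
            counts["unattributed"] += 1
            unattributed.append(entry)
    return counts, unattributed


if __name__ == "__main__":
    counts, remaining = triage_log(SAMPLE_LOG)
    print(dict(counts))
    for e in remaining:
        print(e["ip"], e["req"], e["status"])
```

The point of the split is noise reduction, not trust: a source-IP match only says the request came from a range someone has declared, so pair it with the published hostname (forward-confirmed reverse DNS) before treating that traffic as benign, and keep reviewing the unattributed bucket as usual.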
Trends & Research
The Foundation for Defense of Democracies (FDD) published an updated report on how the “Big 4” (Russia, China, North Korea, and Iran) could wage cyber-enabled economic warfare (CEEW). Samantha Ravich, Chairman of the Center on Cyber and Technology Innovation (CCTI) at FDD, and Mark Montgomery, Executive Director of the Cyberspace Solarium, write that the risks associated with CEEW are clear, and that the federal government has a blind spot that leaves the US vulnerable to catastrophic surprise – one that could simultaneously destabilize the US electric grid, water supply, banking system, transportation, or other critical infrastructure. That blind spot is intelligence that anticipates the adversary’s strategy.
Recommendations for the US government and private sector to disrupt adversary plans:
- Improve focus within the IC on the CEEW challenges.
  - The IC must bring focus to adversary CEEW tool development, CEEW campaigns, and economic interests, led by ODNI’s NCSC and Treasury.
- Improve public-private collaboration efforts to prepare for the CEEW threat.
  - The private sector owns and operates the vast majority of the cyber ecosystem, so scaling up security necessitates public-private cooperation.
- Develop economic contingency plans.
  - Washington has adequately planned for military contingencies, but has yet to account for the full spectrum of conflict in which CEEW could occur. Adversaries will likely operate in the gray zone, skirting the line of armed conflict.
- Expand the use of economic statecraft.
  - Sanctions and export controls are effective, especially when multilateral. Additional restrictions on the use of ICT equipment and services received from companies in hostile states can mitigate the risk of IP theft.
- Improve US gray zone capabilities.
  - The US must respond proactively to adversary gray zone operations to signal that the US government will respond to CEEW attacks, even those that do not cause physical destruction or death.
Microsoft accused state-backed hackers in China of abusing the country’s vulnerability disclosure requirements in an effort to discover and develop zero-day exploits. In its yearly Digital Defense Report, Microsoft said it observed Chinese threat actors using an increased number of zero days over the past year, and that this sudden spike is a direct result of a new law passed by the government there last year. In July 2021, the Cyberspace Administration of China (CAC) issued stricter rules around disclosing vulnerabilities for companies operating within its borders, requiring that all Chinese security researchers report new vulnerabilities they find to a state agency. Concerns that the Chinese military would exploit vulnerabilities before they were reported more broadly were an integral part of the investigation into the handling of the widespread Log4j vulnerability. Reports emerged earlier this year that the Chinese government had sanctioned Alibaba for reporting the vulnerability to Apache first, rather than to the government. Australian cybersecurity experts at Risky Biz are not convinced that China’s offensive cyber program is getting help from the state’s mandatory disclosure law. They argue that China has a huge cybersecurity scene, so there is no need to “steal” someone’s bug report when it could just as easily be purchased from a discreet private contractor. Further, Chinese APTs are no different from threat actors elsewhere in the world in researching vulnerabilities.