Changelog: The U.S. and U.K. expose APT31

Polina Razorilova / Unsplash

Welcome to Changelog for 3/28/2024, published by Synack! README senior editor Nathaniel Mott here with the week’s leading security news.

The payload

U.S. officials have been warning us about China’s offensive capabilities for a while now. We’ve heard about how China “has a bigger hacking program than that of every major nation combined” and how it appears to be “positioning itself to launch destructive cyber-attacks that would jeopardize the physical safety of Americans.” This week the U.S. and U.K. offered additional information about how one group in particular, APT31, has been conducting attacks on China’s adversaries since at least 2010.

The U.K. National Cyber Security Centre was fairly cursory in its analysis: It merely said that it “assesses that the China state-affiliated cyber actor APT31 was almost certainly responsible for conducting online reconnaissance activity in 2021 against the email accounts of UK parliamentarians, most of whom have been prominent in calling out the malign activity of China.” This is the kind of public attribution I’m used to seeing—no muss, no fuss, no details about the campaign that haven’t already been disclosed.

The U.S. took a different approach. In addition to the Treasury Department sanctioning two Chinese nationals, the Justice Department unsealed an indictment “charging seven [people] with conspiracy to commit computer intrusions and conspiracy to commit wire fraud for their involvement in a PRC-based hacking group that spent approximately 14 years targeting U.S. and foreign critics, businesses, and political officials in furtherance of the PRC’s economic espionage and foreign intelligence objectives.”

The Justice Department didn’t just say APT31 was “almost certainly responsible” for a specific attack. It said the group is “part of a cyberespionage program run by the MSS’s Hubei State Security Department, located in the city of Wuhan,” and counts “dozens of identified PRC Ministry of State Security (MSS) intelligence officers, contractor hackers, and support personnel” among its members. Then, in the indictment, it attributes many attacks that took place between 2010 and November 2023 to APT31.

The New York Times characterized the sanctions as “a major escalation of what has become an increasingly heated contest between the Biden administration and Beijing.” But I think the unsealed indictment—which includes detailed information not only about APT31’s activities over the course of 13 years, but about campaigns that were conducted by specific members of the group, too—makes an even bigger statement about the access the U.S. government has to one of China’s high-profile hacking groups.

There’s no denying that China is a force to be reckoned with. But how did Theodore Roosevelt put it? “Speak softly and hack really well?” It seems to me that unsealing this indictment was at least partly intended to be the U.S. government’s way of making it clear that it’s following Teddy’s advice.

The week, compiled

I’m still wrapping my head around the revelation that Facebook used Onavo, the VPN service it acquired in 2013 and then shut down in 2019 after it was caught paying folks to install a “research” app that let it “suck in all of a user’s phone and web activity,” to intercept and decrypt encrypted traffic to Snapchat.

These efforts were revealed as part of a class-action lawsuit filed in 2020. (TechCrunch shared the docs here.) It was referred to internally as “Project Ghostbusters”—apparently its executives never thought they’d have to reveal their cutesy moniker for a deeply troublesome initiative—until it was used to intercept traffic to Amazon and YouTube as well. Then it became the “In-App Action Panel (IAPP) program.”

The project worked by having people install “kits” that allowed Facebook to add a root certificate to their devices while its servers used “fake digital certificates to impersonate trusted Snapchat, YouTube, and Amazon analytics servers to redirect and decrypt secure traffic from those apps for Facebook’s strategic analysis.” (No word yet on whether they also drew a diagram with a smiley face at the point of decryption.)
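The technique described above only works because the apps trusted whatever root certificate was in the device trust store. The usual app-side defence is public-key pinning: the client compares the SHA-256 hash of the server certificate's SubjectPublicKeyInfo (the "sha256/…" pin format from RFC 7469, also used by Android's network security config) against a list it ships with, so a chain that validates under an injected root still fails. The example below is added here and is not code from the newsletter or from any of the companies it mentions: it builds two synthetic, X.509-shaped DER certificates (placeholder signatures, constructed key bytes, hypothetical hostname `api.example.test`), extracts the SPKI with a minimal DER walker, and shows the pin check accepting the genuine key and rejecting the impostor.

```python
import base64
import hashlib

# --- minimal DER encoder, enough to build a synthetic X.509-shaped certificate ---
SEQUENCE, INTEGER, OID, NULL, BIT_STRING, UTF8_STRING, SET = 0x30, 0x02, 0x06, 0x05, 0x03, 0x0C, 0x31
EXPLICIT_0 = 0xA0  # [0] EXPLICIT tag that wraps the X.509 version field
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
COMMON_NAME_OID = bytes.fromhex("550403")                 # 2.5.4.3


def der_length(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + der_length(len(payload)) + payload


def algorithm_identifier() -> bytes:
    return tlv(SEQUENCE, tlv(OID, RSA_ENCRYPTION_OID) + tlv(NULL, b""))


def spki(public_key_bytes: bytes) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING }."""
    return tlv(SEQUENCE, algorithm_identifier() + tlv(BIT_STRING, b"\x00" + public_key_bytes))


def name(common_name: str) -> bytes:
    attr = tlv(SEQUENCE, tlv(OID, COMMON_NAME_OID) + tlv(UTF8_STRING, common_name.encode()))
    return tlv(SEQUENCE, tlv(SET, attr))


def synthetic_certificate(subject_cn: str, issuer_cn: str, public_key_bytes: bytes) -> bytes:
    """X.509-shaped Certificate with a placeholder signature (constructed test data, not a real cert)."""
    tbs = (
        tlv(EXPLICIT_0, tlv(INTEGER, b"\x02"))  # version v3
        + tlv(INTEGER, b"\x01")                 # serialNumber
        + algorithm_identifier()                # signature algorithm
        + name(issuer_cn)
        + tlv(SEQUENCE, b"")                    # validity (left empty; not parsed here)
        + name(subject_cn)
        + spki(public_key_bytes)
    )
    placeholder_signature = tlv(BIT_STRING, b"\x00" * 17)  # not a real signature
    return tlv(SEQUENCE, tlv(SEQUENCE, tbs) + algorithm_identifier() + placeholder_signature)


# --- minimal DER walker used by the pinning check ---
def der_header_size(element: bytes) -> int:
    first = element[1]
    return 2 if first < 0x80 else 2 + (first & 0x7F)


def der_content(element: bytes) -> bytes:
    return element[der_header_size(element):]


def der_children(blob: bytes):
    """Yield (tag, whole TLV bytes) for each element inside a constructed DER value."""
    i = 0
    while i < len(blob):
        first = blob[i + 1]
        if first < 0x80:
            length, header = first, 2
        else:
            n = first & 0x7F
            length, header = int.from_bytes(blob[i + 2:i + 2 + n], "big"), 2 + n
        yield blob[i], blob[i:i + header + length]
        i += header + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo TLV from a Certificate (the 7th TBS field when a version is present)."""
    tbs = next(der_children(der_content(cert_der)))[1]
    fields = list(der_children(der_content(tbs)))
    index = 6 if fields[0][0] == EXPLICIT_0 else 5
    return fields[index][1]


def spki_pin(cert_der: bytes) -> str:
    """RFC 7469 style pin: "sha256/" + base64(SHA-256(DER SubjectPublicKeyInfo))."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def pin_matches(cert_der: bytes, pinset: set) -> bool:
    """The check an app runs after (not instead of) normal chain validation."""
    return spki_pin(cert_der) in pinset


# Constructed sample data: a genuine server key and a key certified by an injected root.
GENUINE_KEY = b"\x01" * 64
IMPOSTOR_KEY = b"\x02" * 64
GENUINE_CERT = synthetic_certificate("api.example.test", "Public CA", GENUINE_KEY)
IMPOSTOR_CERT = synthetic_certificate("api.example.test", "Injected Root", IMPOSTOR_KEY)
PINSET = {spki_pin(GENUINE_CERT)}  # what the app would ship with

if __name__ == "__main__":
    print("genuine:", pin_matches(GENUINE_CERT, PINSET))    # True
    print("impostor:", pin_matches(IMPOSTOR_CERT, PINSET))  # False
```

Pinning the SPKI rather than the whole certificate lets the operator renew the certificate without shipping a new app, as long as the key is kept; in practice a pinset also carries a backup pin so a key rotation cannot lock clients out.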


Igor Omilaev / Unsplash

It’s taken eight years for this project to be made public. I want to know how people are supposed to believe this is the only time Facebook actively undermined the privacy and security of its users for its own gain. I also can’t help but wonder what horrifying things we’re going to learn about providers of other VPN services, which don’t receive nearly as much scrutiny as Facebook, in the future. 

Now for some of the week’s leading security news:

Google: Google’s Threat Analysis Group—with, for the first time, some assistance from Mandiant—published its annual review (PDF) of zero-days exploited throughout the previous year. The whole thing is worth a read, but the big takeaway is that the number of exploited zero-days rose from 62 in 2022 to 97 in 2023. That’s about a 50% increase, but doesn’t quite reach the record 106 vulns from 2021.

TechCrunch: Telegram is offering users a complimentary premium subscription if they agree to allow the company to use their phone numbers to send one-time authentication codes to other users. Don’t do this. It can incur additional costs for you (depending on your phone plan) and it seems like a privacy and security incident just waiting to happen. That isn’t worth a discount on a messaging service.

BleepingComputer: The German Federal Office for Information Security said that “at least 17,000 Microsoft Exchange servers in Germany [are] exposed online and vulnerable to one or more critical security vulnerabilities.” Running your own Exchange server is probably a bad idea in the first place; doing so without being diligent about security updates is borderline masochistic.

A message from Synack

Pentesting on a FedRAMP Moderate Authorized Platform. Synack has achieved the Moderate "Authorized" designation from the U.S. Federal Risk and Authorization Management Program (FedRAMP), demonstrating that Synack's premier security testing platform meets the cloud compliance framework's rigorous requirements at the Moderate level. The milestone approval means government agencies can deploy Synack's best-in-class penetration testing and vulnerability management solutions – even for internal data, and in systems that process Controlled Unclassified Information. To learn more about the news and your security testing options, head over to https://hubs.ly/Q02jpBQ30.

Local files

The Record: The NSA and U.S. Cyber Command have decided to keep the identities of the co-chiefs of the Election Security Group a secret, The Record reported, “in part to shield them from the threats and harassment other election officials have received for merely being associated with such work.”

CyberScoop: The U.S. Cybersecurity and Infrastructure Security Agency published its proposal for critical infrastructure organizations reporting incidents on March 27. The proposal would require these orgs to report incidents within 72 hours and report payments to ransomware gangs within 24 hours. (Unless there was also an incident, in which case they have 72 hours, though I don’t see why they’d pay otherwise?)

FDD: The Foundation for Defense of Democracies published a study on March 25 in which it argued that the U.S. military needs to establish an independent Cyber Force. “America’s cyber force generation system is clearly broken,” the study’s authors said in their executive summary. “Fixing it demands nothing less than the establishment of an independent cyber service.”

Off-script

I used to think Superman was boring. How are you supposed to tell interesting stories about a man who’s nearly impervious to injury, has seemingly every superpower under the Sun and somehow manages to make wearing his underwear on the outside of his suit look far less ridiculous than it should?

That perception’s changed over the years. It started with “Superman Smashes the Klan,” a graphic novel adaptation of a story originally told during “The Adventures of Superman” radio show, and continued with “Superman: Up in the Sky.” Both helped show a side of Superman that I hadn’t seen before. (“Up in the Sky” also has an extended boxing sequence that is far better than it has any right to be.)


Yogi Purnama / Unsplash

This has carried through to a CW series called “Superman & Lois.” I didn’t have particularly high hopes for it—not least because of how much of the DC Cinematic Universe or whatever they’re calling it was mediocre at best—but I enjoyed the first season even though it stretches the plausibility of some glasses disguising Superman’s identity well past the breaking point. Give it—and the books I mentioned—a shot.