Lockdown Mode, mercenary hackers and Finland’s approach to hybrid war

Illustration: Si Weon Kim

Welcome to Changelog for 7/10/22, published by Synack! Blake here, back after a hiatus for the Fourth of July holiday. Last week brought a mixed bag of cybersecurity news, between Apple’s decision to roll out a “Lockdown Mode” for high-risk users to Microsoft’s (temporary) move to reenable macros by default in Office downloads. When one door closes to hackers, another opens. Here’s what happened:


The payload

Each country has its own spin on cybersecurity. The U.S. leverages Silicon Valley and its status as a global superpower to spend big and carry a bigger stick in the cyber arena. Israel prides itself on fostering a startup-friendly culture while leaning on compulsory military service to nurture tech talent.

As for Finland, everyone has a role to play when it comes to ensuring the nation’s cyber and physical defense, as Shaun Waterman reports for README. This whole-of-society approach has left NATO’s newest would-be member exceptionally well-equipped to deal with cyberthreats from neighboring Russia.

And there are plenty of threats: Russia has warned both Finland and Sweden that there would be consequences if either country joined NATO. Both nations cleared a major milestone last week on their road to becoming full-fledged NATO members, as NATO allies signed Accession Protocols putting them on the road to final approval.

Russia, which shares an 830-mile border with Finland, could deploy some of the same hybrid tactics used in its war in Ukraine as it retaliates against Helsinki.

While Finland’s unique approach to cybersecurity carries lessons for the U.S., the Nordic nation’s history and geography set it apart.

“The United States doesn’t face an existential threat,” said Mikko Hyppönen, chief research officer at Finland-based cybersecurity firm WithSecure. “You’re not fighting for your survival. We are. Both my grandfathers fought the Russians, I did military service. It’s a different scenario here.”

The week, compiled

Apple announced its Lockdown Mode feature last week — and no, it’s not a new corporate COVID protocol.

The capability refers to “an extreme, optional protection for the very small number of users who face grave, targeted threats to their digital security,” as Apple put it in a press release Wednesday.

Here’s how it works: Lockdown Mode takes devices running iOS 16, iPadOS 16, or macOS Ventura, and wrings out potentially exploitable features like wet dish towels. Link previews? Gone. Incoming FaceTime call from someone you haven’t previously contacted? Too bad. Want to load a website that normally uses just-in-time JavaScript compilation? You may have some trouble.

Hedgehog Digital/Flickr

Lockdown Mode “reflects our unwavering commitment to protecting users from even the rarest, most sophisticated attacks,” said Ivan Krstić, Apple’s head of Security Engineering and Architecture.

Those threats include mercenary spyware produced by the likes of Israel-based NSO Group or the Italian company RCS Lab. If you’re in the crosshairs of a government that’s buying powerful surveillance tools like Pegasus, you may be willing to sacrifice convenience and some usability for the peace of mind that comes with using Lockdown Mode. For the vast majority of users, the feature will be an unnecessary drag.

Here’s some other news that stood out last week:

Motherboard: Reporter Joseph Cox published snippets of the “messy” code behind the Anom messaging app that the FBI surreptitiously used to sweep up millions of messages (including plenty of evidence of criminal activity).

CSO Online: U.S. cybersecurity officials are pushing out of the blocks in the race to prepare for quantum computers that could break conventional methods of encryption. The National Institute of Standards and Technology last week committed to standardizing four algorithms that can hold their own against future threats posed by quantum technology, while the Cybersecurity and Infrastructure Security Agency kicked off a Post-Quantum Cryptography Initiative.

Bleeping Computer: Microsoft rolled back its decision to block macros by default for certain downloads, reopening a common cyberattack vector. “Looks like Microsoft has blessed us all with more job security,” quipped British security researcher Marcus Hutchins. Microsoft later told HackerNews the reversal would be temporary as it works to “enhance usability.”

A message from Synack

Synack Red Team mission data indicates that once-a-year pentests are no longer adequate to protect sensitive missions or meet most compliance requirements. Government Agencies Deserve A Better Way To Pentest, one that scales to find vulnerabilities that matter most and to meet M-22–09 zero trust requirements for dedicated application security testing. Find your Better Way to Pentest today in Synack’s FedRAMP Moderate In Process environment.

Flash memory

In June 2020, Reuters revealed the existing of a sprawling Indian hack-for-hire operation whose activities dated back to at least 2013.

An obscure IT firm based out of New Delhi, BellTroX InfoTech Services, barraged French lawyers, American environmental activists and other targets with tens of thousands of malicious messages.

A detail of a courthouse in Wisconsin. Eric Allix Rogers/Flickr

Last week, Reuters published a comprehensive investigation detailing the hacking campaign’s alarming focus on lawyers embroiled in high-stakes lawsuits around the globe. Indian mercenary hackers reportedly tried to steal documents in at least 35 legal cases, often at the behest of private investigators working for larger clients.

“Millions of dollars are being made by hackers, investigators and their instructing law firms from these illegal activities,” aviation executive Farhad Azima told Reuters. “The hack-for-hire companies may be thousands of miles away, but the victims are often U.S. citizens on U.S. soil.”

Local files

BBC News: An advertisement for a tranche of hacked files purportedly affecting 1 billion Chinese citizens was taken down last week. Moderators said “the data is no longer being sold,” leaving some experts to speculate that the Chinese government itself may have bought back the stolen data.

AP: Poland’s Prime Minister Mateusz Morawiecki accused Russia of hacking into government accounts and leaking emails that expose improper ties between his ruling party and Poland’s judicial branch.

CyberScoop: Marriott International confirmed last week that it fell victim to a data breach that included confidential information on guests and employees at the BWI Airport Marriott in Baltimore.


Wildlife biologists in Florida recently captured a whopping 215-pound Burmese python in their quest to combat the invasive species, which has disrupted fragile ecosystems in the Everglades.

I’m no ophidiophobe, and yet you’ll never find me posing with an 18-foot-long snake. But this isn’t the first rodeo for the team at the Conservancy of Southwest Florida, the group that announced the record-breaking find last month. Since launching the python program in 2013, the team has removed over 1,000 snakes clocking in at a total of 26,000 pounds — heavier than a half-dozen Jeep Wranglers:

Conservancy of Southwest Florida

That’s it for this week. Stay cool out there, and don’t forget to send tips and feedback to bsobczak@synack.com. See you next Sunday!