A
Hey, everyone, and welcome to Seriously Risky Business. It's the podcast here at Risky Biz, all about cyber security policy and intelligence. My name is Amberleigh Jack, and in just a moment, I'll be chatting to Tom Uren, our policy and intelligence editor, all about the Seriously Risky Business newsletter that you can check out on our website today, Risky Biz. First, though, I'd like to thank the William and Flora Hewlett Foundation for supporting Tom's work here, and also Lawfare, who syndicate his newsletter and publish it on the Lawfare Media website. And finally, thanks to our corporate sponsor, Yubico, this week as well. Tom, g'day. It's great to have you back from holiday.
B
G'day, Amberleigh. How are you?
A
Oh, not too bad, not too bad. And we've just been sort of spending the morning working on the finishing edits of your newsletter this morning. And the first thing I want to talk to you about is the recent reporting that U.S. court filing systems have been hacked. And by the looks of it, everyone's kind of had their fingers in that particular pie. And it sort of led you to write that government agencies are learning a fairly brutal lesson, and that is that they hold sensitive, but not classified information that is very susceptible to being hacked. And your sort of take on this, Tom, is that getting your security education by cleaning up after you've been breached is maybe less than ideal.
B
Yeah, for sure. So the story is that there's a couple of electronic systems that the US Courts use, and these systems have case documents, so things like indictments, filings, etc. And some of them have very sensitive information like the names and identities of witnesses or, you know, what is going to be alleged, you know, upcoming litigation that might happen or prosecution or whatever. And so there's a whole range of different people who would be interested in having advanced warning of that information. And so it's a valuable target. And so there's been a breach, and that was reported just last week, last month. And it turns out that it's just about as bad as it can be in that there's not just one threat actor in there, but there's multiple ones. So the reporting from Politico last week was that the concern, one particular concern is that drug cartels have access to this information and could use it to identify and pressure witnesses, perhaps even murder them. There was a story we spoke about maybe a month or so ago about them using more advanced hacking techniques or surveillance techniques to try and identify witnesses. So that's one concern. But it turns out that there were also several different state backed APTs in the court system as well across different jurisdictions. And so that's like pretty much as bad as it can be. Now this is actually not the first time that the U.S. court document management systems have been hacked. They were first hacked back in 2020 and at the time the response was that the court said for highly sensitive documents, I think they even use the acronym HSDs, we're not going to keep them in the online system, we'll keep them in a separate standalone system, we'll only file them on paper. But it seems like the only logical conclusion is that there's still sensitive stuff. It just didn't fall into the highly sensitive category. And so this is still bad news.
Now this made me think of other hacks that have affected federal systems that are sensitive but not classified. And so for example, the SEC, the Securities and Exchange Commission, they have this system called EDGAR, which is basically a database for all the corporate filings, and cybercriminals way back in, I think it was 2016, actually hacked that database. And the idea was that they would get advance warning of the public releases that were going to be sent out and they would trade on that. And the point is that the US Government across different agencies holds a lot of sensitive but valuable information. It's not classified, it's not national security information. And there's not the same security dynamic where the organizations really, really care about security, and they just get hacked one by one and then they try and improve security to a lesser or greater extent. I suppose the problem is that in an ideal world you'd have someone like CISA come along and say, okay, we've got these particularly valuable holdings, let's try and have a security uplift program that covers the whole federal government. And we'll be in a better place because we've got centralized expertise, we'll do things better. Now that didn't happen when CISA was bigger and better resourced, and given budget cuts, I don't think that's going to happen. So I guess at this point I'm sort of old man waving at cloud. This is a problem. It would be great if there was something proactive to identify and improve those. And I think like right now the sort of practical response might be, well, let's turn these into like case studies and try and get some momentum to try and improve things by making people understand the risk.
A
But also, just going back a little to what you were saying before, as you said, there were sort of state actors in there, there were cartels. There are a lot of adversaries who sort of want this stuff. So even going, maybe the fun way of going full on offensive cyber, that's not going to work either, is it?
B
Yeah, yeah. So the, the Trump administration, the broad thrust or the vibe of the Trump administration has been we'll spend less on defense, but as a compensating control, maybe we'll use more offensive cyber capabilities. And I think that really makes sense where you can identify a small number of outsized important actors. So, for example, when it comes to ransomware, it turns out that most of the damage is done just by a few groups at any one time. So there's a priority list. You can say, okay, top one, top two, top three, whatever. If we can disrupt those key players in a meaningful way, we'll make a meaningful difference. In this case, there's just so many different players, it's hard to see how you would disrupt any one or two or even three or four or five and actually air quotes solve the problem. And so this, where you've got a wide range of parties interested and capable, it doesn't seem to me that offensive cyber will be a thing that will be effective. You can get small tactical wins against individual players, but that won't help the bigger picture problem.
A
Yeah, for sure.
B
Now, I think in contrast with state action, you know that there's a few key state players and you can probably prioritize those and make a difference. So it's, I guess, horses for courses. And what you really need to do is just improve the security of those systems. And that's not happened so far. I'm not optimistic. More hacks to come, I guess.
A
Yeah, yeah, for sure. And you know, you said it hasn't happened so far, and you also said that even when CISA was bigger and better resourced, we didn't see that coordinated kind of uplift in security. But I'm going to ask you to pull out your imaginary crystal ball here because these things can take some time. Right. Do you think that would have come had CISA remained as well resourced as it was?
B
No, probably not.
A
Fair enough.
B
It's like, I think it's the kind of thing where a number of hacks maybe would have led to a program. I guess the secure by design effort was an effort to try and make everything better. I think if there had been a bigger CISA today, maybe this hack would then eventually lead to a program which would be to kind of identify the highest risk data sets and try and work collaboratively to improve them. But I think as it had proceeded up until the Trump administration, it would have made no difference.
A
Yeah, for sure. And for now, as you said, more hacks.
B
Yeah.
A
And the second thing that I wanted to chat to you about, Tom, is the recent reporting that Israel's military signals intelligence agency has used Microsoft Azure to store some intercepted comms from Palestinians in Gaza and the West Bank. And I guess, to start with, Tom, can you just give us a bit of a rundown of what that data was and what it was used for, if we know.
B
So the reporting is that back in 2021, the equivalent of the US NSA, which is known as Unit 8200, they do signals intelligence and cyber espionage. They went to Microsoft and said, we would like to use your services. And they said they would use it to store sensitive data. And so the reporting is that the Israeli intelligence has good access to telecommunications in Palestinian territories just because of the nature of its control. And so it wanted to basically hoover up everything, store it and then query it retrospectively, kind of like a digital video recorder or a TiVo for signals intelligence. And at the time Microsoft said, it ultimately said, yes. It wasn't hands on, on the system that was built, but it worked with the Israeli Ministry of Defense in adding extra security protections. And the story is that it's been used to host audio and messages from mobile phone intercepts. Now, the more serious allegations are that that's used for the targeting of people who are subsequently being killed in military operations. And part of Microsoft's, I guess, you know, it doesn't want to be involved in that kind of business. So it had or has acceptable use policies. And it also sought assurances from Israeli officials that it wouldn't be used to target people. Now, the problem is that once you've got this massive collection of intelligence and if you're involved in military action, it's inevitable that you will try and use it. You want to make the best decisions that you can. It doesn't necessarily mean that you're using it to identify targets, but it's going to be involved in the process. It'll be in the mix. Because if I'm a military commander and I want to make the best decision, whether it is finding the right target or avoiding collateral damage or what have you, you just query all your holdings to make sure that you make the best decision. So the data that is being stored in Azure contributes to that process.
A
And so you've highlighted in the piece, Tom, that these kind of commercial deals with foreign intelligence agencies can be reputationally risky.
B
Yeah, yeah. So I think that the nature of intelligence agencies is that they prosecute the national interests and perhaps more than most organizations, with perhaps exception. Well, they're part of the Defence Ministry usually and so they're very focused on their own national interest, sometimes at the expense of other countries. And so they're very polarizing organizations. So I think that if you're involved in contractual agreements or arrangements with them, that's a risk you've got to identify. Now they seem to have tried to mitigate that risk with, like I said, acceptable use policies, assurances. But I think the reality is that there's very, very few countries that a company like Microsoft can have arrangements with intelligence agencies with no risk. Now a year or so ago I would have said that those were Australia, the UK, the US and New Zealand, maybe some countries in Europe, but even Canada, in the last year or so it's been, at least the idea has been floated that it be removed from the Five Eyes. So I think the actual number of countries you can be safe working with intelligence agencies is very, very small. And I think at this Microsoft didn't realize that, thought it would be okay. This was set up in 2021 when times were very, very different.
A
Yeah, the whole thing, times were very different.
B
Yeah, yeah, yeah, 2021, sorry. It's a kind of case study of being blind to tail edge risks, I guess.
A
And finally Tom, the newsletter today you've got a little bit of reporting here about Australia's blunt espionage warning. Tell me a little bit about that.
B
Yeah, so the director of the Australian Security Intelligence Organisation, or ASIO, Mike Burgess, he released a report and had an associated speech where he's basically trying to warn people in Australia about the risk of espionage and foreign interference. And part of that was releasing this report that has an actual dollar value attached to how much foreign interference and espionage is costing Australia. And they came up with the figure of US$8 billion a year. So even though he cites a whole lot of Australian examples of what the organization has disrupted, it's a global problem. It's not because Australia is somehow special and unique and where the focus of the most espionage activity is. He describes it as just a new era of great power competition. And so this is occurring everywhere. So it's really a global warning, which is why I wanted to mention it. He said that in the last three years ASIO has disrupted more foreign operations than in the last eight years combined. So it's really been an uptick. There's lots of interesting examples where he talks in vague terms about what type of operations have been disrupted. And it's quite rare to see the heads of these types of organizations just list a whole lot of different anonymized examples. So I thought that was interesting. But really the take home message is it's a big problem and it's everywhere. So, you know, it's not just us because we're special.
A
We are special, though. All right, Tom, we might wrap it up there. But of course, you can read Tom's full newsletter over at our website, Risky Biz. But Tom, thank you so much and look forward to chatting again next week.
B
Thanks, Amberleigh.
Title: Srsly Risky Biz: Drug Cartels are the New APTs
Host: Amberleigh Jack
Guest: Tom Uren, Policy and Intelligence Editor
Release Date: August 14, 2025
In the latest episode of Risky Bulletin, hosted by Amberleigh Jack, cybersecurity expert Tom Uren delves into pressing issues surrounding recent cyberattacks, intelligence operations, and espionage threats. This episode, titled "Srsly Risky Biz: Drug Cartels are the New APTs," provides an in-depth analysis of the evolving landscape of cyber threats and the vulnerabilities within governmental and international intelligence systems.
Timestamp: [00:41] – [09:24]
Amberleigh initiates the discussion by addressing the alarming news of multiple breaches in the U.S. court filing systems. These systems house sensitive, albeit unclassified, information such as indictments, witness identities, and details of upcoming litigation or prosecutions.
Tom Uren: "There’s a whole range of different people who would be interested in having advanced warning of that information. And so it's a valuable target." [01:25]
Tom highlights the severity of the breaches, noting that various threat actors, including drug cartels and state-backed Advanced Persistent Threats (APTs), have infiltrated these systems.
Tom Uren: "The concern, one particular concern is that drug cartels have access to this information and could use it to identify and pressure witnesses, perhaps even murder them." [02:10]
This multiplicity of attackers complicates defense strategies, making it challenging to mitigate risks effectively.
Tom criticizes the reactive approach to cybersecurity, where agencies tend to patch vulnerabilities post-breach rather than proactively securing systems. He emphasizes the need for centralized expertise, potentially through organizations like CISA (Cybersecurity and Infrastructure Security Agency), to implement comprehensive security uplift programs across federal agencies.
Tom Uren: "It would be great if there was something proactive to identify and improve those. And I think like right now the sort of practical response might be, well, let's turn these into like case studies and try and get some momentum to try and improve things by making people understand the risk." [05:50]
However, budget cuts and reduced resources have hindered CISA’s ability to enforce such measures, raising concerns about future breaches.
The conversation shifts to the Trump administration's strategy of reducing defensive spending while increasing offensive cyber operations. Tom argues that this approach is only effective against a limited number of key adversaries.
Tom Uren: "There's just so many different players, it's hard to see how you would disrupt any one or two or even three or four or five and actually air quotes solve the problem." [06:28]
Given the diverse and numerous threat actors targeting U.S. court systems, he remains skeptical about the efficacy of relying solely on offensive cyber tactics.
Timestamp: [09:24] – [14:20]
Amberleigh introduces the topic of Israel's military signals intelligence agency utilizing Microsoft Azure to store intercepted communications from Palestinian regions. Tom explains that this arrangement dates back to 2021, wherein Israel's equivalent of the NSA, Unit 8200, partnered with Microsoft to store and analyze vast amounts of telecommunications data.
Tom Uren: "The Israeli intelligence has good access to telecommunications in Palestinian territories just because of the nature of its control." [09:51]
Tom raises concerns about the reputational risks for companies like Microsoft when entering into such partnerships. He points out that intelligence agencies inherently operate in ways that may conflict with global ethical standards and can lead to unintended consequences.
Tom Uren: "There’s very, very few countries that a company like Microsoft can have arrangements with intelligence agencies with no risk." [12:32]
Despite Microsoft's assurances and acceptable use policies aimed at preventing misuse of the data, Tom argues that the extensive intelligence collection inevitably feeds into military operations, whether directly or indirectly.
Tom Uren: "The data that is being stored in Azure contributes to that process." [12:22]
He underscores the difficulty in completely segregating intelligence collection from its potential use in targeting individuals, thereby blurring the lines of ethical data usage.
Timestamp: [14:20] – [16:22]
Tom discusses the recent report released by Mike Burgess, Director of the Australian Security Intelligence Organisation (ASIO), which warns of escalating espionage and foreign interference activities costing Australia an estimated US$8 billion annually.
Tom Uren: "In the last three years ASIO has disrupted more foreign operations than in the last eight years combined." [14:29]
The report emphasizes that espionage is not unique to Australia but is a pervasive global issue framed within the broader context of renewed great power competition. Tom points out that ASIO's increased disruptions reflect a global surge in intelligence activities.
Tom Uren: "It's a global problem. It's not because Australia is somehow special and unique and where the focus of the most espionage activity." [15:05]
While the report provides anonymized examples of disrupted operations, Tom notes the significance of the comprehensive nature of these threats, indicating that espionage tactics have become more sophisticated and widespread.
In this episode of Risky Bulletin, Tom Uren provides a compelling analysis of current cybersecurity challenges, highlighting the multifaceted nature of modern cyber threats. From breaches in U.S. court systems involving diverse threat actors to the complexities of international intelligence partnerships and the global scale of espionage, the discussions underscore the urgent need for proactive and coordinated cybersecurity strategies. As cyber threats continue to evolve, the insights shared by Tom emphasize the critical importance of robust security measures, international collaboration, and vigilant intelligence operations to safeguard sensitive information and national interests.
For a more comprehensive understanding, listeners are encouraged to read Tom Uren's full newsletter available on the Risky Biz website.