A
Hey everyone, I'm James Wilson and welcome to this week's Seriously Risky Biz. This is, of course, our cybersecurity policy and intelligence podcast that is based upon the Seriously Risky Business newsletter that my colleague Tom Uren writes. You can find that newsletter and subscribe to it over at our website, Risky Biz. Now, before we get into this week's newsletter, I want to take a moment to thank the sponsor for this week, which is Push Security. I posted an interview this week with Push Security's Chief Research Officer, Jacques Lowe, talking about how the browser extension that Push makes is now getting some amazing new capabilities in terms of detecting and defending against even some really novel campaigns, thanks to the use of AI and an interesting harness that they've developed to extend their threat hunting platform. Now back to this week's Seriously Risky Biz. We've got two topics for you. The first one is about how Signal rose to becoming, I guess, the ubiquitous and de facto standard for how government officials talk amongst themselves. But now, not just problems that are inherent to Signal, but things that are problematic whenever you've got a ubiquitous, globally connected messaging platform, are pushing some governments, particularly in Europe, to actually start making their own Signal clones and apps for their own sovereign use. And suffice to say, Tom's got some concerns about whether this will even work, and also, you know, whether it really makes us safer and more secure. The second topic we've got for you is the slow burn of Stuxnet and Fast 16. It is incredible that, you know, 20 odd years later, we are only this month finding out that Stuxnet, which at the time was this most incredible malware when it was discovered, you know, a long time ago now, I think that was around the 2010s, actually had a sibling.
There was also Fast 16, and Tom puts it in a really interesting way here. If you think about Stuxnet as being the thing that disrupted the supply chain, the creation, the enrichment of the uranium required for a nuclear bomb that Iran has been trying to make for some time now, then think of Fast 16 as answering the question of, well, even if you can make all that enriched uranium, what are you going to be able to do with it? Because it had some sneaky, sneaky tricks up its sleeve. So those are our two topics, and I'm going to drop you in here where Tom talks about the history of Signal, how it became this de facto standard, some of the problems that that exhibits, and then we talk about, you know, whether this is really a net benefit or whether it's just history repeating and people will gravitate back to having conversations where people are already having conversations. I hope you enjoy this week's episode.
B
Yeah. So back in 2020, the European Commission, which is the sort of bureaucratic body of the European Union, issued this memo, this notice, that if you're talking to outsiders, Signal is the preferred app of choice. And I think that's a very pragmatic decision. You want to talk to people, obviously, and of all the options, you just choose the best one. Now the problem is that Signal's kind of become a monster in terms of important discussions between groups and people. So it's used all over the place amongst influential people discussing things. So there was this very interesting article in Semafor where it talked about it being the dark matter of US politics.
A
Very dramatic framing.
B
Yeah, yeah, it was great. There's all these groups of influential people who talk and develop policy ideas on Signal, but it's not solely a US phenomenon. So there's also stories of, like, EU foreign ministers talking on Signal. And so there's a group that was set up by Kaja Kallas, who is the EU's lead diplomatic person. There's a group of European Commission very senior officials talking on Signal. And so it's just swallowed up every other alternative. And I guess, going back to the US administration, there was Signalgate, where they were discussing their imminent plans to bomb people on Signal and managed to invite a journalist into the discussion.
A
Yeah. And then the wonderful B-side to that story, when it turned out either it wasn't Signal, or shortly after that it became not Signal, because it became something with data retention that was even more disastrous.
B
So there's, I guess, this: Signal is convenient and it has a very good reputation for security. Now, the problem with Signal is that it's not a ground-up system where everything is guaranteed to be secure. So they've done a very good job of the transport layer from device to device, providing guarantees that that's not interceptable. They don't store a lot of data, so you can't steal anything from Signal that's of any use. If you give them a warrant, they can provide very little. But there's very little in the way of guarantees about who you are. So, like, who am I talking to? And so, you know, if someone rocks up and says, I am Signal support, there's no way to verify that or disprove it either within the app.
A
Right. Because there's an important distinction between something being secure, something being private, and there being a degree of, I guess, identity validation built into something. Right. So Signal has really focused on secure and private insofar as people in the middle can't intercept conversations. If the Signal infrastructure is hacked, as you said, there's very little there. So that's the privacy aspect of it. But at the end of the day, I can have a very private and very secure conversation with someone that might actually not be Tom Uren, and I would be none the wiser, you know, in a lot of cases. Right, so that's one of the fundamental challenges here.
B
Yes, that's right. And so because all these conversations of important people have migrated to Signal, it's become a magnet for state hackers. And so there's been a lot of, particularly, Russian intelligence agencies coming up with some clever attacks. One in particular: there's a linked devices feature in Signal and also in WhatsApp, where convenience trumps security in a sense. They make it easy to link a computer or another mobile device. Perhaps you might have a phone, a tablet and a computer, and you can have Signal or WhatsApp running on all of those devices at the same time. And one of the clever techniques was to convince people to link their device, or link their account, to a device controlled by the attacker. And from an espionage point of view, that's perfect, because they get ongoing access to your communications from that point onwards. And so that's a very clever, perfect-for-espionage style attack. And I have this feeling that clever attacks have been sort of conflated with other problems that have occurred with Signal, where, for example, Ursula von der Leyen, who is the president of the European Commission, was negotiating Pfizer contracts, and the story is she negotiated billions in contracts and the messages were never recovered. Now, I don't think that was Signal in particular, but the fact that people have disappearing messages on these devices and there's no record keeping from a government point of view, that's a problem. And it's easy in Signal to set up disappearing messages. People often do that.
A
A problem from just the, I think, reasonable expectation that these sorts of conversations are happening in a durable place that allows for freedom of information access, or whatever other local sort of jurisdiction or governance
B
purposes, to be able to see why a decision was made and who made it and what the reasoning was. I think for government people that's reasonable. That's the way things are done.
A
Signal almost fell victim to its own network effect. Right. Everyone was there, people started using it more and more. You're going to go to have conversations with people where they already are, which is far less friction than trying to bifurcate into, please join this new small network thing that's set up for this conversation. So everyone's there. Because everyone's there, it is a very enticing target. I don't want to say there's quite a few attack surfaces in Signal, because I think one of the things to delve into a little bit here is that there's something to be said for Signal having reached a requisite level of security as a platform when phishing is your only option, and exploiting device linking through phishing is the only sort of, I guess, traditional or more prolific way that someone has been exploiting this to gain access to Signal. It's not like they're going after bugs in the protocol, bugs in the app. But now it feels like the mood has changed a little bit. You know, governments were issuing a lot of warnings about Signal phishing attacks, but correct me if I'm wrong, it feels like governments are now coming up with some pretty strong directives around this change.
B
Yeah, yeah. So there's a number of European governments that are actually creating their own apps internally, based on the Matrix open source protocol, which is a different style of encrypted app. And, like, Germany, France, Belgium and Poland have all got their own apps. And part of the way they're dealing with phishing is just by making them closed ecosystems, so they're linked to government identities, government accounts, and so you can't talk to everyone. And so if you're being phished by the Russians, limiting who can talk to you is obviously going to make that harder. And Matrix also has the ability to do things like data retention policies, if you've got the right server built on top, and you can also link it to your identity platform. And so these are all attractive things from a government point of view, because they give you the warm fuzzies that, yes, I can set policies exactly how I like them. I don't have to rely on Signal setting a policy that's appropriate for the entire world. On balance, I can set one that's appropriate for my government.
A
Yeah. Because this feels a lot like what you largely could have done with the secure email systems and messaging systems that would have existed prior to Signal, the things that people moved away from. So, like, gosh, it feels like history repeats again. If these systems are closed, the people aren't there. They're clunky because they're not, you know, the result of many people working thousands of hours to create a great user experience. So, like, doesn't this just all happen again?
B
Like, I mean, I think in fairness the alternatives they had back in 2020 were less good. So they were things like encrypted emails, work-based platforms. Now, having said that, I think you're right. I think people tend to prefer using a single app for everything. So I think that people will face an uphill battle. But having said that, I think that a lot of the team-based government stuff will work fine on these platforms, because they'll start there. There'll be someone who sets up the conversation there, and you're not going to jump to Signal just because there's no reason to
A
jump to Signal until the moment comes that you need to add someone into that conversation that's not in their network.
B
My view is that the more senior you get, the more you have to talk to people who are not your friends.
A
Exactly. Yes.
B
They may not be enemies, but you have to talk to frenemies. And for example, like, Emmanuel Macron had a Signal conversation with Ursula von der Leyen. So the President of France versus the President of the EC. Not versus, but with, discussing, like, really significant trade deals. So there is no sovereign app where either France or the European Commission is like... Maybe that's not the best example, but, for example, Macron with Vladimir Putin. Then they're not going to talk on a French sovereign app, they're not going to talk on a Russian sovereign app, they're going to talk on Signal, because that's where those sorts of conversations take place.
A
Yep. You did mention the potential of federation that is built into Matrix. And so, like, all geopolitical issues aside, you could imagine that there is a technical possibility that individual European governments could federate their instances and allow some degree of cross-government conversation. But, you know, like in the corporate world, your seniority is generally directly correlated to your sphere of influence, and that sphere of influence requires you to talk to people at, and increasingly beyond, your normal sort of interactions. And I'm sure that that's the same as what you just described in government. So again, it feels to me like this falls victim to the network effect.
B
Yeah, an app is more useful when you can talk to more people. Yeah, like you said, the network effect. But the more people you can talk to, the more vulnerable you are to phishing. Because if it's federated with everything, then there's nothing to stop, you know, a service, an intelligence service, setting up their own server and calling it, you know, your government's secret server.
A
Yeah, the real GC server that joins.
B
Yeah, yeah. So I think this is very much a case of swings and roundabouts. I think one of the other big factors I haven't mentioned is sovereignty. And I think European governments... Well, I mean, to be frank, the US administration is a bit on the nose, and they want to feel like they've got more control, and relying on a US foundation, or in the case of WhatsApp, relying on Meta, that doesn't feel like the right solution. So this, I think, is a natural response. Now, I think it's very much a case of there's some advantages, but there's some disadvantages. Like, you've got these new homegrown apps and they'll probably come with new homegrown security vulnerabilities. Signal's well tested, and we know what the problems are.
A
Worth mentioning there as well: Matrix itself, this thing that gets cited as what these are based on, that's a protocol which doesn't give you the app and the user experience and everything on top of that. And there'll be just myriad attack surface on top of that, I think is the point you are making there.
B
Yeah, there's different varieties of stuff built on top of it. And so, like Signal, like you said earlier, there's a lot of phishing attacks, but because they're phishing attacks, we don't tend to see... Well, we've never seen the Signal protocol itself or the Signal client be hacked in a way that's significant. Like, the phones get hacked, but then everyone has that problem. With Matrix and all the implementations that sit on top, we don't have that same level of history, I guess.
A
Yeah. So given your insight into this, what's your sense as to how this shakes out, and then how would that form the advice that you would give to these governments that are already starting to spin up their own Signal?
B
Yeah. I think that basically Signal is inescapable. Senior people especially are always going to want to communicate with other important people in a way that feels secure. And when you're talking to everyone on the planet, that is kind of Signal. So I think that it's unrealistic to expect that you can create your own homegrown apps and get away from the problem of phishing, because any app that can talk to everyone, phishing will be a thing. So I kind of think that you've got to accept that it's part of your future and make the best of it, and do things like maybe invest in a fork that you can layer some additional controls onto that you want, or perhaps give some money to the Signal Foundation to work on particular things that you think are worthwhile. I think it's embrace and accept rather than shun and reject, would be my kind of pithiest way of putting it.
A
I know, it sounds like a pretty good political slogan. Could be your platform to run on.
B
Now, unfortunately, I think politically, that's not the way things are going right now. So, yeah, no one will listen.
A
We'll see how it goes. Speaking of seeing how things go, and in this case, seeing how things went 20 plus years ago and being just all collectively amazed: Fast 16 and Stuxnet. Tell me about the history of these two things, as we're now sort of pivoting towards these incredible pieces of malware that have been discovered that were plaguing the Iranian nuclear program. And you wanted to give us a bit of a look into what we've learned this week. But let's start with the history.
B
Yep. So, okay, stepping back. Mid 2000s, Iran is trying to build a nuclear weapon. They've got different facilities. They have started uranium enrichment. Now, we knew about Stuxnet from, like, 2010 or so, and Stuxnet was malware that was designed to infiltrate the Natanz nuclear facility where they were spinning uranium enrichment centrifuges. And it diddled with those centrifuges in a very clever way. It spun them up and spun them down very rapidly, so they break themselves apart. Yet to anyone in the control room, it looked like things were operating normally. So they just had a whole lot
A
of broken centrifuges, indistinguishable from some sort of manufacturing defect or something. Yeah, like a brilliant blending of, I guess, cyber and physical, but being driven by cyber in this case.
B
So that's one arm, which I guess attacks the supply chain, right? It attacks the process of making enriched uranium. And like I said, we've known about that for over 15 years now, and it's only this month that we've learned about a second arm of that. I guess it was a broader campaign. And it's malware that's been called Fast 16, and it was actually discovered by SentinelOne researcher JAGS in 2019, but he couldn't figure out at that time what it was used for. And so it's only in the last month that JAGS and Symantec have figured out that it would manipulate the results of two specific pieces of software. I think they're called LS-DYNA and Autodyn. And so they're software you use in simulations of things like vehicle crashes or explosions. And the actual mechanism was that if it detected material of a certain density being compressed, it would give results that were incorrect.
A
Right, and it turns out that only tends to happen when you're detonating a nuclear bomb.
B
Exactly, yes. So the results would be changed when you were compressing uranium in something like an implosion. And so the way some nuclear bombs work is that you take a ball of uranium and you just squash it by exploding high explosive around it. And it turns out that, amazingly, the results of these experiments or simulations would be incorrect, and it would appear that you weren't getting the result that you wanted. And so this is a second arm of a campaign to delay Iran's nuclear weapons program. So there's one aimed at the uranium enrichment, and there's another aimed at, what are you even going to do with that enriched uranium?
A
Yeah. As you were saying that, Tom, it feels like this is almost like a belts and suspenders kind of operation. Right. It's like, you know, the primary thing here was to disrupt the supply chain of the enriched uranium by having the...
B
Was it the primary thing?
A
Well, this is what I'm wondering. Right, because, okay, so listen, here's an aspect of this campaign that I find a little bit fascinating: if you can destroy enough of the centrifuges, then you're going to have a clear impact. If you're frustrating researchers, isn't there a risk here that if one researcher was infected by this and someone else wasn't, they'd compare notes and go, hey, my experiment says this worked fine? And if that's a possibility, I just wonder if this was a little bit more of a risky sort of thing, of like, yeah, let's do this, it's a good additional frustration. But do you think that the Stuxnet campaign, for lack of a better term, had a, I guess, more trusted degree of impact versus this? Or were they both the same? I guess that's how I would approach this. Was this the primary...
B
Yeah, I think the way I would think about this is, yes, it's defence in depth, belt and braces, whatever you want to call it, offence in depth. The uranium enrichment, it's a delaying tactic, because they destroyed some of the centrifuges, but there were a lot that were still running. In the wash-up, it looks like they slowed the program rather than halted it. This feels more binary. Either you know how to construct a weapon to get uranium to turn into an atomic bomb, or you don't. And if your calculations are always wrong, hopefully you stay on the don't side. But like you say, if someone else runs those calculations and gets a different result, then you will eventually pull on the thread and figure out what's going on. The malware had a mechanism to spread within a facility, but only within a facility. So my presumption is that presumably the US knew enough about the facilities to have some reasonable degree of confidence that this would work, and that those simulations only occurred in a small number of places. Now, it makes me wonder, was there a third arm? Yeah. What else would you do? And it also makes me think that this was back in 2005, and this feels very much like 5D chess to achieve a strategic outcome. The strategic outcome is, we don't want Iran to have a bomb. Let's employ a number of very clever cyber operations to stop that happening. And it's very clever operations that are essentially invisible to anyone outside. Stuxnet, in a way, they were bound to figure it out eventually, because you've got centrifuges breaking themselves apart. Like, there is an obvious problem.
A
To use that same example, if two researchers had compared notes and discovered one was different to the other, that would be the same degree of obvious problem as a centrifuge blowing up. Yeah.
B
Yeah. But until that happens, and like I said, I think they probably had some reason to think that it would not likely happen.
A
If this was, I guess, two or more things that were in play, where else do you think would be the logical point to deploy the next sort of campaign? Or, to ask that better, you know, we talked about how Stuxnet attacked the supply chain of the raw materials required. Fast 16 attacked the research and development of the explosives required to create the supercritical... Am I stretching too far here to think that there might be novel ways to put some malware in place that perhaps disrupted the ability to even conduct a test, to collect the results from a test, to manufacture the bombs themselves?
B
Yeah, I think that all these operations require, like, really extensive knowledge of what's going on, and so it's hard when you don't know. But also, the other thing I'd say is that it's not just a cyber problem. So part of the thing going on at the time was negotiations with the Iranian government. And so it's a state effort, but it's a diplomatic one. It's one using things like sanctions as levers. And one of the arguments I've heard is that the cyber component was just a delaying tactic to give these negotiations more time to take place.
A
Well, that's interesting. And that sort of leads to the point that I wanted to wrap up with here, which is that, you know, this was stuff that was being used 20 years ago, when, as you say, there was a use of cyber potentially to disrupt or delay things just until negotiations and diplomacy could perhaps prevail. I think it is suffice to say, even with my novice understanding of policy and intelligence, that that has well and truly failed. And we are seeing, I guess, as you wrote in the newsletter, that the current administration seems to normalize more kinetic and military action to disrupt this nuclear program. Do you think that means that they've disbanded the cyber efforts, or is it still a yes-and sort of approach here?
B
It seems like this is the sort of thing you do when you've got a very high priority target and you want to achieve something. And so I think that those programs are long term by their nature, because you're trying to achieve the strategic outcome, like something that makes a difference over time. And so I don't think that they've been... I would like to think that they go on all the time, and the process is you do a lot of research, you figure out the way an adversary is doing something that you'd like them not to do. And then you figure out, oh, hang on, there's a key point, a choke point, a point of leverage where we can make some difference in a very clever way. And I'm hoping that those programs happen all the time. It's just that we don't hear about them, because the outcome is essentially invisible until the worst happens. So, I mean, this would have been made visible, like, you would know that it had failed, if Iran had blown up a nuclear weapon, which they haven't so far.
A
Right, right.
B
And so the outcome has been kind of invisible until now. So I'm hoping that there's more of these invisible operations going on, and because they're long term, people still buy into them.
A
Yeah, well, let's hope so. Reality seems to be, though, that it'll be about 20 years until we find out. So when we're sitting on our rocking chairs with glasses much thicker than these are today, Tom will reminisce about this. Tom, thanks so much for dropping by. It was great to have a chat with you. And of course, folks, don't forget you can go over to Risky Biz and subscribe to Tom's newsletter, Seriously Risky Business. Tom, I'll see you next week.
B
Thanks, James.
Risky Business Media – Srsly Risky Biz, May 21, 2026
Hosts: James Wilson (A), Tom Uren (B)
This episode explores two main cybersecurity policy topics:
Signal’s Rise: In 2020, the European Commission recommended Signal for communications with outsiders due to its security and convenience. Signal became ubiquitous for influential discussions globally, particularly in politics and policy-making circles.
Security vs. Identity Verification
Phishing & Attack Surface
Problems with Message Disappearance
Government-Built Apps
Cyclical Reinvention & Network Effects
Federation & Sovereignty
Security Risks with Homegrown Apps
Strategic Recommendations
Stuxnet’s History (2010 discovery, 2000s operation)
New Sibling Revealed: Fast 16
Strategic Analysis: “Belts & Suspenders” Approach
Cyber as Delay for Diplomacy
Long-term, Invisible Operations
Signal’s Practicality & Problem
Network Effects are a Double-Edged Sword
Advice for Governments on Building Messaging Apps
On Stuxnet & Fast 16’s Sophistication
This episode offers a nuanced look at the upsides and vulnerabilities of government adoption of private-sector encrypted messaging apps, the enduring power of network effects, and the realpolitik behind European, especially EU, moves toward sovereign communication tools. The second half is a deep dive into the evolution and sophistication of state-sponsored cyber operations, exemplified by the Stuxnet and Fast 16 attacks on Iranian nuclear development, providing invaluable context for understanding modern cyber strategy.