
A
Welcome to Seriously Risky Biz. This is our podcast here, all about cyber security policy and intelligence. My name's Amberly Jack, and in just a moment, I'll bring in Tom Uren, our policy and intelligence editor, to talk all about the Seriously Risky Business newsletter that has been published today. And you can, of course, find that, read it, and subscribe over at our website, risky.biz. But first, I'd like to thank the William and Flora Hewlett Foundation for supporting Tom's work here, and also Lawfare, who syndicate his newsletter and publish it on the Lawfare Media website. And finally, I'd like to thank our sponsor for this week's episode, which is Nebulock. And you can find them at nebulock.io, N-E-B-U-L-O-C-K dot I-O. So, Tom, g'day. Thank you for joining me.
B
G'day, Amberly. How are you?
A
Pretty good, thanks. And just been digging into, I mean, the first piece in your newsletter today is all about spyware and surveillance, basically. And you've had a look into a Jakarta-based company called First Wap, which is selling unethical surveillance as a service. And you've kind of used this company as an illustration that while there may be these crackdowns that are having an impact, especially on the big spyware players like NSO Group, there are still these companies that are waiting in the wings and happy to pick up any slack and meet any demand. So tell me a bit about that, Tom.
B
Yeah, so there's a couple of reasons this company is interesting. One of them is that it is involved in exploiting what I call SS7 vulnerabilities. So vulnerabilities in the signaling protocol that telecommunications networks use to set up and tear down phone calls and send text messages. And so over the years, I've written a couple of times about these kinds of vulnerabilities. And last year the FCC did a sort of quick probe into what the state was in the US, and so it's interesting to get the other side of that. So in that probe, the FCC asked US telcos, what's the story? What's going on? And everyone replied, yeah, everything's fine. We're doing all the right stuff. And so it's interesting to get the, I guess the adversary side. So the story is that a couple of reporters from this outfit called Lighthouse Reports discovered a data archive, I guess, of the queries and results of a surveillance product. And they tied that product, which was called Altamides, to this company called First Wap, which is a Jakarta-based company that was actually set up by a couple of Europeans and they set it up as a marketing SMS type company, but they basically immediately pivoted to surveillance and they figured out that they could abuse SS7 to find out where devices were. And they can also now do things like intercept both phone calls and texts. And they go so far as to say that if you've got a service that relies on receiving a two-factor code, we can help you break into that. And including things like WhatsApp, they say, yeah, we, we can easily get into WhatsApp. I don't know if that's true, but the data archive that these reporters found covered about seven years and it had one and a half million records or something like that. And so I'm taking each record as an individual ping to a device. Where are you? And they were able to mine that and figure out who and when people were being targeted. So all it has is the numbers.
And so there's a huge amount of work to figure out going from a phone number to an individual. Now one of the interesting things is that they found a whole lot of targeting of Americans and in the US. So that's unusual because usually surveillance companies and spyware companies don't want to annoy the US government and so they basically avoid targeting the US, but like, so the people they identify, Blackwater founder Erik Prince and Wojcicki, who is the wife of Google's Sergey Brin and the founder of 23andMe, which is a DNA testing company, a journalist, Raytheon executives and employees of telecoms and cybersecurity firms. And I'm sure there's others as well.
A
Wasn't there just a random mention of Jared Leto in there as well?
B
That's right, yeah. Yeah. So there's an interesting overlap with Hollywood in this story and some of the other ones as well I wrote about this week. And so they actually approached this company, Lighthouse Reports, under the guise of being a potential customer. So undercover reporters, it's like so good. I know that appeals to you, Amberly.
A
As a, honestly, as a journalist, being able to go undercover would be just chef's kiss. We were never allowed in my job. It was actually written into our clause that you were never allowed to pretend to be someone that you weren't. But the idea of going undercover to.
B
Yeah. So these two went to a conference in, I think it was Austria, and they spoke to First Wap's sales executive and he was very forward leaning, I guess, in terms of what he was willing to suggest that the company would do. And so they presented him with kind of very sketchy scenarios, like, you know, if we were a mining company and we wanted to find out about the movements of some people who are agitating against us, would that be okay? And the executive provided a, yeah, yeah, we could do that. Now, First Wap, the company, has formally said, no, we don't do anything illegal. But the overall vibe you get both from that data archive and from the undercover journalists' interactions with the sales executive is that they would use cutouts and, you know, distance themselves from the sale of the product. And, yeah, you can do whatever you like with it.
A
I also kind of love you mentioned there as well that while talking to the undercover reporters, this guy seemed to kind of promote his business by saying, well, all these other spyware companies that are getting media attention have ethical principles. Now we don't.
B
That's right, yeah. So I thought that was a very interesting part of the report. So this came from a Mother Jones article. So it was a collaborative investigative research. Mother Jones wrote about it. And they talk about how it appears that the government and media actions against someone like NSO Group, the company they describe sounds a lot like NSO Group, have actually had an impact. And so the executive talks about, yeah, I sent them a couple of customers, like, presumably they wanted something more than what First Wap could provide, and they turned them down. And he says, you know, they've got air quotes, ethical principles now. And so that it seems like that those government actions and sanctions and media attention has meant that whichever company they're talking about has become more cautious about customers and they're not taking sketchy customers anymore. So that was a positive sign of impact on, on the spyware market. Now NSO Group has got a lot of government attention and a lot of media attention. First Wap is not the same product. Like, it's not as powerful, but basically the people who are buying it are trying to use it for the same sorts of purposes. And they're just flying under the radar at this point. And so it seems that there's no simple solution to SS7 being abused. Like the protocol is the way it is. There's, you know, decades of investment in telco protocol stacks. We're not going to replace them anytime soon or even upgrade them anytime soon. So that company is going to just kind of exist. It's going to be a lot more cautious about undercover reporters, I think. So to me, the question was, will there be media attention and government attention on these sorts of companies that are existing? They're providing I would call them abusive surveillance services, not abusive spyware services.
A
Yeah, right.
B
But it's the, you know, same same, but to a different degree.
A
Yeah, yeah.
B
And are they just going to continue existing like forever? I don't know.
A
Yeah.
B
I think this is an interesting example in that it has been shown to be targeting U.S. people. And so that has what would you would think be a trigger for the US government to take action. This is, this data is all historical. So the, it dates from 2007, 2014. So there's no actual evidence that they're still targeting US people. There's. And so I don't know what the story is right now. I think it's the kind of thing where they're a company worth investigating. Certainly right now with the government shutdown, the US government will not have the capacity to do anything. Maybe European governments will because there's a fair few stories about like targeting of Red Bull executives, targeting in the Czech Republic, other people in Austria. So it appears to be used quite widely.
A
Yeah, yeah, for sure. And speaking of spyware, the NSO Group has looks like there's a deal with US investors to sort of acquire the company. Worth tens of millions of dollars.
B
That's right. What really struck me about that is exactly that figure, tens of millions of dollars. Because at one point NSO Group was at least notionally worth a billion dollars. So there was a buyout in 2019 where the management, some of NSO Group and a venture capital partner bought out the then owners for and that valued the company at a billion dollars. So since then there's just been bad news after bad news like human rights abuses, stories about how it's been misused by different authoritarian regimes, government sanctions, both financial and putting them on, I think called the entity list, which makes it hard to do business with them for the US and so they've gone from a billion dollars now to being bought for like tens of millions. Now both of those figures are a bit rubbery, but that's like a massive, like, you know, lighting dollar bills on fire.
A
Yeah. Quite a fall from grace. I'm assuming tens of millions to mean what, between 20 and 99. So there's a fair bit missing from that number.
B
Yeah, I'm gonna guess closer to 10 than 99. And so it seems to me this is a cautionary tale for anyone else investing in spyware, that if you get the wrong sort of attention, basically your business evaporates. Now, I'm a realist and I think that there's demand for these kinds of products. And the best that governments can do is try and shape them to behave as responsibly as they can. Like there are legitimate uses for these things and so forth. The question to me is, NSO's been bought by US private capital. Will that be a way of making sure that it runs on the straight and narrow? I guess we'll have to see because, I mean, a couple of weeks ago I said that I think US investment in spyware is probably a good thing because they've got all these incentives now to make sure that they're not misused. And I think that management attention makes a difference. And so we'll have to see if.
A
That was your intention to buy this company and, you know, make it better. It seems like a pretty good time to do it. I mean, you're getting a really good deal.
B
Yeah. So interestingly, and this is the other Hollywood interaction, one of the. The main partners in this deal is actually has produced a whole lot of Hollywood films, including I think like Happy Gilmore.
A
Big Gilmore. Yeah.
B
Now what strikes me about Hollywood movies and spyware is that they're both like very risky investments in the terms of, like, how do you know if a film's going to appeal to people? I don't know. And so the guy, I think, Simmons. Simons.
A
Simons, yeah.
B
Must have a high appetite for risk.
A
Yeah.
B
And he actually tried to buy NSO Group a couple of years ago for more money. So I think he's, you know, probably happy that he's getting NSO Group at. It must be close to the bottom.
A
Yeah.
B
If not at the absolute bottom, it seems like there is actually the potential to do pretty, pretty well out of this deal. Of course, he does have to keep NSO Group on. On the right side of, well, doing the right thing. So we'll have to see what happens.
A
Yeah, for sure. You'd definitely be pretty stoked if you. If you had a. Had a deal that fell through a couple of years ago and then you. You landed yourself on this one.
B
Yeah. One of the interesting stories I came across in researching this is that it was sold in 2019. Some of the owners bought it in collaboration with this group called Novalpina Capital. And the press got so bad that the wife of one of the Novalpina Capital principals, she had to resign from her job as chairman of an art train trust because just her vague association with NSO Group was so toxic that she. So I guess the point is there that even though it's like money and it feels like you're divorced and separated from it. If the press gets bad enough, it still has ramifications for the people funding it.
A
Yeah, for sure. And your final piece today, Tom, taking a look at China's hacking competitions and you're sort of saying the, the hacking competition scene has been completely co-opted by the state in, in China. And you take a look at the Matrix Cup which I believe has replaced the Tefano cup in Tian Fu.
B
I think you're thinking of the Italian Tefano cup, but this is the Chinese Tianfu Cup. The story is in the time I've been writing this newsletter, the Tianfu Cup became this stunning exhibition of exploit development prowess. Like all sorts of very, very difficult targets would be exploited by Chinese hackers and they were doing better than other hackers in Western competitions. And so the Tianfu Cup has actually disappeared. Like it hasn't been run the last year and instead it appears that it's been replaced by this thing called the Matrix Cup. Now what's super interesting about the Matrix Cup is that the chairman of the organizing committee is actually the founder of Qihoo 360 and he's got this particular view that in fact hacking competitions in the West were run by intelligence agencies and that the purpose of them was to take both the exploits and the techniques that were being developed and to siphon them off like the use of intelligence agencies. Like now we know that that doesn't happen here, but he explicitly set up the Matrix Cup to do that for China and he said the results will stay in China and be used for the state to defend cybersecurity. So he actually said that at the opening address of the Matrix Cup and his view was that Chinese researchers were going overseas to these hacking competitions and were getting money, but the money was far outweighed by what Chinese researchers were giving up, which was the actual vulnerabilities themselves and the techniques that were using. And you know, I think the Americans were getting our services for free is what he said. So he's, it seems like pretty explicitly he's setting up the Matrix Cup to do what he thinks Western competitions are doing. So it's a competition to find talent and techniques and exploits and set them aside for state purposes or like at the very minimum it's to improve Chinese domestic cyber security. But it sounds like more than that.
A
Yeah, yeah.
B
So the Matrix like Cup, interestingly it's relatively opaque. So Instead of saying VMware, for example, they might say, you know, best vulnerability goes to vulnerability in a leading global virtualization management platform. So this is from the official write up of the. The host, basically.
A
Yeah.
B
And so I just thought that this was fascinating that it's gone from, you know, the West had hacking competitions and China had none. China had hacking competitions and its researchers were actually forbidden from going overseas. Those hacking competitions were like somewhat normal in that they were transparent and you would see the results and you would see the targets. And now they're quite opaque. There hasn't even been one announced this year. Has one taken place? I don't know. Maybe. Probably. You'd probably bet on it. If that was the. If the purpose was for feeding the state, he would say, well, of course you would hold one.
A
Yeah. Right.
B
And so I think that this is like just a really interesting change that I hadn't written about before because nothing had happened because it was. It was hidden away, I guess.
A
All right, Tom, we. We may actually leave it there. But thank you so much for joining me today to talk through the Seriously Risky Business newsletter, which you can of course read on our website, risky.biz. But, Tom, have a great week and we'll see you again same time next week.
B
Thanks, Amber. Sam.
Podcast: Risky Bulletin (Srsly Risky Biz)
Date: October 16, 2025
Hosts: Amberly Jack & Tom Uren
This episode dives into evolving threats and policy developments in the realm of cybersecurity surveillance, with a focus on overlooked “small beer” surveillance companies like Jakarta-based First Wap. Host Amberly Jack and policy editor Tom Uren analyze recent investigations into these firms, discuss consequences for major spyware players such as NSO Group, and explore the changing nature of hacking competitions in China. The discussions highlight regulatory gaps, unintended consequences of enforcement actions, and emerging state involvement in cybersecurity.
Feature Story: First Wap & Altamides
"There's an interesting overlap with Hollywood in this story and some of the other ones as well I wrote about this week."
— Tom Uren ([05:02])
Company Attitude & Ethics ([05:48]-[07:04]):
“While talking to the undercover reporters, this guy seemed to kind of promote his business by saying, well, all these other spyware companies that are getting media attention have ethical principles. Now we don’t.”
— Amberly Jack ([06:47])
On Ongoing Regulation and Threats ([07:04]-[09:34]):
“Basically the people who are buying it are trying to use it for the same sorts of purposes. And they're just flying under the radar at this point.”
— Tom Uren ([08:15])
NSO Group’s Plummeting Value ([10:31]-[12:01]):
“That's like a massive, like, you know, lighting dollar bills on fire.”
— Tom Uren ([11:49])
Private US Acquisition & Its Implications ([12:01]-[14:23]):
“I think US investment in spyware is probably a good thing because they've got all these incentives now to make sure that they're not misused.”
— Tom Uren ([12:47])
Toxic PR and Social Fallout ([14:54]-[15:43]):
Shift from Transparency to State Control ([15:43]-[17:40]):
"He explicitly set up the Matrix Cup to do that for China and he said the results will stay in China and be used for the state to defend cybersecurity."
— Tom Uren ([17:33])
Irony and Evolution:
"Those hacking competitions were like somewhat normal in that they were transparent and you would see the results and you would see the targets. And now they're quite opaque."
— Tom Uren ([19:11])
This episode exposes the persistent risks posed by lesser-known surveillance service providers, despite industry crackdowns on larger companies like NSO Group. While regulatory and media scrutiny has forced some actors to adopt “ethical principles,” a new breed of opportunistic firms continues to exploit legacy infrastructure like SS7, often with minimal oversight. Meanwhile, NSO’s dramatic decline in value signals the perils of negative attention and sanctions in the spyware sector. On the international stage, China’s transformation of hacking competitions into state-controlled talent and exploit pipelines reflects the shifting balance of power and transparency in global cybersecurity. Listeners are left with an uneasy sense that, while the faces of abuse may change, the underlying vulnerabilities—and demand for such services—persist.