Amberly Jack
Hey, everyone, and welcome to Seriously Risky Business, the podcast that we do here at Risky Biz, all about cyber security policy and intelligence. Patrick Gray is still away on holiday this week, so my name is Amberly Jack, and in just a moment, I'll be talking to our policy and intelligence editor, Tom Uren, all about the Seriously Risky Business newsletter that has been published today. You can, of course, find that and subscribe on our website, Risky Biz. First, though, I'd like to thank the William and Flora Hewlett Foundation for supporting Tom's work here at Risky Biz and also Lawfare, who syndicate Tom's newsletter and publish it on the Lawfare Media website. Finally, we do have a corporate sponsor this week, which is Zero Networks. So, g'day, Tom. How are you? Always lovely to see you.
Tom Uren
G'day, Amberly. How are you?
Amberly Jack
Oh, not too bad. Now, you and I, this kind of made me laugh, actually. You and I were talking earlier this week about recent reporting that Spain had contracted Huawei to manage the storage for the government's lawful intercept systems. And at the time you said to me, this is really stupid. And then as you started writing it, it turns out it got a bit worse and they've actually been in a bit of a relationship for many years now.
Tom Uren
Yeah, yeah. So my personal journey with this story is that, ah, it's a terrible decision. How could anyone make that decision in this day and age? Because there's been a whole lot of concerns about Huawei over the last, I guess, decade in particular. And they basically wrapped up around how the Chinese government behaves very aggressively and coercively. And it also has put that into law where it says any company, any person, any organization, if you're required, you have to help with intelligence work and keep it a secret. And so that's raised a whole lot of concerns about what the PRC might do with companies that have critical positions in other countries. Well, I guess in this case it would be telecommunication infrastructure. So, over the last decade, a whole lot of countries have banned Huawei and ZTE from critical parts of 5G networks in particular. So it seems nonsensical that you could make a decision to put it into a critical part of your lawful intercept system. So lawful intercept systems, for anyone who doesn't know, are ways that telcos can give authorities the content of messages. So the way it works is they get given a warrant or a court order and they can siphon up whatever, you know, messages, calls, etc. And those systems are built into the way that almost all modern telcos work because it's in every government's individual interest to have these systems. They're used to fight crime in particular, but they're also used for counterintelligence. These are a great place to be, both for law enforcement but also for foreign intelligence services, because these systems give you the ability to collect information. Even without the ability to collect information, you can see what's being tasked, who is of interest. And there's actually a really long history of foreign intelligence services compromising these systems. 
So back in 2004, in the lead-up to the Athens Olympics, the local telco was compromised and these systems were subverted to basically collect about 100 different phone numbers. And so that's, what, over 20 years now. And that seemed like quite a sophisticated hack. So it targeted the Prime Minister and his wife, the ministers of national defence, foreign affairs and justice, the mayor of Athens, a whole lot of people. And so when you've got a system like that, it's actually quite important for national security. So why would you essentially leave the keys with a company that you've got these concerns with?
Amberly Jack
Yeah, absolutely. And you also touched on, I mean, you spoke about the Athens Olympics there. You also touched in the newsletter on the Salt Typhoon hacks on US telcos as another example.
Tom Uren
Yeah, yeah, yeah. So it turns out that Salt Typhoon, which is a Chinese-backed group, has been trying to get access, or appears to be trying to get access, to lawful intercept systems. So the reporting I've read, the most detailed reporting, says that they got access to portals that were used to task that system. So basically law enforcement or whoever would submit tasking. So they didn't actually get access to the systems, although that seems to be, for some reason, the received wisdom. They got access to the portals that were used to task the system, and like, that makes sense if you know who's being, what numbers are being put in there. If you're the Chinese government, you can say, uh, oh, this number corresponds to someone who we've got an interest in. We'd, you know, maybe they're an agent of ours or maybe they're someone that we're trying to get to act for us. Perhaps we'd better lay low. It's basically a tip-off for their intelligence services if their assets are being tasked, for sure.
Amberly Jack
So even if you don't get full access, it's still useful.
Tom Uren
Yeah, it lets you know what the US agencies are interested in and, you know, maybe it actually gives you a green light, you know, here's an agent who isn't being tasked, they're good to go. There's no interest in them so far. But it turns out that the reporting was that Spain had signed a new contract, or that was the way the reporting was interpreted, but, like, diving deeper, a new contract for Huawei to provide the storage for its lawful intercept system. So having a Chinese company, which is basically categorized as a high-risk vendor because of the Chinese laws, so intimately involved in your lawful intercept system just seemed like a terrible idea. But it turns out that they've actually been involved in Spain's lawful intercept system for almost, well, over two decades now, so back in 2004. So that was to me both more understandable but also in a way more shocking or more worrying. And back in 2004, people didn't have the same concerns, like it was a very different world. And you can sort of see that you develop a contract with Huawei, they're providing a storage array or storage services for this system, and you just keep trucking along and you renew the contract and you renew the contract. And it's like the frog-boiling metaphor where these concerns about Huawei are getting more and more intense. And at some point between 2004 and today, there should have been a time where you went, okay, next time we revisit this contract, it's time to do something different because we, we can't, you know, the, the status quo just isn't sustainable anymore. Yeah, but that's never happened. So to this day Huawei still provides the storage. It's not a, it's, it's not a lay-down misère. Like, I think the Chinese intelligence services still have to do some work, but it basically gives them a leg up if they wanted to compromise Spain's system. It's an advantage. 
Rob Joyce, formerly of NSA, who headed both their cybersecurity division and previously their hacking division, he basically said, he described it as Spain is putting Salt Typhoon out of business because they're just giving it all away. Now he's a person who would know exactly what that kind of access would provide. So, I guess it's past time for a new, like, you've got to rip the Band-Aid off, make that hard decision, choose someone else.
Amberly Jack
And I mean, I may need you to explain this to me like I'm five, Tom, but you touched on a couple of things that seemed quite significant. The fact that these systems are a high-value target for foreign intelligence. Also the issue that China can compel its vendors to assist intelligence efforts. Is there any reason why Spain would continue this, other than we've been going steady for 20 years and breaking up is really hard?
Tom Uren
I think it's probably more expensive. I think there's a changeover cost when you get one vendor doing something and you replace them. I think it's hard and painful. I think that maybe there's also, like, geopolitical reasons to do with the relationship between Spain and China that could play a part. So those are all factors. And you can also say to yourself things like, well, we've designed the system in such a way that it doesn't matter. I think you can fool yourself into thinking that. But I think that ultimately a lot of these systems, it relies on trusted supply chains. Like, when it becomes a critical system, you have to rely on trusted supply chains because you can't guarantee that everything's secure. And from the Chinese intelligence point of view, it doesn't have to be something as dramatic as you must install the backdoor in these servers and that will get us the magic that we need. It could be as simple as here's the source code, here's how it works, these are the things that we do. You could help set up test beds of SITEL, which is the system, the Spanish intercept system, and figure out, you know, as a playpen to sort of experiment and figure out what would actually work. So none of those are actually backdoors, but they're still very, very useful assistance to intelligence efforts, I guess. So I think that the, you know, all these decisions are about balancing risk and effort or cost, I guess. And I guess from the Spanish point of view, the risk has changed dramatically over 20 years, but they haven't. It doesn't seem that they ever revisited it and re-architected the system to make that decision to change Huawei's involvement.
Amberly Jack
The other topic that I wanted to chat to you about that you wrote in the newsletter this morning is kind of an update on last week. Last week you wrote about Scattered Spider, the cybercrime community, if we want to call them that. And you mentioned that there were sort of four key players that seemed to be driving the group's activities. As luck would have it, that very same day four people got arrested in the UK over those recent UK retail hacks. And you're sort of writing that we can't say for sure that they are the key personnel, at least not all of them. But there's good news in that the Scattered Spider chaos may slow and not so good news in that this won't be the end of Scattered Spider.
Tom Uren
Yeah, yeah, I thought it was interesting. The UK National Crime Agency, they announced that four people had been arrested. So one of the interesting things is that they were 19, 19, 17 and 20. So from my perspective, all very young people.
Amberly Jack
So young, yeah.
Tom Uren
Now, they didn't release names, but Brian Krebs, writing on KrebsOnSecurity, said people have told me that two of these individuals, and I think there's a couple of interesting things. Both of those people were over 18, so they're now old enough to get tried as adults. And so I think that makes a difference. Now, one of them, a guy called Thalha Jubair, I thought his resume, as Krebs relayed it, was very interesting. So he was a founding member of a SIM swap Telegram channel called Star Fraud Chat. Now, Star Fraud Chat has been linked to a number of different hacks, like pretty significant hacks over time. He was also the founder of a criminal service that sold emergency data requests. So an emergency data request is when the police or some other official agency lobs up to a service provider and says, hey, we need subscriber details, double click, because we've got a life or death situation. And there's some reason, like you can think of many. And so in the criminal service, what they would do is they would get access to an official law enforcement email address and they would construct a pretext for an emergency data request and send it off. And they, like, usually they would get back replies within a couple of hours. So it turns out that mostly there's this kind of tiered process where if there's time, you have to get a warrant and the service provider, you know, Facebook or a telco, will scrutinize that warrant, make sure it's legit. There's an official procedure, they can verify it, but when it's an emergency data request, it's basically if it just comes from the right email address, there's just no time to go through a process to check it and there is no good process. And often these are legit email accounts. And so this individual, Jubair, he's been involved in two services which take advantage of, I guess you'd call them, weaknesses in identity verification. 
He was involved in Lapsus previously as a core member and he was also the administrator of a doxing community called Doxbin. So that's the kind of person that feels like a key individual. I don't know if that is one of the top four that I wrote.
Amberly Jack
About running for the role. Right?
Tom Uren
Yeah, yeah, I think, you know, administrator, founder of two different services, involved in Lapsus, which was a similar kind of criminal group. What distinguished Lapsus was that they were actually public about their hacks. So they had a public presence. They called themselves Lapsus. Scattered Spider is many of the same people. They just don't have a public presence. And so Scattered Spider is the name that outsiders have given them. It's complicated. So he feels like a key individual. So it was interesting to me that last week I wrote there are four key individuals, people say, and here is someone who's arrested who looks like a key individual. The other person Krebs identified, Owen Flowers, is also alleged to have been involved in Lapsus and also in the hacks of MGM casinos, which were very disruptive. It's less clear that he is a key individual because basically Krebs has reported less stuff on him, so there's less of a history. But in both cases, these individuals had been involved in these communities since they were at least 15, if not younger. And so that's four years of, I guess, honing their tradecraft, learning new skills. And these communities, the way everyone describes them is that they're a pipeline where people are recruited when they're very young. Older people get them to do something as a part of mitigating risk for the older person. So if the young person's caught, it's hard for authorities to do anything with them. And so they get, I guess you'd call it, radicalized or trained. And they over time do more and more aggressive and outrageous things.
Amberly Jack
Yeah, yeah, for sure.
Tom Uren
Until basically they hit 19 or 20, get arrested and then get sent to jail. So that seems to be the, the way this works. These arrests have impact because they sort of chill the community. People do see that and they get afraid. But when you're, I guess, 15 and the last person was arrested last year, that feels like a lifetime ago. And so these, basically the criminal elements just bounce back over time. There's a pipeline of new people, new spiderlings getting developed, and they pick up over time. So to me it was interesting that last week it was here are four key individuals. This week it is, here's an arrest. It looks like one, maybe one of the key individuals perhaps. But it also sheds light on there is this pipeline that will, I guess like a many-headed hydra or, you know, whatever analogy you want to choose, will replace them over time. Even if they were key individuals, there's someone who will step up and take their ranks.
Amberly Jack
Yeah, for sure. I mean, it's like any good business, upskilling your staff is important. And even cybercrime. I guess you want to know that someone's ready to take over when the boss retires. But it does of course mean that while, as you say in the newsletter, we may get a respite because these arrests have happened, there could be a lull, but they're going to bounce back because they are training these up-and-comers.
Tom Uren
Yeah. So I think it's interesting that you use the word training. I'm not sure that I would describe it as training in that it doesn't seem to be structured in the way that it would be in a business. I think it's just a sort of an emergent property of the communities that there's opportunities to do more and more audacious, outrageous, boundary-pushing things. And for some individuals, I guess that's just what suits their personalities. And so it's a combination of people involved. There's enough of them that there will be these people who want to do this stuff and get a thrill out of it. And the opportunity to do these out-of-bounds, I guess they're exciting because they're, well, I guess they're essentially illegal. And, you know, that combination is a form of training even though it's not structured in the same way that you would do it as a business. And I guess it's more like a filter where you find the uber, uber criminals, I guess, who just are really good at this stuff because that's, that's what works for them. It's a, it's a great sieve and they're basically unrestrained. Like, they're always pushing new boundaries. The way you get into those communities is, like, a lot of it is around validation and status, and the way you get that is by doing amazing things. And so I think from a company security point of view, if I was a CISO, I would be very, very afraid that I'd be targeted by these groups because they will have success. Like, I don't think there's, there's very few companies that are totally immune to these kinds of tactics and techniques.
Amberly Jack
So good to spend the next couple of months, where there might be some quiet time, just boosting their security a bit.
Tom Uren
I guess make the crown jewels a bit more protected.
Amberly Jack
Well, interesting stuff there Tom, and a little bit depressing as well, but let's call it there. Thanks so much for your time. You can of course read Tom's newsletter over at our website, Risky Biz. And Tom, you're going away on holiday, so I guess we will see you in a little bit when you get back.
Tom Uren
Thanks, Amberly. Sam.
Episode: Srsly Risky Biz: Spain leaves key under mat for Huawei
Host: Amberly Jack
Guest: Tom Uren, Policy and Intelligence Editor
Release Date: July 17, 2025
In this episode of Seriously Risky Business, Amberly Jack hosts a discussion with Tom Uren, the policy and intelligence editor at Risky Biz. With Patrick Gray on holiday, Amberly delves into critical cybersecurity issues, focusing primarily on Spain's longstanding relationship with Huawei regarding its lawful intercept systems and recent developments in cybercrime activities linked to the Scattered Spider group.
The conversation opens with Amberly addressing a surprising revelation about Spain's contractual relationship with Huawei.
Amberly Jack [00:48]:
"You and I were talking earlier this week about recent reporting that Spain had contracted Huawei to manage the storage for the government's lawful intercept systems... it turns out it got a bit worse and they've actually been in a bit of a relationship for many years now."
Tom Uren [01:15]:
"It's a terrible decision. How could anyone make that decision in this day and age? Because there's been a whole lot of concerns about Huawei over the last, I guess, decade in particular."
Tom elaborates on the concerns surrounding Huawei, emphasizing the Chinese law that obliges any company or individual to assist with intelligence work and keep that assistance secret, and the inherent risks of entrusting critical national security systems to a vendor under Chinese jurisdiction. He notes that many countries have banned Huawei and ZTE from critical parts of their 5G networks over the past decade for exactly this reason.
Tom delves deeper into the implications of having Huawei manage Spain's lawful intercept systems.
Tom Uren [02:00]:
"[Lawful intercept systems] are used to fight crime in particular, but they're also used for counterintelligence. These are a great place to be, both for law enforcement but also for foreign intelligence services."
He highlights historical instances, such as the 2004 compromise of a Greek telco in the lead-up to the Athens Olympics, in which the intercept capability was subverted to collect around 100 phone numbers, including those of the Prime Minister and senior ministers, to illustrate that these systems are long-standing targets for foreign intelligence services. Even without the ability to collect content, an intruder can see what is being tasked and who is of interest. The failure to reassess Huawei's role over two decades therefore poses a significant national security risk.
Amberly brings up another concerning development related to Salt Typhoon, a Chinese-backed cyber threat group.
Amberly Jack [04:37]:
"You also touched on the newsletter about Salt Typhoon hacks on US telcos as another example."
Tom Uren [04:37]:
"Salt Typhoon has been trying to get access... they got access to the portals that we use to task the system... this essentially tips off the Chinese intelligence services about US agencies' interests."
Tom explains that even limited access to tasking portals, short of access to the intercept systems themselves, can provide valuable intelligence to foreign actors: it reveals which numbers US agencies are interested in, letting a foreign service warn assets who are under scrutiny and treat those who are not as clear to operate.
The discussion circles back to Spain's enduring contract with Huawei, spanning over two decades.
Tom Uren [05:49]:
"It turns out that they've actually been involved in Spain's lawful intercept system for almost well over two decades now... between 2004 and today, there should have been a time where you went, okay, next time we revisit this contract, it's time to do something different."
He criticizes the lack of reassessment and the failure to sever ties despite escalating concerns, likening the situation to the "frog boiling" metaphor—where gradual changes go unnoticed until it's too late.
Rob Joyce Quote [07:30]:
"Spain is putting Salt Typhoon out of business because they're just giving it all away."
Rob Joyce, who formerly headed NSA's cybersecurity division and, before that, its hacking division, underscores the severity of Spain's decision, emphasizing the inadvertent advantage it provides to Chinese intelligence efforts.
Transitioning to cybercrime, Amberly references Tom's newsletter on the Scattered Spider group and recent arrests in the UK.
Amberly Jack [09:15]:
"You wrote about Scattered Spider... four people got arrested in the UK over recent retail hacks."
Tom Uren [12:08]:
"The UK National Crime Agency announced that four people had been arrested... all very young people."
He details the profiles of two of the arrested individuals as reported by Brian Krebs, highlighting their involvement in previous cybercrime activities, including a SIM-swapping Telegram channel, a service selling fraudulent emergency data requests, Lapsus, and the doxing community Doxbin, and notes that both were over 18 and so can be tried as adults.
Tom discusses the resilience and adaptive nature of cybercrime groups like Scattered Spider.
Tom Uren [15:15]:
"Scattered Spider is many of the same people [as Lapsus]. They just don't have a public presence... there's a pipeline of new people, new spiderlings getting developed, and they pick up over time."
He emphasizes that while arrests may temporarily disrupt operations, the inherent structure and recruitment strategies of these groups ensure their continuity and evolution.
Tom Uren [18:24]:
"There's enough of them that there will be these people who want to do this stuff and get a thrill out of it... they are always pushing new boundaries."
This underscores the perpetual threat posed by such groups, driven by the thrill and validation found within their communities.
As the episode wraps up, Amberly and Tom reflect on the broader implications for cybersecurity.
Amberly Jack [20:38]:
"So good to spend the next couple of months where there might be some quiet time just boosting their security."
Tom Uren [20:43]:
"Make the crown jewels a bit more protected."
They agree on the necessity for organizations to bolster their defenses proactively, anticipating the inevitable resurgence of cyber threats.
Spain's Huawei Contract: Spain has maintained a contractual relationship with Huawei for the storage in its lawful intercept system since 2004, raising significant national security concerns because Chinese law can compel Huawei to assist Chinese intelligence work and keep that assistance secret.
Security Risks: Entrusting critical intelligence and law enforcement systems to high-risk vendors like Huawei can lead to potential compromises and unauthorized access by foreign intelligence services.
Salt Typhoon Threat: The Chinese-backed Salt Typhoon group's access to the portals used to task US lawful intercept systems exemplifies the ongoing cyber threats targeting national security infrastructure, and shows that even tasking data, short of intercepted content, is valuable to a foreign service.
Cybercrime Resilience: Groups like Scattered Spider demonstrate the persistent and adaptive nature of cybercriminal communities, with continuous recruitment and skill development ensuring their longevity despite law enforcement actions.
Proactive Defense: Organizations must prioritize strengthening their cybersecurity measures to protect against sophisticated and evolving threats from both state-backed and independent cybercriminal entities.
For a more in-depth analysis, you can subscribe to the Seriously Risky Business newsletter on the Risky Biz website and stay updated with the latest cybersecurity insights.