A
Welcome to Seriously Risky Business. My name is Patrick Gray. Seriously Risky Business is the podcast we do here at Risky Biz, which is all about public policy and intelligence and, you know, it's all based on the work of our colleague Tom Uren, who is our policy and intelligence editor. Tom, g'day. Good to see you.
B
G'day, Pat, how are you?
A
Good, good. And yeah, we would like to thank the William and Flora Hewlett Foundation and Lawfare Media for supporting Tom's work with us, and also this week's sponsor, Rad Security, who do all sorts of interesting stuff around Kubernetes and container security. Profiling containers. Yeah, really interesting fingerprinting of containers and whatnot. And you can find them at rad.security. So we are going to talk through your newsletter, Tom, that you write for us every week, which people can subscribe to by going to Risky Biz. Again, it's all about cyber policy and intelligence. You know, it's catnip for the guvies, this newsletter. And you've written something somewhat controversial this week and I love it. Senator Mark Warner, who was, is, I'm not sure, the head of the Senate Intelligence Committee in the United States. I actually met him briefly once, a year or so ago. He's a very, very sharp guy. He spoke at the Munich Security Conference and said that, you know, the remediation costs of cleaning up after the Salt Typhoon campaign targeting American telcos are really, really high and the United States should threaten China with essentially doing the same thing to them. So a retaliatory campaign. And, you know, we are well aware that NSA probably, almost certainly, conducts collection operations in Chinese networks. But what he is advocating for is a, you know, a retaliatory operation of sort of similar scale, and this is the threat that he would like China to understand. You have argued: don't threaten this, just go and do it.
B
Yeah, yeah. I think there's this asymmetry, I guess, between the way that the US runs its own networks, which is essentially mostly surveillance free, you know, on the margins. Whereas the Chinese telco networks, they're built to enable surveillance. So there's very, very little end to end encryption in Chinese networks. So I actually think this would give, you know, someone like NSA or a group like NSA an advantage when it comes to what intelligence you can get. I think the opportunities for NSA, if they went hell for leather on Chinese networks, would just be bigger than whatever Salt Typhoon can get out of the US. So I think the US has already issued advice, which is use things like Telegram, or not Telegram, Signal or WhatsApp, any of the reputable end to end messengers, as a sort of compensating control, I guess you would call it, for the presence of Salt Typhoon on the networks. But that's just not advice that the Chinese government could give there.
A
I mean, it kind of is though. I mean, so this all gets a bit nuanced. It kind of is, because the Chinese use a lot of over the top applications that are surveillance friendly. So I wouldn't say, like, I would say that Western networks are actually pretty surveillance friendly. I think the thing is, though, there's only so much you can get because people are using over the top services like Signal and WhatsApp and whatnot. In China it is the same, but it's the over the top applications that are surveillance friendly. Right. So things like WeChat, for example, which is extremely surveillance friendly for the government. So I mean, what would a Salt Typhoon campaign. I mean, your broader point sticks, right, which is there is an asymmetry here where, because communications technology, and that's over the top applications and the networks, are just so geared up for surveillance in China, they're probably more vulnerable to this, to negative effects from a campaign like this, than the US is. And I think that is a very interesting point.
B
Yeah, yeah. I think that there's, like you said, it's a very complicated discussion and I like to float at the 10,000 foot level. So I think there's many, many things that you can do in Chinese networks that you can't do in American networks, or are more effective. So you mentioned WeChat. WeChat uses transport encryption. So there's a central place you can get to everything. And if you're using something like Signal or WhatsApp, that central place doesn't exist.
A
So, so I mean if we regard, if we regard WeChat as being sort of like a telco, if you lumped it into the target set, yeah, that's a really juicy target. I do wonder if NSA has shells there already though. You know what I mean?
B
I mean like to me it's a question of whether there's an intelligence requirement that would be satisfied by having a presence there. And like, probably, but it's not a question of is it possible or not, it's just whether there's a need or is there somewhere better. So you can imagine a world where just handset exploitation is so good that they never bother with the centralized like that's the centralized repository of data because.
A
They're getting it all off the endpoint.
B
But this is all like, you know, unknowable stuff.
A
Well, but I mean, you and I were having a conversation before this and, like, just based on the world as we understand it, the way, you know, Western collection operations tend to operate, it doesn't look like Salt Typhoon. It's a little bit more targeted. They don't just go, hey, we're going to hack a Chinese telco and put shells on every single Cisco device in the whole place. Which is kind of how Salt Typhoon's rolling. Which is why I think Warner's comments are interesting here, because he's talking about imposing a cost on them, because he pointed specifically to the remediation cost for Salt Typhoon and about how it would just cost an insane amount of money, billions and billions of dollars, and take forever to evict these attackers, where, you know, the US is in a great position to put them in the same boat. And your point is? It's going to hurt them more than it hurts the United States, because the US doesn't rely on surveillance friendly over the top communications platforms. So I think it's interesting.
B
Yeah, yeah. You also have to wonder at this day and age what the costs, what the reputational costs are for the US if they were much more overt. So I think the, the dominant thinking up until now has been just never get caught and that's the safest way to do things. But you really wonder like what cost is China paying for Salt Typhoon being so, being outed.
A
Well, it's quaint and old fashioned these days, isn't it? The never get caught thing. Because this is the real mantra of the Five Eyes agencies, and yet everyone else gets caught all the time and it doesn't seem to hurt them.
B
Yeah, yeah, that's right. And so in this case in particular as a response to Salt Typhoon it's like well if you know, if we do something and we get caught, what's the, what actually is the cost? And I'm not, I can't think that I can spell it out very well. It may well be that the cost is, is worth it. Like there is some reputational damage. The Chinese will say oh look, you know, the US is the biggest hackers of all.
A
But they say that already anyway. You know what I mean? Exactly. The Americans can just do what the Chinese do and deny it and say this is just communist, you know, I mean then we'll have imperious liars versus communist lies and you know, won't it just be grand? But, I mean, it is. It is an interesting state of affairs when someone like you, who, you know, you're a credible commentator with a lot of experience in this field say, yeah, the USA needs its own Salt Typhoon crew. Right? To go. To go wild. And I mean, you know, this is. This has popped up in discussions I've had with Adam on the other podcast as well, just about how things that used to seem crazy don't seem so crazy anymore.
B
Yeah. So now, full disclosure, I'm not 100% sure that I believe what I'm saying, but I think it is a really interesting idea and it is worth thinking about. So the whole point of what I do is to get people to think. So I think that's, like, there's a reasonable argument there that's worth thinking about and talking about. And also, I think, like, the Trump administration may be the ones who would, like, run there.
A
Yeah, yeah, no, I'm with you. And I think also the conversation gets much more interesting when you expand it beyond Salt Typhoon and you start looking at Volt Typhoon, which is the campaign which is really targeting critical infrastructure and whatnot. I mean, I think it's an even more compelling case there because they're putting their shells in some pretty delicate places, and I think there needs to be some symmetry there. Honestly, from a national security perspective, I would think achieving the same type of access into sensitive Chinese systems, you know, it's going back to a little bit of that mutually assured destruction thinking.
B
I mean, I just keep thinking of what's. What's that movie, the Kubrick movie?
A
Oh, Dr. Strangelove.
B
Dr. Strangelove. Like, there is this dynamic where you want the capability to disrupt the adversary, but you want to keep it secret so that you. They don't discover it and you can use it, but if you keep it secret, then they don't know that you have it. And they therefore may be inclined to be more aggressive than they would be. And I think that particularly applies to cyber capabilities because they can be relatively easy to remediate at times. And so I think there's a lot to think about. I think, in a way, responding to Salt Typhoon is easier because it's like the question is more straightforward because there's less.
A
I mean, the second order effects are easier to wrap your head around.
B
I think that's right. Yeah.
A
Where you're getting at with that. Yeah. But I do think it's a new world and, you know, there are a whole bunch of new possibilities in terms of how all of this is going to unfold. I mean, I did not expect us to get here so quickly. I also think the point you make about the Trump admin being more likely to do this sort of thing is bang on. They've certainly shown a lot of interest in the Indo Pacific region, less so in Europe, as we've seen in recent days. But, you know, you wonder what the escalation risks are as well. And I honestly think escalation risks around a lot of this stuff have been overstated historically.
B
Right. So there's never an example of a cyber operation escalating into anything else.
A
Well, there's a first time for everything. Let's just say that. But, you know, we'll sum it up by saying, Tom Uren, cyber hawk, you are the cyber hawk. So it's interesting. And look, you know, in your newsletter this week, you've also looked at something that we touched on in the weekly show as well, which is a report from Recorded Future that looked at Salt Typhoon hacking a bunch of Cisco devices using a combination of two bugs. We spoke about that a bit in the weekly. But this just, this is the thing, right? Like, you're not going to see they hacked, like, a thousand of these things, right?
B
Yeah.
A
In telcos everywhere. And you just don't. Whoever does that is going to be observed. Right. And that's why you don't tend to see, you know, Five Eyes agencies doing similar stuff, because of that mantra of, like, don't be seen, we're invisible, we're like ghosts in the wires. Right. Whereas this stuff with China, I mean, they make a hell of a mess. And, you know, Warner's point about remediation costs is a good one. I remember when there was that Chinese campaign against Barracuda devices. You know, you and I have spoken about this as well. And when they were first detected, they burrowed in deeper into these devices, which meant that the remediation was still going to happen, but it would be more difficult and more costly. So, you know, perhaps the United States doing some retaliation here might get China to actually alter its behaviour, because calling it out, dropping sanctions and charges in absentia, it has done three fifths of absolutely nothing to curtail this sort of behaviour.
B
Yeah, that's right. I think there's like the way people have behaved is because they've behaved that way in the past, it's not because it's actually supported by what's going on nowadays. And I think it's worth. Times are changing, I guess, is what I'd say. So the fact that it's. You just operate, you get caught, you move on. Why should that apply to one half of the world but not the other? Like, what's the. What's the real reason that you're trying to remain secret? And I think that for many things it's, you know. Several other pieces in this newsletter deal with agencies actually talking about what they're doing. And so it's, I think, a time to rebalance how covert agencies actually need to be like, what's the point of that?
A
Yeah, well, and the Internet is an open domain where an awful lot can be observed. Right. So I don't know, I think a lot of it's historical and like orthodoxy.
B
Yeah, yeah, yeah, that's right, exactly.
A
Question the orthodoxy.
B
Subvert the dominant paradigm.
A
Yeah, says cyber hawk Tom Uren. Now look, staying with China stuff, we've seen an interesting little, you know, diplomatic event in the Pacific where Samoa has explicitly called out a Chinese APT crew, which is APT40. They didn't attribute this activity to China, but they attributed it to APT40 and then linked off to other information, like from the US, that actually attributes them to China. So they did really call out China through this action. But what's really interesting here, this was the Pacific Forum stuff, presumably. Right.
B
Well, it's Samoa. It's a country of, I think, I think I looked, a couple of hundred thousand people, and what struck me is that they've essentially attributed it to China, and this is something that even Australia has never done by itself. So we've got this tiny country calling out Chinese hackers. I think Australia has attributed, like, many different things, but it's always in coalition with the US or the UK, and the Pacific is actually a bit of a geopolitical hotspot because China's trying to muscle in or.
A
Yeah, well, the reason, I should just say too, the reason I mentioned the Pacific Forum stuff is because there was a hack targeting the Pacific Forum and, gee, I wonder who could have been behind that. So I'm not sure if this is directly linked to that, but it's part of the whole thing where China is hacking all of these tiny Pacific nations because they're geostrategically important.
B
That's right, yeah, yeah, yeah. And so, for example, a whole swath of these countries used to support Taiwan, so they would recognise Taiwan at the UN. Very few of them do now. And in fact, I don't think Samoa is one of them. And so it's just striking to me that such a small country is essentially standing up and saying, watch out for Chinese hackers, when so many other countries have historically been afraid of taking that kind of action. And I thought it was good news. And it also is another sign that times are changing. Like, you know, getting discovered and being called out isn't, I don't think it is, the thing that it was once upon a time.
A
No, no. It is interesting when you're talking about a tiny nation with, you know, 200,000 odd people in it standing up to China and saying, get your hands off our network. It is, yes. The times are changing. It seems to be the theme of this week's podcast. And yeah, finally, Tom, in your newsletter you looked at the demise of Z servers, or ZED servers, which was the Russian bulletproof hosting service, which looked like, yeah, they had a real bad time. Looks like at some point, timeline unclear, Australia's Signals Directorate actually deleted a bunch of data from that host. The Dutch seized a bunch of the servers that were based in the Netherlands. They've been sanctioned. Like, just bad times all around for them. But, you know, again, sticking with the theme of times are changing, and also sticking with this idea of actually doing stuff that can be observed and talked about. I mean, the fact that ASD is actually out there, at least talking to one journalist who works for the Sydney Morning Herald about this, is certainly a sign of the times.
B
Yeah, yeah, that's right. I think it's. I thought it was great that it appeared in the newspaper. There was a lot of interesting little details in there that kind of give you a sense of what's going on without ever really explaining what is going on.
A
I think it was one of those stories. I had that same perspective, which is, reading that story, it's like, if you are quite well informed on all of this, which I'd like to think we are, then there was some really interesting stuff in there that perhaps the person who wrote the story didn't even know were the interesting bits, necessarily. Do you know what I mean? So I think that it was one of those things too, where it wasn't written for us as an audience, but you could divine some very interesting things from reading it.
B
Yeah. What I would have loved is if it had made clear that ASD wiped those servers on the same day that the people got sanctioned and the servers got seized. But I don't know that that's the case. Certainly the announcements were coordinated, but were the actions coordinated? I don't know.
A
Well, they deliberately haven't said. Right. And this is the frustrating thing, and it's not even addressed by Andrew Probyn, who's the journalist who wrote the piece for the Sydney Morning Herald. And, you know, I've tried, I've done my best to ask around and, like, say, when did this happen? And, you know, you just get sort of a dead eye look and, like, operational something, something, something. Right. So you don't get to know this. So again, this is very interesting because it is that culture of secrecy bumping into, you know, trying to be transparent but doing it badly in some way.
B
Yeah, yeah. There was another line where it says the agency has deleted 250 terabytes of stolen information held by so called bulletproof hosting services, with a plural. And so that implies something. But then you're just so uncertain. Do they really mean services, or are they just.
A
Well, so sources I have have said vague but encouraging things, Tom. That's about as detailed as I can get. But they have said that a lot of the anti, you know, the countering cybercrime operations that are being performed by our Signals Intelligence Agency are ongoing and achieving some excellent results. That's, that's about as good as you can get at the moment. And, you know, they're not out there talking about how awesome they are, really. I mean, there's a few little details leaking out here, so you can kind of like let it stand that they're not prepared to sort of back it up when they're not out there sort of publicly saying it, I guess. But, you know, hopefully in time we know more. But it sounds like they're actually, you know, they're causing some headaches.
B
Man, I love it. Yeah, yeah, yeah. I mean, in this case it absolutely makes sense that you would, because you've got other public actions you can tie it to. And at that point, once, you know, once the sanctions come out, the criminals know they've been targeted, the world knows they've been targeted. So you may as well tell everyone. And I guess until there's another public measure that someone announces, there's kind of no point tying it to an intelligence agency action.
A
Yeah. And I think, look, they've got good reasons for not talking about the timing of this because, like, if this is something they did years ago, do they want the people who are involved in that business knowing that they were onto them for that long? Because they're probably going to be involved in future shady ventures and whatever. So, like, you know, there are some good reasons for secrecy here, but, I mean, what's great is, like, if you're one of these people who's been caught up in this, like, you're spinning your wheels pretty hard at the moment, trying to figure out what's real, what's not, what's going on. And that's exactly the point of these sort of operations.
B
So, yeah, there is this part in the story where they're interviewing one of the people in charge, this woman called Georgina Fuller, and she says they spent a very long time profiling and understanding the people. And the quote is, that process takes weeks, months, and in this case, sometimes years.
A
Yeah, so, yeah, I think the part of the story where it talks about how they were using linguists and psychologists to profile them, it's like they're going pretty deep here, you know, like, this is not light touch, which is great. We're going to wrap it up there. Tom Uren, thank you so much for joining me to talk through the work that you've done for us this week. People can subscribe to Tom's newsletter at Risky Biz, and I recommend that they do. Yeah, fun stuff as always, mate. And we'll do it all again next week. Cheers.
B
Thanks.
Release Date: February 20, 2025
Host: Patrick Gray
Guest: Tom Uren, Policy and Intelligence Editor at Risky Biz
In this episode of Seriously Risky Business, host Patrick Gray engages in a deep-dive conversation with Tom Uren about the evolving landscape of cybersecurity threats, specifically focusing on the advanced persistent threat (APT) group known as Salt Typhoon. The discussion centers on whether the United States should adopt a retaliatory cyber strategy similar to Salt Typhoon to counteract Chinese cyber operations.
The episode kicks off with Patrick Gray highlighting a controversial stance taken by Senator Mark Warner, the then-head of the Senate Intelligence Committee. Warner, during his speech at the Munich Security Conference, advocated for the U.S. to launch a retaliatory cyber campaign against China, mirroring Salt Typhoon's operations targeting American telecommunications.
Notable Quote:
Patrick Gray: "Senator Mark Warner... said that the remediation costs of cleaning up after the Salt Typhoon campaign targeting American telcos are really, really high and the United States should threaten China with essentially doing the same thing to them."
[01:10]
Tom Uren discusses the inherent asymmetry between U.S. and Chinese cyber infrastructures. While the U.S. predominantly operates surveillance-free networks with strong end-to-end encryption through platforms like Signal and WhatsApp, Chinese telecommunications are built to facilitate surveillance, lacking robust encryption.
Notable Quote:
Tom Uren: "There's very, very little end-to-end encryption in Chinese networks. So I actually think this would give... NSA... an advantage when it comes to what intelligence you can get."
[02:01]
The conversation delves into the potential repercussions of the U.S. adopting a Salt Typhoon-like approach. Tom emphasizes the significant remediation costs and the complexity of executing such operations without being detected. Moreover, Patrick points out the risk of the U.S. undermining its own surveillance-friendly over-the-top applications by engaging in large-scale cyber offensives.
Notable Quotes:
Patrick Gray: "We're well aware that NSA probably almost certainly conducts collection operations in Chinese networks... but he is advocating for a... retaliatory operation."
[01:50]
Tom Uren: "There is some reputational damage. The Chinese will say, 'Oh look, the US is the biggest hackers of all.'"
[07:21]
The episode highlights recent cyber incidents, including the targeting of Pacific nations by Chinese APT40, and actions taken against Russian Z servers by Australia's Signals Directorate (ASD). Tom notes the increasing willingness of smaller nations like Samoa to publicly attribute cyberattacks to China, marking a shift in geopolitical cybersecurity dynamics.
Notable Quotes:
Patrick Gray: "Samoa has explicitly called out a Chinese APT crew, which is APT40."
[13:50]
Tom Uren: "Australia has never done by itself... the Pacific is actually a bit of a geopolitical hotspot because China's trying to muscle in."
[14:28]
Patrick and Tom explore the evolving nature of cyber operations, where secrecy is increasingly giving way to transparency. The successful takedown of Russia's ZED servers by the ASD, despite limited public details, signifies a potential shift towards more open cyber defense strategies.
Notable Quotes:
Patrick Gray: "The fact that ASD is actually out there, at least talking to one journalist who works for the Sydney Morning Herald about this is certainly a sign of the times."
[16:31]
Tom Uren: "Times are changing... what's the real reason that you're trying to remain secret?"
[12:58]
Wrapping up the discussion, Patrick Gray underscores the necessity for the U.S. to reconsider its cyber strategies in light of emerging threats and shifting geopolitical alliances. Tom Uren echoes the sentiment, advocating for a rebalancing of covert operations and transparency to effectively counteract adversarial cyber activities.
Notable Quotes:
Patrick Gray: "Times are changing. It seems to be the theme of this week's podcast."
[15:33]
Tom Uren: "It's a really interesting idea and it is worth thinking about and talking about."
[07:57]
The episode concludes with a mutual agreement on the importance of adapting to the new cybersecurity landscape, emphasizing proactive measures and strategic transparency to safeguard national interests.
Subscription Information:
Listeners interested in more in-depth analysis and weekly updates can subscribe to Tom Uren's newsletter by visiting Risky Biz.
This episode provides a comprehensive exploration of the complexities surrounding retaliatory cyber operations, highlighting the need for nuanced strategies in the face of sophisticated global threats.