
PLUS: Crimephone evolution
Adam Boileau
Hey, everyone, and welcome to Seriously Risky Business. I'm Adam Boileau. I'm joined by my colleague Tom Uren, who writes our newsletter, also called Seriously Risky Business. How you doing, Mr. Uren?
Tom Uren
Good, Adam. How are you?
Adam Boileau
I'm doing well. Doing well. Tom's work here is supported by the William and Flora Hewlett Foundation and syndicated by Lawfare. This week's sponsor is Push Security, who make a security control for the only operating system that actually really matters these days, which is the web browser. And that vantage point of being in the browser gives them a bunch of unique opportunities to kind of spot badness as it happens. Check them out at PushSecurity.com. Now, Tom, we've talked a bit on the main show about how in the most recent US election cycle, you know, hack and leak really hasn't featured in the same way that it did in the elections previously. And we kind of talked about how it feels like as a society, we're a little more inured against it. We understand that leaks that show up from hacking often come with hooks, with ulterior motives and so on. But you've written this week about some hack and leak operations that are not political in nature, that are more kind of corporate skullduggery. And that seems to be a field where hack and leak is still very much important. So what's the, what's the story with Exxon?
Tom Uren
Yeah, so the story is this week, Reuters produced a report and they said that the sources told them that the FBI is investigating the links between Exxon Mobil, a consultancy group, a sort of public relations consultancy group called DCI Group, and hack-for-hire operations. So that's the investigation. The links are that there's two private investigators that have been arrested and charged or convicted and charged over sort of acting as middlemen between potentially a US corporate interest and Indian hack-for-hire firms. So one of them has been convicted and another one has been arrested in the UK and is fighting extradition on sort of similar charges. And the implication at least is that material was stolen from environmental activist groups and it was leaked to the sort of other interests, anti-climate-change interests. And it was used to undermine lawsuits that U.S. state governments were bringing against ExxonMobil. And so these lawsuits were, kind of, the report analogizes them to the lawsuits that were launched against the US cigarette industry. So the cigarette industry had been hiding evidence for a long time that they knew cigarettes were bad. And so there was a coalition of states that launched these lawsuits, and there was eventually a huge payout, but these hack and leak operations undermined those lawsuits against the energy sector and so had a profound influence. Now, this made me think back to a long time ago, 2009, where there was the Climategate hack and leak. So that was a climate research institute at a UK university and it was hacked, its emails were leaked and they were used by interests to undermine arguments for climate change. Now, that leak was never attributed to anyone. It feels like it occurred in a different time.
Adam Boileau
So I remember it was a long time ago, man.
Tom Uren
Yeah, so it was a big deal in terms of the public debate around climate change. So there was a recent BBC podcast that called it the hack that changed the world. The leaks occurred just the month before the Copenhagen climate summit. And so clearly, like, you sort of look at all the pieces and you go, yes, someone arranged this, they organized it, they timed it, they had a particular interest that they wanted to pursue. And hack and leak was the way they did it. It's never been attributed. People think maybe it was the Russian state, because Russia is an oil powerhouse, an exporter. Other people think it was US energy interests and they've mentioned Exxon. Other people think it might have been the actual advocates themselves, the anti-climate-change advocates. And so it feels like at that time people were naive to hack and leak. And I don't recall it getting a huge amount of security interest. And so the security reporter who did the BBC podcast said, yes, at the time I paid no attention. Whereas it feels like nowadays things are better. You've got this report itself from Reuters, which is, you've got investigative journalists pursuing these kinds of stories. I think you would have more security people focused on that story and trying to delve into the motivations and the causes. And I would at least hope that people would be more skeptical about the leaks themselves and try and, you know, unravel the motivations and what's the purpose behind them.
Adam Boileau
Yeah, because I remember, I mean, 2000, 2008, 2009, Risky Biz. I was on Risky Biz at that point. Like we were covering the news and I do remember us talking about it, but, you know, from a technical point of view, there really wasn't much exciting there. I mean, the idea of hacking a university, being able to read people's mail spools, like, that's just rig. I mean, every hacker that hacked stuff in the 90s did that. Right? Broke into the university. That was kind of the rite of passage, is where you learned the trade. And then reading people's email spools was just normal hacking, so it wasn't interesting from a technical perspective. And I guess much like when you and the Grugq talk about the utility of cyber war, how much value it has. It doesn't have a whole bunch of value unless you use it for something meaningful. Like the cyber by itself is not particularly powerful. And we weren't really used to seeing hacking used for something other than lulz or crime, stealing money or credit card details, because, I went back at that point in time, was that even before Stuxnet, it might have been, like. I mean, we were at a point in time where we just didn't see impact from computer hacking. So, yeah, I don't remember that we paid it a whole bunch of attention, but it seems weird looking back on it now that we didn't, because it was kind of foreshadowing.
Tom Uren
Yeah.
Adam Boileau
So much hacking leak in the future. And, you know, it seems we seem so naive in hindsight now, which I guess is how it works. You know, we would have thought it would have stood out more. And especially climate change, so important. And the fact that there were forces willing to go to that extent. Right. Not from a technical extent, but from a. Like trying to counter this narrative, trying to counter this research for something that, I mean, let's face it, it's pretty inevitable. Like, climate change is not a thing that we can get rid of by, you know, pretending the ostrich strategy of.
Tom Uren
Sticking your head in the sand.
Adam Boileau
Yeah, yeah, exactly. So it's. I don't know, the world. It just feels so long ago that it's kind of hard to wrap your head around all the things that have happened because, I mean, can you imagine, you know, we've had. When I was a pen tester, we had so many customers that were universities, and trying to come up with pragmatic recommendations for their security problems that would fit their budget constraints, would fit the openness of academic environments. Like, even if you had plenty of budget, securing an environment like a university is difficult enough to start with. So I don't know what we would have told them, but, yeah, this. When we talked about this Exxon story on the Risky Biz main show, Pat and I were talking about how it must feel to be on the receiving end of these kinds of hack and leak operations. Right. I mean, I've.
Tom Uren
Yep.
Adam Boileau
You know, hackers, as hackers, you kind of get used to having data, you know, kind of nicked out from underneath you. But as regular people, you just don't have that experience. And it must. Yeah, it must feel pretty intrusive, I would imagine, being a victim of something like this.
Tom Uren
Yeah, yeah. So it was, you know, in the sort of research phase, I found that podcast, and they do talk about the impact. It was quite, quite devastating because their work was basically misrepresented for a purpose they didn't agree with. And like, I also knew the CISO who was in charge at ANU, and so that's the Australian National University. And there was a very big story in Australia about how ANU was hacked. And I think he came along after that and was responsible for trying to basically build up a security presence, maybe is the right word, because it was prior to that sort of traumatic incident. And it was traumatic because the head of the university got involved. It was a lot of media. That's the kind of driver of change that resulted in them doing, I think, a lot of good work since then. And I guess the whole piece is just a sort of comparison. Like, I think we're in a better place today, but we're not actually in a good place because those interests, the sort of history of Reuters reporting is that there is. This is like the tip of the iceberg. There's a lot of this stuff going on. Almost never gets reported on. Almost never is anyone held responsible other than the poor PIs who are the fall guys in this case.
Adam Boileau
Yeah. And that's the expertise they're providing. When you're a middleman, like.
Tom Uren
Yeah, that's the deal.
Adam Boileau
Yeah, that's the deal is like you take the fall and hopefully you get paid enough that you can do it a few times and then walk away. But it's just that it's really great seeing the team from Reuters and other reporters looking at some of this stuff because it is just so gross that you can hire a PR firm or a law firm or something and kind of launder this request to go hack people through several layers of cutouts and middlemen and then be like, well, we don't know how it got onto the Internet, but now we can use it because it's public information or something. And it's just, it's scummy and gross. And I'm glad that, you know, people are being called out for doing that because it shouldn't be acceptable.
Tom Uren
Yeah, yeah. And they've also had a hard road, those reporters, in terms of actually getting it published and the subsequent legal battles that have occurred afterwards.
Adam Boileau
Yeah. Because I mean, some of those Indian hack-for-hire firms have been pretty. Also pretty aggressive about suppressing reporting about their work and practices and so on.
Tom Uren
Yep.
Adam Boileau
As we got involved with at one point. Another thing you wrote about this week is the crime phone ecosystem. Obviously we've seen another crackdown in the European Union on another criminal communications network. And you've written a bit that kind of talks about how that continued suppression of those networks is making it pretty hard on criminals and their communication needs.
Tom Uren
Yeah, so there was an operation against this app. It had various different names. One of them was Matrix. So it's not the same as the Matrix encrypted messenger. Like, that's a separate thing. But this one. Yeah, yeah, yeah. This one was also called Matrix. Apparently it was mostly used on Android, Google Pixel devices, but it had a suite of different things that you could use. So there was video chat, there was messaging. There was also, it seems like maybe it was integrated with something like Tor. So it claimed that you could do anonymous Internet browsing. So police got into that system and they said that they were able to intercept and decipher messages for months, and then they took it down. They produce a nice, as is the standard nowadays, they produce a nice video splash page saying, you know, we've got all your information, you're in trouble. And I've written a couple of times about crime phones and how they've. Police actually have a technique or a sort of big picture plan of how to attack these services. And they've had a lot of success over the last several years getting into them and being able to read messages. And so this leaves criminals stuck between a rock and a hard place. They don't really want to use commercial services because they know that commercial services, when they get a warrant, will do what the warrant says. And of course, even when those services are end-to-end encrypted and the police can't get the content of messages, as a criminal, are you going to trust that? No, I think is the answer. And so then your alternative is to buy either an off-the-shelf, specially made encrypted messenger that's marketed to criminals, which is what all these crime phones are. The problem there is that there's always someone in charge or an administrator.
And if you're selling those kinds of systems, the police have figured out, well, either we can get hold of the infrastructure and fiddle with the infrastructure, or we can get hold of that key person and we can say to that key person, look, here's your choice. You can go to jail or you can help us. And I think that's a powerful, a powerful message or a powerful pitch. And so far criminals are sticking with the let's-get-an-encrypted-messaging crime phone. Now, the interesting part of this report is that the police say that what's happening is the crime phone landscape is splintering, so they're looking for more secure. The words I used in the article were "notionally more secure." And as a criminal, how do you know? Yeah, so in the story, the founders of this app believed that it was more secure, and the police say it was definitely more complex. But obviously they still had success getting into it. So I thought it was just interesting to see the evolution. Police continue to hammer away with success at these crime phones. And criminals so far are just, you know, pushing an evolutionary approach. We'll just try and find another one that's more secure. They haven't really changed their approach in any way yet so far.
Adam Boileau
Yeah, because I guess they have the same problems that any communications network has in terms of confidentiality and identity management and robustness from a software point of view, software updates and all those sorts of things, all of the regular problems, plus then you have all of the people problems of both the people using it having to trust who they're dealing with and trust the system, but also the people building and administering it have to be, you know, trusted in ways that in a commercial environment, like if you're buying the service from a legitimate entity, you know, there are commercial interests that you trust. Like we trust Apple and Google to do certain things because of their economic interests.
Tom Uren
Right.
Adam Boileau
But in the criminal world, we haven't really got that, you know, north star of, you know, of capitalism that kind of guides things in a way that's predictable. Like, let's just figure out what they're, what they're doing and, you know, having to put so much trust ultimately in a couple of people and their system because, you know, no amount of math is going to make this not a communications network that involves people at either end. And police are clearly getting pretty good at, you know, leveraging the intersection of that technology and the people part of it. And I think, you know, the natural evolution would be to have crime communications networks that are inside, you know, intra to a particular crime group, if you've got the scale. And you know, in the past we've talked about this because there was a story about like Mexican drug cartels building their own, like, cellular network, like putting up their own cell towers to be able to do secure comms. But ultimately that fell down in the same way. Right. I think with that story.
Tom Uren
Well, the story I'm aware of is that they had an IT guy, so they found an IT guy, I think, in Bogota and convinced him to build an encrypted messaging service. And it was. What's his name? Guzman.
Adam Boileau
Yeah.
Tom Uren
And he got the guy who's. If I remember rightly, his name was Christian something. He also built in an interception system so that Guzman could keep track of his girlfriend and also associates. But of course, once you've done that, the police are like, hey, yeah, we really want your help. Oh, you've got an interception system built in. And so that seems like a classic example of one of those problems, like you need. You place a lot of trust in a few key people. And I guess from a cartel's point of view, you've always got the threat of life-ending violence, and so you can convince yourself that that is enough to keep something secure. I guess the contrast is with a state, like a state, say the US, and they want secure comms. They have this whole architecture of clearances and security reviews and, like, proper jobs where you hire real people to do, not just the IT guy who happens to work at Best Buy down in Bogota or whatever, and, you know, review. And so that's really a huge amount of work. And even then those. I'm sure the US is not sitting on its laurels going, oh, yeah, we've got it all solved. Secure comms are unbreakable. They are thinking about that. Someone in the US government is thinking about that all the time and sort of revisiting it. And there's a whole lot of standard operating procedure around that to make sure that it is secure and stays secure.
Adam Boileau
So what you're saying is the criminal cartels should band together in some kind of, like, crime Five Eyes and then set out standards for security clearances and compartmentalization and all of the other, like, mirror all. All of the things that states have to do to try and hide their secrets. And then they have to hope there's no Colombian Edward Snowden that defects with all the SharePoint from the crime high side.
Tom Uren
Yeah, I mean, I think what I'm really saying, to try and put it in context, is it's a lot of work, and it seems unreasonable to expect a crime cartel to be able to do that amount of work in a robust way.
Adam Boileau
I mean, given that we can't even secure our own telcos in the free world. Well, I mean, I guess Risky Biz is where criminals come for crime advice. And the crime advice from us today is, boy, you're going to have a tough time there. You might have to increase your comms budget, and good luck to you, sir. That's probably about all we have time for this week. Tom, thank you very much for your work. If people want to read it, head on over to news.risky.biz. You can sign up for Tom's newsletter and also Catalin's fine Risky Business News there as well. So, yeah, thanks very much for your time, Tom. And thanks everyone for listening.
Tom Uren
Thanks, Adam.
Podcast Summary: Risky Business News - "Srsly Risky Biz: Why hack and leak is still a big deal"
Release Date: December 5, 2024
Host: Adam Boileau
Guest: Tom Uren
In this episode of Seriously Risky Business, host Adam Boileau is joined by his colleague Tom Uren to discuss the enduring impact of hack and leak operations. They explore recent developments in corporate espionage, historical parallels, and the evolving landscape of criminal communication networks.
Tom Uren opens the discussion by highlighting a significant Reuters report investigating Exxon Mobil's involvement with DCI Group, a public relations consultancy implicated in hack-for-hire operations.
Tom Uren [01:29]: "The sources told them that the FBI is investigating the links between Exxon Mobil, a consultancy group called DCI Group, and hack for Hire operations."
The investigation reveals that private investigators acted as intermediaries between U.S. corporate interests and Indian hack-for-hire firms. These operations involved stealing material from environmental activist groups to undermine lawsuits against Exxon Mobil, drawing a parallel to the historical legal battles faced by the U.S. cigarette industry.
Tom Uren [01:29]: "These hack and leak operations undermined those lawsuits against the energy sector and had a profound influence."
Adam reflects on the societal desensitization to such activities, noting that while the 2009 ClimateGate incident was initially dismissed, today’s investigative journalism brings more scrutiny and understanding.
Tom Uren [04:04]: "Nowadays things are better. We've got investigative journalists pursuing these kinds of stories."
Adam reminisces about the 2009 ClimateGate hack, comparing it to contemporary hack and leak operations. He emphasizes how the lack of attribution at the time limited the perceived impact of the breach.
Adam Boileau [04:07]: "It was never attributed to anyone. People think maybe it was the Russian state... or US energy interests like Exxon."
Tom adds that the ClimateGate incident was a pivotal moment in the climate change debate, much like the Exxon case today, highlighting the strategic use of cyberattacks to influence public opinion and legal outcomes.
Tom Uren [04:07]: "Someone arranged this, they organized it, they timed it... hack and leak was the way they did it."
The hosts discuss the devastating effects of hack and leak operations on targeted organizations and individuals. Tom underscores the misrepresentation of leaked data and the lack of accountability beyond the middlemen.
Tom Uren [09:17]: "It was quite devastating because their work was basically misrepresented for a purpose they didn't agree with."
Adam points out the systemic issue where private investigators and intermediaries face the brunt of legal consequences, leaving the orchestrators unaccounted for.
Adam Boileau [10:52]: "Almost never anyone is held responsible other than the poor PIs who are the fall guys in this case."
Transitioning to criminal communication networks, Tom discusses recent law enforcement actions against "crime phones," encrypted messaging applications used by criminals.
Tom Uren [12:28]: "Police were able to intercept and decipher messages for months and then they took it down."
He explains how these apps, despite their claims of enhanced security, often have exploitable vulnerabilities due to their reliance on key individuals and centralized control.
Tom Uren [16:11]: "There's always someone in charge, and police have figured out... either get hold of the infrastructure or the key person."
Adam contrasts this with legitimate state-run secure communications, highlighting the extensive measures and reviews involved in maintaining such systems.
Adam Boileau [16:59]: "In the criminal world, we haven't really got that north star of capitalism that kind of guides things in a predictable way."
Tom delves deeper into the inherent challenges faced by criminals in maintaining secure communication networks. He cites the example of Mexican cartels attempting to create their own encrypted systems, which ultimately failed due to internal security lapses.
Tom Uren [18:18]: "They built an encrypted messaging service with an interception system, which the police exploited."
Adam humorously suggests that even with increased budgets, the fundamental human factors and operational complexities undermine the security of these illicit networks.
Adam Boileau [20:05]: "We can't even secure our own telcos in the free world... criminals have a tough time there."
The conversation concludes with reflections on the future trajectory of hack and leak operations. The speakers emphasize the relentless cat-and-mouse game between cybercriminals and law enforcement, noting that as security measures evolve, so do the tactics of those attempting to circumvent them.
Tom Uren [20:44]: "It's a lot of work, and it seems unreasonable to expect a crime cartel to do that amount of work in a robust way."
Adam encapsulates the ongoing struggle, highlighting that while significant progress has been made, the battle to secure information and maintain accountability continues to evolve.
Adam Boileau [21:22]: "Good luck to you sir."
In this episode, Adam Boileau and Tom Uren provide a comprehensive analysis of the enduring significance of hack and leak operations in both corporate and criminal contexts. Through detailed case studies and historical comparisons, they underscore the complex interplay between cyber threats, legal frameworks, and the relentless pursuit of accountability.
Listeners are encouraged to stay informed by following the Seriously Risky Business newsletter and accessing further resources on Risky.biz.