Breaking Badness

Breaking Badness Cybersecurity Podcast - 187. Harriet the Spyware

Coming up this week on Breaking Badness: Mercenary in Retrograde, Hunt Forward Bound, and Gold, Guidance, and Grievances.
Here are a few highlights from each article we discussed:

Mercenary in Retrograde

  • Apple alerts users in 92 nations to mercenary spyware attacks
  • What is a ‘mercenary spyware attack’?
    • This is Apple playing some politics and separating spyware companies from their likely customers – typically, nation-states, but not always
    • Ian’s understanding is that the pushback Apple got was from Israel, where NSO group resides, and India, and apparently some facets of the government and political parties in India have been using mercenary spyware companies with increasing regularity
  • Are these types of attacks more common in regard to elections?
    • There are typically three groups that constitute the primary targets of nation-state level spyware; the first is legitimate targets in the criminal and national security threat space
      • Unfortunately, the second and third target groups are probably the larger ones: opposition political figures and activists, and journalists
    • Additionally, given the threat environment around disinformation and harassment campaigns that now routinely spin up surrounding elections, it’s common for batches of these messages from Apple to go out around that time
    • Having real-time access to the devices of target figures is invaluable, and contributes in major ways to different campaigns, from intelligence (knowing what your opponent is up to or planning) to disinformation (being able to create fear, uncertainty, doubt, or other issues around planned moves). While the opponent plans their rally or visit, you get to plan things around it with the benefit of foresight, which can be incredibly effective
    • Disinfo can leave regular folks thinking, “How can it be a conspiracy? It would’ve been so intricate and involved to pull off, it must be true.”
  • What’s Apple’s history in sending these types of messages to their users?
    • Initially it was mostly around celebrity account security and celebrity device security
    • If the audience will recall, there was a period of a few years where a bunch of celebs’ phones got popped for information as well as their private pictures
    • Apple was then able to pivot to provide extended protection for other notable figures, finally offering it to everyone with things like Lockdown Mode, which Ian highly recommends
    • To date, no reports are available that spyware has been able to penetrate an Apple phone in Lockdown Mode
    • As for the spyware alert messages, these are usually sent about only sophisticated actors trying to compromise accounts, and Apple likely has an incredibly cool internal threat intelligence team working on indicators around this, along with engineers specifically tasked to monitor threat actor techniques and ensure they’re as ineffective as possible
    • They’ve happened around elections most especially – usually targeting opposition parties rather than the parties in power. Journalists with a history of breaking stories that governments dislike are also regularly targeted, along with human rights and other activists
  • With smishing scams, how do users know to take these notifications seriously?
    • Apple has been really smart with their threat notifications
    • First of all, they’ll never include links, files, or other misdirections. Secondly, if you receive a threat notification, you can sign in at appleid.apple.com and it will be echoed by a page header showing the threat notification as well
  • If you received a message like this, what would be the next steps? How do you clear mercenary spyware from your device?
    • Verifying that it’s genuine is the first step – as we said, through the Apple ID sign-in, but Apple also refers folks to the Digital Security Helpline from Access Now
    • The Digital Security Helpline is a free-of-charge resource that provides direct technical assistance to targeted people, be they activists, journalists, bloggers, etc.
    • The best actions you can take in the moment are the defense you set up now, rather than waiting for the attack
    • First of all – as with most systems – you want to keep the operating system as up-to-date as possible anyway; that’s one of the best ways to keep it protected. You also want to use a fairly robust passcode (no 0000) for multiple reasons, both physical and remote – if someone steals the phone, they’re less likely to be able to get into it to extend the compromise
      • Remotely, some actions require the passcode, which usually requires user interaction on the device and can’t be input remotely even if the attacker knows it. Also, abide by the usual digital hygiene – a strong, unique password for your Apple ID, and multifactor authentication – hopefully not SMS/text messages, due to SIM swaps
    • Secondly, and again as a measure you can do now ahead of time – enable Lockdown Mode. I’ve had it enabled on my devices for months with few problems. Once in a while you’ll need to exempt a page or an app from Lockdown Mode, but most things work fine with it enabled, and it vastly reduces the attack surface of the device
    • Third – regular rebooting of the phone. Especially for mobile devices, and very especially for iPhones, it’s really difficult for malware to establish persistence mechanisms that last beyond a device reboot. So as long as you haven’t done things like enabling a device management profile that would allow the spyware to redeploy, rebooting your phone is a good way to refresh it. And coming from an IT support background, Ian tends to suggest this to folks anyway – rebooting a phone once per week keeps the device working better and staves off most of the lower-level problems

Hunt Forward Bound

  • Following the Volt Typhoon attacks on critical infrastructure in the region by China, the US reportedly will share cybersecurity threat information with Japan and the Philippines
  • Brief overview on Volt Typhoon:
    • Assessed to be a PRC APT
    • Active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States
    • Focused a bunch on espionage and info gathering, but could be disruptive
  • Why would the Philippines be a prime target for Volt Typhoon?
    • Location, location, location
    • And vulnerability
    • But a lot of it comes down to location with the South China Sea
    • Regarding vulnerability: there’s service reliability, workforce skills shortages, and data/privacy management issues
  • Is this the first time we’ve seen a cyber agreement like this between nations?
    • No, which is a good thing
    • This goes way back; the 2001 Budapest Cybercrime Convention was the first international treaty to address cybercrimes
      • And specifically in recent years in the APAC region, the United States and Japan have already entered into trilateral talks with South Korea; Japan and South Korea also joined NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) in 2018 and 2022, respectively
      • And that’s just APAC. The EU has done a lot over the last few years to foster cooperation, and of course some of the great cooperation we’ve seen on law enforcement takedowns, such as when the FBI and Europol work together, are the result of agreements and cooperation across nations
      • As alluded to in the article title, these latest agreements are part of the larger “Hunt Forward” campaign, in which US Cyber Command deploys military cybersecurity specialists to allies to hunt for malicious cyber activity
  • How do these alliances impact the fight against cybercrime?
    • Sort of analogous to how Tim always says “network segmentation” as a response to questions about how orgs can mitigate risk in terms of network-based attacks, my corresponding answer to this is “information sharing.”
    • So much of what actually gets done in the fight against all kinds of cyber badness happens as a result of cooperation and info sharing, and this will certainly help from a cybercrime perspective

This Week’s Goodie Scale

Mercenary in Retrograde

[Tim]: 1/10 Goodie
[Ian]: 8/10 Goodies

Hunt Forward Bound

[Tim]: 7/10 Goodies
[Ian]: 8/10 Goodies


That’s about all we have for this week. You can find us on Mastodon and Twitter/X @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!