The timing was one of the weirder aspects of this week’s cyber condemnation of China by the West. Why was this piece of political theatre being staged now? China’s (and Russia’s) sponsoring and/or condoning of semi-state and criminal hacker groups has been known about for nigh on a decade. More particularly, Microsoft had been alerted to the flaws in its Microsoft Exchange product in early January, and had (belatedly) issued patches to correct those flaws in early March. At that time, the company admitted that the four major flaws in Microsoft Exchange had been penetrated by a group of Chinese hackers that Microsoft called Hafnium. It blamed the Chinese government for harbouring the group. (Hafnium is the same state-sponsored group that Canada and New Zealand have called APT 40. APT stands for Advanced Persistent Threat.)
So why did the US, the UK, the EU, Australia, Japan etc etc take until July 20 to tell the world that Chinese hackers have exploited flaws in Microsoft Exchange and that this sort of behaviour must stop, or else? What interests of political theatre are being served by making a song and dance now – over three months after White House officials had publicly chided Microsoft, and told the company that issuing inadequate security patches for Microsoft Exchange was not a good enough response to the failings in its product?
In New Zealand’s case, how could it be that the (paywalled) Australian newspaper was able to tell its readers that New Zealand and Canada were about to condemn China’s complicity in the Microsoft hack, before GCSB Minister Andrew Little informed New Zealanders late on Monday night? On Monday, the Crikey website cited the Australian story to the same effect that negative comment from New Zealand and Canada about China would be forthcoming. While the commentariat pondered whether New Zealand should be applauded or criticised for daring to criticise China, a raft of other questions went unanswered.
Such as: what responsibility does a lucrative tech giant like Microsoft bear for (a) having readily exploitable flaws in Microsoft Exchange and (b) taking its own sweet time to alert its customers to the problems and provide them with security patches that still (see below) seem to have left a ‘back door’ open? Unfortunately, Bill Gates didn’t get to where he is today by making the quality of Microsoft’s products an overriding concern. Beyond Microsoft, what oversight/testing capability do (or should) security agencies have for vetting digital products that can compromise the privacy and data of individuals and firms? The banking system requires certain stewardship standards from those entrusted with caring for the public’s wealth. No similar standards seem to apply to the highly profitable companies entrusted with caring for the public’s digital data.
In the US, the FBI obtained a court order in March to enter the networks of businesses to remove web shells used by cyber attackers as ‘back doors’ to exploit the vulnerabilities in Microsoft Exchange. In lieu of adequate corporate responsibility, is this kind of exercise of state power a good idea, or a bad idea?
The state may need to get more involved. The unfortunate reality is that almost all the recent major hacks have been discovered by individuals or by private players, such as the FireEye security firm that discovered the SolarWinds hack last December. As things stand, we seem to be relying on the private sector and on computer nerds to check and report on the adequacy of the tools we use to carry our digital data. At the very least, it should be made mandatory for the companies selling these systems to report the vulnerabilities in their products immediately on discovery. Ironically, Microsoft and the FireEye security firm are both currently lobbying Congress to make breach reporting mandatory. That legal requirement isn’t currently in place. Tech companies can limit breach disclosures to protect their share price.
Looking ahead, would it be better – or worse – to call in the FBI (or the GCSB and SIS) when product failings become apparent, and when vital socio-economic organisations are being attacked for reasons of ransom, IP theft or cyberespionage? Either way, this is not a great situation. With reason, some people may not want the SIS to be in a position where it could trawl through their health data, even while acting as a line of privacy defence.
Actual risk, appropriate response
Why, one wonders, are the attacks on Microsoft by Chinese operatives being treated by the West as so much worse than the SolarWinds hack detected in December, a raid widely attributed to Russian-based operatives? In the SolarWinds hack – also made possible by flaws in the company’s products – it is believed the Russian hackers went for nine months undetected, while they ransacked files held by the US Treasury, Justice etc and some 18,000 other government agencies and private firms. That attack, too, was preceded by any number of Russian attacks on everything from the IOC to the integrity of elections in the US and France. If hacking were an Olympic sport, Russia and China would both be medal contenders.
So… Why has the Western club of nations decided that now is the right time to join together to condemn China, when it hasn’t rallied the same team effort to blame Russia for its (equally or more damaging) persistent online behaviours? It looks very much as if New Zealand has been wrangled into joining the chorus line in a White House-led effort intended to put China (and the world) on notice that the US is back, and in charge of Team West. Basically, we have been pressured into putting our trade and diplomatic relationship with China in jeopardy, in the service of what is largely an exercise in image building by US President Joe Biden. This week, there hasn’t been any evidence of New Zealand having an “independent” foreign policy. Or much sign of our fabled ability to juggle our trade links with China, and our defence and security links with the Americans. Plainly, under Biden, the space for that kind of fancy footwork is going to shrink.
Here, at Home
The cyber security questions don’t stop there. Apparently, we are regularly coming under cyber-attack by hackers sponsored by or operating with the tacit blessing of several other nation states, including the hacker groups acting on behalf of our main trading partner. If that’s the case, why aren’t we being told which countries are believed to have been responsible for the major hacks and ransomware demands that have happened here, of late?
For example: the public has been left in the dark as to the likely national origins of the hackers who committed the cyber-attacks on (a) the NZ stock exchange in mid-2020 and (b) the Waikato DHB this year. Moreover, we aren’t being told if these attacks are being launched by foreign criminal gangs or by foreign state agencies, or by individuals with a foot in both camps. Do our security agencies even know such details? It would help public confidence to know how well our cyber defenders are coping with the traffic.
Rumour has it that in both those major NZ hacks, Russian-speaking criminal gangs working with the blessing of the Russian government were responsible. It would still be nice though, to be officially told who our security agencies regard as the prime suspects. Instead, we’re being rallied by the Ardern government to the threat posed by China even though we haven’t been offered any evidence as to which New Zealand individuals, firms or state agencies (if any) have suffered actual harm at the hands of these Chinese APT groups.
The question is not merely why we’re marching in step with our traditional allies to name and shame China on the world stage. To repeat: GCSB Minister Andrew Little has refused to name even the country of origin of the hackers at the Waikato DHB, or any of the local victims of the multitude of hacks earlier this year via Microsoft Exchange. His answer this week has been that there are issues of national security and “commercial in confidence reasons” that prevent him from commenting further on such matters. Really? This is one area where the public’s right to know who has been violating their privacy and/or stealing their data is more important than the possibility that some commercial firms might lose market share (or some state agencies might lose face) if their inability to protect the public’s data were to be disclosed. Most people would blame Microsoft, not their hapless local customers.
Thank goodness that during the Vietnam War, similar issues of “commercial in confidence” sensitivity didn’t prevent us from finding out that Dow Chemical were making Agent Orange in New Plymouth. In a transparency sense at least, those were the good old days.
Hafnium, APT 40
The first public sign of the vulnerabilities in Microsoft Exchange was reported to the company (and to the world at large) on January 5th in this tweet by a DEVCORE researcher using the handle “Orange Tsai.” Initially it was thought that attacks exploiting the four “zero day” flaws detected began on January 6th. The Volexity site has since reported that those attacks began three days earlier, on January 3.
For background: Microsoft Exchange Server is an email inbox, calendar, and collaboration solution. Users range from giant multinationals to small and medium-sized businesses worldwide. The extent of the problems for users of the flawed versions of Microsoft Exchange has depended on the adequacy of the security patches, the speed at which they are made available by Microsoft, and how quickly they are put in place by users. ZDNet has explained here the four basic flaws, the kind of attacks mounted on them, and the response by Microsoft. The subsequent investigations have included the possibility that the attackers were tipped off by an insider:
Microsoft is now also reportedly investigating potential links between PoC attack code issued privately to cybersecurity partners and vendors prior to patch release and exploit tools spotted in the wild, as well as the prospect of an accidental — or deliberate — leak that prompted a spike in attacks.
If used in an attack chain, all of the four main vulnerabilities cited could lead to “Remote Code Execution (RCE), server hijacking, backdoors, data theft, and potentially further malware deployment….” As mentioned, Microsoft has blamed a Chinese state-sponsored group it calls Hafnium for the subsequent attacks. There is useful background information on Hafnium here. Here’s how the attackers did it:
The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.
To an outsider, that last point – that the Chinese hackers (and presumably those sponsored by other nation states) are launching their attacks via a web of virtual private servers located in the US (partly in order to conceal their true location) – seems a bit surprising, and ironic. It suggests a possible means of defence. Namely, don’t lease US servers to Chinese, Russian or North Korean based enemies of the state, or their representatives. This is maybe where the FBI could be of some use, in tracing who hired those servers, and from where.
Was China the sole player?
Even when it comes down to just the cyber attacks made via Microsoft Exchange, it’s doubtful that Hafnium (aka APT 40) was the only culprit. Microsoft’s own alerts, accessible here, explicitly say others were involved:
[03/08/2021]: Microsoft continues to see multiple actors taking advantage of unpatched systems to attack organizations with on-premises Exchange Server….
Update [03/05/2021]: Microsoft sees increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM.
Who were these other players? ZDNet’s chronology of how the crisis developed in early March shows how quickly it became open season on Microsoft Exchange. Even so, several of the other identified attackers also seem to have been Chinese-speaking. They included the notorious APT 27 group, also known as LuckyMouse, which has a history of cyber breaches stretching back to 2010. This year, it made successful inroads into several US gaming companies. Calypso, one of the other hacker groups involved, is a cyber-espionage group that Russian sources say has “Asian roots.” Winnti Group, another team named as being involved, is also Chinese-based. Reportedly, while LuckyMouse has tended to specialise in cyber-espionage, Winnti Group tends to be a for-profit operation.
The US Cybersecurity and Infrastructure Security Agency (CISA) says that it is “aware of threat actors using open source tools to search for vulnerable Microsoft Exchange Servers.” On March 10, ESET said that 10 APT groups have been connected to attacks exploiting the Exchange Server vulnerabilities. These state-sponsored groups include LuckyMouse, Tick, Winnti Group, and Calypso. F-Secure researchers have called the situation a “disaster in the making,” adding that servers are “being hacked faster than we can count.”
The slew of attacks in March via Microsoft Exchange mushroomed:
Mandiant says further attacks against US targets include local government bodies, a university, an engineering company, and retailers. The cyberforensics firm believes the vulnerabilities could be used for the purposes of ransomware deployment and data theft. Sources have told cybersecurity expert Brian Krebs that at least 30,000 organizations in the US have been hacked. Bloomberg estimates put this figure closer to 60,000 as of March 8. Palo Alto Networks suggests there were at least 125,000 unpatched servers worldwide, as of March 9.
Things quickly got worse:
On March 11, Check Point Research said that attack attempts leveraging the vulnerabilities were doubling every few hours. On March 15, CPR said attack attempts increased 10 times based on data collected between March 11 and March 15. The US, Germany, and the UK are now the most targeted countries. Government and military targets accounted for 23% of all exploit attempts, followed by manufacturing, financial services, and software vendors. The US Cybersecurity and Infrastructure Security Agency (CISA) says that it is “aware of threat actors using open source tools to search for vulnerable Microsoft Exchange Servers.”
As mentioned, some of the APT groups cited above had previously been associated with intrusions conducted mainly for reasons of cyberespionage or IP theft, and not with ransomware attacks for profit. However, this pattern seems to be changing, as state actors and criminal gangs appear to be co-operating in launching ransomware demands, and are sharing their tools of attack to do so. Reportedly, they may also be splitting the proceeds. The tools of the trade include these items:
In a situation reminiscent of the 2017 WannaCry ransomware outbreak, on March 12, Microsoft said that a variant of ransomware known as DoejoCrypt/DearCry is leveraging the bugs to deploy ransomware on vulnerable Exchange servers…The deployment of web shells, such as China Chopper, on compromised Exchange servers has proved to be a common attack vector. Batch files written to servers infected with ransomware may ensure access is maintained to vulnerable systems, even after infections have been detected and removed.
China Chopper is a tiny but crucial part of the APT arsenal when it comes to creating enduring “back doors” to online targets. FireEye’s useful brief description of China Chopper is available here. ZDNet has also explained the qualities of China Chopper that make it such a useful “back door” instrument.
Finally… All the above information is being freely published and debated elsewhere. It is time the NZ government and its security agencies were more forthcoming about the cyber attacks on our firms and state agencies. Our security agencies were supposed to be entering a new era of transparency, and have recently been engaged in re-branding exercises to that effect. Yet when it comes to cyber security, they’re ducking back into the worst “zipped lips, we know best” practices of yore. These come down to a “trust us, we’re the experts and we know what we’re doing” approach. It has never seemed to occur to the SIS and the GCSB that the public’s trust is not a given, but something that has to be earned. Right now, cyber security isn’t a field where the state “experts” hold all the cards, or even many of the relevant ones.
Special Footnote: The above article refers to 18,000 customers affected by the SolarWinds hack. However, a SolarWinds company representative has since been in contact and referred me to an official investigation. Here’s the key paragraph:
“….of the approximately 18,000 affected public and private sector customers of Solar Winds’ Orion product, a much smaller number have been compromised by follow-on activity on their systems. We have so far identified fewer than ten U.S. government agencies that fall into this category, and are working to identify and notify the non-government entities who also may be impacted.”
Clearly there’s a spectrum involved here, ranging from “affected” to being “compromised by follow-on activity.” While 250 US agencies and entities were originally reported as “affected” by the hack, the reference to “fewer than ten US government agencies” being subject to “follow-on activity” is a bit disingenuous, given the importance of some of those agencies: Justice, Energy, Homeland Security, Commerce and the State Department.
Footnote One: Mindful of what happened subsequently at Waikato DHB, it is worth noting that the trend of targeting healthcare providers had been identified by Microsoft last October. The spread of cyber attacks to US hospitals is also discussed by NBC News here.
Footnote Two: The term “cybersecurity” conjures up images of ninja attacks by elite Asian hackers and Russian SMERSH agents out to (a) steal the intellectual property of our corporates, and (b) disrupt the key strategies of our politicians and diplomats. Not to mention the theft and extortion rackets being run by criminal gangs whose names seem torn from the pages of a James Bond novel.
For sure, there are some bad players out there in cyberspace. Yet cyber-security also seems to consist of democratic governments building and deploying platforms for pro-active cyber offensives aimed at alien foreign powers, and even (when it comes down to stealing trade secrets) some that have aimed in the past at a few of our friends and allies. What I’m getting at is that cybersecurity is not just about building up our resilience/resistance capabilities on the home front. Last year, the Australians were upfront about what they have in mind –
Australia will recruit 500 cyber spies and build on its offensive capabilities to take the online fight overseas in a $1.3 billion funding boost… The Australian Signals Directorate will also share intelligence with government departments and companies in near real time as part of the biggest ever cash injection to Australia’s cyber defences. Prime Minister Scott Morrison [announced] the ASD will be given more than $1 billion over the next decade to disrupt foreign cyber criminals and better identify malicious hacks.
Hmm. So… Australia aims to “build on its offensive capabilities to take the online fight overseas.” Clearly, in the age of cyber conflict, hack attacks are just another form of force projection. And “our side” is doing it, too.
This week’s Spotify playlist kicks off with a track from the Superwolves collaboration between Will Oldham and Matt Sweeney, and they’re backed on this cut by the great Sahel region guitarist Mdou Moctar and his band. The hybrid result sounds like West African rockabilly. That’s why I’ve segued into the classic “Obaa Sima” dance cut from Ghana. There’s a fascinating documentary available here on YouTube about how this terrific piece of music was recorded, buried, re-discovered and has since spread around the world, much to the amazement of the humble “Ata Kak” guy who made it.
Everything else is pretty self-explanatory. Desperate Journalist are a four-piece British band – two women, two blokes – based in London. The playlist’s closing cut “Banks of the Hope” is not just an optimistic metaphor, though it is that, too. The Hope River runs through the St Andrew parish of Kingston, Jamaica. You should check out this beautiful video featuring Agent Sasco – who grew up on the riverside – as he stands on the bridge that links his old neighbourhood of Kintyre (in St Andrew parish) to the rest of the world. That line about wanting “better public transport” is only part of what the community needs.
Here’s the playlist: