
Seriously Risky Business Newsletter

August 14, 2025

Drug Cartels Are the New APTs

Written by

Tom Uren

Policy & Intelligence

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Yubico.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

One by one, US federal government agencies are learning that the sensitive but unclassified information they hold is susceptible to theft by hackers. Unfortunately, education-by-breach is very costly.

Last week, Politico reported the electronic case filing system used by the federal judiciary had been breached in a "sweeping cyber intrusion". Hackers breached the Case Management/Electronic Case Files (CM/ECF) system that legal professionals use to upload and manage case documents. They also breached PACER, the system that gives the public limited access to some of the same data. 

The hack sounds just about as bad as can be, with officials concerned that Latin American drug cartels have obtained sensitive court data. Per Politico's follow-up reporting:

The worry, according to three judicial officials and investigators with knowledge of the hack, is that cartels could weaponize the stolen data to identify witnesses in cases the federal government has opened against them, or to gain knowledge of impending or ongoing criminal investigations, such as sealed wiretap orders and arrest and search warrants.
At least a dozen district courts across several U.S. states are believed to have been directly impacted by the ongoing compromise of the digital case filing system, known as CM/ECF, according to the first two people. The incident is believed to be one of the most serious hacks into the federal court filing system in years.

But concerns about the breach are not limited to the drug cartels. It appears many other groups had also breached the judiciary's systems.

It's unclear if the cartels were directly connected to each of those breaches because multiple nation-states and criminal groups are thought to have penetrated CM/ECF simultaneously, while at least some of those groups have been inside the system for years, the first two people said. All three people were granted anonymity due to the sensitivity of the issue.

Federal court officials issued a statement saying they were strengthening cyber security protections "in response to recent escalated cyberattacks of a sophisticated and persistent nature on its case management system". The statement continued that "the Judiciary is also further enhancing security of the system and to block future attacks, and it is prioritizing working with courts to mitigate the impact on litigants."

This isn't the first time that the US judicial system has been targeted by hackers. Back in 2020, three foreign groups attacked the court's document filing system. In 2021 Russian state-backed hackers targeted email accounts at New York's state attorney's offices.

The targeting of unclassified but sensitive data isn’t just a problem for the courts. The Securities and Exchange Commission's Edgar database of corporate filings, for example, was compromised in late 2016. 

The problem here is that each individual agency is learning, hack by hack, that its data is highly prized by multiple groups who are actually capable of stealing it. Unfortunately, when the data in question contains sensitive information such as witness identities, learning lessons after a hack is simply too late. 

We don't think that the Trump administration's promise of more aggressive offensive cyber operations will be the answer here, either. We generally support the idea, but there are simply too many potential threat actors. States, cartels and cyber criminals each have their own reasons for wanting data. Disrupting one group still leaves plenty of adversaries waiting in the wings. It won't do much to reduce the overall threat level.

The risk to sensitive federal systems is also increasing as hacking becomes democratised. In an ideal world that threat would be met with a co-ordinated security uplift. Instead, each agency is being left to independently batten down the hatches after it has been hacked. 

That large-scale coordinated action didn’t happen when CISA was bigger and better resourced, so we're not holding our breath for massive changes after recent budget and personnel cuts there. Still, we think some kind of centralised response would be helpful. Even something as simple as developing these incidents into case studies to be shared between government agencies would be better than nothing. 

For now though it's the status quo. So … More hacks to come. 

Azure Fuels Israeli Surveillance and a PR Nightmare For Microsoft

Microsoft is discovering that commercial deals with foreign intelligence agencies can be reputationally risky, even if technical and contractual firewalls are in place. 

A joint investigation from The Guardian, +972 Magazine and Local Call revealed that Israel's military signals intelligence agency, Unit 8200, has used Microsoft Azure to store communications intercepted from Palestinians in Gaza and the West Bank.

The Guardian describes the entire system, which isn't named in the reporting, as "a sweeping and intrusive system that collects and stores recordings of millions of mobile phone calls made each day". 

Thanks to the control it exerts over Palestinian telecommunications infrastructure, Israel has long intercepted phone calls in the occupied territories. But the indiscriminate new system allows intelligence officers to play back the content of cellular calls made by Palestinians, capturing the conversations of a much larger pool of ordinary civilians.
Intelligence sources with knowledge of the project said Unit 8200's leadership turned to Microsoft after concluding it did not have sufficient storage space or computing power on the military's servers to bear the weight of an entire population’s phone calls.
Several intelligence officers from the unit, which is comparable to the US National Security Agency (NSA) in its surveillance capabilities, said that a mantra emerged internally that captured the project’s scale and ambition: "A million calls an hour".

Per The Guardian, three Unit 8200 sources said "the cloud-based storage platform has facilitated the preparation of deadly airstrikes and has shaped military operations in Gaza and the West Bank". 

Microsoft says its CEO Satya Nadella was not aware of the specific data Unit 8200 planned to store in Azure. It hasn't responded to the allegations published this week, but back in May it issued a statement in response to concerns about its products being used "by the Israeli military to target civilians or cause harm in the conflict in Gaza". It said:

We have conducted an internal review and engaged an external firm to undertake additional fact-finding to help us assess these issues. Based on these reviews, including interviewing dozens of employees and assessing documents, we have found no evidence to date that Microsoft’s Azure and AI technologies have been used to target or harm people in the conflict in Gaza.

It also distanced itself from the Israeli Ministry of Defence (IMOD):

It is worth noting that militaries typically use their own proprietary software or applications from defense-related providers for the types of surveillance and operations that have been the subject of our employees' questions. Microsoft has not created or provided such software or solutions to the IMOD.
It is important to acknowledge that Microsoft does not have visibility into how customers use our software on their own servers or other devices. This is typically the case for on premise software. 

The Guardian reported this week that a senior Microsoft source said the company insisted to Israeli defence officials that its systems not be used to identify targets for lethal strikes. 

However, a Unit 8200 source told The Guardian that the phone call interception system was queried when planning airstrikes within densely populated areas. The sources didn't elaborate on what the purpose of these queries was. 

The data was also being actively used to facilitate real world actions, per The Guardian:

Unit 8200 sources said the information stored in Azure amounted to a rich repository of intelligence about its population that some in the unit claimed had been used to blackmail people, place them in detention, or even justify their killing after the fact.

These allegations were published last week. At time of writing Microsoft hadn't responded to them directly. 

When this contract was signed in 2021, Microsoft attempted to isolate itself from reputational risk by putting controls in place such as acceptable use policies and assurances from IMOD officials. It was also not involved in building the system. Microsoft obviously thought this was a sufficiently careful approach in 2021, but times have changed. Dramatically.

Australia's Blunt Espionage Warning

Mike Burgess, the Director-General of the Australian Security Intelligence Organisation (ASIO), has warned that espionage is costing the country about USD$8 billion a year. 

Burgess said that in the last three years ASIO had carried out 24 major espionage and foreign interference disruptions. That's more than the previous eight years combined. 

He said "a new iteration of great power competition is driving a relentless hunger for strategic advantage and an insatiable appetite for inside information." 

The USD$8b was cited in ASIO's Cost of Espionage report, produced in partnership with the Australian Institute of Criminology. Speaking at the University of South Australia, Burgess said the amount included direct costs "such as the state-sponsored theft of intellectual property as well as the indirect costs of countering and responding."

"The Institute estimates foreign cyber spies stole nearly AUD$2 billion of trade secrets and intellectual property from Australian companies and businesses in 2023-2024."

Three Reasons to Be Cheerful This Week:

  1. More secure open source software: GitHub has reported initial results from its Secure Open Source Fund. It says it has helped 71 important and fast growing open source projects improve their security practices and find and remediate vulnerabilities.
  2. Volunteers protect our precious fluids: The startup phase of a volunteer effort to protect water utilities across America has been a success and is looking to scale up. The effort, known as DEF CON Franklin, is covered in more detail at The Record.
  3. Scammers detained in Thailand, Philippines: In separate incidents scammers running call centres have been detained in Chiang Mai, Thailand and Pasay City, in the Philippines.

Sponsor Section

In this Risky Business sponsor interview, Tom Uren talks to Derek Hanson, Yubico's Field CTO, about making account recovery and onboarding for employees phishing-resistant. They also discuss the problems and opportunities of syncable passkeys.

Shorts

An Explanation For All Those Spam Texts

The Security Alliance has published an analysis of the Chinese SMS digital wallet fraud ecosystem. It explains how all those spam texts that everyone gets are used in digital wallet fraud.

When successful, information stolen by phishing is used to load credit cards into digital wallets such as Apple Pay or Google Wallet on attacker-controlled mobile devices. The criminals will then sell devices loaded with multiple stolen cards. 

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).

In our last "Between Two Nerds" discussion Tom Uren and The Grugq dissect the Belarusian Cyber Partisans hack of Russian airline Aeroflot. Despite the short-term impact, the airline will likely bounce back quite quickly. But it is still a big win for the Cyber Partisans.

Or watch it on YouTube!

From Risky Bulletin:

CISA tells federal agencies to mitigate on-prem-to-cloud Exchange attack: CISA has released a rare emergency directive ordering federal agencies to patch a new attack vector in Microsoft Exchange email servers.

Federal agencies have four days, until August 11, to address the issue and apply mitigations shared by Microsoft on Wednesday.

The guidance addresses a vulnerability (actually more of a design flaw) in hybrid environments, where Exchange on-premises servers sync data to an Exchange Online instance.

[more on Risky Bulletin]

China with the accusations again: The Chinese government accused the US last week of trying to sneak backdoors into NVIDIA chips and of using Microsoft zero-days to hack and steal its military secrets.

Both accusations came via the Cyberspace Administration of China (CAC), the country's cybersecurity agency and internet regulator.

On Thursday, the CAC summoned American chipmaker NVIDIA to provide details of an alleged backdoor mechanism that could be embedded on chips sold in China.

The system is detailed in the US Chip Security Act, a bill put forward in May by Republican Senator Tom Cotton. If passed, the bill would mandate that NVIDIA include a tracking system inside chips to prevent them from being rerouted to sanctioned or unwanted countries. The tracking system would also have to include a remote shutdown system to disable the chips if they reach a destination the US doesn't like.

[more on Risky Bulletin]

Russia spies on foreign embassies using local ISPs: Russian intelligence services are hacking and spying on foreign embassies and their staff by tampering with their internet connections.

Russian espionage units are using the SORM traffic interception system installed at local ISPs to alter traffic and deliver malware payloads to embassy staff.

According to Microsoft, the campaign has been ongoing since at least last year. The company attributed the attacks to a group it tracks as Secret Blizzard, but more widely known as Turla.

Microsoft says Turla operators are using the ISPs providing internet connectivity to foreign embassies for adversary-in-the-middle (AiTM) attacks.

[more on Risky Bulletin]

© Risky Business Media 2007–2025. All rights reserved.
ABN 73 618 465 517