Seriously Risky Business Newsletter
July 17, 2025
Spain Leaves Key Under Mat for Huawei
Policy & Intelligence
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Zero Networks.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Recent reporting that the Spanish government had awarded €12.3 million to Huawei to manage storage for the government's lawful intercept (LI) system struck us as a terrible idea.
Digging a bit deeper, it turns out the truth is more understandable but far worse. These contracts were awarded over the last few years and were a continuation of an existing arrangement. Huawei has been involved in Spain's lawful intercept (LI) system since 2004.
It is time to rip the bandaid off.
In LI systems, service providers intercept communications and provide them to officials from intelligence or law enforcement agencies when presented with a valid authorisation such as a court order. LI is common enough that there are a number of ETSI standards for it.
While it is a valuable investigative tool for domestic law enforcement and counterintelligence purposes, LI systems are also a high-value target for foreign intelligence services.
Back in 2004, for example, in the lead-up to the Athens Olympics, local telecommunications provider Vodafone Greece was hacked. In this case, rogue software subverted the built-in LI capabilities of Ericsson telephone switches to effectively wiretap specified phone numbers. Over 100 phones were targeted, per IEEE Spectrum:
Besides the prime minister and his wife, phones belonging to the ministers of national defense, foreign affairs, and justice, the mayor of Athens, and the Greek European Union commissioner were all compromised. Others belonged to members of civil rights organizations, peace activists, and antiglobalization groups; senior staff at the ministries of National Defense, Public Order, Merchant Marine, and Foreign Affairs; the New Democracy ruling party; the Hellenic Navy general staff; and a Greek-American employee at the United States Embassy in Athens.
More recently, Chinese state-backed hackers Salt Typhoon targeted LI systems at US telecommunications providers. It doesn't appear that they have been as successful as the hackers in the Athens example, per this Washington Post article:
Hackers have acquired access to the system that logs US law enforcement requests for criminal wiretaps, allowing the Chinese to know who is of interest to authorities. There is no evidence so far that hackers have compromised the collection system itself through which law enforcement listens in on wiretapped calls, said U.S. officials, speaking on the condition of anonymity because of the matter's sensitivity.
Regardless of Salt Typhoon's success or lack thereof, the point here is that LI systems are a great place for foreign intelligence services to be. Even simply knowing who is being targeted is valuable. For the Chinese government, for example, knowing which of their potential spies is being surveilled would be tremendously useful.
Telecommunications equipment from any vendor is potentially hackable. But equipment from Chinese vendors is also subject to an entirely different type of risk, the risk that the Chinese government itself could compel a vendor to assist in its intelligence efforts. Article 7 of China's National Intelligence Law states that "All organizations and citizens shall support, assist, and cooperate with national intelligence efforts in accordance with law, and shall protect national intelligence work secrets they are aware of."
That law is part of the reason that the EU member states have restricted what the European Commission has called "high-risk suppliers", such as Huawei and ZTE, from their 5G networks. The justification for this restraint is that 5G infrastructure is critical and underpins other sectors such as energy, transport and finance. This importance means that countries shouldn't take unnecessary risks.
Huawei's involvement in Spain's LI system long predates growing concerns about the Chinese government's coercive powers and its intelligence law, which was passed in 2017. We get it, it can be tough to finally walk away from a decades-old relationship, even if the red flags and toxic traits are glaringly obvious to anyone on the outside. But it is past time to decide who gets the dog.
Arrests a Pause for Scattered Spider
Recent arrests of people linked to the Scattered Spider group are good news… with a caveat. While we expect some respite from the group's havoc, it will only be short term.
Late last week the UK's National Crime Agency announced the arrests of four individuals over attacks on UK retailers Marks and Spencer, Co-op and Harrods. These incidents have been linked to Scattered Spider, a community of teenagers and young adults believed to be responsible for a string of high-profile, high-impact hacks.
Coincidentally, the arrests occurred the same day we wrote that just four key individuals were driving the activities of the group.
We think it very unlikely that all four of these key players live in the UK, but Krebs on Security has learned the identity of two of the suspects and both have been involved in multiple high-impact hacks.
19-year-old Thalha Jubair is a founding member of a SIM swap Telegram channel called Star Fraud Chat. He’s also the founder of a criminal service that sold fraudulent Emergency Data Requests (EDRs).
EDRs are used by police to get specific subscriber information from service providers without needing a warrant or subpoena, due to an imminent risk of harm or death. The criminal service that Jubair allegedly created used compromised email accounts from police or government agencies to send bogus EDRs. The information obtained from fraudulent EDRs is typically used for stalking, doxxing and harassment or in social engineering efforts to obtain account access.
There is a theme here. Both the SIM swap and EDR services Jubair is linked to take advantage of weak points in identity verification. His involvement in the founding of these two services suggests Jubair had a flair for identifying those weak points within systems.
Sources told Krebs that Jubair was also a core member of Lapsus$, a predecessor group that Scattered Spider evolved from. He had also been the administrator of the toxic online doxxing community Doxbin.
It's the kind of criminal resumé that would see Jubair at least shortlisted for one of those key player roles.
The other suspect identified by Krebs, Owen David Flowers, is alleged to have been involved in the Scattered Spider ransomware incident that shut down MGM Casino properties in September 2023. Other online identities Flowers is alleged to have used are also associated with Lapsus$.
The online communities that foster this behaviour are pipelines that develop criminal talent from a young age. Flowers and Jubair developed their tradecraft over years. Krebs' investigations suggest the pair, both 19 now, have been involved in serious online crime at least since they were fifteen.
We are sure these online communities are currently upskilling young spiderlings, so while we're optimistic that last week's arrests will slow the group down, we're realistic that the respite won’t last.
After all, we've seen it before. In previous years, there have been quite a few arrests that have been associated with Lapsus$ and Scattered Spider. The hacks slow down in the short term, but they don't go away for good. Key talent is arrested or retires, and new talent appears.
The good news: companies now have a few months to improve their security!
Watch Amberleigh Jack and Tom Uren discuss this edition of the newsletter:
Three Reasons to Be Cheerful This Week:
- Volt Typhoon a bust: Chinese government efforts to hack US critical infrastructure for sabotage in the event of a military conflict have been a failure, according to FBI and NSA officials.
- Big Sleep to the rescue: Google announced that an AI agent it calls Big Sleep discovered an SQLite vulnerability after it was somehow tipped off by intel from Google Threat Intelligence. The post says "Through the combination of threat intelligence and Big Sleep, Google was able to actually predict that a vulnerability was imminently going to be used and we were able to cut it off beforehand". We'd love to know the details behind this.
- UK announces Vulnerability Research Initiative: The UK's National Cyber Security Centre has announced that it wants to "work with external experts to strengthen the UK's ability to carry out vulnerability research". It can't do it all in-house, so it is a good move.
Sponsor Section
In this Risky Bulletin sponsor interview, Zero Networks Field CTO, Chris Boehm, discusses the everyone-gets-an-AI future with Casey Ellis. Zero Networks makes network microsegmentation achievable without simply handing an AI control of the network. Will generative artificial intelligence ever be trusted to make hard access control decisions?
Shorts
FBI In Cyber Knife Fight
The Record has an interesting report on how the FBI engaged in what its assistant director for cyber, Brett Leatherman, called "true cyberwarfare".
Leatherman said that after the FBI tried to take down a botnet used by Chinese state-backed group Flax Typhoon, the Chinese cyber espionage company Integrity Technology Group hit back with a DDoS attack.
The two groups struggled for control until the FBI published a splash page announcing their presence, at which point the Flax Typhoon actors "burned down their own infrastructure", Leatherman said.
Offensive Cyber Operations Get Big $$$
President Trump's One Big Beautiful Bill allocates US$1 billion for offensive cyber operations. That's a lot of bytes. TechCrunch has further coverage.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq examine whether US cyber operations are too stealthy. Could they get more bang for the buck if they adopted a devil-may-care attitude to getting busted?
Or watch it on YouTube!
From Risky Bulletin:
Microsoft blocks filesystem redirection attacks in new security feature: Microsoft has added a new security feature to Windows 11 that will mitigate an entire class of filesystem redirection attacks.
The new RedirectionGuard feature is currently under testing in Windows 11 Insider builds.
It works by blocking a type of file redirection known as a junction, a kind of soft link. A junction links one folder to another, so when a user or process accesses the junction folder, the access is transparently redirected to the target directory somewhere else on the same system.
[more on Risky Bulletin]
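The defensive idea behind a feature like RedirectionGuard is simple: a privileged process that opens a path should not silently follow a link planted by someone else. The Python below is an added illustration of that idea in application code, not Microsoft's implementation and not code from the Risky Bulletin item. It checks every path component under a trusted root with `os.lstat`, treating POSIX symlinks and, on Windows, reparse points (which is how junctions are represented) as redirections to refuse, and then opens the file with `O_NOFOLLOW` where the platform provides it. The `demo()` helper builds a throwaway directory and a symlink (constructed test data; a junction would need `mklink /J` on Windows) so the check can be exercised offline.

```python
import os
import stat
import tempfile

# Windows attribute bit for reparse points (junctions, symlinks, mount points).
# stat exposes it on Windows only, so fall back to the documented constant.
FILE_ATTRIBUTE_REPARSE_POINT = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def component_is_redirection(path: str) -> bool:
    """True if this exact path entry (not its target) is a symlink or reparse point."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)  # present on Windows only
    return bool(attrs & FILE_ATTRIBUTE_REPARSE_POINT)


def redirecting_components(root: str, relpath: str) -> list[str]:
    """Return every existing component under root that would redirect the access."""
    found = []
    current = root
    for part in relpath.replace("\\", "/").split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            raise ValueError("parent traversal is not allowed under the trusted root")
        current = os.path.join(current, part)
        if os.path.lexists(current) and component_is_redirection(current):
            found.append(current)
    return found


def open_without_redirection(root: str, relpath: str, flags: int = os.O_RDONLY) -> int:
    """Open root/relpath, refusing if any component is a link or junction.

    The component walk is a check-then-open and so has a small race window;
    that is exactly the gap an OS-level guard closes. O_NOFOLLOW at least
    protects the final component on platforms that support it.
    """
    links = redirecting_components(root, relpath)
    if links:
        raise PermissionError(f"refusing to follow redirection at {links[0]}")
    flags |= getattr(os, "O_NOFOLLOW", 0)
    return os.open(os.path.join(root, relpath), flags)


def demo() -> dict:
    """Constructed scenario: a real data folder and an alias that redirects into it."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "data"))
        with open(os.path.join(root, "data", "config.txt"), "w") as fh:
            fh.write("ok")
        try:
            # Hypothetical planted link; on Windows this needs privilege (or mklink /J).
            os.symlink(os.path.join(root, "data"), os.path.join(root, "alias"))
        except OSError:
            return {"direct_opens": None, "via_link_rejected": None}

        fd = open_without_redirection(root, "data/config.txt")
        os.close(fd)
        results["direct_opens"] = True

        try:
            open_without_redirection(root, "alias/config.txt")
            results["via_link_rejected"] = False
        except PermissionError:
            results["via_link_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The same shape works for any service that writes into a location a less-privileged user can also write to: resolve nothing, refuse redirections, and prefer OS primitives (`O_NOFOLLOW`, `dir_fd`-relative opens) over string checks wherever they exist.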
Major EoT/HoT vulnerability can bring trains to sudden stops: More than 12 years after the issue was first reported, the Association of American Railroads is replacing an insecure railroad protocol that can be abused to engage brakes and bring trains to sudden stops anywhere across North America.
The issue impacts a radio protocol that links locomotives (Head-of-Train) to devices mounted on the last wagon, a flashing red light known in the industry as an End-of-Train device or a FRED (Flashing Red End Device).
Back in 2012, a hardware security researcher named Neil Smith discovered that the radio protocol used to send commands from locomotives to EoT devices used a weak form of authentication—a simple BCH checksum.
Smith says that an attacker with hardware as cheap as $500 and a software-defined radio (SDR) could create packets and issue commands to the EoT device to suddenly engage the brakes.
[more on Risky Bulletin]
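The reason a checksum is "weak authentication" is worth seeing rather than just reading: an error-detecting code such as a BCH or CRC is a public function of the message, so any party that knows the format can produce a value the receiver will accept, whereas a keyed MAC can only be produced by a holder of the key. The following Python is an added illustration of that contrast, not the EoT/HoT protocol and not Neil Smith's research; the frame layout is constructed, and CRC-16/CCITT-FALSE stands in for the BCH code because the page does not give the real code's parameters. The MAC side uses HMAC-SHA-256 from the standard library.

```python
import hashlib
import hmac

TAG_LEN = 8  # truncated MAC length for the constructed frame format


def crc16_ccitt_false(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF): detects noise, not adversaries."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


# --- Receiver that trusts a checksum -------------------------------------
def frame_with_checksum(payload: bytes) -> bytes:
    return payload + crc16_ccitt_false(payload).to_bytes(2, "big")


def checksum_receiver_accepts(frame: bytes) -> bool:
    payload, tag = frame[:-2], frame[-2:]
    return crc16_ccitt_false(payload).to_bytes(2, "big") == tag


# --- Receiver that requires a keyed MAC ------------------------------------
def frame_with_mac(payload: bytes, key: bytes) -> bytes:
    return payload + hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]


def mac_receiver_accepts(frame: bytes, key: bytes) -> bool:
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(expected, tag)


def unkeyed_party_frames(payload: bytes) -> tuple[bytes, bytes]:
    """Best effort of a party that knows the format but holds no key.

    Under the checksum scheme the public algorithm yields a valid tag;
    under the MAC scheme there is nothing to compute, so the tag is a guess.
    """
    return frame_with_checksum(payload), payload + bytes(TAG_LEN)


def acceptance_comparison() -> dict:
    """Constructed payload: device id, sequence number, command code."""
    key = b"constructed-demo-key-not-a-real-secret"
    payload = bytes([0x01, 0x00, 0x05])
    by_checksum, by_mac_guess = unkeyed_party_frames(payload)
    return {
        "checksum_accepts_unkeyed": checksum_receiver_accepts(by_checksum),
        "mac_accepts_unkeyed": mac_receiver_accepts(by_mac_guess, key),
        "mac_accepts_keyholder": mac_receiver_accepts(frame_with_mac(payload, key), key),
    }


if __name__ == "__main__":
    print(acceptance_comparison())
```

A MAC on its own still leaves replay: a recorded authentic frame verifies again later. In practice the sequence number in the payload has to be checked as strictly increasing by the receiver, and the key has to be per-device rather than a fleet-wide default, or the protocol is back to the situation this item describes.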
Two billion eSIMs receive a crucial security patch: Security updates are being shipped out to mobile operators across the world to fix vulnerabilities in more than two billion eSIMs.
The vulnerabilities impact Kigen's eUICC (embedded Universal Integrated Circuit Card), a software package provided to mobile network operators to support eSIM technology.
eSIMs allow mobile operators to ship a software-based SIM to a device. The technology is mainly used for issuing temporary SIMs to travelers and to add mobile connectivity to IoT devices that can't fit a SIM card slot.
The team at AG Security Research, publicly known as Security Explorations, has discovered that some mobile operators ship a "test profile" for Kigen's eUICC software that uses a default secret key to safeguard eSIM data.
[more on Risky Bulletin]