Newsletter

01.18.2022 | 9 min read

Who are legit targets for NSO Pegasus surveillance malware?

by Ryan Naraine

* The most clicked link from the last newsletter was the Apache Software Foundation’s position paper decrying for-profit companies that leech on open-source software.

Notes.
  • A personal welcome to all the new folks who joined the list since the start of the year. It’s incredible to watch the organic growth of this newsletter (I deliberately avoid marketing and promotion) into a fun community of builders and defenders. My main ask: send feedback here or on Twitter (DMs open).
  • Coveware CEO Bill Siegel will headline my fireside chat at SecurityWeek’s Ransomware Resilience & Recovery Summit on Jan 26th. I’m looking forward to kicking it with Bill on the murky world of ransomware negotiations, making bitcoin ransom payments, and war stories from high-profile incidents.

Monday blues.

I’m yielding some space for a very important op-ed by my friend and mentor Costin Raiu, a big-game APT researcher with few equals.

_ryan

To be, or not to be: legitimate targets for NSO Pegasus and other legal surveillance malware?

Guest editorial by Costin Raiu

One of the long-running claims by NSO Group is that its Pegasus surveillance tool is only used to target criminals and terrorists. How come we see it in other places?

NSO is an expensive suite; in the range of millions if not tens of millions USD. Law enforcement rarely affords such budgets. A friend of mine who worked in law enforcement said a few years ago his cyber budget to catch criminals was a hefty US$3000. Yes, three thousand dollars!

Now, imagine you have purchased an expensive spyware suite worth several millions USD that effectively gives you the option to hack any smartphone anywhere with a click of a button. How would you use it? Given the number of “bullets” is limited, one must choose targets very carefully. Let’s look closely at the categories that you might want to target with, say, an iOS 0-click spyware:

Criminals – these are legit targets and constantly highlighted as the reason why governments purchase software such as Pegasus. We should however keep in mind they must be really big criminals to justify the multimillion-dollar investments. Here’s the rub, though: really big criminals don’t use iPhones. As we see from other stories, such as the fake secure phone network that the FBI ran, major criminals stay away from regular devices and instead use various “Secure” phones. So, it’s not very well justified for this purpose.

Terrorists – basically, on the most entry-level jihadist forums, in the tech section, “opsec for dummies”, the recommendations are to stay away from iPhones. These fellas standardize on the use of dumb phones, as opposed to smartphones. They use old devices without GPS or the capability to run user apps. So, again, 0-click iOS exploits + malware – it’s not very well justified for this category. While we’re on the subject, how many terrorists were caught lately, say in Europe or the U.S.?

Drug dealers – here, the budget may very well be justified. Actually, there are stories where drug dealers were successfully targeted and caught by such technologies. However, as discussed above, big-fish criminals will likely use custom devices or dumb phones.

Cybersecurity personnel/researchers – these are top threats for governments engaging in shady operations, so it is a perfect targeting case! The budget is not an issue, because it is usually black budget, with no auditing. We are actually aware of security researchers who have been targeted by Pegasus.

Extremists – this can be a very good justification and the budgeting surely fits the purpose. The only issue is that extremism can be relative to the government or governing processes in a certain country. In oppressive regimes, activists can be extremists. These are easy to justify and easy to target because they rarely care about operational security.

Journalists, media, reporters – does not fit the initial goal, but again, plenty of evidence this is happening. The reason is simple – governments are worried about the stories they can write, their sources, and potentially bad PR. Budget can be justified quite easily by designating these as extremists, foreign agents, enemies of the state.

To summarize – the categories for which the usage of highly expensive cyber warfare products is justified with an ROI are drug dealers (sometimes), security researchers, extremist activists, journalists, mass media and reporters.

Is this worrying? Probably. So, what would an ideal, corruption-free, legitimate cyber offensive business look like? It must be unprofitable, independent and externally audited.

When you see that an offensive cybersecurity company is owned by an investment fund or venture capital outfit, this means their top goal is to make as much money as possible. Profit: sell to anyone, then try to find arguments or loopholes to justify the sales.

Are these tools a threat to democracy or our civilization as a whole? Democracy – yes, civilization probably not. One thing, though – are these mercenary tools solving the problem (be it criminals, terrorism or extremism)?

We all know the answer is a definitive no.

(Ed’s note: Listen to the related podcast. Also read this breaking news piece on Pegasus usage on targets within Israel.)

On to the newsletter…

The familiar smell of cyberwar.

Amidst escalating Russia/Ukraine geopolitical tensions, the familiar smell of cyberwar is starting to emerge with reports of website defacements and wiper malware attacks. There’s limited visibility but let’s catch up:

  • Microsoft issues a warning for WhisperGate, a destructive data-wiping malware hitting multiple government, non-profit, and information technology organizations, all based in Ukraine.
  • One of the wiper targets, a company called Kitsoft, says the attacks are “aimed at sowing panic and fear.”
  • The WhisperGate malware not only overwrites the MBR and creates a ransom note but also overwrites files with no way to recover them, so it’s clear that the purpose is data destruction, not financial gain.
  • As is customary, Florian Roth is out front sharing YARA rules for WhisperGate and related files.
  • Kim Zetter has comprehensive coverage of what we know and don’t know about the cyberattacks in Ukraine.

Diplomacy and the future of ransomware.

The decision by Russia’s FSB to raid affiliates of the REvil ransomware operation should not have been a surprise. In my 2022 predictions piece, I suggested that politicians making deals could help slow the ransomware crisis, but I didn’t expect to see it happen so soon and with so many obvious signals.

Must-read research.

Essays.

Open-source security at the White House.
The White House convened an open-source security summit last week (full readout available here) and big tech had a lot to say on the way forward. A sample of the public posturing:

  • Google is calling for a public-private partnership to identify a list of critical open-source projects to help prioritize and allocate resources for the most essential security assessments and improvements.
  • GitHub CISO Mike Hanley: “As an industry, we must also come together and support the developers who design, build, and maintain the open source projects we depend on.”
  • As I previously covered, the ASF published a position paper arguing that upstream producers were not exclusively responsible for bolstering the software ecosystem.
  • Red Hat statement: “The core tenets of the Cyber EO remain fundamental to improving the security posture of all software—both proprietary and open source, including assuring that vendors of all stripes maintain greater visibility into their software, take responsibility for its life cycle, and make security data publicly available.”

Newsy leftovers.

Tangentially.

P.S. Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.
