Welcome to The Cybersecurity 202! Because we don’t say it often enough, please send tips to [email protected]
Below: A major cryptocurrency firm is funding a lawsuit over U.S. sanctions on a crypto anonymization service allegedly used by North Korean hackers, and Portugal responds to the apparent theft of classified NATO documents. First:
“No, duh.” China keeps alleging the U.S. is hacking it, confusing cyber analysts
This week China accused the National Security Agency of hacking into the computers of a Beijing-funded university the United States says conducts research for the military.
The gripes, though, have baffled cybersecurity experts of many stripes.
- They’re uncertain what China is hoping to accomplish, all the more so because they scoff at what they describe as the shoddy and often dated nature of the Chinese findings.
- Additionally, alleged targets like this week’s Northwestern Polytechnical University are what most nations would consider “fair game” for government-to-government espionage, prompting reactions of, essentially, “No duh.”
In some cases, China has drawn on publicly available media reports for their “revelations.” State media has bolstered the government message and echoed its oddly non-revelatory nature. One outlet this week, for instance, reported that it had “learned from a source” that the NSA’s Rob Joyce had once led the agency’s hacking division, Tailored Access Operations (TAO) — a fact commonly mentioned in his online biographies.
The Chinese claims were “highly amusing,” tweeted European security researcher Lukasz Olejnik:
Chinese accusation of US/NSA cyberattacks on China’s aviation university. Unusually, a strong protest issued by China’s Foreign Ministry. Chinese media write about NSA extensively, and doxx/point at Rob Joyce, specifically. Highly amusing! https://t.co/PG1XzZoIcW pic.twitter.com/wRMEAokhVj
— Lukasz Olejnik (@lukOlejnik) September 5, 2022
The confusing nature of some elements of the accusations from China’s National Computer Virus Emergency Response Center (CVERC) also makes it difficult to verify them, which sometimes only identify older hacking tools and therefore raise questions about how effective China’s cybersecurity apparatus is.
“Additional technical reporting from CVERC [is] needed to enable independent validation of analytic findings by industry peers,” Silas Cutler, senior director for cyberthreat research and analysis at the Institute for Security and Technology, told me via email.
SentinelOne’s Juan Andres Guerrero-Saade further broke down the technical side of things in a Twitter thread:
I’ve been rather glib in addressing this CN report on ‘TAO’ malware at Northwestern Polytechnical University in China. So what do we really learn from this?
— J. A. Guerrero-Saade (@juanandres_gs) September 5, 2022
There are a few possible explanations for why Chinese entities — sometimes the government, sometimes companies, sometimes both — are doing this of late, Adam Meyers, senior vice president of threat intelligence at cybersecurity company CrowdStrike told me:
- Chinese cybersecurity firms might be trying to bring attention to their threat intelligence products.
- Or: “They’re working in concern with the Chinese government in order to demonstrate that this works both ways, that China can claim the U.S. is attacking them and they can use that to push back on any claims of U.S. businesses and entities saying the Chinese are stealing their intellectual property.”
- Or: They’re trying to send a message to the U.S. government, which has repeatedly accused China of cyber malfeasance. “We’re going to start putting pressure on you because you’ve been putting pressure on us,” Meyers said.
It’s possible that all three theories are simultaneously true, Meyers said.
Another possible explanation is that China wants to diminish the United States in the eyes of regional players like South Korea, Japan and Taiwan, Josh Lospinoso, who once worked for the NSA’s TAO and now is CEO of cybersecurity firm Shift5, told me.
While the reports from China of late are more formal, government officials there have often verbally responded to past allegations of Chinese hacking by pointing to U.S. cyberspace operations, Lospinoso pointed out.
If there’s one consensus, it’s that China is making its recent spree of allegations to influence opinions.
“I would offer that Beijing seems to be making a recent habit of repackaging old news — suggesting its utility is primarily propaganda,” Gavin Wilde, a senior fellow at the Carnegie Endowment for International Peace, told me via email.
“China’s counternarrative to its pervasive cyber activity is not only useful on the domestic front, but coincides with increasing cohesion among Western governments and tech companies in cyberdefense and attribution amid Moscow’s war on Ukraine,” he said. “Even so, having to go to such lengths to explain the logic behind Chinese propaganda is indicative of how slipshod it often is.”
Coinbase finances lawsuit over Tornado Cash sanctions
The firm is sponsoring a lawsuit by six plaintiffs against the Treasury Department in federal court in Texas. The plaintiffs say the U.S. government’s blacklisting of Tornado Cash — a cryptocurrency mixer that authorities said facilitated money laundering by North Korean hackers — hurt them financially and that they all used the service for legitimate purposes, Tory Newmyer reports. Two of the plaintiffs are employees at Coinbase, which is the largest cryptocurrency exchange based in the United States.
“The suit argues that Treasury overstepped its legal authority by sanctioning software, rather than a person or an entity,” Tory writes. “And it claims the department infringed on the plaintiffs’ First Amendment rights by barring them from using a tool that enabled them to exercise their free speech.”
Investigators recover $30 million in cryptocurrency stolen by North Korea
The recovered funds appear to be a fraction of the cryptocurrency that the Lazarus Group stole from the Axie Infinity video game in March, but it still represents a success by authorities in clawing back stolen money from the notorious North Korean hackers, the Wall Street Journal’s Dustin Volz and Caitlin Ostroff report. Cryptocurrency intelligence firm Chainalysis, which worked with Axie Infinity publisher Sky Mavis, said it had discovered where the hackers tried to convert the stolen funds into cash and that cryptocurrency and law enforcement partners were able to freeze the money.
“It’s a big deal to have any amount of money clawed back from the Lazarus Group,” Chainalysis senior director of investigations Erin Plante told the Journal. “That didn’t used to happen.”
Portuguese authorities investigate sale of secret NATO documents on dark web
U.S. officials alerted their Portuguese colleagues about hundreds of documents marked “secret” and “classified” for sale on the dark web, Diário de Notícias’s Valentina Marcelino reports. The documents NATO apparently sent to Portugal, a member of the alliance.
Portuguese officials investigating the breach eventually found the computers from which the documents were stolen, Marcelino reports.
The offices of Portugal’s prime minister and military told Diário de Notícias that authorities investigate all apparent breaches. A spokesperson for the U.S. Embassy in Lisbon told the outlet that they don’t comment on intelligence issues.
- Top officials from across the federal government speak at the Billington CyberSecurity Summit today.
- Christel Schaldemose, a member of the European Parliament who is rapporteur for the Digital Services Act, discusses the DSA at an event hosted by the German Marshall Fund and Columbia’s School of International and Public Affairs on Monday at noon.
- Twitter whistleblower Peiter “Mudge” Zatko testifies before the Senate Judiciary Committee on Tuesday at 10 a.m.
- Current and former executives at social media companies testify before the Senate Homeland Security Committee on Wednesday at 10 a.m.
- A Senate Judiciary Committee panel holds a hearing on protecting Americans’ personal information from hostile foreign actors on Wednesday at 3:30 p.m.
Thanks for reading. See you next week.