Covert Comms (Issue № 5)
Swiss hackers and US security cameras | Chinese companies pose a threat to the US | China brings surveillance tools to Hong Kong | UK secretly tests web-snooping tool
Welcome to our periodical brief Covert Comms, where you receive current events, espionage, digital security, and privacy-related insights from us directly to your inbox.
Behind the cloak & dagger: covert communications have long been used for two parties, normally handler and spy, to communicate secretly (and oftentimes remotely) without the knowledge of the Opposition, aka bad guys. Covert communications are a classic tool of spycraft and have been used since literally the beginning of time (espionage is the world’s second-oldest profession so we’ve got some history behind us), the ancient form being steganography, or concealing a message within another message or object.
Leave your secrets (aka your email) with us and you’ll receive the latest insights, commentary, and news directly to your inbox. We strive for timeliness, relevance, conciseness, and of course — a dash of intrigue and occasional wit.
Editor’s Note: We’ve been away for a short while, hope you missed us! We can’t promise you our writing has improved since our last missive, but one can hope. This week is chock-full with info, so read away and let us know your thoughts by leaving a comment below! Thanks for reading!
Swiss authorities on Monday confirmed a police raid at the home of a Swiss software engineer who took credit for helping to break into a U.S. security-camera company’s online networks, part of what the activist hacker cited as an effort to raise awareness about the dangers of mass surveillance. The Federal Office of Justice said regional police in central Lucerne, acting on a legal assistance request from U.S. authorities, on Friday carried out a house search involving hacker Tillie Kottmann. The hacker said online that electronic devices were seized during the raid. The Swiss office declined to specify the location or comment further, deferring all questions to “the relevant U.S. authority.” The FBI said in a statement Friday it was “aware of the law enforcement activity conducted in Switzerland” but had no further comment. Kottmann had identified as a member of a group of “hacktivists” who say they were able to view live camera feeds and peer into hospitals, schools, factories, jails and corporate offices for much of Monday and Tuesday last week after gaining access to the systems of California startup Verkada. They said the action was aimed at raising awareness about mass surveillance.1
The FBI, in conjunction with local Swiss authorities, certainly moved quickly in the raid on the home of a Swiss software engineer whom they pegged as having hacked into U.S. security-camera startup Verkada and viewed live security camera footage. While we certainly support the alleged motive behind the hacker’s actions—to raise awareness about the dangers of mass surveillance—we cannot condone illegal cyber activity such as gaining unauthorized access to a private network. Legality aside, the question raised by Kottmann and the hacktivist group of which he is a part is an absolutely critical one, especially as this hack shows how a precisely targeted intrusion can yield an enormous payoff (access to the live security camera feeds of Verkada clients, including hospitals, schools, factories, jails, and corporate offices, among others). While Kottmann was caught in this act, many more sophisticated state actors, such as China, are not.
The Federal Communications Commission (FCC) on Friday [12 Mar] designated five Chinese companies as posing a threat to national security under a 2019 law aimed at protecting U.S. communications networks. The FCC said the companies included Huawei Technologies Co, ZTE Corp, Hytera Communications Corp, Hangzhou Hikvision Digital Technology Co, and Zhejiang Dahua Technology Co. A 2019 law requires the FCC to identify companies producing telecommunications equipment and services “that have been found to pose an unacceptable risk to U.S. national security.” Acting FCC Chairwoman Jessica Rosenworcel said in a statement: “This list provides meaningful guidance that will ensure that as next-generation networks are built across the country, they do not repeat the mistakes of the past or use equipment or services that will pose a threat to U.S. national security or the security and safety of Americans.” The 2019 law used criteria from a defense authorization bill that previously identified the five Chinese companies. In August 2020, the U.S. government issued regulations barring agencies from buying goods or services from any of the five Chinese companies.2
No Covert Comms edition would be complete without the requisite warning of insidious Chinese efforts to infiltrate and undermine U.S. national security using its widespread technological and espionage reach. While this may appear at face value to be a wanton and unfair designation barring Chinese companies from doing business in the U.S., we wholly support this FCC ban given the aggression with which the Chinese government sponsors, infiltrates, and seeks to proliferate its espionage efforts throughout the West, primarily aimed at the U.S. and its national security. We’ve extensively covered Chinese cyber espionage in the past, and cannot over-emphasize how critical supply chain management is to the protection of U.S. critical infrastructure in next-generation networks. Unlike the U.S., other countries have not proven as strong on this issue, particularly the more economically vulnerable developing nations (e.g. in Africa), who rely on cheap Chinese products to build out infrastructure and telecommunications networks—which comes at an insidious and hidden cost to those nations given the unchecked access it provides the Chinese surveillance machine.
When Hong Kong's national security law went into effect last June, many residents scrubbed their social media accounts of controversial content and switched communications to more private, encrypted alternatives. Use of virtual private networks (VPNs) increased, too, as did self-censorship -- a byproduct of concern about the vague, broad powers entrusted to the authorities under the Beijing-imposed law. For about half a year, this was largely the extent of the security law's internet impact. By some measures, Hong Kong's internet remained as free as it had been prior to the security law's passage. But recent events have made plain the Chinese government's intention to transform Hong Kong's digital spaces just as it has the city's offline environment and, last week, its electoral system. In January, Hong Kong authorities used the security law as grounds for blocking a website for the first time, compelling mobile providers to disrupt access to HKChronicles, which compiled information on anti-government protests and personal data on police and their supporters. Two weeks later, the government unveiled a plan to require buyers of mobile phone SIM cards to show personal identification. Readily available prepaid SIM cards have, until now, provided a key way for activists to protect their identities during protests, granting Hong Kongers an anonymous way to communicate and organize.3
What does the gradual removal of civil liberties, traded for ever more repressive means of control on behalf of an authoritarian government, look like? We need look no further than the ongoing transformation of Hong Kong under Chinese-imposed law, where residents are seeing the beginnings of control (under the guise of security, with opposition figures labeled “subversive”) spreading across the digital domain of cyberspace. Specifically, Hong Kong-based websites and mobile providers are being forced to act against what could reasonably be considered free speech: websites that compiled data on anti-government protests and personal data on supporters of Hong Kong’s security forces and police—who have received strong criticism for their crackdown against pro-democracy figures who oppose Beijing. These actions form part of a larger Chinese-backed effort to clamp down on any dissent in Hong Kong, a semi-autonomous Chinese territory. While Chinese-backed lawmakers attempt to curb digital security and privacy (e.g. by mandating identification when purchasing a mobile phone SIM card), Hong Kongers and pro-democracy supporters are still seeking ways to protect their identities during protests and to communicate and organize safely.
For the last two years police and internet companies across the UK have been quietly building and testing surveillance technology that could log and store the web browsing of every single person in the country. The tests, which are being run by two unnamed internet service providers, the Home Office, and the National Crime Agency, are being conducted under controversial surveillance laws introduced at the end of 2016. If successful, data collection systems could be rolled out nationally, creating one of the most powerful and controversial surveillance tools used by any democratic nation. Despite the National Crime Agency saying “significant work” has been put into the trial it remains clouded in secrecy. Elements of the legislation are also being challenged in court. There has been no public announcement of the trial, with industry insiders saying they are unable to talk about the technology due to security concerns. The trial is being conducted under the Investigatory Powers Act 2016, dubbed the Snooper’s Charter, and involves the creation of Internet Connection Records, or ICRs. These are records of what you do online and have a broad definition. In short, they contain the metadata about your online life: the who, what, where, why and when of your digital life. The surveillance law can require web and phone companies to store browsing histories for 12 months – although for this to happen they must be served with an order, approved by a senior judge, telling them to keep the data. The first of these orders was made in July 2019 and kickstarted ICRs being trialled in the real world, according to a recent report from the Investigatory Powers Commissioner. A second order, made to another internet provider as part of the same trial, followed in October 2019. A spokesperson for the Investigatory Powers Commissioner’s Office says the trial is ongoing and that it is conducting regular reviews to “ensure that the data types collected remain necessary and proportionate”. They add that once the trial has been fully assessed a decision will be made on whether the system will be expanded nationally.4
We do not condone nor do we support this trial, which would significantly advance a governmental body’s ability to conduct bulk data collection on its citizens using internet metadata—complete with web and possibly mobile phone histories, IP addresses, when internet use starts and stops, domains visited, and other potentially revealing data. As we have previously discussed, similar forms of this mass data collection exist in the form of corporate surveillance, whose desired endstate is selling targeted individuals some form of targeted advertisement; here, however, the desired endstate would ostensibly be to inform matters of national security—a slippery slope for a democratic nation to engage in. It must be stated that while internet metadata may not reveal specific “content” (e.g. the specific articles viewed online), metadata writ large is still hugely revealing. A prime example can be found in modern counter-terrorism strategy: due to the prevalence and advancement of technology, it is not always possible for counter-terrorism forces to obtain the communications content (e.g. actual voice or text messages) of terrorist targets. What’s done instead? Individuals are identified, tracked, targeted, and (oftentimes) killed based on their metadata alone. The illustrative point we must make is that just because a government possesses the ability to conduct mass data collection, even for an ostensibly good reason, does not mean it should. Bulk data collection and the formation of the so-called Internet Connection Records establish a dangerous precedent for the use of government surveillance systems in the context of online privacy, individual civil liberties, and how the cyber domain evolves over time with regards to personal use.
In December, the Pentagon and the US intelligence community came to an alarming conclusion. Hackers had breached their security, potentially stealing unknown amounts of classified information and jeopardizing national security. First revealed by FireEye, a private cybersecurity firm, the massive hack was thought to be the work of the Russians. Although it appears that Moscow had a leading role in the cyber intrusion, it now appears that the Chinese were also able to access sensitive information. The hack targeted the Department of Defense, several intelligence agencies, and nuclear laboratories. The damage caused by the cyber intrusion is still undetermined. But the cyberattacks targeted not only government agencies and departments but also several Fortune 500 companies. Now it appears that the Chinese got access to the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture, stealing the personal information of thousands, if not millions, of government employees. Put together with the hacking of the Office of Personnel Management (OPM) sometime around 2012, the Chinese have succeeded in stealing the personal information of the majority of US government employees. In addition, they have the personal, financial, and even DNA information of a great chunk of the U.S. population.5
While this piece does not introduce any new information that Privacy Matters has not already covered elsewhere, we do wish to share it in the form of a shameless plug, given Privacy Matters and its experts were cited in this Sandboxx News article! We will also never pass up an opportunity to highlight the dangers associated with the Chinese (or Russian) government’s malicious intent and impact on U.S. national security. Thanks to Sandboxx for their work.
Russian National Pleads Guilty to Conspiracy to Introduce Malware into a U.S. Company’s Computer Network
A Russian national pleaded guilty in federal court today for conspiring to travel to the United States to recruit an employee of a Nevada company into a scheme to introduce malicious software into the company’s computer network. According to court documents and admissions made in court, from July 15, 2020, to Aug. 22, 2020, Egor Igorevich Kriuchkov, 27, conspired with others to recruit an employee of a large U.S. company to transmit malware provided by the conspirators into the company’s computer network. Once the malware was installed, Kriuchkov and his co-conspirators would use it to exfiltrate data from the company’s computer network and then extort the company by threatening to disclose the data.6
Speaking of malign Russian influence, particularly in cyberspace, this Department of Justice press release sheds light on the often murky espionage wars raging just out of the public’s view. We are fortunate to have access to such information, which reveals to us the tradecraft and methods that Russian criminals—with the tacit approval or complicit backing of Russian intelligence and security services—employ to conduct acts of cyber aggression against the U.S., by way of targeting large U.S. companies at home. In this instance, a Russian individual, probably backed by state intelligence services, attempted to recruit an American employee of an American business to introduce malware into the company’s network, which would have exfiltrated trade secrets and other sensitive company data from friendly control. Thankfully, the individual spotted by the Russians did not fall for the recruitment pitch, and notified his superiors, who contacted the FBI. While this is certainly a win, it unfortunately probably represents the minority of cases; most likely go unreported or remain unknown to victim companies, individuals, and the appropriate authorities.
European spies are alarmed after a scientist with top security clearance was caught working for China, sources say
Intelligence officials around Europe were alarmed by the news that a prominent scientist was convicted in the Baltic states for spying for China. Sources who spoke with Insider said the case is part of a long, worrying trend of China attempting to infiltrate institutions across the continent, in some cases supplanting Russia as their most obvious adversary. The prompt was the sentencing by Estonia of Tarmo Kõuts, 57, to three years in prison. Kõuts had close ties to the Estonian military and worked on multiple sensitive projects, per reports. Prosecutors said Kõuts began spying for China in 2018, and was arrested in secret last September. He had received about $20,000 and several luxury trips, according to accounts provided to the media by Danish government officials. They described a counterintelligence environment where China often posed the largest espionage threat to European institutions. The Baltic official said: "Russian intelligence activity obviously takes the highest priority in our neighborhood but the amount of resources required to monitor China increases for us each year. Our natural experience is more with the Russians but we have been warning about China for well over a year."7
One simply cannot catch a break from the unrelenting threat of Chinese espionage, here observed in Estonia, where a marine scientist with a top security clearance was arrested for spying on China’s behalf. According to intelligence experts, the Chinese espionage playbook relies heavily on academic settings. China heavily emphasizes intelligence collection against intellectual property, scientific research, and industrial techniques, and so heavily exploits the academic world, which typically does not expect to be recruited by trained intelligence officers under the guise of an academic conference, lavish vacations, or opportunities to “present their research” in China. Regrettably, this method is highly effective and very difficult to counteract given the open nature of academia. Chinese intelligence officers also rely heavily on other forms of cover, such as China’s mission to the European Union in Brussels, Belgium, to station intelligence officers with the placement and access needed to effectively spot, assess, and recruit potential espionage targets.