Security Brief: CICYBER Week of July 19, 2021
French President Emmanuel Macron, another victim of Pegasus spyware
Date: July 20, 2021
Parties involved: French President Emmanuel Macron; Israeli company NSO; Moroccan government
The event: French President Emmanuel Macron was targeted for surveillance with Pegasus spyware, made by the Israeli company NSO, on behalf of Morocco, which has denied any form of involvement. Before this, former French Prime Minister Edouard Philippe and 14 other ministers were targeted in 2019. The targeting came to light when an investigation published on Sunday, July 18, found that NSO's Pegasus spyware had been used to successfully hack into the smartphones of journalists, government officials, and human rights activists. NSO denied the investigation's findings, stating that its spyware is used only in cases of terrorism and crime.
The robust bilateral relationship between France and Israel will possibly come under some tension, with the scandal fostering distrust within France's national security establishment. France will likely grow more conservative in sharing information with Israel, as their relationship involves cultural, scientific, and technological cooperation. Israel will very likely see reduced information sharing from France, out of fear that NSO would use the shared information to conduct or motivate another spyware attack.
Morocco and France's bilateral relationship is very likely to be strained by Morocco's probable involvement in the Pegasus spyware targeting. If this involvement proves accurate, it will likely develop into a scandal that promotes distrust between France and Morocco, possibly leading them to scale back their investment and trading relationships. Such a reduction would very likely affect Morocco's economy negatively, as France is its largest trading partner and leading investor. The scandal could also promote distrust towards Morocco in other countries, affecting its foreign trade relations and economy negatively. Morocco's request for NSO's services could reveal a possible plan to spy on other countries, such as Algeria, which has been at odds with Morocco over the sovereignty of Western Sahara.
Israel itself could also abuse NSO's Pegasus spyware to gather foreign intelligence through surveillance of countries such as Syria, Lebanon, and Turkey, which are Israel's known adversaries. It is also highly possible that the spyware could be used to gather intelligence within Palestine, further escalating tensions. If Israel managed to gather intelligence from Palestine through such a campaign, the conflict could shift in Israel's favor.
NSO's use of Pegasus software to monitor journalists and human rights activists, despite its stated purpose of gathering intelligence related to terrorism, calls into question the cybersecurity policies in place in the country. The ability of NSO, a private company, to use its spyware to target private citizens could at the same time encourage Israel to review its cybersecurity laws and industry standards to improve accountability, considering both the progressive growth of this sector and the repercussions of past incidents. Despite NSO's status as a privately owned company, the issue could spark a national security debate on privacy, and on whether Israel can prevent NSO from influencing the country politically and enabling violations of rights. CEO Shalev Hulio has defended the software, saying that such actions have saved many lives in the past, referring to NSO's collaboration in the capture of Mexican drug kingpin Joaquín "El Chapo" Guzmán. Cases such as this will almost certainly make it difficult to enforce stricter privacy standards on NSO's spyware, both inside and outside Israel. NSO's list of targets extending outside Israel very likely indicates a danger to national security if Israel does not improve its cybersecurity and industry standards for privately owned businesses.
Date: July 21, 2021
Location: Saudi Aramco’s refineries in Yanbu, Jazan, Jeddah, Ras Tanura, Riyadh, Dhahran (Saudi Arabia)
Parties involved: Saudi Aramco; ZeroX threat actor group
The event: Saudi Aramco has confirmed the leak of at least 1 terabyte of data held by third-party contractors, including information on the location of oil refineries, project blueprints, internal analysis reports and agreements, a list of Aramco's clients with their contracts, and sensitive information on 14,254 employees. The group, ZeroX, which posted a sample of the data online to lure prospective buyers, confirmed Saudi Aramco's assessment that this was not a ransomware incident, stating instead that it had gained access through zero-day exploitation. ZeroX claims the data was stolen in 2020 and is offering it for sale online for $5 million USD, although it has offered to delete it if Aramco pays the equivalent of $50 million USD in Monero cryptocurrency. Saudi Aramco has insisted the incident is still under investigation, without clarifying which contractor was affected, who was behind the attack, or how it took place. According to the company, the leak has had no impact on its operations, as it has a "robust cybersecurity posture". The energy industry is increasingly becoming a target of cyberattacks worldwide.
The development of the incident suggests that the breach was aimed less at disrupting the company's activity than at obtaining a financial reward, as evidenced by the combination of the online sale of the stolen information and the attempted extortion of Saudi Aramco. ZeroX's demand to be paid in Monero, a cryptocurrency known for its difficult traceability and its ability to hide the identity of the recipient, follows the pattern of double-extortion ransomware without any actual encryption of the data. Unlike its 2012 predecessor, this event will probably not cause significant damage to the oil producer or gravely impact global markets, as it has not greatly affected the company's daily operations. Saudi Aramco could take the incident as an opportunity to conduct a thorough top-to-bottom security review and redesign its security policies and procedures, as it is likely to be targeted again due to its relevance in the sector (the company is the world's largest oil producer).
While news outlets, as well as the company, have presented the issue as rooted in a leak at some point along the supply chain, other specialized magazines and websites attribute the exfiltration of the data to a threat actor group whose background is still unknown. ZeroX allegedly made use of a zero-day exploit (an exploit for a software or hardware vulnerability that is still unknown to the vendor and defenders, so that the attacker is the only party aware of its existence) to access the information, which could be considered a relatively sophisticated attack. Although the regional dynamics of the Middle East are expected to extend into the cyber realm in the form of cyberespionage or malicious activity, the circumstances of the attack are not reminiscent of the modus operandi of Iranian proxies, which more often rely on social engineering or denial-of-service attacks. Iranian actors are often considered to fall short of the capabilities shown by Chinese or Russian actors, but cooperation in cyber operations among these nation-states (and their surrogates) is expected to increase in the coming years.
The most immediate consequence of the data leak could be the impact on the reputation of Saudi Aramco, which has already sought to distance itself from the incident by pointing towards its contractors. Supply chains have become a profitable source of information in recent years due to their relative vulnerability, and are likely to remain so as both cyberattacks and data leaks increase in frequency. While the global energy industry has become the center of attention following the recent Colonial Pipeline attack, this may not have translated into greater spending to prevent new cyber threats. Supply chains tend to be neglected even though attacks against them affect the larger companies, which are ultimately responsible for protecting clients' data and intellectual property. Given the amount of information accessed by ZeroX, Saudi Aramco can expect distrust not only from its customers but from within (its employees), which would in turn influence traders. The leak would probably also give malicious actors a broad enough base from which to craft additional convincing social engineering attacks in the future.
Date: July 22, 2021
Location: Cape Town and Durban, South Africa
Parties involved: Cape Town; Durban; Cape Town Harbour Carriers Association; and Transnet
The event: A cyberattack disrupted container operations at the South African ports of Cape Town and Durban on Thursday, July 22. The Cape Town Harbour Carriers Association halted port operating systems until they were restored, and the official website of Transnet, the South African company that operates the country's major ports, including Cape Town and Durban, went down. Prior to the attack, Transnet had been prioritizing the export of reefer containers. It is unknown whether this attack is the cause of the increase in unrest and violence in parts of the country. The source of the disruption was isolated on Friday, July 23, and normal operations resumed.
The success of this attack will likely increase the number of large, damaging cyberattacks by foreign actors. It is unknown who is behind the attack, but the incident could be interpreted by other foreign actors as a sign of weak cybersecurity implementations and policies, which is often what malicious actors look for when preparing a cyberattack. It is very likely that, without a proper cybersecurity solution, the vulnerabilities of the Cape Town and Durban ports will be exploited again. This and future cyberattacks could be highly detrimental to South Africa, which is heavily dependent on foreign trade. Terrorists could hold one of these ports hostage through a cyberattack to gain leverage for a ransom, which, if paid, could prove profitable to other criminals and constitute an additional motivation. This will almost certainly create distrust among the foreign nations that export goods to South Africa, which will be wary of the possibility of terrorists hijacking their ships and may find continued trading relations too risky. The ensuing instability would very likely slow down the country's trade.
Transnet, among other companies, is likely to suffer a significant financial loss in the short term due to disrupted port and shipping activity. The halting of the country's exports of reefer containers could further push struggling citizens or other threat groups to carry out cyberattacks of different scales for monetary motives. RaaS, or ransomware-as-a-service, is a tool that such citizens could use to conduct similar attacks, especially those with no knowledge of hacking techniques. Their targets will likely not be limited to South Africa, as other countries with stable economies, such as the US, Singapore, or EU member states, could ultimately be affected.
The success of the attack on the Cape Town and Durban ports could possibly worsen the unrest already caused by the imprisonment of former President Jacob Zuma. Such an attack could very likely prove useful to opposing actors seeking to induce friction between the South African government and its citizens, as the interruption of the country's imports and exports could slow or stunt its economy. The opposition could leverage this situation against the current government to encourage a coup, similar to the storming of the United States Capitol building, where the motive was to overturn the defeat of former President Donald Trump. South Africa would likely have to increase its cybersecurity efforts to prevent such an interpretation from escalating as a result of this unrest.
Date: July 22, 2021
Location: New Jersey and New York, United States
Parties involved: Chinese agents; US government; Chinese government
The event: Nine people have been indicted on charges connected to Operation Fox Hunt, a campaign of stalking and harassing Chinese "fugitives" residing on US territory with the aim of repatriating the targets. The defendants are accused of acting as illegal agents of the Chinese government and engaging in covert surveillance of US residents, even though the victims are allegedly wanted in China for financial crimes. The operation was launched in 2014 to target wealthy "corrupt" citizens who had fled abroad with large amounts of money, and although the US has in the past cooperated in bringing alleged criminals to justice in certain cases, this type of covert activity by Chinese law enforcement has been identified as a violation of the rule of law and international norms.
This event could be understood as proof of intensified aggressive tactics from Chinese actors in line with their alleged "anti-corruption" campaigns. While US authorities have in the past tried to work with China to bring criminals to justice in some cases (once evidence has been submitted and a fair trial is assured), incidents of this kind are interpreted as a violation of both international and national law, under the FARA statute. The lack of extradition treaties, probably explained by China's persecution of political dissidents and by human rights concerns, together with the prominent place this "anti-corruption" policy holds under Xi Jinping's leadership, are likely to continue motivating Chinese citizens to flee to the US. This flow of migrants is unlikely to slow down despite increasing pressure and assertiveness from Chinese authorities, although other countries in the region, such as Cambodia, will probably give in faster to Chinese demands for repatriation.
The Biden Administration is likely to raise this subject in international forums, as new illegal agents are found in the US on tourist visas. Brazen attempts to pressure US residents and green-card holders to return to China, on the other hand, will probably strain any collaboration at the diplomatic level, which is considered the appropriate pathway. Chinese counterintelligence and active measures may increase as a result, reinforcing the impression among Chinese expatriates that none of them are beyond the reach of Chinese law enforcement. This will at the same time raise an alarm for the US intelligence community.
These campaigns, while constituting from Xi's perspective an attempt to "rectify" the Party, have even odds of working to his disadvantage by exposing the deficiencies of the system rather than restoring public faith. The methods of "Operation Fox Hunt", shown by the use of illegal agents, will almost certainly reflect negatively on faith in Xi's Party. The use of illegal agents to infiltrate other countries under orders from the campaign very likely reveals a disregard for the privacy laws enforced in foreign nations, which could lead to increased distrust of the Party in the future. Furthermore, the method of pressuring Chinese citizens in other countries through harassment to return to China could be interpreted as a violation of those countries' human rights laws. This pattern of disregard for privacy and human rights laws could well lead to tension between China and other countries hosting Chinese citizens.
France's Macron targeted in project Pegasus spyware case - Le Monde, Reuters, July 2021, https://www.reuters.com/world/europe/frances-macron-targeted-project-pegasus-spyware-case-le-monde-2021-07-20/
'Somebody has to do the dirty work': NSO founders defend the spyware they built, The Washington Post, July 2020, https://www.washingtonpost.com/world/2021/07/21/shalev-hulio-nso-surveillance/
Saudi Aramco Confirms Data Leak After Reported Cyber Ransom, Bloomberg, July 2021, https://www.bloomberg.com/news/articles/2021-07-21/saudi-aramco-confirms-data-leak-after-reported-cyber-extortion
Saudi Aramco data breach sees 1 TB stolen data for sale, Bleeping Computer, July 2021, https://www.bleepingcomputer.com/news/security/saudi-aramco-data-breach-sees-1-tb-stolen-data-for-sale/
Saudi Aramco confirms data leak after $50m cyber ransom demand, The Financial Times, July 2021, https://www.ft.com/content/272259b0-8e98-4b49-8047-f4b8a2d33e95
Cyber attack disrupts major South African port operations, Reuters, July 2021, https://www.reuters.com/world/africa/exclusive-south-africas-transnet-hit-by-cyber-attack-sources-2021-07-22/
S.Africa's Transnet says it has identified and isolated source of IT disruption, Reuters, July 2021, https://www.reuters.com/world/africa/safricas-transnet-says-has-identified-isolated-source-it-disruption-2021-07-23/
Chinese prosecutor, ex-NYPD cop charged with stalking, harassing U.S. residents on behalf of China, CNBC, July 2021, https://www.cnbc.com/2021/07/22/chinese-prosecutor-ex-nypd-cop-charged-with-stalking-us-residents.html