ISMG Editors: Chinese Hackers Raise Stakes in Cyberespionage
Also: AI Safety Bill Vetoed, Global Ransomware Response Guide Gets Some Revisions
Anna Delaney (annamadeline) • October 11, 2024
In the latest weekly update, ISMG editors discussed the implications of the U.S. investigation into Chinese hackers targeting telecom wiretap systems, the catastrophic risks of AI and the recent veto of an AI safety bill in the U.S., and the latest global ransomware response guidance.
The panelists - Anna Delaney, director of productions; Tony Morbin, executive news editor for the EU; Rashmi Ramesh, assistant editor for global news; and Mathew Schwartz, executive editor for DataBreachToday and Europe - discussed:
- How the U.S. government is investigating Chinese state-sponsored hackers for breaching major telecom providers' lawful wiretap systems in an espionage operation targeting U.S. surveillance efforts;
- How legislation like the recently vetoed AI safety bill in California fits into balancing the push for AI innovation with the need to manage "catastrophic" risks;
- How the new ransomware guidance from the International Counter Ransomware Initiative, which advocates for faster incident reporting, expert involvement and discouraging ransom payments, could reshape how organizations respond to ransomware attacks.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Sept. 27 edition on whether Microsoft can regain trust in its security and the Oct. 4 edition on Russian cybercrime syndicates under siege.
Anna Delaney: Hello and welcome to the ISMG Editors' Panel. I'm Anna Delaney. Today, we'll cover the U.S. investigation into Chinese hackers targeting telecom wiretap systems, the catastrophic risks of AI and the vetoed safety bill in the U.S., and new global ransomware response guidance. The brilliant minds joining me today are Mathew Schwartz, executive editor - DataBreachToday and Europe; Rashmi Ramesh, assistant editor - global news desk; and Tony Morbin, executive news editor for the EU. Great to see you all.
Tony Morbin: Good to be here.
Rashmi Ramesh: Good to be here.
Mathew Schwartz: Thanks, Anna.
Delaney: Mat, you start us off. This week, you reported that the U.S. government is investigating Chinese state-sponsored hackers for breaching major telecom providers' lawful wiretap systems in an espionage operation, not for the first time of course, targeting U.S. surveillance efforts. So, what key details should we be aware of?
Schwartz: There's some irony here, because, as you say, it looks like this espionage operation, which has been attributed not by the U.S. government but by researchers to China, looks like they've hacked into lawful wiretap equipment or intercepts. So, for ages in the U.S., telecommunications providers have had to comply with court-ordered wiretaps, known as lawful intercept, as opposed to illegal intercept. But, it's lawful because the court said you must do this. So, the scale at which this sort of thing can happen is a bit eye-watering. You have seen a lot of reports in the past talking about the almost industrialized nature of law enforcement taps, questions about whether this is violating people's privacy rights, not that you have those per se so much in the U.S. to the extent that you do in Europe, but there have been some big questions. It appears to be a bunch of Chinese spies who are asking, "Well, we'd like to know if some of this information as well. What's the easiest way to do it? Should we infect endpoints? No, why don't we just hack into the system they've built for police and other law enforcement agencies to use to keep tabs on people." So, the supposition with this particular espionage operation is that Chinese spies are interested in Chinese operations that the U.S. government might be attempting to probe. So, what does the government know about what China is trying to do? That's the guess. But, it looks like they've also vacuumed up a lot of more general information as well. It's not always clear what their goal will be, but here's what we know so far. Very recently, the Wall Street Journal had started reporting that there was a national security probe involving some very large service or broadband providers. 
In recent days, that reporting has been expanded to say that Verizon Communications, AT&T and Lumen Technologies are among, i.e., there might be more, the broadband providers breached in this apparent espionage operation that I've been discussing tied to China, specifically tied to a group that Microsoft has codenamed Salt Typhoon. Neither of those words means anything except that typhoon is what it uses to refer to Chinese or suspected Chinese groups. So, this one looks like it is a part of the Ministry of State Security, which is China's foreign intelligence agency. So, if all of this sounds familiar, China's been hacking the U.S. and its allies for a long time. This is the latest in a very long series of attempted or effective espionage operations. Things appear to have been getting worse. FBI Director Christopher Wray, earlier this year at a conference, said that the threat posed by the Chinese government is massive. He characterized China's hacking program as being larger than that of every other major nation combined. So, China's got an army of individuals, believed to number about 600,000 people, which includes not just employees but also private contractors. We've seen leaks earlier this year and before that even of Chinese groups that appear to be hired and run by the espionage agencies, but they're ostensibly private firms. So, huge industrialized hacking operations lately, including this intrusion into what looks like lawful intercept. So, what else does this portend? There's the lawful intercept side of things. We've also seen a lot of other Chinese hacking come to light this year. For example, in recent months, there was a big hack of Versa Networks' Versa Director software used by service providers to help provision their services. This was also tied to China.
So, they've had a long-standing focus on service providers, because if you can break into the likes of Verizon and AT&T, you can get a view of so much of the internet traffic in the United States. We've also been seeing successful attempts to hack into hardware by Volt Typhoon - another group codenamed by Microsoft. The group has been tied to the targeting of outdated routers often used in homes and small businesses, some of which have gotten to the point where they're no longer supported, and yet they're still great launching points for hackers who want to get a view of hackers who wanted to hit other parts of the United States. So, you had the FBI forcibly retiring some of those routers, working with service providers. One last thing to mention. Last month, Lumen Technologies' threat intelligence group was warning about a modified version of the Mirai malware, Internet of Things-infecting malware, that came out years ago. It looked like it had been modified by, again, Chinese intelligence to exploit a number of devices for years now, hitting a peak in July of last year of 60,000 infected devices, and it's less now, but these devices come and go. It still looks like the botnet that this espionage group is using is composed of tens of thousands of endpoints. So, massive hacking going on here as China attempts to run what appears to be a number of espionage operations.
Delaney: Have there been any signs of the stolen, wiretapped communications or other data being used for further espionage or intelligence gathering?
Schwartz: Too soon to say. They're running these operations for a reason, and the use of espionage is to give government planners and diplomats information about what their adversaries, or sometimes allies, are thinking and what they're planning to do. So, NO is the short answer. We don't know what exactly has been stolen. We don't know whose communications may have been intercepted. As I mentioned, the U.S. government hasn't attributed these attacks. And the government typically won't attribute the attacks unless there is a politically expedient reason to do so. So, there'll be some geopolitical point they're trying to make or pressurize on. Until that happens, we might not get many more details about what exactly went down here.
Delaney: And Mat, final question - given the scale of this breach, what are the immediate steps you think CISOs and their security teams, especially in telecoms as critical infrastructure, should be taking right now to assess their defenses and prevent this happening to them?
Schwartz: This needs to spark some conversations between service providers and the government about expectations for this lawful intercept type of stuff. Whether anything comes of this remains to be seen, because it seems like law enforcement's appetite for using court orders is voracious for getting these communications. Hence, if you're going to give law enforcement an easy way to access the communications of so many individuals inside the states, what mechanism do you have then to secure that for an intelligence agency looking like one of these law enforcement agencies and getting all-you-can-eat access to Americans' communications? There are some big unanswered questions here. Hopefully, we'll see Congress look into this and maybe take a stand and demand greater safeguards if those discussions ever come to light publicly though. I am not optimistic that we'll ever hear much detail.
Morbin: The other thing that makes me think of is that it kind of adds to the argument that if you have backdoors for law enforcement, they're not always going to stay with law enforcement. And I still can't get my head around the idea of 600,000 hackers for China. They'd find a way.
Schwartz: Absolutely. And this has huge relevance for the crypto debate. Governments keep getting told by computer scientists that you can either have strong, unbreakable encryption or everyone can listen to it, but you still have Western governments saying we want backdoors, and that's weak encryption. This is a case study of exactly what will happen with weak systems.
Delaney: Excellent analysis. Thank you so much. Speaking of evolving threats, Rashmi, one of the pressing discussions right now is around the catastrophic risks posed by AI. And I know there's lots of debate on what catastrophic actually means. Who gets to define these risks and how immediate or realistic they are? What are your thoughts? And I know it's complex, but a critical area. I'm keen to hear what you think.
Ramesh: Yes, you're right about that. We've been talking about catastrophic risks of AI for quite some time now. I don't know if you recall, but there was the OpenAI Superalignment team, which was tasked with mitigating AI's catastrophic risk. Stephen Hawking has warned about it. But, despite all of this noise and so many attempts, we have not seen much regulation that has become law around it, or even have companies or organizations take concrete steps to address it. I spoke to some experts to figure out why that may be the case. One of the interesting aspects of those conversations was that AI's catastrophic risk has brought themes, but it does not have a definition. Actually, that's not completely right. AI's catastrophic risks have too many definitions, and the explanation changes depending on who you ask, and why is that? One explanation is that the technology and its use cases are complex and its behavior is unpredictable. So, the base definition is that catastrophic risk is anything that causes a failure of the system. But, these risks depend on the type of system in question and who it affects. The impact of this failure of AI systems can range from endangering civilization and affecting humanity to more localized risks, such as the ones that impact enterprise customers. So, how do you comprehensively legislate or curb the risk of something whose definition itself is so shaky? It takes attacking the problem from dozens of directions, and that's possibly time-consuming and possibly why we don't have any concrete legislation yet. It's no excuse though, because there's an EU AI Act for inspiration. Its deployment may take a few years, but you need to start somewhere. This also sort of brings up a tangential discussion about how realistic these risks are and how likely they are to affect us in the immediate future. 
Surprisingly or not surprisingly, most of the AI and security experts I spoke to said that these extinction-level risks that are part of the catastrophic risk are farfetched and that we should be focusing on the risks that are already in motion, such as deepfakes and AI frauds and malware development; not to mention every old trick in the book now has an AI upgrade. And that's what we should be focusing on.
Delaney: Rashmi, how do you think legislation such as the AI safety bill that was recently vetoed in California fits into balancing this push for innovation with the need to manage these catastrophic risks?
Ramesh: They're useful. They set the rules on what the definitions of tech, safety and risks are and in what scenarios are they harmful. Who is liable? And what are the consequences for anybody who's prioritizing profit over safety? It gives you a sense of what is okay and what is not. And more importantly than anything else, it's not left up to the AI-developing companies to figure out what the rules are and which ones they can choose to follow and ignore.
Delaney: Excellent. Lots to think about there. Thank you, Rashmi. Shifting gears slightly. Tony, there's been new ransomware guidance released as part of the International Counter Ransomware Initiative pushing for faster reporting, expert involvement and discouraging ransom payments. How do you see this changing how organizations tackle ransomware?
Morbin: Ransomware groups stole their business model from kidnappers. So, in many ways, they should be treated the same, except, of course, they are more prevalent. They're online, and they're far more successful. Ransomware payments were exceeding a billion dollars in 2023 according to Chainalysis. Now, conventional wisdom says that ransomware should never be paid, as it not only funds the criminals, it fuels further crime and also identifies you as a payer. So, you're more likely to be attacked again. And then comes the issue of whether you get access to your data, because the attackers' decrypters often don't work assuming they provide them, plus whatever they say, the likelihood is that they'll not hold up, they will hold on to your data and then they'll resell it, whether you pay it or not - a typical criminal behavior. But what do you expect from criminals? The obvious conclusion is that we should ban paying ransoms and kill the business model. If no one pays, they'd stop. Now, while that works in theory, the collateral damage could be huge. And as with kidnappers, when it's your child that's held, or in ransomware cases, your patients or organizations that are at risk, paying appears to be the only way to save them; the pressure to pay can be immense. Everybody understands this. So, with the exception of banning payments to sanctioned entities, there's no real proposed ban on the payment of ransoms, and the guidance given which we're going to get into is not binding. Nonetheless, the advice is, don't be overhasty to pay. Consider your options and the likely outcomes. Now, as you mentioned, making these options clearer is the new voluntary ransomware guidance that was released during the International Counter Ransomware Initiative 2024 meeting at the White House this month. Now, the latest guidance, produced by the U.K. and Singapore governments and supported by 39 countries and global insurance bodies, aims to reduce disruption and cost to businesses, reduce the number of ransoms paid by ransomware victims, and reduce the size of the ransoms when the victims do choose to pay.
Delaney: But Tony, what are the initial recommendations to guide organizations in the event of an attack?
Morbin: Among the recommendations is the call for victims to report attacks to law enforcement, cyber insurance and other outside firms that can help. This involvement of more advisors in deciding whether to pay a ransom includes reviewing what the legal situation is in the country and whether sanctions apply. Now, catching and jailing those responsible and seizing and disrupting their infrastructure might not be the victim's top priority during an attack, but cooperation in achieving this outcome is going to be a benefit for everyone. Victims are also being reminded that paying the ransom doesn't guarantee access to their devices or data, and therefore, they're told that the decision to pay the ransom should be made only after making sure that it's likely to change the outcome of the incident and complies with local regulatory requirements. The ransomware victims are being encouraged to record their incident response decisions related to ransomware mitigation data captured for post-incident reviews. This kind of due diligence - collecting an analysis of information and understanding the potential harms - is recommended to be part of every organization's incident response and recovery plans. Organizations also need to make sure that they know the regulatory penalties that can result from a data breach in their sector. Among the guidance that can be given by these cyber incident response companies is that they can let you know if there's a publicly available decrypter that can unlock your systems. These are obtained by organizations such as No More Ransom. Plus negotiators familiar with ransomware operators will typically negotiate down the actual ransom that you have to pay considerably. In addition, the negotiation process itself, quite deliberately, is extended so that it acts as a delay to avoid hasty decisions. 
It gives the organization impacted the time to identify the extent of the problem, quantify what data or assets have been stolen or affected, the impact on business operations, customers, employees, and supply chain, and the likelihood of further data exfiltration. It also provides the time to provide a more empirical and less emotional review of how practical it would be to continue operations if the ransom isn't paid. How good are your backups? Have they been compromised as well? Is pen and paper or other workarounds even an option? And have you identified where the attackers are in your system and ejected them? Also, have you identified how they got in and closed that door so they don't just walk back through the same route? Do you have cyber insurance? Does it cover the full cost of what's happened, and if not, how much is covered? Could you afford to pay for the managed move-in if you chose to, or is starting again going to be a cheaper option? And if you do end up paying the ransom, who makes that decision? Are you paying people who have the ability to unlock your systems or another criminal in the chain? And have you got access to cryptocurrency, a most likely form of payment, and how secure is that? And then, of course, after the event where data has been stolen, you need to evaluate what the risks are to life, personal data or national security if the data were published and to verify that any claims about the nature and the amount of data stolen are true. Finally, it is also crucial to assess the initial breach and ensure the associated vulnerabilities have been remediated.
Delaney: Excellent overview and many questions to be asked. Mat, would love your thoughts here, because does this encourage you as someone who has covered ransomware at great length for many years?
Schwartz: Definitely. One of the things Tony mentioned was there might be a public decrypter if you work with firms. And that's the advice - always reach out to experts. I know in the U.S., the FBI is often a great starting point; abroad, other law enforcement agencies, likewise, are great starting points. Incident response firms - a great starting point. If you have cyber insurance, they'll be the first point of call if you've suffered an incident like this. But besides the public stuff, which you can find, there's the private stuff, and by reaching out to law enforcement and incident response firms as well, sometimes they can clue you into decrypters that the bad guys don't know about. So, it isn't always a black-and-white situation of either I pay to get it back or I've got to restore it. Sometimes, there's in-between sorts of stuff. Again, like Tony was saying, think about if you need to pay, don't pay, just in case. In the U.S., we've seen great strides on that front again with the FBI getting on-site very quickly with a lot of these breaches and saying to the board, saying to the CEO, "Wait a moment. Let's see what we can do without you paying." I don't think the rest of the world necessarily has been that proactive. Hopefully though, with this sort of guidance that we're seeing, it'll cause people to stop and reflect and hopefully pay less.
Delaney: Absolutely. Thanks both. And finally and just for fun, imagine AI is fully integrated into society 50 years from now. What kind of cultural or social changes do you think would emerge from AI being part of everyday life? So, how would things like work, relationships or even creativity evolve in such a future?
Morbin: I'll give you a big dystopian view I'm afraid. Initially, social and health inequalities can be evened out globally, and the need to work will be reduced. But, I fear that knowledge is no longer going to be prized as AI stores and recalls all data. Human understanding becomes less valued as AI can demonstrate a more thorough analysis of the facts. So, there are going to be fewer people who are motivated to pursue deep understanding and intellectual growth. As a result, we revert to the medieval world, where extremely sociopathic rulers use disinformation to seize control, supported by a small educated elite controlling AI technology in the ruthless pursuit of power. And then, the rest of us get fed so much of social media-generated likes from chatbox and kept down. So, I know I do understand Rashmi's warning about the dangers of AI itself, and I don't dismiss those, but my worry is the dangers of what humans will do with it.
Delaney: Back to the dark ages. So, some argue it will drive up, it will encourage and inspire creativity, but maybe our brains will.
Morbin: I'm just throwing that in there as a warning so to say that, I do think we should regulate.
Delaney: I understand. Rashmi?
Ramesh: The world would possibly be more efficient and more secure physically and virtually, all of which could possibly result in life being a little less stressful. But, with the shadow surveillance and smart devices at every corner, I also think we'd lose the ability to forget or be forgotten or have anonymity of any sort. Is that a good thing? A bad thing? We will cross that bridge when we get there, if we get there.
Schwartz: Great points there. There's so much detritus in everyday life that doesn't need to be recorded and analyzed. And on that front, I would love it if it was a productivity-enhancing tool. I tend to be late to everything, despite my best efforts. And so if AI could, I don't know, maybe with electrodes or something hooked up to my brain, but if AI could be like, "Look, it's time for you to go now. You tend to run 10 minutes late, so I've blocked off. There's do not disturb. Nobody knows, nobody thinks you're available. Leave now, walk out the door." If there was something that could maybe hack my life a little bit on the productivity and the organizational front, that might be helpful.
Delaney: And your AI assistant would tell who to meet or who to run over. The AI assistant does all the dirty work for you. So, I was thinking maybe AI time travel. Imagine AI creating these immersive simulations of past societies, and you wouldn't observe history; you'd just go back to those historical events and even alter small details for a more personalized journey. So, that was one of them. Digital deities, that is, you're going to see this maybe obsession or a cult following AI could evolve into virtual spiritual guides. We've seen this happen before. You're already seeing the tech titans in California become these high priests. So, these spiritual guides could offer individualized paths to enlightenment, maybe.
Schwartz: And redemption.
Delaney: Yes, personal beliefs. Then, I also think, because this is a long-time obsession of humans - immortal living and permanent youth. So, there'll be a drive on that front. With the AI advancements, this concept of aging and death could be transformed, allowing people to experience immortality, and maybe even maintain permanent youth.
Morbin: Unfortunately, it might not be the immortality you thought. You were talking about creating a virtual world. If we were able to create a realistic virtual world, we then get the situation where simulations are more likely than reality, and therefore, we're more likely to be a simulation than reality.
Delaney: What is real?
Morbin: Statistically, we are more likely to be a simulation than real.
Delaney: Heavy stuff this week. Hopefully, it won't happen anytime soon. Let's just say that. Thank you so much everybody. You've been brilliant. Excellent insights. And as always, great to see you.
Schwartz: Thanks for having us.
Ramesh: Thanks Anna.
Morbin: Thank you!
Delaney: Thanks so much for watching. Until next time.