Murder Board Blog Series: Chapter 4 – Trojan Horses or: State Hacking
Feeding Pigeons in the Park—Espionage
Knowledge is power. Knowing nothing makes one envious when looking at the model of modern information societies. The natural application of networks that transport information is espionage. So the Internet early made acquaintance with it. The aspect of smuggling messages in and out of an area is obvious. It also involves breaking through security measures to gain access to protected information.
Whereby large parts of our own information are much less protected than we would like or even be aware of. The e-mails mentioned above are always in plain text and therefore are visible to everyone. An unknown number of third parties read them on the way from sender to recipient and assess this information. And all the information we have in accounts on US platforms (photos, more or less public postings, direct messages, etc.) is viewable by authorities in the US and anyone who cooperates with the US. It would not be the first time that people may not enter a country because of a social media posting or a direct message on a platform.
Chain of Command
Martin B. from A. earns his money as a contractor. He has a small company under which he offers good old IT services: Setting up printers, maintaining the networks of small businesses, occasionally building a website for individual entrepreneurs. That doesn’t make a lot of money, but it provides a valid umbrella for his actual business. Martin B. takes care of a couple of command & control servers that are used by several large campaigns on the net to control and manage malware. He doesn’t know the names of his clients. The last three had given long strings of letters and numbers as their nicknames. He gets his money from changing number accounts in different crypto currencies. Most of the time, these accounts exist for only a few days. He has given up trying to track them. He doesn’t even want to know. Martin B. keeps using different nicknames and different number accounts himself at irregular intervals. One for each incoming payment. He rarely uses a nickname or number account twice. At the moment he is on the road as “ldra002”. And his mission is to spin up a new command & control server for a malware called Ryuk. The specifications given to him are impressively large, and the job gives good money. Presumably his clients have something bigger in mind with it. Martin B. doesn’t ask. Asking is bad for the business. Instead, he randomly pulls out one of the recently purchased credit cards from the digital file box and rents a virtual server for 21 days from a major provider. He smiles when he reads the name: Leon Dragic. How funny and very fitting for his current pseudonym. Already the day after tomorrow he will use another one—far earlier than Leon would get the bill.
With sufficient digitization, we can leave both the production of goods and the destruction of production facilities to the machines. Where once you had to smuggle explosives with great effort and have them planted by agents, today you can have that done by software. Industrial facilities such as power supplies, energy transport by pipelines, chemical or nuclear processing, manufacturing or related constructs are vulnerable to failure. It is also possible to interfere with measurement and control processes to force deliberate decisions out of machines based on false values. This type of digital sabotage rarely manifests in spectacular explosions. More like a production coming to a standstill or exhibiting a serial defect. The best sabotage goes unnoticed for a long time.
For the execution of such perfidious attacks, one can assign one’s own people or hire silent service providers for a lot of tax money.
One topic we should address at this point is the so-called “state Trojan”—a piece of software that carries many problems. Starting with the fact that we now live in a society in which those in power have a fundamental distrust in all citizens and we are all under a general suspicion of planning the next terrorist attack. Followed by a spyware to be foisted on all of our most personal devices. We mean our smartphones.
That this software exists at all, brings all kinds of problems. For example, finding a way for malware to get access to the right data in the first place. With unsecured or minimally secured devices like IoT devices, this is easy. But our cell phones, which are targeted by governments because they are our personal communication hub, are quite a different level, because they are usually well secured. To get “root privileges” (super admin, quasi “god mode”) there, you have to find a really fat (and therefore expensive) security hole. And those exist. It has a reason that the manufacturers of our devices release security updates now and then to close freshly found security holes and to keep the operating systems and apps secure as well as they can. However, there is a large black market, where security holes are sold to the highest bidders. If you have read this far, you won’t be surprised. Criminals always find ways to compromise devices. Unlike security researchers, who basically do the same thing but report their findings to manufacturers and help them close the loopholes and make the world a little safer for everyone, the criminals make money out of it. And cui bono? Who is buying into these gaps? Other criminals and governments, who use them to build state Trojans against their own citizens. A highly problematic black market is not only kept alive, they actually fuel it with our tax money.
In application, such spy programs are then also problematic. On the one hand, legally, because a malware for communication monitoring needs really deep rights on a cell phone. For example, if it is to read communication data in secure messengers, it must be able to read the content on the sender’s device before encrypting it. A secure messenger sends the data “end-to-end encrypted”, i.e. the content of the message can only be read at both ends by the sender and the recipient. On the way in between, you can see that a message exists, but the content is not readable from the outside, only “character salad”. Malware that is supposed to be able to read message content before it is encrypted and forward it to the outside world needs super admin rights on the cell phone. And with that, it can read everything that happens on the device, including the phonebook, photos, content in other apps, listen in on phone calls, and whatever else the device can do. That’s much, much more than the authorities are actually allowed to do, but it’s technically impossible for the software to do less than that.
And last, but not least, the problem where application and purchase of vulnerabilities coincide: The provability. Who says that criminals have sold this one vulnerability (or even the many) only to this one government? It is possible for anyone with enough money to buy anything on a black market. And private individuals or highly professional criminals like the ones we described above can afford three-, four- or even five-figure sums. Now, if anyone can create malware, it will be hard to argue that certain evidence is really from a particular person. We remember admin rights: anyone can forge photos, GPS histories, and more through malware and associated access rights to mobile devices. Suddenly evidence is no longer evidence. The question is, who wants to tell which story? What was done with this device, where was it present, what is it supposed to have seen or heard?
And because we have already spent so much tax money on such software, we have to use it, otherwise it would all have been for nothing. Surprisingly enough, 80 million Germans and 8 million Austrians are not planning terrorist attacks on a daily basis. They also don’t organize in child molester rings. Most of them don’t even know where to look on the net for instructions on how to build highly explosive things or for photographs that are rightly forbidden. And they have never heard of the Tor browser for accessing the so-called Darknet. Actually, most of them are also happy not to have anything to do with all this stuff and just live their normal lives. So what to do with this nuclear first-strike weapon? They find a few sparrows in extortion and drug and property crimes (https://netzpolitik.org/2021/justizstatistik-2019-polizei-nutzt-staatstrojaner-vor-allem-bei-erpressung-und-drogen/). And other European countries don’t think their own populations are so dandy either when they advocate independence from the central state (https://www.golem.de/news/nso-group-spanien-setzt-offenbar-staatstrojaner-gegen-katalanen-ein-2007-149659.html).
In the end, what remains is that governments keep mobile devices insecure for everyone for a state-planned purpose against a few criminals. Worldwide. For tax money. And that opens the door for criminals to do whatever they please with all our devices.
The Fifth Dimension—War and Propaganda
First, we waged war on the land. Then came the water. The air is still young as a theater of war. Space is even younger. In the last few decades, the Internet has joined the ranks. The military calls the world of digital warfare, or “cyber warfare,” the fifth dimension. We fight it with software that either defends against attacks or carries them out. One combines elements of information security (or insecurity) with the dictates of military missions. Including espionage and sabotage.
We often forget information sovereignty in this topic. The manipulation of information is just as much a part of the whole. Influencing news, political decisions, elections or public opinions can have serious consequences. Language becomes a weapon in this process, and the Internet is the delivery system. What is fatal about this kind of manipulation is that even a temporary presentation of messages can have an effect.
State Hacking in Investigations
Where there’s investigation, digital chips sometimes fall. This also applies to the digital part of investigations. Unfortunately, that’s where forensics meets information security. The basic task of information security is to prevent attacks, the tapping of data and the compromising of systems. Organized crime or the attacks of nations, however, do not abide by laws. Often discussed in this context is therefore the so-called “hack back” or “hacking back” in attacks. This involves actively counterattacking the real or alleged perpetrators of an attack. The controversy here is whether one actually catches the right people or only passers-by or unsuspecting deputies who are involved in the attack. Another issue is the loss of trustworthiness of online platforms and digital infrastructure when backdoors are introduced to access data and digital activities. The major argument for backdoors is the protection of data through encryption. However, seatbelts with predetermined breaking points are no longer. Said backdoors can be used by investigators and criminals alike. We will all be the losers.
Implications and Consequences for Information Security
Information security is to protect digital data and infrastructures. The tools required for this are barriers that protect the digital assets from unauthorized access. These include secure encryption, protection of transport and storage location, and restricted access to data and systems. The quality of protection depends on the means available. Third party access to IT systems or data can only be achieved with a backdoor or designated access permissions. If one would like to protect oneself from access by third parties, only weak points or duplicate keys remain for investigators and attackers. This then makes it impossible to implement information security. The technology does not value access ethically. Access by third parties remains an intrusion or attack. The context decides. IT specialists can hardly determine the context when there are signs of access before data is copied. In purely technical terms, there is also no such thing as good or evil access. Access to data remains value-neutral. Any weakening of security measures weakens the capabilities of the defenders.
The Click of the Handcuffs
Catherine is in a jubilant mood. She and her colleagues have just landed an enormous fish. One of the persons behind a large-scale malware campaign against the Ministry of the Interior is sitting next door in the interrogation room. To their own amazement, he has confessed. What is particularly interesting is who else he had to deal with and who was involved in the affair?
Catherine meticulously goes through her notes again. One name keeps popping up here, too. At the same time in the same place … Leon Dragic. The GPS data on his phone speaks volumes. Four out of seven times he was in the same café and once at a demonstration. She is sure by now that Leon is one of those guys who are too sure of themselves. She found him in photos from two demonstrations. Rips on it quite the mouth.
Catherine sends the warrant to the colleagues who will bring Leon in.
We hope, we could show you, that one aspect is central for internet crime: trust. Trust is a good and long-learned thing between humans since the mammoths. But with all the technology in between us, trust nowadays—sadly—is usually in the wrong places.
The End. (For now.)
00 Prequel (German / English)
01 Chapter 01: Traces (German / English)
02 Chapter 02: Investigations (German / English)
03 Chapter 03: Serial Hackers (German / English)
04 Chapter 04: State Hacking (German / English)
Klaudia’s blog has also the German versions of the articles.
Our presentation at #pw20 (in German) can be found here: https://media.ccc.de/v/pw20-367-murderboard-wo-krimi-privatsphre-und-it-sicherheit-zusammenkommen