News: Digital breadcrumbs hint at scope, origins of IC leak

Monday, April 10, 2023

Digital breadcrumbs hint at scope, origins of IC leak

Apr 10, 2023

Driving the day

— An open-source investigator has clues suggesting a stunning breach of the U.S. intelligence community began in a surprising place — and earlier than previously understood.

HAPPY MONDAY, and welcome to Morning Cybersecurity! Me and the U.S. government: both battling a significant leak right now.

They: racing to defend some of the intelligence community’s most sensitive secrets. Me: trying to save my sanity from the plop, plop, plop of a stubborn bathroom sink.

We’re in this together.

Got tips, feedback or other commentary? Send them my way at jsakellariadis@politico.com. You can also follow @POLITICOPro and @MorningCybersec on Twitter. Full team contact info is below.

STEP INSIDE THE WEST WING: What's really happening in West Wing offices? Find out who's up, who's down, and who really has the president’s ear in our West Wing Playbook newsletter, the insider's guide to the Biden White House and Cabinet. For buzzy nuggets and details that you won't find anywhere else, subscribe today.

Want to receive this newsletter every weekday? Subscribe to POLITICO Pro. You’ll also receive daily policy news and other intelligence you need to act on the day’s biggest stories.

Today's Agenda

Officially, it’s a quiet day. Unofficially, half this town is racing to figure out what’s what with this those leaks.

At the Agencies

INCONSPICUOUS ORIGINS — What may prove to be one of the most damaging leaks in the history of the U.S. intelligence community appears to have begun in the least likely of places: a small, online discussion group named Thug Shaker Central.

The group, which was hosted on social media platform Discord, originally brought together 20 or so users united by a shared interest in video games, Orthodox Christianity and a popular YouTuber named Oxide, according to Aric Toler, director of research and training at open source intelligence firm Bellingcat.

But one of its members began leaking sensitive intelligence community documents there as early as January, later spooking and deleting the server when a small batch of Pentagon briefing material surfaced on a Russian-language Telegram channel late last week, at which point the story became headline news.

POLITICO could not independently verify Toler’s findings — the majority of which he published in a Sunday blog post — but he’s been at the forefront of the (public) investigations into the leaks, and his record thus far is spotless. If true, his research offers powerful hints about the timing, scope and source of the leaks, which may have begun months earlier than previously reported.

The deets — After news of the leak first surfaced, Toler and his team worked to trace it back to its source, quickly determining that the Pentagon briefing documents had been online well before the public caught wind of them.

The documents first described last week had been sitting on a Discord server populated by fans of the popular computer game Minecraft since March 4, while an even larger batch of more than 100 leaked files was posted on a separate server named WowMao beginning earlier in March, Toler said.

Toler was only able to get his hands on about half of the documents posted in WowMao before they were deleted — all of which are now in the hands of the media. But the trail didn’t end there.

Multiple users told him that the documents on that server represented just “the tip of the iceberg” — with the leaks ultimately tracing back to an administrator of the now-deleted Thug Shaker Central server.

About that server — Discord declined to comment on the existence of that server, though it confirmed it is cooperating with law enforcement about the leak. The Department of Justice, which is investigating the leak, declined to comment on the record about the leak or the server.

For his part, Toler has only seen screenshots of Thug Shaker Central, and can’t be 100 percent certain of what information it contained.

However, he became confident in its existence after speaking with four alleged members of the discussion group, with whom he was able to cross-check various information. Other Discord users Toler spoke with could at least verify the server’s existence.

Another reason to think his sources may not be bluffing? One of them shared a screenshot of a new leaked document that featured the “same style and formatting of those posted in the WowMao server,” Toler wrote for Bellingcat.

And while he cautioned he could not verify it without seeing the original, one detail caught his eye: it was dated Jan. 13, raising the possibility the leaker was active for nearly three full months before people caught notice.

Cybercrime

MORE THAN MEETS THE EYE — Microsoft’s new court-driven approach to kneecapping cybercrime is as bold as it is dense — and dense it is.

On Thursday, the company’s Digital Crimes Unit filed a 223-page complaint seeking to prevent criminals from abusing a powerful and easy-to-use hacking tool called Cobalt Strike. Built to help defenders identify weak points in their own networks, Cobalt Strike routinely falls into the hands of hackers, allowing them to punch (er, click) well above their weight when it comes to the speed and efficiency of mouse-pad mischief.

While Microsoft has used legal tools to go after hackers before, the substance and sweep of the new action — which includes support from Fortra, the owner of Cobalt Strike, and the Health Information Sharing & Analysis Center, a health sector cyber consortium — are unique, potentially paving the way for sustained disruptions across the cybercriminal ecosystem, according to Amy Hogan-Burney, general manager of Microsoft’s DCU.

“This wasn't your run-of-the-mill trademark issue,” said Hogan-Burney.

New tack — Microsoft’s action represents a turn away from past takedown efforts, which focused on specific criminals and individual malware families, said Hogan-Burney.

The latter showed “an ability … to reconstitute” through the use of backups and “other things,” she said, referencing the company’s short-lived attempt to short-circuit the Trickbot malware ahead of the 2020 elections.

This time, said Hogan-Burney, Microsoft wanted to be “thoughtful about what works and what doesn’t.” So, the DCU tasked its threat intelligence team with finding “the mechanism that's being used in the most disruptive attacks” — an analysis that led back to filched (or “cracked”) copies of Cobalt Strike.

Novel theories — To pursue a case against a mere criminal tool, however, Hogan-Burney said Microsoft needed to develop a novel and robust argument to win over the courts.

Eventually, she and her team decided on a racketeering charge that would lean in two directions at once: on the destructiveness of Cobalt Strike’s most notorious abusers and the suffering of its most sympathetic victims.

Hence, Microsoft’s court filing cites a who’s who of cybercrime kingpins, such as members of the EvilCorp, Conti and LockBit crime syndicates. In addition, it includes backing from the HS-ISAC, a health care-sector cybersecurity consortium which could provide testimony about how the tool had been used in debilitating ransomware attacks against hospitals across the country.

HS-ISAC helped Microsoft “ground [the case] in those that are really suffering,” said Hogan-Burney.

Long-term impact — Microsoft has already won a temporary restraining order, meaning it is now in the process of dismantling the domains and hosting sites outlined in its gargantuan filing. But that’s just the first leg of its effort.

As soon as the firm spots criminals attempting to reach back for illicit copies of Cobalt Strike, said Hogan-Burney, it will pursue a permanent injunction and then a special master, legal maneuvers that will enable it to dismantle future such abuse without having to file new court orders — a notoriously tedious process.

Those measures won’t just allow Microsoft to undercut an across-the-board enabler of cybercrime. They will help it amass more evidence against the high-profile defendants cited in the case, potentially allowing the firm to unmask some of the world’s most sought-after cyber criminals.

Admittedly, that isn’t Microsoft’s top priority in the case, said Hogan-Burney. But it's not an outcome she’s ready to dismiss, either.

Stolen versions of Cobalt Strike “are being used by the worst cybercrime criminals out there,” she said.

Tweet of the Day

Intelligence and disinformation expert Thomas Rid puts the leak in historical perspective:

Twitter

Quick Bytes

— The head of Ukraine’s cyber defense agency has an op-ed on some of the lessons and takeaways of the first year of the war. (CyberScoop)

— The Biden administration is weighing action against Russian cybersecurity firm Kaspersky. (The Wall Street Journal)

—- Apple fixes two zero-day vulnerabilities affecting iPhones and Macs. (Bleeping Computer)

— Leaked documents suggest Russian hacking group had capability to disrupt Canadian gas pipeline. (The New York Times)

GO INSIDE THE 2023 MILKEN INSTITUTE GLOBAL CONFERENCE: POLITICO is proud to partner with the Milken Institute to produce a special edition "Global Insider" newsletter featuring exclusive coverage, insider nuggets and unparalleled insights from the 2023 Global Conference, which will convene leaders in health, finance, politics, philanthropy and entertainment from April 30-May 3. This year’s theme, Advancing a Thriving World, will challenge and inspire attendees to lean into building an optimistic coalition capable of tackling the issues and inequities we collectively face. Don’t miss a thing — subscribe today for a front row seat.