Smells like teen hackers

Delivered every Monday by 10 a.m., Weekly Cybersecurity examines the latest news in cybersecurity policy and politics.

Sep 25, 2023 View in browser   By Joseph Gedeon With help from John Sakellariadis  Driving the day — Underage hackers are wreaking havoc on American companies, and that poses a real problem for federal law enforcement agencies. HAPPY MONDAY, and welcome to MORNING CYBERSECURITY! Ahh, fall in Washington. There’s something about the foliage setting the National Mall ablaze with warm colors that puts a soft spot in even the most serious of lawmakers. Maybe getting our elected officials to jump into some leaf piles is the ticket to avert a government shutdown? Have any tips or secrets to share with MC? Or thoughts on what we should be covering? Email Joseph at jgedeon@politico.com. You can also follow @POLITICOPro and @MorningCybersec on X. Full team contact info is below. Let’s dive in. Don’t forget to sign up for POLITICO’s AI and Tech Summit on Wednesday. We’ll have tech leaders, policymakers, national security officials like the White House’s Anne Neuberger, the CIA’s director of AI Lakshmi Raman and others hashing out the proper policies to balance risk and innovation, and to chart America’s AI future. Sign up for the summit here, whether you plan to attend in person, in D.C. or virtually. Cybercrime YOUNG, WILD AND FREE — FBI Director Chris Wray likes to say that Chinese hackers outnumber FBI investigators more than 50-1. But for now, one of the greatest hacking threats bedeviling the bureau is much closer to home — and still well below the legal drinking age. Two weeks ago, a previously little-known cybercriminal group that private sector researchers believe is made up of teenagers and young adults from the U.S. and the U.K. burst onto the public radar after bringing slot machines to a halt at MGM Resorts and extracting an eight-figure ransom from Caesars Entertainment for an earlier cyberattack. But those who have been tracking the group for well over a year say the Las Vegas hacks are just the tip of the iceberg, John reports. Despite garnering little attention until recently, the group has been riding roughshod through some of the largest American companies for months now. And, researchers say, their success is symptomatic of the broader struggles Western law enforcement is facing with juvenile cybercrime — even when coming from its own backyard. “The narrative with a lot of cybercriminals is like, ‘Oh, they’re an untouchable Russian hacker in a non-friendly country,’” Allison Nixon, chief research officer at Unit221B, a digital forensics company, told MC. “But with this phenomenon, they’re not Russian hackers. They live in Five Eyes countries, and some of them are underage.” Teenage dream — Researchers at Mandiant, CrowdStrike and SentinelOne interviewed for this newsletter expressed confidence that the perpetrators of the Vegas hacks are a small group of individuals between the ages of 17 and 24 based in the U.K. and the U.S, while acknowledging they are not 100 percent certain of the identity, location or the exact number of perpetrators. All said the group emerged from an English-language Telegram channel known as the Com, where mostly high-school-aged individuals bond over a range of illicit activity, from sextortion schemes and fraud to blackmail. The FBI did not respond to a request for comment about the Com or the identity of the lead suspects in the casino hacks. Below age, above the law — Many Western jurisdictions limit how harshly minors can be penalized for crimes, while U.S. law generally requires that juvenile hacking prosecutions be tried in state court, constraining what federal law enforcement can do about the Vegas hackers or groups like the Com. Adam Meyers, a senior vice president at cybersecurity firm CrowdStrike, said another obstacle is how difficult it is for law enforcement to link an online persona to a real-world crime. “When it comes to law enforcement, they have a higher burden of proof,” he said. Sweet talkers — While they remain free, the Vegas hackers have been wreaking havoc through a mix of techniques to subvert SMS-based two-factor authentication — a common way companies protect their employees’ accounts. They have also found clever methods to use the access they get from one victim, like an IT provider, to lily pad into another. The group is adept at SMS phishing, sim-swapping and social engineering, often by phone. “If you have a native English speaker, people aren’t going to necessarily t hink something’s weird or out of place,” said Kimberly Goody, the head of financial crime analysis for Google Cloud's Mandiant. Appearances can be deceiving — Meyers, Goody and Nixon all cautioned that people’s dismissive reaction to those techniques, and the group’s age, have led them to underestimate it. But Meyers said CrowdStrike believes a group of just 3-4 individuals is responsible for roughly 50 intrusions in the last 18 months. And while it once focused on smaller scale crime, like crypto heists, the group has recently doubled-down on extortion. “We've been trying to say that this is a big deal, and people didn't listen until we had this highly visible incident with MGM,” said Mandiant’s Goody. Dangerous liaisons — Perhaps most troublingly, in April, the small group believed to be behind the Vegas hacks began deploying ransomware it rented from a prolific Russian-language crime group, AlphV.  For researchers, the unusual alliance set off alarm bells because it suggested that cybercriminals from Russia and Eastern Europe were beginning to recruit minors from the West. Established gangs are “specifically targeting children for recruitment … because these jobs are high-risk and they know the cops have limited options to punish minors,” said Unit221B’s Nixon.   HAPPENING 9/28 — INSIDE THE CANCER MOONSHOT: Join POLITICO on Thursday, Sept. 28 for an in-depth discussion on the future of cancer treatment and innovation. Hear from experts including scientists, government officials and industry leaders as we explore the critical roles played by private industry, nonprofits, the National Cancer Institute and the new Advanced Research Projects Agency for Health in achieving the Biden administration's goal of cutting the cancer death rate in half over the next 25 years. Don't miss this opportunity to dive into the progress of cancer treatments and learn about the challenges patients encounter in accessing care. REGISTER HERE.     Want to receive this newsletter every weekday? Subscribe to POLITICO Pro. You’ll also receive daily policy news and other intelligence you need to act on the day’s biggest stories. The International Scene FRIENDS BEING FRIENDLY— It was the Five Eyes who put their heads together for some intel work that led Canada to accuse the Indian government of being involved in the murder of a Canadian citizen, U.S. Ambassador to Canada David Cohen said in an interview that aired Sunday on CTV News. Cohen said Canadian Prime Minister Justin Trudeau was able to go public with the potential link because “there was shared intelligence among Five Eyes partners,” which also includes the U.S., Australia, New Zealand and the United Kingdom. And while Cohen would not comment on the specific intelligence informing the Canadian government's investigation, he said there was "a lot of communication" between Ottawa and D.C. about the matter. What we know about the Five Eyes alliance, though, is that it collaborates on joint intelligence operations and shares signals, and human and imagery intelligence to thwart terrorism, cybercrime and foreign espionage. Vulnerabilities TO CATCH A PREDATOR — Did you notice a big security update on your iPhone late last week? Well, it stems from a newly-discovered zero-day campaign to install the scarily powerful Predator spyware onto a prominent Egyptian opposition official’s device. — ICYMI: After feeling suspicious about the safety of his phone, former Egyptian member of Parliament and presidential hopeful Ahmed Eltantawy reached out to The Citizen Lab — who discovered, along with Google’s Threat Analysis Group, the repeated attacks on his phone. — What that means: According to the report, hackers could use the Intellexa-created spying tool to break into an iPhone through a “man-in-the-middle” attack, where they’d intercept traffic between the target and the website they are trying to reach to redirect the victim to a malicious website. From there, it would install a small binary that decides whether or not to program the full Predator implant. Android devices can similarly be targeted by a MITM attack, but can also be affected by one-time links sent directly to the target. — Fixed … for now:  Apple says it has addressed the problem by issuing a software update that “may prevent transferring data directly from another iPhone during setup.” But it’s not the first (or last) time you’ll hear from Predator. In August, the Biden administration blacklisted four spyware vendors linked to former Israeli defense official Tal Dilian, the entrepreneur behind Intellexa, which has notoriously been used to surveil and harass journalists, politicians and human rights activists globally. The move was meant to significantly restrict the company’s ability to acquire U.S. technology, with the White House accusing it of working against U.S. national security interests. Tweet of the Day If this post is anything to go by, an ad sticking up for the Kids Online Safety Act by arguing that cloud platforms should be *less* encrypted is getting mixed reviews. (Note: the group responsible for the ad says it used an AI-generated image to make its point.) Quick Bytes TEMU’S FAKE PHOTO PUSH — Scammers have been flooding TikTok with fake nude celebrity “photo leaks” to boost Chinese online megastore Temu, Lawrence Abrams writes for Bleeping Computer. ‘UNPRECEDENTED’ ATTACK — Russian proxies in Crimea announced a large-scale cyberattack after a Ukrainian missile strike on Russia's Black Sea Fleet headquarters in Sevastopol, reports Nate Ostiller with The Kyiv Independent. CYBERATTACK IN THE TROPICS — Bermuda and another Caribbean government are dealing with a cyberattack from Russia that has caused widespread internet outages. Jonathan Greig with The Record has the details. Chat soon.  Stay in touch with the whole team: Joseph Gedeon (jgedeon@politico.com); John Sakellariadis (jsakellariadis@politico.com); Maggie Miller (mmiller@politico.com); and Heidi Vogt (hvogt@politico.com).   DON’T MISS POLITICO’S TECH & AI SUMMIT: America’s ability to lead and champion emerging innovations in technology like generative AI will shape our industries, manufacturing base and future economy. Do we have the right policies in place to secure that future? How will the U.S. retain its status as the global tech leader? Join POLITICO on Sept. 27 for our Tech & AI Summit to hear what the public and private sectors need to do to sharpen our competitive edge amidst rising global competitors and rapidly evolving disruptive technologies. REGISTER HERE.       Follow us on Twitter Heidi Vogt @HeidiVogt Maggie Miller @magmill95 John Sakellariadis @johnnysaks130 Joseph Gedeon @JGedeon1   Follow us

To change your alert settings, please log in at https://www.politico.com/_login?base=https%3A%2F%2Fwww.politico.com/settings This email was sent to salenamartine360.news1@blogger.com by: POLITICO, LLC 1000 Wilson Blvd. Arlington, VA, 22209, USA Please click here and follow the steps to unsubscribe.