
Seriously Risky Business Newsletter

September 04, 2025

Google Sharpens its Cyber Knife

Written by

Tom Uren

Policy & Intelligence

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Push Security.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.


Google has announced it is starting a cyber "disruption unit" that will seek out opportunities to proactively disrupt threat actor campaigns. This move reflects increased industry and government appetite for more aggressive private sector approaches and also indicates a sensible incremental step towards government-endorsed private sector hacking. 

Per CyberScoop's coverage:

Sandra Joyce, vice president of Google Threat Intelligence Group, said at a conference Tuesday that … the company was looking for "legal and ethical disruption" options as part of the unit’s work.
"What we're doing in the Google Threat Intelligence Group is intelligence-led proactive identification of opportunities where we can actually take down some type of campaign or operation," she said at the Center for Cybersecurity Policy and Law event, where she called for partners in the project. "We have to get from a reactive position to a proactive one … if we're going to make a difference right now."

Google has already been involved in the court-endorsed botnet takedowns of Glupteba in 2021 and BadBox 2.0 in July. To put this in perspective, Microsoft pioneered court-ordered disruption operations way back in 2010 and has been involved in a string of takedowns since then.

Court-endorsed takedowns are not new, and two is not many. But at the very least, we'd expect this new unit to result in more of these operations.

We suspect, though, that Google wants to push the audacious edge of the envelope rather than deliver a higher volume of more of the same. Significantly, Joyce's announcement took place at a conference exploring the concept of hacking back, offensive cyber operations and "charting a legal and strategic path forward".

Joyce said that more details would be revealed over time, but what could a more aggressive approach look like?

We already have a public example of the ethical use of hacking to protect a vendor's customers. In 2024, cyber security firm Sophos released details of what it described as a "counter offensive… to neutralise China-based threats". 

After discovering that its firewalls were being targeted by a group in multiple campaigns, Sophos responded by increasing the variety and volume of telemetry being collected by its devices. Together with trial registration data, this was used to identify multiple devices that were being used by the threat actor for vulnerability research and exploit development. Per Seriously Risky Business at the time:

In late April 2020, Sophos started working on 'forward deployment tooling', "a specialised kernel implant to deploy to devices that [the vendor] was highly confident were controlled by groups conducting malicious exploit research. The tool allowed for remote file and log collection without any visible userland artefacts."
Sophos deployed this implant to adversary-controlled test devices to observe exploit development and testing as it was taking place. The firm used this information to understand vulnerabilities and remediate them before they were widely exploited. It was also able to retrieve malware, including a UEFI bootkit and write detections before the malware was deployed in the wild.

Without going into details, Sophos' CISO Ross McKerchar told Risky Business host Patrick Gray that End User License Agreements were "certainly part of" getting approval from legal counsel, and he noted that Sophos was "working with law enforcement at the time". Later in the interview he said that cyber security authorities such as the NSA and the UK's NCSC had been "incredibly supportive and helpful throughout this".

Google is in a similar position to Sophos. Products such as Chrome and its Android devices are attractive targets for threat actors. Google's Terms of Service could be modified to give it the legal wiggle room to behave more aggressively against threat actors. The company has the expertise and depth to manage technical risks from operations that push boundaries, and we doubt that cyber security authorities and law enforcement would take issue with the company hitting back against abuse of its products.

One reason that controversial big-bang legislative proposals such as the cyber letters of marque we discussed last week are problematic is their potentially broad scope. The legislation proposed last month could authorise hacking against a wide array of criminals by people in the private sector. 

By contrast, allowing companies to act against threat actors targeting their own products is reassuringly tightly scoped. From a government perspective, encouraging the most capable technology vendors to more aggressively protect their products just makes sense. 

Sophos has demonstrated that legal hacking back is already here. Rather than spinning their wheels on controversial hackback-style legislation, policymakers should encourage more vendors to embrace it.

Salt Typhoon Outed But Not Evicted

Cyber security agencies from 13 countries have attributed the Salt Typhoon intrusions to three Chinese companies. These co-ordinated cyber attributions used to be a big deal, but in this case we are not so sure.

Salt Typhoon is a Chinese government-backed effort that has had outrageous success targeting telecommunications and other networks worldwide. This week, the FBI said the group had hit more than 80 countries and compromised more than 200 American organisations.

The advisory covers the group's targets:

People's Republic of China (PRC) state-sponsored cyber threat actors are targeting networks globally, including, but not limited to, telecommunications, government, transportation, lodging, and military infrastructure networks. While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks. 

The advisory later describes the impact of the hacks:

The data stolen through this activity against foreign telecommunications and Internet service providers (ISPs), as well as intrusions in the lodging and transportation sectors, ultimately can provide Chinese intelligence services with the capability to identify and track their targets' communications and movements around the world.

The advisory links these activities to three Chinese firms: Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology and Sichuan Zhixin Ruijie Network Technology.

According to the advisory, the three provide "cyber-related products to China's intelligence services, including multiple units in the People's Liberation Army and Ministry of State Security".

If a Five Eyes agency were outed the way Salt Typhoon has been, it would be considered a massive failure. The US and its allies have traditionally focussed on stealthy intelligence collection. Particularly for enduring targets, stealth enables long-term collection: if you don't get caught, you can keep on collecting valuable intelligence.

Indeed, a senior FBI official told CyberScoop the Chinese government's use of contractor companies was a failure:

"These enabling companies, they failed," Jason Bilnoski, deputy assistant director in the FBI's cyber division, told CyberScoop. "This investigation, and that of our partners, are exposing that the use of these enabling companies by the CCP is a failure."
The lack of control China has over what those companies do precisely created an opening for investigators, Bilnoski said.

However, stealth isn't the only way to ensure enduring collection. Another way is to simply hack all the things and just not stop, even after you've been discovered.

This kind of digging-in is common when Chinese threat actors are pinged these days. See, for example, this year's SharePoint exploitation, the 2023 Barracuda email gateway hacks, the Microsoft Exchange free-for-all in 2021, and even the behaviour of Salt Typhoon itself.

Sure, the outing of Salt Typhoon isn't ideal for the PRC. But we're hesitant to call it a failure. A failure would be the group's eviction from US telecommunications networks. For now, the Chinese government can brush off any diplomatic blowback as a cost of doing business. 

Death of Apple's UK Encryption Fight Greatly Exaggerated

The stoush between Apple and the UK government over lawful access to iCloud user data has not been resolved, despite media reporting last week. 

The Financial Times this week reported on documents filed with the Investigatory Powers Tribunal (IPT), an independent judicial body that examines complaints about UK intelligence services. 

Back in January, Apple was provided with a government order known as a Technical Capability Notice (TCN). 

The Financial Times now suggests the TCN required Apple to provide broad access to iCloud data, including messages and passwords:

"The obligations included in the TCN are not limited to the UK or users of the service in the UK; they apply globally in respect of the relevant data categories of all iCloud users," the IPT filing adds.

So despite what Tulsi Gabbard says on social media, this is still a live issue.

Watch Amberleigh Jack and Tom Uren discuss this edition of the newsletter:

Three Reasons to Be Cheerful This Week:

  1. Spain cancels Huawei contract: The Spanish government has cancelled a contract that would have deployed Huawei kit across RedIRIS, the country's research and academic network.
  2. The EU's Cybersecurity Reserve gets closer: The European Commission has appointed ENISA, the European Union's cyber security agency, to manage the EU's Cybersecurity Reserve. The reserve will use trusted providers to deliver surge incident response capacity in the event of a significant large-scale cyber security incident.
  3. Takedowns are affecting ransomware gangs: The ransomware ecosystem is splintering, with new variants appearing in the wake of law enforcement takedowns, according to The Record. Increasing fragmentation and churn in ransomware variants is also accompanied by increasing distrust between individual cyber criminals. These are all good signs if you are an optimist, but we concede that there are no reliable metrics confirming that the impact of the scourge has actually been reduced.

Sponsor Section

In this sponsored interview Casey Ellis chats with Push Security co-founder Jacques Louw. Push's browser plugin gives a unique level of visibility into how users interact with the web and the attacks they face. Jacques talks through what they're seeing, and their recently published taxonomy of phishing attacks. It's on GitHub for everyone to contribute to!

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).

In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about how cyber threat actors are using AI tools to fill in the resource and skills gaps they have.

Or watch it on YouTube!

From Risky Bulletin:

YouTubers unmask and help dismantle giant Chinese scam ring: Two YouTube channels named Scammer Payback and Trilogy Media played a crucial role in unmasking and identifying members of a giant scam network that stole more than $65 million from US seniors.

The US Department of Justice used videos posted by the two channels in 2020 and 2021 to identify and then track down the network. Officials arrested 25 of the 28 suspects they identified during this investigation.

The group allegedly used call centers based in India to call US seniors, posing as government officials, bank employees, and tech support agents.

[more on Risky Bulletin]

Noem fires FEMA IT team over alleged cybersecurity failures: DHS head Kristi Noem has fired 24 employees of the FEMA IT department, citing an alleged data breach and a string of cybersecurity failures.

The firings included FEMA CIO Charles Armstrong and FEMA CISO Gregory Edwards.

…

In a somewhat unhinged press release, the DHS and Noem claim the fired employees were "entrenched bureaucrats" and "deep-state individuals" who "resisted any efforts to fix the problem," downplayed the issues, and "were more interested in covering up their failures."

FEMA insiders who spoke to CNN shortly after the firings last Friday painted a totally different picture and described the ousted IT team and its leaders as "extremely competent" and "highly respected."

[more on Risky Bulletin]

npm attack uses AI prompts to steal creds, crypto-wallet keys: A novel supply chain attack has hit the users of NX, a popular developer tool used to automate and optimize CI/CD pipelines.

The incident took place on Tuesday, after a threat actor compromised the npm token for one of the NX developers, and then released malicious updates for several NX tools to the npm package repository.

The new versions contained a malicious script that:

  • Attempted to run a prompt on local AI CLI tools like Claude, Gemini, and Q.
  • The prompt instructed the AI agents to search the local filesystem for text-based files that may contain GitHub tokens, npm tokens, SSH keys, .env secrets, and wallet files.
  • All found data was encoded and written into a file.
  • Other commands would use the GitHub API to create a new public repository on the infected user's GitHub account and upload the file with all the stolen data.
  • The script also added a shutdown command to the local shell environment (~/.bashrc and ~/.zshrc) that would restart the developer's machine every time the terminal was started.
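A defensive check for the persistence trick in the last bullet, as an added example that is not code from Risky Bulletin or the NX project: it scans the shell startup files for any line that invokes a shutdown or reboot command, skipping `sudo`-style wrappers and ignoring the word when it only appears inside a quoted string. The sample `.bashrc` is constructed, and `audit_startup_files` runs the same check against the real files on the host.

```python
# Added defensive example (not Risky Bulletin's or the NX project's code): flag lines in
# shell startup files that run a shutdown/reboot command, the persistence the compromised
# NX packages were reported to plant in ~/.bashrc and ~/.zshrc.
import os
import re
import shlex

STARTUP_FILES = ("~/.bashrc", "~/.zshrc")
POWER_COMMANDS = {"shutdown", "reboot", "halt", "poweroff"}
WRAPPERS = {"sudo", "doas", "nohup", "exec", "env", "command"}  # prefixes before the real command

def _segment_is_power_command(segment: str) -> bool:
    """True if one simple command (no ; && || |) changes the machine's power state."""
    try:
        tokens = shlex.split(segment, comments=True)  # honours quoting, drops '# ...' comments
    except ValueError:  # unbalanced quotes: fall back to a naive split
        tokens = segment.split()
    # skip wrappers and their options, so 'sudo -n shutdown -h now' is still caught
    while tokens and (os.path.basename(tokens[0]) in WRAPPERS or tokens[0].startswith("-")):
        tokens.pop(0)
    cmd = os.path.basename(tokens[0]) if tokens else ""  # '/sbin/shutdown' -> 'shutdown'
    if cmd in POWER_COMMANDS or (cmd == "init" and tokens[1:2] in (["0"], ["6"])):
        return True
    return cmd == "systemctl" and bool({"poweroff", "reboot", "halt"} & set(tokens[1:]))

def find_power_commands(text: str) -> list:
    """Return (line_number, line) for every line that invokes a power-state command."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        segments = re.split(r"\|\||&&|[;|()&]", line)  # break compound commands apart
        if any(_segment_is_power_command(s) for s in segments if s.strip()):
            hits.append((lineno, line.rstrip()))
    return hits

def audit_startup_files(paths=STARTUP_FILES) -> dict:
    """Scan this host's startup files; returns {path: hits} for files with findings."""
    report = {}
    for path in filter(os.path.isfile, map(os.path.expanduser, paths)):
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = find_power_commands(fh.read())
        if hits:
            report[path] = hits
    return report

# Constructed sample .bashrc (not a real capture): ordinary lines plus one injected command.
SAMPLE_BASHRC = """\
export PATH="$HOME/bin:$PATH"
echo "shutdown is just a word inside this string"
[ -f ~/.fzf.bash ] && source ~/.fzf.bash
sudo shutdown -h 0   # injected: halts the box every time a new shell starts
"""
```

Running `find_power_commands(SAMPLE_BASHRC)` reports only line 4; a clean host returns an empty dict from `audit_startup_files()`.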

[more on Risky Bulletin]

© Risky Business Media 2007–2025. All rights reserved.