Hacking Diplomatic Cables Is Expected. Exposing Them Is Not
By Lily Hay Newman | Thu, 20 Dec 2018 13:00:00 +0000
On Wednesday, the security and anti-phishing firm Area 1 published details of a breach that compromised one of the European Union's diplomatic communication channels for three years. The perpetrators also compromised systems related to the United Nations, the American Federation of Labor and Congress of Industrial Organizations, and a number of international foreign affairs ministries. It's a massive trove of sensitive communications—the kind that intelligence agencies from every country attempt to access every day.
The European Union says it is investigating the findings, but hasn't yet publicly confirmed them. Area 1 discovered the breach during routine analysis of international phishing campaigns. The firm showed more than 1,100 of the compromised diplomatic cables to The New York Times as evidence of the breach, an unorthodox decision for a private security firm conducting an investigation.
Area 1 says it attributes the activity to a sophisticated hacker unit of China’s People’s Liberation Army, but emphasizes that the attack on the communication platform required very little advanced skill or finesse, because the system was poorly secured. And while Area 1 says its attribution is solid, the firm emphasizes that its real focus is not on who perpetrated the attack, but on spreading awareness about the reality that weakly defended systems—especially those that are an obvious choice for international espionage targeting—are likely to be compromised.
"We felt like it was important to speak in plain language, to lay it out," says Oren Falkowitz, CEO of Area 1 and a former NSA analyst. "It’s not hyped. We don’t call it sophisticated, in fact we call it unremarkable. With these campaigns there’s nothing interesting really about them other than the fact that they work."
That central concept matters, whether China was behind the attack or not. Recent revelations about the extent of China's hacking during 2014, along with previous leaks about CIA activity and beyond, have underscored how pervasive intelligence-gathering efforts can be. "It's not news the Chinese were reading every diplomatic cable probably. It is news that they totally got caught, though," says Dave Aitel, a former NSA researcher who is now chief security technology officer at the secure infrastructure firm Cyxtera.
In the attack Area 1 identified, hackers first breached the European communication network known as Coreu in April 2015, and actively exfiltrated data until last week. The attackers initially accessed the network by using basic phishing attacks to steal the credentials of EU diplomats in Cyprus. Once the hackers gained access, they used run-of-the-mill malware to create a backdoor in the system that would allow them to persist long term, even if their stolen credentials were revoked.
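The persistence pattern described above, a backdoor that keeps working after the stolen credentials are revoked, is something a defender can look for in authentication logs: a reset password does nothing against a foothold that no longer needs the password. The Python script below is an added example, not code from the article or from Area 1. Its log format, account names, addresses and revocation times are all constructed for illustration.

```python
"""Flag activity that outlives a credential reset.

Two checks over a simple, constructed auth-log format
("<ISO timestamp> <user> <src_ip> <SUCCESS|FAILURE>"):
  1. successful logins by an account after its credential was revoked;
  2. source addresses a revoked account used before the reset that keep
     authenticating successfully afterwards, under any account, which is
     the signature of a foothold that no longer depends on the password.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src_ip: str
    result: str


# Constructed revocation times: when each compromised credential was reset.
REVOKED: Dict[str, datetime] = {
    "diplomat.a": datetime(2015, 6, 1, 9, 0),
}

# Constructed log lines (hypothetical format, RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2015-05-20T08:15:00 diplomat.a 203.0.113.5 SUCCESS
2015-06-02T03:41:00 diplomat.a 203.0.113.5 SUCCESS
2015-06-03T02:10:00 svc-backup 203.0.113.5 SUCCESS
2015-06-04T11:00:00 diplomat.b 198.51.100.7 SUCCESS
2015-06-05T12:00:00 diplomat.a 203.0.113.5 FAILURE
"""


def parse_auth_log(text: str) -> List[AuthEvent]:
    """Parse the constructed format; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, src_ip, result = line.split()
        events.append(AuthEvent(datetime.fromisoformat(ts), user, src_ip, result))
    return events


def post_revocation_logins(events: List[AuthEvent],
                           revoked: Dict[str, datetime]) -> List[AuthEvent]:
    """Successful logins by an account after its credential was revoked.

    A hit here means the reset did not take effect, or the attacker has a
    second way to authenticate as that account (token, key, session)."""
    return [e for e in events
            if e.result == "SUCCESS" and e.user in revoked and e.ts > revoked[e.user]]


def sources_outliving_revocation(events: List[AuthEvent],
                                 revoked: Dict[str, datetime]) -> Dict[str, List[AuthEvent]]:
    """Source addresses used by a revoked account before its reset that still
    authenticate successfully afterwards, as any account.

    Returns {src_ip: [post-reset successful events from that address]}."""
    # Earliest revocation time associated with each source address.
    tainted: Dict[str, datetime] = {}
    for e in events:
        if e.result == "SUCCESS" and e.user in revoked and e.ts <= revoked[e.user]:
            cutoff = revoked[e.user]
            tainted[e.src_ip] = min(tainted.get(e.src_ip, cutoff), cutoff)

    hits: Dict[str, List[AuthEvent]] = {}
    for e in events:
        if e.result == "SUCCESS" and e.src_ip in tainted and e.ts > tainted[e.src_ip]:
            hits.setdefault(e.src_ip, []).append(e)
    return hits


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_LOG)
    for e in post_revocation_logins(evts, REVOKED):
        print(f"post-reset login: {e.user} from {e.src_ip} at {e.ts}")
    for ip, es in sources_outliving_revocation(evts, REVOKED).items():
        print(f"source {ip} active after reset via accounts: "
              f"{sorted({x.user for x in es})}")
```

On the sample data the first check flags the 2 June login as `diplomat.a`, and the second flags `203.0.113.5` because it keeps authenticating after the reset, including as a different account (`svc-backup`), which is what a credential reset alone cannot stop. In practice the second check is the more useful one, since it catches the case where the attacker stops using the revoked account entirely.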
Area 1 says it wants to help raise the alarm that this scenario is very likely playing out on sensitive systems around the world. And analysts echo that, whether it is China or another nation state, this sort of espionage against government and diplomatic communications is not only standard, but expected.
"Countries seeking information should surprise no one," says Lukasz Olejnik, an independent cybersecurity and privacy researcher in France. "It's standard business. And this case highlights that systems are only as secure as their weakest link. The European Union is a bloc of 28 countries. Consequently, getting access via the systems of any of the countries can lead to access of common data."
Some have questioned Area 1's choice to share extensive data compromised in the incident with a media outlet. The cables the Times reported on are in the public interest in many ways, but they originate from a trove of stolen data that was not made public by attackers or a whistleblower. In the WikiLeaks Cablegate incident of 2011, then-US Army soldier Chelsea Manning sent diplomatic cables to WikiLeaks for publication, and was later prosecuted under the Espionage Act.
In the case of Area 1, some speculate that the company may face consequences under Europe's General Data Protection Regulation for its decision to share the data. And while Area 1's Falkowitz emphasizes that the company based its attribution on extensive analysis, the company intends it to inform private and industry understanding rather than geopolitical decision-making. But releasing the information to the Times raises complicated questions about cyberspace norms.
"There's no doubt that the data was of great public interest, but Area 1's handling of this is very concerning," says Jake Williams, a former NSA analyst and founder of the security firm Rendition Infosec. "They found stolen property. Rather than simply notifying the victims, they victimized them further. Reports based on this data will likely embolden other hacktivists, some of whom will operate under the color of 'helping the press get the real story.' It's a troubling precedent."
Area 1 has taken criticism for its definitive attribution as well, given how murky those waters often get. Falkowitz stands by the decision, but also sees the issue as a secondary priority in this case. "My hope is really that people move away from the process of how we do our work, and more toward how are we going to stop future people from being impacted?" he says.
With governments still taking such a lax attitude toward cybersecurity, that answer may be a long way off. In the meantime, the more immediate question may be what fallout remains from this latest hack, and from the process by which it came to light.