The escalation of invasive wiretapping in Cyber Warfare

Key Takeaways

Wiretapping, previously associated primarily with spy cinema, has become a real and evolving threat in today’s digital world, with state actors and APT groups implementing increasingly sophisticated techniques.
The invasive surveillance methods used in wiretapping can be leveraged for a multitude of advanced threats, including deepfake voice creation, targeted spear-phishing campaigns, and corporate espionage.
Despite the strength of modern cryptographic techniques, wiretapping remains a powerful tool for user profiling, allowing for extensive data correlation, but does not necessarily breach communication confidentiality.
The strength of cryptographic systems relies heavily on effective key management. Encryption is not infallible; if attackers can gain access to encryption keys, they can bypass the encryption.

Recommendations

Monitor Application Permissions: Regularly check and limit the permissions of the applications you install. Applications should only have access to the data they need to function properly. Deny unnecessary permissions, particularly access to your microphone, camera, and location.
Use Privacy Modes: Utilize built-in privacy features like Windows’ privacy settings or Android’s “Incognito” or “Private” modes to limit data tracking and to stop unwanted permissions.
Install Trustworthy Applications Only: Only download and install applications from trusted sources such as the Microsoft Store or Google Play Store. Even then, review the app’s developer and read user reviews before installing.
Keep Your Operating Systems Updated: Regularly update your operating systems and applications to ensure you have the latest security patches and updates. These can often fix vulnerabilities that could be exploited by malicious parties.
Implement Policy Changes via Microsoft Intune: In large organizations, use Microsoft Intune to manage and change privacy and security settings across all devices. Policies should be set up to prevent unauthorized access to sensitive features like the microphone or camera.

Introduction

Invasive wiretapping, traditionally a tool of surveillance and control employed by state actors, is experiencing an increasing trend in its use and sophistication. Particularly active in this domain are Russian intelligence services and the North Korean hacker group Lazarus, now supplemented by the equally worrying APT37, another North Korean-backed group. These actors do not limit their surveillance to high-profile targets; the technology is deployed against anyone in opposition to their actions, fostering a climate of fear and paranoia. This escalation carries significant implications, not only for individual privacy but also for the cybersecurity landscape of large organizations. As wiretapping becomes more prevalent and intricate, it emerges as an increasingly alarming instrument of cyber warfare.

Advanced Attack Techniques: The Evolution of Wiretapping

Wiretapping, for the purposes of this report, encompasses a suite of techniques aimed at monitoring and intercepting digital communications. These techniques, originally developed by several relatively unknown Russian technology firms under the umbrella of the Citadel Group, have evolved from basic components of Russia’s intrusive telecom wiretapping system into sophisticated tools serving the country’s intelligence services.

The software developed by these firms plugs directly into the telecommunications infrastructure, offering a spectrum of spying possibilities. It can detect when individuals make voice calls or send files through encrypted chat apps such as Telegram, Signal, and WhatsApp. While it may not intercept specific messages, the software can identify whether a person is using multiple phones, map their network of relationships by tracking interactions with others, and triangulate what phones have been at specific locations at a given time. It can even capture passwords entered on unencrypted websites, providing an in-depth view of internet activity.

One of Citadel’s subsidiaries, MFI Soft, has developed a tracking system offering a detailed overview of telecom subscribers’ internet traffic, including statistical breakdowns of this data, presented on a specialized control panel for use by regional F.S.B. officers. Another MFI Soft tool, NetBeholder, can map the locations of two phones over a day to deduce if they coincided, indicating a possible meeting between the users.

Even though the solution described above is feasible only on a global scale, through access to the infrastructure of a telecommunications operator, it serves as an excellent case study regarding architectural concepts of surveillance tools. It is also an example of a hardware backdoor capable of decoding the nature of network traffic and enhancing the correlation capabilities of various types of data, which are of great importance in authoritarian regimes for controlling society and its sentiments or intentions.

APT37 (RedGroup) focusing on Wiretapping functionality

The RedEyes (APT37) group, known for its meticulous and targeted attacks, focuses primarily on individuals such as defectors from North Korea, human rights advocates, and academics. Their primary area of operation is information theft, with recent instances revealing the use of an Infostealer, uniquely equipped to wiretap microphones. Despite South Korea’s strict regulations against unauthorized eavesdropping, the actors managed to persistently monitor their victims’ activities on their computers, resorting to wiretapping when necessary.

The group employed a GoLang backdoor to communicate commands, leveraging the Ably service. The necessary API key value for this communication was found stored in a GitHub repository. Given the nature of the key, anyone with access to it can subscribe to the threat actor’s channel, which revealed some of the commands the actor utilized during our analysis.

The employed Infostealer boasted a wide range of capabilities, from screen captures, data exfiltration from removable media devices and smartphones, to keylogging and, most notably, wiretapping.

This case exhibits a well-planned and skillfully executed attack flow, where the group utilized spear-phishing emails to penetrate targeted systems, and an Ably channel served as a command-and-control server. Such sophisticated attack patterns are difficult for an individual to detect.

This incident underscores the pervasive and increasingly sophisticated use of wiretapping by APT groups. It serves as another reminder of the expanding scope of data that such groups are targeting and exfiltrating from their victims. It’s an indicator that wiretapping is becoming an increasingly utilized and refined tool in the arsenal of such groups, raising further concern about individual privacy and the cybersecurity landscape.

Conclusion

Our investigation into invasive wiretapping techniques employed by state actors such as Russian intelligence services and APT groups backed by North Korea highlights a rapidly evolving threat landscape. These examples demonstrate how wiretapping, once a fixture of spy cinema, has emerged as a tangible, complex risk in today’s interconnected digital world.

Two particular techniques illuminate the potential reach and impact of such activities: the pervasive surveillance methods that infiltrate telecommunications infrastructures, and the precision-targeted information-stealing strategies utilized by sophisticated APT groups. Not only do these tactics spotlight the scale and severity of the threat, they also underscore the vast array of potential consequences.

Firstly, the ability to capture ambient noise or individual voices can facilitate the creation of deepfake voices, thereby increasing the risk of successful attacks against voice-authenticated services and Business Email Compromise (BEC) schemes.

Secondly, wiretapping broadens the scope of exfiltrated data by incorporating private conversations, significantly escalating reputational risks for senior personnel within organizations. Such recordings could serve as powerful bargaining chips in potential ransom situations.

Moreover, wiretapping can enhance the precision of spear-phishing campaigns, empowering attackers with personal information that could be used to trick employees into revealing sensitive information or credentials. It could also offer insider knowledge about an organization’s operations, strategic plans, or forthcoming projects, which could be exploited for corporate espionage or market disruption.

Despite the challenges posed by these sophisticated threats, it’s essential to highlight the limitations of wiretapping when pitted against modern cryptographic techniques. Encrypted messaging apps like WhatsApp and Signal rely on end-to-end encryption, ensuring the confidentiality of communication content. However, while the content of these communications remains secure, these systems do not protect against metadata analysis. Therefore, being able to determine who is communicating with whom, when, and how often can still offer valuable insights to an attacker.

The strength of these cryptographic systems rests heavily on effective key management. If attackers can gain access to encryption keys through strategies like malware or social engineering, they can bypass the encryption.

Therefore, our conclusions necessitate a “granular approach” to understanding and combating wiretapping. Recognizing wiretapping as a tool for user profiling rather than a breach of communication confidentiality is critical. It extends the possibility for data correlation but does not infringe on the content of communications.

In conclusion, wiretapping poses a multifaceted threat that extends beyond privacy concerns to corporate security and reputation management. As these tactics become more refined and widespread, it is crucial for organizations to proactively devise strategies to detect and counteract these threats. This encompasses technical measures like network monitoring and anomaly detection, as well as educational initiatives to heighten staff awareness about the risks and precautions related to wiretapping. As we navigate an ever-evolving threat landscape, a holistic approach that combines technical defenses, robust encryption practices, sound key management, and user education is paramount to effectively combat the multifaceted threat that wiretapping presents in the modern era.

Recommendation

To mitigate the risk of wiretapping in both Windows and Android systems, it’s crucial to control the permissions granted to applications. Users should regularly audit their installed applications, limiting access only to necessary data. Users should also utilize built-in privacy features, such as Windows’ privacy settings or Android’s “Incognito” mode, to prevent unwarranted access to personal data, including microphone and camera access. Additionally, to ensure device integrity, only applications from trusted sources, like the Microsoft Store or Google Play Store, should be installed, with attention paid to the developer’s reputation and user reviews. Regular updates to the operating system and applications ensure the incorporation of the latest security patches and fixes, protecting against potential vulnerabilities exploited by malicious actors. In larger organizations, centralized control via Microsoft Intune and Active Directory can efficiently manage and alter privacy and security settings, preventing unauthorized access to sensitive features and managing user and administrator access rights.