Srsly Risky Biz: Thursday June 2
Who hacked the Xinjiang Police Files?
Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray, and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber, and founding corporate sponsors CyberCX and Proofpoint.
Xinjiang Police Files
Hacked documents released last week have shed light on the extent, brutality, and official government support for the PRC's oppression of its Uyghur population. Given the long history of states pretending to be hacktivists, we thought we'd examine the incident to see if there are any red flags a state might be behind the hack.
The documents, released as the Xinjiang Police Files, contain a range of different file types, including transcripts of not-for-publication speeches from Chinese officials, operational directives for police, detainee photos and personal records, and also internal police PowerPoint files. These files were provided to Dr. Adrian Zenz, Director in China Studies at the Victims of Communism Memorial Foundation and a leading researcher of China's Xinjiang re-education camps. Zenz stated on Twitter that the files were provided by an individual who got access "by hacking into Xinjiang police/re-education camp computers" in two separate counties. In a journal article, Zenz expands on how he acquired the files:
The Xinjiang Police Files were obtained by a third party from the outside through hacking into computer systems operated by the Public Security Bureau (PSB) of the counties of Konasheher (shufu xian 疏附县), located in Kashgar Prefecture, and Tekes (tekesi xian 特克斯县) in Ili Prefecture, both regions traditionally dominated by non-Han ethnic groups. The person who unexpectedly reached out to the author to provide the files acted on a solely individual basis, attached no conditions to their provision or publication, and wishes to remain anonymous due to personal safety concerns.
The files show Chinese leaders' direct involvement in the internment camps and show that they are prisons rather than education facilities. The BBC used the files to release a graphical news report on the Shufu County New Vocational Skills Education and Training Centre, just south of Kashgar in southern Xinjiang, which has 3,772 "students" guarded by over 366 police officers. The camp has watchtowers containing police officers armed with machine guns and sniper rifles, with orders to shoot to kill if its so-called students try to escape.
This newsletter previously examined the long history of state groups pretending to be hacktivists ("If it quacks like a hacktivist") and presented The Grugq's framework for assessing the authenticity of these groups. In short, this approach assesses whether a purported hacktivist group's technical and operational skill is consistent with its expressed political views. Inconsistency across code, capability, and politics is a red flag.
In this case, there is not much to go on. Other than providing the materials to Zenz, the person(s) responsible actively avoided expressing a political agenda, and there is no technical detail on how the hack occurred.
These aren't the first internal documents relating to human rights abuses in Xinjiang that have found their way into the hands of journalists or researchers. Zenz's journal article lists seven prior examples, although Zenz told VICE Motherboard, "this is the first hack that I know of". One leak that stood out to us was that of an internal database of the Urumqi City Public Security Bureau, which resulted in a 2021 story published in The Intercept. That one feels like it could be the result of a hack (it's the vibe of the thing, a database was stolen and not just a series of files), but The Intercept was not explicit about the source and had not responded to our queries at the time of publication.
There are elements to this affair that suggest a state actor is not responsible. The leaking of an entire database to journalists — from a state actor's perspective — might leave too much to chance. Why give a journalist data in a hard to interpret database rather than presenting an easy-to-digest story in simple documents? The leaking party loses control of both the exact message and also timing, which may be important if the leak is intended to influence other events.
Regardless, Zenz confirmed to Seriously Risky Business the Xinjiang Police Files were a hack and not a leak "obtained by external intrusion," but he is clearly awake to the possibility of being duped. His journal article notes a "malicious actor seeking to discredit research on this topic may leak falsified evidence on purpose", and it details the verification work he did.
In addition to Zenz's efforts, a consortium of 14 media companies also conducted extensive verification work, including analysis of the GPS metadata available in images, comparison with other OSINT resources, and even ringing phones to confirm that they belonged to camp police officers.
Where does that leave us? Without any red flags, we think the data probably does come from a hacktivist (unless Zenz is trying to protect an internal source by saying it is an external hacker to throw investigators off).
But even if the hacking was conducted by a state actor, the data is legit anyway. So wherever the files came from, they describe a human rights disaster.
Costa Rica Woes Continue
The Costa Rican Social Security Fund was struck by Hive ransomware this week, and Krebs on Security reports that the incident is affecting the national health service and medical centres are being forced to use manual processes. This comes just weeks after the Costa Rican President declared a national emergency following a mid-April Conti attack that cruelled many government services.
Cyber security company AdvIntel, as we reported last week, believes there is some sort of relationship between Hive and Conti that at the very least involves affiliates operating with both groups. Hive and Conti also have both listed victims in common on their websites, but Hive has denied any affiliation.
Clop Ramps Up
The Clop ransomware group suddenly added 21 new victims on their data leak site after being quiet from November through to February.
Universities Put On Watch
The FBI has warned the US education sector that college and university credentials are being offered for sale on criminal marketplaces. University attacks are already fairly common, so we don't think this alert is all that useful, but perhaps it explains why they are so common.
Arrested REvil Members Will Skate
Russian media reports the prosecution of REvil suspects arrested in January has stalled, with Russian prosecutors not receiving the material they need to press ahead from US law enforcement officials. CyberScoop has English-language coverage, which suggests that this may not indicate broader Russian policy but simply reflects the facts on the ground. Cyber security cooperation just stopped after the invasion of Ukraine. Regardless, we won't look to Russian law enforcement efforts to solve problems with ransomware.
Indian low-cost airline SpiceJet was affected by an "attempted ransomware attack" that left some passengers stranded for hours including many actually stuck in planes. In his newsletter, The Grugq pointed out:
The interesting thing is that passengers trapped on planes that can't take off are tweeting from the runway. They are directly engaging and putting pressure on the company. This is an interesting dynamic that hasn't been explored in cyber extortion. It opens new perspectives on possible ways to force a company to pay a ransom.
Oh. Great. A new way for ransomware crews to ratchet up the pressure.
A Microsoft Office 0day, which takes advantage of the Microsoft Support Diagnostic Tool (MSDT) is being actively exploited. Microsoft Word's remote template feature can be used to load HTML, which then calls MSDT to execute Powershell.
Exploitation in the wild dates back to April. This week Proofpoint reported a group linked to Chinese state interests is using it to target the international Tibetan community, and the ACSC says it is being used to target Australian organisations. Disclosure: Proofpoint is a corporate sponsor of this newsletter.
Kevin Beaumont has, as usual, been doing a bang-up job collating new information as it comes to light and also keeping Microsoft honest by pointing out its sometimes inconsistent behaviour. Beaumont notes, for example, that Microsoft initially said the bug was "not a security related issue," and also managed to recently fix very similar bugs in Teams but not Office. (He dubbed the bug Follina, btw, because the sample he had included the string "0438", the area code of Follina in Italy.)
Microsoft has issued guidance that recommends disabling the MSDT URL protocol, but a patch is not yet available at the time of writing.
Three Reasons to be Cheerful this Week:
60 million wins: Microsoft has announced plans to apply sensible security defaults to Azure customers who haven't applied them already. These defaults were introduced for new tenants in October 2019, but previous customers remained unprotected unless they explicitly enabled the features. Some interesting stats: This move will bring MFA to another 60 million accounts, and organisations with these protections experience 80% less compromise than the overall tenant population. Further coverage on Risky Business News.
SilverTerrier Head Arrested: On Wednesday, INTERPOL announced the Nigeria Police Force cybercrime unit had arrested a 37-year-old Nigerian man who is alleged to have run a Business Email Compromise gang, dubbed SilverTerrier by Palo Alto Networks. Interpol was assisted by a smattering of cyber security companies, including Palo Alto Networks, Group-IB, and Trend Micro.
A Minister for Cyber Security!: The recently-elected Australian government appointed the Hon Clare O'Neill MP to a new Cabinet-level Minister of Cyber Security position. This is a vast improvement over the previous arrangement where no government minister had "cyber security" in their job title. We do worry, however, about how much bandwidth O'Neill will be able to dedicate to the role as she is also Minister for Home Affairs.
Save Time with a Risky.Biz Product Demo
Risky Business is publishing sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors.
In our latest demo, Sergio Gonzalez shows Patrick Gray the ins and outs of Red Canary's Managed Detection and Response service.
You can subscribe to our product demo page on YouTube here.
Chinese Open Source is Not that Open
Gitee, a Chinese version of Github, has started to manually review code before it is made publicly available, with the MIT Technology Review reporting the company stating "it didn't have a choice". The suspicion, naturally enough, is that Gitee has fallen afoul of the Chinese government's need to censor information. As Catalin Cimpanu writes in the Risky Business News, "who else has the desire and power to force Gitee to do this?"
These types of companies are strategically important for both companies and countries. Microsoft spent USD$7.5bn to acquire GitHub, and the PRC government is likely concerned about its developer's dependence on the platform. Making Gitee much harder to use won't help it grow, though.
Do Svidaniya, Tor
Roskomnadzor, Russia's censorship agency, has used its Telegram channel to demand Google remove the Tor Browser Android App from the Russian version of the Play store. Risky Business News has this well-covered. Russia's internet clampdown continues apace.