SJUK Exclusive: Novel cyber threat – is mobile device the answer?

September 16, 2022

As cybercrime becomes ever more sophisticated the answer may lie in apps, argues Philip Ingram MBE.

When it comes to cyber threats, the different types have almost become part of everyday language, and certainly part of the lexicon of security professionals.

DDoS, ransomware, phishing, vishing, zero-day exploits and more lead to loss of data, ransom payments, potential GDPR implications and, of course, the greatest damage of all, loss of reputation.

We hear it is often difficult to attribute blame for attacks, but certain types carry the signature of a cybercrime group, especially if ransomware is involved; others come from known nation-state Advanced Persistent Threats, or APTs; and the rest must fall into the script kiddie, the hacker in a hoodie, category.

What people fail to ask is why they are potential targets, which often answers who is potentially responsible and then what they are likely after. The major threat actors are nation states and organised criminal groups, which in turn are often linked back to nation states, and both are referred to by the cyber security giant Mandiant as APTs.

APTs can be split by country and target focus. For example, there are at least 16 Chinese APTs, with APT1 and APT2 being People's Liberation Army (PLA) Unit 61398 and PLA Unit 61486, respectively.

Military technologies

APT1, based in Shanghai, targets mainly US businesses and intellectual property and is known to use targeted malware. APT2 uses spear phishing and remote access tools to target technology companies in the US, Europe and Japan, and has a particular interest in military technologies. The main targets for Chinese APTs are economic: anything that will allow China to gain some form of economic advantage.

Russia has at least seven APTs, Iran five and North Korea three. These three countries all have different target sets. Two of the Russian groups are part of its military, focused on military secrets and disinformation.

The rest are organised crime groups structured and run like major businesses, with elements spread internationally. Their ‘business’ HQ is based in Russia, as it is almost impossible for them to be extradited for what they do, and by paying an unofficial ‘tax’ and at times doing the bidding of the Russian government, a blind eye is turned to their very lucrative criminal enterprise.

Iran is very much focused on military targets and critical national infrastructure targets in the Middle East, but they do try elsewhere. Saudi Arabia and Israel are big targets for Iranian APTs.

North Korea is interesting: its primary want is cryptocurrency, or other international currencies if it can get them. However, if we remember the WannaCry ransomware attack of 2017 that was attributed to North Korea, it is distinctly possible that they were being used as a plausibly deniable outlet for a Chinese attack.

Russia uses North Korea like that as well, as the only two internet pipes in and out of North Korea are supplied by China and Russia, with the Russian pipe having the higher bandwidth of the two.

So, thinking from a threat perspective is the first novel issue; the second is the threat from apps, especially apps that go viral on app stores.

There are two questions to bound the possible risk. Does anyone know the source and developers of every app on their phone, tablet or desktop? And has anyone read the privacy statement associated with the app before allowing it to be installed on their device? I would argue that close to 100% will answer no to both those questions.

Keynote speaking

By way of an illustration of what could happen, I use an example I brief internationally whilst keynote speaking. It is about Pokémon Go, the monster-chasing game that went viral a few years ago. I chose it not because I have any evidence it is used for nefarious activities, as I don’t, but because the story highlights a potential risk and clear potential indicators.

In 2001, a company called Keyhole Inc. was founded by John Hanke, whose first job out of college was in a foreign affairs position within the U.S. government before he moved into the technology industry. Keyhole was an interesting choice of name, as “Keyhole” is a homage to the KH reconnaissance satellites, the original eye-in-the-sky military reconnaissance system, now some 50 years old.

Keyhole Inc. was a pioneering software development company specialising in geospatial data visualisation applications; it was acquired by Google in 2004 for $35m. It was initially launched as a spin-off from a company called Intrinsic Graphics, with initial funding from a variety of sources including a company called In-Q-Tel.

The name Keyhole, combined with In-Q-Tel’s involvement, starts to make the history of Pokémon Go very interesting indeed. In-Q-Tel was widely billed as the venture capital arm of the CIA, and most of the funds it used for its venture with Keyhole came from the National Geospatial-Intelligence Agency (NGA).

The link between Keyhole and In-Q-Tel was not as sinister as it could first seem once you understand the project Keyhole was working on. It was called Earth Viewer, which later became the widely used open-source mapping and imagery tool Google Earth when Google acquired Keyhole in 2004.

However, in 2010, the company behind Pokémon Go was founded by Keyhole’s founder, John Hanke. At launch the initial game was free, which meant it quickly went viral across the globe. However, if something is free, then you are the commodity, or more accurately your data is. So, on launch, if we look at the data the game could access on any device, we get a list of what you have just allowed the app to access when you click install and accept the terms. In essence, at launch, it allowed the game to access everything on the device: emails, text messages, photos, browsing history, contact lists, location, everything.
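The practical check behind that paragraph is to read what an app declares it wants before you accept the terms. The following is an added example, not code from the article or from any app vendor: it parses an Android manifest, lists the permissions the app declares, flags those Android classes as "dangerous" (the runtime permissions that expose contacts, SMS, location, storage, camera and microphone), and reports which of those go beyond what the app's stated purpose needs. The manifest is a constructed sample for a fictional location-based game, not any real app's manifest, and the dangerous-permission table is a hand-picked subset of Android's real permission names, not the full list.

```python
import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of Android's runtime ("dangerous") permissions, mapped to the kind of
# personal data each one exposes. Hand-picked for illustration; the full list is
# in the Android developer documentation.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contact lists",
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_EXTERNAL_STORAGE": "photos and files",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_PHONE_STATE": "phone identity and state",
}

# Constructed sample manifest for a fictional location-based game
# (package name and permission set are made up for this example).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.monstergame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the sorted, de-duplicated permission names from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(f"{{{ANDROID_NS}}}name")  # Clark notation for android:name
        if name:
            names.add(name)
    return sorted(names)


def audit_permissions(manifest_xml):
    """Split declared permissions into dangerous ones (with the data they expose) and the rest."""
    dangerous = {}
    normal = []
    for name in declared_permissions(manifest_xml):
        if name in DANGEROUS_PERMISSIONS:
            dangerous[name] = DANGEROUS_PERMISSIONS[name]
        else:
            normal.append(name)
    return {"dangerous": dangerous, "normal": normal}


def unexpected_permissions(manifest_xml, expected):
    """Dangerous permissions the app declares that its stated purpose does not justify.

    `expected` is the set of dangerous permissions the reviewer judges the app
    legitimately needs; anything dangerous outside that set is returned, sorted.
    """
    result = audit_permissions(manifest_xml)
    return sorted(name for name in result["dangerous"] if name not in expected)


def report(manifest_xml, expected):
    """Human-readable summary of the audit."""
    result = audit_permissions(manifest_xml)
    lines = []
    for name, data in sorted(result["dangerous"].items()):
        flag = "" if name in expected else "  (not needed for stated purpose)"
        lines.append(f"DANGEROUS  {name} -> {data}{flag}")
    for name in result["normal"]:
        lines.append(f"normal     {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    # A location-based camera game plausibly needs location and camera; contacts and SMS it does not.
    needed = {"android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA"}
    print(report(SAMPLE_MANIFEST, needed))
```

In use, the manifest is extracted from the APK first (tools such as `aapt` can dump it), and the `expected` set is the reviewer's judgement of what the app's advertised function needs; the point of the check is that a game asking for contacts and text messages has a permission set that its purpose does not explain, which is exactly the indicator the article is describing.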

Legal authority to access

Next, looking at the terms and conditions to see what was being done with all of this data, the line “we may transfer your (or your authorized child’s) PII to the United States and process it there” was worrying, as the US Foreign Intelligence Surveillance Act, together with the US Patriot Act, gave US intelligence legal authority to access all of that data.

A parliamentary committee has just called for Parliament’s TikTok account to be deleted following privacy concerns.

Brendan Carr, the commissioner of the FCC (Federal Communications Commission), called on the CEOs of Apple and Google to remove TikTok from their app stores. In a letter dated June 24, 2022, Carr told Tim Cook and Sundar Pichai that “TikTok poses an unacceptable national security risk due to its extensive data harvesting being combined with Beijing’s apparently unchecked access to that sensitive data.”

His letter went on to draw links to the Chinese Communist Party, to ask what happens with the data, and to ask whether the app could be a sophisticated surveillance tool.

The answer is that both apps could be sophisticated surveillance tools, and the question is how many others could be the same. We need to look at app and mobile device security more closely.

This article was originally published in the September 2022 edition of Security Journal UK.