Pegasus and China-sponsored hacking cause alarm across media industry

20 July 2021

This week’s revelations about the scale of infiltration of mobile phones used by journalists – including those working for a range of AIB Member companies – together with further intelligence about China’s cyber attacks on US companies, including Microsoft Exchange systems, have sent shockwaves through the media and cyber security industries.

According to reports in the UK’s Guardian and the US Washington Post, the spread of Pegasus spyware has infiltrated the mobile phones of thousands of journalists, activists and lawyers, notably those involved in human rights cases. Journalists working for AIB Members Al Jazeera, Bloomberg and France 24, as well as Agence France-Presse, The Wall Street Journal, CNN, The New York Times, El Pais, the Associated Press, Financial Times, Le Monde, The Economist, and Reuters, were targeted by the Pegasus spyware, The Guardian reported.

The phone numbers of the affected phones were leaked to Amnesty International, which worked with Forbidden Stories, a not-for-profit Paris-based journalism organisation. Amnesty has verified hundreds of the numbers, tracing them to their users.

The AIB reported on the first Pegasus revelations in December 2020. The scale of the spyware infiltration had not been realised at that point.

This incident, and its scale, demonstrates the need for constant vigilance by everyone working in media organisations. The threats are real and immediate, which is why the AIB is involved in urgent, wide-scale research into the vulnerabilities that exist within the Internet of Things (IoT) that can be harnessed by malign actors. This work is being undertaken by the AIB’s research assistant, a Doctoral student at the University of Oxford, and will be provided to all AIB Members in order to help them better protect their organisations and staff from the increasing number of attacks being perpetrated. We have received input from a large number of AIB Members to assist in this work, including workflows and other data that will inform this major, important research project. Contact the AIB Secretariat to discuss how your organisation can get involved, or benefit from the work.

Separately, the US Cybersecurity and Infrastructure Security Agency (CISA) has provided background and support in connection with the Chinese cyber threat that has hit critical infrastructure in the USA and elsewhere in the world. CISA has published a Current Activity notice regarding the U.S. Government’s release of an indictment and several advisories detailing Chinese cyber threat activity.

CISA reports that it, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have observed increasingly sophisticated Chinese state-sponsored activity targeting U.S. political, economic, military, educational, and critical infrastructure personnel and organisations. In response:

CISA also encourages users and administrators to review the blog post, Safeguarding Critical Infrastructure against Threats from the People’s Republic of China, by CISA Executive Assistant Director Eric Goldstein and the China Cyber Threat Overview and Advisories webpage.

The UK’s National Cyber Security Centre has also published details of the UK’s response to the Chinese threat. Its release says:

The UK has revealed that Chinese state-backed actors were responsible for gaining access to computer networks around the world via Microsoft Exchange servers. The NCSC assessed that it was highly likely that a group known as HAFNIUM, which is associated with the Chinese state, was responsible for the activity.

The NCSC recommends following vendor best practice advice in the mitigation of vulnerabilities, and any organisations which have yet to install security updates released for Microsoft Exchange servers should do so. More information can be found on Microsoft’s website: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/

The attack on Microsoft Exchange software was highly likely to enable large-scale espionage, including acquiring personally identifiable information and intellectual property. It is the most significant and widespread cyber intrusion against the UK and allies uncovered to date.

The UK is also attributing to the Chinese Ministry of State Security the activity known in open source as “APT40” and “APT31”. Activity relating to APT40 included the targeting of maritime industries and naval defence contractors in the US and Europe, and for APT31 the targeting of government entities, including the Finnish parliament in 2020.

The NCSC statement is available on its website: https://www.ncsc.gov.uk/news/uk-allies-hold-chinese-state-responsible-for-pervasive-pattern-of-hacking

The UK Foreign Secretary’s statement is available at: https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking

David Kaye, former UN Special Rapporteur on freedom of expression, and Marietje Schaake, International Policy Director at Stanford University’s Cyber Policy Centre, have written an op-ed piece in The Washington Post. It is behind a paywall, although a limited number of articles are available free of charge each month. David Kaye was one of the key contributors to the AIB/PMA Media Freedom Summit held earlier this year, which brought together senior executives of broadcasters globally to discuss the challenges posed by media freedom infringements.