18 Nov 2022
Judge tells hacked law firm to hand over some (but not all) client names

Good morning and welcome to The Cybersecurity 202! As someone watching “Murder, She Wrote” for the first time, I am reserving judgment on whether Jessica Fletcher is the most prolific serial killer in television history.

Below: Researchers uncover a backdoor in police and military radios, and lawyers want the name of the nation that aided an FBI operation. First:

Judge tells hacked law firm to hand over some client names

A federal judge ordered a hacked law firm to give a federal regulator a list of seven clients whose material nonpublic information may have been accessed by Chinese hackers.

But the judge also ruled that the regulator — the Securities and Exchange Commission — shouldn’t be able to get a list of nearly 300 other clients whose material nonpublic information the law firm found wasn’t accessed by the hackers.

“The court finds some merit to both parties’ positions, but ultimately holds that the SEC’s demand for the names of affected clients does not exceed its statutory authority or cross any constitutional lines,” U.S. District Judge Amit Mehta — a federal judge who also serves on the Foreign Intelligence Surveillance Court — wrote in his opinion. 

The Monday afternoon ruling is the latest development in a case that raises thorny questions about the role of cyber regulators, law firms, client secrets and the willingness of victims to report cyberattacks to the federal government. 

Adding to the drama, both the SEC and law firm Covington & Burling earlier this year signaled that they wouldn’t be happy with such a ruling, raising the odds that it could be appealed.

  • Covington & Burling spokesman David Schaefer told The Post in a statement that the firm is “appreciative of the Court’s thoughtful consideration of the fundamental principles at stake. We believed from the beginning that we had a duty to protect our clients’ confidential information and are grateful for the broad amicus support our position received from both the client community and the legal profession,” Schaefer said. He also said that the firm will “review the decision carefully and consider any next steps in consultation with our affected clients.”
  • The SEC declined to comment. 

The case originates with a hacking campaign disclosed by Microsoft in March 2021. Chinese hackers at the center of the cyberattacks caused havoc for victims around the world when they leveraged vulnerabilities in Microsoft’s email software.

Covington investigated and found that it was breached in November 2020. “State-sponsored” Chinese hackers focusing on a “small group of lawyers and advisors” were behind the attack, and they were “principally focused on state espionage to learn about policy issues of specific interest to China in light of the incoming Biden Administration,” Covington told the SEC in a letter.

After the SEC in early 2022 found out that Covington was hit, it eventually sent Covington a subpoena for nearly a dozen different types of documents. Covington said it couldn’t comply with one of the requests — a demand for records that could identify Covington clients or impacted public companies hit in the cyberattack.

That request is at the center of the dispute, and the SEC went to court over it.

Covington has argued that it has a duty to keep client names confidential. It has also said that the SEC’s demand for client names could damage relationships between law firms and clients, and could also disincentivize victims of hacks from turning to law firms.

It also warned — alongside other law firms and the Chamber of Commerce — that victims could be disincentivized from reporting hacks to the federal government. That’s a critical point because the U.S. government says it relies on voluntary cooperation from victims to understand the scope of hacks and respond.

In his opinion, Mehta didn’t disagree.

The policy concerns by Covington, other law firms and groups like the Chamber “are not unfounded,” Mehta wrote. 

“The SEC’s approach here could cause companies who experience cyberattacks to think twice before seeking legal advice from outside counsel,” Mehta wrote. “Law firms, too, very well might hesitate to report cyberattacks to avoid scrutiny of their clients.” But Mehta noted that “[t]he court’s role, however, is limited. Its task is only to assess whether the subpoena exceeds the SEC’s statutory authority or fails to meet minimum constitutional requirements. It is not to pass on the wisdom of the SEC’s investigative approach.”

The ruling and what’s next

Mehta’s ruling only requires Covington to “disclose the names of the seven clients as to whom it has not been able to rule out that the threat actor accessed material nonpublic information.” The SEC wanted a list of nearly 300 clients that also includes clients whose material nonpublic information Covington found wasn’t accessed.

“In the court’s estimation, the SEC has not made the case that it needs the names of the 291 clients whose material nonpublic information Covington has determined was not accessed,” Mehta wrote. “Those clients, by the SEC’s own admission, are not relevant to its investigation. Therefore, the court is not prepared to grant the SEC access to a client list of nearly 300 names when only seven are actually needed to satisfy the agency’s stated law enforcement interests.”

Mehta noted that the SEC argued that it couldn’t “independently verify” Covington’s accounting, but said that didn’t mean it should get the full list of names.

Neither Covington nor the SEC have said whether they plan to appeal the ruling. 

But a lawyer representing Covington, Theodore J. Boutrous Jr., said at a May 9 hearing that identifying even the seven clients whose material nonpublic information may have been breached — as Mehta eventually ordered them to do on Monday — would in some ways be worse than just having work-product protections, because it would reveal that their material nonpublic information was accessed.

Researchers uncover backdoor in police and military radios

Security researchers say they discovered an apparently deliberate backdoor in encrypted radios that police, military and critical infrastructure organizations use and that might have been there for decades, Joseph Cox reports for Motherboard.

“The flaw would let someone decrypt encrypted voice and data communications and send fraudulent messages to spread misinformation or redirect personnel and forces during critical times,” Kim Zetter writes for WIRED. It’s one of a set of flaws that Dutch researchers from Midnight Blue found in a European radio standard known as TETRA in 2021, but that they agreed not to disclose while manufacturers created fixes.

Here’s what others are saying about the development, from both stories:

  • An attacker could carry out “a trivial type of attack that fully breaks the algorithm,” Jos Wetzels, one of the researchers, told Cox. “That means an attacker can passively decrypt everything in almost real time. And it’s undetectable, if you do it passively, because you don’t need to do any weird interference stuff.” 
  • The chair of the technical body at ETSI responsible for the TETRA standard, Brian Murgatroyd, told Zetter it shouldn’t be called a backdoor because the algorithm was instead designed for commercial use that could meet non-European export requirements. 
  • Matthew Green, a Johns Hopkins University professor and cryptographer, told Zetter that the weakness is a “disaster,” and added, “I wouldn’t say it’s equivalent to using no encryption, but it’s really bad.”

The researchers are calling the vulnerabilities TETRA:BURST and have built a website devoted to them.

Jack Smith’s office probing 2020 meeting where Trump praised election security measures

Special counsel Jack Smith’s office asked former officials to provide information on a February 2020 Oval Office meeting where former president Donald Trump “touted his administration’s work to expand the use of paper ballots and support security audits of vote tallies,” Sean Lyngaas, Kylie Atwood, Zachary Cohen and Evan Perez write for CNN, citing people familiar with the matter.

They write: “Trump was so encouraged by federal efforts to protect election systems that he suggested the FBI and Department of Homeland Security hold a press conference to take credit for the work, four people familiar with the meeting told CNN.”

  • Those remarks contrast with the voter fraud conspiracy theories that Trump often spoke of just weeks later, according to the report. 

The investigators appear to be interested in Trump’s understanding of election security efforts before he began campaigning against their integrity. “Smith’s office has in recent months interviewed multiple former US officials with knowledge of the February 2020 Oval Office briefing,” CNN says, citing sources, though “not everyone who attended the meeting and has talked to the special counsel was asked about it.”

  • Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, has been interviewed by Smith’s team, the New York Times reported in May.
  • As our colleagues recently reported, Mark Meadows, Trump’s last White House chief of staff, joked about the president’s baseless election claims just before participating in a phone call where Trump claimed some 5,000 dead voters were in Georgia and said the results in the state should be overturned.

Defense lawyers urge judge to reveal nation that aided FBI in global encrypted phone operation

A group of defense lawyers is asking a judge to reveal the nation that aided the FBI in a secretly run operation dubbed “Anom” that used encrypted phones to target criminals around the world, Joseph Cox reports for Motherboard.

Cox writes: “The news provides the first substantial legal challenge in the U.S. to the FBI’s operation of its tech company, which resulted in the arrest of more than a thousand alleged criminals, tons of drugs, and over a hundred weapons.”

  • The Anom enterprise was an FBI-run service that allowed the agency to track criminals’ communications under the radar. The Justice Department has previously said the network grew to around 12,000 devices in over 100 countries and impacted over 300 criminal organizations.
  • U.S. and Australian intelligence agencies began publicly unveiling the Anom operation about two years ago, though the operation also enlisted an unnamed third country in the European Union that collected Anom messages and relayed them back to the United States, Cox writes.

The lawyers’ motion filed in the Southern District of California “focuses solely on the documents and information in the government’s possession related to its use of an unknown third-party country to obtain the evidence in this case,” the motion’s text reads. 

This is not the first time the information has been requested by defense lawyers, according to the report. A complete understanding of the nations involved in the message transfers is essential for crafting legal defenses, the current lawyers claim. 

‘Evolving’ CISA program helped agencies quickly respond to recent cyber incidents (Nextgov/FCW)

Investigations are causing data breach costs to skyrocket, IBM finds (Cybersecurity Dive)

‘Operation Cookie Monster’: Dutch arrest their most-wanted suspect in cyber case (Reuters)

Norway says Ivanti zero-day was used to hack govt IT systems (Bleeping Computer)

EU governments reject requiring manufacturers to report vulnerabilities to central cyber agency (The Record)

Internet restrictions have affected 4.2 billion people so far this year (Axios)

Email scammers said to send money. An Atlanta suburb’s government lost nearly $800,000 (Associated Press)

Lazarus hackers hijack Microsoft IIS servers to spread malware (Bleeping Computer)

Quinn Emanuel reports cyber attack involving ‘limited’ client data (Reuters)

Italian asset manager Azimut targeted by BlackCat hackers (Reuters)

Spyhide stalkerware is spying on tens of thousands of phones (TechCrunch)

Effort to curb police use of Google data stalls as California lawmakers struggle to shield abortion seekers (Los Angeles Times)

  • FCC Chair Jessica Rosenworcel speaks at a Center for Strategic and International Studies event on 5G spectrum security at 2 p.m.
  • The Senate Homeland Security Committee considers a pair of cybersecurity bills focusing on cyber modernization and workforce tomorrow at 9 a.m.
  • DHS Secretary Alejandro Mayorkas testifies to the House Judiciary Committee tomorrow at 10 a.m.
  • The SEC considers a cybersecurity governance item tomorrow at 10 a.m.
  • The Hudson Institute holds an event on U.S. space and national security tomorrow at 2 p.m.
  • The Institute of World Politics holds a seminar on cyber intelligence tomorrow at 6 p.m.

Thanks for reading. See you tomorrow.