January. The month also known as the time of the year where most of the Great New Year’s Resolutions come to die. However, I’m sure that giving kudos to great threat intelligence analysts and reporters is a resolution that the Photon Team will not give up in the next months. That’s why here’s the first chapter of 2022 of the What We’re Reading This Month blog series. This time, our team discusses zero trust architecture, spyware targeting El Salvador, and the use of cyber operations in the Ukrainian-Russian tense situation. Enjoy!

Trust in the Zero-Trust era

Nothing gets me more riled up than discourse about cyber-security issues, especially regarding public policies and strategies towards fostering a more conducive stage we operate in today. Imagine my excitement when the Jan/Feb copy of Foreign Affairs reached my mailbox. For the first two months of 2022, turmoil and partnership within the cyberspace are the publication’s focal point. I honed in on Jacquelyn Schneider’s contribution titled “A World Without Trust”  

In her article, Schneider attested to the need for trust, especially towards building the prosperous digital world that we live in today. In the cyberspace, trust has severely been eroded since cyber attacks, and cyber threats have demonstrated the catastrophe they can bring with a single point of failure. Events, such as DarkSide’s attack on Colonial Pipeline and the supply-chain attack leveraging SolarWinds, have put out in full view how easily the foundation of economies—not just digital ones—can be threatened with an exploit, or, god forbid, a weak password.

Attempts to fix the risks and threats of operating in the cyberspace have primarily been fixated on ensuring zero cyber attacks. This may not be the appropriate mindset in a world where cyber attacks are inevitable. Poor defenses can undoubtedly lead to network intrusions. Still, oftentimes cyber attacks have also occurred because of how the targeted systems were developed and operated (legacy systems, anyone?). Instead of obsessing over whether we can stop cyber attacks completely, Schneider urges us to channel those energy into building systems resilient to impending attacks. Such tenacity also extends to human resources – fostering trust between people and communities, citizens and their countries, and global powers with other nations. 

We live in a world rife with conjecture and skepticism. But as Robert Putnam believed, trust is the basic ingredient in social capital; there is no better way to sum up Schneider’s proposed strategy than the Russian proverb “Доверяй, но проверяй” (trust, but verify), a likely nod to what we extol with the Zero-Trust network architecture. 

Read more about it here. Music pairing: M83 – Midnight City, Florence + The Machine – Shake It Out

Byline: Xue Yin Peh 

Operation Torogoz: Pegasus targeting within El Salvador 

One thing that caught my eye this month was a report on “Operation Torogoz”, which detailed extensive use of the infamous Pegasys malware to surveil media and civil society with El Salvador. Targets included journalists at Salvadoran news outlets and two independent journalists. Pegasus is an advanced spyware targeting mobile devices that has a raft of capabilities to enable 24-hour surveillance; it can copy messages you send or receive, harvest your photos and record your calls. Pegasys might secretly film you through your phone’s camera or activate the microphone to record your conversations. If that’s not enough, itt can also pinpoint where you are, where you’ve been, and who you could have met. 

For obvious reasons, Pegasus has long been associated with espionage activities, and its adopters have often been nations linked with authoritarianism or questionable human rights records. Developed by Israeli company NSO Group, Pegasus has been used to target several high-profile journalists, activists, and diplomatic figures in recent years, including prominent journalist and Saudi critic Jamal Khashoggi, who was murdered in 2018. The latest name on this long rap sheet is El Salvador, with the activity reportedly aimed against 35 members of the Salvadorian media and civil society. As commonly seen across central America, El Salvador has a troubled past, often dictated by civil wars, crime and narcotics issues, and associations to corruption and authoritarianism. 

El Salvador is also a particularly interesting country when you look at its current President, 40-year-old Nayib Bukele, a charismatic individual with a big social media presence and a particular enthusiasm for all things Bitcoin. Recently, El Salvador spent USD 15 million buying 410 Bitcoin during its recent drop in price (Rule 1 of crypto investing, buy the dip). Bukele has also announced plans for El Salvador to generate bitcoin mining using geothermal energy from a Salvadorian volcano, which would be used to fund a tax-free city on the Salvadorian coast (yes, you read that correctly). El Salvador also became the first country to accept Bitcoin as legal tender in September 2021. Some have suggested that Bukele’s appeal largely comes from embodying several traditional strongman archetypes while building a modern brand via social media. An intriguing figure nonetheless, which you don’t always see in the political world. 

Nayib Bukele: A strong proponent of BTFD


So what happened to these targeted individuals and who was it conducted by? The targeted individuals mostly belonged to the media class within El Salvador, which has a long history of providing robust and critical coverage of the El Salvadorian regime. Verbal attacks and threats against the press are commonplace, both by Bukele himself and also in other cases by state ministers and legislators. Regarding press freedom, the country ranks poorly, and journalists have regularly been banned from attending government conferences if they are viewed as critical to the regime. The researchers have concluded that while there is no technical proof to link to the Salvadorian regime, they believe a range of circumstantial evidence indicates that they are most likely to be responsible. This includes the country-specific focus of the Pegasus infections and the timing of the targeted individuals working on projects of great importance to the Salvadorian government. 

Byline: Chris Morgan

Cyber Operations Targeting Ukrainian May Spiral Out of Control

The International Relations nerd living inside of me couldn’t help but shiver at the thought of what’s been happening along the Ukrainian border in the past weeks. The troop build-up is at its highest in years and it’s spurring fears of an imminent Russian invasion. Images of Russian tanks and troops being deployed to the nation’s border with Ukraine are jamming my Twitter feed, dominating the news cycle, and threatening to destabilize the balance of peace and power on European soil.

MIT Technology Review’s senior cybersecurity editor Patrick Owell O’Neil does a great job at describing how cyber operations have already begun to cause serious disruptions to Russia’sadversaries. One of the most critical examples is the recent defacement attack targeting multiple Ukrainian government websites. This attack caused these websites to halt operations, and installed a wiper in their networks. Although attribution efforts are still ongoing to determine who was behind this attack, it is likely that Russian state-encouraged threat actors conducted it. 

Attacks such as the one just mentioned are not aiming to provoke a military response.. However, these cyber operations are mostly psychological operations and “they corrode institutions, they make us look insecure, and they make governments look weak”, as stated by John Hultquist, head of intelligence for Mandiant.  

Understanding the game Moscow is playing is a daunting task – and one that may not bear any firm answers. Although these attacks do not intend to escalate military tensions, it is possible that they could spiral out of control and cause significant, unintended damage. This represents a significant risk for anyone indulging in offensive operations, let alone cyber attacks that happen in a borderless and often unregulated dimension. 

Cyber operations are increasingly marking the initial phases of geopolitical conflicts and should as such be closely monitored when analyzing broader international relations tensions. The growing cyber activity surrounding the Russian-Ukrainian conflict should be interpreted as a potential sign of an imminent attack. However, every intelligence analyst gets an assessment wrong every now and then – and I couldn’t be more hopeful that this is the case for me.

Read more about it here

Bonus shameless plug: The ShadowTalk episode where we discussed the aforementioned defacement attacks, the REvil arrests, and what those could mean for the broader threat landscape.

Byline: Stefano De Blasi 

The Digital Shadows (now ReliaQuest) Difference

This is the stuff us analysts love to do: Researching and learning more about the myriad threats out there, and contextualizing them with the world around us. We love cyber threat intelligence!

Find out more about the intelligence we provide in SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) with a 7-day test drive, or contact us to schedule a demo to learn more about your use cases and how intelligence might make a difference for you.