Police forces around the world are arresting more suspects of organized crime. They’re unsealing evidence gathered over the past two to three years via a private-messaging app, Anom (styled ΛNØM).
Agencies from at least 15 countries didn’t merely have a secret back door into the messaging service—they basically ran it. The idea came to them, as the Australian police like to put it, “over a couple of beers.”
This is madness. In this week’s Security Blogwatch, this is Sparta.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Marcus explains all.
Cops did WHAT?
What’s the craic? Joseph Cox reports—How the FBI Secretly Ran a Phone Network for Criminals:
For years the FBI has secretly run an encrypted communications app used by organized crime in order to surreptitiously collect its users' messages and monitor criminals' activity on a massive scale. … The elaborate operation netted more than 20 million messages from over 11,800 devices used by suspected criminals.
…
In 2018, the FBI arrested Vincent Ramos, the CEO of Phantom Secure, which provided custom, privacy-focused devices to organized criminals. In the wake of that arrest, a confidential human source (CHS) who previously sold phones on behalf of Phantom … was developing their own encrypted communications product. This CHS then "offered this next generation device … to the FBI to use in … investigations," the court document reads.
…
While criminals left Phantom, they flocked to other offerings. One of those was Anom … effectively operated [by] the FBI. … Messages include discussions around drug smuggling, corruption, and other high-level organized criminal activities.
It all started in Australia, where they called it Operation Ironside. Say g’day to Aussie-Aunty’s Alison Xiao—Australian Federal Police and FBI nab criminal underworld figures in worldwide sting:
As part of a three-year collaboration between the Australian Federal Police (AFP) and the … FBI, underworld figures were tricked into communicating via an encrypted app designed by police. Authorities say … they uncovered 21 murder plots and seized more than 3,000 kilograms of drugs and $45 million in cash and assets.
…
There have been arrests across 18 countries, including the United States, UK, Germany and New Zealand, with more expected. Police said the plan to use an encrypted app was hatched overseas over a few beers with FBI agents in 2018. … The AFP built a capability to access decrypted communications between customised mobile phones.
…
The app was unwittingly distributed by [a] fugitive Australian drug trafficker … after he was given a handset by undercover agents. [He] recommended the app to criminal associates who would purchase the handset pre-loaded with AN0M.
…
AFP Commissioner Reece Kershaw said … agents had been in the "back pockets" of criminals: … "The FBI had the lead on this. We provided the technical capability to decrypt those messages."
…
"Some of the best ideas come over a couple of beers."
How did it work? Catalin Cimpanu expandifies—FBI and Australian police ran an encrypted chat platform:
All data on the device was encrypted, and no phone number was required to use the app, which relayed all its messages via An0m’s central platform. … All An0m devices located outside the US were configured to send a blind carbon copy (BCC) of all their messages to a third-party XMPP bot, [which] would decrypt the messages and then re-encrypt them using encryption keys managed by the FBI.
…
It was mostly Australian authorities who reviewed these messages, due to jurisdiction issues, as it was easier for AFP officials to obtain all the necessary paperwork, and then pass the information to the US three times a week. … The scheme was so successful that a third unnamed country, believed to be in the EU, hosted another … server and helped sift through more than 26 million encrypted messages.
Officials initially relied on undercover agents to promote the An0m devices, but as law enforcement agencies shut down competing platforms, such as EncroChat and Sky ECC, criminal gangs found refuge on the network, which eventually amassed more than 12,000 users from 300+ criminal syndicates across 100+ countries.
Why reveal this now? A clue might be in this now-deleted blog post, by canyouguess67, indicating people might have started to notice:
Upon a visual display of … connections I was quite concerned to see the amount of IP addresses relating to … the 5 eyes Governments (Australia, USA, Canada, UK, NZ who share information with one another). … To make matters worse they were direct connections to the actual proxy servers etc giving me the ability to locate their remote offshore Romanian Server with an IP of 193.27.15.41.
In other, totally unrelated news, Iain Thomson notes Uncle Sam recovers 63.7 of 75 Bitcoins Colonial Pipeline paid to ransomware crew:
A ransom of about $5m or 75 BTC was paid to the Darkside crew behind the attack. It turns out the Feds were able to trace this payment through multiple transactions to "a specific address, for which the FBI has the 'private key',” the DoJ said.
…
How the FBI had this private key is not entirely clear. It could be that the Feds were able to gain access to a system hosting the key. It could be that someone gave them the key, or that the bureau got the key from them.
Hmm, could be. Or it could be a psychological operation, muses @aris_jewels:
I'm feeling like we're being psyoped from each side, I don't know who to trust anymore. Ironside, AN0M, … the "recovered" bitcoin, … possible black Swan events. Something is boiling behind the scenes.
Or, as gweihir suggests, there are other ways the feds could have cracked the wallet:
This is pretty easy if you have the "five eyes" support you:
1. Find the computer the wallet is on by large-scale network traffic analysis. Sounds impressive, but it is not. I have done this (in a research context) in the past.
2. Hack that computer. The NSA TAO may have risked a zero-day for that. More likely the computer had just shoddy security.
3. Change the wallet code to send you the key when opened.
4. Wait for anybody to log in and access the wallet.
And then you have the key.
And Alex Thorn—@intangiblecoins—adds color:
We looked on-chain & found a pattern that seems to show the funds ultimately flowed to a trading desk or exchange willing to comply with a US warrant. There’s no evidence of a bitcoin or bitcoin wallet security vulnerability. … This looks like a standard trace and trap with the illicit funds identified in the custody of a compliant party.
But back to Trojan Shield. Here’s cromka’s analysis:
Looking at the seal of the operation, [the] following countries participated in the operation: Canada, Australia, US, Sweden, The Netherlands, Lithuania, Finland, Hungary, Norway, Austria, UK, New Zealand, Estonia, … Germany, Denmark.
I expect this to be bigger than Panama Papers. Way bigger. I expect a few prominent politicians to be soon either arrested or "convinced" to step down. I expect the US to have gained a lot of intel and leverage over those from the countries who did NOT participate in this.
We will absolutely NOT learn about everything they discovered. CIA will and the respective intelligence agencies will.
Meanwhile, ukeandhike ain’t in awe of Aussie app algorithms: [You’re fired—Ed.]
Any sufficiently advanced crowbar is indistinguishable from magic.
The moral of the story?
Active threat response is key. How far will you go to root out bad actors?
And finally
MalwareTech bursts some bubbles
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.
This week’s zomgsauce: Alex Grant (cc:by)
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.