Robin’s Newsletter #230

13 November 2022. Volume 5, Issue 46
How Qatar hacked the World Cup. Calls for a law on 'failing to prevent fraud'. Australia's new offensive cybercrime team. Mistrust at a root CA.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

Project Merciless: ‘how Qatar hacked the World Cup’

  • Hundreds of critics of Qatar’s World Cup 2022 bid were targeted by ‘hackers for hire’ as part of a decade-long espionage and influence operation outsourced to Global Risk Advisors (GRA), a company run by former CIA operative Kevin Chalker.
  • Investigative journalists have obtained copies of proposals and reports showing the extent to which Qatari officials went to “protect the interests of Q22,” with the planned deployment of 66 operatives across five continents at a budget of $387 million. GRA documents referred to this as ‘Project Merciless’ and targeted FIFA and national football executives, lawyers and journalists. It’s a remarkable undertaking.
  • Amongst the private investigators, ‘diligence’ and intelligence firms sub-contracted by GRA is an Indian hacking group also targeted Formula One motor racing bosses, the president of Switzerland and then-UK chancellor Philip Hammond. The group operates as ‘WhiteInt’ and is headed by 31-year-old Aditya Jain, who works at Deloitte during the day. (I’d guess that probably will shortly no longer be the case…),

Lords call for an offence for ‘failing to prevent fraud’

  • A House of Lords report calls for UK legislation that would make it a criminal offence for “failure to prevent fraud”. Drawing parallels to health and safety regulations, which can lead to prosecutions and disqualification of company directors, the rules would apply to all sectors. However, big tech and telco companies are singled out in particular:

“Platform companies and telecom companies have basically skipped off without responsibility for the fact that many of their customers are first encountering fraud over their platforms and devices” — Baroness Nicky Morgan

  • Calls like this underline the importance for organisations to consider a broad range of threats and harms associated with their services, not just those to their business operations when threat modelling and conducting risk assessments.

Other newsy bits

  • Australia is establishing a new, permanent joint task force of the Australian Signals Directorate and Australian Federal Police to pursue ‘scumbag’ cybercriminals proactively. Home affairs minister Clare O’Neil confirmed that the group will be “offensively going to find these people, hunt them down and debilitate them before they can attack our country.” The move comes as cybercriminals began leaking medical data stolen during a recent attack, including treatments for substance abuse and abortions. Australian companies have been hit by a recent wave of high-profile attacks against companies such as Optus (vol. 5, iss. 39) and Medibank (vol. 5, iss. 44). @ClareONeilMP,

  • The US Department of Justice says it has made the largest crypto seizure ever from James Zhong, a fraudster who amassed the fortune by exploiting a ‘race condition’ in the Silk Road darkness marketplace. The 50,491 Bitcoin, worth over $3 billion at one point and $1.07 billion at today’s prices, were stored on a single-board computer hidden in a popcorn tin during a raid on Zhong’s home. Authorities also found over $660,000 in cash and gold and silver bars. Zhong, who pled guilty this week, will be sentenced in February 2023.

  • A couple of interesting counter-points to criticism that the ICRC’s proposal to add a ‘digital emblem’ — to signify protected systems much like medical facilities in war zones — is impractical because criminals inherently don’t respect rules. Firstly, this is more focused on cyber-warfare and preventing collateral damage from state-backed actions where there is, generally, greater respect for international norms. Perhaps it would have helped spare the NHS from the harms of WannaCry. Secondly, and perhaps more interestingly, Patrick Gray argued that it gives courts a leaver to be much harsher in sentencing cyber-criminals who do target protected systems.

  • Interesting read: Joseph Menn joins the dots between TrustCor, one of the Internet’s root certificate authorities and a registered address at a UPS Store in Toronto, with Packet Forensics, a company with ties to US defence and intelligence. Packet Forensics “designs and builds some of the world’s most sophisticated sensors for communications networks” for “active network defense, lawful intercept, communications policy enforcement or custom-tailored requirements,” according to their website. A root certificate authority would be handy in intercepting those communications but would be frowned upon by browser vendors. It wouldn’t surprise me to see TrustCor removed from their root CA lists.

In brief

Attacks, incidents & breaches

  • A new ransomware group called ‘Royal’ has allegedly compromised the UK’s Silverstone racing circuit.
  • Royal Mail’s Track & Trace parcel tracking website has been “temporarily unavailable” for over three days. It comes after last week’s issue with the firm’s Click & Collect service.

Threat intel

  • Cisco says that the decentralised web3 InterPlanetary File System (IPFS) is being used as ‘bulletproof hosting’ for malware payloads and phishing sites by cybercriminals.
  • Compromised WordPress sites are being used to boost search engine rankings of fake Q&A discussion forums according to Sucuri.
  • The ‘Prestige’ attacks against Polish and Ukrainian logistics firms (vol. 5, iss. 42) was conducted by Russia’s ‘Sandworm’ military intelligence unit, says Microsoft.


  • Security updates are available for three vulnerabilities in Citrix’s ADC and Gateway products, including a critical authentication bypass issue.
  • Microsoft has fixed six 0-day vulnerabilities, including the two high-severity, actively exploited bugs in Microsoft Exchange dubbed ProxyNotshell.
  • Three 9.8/10.0 vulnerabilities in VMware’s Workspace ONE Assist for Windows allow attackers to bypass authentication and gain administrator access to exposed devices.

Operational technology

  • High severity vulnerability in flow computers manufactured by ABB and used by oil and gas companies to manage flow rates.

Internet of Things

  • NFC-capable door entry systems manufactured by Aiphone do not prevent or log admin access attempts. This allows attackers to cycle through all 10,000 admin PIN combinations in minutes. The company’s devices are used on everything from apartment blocks to government buildings, and those manufactured before December 2021 cannot be fixed.


  • Changes to standards may be needed to prevent the ability to use ‘Wi-fi to see through walls’. The technique, pioneered by scientists at the University of Waterloo, Canada, uses a drone and response times to triangulate the position of wi-fi devices like laptops, smartwatches and security cameras.
  • A new report from the Pegasus Project claims EU governments used “spyware on their citizens for political purposes and to cover up corruption and criminal activity”.

Public policy

  • Reinsurance giant Swiss Re has called for “new sources of capital” and “public and private sector collaboration,” such as a government-backed fund, to mitigate cyber threats to critical infrastructure.
  • Anne Neuberger, White House deputy national security advisor, has called for a ‘nimbler’ NATO capability to respond to digital threats. Speaking at a meeting of the military alliance, Neuberger said that “[we] must be more nimble as an alliance … in providing direct, technical and necessary support if a country faces a significant disruptive attack.”

Law enforcement

  • Ramon ‘Ray Hushpuppi’ Abbas has been sentenced to 11 years for money laundering. The Nigerian cybercriminal admitted to conspiring to launder over $300 million over 18 months, ranging from business email compromise scams to North Korean attackers. Abbas documented his lavish lifestyle on Instagram, showing off exotic cars and expensive watches, before being arrested in Dubai in 2020.
  • A Russian operator of the LockBit ransomware was arrested in Canada last month.
  • US authorities have seized eighteen domains used to recruit money mules.

Mergers, acquisitions and investments

  • Compliance startup Laika has announced a $50 million Series C round to expand its platform functionality and go-to-market efforts.

And finally

Twitter chaos

  • Elon Musk’s decision to open up ‘blue checkmarks’ to anyone willing to pay $8/month may have contributed to wiping ‘billions’ off medicines company Eli Lilly after a spoof account tweeted the company was “excited to announced” that “insulin is free now”. It’s just one of many spoof accounts that have been giving that social network’s advertisers cause for concern. @faraelshmunov

  • Twitter has lost its CISO, as engineers are told that they will need to ‘self-certify’ compliance with an FTC mandate to “establish and maintain a comprehensive information security program” as part of a 2011 agreement over cyber security failings. The firm’s chief privacy and compliance officers have also jumped ship. One company lawyer is advising staff to seek whistleblower protection “if you feel uncomfortable about anything you’re being asked to do”, while media outlets struggle to get answers because apparently ‘Twitter no longer has a communications department’.,

  • Meanwhile, Twitter’s HR team sent an email to employees recently laid off… without putting everyone on BCC, becoming a “reply-all disaster”. @ZoeSchiffer

  • In a month, on 12th December, Twitter’s TLS certificate expires. Against this chaotic background, it will be interesting to see if anyone at the firm remembers — and knows! — how to renew it. @RTO


  Robin's Newsletter - Volume 5

  Qatar Fraud Australia Cybercrime Trust Certificates Twitter