Cyber Week in Review: November 1, 2024

Six senators voice concerns to Biden Administration over new U.N. Cybercrime Convention

Six Democratic senators expressed major concerns over a new U.N. Cybercrime Convention on Tuesday in a public letter to Secretary of State Antony Blinken, Secretary of Commerce Gina Raimondo, Attorney General Merrick Garland, and National Security Adviser Jake Sullivan. The letter lays out a number of objections to the convention, arguing that the convention’s expansive definition of cybercrime would empower authoritarian regimes to crackdown on dissent worldwide; imperil the viability of several different encryption methods globally; and put security researchers, including those focused on cybersecurity, AI, and child safety, at risk through its lack of exemptions for good faith research. The convention has engendered pushback from an unusually broad coalition of civil society groups and companies in the United States and European Union, with more than a dozen organizations cosigning the senators’ letter, including the Cybersecurity Tech Accord, a trade organization that represents companies including Microsoft, Meta, and Oracle. Proponents of the treaty, which has been actively negotiated since 2019, argue that additional protections added during the negotiating process, such as narrowing the scope for the definition of cybercrime, are enough to overcome human rights concerns. The convention will come before the General Assembly as early as December, and it remains unclear whether the United States will shift its positioning in response to the many concerns that have been raised.

Russia targets Ukrainian conscripts with a dual espionage and influence campaign

Google Threat Intelligence Group released a report that lays out what it calls a “hybrid espionage and influence operation” as part of a campaign by Russian-backed hacker group UNC5812 to spread anti-mobilization content and malware in Ukraine. The campaign primarily operated from a Telegram channel and persona known as “Civil Defense;” that channel hosts a dedicated news section which highlights purported cases of unjust mobilization practices, and links to a similar website that ostensibly provides free software to track Ukrainian military recruiters. However, the software contains malware that enables attackers to gather a host of data from users’ systems, including information stored in web browsers, live location tracking, and individual keystrokes. Russian information warfare groups often release hacked materials as part of their information campaigns, but it is relatively rare to see them deploy malware within an active information campaign. Google said that the campaign also piggy-backed off of existing Ukrainian Telegram channels to expand its reach, including by paying an 80,000 member channel to promote “Civil Defense” content. Despite the relative novelty of the campaign, it is unclear how effective it was; Google said that much of the infrastructure used in the campaign, including the “Civil Defense” Telegram channel, were only registered weeks before they were detected and taken down by Google.

GitHub announces major additions to its Copilot tool

GitHub, a platform that hosts and manages code and allows developers to collaborate, announced this week that developers using its Copilot tool will be able to use generative AI models from Anthropic, Google, and OpenAI. Copilot is available across GitHub’s platform, and can provide users with autocomplete suggestions as they type out code, generate a description of changes to a given piece of code, and manage knowledge bases. GitHub—which is owned by Microsoft—rolled out Copilot in 2021 as one of the first outcomes of Microsoft’s more than $1 billion investment into OpenAI in 2019. GitHub also announced a new tool called Spark, which enables developers to code completely in natural language and allows more experienced developers to more easily compare versions of existing code. Spark and Copilot will make use of models developed by Anthropic and Google, Microsoft’s direct competitors in some areas of the market. The decision to allow its competitors’ models onto its platform appears to be part of a larger strategy for GitHub; GitHub CEO Thomas Dohmke during the announcement said, “it is clear the next phase of AI code generation will not only be defined by multi-model functionality, but by multi-model choice.”

Cyber Safety Review Board to investigate Salt Typhoon telecommunications cyberattack that targeted presidential candidates and their campaigns

The U.S. Cyber Safety Review Board (CSRB) plans to investigate how Chinese hacker group Salt Typhoon accessed the networks of several major U.S. telecommunications firms earlier this year. Salt Typhoon reportedly compromised systems used to comply with court-ordered wiretaps and used these systems to target former President Donald Trump, his running mate JD Vance, and associates of Vice President Kamala Harris’s campaign. It is currently unclear what kind of information Salt Typhoon was able to access through the attack. The CSRB has undertaken several investigations since it was formed in February 2022, including a Chinese threat actor’s intrusion into the emails of major U.S. government officials. The CSRB’s investigation of the breach of U.S. telecommunications infrastructure was unusually fast by its standards; previous investigations, including its email investigation, have been announced months after the initial compromise. Experts have previously called for Congress to grant the CSRB expanded powers and staffing, and for the CSRB to adopt a more transparent and methodical approach to investigating cybersecurity incidents. The CSRB has also previously appeared to shy away from investigating the event that inspired its creation, the SolarWinds hack, due to political sensitivities around the incident; this time, the board does not appear to be avoiding cybersecurity incidents which could be politically contentious.

China confirms detention of South Korean citizen on charges of semiconductor espionage

Chinese Ministry of Foreign Affairs representative Lin Jian confirmed Tuesday that the country had arrested a South Korean citizen under China’s expanded counterespionage law on accusations of leaking semiconductor information to South Korean authorities. China's counterespionage legislation originally passed in 2014. Last July, it was expanded to prohibit the transfer of any information related to national security, broadly-defined to include “work secrets.” Foreign nationals charged under the law are consistently convicted and have faced harsh sentences. The detainee is a former Samsung Electronics employee in his 50s who was an employee at ChangXin Memory Technologies (CXMT), a Chinese semiconductor company in Hefei, Anhui. He was taken from his residence in December and formally arrested in May. This arrest comes amid South Korean public concern over the outflow of South Korean semiconductor information to China. The South Korean government has also initiated investigations into the transfer of a memory semiconductor technology from Samsung Electronics to CXMT and arrested a former Samsung executive who attempted to emulate Samsung’s chip factory in Xi’an. The arrest of the South Korean national comes as relations between China and South Korea have deteriorated in recent years, and as China continues to build its domestic semiconductor industry in response to U.S. export controls; the detention also suggests that China may be prioritizing semiconductors—which it sees as a core national interest—ahead of worsening Sino-South Korean relations.

Maya Schmidt is the intern for Digital and Cyberspace Policy Program.