A Russian hacking group, believed to be working on behalf of Russian intelligence, has been targeting politicians, journalists, military and former intelligence officers for at least the past seven years.
In May this year, the group secured one of its greatest successes by publicly compromising emails and documents from Richard Dearlove, a top British spy chief and former head of MI6, and more than 60 others, in a secretive network of right-wing activists set up in 1988 to campaign for a hard Brexit.
Computer Weekly, with the assistance of a grant from the Association of British Science Writers, has been able to systematically analyse the leaked emails, which reveal how the group tried to influence government policy on Chinese technology, satellites, vaccines and Covid. We present the first two stories in a series here.
Meanwhile, the courts have continued to grapple with the legal implications of a novel hacking operation against encrypted phone network EncroChat, which has led to hundreds of arrests of organised criminals in the UK.
Courts in multiple countries are addressing legal questions over whether millions of messages harvested from EncroChat can be lawfully used in evidence. In the UK, the Investigatory Powers Tribunal is considering whether the UK’s National Crime Agency acted with proper candour when it applied for a Targeted Equipment Interference warrant that would allow EncroChat evidence to be cited in court. The verdict could affect hundreds of prosecutions.
Europol co-ordinated the EncroChat hacking operation. MEPs voted to give it new powers to collect and process data on European citizens from telephone, internet, social media and other sources. The vote overturned an order by the European Data Protection Supervisor (EDPS) requiring Europol to delete huge amounts of previously unlawfully gathered data, including data on people not suspected of any crime.
Computer Weekly also reported on government pressure to weaken the protection offered by end-to-end encryption, to better police terrorism and child abuse. The proposals have been criticised by the Information Commissioner’s Office for failing to recognise the value of encryption for security, and by academics as “magical thinking” which is unlikely to achieve its aims.
A series of stories also revealed the apparently common practice by NHS trusts to delete the email accounts of former employees even though they are likely to contain important evidence that should be disclosed to employment tribunals brought by doctors and nurses who have blown the whistle on poor patient care.
1. MI6 chief’s hacked emails attacked MI5 and betrayed British spy operations in China
Emails published by Russian hackers and systematically analysed by Computer Weekly reveal that in January 2020, the former “C” (chief of the Secret Intelligence Service, MI6), Richard Dearlove, linked up with hard-Brexit campaigners and White House lobbyists to send a threat-laden briefing to 10 Downing Street warning about telecoms company Huawei.
Dearlove’s report revealed the names of three “retired senior SIS officers” who he said were the “leading experts on Chinese intelligence”, and who had run agents while working as diplomats in China.
“[They] all speak fluent Mandarin, have all served in Beijing, have all been involved in the running of penetration cases of the MSS [Ministry of State Security] and PLA [People’s Liberation Army],” he wrote. “Their cumulative knowledge of the realities of China’s attitude to the exploitation of intelligence collection opportunities is unparalleled.”
Computer Weekly has withheld the MI6 identities revealed by Dearlove. Their CVs reveal their work in the diplomatic service, a standard cover role for intelligence officers.
2. How Russian intelligence hacked the encrypted emails of former MI6 boss Richard Dearlove
A Russian cyber attack group has been targeting politicians, journalists, and military and intelligence officials across Britain and Europe for at least seven years, and may have stockpiled access to and data from target computers and phones for future operations, according to data analysed by Computer Weekly.
The group’s greatest success to date has been to publicly compromise emails and documents from Richard Dearlove, a top British spy chief and former head of MI6, as well as more than 60 others, in a secretive network of right-wing activists set up in 1988 to campaign for an extreme separation of Britain from the European Union. Dearlove was chief of the UK Secret Intelligence Service (SIS) from 1999 to 2004, holding the post immortalised in James Bond films and fiction as “M” – although in real life the role is known as “C”.
3. NCA ‘deliberately concealed’ information when it applied for EncroChat warrants, tribunal hears
The National Crime Agency “deliberately concealed” information when it applied for a warrant to access hundreds of thousands of intercepted messages and photographs from the EncroChat encrypted mobile network, a court has heard.
The claim was made during the first day of a hearing by the Investigatory Powers Tribunal (IPT), Britain’s most secret court, in a case that is likely to have significant ramifications for the use of intercept evidence in criminal prosecutions.
But lawyers representing defendants claim the NCA did not give the independent judge – known as a judicial commissioner – who authorised the NCA’s surveillance warrant, a full explanation of the basis of its understanding of how the French hacking operation worked.
The court heard that the NCA had decided it wanted a Targeted Equipment Interference (TEI) warrant – the only warrant that would allow messages and images intercepted from EncroChat to be used as evidence in court.
“The NCA started with the result they wanted and tried to fit that into the Investigatory Powers Act. They wanted a TEI and nothing else,” a barrister acting for complainants told the court. “Their motive was understandable. They wanted to make the intercept available in court.”
4. Police EncroChat cryptophone hacking implant did not work properly and frequently failed
A surveillance operation that covertly harvested text messages from an encrypted phone network allegedly used by criminals and drug dealers relied on technology that frequently failed and often stopped working.
A senior technical officer at the National Crime Agency (NCA) disclosed to the Old Bailey that French-designed software implants used to extract supposedly encrypted text messages from the EncroChat cryptophone network were unreliable.
Luke Shrimpton, senior technical officer at the NCA, and forensic expert Duncan Campbell disclosed in a joint report that the French implant had technical problems, during a trial at London’s Old Bailey over an alleged drug-related conspiracy to murder.
“In broad and general terms, we agree that records show that the implant and processing system were not reliable, in that the implants frequently and often stopped working, unless or until restarted,” according to an extract of the report read out in court.
5. How diplomatic immunity silenced the prosecutor who coordinated Sweden’s EncroChat probe
A senior Swedish prosecutor cited diplomatic immunity after being summoned to answer questions in court about Sweden’s role in the international police operation to infiltrate the EncroChat-encrypted phone network used by organised crime groups.
Prosecutors said Solveig Wollstad, head of the Swedish desk at Eurojust, the EU agency for diplomatic cooperation in The Hague, had diplomatic status that meant she was unable to give evidence about her work during an international police operation to hack into the EncroChat phone network.
Defence lawyers claim that the decision by a Swedish court not to call her to testify about the EncroChat operation has left important questions unanswered about the legality under Swedish law of the interception operation, which enabled the French police to covertly harvest messages from Swedish citizens who were using EncroChat phones.
The lawyers claim the interception may have been unlawful as there is no evidence that Sweden sought approval from a Swedish Court to authorise France to conduct the mass interception of EncroChat-encrypted phones, which were widely used by organised crime groups, in Sweden.
6. ‘Russian-backed’ hackers defaced Ukrainian websites as cover for dangerous malware attack
Malware posing as ransomware has been discovered on multiple computer systems in Ukraine following a hacking attack that targeted more than 70 government websites.
A hacking group linked to Belarus used multiple techniques to break into government computer systems, including hacking into a Ukrainian IT company to launch a “supply chain” attack against its government customers.
The hacking group also exploited applications containing the Log4J2 security vulnerability, which remains unpatched in many computer systems and allows attackers to execute Java code to take control of targeted servers.
Distributed denial of service attacks were launched against an undisclosed number of state organisations, according to updates from the Ukrainian government.
The attacks were accompanied by a series of highly visible attempts to deface government websites with provocative messages, in an attempt to distract from more serious attempts to manually plant malicious “wiper” malware on government IT systems.
7. Europol gears up to collect big data on European citizens after MEPs vote to expand policing power
The European Parliament has voted to give Europol wide powers to collect and process data on individuals, including people not suspected of any crime, in a move that significantly widens the power of the European police agency.
MEPs voted in May to widen the mandate of Europol to collect personal data from tech companies, including telecoms and internet suppliers and social media firms, and to collect and analyse data from countries outside the European Union (EU).
The proposals give Europol the go-ahead to develop algorithms and artificial intelligence (AI) systems capable of making automated decisions and developing predictive policing models.
The Parliament’s draft regulation effectively overturns an order by the European Data Protection Supervisor (EDPS) in January 2020 that required Europol to delete swathes of personal data it had collected and processed unlawfully.
The move has been criticised by civil society groups, and some MEPs, who claim that it amounts to a “massive, unchecked expansion” of Europol’s powers and could represent a first step on the road to creating a European version of GCHQ or the US National Security Agency.
“Europol will be allowed to collect and share data left, right and centre, without much restriction or control,” said Chloé Berthélémy, policy rights advisor at European Digital Rights (EDRi), a network of civil and human rights organisations in Europe.
8. ICO criticises government-backed campaign to delay encryption
The Information Commissioner’s Office (ICO) has stepped into the debate over end-to-end encryption (E2EE), warning that delaying its introduction leaves everyone at risk – including children.
The privacy watchdog said end-to-end encryption plays an important role in safeguarding privacy and online safety and in protecting children from abusers, and is crucial for business services.
The intervention follows the launch of a government-funded campaign this week that warns that social media companies are “blinding themselves” to child sexual abuse by introducing end-to-end encrypted messaging services.
Stephen Bonner, the ICO’s executive director of innovation, said the discussion on end-to-end encryption had become too unbalanced, with too much focus on the costs, without weighing up the significant benefits it offers.
“E2EE serves an important role both in safeguarding our privacy and online safety,” he said. “It strengthens children’s online safety by not allowing criminals and abusers to send them harmful content.
“It is also crucial for businesses, enabling them to share information securely, and fosters consumer confidence in digital services.”
9. Protecting children by scanning encrypted messages is ‘magical thinking’, says Cambridge professor
Governments are in danger of turning to “magical software solutions” to fight child abuse and terrorism, rather than investing in police, social workers and teachers who can deal with the underlying causes, a Cambridge academic claims.
Professor of security engineering Ross Anderson has argued in a paper that governments should view the child safety debate from the point of view of children at risk of harm, rather than from the perspective of the intelligence agencies and firms that want to sell computer software.
In a 19-page rebuttal of a paper by two senior GCHQ directors, Anderson, a professor at Cambridge and Edinburgh University, claimed the idea of using software to detect child abuse, terrorism and other illegal activities would prove unworkable in practice, and fail to address the underlying problems.
“The idea of using artificial intelligence to replace police officers, social workers and teachers is just the sort of magical thinking that leads to bad policy,” he argued in a discussion paper, Chat control or client protection?
10. NHS trust ‘deliberately’ deleted up to 90,000 emails before tribunal hearing
An NHS Trust “deliberately” deleted as many as 90,000 emails that were “potentially” critical to a legal case brought by a whistleblower who revealed that under-staffing in an intensive care unit was linked to two avoidable deaths.
Chris Day, a former junior doctor at Queen Elizabeth Hospital’s intensive care unit in Woolwich, is bringing a tribunal case against Lewisham and Greenwich NHS Foundation Trust over allegedly defamatory statements issued about him by the trust.
An employment tribunal heard that Lewisham and Greenwich NHS Foundation Trust’s head of communications, David Cocke, “deliberately destroyed” email and other digital evidence, including electronic archives, just before he was about to give evidence.
The high-profile case raises questions about the adequacy of information governance practices in NHS hospital trusts, and whether they are deploying information backup systems capable of properly preserving critical medical documents and communications.