Purported TikTok/WeChat Breach?
A rapid analysis to try and untangle a few things.
Dear Reader, here is the ‘bottom line, up front’:
An influence operation that centers TikTok as a cause of concern has re-emerged with new data and purveyors. Early reviews by independent security experts indicate that the dataset does not appear authentic in relation to claims made about it. Nevertheless, its purveyors have taken specific claims to connect TikTok and WeChat in this latest salvo against the Chinese Communist Party, seeking to employ unspecified concerns about data privacy and the public’s lack of awareness regarding the business of data as a geopolitical influence lever.
Ultimately, despite its massive reach, singling TikTok out for this behavior is unnecessarily hawkish behavior intended to inflame geopolitical tensions. The root causes of data collection are squarely within reach of U.S. regulators and policymakers; namely, national data privacy legislation, which would limit the ability of Big Tech platforms such as Google and Apple to continue enabling the ongoing wholesale theft of our private data via mobile platforms on which billions of users have come to rely.
So let’s break this down: what is the veracity of the dataset? Who are the actors and their goals? Does this issue reflect a growing trend? What seem to be the outcomes thus far?
The “samples” (screenshots) of the dataset teased by the threat actor on the forums where this purported breach was publicized mean nothing, and many have called out the actual dataset as appearing to be false.
I reviewed two files, TikTok-Main-Weixin.7z and TIKTOK&WECHAT.7z, each containing various CSV files which are supposed to be database exports. Many of these files only contain headers, and no actual user data. A couple of files contain data which could easily have been scraped. I see no un-scrapable PII.
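The check described above (header-only exports, and whether any populated column holds data that could not have been scraped from public profile pages) is mechanical enough to script. The following is an added example, not code from the original post; the column lists, the value heuristics and the sample dump are all constructed assumptions, and a real review would tune them to the schema actually found in the files.

```python
"""Triage a purported breach dump of CSV exports.

For each file: how many data rows are there, is it header-only, and do any
columns that only a genuine back-end export would hold (email, phone,
password hash, IP) actually contain plausible values rather than filler?
Added example, not from the original post. Column lists and the sample
dump are constructed assumptions.
"""
import csv
import io
import re
from collections import Counter

# Fields a scraper could collect from public profile pages (assumed list).
PUBLIC_COLUMNS = {"user_id", "username", "nickname", "bio", "follower_count",
                  "following_count", "video_count", "verified", "avatar_url"}
# Fields only a real internal export would populate (assumed list).
SENSITIVE_COLUMNS = {"email", "phone", "password_hash", "salt", "ip_address",
                     "date_of_birth", "device_id"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?\d[\d\s\-]{6,}\d$")
# bcrypt / argon2 prefixes, or a bare hex digest of 32..128 chars
HASH_RE = re.compile(r"^(\$2[aby]\$|\$argon2|[0-9a-f]{32,128}$)")


def looks_sensitive(col, value):
    """True if the cell looks like a real non-public value, not a placeholder."""
    if not value or value.lower() in {"null", "none", "n/a", "-"}:
        return False
    if col == "email":
        return bool(EMAIL_RE.match(value))
    if col == "phone":
        return bool(PHONE_RE.match(value))
    if col == "password_hash":
        return bool(HASH_RE.match(value))
    return True  # other sensitive columns: any non-placeholder value counts


def triage_csv(name, text):
    """Report on one CSV export given as text."""
    reader = csv.reader(io.StringIO(text))
    try:
        header = [h.strip().lower() for h in next(reader)]
    except StopIteration:  # completely empty file
        return {"file": name, "columns": [], "rows": 0, "header_only": True,
                "public_only": False, "sensitive_populated": {}}
    rows = [r for r in reader if any(cell.strip() for cell in r)]
    populated = Counter()
    for row in rows:
        for col, val in zip(header, row):
            if col in SENSITIVE_COLUMNS and looks_sensitive(col, val.strip()):
                populated[col] += 1
    return {
        "file": name,
        "columns": header,
        "rows": len(rows),
        "header_only": not rows,
        # every column is something a scraper could have collected
        "public_only": bool(rows) and all(c in PUBLIC_COLUMNS for c in header),
        "sensitive_populated": dict(populated),
    }


def triage_dump(files):
    """files: {filename: csv_text}. Returns per-file reports and a verdict."""
    reports = [triage_csv(n, t) for n, t in files.items()]
    header_only = sum(r["header_only"] for r in reports)
    sensitive = sum(sum(r["sensitive_populated"].values()) for r in reports)
    verdict = ("no non-public data found" if sensitive == 0
               else "non-public fields populated")
    return {"files": reports, "header_only_files": header_only,
            "sensitive_cells": sensitive, "verdict": verdict}


# Constructed sample dump in the shape the post describes: header-only
# exports, one file of scrapable profile fields, one with placeholder values.
SAMPLE_DUMP = {
    "users.csv": "user_id,username,email,phone,password_hash\n",
    "sessions.csv": "user_id,ip_address,device_id\n",
    "profiles.csv": ("user_id,username,nickname,follower_count,bio\n"
                     "1001,dancequeen,Dance Queen,52000,just vibes\n"
                     "1002,cookwithme,Cook With Me,1200,recipes daily\n"),
    "accounts.csv": "user_id,email,password_hash\n1001,null,-\n",
}

if __name__ == "__main__":
    result = triage_dump(SAMPLE_DUMP)
    for r in result["files"]:
        print(f"{r['file']}: rows={r['rows']} header_only={r['header_only']} "
              f"public_only={r['public_only']} sensitive={r['sensitive_populated']}")
    print("verdict:", result["verdict"])
```

Run against a real extracted archive you would read each file with `open(path, newline="")` and pass its text to `triage_csv`; the point of the value heuristics is that a column merely named `password_hash` proves nothing until its cells hold something a back end would plausibly emit.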
In fact, this data could have been reconstituted from other scraped drops available on the forums, and may simply be a money-making scam for the hacker gang. Forum reputation is supposed to help with that, and this user did have some dings on their previous reputation for being a ‘skid’ (unskilled idiot).
Cybersecurity analysts with good reputations, especially within context of breached data, say the dataset being promoted is unlikely to have come directly from TikTok.
Various characteristics, including the way the data is structured and the database it uses, make that seem unlikely. TikTok has denied this data has come from them but has not given any indication as to a potential source.
TikTok says they have anti-scraping mechanisms, and they do (compared to many other companies which do not have any, or whose defenses are ineffective).
Note: Scraping has been declared legal in the U.S. — a win for the open web, but another reason why we need federal data privacy legislation… the only way to stop certain types of data collection (and all resulting harms) is for legislators to force companies to stop.
Actors: Hackers, Promoters, Quoted CEOs
Claiming responsibility for the “breach” is a “pro-West” hacking group called “Against The West” which seems a little… off. It’s entirely possible they are a regular hacker crew, which would explain their seeming amateurishness. Yet something about them seems unconvincing, including various inconsistencies from their media blitz earlier this year.
Here’s a fun one:
Here is how they specifically claimed they obtained the data on Twitter (vaguely suggesting they brute forced a password), while there are inconsistencies relating to that context in their forum post. We don’t know if they found this themselves, we don’t know if it was passed to them by a source, and we don’t know who they really are.
Here is one additional major supporter who claims to have verified the findings.
Both are extremely sus :-)
It only took three steps from Google for me to associate this supposed “data breach”, which has been debunked by several experts I trust, right to an old report I analyzed a while back by a firm called “Penetrum” which has been used to bolster various claims of bad privacy and security at TikTok each time they emerge.
Here is the Bloomberg article I started from Google with. The quote in question is from Robert Potter, who is credited as “co-CEO of Australian-US cybersecurity firm Internet 2.0 Inc.”
That firm’s website links directly to the Penetrum report alongside their own: https://internet2-0.com/technical-analysis-of-tiktok-app. In my opinion, this looks like cybersecurity company marketing, but it could also serve the deeper purpose of legitimizing an influence narrative, while gathering contact info of interested parties at the same time.
There is very strange conflation in media reporting between TikTok and WeChat. Why?
I figured out that conflation was coming from both the aforementioned company AND the group claiming responsibility for the breach:
“Just here to post the vast array of images and screenshots from the 2022 TikTok and WeChat databreach”.
They further claim on the same page:
“WeChat (Which is state owned) is within the same database as the TikTok DB (which claims not to give such information to their government).”
This actor was banned from the hacker forum today for “lying about data breaches” 😂.
Trend: Leveraging Cybersecurity for Influence Operations
I have observed a growing trend of using “security analyses” which cannot be independently verified or are roundly debunked by experts in order to make geopolitical points (in addition to the regular trend of security companies hyping finds for marketing–those finds are almost always verifiable and generally correct due to the reputations of the authors/analysts being on the line).
For example, an influence actor “@jonathandata1” has been making the rounds recently with pro-NSO, anti-Citizen Lab propaganda. He has also been previously identified as a source of misinformation specifically about TikTok with similar claims as Penetrum.
The data presented by these “experts” is typically misleading, lacks context, and lacks technical integrity. The academic credentials conferred upon “@jonathandata1” by at least one of his affiliated universities have recently been revoked as a result of efforts inside the information security community to bring light to this actor and this type of effort which, at best, creates opportunities for misinformation with geopolitical impact to be uncritically picked up by media, and at worst, actively seeks to subvert the impression of legitimate information security research for nefarious purposes.
Similarly, fake “breaches” are also increasingly used, for example to create impressions of security negligence. Denials by companies may not hold much water if influence operators can succeed in manipulating the media into publishing such claims without performing sufficient due diligence to avoid laundering narratives for bad guys.
Timing: Changing of the Guard in U.K. and China
The timing of this supposed new data breach from TikTok exactly coincides with the news that Liz Truss is to be confirmed as Prime Minister of the U.K.
Truss has previously spoken in fairly “radical” terms about reshaping the U.K.’s relationship with Beijing (labeling them a “threat” and seeking to end economic partnerships) to avoid being coerced as Australia has been and to counter the Chinese defense buildup in APAC, the recent deal with the Solomon Islands being the latest example of China’s growing influence in the region.
It’s also instructive to read what SCMP (China state-affiliated media) has to say about it, and how their viewpoint is presented.
An additional element of timing on this “breach” includes China ordering yet another purge of non-conforming citizenry using Chinese tech companies to detect speech and behavior violations:
“China’s conducted many such blitzes in recent years, with mixed success. The significance of this one is probably its timing: on October 16th the Communist Party Of China will conduct its 20th National Congress, an event at which Chinese president Xi Jinping is expected to be granted an unprecedented third five year term as the nation’s leader. Acting to minimize online comment that could in any way take the shine off the Congress, and the decisions it makes, therefore appears to be the aim of this new blitz. Yet as China already requires registration for many online services using verified real names, announcing the blitz ahead of the Congress also demonstrates some weakness in that regime.”
TikTok: Leveraged for Influence Operations
I have observed the consistent use of TikTok to heighten geopolitical tensions over data privacy in a manner that appears to be coordinated and leveraging the media, especially publications without technical expertise to tease apart such claims, in the sense that there is a new wave of claims which are sometimes tricky to debunk by established security researchers, and whose debunks are often ignored in favor of making a more sensationalistic point or headline.
Once again, concerning the substance of various claims against TikTok which have been somewhat debunked, we have to look towards who seeks to make their case and what they have to gain, which is certainly beyond the scope of this rapid analysis.
This type of hawkish rhetoric reduces the public’s understanding of data privacy concerns by elevating the behavior of the TikTok app above the thousands of other mobile apps in the Google and Apple stores which collect similar data, which most often don’t notify us appropriately that our data is being collected and how, and whose supply chains may also have unknown secondary and even tertiary interests and purposes for such data.
Influence Operation: Goals?
Beyond inflaming geopolitical tensions between China and the West, which serves many organizations’ goals, it is difficult to speculate further as to what the goals of this operation are beyond the new conflation of TikTok and WeChat, partially driven by an Aussie “security company” whose other overtly anti-CCP work includes a report which seeks to connect WeChat and other Chinese properties (I have not yet reviewed the substance of any other claims).
However, I see these as some of the outputs of these operations:
1. People are growing concerned that China is doing “nefarious things” with data. It is likely (certain) that China, as well as Russia and many other countries around the world including the United States, seek to maximize the data they can obtain and seek to fully exploit (analyze/use) such datasets. This is standard practice now. Project Dragonfly from 2018 demonstrates intent and capability to surveil users with Big Tech complicity for the purpose of imposing Orwellian measures on citizenry.
What isn’t well-understood by the people is what can be *done* with the data. However, we only need to look to China’s Xinjiang province to understand the existential risks presented by data collection and surveillance, especially within undemocratic regimes led by dictators.
2. Americans are led to ignore the fact that their own government allows companies around the world to collect and use their personal data by failing to pass and enforce national data privacy legislation. It seems likely many complainers speak up because TikTok isn’t a Silicon Valley/American company.
This dichotomy helps highlight the inauthenticity of these attacks against TikTok in the face of little information from inside the company showing evidence of malfeasance or misrepresentation.
3. People are led to believe that TikTok in particular presents a unique type of national security threat, despite lack of evidence regarding the supposed nefarious activities of TikTok’s American staff (since they claim to have separated data and are supposedly no longer commingling data between US and China).
Obviously the concern is that China’s National Security Law creates a direct backdoor between the PRC and TikTok’s installed user base, which is not only a concern regarding TikTok, but applies more broadly across the entire spectrum of app ecosystems. This is an entirely valid concern which in reality should apply to all apps today!
I hope this has helped untangle some of the factors involved with media reports about this latest “breach”.