Tuesday, June 8, 2021

Burmese Army’s Hacking Software: Oxygen Forensics

(Mike Lewis’s “Filling A Gap” from his blog site on April 25, 2021.)

Myanmar’s military coup, and the subsequent crackdown on protestors, have refocussed attention on digital surveillance and data extraction tools used by Myanmar’s police and security forces.

Earlier this month the New York Times, using budget documents obtained by the campaign group Justice for Myanmar, listed a series of digital forensics tools that Myanmar’s home affairs ministry has allegedly sought to purchase: software and hardware used to extract data from suspects’ cellphones, computers and other devices.

Some are familiar from previous reporting, particularly around the 2018 trial of the two Reuters journalists Wa Lone and Kyaw Soe Oo, which heard communications evidence that investigators had extracted from their cellphones using a Cellebrite UFED device.

(There’s an important functional distinction between digital forensics tools, intended to crack open and extract data from seized devices; and wider surveillance technologies intended to gather data remotely on people, their devices and their data. Recent commentary on Myanmar has often swept them up in the same generic ‘spyware’ category. That’s for another post.)

Budgeting to procure something doesn’t prove that the Myanmar government actually ended up buying it. Several suppliers listed by Justice for Myanmar and the New York Times insist that high-profile acts of repression made them refuse or discontinue sales in Myanmar.

One company listed in the budget documents has said that although it received a request to supply its product to Myanmar, it turned it down, citing the military operations against the Rohingya. Similarly Cellebrite, and its Myanmar distributor, have both insisted that Cellebrite cancelled licences for its products in Myanmar in late 2018, in response to the furore around their use in the Wa Lone/Kyaw Soe Oo case.

At least one US company, however, seems to have stepped into that market gap. Oxygen Forensics LLC (company tagline: “Helping Good People Make This World Safer”) produces a suite of software, supplied on a dongle,

“built to extract, decode, and analyze data from multiple digital sources: mobile and IoT devices, device backups, UICC and media cards, drones, and cloud services. Oxygen Forensic® Detective can also find and extract a vast range of artifacts, system files as well as credentials from Windows, macOS, and Linux machines. The cutting edge and innovative technologies deployed in Oxygen Forensic® Detective include, but are not limited to, bypassing screen locks, locating passwords to encrypted backups, extracting and parsing data from secure applications and uncovering deleted data.”

Oxygen Forensics is essentially in the same data extraction/digital forensics market as Cellebrite, though not as well-known. Oxygen Forensics wasn’t listed in the New York Times article, but it does appear in the Ministry of Home Affairs budget documents for 2018-19 obtained by Justice for Myanmar.

Importantly, though, it’s clear that Oxygen Forensics has indeed supplied their product to Myanmar. Records of export manifests from India, which are available through several online data providers, show that in June and September 2020, Oxygen Forensics’ Indian reseller, 3rd Eye Techno Solutions Pvt Ltd, shipped an Oxygen Forensic® Detective dongle and several cable sets by air from Delhi to Yangon, consigned to a Myanmar company, MySpace International Co Ltd.

MySpace International, owned by former Tatmadaw officer Kyaw Kyaw Htun, was also reportedly Cellebrite’s reseller in Myanmar. The New York Times claimed earlier this month that “two people with knowledge of police procurements said that Dr. Kyaw Kyaw Htun’s companies supply most of the imported Western surveillance technology for the Myanmar police.”

Oxygen Forensics LLC told me that “our records indicate the sale of only one license (in Jan 2019) to organisations in Myanmar.” This would have been immediately after Cellebrite claims that they stopped business in Myanmar and cancelled their products’ licences there, though there is no evidence of a direct connection.

Oxygen Forensics declined to respond to a follow-up question about whether their Myanmar end-user was a government or private-sector organisation. They also said that “we are unable to monitor the use of our technology but when we are made aware of its use in a way which does not conform to our EULA, international law, or Oxygen Forensic ideals, these licenses are noted, as are the end users, and they cannot be renewed.” They declined to say whether they had done this with their Myanmar customer.

3rd Eye Techno Solutions requested questions in writing, but has declined to respond so far. MySpace International has not responded to phone calls or emails.

There are growing trade controls on this kind of hardware and software. In December 2019, forty-two countries from Russia to the USA, meeting under the Wassenaar Arrangement, agreed to add a range of communications monitoring technologies, digital investigative and digital forensics tools to their export controls, requiring licences for their international transfer.

Since October 2020, therefore, the US has duly required export licences for “Systems, Equipment and Components for Defeating, Weakening or Bypassing Information Security”. (This rule came into force after the Oxygen Forensics exports for which there is public evidence. There’s no suggestion that any of the companies named in this post have acted unlawfully, or are guilty of any other wrongdoing. And there’s no evidence so far about how Oxygen Forensics’ products may have been used or misused in Myanmar.)

The EU is seeking to regulate trading of digital forensics tools too: the European Parliament agreed new export control rules in March 2021, which still need to be signed off by the Council.