US Congressional review considers impact of federal database hack

A United States Congressional review into last month’s cyber theft of millions of government personnel records has concluded that its impact will go far “beyond mere theft of classified information”. Up to 21 million individual files were stolen in June, when hackers broke into the computer system of the Office of Personnel Management (OPM). Part of OPM’s job is to handle applications for security clearances for all agencies of the US federal government. Consequently, the breach gave the unidentified hackers access to the names and sensitive personal records of millions of Americans —including intelligence officers— who have filed applications for security clearances.

So far, however, there is no concrete proof in the public domain that the hack was perpetrated by agents of a foreign government for the purpose of espionage. Although there are strong suspicions in favor of the espionage theory, there are still some who believe that the cyber theft could have been the financially motivated work of a sophisticated criminal ring. But a new report produced by the Congressional Research Service, which is the research wing of the US Congress, seems to be favoring the view that “the OPM data were taken for espionage rather than for criminal purposes”. The report was completed on July 17 and circulated on a restricted basis. But it was acquired by the Secrecy News blog of the Federation of American Scientists, which published it on Tuesday.

The 10-page document points out that strictly financial reasons, such as identity theft or credit card fraud, cannot be ruled out as possible motivations of the massive data breach. But it points out that the stolen data have yet to appear in so-called “darknet” websites that are used by the criminal underworld to buy and sell such information. This is highly unusual, particularly when one considers the massive size of the data theft, which involves millions of Americans’ credit card and Social Security numbers. Experts doubt, therefore, that the OPM data “will ever appear for sale in the online black market”. This inevitably leads to the conclusion that the breach falls “in the category of intelligence-gathering, rather than commercial espionage”, according to the report.

The above conclusion could have far-reaching consequences, says the report. One such possible consequence is that high-resolution fingerprints that were contained in the OPM database could be used to blow the covers of American case officers posing as diplomats, and even deep-cover intelligence operatives working secretly abroad. Furthermore, the hackers that are in possession of the stolen files could use them to create high-quality forged documents, or even publish them in efforts to cause embarrassment to American intelligence agencies.

Author: Ian Allen | Date: 30 July 2015 | Permalink: http://intelnews.org/2015/07/30/01-1746/

NATO missile system hacked remotely by ‘foreign source’

A Patriot missile system stationed in Turkey by the North Atlantic Treaty Organization (NATO) was allegedly hacked by a remote source, according to reports. German magazine Behörden Spiegel said this week that the hacked missile system is owned and operated by the German Army. It was deployed along the Turkish-Syrian border in early 2013, after Ankara requested NATO assistance in protecting its territory from a possible spillover of the civil war in neighboring Syria.

The Patriot surface-to-air missile system was initially built for the United States Army by American defense contractor Raytheon in the 1980s, but has since been sold to many of Washington’s NATO allies, including Germany. The Patriot system consists of stand-alone batteries, each composed of six launchers and two radars. The radars, which are aimed at spotting and targeting incoming missiles, communicate with the launchers via a computer system. The latter was hijacked for a brief period of time by an unidentified hacker, said Behörden Spiegel, adding that the perpetrators of the electronic attack managed to get the missile system to “perform inexplicable commands”. The magazine gave no further details.

Access to the Patriot missile system could theoretically be gained through the computer link that connects the missiles with the battery’s control system, or through the computer chip that guides the missiles once they are launched. Hacking any one of these nodes could potentially allow a perpetrator to disable the system’s interception capabilities by disorienting its radars. Alternatively, a hacker could hypothetically prompt the system to fire its missiles at an unauthorized target. According to Behörden Spiegel, the attack on the missile system could not have come about by accident; it was a concentrated effort aimed at either taking control of the missiles or compromising the battery’s operating system. Moreover, the sophisticated nature of such an attack on a well-protected military system presupposes the availability of infrastructural and monetary resources that only nation-states possess, said the magazine.

Shortly after the Behörden Spiegel article was published, the German Federal Ministry of Defense denied that Patriot missile systems under its command could be hacked. A Ministry spokesman told German newspaper Die Welt that the Ministry was not aware of any such incident having taken place in Turkey or elsewhere.

Author: Joseph Fitsanakis | Date: 10 July 2015 | Permalink: http://intelnews.org/2015/07/10/01-1732/

US spies voiced concerns about Fed database prior to massive hack

United States intelligence officials expressed concerns about a federal database containing details of security-clearance applications in the years prior to a massive cyber hacking incident that led to the theft of millions of personnel records. Up to 21 million individual files were stolen last month, when hackers broke into the computer system of the US Office of Personnel Management (OPM), which handles applications for security clearances for all agencies of the federal government. The breach gave the unidentified hackers access to the names and sensitive personal records of millions of Americans who have filed applications for security clearances, including intelligence officers.

Until a few years ago, however, Scattered Castles, the database containing security clearance applications for the US Intelligence Community, was not connected to the OPM database. But in 2010, new legislation aiming to eliminate the growing backlog in processing security-clearance applications required that Scattered Castles be merged with the OPM database. The proposed move, which aimed to create a unified system for processing security clearances, made sense in terms of eliminating bureaucratic overlap and reducing duplication within the federal apparatus. But, according to the Daily Beast, US intelligence officials expressed concerns about the merging of the databases as early as 2010. The website said that security experts from the Intelligence Community expressed “concerns related to privacy, security and data ownership” emerging from the impending merge. One official told the Daily Beast that there were fears that the “names, Social Security numbers, and personal information for covert operatives would be exposed to hackers”.

However, the merge went ahead anyway, and by 2014 parts of the Scattered Castles database were gradually becoming accessible through the OPM network. The Daily Beast cited an unnamed US official as saying that there was “no connection between Scattered Castles and the OPM hack”. But when asked whether Scattered Castles was linked to the OPM system, he referred the website to the Federal Bureau of Investigation, which is probing last month’s hack attack.

Author: Joseph Fitsanakis | Date: 1 July 2015 | Permalink: http://intelnews.org/2015/07/01/01-1726/

Israel denies using computer virus to spy on Iran nuclear deal

The Israeli government rejected reports yesterday that its spy agencies were behind a virus found on the computers of three European hotels, which hosted American and other diplomats during secret negotiations on Iran’s nuclear program. Cybersecurity firm Kaspersky Lab said on Wednesday that it first discovered the malware, which it dubbed “Duqu 2.0”, in its own systems. The Moscow-based firm said the sophisticated and highly aggressive virus had been designed to spy on its internal research-related processes. Once they detected the malicious software in their own systems, Kaspersky technicians set out to map Duqu’s other targets. They found that the virus had infected computers in several Western countries, in the Middle East, as well as in Asia. According to Kaspersky, the malware was also used in a cyberattack in 2011 that resembled Stuxnet, the elaborate virus that was found to have sabotaged parts of Iran’s nuclear program in 2010.

However, Kaspersky said that among the more recent targets of the virus were “three luxury European hotels”, which appear to have been carefully selected among the thousands of prestigious hotels in Europe. The three appear to have only one thing in common: all had been patronized by diplomats engaged in the ongoing secret negotiations with Iran over the Islamic Republic’s nuclear program. Kaspersky was referring to the so-called P5+1 nations, namely the five permanent members of the United Nations Security Council plus Germany, who lead ‘the Geneva pact’. Israel has condemned the negotiations and has repeatedly expressed anger at reports that the Geneva pact is about to strike an agreement with Tehran over its nuclear program.

However, Israel’s deputy foreign minister flatly rejected Kaspersky’s allegations on Wednesday, calling them “pure nonsense”. Speaking on Israel Radio, Eli Ben-Dahan said Israel had “many far more effective ways” of gathering foreign intelligence and that it did not need to resort to computer hacking in order to meet its intelligence quotas. Israeli government spokespeople refused to comment on the allegations when asked late Wednesday.

Author: Joseph Fitsanakis | Date: 11 June 2015 | Permalink: http://intelnews.org/2015/06/11/01-1713/

Russian hackers accessed Obama’s email correspondence

By JOSEPH FITSANAKIS | intelNews.org
Computer hackers believed to be connected to the Russian government were able to access emails belonging to the president of the United States, according to American officials briefed about the ensuing investigation. The cyberattack on the White House was announced by American government officials in October of last year, soon after it was discovered by security experts. But The New York Times said on Saturday that the hacking was far more intrusive than had been publicly acknowledged and that the information breach resulting from it was “worrisome”. The paper said that the individuals behind the cyberattack were “presumed to be linked to the Russian government, if not working for it”. It also quoted one unnamed senior US official, who said that the group that perpetrated the hacking was “one of the most sophisticated actors we’ve seen”.

Little concrete information has emerged on the hacking, but it appears to have started with attempts to compromise computers at the US Department of State. As CNN reported earlier this month, the hackers essentially managed to take control of the State Department’s declassified computer network and exploit it for several months. In most American government departments, senior officials operate at least two computers in their offices. One is connected to the government’s secure network used for classified communications; the other is used to communicate unclassified information to the outside world. In theory, those two systems are supposed to be separate. However, it is common knowledge that the publicly linked computers often contain sensitive or even classified information. It is this unclassified part of the network that the alleged Russian hackers were able to access, in both the State Department and the White House.

According to The Times, by gaining access to the email accounts of senior US government officials, the hackers were able to read unclassified emails sent or received by, among others, President Barack Obama. The US president’s own unclassified account does not appear to have been breached, said the paper, nor were the hackers able to access the highly classified server that carries the president’s mobile telephone traffic. Nevertheless, the operation to remove monitoring files placed in US government servers by the hackers continues to this day, and some believe that the presence of the intruders has yet to be fully eradicated from the system. The Times contacted the US National Security Council about the issue, but was told by its spokeswoman, Bernadette Meehan, that the Council would “decline to comment”. The White House also declined to provide further information on the incident and the ensuing investigation.

Hezbollah likely behind malware that attacked Israeli servers

By JOSEPH FITSANAKIS | intelNews.org
A report by a major Israeli computer security firm claims that “a Lebanese entity”, possibly Hezbollah, was behind a cyberespionage operation that targeted companies connected to the Israeli military. In late March, Israeli computer security experts announced they had uncovered an extensive cyberespionage operation that targeted computers in Israel, and to a lesser extent in the United States, Britain, Turkey and Canada. The cyberespionage operation, dubbed VOLATILE CEDAR by Israeli computer security experts, was allegedly launched in 2012. It employed sophisticated malicious software, also known as malware, codenamed EXPLOSIVE. One Israeli security expert, Yaniv Balmas, said the malware was not particularly sophisticated, but it was advanced enough to perform its mission undetected for over three years.

It is worth noting that, during the period of operation, the EXPLOSIVE malware kept surreptitiously updating itself with at least four different versions, which periodically supplemented the original malware code. Additionally, once the discovery of the malware was publicized in the media, security experts recorded several incoming messages sent to the installed malware asking it to self-destruct. These clues point to a level of programming and operational sophistication that exceeds those usually found in criminal cyberattacks.

According to Israeli computer security firm CheckPoint, there is little doubt that the source of the malware was in Lebanon, while a number of programming clues point to Lebanese Shiite group Hezbollah as “a major player” in the operation. In a report published this week, CheckPoint reveals that most of the Israeli targets infected with the malware belong to data-storage and communications firms that provide services to the Israel Defense Forces. According to one expert in the firm, the malware designers took great care to avoid “a frontal attack on the IDF network”, preferring instead to target private entities that are connected to the Israeli military. More specifically, the web shells used to control compromised servers after successful penetration attempts were of Iranian origin. Additionally, the initial command and control servers that handled EXPLOSIVE appear to belong to a Lebanese company.

The head of CheckPoint’s security and vulnerability research unit, Shahar Tal, told Ha’aretz newspaper: “We are not experts on international relations and do not pretend to analyze the geopolitical situation in Lebanon”. But these attacks originated from there, and were specifically designed to infiltrate “systems that are connected to the IDF”, he added.

News you may have missed #891

By IAN ALLEN | intelNews.org
►►Sophisticated malware found in 10 countries ‘came from Lebanon’. An Israeli-based computer security firm has discovered a computer spying campaign that it said “likely” originated with a government agency or political group in Lebanon, underscoring how far the capability for sophisticated computer espionage is spreading beyond the world’s top powers. Researchers ruled out any financial motive for the effort that targeted telecommunications and networking companies, military contractors, media organizations and other institutions in Lebanon, Israel, Turkey and seven other countries. The campaign dates back at least three years and allegedly deploys hand-crafted software with some of the hallmarks of state-sponsored computer espionage.
►►Canada’s spy watchdog struggles to keep tabs on agencies. The Security Intelligence Review Committee (SIRC), which monitors Canada’s intelligence agencies, said continued vacancies on its board, the inability to investigate spy operations with other agencies, and delays in intelligence agencies providing required information are “key risks” to its mandate. As a result, SIRC said it can review only a “small number” of intelligence operations each year.
►►Analysis: After Snowden NSA faces recruitment challenge. This year, the NSA needs to find 1,600 recruits. Hundreds of them must come from highly specialized fields like computer science and mathematics. So far the agency has been successful. But with its popularity down, and pay from wealthy Silicon Valley companies way up, Agency officials concede that recruitment is a worry.
