Massive hacker attack triggers US National Security Council emergency meeting

White HouseA large-scale cyberespionage attack targeting United States government computer systems, which some experts described as potentially being among “the most impactful espionage campaigns on record”, triggered an emergency meeting of the US National Security Council on Sunday, according to reports. Chaired by the US president, the National Security Council is the country’s most senior decision-making body.

Although it was only discovered last week, the cyberespionage campaign is believed to date to last spring, possibly as early as March. Sources called it a highly sophisticated operation that originated from a “top-tier” adversary –a term that refers to a handful of state actors that have access to the most elite cyber operatives and advanced technologies known to exist.

As of last night, US government officials had not publicly identified the state actor believed to be behind the cyberespionage campaign, which experts have coined the “2020 supply chain attack”. But several American and European news outlets pointed to Russia as the culprit, citing sources familiar with the investigation. The Washington Post said the Russian Foreign Intelligence Service, known as SVR, was behind the attack. The Russian government denied on Monday that its agencies had any role in the attacks.

The origins of the attack are believed to be in the private sector. It began when a sophisticated illicit cyber actor, known by the nickname Advanced Persistent Threat (APT) 29, or Cozy Bear, stole cyber tools used by two major government contractors, FireEye and SolarWinds. These cyber tools are used to detect and patch vulnerabilities in computer systems. These companies provide services to numerous US government customers, including the Departments of Defense, State, Treasury and Commerce. Other US government customers include the National Security Agency and the Office of the President, including the White House Situation Room. All of these entities have reportedly been affected by this cyber espionage operation.

By disguising their malicious software as software patches, the hackers were reportedly able to access and monitor, in real time, email traffic within and between government agencies. It is not known at this time whether US intelligence agencies, other than the National Security Agency, have been affected by this hack. All branches of the US military maintain intelligence components. Additionally, the Department of the Treasury operates the Office of Intelligence Analysis, while the Department of State is in charge of the Bureau of Intelligence and Research. The White House said yesterday that it had asked the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency to probe the attack and evaluate the extent of the damage caused to US government operations.

Author: Joseph Fitsanakis | Date: 15 December 2020 | Permalink

Dutch spies identified Russian hackers who meddled in 2016 US election

Cozy BearDutch spies identified a notorious Russian hacker group that compromised computer servers belonging to the Democratic Party of the United States and notified American authorities of the attack, according to reports. In 2016, US intelligence agencies determined that a Russian hacker group known as Cozy Bear, or APT29, led a concerted effort to interfere in the US presidential election. The effort, which according to US intelligence agencies was sponsored by the Russian government, involved cyber-attacks against computer systems in the White House and the Department of State, among other targets. It also involved the theft of thousands of emails from computer servers belonging to the Democratic National Committee, which is the governing body of the Democratic Party. The stolen emails were eventually leaked to WikiLeaks, DCLeaks, and other online outlets. Prior descriptions of the Russian hacking in the media have hinted that US intelligence agencies were notified of the Russian cyber-attacks by foreign spy agencies. But there was no mention of where the initial clues came from.

Last Thursday, the Dutch current affairs program Nieuwsuur, which airs daily on Holland’s NPO 2 television, said that the initial tipoff originated from the AIVD, Holland’s General Intelligence and Security Service. On the same day, the Dutch newspaper De Volkskrant published a detailed account of what it described as AIVD’s successful penetration of Cozy Bear. According to these reports, AIVD was able to penetrate Cozy Bear in mid-2014, before the hacker group intensified its campaign against political targets in the US. Citing “six American and Dutch sources who are familiar with the material, but wish to remain anonymous”, De Volkskrant said that the AIVD was able to detect the physical base of the Cozy Bear hackers. The latter appeared to be working out of an academic facility that was adjacent to Moscow’s Red Square. The AIVD team was then able to remotely take control of security camera networks located around the facility. Eventually, the Dutch team hacked into another security camera network located inside the buildings in which the hackers worked. They soon began to collect pictures and footage of Cozy Bear members, which they then compared with photos of “known Russian spies”, according to De Volkskrant.

The paper said that the AIVD team continued to monitor Cozy Bear’s activities until at least 2017, while sharing intelligence with the Central Intelligence Agency and the National Security Agency in the US. The intelligence was allegedly instrumental in alerting US spy agencies about Russian government-sponsored efforts to meddle in the 2016 presidential election. Several newspapers, including The Washington Post in the US and The Independent in Britain, contacted the AIVD and the MIVD —Holland’s military intelligence agency— over the weekend. But the two agencies said they would not comment on reports concerning Cozy Bear.

Author: Joseph Fitsanakis | Date: 29 January 2018 | Research credit: E.J. & E.K. | Permalink