Russian hacker group using Internet service providers to spy on foreign embassies

A HACKER GROUP LINKED to Russia’s Federal Security Service (FSB) has compromised Russia’s domestic internet infrastructure and is using it to target foreign diplomats stationed in Russia. According to a report published last week by Microsoft Threat Intelligence, the group behind the operation is Turla, also known as Snake, Venomous Bear, Group 88, Waterbug and Secret Blizzard. Analysts have credited the group with “some of the most innovative hacking feats in the history of cyberespionage”.

Turla began its attempt to compromise a number of Russian internet service providers in February, according to Microsoft’s report. The group’s apparent goal has been to gain access to the software that allows Russian security agencies to intercept internet traffic lawfully once a judge has issued a warrant. That software falls under Russia’s System for Operative Investigative Activities (SORM), which became law in 1995 under the presidency of Boris Yeltsin. Government agencies at every level in Russia use the SORM system to carry out court-authorized telecommunications surveillance.

According to Microsoft, targeted internet users are shown an error page prompting them to update their browser’s cryptographic certificate. A user who consents causes the computer to download and install malware that Microsoft has named ApolloShadow, disguised as a security update from Kaspersky, Russia’s best-known antivirus vendor. Once installed, the malware gives the hackers access to the content of the targeted user’s encrypted communications. Because the interception takes place at the ISP, the operation depends on the victim accepting the bogus certificate prompt rather than on a software vulnerability in the victim’s device.
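A tampered root certificate store is what makes the kind of TLS interception described above possible, so the check a defender wants is a fingerprint baseline of every trusted root on the machine. The following is an added example, not code from Microsoft’s report or from the Turla operation; the function names, the PEM helper and the two placeholder “certificates” (arbitrary bytes standing in for DER, not real certificates) are all constructed for illustration. In practice the bundle would come from the real store, for example `/etc/ssl/certs/ca-certificates.crt` on Debian-derived Linux or an export of the `Cert:\LocalMachine\Root` store on Windows.

```python
"""Baseline check of a trusted root certificate store.

A root CA that is not in the organisation's baseline can sign a certificate
for any site, so whoever controls it can decrypt TLS traffic from the
machine. The check below fingerprints every certificate in a PEM bundle and
reports the ones the baseline does not know about.
"""
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(bundle: str):
    """Yield the DER bytes of every certificate in a PEM bundle."""
    for b64 in PEM_RE.findall(bundle):
        yield base64.b64decode("".join(b64.split()))


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated hex digest of the DER encoding.

    Match the algorithm to the source of the baseline: browsers and most
    tooling show SHA-256, but the Windows 'Thumbprint' property is SHA-1.
    """
    h = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def audit_root_store(bundle: str, baseline: set, algo: str = "sha256") -> dict:
    """Compare the roots in a PEM bundle to a baseline of fingerprints.

    Returns the fingerprints present but not in the baseline ('unexpected',
    each one worth investigating) and those in the baseline but absent
    ('missing', which can indicate a store that was replaced wholesale).
    """
    present = {fingerprint(der, algo) for der in pem_to_der(bundle)}
    return {
        "unexpected": sorted(present - baseline),
        "missing": sorted(baseline - present),
    }


def _pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM block (helper for the constructed sample)."""
    body = base64.b64encode(der).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


# Constructed placeholders: arbitrary bytes in place of real DER certificates.
KNOWN_ROOT = b"\x30\x82placeholder: organisation-approved root CA"
ROGUE_ROOT = b"\x30\x82placeholder: root CA installed by a bogus 'update'"

# Baseline recorded from a clean machine; the sample store has one extra root.
BASELINE = {fingerprint(KNOWN_ROOT)}
SAMPLE_BUNDLE = _pem(KNOWN_ROOT) + _pem(ROGUE_ROOT)

if __name__ == "__main__":
    report = audit_root_store(SAMPLE_BUNDLE, BASELINE)
    for fp in report["unexpected"]:
        print("UNEXPECTED ROOT:", fp)
    for fp in report["missing"]:
        print("MISSING ROOT:", fp)
```

The baseline should be captured from a known-clean build and stored outside the machine being audited; a check that reads its baseline from the same host an attacker has already modified proves little.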

The Microsoft report states that, although Turla has carried out prior attacks against diplomatic targets in Russia and abroad, this is the first time the group has been confirmed to have the capability to attack its targets at the Internet Service Provider (ISP) level. In doing so, Turla has incorporated Russia’s domestic telecommunications infrastructure into its attack toolkit, the report states. The report does not name the diplomatic facilities or the countries whose diplomats have been targeted. But it warns that all “diplomatic personnel using local [internet service providers] or telecommunications services in Russia are highly likely targets” of the group.

Author: Joseph Fitsanakis | Date: 02 August 2025 | Permalink

Hackers breach website used by US intelligence community to solicit vendor contracts

HACKERS HAVE COMPROMISED A website used by the United States Intelligence Community (IC) to solicit sensitive contracts from the private sector, according to a new report. The target of the attack and the methods used appear to point with a high degree of certainty to a state actor.

The website in question belongs to the Acquisition Research Center (ARC), an initiative of the US government’s Acquisition Center of Excellence. Even though the ARC solicits contracts on behalf of the entire US IC, its public-facing website is maintained by the National Reconnaissance Office (NRO), which last week notified several companies affected by the breach.

The ARC online interface is designed for companies in the private sector who want to register as government vendors in the national security space. Once they register through the ARC system, these companies can pitch a variety of intelligence agencies with a particular technology or idea. Recent projects solicited through the ARC system have involved communications interception systems, artificial intelligence-powered data collection or analysis tools, predictive technologies, signature-reduction systems, or various tools used in physical surveillance.

It is believed that the hackers targeted the unclassified portion of the ARC website, seeking personal information about vendors, as well as proprietary intellectual property. An NRO spokesperson told The Washington Times that the breach was being looked at by federal law enforcement but declined to provide further information about what he described as an “ongoing investigation”.

Author: Ian Allen | Date: 28 July 2025 | Permalink

Russian spies allegedly impersonated Microsoft staff to hack government agencies

MEMBERS OF A PROLIFIC hacker group widely associated with Russian intelligence impersonated Microsoft technical staff in order to compromise nearly 40 government agencies and companies around the world. Microsoft security researchers said last week that the “highly targeted” social engineering campaign was driven by the hackers’ “specific espionage objectives”.

According to Microsoft, the hackers behind the spying campaign belong to a prolific group that cybersecurity researchers track as APT29 (also known as “Cozy Bear” and “Midnight Blizzard”). It rose to infamy in 2020, when it was connected with the worldwide SolarWinds attack, which some experts described as possibly being among “the most impactful espionage campaigns on record”. APT29 is believed to be closely associated with the Russian Foreign Intelligence Service (SVR).

Starting in late May 2023, APT29 hackers used several previously compromised Microsoft 365 accounts to set up internet domains with technical-support-themed names. They then used these domains to contact a number of “highly targeted” individuals through Microsoft Teams, posing as Microsoft technical support representatives. Some of the targets were eventually persuaded to approve or relay the multifactor authentication prompts they received through Microsoft Authenticator, which handed the hackers a valid sign-in and full access to the targets’ user accounts. The lesson is that the multifactor step itself was never broken: the attackers simply talked the victim into completing it on their behalf.

Microsoft did not disclose the identities of the targets, saying only that they were nearly 40 in number, and included government agencies, various multinational technology and manufacturing firms, media companies, as well as non-governmental organizations.

Author: Joseph Fitsanakis | Date: 07 August 2023 | Permalink

US-led ‘Five Eyes’ alliance dismantled Russia’s ‘premier espionage cyber-tool’

AN ESPIONAGE TOOL DESCRIBED by Western officials as the most advanced in the Russian cyber-arsenal has been neutralized by intelligence agencies in the United States, Australia, Canada, the United Kingdom and New Zealand, after nearly 20 years of tracking it. The operation targeted Turla, a hacker group that cyber-security experts have long associated with the Russian government.

Turla is believed to be made up of officers from Center 16, a signals intelligence unit of Russia’s Federal Security Service (FSB), one of the Soviet-era KGB’s successor agencies. Since its appearance in 2003, Turla has used a highly sophisticated malware dubbed ‘Snake’ to infect thousands of computer systems in over 50 countries around the world. Turla’s victims include highly sensitive government computer networks in the United States, including those of the Department of Defense, the National Aeronautics and Space Administration, and the United States Central Command.

The Snake malware has also been found in computers of privately owned firms, especially those belonging to various critical infrastructure sectors, such as financial services, government facilities, electronics manufacturing, telecommunications and healthcare. For over two decades, the Snake malware used thousands of compromised computers throughout the West as nodes in complex peer-to-peer networks. By siphoning information through these networks, the Turla hackers were able to mask the location from where they launched their attacks.

On Tuesday, however, the United States Department of Justice announced that the Federal Bureau of Investigation (FBI), along with its counterparts in the United States-led ‘Five Eyes’ intelligence-sharing alliance, had managed to dismantle Snake. The effort, codenamed Operation MEDUSA, was reportedly the culmination of nearly 20 years of work to understand and neutralize the Snake malware. In the process, Five Eyes cyber-defense experts located Turla’s facilities in Moscow and in Ryazan, an industrial center about 120 miles southeast of the Russian capital.

The operation culminated in the development of a tool the FBI dubbed PERSEUS. According to the Department of Justice’s announcement, PERSEUS communicated with the Snake implant on compromised computers using the malware’s own custom protocol, impersonating its Turla operators. In doing so it could issue Snake commands of its own, and it instructed the implant to overwrite its own vital components and disable itself on the computers it had compromised. The worldwide peer-to-peer network that Snake had painstakingly assembled over two decades has therefore ceased to exist, at least on the systems the operation reached; the tool removed Snake itself, not any other malware or the weaknesses through which the implant had been installed, so affected owners were still advised to remediate their systems.

Author: Joseph Fitsanakis | Date: 11 May 2023 | Permalink

North Korean hackers behind ‘sophisticated’ effort to elicit views of experts

A NOTORIOUS NORTH KOREAN hacker group is believed to be behind a “sophisticated” effort to elicit the views of international experts on issues of concern to Pyongyang, according to an investigation by Reuters. The news agency said its reporters had uncovered this previously unreported campaign with the help of cybersecurity experts and five individuals who had been targeted by the North Korean hackers.

The North Korean hacker group that is alleged to be behind this elicitation campaign is known among cybersecurity experts as Thallium, or Kimsuky. It has been active since at least 2012 and has orchestrated intensive “spear-phishing” attacks against international targets. Similarly to other hacker groups that have been active in the past decade, Thallium’s operations have centered on tricking its targets to download malware on their personal electronic devices, or to share sensitive information, including passwords.

Lately, however, the group has changed its tactics in striking ways, according to Reuters. Instead of trying to steal secrets, it has been involved in a campaign aimed at eliciting the views of Western experts on North Korean affairs. It has been doing so by directly contacting these experts with requests to review policy papers, or by commissioning opinion pieces on various aspects of North Korean politics, economy and society. The requests are camouflaged to appear as originating from respected think-tanks, universities or consultancy firms.

Since January of this year, when the first experts began to be contacted, “multiple” individuals have fallen victim to this elicitation campaign, according to experts at the Microsoft Threat Intelligence Center (MSTIC). They include policy experts working for Western governments, think-tank and university researchers, as well as human-rights campaigners. They have all fallen victim to “sophisticated” requests that use polished language and appear legitimate, according to Reuters.

In most cases, the elicitation emails promise a payment of $300 in return for reviewing a manuscript, authoring a short opinion piece, or recommending another expert who may be able to provide these services. None of the individuals who went on to provide these services ever received any funds. Cybersecurity experts who reviewed the campaign told Reuters that the hackers never intended to pay their targets.

Author: Joseph Fitsanakis | Date: 13 August 2022 | Permalink

Newly discovered cyber-espionage group spies for money using state-actor methods

A NEWLY DISCOVERED cyber-espionage group appears to target the senior leadership of private corporations involved in large-scale financial transactions, but employs skills and methods usually associated with state-sponsored threat actors. The group has been termed “UNC3524” by the American cybersecurity firm Mandiant, which says it first observed it in December 2019. In a detailed blog post published earlier this week, a team of Mandiant researchers say they have been studying the group for over two years and have been surprised by their findings.

Given its targets and the information it goes after, there is little doubt that UNC3524 is interested in financial gain. However, its operational profile differs markedly from those of other financially oriented hacker groups, according to Mandiant. Its approach to espionage shows traits typically associated with government-sponsored intelligence operations. Notably, UNC3524 operatives take their time to get to know their targets and are in no hurry to exploit the environments they penetrate. Mandiant reported that UNC3524 intrusions can last up to 18 months. By contrast, the typical financially motivated intrusion rarely lasts longer than three weeks.

Additionally, UNC3524 operatives make a point of maintaining an extremely stealthy and low-key profile, and have developed a novel backdoor, which Mandiant has named QUIETEXIT, built on the open-source Dropbear SSH software. They deploy it on Internet of Things (IoT) devices and other network appliances typically found in corporate settings, which usually run no anti-virus or endpoint detection software and so provide a foothold that is hard to spot. Once inside a target’s environment, UNC3524 operatives meticulously build back-doors into the systems, and are known to return sometimes within hours of being detected and evicted.

Interestingly, UNC3524 operatives do not waste time on low-level employees of targeted corporations. Once inside, they go straight for executive-level targets, including those in corporate strategy and development, mergers and acquisitions, and even information security. Mandiant says a few other actors, notably the Russian-linked groups APT28 (Fancy Bear) and APT29 (Cozy Bear), are also known to operate with such high-level targets in mind. However, there is little other operational overlap between them and UNC3524, the blog post claims.

Author: Joseph Fitsanakis | Date: 04 May 2022 | Permalink

Russia targeted by unprecedented wave of cyber-attacks, experts say

RUSSIAN STATE COMPANIES, BUSINESSES and individuals are being targeted in an unprecedented wave of attacks by digital assailants, according to observers, who say they are surprised by its ferocity. Since February of this year, hackers have accessed the personal financial data of pro-Kremlin oligarchs, stolen millions of internal emails stored on Russian government servers, and defaced high-profile websites across the nation. The Washington Post, which summarized the wave of attacks last Sunday, said they are being waged by hacker collectives as well as common criminals. The paper claimed that the assailants are not connected to foreign governments.

According to observers, Russia currently tops the global list of targeted attacks by hackers for the first time since records began. Major targets include Russia’s media regulator, the Federal Service for Supervision of Communications, Information Technology and Mass Media, which anti-government activists blame for implementing Soviet-style censorship. Hackers have also attacked Russia’s state-owned broadcaster, known as VGTRK, as well as the Russian intelligence and defense establishments. Tens of thousands of emails exchanged by senior VGTRK officials since 2013 were recently stolen and leaked in a massive data dump. Additionally, lengthy lists containing the names of alleged Russian intelligence officers, as well as of soldiers, have been leaked online by unknown hackers.

The attacks are led by political hacker collectives, including Network Battalion 65 (NB65), which announced its existence on Twitter just hours after Russian troops began to march toward Kyiv. The group is believed to have links to the international hacktivist collective Anonymous, and claims to have no ties to governments. Another hacker collective that is behind the attacks on Russia is a group calling itself AgainstTheWest. Despite its name, it is led by a group of pro-Western, “English-speaking hackers […] with intelligence backgrounds”, according to The Post. Attacks are also being perpetrated by smaller groups of hackers, some of them based in Ukraine, and by criminal groups, whose members are motivated by profit and are attacking Russian state targets at a time when the Kremlin appears vulnerable.

According to the paper, the Ukrainian government is not directly involved in these cyber-attacks. However, it has repeatedly endorsed attacks by hackers aimed at weakening the Russian state. Back in February, Ukraine’s Deputy Prime Minister and Digital Transformation Minister issued an open call for the formation of a “volunteer cyber army” to fight for Ukraine. As intelNews reported at the time, the Ukrainian government claimed that nearly 200,000 people had shown interest in joining the initiative. However, little has been mentioned since. The government of Ukraine maintains an “IT Army” channel on Telegram, where it frequently suggests Russian targets that pro-Ukrainian hackers should attack. However, any evidence of links between it and the wave of cyber-attacks that Russia has been experiencing remains speculative.

Author: Ian Allen | Date: 03 May 2022 | Permalink

Dutch intelligence disrupt large-scale botnet belonging to Russian spy agency

ON MARCH 3, 2022, the Dutch newspaper de Volkskrant reported that the Dutch Military Intelligence and Security Service (MIVD) took action in response to abuse of SOHO-grade network devices in the Netherlands. The attacks are believed to have been perpetrated by Unit 74455 of the Main Intelligence Directorate of the General Staff of the Russian Armed Forces (GRU). The unit, also known as Sandworm or BlackEnergy, is linked to numerous influence operations and acts of sabotage around the world.

The devices had reportedly been compromised and made part of a large-scale botnet consisting of thousands of devices around the globe, which the GRU has been using to carry out digital attacks. The MIVD traced affected devices in the Netherlands and informed their owners, MIVD chief Jan Swillens told de Volkskrant. The MIVD’s discovery came after American and British services warned in late February that Russian operatives were using a previously undisclosed kind of malware, dubbed Cyclops Blink. According to the authorities, the botnet into which the compromised devices were incorporated has been active since at least June 2019.

Cyclops Blink leverages a vulnerability in WatchGuard Firebox appliances that can be exploited only if the device is configured to allow unrestricted remote management from the internet, a setting that is disabled by default. The malware is persistent: it survives device reboots and legitimate firmware updates. The United Kingdom’s National Cyber Security Centre describes Cyclops Blink as a “highly sophisticated piece of malware”.

Some owners of affected devices in the Netherlands were asked by the MIVD to (voluntarily) hand over infected devices. They were advised to replace the router, and in a few cases given a “coupon” for an alternative router, according to the Volkskrant. The precise number of devices compromised in the Netherlands is unclear, but is reportedly in the order of dozens. Swillens said the public disclosure is aimed at raising public awareness. “The threat is sometimes closer than you think. We want to make citizens aware of this. Consumer and SOHO devices, used by the grocery around the corner, so to speak, are leveraged by foreign state actors”, he added.

The disclosure can also be said to fit in the strategy of public attribution that was first mentioned in the Netherlands’ Defense Cyber Strategy of 2018. Published shortly after the disclosure of the disruption by MIVD of an attempted GRU attack against the computer network of the OPCW, the new strategy included the development of attribution capabilities, as well as the development of offensive capabilities in support of attribution. It advocates the view that state actors “that are [publicly] held accountable for their actions will make a different assessment than attackers who can operate in complete anonymity”.

Author: Matthijs Koot | Date: 07 March 2022 | Permalink

North Korea uses stolen cryptocurrency to fund its missile program, UN report claims

THE NORTH KOREAN MISSILE program has developed rapidly in the past year, partly due to an influx of stolen cryptocurrency, which has now become “an important revenue source” for Pyongyang, according to a United Nations report. The confidential report was produced for the United Nations Security Council by a committee tasked with monitoring the impact of the supranational body’s sanctions on the North Korean economy.

The United Nations imposed sanctions on North Korea in 2006, in response to its announcement that it possessed nuclear weapons. These sanctions have increased over the years, as Pyongyang has continued to advance its nuclear and ballistic missile programs. The sanctions have targeted the communist country’s export industry sectors, including fisheries, textiles, raw materials such as iron, lead and coal, as well as refined energy products.

The new report suggests that, not only have the sanctions failed to degrade Pyongyang’s nuclear and missile weapons programs, but that the latter actually saw a “marked acceleration” in 2021. It was delivered to the Security Council last week. According to the Reuters news agency, which accessed the confidential document, it states that North Korea has demonstrated “increased capabilities for rapid deployment, wide mobility (including at sea), and improved resilience of its missile forces”.

Much of this ability comes from funding derived through “cyberattacks, particularly on cryptocurrency assets”, which have now become “an important revenue source” for the North Korean government. These cyberattacks are conducted by North Korean hackers, who regularly target “financial institutions, cryptocurrency firms and exchanges”. According to the report, North Korean hackers were recently able to steal cryptocurrency valued at over $50 million by attacking just three cryptocurrency exchanges over a period of 18 months.

The United Nations report comes on the heels of another report, published last month by the cybersecurity firm Chainalysis, which alleged that Pyongyang was able to acquire digital assets worth nearly $400 million in 2021 alone. That made 2021 one of the most successful years for North Korean government-sponsored hackers, according to the report. To this one must add cyberattacks that do not target cryptocurrency, which also generate foreign cash for the North Korean government, amounting to several hundred million dollars each year according to research.

Author: Joseph Fitsanakis | Date: 07 February 2022 | Permalink

Hacker behind attack on popular booking site has ties to US intelligence, paper claims

A HACKER WHO TARGETED a major Dutch-based reservations website has ties to intelligence agencies in the United States, according to a new report. The claim was made on Wednesday by three Dutch investigative journalists, Merijn Rengers, Stijn Bronzwaer and Joris Kooiman. In a lengthy report published in NRC Handelsblad, Holland’s newspaper of record, the three journalists allege that the attack occurred in 2016. Its target was Booking.com, a popular hotel and travel reservations website, which is owned by the United States-listed Booking Holdings.

The authors argue that the interest Booking.com holds for security services is “no surprise”. The website’s data includes valuable information about “who is staying where and when, where diplomats are, who is traveling to suspicious countries or regions, where top executives book an outing with their secretary —all valuable information for [the world’s intelligence] services”.

According to the report, the hacker was able to penetrate an insufficiently secured server belonging to Booking.com and gain access to customer accounts by stealing their reservation personal identification numbers, or PINs. The hacker thereby stole “details of hotel [and flight] reservations” of thousands of Booking.com customers in the Middle East. The report claims that targeted customers included Middle East-based foreign diplomats, government officials and other “persons of interest” to American intelligence.

After detecting the breach, Booking.com allegedly conducted an internal probe, which verified that the hacker —nicknamed “Andrew”— had “connections to United States spy agencies”, according to the report. The company then sought the assistance of the Dutch General Intelligence and Security Service (AIVD). At the same time, however, Booking.com consulted with a British-based law firm, which advised it that it was not obligated to make news of the hacker attack public. It therefore chose not to publicize the incident, according to the NRC article.

Author: Joseph Fitsanakis | Date: 12 November 2021 | Permalink

Chinese-linked hacker group breached Indonesian spy agency’s networks

A GROUP OF COMPUTER hackers with links to the Chinese state is likely behind a major breach of networks belonging to at least ten Indonesian government ministries and agencies, including the country’s primary intelligence service. The breach was first reported on September 10 by Insikt Group, the threat research arm of the cybersecurity firm Recorded Future, whose researchers say they have been monitoring the intrusions since April of this year.

Insikt Group said its researchers noticed that a number of PlugX malware command-and-control servers were regularly communicating with hosts inside Indonesian government networks. After examining the communication patterns, the researchers concluded that the initial contact between the command-and-control servers and the Indonesian government networks was made in March of this year, if not earlier. How the attackers initially got in is still being determined, according to Insikt Group.

Insikt Group said the breach was perpetrated by Mustang Panda, an advanced persistent threat actor also known as BRONZE PRESIDENT, HoneyMyte and Red Lich. In the past, Mustang Panda has been particularly active in Southeast Asia, targeting systems in Mongolia, Malaysia and Vietnam. The targets of this latest breach included the Indonesian State Intelligence Agency, known as BIN. According to Insikt Group, BIN was “the most sensitive target compromised in the campaign”.

The company said it notified the Indonesian government twice about these intrusions, in June and July. Although no response was forthcoming from the Indonesian government, changes in its computer networks since that time may be taken as evidence that the authorities took steps to “identify and clean the infected systems”, according to Insikt Group’s report.

Author: Ian Allen | Date: 14 September 2021 | Permalink

Iranian hackers used Gmail, Facebook, to spy on US aerospace contractor

A GROUP OF HACKERS, who are known to operate under the direction of the Iranian government, used fictitious Gmail and Facebook accounts to compromise employees of a United States defense contractor. A report issued on Monday by the California-based cybersecurity company Proofpoint identified the hackers behind the espionage campaign as members of a group codenamed Threat Actor 456 (TA456).

Known also as Imperial Kitten and Tortoiseshell, TA456 has a history of pursuing espionage targets at the direction of the Iranian government. According to Proofpoint, TA456 is among “the most determined” Iranian-aligned threat actors. The cybersecurity firm adds that the espionage activities of TA456 often target Western “defense industrial base contractors” that are known to specialize in the Middle East.

The most recent operation by TA456 involved a fictitious online personality that went by the name “Marcella Flores”, also known as “Marcy Flores”, who claimed to live in the British city of Liverpool. The group used a Gmail account and fake Facebook profile to reinforce the fictitious profile’s credibility, and to approach employees of United States defense contractors. One such employee began corresponding with Flores on Facebook toward the end of 2019.

In June 2021, after cultivating the relationship with the defense employee for over a year, “Flores” sent the employee a link to a video file, purportedly of herself. The file delivered malware that Proofpoint tracks as LEMPO, which is designed to search the compromised computer and send copies of the files it finds back to the attackers.

Facebook is apparently aware of the espionage campaign by TA456. Last month, the social media company said it had taken action “against a group of hackers in Iran [in order] to disrupt their ability to use their infrastructure to abuse [Facebook’s] platform, distribute malware and conduct espionage operations across the internet, targeting primarily the United States”.

Author: Joseph Fitsanakis | Date: 03 August 2021 | Permalink

Main suspect in potentially momentous hacker-for-hire case seeks plea deal in NY

IN A DRAMATIC CASE, described by observers as “unusual”, a suspect in a hacker-for-hire scheme of potentially global proportions has told United States government prosecutors he is ready to discuss a plea deal. The case centers on Aviram Azari, a highly sought-after private detective who served in an Israeli police surveillance unit in the 1990s before launching a private career in investigations.

Azari was arrested in Florida in 2019 during a family vacation, and was shortly afterwards indicted in New York on charges of aggravated identity theft, conspiracy to commit computer hacking, and wire fraud. These charges reportedly date back to 2017 and 2018. Azari’s alleged objective was to target carefully selected individuals in order to steal their personal information, including email usernames and passwords. Last year, The New York Times reported that the case against Azari is connected with a potentially massive hacker-for-hire scheme code-named DARK BASIN.

Further information about DARK BASIN was published by Citizen Lab, a research unit of the University of Toronto’s Munk School of Global Affairs and Public Policy, which focuses on information technology, international security and human rights. It said DARK BASIN was orchestrated by an India-based firm called BellTroX InfoTech Services. It also claimed that the company is one of a number of hacker-for-hire firms based in India. These companies are said to be employed by private detectives in Western countries, who are usually hired by large multinationals or wealthy individuals.

Accordingly, the targets of DARK BASIN activities appear to have been investment firms based in the US and elsewhere, as well as government officials, pharmaceutical companies, lawyers, large banks, and even environmental activists who campaign against large multinationals. Additionally, some of DARK BASIN’s thousands of targets appear to be people involved in high-stakes divorce proceedings. Perhaps more alarmingly, among DARK BASIN’s targets are journalists around the world, who seem to have been targeted systematically in efforts to reveal their sources of information.

Azari has pleaded not guilty. But the fact that his lawyer has now communicated his client’s desire to seek a plea deal with US government prosecutors may be a major game-changer in this case, which may have global ramifications. The Reuters news agency, which reported the latest developments this week, said it reached out to the US Attorney’s Office in Manhattan, but spokesmen there declined to provide any information on Azari’s case.

Author: Joseph Fitsanakis | Date: 02 July 2021 | Permalink

Russian actors had access to Dutch police computer network during MH17 probe

Flight MH17

Russian hackers compromised the computer systems of the Dutch national police while the latter were conducting a criminal probe into the downing of Malaysia Airlines Flight 17 (MH17), according to a new report. MH17 was a scheduled passenger flight from Amsterdam to Kuala Lumpur, which was shot down over eastern Ukraine on July 17, 2014. All 283 passengers and 15 crew on board, 196 of them Dutch citizens, were killed.

Dutch newspaper De Volkskrant, which revealed this new information last week, said the compromise of the Dutch national police’s computer systems was not detected by Dutch police themselves, but by the Dutch General Intelligence and Security Service (AIVD). The paper said that neither the police nor the AIVD were willing to confirm the breach, but added that it had confirmed the breach took place through multiple anonymous sources.

On July 5, 2017, the Netherlands, Ukraine, Belgium, Australia and Malaysia announced the establishment of the Joint Investigation Team (JIT) into the downing of flight MH17. The multinational group stipulated that possible suspects in the downing of flight MH17 would be tried in the Netherlands. In September 2017, the AIVD said it possessed information about Russian targets in the Netherlands, which included an IP address of a police academy system. That system turned out to have been compromised, which allowed the attackers to access police systems. According to four anonymous sources, evidence of the attack was detected in several different places.

The police academy is part of the Dutch national police, and non-academy police personnel can access the network using their log-in credentials. Some sources suggest that the Russian Foreign Intelligence Service (SVR) carried out the attack through a Russian hacker group known as APT29, or Cozy Bear. However, a growing number of sources claim the attack was perpetrated by the Main Directorate of the Russian Armed Forces’ General Staff, known commonly as GRU, through a hacker group known as APT28, or Fancy Bear. SVR attackers are often involved in prolonged espionage operations and are careful to stay below the radar, whereas the GRU is believed to be more heavy-handed and faster. The SVR is believed to be partly responsible for the compromise of United States government agencies and companies through the supply chain attack known as the SolarWinds cyber attack, which came to light in late 2020.

Russia has tried to sabotage and undermine investigation activities into the MH17 disaster through various means: influence campaigns on social media, hacking of the Dutch Safety Board, theft of data from Dutch investigators, manipulation of other countries involved in the investigation, and the use of military spies. The Dutch police and public prosecution service were repeatedly targeted by phishing emails, police computer systems were subjected to direct attacks, and a Russian hacker drove a car with hacking equipment near the public prosecution office in Rotterdam.

The above efforts are not believed to have been successful. But the attack that came to light in September 2017 may have been. The infected police academy system ran “exotic” (meaning uncommon) software, according to a well-informed source. The Russians reportedly exploited a zero-day vulnerability in that software. After the incident, the national police made improvements in their logging and monitoring capabilities, and in their Security Operations Center (SOC). It is not currently known how long the attackers had access to the national police system, nor what information they were able to obtain.

Author: Matthijs Koot | Date: 17 June 2021 | Permalink

US government takes control of Internet domains used by SolarWinds hackers

Computer hacking

THE UNITED STATES GOVERNMENT has taken control of two Internet domains used last month in a large-scale phishing campaign by the same Russian-linked hacker group that was behind SolarWinds. The Department of Justice said on Tuesday it seized the two domains, theyardservice[.]com and worldhomeoutlet[.]com, on May 28, following a decision by a US court that authorized the action.

The large-scale attack was detected on May 25, and was delivered in over 3,000 emails sent from a compromised account belonging to the United States Agency for International Development (USAID). The compromised account was paired with the services of a legitimate email marketing company called Constant Contact. It was subsequently used to deliver phishing emails to the employees of over 150 organizations worldwide, most of them American.

The phishing emails featured an official USAID logo, beneath which was an embedded link to a purported “USAID Special Alert” titled “Donald Trump has published new documents on election fraud”. The link sent users to one of the two illicit subdomains, which infected victim machines with malware. The latter created a back door into infected computers, which allowed the hackers to maintain a constant presence in the compromised systems.
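For defenders, the useful artefacts in this report are the two seized domains. The following is an added example (not code from the article, the Department of Justice or Microsoft) showing how a security team could refang the defanged indicators exactly as quoted above and sweep web-proxy records for any contact with those domains or their subdomains. The log format, the client IP addresses and the subdomain names in the sample records are constructed for illustration; only the two base domains come from the report.

```python
"""Sweep proxy log lines for the two domains seized in the Nobelium
phishing campaign. Added example; sample log lines are constructed."""
import re

# Defanged indicators exactly as quoted in the article.
DEFANGED_IOCS = ["theyardservice[.]com", "worldhomeoutlet[.]com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a usable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def is_ioc_host(host: str, iocs=DEFANGED_IOCS) -> bool:
    """True if host equals an IoC domain or is a subdomain of one.

    The '.' + base check means a look-alike such as
    'worldhomeoutlet.com.example.net' is NOT treated as a hit."""
    host = host.lower().rstrip(".")
    for ioc in iocs:
        base = refang(ioc)
        if host == base or host.endswith("." + base):
            return True
    return False


# Extract the host part of an http(s) URL.
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
# Constructed, simplified proxy record: timestamp client_ip method url status
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def scan_log(lines, iocs=DEFANGED_IOCS):
    """Return (timestamp, client_ip, host) for every record touching an IoC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed records rather than crash
        ts, client, _method, url, _status = m.groups()
        h = HOST_RE.match(url)
        if h and is_ioc_host(h.group(1), iocs):
            hits.append((ts, client, h.group(1).lower()))
    return hits


# Constructed sample proxy records (hypothetical IPs, hosts and subdomains).
SAMPLE_LOG = [
    "2021-05-25T14:02:11Z 10.0.0.21 GET https://www.example.org/index.html 200",
    "2021-05-25T14:03:45Z 10.0.0.21 GET https://mail-tracker.example.net/r?x=1 302",
    "2021-05-25T14:03:46Z 10.0.0.21 GET https://alert.theyardservice.com/id 200",
    "2021-05-25T14:05:02Z 10.0.0.34 GET https://THEYARDSERVICE.COM/ 200",
    "2021-05-25T14:06:10Z 10.0.0.40 GET https://worldhomeoutlet.com.example.net/ 200",
    "2021-05-25T14:07:59Z 10.0.0.40 GET https://cdn.worldhomeoutlet.com/x.js 200",
]

if __name__ == "__main__":
    for ts, client, host in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} contacted IoC host {host}")
```

Because the report says victims were sent to subdomains of the seized domains, the matcher deliberately accepts any label under the base domain while rejecting hosts that merely contain the domain string as a prefix; the case-insensitive comparison covers proxies that log hostnames as the client sent them.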

According to Microsoft Corporation, the hackers behind the phishing attack originated from the same group that orchestrated the infamous SolarWinds hack in 2020. The term refers to a large-scale breach of computer systems belonging to the United States federal government and to organizations such as the European Union and the North Atlantic Treaty Organization. The threat actor behind the attack is referred to by cybersecurity experts as APT29 or Nobelium, among other names.

Speaking on behalf of the US Department of Justice’s National Security Division, Assistant Attorney General John C. Demers said on Tuesday that the seizure of the two Internet domains demonstrated the Department’s “commitment to proactively disrupt hacking activity prior to the conclusion of a criminal investigation”.

Author: Joseph Fitsanakis | Date: 03 June 2021 | Permalink