Previously obscure N. Korean hacker group is now stronger than ever, say experts

A little-known North Korean cyber espionage group has widened its scope and increased its sophistication in the past year, and now threatens targets worldwide, according to a new report by a leading cyber security firm. Since 2010, most cyber-attacks by North Korean hackers have been attributed to a group dubbed “Lazarus” by cyber security specialists. The Lazarus Group is thought to have perpetrated the infamous Sony Pictures attacks in 2014, and the worldwide wave of ransomware attacks dubbed WannaCry by experts in 2017. It is widely believed that the Lazarus Group operates on behalf of the government of North Korea. Most of its operations constitute destructive attacks —mostly cyber sabotage— and financial criminal activity.

For the past six years, a smaller hacker element within the Lazarus Group has engaged in intelligence collection and cyber espionage. Cyber security researchers have dubbed this sub-element “APT37”, “ScarCruft” or “Group123”. Historically, APT37 has focused on civilian and military targets with links to the South Korean government. The hacker group has also targeted human rights groups and individual North Korean defectors living in South Korea. However, a new report warns that APT37 has significantly expanded its activities in terms of both scope and sophistication in the past year. The report, published on Tuesday by the cyber security firm FireEye, suggests that APT37 has recently struck at targets in countries like Vietnam and Japan, and that its activities have disrupted telecommunications networks and commercial hubs in the Middle East.

According to the FireEye report, aerospace companies, financial institutions and telecommunications service providers in at least three continents have been targeted by APT37 in recent months. What is even more worrying, says the report, is that the hacker group is now capable of exploiting so-called “zero-day” vulnerabilities. These are software bugs and glitches in commonly used software, which have not been detected by software providers and are therefore exploitable by malicious hackers. FireEye said in its report that the North Korean regime will be tempted to use APT37 increasingly often “in previously unfamiliar roles and regions”, as cyber security experts are catching up with some of Pyongyang’s more visible hacker groups, such as Lazarus.

Author: Joseph Fitsanakis | Date: 21 February 2018 | Permalink

Dutch spies identified Russian hackers who meddled in 2016 US election

Dutch spies identified a notorious Russian hacker group that compromised computer servers belonging to the Democratic Party of the United States and notified American authorities of the attack, according to reports. In 2016, US intelligence agencies determined that a Russian hacker group known as Cozy Bear, or APT29, led a concerted effort to interfere in the US presidential election. The effort, which according to US intelligence agencies was sponsored by the Russian government, involved cyber-attacks against computer systems in the White House and the Department of State, among other targets. It also involved the theft of thousands of emails from computer servers belonging to the Democratic National Committee, which is the governing body of the Democratic Party. The stolen emails were eventually leaked to WikiLeaks, DCLeaks, and other online outlets. Prior descriptions of the Russian hacking in the media have hinted that US intelligence agencies were notified of the Russian cyber-attacks by foreign spy agencies. But there was no mention of where the initial clues came from.

Last Thursday, the Dutch current affairs program Nieuwsuur, which airs daily on Holland’s NPO 2 television, said that the initial tipoff originated from the AIVD, Holland’s General Intelligence and Security Service. On the same day, the Dutch newspaper De Volkskrant published a detailed account of what it described as AIVD’s successful penetration of Cozy Bear. According to these reports, AIVD was able to penetrate Cozy Bear in mid-2014, before the hacker group intensified its campaign against political targets in the US. Citing “six American and Dutch sources who are familiar with the material, but wish to remain anonymous”, De Volkskrant said that the AIVD was able to detect the physical base of the Cozy Bear hackers. The latter appeared to be working out of an academic facility that was adjacent to Moscow’s Red Square. The AIVD team was then able to remotely take control of security camera networks located around the facility. Eventually, the Dutch team hacked into another security camera network located inside the buildings in which the hackers worked. They soon began to collect pictures and footage of Cozy Bear members, which they then compared with photos of “known Russian spies”, according to De Volkskrant.

The paper said that the AIVD team continued to monitor Cozy Bear’s activities until at least 2017, while sharing intelligence with the Central Intelligence Agency and the National Security Agency in the US. The intelligence was allegedly instrumental in alerting US spy agencies about Russian government-sponsored efforts to meddle in the 2016 presidential election. Several newspapers, including The Washington Post in the US and The Independent in Britain, contacted the AIVD and the MIVD —Holland’s military intelligence agency— over the weekend. But the two agencies said they would not comment on reports concerning Cozy Bear.

Author: Joseph Fitsanakis | Date: 29 January 2018 | Research credit: E.J. & E.K. | Permalink

Russian hackers behind US election attacks also targeted hundreds of journalists

The Russian hacker group that targeted the United States presidential election in 2016 also attacked hundreds of reporters around the world, most of them Americans, an Associated Press investigation shows. The group is often referred to in cyber security circles as Fancy Bear, but is also known as Pawn Storm, Sednit, APT28, Sofacy, and STRONTIUM. It has been linked to a long-lasting series of coordinated attacks against at least 150 senior figures in the US Democratic Party. The attacks occurred in the run-up to last year’s presidential elections in the US, which resulted in a victory for Donald Trump. The hacker group’s targets included Democratic Party presidential candidate Hillary Clinton and her campaign chairman John Podesta. But its hackers also went after senior US diplomatic and intelligence officials, as well as foreign officials in countries like Canada and the Ukraine.

Now a new investigation by the Associated Press news agency, based on data collected over a period of two years by the cyber security firm Secureworks, appears to show that Fancy Bear also attacked journalists. In a leading article published last week, the Associated Press said that journalists appeared to be the third largest professional group targeted by Fancy Bear, after politicians and diplomats. The investigation shows that nearly half of all journalists that were systematically targeted by the hacker group worked for a single newspaper, The New York Times. At least fifty Times reporters feature on the hacker group’s target list. The latter includes another 50 reporters working for Russian outlets that are known to be critical of the Kremlin, and dozens of Eastern European reporters based in the Baltics, Moldova, Armenia, Georgia and Ukraine.

The Associated Press said that prominent names on the Fancy Bear target list include The Washington Post’s Josh Rogin, The Daily Beast’s intelligence correspondent Shane Harris, CNN’s security correspondent Michael Weiss, and Ellen Barry, the former Moscow bureau chief for The New York Times. The report also said that some American journalists were not only targeted online, but also physically. One of them, The New Yorker’s Masha Gessen, claims that she was routinely followed by Russian-speaking men in the period leading up to the 2016 presidential election. In April of this year, a study by the Tokyo-based cybersecurity firm Trend Micro showed that Fancy Bear was behind systematic efforts to subvert recent national elections in France and Germany. And a few weeks ago, Russian media reported that Konstantin Kozlovsky, a member of the prolific Russian hacker group Lurk, alleged that he had been hired by the Kremlin to help target the US Democratic Party.

Author: Ian Allen | Date: 26 December 2017 | Permalink

Israel reportedly behind discovery of Russian antivirus company’s spy links

Israeli spy services were reportedly behind the United States government’s recent decision to purge Kaspersky Lab antivirus software from its computers, citing possible collusion with Russian intelligence. Last month, the US Department of Homeland Security issued a directive ordering that all government computers should be free of software products designed by Kaspersky Lab. Formed in the late 1990s by Russian cybersecurity expert Eugene Kaspersky, the multinational antivirus software provider operates out of Moscow but is technically based in the United Kingdom. Its antivirus and cybersecurity products are installed on tens of millions of computers around the world, including computers belonging to government agencies in the US and elsewhere. But last month’s memorandum by the US government’s domestic security arm alarmed the cybersecurity community by alleging direct operational links between the antivirus company and the Kremlin.

On Tuesday, The New York Times reported that the initial piece of intelligence that alerted the US government to the alleged links between Kaspersky Lab and Moscow was provided by Israel. The American paper said that Israeli cyber spies managed to hack into Kaspersky’s systems and confirm the heavy presence of Russian government operatives there. The Times’ report stated that the Israelis documented real-time cyber espionage operations by the Russians, which targeted the government computer systems of foreign governments, including the United States’. The Israeli spies then reportedly approached their American counterparts and told them that Kaspersky Lab software was being used by Russian intelligence services as a backdoor to millions of computers worldwide. The Israelis also concluded that Kaspersky’s antivirus software was used to illegally steal files from these computers, which were essentially infected by spy software operated by the Russian government.

It was following the tip by the Israelis that the Department of Homeland Security issued its memorandum saying that it was “concerned about the ties between certain Kaspersky [Lab] officials and Russian intelligence and other government agencies”. The memorandum resulted in a decision by the US government —overwhelmingly supported by Congress— to scrap all Kaspersky software from its computer systems. Kaspersky Lab has rejected allegations that it works with Russian intelligence. In a statement issued in May of this year, the company said it had “never helped, nor will help, any government in the world with its cyberespionage efforts”.

Author: Joseph Fitsanakis | Date: 11 October 2017 | Permalink

Iranian state-backed cyber spies becoming increasingly skilled, says report

A group of cyber spies with close links to the Iranian government is becoming increasingly competent and adept, and could soon bring down entire computer networks, according to a leading cyber security firm. The California-based cyber security company FireEye said that it has been monitoring the operations of the mysterious group of cyber spies since 2013. The company, whose clients include Sony Pictures, JP Morgan Chase and Target, said that the Iranian group appears to be especially interested in gathering secrets from aviation, aerospace and petrochemical companies.

In a detailed report published on Wednesday, FireEye said that the Iranian group has a very narrow target focus. Moreover, it attacks its targets —which are typically companies— in highly customizable ways. The latter includes the use of cleverly designed phishing tools that are designed to attract the attention of the company’s unsuspecting employees. So far, companies that have been targeted include Saudi petrochemical conglomerates, American aviation firms, as well as South Korean and other Southeast Asian companies that have aviation or energy holdings, said FireEye. The security company said it had codenamed the group “APT33”, which stands for “Advanced Persistent Threat #33”. It also said that APT33 was clearly distinct from other known Iranian hacker groups, because of the sophistication of its operations and the quality of its cyber weapons. The cyber security firm said that APT33 was the first Iranian hacker group to be included on a select list of the most capable cyber spy groups from around the world.

Some experts believe that APT33 is run by Iran’s Revolutionary Guard Corps, an irregular branch of the Iranian military, which is seen by many as a state within a state in post-1979 Iran. The FireEye report does not appear conclusive on this point. However, it notes that APT33 has built an offensive cyber arsenal “with potential destructive capabilities”, but that it currently appears to focus solely on intelligence collection, not sabotage or warfare.

Author: Joseph Fitsanakis | Date: 21 September 2017 | Permalink

Russia jailed senior intelligence officers for helping CIA nab notorious hackers

Two senior officers in the Russian intelligence services were charged with treason after they were found to have helped the United States catch two notorious Russian hackers, according to reports in the Russian media. Sergey Mikhailov was a career officer in the Federal Security Service —a descendant of the domestic section of the Soviet-era KGB— which is often referred to as Russia’s equivalent of the United States Federal Bureau of Investigation. Mikhailov had risen through the ranks of the FSB to eventually head the agency’s Center for Information Security. Known in Russia as CIB, the Center is tasked with investigating electronic crime in the Russian Federation.

But in December 2016, Mikhailov and one of his trusted deputies in the CIB, Dmitry Dokuchaev, were suddenly removed from their posts and arrested. The arrests marked some of the highest-profile detentions of intelligence officers in Russia since the demise of the Soviet Union. Russian authorities refused to reveal the reasons for the arrests, but confirmed that the two men had been charged with treason. Reports soon surfaced in the Russian media, claiming that Mikhailov and Dokuchaev were arrested for their involvement in a Russian criminal hacker gang. Some Western media, including The New York Times, speculated that the two men may have been arrested for helping US intelligence investigate Russian interference in the 2016 US presidential election.

But now a new report alleges that Mikhailov and Dokuchaev were charged with treason after helping the US Central Intelligence Agency catch two prolific Russian hackers. The report was aired on Russian television station TV Dozhd, also known as TV Rain, a privately owned channel based in Moscow, which broadcasts in Russia and several other former Soviet Republics. One of the hackers, Roman Seleznev, known in hacker circles as Track2, reached worldwide notoriety for defrauding major credit card companies of tens of millions of dollars. He was arrested in 2014 in the South Asian island country of Maldives and eventually extradited to the US to stand trial. He was sentenced to 27 years in prison, which he is currently serving. The other hacker, Yevgeniy Nikulin, was arrested in the Czech Republic in 2016, pursuant to a US-issued international arrest warrant. He is now awaiting extradition to the US, where he is expected to be tried for hacking several high-profile companies, including DropBox and LinkedIn.

TV Dozhd said that Russian authorities are also suspecting the men of being members of hacker gangs, but that their main charges relate to their close cooperation with American intelligence agencies, reportedly in exchange for cash.

Author: Joseph Fitsanakis | Date: 25 August 2017 | Permalink

North Korean state now uses cyber attacks to steal cash, says report

North Korea’s intelligence establishment has shifted its attention from spying for political gain to spying for commercial advantage –primarily to secure funds for the cash-strapped country, according to a new report. Since the 1990s, the Democratic People’s Republic of Korea (DPRK) has used computer hacking in order to steal political and military secrets from its rivals. But there is increasing evidence that Pyongyang is now deploying armies of computer hackers in order to steal cash from foreign financial institutions and internet-based firms. This is the conclusion of a new report by the Financial Security Institute of South Korea, an agency that was set up by Seoul to safeguard the stability of the country’s financial sector.

The report, published last week, analyzed patterns of cyber attacks against South Korean state-owned and private financial institutions that took place between 2015 and 2017. It identified two separate computer hacking groups, which it named Lazarus and Andariel. According to the report, both groups’ activities, which are complementary, appear to be directed by the government of North Korea. An analysis of the groups’ targets suggests that Pyongyang has been directing its computer spies to find ways to secure hard currency for use by the government. Foreign currency has been increasingly hard to come by in North Korea in recent years, due to a host of international sanctions that were imposed on the country as a form of pressure against its nuclear weapons program.

Several cyber security experts and firms have claimed in recent months that North Korea has been behind recent cyber attacks against international banking institutions. The DPRK has also been blamed for a 2014 attack against the Hollywood studios of the Japanese multinational conglomerate Sony. Regular readers of intelNews will recall our story in March of this year about comments made on the subject of North Korea by Rick Ledgett, a 30-year veteran of the United States National Security Agency. Speaking at a public event hosted by the Aspen Institute in Washington, Ledgett expressed certainty that the government of North Korea was behind an attempt to steal nearly $1 billion from Bangladesh Bank —the state-owned central bank of Bangladesh— in 2016. Eventually the bank recovered most of the money, which had been moved through transactions using the SWIFT network. But the hackers managed to get away with approximately $81 million.

More recently, cyber security experts have claimed that the government of North Korea has been behind attempts to hack into automated teller machines, as well as behind efforts to steal cash from online gambling sites. In April of this year, the Russian-based cyber security firm Kaspersky Lab identified a third North Korean hacker group, which it named Bluenoroff. The Russian experts said Bluenoroff directed the majority of its attacks against foreign financial firms. There are rumors that Pyongyang was behind the wave of WannaCry ransomware attacks that infected hundreds of thousands of computers in over 150 countries in May. But no concrete evidence of North Korean complicity in the attacks has been presented.

Author: Joseph Fitsanakis | Date: 31 July 2017 | Permalink