Sophisticated spy malware found on Russian government computers

According to the predominant media narrative, the United States is constantly defending itself against cyber-attacks from countries like China and Russia. But, as intelNews has argued for years, this narrative is misleading. Recent intelligence disclosures clearly show that the US cyber-security posture is as offensive as that of its major adversaries. Additionally, China and Russia have to defend their computer networks as much as America does. Last weekend’s report from Moscow helps restore some of the balance that is missing from media reporting on cyber-security. According to the Russian Federal Security Service (FSB), a meticulously coded and sophisticated virus has been found on the computer networks of at least 20 major Russian agencies and organizations. The targets appear to have been carefully selected by the malware’s authors. They include government bodies, weapons laboratories and defense contractors located throughout Russia.

The FSB said that once installed, the virus gave its handler control of the infected computer system. It permitted an outside hacker to turn on a computer’s microphone or camera, and capture screenshots. It also stealthily installed keylogging software, thus allowing an outside party to monitor keyboard strokes on an infected system. Based on its functions, the malicious software seems to be designed to conduct deep surveillance on infected computers and their physical surroundings. The FSB would not attribute the malware to a specific hacking group or nation. But it said it believed that the malware attack was “coordinated”, “planned and planned professionally”. It also said that the coding of the virus “required considerable expertise”. In a brief statement released Saturday, the FSB said that aspects of the coding of the virus, as well as other identifying information, resembled those detected in preceding hacking attacks on computer servers in Russia and other countries. The statement did not elaborate, however.

The news about hacked Russian computers comes less than two weeks after it was claimed that Russian government-backed hackers stole electronic data belonging to the Democratic National Convention (DNC) in the United States. The Democratic Party’s presidential candidate, Hillary Clinton, publicly accused the Russian government of orchestrating the hacking of the DNC computer systems in an attempt to damage her campaign.

Author: Ian Allen | Date: 01 August 2016 | Permalink

Islamic State’s online army is a Russian front, says German intelligence

A German intelligence report alleges that the so-called ‘Cyber Caliphate’, the online hacker wing of the Islamic State, is in fact a Russian front, ingeniously conceived to permit Moscow to hack Western targets without retaliation. The group calling itself Cyber Caliphate first appeared in early 2014, purporting to operate as the online wing of the Islamic State of Iraq and Syria (ISIS), later renamed Islamic State. Today the Cyber Caliphate boasts a virtual army of hackers from dozens of countries, who are ostensibly operating as the online arm of the Islamic State. Their known activities include a strong and often concentrated social media presence, and computer hacking, primarily in the form of cyber espionage and cyber sabotage.

Since its inception, the Cyber Caliphate has claimed responsibility for hacking a number of European government agencies and private media outlets. Its targets include the BBC and French television channel TV5 Monde, which was severely impacted by cyber sabotage in April of 2015. The Cyber Caliphate said it was also behind attacks on the servers of the United States Federal Bureau of Investigation, the Department of Defense, and the website of the Pentagon’s US Central Command. The US has since retaliated, both with cyber attacks and physical strikes. One such strike resulted in the killing of Junaid Hussain, a British hacker of Pakistani background, who was said to be among the Cyber Caliphate’s senior commanders. Hussain, 21, was reportedly killed in August 2015 in Raqqa, the Islamic State’s de facto capital in Syria, reportedly after clicking on a compromised link in an email, which gave away his physical whereabouts.

Now, however, a German intelligence report claims that the Cyber Caliphate is not associated with the Islamic State, but is rather a fictitious front group created by Russia. According to German newsmagazine Der Spiegel, which said it had seen the classified report, German authorities suggest that the Cyber Caliphate is in fact a project of APT28 (also known as ‘Pawn Storm’), a notorious Russian hacking collective with close ties to Russian intelligence. The German intelligence report echoes previous assessments by French authorities, which in 2015 stated that the TV5 Monde cyber attack was a false flag operation orchestrated by APT28. Also in 2015, a security report by the US State Department concluded that despite the Cyber Caliphate’s proclamations of connections to the Islamic State, there were “no indications —technical or otherwise— that the groups are tied”.

Author: Ian Allen | Date: 20 June 2016 | Permalink

German nuclear power plant found to be infected with computer viruses

The computers of a nuclear power plant in southern Germany have been found to be infected with computer viruses that are designed to steal files and provide attackers with remote control of the system. The power plant, known as Gundremmingen, is located in Germany’s southern district of Günzburg, about 75 miles northwest of the city of Munich. The facility is owned and operated by RWE AG, Germany’s second-largest electricity producer, which is based in Essen, North Rhine-Westphalia. The company provides energy to over 30 million customers throughout Europe.

On Tuesday, an RWE AG spokesperson said cybersecurity experts had discovered a number of computer viruses in a part of the operating system that determines the position of nuclear rods in the power plant. The software on the system was installed in 2008 and was designed specifically for this task, said the company. The viruses found on it include two programs known as “Conficker” and “W32.Ramnit”. Both have infected millions of computers around the world that run the Microsoft Windows operating system. The malware appears to be specifically designed to target Microsoft Windows and tends to infect computer systems through the use of memory sticks. Once it infects a computer, it siphons stored files and gives attackers remote access to the system when the latter is connected to the Internet. According to RWE AG, viruses were also found on nearly 20 removable data drives, including memory sticks, which were in use by employees at the power plant. However, these data drives were allegedly not connected to the plant’s main operating system.

RWE AG spokespersons insisted this week that “Conficker”, “W32.Ramnit”, and other such malware did not pose a threat to the nuclear power plant’s computer systems, because the facility is not connected to the Internet. Consequently, it would be impossible for an attacker associated with the viruses to acquire remote access to Gundremmingen’s computer systems. The company did not clarify whether it believed that the viruses had specifically targeted the power plant. But it insisted that cyber security measures had been strengthened following the discovery of the malware, and said that it had notified Germany’s Federal Office for Information Security (BSI), which is now looking into the incident.

Author: Ian Allen | Date: 29 April 2016 | Permalink

America’s most senior intelligence official has his phone, email hacked

A member of a hacker group that took responsibility for breaking into the personal email account of the director of the Central Intelligence Agency last year has now hacked the email of the most senior intelligence official in the United States. In October 2015, the hacker group referred to by its members as “Crackas With Attitude” —CWA for short— claimed it was behind the hacking of an AOL personal email account belonging to John Brennan, who heads the CIA. Less than a month later, the CWA assumed responsibility for breaking into an online portal used by US law enforcement to read arrest records and share sensitive information about crimes involving shootings. Shortly after the second CWA hack, the Federal Bureau of Investigation issued an alert to all government employees advising them to change their passwords and be cautious about suspicious emails and other phishing attempts.

On Monday, an alleged member of CWA contacted Motherboard, an online media outlet belonging to Vice Media, and alleged that the group had managed to hack into the personal email account of James Clapper, Director of National Intelligence (DNI). Clapper’s job is to help synchronize the operations of US intelligence agencies and to mediate between the US Intelligence Community and the Executive. According to CWA, Clapper’s personal telephone and Internet service had also been compromised, as had his spouse’s personal email, which is hosted by Yahoo! services. The alleged CWA member told Motherboard that the forwarding settings of Clapper’s home telephone had been changed. As a result, calls made to the DNI were being forwarded to the headquarters of the Free Palestine Movement in California. Shortly afterwards, Free Palestine Movement executives confirmed that they had received a number of phone calls for Clapper. Last year, when they hacked the email of the director of the CIA, the CWA dedicated their action to the Free Palestine Movement.

Motherboard said that a spokesman at the Office of the DNI, Brian Hale, confirmed that Clapper’s personal email and telephone service had indeed been hacked. He told Motherboard’s Lorenzo Franceschi-Bicchierai that the Office of the DNI was “aware of the matter” and had “reported it to the appropriate authorities”. The FBI was contacted as well but did not respond.

Author: Ian Allen | Date: 14 January 2016 | Permalink

Security firm says it shut down extensive Iranian cyber spy program

A security firm with headquarters in Israel and the United States says it detected and neutralized an extensive cyber espionage program with direct ties to the government of Iran. The firm, called Check Point Software, which has offices in Tel Aviv and California, says it dubbed the cyber espionage program ROCKET KITTEN. In a media statement published on its website on Monday, Check Point claims that the hacker group maintained a high-profile target list of 1,600 individuals. The list reportedly includes members of the Saudi royal family and government, American and European officials, North Atlantic Treaty Organization officers and nuclear scientists working for the government of Israel. The list is said to include even the names of spouses of senior military officials from numerous nations.

News agency Reuters quoted Check Point Software’s research group manager Shahar Tal, who said that his team was able to compromise the ROCKET KITTEN databases and acquire the list of espionage targets maintained by the group. Most targets were from Saudi Arabia, Israel, and the United States, he said, although countries like Turkey and Venezuela were also on the list. Tal told Reuters that the hackers had compromised servers in the United Kingdom, Germany and the Netherlands, and that they were using these and other facilities in Europe to launch attacks on their unsuspecting targets. According to Check Point, the hacker group was under the command of Iran’s Revolutionary Guards Corps, a branch of the Iranian military that is ideologically committed to the defense of the 1979 Islamic Revolution.

Reuters said it contacted the US Federal Bureau of Investigation and Europol, but that both agencies refused comment, as did the Iranian Ministry of Foreign Affairs. However, an unnamed official representing the Shin Bet, Israel’s domestic security agency, said that ROCKET KITTEN “is familiar to us and is being attended to”. The official declined to provide further details. Meanwhile, Check Point said it would issue a detailed report on the subject late on Monday.

Author: Joseph Fitsanakis | Date: 10 November 2015 | Permalink

US Congressional review considers impact of federal database hack

A United States Congressional review into last month’s cyber theft of millions of government personnel records has concluded that its impact will go far “beyond mere theft of classified information”. Up to 21 million individual files were stolen in June, when hackers broke into the computer system of the Office of Personnel Management (OPM). Part of OPM’s job is to handle applications for security clearances for all agencies of the US federal government. Consequently, the breach gave the unidentified hackers access to the names and sensitive personal records of millions of Americans —including intelligence officers— who have filed applications for security clearances.

So far, however, there is no concrete proof in the public domain that the hack was perpetrated by agents of a foreign government for the purpose of espionage. Although there are strong suspicions in favor of the espionage theory, there are still some who believe that the cyber theft could have been the financially motivated work of a sophisticated criminal ring. But a new report produced by the Congressional Research Service, which is the research wing of the US Congress, seems to be favoring the view that “the OPM data were taken for espionage rather than for criminal purposes”. The report was completed on July 17 and circulated on a restricted basis. But it was acquired by the Secrecy News blog of the Federation of American Scientists, which published it on Tuesday.

The 10-page document points out that strictly financial reasons, such as identity theft or credit card fraud, cannot be ruled out as possible motivations of the massive data breach. But it points out that the stolen data have yet to appear in so-called “darknet” websites that are used by the criminal underworld to buy and sell such information. This is highly unusual, particularly when one considers the massive size of the data theft, which involves millions of Americans’ credit card and Social Security numbers. Experts doubt, therefore, that the OPM data “will ever appear for sale in the online black market”. This inevitably leads to the conclusion that the breach falls “in the category of intelligence-gathering, rather than commercial espionage”, according to the report.

The above conclusion could have far-reaching consequences, says the report. One such possible consequence is that high-resolution fingerprints that were contained in the OPM database could be used to blow the covers of American case officers posing as diplomats, and even deep-cover intelligence operatives working secretly abroad. Furthermore, the hackers that are in possession of the stolen files could use them to create high-quality forged documents, or even publish them in efforts to cause embarrassment to American intelligence agencies.

Author: Ian Allen | Date: 30 July 2015 | Permalink: https://intelnews.org/2015/07/30/01-1746/

NATO missile system hacked remotely by ‘foreign source’

A Patriot missile system stationed in Turkey by the North Atlantic Treaty Organization (NATO) was allegedly hacked by a remote source, according to reports. German magazine Behörden Spiegel said this week that the hacked missile system is owned and operated by the German Army. It was deployed along the Turkish-Syrian border in early 2013, after Ankara requested NATO assistance in protecting its territory from a possible spillover of the civil war in neighboring Syria.

The Patriot surface-to-air missile system was initially built for the United States Army by American defense contractor Raytheon in the 1980s, but has since been sold to many of Washington’s NATO allies, including Germany. The Patriot system consists of stand-alone batteries, each composed of six launchers and two radars. The radars, which are aimed at spotting and targeting incoming missiles, communicate with the launchers via a computer system. The latter was hijacked for a brief period of time by an unidentified hacker, said Behörden Spiegel, adding that the perpetrators of the electronic attack managed to get the missile system to “perform inexplicable commands”. The magazine gave no further details.

Access to the Patriot missile system could theoretically be gained through the computer link that connects the missiles with the battery’s control system, or through the computer chip that guides the missiles once they are launched. Hacking any one of these nodes could potentially allow a perpetrator to disable the system’s interception capabilities by disorienting its radars. Alternatively, a hacker could hypothetically prompt the system to fire its missiles at an unauthorized target. According to Behörden Spiegel, the attack on the missile system could not have come about by accident; it was a concentrated effort aimed at either taking control of the missiles or compromising the battery’s operating system. Moreover, the sophisticated nature of such an attack on a well-protected military system presupposes the availability of infrastructural and monetary resources that only nation-states possess, said the magazine.

Shortly after the Behörden Spiegel article was published, the German Federal Ministry of Defense denied that Patriot missile systems under its command could be hacked. A Ministry spokesman told German newspaper Die Welt that the Ministry was not aware of any such incident having taken place in Turkey or elsewhere.

Author: Joseph Fitsanakis | Date: 10 July 2015 | Permalink: https://intelnews.org/2015/07/10/01-1732/
