Russian actors had access to Dutch police computer network during MH17 probe

June 17, 2021 by Leave a comment

Flight MH17

Russian hackers compromised the computer systems of the Dutch national police while the latter were conducting a criminal probe into the downing of Malaysia Airlines Flight 17 (MH17), according to a new report. MH17 was a scheduled passenger flight from Amsterdam to Kuala Lumpur, which was shot down over eastern Ukraine on July 17, 2014. All 283 passengers and 15 crew on board, 196 of them Dutch citizens, were killed.

Dutch newspaper De Volkskrant, which revealed this new information last week, said the compromise of the Dutch national police’s computer systems was not detected by Dutch police themselves, but by the Dutch General Intelligence and Security Service (AIVD). The paper said that neither the police nor the AIVD were willing to confirm the breach, but added that it had confirmed the breach took place through multiple anonymous sources.

On July 5, 2017, the Netherlands, Ukraine, Belgium, Australia and Malaysia announced the establishment of the Joint Investigation Team (JIT) into the downing of flight MH-17. The multinational group stipulated that possible suspects of the downing of flight MH17 would be tried in the Netherlands. In September 2017, the AIVD said it possessed information about Russian targets in the Netherlands, which included an IP address of a police academy system. That system turned out to have been compromised, which allowed the attackers to access police systems. According to four anonymous sources, evidence of the attack was detected in several different places.

The police academy is part of the Dutch national police, and non-academy police personnel can access the network using their log-in credentials. Some sources suggest that the Russian Foreign Intelligence Service (SVR) carried out the attack through a Russian hacker group known as APT29, or Cozy Bear. However, a growing number of sources claim the attack was perpetrated by the Main Directorate of the Russian Armed Forces’ General Staff, known commonly as GRU, through a hacker group known as APT28, or Fancy Bear. SVR attackers are often involved in prolonged espionage operations and are careful to stay below the radar, whereas the GRU is believed to be more heavy-handed and faster. The SVR is believed to be partly responsible for the compromise of United States government agencies and companies through the supply chain attack known as the SolarWinds cyber attack, which came to light in late 2020.

Russia has tried to sabotage and undermine investigation activities into the MH17 disaster through various means: influence campaigns on social media, hacking of the Dutch Safety Board, theft of data from Dutch investigators, manipulation of other countries involved in the investigation, and the use of military spies. The Dutch police and public prosecution service were repeatedly targeted by phishing emails, police computer systems were subjected to direct attacks, and a Russian hacker drove a car with hacking equipment near the public prosecution office in Rotterdam.

The above efforts are not believed to have been successful. But the attack that came to light in September 2017 may have been. The infected police academy system ran “exotic” (meaning uncommon) software, according to a well-informed source. The Russians reportedly exploited a zero day vulnerability in that software. After the incident, the national police made improvements in their logging and monitoring capabilities, and in their Security Operations Center (SOC). It is not currently known how long the attackers had access to the national police system, nor what information they were able to obtain.

Author: Matthijs Koot | Date: 17 June 2021 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , , , , , , ,

Chinese state-linked cyber actor allegedly behind attack on global airline industry

June 11, 2021 by 1 Comment

Air India

A GROUP OF COMPUTER hackers with close links to the Chinese state are allegedly behind a wide-scale attack on the global airline industry, which includes espionage, as well as financial motives, according to a new report. If confirmed, the attack would constitute a global campaign against a single industry that is unprecedented in size, according to experts.

The most recent victim of this series of worldwide attacks is Air India, India’s government-owned flagship air carrier. In May of this year, the company was targeted by what officials described as “a highly sophisticated attack” that had begun over two months earlier. It was indeed in early February that the hackers had begun to collect information about Air India and trying to infiltrate its networks through a combination of methods, including spear-phishing. The resulting compromise affected the data of some 4.5 million of Air India’s passengers. Stolen information included passengers’ credit card details, as well as passport information, such as names and dates of birth.

But in a new report issued on Thursday, the Singapore-based cybersecurity firm Group-IB said that the methodology used by the perpetrators of the Air India attack resembled those used to hack other airline carriers around the world. Other victims have included Singapore Airlines, Malaysia Airlines, Finnair, as well as SITA, a Swiss-based provider of information technology services to airline operators in over 200 countries and territories around the world.

What is more, the Group-IB report claims “with moderate confidence” that the attacks on the global airline industry are being perpetrated by APT41. Also known as BARIUM, APT41 is a highly prolific group of computer hackers that is widely believed to be connected with the Chinese government. Since first appearing on the scene in 2006, APT41 has amassed a list of victims that include firms from almost every imaginable industry, including manufacturing, telecommunications, transportation, healthcare and defense. Some of its strikes are clearly financially motivated and include ransomware attacks. Others are espionage-related and point to the information needs of a nation-state —allegedly China.

In 2020, the United States Federal Bureau of Investigation added five members of APT41 to its “Most Wanted” list. The accompanying press statement accusing the five men of conducting “supply chain attacks to gain unauthorized access to networks throughout the world”, and attacking a host of companies on nearly every continent, including the Americas.

Author: Joseph Fitsanakis | Date: 11 June 2021 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , , , , , , , ,

US government takes control of Internet domains used by SolarWinds hackers

June 3, 2021 by Leave a comment

Computer hacking

THE UNITED STATES GOVERNMENT has taken control of two Internet domains used last month in a large-scale phishing campaign by the same Russian-linked hacker group that was behind SolarWinds. The Department of Justice said on Tuesday it seized the two domains, theyardservice[.]com and worldhomeoutlet[.]com, on May 28, following a decision by a US court that authorized the action.

The large-scale attack was detected on May 25, and was delivered in over 3,000 emails sent from a compromised account belonging to the United States Agency for International Development (USAID). The compromised account was paired with the services of a legitimate email marketing company called Constant Contact. It was subsequently used to deliver phishing emails to the employees of over 150 organizations worldwide, most of them American.

The phishing emails featured an official USAID logo, beneath which was an embedded link to a purported “USAID Special Alert” titled “Donald Trump has published new documents on election fraud”. The link sent users to one of the two illicit subdomains, which infected victim machines with malware. The latter created a back door into infected computers, which allowed the hackers to maintain a constant presence in the compromised systems.

According to Microsoft Corporation, the hackers behind the phishing attack originated from the same group that orchestrated the infamous SolarWinds hack in 2020. The term refers to a large-scale breach of computer systems belonging to the United States federal government and to organizations such as the European Union and the North Atlantic Treaty Organization. The threat actor behind the attack is referred to by cybersecurity experts as APT29 or Nobelium, among other names.

Speaking on behalf of the US Department of Justice’s National Security Division, Assistant Attorney General John C. Demers said on Tuesday that the seizure of the two Internet domains demonstrated the Department’s “commitment to proactively disrupt hacking activity prior to the conclusion of a criminal investigation”.

Author: Joseph Fitsanakis | Date: 03 June 2021 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , , , , , ,

Chinese hackers used Facebook to target Uighur activists with malware

March 25, 2021 by 4 Comments

Facebook

CHINESE HACKERS USED FAKE Facebook accounts to target individual activists in the expatriate Uighur community and infect their personal communications devices with malware, according to Facebook. The social media company said on Wednesday that the coordinated operation targeted approximately 500 Uighur activists living in the United States, Canada, Australia, Syria, Turkey and Kazakhstan.

At least 12 million Uighurs, most of them Muslims, live in China’s Xinjiang region, which is among the most impoverished in the country. The Chinese state is currently engaged in a campaign to quell separatist tendencies among some Uighurs, while forcibly integrating the region’s population into mainstream culture through a state-run program of forcible assimilation. It is believed that at least a million Uighurs are currently living in detention camps run by the Communist Party of China, ostensibly for “re-education”. Meanwhile, thousands of Uighur expatriates, most of whom live in Kazakhstan and Turkey, are engaged in a concerted campaign aimed at airing human-rights violations occurring in the Chinese detention camps throughout Xinjiang.

According to Facebook, Chinese hackers set up around 100 accounts of fake personas claiming to be journalists with an interest in reporting on human rights, or pro-Uighur activists. They then befriended actual Uighur activists on Facebook and directed them to fake websites that were designed to resemble popular Uighur news agencies and pro-activist websites. However, these websites were carriers of malware, which infected the personal communications devices of those who visited them. Some Facebook users were also directed to fake smartphone application stores, from where they downloaded Uighur-themed applications that contained malware.

Facebook said it was able to detect and disrupt the fake account network, which has now been neutralized. It also said it was able to block all fake domains associated with the hacker group, and notified users who were targeted by the hackers. It added that its security experts were not able to discern direct connections between the hackers an the Chinese state.

Author: Joseph Fitsanakis | Date: 25 March 2021 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , , ,

Finnish intelligence identifies Chinese state-linked group behind cyber-attack

March 19, 2021 by 3 Comments

Finnish Parliament

FINLAND’S INTELLIGENCE AGENCY HAS identified a hacker group with ties to the Chinese state as the culprit of an attack of “exceptional” magnitude and intensity that targeted the Finnish Parliament last year. The attack was reported in December 2020, but had been going on for several weeks prior to being discovered by the information security department of the Eduskunta (Parliament of Finland).

Finland’s National Bureau of Investigation (NIB) said at the time that the attack had compromised parts of the Parliament’s internal communication system, including a number of Parliamentary email accounts. Some of these accounts belonged to members of Parliament, while others belonged to members of staff, according to the NIB.

Little became known about the attack in the months after the incident was first reported by Finnish media. But on Thursday the Finnish Security and Intelligence Service (SUPO) issued a press release about the incident. It said that the attack was likely part of a state-sponsored cyber espionage operation. It also identified those responsible for the attack as Advanced Persistent Threat (APT) 31. The SUPO report did not name the state that sponsored the attack. However, several private computer security firms have linked APT31 with the Chinese government.

The SUPO report stated that the attack on the Finnish Parliament was neither random nor experimental. On the contrary, it was aimed at acquiring specific information stored at the Parliament’s computer servers. Although the motive for the attack is still being investigated, it is possible that it was part of an effort “to gather intelligence to benefit a foreign state or to harm Finland’s interests”, said SUPO. The spy agency added that it would not provide further details about the case while it remains the subject a criminal investigation.

Author: Joseph Fitsanakis | Date: 19 March 2021 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , , , ,

Iran spies on dissidents via web server based in Holland, registered in Cyprus

February 19, 2021 by Leave a comment

Computer hackingA WEB SERVER BASED in Holland and owned by a company registered in Cyprus is being used by the Iranian government to spy on its critics abroad, according to Dutch public radio. The information about Iranian espionage was revealed on Thursday by NPO Radio 1, one of Holland’s public radio stations, with the help of Romanian cybersecurity firm BitDefender.

The discovery was reportedly made after an Iranian dissident based in Holland was sent an infected file by a user of the popular instant messaging application Telegram. Instead of opening the file, the recipient contacted cybersecurity experts, who identified it as a type of infected software that is known to have been used in the past by the Iranian state. Once it infects a computer, the software takes screenshots and uses the machine’s built-in microphone to make surreptitious recordings.

According to BitDefender’s cybersecurity experts, the server is being used for “command and control” functions in order to facilitate remote control of infected computers and phones. These functions include stealing data, as well as collecting screen shots and audio recordings. The server had been previously used to penetrate computers in Holland, Sweden, Germany, and several other countries, including India.

Cybersecurity experts from BitDefender found that the infected file was delivered to its target via a web server facility based in Haarlem, a city located 20 miles west of Amsterdam. The cybersecurity company said the server is registered to a company that belongs to a Romanian service provider. The company is registered in Cyprus and provides services to a number of companies, including in this case an American company. The latter reportedly stopped using the service provider once it was told of the Iranian connection, according to reports.

Author: Joseph Fitsanakis | Date: 19 February 2021 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , , ,

Analysis: Potential espionage aspects of attack on US Capitol must be considered

January 12, 2021 by 4 Comments

US CapitolTHE INSURGENTS WHO STORMED the United States Capitol Building Complex on January 6 may have unwittingly provided cover for teams of foreign spies, who could have stolen or compromised sensitive electronic equipment. This largely neglected security-related aspect of the attack is discussed in an insightful article by David Gewitz, a ZDNet and CNET columnist who writes about cybersecurity affairs.

Hundreds of unauthorized people entered the US Capitol last Wednesday. Many of them entered the offices of several members of Congress, some of whom are members of Congressional committees on intelligence, armed services, defense, and other sensitive matters. According to Gewitz, “there is absolutely no knowing what actions were taken against digital gear inside the building” by the intruders. Most of them were clearly members of disorganized mobs, who appeared to have no concrete plan of action once inside the Capitol. However, points Gewitz, it would have been easy for foreign actors to blend in with the crowd of wild-eyed rioters and surreptitiously entered the Capitol in order to steal or compromise sensitive electronic equipment.

In addition to stealing electronic equipment, foreign spies could have stolen sensitive documents, access codes and passcodes, says Gewitz. He adds that more sophisticated efforts could have included loading malware onto Capitol computer systems, or plugging surreptitious USB drives into the internal ports of tower PCs —a process that takes less than two minutes for someone who is equipped with an pocket-size electric screwdriver. Foreign actors could also have left dozens of “generic USB drives in various drawers and on various desks” around the Capitol, hoping that members of Congress or their aides will make use of them in the coming days or weeks. For all we know, says Gewitz, the place could now be riddled with USB chargers with built-in wireless key-loggers, devices that look like power strips but actually hide wireless network hacking tools, fake smoke detectors, electric outlets or switches that contain bugs, and many other surreptitious spying devices.

What should Capitol security personnel do to prevent the potential espionage fallout from the January 6 attack? Gewitz argues that, given the extremely sensitive nature of the information that is stored in the Capitol’s digital systems, federal cybersecurity personnel should “assume that ALL the digital devices at the Capitol have been compromised”, he writes. They will therefore need to resort to “a scorched Earth remediation effort”, meaning that they will have to “completely scrub” those systems, and even lock the USB drive slots of every PC in the building complex. This damage will take months, even years, to clean up, he concludes.

Author: Joseph Fitsanakis | Date: 12 January 2021 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , ,

Massive hacker attack triggers US National Security Council emergency meeting

December 15, 2020 by 2 Comments

White HouseA large-scale cyberespionage attack targeting United States government computer systems, which some experts described as potentially being among “the most impactful espionage campaigns on record”, triggered an emergency meeting of the US National Security Council on Sunday, according to reports. Chaired by the US president, the National Security Council is the country’s most senior decision-making body.

Although it was only discovered last week, the cyberespionage campaign is believed to date to last spring, possibly as early as March. Sources called it a highly sophisticated operation that originated from a “top-tier” adversary –a term that refers to a handful of state actors that have access to the most elite cyber operatives and advanced technologies known to exist.

As of last night, US government officials had not publicly identified the state actor believed to be behind the cyberespionage campaign, which experts have coined the “2020 supply chain attack”. But several American and European news outlets pointed to Russia as the culprit, citing sources familiar with the investigation. The Washington Post said the Russian Foreign Intelligence Service, known as SVR, was behind the attack. The Russian government denied on Monday that its agencies had any role in the attacks.

The origins of the attack are believed to be in the private sector. It began when a sophisticated illicit cyber actor, known by the nickname Advanced Persistent Threat (APT) 29, or Cozy Bear, stole cyber tools used by two major government contractors, FireEye and SolarWinds. These cyber tools are used to detect and patch vulnerabilities in computer systems. These companies provide services to numerous US government customers, including the Departments of Defense, State, Treasury and Commerce. Other US government customers include the National Security Agency and the Office of the President, including the White House Situation Room. All of these entities have reportedly been affected by this cyber espionage operation.

By disguising their malicious software as software patches, the hackers were reportedly able to access and monitor, in real time, email traffic within and between government agencies. It is not known at this time whether US intelligence agencies, other than the National Security Agency, have been affected by this hack. All branches of the US military maintain intelligence components. Additionally, the Department of the Treasury operates the Office of Intelligence Analysis, while the Department of State is in charge of the Bureau of Intelligence and Research. The White House said yesterday that it had asked the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency to probe the attack and evaluate the extent of the damage caused to US government operations.

Author: Joseph Fitsanakis | Date: 15 December 2020 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , , , , , ,

Dutch hacker says he logged into Trump’s Twitter account by guessing password

October 23, 2020 by 1 Comment

Twitter IA

A DUTCH ETHICAL COMPUTER hacker and cybersecurity expert claims to have logged into the personal Twitter account of United States President Donald Trump, reportedly after guessing his password. The hacker, Victor Gevers, took several screenshots of the private interface of Trump’s Twitter account, and shared them with Dutch news media, before contacting US authorities to notify them of the breach.

Trump attributes much of his popularity and electoral success to social media, and is especially fond of Twitter as a means of communication. He has tweeted nearly 20,000 times since 2015 (including re-tweets), with at least 6,000 of those tweets appearing in 2020 alone. His personal account, which uses the moniker @realDonaldTrump, has almost 90 million followers.

But Gevers, a self-described ethical computer hacker, cybersecurity researcher and activist, said he was able to guess the American president’s password and log into his Twitter account after four failed attempts. The hacker claims that Trump’s password was “maga2020!”. According to Gevers, Trump’s account did not require a two-factor authentication log-in process, which usually requires a password coupled with a numeric code that is sent to a user’s mobile telephone. As a result, Gevers said he was able to access Trump’s private messages on Twitter and —had he wanted to— post tweets in the name of the US president. He could also change Trump’s profile image, had he chosen to do so.

The Dutch hacker took several screenshots of the webpages he was able to access and emailed them to Volkskrant, a Dutch daily newspaper, and Vrij Nederland, an investigative monthly magazine. Shortly after accessing Trump’s account, Gevers said he contacted the US Computer Emergency Readiness Team (US-CERT), which operates under the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. He said the US president’s password was changed “shortly after”, and that he was then contacted by the US Secret Service.

Also on Thursday, a Twitter spokesman said the company’s security team had seen “no evidence to corroborate” Gevers’ claim. He added that the San Francisco, California-based social media company had “proactively implemented account security measures for a designated group of high-profile, election-related Twitter accounts in the United States, including federal branches of government”. Such measures included “strongly” encouraging such accounts to enable two-factor authentication, said the spokesman. But he did not specify whether Trump’s account had activated this feature. The White House also denied Gevers’ claim, calling it “absolutely not true” and adding that it would “not comment on security procedures around the president’s social media accounts”.

Author: Ian Allen | Date: 23 October 2020 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , ,

United States charges six Russian intelligence operatives with hacking

October 20, 2020 by 2 Comments

US Department of Justice

THE UNITED STATES DEPARTMENT of Justice has unsealed charges against six members of Russia’s military intelligence agency for allegedly engaging in worldwide computer hacking against several countries. The charges, announced in Pittsburgh on Monday, represent in a rare move that targets specific intelligence operatives and identifies them by name and visually. According to the US government, the six Russian operatives were instrumental in some of the most destructive and costly cyber-attacks that have taken place worldwide in the past five years.

The indictment alleges that the six Russian intelligence operatives were members of a hacker group named “Sandworm Team” and “Voodoo Bear” by cybersecurity experts. In reality, however, they were —and probably still are— employees of Unit 74455 of the Russian Armed Forces’ Main Intelligence Directorate, known as GRU. Their cyber-attacks employed the full resources of the GRU, according to the indictment. They were thus “highly advanced”, and were carried out in direct support of “Russian economic and national objectives”. At times, the group allegedly tried to hide its tracks and connections to the Russian government, by making it seem like its cyber-attacks were carried out by Chinese- and North Korean-linked hackers. However, according to the US government, its operations and targets were carried out “for the strategic benefit of Russia”.

The hacker group has been active since the end of 2015, and is alleged to have continued its operations until at least October of 2019. Alleged attacks include a major assault on the power grid of Ukraine in December of 2015, which left hundreds of thousands without electricity and heat. Other alleged attacks targeted the government of Georgia and the French national elections of 2017. The charges include alleged attacks on Western chemical laboratories that examined the toxic substance used in 2018 against former GRU officer Sergei Skripal in England.

Finally, some of the group’s alleged efforts centered on sabotaging the 2018 Winter Olympics in Pyeongchang, South Korea. Russian athletes were barred from the games, after the Russian government was accused of participating in wholesale doping of its Olympic team. Notably, none of the attacks connected with the group’s operations appeared to have directly targeted the United States —though some of the viruses that were allegedly unleashed by the group affected some American companies.

Author: Joseph Fitsanakis | Date: 21 October 2020 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , , , ,

FBI reorganizes cyber-crime and foreign cyber-espionage divisions as cases rise

October 2, 2020 by Leave a comment

FBI

The United States Federal Bureau of Investigation is reorganizing its cyber-crime and foreign cyber-espionage divisions in order to combat growing activity in those areas, while also increasing its cross-agency contacts. The goal is to reinforce investigations into computer hacking perpetrated by organized cyber-criminals, as well as by foreign states aiming to steal government and corporate secrets.

According to the Reuters news agency, the FBI made the decision to reorganize its cyber divisions after Internet-based crime and espionage cases rose to unprecedented levels in the past year, a trend that is partly driven by the COVID-19 epidemic. Aside from the damage caused to national security, the financial loss associated with computer hacking is said to be incalculable.

In an interview with Reuters, Matt Gorham, assistant director of the FBI’s Cyber Division (established in 2002), said the reorganization includes both the Bureau’s cyber-crime and foreign cyber-espionage wings. It also includes increased FBI emphasis on the National Cyber Investigative Joint Task Force (NCIJTF), an amalgamation of cyber-security specialists from dozens of US federal agencies, including the Secret Service, the National Security Agency, the Department of Homeland Security and the Central Intelligence Agency.

Under the new system, the NCIJTF will serve as the coordinating body of the US government’s cyber-security efforts. Additionally, said Gorham, the FBI is creating “mission centers” located within various cyber units, and connect their work with the NCIJTF. These mission centers will include concentrations on specific cyber-espionage actors, such as Iran, North Korea, China or Russia. Lastly, the restructured NCIJTF will increase its contacts with domestic and foreign law enforcement agencies, such as the Australian Federal Police, as well as with telecommunications service providers, which are engaged on the front lines of the fight against cyber-crime and cyber-espionage.

Author: Ian Allen | Date: 02 October 2020 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , , ,

Large-scale cyberattacks, Internet disruptions, reported on Belarus election day

August 10, 2020 by Leave a comment

BelarusBelarus experienced large-scale cyberattacks that crippled many government websites, while parts of the Internet were inoperative during a national election on Sunday, as large-scale demonstrations erupted all over the country. The demonstrations, which went on late into Sunday night, were sparked by reports that the country’s authoritarian leader, Alexander Lukashenko, had secured a record sixth term in office, despite facing a serious challenge from opposition leader Sviatlana Tsikhanouskaya. Tsikhanouskaya is married to Syarhey Tsikhanouski, a jailed blogger with substantial social-media following among young voters.

On Sunday afternoon, the National Computer Incident Response Center of Belarus (CERT) reported that the servers of the State Security Committee (KGB), the country’s spy agency, had come under sustained attack. The Internal Affairs Ministry’s website and servers had also been affected by what CERT called “a large wave” of cyberattacks. These were first noticed on Saturday, but continued well into the evening of Sunday, according to reports. Other government websites and services were subjected to distributed denial of service (DDoS) attacks, during which online servers crashed after being flooded with requests for information.

Meanwhile, Internet and cell phone users reported having difficulty accessing popular websites like Google, and social media services, including Telegram and Signal. Internet-based cell phone service was almost completely down throughout the country by Sunday afternoon. Beltelecom, the state-owned telephone service provider, said its systems were “experiencing interruptions in access” and “congestion of channels due to foreign traffic in large quantities”. It added that its technicians had not yet determined “whether people or machines” were behind the disruptions in service.

Late last month, the Belarusian secret services arrested 33 Russian citizens, who were allegedly members of the Wagner Group, a Kremlin-backed private military firm. The government of Belarus accused the group of trying to subvert the presidential elections on behalf of Moscow. The 33 Russians were charged with terrorism against the state. Russia has denied claims by the Belarussian government that it is behind an effort to destabilize the former Soviet Republic.

Author: Joseph Fitsanakis | Date: 10 August 2020 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , ,

North Korea targeted UN Security Council officials with spear-phishing campaign

August 5, 2020 by Leave a comment

United Nations headquartersComputer hackers working for North Korea launched cyberattacks against carefully selected officials of national delegations belonging to the United Nations Security Council, according to a soon-to-be released report. The report is expected to be submitted early next month to the UN Security Council Sanctions Committee on North Korea.

Known previously as the UN Security Council Committee Established Pursuant to Resolution 1718, the committee was created in 2006 as part of the UN Security Council’s resolution 1718. The resolution was implemented in response to the first nuclear test conducted by North Korea on October 9 of that year, which confirmed beyond doubt the existence of Pyongyang’s nuclear weapons program. The committee’s mission is to gather information about North Korea’s nuclear activities, examine and evaluate the impact of international sanctions, and issue periodic recommendations to the UN National Security Council.

A draft version of the report was leaked to the media earlier this week. It states that a North Korean cyberattack targeted at least 11 officials belonging to six different national delegations that are members of the UN National Security Council. According to the draft report, the 11 officials were targeted earlier this year via a so-called “spear-phishing” campaign. The term refers to cyber-espionage operations in which hackers carefully select specific staff members of larger organizations for penetration. The targeted officials were reportedly approached using Gmail and WhatsApp, by a group of hackers who used fake identities.

The report also details efforts by the North Korean regime to acquire foreign hard currency through illicit hacking operations, as well as by illicitly acquiring virtual assets, such as cryptocurrencies. There is increasing speculation among North Korea observers about Pyongyang’s involvement in the cryptocurrency industry —though how exactly the government manages to cash out its alleged cryptocurrency assets remains a mystery.

Author: Joseph Fitsanakis | Date: 05 August 2020 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , , ,

In major victory over Pentagon, CIA is authorized to expand offensive cyber operations

July 16, 2020 by 1 Comment

Trump CIA - JFThe United States Central Intelligence Agency was secretly authorized by the White House in 2018 to drastically expand its offensive cyber operation program —a development that some experts describe as a significant development for the secretive spy agency. However, the move has reportedly not pleased the Department of Defense, which sees itself as the primary conduit of American offensive operations in cyberspace.

The two-year-old authorization was disclosed by Yahoo News, which cited “former US officials with direct knowledge of the matter” in its report. The website said the authorization came in the form of a presidential finding. A presidential finding, also known as a Memorandum of Notification, refers to a directive, which is authored by the president of the US and is given to the intelligence committees of Congress. Its purpose is to explain the reasoning behind a covert operation that is to be carried out abroad. Following that disclosure by the president, government funds can be appropriated for use in that operation or series of operations.

According to Yahoo News, the 2018 presidential finding provides the CIA with “more freedom in both the kinds of operations it conducts and who it targets”, when it comes to covert action carried out online. The goal of the White House was to enable the CIA to unleash a series of offensive measures against “a handful of adversarial countries”, which include North Korea, Iran, China and Russia, according to the report. Such offensive operations differ substantially from those typically carried out by CIA personnel on cyberspace, which focus on clandestine information collection. In contrast, offensive operations aim to disrupt, sabotage or even destroy targeted systems.

In addition to enhancing the scope of the CIA’s cyber operations, the presidential directive is also believed to make it easier for the agency to target non-state actors and agencies, including financial intuitions, charities, news media, or businesses. Such targets may be attacked when they are found to be operating on behalf of adversarial intelligence agencies. Moreover, it makes it easier for the spy agency to leak secret information about targeted adversaries to media organizations, a tactic that Russian spy services are believed to have utilized in the past.

The Yahoo News report notes that the presidential directive is seen as a major victory for the CIA in its long bureaucratic battle with the Department of Defense. The latter has traditionally been entrusted by the US government with carrying out offensive cyber operations. There are also questions about potential operational overlap between the CIA and the Pentagon, as the two actors may at times be attacking the same targets. This brings up the issue of inter-agency coordination between two bodies, which has not always been smooth in the past.

Yahoo News said it submitted “an extensive list of questions” to the CIA, but the agency declined to comment. The National Security Council, which oversaw the drafting of the alleged presidential finding, did not respond to questions stemming from the news report.

Author: Joseph Fitsanakis | Date: 16 July 2020 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , ,

US Department of Health computers targeted by hackers amidst COVID-19 crisis

March 17, 2020 by 2 Comments

Health and Human ServicesA cyberattack, coupled with a disinformation campaign, targeted the computer systems of the United States Department of Health and Human Services (HHS), in what officials believe was an effort to undermine America’s response to the coronavirus pandemic.

The cyberattack reportedly took place on Sunday night, when online administrators at HHS noticed an abnormal spike in requests to the department’s servers. The number of requests grew to several million within a few hours, according to Bloomberg News, which first reported the incident. A few hours later, a campaign of disinformation was launched against the HHS, along with text messages warning that martial law would be declared across the nation and a two-week curfew would be imposed by the Armed Forces.

The disinformation campaign prompted a tweet by the US National Security Council on Sunday. The tweet warned against “fake” text messages spreading unsubstantiated rumors. There was no elaboration about the content of these text messages. On Monday, the HHS acknowledged that its computer systems had come under attack the previous evening. However, it said that the hackers behind the attack had failed to compromise the integrity of the Department’s computer systems, and that no data had been stolen.

Later on Monday, the HHS said that it was still investigating what it described as “a significant increase in activity” on its computer infrastructure. But it added that its systems remained “fully operational” and that the functionality of its networks had suffered “no degradation”. An HHS spokesman said the Department had augmented its cybersecurity protections in light of the COVID-19 emergency. Consequently, it had suffered no loss of operational capacity or data as a result of the cyberattack.

Speaking at the White House on Monday, HHS Secretary Alex Azar said that the source of the cyberattack was under investigation and refused to speculate as to the identity of the culprit or culprits. However, Bloomberg said that some US government officials suspect that the attack “may have been the work of a foreign actor”. On March 13, the US news network NBC cited experts from several cybersecurity firms who warned that spy agencies around the world were sending out coronavirus information in an attempt to “hack and spy on their targets”.

Author: Joseph Fitsanakis | Date: 17 March 2020 | Research credit: M.S. | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , ,

Older posts