United States charges six Russian intelligence operatives with hacking

October 20, 2020 by Leave a comment

US Department of JusticeTHE UNITED STATES DEPARTMENT of Justice has unsealed charges against six members of Russia’s military intelligence agency for allegedly engaging in worldwide computer hacking against several countries. The charges, announced in Pittsburgh on Monday, represent in a rare move that targets specific intelligence operatives and identifies them by name and visually. According to the US government, the six Russian operatives were instrumental in some of the most destructive and costly cyber-attacks that have taken place worldwide in the past five years.

The indictment alleges that the six Russian intelligence operatives were members of a hacker group named “Sandworm Team” and “Voodoo Bear” by cybersecurity experts. In reality, however, they were —and probably still are— employees of Unit 74455 of the Russian Armed Forces’ Main Intelligence Directorate, known as GRU. Their cyber-attacks employed the full resources of the GRU, according to the indictment. They were thus “highly advanced”, and were carried out in direct support of “Russian economic and national objectives”. At times, the group allegedly tried to hide its tracks and connections to the Russian government, by making it seem like its cyber-attacks were carried out by Chinese- and North Korean-linked hackers. However, according to the US government, its operations and targets were carried out “for the strategic benefit of Russia”.

The hacker group has been active since the end of 2015, and is alleged to have continued its operations until at least October of 2019. Alleged attacks include a major assault on the power grid of Ukraine in December of 2015, which left hundreds of thousands without electricity and heat. Other alleged attacks targeted the government of Georgia and the French national elections of 2017. The charges include alleged attacks on Western chemical laboratories that examined the toxic substance used in 2018 against former GRU officer Sergei Skripal in England.

Finally, some of the group’s alleged efforts centered on sabotaging the 2018 Winter Olympics in Pyeongchang, South Korea. Russian athletes were barred from the games, after the Russian government was accused of participating in wholesale doping of its Olympic team. Notably, none of the attacks connected with the group’s operations appeared to have directly targeted the United States —though some of the viruses that were allegedly unleashed by the group affected some American companies.

Author: Joseph Fitsanakis | Date: 21 October 2020 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , , , ,

FBI reorganizes cyber-crime and foreign cyber-espionage divisions as cases rise

October 2, 2020 by Leave a comment

FBI

The United States Federal Bureau of Investigation is reorganizing its cyber-crime and foreign cyber-espionage divisions in order to combat growing activity in those areas, while also increasing its cross-agency contacts. The goal is to reinforce investigations into computer hacking perpetrated by organized cyber-criminals, as well as by foreign states aiming to steal government and corporate secrets.

According to the Reuters news agency, the FBI made the decision to reorganize its cyber divisions after Internet-based crime and espionage cases rose to unprecedented levels in the past year, a trend that is partly driven by the COVID-19 epidemic. Aside from the damage caused to national security, the financial loss associated with computer hacking is said to be incalculable.

In an interview with Reuters, Matt Gorham, assistant director of the FBI’s Cyber Division (established in 2002), said the reorganization includes both the Bureau’s cyber-crime and foreign cyber-espionage wings. It also includes increased FBI emphasis on the National Cyber Investigative Joint Task Force (NCIJTF), an amalgamation of cyber-security specialists from dozens of US federal agencies, including the Secret Service, the National Security Agency, the Department of Homeland Security and the Central Intelligence Agency.

Under the new system, the NCIJTF will serve as the coordinating body of the US government’s cyber-security efforts. Additionally, said Gorham, the FBI is creating “mission centers” located within various cyber units, and connect their work with the NCIJTF. These mission centers will include concentrations on specific cyber-espionage actors, such as Iran, North Korea, China or Russia. Lastly, the restructured NCIJTF will increase its contacts with domestic and foreign law enforcement agencies, such as the Australian Federal Police, as well as with telecommunications service providers, which are engaged on the front lines of the fight against cyber-crime and cyber-espionage.

Author: Ian Allen | Date: 02 October 2020 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , , ,

Large-scale cyberattacks, Internet disruptions, reported on Belarus election day

August 10, 2020 by Leave a comment

BelarusBelarus experienced large-scale cyberattacks that crippled many government websites, while parts of the Internet were inoperative during a national election on Sunday, as large-scale demonstrations erupted all over the country. The demonstrations, which went on late into Sunday night, were sparked by reports that the country’s authoritarian leader, Alexander Lukashenko, had secured a record sixth term in office, despite facing a serious challenge from opposition leader Sviatlana Tsikhanouskaya. Tsikhanouskaya is married to Syarhey Tsikhanouski, a jailed blogger with substantial social-media following among young voters.

On Sunday afternoon, the National Computer Incident Response Center of Belarus (CERT) reported that the servers of the State Security Committee (KGB), the country’s spy agency, had come under sustained attack. The Internal Affairs Ministry’s website and servers had also been affected by what CERT called “a large wave” of cyberattacks. These were first noticed on Saturday, but continued well into the evening of Sunday, according to reports. Other government websites and services were subjected to distributed denial of service (DDoS) attacks, during which online servers crashed after being flooded with requests for information.

Meanwhile, Internet and cell phone users reported having difficulty accessing popular websites like Google, and social media services, including Telegram and Signal. Internet-based cell phone service was almost completely down throughout the country by Sunday afternoon. Beltelecom, the state-owned telephone service provider, said its systems were “experiencing interruptions in access” and “congestion of channels due to foreign traffic in large quantities”. It added that its technicians had not yet determined “whether people or machines” were behind the disruptions in service.

Late last month, the Belarusian secret services arrested 33 Russian citizens, who were allegedly members of the Wagner Group, a Kremlin-backed private military firm. The government of Belarus accused the group of trying to subvert the presidential elections on behalf of Moscow. The 33 Russians were charged with terrorism against the state. Russia has denied claims by the Belarussian government that it is behind an effort to destabilize the former Soviet Republic.

Author: Joseph Fitsanakis | Date: 10 August 2020 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , ,

North Korea targeted UN Security Council officials with spear-phishing campaign

August 5, 2020 by Leave a comment

United Nations headquartersComputer hackers working for North Korea launched cyberattacks against carefully selected officials of national delegations belonging to the United Nations Security Council, according to a soon-to-be released report. The report is expected to be submitted early next month to the UN Security Council Sanctions Committee on North Korea.

Known previously as the UN Security Council Committee Established Pursuant to Resolution 1718, the committee was created in 2006 as part of the UN Security Council’s resolution 1718. The resolution was implemented in response to the first nuclear test conducted by North Korea on October 9 of that year, which confirmed beyond doubt the existence of Pyongyang’s nuclear weapons program. The committee’s mission is to gather information about North Korea’s nuclear activities, examine and evaluate the impact of international sanctions, and issue periodic recommendations to the UN National Security Council.

A draft version of the report was leaked to the media earlier this week. It states that a North Korean cyberattack targeted at least 11 officials belonging to six different national delegations that are members of the UN National Security Council. According to the draft report, the 11 officials were targeted earlier this year via a so-called “spear-phishing” campaign. The term refers to cyber-espionage operations in which hackers carefully select specific staff members of larger organizations for penetration. The targeted officials were reportedly approached using Gmail and WhatsApp, by a group of hackers who used fake identities.

The report also details efforts by the North Korean regime to acquire foreign hard currency through illicit hacking operations, as well as by illicitly acquiring virtual assets, such as cryptocurrencies. There is increasing speculation among North Korea observers about Pyongyang’s involvement in the cryptocurrency industry —though how exactly the government manages to cash out its alleged cryptocurrency assets remains a mystery.

Author: Joseph Fitsanakis | Date: 05 August 2020 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , , ,

In major victory over Pentagon, CIA is authorized to expand offensive cyber operations

July 16, 2020 by 1 Comment

Trump CIA - JFThe United States Central Intelligence Agency was secretly authorized by the White House in 2018 to drastically expand its offensive cyber operation program —a development that some experts describe as a significant development for the secretive spy agency. However, the move has reportedly not pleased the Department of Defense, which sees itself as the primary conduit of American offensive operations in cyberspace.

The two-year-old authorization was disclosed by Yahoo News, which cited “former US officials with direct knowledge of the matter” in its report. The website said the authorization came in the form of a presidential finding. A presidential finding, also known as a Memorandum of Notification, refers to a directive, which is authored by the president of the US and is given to the intelligence committees of Congress. Its purpose is to explain the reasoning behind a covert operation that is to be carried out abroad. Following that disclosure by the president, government funds can be appropriated for use in that operation or series of operations.

According to Yahoo News, the 2018 presidential finding provides the CIA with “more freedom in both the kinds of operations it conducts and who it targets”, when it comes to covert action carried out online. The goal of the White House was to enable the CIA to unleash a series of offensive measures against “a handful of adversarial countries”, which include North Korea, Iran, China and Russia, according to the report. Such offensive operations differ substantially from those typically carried out by CIA personnel on cyberspace, which focus on clandestine information collection. In contrast, offensive operations aim to disrupt, sabotage or even destroy targeted systems.

In addition to enhancing the scope of the CIA’s cyber operations, the presidential directive is also believed to make it easier for the agency to target non-state actors and agencies, including financial intuitions, charities, news media, or businesses. Such targets may be attacked when they are found to be operating on behalf of adversarial intelligence agencies. Moreover, it makes it easier for the spy agency to leak secret information about targeted adversaries to media organizations, a tactic that Russian spy services are believed to have utilized in the past.

The Yahoo News report notes that the presidential directive is seen as a major victory for the CIA in its long bureaucratic battle with the Department of Defense. The latter has traditionally been entrusted by the US government with carrying out offensive cyber operations. There are also questions about potential operational overlap between the CIA and the Pentagon, as the two actors may at times be attacking the same targets. This brings up the issue of inter-agency coordination between two bodies, which has not always been smooth in the past.

Yahoo News said it submitted “an extensive list of questions” to the CIA, but the agency declined to comment. The National Security Council, which oversaw the drafting of the alleged presidential finding, did not respond to questions stemming from the news report.

Author: Joseph Fitsanakis | Date: 16 July 2020 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , ,

US Department of Health computers targeted by hackers amidst COVID-19 crisis

March 17, 2020 by 4 Comments

Health and Human ServicesA cyberattack, coupled with a disinformation campaign, targeted the computer systems of the United States Department of Health and Human Services (HHS), in what officials believe was an effort to undermine America’s response to the coronavirus pandemic.

The cyberattack reportedly took place on Sunday night, when online administrators at HHS noticed an abnormal spike in requests to the department’s servers. The number of requests grew to several million within a few hours, according to Bloomberg News, which first reported the incident. A few hours later, a campaign of disinformation was launched against the HHS, along with text messages warning that martial law would be declared across the nation and a two-week curfew would be imposed by the Armed Forces.

The disinformation campaign prompted a tweet by the US National Security Council on Sunday. The tweet warned against “fake” text messages spreading unsubstantiated rumors. There was no elaboration about the content of these text messages. On Monday, the HHS acknowledged that its computer systems had come under attack the previous evening. However, it said that the hackers behind the attack had failed to compromise the integrity of the Department’s computer systems, and that no data had been stolen.

Later on Monday, the HHS said that it was still investigating what it described as “a significant increase in activity” on its computer infrastructure. But it added that its systems remained “fully operational” and that the functionality of its networks had suffered “no degradation”. An HHS spokesman said the Department had augmented its cybersecurity protections in light of the COVID-19 emergency. Consequently, it had suffered no loss of operational capacity or data as a result of the cyberattack.

Speaking at the White House on Monday, HHS Secretary Alex Azar said that the source of the cyberattack was under investigation and refused to speculate as to the identity of the culprit or culprits. However, Bloomberg said that some US government officials suspect that the attack “may have been the work of a foreign actor”. On March 13, the US news network NBC cited experts from several cybersecurity firms who warned that spy agencies around the world were sending out coronavirus information in an attempt to “hack and spy on their targets”.

Author: Joseph Fitsanakis | Date: 17 March 2020 | Research credit: M.S. | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , ,

Chinese cybersecurity firm accuses CIA of 11-year cyberespionage campaign

March 4, 2020 by 1 Comment

CIA headquartersA leading Chinese cybersecurity firm has accused the United States Central Intelligence Agency of using sophisticated malicious software to hack into computers belonging to the Chinese government and private sector for over a decade.

The accusation against the CIA comes from Qihoo 360, a prominent cybersecurity firm headquartered in Beijing. On Monday, company published a report of its investigation on its website, written in both Chinese and English. The report identifies the hackers as “the CIA Hacking Group (APT-C-39)”, and says that the group has carried out activities against “China’s critical industries” for at least 11 years.

The report claims that APT-C-39 targets included China’s energy and civilian aviation sectors, Internet service providers, scientific research universities and organizations, and various government agencies —which it does not name. The majority of the hacker group’s targets were located in Beijing, and also in China’s Zhejiang and Guangdong provinces.

According to Qihoo 360, APT-C-39 must be a “state-level hacking organization”, judging by the hacking tools that it used. These tools, such malware named by forensics experts as Grasshopper and Fluxwire, are believed to have been designed by the CIA. They were leaked in 2017 by the international whistleblower website WikiLeaks. American authorities have charged a former CIA programmer, Joshua Schulte, with leaking the malware. Schulte denies the charges.

The Qihoo 360 report also claims that the hours during which APT-C-39 hackers appear to be active correspond to the working hours of the East Coast of the United States. It also suggests that one goal behind the hacking operations against airline industry targets was to access the travel itineraries of senior figures in China’s political and industrial circles.

Author: Ian Allen | Date: 04 March 2020 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , , , , ,

United Nations targeted in sophisticated cyber-espionage operation

January 30, 2020 by 1 Comment

United Nations headquartersOne of the United Nations’ most sensitive computer systems was targeted in a highly sophisticated cyber-espionage operation that appears to have been sponsored by a state, according to a leaked study. The study was leaked to the media earlier this week, and was reported by the Associated Press on Wednesday.

According to the Associated Press report, hackers used IP addresses in Romania to stage a meticulously organized infiltration of dozens of United Nations computer servers. The servers that were compromised included those used by the Office of the United Nations High Commissioner for Human Rights (OHCHR), which collects sensitive personal data regarding human rights abuses by governments around the world. The OHCHR has regularly been the subject of verbal attacks by authoritarian governments around the world in recent years.

The identity of the hackers remains unclear, said the report. However, their degree of technical sophistication was so substantial that forensic investigators suspect that a state actor was behind the espionage operation, according to the Associated Press. The news agency relayed an email message it received from United Nations spokesman Rupert Colville, which claimed that the hackers did penetrate the OHCHR system but “did not get very far, [as] nothing confidential was compromised”.

But the above statement appears to contradict the leaked study, which suggests that the cyber-espionage operation against the United Nations resulted in a compromise of “core infrastructure components” that were “determined to be serious”. Among the accounts that were compromised by the hackers were those of some domain administrators, who have access to large segments of the United Nations’ computer networks. The Associated Press spoke to an anonymous United Nations official, who said that the attack was “sophisticated”, and that the organization’s computer systems were “reinforced” in the months following the incident.

Author: Joseph Fitsanakis | Date: 30 January 2020 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , ,

Massive data dump identifies users of influential far-right website

November 12, 2019 by 3 Comments

Atomwaffen DivisionA data dump of unprecedented scale includes usernames, IP addresses and even the content of thousands of private chat logs stolen from an influential neo-Nazi website that is now defunct. The data belonged to IronMarch, which was founded in 2011 by Alexander Mukhitdinov, a Russian far-right activist using the online nom-de-guerre “Slavros”. In the nearly six years of its existence, the website featured some of the most extreme and uncompromising far-right content on the World Wide Web.

The discussions that took place on IronMarch’s message boards are believed to have led to the creation of several far-right groups in Europe, Australia, and the United States. Among them is the notorious Atomwaffen Division (pictured), an American neo-Nazi group that focuses on street-fighting and is known to train its members in the use of military-grade weapons and guerilla warfare tactics. Another group that organized and recruited heavily through IronMarch was Vanguard America, one of the organizers of the Unite the Right rally in Charlottesville, Virginia in 2017.

But the website abruptly shut down its operations in late 2017. No explanation was given. Users of far-right online forums are used to experiencing such sudden changes in hosting platforms, which are due to legal challenges, intervention by law enforcement, etc. So they did what they always do in such cases: they migrated to other far-right platforms where they continued to discuss and organize. IronMach never resurfaced, so it was eventually forgotten.

Last Wednesday, however, a user calling themselves “antifa-data” uploaded what appears to be the entire metadata and chat log archive of IronMarch on the website of the Internet Archive. The content was later removed, but not before it was downloaded by thousands of Internet Archive users, among them government agencies. The data dump reportedly includes the usernames of IronMarch members, as well as the emails associated with their individual accounts. It also contains the IP addresses of IronMarch members and even the contents of private messages that they exchanged with other members.

Some investigative websites have since reported that numerous IronMarch users were associated with email accounts belonging to American universities. Others stated in private messages that they were members of the armed forces of several countries in Europe and the Americas. At least one user appears to have run for Congress in the United States. On Friday, the American website Military Times said that United States authorities were concerned that many of IronMarch’s members said they were serving in the US Armed Forces or expressed a desire to join a military branch. A spokesman for the US Marine Corps told the Military Times that there was “no place for racial hatred or extremism in the Marine Corps”.

Author: Joseph Fitsanakis | Date: 12 November 2019 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , , ,

Russian government cyber spies ‘hid behind Iranian hacker group’

October 22, 2019 by Leave a comment

Computer hackingRussian hackers hijacked an Iranian cyber espionage group and used its infrastructure to launch attacks, hoping that their victims would blame Iran, according to British and American intelligence officials. The information, released on Monday, concerns a Russian cyber espionage group termed “Turla” by European cyber security experts.

Turla is believed to operate under the command of Russia’s Federal Security Service (FSB), and has been linked to at least 30 attacks on industry and government facilities since 2017. Since February of 2018, Turla is believed to have successfully carried out cyber espionage operations in 20 different countries. Most of the group’s targets are located in the Middle East, but it has also been connected to cyber espionage operations in the United States and the United Kingdom.

On Monday, officials from Britain’s Government Communications Headquarters (GCHQ) and America’s National Security Agency (NSA) said Turla had hijacked the attack infrastructure of an Iranian cyber espionage group. The group has been named by cyber security researchers as Advanced Persistent Threat (APT) 34, and is thought to carry out operations under the direction of the Iranian government.

The officials said there was no evidence that APT34 was aware that some of its operations had been taken over by Turla. Instead, Russian hackers stealthily hijacked APT34’s command-and-control systems and used its resources —including computers, servers and malicious codes— to attack targets without APT34’s knowledge. They also accessed the computer systems of APT34’s prior targets. In doing so, Turla hackers masqueraded as APT34 operatives, thus resorting to a practice that is commonly referred to as ‘fourth party collection’, according to British and American officials.

The purpose of Monday’s announcement was to raise awareness about state-sponsored computer hacking among industry and government leaders, said the officials. They also wanted to demonstrate the complexity of cyber attack attribution in today’s computer security landscape. However, “we want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them”, said Paul Chichester, a senior GCHQ official.

Author: Joseph Fitsanakis | Date: 22 October 2019 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , , , , , ,

Iranian engineer recruited by Holland helped CIA and Mossad deliver Stuxnet virus

September 4, 2019 by 2 Comments

AIVD HollandAn Iranian engineer who was recruited by Dutch intelligence helped the United States and Israel infect computers used in Iran’s nuclear program with the Stuxnet cyber weapon, according to a new report. Discovered by researchers in 2010, Stuxnet is believed to have been designed with the aim of sabotaging the nuclear program of the Islamic Republic of Iran. The virus targeted the industrial computers —known as programmable logic controllers— that regulated mechanical and electronic hardware in Iranian nuclear installations. By compromising the software installed on these computers, Stuxnet manipulated the rotor speed of nuclear centrifuges at Iran’s Natanz Fuel Enrichment Plant. By increasing the centrifuges’ rotor speed to unmanageable levels, Stuxnet rendered many of these machines permanently inoperable.

Most observers agree that Stuxnet was a joint cyber sabotage program that was devised and executed by the United States and Israel, with crucial assistance from Germany and France. But now a new report from Yahoo News claims that the contribution of Dutch intelligence was central in the Stuxnet operation. Citing “four intelligence sources”, Yahoo News’ Kim Zetter and Huib Modderkolk said on Monday that Holland’s General Intelligence and Security Service (AIVD) was brought into the Stuxnet operation in 2004. In November of that year, a secret meeting took place in The Hague that involved representatives from the AIVD, the United States Central Intelligence Agency, and Israel’s Mossad.

It was known that the Islamic Republic’s nuclear weapons program was crucially assisted by A.Q. Khan, a Pakistani nuclear physicist and engineer. In 1996, Khan sold the Iranians designs and hardware for uranium enrichment, which were based on blueprints he had access to while working for a Dutch company in the 1970s. By 2004, when the Dutch were consulted by the CIA and the Mossad, the AIVD had already infiltrated Khan’s supply network in Europe and elsewhere, according to Yahoo News. It also had recruited an Iranian engineer who was able to apply for work in the Iranian nuclear program as a contractor. This individual was provided with proprietary cover, said Yahoo News, which included two “dummy compan[ies] with employees, customers and records showing a history of activity”. The goal of the AIVD, CIA and Mossad was to have at least one of these companies be hired to provide services at the Natanz nuclear facility.

That is precisely what happened, according to Yahoo News. By the summer of 2007, the AIVD mole was working as a mechanic inside Natanz. The information he provided to the AIVD helped the designers of Stuxnet configure the virus in accordance with the specifications of Natanz’s industrial computers and networks. Later that year, the AIVD mole was able to install the virus on Natanz’s air-gapped computer network using a USB flash drive. It is not clear whether he was able to install the virus himself or whether he was able to infect the personal computer of a fellow engineer, who then unwittingly infected the nuclear facility’s system. The Yahoo News article quotes an intelligence source as saying that “the Dutch mole was the most important way of getting the virus into Natanz”.

It is believed that, upon discovering Stuxnet, the Iranian government arrested and probably executed a number of personnel working at Natanz. The Yahoo News article confirms that there was “loss of life over the Stuxnet program”, but does not specify whether the AIVD mole was among those who were executed. The website said it contacted the CIA and the Mossad to inquire about the role of the AIVD in the Stuxnet operation, but received no response. The AIVD declined to discuss its alleged involvement in the operation.

Author: Joseph Fitsanakis | Date: 04 September 2019 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , , ,

Cyber spies accessed thousands of European Union diplomatic cables

December 20, 2018 by 1 Comment

European Commission buildingA group of hackers, allegedly working for the Chinese military, accessed thousands of classified diplomatic cables from the European Union during a protracted cyber-espionage operation, a report has revealed. Over 100 organizations are believed to have been targeted in the multi-year cyber-espionage campaign, including the United Nations, international labor groups, as well as government ministries from dozens of countries. The operation was revealed on Tuesday by Area 1, a cyber-security company founded by former officials of the United States National Security Agency, and reported by The New York Times.

The compromised cables come primarily from the European Union’s COREU communication network, a Telex-based network that uses teleprinters to exchange text-based messages. The European Union uses the COREU network to transmit information that is classified “limited” or “restricted” between officials representing the executive governments of the European Union’s member states, members of the European Commission, foreign-ministry officials, and other approved parties. Top-secret information (“tres secret” in European Union parlance) is typically not shared on the COREU network. Consequently, the hacked cables contain mostly low-level information. That does not mean, however, that their access by at least one adversary power does not represent a serious security breach. Area 1 said that its forensic examination of the method used by the hackers reveals a set of cyber-espionage techniques that are closely associated with the Chinese People’s Liberation Army (PLA). These clues, in association with the PLA’s long history of attacking Western diplomatic targets, point to Beijing as a very likely culprit behind the attacks, according to Area 1.

The American cyber-security firm said it was able to access the compromised European Union cables and made over 1,100 of them available to The New York Times. The paper reported on Tuesday that the cables reflect increasing tension between Brussels and Washington, as European Union diplomats attempt to get a handle on the unpredictability of United States President Donald Trump. A series of diplomatic cables discusses the whether the European Union should bypass the White House and work directly with the Republican-controlled US Congress, which is viewed as more reliable and responsible. Another set of diplomatic exchanges describes the frustration of the Beijing’s leadership with Trump, which Chinese President Xi Jinping is said to have described to European Union officials as “a bully [engaged in a] no-rules freestyle boxing match”.

The Times said that it notified the European Union of the breach of its diplomatic cables and was told that officials were “aware of allegations regarding a potential leak of sensitive information and [were] actively investigating the issue”. The paper also contacted the White House National Security Council but did not get a response.

Author: Ian Allen | Date: 20 December 2018 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , , , , ,

Russian spies ‘launched major cyber attack on Ukraine’ prior to naval incident

December 12, 2018 by 1 Comment

Strait of KerchRussia “paved the way” for last November’s seizure of Ukrainian Navy ships by launching a major cyber attack and disinformation campaign aimed at Ukraine, according to a cyber security firm and the European Union. In what has become known as the Kerch Strait incident of November 25, border service coast guard vessels belonging to the Russian Federal Security Service (FSB) opened fire on three Ukrainian Navy ships that were attempting to enter the Sea of Azov through the Kerch Strait. All three Ukrainian vessels, along with crews totaling 24 sailors, were captured by the Russian force and remain in detention. Ukraine condemned Russia’s action as an act of war and declared martial law in its eastern and southern provinces. But Moscow said the incident had been caused by a provocation by the Ukrainian government, in a desperate effort to increase its popularity at home. Meanwhile, the three Ukrainian ships and their crews remain in Russia.

But now a private cyber security firm has said that Moscow launched a series of cyber attacks on Ukrainian government servers, which were aimed at gathering intelligence that could be used for the ships’ capture. In a separate development, the European Union’s security commissioner has alleged that the Kremlin launched an elaborate “disinformation campaign” aiming to “soften up public opinion” before seizing the Ukrainian ships.

The American-based cyber security firm Stealthcare said this week that the cyber attacks were carried out by Carbanak and the Gamaredon Group, two hacker entities that are believed to be sponsored by the Russian intelligence services. The first wave of attacks, which occurred in October of this year, centered on a phishing campaign that targeted government agencies in Ukraine and other Eastern European countries. Victims of these attacks had “important functions” of their computers taken over by remote actors who stole and exfiltrated data, according to Stealthcare. Another attack installed back doors on computer servers belonging to Ukrainian government agencies in November, just days prior to the Kerch Strait crisis. The two attacks, said the company, provided the hackers with “information that would have been very […] relevant in planning” the November 25 naval crisis, said Stealthcare. The company added that there was “no doubt that this was a Kremlin-led reconnaissance effort to prepare for the Kerch Strait crisis”.

Meanwhile on Monday Julian King, a British diplomat who is currently the European Commissioner for the Security Union, said that Russia “paved the way for the Kerch Strait crisis” through a systematic fake news campaign that “lasted for more than a year”. The campaign, said King, included the use of social media to spread false rumors, such as claims that the Ukrainian government had infected the Black Sea with bacteria that cause cholera. Another report by Russian media allegedly claimed that Kiev had tried to secretly transport a nuclear device to Russian-annexed Crimea through the Kerch Strait. The EU security commissioner added that social media platforms and online search engines like Google had a responsibility “to identify and close down fake accounts that were spreading disinformation”.

Author: Joseph Fitsanakis | Date: 12 December 2018 | Research credit: D.V. | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , , , , , , ,

Britain sees Russian government hackers behind Islamic State cyber group

October 5, 2018 by Leave a comment

Cyber CaliphateA new report by the British government alleges that the so-called ‘Cyber Caliphate’, the online hacker wing of the Islamic State, is one of several supposedly non-state groups that are in fact operated by the Russian state. The group calling itself Cyber Caliphate first appeared in early 2014, purporting to operate as the online wing of the Islamic State of Iraq and Syria (ISIS), which was later renamed Islamic State. Today the Cyber Caliphate boasts a virtual army of hackers from dozens of countries, who are ostensibly operating as the online arm of the Islamic State. Their known activities include a strong and often concentrated social media presence, as well as computer hacking, primarily in the form of cyber espionage and cyber sabotage.

But an increasing number of reports, primarily by Western government agencies, have claimed in recent years that the Cyber Caliphate is in fact part of a Russian state-sponsored operation, ingeniously conceived to permit Moscow to hack Western targets without retaliation. On Wednesday, a new report by Britain’s National Cyber Security Centre (NCSC) described the Cyber Caliphate and other similar hacker groups as “flags of convenience” for the Kremlin. The report was authored by the NCSC in association with several British and European intelligence agencies. American spy agencies, including the National Security Agency and the Federal Bureau of Investigation, also helped compile the report, according to the NCSC. The report names several hacker groups that have been implicated in high-profile attacks in recent years, including Sofacy, Pawnstorm, Sednit, Cyber Berkut, Voodoo Bear, BlackEnergy Actors, Strontium, Tsar Team, and Sandworm. Each of these, claims the NCSC report, is “an alias of the Main Directorate of the General Staff of Russia’s Armed Forces”, more commonly known as the GRU. The report concludes that Cyber Caliphate is the same hacker group as APT 28, Fancy Bear, and Pawn Storm, three cyber espionage outfits that are believed to be online arms of the GRU.

The NCSC report echoes the conclusion of a German government report that was leaked to the media in June of 2016, which argued that the Cyber Caliphate was a fictitious front group created by Russia. In 2015, a security report by the US State Department concluded that despite the Cyber Caliphate’s proclamations of connections to the Islamic State, there were “no indications —technical or otherwise— that the groups are tied”. In a statement issued alongside the NCSC report on Wednesday, Britain’s Secretary of State for Foreign and Commonwealth Affairs, Jeremy Hunt, described the GRU as Moscow’s “chosen clandestine weapon in pursuing its geopolitical goals”. The Russian government has denied these allegations.

Author: Ian Allen | Date: 05 October 2018 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , , , , , , ,

Western spy agencies thwarted alleged Russian plot to hack Swiss chemical lab

September 17, 2018 by Leave a comment

OPCW HagueWestern intelligence agencies thwarted a plot involving two Russians intending to travel to a Swiss government laboratory that investigates nuclear, biological and chemical weapons, and hack its computer systems. According to two separate reports by Dutch newspaper NRC Handelsblad and Swiss newspaper Tages-Anzeiger, the two were apprehended in The Hague in early 2018. The reports also said that the Russians were found in possession of equipment that could be used to compromise computer networks. They are believed to work for the Main Intelligence Directorate, known as GRU, Russia’s foremost military intelligence agency. The apprehension was the result of cooperation between various European intelligence services, reportedly including the Dutch Military Intelligence and Security Organization (MIVD).

The laboratory, located in the western Swiss city of Spiez, has been commissioned by the Netherlands-based Organization for the Prohibition of Chemical Weapons (OPCW) to carry out investigations related to the poisoning of Russian double agent Sergei Skripal and his daughter Yulia in March of this year. It has also carried out probes on the alleged use of chemical weapons by the Russian-backed government of President Bashar al-Assad in Syria. In the case of the Skripals, the laboratory said it was able to duplicate findings made earlier by a British laboratory.

Switzerland’s Federal Intelligence Service (NDB) reportedly confirmed the arrest and subsequent expulsion of the two Russians. The Swiss agency said it “cooperated actively with Dutch and British partners” and thus “contributed to preventing illegal actions against a sensitive Swiss infrastructure”. The office of the Public Prosecutor in the Swiss capital Bern said that the two Russians had been the subject of a criminal investigation that began as early as March 2017. They were allegedly suspected of hacking the computer network of the regional office of the World Anti-Doping Agency in Lausanne. The Spiez laboratory was a target of hacking attempts earlier this year, according to a laboratory spokesperson. “We defended ourselves against that. No data was lost”, the spokesperson stated.

On April 14, Russian Minister of Foreign Affairs Sergei Lavrov stated that he had obtained the confidential Spiez lab report about the Skripal case “from a confidential source”. That report confirmed earlier findings made by a British laboratory. But the OPCW, of which Russia is a member, states that its protocols do not involve dissemination of scientific reports to OPCW member states. Hence, the question is how Foreign Minister Lavrov got hold of the document.

As intelNews reported in March, in the aftermath of the Skripals’ poisoning the Dutch government expelled two employees of the Russian embassy in The Hague. In a letter [.pdf] sent to the Dutch parliament on March 26 —the day when a large number of countries announced punitive measures against Russia— Holland’s foreign and internal affairs ministers stated that they had decided to expel the two Russian diplomats “in close consultation with allies and partners”. The Russians were ordered to leave the Netherlands within two weeks. It is unknown whether the two expelled Russian diplomats are the same two who were apprehended in The Hague, since none have been publicly named.

A November 2017 parliamentary letter from Dutch minister of internal affairs Kajsa Ollongren, states[4] that Russian intelligence officers are “structurally present” in the Netherlands in various sectors of society to covertly collect intelligence. The letter added that, in addition to traditional human intelligence (HUMINT) methods, Russia deploys digital means to influence decision-making processes and public opinion in Holland.

Author: Matthijs Koot | Date: 17 September 2018 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , , , ,

Older posts