Iranian state-backed cyber spies becoming increasingly skilled, says report

A group of cyber spies with close links to the Iranian government is becoming increasingly competent and adept, and could soon bring down entire computer networks, according to a leading cyber security firm. The California-based cyber security company FireEye said that it has been monitoring the operations of the mysterious group of cyber spies since 2013. The company, whose clients include Sony Pictures, JP Morgan Chase and Target, said that the Iranian group appears to be especially interested in gathering secrets from aviation, aerospace and petrochemical companies.

In a detailed report published on Wednesday, FireEye said that the Iranian group has a very narrow target focus. Moreover, it attacks its targets — which are typically companies — in highly customized ways. This includes the use of cleverly designed phishing lures, built to attract the attention of a company’s unsuspecting employees. So far, companies that have been targeted include Saudi petrochemical conglomerates, American aviation firms, as well as South Korean and other Southeast Asian companies that have aviation or energy holdings, said FireEye. The security company said it had codenamed the group “APT33”, which stands for “Advanced Persistent Threat #33”. It also said that APT33 was clearly distinct from other known Iranian hacker groups, because of the sophistication of its operations and the quality of its cyber weapons. The cyber security firm said that APT33 was the first Iranian hacker group to be included on a select list of the most capable cyber spy groups from around the world.

Some experts believe that APT33 is run by Iran’s Revolutionary Guard Corps, an irregular branch of the Iranian military, which is seen by many as a state within a state in post-1979 Iran. The FireEye report does not appear conclusive on this point. However, it notes that APT33 has built an offensive cyber arsenal “with potential destructive capabilities”, but that it currently appears to focus solely on intelligence collection, not sabotage or warfare.

Author: Joseph Fitsanakis | Date: 21 September 2017


Russia jailed senior intelligence officers for helping CIA nab notorious hackers

Two senior officers in the Russian intelligence services were charged with treason after they were found to have helped the United States catch two notorious Russian hackers, according to reports in the Russian media. Sergey Mikhailov was a career officer in the Federal Security Service — a descendant of the domestic section of the Soviet-era KGB — which is often referred to as Russia’s equivalent of the United States Federal Bureau of Investigation. Mikhailov had risen through the ranks of the FSB to eventually head the agency’s Center for Information Security. Known in Russia as CIB, the Center is tasked with investigating electronic crime in the Russian Federation.

But in December 2016, Mikhailov and one of his trusted deputies in the CIB, Dmitry Dokuchaev, were suddenly removed from their posts and arrested. The arrests marked some of the highest-profile detentions of intelligence officers in Russia since the demise of the Soviet Union. Russian authorities refused to reveal the reasons for the arrests, but confirmed that the two men had been charged with treason. Reports soon surfaced in the Russian media, claiming that Mikhailov and Dokuchaev were arrested for their involvement in a Russian criminal hacker gang. Some Western media, including The New York Times, speculated that the two men may have been arrested for helping US intelligence investigate Russian interference in the 2016 US presidential election.

But now a new report alleges that Mikhailov and Dokuchaev were charged with treason after helping the US Central Intelligence Agency catch two prolific Russian hackers. The report was aired on Russian television station TV Dozhd, also known as TV Rain, a privately owned channel based in Moscow, which broadcasts in Russia and several other former Soviet Republics. One of the hackers, Roman Seleznev, known in hacker circles as Track2, reached worldwide notoriety for defrauding major credit card companies of tens of millions of dollars. He was arrested in 2014 in the South Asian island country of Maldives and eventually extradited to the US to stand trial. He was sentenced to 27 years in prison, which he is currently serving. The other hacker, Yevgeniy Nikulin, was arrested in the Czech Republic in 2016, pursuant to a US-issued international arrest warrant. He is now awaiting extradition to the US, where he is expected to be tried for hacking several high-profile companies, including DropBox and LinkedIn.

TV Dozhd said that Russian authorities also suspect the men of being members of hacker gangs, but that their main charges relate to their close cooperation with American intelligence agencies, reportedly in exchange for cash.

Author: Joseph Fitsanakis | Date: 25 August 2017

North Korean state now uses cyber attacks to steal cash, says report

North Korea’s intelligence establishment has shifted its attention from spying for political gain to spying for commercial advantage, primarily to secure funds for the cash-strapped country, according to a new report. Since the 1990s, the Democratic People’s Republic of Korea (DPRK) has used computer hacking in order to steal political and military secrets from its rivals. But there is increasing evidence that Pyongyang is now deploying armies of computer hackers in order to steal cash from foreign financial institutions and internet-based firms. This is the conclusion of a new report by the Financial Security Institute of South Korea, an agency that was set up by Seoul to safeguard the stability of the country’s financial sector.

The report, published last week, analyzed patterns of cyber attacks against South Korean state-owned and private financial institutions that took place between 2015 and 2017. It identified two separate computer hacking groups, which it named Lazarus and Andariel. According to the report, both groups’ activities, which are complementary, appear to be directed by the government of North Korea. An analysis of the groups’ targets suggests that Pyongyang has been directing its computer spies to find ways to secure hard currency for use by the government. Foreign currency has been increasingly hard to come by in North Korea in recent years, due to a host of international sanctions that were imposed on the country as a form of pressure against its nuclear weapons program.

Several cyber security experts and firms have claimed in recent months that North Korea has been behind recent cyber attacks against international banking institutions. The DPRK has also been blamed for a 2014 attack against the Hollywood studios of the Japanese multinational conglomerate Sony. Regular readers of intelNews will recall our story in March of this year about comments made on the subject of North Korea by Rick Ledgett, a 30-year veteran of the United States National Security Agency. Speaking at a public event hosted by the Aspen Institute in Washington, Ledgett expressed certainty that the government of North Korea was behind an attempt to steal nearly $1 billion from Bangladesh Bank — the state-owned central bank of Bangladesh — in 2016. The bank eventually recovered most of the money, which had been moved through transactions using the SWIFT network. But the hackers managed to get away with approximately $81 million.

More recently, cyber security experts have claimed that the government of North Korea has been behind attempts to hack into automated teller machines, as well as behind efforts to steal cash from online gambling sites. In April of this year, the Russian-based cyber security firm Kaspersky Lab identified a third North Korean hacker group, which it named Bluenoroff. The Russian experts said Bluenoroff directed the majority of its attacks against foreign financial firms. There are rumors that Pyongyang was behind the wave of WannaCry ransomware attacks that infected hundreds of thousands of computers in over 150 countries in May. But no concrete evidence of North Korean complicity in the attacks has been presented.

Author: Joseph Fitsanakis | Date: 31 July 2017

US spies confirm Qatar’s claims that its media were hacked by Emirates to spark crisis

American officials appear to confirm Qatar’s allegations that its news media were hacked by its Gulf adversaries, who then used the fake news posted by hackers to launch a massive campaign against it. Tensions between Qatar and other Muslim countries have risen since late May, when the country’s state-controlled news agency appeared to publish an incendiary interview with Qatar’s Emir, Sheikh Tamim Bin Hamad al-Thani. In the interview, which appeared on May 24, the sheikh appeared to praise Saudi regional rival Iran as a “great Islamic power” and to express support for the militant Palestinian group Hamas. On the following day, the United Arab Emirates, Egypt and Bahrain immediately banned all Qatari media — primarily Al Jazeera — from broadcasting in their territories and broke diplomatic relations with Doha. Later on, they declared a large-scale commercial embargo against the small oil kingdom. They have since threatened war unless Qatar changes its alleged support for Iran and for a number of militant groups in the region.

The Qatari government has dismissed the embargo as unjust and has claimed that Sheikh al-Thani’s controversial interview was fake, and was placed on the country’s state-owned news agency and social media as a result of a computer hack. It has also claimed to have evidence of a number of iPhones that were used from locations in Saudi Arabia and the Emirates to launch the hacks on its networks. Qatari officials have also said that an investigation into the incident is underway, but their claims have been criticized as outlandish by Qatar’s regional rivals.

Now, however, a report by The Washington Post claims that American officials have uncovered evidence that Qatar’s allegations of a computer hack are true. The paper cited “US intelligence and other officials” who spoke “on the condition of anonymity”. The officials said that US intelligence agencies recently became aware of a meeting of senior UAE state administrators that took place on May 23 in Abu Dhabi. At the meeting, the officials discussed a plan to hack Qatari news websites and social media, in order to post incendiary messages that could be used to spark a row between Qatar, the Saudi government and its allies. The alleged computer hack is reported to have taken place on the following day. According to The Post, the only thing that US intelligence is unsure about is “whether the UAE carried out the hacks itself or contracted to have them done” by a third party.

The Post said that several US intelligence agencies, including the Central Intelligence Agency and the Federal Bureau of Investigation, refused to comment on its report. The paper received a response from the UAE embassy in Washington, DC, which said that the Emirates had “no role whatsoever in the alleged hacking described in the article”.

Author: Joseph Fitsanakis | Date: 18 July 2017

New clues emerge about targeted efforts by Russia to hack US elections

New information about carefully targeted attempts by Russian operatives to compromise the November 2016 presidential elections in the United States has emerged in a newly published intelligence document. The document, which dates from May of this year, was produced by the US National Security Agency and published on June 5 by The Intercept. The web-based outlet published the leaked document on the same day that Reality Leigh Winner, a US federal contractor with a top-secret security clearance, was charged with espionage for leaking classified documents to the media. This has led to speculation that Winner may be the source of the leak.

The NSA document details attempts by hackers to compromise the online accounts of over 100 election officials, as well as employees of private contractors involved in administering the election process. The attempts reportedly took place during the period leading up to November 8, 2016. To do that, the hackers resorted to a technique commonly known as ‘spear-phishing’. They sent carefully crafted emails, claiming to be from Google, to specifically targeted individuals. The goal was to trick the email recipients into downloading and opening Microsoft Word attachments, which were infected with malware. The malware would then allow the hackers to remotely access the compromised computers. The NSA document states that at least one targeted person had his or her computer compromised through the ‘spear-phishing’ technique. Importantly, the leaked document appears unequivocal in its assessment that the hackers behind the ‘spear-phishing’ attacks worked for the General Staff Main Intelligence Directorate (GRU) of the Russian armed forces. The document also states that the main goal of the attacks was to compromise the software used to manage voter registration lists, and that the attackers were operating under a “cyber espionage mandate specifically directed at US and foreign elections”.

American intelligence officials have previously said that Russian spies launched a complex and prolonged campaign to undermine public faith in the US electoral process. It is also known that the Russian campaign targeted election officials in the months leading up to the November 2016 elections. But the NSA report is the first publicly available description of some of the specific techniques employed by the alleged Russian hackers as part of their campaign. The leaked document does not provide technical details about the ‘spear-phishing’ campaign. Nor does it discuss whether the attacks were successful, whether vote tallies were actually compromised, or whether the election process itself was sabotaged by the hackers. The Intercept said it contacted the NSA and the Office of the Director of National Intelligence, both of which declined to publicly comment on the content of the NSA report.

Author: Joseph Fitsanakis | Date: 09 June 2017

Same hacker group is targeting French and German elections, says report

The same group of cyber-spies that attacked the campaign of French presidential candidate Emmanuel Macron is now attacking German institutions that are connected to the country’s ruling coalition parties, according to a report by a leading cyber-security firm. The Tokyo-based security software company Trend Micro published a 41-page report on Tuesday, in which it tracks and traces the attacks against French and German political targets over the past two years. The report, entitled From Espionage to Cyber Propaganda: Pawn Storm’s Activities over the Past Two Years, concludes that the hackers are seeking to influence the results of the national elections in the European Union’s two most powerful nations, France and Germany.

The Trend Micro report focuses on a mysterious group that cyber-security experts have dubbed Pawn Storm — otherwise known as Sednit, Fancy Bear, APT28, Sofacy, and STRONTIUM. It says that the group has launched an aggressive phishing campaign against German political institutions, which has intensified in the past two months. The group allegedly set up fake computer servers in Germany and Ukraine, and used them to try to infiltrate the computer networks of two elite German think-tanks, the Konrad Adenauer Foundation (KAF) and the Friedrich Ebert Foundation (FEF). The KAF is connected with the Christian Democratic Union party, which is led by Germany’s Chancellor, Angela Merkel. The FEF has strong ties with the centrist Social Democratic Party, which is part of Germany’s governing alliance.

The report’s leading author, cyber-security expert Feike Hacquebord, told the Reuters news agency that the hackers were possibly seeking to infiltrate the two think-tanks as a means of gaining access to the two political parties that are connected with them. Some cyber-security experts in Europe and the United States have said that the Russian Main Intelligence Directorate, the country’s military intelligence agency, known as GRU, is behind the cyber-attacks on France, Germany and the United States. But the Trend Micro report did not attempt to place blame on Moscow or any other country for the cyber-attacks. The Kremlin has denied involvement with the alleged hacking operations.

Author: Ian Allen | Date: 26 April 2017

New report details one of history’s “largest ever” cyber espionage operations

A new report authored by a consortium of government and private organizations in Britain has revealed the existence of a computer hacking operation, allegedly based in China, that is said to be “one of the largest ever” such campaigns globally. The operation is believed to have compromised sensitive information from an inestimable number of private companies in Southeast Asia, Europe and the United States. The report was produced by a consortium of public and private organizations, including BAE Systems and the London-based National Cyber Security Centre, an office of the United Kingdom’s signals intelligence agency, the Government Communications Headquarters. It details the outcome of Operation CLOUD HOPPER, which was launched to uncover the cyber espionage activities.

According to the report, the attacks were first launched several years ago against targets in Japan’s government and private sector. But after 2016, they spread to at least 14 other countries, including France, the United Kingdom and the United States. It is claimed that the attacks are “highly likely” to originate from China, given that the targets selected appear to be “closely aligned with strategic Chinese interests”. The authors of the report have named the hacker group APT10, but provide limited information about its possible links — or lack thereof — with the Chinese government.

The report claims that APT10 uses specially designed malware that is customized for most of its targets, thus constituting what experts describe as “spear phishing”. Past successful attacks have already resulted in an “unprecedented web of victims” who have had their information compromised, say the authors. The victims’ losses range from intellectual property to personal data. One of the report’s authors, Dr. Adrian Nish, who is head of threat intelligence at BAE Systems, told the BBC that it is currently impossible to estimate the number of organizations and agencies that have been impacted by APT10’s activities.

Author: Ian Allen | Date: 05 April 2017