France’s ex-cyber spy chief speaks candidly about hacking operations

Bernard BarbierThe former director of France’s cyber spy agency has spoken candidly about the recent activities and current state of French cyber espionage, admitting for the first time that France engages in offensive cyber operations. Between 2006 and 2013, Bernard Barbier was director of the technical division of the General Directorate for External Security, France’s external intelligence agency, which is commonly known as DGSE. During his tenure at DGSE, the organization’s technical division witnessed unprecedented financial and administrative growth. Today it is said to employ over 2500 people, nearly half of DGSE’s total personnel.

Earlier this month, Barbier was interviewed on stage during a symposium held by the CentraleSupélec, a top French engineering university based in Paris. He spoke with surprising candor about France’s cyber espionage operations. In the first part of his interview, which can be watched on YouTube, he recounted the history of what he described as “France’s cyber army”. He said that France began to build “teams of hackers” in 1992. Around that time, the DGSE purchased an American-built Cray supercomputer, said Barbier, and soon discovered that it could use the machine’s immense computing power to break passwords. More recently, said the former cyber spy chief, the DGSE has been trying to “catch up” with its American and British counterparts, the National Security Agency and the Government Communications Headquarters, by increasing its annual budget to over half a billion and hiring hundreds of young hackers. Many of these new employees have little to no university education, said Barbier, and are instead self-taught, having started hacking in their teenage years.

Like most governments, France will not officially admit to conducting offensive cyber operations using computer hacking and other techniques. But Barbier said during his interview that France was behind an offensive cyber operation that targeted Iran in 2009. He added that the DGSE has also directed cyber operations against Canada, Ivory Coast, Algeria, Norway, as well as its European Union partners Spain and Greece. He also complained that French government executives do not understand the importance of cyber operations and are not aiming high enough when it comes to planning, direction and hiring. The DGSE’s technical division still needs between 200 and 300 more staff members, Barbier argued in his interview.

Author: Joseph Fitsanakis | Date: 16 September 2016 | Permalink

FBI arrests two more members of hacker group that targeted CIA director

Computer hackingTwo more members of a computer hacker group that targeted senior United States intelligence officials, including the director of the Central Intelligence Agency, have been arrested by the Federal Bureau of Investigation. The arrests of Justin Liverman, 24, and Andrew Boggs, 22, took place on Thursday in Morehead City and North Wilkesboro, in the US state of North Carolina. They are accused by the FBI of being members of Crackas With Attitude (CWA) an international group of computer hackers that specialized in targeting American intelligence and law enforcement officials.

Last October, the international whistleblower website WikiLeaks published personal emails and documents belonging to CIA Director John Brennan. The documents included a 47-page application for security clearance that Brennan had submitted to the US government a few years earlier. It was apparently found on his personal America Online (AOL) email account, which had been hacked by the CWA hacker group. Members of the group, who are all in their late teens or early 20s, routinely employed a method known as ‘social engineering’ to gain access to their victims’ information. The method refers to impersonating technicians or other service provider company personnel to gain access to private email or telephone accounts.

CWA members used these techniques to target dozens of senior US government officials from October 2015 until February 2016. Their targets included the Director of National Intelligence James Clapper and the Deputy Director of the FBI, Mark Giuliano. The hackers also gained access to electronic databases belonging to the US Department of Justice, from where they obtained the names, personal telephone numbers and home addresses of nearly 30,000 employees of the FBI and the Department of Homeland Security. That information was eventually published online by the hacker group.

In February, a 16-year-old hacker known as ‘Cracka’, who is the purported ringleader of CWA, and whose name cannot be released due to his young age, was arrested in the East Midlands region of Britain. It is believed that information on the teenager’s electronic devices eventually led the FBI to the capture of Liverman and Boggs. The two men have been charged with computer crime and are expected to appear in court in the US state of Virginia next week.

Author: Joseph Fitsanakis | Date: 09 September 2016 | Permalink

Sophisticated spy malware found on Russian government computers

FSB - IAAccording to the predominant media narrative, the United States is constantly defending itself against cyber-attacks from countries like China and Russia. But, as intelNews has argued for years, this narrative is misleading. Recent intelligence disclosures clearly show that the US cyber-security posture is as offensive as that of its major adversaries. Additionally, China and Russia have to defend their computer networks as much as America does. Last weekend’s report from Moscow helps restore some of the balance that is missing from media reporting on cyber-security. According to the Russian Federal Security Service (FSB), a meticulously coded and sophisticated virus has been found on the computer networks of at least 20 major Russian agencies and organizations. The targets appear to have been carefully selected by the malware’s authors. They include government bodies, weapons laboratories and defense contractors located throughout Russia.

The FSB said that once installed, the virus gave its handler control of the infected computer system. It permitted an outside hacker to turn on a computer’s microphone or camera, and capture screenshots. It also stealthily installed keylogging software, thus allowing an outside party to monitor keyboard strokes on an infected system. Based on its functions, the malicious software seems to be designed to conduct deep surveillance on infected computers and their physical surroundings. The FSB would not attribute the malware to a specific hacking group or nation. But it said it believed that the malware attack was “coordinated”, “planned and planned professionally”. It also said that the coding of the virus “required considerable expertise”. In a brief statement released Saturday, the FSB said that aspects of the coding of the virus, as well as other identifying information, resembled those detected in preceding hacking attacks on computer servers in Russia and other countries. The statement did not elaborate, however.

The news about hacked Russian computers comes less than two weeks after it was claimed that Russian government-backed hackers stole electronic data belonging to the Democratic National Convention (DNC) in the United States. The Democratic Party’s presidential candidate, Hillary Clinton, publicly accused the Russian government of orchestrating the hacking of the DNC computer systems in an attempt to damage her campaign.

Author: Ian Allen | Date: 01 August 2016 | Permalink

Islamic State’s online army is a Russian front, says German intelligence

Cyber CaliphateA German intelligence report alleges that the so-called ‘Cyber Caliphate’, the online hacker wing of the Islamic State, is in fact a Russian front, ingeniously conceived to permit Moscow to hack Western targets without retaliation. The group calling itself Cyber Caliphate first appeared in early 2014, purporting to operate as the online wing of the Islamic State of Iraq and Syria (ISIS), later renamed Islamic State. Today the Cyber Caliphate boasts a virtual army of hackers from dozens of countries, who are ostensibly operating as the online arm of the Islamic State. Their known activities include a strong and often concentrated social media presence, and computer hacking, primarily in the form of cyber espionage and cyber sabotage.

Since its inception, the Cyber Caliphate has claimed responsibility for hacking a number of European government agencies and private media outlets. Its targets include the BBC and French television channel TV5 Monde, which was severely impacted by cyber sabotage in April of 2015. The Cyber Caliphate said it was also behind attacks on the servers of the United States Federal Bureau of Investigation, the Department of Defense, and the website of the Pentagon’s US Central Command. The US has since retaliated, both with cyber attacks and physical strikes. One such strike resulted in the killing of Junaid Hussain, a British hacker of Pakistani background, who was said to be among the Cyber Caliphate’s senior commanders. Hussain, 21, was reportedly killed in August 2015 in Raqqa, the Islamic State’s de facto capital in Syria, reportedly after clicking on a compromised link in an email, which gave away his physical whereabouts.

Now, however, a German intelligence report claims that the Cyber Caliphate is not associated with the Islamic State, but is rather a fictitious front group created by Russia. According to German newsmagazine Der Spiegel, which said it had seen the classified report, German authorities suggest that the Cyber Caliphate is in fact a project of APT28 (also known as ‘Pawn Storm’), a notorious Russian hacking collective with close ties to Russian intelligence. The German intelligence report echoes previous assessments by French authorities, which in 2015 stated that the TV5 Monde cyber attack was a false flag operation orchestrated by APT28. Also in 2015, a security report by the US State Department concluded that despite the Cyber Caliphate’s proclamations of connections to the Islamic State, there were “no indications —technical or otherwise— that the groups are tied”.

Author: Ian Allen | Date: 20 June 2016 | Permalink

German nuclear power plant found to be infected with computer viruses

Gundremmingen nuclear power plantThe computers of a nuclear power plant in southern Germany have been found to be infected with computer viruses that are designed to steal files and provide attackers with remote control of the system. The power plant, known as Gundremmingen, is located in Germany’s southern district of Günzburg, about 75 miles northwest of the city of Munich. The facility is owned and operated by RWE AG, Germany’s second-largest electricity producer, which is based in Essen, North Rhine-Westphalia. The company provides energy to over 30 million customers throughout Europe.

On Tuesday, a RWE AG spokesperson said cybersecurity experts had discovered a number of computer viruses in a part of the operating system that determines the position of nuclear rods in the power plant. The software on the system was installed in 2008 and has been designed specifically for this task, said the company. The viruses found on it include two programs known as “Conficker” and “W32.Ramnit”. Both are responsible for infecting millions of computers around the world, which run on the Microsoft Windows operating system. The malware seem to be specifically designed to target Microsoft Windows and tend to infect computer systems through the use of memory sticks. Once they infect a computer, they siphon stored files and give attackers remote access to the system when the latter is connected to the Internet. According to RWE AG, viruses were also found on nearly 20 removable data drives, including memory sticks, which were in use by employees at the power plant. However, these data drives were allegedly not connected to the plant’s main operating system.

RWE AG spokespersons insisted this week that “Conficker”, “W32.Ramnit”, and other such malware, did not pose a threat to the nuclear power plant’s computer systems, because the facility is not connected to the Internet. Consequently, it would be impossible for an attacker associated with the viruses to acquire remote access to Gundremmingen’s computer systems. The company did not clarify whether it believed that the viruses had specifically targeted at the power plant. But they insisted that cyber security measures had been strengthened following the discovery of the malware, and said that they had notified Germany’s Federal Office for Information Security (BSI), which is now looking into the incident.

Author: Ian Allen | Date: 29 April 2016 | Permalink

America’s most senior intelligence official has his phone, email hacked

James ClapperA member of a hacker group that took responsibility for breaking into the personal email account of the director of the Central Intelligence Agency last year has now hacked the email of the most senior intelligence official in the United States. In October 2015, the hacker group referred to by its members as “Crackas With Attitude” —CWA for short— claimed it was behind the hacking of an AOL personal email account belonging to John Brennan, who heads the CIA. Less than a month later, the CWA assumed responsibility for breaking into an online portal used by US law enforcement to read arrest records and share sensitive information about crimes involving shootings. Shortly after the second CWA hack, the Federal Bureau of Investigation issued an alert to all government employees advising them to change their passwords and be cautious about suspicious emails and other phishing attempts.

On Monday, an alleged member of CWA contacted Motherboard, an online media outlet belonging to Vice Media, and alleged that the group had managed to hack into the personal email account of James Clapper, Director of National Intelligence (DNI). Clapper’s job is to help synchronize the operations of US intelligence agencies and to mediate between the US Intelligence Community and the Executive. According to CWA, clapper’s personal telephone and Internet service had also been compromised, as had his spouse’s personal email, which is hosted by Yahoo! services. The alleged CWA member told Motherboard that the forwarding settings of Clapper’s home telephone had been changed. As a result, calls made to the DNI were being forwarded to the headquarters of the Free Palestine Movement in California. Shortly afterwards, Free Palestine Movement executives confirmed that they had received a number of phone calls for Clapper. Last year, when they hacked the email of the director of the CIA, the CWA dedicated their action to the Free Palestine Movement.

Motherboard said that a spokesman at the Office of the DNI, Brian Hale, confirmed that Clapper’s personal email and telephone service had indeed been hacked. He told Motherboard’s Lorenzo Franceschi-Bicchierai that Office of the DNI was “aware of the matter” and had “reported it to the appropriate authorities”. The FBI was contacted as well but did not respond.

Author: Ian Allen | Date: 14 January 2016 | Permalink

Security firm says it shut down extensive Iranian cyber spy program

IRGC IranA security firm with headquarters in Israel and the United States says it detected and neutralized an extensive cyber espionage program with direct ties to the government of Iran. The firm, called Check Point Software, which has offices in Tel Aviv and California, says it dubbed the cyber espionage program ROCKET KITTEN. In a media statement published on its website on Monday, Check Point claims that the hacker group maintained a high-profile target list of 1,600 individuals. The list reportedly includes members of the Saudi royal family and government, American and European officials, North Atlantic Treaty Organization officers and nuclear scientists working for the government of Israel. The list is said to include even the names of spouses of senior military officials from numerous nations.

News agency Reuters quoted Check Point Software’s research group manager Shahar Tal, who said that his team was able to compromise the ROCKET KITTEN databases and acquire the list of espionage targets maintained by the group. Most targets were from Saudi Arabia, Israel, and the United States, he said, although countries like Turkey and Venezuela were also on the list. Tal told Reuters that the hackers had compromised servers in the United Kingdom, Germany and the Netherlands, and that they were using these and other facilities in Europe to launch attacks on their unsuspecting targets. According to Check Point, the hacker group was under the command of Iran’s Revolutionary Guards Corps, a branch of the Iranian military that is ideologically committed to the defense of the 1979 Islamic Revolution.

Reuters said it contacted the US Federal Bureau of Investigation and Europol, but that both agencies refused comment, as did the Iranian Ministry of Foreign Affairs. However, an unnamed official representing the Shin Bet, Israel’s domestic security agency, said that ROCKET KITTEN “is familiar to us and is being attended to”. The official declined to provide further details. Meanwhile, Check Point said it would issue a detailed report on the subject late on Monday.

Author: Joseph Fitsanakis | Date: 10 November 2015 | Permalink