Despite expectations, a cyber-blitz has not occurred in Ukraine. Experts explain why

July 1, 2022 by 1 Comment

Russian invasion of Ukraine IN THE OPENING STAGES of the Russian invasion of Ukraine, there was a widespread expectation among security experts that the world would witness a new chapter in the history of cyber-warfare: something akin to carpet-bombing in cyberspace. These fears, however, have not materialized. Although cyber-attacks have occurred on both sides, their scale has remained markedly modest. Consequently, their effect has been limited and has had no traceable strategic impact on the conflict.

Why is that? According to two experts, Nadiya Kostyuk, assistant professor at Georgia Tech’s School of Cybersecurity and Privacy, and Aaron Brantly, assistant professor and director of Virginia Tech’s Tech4Humanity Lab, the reasons partly relate to how nation-states form cyber-alliances, as well as to Russia’s overall approach to this war. The two experts attempt to forensically analyze this topic in their article entitled “War in the Borderland Through Cyberspace: Limits of Defending Ukraine Through Interstate Cooperation”, which was published on June 29 in Contemporary Security Policy.

Does the Improved Cyber-Defense Argument Stand to Reason?

In their article, Kostyuk and Brantly systematically scrutinize a number of reasons that other experts have proposed to explain the absence of a major cyber-war campaign by Russia. Among them is the view that Ukraine significantly improved its cyber-defenses after 2015, when it began collaborating closely with Western countries —notably the United States and the United Kingdom. Specially designated “cyber-warfare teams” from these countries have been helping Ukraine in tasks ranging from “the synchronization of [its] cyber-related legislation” with Western standards, as well as aligning them with NATO standards, so that Ukrainian cyber-warfare units can make use of advanced technologies and systems. Could it be, therefore, that Ukraine has improved its cyber-security posture enough to be able to defend itself against relentless Russian cyber-attacks?

That is unlikely, say the authors, given that “Ukraine’s cyber capabilities are still organizationally and operationally under- developed” in comparison to Russia’s. That is exacerbated by the endemic corruption and clientelism (the creation of patronage networks) in Ukraine, as well as by the bitter in-fighting between government agencies —notably the Ministry of Defense and the Security Service of Ukraine. It should not go without notice, Kostyuk and Brantly note, that the Ukrainian government sought frantically to develop a “volunteer cyber-army” on an ad hoc basis to defend the nation in the first days of the Russian invasion. That did not exactly instill trust in the country’s level of preparation to withstand a cyber-campaign by Moscow. Read more of this post

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , , , , , ,

Newly discovered cyber-espionage group spies for money using state-actor methods

May 4, 2022 by 1 Comment

Computer hackingA NEWLY DISCOVERED CYBER-espionage group appears to target the senior leadership of private corporations involved in large-scale financial transactions, but employs skills and methods that are usually associated with state-sponsored threat actors. The group has been termed “UNC3524” by the American cybersecurity firm Mandiant, which says it discovered it in December of 2019. In a detailed blog post published earlier this week, a team of cyber-security researchers at Mandiant say they have been studying the group for over two years, and have been surprised by their findings.

Given its targets, as well as the information it goes after, there is little doubt that UNC3524 is interested in financial gain. However, its operational profile differs markedly from those of other financially oriented hacker groups, according to Mandiant. Its sophisticated approach to espionage demonstrates aspects that are typically associated with government-sponsored intelligence operations. Notably, UNC3524 operatives take their time to get to know their targets, and are not in a hurry to exploit the online environments they penetrate. Mandiant reported that UNC3524 attacks can take up to 18 months to conclude. In contrast, the average financially-motivated cyber-espionage attack rarely lasts longer than three weeks.

Additionally, UNC3524 operatives make a point of maintaining an extremely stealthy and low-key online profile, and have even developed a series of novel exploitation techniques, which Mandiant has termed “QuietExit”. The latter appear to focus on exploiting Internet of Things (IoT) devices that are typically found in corporate settings, but are not protected by traditional anti-virus systems. Once they penetrate the digital environment of their target, UNC3524 operatives meticulously build sophisticated back-doors into the system, and are known to return sometimes within hours after they are detected and repelled.

Interestingly, UNC3524 operatives do not waste time on low-level employees of targeted corporations. Once inside, they go straight for executive-level targets, including those in corporate strategy and development, mergers and acquisitions, and even information security. Mandiant says a few other actors, notably Russian-linked groups like Cozy Bear, Fancy Bear, APT28 or APT29, are also known to operate with such high-level targets in mind. However, there is little other operational overlap between them and UNC3524, the blog post claims.

Author: Joseph Fitsanakis | Date: 04 May 2022 | Permalink

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , , , , ,

Chinese-linked hacker group breached Indonesian spy agency’s networks

September 14, 2021 by Leave a comment

Indonesian State Intelligence Agency

A GROUP OF COMPUTER hackers with links to the Chinese state is likely behind a major breach of networks belonging to at least ten Indonesian government ministries and agencies, including the country’s primary intelligence service. The breach was first reported on September 10 by cybersecurity firm Insikt Group, whose researchers say they have been monitoring the hacks since April of this year.

Insikt Group said experts in its threat research division noticed that a number of PlugX malware command and control servers were regularly communicating with hosts inside the networks of the Indonesian government. After forensically examining the communication patterns, the researchers concluded that the initial contact between the command and control servers and the Indonesian government networks was made in March of this year, if not earlier. The technical details of the intrusion are still being determined, according to Insikt Group.

The firm said that the breach was perpetrated by Mustang Panda, a mysterious advanced persistent threat actor, which is also known as BRONZE PRESIDENT, HoneyMyte, and Red Lich. In the past, Mustang Panda has been particularly active in Southeast Asia, targeting servers in Mongolia, Malaysia and Vietnam. The targets of this latest breach included the Indonesian State Intelligence Agency, known as BIN. According to Insikt Group, BIN was “the most sensitive target compromised in the campaign”.

The company said it notified the Indonesian government twice about these intrusions, in June and July. Although no response was forthcoming from the Indonesian government, changes in its computer networks since that time may be taken as evidence that the authorities took steps to “identify and clean the infected systems”, according to Insikt Group’s report.

Author: Ian Allen | Date: 14 September 2021 | Permalink

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , , , , , , ,

Main suspect in potentially momentous hacker-for-hire case seeks plea deal in NY

July 2, 2021 by Leave a comment

Computer hacking

IN A DRAMATIC CASE, described by observers as “unusual”, a suspect in a hacker-for-hire scheme of potentially global proportions has told United States government prosecutors he is ready to discuss a plea deal. The case centers on Aviram Azari, a highly sought-after private detective who served in an Israeli police surveillance unit in the 1990s before launching a private career in investigations.

Azari was arrested in Florida in 2019 during a family vacation, and was shortly afterwards indicted in New York on charges of aggravated identity theft, conspiracy to commit computer hacking, and wire fraud. These charges reportedly date back to 2017 and 2018. Azari’s alleged objective was to target carefully selected individuals in order to steal their personal information, including email usernames and passwords. Last year, The New York Times reported that the case against Azari is connected with a potentially massive hacker-for-hire scheme code-named DARK BASIN.

Further information about DARK BASIN was published by Citizen Lab, a research unit of the University of Toronto’s Munk School of Global Affairs and Public Policy, which focuses on information technology, international security and human rights. It said DARK BASIN was orchestrated by an India-based firm called BellTroX InfoTech Services. It also claimed that the company is one of a number of hacker-for-hire firms based in India. These companies are said to be employed by private detectives in Western countries, who are usually hired by large multinationals or wealthy individuals.

Accordingly, the targets of DARK BASIN activities appear to have been investment firms based in the US and elsewhere, as well as government officials, pharmaceutical companies, lawyers, large banks, and even environmental activists who campaign against large multinationals. Additionally, some of DARK BASIN’s thousands of targets appear to be people involved in high-stakes divorce proceedings. Perhaps more alarmingly, among DARK BASIN’s targets are journalists around the world, who seem to have been targeted systematically in efforts to reveal their sources of information.

Azari has pleaded not guilty. But the fact that he his lawyer has now communicated his client’s desire to seek a plea deal with US government prosecutors may be a major game-changer in this case, which may have global ramifications. The Reuters news agency, which reported the latest developments on this case this week, said it reached out to the US Attorney’s Office in Manhattan, but spokesmen there declined to provide any information on Azari’s case.

Author: Joseph Fitsanakis | Date: 02 July 2021 | Permalink

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , , , , , , , ,

US government takes control of Internet domains used by SolarWinds hackers

June 3, 2021 by Leave a comment

Computer hacking

THE UNITED STATES GOVERNMENT has taken control of two Internet domains used last month in a large-scale phishing campaign by the same Russian-linked hacker group that was behind SolarWinds. The Department of Justice said on Tuesday it seized the two domains, theyardservice[.]com and worldhomeoutlet[.]com, on May 28, following a decision by a US court that authorized the action.

The large-scale attack was detected on May 25, and was delivered in over 3,000 emails sent from a compromised account belonging to the United States Agency for International Development (USAID). The compromised account was paired with the services of a legitimate email marketing company called Constant Contact. It was subsequently used to deliver phishing emails to the employees of over 150 organizations worldwide, most of them American.

The phishing emails featured an official USAID logo, beneath which was an embedded link to a purported “USAID Special Alert” titled “Donald Trump has published new documents on election fraud”. The link sent users to one of the two illicit subdomains, which infected victim machines with malware. The latter created a back door into infected computers, which allowed the hackers to maintain a constant presence in the compromised systems.

According to Microsoft Corporation, the hackers behind the phishing attack originated from the same group that orchestrated the infamous SolarWinds hack in 2020. The term refers to a large-scale breach of computer systems belonging to the United States federal government and to organizations such as the European Union and the North Atlantic Treaty Organization. The threat actor behind the attack is referred to by cybersecurity experts as APT29 or Nobelium, among other names.

Speaking on behalf of the US Department of Justice’s National Security Division, Assistant Attorney General John C. Demers said on Tuesday that the seizure of the two Internet domains demonstrated the Department’s “commitment to proactively disrupt hacking activity prior to the conclusion of a criminal investigation”.

Author: Joseph Fitsanakis | Date: 03 June 2021 | Permalink

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , , , , , , , , ,

COVID-19 is changing the map of cyber-crime activity, says British spy agency

November 5, 2020 by Leave a comment

GCHQ - IA

THE CYBER-SECURITY BRANCH of Britain’s signals intelligence agency has said in a new report that the coronavirus pandemic is changing the map of cyber-crime by illicit actors, including state-sponsored hackers. The unclassified report was released on Tuesday by the National Cyber Security Centre (NCSC), which is the cyber-security branch of the Government Communications Headquarters (GCHQ). Founded over a century ago, the GCHQ is responsible for, among other things, securing the communications systems of the British government and the country’s armed forces.

In its latest Annual Review, the NCSC warns that “criminals and hostile states” are exploiting the COVID-19 pandemic in order to challenge the national security of Britain and its allies. In an introductory note included in the report, NCSC director Jeremy Fleming says that the balance of cyber-threats has changed in 2020 as a result of the pandemic. According to the report, British cyber-security agencies saw a 10% rise in serious cyber-threat incidents in 2020. More than a third of these incidents were related to COVID-19, and many targeted Britain’s healthcare sector.

The report suggests that attacks against the British National Healthcare Service and vaccine research facilities constitute a rapidly emerging cyber-espionage risk. The majority of these attacks were carried out by state-sponsored actors, including Advanced Persistent Threat (APT) 29, which is also known as “Cozy Bear” and “The Dukes”. According to Western intelligence services, APT29 is a Russian state-sponsored cyber-espionage outfit, which has been known to target facilities involved in the development of coronavirus-related vaccines.

Other cyber-threat actors have no connections to foreign governments, but are instead motivated by profit. The NCSC said it had managed to disrupt over 15,000 campaigns by cyber-criminals to use coronavirus as a bait in order to trick unsuspecting Internet users into downloading malicious software or providing personal information online. Some cyber-criminal networks contacted clinics and other businesses who were in desperate need of personal protective equipment, coronavirus testing kits, and even purported cures against the virus, said the NCSC. Some of these unsuspecting victims were offered fictitious quantities of coronavirus-related equipment, which were never delivered.

Author: Ian Allen | Date: 05 November 2020 | Permalink

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , ,

FBI reorganizes cyber-crime and foreign cyber-espionage divisions as cases rise

October 2, 2020 by Leave a comment

FBI

The United States Federal Bureau of Investigation is reorganizing its cyber-crime and foreign cyber-espionage divisions in order to combat growing activity in those areas, while also increasing its cross-agency contacts. The goal is to reinforce investigations into computer hacking perpetrated by organized cyber-criminals, as well as by foreign states aiming to steal government and corporate secrets.

According to the Reuters news agency, the FBI made the decision to reorganize its cyber divisions after Internet-based crime and espionage cases rose to unprecedented levels in the past year, a trend that is partly driven by the COVID-19 epidemic. Aside from the damage caused to national security, the financial loss associated with computer hacking is said to be incalculable.

In an interview with Reuters, Matt Gorham, assistant director of the FBI’s Cyber Division (established in 2002), said the reorganization includes both the Bureau’s cyber-crime and foreign cyber-espionage wings. It also includes increased FBI emphasis on the National Cyber Investigative Joint Task Force (NCIJTF), an amalgamation of cyber-security specialists from dozens of US federal agencies, including the Secret Service, the National Security Agency, the Department of Homeland Security and the Central Intelligence Agency.

Under the new system, the NCIJTF will serve as the coordinating body of the US government’s cyber-security efforts. Additionally, said Gorham, the FBI is creating “mission centers” located within various cyber units, and connect their work with the NCIJTF. These mission centers will include concentrations on specific cyber-espionage actors, such as Iran, North Korea, China or Russia. Lastly, the restructured NCIJTF will increase its contacts with domestic and foreign law enforcement agencies, such as the Australian Federal Police, as well as with telecommunications service providers, which are engaged on the front lines of the fight against cyber-crime and cyber-espionage.

Author: Ian Allen | Date: 02 October 2020 | Permalink

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , , , , , ,

Russian government cyber spies ‘hid behind Iranian hacker group’

October 22, 2019 by Leave a comment

Computer hackingRussian hackers hijacked an Iranian cyber espionage group and used its infrastructure to launch attacks, hoping that their victims would blame Iran, according to British and American intelligence officials. The information, released on Monday, concerns a Russian cyber espionage group termed “Turla” by European cyber security experts.

Turla is believed to operate under the command of Russia’s Federal Security Service (FSB), and has been linked to at least 30 attacks on industry and government facilities since 2017. Since February of 2018, Turla is believed to have successfully carried out cyber espionage operations in 20 different countries. Most of the group’s targets are located in the Middle East, but it has also been connected to cyber espionage operations in the United States and the United Kingdom.

On Monday, officials from Britain’s Government Communications Headquarters (GCHQ) and America’s National Security Agency (NSA) said Turla had hijacked the attack infrastructure of an Iranian cyber espionage group. The group has been named by cyber security researchers as Advanced Persistent Threat (APT) 34, and is thought to carry out operations under the direction of the Iranian government.

The officials said there was no evidence that APT34 was aware that some of its operations had been taken over by Turla. Instead, Russian hackers stealthily hijacked APT34’s command-and-control systems and used its resources —including computers, servers and malicious codes— to attack targets without APT34’s knowledge. They also accessed the computer systems of APT34’s prior targets. In doing so, Turla hackers masqueraded as APT34 operatives, thus resorting to a practice that is commonly referred to as ‘fourth party collection’, according to British and American officials.

The purpose of Monday’s announcement was to raise awareness about state-sponsored computer hacking among industry and government leaders, said the officials. They also wanted to demonstrate the complexity of cyber attack attribution in today’s computer security landscape. However, “we want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them”, said Paul Chichester, a senior GCHQ official.

Author: Joseph Fitsanakis | Date: 22 October 2019 | Permalink

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , , , , , , , , ,

Western spies used ‘crown jewel’ of espionage tools to hack into Russia’s Google

June 28, 2019 by Leave a comment

Yandex RussiaHackers used a malware described by experts as the “crown jewel” of cyber-espionage tools to hack into Russia’s version of Google, in an effort to breach user accounts, according to the Reuters news agency. The hackers targeted Yandex (Яндекс), a Moscow-headquartered company that operates as the Russian version of Google. Yandex is the largest technology venture company in the Russian Federation and the fifth most popular search engine in the world. It also provides services such as mapping and email in Russia and several other countries in Central Asia and the Middle East. It claims that it serves more than 150 million monthly users worldwide.

On Thursday, Reuters cited “four people with knowledge on the matter […] in Russia and elsewhere”, who said that Yandex was targeted by a sophisticated hacking operation between October and November of 2018. The news agency said that three of its sources had direct knowledge of the details of the cyber-espionage operation against Yandex. According to the unnamed sources, the hackers appeared to be primarily interested in breaching the accounts of specific employees in Yandex’s research and development unit. Their purpose was to acquire technical information about how Yandex authenticates user accounts. That information could potentially enable them to impersonate Yandex users and access private information, including email messages, geolocation information, and other sensitive private data. Reuters said that the hackers attempted to breach Yandex for purposes of espionage, not sabotage or disruption, or stealing intellectual property for commercial purposes.

Moreover, the hackers used Regin, a highly sophisticated malware that a technical expert from the Symantec Corporation described as “the crown jewel of attack frameworks used for espionage”. Regin was identified as a malware employed by intelligence services of the so-called Five Eyes intelligence alliance between spy agencies of the United Kingdom, Canada, New Zealand, Australia and the United States. It was identified as a Western cyber-espionage tool in 2014, based on revelations made by Edward Snowden, the American former employee of the National Security Agency and the Central Intelligence Agency who defected to Russia. The same malware was used in 2013 to access about a dozen mainframe computers of Belgacom, Belgium’s largest telecommunications service provider, which is partly state-owned. The attack was widely attributed to a consortium of Western intelligence services led by the NSA.

According to Reuters, the hackers were able to penetrate Yandex’s networks for several weeks or longer, without being noticed by the company’s cyber-security monitors. When the penetration was detected, Yandex hired a cyber-security team from the Russian anti-virus firm Kaspersky. The Kaspersky team identified Regin and, according to Reuters, concluded that the hackers behind the cyber-espionage operation were tied to Western intelligence agencies. Kaspersky, the Russian government, and intelligence agencies from the Five Eyes alliance declined requests by Reuters to comment on the story. Yandex confirmed the cyber-espionage attack in a statement to Reuters, but said that its cyber-security experts had been able to detect and “fully neutralize [it] before any damage was done”. Consequently, said Yandex, “no user data was compromised in the attack”.

Author: Joseph Fitsanakis | Date: 28 June 2019 | Permalink

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , , , , , ,

Cyber spies accessed thousands of European Union diplomatic cables

December 20, 2018 by 1 Comment

European Commission buildingA group of hackers, allegedly working for the Chinese military, accessed thousands of classified diplomatic cables from the European Union during a protracted cyber-espionage operation, a report has revealed. Over 100 organizations are believed to have been targeted in the multi-year cyber-espionage campaign, including the United Nations, international labor groups, as well as government ministries from dozens of countries. The operation was revealed on Tuesday by Area 1, a cyber-security company founded by former officials of the United States National Security Agency, and reported by The New York Times.

The compromised cables come primarily from the European Union’s COREU communication network, a Telex-based network that uses teleprinters to exchange text-based messages. The European Union uses the COREU network to transmit information that is classified “limited” or “restricted” between officials representing the executive governments of the European Union’s member states, members of the European Commission, foreign-ministry officials, and other approved parties. Top-secret information (“tres secret” in European Union parlance) is typically not shared on the COREU network. Consequently, the hacked cables contain mostly low-level information. That does not mean, however, that their access by at least one adversary power does not represent a serious security breach. Area 1 said that its forensic examination of the method used by the hackers reveals a set of cyber-espionage techniques that are closely associated with the Chinese People’s Liberation Army (PLA). These clues, in association with the PLA’s long history of attacking Western diplomatic targets, point to Beijing as a very likely culprit behind the attacks, according to Area 1.

The American cyber-security firm said it was able to access the compromised European Union cables and made over 1,100 of them available to The New York Times. The paper reported on Tuesday that the cables reflect increasing tension between Brussels and Washington, as European Union diplomats attempt to get a handle on the unpredictability of United States President Donald Trump. A series of diplomatic cables discusses the whether the European Union should bypass the White House and work directly with the Republican-controlled US Congress, which is viewed as more reliable and responsible. Another set of diplomatic exchanges describes the frustration of the Beijing’s leadership with Trump, which Chinese President Xi Jinping is said to have described to European Union officials as “a bully [engaged in a] no-rules freestyle boxing match”.

The Times said that it notified the European Union of the breach of its diplomatic cables and was told that officials were “aware of allegations regarding a potential leak of sensitive information and [were] actively investigating the issue”. The paper also contacted the White House National Security Council but did not get a response.

Author: Ian Allen | Date: 20 December 2018 | Permalink

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , , , , , , , ,

Czechs accuse Moscow of ‘most serious wave of cyberespionage’ in years

December 5, 2018 by Leave a comment

Czech Security Information ServiceThe main domestic intelligence agency of the Czech Republic has accused Russia of “the most serious wave of cyberespionage” to target the country in recent years. The claim was made on Monday in Prague by the Security Information Service (BIS), the primary domestic national intelligence agency of the Czech Republic. Details of the alleged cyberespionage plot are included in the BIS’ annual report, a declassified version of which was released this week.

According to the document, the cyberespionage attacks were carried out by a hacker group known as APT28 or Fancy Bear, which is believed to operate under the command of Russian intelligence. The hacker group allegedly targeted the Czech Ministry of Defense, the Ministry of Foreign Affairs and the headquarters of the country’s Armed Forces. As a result, the electronic communication system of the Ministry of Foreign Affairs was compromised “at least since early 2016”, said the report (.pdf). More than 150 electronic mailboxes of ministry employees —including diplomats— were accessed, and a significant number of emails and attachments were copied by the hackers. The compromise was terminated a year later, when BIS security personnel detected the penetration. The BIS report goes on to say that a separate cyberespionage attack was carried out by a Russian-sponsored hacker group in December of 2016. An investigation into the attacks concluded that the hackers were not able to steal classified information, says the report. It adds, however, that they were able to access personal information about Czech government employees, which “may be used to launch subsequent attacks [or to] facilitate further illegitimate activities” by the hackers.

The BIS report concludes that the hacker campaign was part of “the most serious wave of cyberespionage” to target the Czech Republic in recent years. Its perpetrators appear to have targeted individuals in “virtually all the important institutions of the state” and will probably continue to do so in future attacks, it says. Moreover, other European countries probably faced similar cyberespionage breaches during the same period, though some of them may not be aware of it, according to the BIS. Czech Prime Minister Andrej Babis told parliament on Tuesday that his cabinet will discuss the BIS report findings and recommendations early in the new year.

Author: Joseph Fitsanakis | Date: 05 December 2018 | Permalink

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , , , , , , , , ,

Britain sees Russian government hackers behind Islamic State cyber group

October 5, 2018 by Leave a comment

Cyber CaliphateA new report by the British government alleges that the so-called ‘Cyber Caliphate’, the online hacker wing of the Islamic State, is one of several supposedly non-state groups that are in fact operated by the Russian state. The group calling itself Cyber Caliphate first appeared in early 2014, purporting to operate as the online wing of the Islamic State of Iraq and Syria (ISIS), which was later renamed Islamic State. Today the Cyber Caliphate boasts a virtual army of hackers from dozens of countries, who are ostensibly operating as the online arm of the Islamic State. Their known activities include a strong and often concentrated social media presence, as well as computer hacking, primarily in the form of cyber espionage and cyber sabotage.

But an increasing number of reports, primarily by Western government agencies, have claimed in recent years that the Cyber Caliphate is in fact part of a Russian state-sponsored operation, ingeniously conceived to permit Moscow to hack Western targets without retaliation. On Wednesday, a new report by Britain’s National Cyber Security Centre (NCSC) described the Cyber Caliphate and other similar hacker groups as “flags of convenience” for the Kremlin. The report was authored by the NCSC in association with several British and European intelligence agencies. American spy agencies, including the National Security Agency and the Federal Bureau of Investigation, also helped compile the report, according to the NCSC. The report names several hacker groups that have been implicated in high-profile attacks in recent years, including Sofacy, Pawnstorm, Sednit, Cyber Berkut, Voodoo Bear, BlackEnergy Actors, Strontium, Tsar Team, and Sandworm. Each of these, claims the NCSC report, is “an alias of the Main Directorate of the General Staff of Russia’s Armed Forces”, more commonly known as the GRU. The report concludes that Cyber Caliphate is the same hacker group as APT 28, Fancy Bear, and Pawn Storm, three cyber espionage outfits that are believed to be online arms of the GRU.

The NCSC report echoes the conclusion of a German government report that was leaked to the media in June of 2016, which argued that the Cyber Caliphate was a fictitious front group created by Russia. In 2015, a security report by the US State Department concluded that despite the Cyber Caliphate’s proclamations of connections to the Islamic State, there were “no indications —technical or otherwise— that the groups are tied”. In a statement issued alongside the NCSC report on Wednesday, Britain’s Secretary of State for Foreign and Commonwealth Affairs, Jeremy Hunt, described the GRU as Moscow’s “chosen clandestine weapon in pursuing its geopolitical goals”. The Russian government has denied these allegations.

Author: Ian Allen | Date: 05 October 2018 | Permalink

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , , , , , , , , , ,

Singapore officials reject rumors of spy devices used at Trump-Kim summit

June 25, 2018 by 2 Comments

USB fan espionageSingaporean officials have dismissed reports that a promotional item given away for free during the June 12 summit between the leaders of the United States and North Korea contained an espionage device. Over 2500 reporters from nearly every country covered the meeting between US President Donald Trump and North Korean Supreme Leader Kim Jong-un. Upon arriving in Singapore’s Sentosa Island, where the summit took place, journalists were given a free promotional packet that included novelty items such as pens, notepads, a water bottle, and a USB fan. The USB fan consisted of blades connected to a miniature electric motor, which was in turn connected to a USB cable. The cable allowed the device to be powered by a computer or other electronic device with a built-in USB port.

But rumors soon emerged in the media that the free USB fans, which were made in China, contained malware. As soon as the fans were plugged into an electronic device, the malware penetrated its operating system, allowing hackers to access its contents remotely, said the reports. The allegations were first aired on Radio France Internationale, the French government’s international broadcaster. They were then picked up by the BBC, which said that many reporters covering the historic summit had been warned “not to plug [the USB fans] in to their laptops”. According to the reports, the malware installed on the USB fans was able to steal computer files and turn a laptop’s built-in camera and microphone into remotely-controlled eavesdropping devices.

But the government of Singapore has strongly rejected these reports. In a statement issued in English, Singapore’s Ministry of Communications and Information said that the USB fans had been a gift of the Sentosa Development Corporation, a Singapore government body tasked with promoting tourism in Sentosa Island, where the Trump-Kim summit took place. The ministry added that the USB fans had been produced long before Trump and Kim decided to meet in Singapore and that they had been originally manufactured as gifts for tourists visiting the island. The statement issued by the ministry also said that reporters appreciated the fans, given the tropical climate on Sentosa Island, where the temperature reached 33C (91F) on the day of the summit.

Author: Ian Allen | Date:  25 June 2018 | Permalink

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , , , , , , ,