Russian hacker group using Internet service providers to spy on foreign embassies

August 2, 2025 by 3 Comments

Hacking cyber - JFA HACKER GROUP LINKED to Russia’s Federal Security Service (FSB) has compromised Russia’s domestic internet infrastructure and is using it to target foreign diplomats stationed in Russia. According to a report, published last week by Microsoft Threat Intelligence, the hacker group behind this operation is Turla, also known as Snake, Venomous Bear, Group 88, Waterbug, and Secret Blizzard. Analysts have linked the group with “some of the most innovative hacking feats in the history of cyberespionage”.

Turla began its attempt to compromise a host of Russian internet service providers in February, according to Microsoft’s report. The group’s apparent goal has been to gain access to the software that enables Russian security agencies to legally intercept internet traffic, following the issuance of warrants by judges. This software is governed by Russia’s System for Operative Investigative Activities (SORM), which became law in 1995, under the presidency of Boris Yeltsin. All local, state, and federal government agencies in Russia use the SORM system to facilitate court-authorized telecommunications surveillance.

According to Microsoft, targeted Internet users receive an error message prompting them to update their browser’s cryptographic certificate. Consent by the user results in the targeted computer downloading and installing a malware. Termed ApolloShadow by Microsoft, the malware is disguised as a security update from Kaspersky, Russia’s most widely known antivirus software provider. Once installed the malware gives the hackers access to the content of the targeted user’s secure communications.

The Microsoft report states that, although Turla has been involved in prior attacks against diplomatic targets in Russia and abroad, this is the first time that the hacker group has been confirmed to have the capability to attack its targets at the Internet Service Provider (ISP) level. In doing so, Turla has been able to incorporate Russia’s domestic telecommunications infrastructure into its attack tool-kit, the report states. The report does not name the diplomatic facilities or the countries whose diplomats have been targeted by Turla hackers. But it warns that all “diplomatic personnel using local [internet service providers] or telecommunications services in Russia are highly likely targets” of the group.

Author: Joseph Fitsanakis | Date: 02 August 2025 | Permalink

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , , , , , , , , , , ,

Researchers uncover secretive Russian spy unit by studying its commemorative badges

July 21, 2025 by 2 Comments

FSB RussiaA GROUP OF RESEARCHERS in Finland have managed to outline the structure and geographic footprint of a highly secretive Russian signals intelligence (SIGINT) unit by studying commemorative badges issued by the Russian government. The research group, known as CheckFirst, specializes in open-source (OSINT) investigative reporting and works to combat online disinformation.

Earlier this month, CheckFirst published its latest report titled “OSINT & Phaleristics: Unveiling FSB’s 16th  Center SIGINT Capabilities”. The 36-page report focuses on the study of Russian government-issued commemorative badges—also known as challenge coins—relating to Center 16 (16-й Центр). Also known as  Military Unit 71330, Center 16 is a secretive SIGINT unit that houses most of the cyber espionage capabilities of Russia’s Federal Security Service (FSB).

Challenge coins are custom-made medallions given by military, intelligence, and government agencies to recognize service, commemorate achievements, or build morale. Originating in the United States military during World War I, and popularized during the Vietnam War, challenge coins are routinely exchanged in ceremonies or offered to personnel as tokens of camaraderie and loyalty within a specific unit or mission.

Often regarded as collectors’ items, challenge coins from various agencies are often resold on websites such as eBay, or displayed online on websites maintained by private collectors. CheckFirst researchers tracked down several versions of Center 16 challenge coins found on a variety of publicly available websites, as well as on the websites of Russian challenge coin manufacturers, such as GosZnak, SpetsZnak, or Breget.

Based on this OSINT methodology, CheckFirst researchers were able to identify 10 distinct directorates within Center 16, which specialize on various aspects of defensive and offensive cyber espionage. Previously only a single Center 16 directorate had been identified in the unclassified domain. Moreover, by examining geographic indicators found on several of challenge coins, such as maps or coordinates, CheckFirst researchers were able to partly map out the geographic structure of Center 16, locating nearly a dozen interception facilities throughout Russia.

Author: Joseph Fitsanakis | Date: 21 July 2025 | Permalink

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , , , , , , , , ,

US-led ‘Five Eyes’ alliance dismantled Russia’s ‘premier espionage cyber-tool’

May 11, 2023 by 3 Comments

Computer hackingAN ESPIONAGE TOOL DESCRIBED by Western officials as the most advanced in the Russian cyber-arsenal has been neutralized after a 20-year operation by intelligence agencies in the United States, Australia, Canada, the United Kingdom and New Zealand. The operation targeted Turla, a hacker group that cyber-security experts have long associated with the Russian government.

Turla is believed to be made up of officers from Center 16, a signals intelligence unit of Russia’s Federal Security Service (FSB), one of the Soviet-era KGB’s successor agencies. Since its appearance in 2003, Turla has used a highly sophisticated malware dubbed ‘Snake’ to infect thousands of computer systems in over 50 countries around the world. Turla’s victims include highly sensitive government computer networks in the United States, including those of the Department of Defense, the National Aeronautics and Space Administration, and the United States Central Command.

The Snake malware has also been found in computers of privately owned firms, especially those belonging to various critical infrastructure sectors, such as financial services, government facilities, electronics manufacturing, telecommunications and healthcare. For over two decades, the Snake malware used thousands of compromised computers throughout the West as nodes in complex peer-to-peer networks. By siphoning information through these networks, the Turla hackers were able to mask the location from where they launched their attacks.

On Tuesday, however, the United States Department of Justice announced that the Federal Bureau of Investigation (FBI), along with its counterparts in the United States-led ‘Five Eyes’ intelligence-sharing alliance, had managed to dismantle Snake. This effort, codenamed Operation MEDUSA, was reportedly launched nearly 20 years ago with the goal of neutralizing the Snake malware. In the process, Five Eyes cyber-defense experts managed to locate Turla’s facilities in Moscow, as well as in Ryazan, an industrial center located about 120 miles southeast of the Russian capital.

The complex cyber-defense operation culminated with the development of an anti-malware tool that the FBI dubbed PERSEUS. According to the Department of Justice’s announcement, PERSEUS was designed to impersonate the Turla operators of Snake. In doing so, it was able to take over Snake’s command-and-control functions. Essentially, PERSEUS hacked into Snake and instructed the malware to self-delete from the computers it had compromised. As of this week, therefore, the worldwide peer-to-peer network that Snake had painstakingly created over two decades, has ceased to exist, as has Snake itself.

Author: Joseph Fitsanakis | Date: 11 May 2023 | Permalink

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , , , , , , , , ,

Newly discovered cyber-espionage group spies for money using state-actor methods

May 4, 2022 by 1 Comment

Computer hackingA NEWLY DISCOVERED CYBER-espionage group appears to target the senior leadership of private corporations involved in large-scale financial transactions, but employs skills and methods that are usually associated with state-sponsored threat actors. The group has been termed “UNC3524” by the American cybersecurity firm Mandiant, which says it discovered it in December of 2019. In a detailed blog post published earlier this week, a team of cyber-security researchers at Mandiant say they have been studying the group for over two years, and have been surprised by their findings.

Given its targets, as well as the information it goes after, there is little doubt that UNC3524 is interested in financial gain. However, its operational profile differs markedly from those of other financially oriented hacker groups, according to Mandiant. Its sophisticated approach to espionage demonstrates aspects that are typically associated with government-sponsored intelligence operations. Notably, UNC3524 operatives take their time to get to know their targets, and are not in a hurry to exploit the online environments they penetrate. Mandiant reported that UNC3524 attacks can take up to 18 months to conclude. In contrast, the average financially-motivated cyber-espionage attack rarely lasts longer than three weeks.

Additionally, UNC3524 operatives make a point of maintaining an extremely stealthy and low-key online profile, and have even developed a series of novel exploitation techniques, which Mandiant has termed “QuietExit”. The latter appear to focus on exploiting Internet of Things (IoT) devices that are typically found in corporate settings, but are not protected by traditional anti-virus systems. Once they penetrate the digital environment of their target, UNC3524 operatives meticulously build sophisticated back-doors into the system, and are known to return sometimes within hours after they are detected and repelled.

Interestingly, UNC3524 operatives do not waste time on low-level employees of targeted corporations. Once inside, they go straight for executive-level targets, including those in corporate strategy and development, mergers and acquisitions, and even information security. Mandiant says a few other actors, notably Russian-linked groups like Cozy Bear, Fancy Bear, APT28 or APT29, are also known to operate with such high-level targets in mind. However, there is little other operational overlap between them and UNC3524, the blog post claims.

Author: Joseph Fitsanakis | Date: 04 May 2022 | Permalink

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , , , , ,

United States reaches agreement with ex-NSA staff who helped Emirates hack targets

September 16, 2021 by Leave a comment

US Department of JusticeThree former employees of American spy agencies, who helped the United Arab Emirates hack targets around the world, including United States citizens, have agreed to cooperate with the investigation into their activities. The US Department of Justice said on Tuesday that it had reached a “deferred prosecution agreement” with the three Americans, Ryan Adams, Marc Baier and Daniel Gericke. At least two of them are believed to have worked for the US National Security Agency before transferring their skills to the private sector.

According to US government prosecutors, the three men initially worked for a US-owned private cyber firm, before being hired by another firm that is registered to the UAE, which offered them “significant increases in their salaries”. According to the book This Is How They Tell Me the World Ends, by New York Times reporter Nicole Perlroth, the UAE firm was behind Project RAVEN, a highly intrusive cyber-espionage campaign against domestic and international critics of the UAE monarchy.

As intelNews reported earlier this year, the existence of Project RAVEN was revealed by the Reuters news agency in 2019. Its extensive list of targets included foreign governments, officials of international bodies, as well as lawyers, human rights activists and suspected terrorists. Several of those targets were reportedly American citizens. Perlroth claims in her book that among Project RAVEN’s targets was former First Lady Michelle Obama.

The information released this week by the US Department of Justice details an agreement between the three defendants and the US government, according to which they are required to cooperate fully with the investigation into their activities. They are also required to pay a combined total of nearly $1.7 million to the US government as a form of restitution for violating military export-control standards. Moreover, they are banned from holding security clearances in the future, and are subject to a number of employment restrictions.

Several US news outlets described the agreement between the US government and the three defendants as the first of its kind. Meanwhile, a number of US government officials, including Bryan Vorndran, assistant director of the FBI’s Cyber Division, warned other former US government employees to not violate “export-controlled information for the benefit of a foreign government or a foreign commercial company”.

Author: Joseph Fitsanakis | Date: 16 September 2021 | Permalink

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , , , , , ,

Finnish intelligence identifies Chinese state-linked group behind cyber-attack

March 19, 2021 by 3 Comments

Finnish Parliament

FINLAND’S INTELLIGENCE AGENCY HAS identified a hacker group with ties to the Chinese state as the culprit of an attack of “exceptional” magnitude and intensity that targeted the Finnish Parliament last year. The attack was reported in December 2020, but had been going on for several weeks prior to being discovered by the information security department of the Eduskunta (Parliament of Finland).

Finland’s National Bureau of Investigation (NIB) said at the time that the attack had compromised parts of the Parliament’s internal communication system, including a number of Parliamentary email accounts. Some of these accounts belonged to members of Parliament, while others belonged to members of staff, according to the NIB.

Little became known about the attack in the months after the incident was first reported by Finnish media. But on Thursday the Finnish Security and Intelligence Service (SUPO) issued a press release about the incident. It said that the attack was likely part of a state-sponsored cyber espionage operation. It also identified those responsible for the attack as Advanced Persistent Threat (APT) 31. The SUPO report did not name the state that sponsored the attack. However, several private computer security firms have linked APT31 with the Chinese government.

The SUPO report stated that the attack on the Finnish Parliament was neither random nor experimental. On the contrary, it was aimed at acquiring specific information stored at the Parliament’s computer servers. Although the motive for the attack is still being investigated, it is possible that it was part of an effort “to gather intelligence to benefit a foreign state or to harm Finland’s interests”, said SUPO. The spy agency added that it would not provide further details about the case while it remains the subject a criminal investigation.

Author: Joseph Fitsanakis | Date: 19 March 2021 | Permalink

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , , , , , , ,

UAE cyber-hacking program spied on Michelle Obama’s emails, book claims

February 8, 2021 by Leave a comment

Michelle ObamaMICHELLE OBAMA HAD SOME of her personal emails intercepted by a group of American cyber-spies who were working for the government of the United Arab Emirates (UAE), according to a new book. The book, This Is How They Tell Me the World Ends, is written by Nicole Perlroth, who covers cybersecurity-related topics for The New York Times. It tackles what the author describes as the global “cyber-weapons arms race” and its impact on international security.

Among the topics discussed in the book is Project RAVEN, a highly intrusive cyber-espionage effort by the government of the UAE. The project was allegedly aimed at neutralizing domestic and international targets, which the UAE monarchy saw as threats to its survival. According to the Reuters news agency, which revealed the existence of Project RAVEN in 2019, its targets included foreign governments, officials of international bodies, as well as suspected terrorists and human rights activists.

As the dispute between the UAE and Qatar deepened, Project RAVEN increasingly targeted the island oil kingdom. In one notable instance, UAE cyber-spies hacked into the email accounts of officials at the International Federation of Association Football (FIFA) in an unsuccessful effort to sabotage Qatar’s bid to host the 2022 football World Cup. According to Reuters, the cyber-spies sought to unearth damaging and potentially embarrassing private information about Qatari officials, and leak them in order to damage Qatar’s candidacy for the high-profile sporting competition. According to the news agency, several American former employees of the National Security Agency were involved in Project RAVEN.

Now Perlroth’s book claims that Project RAVEN’s cyber-spies acquired a series of emails exchanged between Moza bint Nasser, wife of Qatar’s then-ruling Emir, Hamad bin Khalifa Al Thani, and Michelle Obama, when she held the position of America’s First Lady. The emails, which were intercepted in 2015, contained the US first lady’s personal thoughts, information on her security detail, and the travel details of her planned visit to Doha later that year. According to Perlroth, the inclusion of Obama’s emails into Project RAVEN’s targets caused at least one American involved in the effort, a former NSA analyst, to quit and leave the UAE. The Emirati monarchy has not commented on allegations about Project RAVEN.

Author: Joseph Fitsanakis | Date: 08 February 2021 | Permalink

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , , , , , , , , ,

Analysis: Potential espionage aspects of attack on US Capitol must be considered

January 12, 2021 by 4 Comments

US CapitolTHE INSURGENTS WHO STORMED the United States Capitol Building Complex on January 6 may have unwittingly provided cover for teams of foreign spies, who could have stolen or compromised sensitive electronic equipment. This largely neglected security-related aspect of the attack is discussed in an insightful article by David Gewitz, a ZDNet and CNET columnist who writes about cybersecurity affairs.

Hundreds of unauthorized people entered the US Capitol last Wednesday. Many of them entered the offices of several members of Congress, some of whom are members of Congressional committees on intelligence, armed services, defense, and other sensitive matters. According to Gewitz, “there is absolutely no knowing what actions were taken against digital gear inside the building” by the intruders. Most of them were clearly members of disorganized mobs, who appeared to have no concrete plan of action once inside the Capitol. However, points Gewitz, it would have been easy for foreign actors to blend in with the crowd of wild-eyed rioters and surreptitiously entered the Capitol in order to steal or compromise sensitive electronic equipment.

In addition to stealing electronic equipment, foreign spies could have stolen sensitive documents, access codes and passcodes, says Gewitz. He adds that more sophisticated efforts could have included loading malware onto Capitol computer systems, or plugging surreptitious USB drives into the internal ports of tower PCs —a process that takes less than two minutes for someone who is equipped with an pocket-size electric screwdriver. Foreign actors could also have left dozens of “generic USB drives in various drawers and on various desks” around the Capitol, hoping that members of Congress or their aides will make use of them in the coming days or weeks. For all we know, says Gewitz, the place could now be riddled with USB chargers with built-in wireless key-loggers, devices that look like power strips but actually hide wireless network hacking tools, fake smoke detectors, electric outlets or switches that contain bugs, and many other surreptitious spying devices.

What should Capitol security personnel do to prevent the potential espionage fallout from the January 6 attack? Gewitz argues that, given the extremely sensitive nature of the information that is stored in the Capitol’s digital systems, federal cybersecurity personnel should “assume that ALL the digital devices at the Capitol have been compromised”, he writes. They will therefore need to resort to “a scorched Earth remediation effort”, meaning that they will have to “completely scrub” those systems, and even lock the USB drive slots of every PC in the building complex. This damage will take months, even years, to clean up, he concludes.

Author: Joseph Fitsanakis | Date: 12 January 2021 | Permalink

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , , , , ,

Massive hacker attack triggers US National Security Council emergency meeting

December 15, 2020 by 2 Comments

White HouseA large-scale cyberespionage attack targeting United States government computer systems, which some experts described as potentially being among “the most impactful espionage campaigns on record”, triggered an emergency meeting of the US National Security Council on Sunday, according to reports. Chaired by the US president, the National Security Council is the country’s most senior decision-making body.

Although it was only discovered last week, the cyberespionage campaign is believed to date to last spring, possibly as early as March. Sources called it a highly sophisticated operation that originated from a “top-tier” adversary –a term that refers to a handful of state actors that have access to the most elite cyber operatives and advanced technologies known to exist.

As of last night, US government officials had not publicly identified the state actor believed to be behind the cyberespionage campaign, which experts have coined the “2020 supply chain attack”. But several American and European news outlets pointed to Russia as the culprit, citing sources familiar with the investigation. The Washington Post said the Russian Foreign Intelligence Service, known as SVR, was behind the attack. The Russian government denied on Monday that its agencies had any role in the attacks.

The origins of the attack are believed to be in the private sector. It began when a sophisticated illicit cyber actor, known by the nickname Advanced Persistent Threat (APT) 29, or Cozy Bear, stole cyber tools used by two major government contractors, FireEye and SolarWinds. These cyber tools are used to detect and patch vulnerabilities in computer systems. These companies provide services to numerous US government customers, including the Departments of Defense, State, Treasury and Commerce. Other US government customers include the National Security Agency and the Office of the President, including the White House Situation Room. All of these entities have reportedly been affected by this cyber espionage operation.

By disguising their malicious software as software patches, the hackers were reportedly able to access and monitor, in real time, email traffic within and between government agencies. It is not known at this time whether US intelligence agencies, other than the National Security Agency, have been affected by this hack. All branches of the US military maintain intelligence components. Additionally, the Department of the Treasury operates the Office of Intelligence Analysis, while the Department of State is in charge of the Bureau of Intelligence and Research. The White House said yesterday that it had asked the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency to probe the attack and evaluate the extent of the damage caused to US government operations.

Author: Joseph Fitsanakis | Date: 15 December 2020 | Permalink

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , , , , , , , , ,

Cybersecurity researchers uncover first-ever use of LinkedIn to spread malware

June 18, 2020 by Leave a comment

LinkedInCybersecurity researchers have uncovered what is believed to be the first-ever case of hackers using LinkedIn to infect the computers of targeted users with viruses, according to a new report. The hackers appear to have been sponsored by government and to have targeted employees of carefully selected military contractors in central Europe, according to sources.

The existence of the alleged cyberespionage operation was revealed on Wednesday by researchers at ESET, a cybersecurity firm based in Bratislava, Slovakia, which is known for its firewall and anti-virus products. The researchers said that the operation was carried out in 2019 by hackers who impersonated employees of General Dynamics and Collins Aerospace, two leading global suppliers of aerospace and defense hardware.

ESET researchers said that the hackers made use of the private messaging feature embedded in LinkedIn to reach out to their targets. After making initial contact with their intended victims, the hackers allegedly offered their targets lucrative job offers and used the LinkedIn private messenger service to send them documents that were infected with malware. In many cases, the targets opened the documents and infected their computers in the process.

The use of the LinkedIn social media platform by hackers to make contact with their unsuspecting victims is hardly new. In 2017, German intelligence officials issued a public warning about what they said were thousands of fake LinkedIn profiles created by Chinese spies to gather information about Western targets. Germany’s Federal Office for the Protection of the Constitution (BfV) said it had identified 10,000 German citizens who had been contacted by Chinese spy-run fake profiles on LinkedIn in a period of just nine months. And in 2018, a report by France’s two main intelligence agencies, the General Directorate for Internal Security (DGSI) and the General Directorate for External Security (DGSE), warned of an “unprecedented threat” to security after nearly 4,000 leading French civil servants, scientists and senior executives who were found to have been accosted by Chinese spies on LinkedIn.

Tricking a target into accessing a virus-infected document file is not a new method either. However, according to the researchers at ESET, this was the first case where LinkedIn was used to actually deliver the malware to the victims. As for the identity of the hackers, there appears to be no concluding information. However, ESET said the attacks appeared to have some connections to Lazarus, a group of hackers with North Korean links. Lazarus has been linked to the 2014 Sony Pictures hack and the 2016 Central Bank of Bangladesh cyber heist, which was an attempt to defraud the bank of $1 billion.

LinkedIn told the Reuters news agency that it had identified and terminated the user accounts behind the alleged cyberespionage campaign. Citing client confidentiality, ESET said it could not reveal information about the victims of the attacks. Meanwhile, General Dynamics and Raytheon Technologies, which owns Collins Aerospace, have not commented on this report.

Author: Joseph Fitsanakis | Date: 18 June 2020 | Permalink

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , , , , , , ,

Lax security behind greatest data loss in CIA’s history, internal report concludes

June 17, 2020 by 1 Comment

WikiLeaksComplacency and substandard security by the United States Central Intelligence Agency were behind the Vault 7 leak of 2017, which ranks as the greatest data loss in the agency’s history, according to an internal report. The Vault 7 data loss was particularly shocking, given that the CIA should have taken precautions following numerous leaks of classified government information in years prior to 2017, according to the report.

The Vault 7 data leak occurred in the first half of 2017, when the anti-secrecy website WikiLeaks began publishing a series of technical documents belonging to the CIA. Once all documents had been uploaded to the WikiLeaks website, they amounted to 34 terabytes of information, which is equivalent to 2.2 billion pages of text. The information contained in the Vault 7 leak is believed to constitute the biggest leak of classified data in the history of the CIA.

The Vault 7 documents reveal the capabilities and operational details of some of the CIA’s cyber espionage arsenal. They detail nearly 100 different software tools that the agency developed and used between 2013 and 2016, in order to compromise targeted computers, computer servers, smartphones, cars, televisions, internet browsers, operating systems, etc. In 2017 the US government accused Joshua Adam Schulte, a former CIA software engineer, of giving the Vault 7 data to WikiLeaks. Schulte’s trial by jury was inconclusive, and a re-trial is believed to be in the works.

Now an internal report into the Vault 7 disclosure has been made public. The report was compiled by the CIA WikiLeaks Task Force, which the agency set up with the two-fold mission of assessing the damage from the leak and recommending security procedures designed to prevent similar leaks from occurring in the future. A heavily redacted copy of the report has been made available [.pdf] by Senator Ron Wyden (D-OR) who is a member of the US Senate Select Committee on Intelligence. An analysis of the report was published on Tuesday by The Washington Post.

The report recognizes that insider threats —a data leak perpetrated on purpose by a conscious and determined employee, or a group of employees— are especially difficult to stop. It adds, however, that the Vault 7 leak was made easier by “a culture of shadow IT” in which the CIA’s various units developed distinct IT security practices and their own widely different systems of safeguarding data. Many cyber units prioritized creative, out-of-the-box thinking, in order to develop cutting-edge cyber-tools. But they spent hardly any time thinking of ways to safeguard the secrecy of their projects, and failed to develop even basic counterintelligence standards —for instance keeping a log of which of their members had access to specific parts of the data— according to the report.

Such standards should have been prioritized, the report adds, given the numerous high-profile leaks that rocked the Intelligence Community in the years prior to the Vault 7 disclosure. It mentions the examples of Edward Snowden, a former contractor for the National Security Agency, who defected to Russia, as well as Chelsea Manning, an intelligence analyst for the US Army, who gave government secrets to WikiLeaks. Manning spent time in prison before being pardoned by President Barack Obama. Snowden remains in hiding in Russia.

The CIA has not commented on the release of the internal Vault 7 report. An agency spokesman, Timothy Barrett, told The New York Times that the CIA was committed to incorporating “best-in-class technologies to keep ahead of and defend against ever-evolving threats”. In a letter accompanying the release of the report, Senator Wyden warned that “the lax cybersecurity practices documented in the CIA’s WikiLeaks task force report do not appear limited to just one part of the intelligence community”.

Author: Joseph Fitsanakis | Date: 17 June 2020 | Permalink

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , , , , , , ,

US Pentagon bans use of Zoom teleconferencing app due to espionage concerns

April 14, 2020 by Leave a comment

Zoom softwareThe United States Department of Defense has barred its employees from using Zoom, a popular video teleconferencing application, due to concerns that foreign spies may be using the software to collect intelligence. The Pentagon made the announcement less than a day after the US Senate advised its members to refrain from using Zoom. The video teleconferencing software is owned by Zoom Video Communications, Inc., a NASDAQ-trading software firm headquartered in Jan Jose, California. It has become popular in recent weeks, due to the increasing reliance on telework resulting from the effects of the COVID-19 pandemic.

But security experts have raised concerns about the privacy and security of Zoom users. On March 30, the Federal Bureau of Investigation issued a warning stating that hackers could exploit a number of security weaknesses in Zoom’s software. The following day, the FBI warned that malicious users could use Zoom to “steal sensitive information, target individuals and businesses performing financial transactions, and engage in extortion”. On April 9, Time magazine cited “three US intelligence officials” in claiming that American counterintelligence agencies had “observed the espionage services of Russia, Iran, and North Korea attempting to spy on Americans’ video chats” on Zoom. Their aim was to acquire “financial, personal, product development, research, and intellectual property information and leads” on US government and corporate targets, said Time. On the same day, a memo by the Sergeant-at-Arms of the US Senate advised senators and their staff members to refrain from using Zoom for congressional business.

Finally, on April 10, Pentagon spokesman Lt. Col. Robert Carver (US Air Force) issued an official statement prohibiting the use of Zoom software by the Department of Defense’s military and civilian employees, including contractors. Carver said Pentagon employees could still make use of the Zoom for Business application, because it had been issued a provisional authorization under the US Federal Risk and Authorization Management Program. He added that Pentagon employees could still utilize Zoom for their personal use.

Author: Joseph Fitsanakis | Date: 14 April 2020 | Permalink

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , , , , , ,

Chinese cybersecurity firm accuses CIA of 11-year cyberespionage campaign

March 4, 2020 by 1 Comment

CIA headquartersA leading Chinese cybersecurity firm has accused the United States Central Intelligence Agency of using sophisticated malicious software to hack into computers belonging to the Chinese government and private sector for over a decade.

The accusation against the CIA comes from Qihoo 360, a prominent cybersecurity firm headquartered in Beijing. On Monday, company published a report of its investigation on its website, written in both Chinese and English. The report identifies the hackers as “the CIA Hacking Group (APT-C-39)”, and says that the group has carried out activities against “China’s critical industries” for at least 11 years.

The report claims that APT-C-39 targets included China’s energy and civilian aviation sectors, Internet service providers, scientific research universities and organizations, and various government agencies —which it does not name. The majority of the hacker group’s targets were located in Beijing, and also in China’s Zhejiang and Guangdong provinces.

According to Qihoo 360, APT-C-39 must be a “state-level hacking organization”, judging by the hacking tools that it used. These tools, such malware named by forensics experts as Grasshopper and Fluxwire, are believed to have been designed by the CIA. They were leaked in 2017 by the international whistleblower website WikiLeaks. American authorities have charged a former CIA programmer, Joshua Schulte, with leaking the malware. Schulte denies the charges.

The Qihoo 360 report also claims that the hours during which APT-C-39 hackers appear to be active correspond to the working hours of the East Coast of the United States. It also suggests that one goal behind the hacking operations against airline industry targets was to access the travel itineraries of senior figures in China’s political and industrial circles.

Author: Ian Allen | Date: 04 March 2020 | Permalink

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , , , , , , , ,

United Nations targeted in sophisticated cyber-espionage operation

January 30, 2020 by 1 Comment

United Nations headquartersOne of the United Nations’ most sensitive computer systems was targeted in a highly sophisticated cyber-espionage operation that appears to have been sponsored by a state, according to a leaked study. The study was leaked to the media earlier this week, and was reported by the Associated Press on Wednesday.

According to the Associated Press report, hackers used IP addresses in Romania to stage a meticulously organized infiltration of dozens of United Nations computer servers. The servers that were compromised included those used by the Office of the United Nations High Commissioner for Human Rights (OHCHR), which collects sensitive personal data regarding human rights abuses by governments around the world. The OHCHR has regularly been the subject of verbal attacks by authoritarian governments around the world in recent years.

The identity of the hackers remains unclear, said the report. However, their degree of technical sophistication was so substantial that forensic investigators suspect that a state actor was behind the espionage operation, according to the Associated Press. The news agency relayed an email message it received from United Nations spokesman Rupert Colville, which claimed that the hackers did penetrate the OHCHR system but “did not get very far, [as] nothing confidential was compromised”.

But the above statement appears to contradict the leaked study, which suggests that the cyber-espionage operation against the United Nations resulted in a compromise of “core infrastructure components” that were “determined to be serious”. Among the accounts that were compromised by the hackers were those of some domain administrators, who have access to large segments of the United Nations’ computer networks. The Associated Press spoke to an anonymous United Nations official, who said that the attack was “sophisticated”, and that the organization’s computer systems were “reinforced” in the months following the incident.

Author: Joseph Fitsanakis | Date: 30 January 2020 | Permalink

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , , , , ,

Threat from espionage is bigger than terrorism, says Australia’s spy chief

September 5, 2019 by 1 Comment

Duncan LewisThe director of Australia’s main national security agency has warned in a public speech that the threat from espionage —including cyber espionage— is greater than terrorism, and poses an “existential” danger to established states. Duncan Lewis was appointed director of the Australian Security Intelligence Organisation (ASIO) in 2014, having already served for more than four decades in the Australian military and civilian government sectors. On Wednesday, Lewis gave a rare public address at the Lowy Institute in Sydney, ahead of his retirement from government service later this month.

The ASIO director said in his speech that terrorism poses “a terrible risk” and should be seen as “a very serious matter”. On the other hand, “terrorism has never been an existential threat to established states”, said Lewis. Additionally the risk from the current wave of Salafi-Jihadist terrorism has “plateaued” and should not be expected to increase drastically, he noted. On the other hand, the threat of foreign espionage “is ultimately an existential threat to the state, or it can be an existential threat to the state”, added Lewis. The ASIO director described espionage and foreign-influence activities as “typically quiet, insidious and with a long tail”. Thus, “unlike the immediacy of terrorism incidents”, the harmful effects of espionage may not appear for many years or even decades after the initial activity has been carried out, he said.

Additionally, said Lewis, Australia’s “middle power status” and close alliances with Western countries make it a major target for state-sponsored human and cyber espionage attacks. Adversary nations see Australia as “a rich target”, he said, and launched espionage operations against it daily. As a result, foreign intelligence operations against Australia are “on a growth path” and are taking place on an “unprecedented” scale and scope, according to Lewis. Such operations include “covert attempts to influence and shape the views of the [Australian] public, media, government and diaspora communities, both within Australia and overseas”, said Lewis, adding that they take place “every day”.

The espionage threat to Australia does not come from “one particular nation”, said the AFIO director, although some nations tend to display more “intent, sophistication and commitment” than others. Australia is obligated to resist against these threats by continuing to develop its counter-espionage capabilities and finding innovative and effective ways to detect and defend against foreign interference, Lewis said at the conclusion of his talk.

Author: Joseph Fitsanakis | Date: 05 September 2019 | Permalink

Filed under Expert news and commentary on intelligence, espionage, spies and spying Tagged with , , , , , ,

Older posts