Chinese state-linked cyber actor allegedly behind attack on global airline industry

Air India

A GROUP OF COMPUTER hackers with close links to the Chinese state are allegedly behind a wide-scale attack on the global airline industry, which includes espionage, as well as financial motives, according to a new report. If confirmed, the attack would constitute a global campaign against a single industry that is unprecedented in size, according to experts.

The most recent victim of this series of worldwide attacks is Air India, India’s government-owned flagship air carrier. In May of this year, the company was targeted by what officials described as “a highly sophisticated attack” that had begun over two months earlier. It was indeed in early February that the hackers had begun to collect information about Air India and trying to infiltrate its networks through a combination of methods, including spear-phishing. The resulting compromise affected the data of some 4.5 million of Air India’s passengers. Stolen information included passengers’ credit card details, as well as passport information, such as names and dates of birth.

But in a new report issued on Thursday, the Singapore-based cybersecurity firm Group-IB said that the methodology used by the perpetrators of the Air India attack resembled those used to hack other airline carriers around the world. Other victims have included Singapore Airlines, Malaysia Airlines, Finnair, as well as SITA, a Swiss-based provider of information technology services to airline operators in over 200 countries and territories around the world.

What is more, the Group-IB report claims “with moderate confidence” that the attacks on the global airline industry are being perpetrated by APT41. Also known as BARIUM, APT41 is a highly prolific group of computer hackers that is widely believed to be connected with the Chinese government. Since first appearing on the scene in 2006, APT41 has amassed a list of victims that include firms from almost every imaginable industry, including manufacturing, telecommunications, transportation, healthcare and defense. Some of its strikes are clearly financially motivated and include ransomware attacks. Others are espionage-related and point to the information needs of a nation-state —allegedly China.

In 2020, the United States Federal Bureau of Investigation added five members of APT41 to its “Most Wanted” list. The accompanying press statement accusing the five men of conducting “supply chain attacks to gain unauthorized access to networks throughout the world”, and attacking a host of companies on nearly every continent, including the Americas.

Author: Joseph Fitsanakis | Date: 11 June 2021 | Permalink

Finnish intelligence identifies Chinese state-linked group behind cyber-attack

Finnish Parliament

FINLAND’S INTELLIGENCE AGENCY HAS identified a hacker group with ties to the Chinese state as the culprit of an attack of “exceptional” magnitude and intensity that targeted the Finnish Parliament last year. The attack was reported in December 2020, but had been going on for several weeks prior to being discovered by the information security department of the Eduskunta (Parliament of Finland).

Finland’s National Bureau of Investigation (NIB) said at the time that the attack had compromised parts of the Parliament’s internal communication system, including a number of Parliamentary email accounts. Some of these accounts belonged to members of Parliament, while others belonged to members of staff, according to the NIB.

Little became known about the attack in the months after the incident was first reported by Finnish media. But on Thursday the Finnish Security and Intelligence Service (SUPO) issued a press release about the incident. It said that the attack was likely part of a state-sponsored cyber espionage operation. It also identified those responsible for the attack as Advanced Persistent Threat (APT) 31. The SUPO report did not name the state that sponsored the attack. However, several private computer security firms have linked APT31 with the Chinese government.

The SUPO report stated that the attack on the Finnish Parliament was neither random nor experimental. On the contrary, it was aimed at acquiring specific information stored at the Parliament’s computer servers. Although the motive for the attack is still being investigated, it is possible that it was part of an effort “to gather intelligence to benefit a foreign state or to harm Finland’s interests”, said SUPO. The spy agency added that it would not provide further details about the case while it remains the subject a criminal investigation.

Author: Joseph Fitsanakis | Date: 19 March 2021 | Permalink

UAE cyber-hacking program spied on Michelle Obama’s emails, book claims

Michelle ObamaMICHELLE OBAMA HAD SOME of her personal emails intercepted by a group of American cyber-spies who were working for the government of the United Arab Emirates (UAE), according to a new book. The book, This Is How They Tell Me the World Ends, is written by Nicole Perlroth, who covers cybersecurity-related topics for The New York Times. It tackles what the author describes as the global “cyber-weapons arms race” and its impact on international security.

Among the topics discussed in the book is Project RAVEN, a highly intrusive cyber-espionage effort by the government of the UAE. The project was allegedly aimed at neutralizing domestic and international targets, which the UAE monarchy saw as threats to its survival. According to the Reuters news agency, which revealed the existence of Project RAVEN in 2019, its targets included foreign governments, officials of international bodies, as well as suspected terrorists and human rights activists.

As the dispute between the UAE and Qatar deepened, Project RAVEN increasingly targeted the island oil kingdom. In one notable instance, UAE cyber-spies hacked into the email accounts of officials at the International Federation of Association Football (FIFA) in an unsuccessful effort to sabotage Qatar’s bid to host the 2022 football World Cup. According to Reuters, the cyber-spies sought to unearth damaging and potentially embarrassing private information about Qatari officials, and leak them in order to damage Qatar’s candidacy for the high-profile sporting competition. According to the news agency, several American former employees of the National Security Agency were involved in Project RAVEN.

Now Perlroth’s book claims that Project RAVEN’s cyber-spies acquired a series of emails exchanged between Moza bint Nasser, wife of Qatar’s then-ruling Emir, Hamad bin Khalifa Al Thani, and Michelle Obama, when she held the position of America’s First Lady. The emails, which were intercepted in 2015, contained the US first lady’s personal thoughts, information on her security detail, and the travel details of her planned visit to Doha later that year. According to Perlroth, the inclusion of Obama’s emails into Project RAVEN’s targets caused at least one American involved in the effort, a former NSA analyst, to quit and leave the UAE. The Emirati monarchy has not commented on allegations about Project RAVEN.

Author: Joseph Fitsanakis | Date: 08 February 2021 | Permalink

Analysis: Potential espionage aspects of attack on US Capitol must be considered

US CapitolTHE INSURGENTS WHO STORMED the United States Capitol Building Complex on January 6 may have unwittingly provided cover for teams of foreign spies, who could have stolen or compromised sensitive electronic equipment. This largely neglected security-related aspect of the attack is discussed in an insightful article by David Gewitz, a ZDNet and CNET columnist who writes about cybersecurity affairs.

Hundreds of unauthorized people entered the US Capitol last Wednesday. Many of them entered the offices of several members of Congress, some of whom are members of Congressional committees on intelligence, armed services, defense, and other sensitive matters. According to Gewitz, “there is absolutely no knowing what actions were taken against digital gear inside the building” by the intruders. Most of them were clearly members of disorganized mobs, who appeared to have no concrete plan of action once inside the Capitol. However, points Gewitz, it would have been easy for foreign actors to blend in with the crowd of wild-eyed rioters and surreptitiously entered the Capitol in order to steal or compromise sensitive electronic equipment.

In addition to stealing electronic equipment, foreign spies could have stolen sensitive documents, access codes and passcodes, says Gewitz. He adds that more sophisticated efforts could have included loading malware onto Capitol computer systems, or plugging surreptitious USB drives into the internal ports of tower PCs —a process that takes less than two minutes for someone who is equipped with an pocket-size electric screwdriver. Foreign actors could also have left dozens of “generic USB drives in various drawers and on various desks” around the Capitol, hoping that members of Congress or their aides will make use of them in the coming days or weeks. For all we know, says Gewitz, the place could now be riddled with USB chargers with built-in wireless key-loggers, devices that look like power strips but actually hide wireless network hacking tools, fake smoke detectors, electric outlets or switches that contain bugs, and many other surreptitious spying devices.

What should Capitol security personnel do to prevent the potential espionage fallout from the January 6 attack? Gewitz argues that, given the extremely sensitive nature of the information that is stored in the Capitol’s digital systems, federal cybersecurity personnel should “assume that ALL the digital devices at the Capitol have been compromised”, he writes. They will therefore need to resort to “a scorched Earth remediation effort”, meaning that they will have to “completely scrub” those systems, and even lock the USB drive slots of every PC in the building complex. This damage will take months, even years, to clean up, he concludes.

Author: Joseph Fitsanakis | Date: 12 January 2021 | Permalink

Massive hacker attack triggers US National Security Council emergency meeting

White HouseA large-scale cyberespionage attack targeting United States government computer systems, which some experts described as potentially being among “the most impactful espionage campaigns on record”, triggered an emergency meeting of the US National Security Council on Sunday, according to reports. Chaired by the US president, the National Security Council is the country’s most senior decision-making body.

Although it was only discovered last week, the cyberespionage campaign is believed to date to last spring, possibly as early as March. Sources called it a highly sophisticated operation that originated from a “top-tier” adversary –a term that refers to a handful of state actors that have access to the most elite cyber operatives and advanced technologies known to exist.

As of last night, US government officials had not publicly identified the state actor believed to be behind the cyberespionage campaign, which experts have coined the “2020 supply chain attack”. But several American and European news outlets pointed to Russia as the culprit, citing sources familiar with the investigation. The Washington Post said the Russian Foreign Intelligence Service, known as SVR, was behind the attack. The Russian government denied on Monday that its agencies had any role in the attacks.

The origins of the attack are believed to be in the private sector. It began when a sophisticated illicit cyber actor, known by the nickname Advanced Persistent Threat (APT) 29, or Cozy Bear, stole cyber tools used by two major government contractors, FireEye and SolarWinds. These cyber tools are used to detect and patch vulnerabilities in computer systems. These companies provide services to numerous US government customers, including the Departments of Defense, State, Treasury and Commerce. Other US government customers include the National Security Agency and the Office of the President, including the White House Situation Room. All of these entities have reportedly been affected by this cyber espionage operation.

By disguising their malicious software as software patches, the hackers were reportedly able to access and monitor, in real time, email traffic within and between government agencies. It is not known at this time whether US intelligence agencies, other than the National Security Agency, have been affected by this hack. All branches of the US military maintain intelligence components. Additionally, the Department of the Treasury operates the Office of Intelligence Analysis, while the Department of State is in charge of the Bureau of Intelligence and Research. The White House said yesterday that it had asked the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency to probe the attack and evaluate the extent of the damage caused to US government operations.

Author: Joseph Fitsanakis | Date: 15 December 2020 | Permalink

Cybersecurity researchers uncover first-ever use of LinkedIn to spread malware

LinkedInCybersecurity researchers have uncovered what is believed to be the first-ever case of hackers using LinkedIn to infect the computers of targeted users with viruses, according to a new report. The hackers appear to have been sponsored by government and to have targeted employees of carefully selected military contractors in central Europe, according to sources.

The existence of the alleged cyberespionage operation was revealed on Wednesday by researchers at ESET, a cybersecurity firm based in Bratislava, Slovakia, which is known for its firewall and anti-virus products. The researchers said that the operation was carried out in 2019 by hackers who impersonated employees of General Dynamics and Collins Aerospace, two leading global suppliers of aerospace and defense hardware.

ESET researchers said that the hackers made use of the private messaging feature embedded in LinkedIn to reach out to their targets. After making initial contact with their intended victims, the hackers allegedly offered their targets lucrative job offers and used the LinkedIn private messenger service to send them documents that were infected with malware. In many cases, the targets opened the documents and infected their computers in the process.

The use of the LinkedIn social media platform by hackers to make contact with their unsuspecting victims is hardly new. In 2017, German intelligence officials issued a public warning about what they said were thousands of fake LinkedIn profiles created by Chinese spies to gather information about Western targets. Germany’s Federal Office for the Protection of the Constitution (BfV) said it had identified 10,000 German citizens who had been contacted by Chinese spy-run fake profiles on LinkedIn in a period of just nine months. And in 2018, a report by France’s two main intelligence agencies, the General Directorate for Internal Security (DGSI) and the General Directorate for External Security (DGSE), warned of an “unprecedented threat” to security after nearly 4,000 leading French civil servants, scientists and senior executives who were found to have been accosted by Chinese spies on LinkedIn.

Tricking a target into accessing a virus-infected document file is not a new method either. However, according to the researchers at ESET, this was the first case where LinkedIn was used to actually deliver the malware to the victims. As for the identity of the hackers, there appears to be no concluding information. However, ESET said the attacks appeared to have some connections to Lazarus, a group of hackers with North Korean links. Lazarus has been linked to the 2014 Sony Pictures hack and the 2016 Central Bank of Bangladesh cyber heist, which was an attempt to defraud the bank of $1 billion.

LinkedIn told the Reuters news agency that it had identified and terminated the user accounts behind the alleged cyberespionage campaign. Citing client confidentiality, ESET said it could not reveal information about the victims of the attacks. Meanwhile, General Dynamics and Raytheon Technologies, which owns Collins Aerospace, have not commented on this report.

Author: Joseph Fitsanakis | Date: 18 June 2020 | Permalink

Lax security behind greatest data loss in CIA’s history, internal report concludes

WikiLeaksComplacency and substandard security by the United States Central Intelligence Agency were behind the Vault 7 leak of 2017, which ranks as the greatest data loss in the agency’s history, according to an internal report. The Vault 7 data loss was particularly shocking, given that the CIA should have taken precautions following numerous leaks of classified government information in years prior to 2017, according to the report.

The Vault 7 data leak occurred in the first half of 2017, when the anti-secrecy website WikiLeaks began publishing a series of technical documents belonging to the CIA. Once all documents had been uploaded to the WikiLeaks website, they amounted to 34 terabytes of information, which is equivalent to 2.2 billion pages of text. The information contained in the Vault 7 leak is believed to constitute the biggest leak of classified data in the history of the CIA.

The Vault 7 documents reveal the capabilities and operational details of some of the CIA’s cyber espionage arsenal. They detail nearly 100 different software tools that the agency developed and used between 2013 and 2016, in order to compromise targeted computers, computer servers, smartphones, cars, televisions, internet browsers, operating systems, etc. In 2017 the US government accused Joshua Adam Schulte, a former CIA software engineer, of giving the Vault 7 data to WikiLeaks. Schulte’s trial by jury was inconclusive, and a re-trial is believed to be in the works.

Now an internal report into the Vault 7 disclosure has been made public. The report was compiled by the CIA WikiLeaks Task Force, which the agency set up with the two-fold mission of assessing the damage from the leak and recommending security procedures designed to prevent similar leaks from occurring in the future. A heavily redacted copy of the report has been made available [.pdf] by Senator Ron Wyden (D-OR) who is a member of the US Senate Select Committee on Intelligence. An analysis of the report was published on Tuesday by The Washington Post.

The report recognizes that insider threats —a data leak perpetrated on purpose by a conscious and determined employee, or a group of employees— are especially difficult to stop. It adds, however, that the Vault 7 leak was made easier by “a culture of shadow IT” in which the CIA’s various units developed distinct IT security practices and their own widely different systems of safeguarding data. Many cyber units prioritized creative, out-of-the-box thinking, in order to develop cutting-edge cyber-tools. But they spent hardly any time thinking of ways to safeguard the secrecy of their projects, and failed to develop even basic counterintelligence standards —for instance keeping a log of which of their members had access to specific parts of the data— according to the report.

Such standards should have been prioritized, the report adds, given the numerous high-profile leaks that rocked the Intelligence Community in the years prior to the Vault 7 disclosure. It mentions the examples of Edward Snowden, a former contractor for the National Security Agency, who defected to Russia, as well as Chelsea Manning, an intelligence analyst for the US Army, who gave government secrets to WikiLeaks. Manning spent time in prison before being pardoned by President Barack Obama. Snowden remains in hiding in Russia.

The CIA has not commented on the release of the internal Vault 7 report. An agency spokesman, Timothy Barrett, told The New York Times that the CIA was committed to incorporating “best-in-class technologies to keep ahead of and defend against ever-evolving threats”. In a letter accompanying the release of the report, Senator Wyden warned that “the lax cybersecurity practices documented in the CIA’s WikiLeaks task force report do not appear limited to just one part of the intelligence community”.

Author: Joseph Fitsanakis | Date: 17 June 2020 | Permalink

US Pentagon bans use of Zoom teleconferencing app due to espionage concerns

Zoom softwareThe United States Department of Defense has barred its employees from using Zoom, a popular video teleconferencing application, due to concerns that foreign spies may be using the software to collect intelligence. The Pentagon made the announcement less than a day after the US Senate advised its members to refrain from using Zoom. The video teleconferencing software is owned by Zoom Video Communications, Inc., a NASDAQ-trading software firm headquartered in Jan Jose, California. It has become popular in recent weeks, due to the increasing reliance on telework resulting from the effects of the COVID-19 pandemic.

But security experts have raised concerns about the privacy and security of Zoom users. On March 30, the Federal Bureau of Investigation issued a warning stating that hackers could exploit a number of security weaknesses in Zoom’s software. The following day, the FBI warned that malicious users could use Zoom to “steal sensitive information, target individuals and businesses performing financial transactions, and engage in extortion”. On April 9, Time magazine cited “three US intelligence officials” in claiming that American counterintelligence agencies had “observed the espionage services of Russia, Iran, and North Korea attempting to spy on Americans’ video chats” on Zoom. Their aim was to acquire “financial, personal, product development, research, and intellectual property information and leads” on US government and corporate targets, said Time. On the same day, a memo by the Sergeant-at-Arms of the US Senate advised senators and their staff members to refrain from using Zoom for congressional business.

Finally, on April 10, Pentagon spokesman Lt. Col. Robert Carver (US Air Force) issued an official statement prohibiting the use of Zoom software by the Department of Defense’s military and civilian employees, including contractors. Carver said Pentagon employees could still make use of the Zoom for Business application, because it had been issued a provisional authorization under the US Federal Risk and Authorization Management Program. He added that Pentagon employees could still utilize Zoom for their personal use.

Author: Joseph Fitsanakis | Date: 14 April 2020 | Permalink

Chinese cybersecurity firm accuses CIA of 11-year cyberespionage campaign

CIA headquartersA leading Chinese cybersecurity firm has accused the United States Central Intelligence Agency of using sophisticated malicious software to hack into computers belonging to the Chinese government and private sector for over a decade.

The accusation against the CIA comes from Qihoo 360, a prominent cybersecurity firm headquartered in Beijing. On Monday, company published a report of its investigation on its website, written in both Chinese and English. The report identifies the hackers as “the CIA Hacking Group (APT-C-39)”, and says that the group has carried out activities against “China’s critical industries” for at least 11 years.

The report claims that APT-C-39 targets included China’s energy and civilian aviation sectors, Internet service providers, scientific research universities and organizations, and various government agencies —which it does not name. The majority of the hacker group’s targets were located in Beijing, and also in China’s Zhejiang and Guangdong provinces.

According to Qihoo 360, APT-C-39 must be a “state-level hacking organization”, judging by the hacking tools that it used. These tools, such malware named by forensics experts as Grasshopper and Fluxwire, are believed to have been designed by the CIA. They were leaked in 2017 by the international whistleblower website WikiLeaks. American authorities have charged a former CIA programmer, Joshua Schulte, with leaking the malware. Schulte denies the charges.

The Qihoo 360 report also claims that the hours during which APT-C-39 hackers appear to be active correspond to the working hours of the East Coast of the United States. It also suggests that one goal behind the hacking operations against airline industry targets was to access the travel itineraries of senior figures in China’s political and industrial circles.

Author: Ian Allen | Date: 04 March 2020 | Permalink

United Nations targeted in sophisticated cyber-espionage operation

United Nations headquartersOne of the United Nations’ most sensitive computer systems was targeted in a highly sophisticated cyber-espionage operation that appears to have been sponsored by a state, according to a leaked study. The study was leaked to the media earlier this week, and was reported by the Associated Press on Wednesday.

According to the Associated Press report, hackers used IP addresses in Romania to stage a meticulously organized infiltration of dozens of United Nations computer servers. The servers that were compromised included those used by the Office of the United Nations High Commissioner for Human Rights (OHCHR), which collects sensitive personal data regarding human rights abuses by governments around the world. The OHCHR has regularly been the subject of verbal attacks by authoritarian governments around the world in recent years.

The identity of the hackers remains unclear, said the report. However, their degree of technical sophistication was so substantial that forensic investigators suspect that a state actor was behind the espionage operation, according to the Associated Press. The news agency relayed an email message it received from United Nations spokesman Rupert Colville, which claimed that the hackers did penetrate the OHCHR system but “did not get very far, [as] nothing confidential was compromised”.

But the above statement appears to contradict the leaked study, which suggests that the cyber-espionage operation against the United Nations resulted in a compromise of “core infrastructure components” that were “determined to be serious”. Among the accounts that were compromised by the hackers were those of some domain administrators, who have access to large segments of the United Nations’ computer networks. The Associated Press spoke to an anonymous United Nations official, who said that the attack was “sophisticated”, and that the organization’s computer systems were “reinforced” in the months following the incident.

Author: Joseph Fitsanakis | Date: 30 January 2020 | Permalink

Threat from espionage is bigger than terrorism, says Australia’s spy chief

Duncan LewisThe director of Australia’s main national security agency has warned in a public speech that the threat from espionage —including cyber espionage— is greater than terrorism, and poses an “existential” danger to established states. Duncan Lewis was appointed director of the Australian Security Intelligence Organisation (ASIO) in 2014, having already served for more than four decades in the Australian military and civilian government sectors. On Wednesday, Lewis gave a rare public address at the Lowy Institute in Sydney, ahead of his retirement from government service later this month.

The ASIO director said in his speech that terrorism poses “a terrible risk” and should be seen as “a very serious matter”. On the other hand, “terrorism has never been an existential threat to established states”, said Lewis. Additionally the risk from the current wave of Salafi-Jihadist terrorism has “plateaued” and should not be expected to increase drastically, he noted. On the other hand, the threat of foreign espionage “is ultimately an existential threat to the state, or it can be an existential threat to the state”, added Lewis. The ASIO director described espionage and foreign-influence activities as “typically quiet, insidious and with a long tail”. Thus, “unlike the immediacy of terrorism incidents”, the harmful effects of espionage may not appear for many years or even decades after the initial activity has been carried out, he said.

Additionally, said Lewis, Australia’s “middle power status” and close alliances with Western countries make it a major target for state-sponsored human and cyber espionage attacks. Adversary nations see Australia as “a rich target”, he said, and launched espionage operations against it daily. As a result, foreign intelligence operations against Australia are “on a growth path” and are taking place on an “unprecedented” scale and scope, according to Lewis. Such operations include “covert attempts to influence and shape the views of the [Australian] public, media, government and diaspora communities, both within Australia and overseas”, said Lewis, adding that they take place “every day”.

The espionage threat to Australia does not come from “one particular nation”, said the AFIO director, although some nations tend to display more “intent, sophistication and commitment” than others. Australia is obligated to resist against these threats by continuing to develop its counter-espionage capabilities and finding innovative and effective ways to detect and defend against foreign interference, Lewis said at the conclusion of his talk.

Author: Joseph Fitsanakis | Date: 05 September 2019 | Permalink

Attack by Chinese hacker group targeted high-profile individuals around the world

Operation SOFTCELLA hacker attack of impressive magnitude targeted specific individuals of interest to the Chinese government as they moved around the world, in what appears to be the first such operation in the history of cyberespionage. The attack was revealed late last month by Cybereason, an American cybersecurity firm based in Boston, Massachusetts. Company experts described the scope and length of the attack, dubbed Operation SOFTCELL, as a new phenomenon in state-sponsored cyberespionage. Cybereason said SOFTCELL has been in operation since at least 2017, and identified the culprit as APT10, a hacker group that is believed to operate on behalf of China’s Ministry of State Security.

The operation is thought to have compromised close to a dozen major global telecommunications carriers in four continents —the Middle East, Europe, Asia and Africa. According to Cybereason, the hackers launched persistent multi-wave attacks on their targets, which gave them “complete takeover” of the networks. However, they did not appear to be interested in financial gain, but instead focused their attention on the call detail records (CDRs) of just 20 network users. With the help of the CDRs, the hackers were able to track their targets’ movements around the world and map their contacts based on their telephone activity. According to The Wall Street Journal, which reported on Cybereason’s findings, the 20 targets consisted of senior business executives and government officials. Others were Chinese dissidents, military leaders, as well as law enforcement and intelligence officials.

An especially impressive feature of SOFTCELL was that the hackers attacked new telecommunications carriers as their targets moved around the world and made use of new service providers. The attacks thus followed the movements of specific targets around the world. Although this is not a new phenomenon in the world of cyberespionage, the geographical scope and persistence of the attacks are unprecedented, said The Wall Street Journal. Speaking last week at the 9th Annual International Cybersecurity Conference in Tel Aviv, Israel, Lior Div, Cybereason’s chief executive officer and co-founder, said SOFTCELL attacks occurred in waves over the course of several months. The hackers used a collection of techniques that are commonly associated with identified Chinese hacker groups. If detected and repelled, the hackers would retreat for a few weeks or months before returning and employing new methods. The Cybereason security experts said that they were unable to name the targeted telecommunications carriers and users “due to multiple and various limitations”.

Author: Joseph Fitsanakis | Date: 09 July 2019 | Permalink

Western spies used ‘crown jewel’ of espionage tools to hack into Russia’s Google

Yandex RussiaHackers used a malware described by experts as the “crown jewel” of cyber-espionage tools to hack into Russia’s version of Google, in an effort to breach user accounts, according to the Reuters news agency. The hackers targeted Yandex (Яндекс), a Moscow-headquartered company that operates as the Russian version of Google. Yandex is the largest technology venture company in the Russian Federation and the fifth most popular search engine in the world. It also provides services such as mapping and email in Russia and several other countries in Central Asia and the Middle East. It claims that it serves more than 150 million monthly users worldwide.

On Thursday, Reuters cited “four people with knowledge on the matter […] in Russia and elsewhere”, who said that Yandex was targeted by a sophisticated hacking operation between October and November of 2018. The news agency said that three of its sources had direct knowledge of the details of the cyber-espionage operation against Yandex. According to the unnamed sources, the hackers appeared to be primarily interested in breaching the accounts of specific employees in Yandex’s research and development unit. Their purpose was to acquire technical information about how Yandex authenticates user accounts. That information could potentially enable them to impersonate Yandex users and access private information, including email messages, geolocation information, and other sensitive private data. Reuters said that the hackers attempted to breach Yandex for purposes of espionage, not sabotage or disruption, or stealing intellectual property for commercial purposes.

Moreover, the hackers used Regin, a highly sophisticated malware that a technical expert from the Symantec Corporation described as “the crown jewel of attack frameworks used for espionage”. Regin was identified as a malware employed by intelligence services of the so-called Five Eyes intelligence alliance between spy agencies of the United Kingdom, Canada, New Zealand, Australia and the United States. It was identified as a Western cyber-espionage tool in 2014, based on revelations made by Edward Snowden, the American former employee of the National Security Agency and the Central Intelligence Agency who defected to Russia. The same malware was used in 2013 to access about a dozen mainframe computers of Belgacom, Belgium’s largest telecommunications service provider, which is partly state-owned. The attack was widely attributed to a consortium of Western intelligence services led by the NSA.

According to Reuters, the hackers were able to penetrate Yandex’s networks for several weeks or longer, without being noticed by the company’s cyber-security monitors. When the penetration was detected, Yandex hired a cyber-security team from the Russian anti-virus firm Kaspersky. The Kaspersky team identified Regin and, according to Reuters, concluded that the hackers behind the cyber-espionage operation were tied to Western intelligence agencies. Kaspersky, the Russian government, and intelligence agencies from the Five Eyes alliance declined requests by Reuters to comment on the story. Yandex confirmed the cyber-espionage attack in a statement to Reuters, but said that its cyber-security experts had been able to detect and “fully neutralize [it] before any damage was done”. Consequently, said Yandex, “no user data was compromised in the attack”.

Author: Joseph Fitsanakis | Date: 28 June 2019 | Permalink

Cyber spies accessed thousands of European Union diplomatic cables

European Commission buildingA group of hackers, allegedly working for the Chinese military, accessed thousands of classified diplomatic cables from the European Union during a protracted cyber-espionage operation, a report has revealed. Over 100 organizations are believed to have been targeted in the multi-year cyber-espionage campaign, including the United Nations, international labor groups, as well as government ministries from dozens of countries. The operation was revealed on Tuesday by Area 1, a cyber-security company founded by former officials of the United States National Security Agency, and reported by The New York Times.

The compromised cables come primarily from the European Union’s COREU communication network, a Telex-based network that uses teleprinters to exchange text-based messages. The European Union uses the COREU network to transmit information that is classified “limited” or “restricted” between officials representing the executive governments of the European Union’s member states, members of the European Commission, foreign-ministry officials, and other approved parties. Top-secret information (“tres secret” in European Union parlance) is typically not shared on the COREU network. Consequently, the hacked cables contain mostly low-level information. That does not mean, however, that their access by at least one adversary power does not represent a serious security breach. Area 1 said that its forensic examination of the method used by the hackers reveals a set of cyber-espionage techniques that are closely associated with the Chinese People’s Liberation Army (PLA). These clues, in association with the PLA’s long history of attacking Western diplomatic targets, point to Beijing as a very likely culprit behind the attacks, according to Area 1.

The American cyber-security firm said it was able to access the compromised European Union cables and made over 1,100 of them available to The New York Times. The paper reported on Tuesday that the cables reflect increasing tension between Brussels and Washington, as European Union diplomats attempt to get a handle on the unpredictability of United States President Donald Trump. A series of diplomatic cables discusses the whether the European Union should bypass the White House and work directly with the Republican-controlled US Congress, which is viewed as more reliable and responsible. Another set of diplomatic exchanges describes the frustration of the Beijing’s leadership with Trump, which Chinese President Xi Jinping is said to have described to European Union officials as “a bully [engaged in a] no-rules freestyle boxing match”.

The Times said that it notified the European Union of the breach of its diplomatic cables and was told that officials were “aware of allegations regarding a potential leak of sensitive information and [were] actively investigating the issue”. The paper also contacted the White House National Security Council but did not get a response.

Author: Ian Allen | Date: 20 December 2018 | Permalink

Czechs accuse Moscow of ‘most serious wave of cyberespionage’ in years

Czech Security Information ServiceThe main domestic intelligence agency of the Czech Republic has accused Russia of “the most serious wave of cyberespionage” to target the country in recent years. The claim was made on Monday in Prague by the Security Information Service (BIS), the primary domestic national intelligence agency of the Czech Republic. Details of the alleged cyberespionage plot are included in the BIS’ annual report, a declassified version of which was released this week.

According to the document, the cyberespionage attacks were carried out by a hacker group known as APT28 or Fancy Bear, which is believed to operate under the command of Russian intelligence. The hacker group allegedly targeted the Czech Ministry of Defense, the Ministry of Foreign Affairs and the headquarters of the country’s Armed Forces. As a result, the electronic communication system of the Ministry of Foreign Affairs was compromised “at least since early 2016”, said the report (.pdf). More than 150 electronic mailboxes of ministry employees —including diplomats— were accessed, and a significant number of emails and attachments were copied by the hackers. The compromise was terminated a year later, when BIS security personnel detected the penetration. The BIS report goes on to say that a separate cyberespionage attack was carried out by a Russian-sponsored hacker group in December of 2016. An investigation into the attacks concluded that the hackers were not able to steal classified information, says the report. It adds, however, that they were able to access personal information about Czech government employees, which “may be used to launch subsequent attacks [or to] facilitate further illegitimate activities” by the hackers.

The BIS report concludes that the hacker campaign was part of “the most serious wave of cyberespionage” to target the Czech Republic in recent years. Its perpetrators appear to have targeted individuals in “virtually all the important institutions of the state” and will probably continue to do so in future attacks, it says. Moreover, other European countries probably faced similar cyberespionage breaches during the same period, though some of them may not be aware of it, according to the BIS. Czech Prime Minister Andrej Babis told parliament on Tuesday that his cabinet will discuss the BIS report findings and recommendations early in the new year.

Author: Joseph Fitsanakis | Date: 05 December 2018 | Permalink