Cyber spies accessed thousands of European Union diplomatic cables

European Commission buildingA group of hackers, allegedly working for the Chinese military, accessed thousands of classified diplomatic cables from the European Union during a protracted cyber-espionage operation, a report has revealed. Over 100 organizations are believed to have been targeted in the multi-year cyber-espionage campaign, including the United Nations, international labor groups, as well as government ministries from dozens of countries. The operation was revealed on Tuesday by Area 1, a cyber-security company founded by former officials of the United States National Security Agency, and reported by The New York Times.

The compromised cables come primarily from the European Union’s COREU communication network, a Telex-based network that uses teleprinters to exchange text-based messages. The European Union uses the COREU network to transmit information that is classified “limited” or “restricted” between officials representing the executive governments of the European Union’s member states, members of the European Commission, foreign-ministry officials, and other approved parties. Top-secret information (“tres secret” in European Union parlance) is typically not shared on the COREU network. Consequently, the hacked cables contain mostly low-level information. That does not mean, however, that their access by at least one adversary power does not represent a serious security breach. Area 1 said that its forensic examination of the method used by the hackers reveals a set of cyber-espionage techniques that are closely associated with the Chinese People’s Liberation Army (PLA). These clues, in association with the PLA’s long history of attacking Western diplomatic targets, point to Beijing as a very likely culprit behind the attacks, according to Area 1.

The American cyber-security firm said it was able to access the compromised European Union cables and made over 1,100 of them available to The New York Times. The paper reported on Tuesday that the cables reflect increasing tension between Brussels and Washington, as European Union diplomats attempt to get a handle on the unpredictability of United States President Donald Trump. A series of diplomatic cables discusses the whether the European Union should bypass the White House and work directly with the Republican-controlled US Congress, which is viewed as more reliable and responsible. Another set of diplomatic exchanges describes the frustration of the Beijing’s leadership with Trump, which Chinese President Xi Jinping is said to have described to European Union officials as “a bully [engaged in a] no-rules freestyle boxing match”.

The Times said that it notified the European Union of the breach of its diplomatic cables and was told that officials were “aware of allegations regarding a potential leak of sensitive information and [were] actively investigating the issue”. The paper also contacted the White House National Security Council but did not get a response.

Author: Ian Allen | Date: 20 December 2018 | Permalink

Advertisements

Czechs accuse Moscow of ‘most serious wave of cyberespionage’ in years

Czech Security Information ServiceThe main domestic intelligence agency of the Czech Republic has accused Russia of “the most serious wave of cyberespionage” to target the country in recent years. The claim was made on Monday in Prague by the Security Information Service (BIS), the primary domestic national intelligence agency of the Czech Republic. Details of the alleged cyberespionage plot are included in the BIS’ annual report, a declassified version of which was released this week.

According to the document, the cyberespionage attacks were carried out by a hacker group known as APT28 or Fancy Bear, which is believed to operate under the command of Russian intelligence. The hacker group allegedly targeted the Czech Ministry of Defense, the Ministry of Foreign Affairs and the headquarters of the country’s Armed Forces. As a result, the electronic communication system of the Ministry of Foreign Affairs was compromised “at least since early 2016”, said the report (.pdf). More than 150 electronic mailboxes of ministry employees —including diplomats— were accessed, and a significant number of emails and attachments were copied by the hackers. The compromise was terminated a year later, when BIS security personnel detected the penetration. The BIS report goes on to say that a separate cyberespionage attack was carried out by a Russian-sponsored hacker group in December of 2016. An investigation into the attacks concluded that the hackers were not able to steal classified information, says the report. It adds, however, that they were able to access personal information about Czech government employees, which “may be used to launch subsequent attacks [or to] facilitate further illegitimate activities” by the hackers.

The BIS report concludes that the hacker campaign was part of “the most serious wave of cyberespionage” to target the Czech Republic in recent years. Its perpetrators appear to have targeted individuals in “virtually all the important institutions of the state” and will probably continue to do so in future attacks, it says. Moreover, other European countries probably faced similar cyberespionage breaches during the same period, though some of them may not be aware of it, according to the BIS. Czech Prime Minister Andrej Babis told parliament on Tuesday that his cabinet will discuss the BIS report findings and recommendations early in the new year.

Author: Joseph Fitsanakis | Date: 05 December 2018 | Permalink

Czech spy agency says it neutralized Hezbollah cyberespionage network

Czech Security Information ServiceOfficials in the Czech Republic have announced that the country’s spy agency headed an operation in several countries, aimed at neutralizing a cyberespionage network operated by the Lebanese militant group Hezbollah. Early last week, the Security Information Service (BIS), the primary domestic national intelligence agency of the Czech Republic, issued a short statement saying that it “played a big part in helping to identify and disconnect Hezbollah servers in the Czech Republic, other EU member states and the US”. But it did not elaborate. On Tuesday, however, ZDNet’s Zero Day security blog published more information from the Czechs about the BIS operation.

According to the BIS, its cyber security force discovered a number of servers located on Czech soil, which were “almost certainly” used by Hezbollah, the Shiite militant group that controls large swathes of territory in Lebanon. The servers were allegedly used in a wide-range cyberespionage operation that began in 2017 by a group of Hezbollah hackers based in Lebanon. It was there, said the BIS, where the command-and-control facilities of the operation were located. The servers located on Czech soil were used to download phone apps that contained malicious software. The hackers targeted individual phone users located mainly in the Middle East, according to the BIS, but other targets were in eastern and central Europe. It is believed that the majority of targets were Israeli citizens. Invariably, targeted individuals were approached online, mostly through fake Facebook profiles. Most of the targets were men, and the fake Facebook profiles featured pictures of attractive young women. After initial messages were exchanged via Facebook, the targets were convinced to download phone applications that would allow them to continue communicating with the ‘women’. These applications would install spyware on their phones, thus allowing Hezbollah hackers to capture the content of messages and calls made on the phones. The latter could also be used as eavesdropping devices.

According to BIS Director Michal Koudelka, the spy agency “played a significant role in identifying and uncovering the hackers’ system. We identified the victims and traced the attack to its source facilities. Hacker servers have been shut down”, he said. Koudelka added that some of the servers used by Hezbollah were located in other European Union countries and in the United States. These were shut down following a joint cyber operation by BIS and “partners”, said Koudelka, though he did not identify them.

Author: Joseph Fitsanakis | Date: 17 October 2018 | Permalink

Russia claims ‘misunderstanding’ led to arrests of four spies in Holland

Sergei LavrovRussia’s minister of foreign affairs has downplayed the arrest and expulsion of four Russian military intelligence officers in Holland last April, saying that the incident was caused by a “misunderstanding”. Last Thursday, the US government named and indicted seven officers of the Main Directorate of the General Staff of Russia’s Armed Forces, known as GRU. The seven are alleged to have participated in cyber-attacks on international agencies, private companies and government computer networks in at least half a dozen countries around the world since 2015. Four of the men named last week were reportedly detained in April of this year while trying to hack into the computer network of the Organization for the Prohibition of Chemical Weapons (OPCW). Headquartered in The Hague, the OPCW oversees efforts by its 193 member states to detect and eliminate chemical weapons stockpiles around the world. In the past year, the OPCW has been probing the failed attempt to poison the Russian former double spy Sergei Skripal in England, which the British government has blamed on Moscow.

On Monday, Russia’s Minister of Foreign Affairs Sergei Lavrov dismissed Washington’s accusations against the GRU and said that the Dutch authorities had overreacted in detaining the four Russian officers in April. Following a meeting in Moscow with his Italian counterpart Enzo Moavero Milanesi, Lavrov said that the visit of the four GRU officers in Holland had been “customary”, adding that “there was nothing clandestine in it”. The GRU specialists were in Holland in order to secure computer servers used at the Russian embassy there. “They were not trying to hide from anyone once they arrived at the airport”, said Lavrov. They then “checked into a hotel and paid a visit to our embassy”, he added. Had they been engaged in espionage, the men would have taken strict precautions, said the Russian foreign affairs minister. They were eventually “detained by Dutch police without any reason or explanations, and were not allowed to contact our embassy”, said Lavrov. Eventually they were “asked to leave the country”, but it was “all because of a misunderstanding”, he concluded.

The Russian official did not address the information provided a series of photographs released by Holland’s Ministry of Defense, which show a car used by the four Russians at the time of their arrest in April. The photographs show that the car was equipped with WiFi antennas and transformers. A wireless server and batteries can also be seen in the photographs. Lavrov said that the allegations against the GRU were meant to draw attention to Russia and distract Western citizens from “widening divisions that exist between Western nations”.

Author: Joseph Fitsanakis | Date: 09 October 2018 | Research credit: S.F. | Permalink

Iran spied on ISIS supporters through fake phone wallpaper app, say researchers

Cell Phone - IASupporters of the Islamic State, most of them Persian speakers, were spied on by the government of Iran after they downloaded a fake smartphone application with wallpaper images, according to an online security firm. Iran is a major adversary of the radical Sunni group Islamic State. The latter considers Shiism (Iran’s state religion) as an abomination. Not surprisingly, therefore, the Islamic State, which is also known as the Islamic State of Iraq and Syria (ISIS), relies largely on supporters from the Arabic-speaking regions of the Levant. But according to estimates, Sunnis constitute about 10 percent of Iran’s population, and ISIS has found some fertile ground among Iran’s 8 million-strong Sunni minority. As a result, the government in Tehran is highly mistrustful of Iranian Sunnis, many of whom are ethnic Kurds, Baluchis, Azeris or Turkomans, and systematically spies on them.

According to the Israeli online security firm Check Point Software Technologies, one way in which Tehran has spied on Persian-speaking ISIS supporters is through fake smartphone applications. In an article published last week, the company said it had uncovered a state-sponsored surveillance operation that it had codenamed “Domestic Kitten”. The Check Point article said that the operation had gone on for more than two years, but had remained undetected “due to the artful deception of its attackers towards their targets”. The surveillance of targeted phones was carried out with the help of an application that featured pro-ISIS-themed wallpapers, which users could download on their devices. Yet another program linked to the same vendor was a fake version of the Firat News Agency mobile phone application. The Firat News Agency is a legitimate Iranian information service featuring news about Iran’s Kurdish minority. But both applications were in fact malware that gave a remote party full access to all text messages sent or received on the compromised phones. They also gave a remote party access to records of phone calls, Internet browser activity and bookmarks, and all files stored on the compromised phones. Additionally, the fake applications gave away the geo-location of compromised devices, and used their built-in cameras and microphones as surveillance devices.

Check Point said that the majority of compromised phones belonged to Persian-speaking members of Iran’s Kurdish and Turkoman minorities. The company stressed that it was not able to confirm the identity of the sponsoring party with absolute accuracy. However, the nature of the fake applications, the infrastructure of the surveillance operation, as well as the identities of those targeted, posed a strong possibility that “Domestic Kitten” was sponsored by the government of Iran, it concluded. Last July, the American cyber security firm Symantec said that it had uncovered a new cyber espionage group called “Leafminer”, which was allegedly sponsored by the Iranian state. The group had reportedly launched attacks on more than 800 agencies and organizations in in countries such as Israel, Egypt, Bahrain, Qatar, Kuwait, the United Arab Emirates, Afghanistan and Azerbaijan.

Author: Ian Allen | Date: 14 September 2018 | Permalink

Researchers uncover ‘ambitious’ Iranian hacker group that targets the Middle East

Computer hackingAn American cyber security firm has reported the discovery of a previously undetected, “highly active” Iranian cyber espionage group, whose extensive target list consists mainly of large organizations and companies in the Middle East. The cyber security firm Symantec, makers of Norton antivirus software, which uncovered the cyber espionage group’s existence, has dubbed it “Leafminer”. It said the group has been active since the beginning of 2017, but has “significantly ramped up its activities” in 2018 and is currently involved in dozens of ongoing attacks.

In a report published on Wednesday, Symantec said that its security experts managed to obtain what appears to be Leafminer’s master list of targets. The list is written in the Farsi language and contains just over 800 organizations, which according to Symantec researchers is “an ambitious goal” for any cyber espionage group. The organizations listed on the target sheet come from a variety of sectors, including government, transportation, the financial sector, energy and telecommunications. But the majority of the group’s targets appear to be in the petrochemical and government sectors. Additionally, virtually all of Leafminer’s targets are located in the Middle East and North Africa, in countries such as Israel, Egypt, Bahrain, Qatar, Kuwait and the United Arab Emirates. Some of the group’s targets are located in Afghanistan and Azerbaijan.

Symantec said its researchers observed the Leafminer hackers execute attacks in real time on at least 40 targets in the Middle East, including on the website of an intelligence agency in Lebanon. According to the cyber security company, Leafminer uses a variety of hacking tools, including custom-designed malware and some publicly available software. The group’s operational sophistication is also varied, and ranges from complex, multilayered attacks to brute-force login attempts. Symantec said it concluded that the cyber espionage group originates from Iran because its master target list is written in Farsi and because Iran is virtually the only country in the Middle East that is missing from the target list. However, it said that it did not have sufficient evidence to link Leafminer to the Iranian government. In a separate development, Germany’s domestic intelligence agency, the Federal Office for the Protection of the Constitution (BfV), said this week in its annual report that the government of Iran has significantly expanded its cyber warfare capabilities and “poses a danger to German companies and research institutions”.

Author: Joseph Fitsanakis | Date: 26 July 2018 | Permalink

German spy chief warns against Chinese investment in German hi-tech firms

Hans-Georg MaassenThe head of Germany’s domestic intelligence agency has warned of security risks resulting from Chinese direct investment in high-technology German and other European companies. Since 2012, Hans-Georg Maassen has served as director of the Federal Office for the Protection of the Constitution, Germany’s domestic security and counterintelligence agency. Speaking to reporters on Wednesday, Maassen said his agency had noticed an inverse correlation between cyber-espionage attacks on Germany by Chinese actors and the acquisition of German technology firms by Chinese companies. German counter-intelligence officials were puzzled, he said, about a dramatic reduction in Chinese cyber-espionage activities in 2016. But they eventually realized that cyber-espionage operations had been replaced by “lawful methods”, he said, such as direct takeovers of German hi-tech firms by Chinese companies.

The purpose of these takeovers was “to gain access to German technical know-how”, added Maassen. He went on to say that “industrial cyberespionage is no longer needed if an actor can simply exploit liberal economic regulations to buy companies, and then proceed to disembowel them, essentially cannibalize them, to gain access to their know-how”. The spy chief noted that Germany did not object to foreign investment and the free flow of capital from all countries, including China. However, he added, “certain direct investments in specific technologies can compromise domestic security”. Maassen mentioned several examples in his presentation, including the takeover of Kuka, a German robotics firm, by a Chinese investor in 2016. He said that in the past few months alone, Chinese companies have attempted to purchase stakes in 50Hertz, a German energy grid operator, German car manufacturer Daimler, and Cotesa, a German aerospace contractor.

In response to a question from a journalist about policy coordination between Germany and the European Union, Maassen said that Germany, France and Italy have been pressuring Brussels to update and modernize its screening procedures against foreign takeovers of companies that are involved in manufacturing and selling “sensitive technologies”. He noted that a new EU-wide screening mechanism should be in place by the end of 2018.

Author: Joseph Fitsanakis | Date: 12 April 2018 | Permalink