Previously obscure N. Korean hacker group is now stronger than ever, say experts

A little-known North Korean cyber espionage group has widened its scope and increased its sophistication in the past year, and now threatens targets worldwide, according to a new report by a leading cyber security firm. Since 2010, most cyber-attacks by North Korean hackers have been attributed to a group dubbed “Lazarus” by cyber security specialists. The Lazarus Group is thought to have perpetrated the infamous Sony Pictures attacks in 2014, and the worldwide wave of ransomware attacks dubbed WannaCry by experts in 2017. It is widely believed that the Lazarus Group operates on behalf of the government of North Korea. Most of its operations constitute destructive attacks —mostly cyber sabotage— and financial criminal activity.

For the past six years, a smaller hacker element within the Lazarus Group has engaged in intelligence collection and cyber espionage. Cyber security researchers have dubbed this sub-element “APT37”, “ScarCruft” or “Group123”. Historically, APT37 has focused on civilian and military targets with links to the South Korean government. The hacker group has also targeted human rights groups and individual North Korean defectors living in South Korea. However, a new report warns that APT37 has significantly expanded its activities in terms of both scope and sophistication in the past year. The report, published on Tuesday by the cyber security firm FireEye, suggests that APT37 has recently struck at targets in countries like Vietnam and Japan, and that its activities have disrupted telecommunications networks and commercial hubs in the Middle East.

According to the FireEye report, aerospace companies, financial institutions and telecommunications service providers on at least three continents have been targeted by APT37 in recent months. What is even more worrying, says the report, is that the hacker group is now capable of exploiting so-called “zero-day” vulnerabilities. These are software bugs and glitches in commonly used software, which have not been detected by software providers and are therefore exploitable by malicious hackers. FireEye said in its report that the North Korean regime will be tempted to use APT37 increasingly often “in previously unfamiliar roles and regions”, as cyber security experts are catching up with some of Pyongyang’s more visible hacker groups, such as Lazarus.

Author: Joseph Fitsanakis | Date: 21 February 2018


Russian hacker claims he was hired by Kremlin to target US Democratic Party

A member of a prolific Russian hacker group reportedly stated in court that he was hired by the Russian government to break into the computer systems of the Democratic Party in the United States. The hacker, Konstantin Kozlovsky, operated online as a member of Lurk, a notorious hacker group whose members are believed to have stolen in excess of $45 million from hundreds of companies since 2011. Most of the group’s members were apprehended in a wave of 50 arrests that took place throughout Russia in the summer of 2016. The group’s nine most senior members, Kozlovsky being one of them, were put on trial earlier this year.

Last Monday, Russian website The Bell reported that Kozlovsky said during his court testimony in August of this year that he was hired by the Kremlin to hack into the computers of the Democratic Party in the US. The website claimed that he and his fellow Lurk hackers regularly worked for the FSB, Russia’s Federal Security Service. For nearly a decade, said Kozlovsky, he and other hackers “performed different tasks on assignments by FSB officers”. In his testimony of August 15, Kozlovsky reportedly said that some of the tasks performed by Lurk on behalf of the FSB included hacking into the computers of the Democratic National Committee, which is the governing body for the Democratic Party in the US. He also claimed that he and his fellow hackers stole emails belonging to the Democratic presidential candidate Hillary Clinton.

The Bell published Kozlovsky’s claims on its website in both Russian and English. According to The Times of London, the website also posted minutes from the court hearing, as well as a recording of Kozlovsky’s testimony, on its page on Facebook. Kozlovsky also claimed that the FSB recruited him in 2008, when he was 16 years old, and that he worked under the supervision of Dmitry Dokuchaev, a notorious criminal hacker known as ‘Forb’, who was arrested and subsequently recruited by the FSB. Kozlovsky added that he participated in “very serious military enterprises of the United States and other organizations” under Dokuchaev’s supervision.

Author: Ian Allen | Date: 15 December 2017

CopyKittens cyber espionage group linked to Iranian state, says report

A cyber espionage group that has alarmed security researchers by its careful targeting of government agencies has links to the Iranian state, according to a new report. The existence of the group calling itself CopyKittens was first confirmed publicly in November of 2015. Since that time, forensic analyses of cyber attacks against various targets have indicated that the group has been active since at least early 2013. During that time, CopyKittens has carefully targeted agencies or officials working for Jordan, Saudi Arabia, Turkey, Israel, the United States, and Germany, among other countries. It has also targeted specific offices and officials working for the United Nations.

Throughout its existence, CopyKittens has alarmed cyber security researchers by its strategic focus on political targets belonging to governments. The group’s methods of operation do not resemble those of most other hacker groups, which are usually crude by comparison. Now a new report by two leading cyber security groups claims that CopyKittens is linked to the Iranian state. The report was published on Tuesday as a joint effort by Japan’s Trend Micro and Israel’s ClearSky firms. The report analyzes several operations by CopyKittens, some conducted as recently as last April. It concludes that CopyKittens is “an active cyber espionage actor whose primary focus [is] foreign espionage on strategic targets”. Additionally, the report suggests that the group operates using “Iranian government infrastructure”.

According to the Trend Micro/ClearSky report, CopyKittens tends to use relatively simple hacking techniques, such as fake social media profiles, attacks on websites, or emails that contain attachments infected with malicious code. However, its members appear to be “very persistent” and usually achieve their goal “despite lacking technological sophistication”. The security report did not directly address the political ramifications of implicating the Iranian government in CopyKittens’ hacking operations. The Reuters news agency contacted Iranian officials at the United Nations about the CopyKittens report, but nobody was available for comment.

Author: Ian Allen | Date: 26 July 2017

Same hacker group is targeting French and German elections, says report

The same group of cyber-spies that attacked the campaign of French presidential candidate Emmanuel Macron is now attacking German institutions that are connected to the country’s ruling coalition parties, according to a report by a leading cyber-security firm. The Tokyo-based security software company Trend Micro published a 41-page report on Tuesday, in which it tracks and traces the attacks against French and German political targets over the past two years. The report, entitled From Espionage to Cyber Propaganda: Pawn Storm’s Activities over the Past Two Years, concludes that the hackers are seeking to influence the results of the national elections in the European Union’s two most powerful nations, France and Germany.

The Trend Micro report focuses on a mysterious group that cyber-security experts have dubbed Pawn Storm —otherwise known as Sednit, Fancy Bear, APT28, Sofacy, and STRONTIUM. It says that the group has launched an aggressive phishing campaign against German political institutions, which has intensified in the past two months. The group allegedly set up fake computer servers in Germany and the Ukraine, and used them to try to infiltrate the computer networks of two elite German think-tanks, the Konrad Adenauer Foundation (KAF) and the Friedrich Ebert Foundation (FEF). The KAF is connected with the Christian Democratic Union party, which is led by Germany’s Chancellor, Angela Merkel. The FEF has strong ties with the centrist Social Democratic Party, which is part of Germany’s governing alliance.

The report’s leading author, cyber-security expert Feike Hacquebord, told the Reuters news agency that the hackers were possibly seeking to infiltrate the two think-tanks as a means of gaining access to the two political parties that are connected with them. Some cyber-security experts in Europe and the United States have said that the Russian Main Intelligence Directorate, the country’s military intelligence agency, known as GRU, is behind the cyber-attacks on France, Germany and the United States. But the Trend Micro report did not attempt to place blame on Moscow or any other country for the cyber-attacks. The Kremlin has denied involvement with the alleged hacking operations.

Author: Ian Allen | Date: 26 April 2017

New report details one of history’s “largest ever” cyber espionage operations

A new report authored by a consortium of government and private organizations in Britain has revealed the existence of a computer hacking operation, allegedly based in China, that is said to be “one of the largest ever” such campaigns globally. The operation is believed to have compromised sensitive information from an inestimable number of private companies in Southeast Asia, Europe and the United States. The report was produced by a consortium of public and private organizations, including BAE Systems and the London-based National Cyber Security Centre, an office of the United Kingdom’s signals intelligence agency, the Government Communications Headquarters. It details the outcome of Operation CLOUD HOPPER, which was launched to uncover the cyber espionage activities.

According to the report, the attacks were first launched several years ago against targets in Japan’s government and private sector. But after 2016, they spread to at least 14 other countries, including France, the United Kingdom and the United States. It is claimed that the attacks are “highly likely” to originate from China, given that the targets selected appear to be “closely aligned with strategic Chinese interests”. The authors of the report have named the hacker group APT10, but provide limited information about its possible links —or lack thereof— with the Chinese government.

The report claims that APT10 uses specially designed malware that is customized for most of its targets, thus constituting what experts describe as “spear phishing”. Past successful attacks have already resulted in an “unprecedented web of victims” who have had their information compromised, say the authors. The victims’ losses range from intellectual property to personal data. One of the report’s authors, Dr. Adrian Nish, who is head of threat intelligence at BAE Systems, told the BBC that it is currently impossible to estimate the number of organizations and agencies that have been impacted by APT10’s activities.

Author: Ian Allen | Date: 05 April 2017

Arrested contractor may have worked for NSA’s elite cyber spy unit

A United States federal contractor, who remains in detention following his arrest last summer for stealing classified documents, may have worked for an elite cyber espionage unit of the National Security Agency. The man was identified by The New York Times last week as Harold Thomas Martin III, a 51-year-old employee of Booz Allen Hamilton, one of the largest federal contractors in the US. The paper said that, prior to joining Booz Allen Hamilton, Martin served as a US Navy officer for over a decade, where he specialized in cyber security and acquired a top secret clearance. But last August, agents of the Federal Bureau of Investigation raided Martin’s house in Maryland and arrested him on charges of stealing government property and illegally removing classified material.

Media reports suggest that the FBI discovered significant quantities of classified information, some of it dating back to 2006, on a variety of electronic devices that Martin had stored —though apparently not hidden— in his house and car. Another interesting aspect of the case is that there is no proof at this point that Martin actually shared the classified information with a third party. There is some speculation that he may be behind a disclosure of a collection of NSA hacking tools, which were leaked in August of this year by a previously unknown group calling itself “the Shadow Brokers”. But some speculate that Martin may have taken the classified material home so he could write his dissertation for the PhD he is currently undertaking at the University of Maryland’s Information Systems program.

A few days ago, The Daily Beast quoted an unnamed former colleague of Martin who said that the NSA contractor was a member of one of the agency’s elite cyber spy units. The existence of the secretive unit, which is known as the NSA’s Office of Tailored Access Operations, was revealed in June 2013 by veteran NSA watcher Matthew M. Aid. Writing in Foreign Policy, Aid cited “a number of highly confidential sources” in alleging that the NSA maintained a substantial “hacker army” tasked with conducting offensive cyber espionage against foreign targets. More information on NSA’s TAO was provided in January 2014 by German newsmagazine Der Spiegel. If The Daily Beast’s allegations about Martin are accurate, they would explain why anonymous government sources told The Washington Post last week that some of the documents Martin took home “could be expected to cause exceptionally grave damage to the national security of the United States”. The case also highlights the constant tension between security and the privatization of intelligence, which was also a major parameter in the case of Edward Snowden, another Booz Allen Hamilton contractor who defected to Russia in 2013.

Meanwhile, Martin remains in detention. If he is convicted, he will face up to 11 years behind bars.

Author: Joseph Fitsanakis | Date: 10 October 2016

France’s ex-cyber spy chief speaks candidly about hacking operations

The former director of France’s cyber spy agency has spoken candidly about the recent activities and current state of French cyber espionage, admitting for the first time that France engages in offensive cyber operations. Between 2006 and 2013, Bernard Barbier was director of the technical division of the General Directorate for External Security, France’s external intelligence agency, which is commonly known as DGSE. During his tenure at DGSE, the organization’s technical division witnessed unprecedented financial and administrative growth. Today it is said to employ over 2500 people, nearly half of DGSE’s total personnel.

Earlier this month, Barbier was interviewed on stage during a symposium held by the CentraleSupélec, a top French engineering university based in Paris. He spoke with surprising candor about France’s cyber espionage operations. In the first part of his interview, which can be watched on YouTube, he recounted the history of what he described as “France’s cyber army”. He said that France began to build “teams of hackers” in 1992. Around that time, the DGSE purchased an American-built Cray supercomputer, said Barbier, and soon discovered that it could use the machine’s immense computing power to break passwords. More recently, said the former cyber spy chief, the DGSE has been trying to “catch up” with its American and British counterparts, the National Security Agency and the Government Communications Headquarters, by increasing its annual budget to over half a billion and hiring hundreds of young hackers. Many of these new employees have little to no university education, said Barbier, and are instead self-taught, having started hacking in their teenage years.

Like most governments, France will not officially admit to conducting offensive cyber operations using computer hacking and other techniques. But Barbier said during his interview that France was behind an offensive cyber operation that targeted Iran in 2009. He added that the DGSE has also directed cyber operations against Canada, Ivory Coast, Algeria, Norway, as well as its European Union partners Spain and Greece. He also complained that French government executives do not understand the importance of cyber operations and are not aiming high enough when it comes to planning, direction and hiring. The DGSE’s technical division still needs between 200 and 300 more staff members, Barbier argued in his interview.

Author: Joseph Fitsanakis | Date: 16 September 2016