Cybersecurity researchers uncover first-ever use of LinkedIn to spread malware

Cybersecurity researchers have uncovered what is believed to be the first-ever case of hackers using LinkedIn to infect the computers of targeted users with viruses, according to a new report. The hackers appear to have been sponsored by a government and to have targeted employees of carefully selected military contractors in central Europe, according to sources.

The existence of the alleged cyberespionage operation was revealed on Wednesday by researchers at ESET, a cybersecurity firm based in Bratislava, Slovakia, which is known for its firewall and anti-virus products. The researchers said that the operation was carried out in 2019 by hackers who impersonated employees of General Dynamics and Collins Aerospace, two leading global suppliers of aerospace and defense hardware.

ESET researchers said that the hackers made use of the private messaging feature embedded in LinkedIn to reach out to their targets. After making initial contact with their intended victims, the hackers allegedly offered their targets lucrative job offers and used the LinkedIn private messenger service to send them documents that were infected with malware. In many cases, the targets opened the documents and infected their computers in the process.

The use of the LinkedIn social media platform by hackers to make contact with their unsuspecting victims is hardly new. In 2017, German intelligence officials issued a public warning about what they said were thousands of fake LinkedIn profiles created by Chinese spies to gather information about Western targets. Germany’s Federal Office for the Protection of the Constitution (BfV) said it had identified 10,000 German citizens who had been contacted by Chinese spy-run fake profiles on LinkedIn in a period of just nine months. And in 2018, a report by France’s two main intelligence agencies, the General Directorate for Internal Security (DGSI) and the General Directorate for External Security (DGSE), warned of an “unprecedented threat” to security after nearly 4,000 leading French civil servants, scientists and senior executives were found to have been accosted by Chinese spies on LinkedIn.

Tricking a target into accessing a virus-infected document file is not a new method either. However, according to the researchers at ESET, this was the first case where LinkedIn was used to actually deliver the malware to the victims. As for the identity of the hackers, there appears to be no conclusive information. However, ESET said the attacks appeared to have some connections to Lazarus, a group of hackers with North Korean links. Lazarus has been linked to the 2014 Sony Pictures hack and the 2016 Central Bank of Bangladesh cyber heist, which was an attempt to defraud the bank of $1 billion.

LinkedIn told the Reuters news agency that it had identified and terminated the user accounts behind the alleged cyberespionage campaign. Citing client confidentiality, ESET said it could not reveal information about the victims of the attacks. Meanwhile, General Dynamics and Raytheon Technologies, which owns Collins Aerospace, have not commented on this report.

Author: Joseph Fitsanakis | Date: 18 June 2020

Lax security behind greatest data loss in CIA’s history, internal report concludes

Complacency and substandard security at the United States Central Intelligence Agency were behind the Vault 7 leak of 2017, which ranks as the greatest data loss in the agency’s history, according to an internal report. The Vault 7 data loss was particularly shocking, given that the CIA should have taken precautions following numerous leaks of classified government information in the years prior to 2017, according to the report.

The Vault 7 data leak occurred in the first half of 2017, when the anti-secrecy website WikiLeaks began publishing a series of technical documents belonging to the CIA. Once all documents had been uploaded to the WikiLeaks website, they amounted to 34 terabytes of information, which is equivalent to 2.2 billion pages of text. The information contained in the Vault 7 leak is believed to constitute the biggest leak of classified data in the history of the CIA.

The Vault 7 documents reveal the capabilities and operational details of some of the CIA’s cyber espionage arsenal. They detail nearly 100 different software tools that the agency developed and used between 2013 and 2016, in order to compromise targeted computers, computer servers, smartphones, cars, televisions, internet browsers, operating systems, etc. In 2017 the US government accused Joshua Adam Schulte, a former CIA software engineer, of giving the Vault 7 data to WikiLeaks. Schulte’s trial by jury was inconclusive, and a re-trial is believed to be in the works.

Now an internal report into the Vault 7 disclosure has been made public. The report was compiled by the CIA WikiLeaks Task Force, which the agency set up with the two-fold mission of assessing the damage from the leak and recommending security procedures designed to prevent similar leaks from occurring in the future. A heavily redacted copy of the report has been made available [.pdf] by Senator Ron Wyden (D-OR) who is a member of the US Senate Select Committee on Intelligence. An analysis of the report was published on Tuesday by The Washington Post.

The report recognizes that insider threats —a data leak perpetrated on purpose by a conscious and determined employee, or a group of employees— are especially difficult to stop. It adds, however, that the Vault 7 leak was made easier by “a culture of shadow IT” in which the CIA’s various units developed distinct IT security practices and their own widely different systems of safeguarding data. Many cyber units prioritized creative, out-of-the-box thinking, in order to develop cutting-edge cyber-tools. But they spent hardly any time thinking of ways to safeguard the secrecy of their projects, and failed to develop even basic counterintelligence standards —for instance keeping a log of which of their members had access to specific parts of the data— according to the report.

Such standards should have been prioritized, the report adds, given the numerous high-profile leaks that rocked the Intelligence Community in the years prior to the Vault 7 disclosure. It mentions the examples of Edward Snowden, a former contractor for the National Security Agency, who defected to Russia, as well as Chelsea Manning, an intelligence analyst for the US Army, who gave government secrets to WikiLeaks. Manning spent time in prison before being pardoned by President Barack Obama. Snowden remains in hiding in Russia.

The CIA has not commented on the release of the internal Vault 7 report. An agency spokesman, Timothy Barrett, told The New York Times that the CIA was committed to incorporating “best-in-class technologies to keep ahead of and defend against ever-evolving threats”. In a letter accompanying the release of the report, Senator Wyden warned that “the lax cybersecurity practices documented in the CIA’s WikiLeaks task force report do not appear limited to just one part of the intelligence community”.

Author: Joseph Fitsanakis | Date: 17 June 2020

US Pentagon bans use of Zoom teleconferencing app due to espionage concerns

The United States Department of Defense has barred its employees from using Zoom, a popular video teleconferencing application, due to concerns that foreign spies may be using the software to collect intelligence. The Pentagon made the announcement less than a day after the US Senate advised its members to refrain from using Zoom. The video teleconferencing software is owned by Zoom Video Communications, Inc., a NASDAQ-traded software firm headquartered in San Jose, California. It has become popular in recent weeks, due to the increasing reliance on telework resulting from the effects of the COVID-19 pandemic.

But security experts have raised concerns about the privacy and security of Zoom users. On March 30, the Federal Bureau of Investigation issued a warning stating that hackers could exploit a number of security weaknesses in Zoom’s software. The following day, the FBI warned that malicious users could use Zoom to “steal sensitive information, target individuals and businesses performing financial transactions, and engage in extortion”. On April 9, Time magazine cited “three US intelligence officials” in claiming that American counterintelligence agencies had “observed the espionage services of Russia, Iran, and North Korea attempting to spy on Americans’ video chats” on Zoom. Their aim was to acquire “financial, personal, product development, research, and intellectual property information and leads” on US government and corporate targets, said Time. On the same day, a memo by the Sergeant-at-Arms of the US Senate advised senators and their staff members to refrain from using Zoom for congressional business.

Finally, on April 10, Pentagon spokesman Lt. Col. Robert Carver (US Air Force) issued an official statement prohibiting the use of Zoom software by the Department of Defense’s military and civilian employees, including contractors. Carver said Pentagon employees could still make use of the Zoom for Business application, because it had been issued a provisional authorization under the US Federal Risk and Authorization Management Program. He added that Pentagon employees could still utilize Zoom for their personal use.

Author: Joseph Fitsanakis | Date: 14 April 2020

Chinese cybersecurity firm accuses CIA of 11-year cyberespionage campaign

A leading Chinese cybersecurity firm has accused the United States Central Intelligence Agency of using sophisticated malicious software to hack into computers belonging to the Chinese government and private sector for over a decade.

The accusation against the CIA comes from Qihoo 360, a prominent cybersecurity firm headquartered in Beijing. On Monday, the company published a report of its investigation on its website, written in both Chinese and English. The report identifies the hackers as “the CIA Hacking Group (APT-C-39)”, and says that the group has carried out activities against “China’s critical industries” for at least 11 years.

The report claims that APT-C-39 targets included China’s energy and civilian aviation sectors, Internet service providers, scientific research universities and organizations, and various government agencies —which it does not name. The majority of the hacker group’s targets were located in Beijing, and also in China’s Zhejiang and Guangdong provinces.

According to Qihoo 360, APT-C-39 must be a “state-level hacking organization”, judging by the hacking tools that it used. These tools, such as the malware named by forensics experts as Grasshopper and Fluxwire, are believed to have been designed by the CIA. They were leaked in 2017 by the international whistleblower website WikiLeaks. American authorities have charged a former CIA programmer, Joshua Schulte, with leaking the malware. Schulte denies the charges.

The Qihoo 360 report also claims that the hours during which APT-C-39 hackers appear to be active correspond to the working hours of the East Coast of the United States. It also suggests that one goal behind the hacking operations against airline industry targets was to access the travel itineraries of senior figures in China’s political and industrial circles.

Author: Ian Allen | Date: 04 March 2020

United Nations targeted in sophisticated cyber-espionage operation

One of the United Nations’ most sensitive computer systems was targeted in a highly sophisticated cyber-espionage operation that appears to have been sponsored by a state, according to a leaked study. The study was leaked to the media earlier this week, and was reported by the Associated Press on Wednesday.

According to the Associated Press report, hackers used IP addresses in Romania to stage a meticulously organized infiltration of dozens of United Nations computer servers. The servers that were compromised included those used by the Office of the United Nations High Commissioner for Human Rights (OHCHR), which collects sensitive personal data regarding human rights abuses by governments around the world. The OHCHR has regularly been the subject of verbal attacks by authoritarian governments around the world in recent years.

The identity of the hackers remains unclear, said the report. However, their degree of technical sophistication was so substantial that forensic investigators suspect that a state actor was behind the espionage operation, according to the Associated Press. The news agency relayed an email message it received from United Nations spokesman Rupert Colville, which claimed that the hackers did penetrate the OHCHR system but “did not get very far, [as] nothing confidential was compromised”.

But the above statement appears to contradict the leaked study, which suggests that the cyber-espionage operation against the United Nations resulted in a compromise of “core infrastructure components” that were “determined to be serious”. Among the accounts that were compromised by the hackers were those of some domain administrators, who have access to large segments of the United Nations’ computer networks. The Associated Press spoke to an anonymous United Nations official, who said that the attack was “sophisticated”, and that the organization’s computer systems were “reinforced” in the months following the incident.

Author: Joseph Fitsanakis | Date: 30 January 2020

Threat from espionage is bigger than terrorism, says Australia’s spy chief

The director of Australia’s main national security agency has warned in a public speech that the threat from espionage —including cyber espionage— is greater than terrorism, and poses an “existential” danger to established states. Duncan Lewis was appointed director of the Australian Security Intelligence Organisation (ASIO) in 2014, having already served for more than four decades in the Australian military and civilian government sectors. On Wednesday, Lewis gave a rare public address at the Lowy Institute in Sydney, ahead of his retirement from government service later this month.

The ASIO director said in his speech that terrorism poses “a terrible risk” and should be seen as “a very serious matter”. On the other hand, “terrorism has never been an existential threat to established states”, said Lewis. Additionally the risk from the current wave of Salafi-Jihadist terrorism has “plateaued” and should not be expected to increase drastically, he noted. On the other hand, the threat of foreign espionage “is ultimately an existential threat to the state, or it can be an existential threat to the state”, added Lewis. The ASIO director described espionage and foreign-influence activities as “typically quiet, insidious and with a long tail”. Thus, “unlike the immediacy of terrorism incidents”, the harmful effects of espionage may not appear for many years or even decades after the initial activity has been carried out, he said.

Additionally, said Lewis, Australia’s “middle power status” and close alliances with Western countries make it a major target for state-sponsored human and cyber espionage attacks. Adversary nations see Australia as “a rich target”, he said, and launched espionage operations against it daily. As a result, foreign intelligence operations against Australia are “on a growth path” and are taking place on an “unprecedented” scale and scope, according to Lewis. Such operations include “covert attempts to influence and shape the views of the [Australian] public, media, government and diaspora communities, both within Australia and overseas”, said Lewis, adding that they take place “every day”.

The espionage threat to Australia does not come from “one particular nation”, said the ASIO director, although some nations tend to display more “intent, sophistication and commitment” than others. Australia is obligated to resist these threats by continuing to develop its counter-espionage capabilities and finding innovative and effective ways to detect and defend against foreign interference, Lewis said at the conclusion of his talk.

Author: Joseph Fitsanakis | Date: 05 September 2019

Attack by Chinese hacker group targeted high-profile individuals around the world

A hacker attack of impressive magnitude targeted specific individuals of interest to the Chinese government as they moved around the world, in what appears to be the first such operation in the history of cyberespionage. The attack was revealed late last month by Cybereason, an American cybersecurity firm based in Boston, Massachusetts. Company experts described the scope and length of the attack, dubbed Operation SOFTCELL, as a new phenomenon in state-sponsored cyberespionage. Cybereason said SOFTCELL has been in operation since at least 2017, and identified the culprit as APT10, a hacker group that is believed to operate on behalf of China’s Ministry of State Security.

The operation is thought to have compromised close to a dozen major global telecommunications carriers on four continents —the Middle East, Europe, Asia and Africa. According to Cybereason, the hackers launched persistent multi-wave attacks on their targets, which gave them “complete takeover” of the networks. However, they did not appear to be interested in financial gain, but instead focused their attention on the call detail records (CDRs) of just 20 network users. With the help of the CDRs, the hackers were able to track their targets’ movements around the world and map their contacts based on their telephone activity. According to The Wall Street Journal, which reported on Cybereason’s findings, the 20 targets consisted of senior business executives and government officials. Others were Chinese dissidents, military leaders, as well as law enforcement and intelligence officials.

An especially impressive feature of SOFTCELL was that the hackers attacked new telecommunications carriers as their targets moved around the world and made use of new service providers. The attacks thus followed the movements of specific targets around the world. Although this is not a new phenomenon in the world of cyberespionage, the geographical scope and persistence of the attacks are unprecedented, said The Wall Street Journal. Speaking last week at the 9th Annual International Cybersecurity Conference in Tel Aviv, Israel, Lior Div, Cybereason’s chief executive officer and co-founder, said SOFTCELL attacks occurred in waves over the course of several months. The hackers used a collection of techniques that are commonly associated with identified Chinese hacker groups. If detected and repelled, the hackers would retreat for a few weeks or months before returning and employing new methods. The Cybereason security experts said that they were unable to name the targeted telecommunications carriers and users “due to multiple and various limitations”.

Author: Joseph Fitsanakis | Date: 09 July 2019

Western spies used ‘crown jewel’ of espionage tools to hack into Russia’s Google

Hackers used malware described by experts as the “crown jewel” of cyber-espionage tools to hack into Russia’s version of Google, in an effort to breach user accounts, according to the Reuters news agency. The hackers targeted Yandex (Яндекс), a Moscow-headquartered company that operates as the Russian version of Google. Yandex is the largest technology venture company in the Russian Federation and the fifth most popular search engine in the world. It also provides services such as mapping and email in Russia and several other countries in Central Asia and the Middle East. It claims that it serves more than 150 million monthly users worldwide.

On Thursday, Reuters cited “four people with knowledge of the matter […] in Russia and elsewhere”, who said that Yandex was targeted by a sophisticated hacking operation between October and November of 2018. The news agency said that three of its sources had direct knowledge of the details of the cyber-espionage operation against Yandex. According to the unnamed sources, the hackers appeared to be primarily interested in breaching the accounts of specific employees in Yandex’s research and development unit. Their purpose was to acquire technical information about how Yandex authenticates user accounts. That information could potentially enable them to impersonate Yandex users and access private information, including email messages, geolocation information, and other sensitive private data. Reuters said that the hackers attempted to breach Yandex for purposes of espionage, not sabotage or disruption, or stealing intellectual property for commercial purposes.

Moreover, the hackers used Regin, a highly sophisticated malware that a technical expert from the Symantec Corporation described as “the crown jewel of attack frameworks used for espionage”. Regin was identified as a malware employed by intelligence services of the so-called Five Eyes intelligence alliance between spy agencies of the United Kingdom, Canada, New Zealand, Australia and the United States. It was identified as a Western cyber-espionage tool in 2014, based on revelations made by Edward Snowden, the American former employee of the National Security Agency and the Central Intelligence Agency who defected to Russia. The same malware was used in 2013 to access about a dozen mainframe computers of Belgacom, Belgium’s largest telecommunications service provider, which is partly state-owned. The attack was widely attributed to a consortium of Western intelligence services led by the NSA.

According to Reuters, the hackers were able to penetrate Yandex’s networks for several weeks or longer, without being noticed by the company’s cyber-security monitors. When the penetration was detected, Yandex hired a cyber-security team from the Russian anti-virus firm Kaspersky. The Kaspersky team identified Regin and, according to Reuters, concluded that the hackers behind the cyber-espionage operation were tied to Western intelligence agencies. Kaspersky, the Russian government, and intelligence agencies from the Five Eyes alliance declined requests by Reuters to comment on the story. Yandex confirmed the cyber-espionage attack in a statement to Reuters, but said that its cyber-security experts had been able to detect and “fully neutralize [it] before any damage was done”. Consequently, said Yandex, “no user data was compromised in the attack”.

Author: Joseph Fitsanakis | Date: 28 June 2019

Cyber spies accessed thousands of European Union diplomatic cables

A group of hackers, allegedly working for the Chinese military, accessed thousands of classified diplomatic cables from the European Union during a protracted cyber-espionage operation, a report has revealed. Over 100 organizations are believed to have been targeted in the multi-year cyber-espionage campaign, including the United Nations, international labor groups, as well as government ministries from dozens of countries. The operation was revealed on Tuesday by Area 1, a cyber-security company founded by former officials of the United States National Security Agency, and reported by The New York Times.

The compromised cables come primarily from the European Union’s COREU communication network, a Telex-based network that uses teleprinters to exchange text-based messages. The European Union uses the COREU network to transmit information that is classified “limited” or “restricted” between officials representing the executive governments of the European Union’s member states, members of the European Commission, foreign-ministry officials, and other approved parties. Top-secret information (“tres secret” in European Union parlance) is typically not shared on the COREU network. Consequently, the hacked cables contain mostly low-level information. That does not mean, however, that their access by at least one adversary power does not represent a serious security breach. Area 1 said that its forensic examination of the method used by the hackers reveals a set of cyber-espionage techniques that are closely associated with the Chinese People’s Liberation Army (PLA). These clues, in association with the PLA’s long history of attacking Western diplomatic targets, point to Beijing as a very likely culprit behind the attacks, according to Area 1.

The American cyber-security firm said it was able to access the compromised European Union cables and made over 1,100 of them available to The New York Times. The paper reported on Tuesday that the cables reflect increasing tension between Brussels and Washington, as European Union diplomats attempt to get a handle on the unpredictability of United States President Donald Trump. A series of diplomatic cables discusses whether the European Union should bypass the White House and work directly with the Republican-controlled US Congress, which is viewed as more reliable and responsible. Another set of diplomatic exchanges describes the frustration of Beijing’s leadership with Trump, whom Chinese President Xi Jinping is said to have described to European Union officials as “a bully [engaged in a] no-rules freestyle boxing match”.

The Times said that it notified the European Union of the breach of its diplomatic cables and was told that officials were “aware of allegations regarding a potential leak of sensitive information and [were] actively investigating the issue”. The paper also contacted the White House National Security Council but did not get a response.

Author: Ian Allen | Date: 20 December 2018

Czechs accuse Moscow of ‘most serious wave of cyberespionage’ in years

The main domestic intelligence agency of the Czech Republic has accused Russia of “the most serious wave of cyberespionage” to target the country in recent years. The claim was made on Monday in Prague by the Security Information Service (BIS), the primary domestic national intelligence agency of the Czech Republic. Details of the alleged cyberespionage plot are included in the BIS’ annual report, a declassified version of which was released this week.

According to the document, the cyberespionage attacks were carried out by a hacker group known as APT28 or Fancy Bear, which is believed to operate under the command of Russian intelligence. The hacker group allegedly targeted the Czech Ministry of Defense, the Ministry of Foreign Affairs and the headquarters of the country’s Armed Forces. As a result, the electronic communication system of the Ministry of Foreign Affairs was compromised “at least since early 2016”, said the report (.pdf). More than 150 electronic mailboxes of ministry employees —including diplomats— were accessed, and a significant number of emails and attachments were copied by the hackers. The compromise was terminated a year later, when BIS security personnel detected the penetration. The BIS report goes on to say that a separate cyberespionage attack was carried out by a Russian-sponsored hacker group in December of 2016. An investigation into the attacks concluded that the hackers were not able to steal classified information, says the report. It adds, however, that they were able to access personal information about Czech government employees, which “may be used to launch subsequent attacks [or to] facilitate further illegitimate activities” by the hackers.

The BIS report concludes that the hacker campaign was part of “the most serious wave of cyberespionage” to target the Czech Republic in recent years. Its perpetrators appear to have targeted individuals in “virtually all the important institutions of the state” and will probably continue to do so in future attacks, it says. Moreover, other European countries probably faced similar cyberespionage breaches during the same period, though some of them may not be aware of it, according to the BIS. Czech Prime Minister Andrej Babis told parliament on Tuesday that his cabinet will discuss the BIS report findings and recommendations early in the new year.

Author: Joseph Fitsanakis | Date: 05 December 2018

Czech spy agency says it neutralized Hezbollah cyberespionage network

Officials in the Czech Republic have announced that the country’s spy agency headed an operation in several countries, aimed at neutralizing a cyberespionage network operated by the Lebanese militant group Hezbollah. Early last week, the Security Information Service (BIS), the primary domestic national intelligence agency of the Czech Republic, issued a short statement saying that it “played a big part in helping to identify and disconnect Hezbollah servers in the Czech Republic, other EU member states and the US”. But it did not elaborate. On Tuesday, however, ZDNet’s Zero Day security blog published more information from the Czechs about the BIS operation.

According to the BIS, its cyber security force discovered a number of servers located on Czech soil, which were “almost certainly” used by Hezbollah, the Shiite militant group that controls large swathes of territory in Lebanon. The servers were allegedly used in a wide-ranging cyberespionage operation that began in 2017, run by a group of Hezbollah hackers based in Lebanon. It was there, said the BIS, that the command-and-control facilities of the operation were located. The servers located on Czech soil were used to distribute phone apps that contained malicious software. The hackers targeted individual phone users located mainly in the Middle East, according to the BIS, but other targets were in eastern and central Europe. It is believed that the majority of targets were Israeli citizens. Invariably, targeted individuals were approached online, mostly through fake Facebook profiles. Most of the targets were men, and the fake Facebook profiles featured pictures of attractive young women. After initial messages were exchanged via Facebook, the targets were convinced to download phone applications that would allow them to continue communicating with the ‘women’. These applications would install spyware on their phones, thus allowing Hezbollah hackers to capture the content of messages and calls made on the phones. The phones could also be used as eavesdropping devices.

According to BIS Director Michal Koudelka, the spy agency “played a significant role in identifying and uncovering the hackers’ system. We identified the victims and traced the attack to its source facilities. Hacker servers have been shut down”, he said. Koudelka added that some of the servers used by Hezbollah were located in other European Union countries and in the United States. These were shut down following a joint cyber operation by BIS and “partners”, said Koudelka, though he did not identify them.

Author: Joseph Fitsanakis | Date: 17 October 2018

Russia claims ‘misunderstanding’ led to arrests of four spies in Holland

Russia’s minister of foreign affairs has downplayed the arrest and expulsion of four Russian military intelligence officers in Holland last April, saying that the incident was caused by a “misunderstanding”. Last Thursday, the US government named and indicted seven officers of the Main Directorate of the General Staff of Russia’s Armed Forces, known as the GRU. The seven are alleged to have participated in cyber-attacks on international agencies, private companies and government computer networks in at least half a dozen countries around the world since 2015. Four of the men named last week were reportedly detained in April of this year while trying to hack into the computer network of the Organization for the Prohibition of Chemical Weapons (OPCW). Headquartered in The Hague, the OPCW oversees efforts by its 193 member states to detect and eliminate chemical weapons stockpiles around the world. In the past year, the OPCW has been probing the failed attempt to poison the Russian former double spy Sergei Skripal in England, which the British government has blamed on Moscow.

On Monday, Russia’s Minister of Foreign Affairs Sergei Lavrov dismissed Washington’s accusations against the GRU and said that the Dutch authorities had overreacted in detaining the four Russian officers in April. Following a meeting in Moscow with his Italian counterpart Enzo Moavero Milanesi, Lavrov said that the visit of the four GRU officers in Holland had been “customary”, adding that “there was nothing clandestine in it”. The GRU specialists were in Holland in order to secure computer servers used at the Russian embassy there. “They were not trying to hide from anyone once they arrived at the airport”, said Lavrov. They then “checked into a hotel and paid a visit to our embassy”, he added. Had they been engaged in espionage, the men would have taken strict precautions, said the Russian foreign affairs minister. They were eventually “detained by Dutch police without any reason or explanations, and were not allowed to contact our embassy”, said Lavrov. Eventually they were “asked to leave the country”, but it was “all because of a misunderstanding”, he concluded.

The Russian official did not address the information provided by a series of photographs released by Holland’s Ministry of Defense, which show a car used by the four Russians at the time of their arrest in April. The photographs show that the car was equipped with WiFi antennas and transformers. A wireless server and batteries can also be seen in the photographs. Lavrov said that the allegations against the GRU were meant to draw attention to Russia and distract Western citizens from “widening divisions that exist between Western nations”.

Author: Joseph Fitsanakis | Date: 09 October 2018 | Research credit: S.F.

Iran spied on ISIS supporters through fake phone wallpaper app, say researchers

Supporters of the Islamic State, most of them Persian speakers, were spied on by the government of Iran after they downloaded a fake smartphone application with wallpaper images, according to an online security firm. Iran is a major adversary of the radical Sunni group Islamic State. The latter considers Shiism (Iran’s state religion) as an abomination. Not surprisingly, therefore, the Islamic State, which is also known as the Islamic State of Iraq and Syria (ISIS), relies largely on supporters from the Arabic-speaking regions of the Levant. But according to estimates, Sunnis constitute about 10 percent of Iran’s population, and ISIS has found some fertile ground among Iran’s 8 million-strong Sunni minority. As a result, the government in Tehran is highly mistrustful of Iranian Sunnis, many of whom are ethnic Kurds, Baluchis, Azeris or Turkomans, and systematically spies on them.

According to the Israeli online security firm Check Point Software Technologies, one way in which Tehran has spied on Persian-speaking ISIS supporters is through fake smartphone applications. In an article published last week, the company said it had uncovered a state-sponsored surveillance operation that it had codenamed “Domestic Kitten”. The Check Point article said that the operation had gone on for more than two years, but had remained undetected “due to the artful deception of its attackers towards their targets”. The surveillance of targeted phones was carried out with the help of an application that featured pro-ISIS-themed wallpapers, which users could download on their devices. Yet another program linked to the same vendor was a fake version of the Firat News Agency mobile phone application. The Firat News Agency is a legitimate Iranian information service featuring news about Iran’s Kurdish minority. But both applications were in fact malware that gave a remote party full access to all text messages sent or received on the compromised phones. They also gave a remote party access to records of phone calls, Internet browser activity and bookmarks, and all files stored on the compromised phones. Additionally, the fake applications gave away the geo-location of compromised devices, and used their built-in cameras and microphones as surveillance devices.

Check Point said that the majority of compromised phones belonged to Persian-speaking members of Iran’s Kurdish and Turkoman minorities. The company stressed that it was not able to confirm the identity of the sponsoring party with absolute accuracy. However, the nature of the fake applications, the infrastructure of the surveillance operation, as well as the identities of those targeted, pointed to a strong possibility that “Domestic Kitten” was sponsored by the government of Iran, it concluded. Last July, the American cyber security firm Symantec said that it had uncovered a new cyber espionage group called “Leafminer”, which was allegedly sponsored by the Iranian state. The group had reportedly launched attacks on more than 800 agencies and organizations in countries such as Israel, Egypt, Bahrain, Qatar, Kuwait, the United Arab Emirates, Afghanistan and Azerbaijan.

Author: Ian Allen | Date: 14 September 2018

Researchers uncover ‘ambitious’ Iranian hacker group that targets the Middle East

An American cyber security firm has reported the discovery of a previously undetected, “highly active” Iranian cyber espionage group, whose extensive target list consists mainly of large organizations and companies in the Middle East. The cyber security firm Symantec, makers of Norton antivirus software, which uncovered the cyber espionage group’s existence, has dubbed it “Leafminer”. It said the group has been active since the beginning of 2017, but has “significantly ramped up its activities” in 2018 and is currently involved in dozens of ongoing attacks.

In a report published on Wednesday, Symantec said that its security experts managed to obtain what appears to be Leafminer’s master list of targets. The list is written in the Farsi language and contains just over 800 organizations, which according to Symantec researchers is “an ambitious goal” for any cyber espionage group. The organizations listed on the target sheet come from a variety of sectors, including government, transportation, the financial sector, energy and telecommunications. But the majority of the group’s targets appear to be in the petrochemical and government sectors. Additionally, virtually all of Leafminer’s targets are located in the Middle East and North Africa, in countries such as Israel, Egypt, Bahrain, Qatar, Kuwait and the United Arab Emirates. Some of the group’s targets are located in Afghanistan and Azerbaijan.

Symantec said its researchers observed the Leafminer hackers execute attacks in real time on at least 40 targets in the Middle East, including on the website of an intelligence agency in Lebanon. According to the cyber security company, Leafminer uses a variety of hacking tools, including custom-designed malware and some publicly available software. The group’s operational sophistication is also varied, and ranges from complex, multilayered attacks to brute-force login attempts. Symantec said it concluded that the cyber espionage group originates from Iran because its master target list is written in Farsi and because Iran is virtually the only country in the Middle East that is missing from the target list. However, it said that it did not have sufficient evidence to link Leafminer to the Iranian government. In a separate development, Germany’s domestic intelligence agency, the Federal Office for the Protection of the Constitution (BfV), said this week in its annual report that the government of Iran has significantly expanded its cyber warfare capabilities and “poses a danger to German companies and research institutions”.

Author: Joseph Fitsanakis | Date: 26 July 2018

German spy chief warns against Chinese investment in German hi-tech firms

The head of Germany’s domestic intelligence agency has warned of security risks resulting from Chinese direct investment in high-technology German and other European companies. Since 2012, Hans-Georg Maassen has served as director of the Federal Office for the Protection of the Constitution, Germany’s domestic security and counterintelligence agency. Speaking to reporters on Wednesday, Maassen said his agency had noticed an inverse correlation between cyber-espionage attacks on Germany by Chinese actors and the acquisition of German technology firms by Chinese companies. German counter-intelligence officials were puzzled, he said, about a dramatic reduction in Chinese cyber-espionage activities in 2016. But they eventually realized that cyber-espionage operations had been replaced by “lawful methods”, he said, such as direct takeovers of German hi-tech firms by Chinese companies.

The purpose of these takeovers was “to gain access to German technical know-how”, added Maassen. He went on to say that “industrial cyberespionage is no longer needed if an actor can simply exploit liberal economic regulations to buy companies, and then proceed to disembowel them, essentially cannibalize them, to gain access to their know-how”. The spy chief noted that Germany did not object to foreign investment and the free flow of capital from all countries, including China. However, he added, “certain direct investments in specific technologies can compromise domestic security”. Maassen mentioned several examples in his presentation, including the takeover of Kuka, a German robotics firm, by a Chinese investor in 2016. He said that in the past few months alone, Chinese companies have attempted to purchase stakes in 50Hertz, a German energy grid operator, German car manufacturer Daimler, and Cotesa, a German aerospace contractor.

In response to a question from a journalist about policy coordination between Germany and the European Union, Maassen said that Germany, France and Italy have been pressuring Brussels to update and modernize its screening procedures against foreign takeovers of companies that are involved in manufacturing and selling “sensitive technologies”. He noted that a new EU-wide screening mechanism should be in place by the end of 2018.

Author: Joseph Fitsanakis | Date: 12 April 2018