Dutch spies identified Russian hackers who meddled in 2016 US election

Cozy BearDutch spies identified a notorious Russian hacker group that compromised computer servers belonging to the Democratic Party of the United States and notified American authorities of the attack, according to reports. In 2016, US intelligence agencies determined that a Russian hacker group known as Cozy Bear, or APT29, led a concerted effort to interfere in the US presidential election. The effort, which according to US intelligence agencies was sponsored by the Russian government, involved cyber-attacks against computer systems in the White House and the Department of State, among other targets. It also involved the theft of thousands of emails from computer servers belonging to the Democratic National Committee, which is the governing body of the Democratic Party. The stolen emails were eventually leaked to WikiLeaks, DCLeaks, and other online outlets. Prior descriptions of the Russian hacking in the media have hinted that US intelligence agencies were notified of the Russian cyber-attacks by foreign spy agencies. But there was no mention of where the initial clues came from.

Last Thursday, the Dutch current affairs program Nieuwsuur, which airs daily on Holland’s NPO 2 television, said that the initial tipoff originated from the AIVD, Holland’s General Intelligence and Security Service. On the same day, the Dutch newspaper De Volkskrant published a detailed account of what it described as AIVD’s successful penetration of Cozy Bear. According to these reports, AIVD was able to penetrate Cozy Bear in mid-2014, before the hacker group intensified its campaign against political targets in the US. Citing “six American and Dutch sources who are familiar with the material, but wish to remain anonymous”, De Volkskrant said that the AIVD was able to detect the physical base of the Cozy Bear hackers. The latter appeared to be working out of an academic facility that was adjacent to Moscow’s Red Square. The AIVD team was then able to remotely take control of security camera networks located around the facility. Eventually, the Dutch team hacked into another security camera network located inside the buildings in which the hackers worked. They soon began to collect pictures and footage of Cozy Bear members, which they then compared with photos of “known Russian spies”, according to De Volkskrant.

The paper said that the AIVD team continued to monitor Cozy Bear’s activities until at least 2017, while sharing intelligence with the Central Intelligence Agency and the National Security Agency in the US. The intelligence was allegedly instrumental in alerting US spy agencies about Russian government-sponsored efforts to meddle in the 2016 presidential election. Several newspapers, including The Washington Post in the US and The Independent in Britain, contacted the AIVD and the MIVD —Holland’s military intelligence agency— over the weekend. But the two agencies said they would not comment on reports concerning Cozy Bear.

Author: Joseph Fitsanakis | Date: 29 January 2018 | Research credit: E.J. & E.K. | Permalink

Advertisements

Russian hackers behind US election attacks also targeted hundreds of journalists

Fancy BearThe Russian hacker group that targeted the United States presidential election in 2016 also attacked hundreds of reporters around the world, most of them Americans, an Associated Press investigation shows. The group is often referred to in cyber security circles as Fancy Bear, but is also known as Pawn Storm, Sednit, APT28, Sofacy, and STRONTIUM. It has been linked to a long-lasting series or coordinated attacks against at least 150 senior figures in the US Democratic Party. The attacks occurred in the run-up to last year’s presidential elections in the US, which resulted in a victory for Donald Trump. The hacker group’s targets included Democratic Party presidential candidate Hillary Clinton and her campaign chairman John Podesta. But its hackers also went after senior US diplomatic and intelligence officials, as well as foreign officials in countries like Canada and the Ukraine.

Now a new investigation by the Associated Press news agency, based on data collected over a period of two years by the cyber security firm Secureworks, appears to show that Fancy Bear also attacked journalists. In a leading article published last week, the Associated Press said that journalists appeared to be the third largest professional group targeted by Fancy Bear, after politicians and diplomats. The investigation shows that nearly half of all journalists that were systematically targeted by the hacker group worked for a single newspaper, The New York Times. At least fifty Times reporters feature on the hacker group’s target list. The latter includes another 50 reporters working for Russian outlets that known to be critical of the Kremlin, and dozens of Eastern European reporters based in the Baltics, Moldova, Armenia, Georgia and Ukraine.

The Associated Press said that prominent names on the Fancy Bear target list include The Washington Post’s Josh Rogin, The Daily Beast’s intelligence correspondent Shane Harris, CNN’s security correspondent Michael Weiss, and Ellen Barry, the former Moscow bureau chief for The New York Times. The report also said that some American journalists were not only targeted online, but also physically. One of them, The New Yorker’s Masha Gessen, claims that she was routinely followed by Russian-speaking men in the period leading up to the 2016 presidential election. In April of this year, a study by the Tokyo-based cybersecurity firm Trend Micro showed that Fancy Bear was behind systematic efforts to subvert recent national elections in France and Germany. And a few weeks ago, Russian media reported that Konstantin Kozlovsky, a member of the prolific Russian hacker group Lurk, alleged that he had been hired by the Kremlin to help target the US Democratic Party.

Author: Ian Allen | Date: 26 December 2017 | Permalink

Russian hacker claims he was hired by Kremlin to target US Democratic Party

Konstantin KozlovskyA member of a prolific Russian hacker group reportedly stated in court that he was hired by the Russian government to break into the computer systems of the Democratic Party in the United States. The hacker, Konstantin Kozlovsky, operated online as a member of Lurk, a notorious hacker group whose members are believed to have stolen in excess of $45 million from hundreds of companies since 2011. Most of the group’s members were apprehended in a wave of 50 arrests that took place throughout Russia in the summer of 2016. The group’s nine most senior members, Kozlovsky being one of them, were put on trial earlier this year.

Last Monday, Russian website The Bell reported that Kozlovsky said during his court testimony in August of this year that he was hired by the Kremlin to hack into the computers of the Democratic Party in the US. The website claimed that he and his fellow Lurk hackers regularly worked for the FSB, Russia’s Federal Security Service. For nearly a decade, said Kozlovsky, he and other hackers “performed different tasks on assignments by FSB officers”. In his testimony of August 15, Kozlovsky reportedly said that some of the tasks performed by Lurk on behalf of the FSB included hacking into the computers of the Democratic National Committee, which is the governing body for the Democratic Party in the US. He also claimed that he and his fellow hackers stole emails belonging to the Democratic presidential candidate Hillary Clinton.

The Bell published Kozlovsky’s claims on its website in both Russian and English. According to to The Times of London, the website also posted minutes from the court hearing, as well as a recording of Kozlovsky’s testimony, on its page on Facebook. Kozlovsky also claimed that the FSB recruited him in 2008, when he was 16 years old, and that he worked under the supervision of Dmitry Dokuchaev, a notorious criminal hacker known as ‘Forb’, who was arrested and subsequently recruited by the FSB. Kozlovsky added that he participated in “very serious military enterprises of the United States and other organizations” under Dokuchaev’s supervision.

Author: Ian Allen | Date: 15 December 2017 | Permalink

Israel reportedly behind discovery of Russian antivirus company’s spy links

Computer hackingIsraeli spy services were reportedly behind the United States government’s recent decision to purge Kaspersky Lab antivirus software from its computers, citing possible collusion with Russian intelligence. Last month, the US Department of Homeland Security issued a directive ordering that all government computers should be free of software products designed by Kaspersky Lab. Formed in the late 1990s by Russian cybersecurity expert Eugene Kaspersky, the multinational antivirus software provider operates out of Moscow but is technically based in the United Kingdom. Its antivirus and cybersecurity products are installed on tens of millions of computers around the world, including computers belonging to government agencies in the US and elsewhere. But last month’s memorandum by the US government’s domestic security arm alarmed the cybersecurity community by alleging direct operational links between the antivirus company and the Kremlin.

On Tuesday, The New York Times reported that the initial piece of intelligence that alerted the US government to the alleged links between Kaspersky Lab and Moscow was provided by Israel. The American paper said that Israeli cyber spies managed to hack into Kaspersky’s systems and confirm the heavy presence of Russian government operatives there. The Times’ report stated that the Israelis documented real-time cyber espionage operations by the Russians, which targeted the government computer systems of foreign governments, including the United States’. The Israeli spies then reportedly approached their American counterparts and told them that Kaspersky Lab software was being used by Russian intelligence services as a backdoor to millions of computers worldwide. The Israelis also concluded that Kaspersky’s antivirus software was used to illegally steal files from these computers, which were essentially infected by spy software operated by the Russian government.

It was following the tip by the Israelis that he Department of Homeland Security issued its memorandum saying that it was “concerned about the ties between certain Kaspersky [Lab] officials and Russian intelligence and other government agencies”. The memorandum resulted in a decision by the US government —overwhelmingly supported by Congress— to scrap all Kaspersky software from its computer systems. Kaspersky Lab has rejected allegations that it works with Russian intelligence. In a statement issued in May of this year, the company said it had “never helped, nor will help, any government in the world with its cyberespionage efforts”.

Author: Joseph Fitsanakis | Date: 11 October 2017 | Pemalink

Iranian state-backed cyber spies becoming increasingly skilled, says report

Computer hackingA group of cyber spies with close links to the Iranian government is becoming increasingly competent and adept, and could soon bring down entire computer networks, according to a leading cyber security firm. The California-based cyber security company FireEye said that it has been monitoring the operations of the mysterious group of cyber spies since 2013. The company, whose clients include Sony Pictures, JP Morgan Chase and Target, said that the Iranian group appears to be especially interested in gathering secrets from aviation, aerospace and petrochemical companies.

In a detailed report published on Wednesday, FireEye said that the Iranian group has a very narrow target focus. Moreover, it attacks its targets —which are typically companies— in highly customizable ways. The latter includes the use of cleverly designed phishing tools that are designed to attract the attention of the company’s unsuspecting employees. So far, companies that have been targeted include Saudi petrochemical conglomerates, American aviation firms, as well as South Korean and other Southeast Asian companies that have aviation or energy holdings, said FireEye. The security company said it had codenamed the group “APT33”, which stands for “Advanced Persistent Threat #33”. It also said that APT33 was clearly distinct from other known Iranian hacker groups, because of the sophistication of its operations and the quality of its cyber weapons. The cyber security firm said that APT33 was the first Iranian hacker group to be included on a select list of the most capable cyber spy groups from around the world.

Some experts believe that APT33 is run by Iran’s Revolutionary Guard Corps, an irregular branch of the Iranian military, which is seen by many as a state within a state in post-1979 Iran. The FireEye report does not appear conclusive on this point. However, it notes that APT33 has built an offensive cyber arsenal “with potential destructive capabilities”, but that it currently appears to focus solely on intelligence collection, not sabotage or warfare.

Author: Joseph Fitsanakis | Date: 21 September 2017 | Permalink

North Korean state now uses cyber attacks to steal cash, says report

North KoreaNorth Korea’s intelligence establishment has shifted its attention from spying for political gain to spying for commercial advantage –primarily to secure funds for the cash-strapped country, according to a new report. Since the 1990s, the Democratic People’s Republic of Korea (DPRK) has used computer hacking in order to steal political and military secrets from its rivals. But there is increasing evidence that Pyongyang is now deploying armies of computer hackers in order to steal cash from foreign financial institutions and internet-based firms. This is the conclusion of a new report by the Financial Security Institute of South Korea, an agency that was set up by Seoul to safeguard the stability of the country’s financial sector.

The report, published last week, analyzed patterns of cyber attacks against South Korean state-owned and private financial institutions that took place between 2015 and 2017. It identified two separate computer hacking groups, which it named Lazarus and Andariel. According to the report, both groups’ activities, which are complementary, appear to be directed by the government of North Korea. An analysis of the groups’ targets suggests that Pyongyang has been directing its computer spies to find ways to secure hard currency for use by the government. Foreign currency has been increasingly hard to come by in North Korea in recent years, due to a host of international sanctions that were imposed on the country as a form of pressure against its nuclear weapons program.

Several cyber security experts and firms have claimed in recent months that North Korea has been behind recent cyber attacks against international banking institutions. The DPRK has also been blamed for a 2014 attack against the Hollywood studios of the Japanese multinational conglomerate Sony. Regular readers of intelNews will recall our story in March of this year about comments made on the subject of North Korea by Rick Ledgett, a 30-year veteran of the United States National Security Agency. Speaking at a public event hosted by the Aspen Institute in Washington, Ledgett expressed certainty that the government of North Korea was behind an attempt to steal nearly $1 billion from Bangladesh Bank —the state-owned central bank of Bangladesh—in 2016. Eventually the bank recovered most of the money, which were made through transactions using the SWIFT network. But the hackers managed to get away with approximately $81 million.

More recently, cyber security experts have claimed that the government of North Korea has been behind attempts to hack into automated teller machines, as well as behind efforts to steal cash from online gambling sites. In April of this year, the Russian-based cyber security firm Kaspersky Lab identified a third North Korean hacker group, which it named Bluenoroff. The Russian experts said Bluenoroff directed the majority of its attacks against foreign financial firms. There are rumors that Pyongyang was behind the wave of WannaCry ransomware attacks that infected hundreds of thousands of computers in over 150 countries in May. But no concrete evidence of North Korean complicity in the attacks has been presented.

Author: Joseph Fitsanakis | Date: 31 July 2017 | Permalink

CopyKittens cyber espionage group linked to Iranian state, says report

CopyKittensA cyber espionage group that has alarmed security researchers by its careful targeting of government agencies has links to the Iranian state, according to a new report. The existence of the group calling itself CopyKittens was first confirmed publicly in November of 2015. Since that time, forensic analyses of cyber attacks against various targets have indicated that the group has been active since at least early 2013. During that time, CopyKittens has carefully targeted agencies or officials working for Jordan, Saudi Arabia, Turkey, Israel, the United States, and Germany, among other countries. It has also targeted specific offices and officials working for the United Nations.

Throughout its existence, CopyKittens has alarmed cyber security researchers by its strategic focus on political targets belonging to governments. The group’s methods of operation do not resemble those of most other hacker groups, which are usually crude by comparison. Now a new report by two leading cyber security groups claims that CopyKittens is linked to the Iranian state. The report was published on Tuesday as a joint effort by Japan’s Trend Micro and Israel’s ClearSky firms. The report analyzes several operations by CopyKittens, some conducted as recently as last April. It concludes that CopyKittens is “an active cyber espionage actor whose primary focus [is] foreign espionage on strategic targets”. Additionally, the report suggests that the group operates using “Iranian government infrastructure”.

According to the Trend Micro/ClearSky report, CopyKittens tends to use relatively simple hacking techniques, such as fake social media profiles, attacks on websites, or emails that contain attachments that are infected with malicious codes. However, its members appear to be “very persistent” and usually achieve their goal “despite lacking technological sophistication”. The security report did not directly address the political ramifications of implicating the Iranian government in the CopyKittens’ hacking operations. The Reuters news agency contacted Iranian officials at the United Nations about the CopyKittens report, but they nobody was available for comment.

Author: Ian Allen| Date: 26 July 2017 | Permalink