Dutch intelligence disrupt large-scale botnet belonging to Russian spy agency

ON MARCH 3, 2022, Dutch newspaper Volkskrant reported that the Dutch Military Intelligence and Security Service (MIVD) took action in response to abuse of SOHO-grade network devices in the Netherlands. The attacks are believed to have been perpetrated by the Main Intelligence Directorate of the General Staff of the Russian Armed Forces (GRU) Unit 74455. The unit, which is also known as Sandworm or BlackEnergy, is linked to numerous instances of influence operations and sabotage around the world.

The devices had reportedly been compromised and made part of a large-scale botnet consisting of thousands of devices around the globe, which the GRU has been using to carry out digital attacks. The MIVD traced affected devices in the Netherlands and informed their owners, MIVD chief Jan Swillens told Volkskrant. The MIVD’s discovery came after American and British services warned in late February that Russian operatives were using a formerly undisclosed kind of malware, dubbed Cyclops Blink. According to authorities, the botnet in which the compromised devices were incorporated has been active since at least June 2019.

Cyclops Blink leverages a vulnerability in WatchGuard Firebox appliances that can be exploited if the device is configured to allow unrestricted remote management. This feature is disabled by default. The malware has persistence, in that it can survive device reboots and firmware updates. The United Kingdom’s National Cyber Security Centre describes Cyclops Blink as a “highly sophisticated piece of malware”.

Some owners of affected devices in the Netherlands were asked by the MIVD to (voluntarily) hand over infected devices. They were advised to replace the router, and in a few cases given a “coupon” for an alternative router, according to the Volkskrant. The precise number of devices compromised in the Netherlands is unclear, but is reportedly in the order of dozens. Swillens said the public disclosure is aimed at raising public awareness. “The threat is sometimes closer than you think. We want to make citizens aware of this. Consumer and SOHO devices, used by the grocery around the corner, so to speak, are leveraged by foreign state actors”, he added.

The disclosure can also be said to fit in the strategy of public attribution that was first mentioned in the Netherlands’ Defense Cyber Strategy of 2018. Published shortly after the disclosure of the disruption by MIVD of an attempted GRU attack against the computer network of the OPCW, the new strategy included the development of attribution capabilities, as well as the development of offensive capabilities in support of attribution. It advocates the view that state actors “that are [publicly] held accountable for their actions will make a different assessment than attackers who can operate in complete anonymity”.

Author: Matthijs Koot | Date: 07 March 2022

United States charges six Russian intelligence operatives with hacking

US Department of Justice

THE UNITED STATES DEPARTMENT of Justice has unsealed charges against six members of Russia’s military intelligence agency for allegedly engaging in worldwide computer hacking against several countries. The charges, announced in Pittsburgh on Monday, represent a rare move that targets specific intelligence operatives and identifies them by name and by photograph. According to the US government, the six Russian operatives were instrumental in some of the most destructive and costly cyber-attacks that have taken place worldwide in the past five years.

The indictment alleges that the six Russian intelligence operatives were members of a hacker group named “Sandworm Team” and “Voodoo Bear” by cybersecurity experts. In reality, however, they were —and probably still are— employees of Unit 74455 of the Russian Armed Forces’ Main Intelligence Directorate, known as GRU. Their cyber-attacks employed the full resources of the GRU, according to the indictment. They were thus “highly advanced”, and were carried out in direct support of “Russian economic and national objectives”. At times, the group allegedly tried to hide its tracks and connections to the Russian government, by making it seem like its cyber-attacks were carried out by Chinese- and North Korean-linked hackers. However, according to the US government, its operations and targets were carried out “for the strategic benefit of Russia”.

The hacker group has been active since the end of 2015, and is alleged to have continued its operations until at least October of 2019. Alleged attacks include a major assault on the power grid of Ukraine in December of 2015, which left hundreds of thousands without electricity and heat. Other alleged attacks targeted the government of Georgia and the French national elections of 2017. The charges include alleged attacks on Western chemical laboratories that examined the toxic substance used in 2018 against former GRU officer Sergei Skripal in England.

Finally, some of the group’s alleged efforts centered on sabotaging the 2018 Winter Olympics in Pyeongchang, South Korea. Russian athletes were barred from the games, after the Russian government was accused of participating in wholesale doping of its Olympic team. Notably, none of the attacks connected with the group’s operations appeared to have directly targeted the United States —though some of the viruses that were allegedly unleashed by the group affected some American companies.

Author: Joseph Fitsanakis | Date: 21 October 2020
