Dan Lamothe reports: The U.S. military has conducted cyber attacks against the Islamic State for more than a year, and its record of success when those attacks are coordinated with elite Special Operations troops is such that the Pentagon is likely carry out similar operations with greater frequency, according to current and former U.S. defense officials.
The cyber offensive against ISIS, an acronym for the Islamic State, was a first and included the creation of a unit named Joint Task Force Ares. It focused on destroying or disrupting computer networks used by the militant group to recruit fighters and communicate inside the organization. Such offensive weapons are more commonly associated with U.S. intelligence agencies, but they were brought into the open in 2016 after then-Defense Secretary Ashton B. Carter pressured U.S. Cyber Command to become more involved in the campaign to defeat the Islamic State.
The move sparked a debate in the U.S. government over whether American allies would object to the U.S. military’s altering computer networks abroad, The Washington Post reported in May. Some intelligence officials argued that using such weapons in other countries could jeopardize the cooperation of international partners on which U.S. law enforcement and intelligence agencies depend.
But the cyber attacks were approved and launched anyway, and the campaign recently received the full-throated endorsement of Army Gen. Raymond A. “Tony” Thomas III, the head of U.S. Special Operations Command. [Continue reading…]
Thomas P. Bossert, Trump’s Homeland Security Advisor, writes: Cybersecurity isn’t easy, but simple principles still apply. Accountability is one, cooperation another. They are the cornerstones of security and resilience in any society. In furtherance of both, and after careful investigation, the U.S. today publicly attributes the massive “WannaCry” cyberattack to North Korea.
The attack spread indiscriminately across the world in May. It encrypted and rendered useless hundreds of thousands of computers in hospitals, schools, businesses and homes. While victims received ransom demands, paying did not unlock their computers. It was cowardly, costly and careless. The attack was widespread and cost billions, and North Korea is directly responsible.
We do not make this allegation lightly. It is based on evidence. We are not alone with our findings, either. Other governments and private companies agree. The United Kingdom attributes the attack to North Korea, and Microsoft traced the attack to cyber affiliates of the North Korean government. [Continue reading…]
Last May, Quinn Norton wrote: The story of WannaCry (also called Wcry and WannaCrypt) begins somewhere before 2013, in the hallways of the National Security Agency, but we can only be sure of a few details from that era. The NSA found or purchased the knowledge of a flaw of MicroSoft’s SMB V.1 code, an old bit of network software that lets people share files and resources, like printers. While SMB V.1 has long been superseded by better and safer software, it is still widely used by organizations that can’t, or simply don’t, install the newer software.
The flaw, or bug, is what what people call a vulnerability, but on its own it’s not particularly interesting. Based on this vulnerability, though, the NSA wrote another program—called an exploit—which let them take advantage of the flaw anywhere it existed. The program the NSA wrote was called ETERNALBLUE, and what they used it to do was remarkable.
The NSA gave themselves secret and powerful access to a European banking transaction system called SWIFT, and, in particular, SWIFT’s Middle Eastern transactions, as a subsequent data-dump by a mysterious hacker group demonstrated. Most people know SWIFT as a payment system, part of how they use credit cards and move money. But its anatomy, the guts of the thing, is a series of old Windows computers quietly humming along in offices around the world, constantly talking to each other across the internet in the languages computers only speak to computers.
The NSA used ETERNALBLUE to take over these machines. Security analysts, such as Matthieu Suiche, the founder of Comae Technologies, believe the NSA could see, and as far as we know, even change, the financial data that flowed through much of the Middle East—for years. Many people have speculated on why the NSA did this, speculation that has never been confirmed or denied. A spokesperson for the agency did not immediately reply to The Atlantic’s request for an interview.
But the knowledge of a flaw is simply knowledge. The NSA could not know if anyone else had found this vulnerability, or bought it. They couldn’t know if anyone else was using it, unless that someone else was caught using it. This is the nature of all computer flaws.
In 2013 a group the world would know later as The Shadow Brokers somehow obtained not only ETERNALBLUE, but a large collection of NSA programs and documents. The NSA and the United States government hasn’t indicated whether they know how this happened, or if they know who The Shadow Brokers are. The Shadow Brokers communicate publicly using a form of broken English so unlikely that many people assume they are native English speakers attempting to masquerade themselves as non-native—but that remains speculative. Wherever they are from, the trove they stole and eventually posted for all the world to see on the net contained powerful tools, and the knowledge of many flaws in software used around the world. WannaCry is the first known global crisis to come from these NSA tools. Almost without a doubt, it will not be the last.
A few months ago, someone told Microsoft about the vulnerabilities in the NSA tools before The Shadow Brokers released their documents. There is much speculation about who did this, but, as with so many parts of this story, it is still only that—speculation. Microsoft may or may not even know for sure who told them. Regardless, Microsoft got the chance to release a program that fixed the flaw in SMB V.1 before the flaw became public knowledge. But they couldn’t make anyone use their fix, because using any fix—better known as patching or updating—is always at the discretion of the user. They also didn’t release it for very old versions of Windows. Those old versions are so flawed that Microsoft has every reason to hope people stop using them—and not just because it allows the company to profit from new software purchases.
There is another wrinkle in this already convoluted landscape: Microsoft knew SMB V.1, which was decades old, wasn’t very good software. They’d been trying to abandon it for 10 years, and had replaced it with a stronger and more efficient version. But they couldn’t throw out SMB V.1 completely because so many people were using it. After WannaCry had started its run around the world, the head of SMB for Microsoft tweeted this as part of a long and frustrated thread:
That's the irony: Windows has not used or needed SMB1 for 10 years. The usage is mostly from Linux systems and firmware.
— Ned Pyle (@NerdPyle) May 13, 2017
The more new and outdated systems connect, the more chance there is to break everything with a single small change.
We live in an interconnected world, and in a strange twist of irony, that interconnectedness can make it difficult to change anything at all. This is why so many systems remain insecure for years: global banking systems, and Spanish telecoms, and German trains, and the National Health Service of the United Kingdom. [Continue reading…]
Iran is one of the leading cyberspace adversaries of the United States. It emerged as a cyberthreat a few years later than Russia and China and has so far demonstrated less skill. Nevertheless, it has conducted several highly damaging cyberattacks and become a major threat that will only get worse.
Like Russia and China, the history of Iran’s cyberspace operations begins with its hackers. But unlike these other countries, Iran openly encourages its hackers to launch cyberattacks against its enemies. The government not only recruits hackers into its cyberforces but supports their independent operations.
Julia Ioffe writes: Over the past year, Russian hackers have become the stuff of legend in the United States. According to U.S. intelligence assessments and media investigations, they were responsible for breaching the servers of the Democratic National Committee and the Democratic Congressional Campaign Committee. They spread the information they filched through friendly outlets such as WikiLeaks, to devastating effect. With President Vladimir Putin’s blessing, they probed the voting infrastructure of various U.S. states. They quietly bought divisive ads and organized political events on Facebook, acting as the bellows in America’s raging culture wars.
But most Russians don’t recognize the Russia portrayed in this story: powerful, organized, and led by an omniscient, omnipotent leader who is able to both formulate and execute a complex and highly detailed plot.
Gleb Pavlovsky, a political consultant who helped Putin win his first presidential campaign, in 2000, and served as a Kremlin adviser until 2011, simply laughed when I asked him about Putin’s role in Donald Trump’s election. “We did an amazing job in the first decade of Putin’s rule of creating the illusion that Putin controls everything in Russia,” he said. “Now it’s just funny” how much Americans attribute to him.
A businessman who is high up in Putin’s United Russia party said over an espresso at a Moscow café: “You’re telling me that everything in Russia works as poorly as it does, except our hackers? Rosneft”—the state-owned oil giant—“doesn’t work well. Our health-care system doesn’t work well. Our education system doesn’t work well. And here, all of a sudden, are our hackers, and they’re amazing?”
In the same way that Russians overestimate America, seeing it as an all-powerful orchestrator of global political developments, Americans project their own fears onto Russia, a country that is a paradox of deftness, might, and profound weakness—unshakably steady, yet somehow always teetering on the verge of collapse. Like America, it is hostage to its peculiar history, tormented by its ghosts. [Continue reading…]
The Associated Press reports: The FBI failed to notify scores of U.S. officials that Russian hackers were trying to break into their personal Gmail accounts despite having evidence for at least a year that the targets were in the Kremlin’s crosshairs, The Associated Press has found.
Nearly 80 interviews with Americans targeted by Fancy Bear, a Russian government-aligned cyberespionage group, turned up only two cases in which the FBI had provided a heads-up. Even senior policymakers discovered they were targets only when the AP told them, a situation some described as bizarre and dispiriting.
“It’s utterly confounding,” said Philip Reiner, a former senior director at the National Security Council, who was notified by the AP that he was targeted in 2015. “You’ve got to tell your people. You’ve got to protect your people.”
The FBI declined to discuss its investigation into Fancy Bear’s spying campaign, but did provide a statement that said in part: “The FBI routinely notifies individuals and organizations of potential threat information.”
Three people familiar with the matter — including a current and a former government official — said the FBI has known for more than a year the details of Fancy Bear’s attempts to break into Gmail inboxes. A senior FBI official, who was not authorized to publicly discuss the hacking operation because of its sensitivity, declined to comment on when it received the target list, but said that the bureau was overwhelmed by the sheer number of attempted hacks. [Continue reading…]
Bloomberg reports: Wendy McElroy is ready for most doomsday scenarios: a one-year supply of nonperishable food is stacked in a cellar at her farm in rural Ontario. Her blueprint for survival also depends upon working internet: part of her money, assuming she needs some after civilization collapses, is in bitcoin.
Across the North American countryside, preppers like McElroy are storing more and more of their wealth in invisible wallets in cyberspace instead of stockpiling gold bars and coins in their bunkers and basement safes.
They won’t be able to access their virtual cash the moment a catastrophe knocks out the power grid or the web, but that hasn’t dissuaded them. Even staunch survivalists are convinced bitcoin will endure economic collapse, global pandemic, climate change catastrophes and nuclear war. [Continue reading…]
Bloomberg reports: Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc., a massive breach that the company concealed for more than a year. This week, the ride-hailing company ousted Joe Sullivan, chief security officer, and one of his deputies for their roles in keeping the hack under wraps.
Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers were accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card details, trip location info or other data were taken, Uber said.
At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers $100,000 to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.
“None of this should have happened, and I will not make excuses for it,” Dara Khosrowshahi, who took over as chief executive officer in September, said in an emailed statement. “We are changing the way we do business.” [Continue reading…]
The New York Times reports: Russian hackers over the past 12 months have tried to attack the British energy, telecommunications and media industries, the government’s top cybersecurity official said Tuesday in a summary of a speech to be delivered on Wednesday.
The warning, by Ciaran Martin, chief of the National Cyber Security Center, is the strongest indication yet that Russian cyberattacks on Western governments and industries may be far more persistent than United States or British officials have previously acknowledged. [Continue reading…]
The Associated Press reports: It was just before noon in Moscow on March 10, 2016, when the first volley of malicious messages hit the Hillary Clinton campaign.
The first 29 phishing emails were almost all misfires. Addressed to people who worked for Clinton during her first presidential run, the messages bounced back untouched.
Within nine days, some of the campaign’s most consequential secrets would be in the hackers’ hands, part of a massive operation aimed at vacuuming up millions of messages from thousands of inboxes across the world.
An Associated Press investigation into the digital break-ins that disrupted the U.S. presidential contest has sketched out an anatomy of the hack that led to months of damaging disclosures about the Democratic Party’s nominee. It wasn’t just a few aides that the hackers went after; it was an all-out blitz across the Democratic Party. They tried to compromise Clinton’s inner circle and more than 130 party employees, supporters and contractors. [Continue reading…]
The Wall Street Journal reports: The Justice Department has identified more than six members of the Russian government involved in hacking the Democratic National Committee’s computers and swiping sensitive information that became public during the 2016 presidential election, according to people familiar with the investigation.
Prosecutors and agents have assembled evidence to charge the Russian officials and could bring a case next year, these people said. Discussions about the case are in the early stages, they said.
If filed, the case would provide the clearest picture yet of the actors behind the DNC intrusion. U.S. intelligence agencies have attributed the attack to Russian intelligence services, but haven’t provided detailed information about how they concluded those services were responsible, or any details about the individuals allegedly involved. [Continue reading…]
— Julia Davis (@JuliaDavisNews) October 30, 2017
Mother Jones reports: Four years ago, the Trump Organization experienced a major cyber breach that could have allowed the perpetrator (or perpetrators) to mount malware attacks from the company’s web domains and may have enabled the intruders to gain access to the company’s computer network. Up until this week, this penetration had gone undetected by President Donald Trump’s company, according to several internet security researchers.
In 2013, a hacker (or hackers) apparently obtained access to the Trump Organization’s domain registration account and created at least 250 website subdomains that cybersecurity experts refer to as “shadow” subdomains. Each one of these shadow Trump subdomains pointed to a Russian IP address, meaning that they were hosted at these Russian addresses. (Every website domain is associated with one or more IP addresses. These addresses allow the internet to find the server that hosts the website. Authentic Trump Organization domains point to IP addresses that are hosted in the United States or countries where the company operates.) The creation of these shadow subdomains within the Trump Organization network was visible in the publicly available records of the company’s domains. [Continue reading…]
The New York Times reports: When North Korean hackers tried to steal $1 billion from the New York Federal Reserve last year, only a spelling error stopped them. They were digitally looting an account of the Bangladesh Central Bank, when bankers grew suspicious about a withdrawal request that had misspelled “foundation” as “fandation.”
Even so, Kim Jong-un’s minions still got away with $81 million in that heist.
Then only sheer luck enabled a 22-year-old British hacker to defuse the biggest North Korean cyberattack to date, a ransomware attack last May that failed to generate much cash but brought down hundreds of thousands of computers across dozens of countries — and briefly crippled Britain’s National Health Service.
Their track record is mixed, but North Korea’s army of more than 6,000 hackers is undeniably persistent, and undeniably improving, according to American and British security officials who have traced these attacks and others back to the North.
Amid all the attention on Pyongyang’s progress in developing a nuclear weapon capable of striking the continental United States, the North Koreans have also quietly developed a cyberprogram that is stealing hundreds of millions of dollars and proving capable of unleashing global havoc.
Unlike its weapons tests, which have led to international sanctions, the North’s cyberstrikes have faced almost no pushback or punishment, even as the regime is already using its hacking capabilities for actual attacks against its adversaries in the West.
And just as Western analysts once scoffed at the potential of the North’s nuclear program, so did experts dismiss its cyberpotential — only to now acknowledge that hacking is an almost perfect weapon for a Pyongyang that is isolated and has little to lose. [Continue reading…]
The New York Times reports: It was a case of spies watching spies watching spies: Israeli intelligence officers looked on in real time as Russian government hackers searched computers around the world for the code names of American intelligence programs.
What gave the Russian hacking, detected more than two years ago, such global reach was its improvised search tool — antivirus software made by a Russian company, Kaspersky Lab, that is used by 400 million people worldwide, including by officials at some two dozen American government agencies.
The Israeli officials who had hacked into Kaspersky’s own network alerted the United States to the broad Russian intrusion, which has not been previously reported, leading to a decision just last month to order Kaspersky software removed from government computers.
The Russian operation, described by multiple people who have been briefed on the matter, is known to have stolen classified documents from a National Security Agency employee who had improperly stored them on his home computer, on which Kaspersky’s antivirus software was installed. What additional American secrets the Russian hackers may have gleaned from multiple agencies, by turning the Kaspersky software into a sort of Google search for sensitive information, is not yet publicly known.
The current and former government officials who described the episode spoke about it on condition of anonymity because of classification rules.
Like most security software, Kaspersky Lab’s products require access to everything stored on a computer in order to scour it for viruses or other dangers. Its popular antivirus software scans for signatures of malicious software, or malware, then removes or neuters it before sending a report back to Kaspersky. That procedure, routine for such software, provided a perfect tool for Russian intelligence to exploit to survey the contents of computers and retrieve whatever they found of interest. [Continue reading…]
Even though the reporting is sloppy, where it says an NSA employee using his home computer “on which Kaspersky’s antivirus software was installed,” there’s little reason to doubt that this software had been installed by choice by that employee. Moreover, he most likely chose that software for the same reason most experienced users do: he believed it performs better than competing products. And as for the fact that the software detected the NSA hacking tools, that’s what antivirus software is designed to do.
In spite of the cloud of suspicion that now hangs over all-things-Russian, it’s hard not to wonder whether Kaspersky provoked the ire of Israeli and American intelligence through its work on exposing the operation of Stuxnet. Kaspersky’s role in raising public awareness about cyberwarfare operations can hardly have been welcomed by the agencies running those operations.
Given that “antivirus is the ultimate back door,” as Blake Darché, a former NSA operator, observes, this raises questions that aren’t touched upon in the reporting on Kaspersky: do all brands of antivirus software present serious security risks to their users? And do companies such as Symantec actively cooperate with the NSA?
BBC News reports: Hackers from North Korea are reported to have stolen a large cache of military documents from South Korea, including a plan to assassinate North Korea’s leader Kim Jong-un.
Rhee Cheol-hee, a South Korean lawmaker, said the information was from his country’s defence ministry.
The compromised documents include wartime contingency plans drawn up by the US and South Korea.
They also include reports to the allies’ senior commanders.
The South Korean defence ministry has so far refused to comment about the allegation.
Plans for the South’s special forces were reportedly accessed, along with information on significant power plants and military facilities in the South.
Mr Rhee belongs to South Korea’s ruling party, and sits on its parliament’s defence committee. He said some 235 gigabytes of military documents had been stolen from the Defence Integrated Data Centre, and that 80% of them have yet to be identified. [Continue reading…]
Politico reports: White House officials believe that chief of staff John Kelly’s personal cellphone was compromised, potentially as long ago as December, according to three U.S. government officials.
The discovery raises concerns that hackers or foreign governments may have had access to data on Kelly’s phone while he was secretary of Homeland Security and after he joined the West Wing.
Tech support staff discovered the suspected breach after Kelly turned his phone in to White House tech support this summer complaining that it wasn’t working or updating software properly.
Kelly told the staffers the phone hadn’t been working properly for months, according to the officials. [Continue reading…]
Reuters reports: A Russian hacker arrested in Spain on a U.S. warrant said on Thursday he previously worked for President Vladimir Putin’s United Russia party and feared he would be tortured and killed if extradited, RIA news agency reported.
Peter Levashov was arrested while on holiday in Barcelona in April. U.S. prosecutors later charged him with hacking offences, accusing him of operating a network of tens of thousands of infected computers used by cyber criminals.
Levashov’s comments offered a rare glimpse into the relationship between cyber criminals and the Russian state. U.S. officials say Russian authorities routinely shield hackers from prosecution abroad before recruiting them for espionage work. [Continue reading…]
Politico reports: The National Security Agency warned senior White House officials in classified briefings that improper use of personal cellphones and email could make them vulnerable to espionage by Russia, China, Iran and other adversaries, according to officials familiar with the briefings.
The briefings came soon after President Donald Trump was sworn into office on Jan. 20, and before some top aides, including senior adviser Jared Kushner, used their personal email and phones to conduct official White House business, as disclosed by POLITICO this week.
The NSA briefers explained that cyberspies could be using sophisticated malware to turn the personal cellphones of White House aides into clandestine listening devices, to take photos and video without the user’s knowledge and to transfer vast amounts of data via Wi-Fi networks and Bluetooth, according to one former senior U.S. intelligence official familiar with the briefings. [Continue reading…]
The Washington Post reports: The Department of Homeland Security contacted election officials in 21 states Friday to notify them that they had been targeted by Russian government hackers during the 2016 election.
Three months ago, DHS officials said that people connected to the Russian government tried to hack voting registration files or public election sites in 21 states, but Friday was the first time that government officials contacted individual state election officials to let them know they were targeted.
Officials said DHS told officials in all 50 states whether they were hacked or not.
“We heard feedback from the secretaries of state that this was an important piece of information,” said Bob Kolasky, acting deputy undersecretary for DHS’s National Protection and Programs Directorate. “We agreed that this information would help election officials make security decisions.”
He said it was important that the states shore up their systems now “rather than a few weeks before” the 2018 midterm elections. [Continue reading…]