The world once laughed at North Korean cyberpower. No more

The New York Times reports: When North Korean hackers tried to steal $1 billion from the New York Federal Reserve last year, only a spelling error stopped them. They were digitally looting an account of the Bangladesh Central Bank, when bankers grew suspicious about a withdrawal request that had misspelled “foundation” as “fandation.”

Even so, Kim Jong-un’s minions still got away with $81 million in that heist.

Then only sheer luck enabled a 22-year-old British hacker to defuse the biggest North Korean cyberattack to date, a ransomware attack last May that failed to generate much cash but brought down hundreds of thousands of computers across dozens of countries — and briefly crippled Britain’s National Health Service.

Their track record is mixed, but North Korea’s army of more than 6,000 hackers is undeniably persistent, and undeniably improving, according to American and British security officials who have traced these attacks and others back to the North.

Amid all the attention on Pyongyang’s progress in developing a nuclear weapon capable of striking the continental United States, the North Koreans have also quietly developed a cyberprogram that is stealing hundreds of millions of dollars and proving capable of unleashing global havoc.

Unlike its weapons tests, which have led to international sanctions, the North’s cyberstrikes have faced almost no pushback or punishment, even as the regime is already using its hacking capabilities for actual attacks against its adversaries in the West.

And just as Western analysts once scoffed at the potential of the North’s nuclear program, so did experts dismiss its cyberpotential — only to now acknowledge that hacking is an almost perfect weapon for a Pyongyang that is isolated and has little to lose. [Continue reading…]

How Israel caught Russian hackers scouring the world for U.S. secrets

The New York Times reports: It was a case of spies watching spies watching spies: Israeli intelligence officers looked on in real time as Russian government hackers searched computers around the world for the code names of American intelligence programs.

What gave the Russian hacking, detected more than two years ago, such global reach was its improvised search tool — antivirus software made by a Russian company, Kaspersky Lab, that is used by 400 million people worldwide, including by officials at some two dozen American government agencies.

The Israeli officials who had hacked into Kaspersky’s own network alerted the United States to the broad Russian intrusion, which has not been previously reported, leading to a decision just last month to order Kaspersky software removed from government computers.

The Russian operation, described by multiple people who have been briefed on the matter, is known to have stolen classified documents from a National Security Agency employee who had improperly stored them on his home computer, on which Kaspersky’s antivirus software was installed. What additional American secrets the Russian hackers may have gleaned from multiple agencies, by turning the Kaspersky software into a sort of Google search for sensitive information, is not yet publicly known.

The current and former government officials who described the episode spoke about it on condition of anonymity because of classification rules.

Like most security software, Kaspersky Lab’s products require access to everything stored on a computer in order to scour it for viruses or other dangers. Its popular antivirus software scans for signatures of malicious software, or malware, then removes or neuters it before sending a report back to Kaspersky. That procedure, routine for such software, provided a perfect tool for Russian intelligence to exploit to survey the contents of computers and retrieve whatever they found of interest. [Continue reading…]

Even though the reporting is sloppy, where it says an NSA employee using his home computer “on which Kaspersky’s antivirus software was installed,” there’s little reason to doubt that this software had been installed by choice by that employee. Moreover, he most likely chose that software for the same reason most experienced users do: he believed it performs better than competing products. And as for the fact that the software detected the NSA hacking tools, that’s what antivirus software is designed to do.

In spite of the cloud of suspicion that now hangs over all-things-Russian, it’s hard not to wonder whether Kaspersky provoked the ire of Israeli and American intelligence through its work on exposing the operation of Stuxnet. Kaspersky’s role in raising public awareness about cyberwarfare operations can hardly have been welcomed by the agencies running those operations.

Given that “antivirus is the ultimate back door,” as Blake Darché, a former NSA operator, observes, this raises questions that aren’t touched upon in the reporting on Kaspersky: do all brands of antivirus software present serious security risks to their users? And do companies such as Symantec actively cooperate with the NSA?

North Korea ‘hackers steal U.S.-South Korea war plans’

BBC News reports: Hackers from North Korea are reported to have stolen a large cache of military documents from South Korea, including a plan to assassinate North Korea’s leader Kim Jong-un.

Rhee Cheol-hee, a South Korean lawmaker, said the information was from his country’s defence ministry.

The compromised documents include wartime contingency plans drawn up by the US and South Korea.

They also include reports to the allies’ senior commanders.

The South Korean defence ministry has so far refused to comment about the allegation.

Plans for the South’s special forces were reportedly accessed, along with information on significant power plants and military facilities in the South.

Mr Rhee belongs to South Korea’s ruling party, and sits on its parliament’s defence committee. He said some 235 gigabytes of military documents had been stolen from the Defence Integrated Data Centre, and that 80% of them have yet to be identified. [Continue reading…]

John Kelly’s personal cellphone was compromised, White House believes

Politico reports: White House officials believe that chief of staff John Kelly’s personal cellphone was compromised, potentially as long ago as December, according to three U.S. government officials.

The discovery raises concerns that hackers or foreign governments may have had access to data on Kelly’s phone while he was secretary of Homeland Security and after he joined the West Wing.

Tech support staff discovered the suspected breach after Kelly turned his phone in to White House tech support this summer complaining that it wasn’t working or updating software properly.

Kelly told the staffers the phone hadn’t been working properly for months, according to the officials. [Continue reading…]

Russian hacker wanted by U.S. tells court he worked for Putin’s party

Reuters reports: A Russian hacker arrested in Spain on a U.S. warrant said on Thursday he previously worked for President Vladimir Putin’s United Russia party and feared he would be tortured and killed if extradited, RIA news agency reported.

Peter Levashov was arrested while on holiday in Barcelona in April. U.S. prosecutors later charged him with hacking offences, accusing him of operating a network of tens of thousands of infected computers used by cyber criminals.

Levashov’s comments offered a rare glimpse into the relationship between cyber criminals and the Russian state. U.S. officials say Russian authorities routinely shield hackers from prosecution abroad before recruiting them for espionage work. [Continue reading…]

NSA warned White House against using personal email

Politico reports: The National Security Agency warned senior White House officials in classified briefings that improper use of personal cellphones and email could make them vulnerable to espionage by Russia, China, Iran and other adversaries, according to officials familiar with the briefings.

The briefings came soon after President Donald Trump was sworn into office on Jan. 20, and before some top aides, including senior adviser Jared Kushner, used their personal email and phones to conduct official White House business, as disclosed by POLITICO this week.

The NSA briefers explained that cyberspies could be using sophisticated malware to turn the personal cellphones of White House aides into clandestine listening devices, to take photos and video without the user’s knowledge and to transfer vast amounts of data via Wi-Fi networks and Bluetooth, according to one former senior U.S. intelligence official familiar with the briefings. [Continue reading…]

21 states told they were targeted by Russian hackers during 2016 election

The Washington Post reports: The Department of Homeland Security contacted election officials in 21 states Friday to notify them that they had been targeted by Russian government hackers during the 2016 election.

Three months ago, DHS officials said that people connected to the Russian government tried to hack voting registration files or public election sites in 21 states, but Friday was the first time that government officials contacted individual state election officials to let them know they were targeted.

Officials said DHS told officials in all 50 states whether they were hacked or not.

“We heard feedback from the secretaries of state that this was an important piece of information,” said Bob Kolasky, acting deputy undersecretary for DHS’s National Protection and Programs Directorate. “We agreed that this information would help election officials make security decisions.”

He said it was important that the states shore up their systems now “rather than a few weeks before” the 2018 midterm elections. [Continue reading…]

U.S. bans use of Kaspersky software in federal agencies amid concerns of Russian espionage

The Washington Post reports: The U.S. government on Wednesday moved to ban the use of a Russian brand of security software by federal agencies amid concerns the company has ties to state-sponsored cyberespionage activities.

In a binding directive, acting homeland security secretary Elaine Duke ordered that federal civilian agencies identify Kaspersky Lab software on their networks. After 90 days, unless otherwise directed, they must remove the software, on the grounds that the company has connections to the Russian government and its software poses a security risk.

The Department of Homeland Security “is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” the department said in a statement. “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.” [Continue reading…]

WikiLeaks turned down leaks on Russian government during U.S. presidential campaign

Foreign Policy reports: In the summer of 2016, as WikiLeaks was publishing documents from Democratic operatives allegedly obtained by Kremlin-directed hackers, Julian Assange turned down a large cache of documents related to the Russian government, according to chat messages and a source who provided the records.

WikiLeaks declined to publish a wide-ranging trove of documents — at least 68 gigabytes of data — that came from inside the Russian Interior Ministry, according to partial chat logs reviewed by Foreign Policy.

The logs, which were provided to FP, only included WikiLeaks’s side of the conversation.

“As far as we recall these are already public,” WikiLeaks wrote at the time.

“WikiLeaks rejects all submissions that it cannot verify. WikiLeaks rejects submissions that have already been published elsewhere or which are likely to be considered insignificant. WikiLeaks has never rejected a submission due to its country of origin,” the organization wrote in a Twitter direct message when contacted by FP about the Russian cache.

(The account is widely believed to be operated solely by Assange, the group’s founder, but in a Twitter message to FP, the organization said it is maintained by “staff.”)

In 2014, the BBC and other news outlets reported on the cache, which revealed details about Russian military and intelligence involvement in Ukraine. However, the information from that hack was less than half the data that later became available in 2016, when Assange turned it down.

“We had several leaks sent to Wikileaks, including the Russian hack. It would have exposed Russian activities and shown WikiLeaks was not controlled by Russian security services,” the source who provided the messages wrote to FP. “Many Wikileaks staff and volunteers or their families suffered at the hands of Russian corruption and cruelty, we were sure Wikileaks would release it. Assange gave excuse after excuse.”

The Russian cache was eventually quietly published online elsewhere, to almost no attention or scrutiny. [Continue reading…]

In Ukraine, a malware expert who could blow the whistle on Russian hacking

The New York Times reports: The hacker, known only by his online alias “Profexer,” kept a low profile. He wrote computer code alone in an apartment and quietly sold his handiwork on the anonymous portion of the internet known as the Dark Web. Last winter, he suddenly went dark entirely.

Profexer’s posts, already accessible only to a small band of fellow hackers and cybercriminals looking for software tips, blinked out in January — just days after American intelligence agencies publicly identified a program he had written as one tool used in the hacking of the Democratic National Committee.

But while Profexer’s online persona vanished, a flesh-and-blood person has emerged: a fearful man who the Ukrainian police said turned himself in early this year, and has now become a witness for the F.B.I.

“I don’t know what will happen,” he wrote in one of his last messages posted on a restricted-access website before going to the police. “It won’t be pleasant. But I’m still alive.”

It is the first known instance of a living witness emerging from the arid mass of technical detail that has so far shaped the investigation into the D.N.C. hack and the heated debate it has stirred. The Ukrainian police declined to divulge the man’s name or other details, other than that he is living in Ukraine and has not been arrested. [Continue reading…]

A guide to Russia’s high tech tool box for subverting U.S. democracy

Garrett M Graff writes: A dead dog in Moscow. A dead dissident in London. Twitter trolls run by the Kremlin’s Internet Research Agency. Denial of service attacks and ransomware deployed across Ukraine. News reports from the DC offices of Sputnik and RT. Spies hidden in the heart of Wall Street. The hacking of John Podesta’s creamy risotto recipe. And a century-old fabricated staple of anti-Semitic hate literature.

At first glance these disparate phenomena might seem only vaguely connected. Sure, they can all be traced back to Russia. But is there any method to their badness? The definitive answer, according to Russia experts inside and outside the US government, is most certainly yes. In fact, they are part of an increasingly digital intelligence playbook known as “active measures,” a wide-ranging set of techniques and strategies that Russian military and intelligence services deploy to influence the affairs of nations across the globe.

As the investigation into Russia’s influence on the 2016 election—and the Trump campaign’s potential participation in that effort—has intensified this summer, the Putin regime’s systematic effort to undermine and destabilize democracies has become the subject of urgent focus in the West. According to interviews with more than a dozen US and European intelligence officials and diplomats, Russian active measures represent perhaps the biggest challenge to the Western order since the fall of the Berlin Wall. The consensus: Vladimir Putin, playing a poor hand economically and demographically at home, is seeking to destabilize the multilateral institutions, partnerships, and Western democracies that have kept the peace during the past seven decades.

The coordinated and multifaceted Russia efforts in the 2016 election—from the attacks on the DNC and John Podesta’s email to a meeting between a Russian lawyer and Donald Trump Jr. that bears all the hallmarks of an intelligence mission—likely involved every major Russian intelligence service: the foreign intelligence service (known as the SVR) as well as the state security service (the FSB, the successor to the KGB), and the military intelligence (the GRU), both of which separately penetrated servers at the DNC.

Understanding just how extensive and coordinated Russia’s operations against the West are represents the first step in confronting—and defeating—Putin’s increased aggression, particularly as it becomes clear that the 2016 election interference was just a starting point. “If there has ever been a clarion call for vigilance and action against a threat to the very foundation of our democratic political system, this episode is it,” former director of national intelligence James Clapper said this spring. “I hope the American people recognize the severity of this threat and that we collectively counter it before it further erodes the fabric of our democracy.”

Indeed, Western intelligence leaders have warned throughout the spring that they expect Russia to use similar tricks in German parliamentary election this fall, as well as in the 2018 US congressional midterms and the 2020 presidential race. “Russia is not constrained by a rule of law or a sense of ethics—same with ISIS, same with China,” says Chris Donnelly, director of the UK-based Institute for Statecraft. “They’re trying to change the rules of the game, which they’ve seen us set in our favor.” [Continue reading…]

The hacking wars are going to get much worse

Adam Segal writes: Reports this month that the United Arab Emirates orchestrated the hacking of a Qatari news agency, helping to incite a crisis in the Middle East, are as unsurprising as they are unwelcome. For years, countries — in particular Russia — have used cyberattacks and the dissemination of disinformation through social media and news outlets to provoke protests, sway elections and undermine trust in institutions. It was only a matter of time before smaller states tried their hand at these tactics.

With few accepted rules of behavior in cyberspace, countries as big as China or as small as Bahrain can be expected to use these kinds of attacks. And they may eventually spill over into real-world military conflicts.

The hacking attacks in the Gulf seem to follow a typical pattern of going after the media and the email accounts of prominent individuals. According to American intelligence officials, in late May, hackers supported by the United Arab Emirates infiltrated Qatari government news and social media sites. The attackers planted quotations falsely attributed to Sheikh Tamim bin Hamad al-Thani, Qatar’s leader, praising Iran, Hamas and Israel. [Continue reading…]

Russia used Facebook to try to spy on Macron campaign

Reuters reports: Russian intelligence agents attempted to spy on President Emmanuel Macron’s election campaign earlier this year by creating phony Facebook personas, according to a U.S. Congressman and two other people briefed on the effort.

About two dozen Facebook accounts were created to conduct surveillance on Macron campaign officials and others close to the centrist former financier as he sought to defeat far-right nationalist Marine Le Pen and other opponents in the two-round election, the sources said. Macron won in a landslide in May.

Facebook said in April it had taken action against fake accounts that were spreading misinformation about the French election. But the effort to infiltrate the social networks of Macron officials has not previously been reported. [Continue reading…]

In cyberwarfare, everyone is a combatant

The Wall Street Journal reports: This is already a banner year for hacks, breaches and cyberwarfare, but the past week was exceptional.

South Carolina reported hackers attempted to access the state’s voter-registration system 150,000 times on Election Day last November—part of what former Homeland Security Secretary Jeh Johnson alleges is a 21-state attack perpetrated by Russia. And U.S. intelligence officials alleged that agents working for the United Arab Emirates planted false information in Qatari news outlets and social media, leading to sanctions and a rift with Qatar’s allies. Meanwhile, Lloyd’s of London declared that the takedown of a significant cloud service could lead to monetary damages on par with those of Hurricane Katrina.

Threats to the real world from the cyberworld are worse than ever, and the situation continues to deteriorate. A new kind of war is upon us, one characterized by coercion rather than the use of force, says former State Department official James Lewis, a cybersecurity specialist at the Center for Strategic and International Studies.

Businesses and individuals now are directly affected in ways that were impossible in the first Cold War. In another age, the threat of nuclear annihilation loomed over everyone’s heads, but the cloak-and-dagger doings of global powers remained distinct from the day-to-day operations of businesses. Now, they are hopelessly entangled. The often unfathomable priorities of terrorists, cybercriminals and state-affiliated hackers only make things worse.

The current climate of cyberattacks is “crazy,” says Christopher Ahlberg of Recorded Future, a private intelligence firm that specializes in cyberthreats. “It’s like a science-fiction book. If you told anybody 10 years ago about what’s going on now, they wouldn’t believe it.”

In the first Cold War, the U.S., China and the Soviet Union fought proxy wars rather than confront one another directly. In Cold War 2.0, we still have those—Syria and whatever is brewing in North Korea come to mind—but much of the proxy fighting now happens online.

The result is significant collateral damage for businesses that aren’t even a party to the conflicts, says Corey Thomas, chief executive of cybersecurity firm Rapid7. Recent ransomware attacks that some analysts attribute to Russia might have been aimed at Ukraine but resulted in the shutdown of computer systems at businesses and governments around the world. Russia has denied involvement in these attacks. Botnets made of internet-connected devices, stitched together by an unknown hacker for unknown reasons, caused countless internet services and websites to become unavailable in October 2016. [Continue reading…]

Putin’s hackers now under attack — from Microsoft

The Daily Beast reports: A new offensive by Microsoft has been making inroads against the Russian government hackers behind last year’s election meddling, identifying over 120 new targets of the Kremlin’s cyber spying, and control-alt-deleting segments of Putin’s hacking apparatus.

How are they doing it? It turns out Microsoft has something even more formidable than Moscow’s malware: Lawyers.

Last year attorneys for the software maker quietly sued the hacker group known as Fancy Bear in a federal court outside Washington DC, accusing it of computer intrusion, cybersquatting, and infringing on Microsoft’s trademarks. The action, though, is not about dragging the hackers into court. The lawsuit is a tool for Microsoft to target what it calls “the most vulnerable point” in Fancy Bear’s espionage operations: the command-and-control servers the hackers use to covertly direct malware on victim computers. These servers can be thought of as the spymasters in Russia’s cyber espionage, waiting patiently for contact from their malware agents in the field, then issuing encrypted instructions and accepting stolen documents. [Continue reading…]

UAE orchestrated hacking of Qatari sites, sparking regional upheaval, according to U.S. intel officials

The Washington Post reports: The United Arab Emirates orchestrated the hacking of Qatari government news and social media sites in order to post incendiary false quotes attributed to Qatar’s emir, Sheikh Tamim Bin Hamad al-Thani, in late May that sparked the ongoing upheaval between Qatar and its neighbors, according to U.S. intelligence officials.

Officials became aware last week that newly analyzed information gathered by U.S. intelligence agencies confirmed that on May 23, senior members of the UAE government discussed the plan and its implementation. The officials said it remains unclear whether the UAE carried out the hacks itself or contracted to have them done. The false reports said that the emir, among other things, had called Iran an “Islamic power” and praised Hamas.

The hacks and posting took place on May 24, shortly after President Trump completed a lengthy counterterrorism meeting with Persian Gulf leaders in neighboring Saudi Arabia and declared them unified. [Continue reading…]

Soviet veteran who met with Trump Jr. is a master of the dark arts

The New York Times reports: Rinat Akhmetshin, the Russian-American lobbyist who met with Donald Trump Jr. at Trump Tower in June 2016, had one consistent message for the journalists who met him over the years at the luxury hotels where he stayed in Moscow, London and Paris, or at his home on a leafy street in Washington: Never use email to convey information that needed to be kept secret.

While not, he insisted, an expert in the technical aspects of hacking, nor a spy, Mr. Akhmetshin talked openly about how he had worked with a counterintelligence unit while serving with the Red Army after its 1979 invasion of Afghanistan and how easy it was to find tech-savvy professionals ready and able to plunder just about any email account.

A journalist who visited his home was given a thumb drive containing emails that had apparently been stolen by hackers working for one of his clients.

On another occasion, at a meeting with a New York Times reporter at the Ararat Park Hyatt hotel in Moscow, Mr. Akhmetshin, by then an American citizen, informed the journalist he had recently been reading one of his emails: a note sent by the reporter to a Russian-American defense lawyer who had once worked for Mikhail Khodorkovsky, the anti-Kremlin oligarch.

In that instance, the reporter’s email had become public as part of a lawsuit. But the episode suggests Mr. Akhmetshin’s professional focus in the decades since he immigrated to the United States — and the experience that he brought to a meeting last June in New York with President Trump’s oldest son, Donald Trump Jr., his son-in-law, Jared Kushner, and the then-head of the Trump presidential campaign, Paul J. Manafort. [Continue reading…]

Trump team met Russian accused of international hacking conspiracy

The Daily Beast reports: The alleged former Soviet intelligence officer who attended the now-infamous meeting with Donald Trump Jr. and other top campaign officials last June was previously accused in federal and state courts of orchestrating an international hacking conspiracy.

Rinat Akhmetshin told the Associated Press on Friday he accompanied Russian lawyer Natalia Veselnitskaya to the June 9, 2016, meeting with Donald Trump Jr., Jared Kushner, and Paul Manafort. Trump’s attorney confirmed Akhmetshin’s attendance in a statement.

Akhmetshin’s presence at Trump Tower that day adds another layer of controversy to an episode that already provides the clearest indication of collusion between the Kremlin and the Trump campaign. In an email in the run-up to that rendezvous, Donald Trump Jr. was promised “very high level and sensitive information” on Hillary Clinton as “part of Russia and its government’s support for Mr. Trump.”

Akhmetshin had been hired by Veselnitskaya to help with pro-Russian lobbying efforts in Washington. He also met and lobbied Rep. Dana Rohrabacher, chairman of the Foreign Affairs Sub-Committee for Europe, in Berlin in April. [Continue reading…]

Kaspersky Lab has been working with Russian intelligence

Bloomberg reports: The previously unreported emails, from October 2009, are from a thread between Eugene Kaspersky and senior staff. In Russian, Kaspersky outlines a project undertaken in secret a year earlier “per a big request on the Lubyanka side,” a reference to the FSB offices. Kaspersky Lab confirmed the emails are authentic.

The software that the CEO was referring to had the stated purpose of protecting clients, including the Russian government, from distributed denial-of-service (DDoS) attacks, but its scope went further. Kaspersky Lab would also cooperate with internet hosting companies to locate bad actors and block their attacks, while assisting with “active countermeasures,” a capability so sensitive that Kaspersky advised his staff to keep it secret.

“The project includes both technology to protect against attacks (filters) as well as interaction with the hosters (‘spreading’ of sacrifice) and active countermeasures (about which, we keep quiet) and so on,” Kaspersky wrote in one of the emails.

“Active countermeasures” is a term of art among security professionals, often referring to hacking the hackers, or shutting down their computers with malware or other tricks. In this case, Kaspersky may have been referring to something even more rare in the security world. A person familiar with the company’s anti-DDoS system says it’s made up of two parts. The first consists of traditional defensive techniques, including rerouting malicious traffic to servers that can harmlessly absorb it. The second part is more unusual: Kaspersky provides the FSB with real-time intelligence on the hackers’ location and sends experts to accompany the FSB and Russian police when they conduct raids. That’s what Kaspersky was referring to in the emails, says the person familiar with the system. They weren’t just hacking the hackers; they were banging down the doors. [Continue reading…]