Category Archives: hacking

Following the developing Iranian cyberthreat

The Iranian Cyber Army has taken over many websites.
Zone-H, CC BY-NC-ND

By Dorothy Denning, Naval Postgraduate School

Iran is one of the leading cyberspace adversaries of the United States. It emerged as a cyberthreat a few years later than Russia and China and has so far demonstrated less skill. Nevertheless, it has conducted several highly damaging cyberattacks and become a major threat that will only get worse.

Like Russia and China, the history of Iran’s cyberspace operations begins with its hackers. But unlike these other countries, Iran openly encourages its hackers to launch cyberattacks against its enemies. The government not only recruits hackers into its cyberforces but supports their independent operations.

The myth of Vladimir Putin the puppet master

Julia Ioffe writes: Over the past year, Russian hackers have become the stuff of legend in the United States. According to U.S. intelligence assessments and media investigations, they were responsible for breaching the servers of the Democratic National Committee and the Democratic Congressional Campaign Committee. They spread the information they filched through friendly outlets such as WikiLeaks, to devastating effect. With President Vladimir Putin’s blessing, they probed the voting infrastructure of various U.S. states. They quietly bought divisive ads and organized political events on Facebook, acting as the bellows in America’s raging culture wars.

But most Russians don’t recognize the Russia portrayed in this story: powerful, organized, and led by an omniscient, omnipotent leader who is able to both formulate and execute a complex and highly detailed plot.

Gleb Pavlovsky, a political consultant who helped Putin win his first presidential campaign, in 2000, and served as a Kremlin adviser until 2011, simply laughed when I asked him about Putin’s role in Donald Trump’s election. “We did an amazing job in the first decade of Putin’s rule of creating the illusion that Putin controls everything in Russia,” he said. “Now it’s just funny” how much Americans attribute to him.

A businessman who is high up in Putin’s United Russia party said over an espresso at a Moscow café: “You’re telling me that everything in Russia works as poorly as it does, except our hackers? Rosneft”—the state-owned oil giant—“doesn’t work well. Our health-care system doesn’t work well. Our education system doesn’t work well. And here, all of a sudden, are our hackers, and they’re amazing?”

In the same way that Russians overestimate America, seeing it as an all-powerful orchestrator of global political developments, Americans project their own fears onto Russia, a country that is a paradox of deftness, might, and profound weakness—unshakably steady, yet somehow always teetering on the verge of collapse. Like America, it is hostage to its peculiar history, tormented by its ghosts. [Continue reading…]

FBI gave heads-up to fraction of Russian hackers’ U.S. targets

The Associated Press reports: The FBI failed to notify scores of U.S. officials that Russian hackers were trying to break into their personal Gmail accounts despite having evidence for at least a year that the targets were in the Kremlin’s crosshairs, The Associated Press has found.

Nearly 80 interviews with Americans targeted by Fancy Bear, a Russian government-aligned cyberespionage group, turned up only two cases in which the FBI had provided a heads-up. Even senior policymakers discovered they were targets only when the AP told them, a situation some described as bizarre and dispiriting.

“It’s utterly confounding,” said Philip Reiner, a former senior director at the National Security Council, who was notified by the AP that he was targeted in 2015. “You’ve got to tell your people. You’ve got to protect your people.”

The FBI declined to discuss its investigation into Fancy Bear’s spying campaign, but did provide a statement that said in part: “The FBI routinely notifies individuals and organizations of potential threat information.”

Three people familiar with the matter — including a current and a former government official — said the FBI has known for more than a year the details of Fancy Bear’s attempts to break into Gmail inboxes. A senior FBI official, who was not authorized to publicly discuss the hacking operation because of its sensitivity, declined to comment on when it received the target list, but said that the bureau was overwhelmed by the sheer number of attempted hacks. [Continue reading…]

British cybersecurity chief warns of Russian hacking

The New York Times reports: Russian hackers over the past 12 months have tried to attack the British energy, telecommunications and media industries, the government’s top cybersecurity official said Tuesday in a summary of a speech to be delivered on Wednesday.

The warning, by Ciaran Martin, chief of the National Cyber Security Center, is the strongest indication yet that Russian cyberattacks on Western governments and industries may be far more persistent than United States or British officials have previously acknowledged. [Continue reading…]

How Russians hacked the Democrats’ emails

The Associated Press reports: It was just before noon in Moscow on March 10, 2016, when the first volley of malicious messages hit the Hillary Clinton campaign.

The first 29 phishing emails were almost all misfires. Addressed to people who worked for Clinton during her first presidential run, the messages bounced back untouched.

Except one.

Within nine days, some of the campaign’s most consequential secrets would be in the hackers’ hands, part of a massive operation aimed at vacuuming up millions of messages from thousands of inboxes across the world.

An Associated Press investigation into the digital break-ins that disrupted the U.S. presidential contest has sketched out an anatomy of the hack that led to months of damaging disclosures about the Democratic Party’s nominee. It wasn’t just a few aides that the hackers went after; it was an all-out blitz across the Democratic Party. They tried to compromise Clinton’s inner circle and more than 130 party employees, supporters and contractors. [Continue reading…]

U.S. prosecutors consider charging Russian officials in DNC hacking case

The Wall Street Journal reports: The Justice Department has identified more than six members of the Russian government involved in hacking the Democratic National Committee’s computers and swiping sensitive information that became public during the 2016 presidential election, according to people familiar with the investigation.

Prosecutors and agents have assembled evidence to charge the Russian officials and could bring a case next year, these people said. Discussions about the case are in the early stages, they said.

If filed, the case would provide the clearest picture yet of the actors behind the DNC intrusion. U.S. intelligence agencies have attributed the attack to Russian intelligence services, but haven’t provided detailed information about how they concluded those services were responsible, or any details about the individuals allegedly involved. [Continue reading…]

Hackers with possible Russian ties compromised the Trump Organization 4 years ago — and the company never noticed

Mother Jones reports: Four years ago, the Trump Organization experienced a major cyber breach that could have allowed the perpetrator (or perpetrators) to mount malware attacks from the company’s web domains and may have enabled the intruders to gain access to the company’s computer network. Up until this week, this penetration had gone undetected by President Donald Trump’s company, according to several internet security researchers.

In 2013, a hacker (or hackers) apparently obtained access to the Trump Organization’s domain registration account and created at least 250 website subdomains that cybersecurity experts refer to as “shadow” subdomains. Each one of these shadow Trump subdomains pointed to a Russian IP address, meaning that they were hosted at these Russian addresses. (Every website domain is associated with one or more IP addresses. These addresses allow the internet to find the server that hosts the website. Authentic Trump Organization domains point to IP addresses that are hosted in the United States or countries where the company operates.) The creation of these shadow subdomains within the Trump Organization network was visible in the publicly available records of the company’s domains. [Continue reading…]
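The report's point is that the shadow subdomains were detectable from the outset in public DNS data: every A/AAAA record for the company's names pointed somewhere the company did not host. The following is an added example, not code from the Mother Jones report or from the Trump Organization, of the audit a defender would run over a zone export. It assumes a constructed zone export (a list of name, record type, value tuples), a constructed inventory of known hostnames, and an allow-list of hosting ranges drawn from documentation address space (RFC 5737 / RFC 3849); in a real audit the records would come from the registrar or DNS provider's export or API, which is outside this example.

```python
"""Audit a DNS zone export for "shadow" subdomains.

Added example, not code from the report or the company it describes. Input is
a constructed zone export (name, record_type, value) plus a constructed
inventory and allow-list. Any A/AAAA record whose name is not in the
inventory, or whose address falls outside the allowed hosting ranges, is
flagged for review, with both reasons reported separately.
"""
import ipaddress
from typing import Iterable

# Constructed sample data: example.com stands in for the audited domain and
# the addresses are documentation ranges, not anyone's real hosting.
ALLOWED_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),   # assumed: the company's own hosting
    ipaddress.ip_network("2001:db8:1::/48"),   # assumed: the company's own hosting
]

KNOWN_HOSTS = {"www.example.com", "mail.example.com", "hotels.example.com"}

ZONE_RECORDS = [
    ("www.example.com", "A", "198.51.100.10"),
    ("mail.example.com", "A", "198.51.100.20"),
    ("hotels.example.com", "AAAA", "2001:db8:1::5"),
    # A known name that has been pointed off-site: only the address is wrong.
    ("hotels.example.com", "A", "203.0.113.9"),
    # Shadow entries: names nobody in the inventory registered, hosted elsewhere.
    ("login-secure.example.com", "A", "203.0.113.77"),
    ("cdn1.example.com", "A", "203.0.113.78"),
    ("cdn1.example.com", "TXT", "v=spf1 -all"),  # non-address record, skipped
]


def is_allowed(address: str) -> bool:
    """True if the address sits inside one of the allowed hosting ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in ALLOWED_RANGES)


def find_shadow_subdomains(records: Iterable[tuple[str, str, str]],
                           known_hosts: set[str]) -> list[dict]:
    """Return one finding per suspicious A/AAAA record, in zone order.

    Both checks run independently so an analyst can tell "unknown name on
    our own hosting" (likely an undocumented internal host) from "known name
    moved off-site" (likely a hijacked record) from "unknown name off-site"
    (the shadow-subdomain pattern described in the report).
    """
    findings = []
    for name, rtype, value in records:
        if rtype not in ("A", "AAAA"):
            continue
        reasons = []
        if name not in known_hosts:
            reasons.append("name not in inventory")
        if not is_allowed(value):
            reasons.append("address outside allowed ranges")
        if reasons:
            findings.append({"name": name, "type": rtype,
                             "value": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_shadow_subdomains(ZONE_RECORDS, KNOWN_HOSTS):
        print(f"{f['name']:28} {f['type']:5} {f['value']:16} "
              f"{', '.join(f['reasons'])}")
```

Run it periodically against a fresh export and diff the findings against the previous run; the 250 subdomains in the report would have appeared as a burst of "name not in inventory, address outside allowed ranges" findings on the day they were created, which is the signal the company never looked for.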

The world once laughed at North Korean cyberpower. No more

The New York Times reports: When North Korean hackers tried to steal $1 billion from the New York Federal Reserve last year, only a spelling error stopped them. They were digitally looting an account of the Bangladesh Central Bank, when bankers grew suspicious about a withdrawal request that had misspelled “foundation” as “fandation.”

Even so, Kim Jong-un’s minions still got away with $81 million in that heist.

Then only sheer luck enabled a 22-year-old British hacker to defuse the biggest North Korean cyberattack to date, a ransomware attack last May that failed to generate much cash but brought down hundreds of thousands of computers across dozens of countries — and briefly crippled Britain’s National Health Service.

Their track record is mixed, but North Korea’s army of more than 6,000 hackers is undeniably persistent, and undeniably improving, according to American and British security officials who have traced these attacks and others back to the North.

Amid all the attention on Pyongyang’s progress in developing a nuclear weapon capable of striking the continental United States, the North Koreans have also quietly developed a cyberprogram that is stealing hundreds of millions of dollars and proving capable of unleashing global havoc.

Unlike its weapons tests, which have led to international sanctions, the North’s cyberstrikes have faced almost no pushback or punishment, even as the regime is already using its hacking capabilities for actual attacks against its adversaries in the West.

And just as Western analysts once scoffed at the potential of the North’s nuclear program, so did experts dismiss its cyberpotential — only to now acknowledge that hacking is an almost perfect weapon for a Pyongyang that is isolated and has little to lose. [Continue reading…]

How Israel caught Russian hackers scouring the world for U.S. secrets

The New York Times reports: It was a case of spies watching spies watching spies: Israeli intelligence officers looked on in real time as Russian government hackers searched computers around the world for the code names of American intelligence programs.

What gave the Russian hacking, detected more than two years ago, such global reach was its improvised search tool — antivirus software made by a Russian company, Kaspersky Lab, that is used by 400 million people worldwide, including by officials at some two dozen American government agencies.

The Israeli officials who had hacked into Kaspersky’s own network alerted the United States to the broad Russian intrusion, which has not been previously reported, leading to a decision just last month to order Kaspersky software removed from government computers.

The Russian operation, described by multiple people who have been briefed on the matter, is known to have stolen classified documents from a National Security Agency employee who had improperly stored them on his home computer, on which Kaspersky’s antivirus software was installed. What additional American secrets the Russian hackers may have gleaned from multiple agencies, by turning the Kaspersky software into a sort of Google search for sensitive information, is not yet publicly known.

The current and former government officials who described the episode spoke about it on condition of anonymity because of classification rules.

Like most security software, Kaspersky Lab’s products require access to everything stored on a computer in order to scour it for viruses or other dangers. Its popular antivirus software scans for signatures of malicious software, or malware, then removes or neuters it before sending a report back to Kaspersky. That procedure, routine for such software, provided a perfect tool for Russian intelligence to exploit to survey the contents of computers and retrieve whatever they found of interest. [Continue reading…]

Even though the reporting is sloppy, where it says an NSA employee using his home computer “on which Kaspersky’s antivirus software was installed,” there’s little reason to doubt that this software had been installed by choice by that employee. Moreover, he most likely chose that software for the same reason most experienced users do: he believed it performs better than competing products. And as for the fact that the software detected the NSA hacking tools, that’s what antivirus software is designed to do.

In spite of the cloud of suspicion that now hangs over all-things-Russian, it’s hard not to wonder whether Kaspersky provoked the ire of Israeli and American intelligence through its work on exposing the operation of Stuxnet. Kaspersky’s role in raising public awareness about cyberwarfare operations can hardly have been welcomed by the agencies running those operations.

Given that “antivirus is the ultimate back door,” as Blake Darché, a former NSA operator, observes, this raises questions that aren’t touched upon in the reporting on Kaspersky: do all brands of antivirus software present serious security risks to their users? And do companies such as Symantec actively cooperate with the NSA?

North Korea ‘hackers steal U.S.-South Korea war plans’

BBC News reports: Hackers from North Korea are reported to have stolen a large cache of military documents from South Korea, including a plan to assassinate North Korea’s leader Kim Jong-un.

Rhee Cheol-hee, a South Korean lawmaker, said the information was from his country’s defence ministry.

The compromised documents include wartime contingency plans drawn up by the US and South Korea.

They also include reports to the allies’ senior commanders.

The South Korean defence ministry has so far refused to comment about the allegation.

Plans for the South’s special forces were reportedly accessed, along with information on significant power plants and military facilities in the South.

Mr Rhee belongs to South Korea’s ruling party, and sits on its parliament’s defence committee. He said some 235 gigabytes of military documents had been stolen from the Defence Integrated Data Centre, and that 80% of them have yet to be identified. [Continue reading…]

John Kelly’s personal cellphone was compromised, White House believes

Politico reports: White House officials believe that chief of staff John Kelly’s personal cellphone was compromised, potentially as long ago as December, according to three U.S. government officials.

The discovery raises concerns that hackers or foreign governments may have had access to data on Kelly’s phone while he was secretary of Homeland Security and after he joined the West Wing.

Tech support staff discovered the suspected breach after Kelly turned his phone in to White House tech support this summer complaining that it wasn’t working or updating software properly.

Kelly told the staffers the phone hadn’t been working properly for months, according to the officials. [Continue reading…]

Russian hacker wanted by U.S. tells court he worked for Putin’s party

Reuters reports: A Russian hacker arrested in Spain on a U.S. warrant said on Thursday he previously worked for President Vladimir Putin’s United Russia party and feared he would be tortured and killed if extradited, RIA news agency reported.

Peter Levashov was arrested while on holiday in Barcelona in April. U.S. prosecutors later charged him with hacking offences, accusing him of operating a network of tens of thousands of infected computers used by cyber criminals.

Levashov’s comments offered a rare glimpse into the relationship between cyber criminals and the Russian state. U.S. officials say Russian authorities routinely shield hackers from prosecution abroad before recruiting them for espionage work. [Continue reading…]

21 states told they were targeted by Russian hackers during 2016 election

The Washington Post reports: The Department of Homeland Security contacted election officials in 21 states Friday to notify them that they had been targeted by Russian government hackers during the 2016 election.

Three months ago, DHS officials said that people connected to the Russian government tried to hack voting registration files or public election sites in 21 states, but Friday was the first time that government officials contacted individual state election officials to let them know they were targeted.

Officials said DHS told officials in all 50 states whether they were hacked or not.

“We heard feedback from the secretaries of state that this was an important piece of information,” said Bob Kolasky, acting deputy undersecretary for DHS’s National Protection and Programs Directorate. “We agreed that this information would help election officials make security decisions.”

He said it was important that the states shore up their systems now “rather than a few weeks before” the 2018 midterm elections. [Continue reading…]

WikiLeaks turned down leaks on Russian government during U.S. presidential campaign

Foreign Policy reports: In the summer of 2016, as WikiLeaks was publishing documents from Democratic operatives allegedly obtained by Kremlin-directed hackers, Julian Assange turned down a large cache of documents related to the Russian government, according to chat messages and a source who provided the records.

WikiLeaks declined to publish a wide-ranging trove of documents — at least 68 gigabytes of data — that came from inside the Russian Interior Ministry, according to partial chat logs reviewed by Foreign Policy.

The logs, which were provided to FP, only included WikiLeaks’s side of the conversation.

“As far as we recall these are already public,” WikiLeaks wrote at the time.

“WikiLeaks rejects all submissions that it cannot verify. WikiLeaks rejects submissions that have already been published elsewhere or which are likely to be considered insignificant. WikiLeaks has never rejected a submission due to its country of origin,” the organization wrote in a Twitter direct message when contacted by FP about the Russian cache.

(The account is widely believed to be operated solely by Assange, the group’s founder, but in a Twitter message to FP, the organization said it is maintained by “staff.”)

In 2014, the BBC and other news outlets reported on the cache, which revealed details about Russian military and intelligence involvement in Ukraine. However, the information from that hack was less than half the data that later became available in 2016, when Assange turned it down.

“We had several leaks sent to Wikileaks, including the Russian hack. It would have exposed Russian activities and shown WikiLeaks was not controlled by Russian security services,” the source who provided the messages wrote to FP. “Many Wikileaks staff and volunteers or their families suffered at the hands of Russian corruption and cruelty, we were sure Wikileaks would release it. Assange gave excuse after excuse.”

The Russian cache was eventually quietly published online elsewhere, to almost no attention or scrutiny. [Continue reading…]

In Ukraine, a malware expert who could blow the whistle on Russian hacking

The New York Times reports: The hacker, known only by his online alias “Profexer,” kept a low profile. He wrote computer code alone in an apartment and quietly sold his handiwork on the anonymous portion of the internet known as the Dark Web. Last winter, he suddenly went dark entirely.

Profexer’s posts, already accessible only to a small band of fellow hackers and cybercriminals looking for software tips, blinked out in January — just days after American intelligence agencies publicly identified a program he had written as one tool used in the hacking of the Democratic National Committee.

But while Profexer’s online persona vanished, a flesh-and-blood person has emerged: a fearful man who the Ukrainian police said turned himself in early this year, and has now become a witness for the F.B.I.

“I don’t know what will happen,” he wrote in one of his last messages posted on a restricted-access website before going to the police. “It won’t be pleasant. But I’m still alive.”

It is the first known instance of a living witness emerging from the arid mass of technical detail that has so far shaped the investigation into the D.N.C. hack and the heated debate it has stirred. The Ukrainian police declined to divulge the man’s name or other details, other than that he is living in Ukraine and has not been arrested. [Continue reading…]

A guide to Russia’s high tech tool box for subverting U.S. democracy

Garrett M Graff writes: A dead dog in Moscow. A dead dissident in London. Twitter trolls run by the Kremlin’s Internet Research Agency. Denial of service attacks and ransomware deployed across Ukraine. News reports from the DC offices of Sputnik and RT. Spies hidden in the heart of Wall Street. The hacking of John Podesta’s creamy risotto recipe. And a century-old fabricated staple of anti-Semitic hate literature.

At first glance these disparate phenomena might seem only vaguely connected. Sure, they can all be traced back to Russia. But is there any method to their badness? The definitive answer, according to Russia experts inside and outside the US government, is most certainly yes. In fact, they are part of an increasingly digital intelligence playbook known as “active measures,” a wide-ranging set of techniques and strategies that Russian military and intelligence services deploy to influence the affairs of nations across the globe.

As the investigation into Russia’s influence on the 2016 election—and the Trump campaign’s potential participation in that effort—has intensified this summer, the Putin regime’s systematic effort to undermine and destabilize democracies has become the subject of urgent focus in the West. According to interviews with more than a dozen US and European intelligence officials and diplomats, Russian active measures represent perhaps the biggest challenge to the Western order since the fall of the Berlin Wall. The consensus: Vladimir Putin, playing a poor hand economically and demographically at home, is seeking to destabilize the multilateral institutions, partnerships, and Western democracies that have kept the peace during the past seven decades.

The coordinated and multifaceted Russia efforts in the 2016 election—from the attacks on the DNC and John Podesta’s email to a meeting between a Russian lawyer and Donald Trump Jr. that bears all the hallmarks of an intelligence mission—likely involved every major Russian intelligence service: the foreign intelligence service (known as the SVR) as well as the state security service (the FSB, the successor to the KGB), and the military intelligence (the GRU), both of which separately penetrated servers at the DNC.

Understanding just how extensive and coordinated Russia’s operations against the West are represents the first step in confronting—and defeating—Putin’s increased aggression, particularly as it becomes clear that the 2016 election interference was just a starting point. “If there has ever been a clarion call for vigilance and action against a threat to the very foundation of our democratic political system, this episode is it,” former director of national intelligence James Clapper said this spring. “I hope the American people recognize the severity of this threat and that we collectively counter it before it further erodes the fabric of our democracy.”

Indeed, Western intelligence leaders have warned throughout the spring that they expect Russia to use similar tricks in the German parliamentary election this fall, as well as in the 2018 US congressional midterms and the 2020 presidential race. “Russia is not constrained by a rule of law or a sense of ethics—same with ISIS, same with China,” says Chris Donnelly, director of the UK-based Institute for Statecraft. “They’re trying to change the rules of the game, which they’ve seen us set in our favor.” [Continue reading…]

The hacking wars are going to get much worse

Adam Segal writes: Reports this month that the United Arab Emirates orchestrated the hacking of a Qatari news agency, helping to incite a crisis in the Middle East, are as unsurprising as they are unwelcome. For years, countries — in particular Russia — have used cyberattacks and the dissemination of disinformation through social media and news outlets to provoke protests, sway elections and undermine trust in institutions. It was only a matter of time before smaller states tried their hand at these tactics.

With few accepted rules of behavior in cyberspace, countries as big as China or as small as Bahrain can be expected to use these kinds of attacks. And they may eventually spill over into real-world military conflicts.

The hacking attacks in the Gulf seem to follow a typical pattern of going after the media and the email accounts of prominent individuals. According to American intelligence officials, in late May, hackers supported by the United Arab Emirates infiltrated Qatari government news and social media sites. The attackers planted quotations falsely attributed to Sheikh Tamim bin Hamad al-Thani, Qatar’s leader, praising Iran, Hamas and Israel. [Continue reading…]

In cyberwarfare, everyone is a combatant

The Wall Street Journal reports: This is already a banner year for hacks, breaches and cyberwarfare, but the past week was exceptional.

South Carolina reported hackers attempted to access the state’s voter-registration system 150,000 times on Election Day last November—part of what former Homeland Security Secretary Jeh Johnson alleges is a 21-state attack perpetrated by Russia. And U.S. intelligence officials alleged that agents working for the United Arab Emirates planted false information in Qatari news outlets and social media, leading to sanctions and a rift with Qatar’s allies. Meanwhile, Lloyd’s of London declared that the takedown of a significant cloud service could lead to monetary damages on par with those of Hurricane Katrina.

Threats to the real world from the cyberworld are worse than ever, and the situation continues to deteriorate. A new kind of war is upon us, one characterized by coercion rather than the use of force, says former State Department official James Lewis, a cybersecurity specialist at the Center for Strategic and International Studies.

Businesses and individuals now are directly affected in ways that were impossible in the first Cold War. In another age, the threat of nuclear annihilation loomed over everyone’s heads, but the cloak-and-dagger doings of global powers remained distinct from the day-to-day operations of businesses. Now, they are hopelessly entangled. The often unfathomable priorities of terrorists, cybercriminals and state-affiliated hackers only make things worse.

The current climate of cyberattacks is “crazy,” says Christopher Ahlberg of Recorded Future, a private intelligence firm that specializes in cyberthreats. “It’s like a science-fiction book. If you told anybody 10 years ago about what’s going on now, they wouldn’t believe it.”

In the first Cold War, the U.S., China and the Soviet Union fought proxy wars rather than confront one another directly. In Cold War 2.0, we still have those—Syria and whatever is brewing in North Korea come to mind—but much of the proxy fighting now happens online.

The result is significant collateral damage for businesses that aren’t even a party to the conflicts, says Corey Thomas, chief executive of cybersecurity firm Rapid 7. Recent ransomware attacks that some analysts attribute to Russia might have been aimed at Ukraine but resulted in the shutdown of computer systems at businesses and governments around the world. Russia has denied involvement in these attacks. Botnets made of internet-connected devices, stitched together by an unknown hacker for unknown reasons, caused countless internet services and websites to become unavailable in October 2016. [Continue reading…]
