The New York Times reports: In the report, to be released Friday, Norse — which, like other cybersecurity firms, has an interest in portraying a world of cyberthreats but presumably little incentive in linking them to any particular country — traced thousands of attacks against American targets to hackers inside Iran.
The report, and a similar one from Cylance, another cybersecurity firm, make clear that Iranian hackers are moving from ostentatious cyberattacks in which they deface websites or simply knock them offline to much quieter reconnaissance. In some cases, they appear to be probing for critical infrastructure systems that could provide opportunities for more dangerous and destructive attacks.
But Norse and Cylance differ on the question of whether the Iranian attacks have accelerated in recent months, or whether Tehran may be pulling back during a critical point in the nuclear negotiations.
Norse, which says it maintains thousands of sensors across the Internet to collect intelligence on attackers’ methods, insists that Iranian hackers have shown no signs of letting up. Between January 2014 and last month, the Norse report said, its sensors picked up a 115 percent increase in attacks launched from Iranian Internet protocol, or I.P., addresses. Norse said that its sensors had detected more than 900 attacks, on average, every day in the first half of March.
Cylance came to a different conclusion, at least for Iran’s activities in the past few months, as negotiations have come to a head. Stuart McClure, the chief executive and founder of Cylance, which has been tracking Iranian hacking groups, said that there had been a notable drop in activity over the past few months, and that the groups were now largely quiet. [Continue reading…]
The New York Times reports: In late 2012, just as President Obama and his aides began secretly sketching out a diplomatic opening to Iran, American intelligence agencies were busy with a parallel initiative: The latest spy-vs.-spy move in the decade-long effort to sabotage Tehran’s nuclear infrastructure.
Investigators uncovered an Iranian businessman’s scheme to buy specialty aluminum tubing, a type the United States bans for export to Iran because it can be used in centrifuges that enrich uranium, the exact machines at the center of negotiations entering a crucial phase in Switzerland this week.
Rather than halt the shipment, court documents reveal, American agents switched the aluminum tubes for ones of an inferior grade. If installed in Iran’s giant underground production centers, they would have shredded apart, destroying the centrifuges as they revved up to supersonic speed.
But if negotiators succeed in reaching a deal with Iran, does the huge, covert sabotage effort by the United States, Israel and some European allies come to an end?
“Probably not,” said one senior official with knowledge of the program. In fact, a number of officials make the case that surveillance of Iran will intensify and covert action may become more important than ever to ensure that Iran does not import the critical materials that would enable it to accelerate the development of advanced centrifuges or pursue a covert path to a bomb. [Continue reading…]
Quartz reports: The information superhighway got diverted last week when a Ukrainian internet service provider hijacked routes used by data heading for websites in the United Kingdom, according to a company that monitors and optimizes internet performance. The action could be a mere glitch — or something more sinister in an era of geopolitical cyber conflicts.
The issue at hand is the way disparate computer networks merge into the internet. The networks announce to one another which internet users — more technically, which IP addresses — they serve so that data can be routed accordingly; a US internet service provider might tell the world it can give you access to the Library of Congress, while one in Germany would say that it can reach BMW’s main website.
Dyn, the company that noted the incident, keeps an eye on network traffic patterns. Doug Madory, the company’s director of internet analysis, spotted something strange: Vega, a Ukrainian internet service provider, had announced it was serving numerous IP addresses in the United Kingdom. Advertising the wrong addresses is called “route hijacking,” and it is often a quickly-corrected mistake — for instance, an employee of an internet service provider makes a typo while typing into a router. In this case, the affected addresses included those operated by defense contractors Lockheed Martin and Thales, the UK Atomic Weapons Establishment, and the Royal Mail. [Continue reading…]
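The kind of check a monitor like Dyn's is making in the story above, written out as an added example (this is not Dyn's, Quartz's or Vega's code): each BGP announcement carries a prefix and the origin ASN at the end of its AS_PATH, and an operator who knows which ASN is authorised to originate each of its prefixes can flag an announcement whose origin disagrees. The example flags both an exact-prefix hijack (same prefix, wrong origin) and a more-specific hijack (a sub-prefix of a protected block, which wins by longest match even while the real route is still present), while leaving the owner's own more-specifics and unprotected prefixes alone. Every prefix, ASN and the sample feed below is constructed from documentation ranges and does not describe the real UK prefixes involved.

```python
import ipaddress
from dataclasses import dataclass

# Constructed table of prefixes we protect and the ASN authorised to
# originate each one. In practice this comes from the operator's own
# address plan, IRR route objects or RPKI ROAs. ASNs are from the
# documentation range (64496-64511) and prefixes from RFC 5737 space;
# none of this is the real Vega/UK data.
EXPECTED_ORIGINS = {
    ipaddress.ip_network("203.0.113.0/24"): 64500,   # hypothetical network A
    ipaddress.ip_network("198.51.100.0/22"): 64501,  # hypothetical network B
}


@dataclass(frozen=True)
class Announcement:
    """One BGP route as seen by a collector: the prefix and the origin
    ASN at the right-hand end of the AS_PATH."""
    prefix: str
    origin_as: int


def most_specific_covering(net, expected=EXPECTED_ORIGINS):
    """Return the longest protected prefix that equals or contains `net`,
    or None if `net` falls outside every protected block."""
    best = None
    for auth in expected:
        # subnet_of() raises on mixed address families, so check first.
        if auth.version != net.version or not net.subnet_of(auth):
            continue
        if best is None or auth.prefixlen > best.prefixlen:
            best = auth
    return best


def classify(ann, expected=EXPECTED_ORIGINS):
    """Return None if `ann` is consistent with the expected-origin table,
    otherwise a one-line description of the suspected hijack.

    Flagged:
      * exact-prefix hijack: same prefix, different origin ASN;
      * more-specific hijack: a sub-prefix of a protected block from a
        different origin.
    Not flagged: the owner announcing its own more-specifics, and any
    prefix outside the protected set.
    """
    net = ipaddress.ip_network(ann.prefix, strict=False)
    auth = most_specific_covering(net, expected)
    if auth is None:
        return None
    authorised_as = expected[auth]
    if ann.origin_as == authorised_as:
        return None
    kind = "exact-prefix" if net == auth else "more-specific"
    return (f"{kind} hijack: {net} originated by AS{ann.origin_as}, "
            f"expected AS{authorised_as} for {auth}")


def detect_hijacks(announcements, expected=EXPECTED_ORIGINS):
    """Run classify() over a feed and return (announcement, reason) pairs."""
    alerts = []
    for ann in announcements:
        reason = classify(ann, expected)
        if reason is not None:
            alerts.append((ann, reason))
    return alerts


# Constructed sample feed: two legitimate routes, two hijacks, one
# unrelated IPv4 prefix and one unrelated IPv6 prefix.
SAMPLE_FEED = [
    Announcement("203.0.113.0/24", 64500),   # owner, as expected
    Announcement("203.0.113.0/24", 64510),   # exact-prefix hijack
    Announcement("198.51.100.0/24", 64501),  # owner's own more-specific
    Announcement("198.51.100.0/24", 64510),  # more-specific hijack of the /22
    Announcement("192.0.2.0/24", 64510),     # not a prefix we protect
    Announcement("2001:db8::/32", 64510),    # IPv6, not protected
]

if __name__ == "__main__":
    for ann, reason in detect_hijacks(SAMPLE_FEED):
        print(reason)
```

Two caveats a practitioner would add: an origin-only check like this is blind to a hijacker who forges the legitimate origin ASN at the end of its AS_PATH (the same limitation RPKI route-origin validation has), and a single flagged update does not distinguish a typo withdrawn minutes later from a deliberate diversion, so real monitoring also tracks how long the bad route persisted and from how many vantage points it was seen.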
The Soufan Group IntelBrief: The capability of nations and advanced criminal groups to engage in sophisticated cyber espionage and theft is nothing new; and the capability of these actors to impact components of critical infrastructure is also nothing new (the 2012 Saudi Aramco attack comes to mind). What is new is their willingness to actually launch attacks not for intelligence or commercial gain but to impact corporate or geopolitical decisions. Whether they are having their data stolen or even held hostage via malicious encryption, or having their operations and personnel threatened with physical violence and damage, corporations and governments will find the Age of the Cyber Bomb Threat to be as costly and frustrating as the age of counterterrorism and counter-violent extremism.
Much as in terrorism, cyber conflict runs the spectrum of ideology and motivation. And as with terrorism, cyber conflict’s impact goes far beyond the point of attack. The ubiquity of the Internet means that anyone and everyone is a potential target—which is the point of all forms of terrorism. On December 21, 2014, unidentified attackers (assumed, rightly or wrongly, to be associated with North Korea) hacked into the non-operational computer systems of a functioning nuclear power plant in South Korea. The operator of the plant, Korea Hydro and Nuclear Power (KHNP), stated that at no time were plant operations at risk since those are on a closed and independent system, but that sensitive personnel and plant design data were stolen. In what will become the standard modus operandi for cyber bomb threats, the attackers threatened to destroy the plant if it wasn’t shut down. The threat of additional cyber attacks will be paired with threats of physical attacks.
While North Korea could very well be behind the nuclear reactor hack as well as the Sony hack, so could a range of other actors, given that the malware tools are available online to anyone with sufficient expertise and knowledge of where to look. It is the lack of true certainty that makes cyber attacks so difficult to respond to with counter-attacks. IP addresses are misleading and the tools and the capabilities are widespread enough that “the usual suspects” are now too large to count. With the stakes so high and the public and private players so poorly accounted for, the risks of attacks once thought unlikely will increase with cascading repercussions. [Continue reading…]
Shane Harris reports: North Korea’s limited connection to the Internet was temporarily severed Monday, just three days after President Barack Obama promised a “proportional” response for what he said was Pyongyang’s brazen hacking of Sony.
It’s too soon to say whether the United States knocked the Hermit Kingdom offline, or persuaded China to do it, or whether the North Koreans did it to themselves. One hacktivist group appears to be taking responsibility for the denial-of-service strike that targeted mostly North Korean government-operated sites.
But the outage has raised the question of what that proportional response would look like, and whether it would be legal. [Continue reading…]
Bloomberg Businessweek reports: Investigators from Dell SecureWorks working for [Sheldon Adelson’s casino empire, Las Vegas] Sands have concluded that the February attack was likely the work of “hacktivists” based in Iran, according to documents obtained by Bloomberg Businessweek. The security team couldn’t determine if Iran’s government played a role, but it’s unlikely that any hackers inside the country could pull off an attack of that scope without its knowledge, given the close scrutiny of Internet use within its borders. “This isn’t the kind of business you can get into in Iran without the government knowing,” says James Lewis, a senior fellow at the Center for Strategic and International Studies in Washington. Hamid Babaei, a spokesman for Iran’s Permanent Mission to the United Nations, didn’t return several phone calls and e-mails.
The perpetrators released their malware early in the morning on Monday, Feb. 10. It spread through the company’s networks, laying waste to thousands of servers, desktop PCs, and laptops. By the afternoon, Sands security staffers noticed logs showing that the hackers had been compressing batches of sensitive files. This meant that they may have downloaded — or were preparing to download — vast numbers of private documents, from credit checks on high-roller customers to detailed diagrams and inventories of global computer systems. Michael Leven, the president of Sands, decided to sever the company entirely from the Internet.
It was a drastic step in an age when most business functions, from hotel reservations to procurement, are handled online. But Sands was able to keep many core operations functioning — the hackers weren’t able to access an IBM mainframe that’s key to running certain parts of the business. Hotel guests could still swipe their keycards to get into their rooms. Elevators ran. Gamblers could still drop coins into slot machines or place bets at blackjack tables. Customers strolling the casino floors or watching the gondolas glide by on the canal in front of the Venetian had no idea anything was amiss.
Leven’s team quickly realized that they’d caught a major break. The Iranians had made a mistake. Among the first targets of the wiper software were the company’s Active Directory servers, which help manage network security and create a trusted link to systems abroad. If the hackers had waited before attacking these machines, the malware would have made it to Sands’ extensive properties in Singapore and China. Instead, the damage was confined to the U.S. [Continue reading…]
Ars Technica reports: Researchers have uncovered an extremely stealthy trojan for Linux systems that attackers have been using to siphon sensitive data from governments and pharmaceutical companies around the world.
The previously undiscovered malware represents a missing puzzle piece tied to “Turla,” a so-called advanced persistent threat (APT) disclosed in August by Kaspersky Lab and Symantec. For at least four years, the campaign targeted government institutions, embassies, military, education, research, and pharmaceutical companies in more than 45 countries. The unknown attackers—who are probably backed by a nation-state, according to Symantec—were known to have infected several hundred Windows-based computers by exploiting a variety of vulnerabilities, at least two of which were zero-day bugs. The malware was notable for its use of a rootkit that made it extremely hard to detect.
Now researchers from Moscow-based Kaspersky Lab have detected Linux-based malware used in the same campaign. Turla was already ranked as one of the top-tier APTs, in the same league as the recently disclosed Regin for instance. The discovery of the Linux component suggests it is bigger than previously thought and may presage the discovery of still more infected systems. [Continue reading…]
Jeff Moskowitz reports: Over the summer, in the middle of a two-month-long Israeli-Palestinian war, representatives of some of the biggest names in tech crammed into the stairwell of a Tel Aviv skyscraper to wait out Hamas rocket fire. Wearing Sequoia Capital name tags and TechCrunch T-shirts, they squeezed against one another, passing the time by talking about the Paris startup scene and the success rate of Iron Dome, Israel’s missile defense system.
They came to Tel Aviv for the demo day of a uniquely Israeli brand of startup incubator: one conducted by graduates of Israel Defense Forces Unit 8200 – the Israeli NSA. It was a fitting reminder of the close ties between Israel’s Silicon Wadi (the nickname for Israel’s startup ecosystem) and the country’s military establishment.
The 8200 is the largest unit in the Israeli army. It’s responsible for signals intelligence, eavesdropping and wiretapping, as well as advanced technical jobs and translating work. It is also widely acknowledged as producing a disproportionately high percentage of Israel’s tech executives and startup founders, including the brains behind Check Point Software Technologies, NICE Systems, and Mirabilis (creator of the proto-instant messaging system ICQ) – three of the biggest Israeli tech companies. [Continue reading…]
Moscow Times reports: A recent influx of reports about Russian electronic espionage activity has prompted fresh concerns that the Kremlin may be gunning for a cyberwar with the West.
Not everyone is convinced: Russian IT analysts interviewed by The Moscow Times were more inclined to blame the spike in attack reports on media hype and cybersecurity companies exploiting clients’ fears.
But Russia’s leading expert on domestic security services, Andrei Soldatov, said the pattern of the attacks indicated that the Russian government may be mounting a covert Internet offensive.
Experts could not say, however, whether heavy guns with the FSB electronic espionage agencies have been deployed.
“All government-linked attacks so far have been carried out by people on the market: the cyber-mercenaries,” Soldatov, editor-in-chief of the Agentura.ru website, said Wednesday. [Continue reading…]
The Guardian reports: Regin is the latest malicious software to be uncovered by security researchers, though its purpose is unknown, as are its operators. But experts have told the Guardian it was likely spawned in the labs of a western intelligence agency.
None of the targets of the Regin hackers reside on British soil, nor do any live in the US. Most victims are based in Russia and Saudi Arabia – 28% and 24% respectively.
Ireland had the third highest number of targets – 9% of overall detected infections. The infections list doesn’t include any “five eyes” countries – Australia, Canada, New Zealand, the UK and the US.
“We believe Regin is not coming from the usual suspects. We don’t think Regin was made by Russia or China,” Mikko Hypponen, chief research officer at F-Secure, told the Guardian. His company first spied Regin hiding on a Windows server inside a customer’s IT infrastructure in Northern Europe.
Only a handful of countries are thought capable of creating something as complex as Regin. If China and Russia are ruled out, that would leave the US, UK or Israel as the most likely candidates. [Continue reading…]
Barton Gellman reports: CloudShield Technologies, a California defense contractor, dispatched a senior engineer to Munich in the early fall of 2009. His instructions were unusually opaque.
As he boarded the flight, the engineer told confidants later, he knew only that he should visit a German national who awaited him with an off-the-books assignment. There would be no written contract, and on no account was the engineer to send reports back to CloudShield headquarters.
His contact, Martin J. Muench, turned out to be a former developer of computer security tools who had long since turned to the darkest side of their profession. Gamma Group, the British conglomerate for which Muench was a managing director, built and sold systems to break into computers, seize control clandestinely, and then copy files, listen to Skype calls, record every keystroke and switch on Web cameras and microphones at will.
According to accounts the engineer gave later and contemporary records obtained by The Washington Post, he soon fell into a shadowy world of lucrative spyware tools for sale to foreign security services, some of them with records of human rights abuse.
Over several months, the engineer adapted Gamma’s digital weapons to run on his company’s specialized, high-speed network hardware. Until then CloudShield had sold its CS-2000 device, a multipurpose network and content processing product, primarily to the Air Force and other Pentagon customers, who used it to manage and defend their networks, not to attack others.
CloudShield’s central role in Gamma’s controversial work — fraught with legal risk under U.S. export restrictions — was first uncovered by Morgan Marquis-Boire, author of a new report released Friday by the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. He shared advance drafts with The Post, which conducted its own month-long investigation. [Continue reading…]
In “The most wanted man in the world,” his feature article for Wired on Edward Snowden, James Bamford writes: The massive surveillance effort was bad enough, but Snowden was even more disturbed to discover a new, Strangelovian cyberwarfare program in the works, codenamed MonsterMind. The program, disclosed here for the first time, would automate the process of hunting for the beginnings of a foreign cyberattack. Software would constantly be on the lookout for traffic patterns indicating known or suspected attacks. When it detected an attack, MonsterMind would automatically block it from entering the country — a “kill” in cyber terminology.
Programs like this had existed for decades, but MonsterMind software would add a unique new capability: Instead of simply detecting and killing the malware at the point of entry, MonsterMind would automatically fire back, with no human involvement. That’s a problem, Snowden says, because the initial attacks are often routed through computers in innocent third countries. “These attacks can be spoofed,” he says. “You could have someone sitting in China, for example, making it appear that one of these attacks is originating in Russia. And then we end up shooting back at a Russian hospital. What happens next?”
In addition to the possibility of accidentally starting a war, Snowden views MonsterMind as the ultimate threat to privacy because, in order for the system to work, the NSA first would have to secretly get access to virtually all private communications coming in from overseas to people in the US. “The argument is that the only way we can identify these malicious traffic flows and respond to them is if we’re analyzing all traffic flows,” he says. “And if we’re analyzing all traffic flows, that means we have to be intercepting all traffic flows. That means violating the Fourth Amendment, seizing private communications without a warrant, without probable cause or even a suspicion of wrongdoing. For everyone, all the time.”
Mother Jones reports: The shadowy hacker collective known as Anonymous has announced it will launch a round of cyber-attacks this Friday against the Israeli government, in retaliation for Israel’s ongoing military intervention in Gaza. This onslaught would add to a wave of cyber assaults staged in recent weeks by hackers largely from the Middle East, Asia, and South America, who are supporting “OpSaveGaza,” an Anonymous-backed campaign targeting Israeli government websites that has succeeded in temporarily taking down the sites of the Israeli defense ministry and the Tel Aviv police department.
This isn’t the first time Anonymous has zeroed in on Israel; the collective has been launching cyber-attacks against the country for several years, with mixed results. “As a collective ‘Anonymous’ does not hate Israel, it hates that Israel’s government is committing genocide & slaughtering unarmed people in Gaza to obtain more land at the border,” an Anonymous spokesperson, using the Twitter handle @YourAnonCentral, tells Mother Jones. The spokesperson notes that there has never been any Anonymous action taken against Palestinian targets, including Hamas, the outfit governing Gaza and launching rocket attacks against Israel.
The most recent round of cyber-attacks began in early July, and the Anonymous spokesperson claims that collective members sabotaged “thousands” of Israeli websites. Several of the sites targeted were indeed down recently. The International Business Times reported last week that “numerous Israeli government homepages have been replaced by graphics, slogans, and auto-playing audio files.” On Monday, hackers leaked a list of log-in details they claim belong to Israeli government officials, but the government hasn’t confirmed this. [Continue reading…]
Bloomberg Businessweek reports: In October 2010, a Federal Bureau of Investigation system monitoring U.S. Internet traffic picked up an alert. The signal was coming from Nasdaq. It looked like malware had snuck into the company’s central servers. There were indications that the intruder was not a kid somewhere, but the intelligence agency of another country. More troubling still: When the U.S. experts got a better look at the malware, they realized it was attack code, designed to cause damage.
As much as hacking has become a daily irritant, much more of it crosses watch-center monitors out of sight from the public. The Chinese, the French, the Israelis — and many less well known or understood players — all hack in one way or another. They steal missile plans, chemical formulas, power-plant pipeline schematics, and economic data. That’s espionage; attack code is a military strike. There are only a few recorded deployments, the most famous being the Stuxnet worm. Widely believed to be a joint project of the U.S. and Israel, Stuxnet temporarily disabled Iran’s uranium-processing facility at Natanz in 2010. It switched off safety mechanisms, causing the centrifuges at the heart of a refinery to spin out of control. Two years later, Iran destroyed two-thirds of Saudi Aramco’s computer network with a relatively unsophisticated but fast-spreading “wiper” virus. One veteran U.S. official says that when it came to a digital weapon planted in a critical system inside the U.S., he’s seen it only once — in Nasdaq.
The October alert prompted the involvement of the National Security Agency, and just into 2011, the NSA concluded there was a significant danger. A crisis action team convened via secure videoconference in a briefing room in an 11-story office building in the Washington suburbs. Besides a fondue restaurant and a CrossFit gym, the building is home to the National Cybersecurity and Communications Integration Center (NCCIC), whose mission is to spot and coordinate the government’s response to digital attacks on the U.S. They reviewed the FBI data and additional information from the NSA, and quickly concluded they needed to escalate.
Thus began a frenzied five-month investigation that would test the cyber-response capabilities of the U.S. and directly involve the president. Intelligence and law enforcement agencies, under pressure to decipher a complex hack, struggled to provide an even moderately clear picture to policymakers. After months of work, there were still basic disagreements in different parts of government over who was behind the incident and why. “We’ve seen a nation-state gain access to at least one of our stock exchanges, I’ll put it that way, and it’s not crystal clear what their final objective is,” says House Intelligence Committee Chairman Mike Rogers, a Republican from Michigan, who agreed to talk about the incident only in general terms because the details remain classified. “The bad news of that equation is, I’m not sure you will really know until that final trigger is pulled. And you never want to get to that.”
Bloomberg Businessweek spent several months interviewing more than two dozen people about the Nasdaq attack and its aftermath, which has never been fully reported. Nine of those people were directly involved in the investigation and national security deliberations; none were authorized to speak on the record. “The investigation into the Nasdaq intrusion is an ongoing matter,” says FBI New York Assistant Director in Charge George Venizelos. “Like all cyber cases, it’s complex and involves evidence and facts that evolve over time.”
While the hack was successfully disrupted, it revealed how vulnerable financial exchanges—as well as banks, chemical refineries, water plants, and electric utilities—are to digital assault. One official who experienced the event firsthand says he thought the attack would change everything, that it would force the U.S. to get serious about preparing for a new era of conflict by computer. He was wrong. [Continue reading…]
Jarno Limnéll writes: A hundred years ago, World War I moved warfare into the skies. Today no nation regards its security as complete without an air force, and no serious future conflict will lack a cyber aspect, either.
Russia and Ukraine apparently traded cyber attacks during the referendum on Crimea. Media reports indicate NATO and Ukrainian media websites suffered DDoS (denial of service) assaults during the vote, and that servers in Moscow took apparently retaliatory – and bigger – strikes afterward.
Observers tend to miss, though, that these are relatively modest skirmishes in cyber space. They routinely break out among competing states, even without concurrent political or military hostilities. Angling to hobble an opponent’s web resources by clogging networks with junk traffic? Another day at the office.
I see three distinct levels or “rings” to contemporary cyber conflicts. Only the first is clearly apparent in the Ukraine crisis. Full-blown cyber war is not yet occurring. The prospect of escalation, however, is real and worrisome. The West should watch carefully, because developments in Ukraine offer a model for contemporary conflicts worldwide – which will henceforth have integral cyber elements for all but the least developed nations.
By observing Ukraine we can deduce not only the capabilities of cyber weapons, but the goals and policies behind their use. [Continue reading…]
The Washington Post reports: The Pentagon is significantly growing the ranks of its cyberwarfare unit in an effort to deter and defend against foreign attacks on crucial U.S. networks, Defense Secretary Chuck Hagel said Friday.
In his first major speech on cyber policy, Hagel sought to project strength but also to tame perceptions of the United States as an aggressor in computer warfare, stressing that the government “does not seek to militarize cyberspace.”
His remarks, delivered at the retirement ceremony of Gen. Keith Alexander, the outgoing director of the National Security Agency and Cyber Command, come in advance of Hagel’s trip to China next week, his first as defense secretary. The issues of cyberwarfare and cyber-espionage have been persistent sources of tensions between Washington and Beijing.
Hagel said that the fighting force at U.S. Cyber Command will number more than 6,000 people by 2016, making it one of the largest such forces in the world. The force will help expand the president’s options for responding to a crisis with “full-spectrum cyber capabilities,” Hagel said, a reference to cyber operations that can include destroying, damaging or sabotaging an adversary’s computer systems and that can complement other military operations.
But, Hagel said, the military’s first purpose is “to prevent and de-escalate conflict.” The Pentagon will maintain “an approach of restraint to any cyber operations outside of U.S. government networks.”
Although some U.S. adversaries, notably China and Russia, which also have formidable cyber capabilities, may view his remarks with skepticism, Hagel said the Pentagon is making an effort to be “open and transparent” about its cyberforces and doctrine. The hope, senior officials said, is that transparency will lead to greater stability in cyberspace. [Continue reading…]
The New York Times reports: The Chinese government called on the United States on Monday to explain its actions and halt the practice of cyberespionage after news reports said that the National Security Agency had hacked its way into the computer systems of China’s largest telecommunications company.
The reports, based on documents provided by the former security contractor Edward J. Snowden, related how the spy agency penetrated servers owned by the company, Huawei, and monitored communications by its senior executives in an effort to discover whether the executives had links to the Chinese military. The operation also sought to exploit the company’s technology and gain access to the communications of customers who use Huawei cellphones, fiber optic cables and network hubs.
American officials have been working to block Huawei from entering the American telecommunications market because of concerns that its equipment could provide Chinese hackers with a “back door” for stealing American corporate and government secrets. [Continue reading…]
MIT Technology Review: Security experts have been warning for some time that computer networks are not secure from intruders. But in 2013, we learned that the mayhem has become strategic. Governments now write computer viruses. And if they can’t, they can purchase them. A half-dozen boutique R&D houses, like Italy’s Hacking Team, develop computer vulnerabilities and openly market them to government attackers.
Criminals use common computer weaknesses to infect as many machines as possible. But governments assemble large research teams and spend millions patiently pursuing narrow objectives. Costin Raiu, who investigates such “advanced persistent threats” as director of research and analysis for anti-virus company Kaspersky Lab, says he logs on to his computer assuming he is not alone. “I operate under the principle that my computer is owned by at least three governments,” he says.
That is a threat mainstream technology companies are grappling with. The U.S. government circumvented Google’s security measures and secretly collected customer data. British spies scooped up millions of webcam images from Yahoo. In December, on Microsoft’s official blog, the company’s top lawyer, Brad Smith, said he had reason to view surreptitious “government snooping” as no different from criminal malware. Microsoft, along with Google and Yahoo, has responded by greatly widening its use of encryption (see “The Year of Encryption”).
“We’re living in a very interesting time, where companies are becoming unwilling pawns in cyberwarfare,” says Menny Barzilay, a former Israeli intelligence officer now working in IT security for the Bank Hapoalim Group, in Tel Aviv. In this new context, nobody can say where the responsibilities of a company may end and those of a nation might begin. Should a commercial bank be expected to expend resources to defend itself when its attacker is a country? “This is not a ‘maybe’ situation. This is happening right now,” says Barzilay. “And this is just the beginning.” [Continue reading…]