DefenseNews reports: The site of an Army golf course named for US President Dwight Eisenhower, one long drive from the National Security Agency, is an active construction site, the future of US military cyber.
Where there were once bunkers, greens and tees is a large gray building due to become an NSA-run 600,000-square-foot, state-of-the-art server farm, a skeletal structure that will one day house US Cyber Command’s joint operations center, with plots reserved for individual Marine Corps and Navy cyber facilities.
The plans reflect the growth in ambition, manpower and resources for the five-year-old US Cyber Command. One measure of this rapid expansion is the command’s budget — $120 million at its inception in 2010 rising to $509 million for 2015.
Another measure is the $1.8 billion in construction at Fort Meade, much of it related to Cyber Command. Though Cyber Command’s service components and tactical teams are spread across the country, the headquarters for Cyber Command, the NSA and Defense Information Systems Agency make Fort Meade a growing hub for military cyber.
Earlier this year, Defense Secretary Ash Carter announced a new cyber strategy that acknowledges in the strongest terms that the Pentagon may wage offensive cyber warfare. The strategy emphasizes deterrence and sets up a reliance on the commercial technology sector, hinging on a push to strengthen ties between Silicon Valley and the Pentagon. [Continue reading…]
The Washington Post reports: The purported theft of confidential Saudi documents that have been released by WikiLeaks bears the hallmarks of Iranian hackers linked to cyberattacks in more than a dozen countries, including the United States, according to cybersecurity experts and Middle East analysts.
Last week, WikiLeaks published about 70,000 of what it said were half a million documents obtained from Saudi Arabia’s Foreign Ministry. The transparency advocacy group promises more releases of the diplomatic cables, whose authenticity has not been independently verified.
Experts said that the cables, apparently stolen over the past year, paint an unflattering portrait of Saudi diplomacy as reliant on oil-wealth patronage and obsessed with Iran, the kingdom’s chief rival, but appeared to contain no shocking revelations. [Continue reading…]
Moisés Naím writes: This month, two years after his massive leak of NSA documents detailing U.S. surveillance programs, Edward Snowden published an op-ed in The New York Times celebrating his accomplishments. The “power of an informed public,” he wrote, had forced the U.S. government to scrap its bulk collection of phone records. Moreover, he noted, “Since 2013, institutions across Europe have ruled similar laws and operations illegal and imposed new restrictions on future activities.” He concluded by asserting that “We are witnessing the emergence of a post-terror generation, one that rejects a worldview defined by a singular tragedy. For the first time since the attacks of Sept. 11, 2001, we see the outline of a politics that turns away from reaction and fear in favor of resilience and reason.”
Maybe so. I am glad that my privacy is now more protected from meddling by U.S. and European democracies. But frankly, I am far more concerned about the cyber threats to my privacy posed by Russia, China, and other authoritarian regimes than the surveillance threats from Washington. You should be too. [Continue reading…]
Reuters reports: The United States tried to deploy a version of the Stuxnet computer virus to attack North Korea’s nuclear weapons program five years ago but ultimately failed, according to people familiar with the covert campaign.
The operation began in tandem with the now-famous Stuxnet attack that sabotaged Iran’s nuclear program in 2009 and 2010 by destroying a thousand or more centrifuges that were enriching uranium. Reuters and others have reported that the Iran attack was a joint effort by U.S. and Israeli forces.
According to one U.S. intelligence source, Stuxnet’s developers produced a related virus that would be activated when it encountered Korean-language settings on an infected machine.
But U.S. agents could not access the core machines that ran Pyongyang’s nuclear weapons program, said another source, a former high-ranking intelligence official who was briefed on the program. [Continue reading…]
Scientific American: The Pentagon has made clear in recent weeks that cyber warfare is no longer just a futuristic threat—it is now a real one. U.S. government agency and industry computer systems are already embroiled in a number of nasty cyber warfare campaigns against attackers based in China, North Korea, Russia and elsewhere. As a counterpoint, hackers with ties to Russia have been accused of stealing a number of Pres. Barack Obama’s e-mails, although the White House has not formally placed any blame at the Kremlin’s doorstep. The Obama administration did, however, call out North Korea for ordering last year’s cyber attack on Sony Pictures Entertainment.
The battle has begun. “External actors probe and scan [U.S. Department of Defense (DoD)] networks for vulnerabilities millions of times each day, and over 100 foreign intelligence agencies continually attempt to infiltrate DoD networks,” Eric Rosenbach, assistant secretary for homeland defense and global security, testified in April before the U.S. Senate Committee on Armed Services, Subcommittee on Emerging Threats and Capabilities. “Unfortunately, some incursions — by both state and nonstate entities — have succeeded.”
After years of debate as to how the fog of war will extend to the Internet, Obama last month signed an executive order declaring cyber attacks launched from abroad against U.S. targets a “national emergency” and levying sanctions against those responsible. Penalties include freezing the U.S. assets of cyber attackers and those aiding them as well as preventing U.S. residents from conducting financial transactions with those targeted by the executive order. [Continue reading…]
The New York Times reports: In the report, to be released Friday, Norse — which, like other cybersecurity firms, has an interest in portraying a world of cyberthreats but presumably little incentive in linking them to any particular country — traced thousands of attacks against American targets to hackers inside Iran.
The report, and a similar one from Cylance, another cybersecurity firm, make clear that Iranian hackers are moving from ostentatious cyberattacks in which they deface websites or simply knock them offline to much quieter reconnaissance. In some cases, they appear to be probing for critical infrastructure systems that could provide opportunities for more dangerous and destructive attacks.
But Norse and Cylance differ on the question of whether the Iranian attacks have accelerated in recent months, or whether Tehran may be pulling back during a critical point in the nuclear negotiations.
Norse, which says it maintains thousands of sensors across the Internet to collect intelligence on attackers’ methods, insists that Iranian hackers have shown no signs of letting up. Between January 2014 and last month, the Norse report said, its sensors picked up a 115 percent increase in attacks launched from Iranian Internet protocol, or I.P., addresses. Norse said that its sensors had detected more than 900 attacks, on average, every day in the first half of March.
Cylance came to a different conclusion, at least for Iran’s activities in the past few months, as negotiations have come to a head. Stuart McClure, the chief executive and founder of Cylance, which has been tracking Iranian hacking groups, said that there had been a notable drop in activity over the past few months, and that the groups were now largely quiet. [Continue reading…]
The New York Times reports: In late 2012, just as President Obama and his aides began secretly sketching out a diplomatic opening to Iran, American intelligence agencies were busy with a parallel initiative: The latest spy-vs.-spy move in the decade-long effort to sabotage Tehran’s nuclear infrastructure.
Investigators uncovered an Iranian businessman’s scheme to buy specialty aluminum tubing, a type the United States bans for export to Iran because it can be used in centrifuges that enrich uranium, the exact machines at the center of negotiations entering a crucial phase in Switzerland this week.
Rather than halt the shipment, court documents reveal, American agents switched the aluminum tubes for ones of an inferior grade. If installed in Iran’s giant underground production centers, they would have shredded apart, destroying the centrifuges as they revved up to supersonic speed.
But if negotiators succeed in reaching a deal with Iran, does the huge, covert sabotage effort by the United States, Israel and some European allies come to an end?
“Probably not,” said one senior official with knowledge of the program. In fact, a number of officials make the case that surveillance of Iran will intensify and covert action may become more important than ever to ensure that Iran does not import the critical materials that would enable it to accelerate the development of advanced centrifuges or pursue a covert path to a bomb. [Continue reading…]
Quartz reports: The information superhighway got diverted last week when a Ukrainian internet service provider hijacked routes used by data heading for websites in the United Kingdom, according to a company that monitors and optimizes internet performance. The action could be a mere glitch — or something more sinister in an era of geopolitical cyber conflicts.
The issue at hand is the way disparate computer networks merge into the internet. The networks announce to one another which internet users — more technically, which IP addresses — they serve so that data can be routed accordingly; a US internet service provider might tell the world it can give you access to the Library of Congress, while one in Germany would say that it can reach BMW’s main website.
Dyn, the company that noted the incident, keeps an eye on network traffic patterns. Doug Madory, the company’s director of internet analysis, spotted something strange: Vega, a Ukrainian internet service provider, had announced it was serving numerous IP addresses in the United Kingdom. Advertising the wrong addresses is called “route hijacking,” and it is often a quickly corrected mistake — for instance, an employee of an internet service provider makes a typo while typing into a router. In this case, the affected addresses included those operated by defense contractors Lockheed Martin and Thales, the UK Atomic Weapons Establishment, and the Royal Mail. [Continue reading…]
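The detection Dyn's analysts performed, reduced to its essentials, is a comparison of observed route announcements against a baseline of which network is expected to originate each address block. The following is an added example, not code from the Quartz article or from Dyn: a toy origin monitor that classifies each observed (prefix, origin AS) pair as legitimate, an exact-prefix origin hijack, a more-specific hijack, or an unknown block. The baseline table and the observed feed are constructed here, using the RFC 5737 documentation prefixes and the RFC 5398 documentation AS numbers (AS64496–AS64511), so nothing in it corresponds to a real network. It goes slightly beyond the article by also handling the more-specific case, which is the one that most reliably diverts traffic.

```python
"""Toy BGP origin monitor (added example, not Dyn's or the article's code).

Compares observed announcements against a baseline of expected origin ASNs,
the same idea an RPKI ROA table encodes, and flags route hijacks.
All prefixes are RFC 5737 documentation ranges and all ASNs are from the
RFC 5398 documentation range; both tables below are constructed sample data.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed baseline: the AS that is expected to originate each block.
BASELINE: Dict[str, int] = {
    "192.0.2.0/24": 64496,      # constructed: one organisation's block
    "198.51.100.0/22": 64497,   # constructed: another organisation's block
    "203.0.113.0/24": 64498,    # constructed: an unrelated block
}

# Constructed observed feed: (prefix, origin AS) as a route collector would see.
OBSERVED: List[Tuple[str, int]] = [
    ("192.0.2.0/24", 64496),     # legitimate announcement
    ("198.51.100.0/22", 64497),  # legitimate announcement
    ("203.0.113.0/24", 64511),   # wrong origin for the exact prefix
    ("198.51.100.0/24", 64511),  # more-specific of a baseline /22, wrong origin
    ("192.0.2.0/25", 64496),     # more-specific, but from the legitimate owner
    ("10.0.0.0/8", 64510),       # not covered by the baseline at all
]


def classify(prefix: str, origin_as: int, baseline: Dict[str, int]) -> str:
    """Return one of: ok, ok-more-specific, origin-hijack,
    more-specific-hijack, unknown."""
    net = ipaddress.ip_network(prefix, strict=True)
    # Longest-prefix match against the baseline, the way a router selects routes.
    covering = None
    for bp in baseline:
        bnet = ipaddress.ip_network(bp)
        if net.version == bnet.version and net.subnet_of(bnet):
            if covering is None or bnet.prefixlen > covering.prefixlen:
                covering = bnet
    if covering is None:
        return "unknown"
    expected = baseline[str(covering)]
    if origin_as == expected:
        return "ok" if net.prefixlen == covering.prefixlen else "ok-more-specific"
    if net.prefixlen == covering.prefixlen:
        return "origin-hijack"
    # A longer prefix from a foreign origin wins longest-prefix match everywhere,
    # so traffic is diverted even while the legitimate /22 is still announced.
    return "more-specific-hijack"


def audit(observed: List[Tuple[str, int]],
          baseline: Dict[str, int]) -> List[Tuple[str, int, str]]:
    """Return only the entries a defender should look at (hijacks and unknowns)."""
    alerts = []
    for prefix, origin_as in observed:
        verdict = classify(prefix, origin_as, baseline)
        if verdict not in ("ok", "ok-more-specific"):
            alerts.append((prefix, origin_as, verdict))
    return alerts


if __name__ == "__main__":
    for prefix, origin_as, verdict in audit(OBSERVED, BASELINE):
        print(f"{prefix:<18} AS{origin_as}  {verdict}")
```

A real monitor would feed this from a route collector rather than a hard-coded list, and an RPKI ROA also carries a maximum prefix length, which is what lets it reject the more-specific case automatically; the classifier above treats any more-specific from the expected origin as benign, which is the permissive choice.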
The Soufan Group IntelBrief: The capability of nations and advanced criminal groups to engage in sophisticated cyber espionage and theft is nothing new; and the capability of these actors to impact components of critical infrastructure is also nothing new (the 2012 Saudi Aramco attack comes to mind). What is new is their willingness to actually launch attacks not for intelligence or commercial gain but to impact corporate or geopolitical decisions. Whether it’s having its data stolen or even held hostage via malicious encryption, or having its operations and personnel threatened with physical violence and damage, corporations and governments will find the Age of the Cyber Bomb Threat to be as costly and frustrating as the age of counterterrorism and counter-violent extremism.
Much as in terrorism, cyber conflict runs the spectrum of ideology and motivation. And as with terrorism, cyber conflict’s impact goes far beyond the point of attack. The ubiquity of the Internet means that anyone and everyone is a potential target—which is the point of all forms of terrorism. On December 21, 2014, unidentified attackers (assumed, rightly or wrongly, to be associated with North Korea) hacked into the non-operational computer systems of a functioning nuclear power plant in South Korea. The operator of the plant, Korea Hydro and Nuclear Power (KHNP), stated that at no time were plant operations at risk since those are on a closed and independent system, but that sensitive personnel and plant design data were stolen. In what will become the standard modus operandi for cyber bomb threats, the attackers threatened to destroy the plant if it wasn’t shut down. The threat of additional cyber attacks will be paired with threats of physical attacks.
While North Korea could very well be behind the nuclear reactor hack as well as the Sony hack, so could a range of other actors, given that the malware tools are available online to anyone with sufficient expertise and knowledge of where to look. It is the lack of true certainty that makes cyber attacks so difficult to respond to with counter-attacks. IP addresses are misleading and the tools and the capabilities are widespread enough that “the usual suspects” are now too large to count. With the stakes so high and the public and private players so poorly accounted for, the risks of attacks once thought unlikely will increase with cascading repercussions. [Continue reading…]
Shane Harris reports: North Korea’s limited connection to the Internet was temporarily severed Monday, just three days after President Barack Obama promised a “proportional” response for what he said was Pyongyang’s brazen hacking of Sony.
It’s too soon to say whether the United States knocked the Hermit Kingdom offline, or persuaded China to do it, or whether the North Koreans did it to themselves. One hacktivist group appears to be taking responsibility for the denial-of-service strike that targeted mostly North Korean government-operated sites.
But the outage has raised the question of what that proportional response would look like, and whether it would be legal. [Continue reading…]
Bloomberg Businessweek reports: Investigators from Dell SecureWorks working for [Sheldon Adelson’s casino empire, Las Vegas] Sands have concluded that the February attack was likely the work of “hacktivists” based in Iran, according to documents obtained by Bloomberg Businessweek. The security team couldn’t determine if Iran’s government played a role, but it’s unlikely that any hackers inside the country could pull off an attack of that scope without its knowledge, given the close scrutiny of Internet use within its borders. “This isn’t the kind of business you can get into in Iran without the government knowing,” says James Lewis, a senior fellow at the Center for Strategic and International Studies in Washington. Hamid Babaei, a spokesman for Iran’s Permanent Mission to the United Nations, didn’t return several phone calls and e-mails.
The perpetrators released their malware early in the morning on Monday, Feb. 10. It spread through the company’s networks, laying waste to thousands of servers, desktop PCs, and laptops. By the afternoon, Sands security staffers noticed logs showing that the hackers had been compressing batches of sensitive files. This meant that they may have downloaded — or were preparing to download — vast numbers of private documents, from credit checks on high-roller customers to detailed diagrams and inventories of global computer systems. Michael Leven, the president of Sands, decided to sever the company entirely from the Internet.
It was a drastic step in an age when most business functions, from hotel reservations to procurement, are handled online. But Sands was able to keep many core operations functioning — the hackers weren’t able to access an IBM (IBM) mainframe that’s key to running certain parts of the business. Hotel guests could still swipe their keycards to get into their rooms. Elevators ran. Gamblers could still drop coins into slot machines or place bets at blackjack tables. Customers strolling the casino floors or watching the gondolas glide by on the canal in front of the Venetian had no idea anything was amiss.
Leven’s team quickly realized that they’d caught a major break. The Iranians had made a mistake. Among the first targets of the wiper software were the company’s Active Directory servers, which help manage network security and create a trusted link to systems abroad. If the hackers had waited before attacking these machines, the malware would have made it to Sands’ extensive properties in Singapore and China. Instead, the damage was confined to the U.S. [Continue reading…]
Ars Technica reports: Researchers have uncovered an extremely stealthy trojan for Linux systems that attackers have been using to siphon sensitive data from governments and pharmaceutical companies around the world.
The previously undiscovered malware represents a missing puzzle piece tied to “Turla,” a so-called advanced persistent threat (APT) disclosed in August by Kaspersky Lab and Symantec. For at least four years, the campaign targeted government institutions, embassies, military, education, research, and pharmaceutical companies in more than 45 countries. The unknown attackers—who are probably backed by a nation-state, according to Symantec—were known to have infected several hundred Windows-based computers by exploiting a variety of vulnerabilities, at least two of which were zero-day bugs. The malware was notable for its use of a rootkit that made it extremely hard to detect.
Now researchers from Moscow-based Kaspersky Lab have detected Linux-based malware used in the same campaign. Turla was already ranked as one of the top-tier APTs, in the same league as the recently disclosed Regin for instance. The discovery of the Linux component suggests it is bigger than previously thought and may presage the discovery of still more infected systems. [Continue reading…]
Jeff Moskowitz reports: Over the summer, in the middle of a two-month-long Israeli-Palestinian war, representatives of some of the biggest names in tech crammed into the stairwell of a Tel Aviv skyscraper to wait out Hamas rocket fire. Wearing Sequoia Capital name tags and TechCrunch T-shirts, they squeezed against one another, passing the time by talking about the Paris startup scene and the success rate of Iron Dome, Israel’s missile defense system.
They came to Tel Aviv for the demo day of a uniquely Israeli brand of startup incubator: one conducted by graduates of Israel Defense Forces Unit 8200 – the Israeli NSA. It was a fitting reminder of the close ties between Israel’s Silicon Wadi (the nickname for Israel’s startup ecosystem) and the country’s military establishment.
The 8200 is the largest unit in the Israeli army. It’s responsible for signals intelligence, eavesdropping and wiretapping, as well as advanced technical jobs and translating work. It is also widely acknowledged as producing a disproportionately high percentage of Israel’s tech executives and startup founders, including the brains behind Check Point Software Technologies, NICE Systems, and Mirabilis (creator of the proto-instant messaging system ICQ) – three of the biggest Israeli tech companies. [Continue reading…]
Moscow Times reports: A recent influx of reports about Russian electronic espionage activity has prompted fresh concerns that the Kremlin may be gunning for a cyberwar with the West.
Not everyone is convinced: Russian IT analysts interviewed by The Moscow Times were more inclined to blame the spike in attack reports on media hype and cybersecurity companies exploiting clients’ fears.
But Russia’s leading expert on domestic security services, Andrei Soldatov, said the pattern of the attacks indicated that the Russian government may be mounting a covert Internet offensive.
Experts could not say, however, whether heavy guns with the FSB electronic espionage agencies have been deployed.
“All government-linked attacks so far have been carried out by people on the market: the cyber-mercenaries,” Soldatov, editor-in-chief of the Agentura.ru website, said Wednesday. [Continue reading…]
The Guardian reports: Regin is the latest malicious software to be uncovered by security researchers, though its purpose is unknown, as are its operators. But experts have told the Guardian it was likely spawned in the labs of a western intelligence agency.
None of the targets of the Regin hackers reside on British soil, nor do any live in the US. Most victims are based in Russia and Saudi Arabia – 28% and 24% respectively.
Ireland had the third highest number of targets – 9% of overall detected infections. The infections list doesn’t include any “five eyes” countries – Australia, Canada, New Zealand, the UK and the US.
“We believe Regin is not coming from the usual suspects. We don’t think Regin was made by Russia or China,” Mikko Hypponen, chief research officer at F-Secure, told the Guardian. His company first spied Regin hiding on a Windows server inside a customer’s IT infrastructure in Northern Europe.
Only a handful of countries are thought capable of creating something as complex as Regin. If China and Russia are ruled out, that would leave the US, UK or Israel as the most likely candidates. [Continue reading…]
Barton Gellman reports: CloudShield Technologies, a California defense contractor, dispatched a senior engineer to Munich in the early fall of 2009. His instructions were unusually opaque.
As he boarded the flight, the engineer told confidants later, he knew only that he should visit a German national who awaited him with an off-the-books assignment. There would be no written contract, and on no account was the engineer to send reports back to CloudShield headquarters.
His contact, Martin J. Muench, turned out to be a former developer of computer security tools who had long since turned to the darkest side of their profession. Gamma Group, the British conglomerate for which Muench was a managing director, built and sold systems to break into computers, seize control clandestinely, and then copy files, listen to Skype calls, record every keystroke and switch on Web cameras and microphones at will.
According to accounts the engineer gave later and contemporary records obtained by The Washington Post, he soon fell into a shadowy world of lucrative spyware tools for sale to foreign security services, some of them with records of human rights abuse.
Over several months, the engineer adapted Gamma’s digital weapons to run on his company’s specialized, high-speed network hardware. Until then CloudShield had sold its CS-2000 device, a multipurpose network and content processing product, primarily to the Air Force and other Pentagon customers, who used it to manage and defend their networks, not to attack others.
CloudShield’s central role in Gamma’s controversial work — fraught with legal risk under U.S. export restrictions — was first uncovered by Morgan Marquis-Boire, author of a new report released Friday by the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. He shared advance drafts with The Post, which conducted its own month-long investigation. [Continue reading…]
In “The most wanted man in the world,” his feature article for Wired on Edward Snowden, James Bamford writes: The massive surveillance effort was bad enough, but Snowden was even more disturbed to discover a new, Strangelovian cyberwarfare program in the works, codenamed MonsterMind. The program, disclosed here for the first time, would automate the process of hunting for the beginnings of a foreign cyberattack. Software would constantly be on the lookout for traffic patterns indicating known or suspected attacks. When it detected an attack, MonsterMind would automatically block it from entering the country — a “kill” in cyber terminology.
Programs like this had existed for decades, but MonsterMind software would add a unique new capability: Instead of simply detecting and killing the malware at the point of entry, MonsterMind would automatically fire back, with no human involvement. That’s a problem, Snowden says, because the initial attacks are often routed through computers in innocent third countries. “These attacks can be spoofed,” he says. “You could have someone sitting in China, for example, making it appear that one of these attacks is originating in Russia. And then we end up shooting back at a Russian hospital. What happens next?”
In addition to the possibility of accidentally starting a war, Snowden views MonsterMind as the ultimate threat to privacy because, in order for the system to work, the NSA first would have to secretly get access to virtually all private communications coming in from overseas to people in the US. “The argument is that the only way we can identify these malicious traffic flows and respond to them is if we’re analyzing all traffic flows,” he says. “And if we’re analyzing all traffic flows, that means we have to be intercepting all traffic flows. That means violating the Fourth Amendment, seizing private communications without a warrant, without probable cause or even a suspicion of wrongdoing. For everyone, all the time.”