Category Archives: NSA Spying

Yemen Cyber Army, Saudi and Wikileaks

Posted on by

Here it comes again, a major hack that took place earlier this month and the documents are in a pipeline to be published. Some are out there now.

From www.securityaffairs.co who I just interviewed for radio last week:

“We have gained access to the Saudi Ministry of Foreign Affairs (MOFA) network and have full control over more than 3000 computers and servers, and thousands of users. We also have access to the emails, personal and secret information of hundreds of thousands of their diplomats in different missions around the world.” states the group.

The following image was left on the PC of the employees at the Saudi foreign ministry on Thursday morning

Yemen Cyber Army vs Saudi Gov

More details here on the Yemen Cyber Army and the Saudi hack. The Yemen Cyber Army left behind these messages for file access as well:

OPERATION Name : “Syed Hussein Badreddin al-Houthi”
OPERATION Key  : b919117da9954bd82e65677cb240bbb3e4ddbd9ac93e10f0a399257ad54d851a

Saudi Arabia Ministry of Foreign Affairs Hacked By Yemen Cyber Army
All MOFA.GOV.SA Subdomains And Servers Hacked and HDD Encrypted
Allah is the enemy of those who oppress people

This is to convey a message to Saudi Dictators, if they’ve got a listening ear!

It’s us again, Yemen Cyber Army!

We are an Islamic Group who fights against you oppressors.

What you and your puppets commit in Yemen, Syria, Bahrain, Iraq and Lebanon, remind us of crimes your forefather Yazid-ibn-Muawiya committed in Karbala. And indeed you are good successors to him. You are ISIS and ISIS is you.

Never assume our calmness is due to weakness. We are oppressed! God will judge between you and us. As we never seek help from other than him.
You are pagan oppressors as you always fawn for US and Israel, that’s what you deserve.
So congratulations to those who achieve martyrdom in fight against pagan oppressors.

“And never think of those who have been killed in the cause of Allah as dead. Rather, they are alive with their Lord, receiving provision ”

Our cyber operation is just started and by the grace of God we are expecting the Saudi regime’s collapse by the “Labbaik Ya-Hossain” slogan.
This second operation is blessed by the name of martyred “Syed Hussein Badreddin al-Houthi” and is going to be a beginning to Saudi’s overthrow, Inshallah.

We have gained access to the Saudi Ministry of Foreign Affairs (MOFA) network and have full control over more than 3000 computers and servers, and thousands of users. We also have access to the emails, personal and secret information of hundreds of thousands of their diplomats in different missions around the world.

We publish only few portions of vital information we have, just to let them know that “truly the flimsiest of houses is the spider´s house”

Some portions of visa secret information, thousands of documents from the MOFA’s automation system and secret emails will be published gradually so as to keep Saudi puppets always in fear of their identity disclosure.

This way they might slightly come to know how it feels when our innocent women and children rush into havens crying and looking for their beloved once in dark.

And that’s not all! All your computers will be automatically wiped on Wednesday – 2015 20 May and at 12:00 to become a lesson for oppressors.

We have the same access to the Interior Ministry (MOI) and Defense Ministry (MOD) of which the details will be published in near future. Wish such shocking news make Saudi dictators to come to their senses and recapture those young wild dogs’ leash to avoid Muslims exploiting hate against Saudi family.
If you did not stop attacks on Muslims in Yemen, do not blame anyone but yourself and expect greater harms.
Files PASSWORD : [email protected]

Your Network Hacked By Yemen Cyber Army
We Are Cutting Sword of Justice
All Your Data is Encrypted and You Can’t Access Them without Key
Find Out the Decryption Key This Way :
Number of Yemeni Children Killed in Saudi Air Attacks   +
Number of Yemeni Homes Destroyed By Saudi-USA Bombs   –
Number of Saudis Killed By Yemenis   –
Number of Israeli Soldiers Killed by Saudi and Arab Union in 1984!!!!

#OPSAUDI
#YEMEN_UNDER_ATTACK
#OPKSA

We Are Anonymous
We Are Everywhere
We Are Legion
We do Not Forgive
We do Not Forget
Stop Attacking To Our Country!

****

Now enter the documents and Wikileaks.

WikiLeaks says it’s leaking over 500,000 Saudi documents

ISTANBUL (AP) — WikiLeaks is in the process of publishing more than 500,000 Saudi diplomatic documents to the Internet, the transparency website said Friday, a move that echoes its famous release of U.S. State Department cables in 2010.

WikiLeaks said in a statement that it has already posted roughly 60,000 files. Most of them appear to be in Arabic.

There was no immediate way to verify the authenticity of the documents, although WikiLeaks has a long track record of hosting large-scale leaks of government material. Many of the documents carried green letterhead marked “Kingdom of Saudi Arabia” or “Ministry of Foreign Affairs.” Some were marked “urgent” or “classified.” At least one appeared to be from the Saudi Embassy in Washington.

If genuine, the documents would offer a rare glimpse into the inner workings of the notoriously opaque kingdom. They might also shed light on Riyadh’s longstanding regional rivalry with Iran, its support for Syrian rebels and Egypt’s military-backed government, and its opposition to an emerging international agreement on Tehran’s nuclear program.

One of the documents, dated to 2012, appears to highlight Saudi Arabia’s well-known skepticism about the Iranian nuclear talks. A message from the Saudi Arabian Embassy in Tehran to the Foreign Ministry in Riyadh describes “flirting American messages” being carried to Iran via an unnamed Turkish mediator.

Another 2012 missive, this time sent from the Saudi Embassy in Abu Dhabi, said the United Arab Emirates was putting “heavy pressure” on the Egyptian government not to try former president Hosni Mubarak, who had been overthrown in a popular uprising the year before.

Some of the concerns appear specific to Saudi Arabia.

In an Aug. 14, 2008 message marked “classified and very urgent,” the Foreign Ministry wrote to the Saudi Embassy in Washington to warn that dozens of students from Saudi Arabia and other Gulf countries had visited the Israeli Embassy in the U.S. capital as part of an international leadership program.

“They listened to diplomats’ briefings from the embassy employees, they asked questions and then they took pictures,” the message said, asking the embassy for a speedy update on the situation.

Another eye-catching item was a document addressed to the interior and justice ministers notifying them that a son of Osama bin Laden had obtained a certificate from the American Embassy in Riyadh “showing (the) death of his father.”

Many more of the dozens of documents examined by The Associated Press appeared to be the product of mundane administrative work, such as emails about setting up a website or operating an office fax machine.

The AP was able to partially verify a handful of documents’ authenticity by calling the telephone numbers included in many of them. WikiLeaks spokesman Kristinn Hrafnsson told AP he was confident that the material was genuine.

It is not clear how WikiLeaks got the documents, although in its statement the website referred to a recent electronic attack on the Saudi Foreign Ministry by a group calling itself the Yemen Cyber Army. Hrafnsson declined to elaborate on the statement or say whether the hackers subsequently passed documents on to WikiLeaks.

“As a matter of policy we’re not going to discuss the source of the material,” he said.

The Saudi Embassy in Washington did not immediately return repeated messages seeking comment.

In its statement, WikiLeaks said the release coincided with the three-year anniversary of its founder, Julian Assange, seeking asylum in the Ecuadorian Embassy in London.

Assange took refuge in the embassy to avoid extradition to Sweden, where he is wanted for questioning about alleged sex crimes. Assange has denied any wrongdoing.  To access: WikiLeaks’ Saudi Cables site: https://wikileaks.org/saudi-cables/

 

 

Chinese Intelligence at Center of OPM Hack

Posted on by

First reported there was Anthem, one of the largest healthcare providers that was hacked. 80 million personal records were compromised. What is notable is Anthem is part of the Blue Cross Blue Shield health coverage network and even more concerning is BCBS provides coverage to more that half of the federal government workforce.

Take note of the following fro Threatconnect.com:

“Anthem Themed Infrastructure & Signed Malware:
In September 2014, the ThreatConnect Intelligence Research Team (TCIRT) observed a variant of the Derusbi APT malware family, MD5: 0A9545F9FC7A6D8596CF07A59F400FD3, which was signed by a valid digital signature from the Korean company DTOPTOOLZ Co. Derusbi is a family of malware used by multiple actor groups but associated exclusively with Chinese APT. TCIRT began tracking the DTOPTOOLZ signature for additional signed malware samples and memorialized them within our Threat Intelligence Platform over time.
Analyst Comment: The DTOPTOOLZ signature has also been observed in association with Korean Adware that is affiliated with the actual DTOPTOOLZ Co. This adware should not be confused with the APT malware that is abusing the same digital signature.
Later, in mid-November we discovered another implant that was digitally signed with the DTOPTOOLZ signature. This implant, MD5: 98721c78dfbf8a45d152a888c804427c, was from the “Sakula” (aka. Sakurel) family of malware, a known variant of the Derusbi backdoor, and was configured to communicate with the malicious command and control (C2) domains extcitrix.we11point[.]com and www.we11point[.]com. Through our Farsight  Security passive DNS integration, we uncovered that this malicious infrastructure was likely named in such a way to impersonate the legitimate Wellpoint IT infrastructure.”

This brings us to the hack or rather simply sign-on as a root user of the 14 million personnel records of Office of Personnel Management (OPM) located in Colorado.

From Reuters:

U.S. employee data breach tied to Chinese intelligence

The Chinese hacking group suspected of stealing sensitive information about millions of current and former U.S. government employees has a different mission and organizational structure than the military hackers who have been accused of other U.S. data breaches, according to people familiar with the matter.

While the Chinese People’s Liberation Army typically goes after defense and trade secrets, this hacking group has repeatedly accessed data that could be useful to Chinese counter-intelligence and internal stability, said two people close to the U.S. investigation.

Washington has not publicly accused Beijing of orchestrating the data breach at the U.S. Office of Personnel Management (OPM), and China has dismissed as “irresponsible and unscientific” any suggestion that it was behind the attack.

Sources told Reuters that the hackers employed a rare tool to take remote control of computers, dubbed Sakula, that was also used in the data breach at U.S. health insurer Anthem Inc last year.

The Anthem attack, in turn, has been tied to a group that security researchers said is affiliated with China’s Ministry of State Security, which is focused on government stability, counter-intelligence and dissidents. The ministry could not immediately be reached for comment.

In addition, U.S. investigators believe the hackers registered the deceptively named OPM-Learning.org website to try to capture employee names and passwords, in the same way that Anthem, formerly known as Wellpoint, was subverted with spurious websites such as We11point.com, which used the number “1” instead of the letter “l”.

Both the Anthem and OPM breaches used malicious software electronically signed as safe with a certificate stolen from DTOPTOOLZ Co, a Korean software company, the people close to the inquiry said. DTOPTOOLZ said it had no involvement in the data breaches.

The FBI did not respond to requests for comment. People familiar with its investigation said Sakula had only been seen in use by a small number of Chinese hacking teams.

“Chinese law prohibits hacking attacks and other such behaviors which damage Internet security,” China’s Foreign Ministry said in a statement. “The Chinese government takes resolute strong measures against any kind of hacking attack. We oppose baseless insinuations against China.”

MANY UNKNOWNS

Most of the biggest U.S. cyber attacks blamed on China have been attributed, with varying degrees of certitude, to elements of the Chinese army. In the most dramatic case two years ago, the U.S. Justice Department indicted five PLA officers for alleged economic espionage.

Far less is known about the OPM hackers, and security researchers have differing views about the size of the group and what other attacks it is responsible for.

People close to the OPM investigation said the same group was behind Anthem and other insurance breaches. But they are not yet sure which part of the Chinese government is responsible.

“We are seeing a group that is only targeting personal information,” said Laura Gigante, manager of threat intelligence at FireEye Inc, which has worked on a number of the high-profile network intrusions.

CrowdStrike and other security companies, however, say the Anthem hackers also engaged in stealing defense and industry trade secrets. CrowdStrike calls the group “Deep Panda,” EMC Corp’s RSA security division dubs it “Shell Crew,” and other firms have picked different names.

The OPM breach gave hackers access to U.S. government job applicants’ security clearance forms detailing past drug use, love affairs, and foreign contacts that officials fear could be used for blackmail or recruiting.

In contrast to hacking outfits associated with the Chinese army, “Deep Panda” appears to be affiliated with the Ministry of State Security, said CrowdStrike co-founder Dmitri Alperovitch.

Information about U.S. spies in China would logically be a top priority for the ministry, Alperovitch said, adding that “Deep Panda’s” tools and techniques have also been used to monitor democracy protesters in Hong Kong.

An executive at one of the first companies to connect the Anthem and OPM compromises, ThreatConnect, said the disagreements about the boundaries of “Deep Panda” could reflect a different structure than that in top-down military units.

“We think it’s likely a cohort of Chinese actors, a bunch of mini-groups that are handled by one main benefactor,” said Rich Barger, co-founder of ThreatConnect, adding that the group could get software tools and other resources from a common supplier.

“We think this series of activity over time is a little more distributed, and that is why there is not a broad consensus as to the beginning and end of this group.”

China did Not Hack OPM, Operative Just Signed In

Posted on by

Per ARS Technica: Not only were the database records of POM not encrypted, it simply did not matter. At least 14 million personnel files have been compromised and protecting social security numbers by encryption did not mater.

But even if the systems had been encrypted, it likely wouldn’t have mattered. Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would “not have helped in this case” because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.

House Oversight Chairman Jason Chaffetz (R-Utah) told Archuleta and OPM Chief Information Officer Donna Seymour, “You failed utterly and totally.” He referred to OPM’s own inspector general reports and hammered Seymour in particular for the 11 major systems out of 47 that had not been properly certified as secure—which were not contractor systems but systems operated by OPM’s own IT department. “They were in your office, which is a horrible example to be setting,” Chaffetz told Seymour. In total, 65 percent of OPM’s data was stored on those uncertified systems.’

Even more chilling, a person or team just found a way to sign in as a root user.

Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project “was in Argentina and his co-worker was physically located in the [People’s Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is ‘so what’s new?'”

Given the scope and duration of the data breaches, it may be impossible for the US government to get a handle on the exact extent of the damage done just by the latest attack on OPM’s systems. If anything is clear, it is that the aging infrastructure of many civilian agencies in Washington magnify the problems the government faces in securing its networks, and OPM’s data breach may just be the biggest one that the government knows about to date.

Future consequences of lack of security of data systems is blackmail

Reuters: The same hackers breached several health insurance companies last summer and made off with the medical records of 11 million people, including members of Blue Cross/Blue Shield’s District of Columbia affiliate CareFirst.

Media pundits spent all week talking about how Deep Panda could compile all this information to craft a potential blackmail database on U.S. operatives for its patron, presumably China. But that’s ridiculous. Beijing is smarter than that.

Espionage is a long game, not a race, and countries are patient. Blackmail is a quick, brutal method of acquiring information in the short term.

It typically begins when foreign agents play on a target’s existing weakness — a penchant for gambling, for example, or deviant sexual behavior — enticing the target to indulge in it and then threatening exposure.

That’s a lot of work for a short-term gain. Blackmail targets are almost always found out, or turn on their blackmailers or end their lives. No, a better use for that database is as a reference to create the background for the perfect mole. Many additional details found here.

An additional security concern of real proporations is this cyber intrusion has affected Hill and Congressional staff.

In Part from the Hill: Officials had initially said the breach only encompassed 4.2 million federal employees, all within the executive branch. But the discovery of a second breach that compromised security clearance data has many expecting the breach to eventually expose up to 14 million people.

According to an email sent to House staff members shortly before midnight Tuesday and obtained by The Hill, many of them are at risk.

“It now appears likely that the service records of current House employees employed previously by ANY federal government entity (including the House, if an individual left the House and later returned to a House position) may have been compromised,” said the email said, sent by House Chief Administrative Officer Ed Cassidy.

When staffers leave Capitol Hill, or any federal agency, their retirement records are forwarded to the OPM.

“In addition, the background investigation files of individuals holding security clearances (whether currently active or not) may have been exposed,” the email added.

Senate staffers received a similar email from the Senate Sergeant at Arms several hours earlier on Tuesday, according to multiple reports.

 

 

Listen and Read How Wrong Obama is on Iran

Posted on by

Even the Russians did not lie as badly as the Iranians have and Kerry at the behest of the White House is ignoring the historical lies.

Sen. Bob Corker (R-Tenn.) has sent a blistering letter to President Obama denouncing reported Iran concessions. It reads:

Dear Mr. President:

It is breathtaking to see how far from your original goals and statements the P5+1 have come during negotiations with Iran. Under your leadership, six of the world’s most important nations have allowed an isolated country with roguish policies to move from having its nuclear program dismantled to having its nuclear proliferation managed. Negotiators have moved from a 20-year agreement to what is in essence a 10-year agreement that allows Iran to simultaneously continue development of an advanced ballistic missile program and research and development of advanced centrifuges. This also will allow Iran’s economy to be restored with billions of dollars returned to its coffers, a development that administration officials concede will be used at some level to export terrorism in the region.

I am alarmed by recent reports that your team may be considering allowing the deal to erode even further. Only you and those at the table know whether there is any truth to these allegations, and I hope reports indicating potential concessions on inspections and on the full disclosure of Iran’s possible military dimensions (PMDs) are inaccurate.

Regarding inspections, surely your administration and those involved in the negotiations will adhere to an “anytime, anywhere” standard. No bureaucratic committees. No moving the ball. No sites off limits.

You have publicly acknowledged Iran’s long history of covert nuclear activity.  We all are aware of the importance of having a full understanding of Iran’s nuclear program, including PMDs of those activities as part of any agreement. Yet, recently I have heard of a potential cumbersome process where the International Atomic Energy Agency (IAEA), with no confirmation from Iran, will make PMD determinations about Iran’s nuclear program in order to protect Iran’s national pride, meaning Iran will not have to publicly admit to these activities. Today, the IAEA cannot get access to information Iran agreed to share pursuant to a 2013 agreement. By not requiring Iran to explicitly disclose their previous weaponization efforts on the front end of any final agreement, we will likely never know, in a timely fashion, the full extent of Iranian capabilities.

I understand the dynamics that can develop when a group believes they are close to a deal and how your aides may view this as a major legacy accomplishment. However, as you know, the stakes here are incredibly high and the security implications of these negotiations are difficult to overstate. As your team continues their work, if Iran tries to cross these few remaining red lines, I would urge you to please pause and consider rethinking the entire approach. Walking away from a bad deal at this point would take courage, but it would be the best thing for the United States, the region and the world.

One hopes that Corker’s colleagues are paying attention and that they are ready to prevent a catastrophic deal.

Russia China Pact with Snowden in the Middle

Posted on by

Going beyond the major hack by China into the Office of Personnel Management that cultivated at least 14 million personnel files of government, intelligence and military, China is building a database of individuals in America. Would they share it with Russia? The wake of destruction is yet to be known and future predictions are impossible to imagine.

Russia is turning to China and likewise China is delighted for the relationship as proven by the Silk Road Economic objectives.

Putin’s vision of a ‘greater Europe’ from Lisbon to Vladivostok, made up of the European Union and the Russian-led Eurasian Economic Union, is being replaced by a ‘greater Asia’ from Shanghai to St. Petersburg.

China's silk road

In part:

The rupture between Russia and the West stemming from the 2014 crisis over Ukraine has wide-ranging geopolitical implications. Russia has reverted to its traditional position as a Eurasian power sitting between the East and the West, and it is tilting toward China in the face of political and economic pressure from the United States and Europe. This does not presage a new Sino-Russian bloc, but the epoch of post-communist Russia’s integration with the West is over. In the new epoch, Russia will seek to expand and deepen its relations with non-Western nations, focusing on Asia. Western leaders need to take this shift seriously.


Russia’s Pivot to Asia
Russia’s pivot to Asia predates the Ukraine crisis, but it has become more pronounced since then. This is in part because China is the largest economy outside of the coalition that has imposed sanctions on Russia as a result of the crisis.

What was originally Moscow’s “marriage of convenience” with Beijing has turned into a much closer partnership that includes cooperation on energy trade, infrastructure development, and defense.

Putin’s vision of a “greater Europe” from Lisbon to Vladivostok, made up of the European Union and the Russian-led Eurasian Economic Union, is being replaced by a “greater Asia” from Shanghai to St. Petersburg.

Russia is now more likely to back China in the steadily growing competition between Beijing and Washington, which will strengthen China’s hand.
Takeaways for Western Leaders
Russia’s confrontation with the United States will help mitigate Sino-Russian rivalries, mostly to China’s advantage. But this doesn’t mean Russia will be dominated by China—Moscow is likely to find a way to craft a special relationship with its partner.

With China’s economic might and Russia’s great-power expertise, the BRICS group (of which Russia is a part, along with Brazil, India, China, and South Africa) will increasingly challenge the G7 as a parallel center of global governance.

The Shanghai Cooperation Organization, due to include India and Pakistan this year, is on its way to becoming the principal development and security forum for continental Asia.

Through its enhanced relations with non-Western countries, Russia will actively promote a concept of world order that seeks to reduce U.S. global dominance and replace it with a broader great-power consensus. Much more detail here.

Enter Snowden

Confirmed: UK agents ‘moved over Snowden files’

Russia, China Decrypt Snowden Files

Russia and China have allegedly decrypted the top-secret cache of files stolen by whistleblower Edward Snowden, according to a report from The Sunday Times, to be published tomorrow.

The info has compelled British intelligence agency MI6 to withdraw some of its agents from active operations and other Western intelligence agencies are now actively involved in rescue operations. In a July 2013 email to a former U.S. Senator, Snowden stated that, “No intel­li­gence ser­vice—not even our own—has the capac­ity to com­pro­mise the secrets I con­tinue to pro­tect. While it has not been reported in the media, one of my spe­cial­iza­tions was to teach our peo­ple at DIA how to keep such infor­ma­tion from being com­pro­mised even in the high­est threat counter-intelligence envi­ron­ments (i.e. China).” Many in the intelligence agencies at the time greeted this claim with scepticism. Now, one senior British official said Snowden had “blood on his hands,” but another said there’s yet no evidence anyone was harmed. Snowden eventually fled to Russia via Hong Kong after downloading some 1.7 million documents from U.S. government computers and leaking them to journalists out of a desire to protect “privacy and basic liberties.” The revelations of mass spying outraged populations and governments around the world, at least temporarily damaged relations, and eventually led to changes in the mass surveillance policies of the NSA and British GCHQ.