Eligible Receiver 97, Red Team Being Applied Today for Cyber Hacks?

An early classified Defense Department cybersecurity exercise named “Eligible Receiver 97” (ER97) featured a previously unpublicized series of mock terror attacks, hostage seizures, and special operations raids that went well beyond pure cyber activities in order to demonstrate the potential scope of threats to U.S. national security posed by attacks in the cyber domain, according to recently declassified documents and a National Security Agency (NSA) video posted today by the nongovernmental National Security Archive at The George Washington University.

“Joint Exercise Eligible Receiver 97”, run during the Clinton presidency, is frequently pointed to as a critical event in the United States’ appreciation of threats in cyber space. The exercise led directly to the formation of what would eventually become United States Cyber Command (USCYBERCOM) and informed key studies such as the formative Marsh Report on critical infrastructure protection. Despite the significance of ER97, however, very little is publicly known about the exercise itself.

ER97 involved an NSA Red Team playing the role of North Korean, Iranian and Cuban hostile forces whose putative aim was to attack critical infrastructure as well as military command-and-control capabilities to pressure the U.S. government into changing its policies toward those states. An interagency Blue Team was required to provide recommendations to personnel enacting defensive responses. Until now, only two phases out of three (infrastructure and command-and-control) had been publicly known. The video and documents posted today provide new details about the third phase involving kinetic attacks in the physical domain – i.e. more traditional terrorist assaults on civilian targets – which were built upon intelligence gathered through the Red Team’s successes.

*** With all the cyber terror going on today in the United States, are we doing more ‘red team’ exercises? Perhaps some of those tactics are paying off many years later.

3 Carbanak (FIN7) Hackers Charged With Stealing 15 Million ...

Three Members of Notorious International Cybercrime Group “Fin7” in Custody for Role in Attacking Over 100 U.S. Companies

Victim Companies in 47 U.S. States; Used Front Company ‘Combi Security’ to Recruit Hackers to Criminal Enterprise

SEATTLE – Three high-ranking members of a sophisticated international cybercrime group operating out of Eastern Europe have been arrested and are currently in custody facing charges filed in U.S. District Court in Seattle, announced U.S. Attorney Annette L. Hayes, Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division and Special Agent in Charge Jay S. Tabb Jr. of the FBI’s Seattle Field Office.

According to three federal indictments unsealed today, Ukrainian nationals Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30, are members of a prolific hacking group widely known as FIN7 (also referred to as the Carbanak Group and the Navigator Group, among other names).  Since at least 2015, FIN7 members engaged in a highly sophisticated malware campaign to attack more than 100 U.S. companies, predominantly in the restaurant, gaming, and hospitality industries.  As set forth in the indictments, FIN7 hacked into thousands of computer systems and stole millions of customer credit and debit card numbers which were used or sold for profit.

In the United States alone, FIN7 successfully breached the computer networks of businesses in 47 states and the District of Columbia, stealing more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations. Additional intrusions occurred abroad, including in the United Kingdom, Australia, and France. Companies that have publicly disclosed hacks attributable to FIN7 include such familiar chains as Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin and Jason’s Deli. Additionally, here in Western Washington, FIN7 targeted the Emerald Queen Casino (EQC) and other local businesses. The Emerald Queen Casino was able to stop the intrusion and no customer data was stolen.

“Protecting consumers and companies who use the internet to conduct business – both large chains and small ‘mom and pop’ stores — is a top priority for all of us in the Department of Justice,” said U.S. Attorney Annette L. Hayes.  “Cyber criminals who believe that they can hide in faraway countries and operate from behind keyboards without getting caught are just plain wrong.  We will continue our longstanding work with partners around the world to ensure cyber criminals are identified and held to account for the harm that they do – both to our pocketbooks and our ability to rely on the cyber networks we use.”

“The three Ukrainian nationals indicted today allegedly were part of a prolific hacking group that targeted American companies and citizens by stealing valuable consumer data, including personal credit card information, that they then sold on the Darknet,” said Assistant Attorney General Benczkowski.  “Because hackers are committed to finding new ways to harm the American public and our economy, the Department of Justice remains steadfast in its commitment to working with our law enforcement partners to identify, interdict, and prosecute those responsible for these threats.”

“The naming of these FIN7 leaders marks a major step towards dismantling this sophisticated criminal enterprise,” said Special Agent in Charge Jay S. Tabb Jr., of the FBI’s Seattle Field Office.  “As the lead federal agency for cyber-attack investigations, the FBI will continue to work with its law enforcement partners worldwide to pursue the members of this devious group, and hold them accountable for stealing from American businesses and individuals.”

Each of the three FIN7 conspirators is charged with 26 felony counts alleging conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft.

In January 2018, at the request of U.S. officials, foreign authorities separately arrested Ukrainian Fedir Hladyr and a second FIN7 member, Dmytro Fedorov.  Hladyr was arrested in Dresden, Germany, and is currently detained in Seattle pending trial.  Hladyr allegedly served as FIN7’s systems administrator who, among other things, maintained servers and communication channels used by the organization and held a managerial role by delegating tasks and by providing instruction to other members of the scheme.  Hladyr’s trial is currently scheduled for October 22, 2018.

Fedorov, a high-level hacker and manager who allegedly supervised other hackers tasked with breaching the security of victims’ computer systems, was arrested in Bielsko-Biala, Poland.  Fedorov remains detained in Poland pending his extradition to the United States.

In late June 2018, foreign authorities arrested a third FIN7 member, Ukrainian Andrii Kolpakov, in Lepe, Spain. Kolpakov, who is also alleged to be a supervisor of a group of hackers, remains detained in Spain pending the United States’ request for extradition.

According to the indictments, FIN7, through its dozens of members, launched numerous waves of malicious cyberattacks on numerous businesses operating in the United States and abroad.  FIN7 carefully crafted email messages that would appear legitimate to a business’ employee, and accompanied emails with telephone calls intended to further legitimize the email. Once an attached file was opened and activated, FIN7 would use an adapted version of the notorious Carbanak malware in addition to an arsenal of other tools to ultimately access and steal payment card data for the business’ customers. Since 2015, many of the stolen payment card numbers have been offered for sale through online underground marketplaces. (Supplemental document “How FIN7 Attacked and Stole Data” explains the scheme in greater detail.)

FIN7 used a front company, Combi Security, purportedly headquartered in Russia and Israel, to provide a guise of legitimacy and to recruit hackers to join the criminal enterprise.  Combi Security’s website indicated that it provided a number of security services such as penetration testing.  Ironically, the sham company’s website listed multiple U.S. victims among its purported clients.

 

The charges in the indictments are merely allegations, and the defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

The indictments are the result of an investigation conducted by the Seattle Cyber Task Force of the FBI and the U.S. Attorney’s Office for the Western District of Washington, with the assistance of the Justice Department’s Computer Crime and Intellectual Property Section and Office of International Affairs, the National Cyber-Forensics and Training Alliance, numerous computer security firms and financial institutions, FBI offices across the nation and globe, as well as numerous international agencies. Arrests overseas were executed in Poland by the “Shadow Hunters” from CBŚP (Polish Central Bureau of Investigation); in Germany by LKA Sachsen – Dezernat 33, (German State Criminal Police Office) and the Polizeidirektion Dresden (Dresden Police); and in Spain by the Grupo de Seguridad Logica within the Unidad de Investigación Technologica of the Cuerpo Nacional de Policía (Spanish National Police).

This case is being prosecuted by Assistant U.S. Attorneys Francis Franze-Nakamura and Steven Masada of the Western District of Washington, and Trial Attorney Anthony Teelucksingh of the Justice Department’s Computer Crime and Intellectual Property Section.


Fugitive Extradited in Border Patrol Agent Brian Terry Murder

Heraclio Osorio-Arellanes, left, and Border Agent Brian Terry (FBI/ATF)

SAN DIEGO, CA – Heraclio Osorio-Arellanes, who is charged with the first-degree murder of U.S. Border Patrol Agent Brian Terry, was extradited from Mexico to the United States today, announced Attorney General Jeff Sessions and U.S. Attorney Adam Braverman for the Southern District of California. He will be arraigned in U.S. District Court in Tucson, Arizona, tomorrow (Wednesday) afternoon. Osorio-Arellanes has been in custody awaiting extradition since his arrest by Mexican authorities on April 12, 2017.

Agent Terry was fatally shot on December 14, 2010, when he and other U.S. Border Patrol agents encountered Osorio-Arellanes and four other members of a “rip crew” (a criminal gang that attempts to steal from drug and alien smugglers) operating in a rural area north of Nogales, Arizona. Of the six defendants charged along with Osorio-Arellanes in the case, three have pleaded guilty, two were convicted following a jury trial, and one other defendant – Jesus Rosario Favela Astorga (arrested by Mexican authorities in October 2017) – has not yet been tried and is pending extradition to the United States.

“The Department of Justice is pleased that the suspected killer of Border Patrol Agent Brian Terry has been successfully extradited to the United States and will now face justice for this terrible crime,” said Attorney General Jeff Sessions. “We are grateful for the efforts of the Federal Bureau of Investigation, U.S. Marshals Service and U.S. Customs and Border Protection as well as our law enforcement partners in Mexico. To anyone who would take the life of an American citizen, in particular an American law enforcement officer, this action sends a clear message: Working closely with our international partners, we will hunt you down, we will find you, and we will bring you to justice.”

“The arrest and extradition of Osorio-Arellanes reflects the steadfast commitment and tireless work of the United States and our law enforcement partners in Mexico, who shared the common goal of seeking justice for the murder of Agent Brian Terry,” said U.S. Attorney Adam Braverman. “When an agent makes the ultimate sacrifice while serving his country, we must hold all the individuals who played a part in this tragic outcome accountable for their actions. This extradition moves that important goal forward.”

The indictment charges the defendants with first-degree murder, second-degree murder, conspiracy to interfere with commerce by robbery, attempted interference with commerce by robbery, use and carrying a firearm during a crime of violence and assault on a federal officer.  In addition to the murder of Agent Terry, the indictment alleges that the defendants assaulted U.S. Border Patrol Agents William Castano, Gabriel Fragoza and Timothy Keller, who were with Agent Terry during the firefight with the “rip crew.”

This case is being prosecuted in federal court in Tucson by attorneys from the Southern District of California, Special Attorneys Todd W. Robinson and David D. Leshner.  The U.S. Attorney’s Office for the District of Arizona is recused.  The case is being investigated by the FBI.  The Government of Mexico assisted in the apprehension and extradition.  The Justice Department’s Office of International Affairs provided assistance with the extradition of defendant Osorio-Arellanes.

The public is reminded that an indictment is a formal charging document and defendants are presumed innocent until the government meets its burden in court of proving guilt beyond a reasonable doubt.

DEFENDANT

Heraclio Osorio-Arellanes, Case No. 11-CR-00150-TUC-DCB (BPV)

AGENCIES

Federal Bureau of Investigation

U.S. Customs and Border Protection

United States Border Patrol

DOJ Office of International Affairs         

***

Federal authorities said Tuesday that Heraclio Osorio-Arellanes will be arraigned in U.S. District Court in Tucson on Wednesday.

Osorio-Arellanes had been in custody awaiting extradition since being arrested by Mexican authorities on April 12, 2017. Osorio-Arellanes is charged in the death of Border Patrol Agent Brian Terry, who was shot and killed Dec. 14, 2010 when he and other agents encountered a gang preying on smugglers north of Nogales, Arizona.

Terry was part of a four-man team in an elite Border Patrol unit staking out the southern Arizona desert on a mission to find “rip-off” crew members who rob drug smugglers.

They encountered a five-man group of suspected marijuana bandits and identified themselves as police in trying to arrest them.

A jury in Tucson in October 2015 found two men, Jesus Leonel Sanchez-Meza and Ivan Soto-Barraza, guilty on murder and other charges. Another man, Manuel Osorio-Arellanes, pleaded guilty to murder and was sentenced to 30 years in prison in 2014.

A fourth man, Rosario Rafael Burboa-Alvarez, pleaded guilty to murder. He was not present during the shooting but is accused of assembling the rip crew.

Authorities are still looking for Jesus Rosario Favela-Astorga, who’s wanted on murder, conspiracy, robbery, assault and firearm charges, reports CBS affiliate KOLD.

Tommy Robinson is Free, but Hold on….

Daniel Pipes posted:

But Robinson still has to go to court again for another hearing, where he could still be found guilty of contempt of court, which would be in breach of his suspended sentence that still stands, for doing the same thing previously.

Manchester far-right protestors tussle with police | Daily ...

Tommy Robinson has been freed from prison on bail after judges quashed findings that he committed contempt of court in Leeds.

But the Court of Appeal dismissed the far-right figure’s case against another incident in Canterbury and ordered him to attend a new hearing where he could be jailed again.

The Lord Chief Justice took little over a minute to read out the judgment to a packed courtroom, silencing Robinson’s supporters as they started applauding.

Lord Burnett said the court was allowing his appeal only “in respect of the committal for contempt at Leeds Crown Court” and granted Robinson bail ahead of a hearing to take place at the Old Bailey in London.

Supporters who had gathered outside the Royal Courts of Justice cheered as news of the judgment came through, as counter-demonstrators shouted “Nazi scum, off our streets” through a megaphone.

Robinson, whose real name is Stephen Yaxley-Lennon, was released from HMP Onley later on Wednesday.

“I have a lot to say, but not to you,” he told journalists while flanked by two men carrying his luggage, before being driven away.

High-profile backers including the Ukip leader Gerard Batten, Dutch opposition leader Geert Wilders and the former Breitbart London editor Raheem Kassam hailed the verdict as a victory for “freedom of speech”.

But judges did not say Robinson had not committed contempt of court, and accused him of delaying the appeals “for tactical reasons and collateral advantage”.

They dismissed calls to quash findings that he committed contempt at Canterbury Crown Court in May 2017, saying criticism by Robinson’s legal team “had no substance”.

Robinson was handed a three-month suspended sentence for trying to film defendants inside the court during jury deliberations, after being told to stop and warned filming was against the law.

But Lord Burnett, Mr Justice Turner and Mrs Justice McGowan found that procedural failings by a judge who later jailed Robinson for 13 months at Leeds Crown Court “gave rise to unfairness” and meant proceedings were “fundamentally flawed”.

Robinson was arrested on 25 May after broadcasting a Facebook Live video that broke a blanket reporting restriction on an ongoing set of trials, and jailed hours later.

The Court of Appeal previously heard that footage of Robinson discussing the ongoing case caused jury deliberations to be paused, sparking an attempt by defence lawyers to have the case dismissed.

Judges found that while Geoffrey Marson QC was right to bring Robinson before him to have the video deleted and protect jury deliberations, the case was dealt with too fast and did not follow criminal procedure rules.

“There was no clarity about what parts of the video were relied upon as amounting to contempt, what parts the appellant accepted through his counsel amounted to contempt and for what conduct he was sentenced,” the judgment said.

“Whilst the judge was entitled to deal with the contempt himself, the urgency went out of the matter when the appellant agreed to take down the video from Facebook. There should have been an adjournment to enable the particulars of contempt to be properly formulated and for a hearing at a more measured pace, as had happened in Canterbury.”

They ordered the matter to be heard again at the Old Bailey “as soon as reasonably possible”, and bailed Robinson on the condition he attends the new hearing and does not go within 400m of Leeds Crown Court.

Finally U.S. Sanctions Turkey over U.S. prisoners

Primer:

Ankara for years has been providing support to Hamas, Iran, ISIS, al Qaeda and Libya jihadists, yet it’s this incredibly stupid decision to hold an American hostage that has ultimately earned Turkey its first US sanctions.

U.S. Prepares List of Turkey Economic Sanctions Targets

The U.S. has prepared a list of Turkish entities and individuals to target should it decide to impose sanctions on Recep Tayyip Erdogan’s government for imprisoning U.S. citizens and employees of its diplomatic mission, according to two people with knowledge of the matter.

The lira slid.

While negotiations to release one of the people, evangelical Pastor Andrew Brunson, are ongoing, the preparation of the so-called “designation packages” shows how close the U.S. has come to imposing unprecedented penalties against a NATO ally. The sanctions are modeled on those against the Russian government and oligarchs close to President Vladimir Putin, the people said, asking not to be named because of the sensitivity of the issue.

The U.S. has extended deadlines this week to release Brunson or face sanctions, according to Turkish and U.S. officials familiar with the talks. The people and entities determined in the designation packages would need to be approved by the Treasury secretary and secretary of state.

The sanctions are being prepared under the Global Magnitsky Act of 2016, which allows the U.S. government to target individuals, companies or other entities involved in corruption or human-rights abuses anywhere in the world. Sanctions under the act allow for the seizure of assets in the U.S., travel bans and prohibitions on doing business with U.S. entities.

Lira Plunges

Turkey’s lira plunged to a record low of 4.9985 after Bloomberg News reported the possible sanctions, extending its decline to 4.5 percent since July 26, when Vice President Mike Pence threatened sanctions over the Brunson case. Yields on Turkey’s 10-year debt hit a record 18.86 percent on Tuesday. The Borsa Istanbul 100 index has lost 36 percent in dollar-adjusted terms this year, the second-worst performance in the world after Venezuela.

A U.S. Treasury spokesman didn’t immediately reply to an emailed request for comment.

The scope of the sanctions highlights the disconnect between Washington and Ankara as they try to negotiate a way out of the deadlock, with Turkish officials still apparently believing the Trump administration is bluffing.

Bankers who have met with Turkish officials say the sanctions threats are not being taken seriously in Ankara, even as they risk cutting off financing to an economy dependent on imported capital. For their part, U.S. officials’ patience with Turkey’s negotiating tactics is wearing thin.

‘Hostages’

Within the State Department, Brunson and other prisoners including NASA scientist Serkan Golge and three Turkish employees of the U.S. mission to Turkey are referred to as “hostages.” The U.S. says they’re innocent and being held by Turkey for the sole purpose of extracting concessions on other points of tension in the U.S.-Turkey relationship.

The two countries have quarreled over a panoply of foreign policy issues that have driven the onetime allies to outright hostility. Foremost among them are differences over policy in Syria and Iran, Turkish suspicions about the U.S. response to a 2016 coup attempt against Erdogan, and the Turkish leadership’s budding friendship with Putin.

The Magnitsky sanctions under consideration could be just the start of what would look like a U.S. assault on Turkey’s vulnerable economy. The U.S. is also considering a hefty fine on state-run lender Turkiye Halk Bankasi AS for its role in evading U.S. sanctions targeting Iran’s nuclear program, and it would impose sanctions on Turkey when it receives delivery of a missile defense system from Russia, expected in 2019.

Deal Fails

As of last week, the Americans thought they had a deal that would bring Brunson home, according to accounts by officials on both sides of the matter. In return for the release of the evangelical pastor, who’s been imprisoned for almost two years on charges including involvement in the failed coup, the U.S. administration would recommend a lenient fine on Halkbank. The U.S. also offered to send Mehmet Hakan Atilla, a former executive at the bank who’s been jailed in the U.S., back to Turkey to serve out the rest of his term.

As a final sweetener to the Turks, U.S. President Donald Trump said he’d get Israeli Prime Minister Benjamin Netanyahu to release a Turkish citizen, Ebru Ozkan, who’d been arrested in Israel on accusations of abetting Hamas. Netanyahu did it, and Ozkan was sent back to Turkey on July 16.

The Americans waited for Erdogan to deliver on his side of the deal: Brunson was to be released and then deported at a hearing on July 18. Instead, Turkey changed the conditions of the agreement at the last minute, with Foreign Minister Mevlut Cavusoglu interjecting to demand that any probe of Halkbank be dropped, according to Turkish and U.S. officials. The deal fell apart and Brunson was moved to house arrest.

The Americans had been carrying out the negotiations through a backchannel with a person close to Erdogan, according to people familiar with the matter. But they have had a difficult time gauging whether or not the Turkish side fully comprehends the possible consequences of U.S. sanctions on Turkey’s economy.

That’s made it harder for the U.S. to take decisive action as the U.S. is reluctant to take action that could risk tanking the economy of a nominally allied country, or bringing down its banking system. Turkish companies and banks depend on foreign capital to plug one of the world’s largest current-account deficits, which requires about $200 million a day in foreign financing.

Ironically, the damage that U.S. action could do to Turkey makes it more hesitant to act and strengthens Turkey’s negotiating position, according to Asli Aydintasbas, an Istanbul-based senior policy fellow at the European Council on Foreign Relations.

“I have seen this over and over in this relationship going back two decades, on a much smaller scale,” Aydintasbas said. “The price of actually doing something is so big that Turkey has a psychological advantage. It’s as if they have more power, whereas it’s the other way around.”