After Ukraine, DHS Warns Domestic Utility Companies

Feds advise utilities to pull plug on Internet after Ukraine attack

WashingtonExaminer: The Department of Homeland Security advised electric utilities Thursday that they may need to stop using the Internet altogether, after the agency found that a cyberattack that brought down Ukraine’s power grid in December could have been far more devastating than reported.

The Dec. 23 cyberattack forced U.S. regulators to place utilities on alert after unknown attackers caused thousands of Ukrainian residents to lose power for hours by installing malicious software, or malware, on utility computers. But the Department of Homeland Security said Thursday that the attack may have been directed at more than just the country’s electricity sector, suggesting the attackers were looking to cause more harm than was reported.

In response, federal investigators are recommending that U.S. utilities and other industries “take defensive measures.” To start with, they need to follow best practices “to minimize the risk from similar malicious cyber activity,” according to an investigative report issued Thursday by Homeland Security’s Industrial Control Systems Cyber Emergency Response Team.

But the team is also recommending more drastic action, such as keeping control-system computers away from the Internet.

“Organizations should isolate [industrial control system] networks from any untrusted networks, especially the Internet,” the report says. “All unused ports should be locked down and all unused services turned off. If a defined business requirement or control function exists, only allow real-time connectivity to external networks. If one-way communication can accomplish a task, use optical separation.”
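The three recommendations quoted above can be turned into a ruleset check. The following is an added example, not code from the ICS-CERT report or the article; the zone names, rule fields, ports and sample rules are all constructed assumptions.

```python
"""Audit a firewall ruleset against the ICS isolation guidance quoted above.

Zone names, rule fields and all sample data are constructed for illustration.
"""
from dataclasses import dataclass

ICS_ZONE = "ics"
UNTRUSTED = {"internet"}      # assumption: zones that must never touch ICS directly


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    port: int
    two_way: bool             # True if replies / return traffic are permitted


@dataclass(frozen=True)
class Requirement:
    """A documented business or control need for a flow touching the ICS zone."""
    src: str
    dst: str
    port: int
    needs_reply: bool         # False: a one-way gateway (data diode) would do


def audit(rules, requirements):
    """Return sorted (rule name, finding) pairs for rules that break the guidance."""
    documented = {(q.src, q.dst, q.port): q for q in requirements}
    findings = []
    for r in rules:
        if ICS_ZONE not in (r.src, r.dst):
            continue                                   # rule does not touch ICS
        req = documented.get((r.src, r.dst, r.port))
        if {r.src, r.dst} & UNTRUSTED:
            # "isolate ICS networks from any untrusted networks"
            findings.append((r.name, "direct-path-to-untrusted-network"))
        if req is None:
            # "all unused ports should be locked down"
            findings.append((r.name, "no-documented-requirement"))
        elif r.two_way and not req.needs_reply:
            # "if one-way communication can accomplish a task ..."
            findings.append((r.name, "one-way-transfer-would-suffice"))
    return sorted(findings)


# Constructed sample ruleset and requirement register.
RULES = [
    Rule("vendor-rdp", "internet", "ics", 3389, True),
    Rule("historian-export", "ics", "dmz", 5450, True),
    Rule("eng-workstation", "dmz", "ics", 502, True),
    Rule("legacy-ftp", "ics", "dmz", 21, True),
    Rule("office-web", "corporate", "internet", 443, True),
]
REQUIREMENTS = [
    Requirement("ics", "dmz", 5450, needs_reply=False),   # telemetry export only
    Requirement("dmz", "ics", 502, needs_reply=True),     # Modbus/TCP polling
]

if __name__ == "__main__":
    for name, finding in audit(RULES, REQUIREMENTS):
        print(f"{name}: {finding}")
```

A rule with no matching entry in the requirement register is reported even when it stays inside trusted zones, which is how undocumented "temporary" openings surface.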

The findings show that the power outages were caused by three attacks using cyberintrusion software to attack electric power distribution companies, affecting about 225,000 customers. They also reveal that once power was restored, the utilities continued “to run under constrained operations,” implying that the damage to grid control systems was profound.

The team also learned that “three other organizations, some from other critical infrastructure sectors, were also intruded upon but did not experience operational impacts.” That suggests the attackers were going after more than just the power grid, and may have been planning a much broader, economy-wide attack. The team does not disclose what other sectors of the country were targeted.

The team said the attack was well-planned, “probably following extensive reconnaissance of the victim networks,” the report says. “According to company personnel, the cyberattacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities.”

The attackers were attempting to make the damage permanent. The report says the attackers installed “KillDisk” malware onto company computers that would erase data necessary to reboot operations after a cyberattack.

There is also a mystery to the attackers’ actions.

“Each company also reported that they had been infected with BlackEnergy malware; however, we do not know whether the malware played a role in the cyberattacks,” the report says. The malware was delivered using an email-based hacking technique known as “spear phishing,” with messages that contained a number of malicious Microsoft Office attachments.

“It is suspected that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials; however, this information is still being evaluated,” the team says.

The investigation was done with Ukrainian authorities and involved the FBI, the Department of Energy and the North American Electric Reliability Corporation.

*** 

New research is shining a light on the ongoing evolution of the BlackEnergy malware, which has been spotted recently targeting government institutions in the Ukraine.

Security researchers at ESET and F-Secure each have dived into the malware’s evolution. BlackEnergy was first identified several years ago. Originally a DDoS Trojan, it has since morphed into “a sophisticated piece of malware with a modular architecture, making it a suitable tool for sending spam and for online bank fraud,” blogged ESET’s Robert Lipovsky.

“The targeted attacks recently discovered are proof that the Trojan is still alive and kicking in 2014,” wrote Lipovsky, a malware researcher at ESET.

ESET has nicknamed the BlackEnergy modifications first spotted at the beginning of the year ‘BlackEnergyLite’ due to the lack of a kernel-mode driver component. It also featured less support for plug-ins and a lighter overall footprint.

“The omission of the kernel mode driver may appear as a step back in terms of malware complexity: however it is a growing trend in the malware landscape nowadays,” he blogged. “The threats that were among the highest-ranked malware in terms of technical sophistication (e.g., rootkits and bootkits, such as Rustock, Olmarik/TDL4, Rovnix, and others) a few years back are no longer as common.”

The malware variants ESET has tracked in 2014 – both of BlackEnergy and of BlackEnergy Lite – have been used in targeted attacks. This was underscored by the presence of plugins meant for network discovery, remote code execution and data collection, Lipovsky noted.

“We have observed over a hundred individual victims of these campaigns during our monitoring of the botnets,” he blogged. “Approximately half of these victims are situated in Ukraine and half in Poland, and include a number of state organizations, various businesses, as well as targets which we were unable to identify. The spreading campaigns that we have observed have used either technical infection methods through exploitation of software vulnerabilities, social engineering through spear-phishing emails and decoy documents, or a combination of both.”

In a whitepaper, researchers at F-Secure noted that in the summer of 2014, the firm saw samples of BlackEnergy targeting Ukrainian government organizations for the purposes of stealing information. These samples were nicknamed BlackEnergy 3 by F-Secure and identified as the work of a group the company refers to as “Quedagh.” According to F-Secure, the group is suspected to have been involved in cyber-attacks launched against Georgia during that country’s conflict with Russia in 2008.

“The Quedagh-related customizations to the BlackEnergy malware include support for proxy servers and use of techniques to bypass User Account Control and driver signing features in 64-bit Windows systems,” according to the F-Secure whitepaper. “While monitoring BlackEnergy samples, we also uncovered a new variant used by this group. We named this new variant BlackEnergy 3.”

Only Quedagh is believed to be using BlackEnergy 3, and it is not available for sale on the open market, noted Sean Sullivan, security advisor at F-Secure.

“The name [of the group] is based on a ship taken by Captain Kidd, an infamous privateer,” he said. “It is our working theory that the group has previous crimeware experience. Its goals appear to be political but they operate like a crimeware gang. There have been several cases this year of which BlackEnergy is the latest. The trend is one of off-the-shelf malware being used in an APT [advanced persistent threat] kind of way. The tech isn’t currently worthy of being called APT, but it’s evolving and scaling in that direction.”

Within a month of Windows 8.1’s release, the group added support for 64-bit systems. They also used a technique to bypass the driver-signing requirement on 64-bit Windows systems.

In the case of BlackEnergy 3, the malware will only attempt to infect a system if the current user is a member of the local administration group. If not, it will re-launch itself as Administrator on Vista. This will trigger a User Account Control (UAC) prompt. However, on Windows 7 and later, the malware will look to bypass the default UAC settings.  

“The use of BlackEnergy for a politically-oriented attack is an intriguing convergence of criminal activity and espionage,” F-Secure notes in the paper. “As the kit is being used by multiple groups, it provides a greater measure of plausible deniability than is afforded by a custom-made piece of code.”

In 2014 from the Department of Interior and DHS:

Summary: Investigation of NPS-GCNP SCADA SYSTEM

Report Date: August 7, 2014

OIG investigated allegations that the Supervisory Control and Data Acquisition (SCADA) system at Grand Canyon National Park (Park) may be obsolete and prone to failure. In addition, it was alleged only one Park employee controlled the system, increasing the potential for the system to fail or become unusable.

The SCADA system is a private utilities network that monitors and controls critical infrastructure elements at the Park. Failure of the system could pose a health and safety risk to millions of Park visitors. Due to potential risks that system failure posed, we consulted with the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and asked that they assess the overall architecture and cybersecurity of the Park’s SCADA system.

ICS-CERT conducted an onsite review and issued a report outlining the weaknesses it found at the Park’s SCADA system, including obsolete hardware and software, inadequate system documentation and policies, and insufficient logging and data retention. We provided a copy of ICS-CERT’s assessment report to the National Park Service for review and action.

Chilling Details of the Sony Hack, Reported

These Are the Cyberweapons Used to Hack Sony

MotherBoard: In late November 2014, a mysterious group of hackers calling itself “God’sApstls” sent an ominous and jumbled email to a few high-level Sony Pictures executives.

“The compensation for it, monetary compensation we want,” the hackers wrote. “Pay the damage, or Sony Pictures will be bombarded as a whole.”

The executives at the Hollywood studio, which was about to release the controversial James Franco and Seth Rogen comedy The Interview, ignored the email. Just three days later, the hackers followed through with their threat and breached the studio’s systems, displaying a message on the computer screen of every employee: “Hacked by #GOP [Guardians of Peace].”

The hackers not only defaced employees’ computers, they then wiped their hard disks, crippling Sony Pictures for weeks, and costing the company $35 million in IT damages, according to its own estimate.

Now, more than a year later, several security researchers are still hunting down the hackers behind the attack, which the FBI officially identified as North Korean government-employed hackers. And despite the fact that the group is apparently still alive and well, a coalition of security researchers believes they can now disrupt them by exposing their extensive malware arsenal.

On Wednesday, a group of companies led by Novetta released a report detailing the Sony hackers’ long history of operations, as well as its large stock of malware. It’s perhaps the most detailed and extensive look at the group behind what might be the most infamous cyberattack ever.

Andre Ludwig, the senior technical director at Novetta Research and Interdiction Group, said that the investigation started from four hashes (values that uniquely identify a file) that the Department of Homeland Security published after the attack. With those few identifying strings, and after months of sleuthing, the researchers found 2,000 malware samples, both from online malware portal VirusTotal and from antivirus companies. Of those, they manually reviewed and catalogued 1,000, and were able to identify 45 unique malware strains, revealing that the Sony hackers had an arsenal more sophisticated and varied than previously thought.

The researchers hope that by shedding light on the hackers’ toolkit, the group, which the researchers called “Lazarus Group,” will be forced to adapt, spending resources and time, and perhaps even lose capabilities after antivirus companies and potential targets put up new defenses.

“If all of a sudden you have antivirus signatures that detect and delete all the group’s arsenal, boom!” Jaime Blasco, the chief scientist at AlienVault Labs and one of the researchers who investigated the Sony hackers, told Motherboard. “They lose access to all the victims they got before.”

As Ludwig put it, “there is no more shadows to hide in for these tools.”

As it turns out, the hackers’ arsenal contains not only malware capable of wiping and destroying files on a hard disk, as in the Sony hack, but also Distributed Denial of Service (DDoS) tools, tools that allow for remotely eavesdropping on a victim’s computer, and more, according to the report. The researchers tracked some of these tools in cyberattacks and espionage operations that go as far back as 2009, perhaps even 2007, showing the hackers that hit Sony have a long history.

While others suspected this before, Blasco said that nobody demonstrated it as conclusively until now.

Novetta researchers and their partners, which include AlienVault and Kaspersky Lab, don’t get into saying who the hackers really are, but they also don’t question the FBI’s controversial claim that North Korea was behind the attack.

The main reason, LaMontagne explained, is that the new data they found discredits the alternative theories that the hackers were actually a disgruntled former employee or just an independent hacktivist group.

A former Sony system administrator is unlikely to have built more than 45 malware tools in the span of more than seven years, LaMontagne told me. And at the same time, he added, it’s also unlikely that a previously unheard-of hacktivist group would pop up, claim responsibility for such a high-profile attack, and then disappear.

“We have no reason to dispute what the US government and other governments have asserted as the threat being North Korean,” Peter LaMontagne, the CEO of Novetta, told me.

And as it turns out, those hackers have been around for longer than anyone thought—wielding sophisticated weapons. This, according to the researchers, shows the group was much more seasoned than anyone believed.

“Their motivation and operational execution, it’s impressive,” Ludwig said. “They’re extremely motivated, regimented, organized, and they can definitely execute.”

Now that their methods and tools are exposed, however, the researchers hope that they won’t be as effective.

The head-scratcher is sanctions are only for the missile test?

US to present UN sanctions resolution on North Korea

United Nations (United States) (AFP) – The United States will on Thursday present a draft UN resolution toughening sanctions on North Korea after reaching agreement with China on a joint response to Pyongyang’s fourth nuclear test and a rocket launch.

The UN Security Council will meet at 2:00 pm (1900 GMT) to discuss the draft text detailing a new package of measures to punish North Korea, but there will be no immediate vote.

US Ambassador Samantha Power “intends to submit for consideration by the Security Council a draft sanctions resolution in response to the DPRK’s recent nuclear test and subsequent proscribed ballistic missile launch,” US spokesman Kurtis Cooper said, using the abbreviation for North Korea’s formal name.

“We look forward to working with the Council on a strong and comprehensive response to the DPRK’s latest series of tests aimed at advancing their nuclear weapons program.”

UN diplomats said a vote was expected as early as Friday.

U.S. Poised to Take on China Aggressions

The Pentagon Readies Backup Island in Case of Chinese Missile Onslaught

Threat prompts the U.S. military to prepare a fallback option

WiB: The United States can no longer count on its Pacific air bases to be safe from missile attack during a war with China. On the contrary, a 2015 paper from the influential RAND Corporation noted that in the worst case scenario, “larger and accurate attacks sustained over time against a less hardened posture could be devastating, causing large losses of aircraft and prolonged airfield closures.”

Kadena Air Base in Okinawa, due to its relative proximity, would be hardest hit. To up the stakes, China in September 2015 publicly revealed its DF-26 ballistic missile, which can strike Andersen Air Force Base in Guam — nearly 3,000 miles away — from the Chinese mainland. Andersen and Kadena are among the U.S. military’s largest and most important overseas bases.

Enter Tinian. The lush, small island near Guam is emerging as one of the Air Force’s backup landing bases. On Feb. 10, the flying branch announced that it selected Tinian as a divert airfield “in the event access to Andersen Air Force Base, Guam, or other western Pacific locations is limited or denied.”

In the Pentagon’s 2017 budget request, it asked for $9 million to buy 17.5 acres of land “in support of divert activities and exercise initiatives,” the Saipan Tribune reported. In peacetime, the expanded Tinian airfield will host “up to 12 tanker aircraft and associated support personnel for divert operations,” according to the Air Force.

Above — Tinian’s West Field in 1945. At top — Tinian seen from the cockpit of a C-130H. U.S. Air Force photo

Tinian is now a sleepy place.

During World War II, the 4th and 2nd Marine Divisions captured the island, which later based the B-29 Superfortresses Enola Gay and Bockscar which took off from Tinian’s North Field and dropped the atomic bombs on Hiroshima and Nagasaki. An arsenal during the war, most of its airstrips are now abandoned and unused. The island’s other former air base, West Field, is a small, neglected international airport.

The Air Force first wanted Saipan for its airfield. Very close to Tinian, Saipan has 15 times the population, a larger airport and a harbor. But this proposal met opposition from local activists due to the effect on “coral, potable water, local transportation and socioeconomic factors on surrounding communities,” Stars and Stripes reported.

The opposition even included the pro-business Saipan Chamber of Commerce, which worried that Tinian’s rusty airport would miss out on the flood of Pentagon spending. Saipan’s airport is also overcrowded — with locals not happy about the prospect of hundreds of airmen flying in for military exercises lasting up to eight weeks every year.

In a way, it’s a return to the past. The United States dispersed air bases to varying degrees — and in different parts of the world — during the Cold War, but as the threat of a Soviet missile attack evaporated and post-Persian Gulf War budget cuts hit hard in the 1990s, the trend shifted toward larger mega-bases that operate on economies of scale.

But dispersed bases are more survivable, RAND’s Alan Vick noted in his 2015 paper:

Dispersing aircraft across many bases creates redundancy in operating surfaces and facilities. This enhances basic safety of flight by providing bases for weather or inflight-emergency diverts. It also increases the number of airfields that adversary forces must monitor and can greatly complicate their targeting problem (in part by raising the prospect that friendly forces might move among several bases).

At the least, dispersal (because it increases the ratio of runways to aircraft) forces an attacker to devote considerably more resources to runway attacks than would be the case for a concentrated force. It also greatly increases construction and operating costs to spread aircraft across many major bases. To mitigate these costs, dispersal bases tend to have more-modest facilities and, at times, might be nothing more than airstrips.

Now China Deployed Fighter Jets to Disputed Islands

EXCLUSIVE: China sends fighter jets to contested island in South China Sea

FNC: EXCLUSIVE: In a move likely to further increase already volatile tensions in the South China Sea, China has deployed fighter jets to a contested island in the South China Sea, the same island where China deployed surface-to-air missiles last week, two U.S. officials tell Fox News.

The dramatic escalation comes minutes before Secretary of State John Kerry was to host his Chinese counterpart, Foreign Minister Wang Yi, at the State Department.

Chinese Shenyang J-11s (“Flanker”) and Xian JH-7s (“Flounder”) have been seen by U.S. intelligence on Woody Island in the past few days, the same island where Fox News reported exclusively last week that China had sent two batteries of HQ-9 surface-to-air missiles while President Obama was hosting 10 Southeast Asian leaders in Palm Springs.

Wang was supposed to visit the Pentagon Tuesday, but the visit was canceled. It was not immediately clear which side canceled the visit. Pentagon press secretary Peter Cook said a “scheduling conflict” prevented the meeting, when asked by Fox News at Tuesday’s press briefing.

When asked about the earlier Fox News story in Beijing, Wang said the deployment of the missiles was for “defensive purposes.”

Woody Island is the largest island in the Paracel chain of islands in the South China Sea. It lies 250 miles southeast of a major Chinese submarine base on Hainan Island. China has claimed Woody Island since the 1950s, but it is contested by Taiwan and Vietnam.

Ahead of Wang’s visit to Washington, a spokeswoman likened China’s military buildup on Woody Island to the U.S. Navy’s in Hawaii.

“There is no difference between China’s deployment of necessary national defense facilities on its own territory and the defense installation by the U.S. in Hawaii,” Foreign Ministry spokeswoman Hua Chunying said Monday.

More than $5 trillion worth of natural resources and goods transit the South China Sea each year.

Earlier Tuesday, the head of the U.S. military’s Pacific Command said China is “clearly militarizing” the South China Sea, in testimony before the Senate Armed Services Committee.

“You’d have to believe in a flat Earth to believe otherwise,” Admiral Harry Harris said.

China has sent fighter jets to Woody Island before. In November, Chinese state media published images showing J-11 fighter jets on the island, but this was the first deployment of fighter jets since the Chinese sent commercial airliners to test the runway at one of its artificial islands in the South China Sea.

The Pentagon sailed a guided-missile destroyer past a contested island in the South China Sea as a result. Late last year, the U.S. military conducted a flight of B-52 bombers and sent another warship to conduct a “freedom of navigation” exercise.

The Chinese have protested the moves and vowed “consequences.”

On Monday, new civilian satellite imagery from CSIS showed a possible high frequency radar installation being constructed in late January.

The imagery shows radar installations on China’s artificial islands in the Spratly Island chain of reefs: Gaven, Hughes, Johnson South, and primarily Cuarteron, the outermost island in the South China Sea.

*** 

FNC: China apparently has been building radar facilities on some of the artificial islands it constructed in the South China Sea in a move to bolster its military power in the region, according to a report released Tuesday by a U.S.-based think tank.

The Center for Strategic and International Studies (CSIS) says the radars on the outposts of Gaven, Hughes, Johnson South and Cuarteron reefs in the disputed Spratly Islands “speak to a long-term anti-access strategy by China—one that would see it establish effective control over the sea and airspace throughout the South China Sea.”

The report was released one week after Fox News reported that China had deployed an advanced surface-to-air missile system as well as a radar system on Woody Island, part of the Paracel Island chain located north of the Spratlys.

The release of the report also coincides with the first day of a three-day visit to the U.S. by Chinese Foreign Minister Wang Yi, during which the issue of competing South China Sea claims is expected to be discussed, as well as North Korea’s latest nuclear test.

Obama Secret Talks, World is Normalized with DPRK

Upon Obama’s departure from the Oval Office in January 2017, there will be no more rogue nations or enemies of America and the West.

Next up after Iran and Cuba is North Korea. (shhhh, but I predicted this)

TheHill: The White House had signaled to the Kim Jong Un regime that it is willing to cut a deal similar to that brokered with Iran to curtail its nuclear program in exchange for sanctions relief.

But North Korea has expedited its plans to develop a nuclear bomb, which it sees as a valuable bargaining chip in eventual peace negotiations.

A long-range rocket launched by North Korea earlier this month triggered additional international sanctions, including a law signed Thursday by President Obama imposing steeper penalties.

Un, who took power at the end of 2011, has demanded additional conditions for a treaty with South Korea, 63 years after the Korean War ended with an armistice.

Obama Administration Secretly Approached North Korea About Diplomatic Talks Days Before Its Latest Nuclear Test: WSJ

Days before North Korea’s Jan. 6 nuclear test, the Obama administration clandestinely agreed to talks that would have formally ended the Korean War, the Wall Street Journal reported Sunday.

As part of the offer, reported to have been made at a U.N. meeting, the U.S. dropped its longstanding prerequisite that North Korea first make efforts to reduce its nuclear arsenal, instead calling for the military dictatorship to make its nuclear weapons program part of the talks. But the test ended those discussions.

North Korea began 2016 on a belligerent footing, even considering the unpredictable pariah state’s history. In addition to the January nuclear test, North Korea launched a rocket earlier this month, resulting in swift pushback from Japan and South Korea, which closed a joint industrial park that provided North Korea with valuable hard currency.

The most recent offer to North Korea was one of several overtures extended by the Obama administration, insiders told the Journal, which happened at the same time the administration was working on an ultimately successful diplomatic outreach to Iran. North Korea first tested a nuclear weapon in 2006, and its nuclear capabilities were confirmed in 2009. North and South Korea have technically been at war ever since the “hot” phase of the Korean War ended in 1953, but the North’s recent nuclear developments have increased the urgency to ultimately resolve the dispute diplomatically.

In addition to its unsanctioned nuclear activity, the North Korean regime is also alleged to operate a system of concentration camps where political prisoners are worked and starved to death. The U.N. released a 2014 report that suggested the regime’s security chiefs and leader Kim Jong Un should be prosecuted for crimes against humanity.

*** Note there is nothing about Unit 121, North Korea’s hacking division. Known since at least 2007.

CNet: North Korea’s Reconnaissance General Bureau (RGB) is in charge of both traditional and cyber operations, and is known for sending agents abroad for training in cyberwarfare. The RGB reportedly oversees six bureaus that specialize in operations, reconnaissance, technology, and cyber matters — two of which have been identified as the No. 91 Office and Unit 121. The two bureaus in question comprise intelligence operations and are based in China.

The RGB also reportedly oversees state-run espionage businesses located in 30 to 40 countries, often hosted in unsuspecting places such as cafes. Members of this espionage network reportedly “send more than $100 million in cash per year to the regime and provide cover for spies,” the report says.

In addition, the country’s Workers’ Party oversees a faction of ethnic North Koreans living in Japan. Established in 1955, the group — dubbed the Chosen Soren — refuses to assimilate into Japanese culture and lives in the country in order to covertly raise funds via weapons trafficking, drug trafficking, and other black market activities. The group also gathers intelligence for the country and attempts to procure advanced technologies.

Despite aging infrastructure and power supply problems, North Korea reportedly was able to gain access to 33 of 80 South Korean military wireless communication networks in 2004, and an attack on the US State Department believed to be approved by North Korean officials coincided with US-North Korea talks over nuclear missile testing in the same time period. In addition, a month later, South Korea claimed that Unit 121 was responsible for hacking into South Korean and US defense department networks.