Have you Heard of the FBI’s Trojan Shield Program?

New court records detail how the FBI turned encrypted phone company ‘Anom’ into a honeypot for organized crime.

Vice: For years the FBI has secretly run an encrypted communications app used by organized crime in order to surreptitiously collect its users’ messages and monitor criminals’ activity on a massive scale, according to a newly unsealed court document. In all, the elaborate operation netted more than 20 million messages from over 11,800 devices used by suspected criminals.

The news signals a major coup for law enforcement: ordinarily, agencies either shut down or crack messages on an already established service, such as Phantom Secure or Encrochat, two similar encrypted messaging networks. But in this case, the FBI took control of a communications company called ‘Anom’ in its infancy and turned it into a wide-reaching honeypot, with the suspected criminal users instead coming to them.

“The FBI opened a new covert investigation, Operation Trojan Shield, which centered on exploiting Anom by inserting it into criminal networks and working with international partners, including the Australian Federal Police (“AFP”), to monitor the communications,” the unsealed court record reads, referring to Anom, the app at the center of the investigation. Seamus Hughes, a researcher at George Washington University, shared the document with Motherboard.


The AFP began going public with the contours of Anom Tuesday morning local time, and announced it had begun making arrests with data pulled from the honeypot.

In 2018, the FBI arrested Vincent Ramos, the CEO of Phantom Secure, which provided custom, privacy-focused devices to organized criminals. In the wake of that arrest, a confidential human source (CHS) who previously sold phones on behalf of Phantom and another firm called Sky Global, was developing their own encrypted communications product. This CHS then “offered this next generation device, named ‘Anom,’ to the FBI to use in ongoing and new investigations,” the court document reads. While criminals left Phantom, they flocked to other offerings. One of those was Anom; the FBI started what it called Operation Trojan Shield, in which it effectively operated a communications network targeted to criminals and intercepted messages running across it.

The FBI, AFP, and CHS built the Anom system in such a way that a master key silently attached itself to every message sent through the app, enabling “law enforcement to decrypt and store the message as it is transmitted,” the document reads.

“A user of Anom is unaware of this capability,” it adds.

But first the FBI and their source needed to establish Anom as an option in the criminal underworld. As Motherboard showed in a years-long investigation, using sources around Phantom as well as FBI files, Phantom was particularly popular in Australia. The CHS introduced Anom to his already trusted distributors of mobile devices, who were in turn trusted by criminal organizations, the document reads. Three people in Australia who had previously distributed Phantom, “seeing a huge payday,” agreed to then sell these Anom devices, the document adds. With this, “the FBI aimed to grow the use of Anom organically through these networks,” it reads.


A screenshot of the Anom site Motherboard took before Anom closed. Image: Motherboard.

Earlier on Monday, before obtaining the court record, Motherboard reviewed Anom’s social media presence. The company’s Reddit account first announced the existence of the company two years ago, according to a since-deleted but cached Reddit post that Motherboard found.

“Introducing Anom—a Ultra-Secure Mobile-Cell-Phone Messaging App for Android,” the announcement read. “Your Confidentiality, Assured. Software hardened against targeted surveillance and intrusion—Anom Secure. Keep Secrets Safe!”

Anom started to grow, with initially 50 devices distributed in Australia and the AFP able to monitor the phones. It was slow at first, but soon word of the new devices spread, with Anom gathering several hundred users a year later, the document continued.

A third country also got involved in the investigation, and provided the FBI with Anom user data three times a week.

“This data comprises the encrypted messages of all of the users of Anoms with a few exceptions (e.g., the messages of approximately 15 Anom users in the U.S. sent to any other Anom device are not reviewed by the FBI),” the document reads.

Anom had grown exponentially in size, stretching beyond its Australian beginnings to having over 10,000 devices in over 90 countries. Germany, the Netherlands, Spain, and Serbia were also popular, with over 300 distinct transnational criminal organizations (TCOs) using the devices, the document reads. When authorities closed down Sky, as Motherboard reported in March, Anom’s user base tripled.

The number of obtained messages totalled over 20 million since October 2019. Messages include discussions around drug smuggling, corruption, and other high-level organized criminal activities. The document also includes direct quotes of messages from Anom users discussing cocaine shipments.


A series of messages included in the court document. Image: Motherboard.

“There is 2kg put inside french diplomatic sealed envelopes out of Bogotta [sic],” one message reads referring to how the people are allegedly hiding shipments of cocaine.

“The Trojan Shield investigation has uncovered that Anom devices are used by TCOs to traffic drugs and launder the proceeds of those drug sales,” the document reads. “The distributors of these devices also obstruct justice by remotely wiping the content of devices when law enforcement seizes them. Additionally, the review of Anom messages has initiated numerous high-level public corruption cases in several countries. The most prominent distributors are currently being investigated by the FBI for participating in an enterprise which promotes international drug trafficking, money laundering, and obstruction of justice.”


A screenshot of a map showing what the FBI says is Anom’s spread around the world. Image: Motherboard

Late Monday, the FBI said that it would be holding “a news conference announcing a massive worldwide takedown based on the San Diego FBI’s unprecedented investigation involving the interception of encrypted communications” on Tuesday.

The Phantom, Sky, and Encrochat operations showed that law enforcement may shut down or even hack into encrypted phone companies. But the Anom case shows that law enforcement will also go one step further: they will run such a network themselves. A previous DEA operation involved something similar but on a much smaller scale, with BlackBerry devices.

“A goal of the Trojan Shield investigation is to shake the confidence in this entire industry because the FBI is willing and able to enter this space and monitor messages,” the document reads.

US has Recovered Ransom Payment of the Colonial Pipeline Hack

Just last month, this site posted a detailed article about the fallout of DarkSide, the hackers of the Colonial Pipeline. In short, U.S. officials seized at least two servers.

Now there is more: the ransom payment, or at least part of it, $2.3 million in real dollars, has been recovered; remember that it was paid in cryptocurrency. (Remember, too, that the money was paid out to all the dark actors of DarkSide.)

“In addition, a couple of hours after the seizure, funds from the payment server (belonging to us and our clients) were withdrawn to an unknown account,” the DarkSide ransomware operation told its affiliates.


****

(AP) — The Justice Department has recovered the majority of a multimillion-dollar ransom payment to hackers after a cyberattack that caused the operator of the nation’s largest fuel pipeline to halt its operations last month, officials said Monday.

The operation to recover the cryptocurrency from the Russia-based hacker group is believed to be the first of its kind, and reflects what U.S. officials say is an increasingly aggressive approach to deal with a ransomware threat that in the last month has targeted critical industries around the world.

“By going after an entire ecosystem that fuels ransomware and digital currency, we will continue to use all of our tools and all of our resources to increase the costs and the consequences of ransomware attacks and other cyber-enabled attacks,” Deputy Attorney General Lisa Monaco said at a news conference announcing the operation.

Georgia-based Colonial Pipeline, which supplies roughly half the fuel consumed on the East Coast, temporarily shut down its operations on May 7 after a gang of criminal hackers known as DarkSide broke into its computer system.

Colonial officials have said they took their pipeline system offline before the attack could spread to its operating system, and decided to pay a roughly $4.4 million ransom in an effort to bring itself back online as soon as it could.

The FBI generally discourages the payment of ransom, fearing it could encourage additional hacks.

SCOTUS Unanimous Decision on Temporary Protective Status

There have been several unanimous decisions out of the Supreme Court lately, and this one is curious. The progressive jurist Elena Kagan wrote this one regarding immigrants obtaining green card status. Simple description: NO, they can’t have one.

Sounds good…but hold on.

And remember –> The Trump administration has ordered an end to TPS benefits for nearly all immigrants who had them, stating that the program is meant to provide temporary rather than long-term relief. But a series of lawsuits challenging the administration’s decision have blocked those orders from taking effect, giving the vast majority of these immigrants a reprieve until early 2021.


LATimes:

The Supreme Court on Monday dealt a setback to hundreds of thousands of immigrants who have so-called temporary protected status, ruling they can’t have a green card if they entered the country illegally.

That means TPS recipients who entered the country legally as students or tourists, and stayed under TPS, may obtain a green card, said Justice Elena Kagan. But the same is not true of those who entered illegally.

“Because a grant of TPS does not come with a ticket of admission,” she wrote in Sanchez vs. Mayorkas, “it does not eliminate the disqualifying effect of an unlawful entry.”

Temporary protected status has been extended to about 320,000 immigrants from El Salvador, Haiti, Honduras, Nepal, Nicaragua and Sudan.

But lower courts had been divided over whether these migrants, many of whom have lived here for decades, may apply for and receive lawful permanent status. Four years ago, the 9th Circuit Court in California ruled that TPS recipients were eligible for green cards even if they entered the country illegally.

The case decided by the Supreme Court began when Jose Sanchez and his wife, Sonia Gonzalez, sought green cards. They arrived from El Salvador in the late 1990s, established lives and careers in New Jersey and had four sons. But they were not lawfully admitted.

Kagan said Congress is considering legislation that would allow such TPS recipients to obtain lawful permanent resident status, but only Congress, not the court, can change the law in this respect.

“Sanchez was not lawfully admitted, and his TPS does not alter that fact,” she wrote. “He therefore cannot become a permanent resident of this country.”

***

When can the Secretary designate a country for TPS?

The Secretary can designate a country for TPS due to:

  • Ongoing armed conflict (such as civil war),
  • An environmental disaster (such as earthquake or hurricane), or an epidemic, or
  • Other extraordinary and temporary conditions.

Who is eligible for TPS?

TPS can be granted to an individual who is a national of a designated country, has filed for status during a specified registration period, and who has been continuously physically present in the U.S. since a designated date.

What are the benefits of TPS?

During a designated period, TPS holders are:

  • Not removable from the U.S. and not detainable by DHS on the basis of his or her immigration status,
  • Eligible for an employment authorization document (EAD), and
  • Eligible for travel authorization.

How many individuals are currently granted TPS?

The U.S. currently provides TPS to over 400,000 foreign nationals from the following countries, not including individuals from Venezuela and Burma as they were just recently designated:

Country        Estimated number of TPS holders
-------------  -------------------------------
Venezuela      323,000 eligible
El Salvador    251,567
Honduras        80,709
Haiti           56,453
Nepal           14,575
Syria            7,010
Nicaragua        4,526
Yemen            1,465
Sudan              805
Somalia            465
South Sudan         83
Burma              N/A

Where do TPS holders live?

TPS holders reside all over the United States. The largest populations of TPS holders live in California (17.95%), Florida (13.75%), Texas (12.88%), New York (12.33%), and Virginia (6.75%). Most TPS holders from El Salvador live in the Washington, DC (32,359), Los Angeles (30,415) and New York (23,168) metropolitan areas. Honduran TPS holders live mostly in the New York (8,818), Miami (7,467) and Houston (6,060) metropolitan areas. Haitian TPS holders live mainly in the Miami (16,287), New York (9,402) and Boston (4,302) metropolitan areas.

We have no idea how many people have actually been granted TPS; there are only estimates, as noted here.

(From uscis.gov website)

Schumer and Dark Money Called Majority Forward Investigation

Points back again to that pesky Marc Elias –>

Majority Forward was incorporated in June by Perkins Coie lawyer Marc Elias, who represents Senate Majority PAC.

Elias, who is also general counsel for the campaign of Democratic presidential candidate Hillary Clinton, said Friday night he could not immediately comment.


FNC: A dark money group aligned with Senate Majority Leader Chuck Schumer, D-N.Y., is facing an Internal Revenue Service complaint from a liberal watchdog group for concealing its political activity, in which it attempted to dampen GOP election turnout for certain races in 2018.

Recently released tax records from the liberal nonprofit Majority Forward showed the dark money group gave $2.7 million to a different nonprofit, the Coalition for a Safe and Secure America (CSSA), in 2018, according to Axios.

Majority Forward is part of the Senate Majority PAC, serving as its nonprofit arm. The $2.7 million it gave made up the majority of the $4 million raised by CSSA that year.

CSSA converted that money into multiple direct-mailing campaigns and digital advertisements during the 2018 midterm cycle targeting Republican lawmakers, including Sens. Josh Hawley, R-Mo., and Mike Braun, R-Ind.

The ads were deceptive in their nature, claiming the candidates had changed their position on central conservative tenets, and were posted to state-specific Facebook pages.

The ads led the liberal watchdog group Citizens for Responsibility and Ethics in Washington (CREW) to file an IRS complaint against CSSA. Majority Forward also recently admitted it left legally required disclosures off direct-mail pieces in the 2018 midterm cycle.

“Coalition for a Safe Secure America appears to have falsely told the IRS they were not involved in politics. Dark money groups too often bypass the law in their efforts to secretly and improperly influence who is elected,” CREW president Noah Bookbinder said in a statement published last month. “We urge the IRS to open an investigation into Coalition for a Safe Secure America and take swift and appropriate action for any potential violations.”

CSSA’s ad targeting Hawley accused him of siding “with Washington liberals against gun owners.” Braun was labeled “Tax-Hike-Mike.”

Additionally, former Sen. Dean Heller, R-Nev., and Rep. Matt Rosendale, R-Mont., were targeted by its ads during the 2018 cycle. Heller and Rosendale both lost their races.

Heller was charged with allowing “almost 200,000 foreign workers a backdoor entry into our country.” Rosendale was accused of supporting “drone monitoring” while running for a Montana Senate seat.

Some of the ads also promoted Libertarian Party candidates to siphon votes away from the targeted Republicans.

Majority Forward was able to finance the ads while hiding its true reasons behind the ads through loopholes in campaign finance laws that allowed limited political activity from nonprofits.

Feds Seized 2 Cyber Domains of Hackers/SolarWinds

DOJ:

Domain Names Were in Part Used to Control a Cobalt Strike Software Tool that the Actors Implanted on Victim Networks

WASHINGTON – On May 28, pursuant to court orders issued in the Eastern District of Virginia, the United States seized two command-and-control (C2) and malware distribution domains used in recent spear-phishing activity that mimicked email communications from the U.S. Agency for International Development (USAID). This malicious activity was the subject of a May 27 Microsoft security alert, titled “New sophisticated email-based attack from Nobelium,” and a May 28 FBI and Cybersecurity and Infrastructure Security Agency joint cybersecurity advisory.

The Department’s seizure of the two domains was aimed at disrupting the malicious actors’ follow-on exploitation of victims, as well as identifying compromised victims. However, the actors may have deployed additional backdoor accesses between the time of the initial compromises and last week’s seizures.

“Last week’s action is a continued demonstration of the Department’s commitment to proactively disrupt hacking activity prior to the conclusion of a criminal investigation,” said Assistant Attorney General John C. Demers for the Justice Department’s National Security Division. “Law enforcement remains an integral part of the U.S. government’s broader disruption efforts against malicious cyber-enabled activities, even prior to arrest, and we will continue to evaluate all possible opportunities to use our unique authorities to act against such threats.”

“Cyber intrusions and spear-phishing email attacks can cause widespread damage throughout affected computer networks, and can result in significant harm to individual victims, government agencies, NGOs, and private businesses,” said Acting U.S. Attorney Raj Parekh for the Eastern District of Virginia. “As demonstrated by the court-authorized seizure of these malicious domains, we are committed to using all available tools to protect the public and our government from these worldwide hacking threats.”

“Friday’s court-authorized domain seizures reflect the FBI Washington Field Office’s continued commitment to cyber victims in our region,” said Assistant Director in Charge Steven M. D’Antuono of the FBI’s Washington Field Office. “These actions demonstrate our ability to quickly respond to malicious cyber activities by leveraging our unique authorities to disrupt our cyber adversaries.”

“The FBI remains committed to disrupting this type of malicious cyber activity targeting our federal agencies and the American public,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “We will continue to use all of the tools in our toolbelt and leverage our domestic and international partnerships to not only disrupt this type of hacking activity but to impose risk and consequences upon our adversaries to combat these threats.”

On or about May 25, malicious actors commenced a wide-scale spear-phishing campaign leveraging a compromised USAID account at an identified mass email marketing company. Specifically, the compromised account was used to send spear-phishing emails, purporting to be from USAID email accounts and containing a “special alert,” to thousands of email accounts at over one hundred entities.


More details on the backstory of SolarWinds

“This release includes bug fixes, increased stability and performance improvements.”

The routine software update may be one of the most familiar and least understood parts of our digital lives. A pop-up window announces its arrival and all that is required of us is to plug everything in before bed. The next morning, rather like the shoemaker and the elves, our software is magically transformed.

Last spring, a Texas-based company called SolarWinds made one such software update available to its customers. It was supposed to provide the regular fare — bug fixes, performance enhancements — to the company’s popular network management system, a software program called Orion that keeps a watchful eye on all the various components in a company’s network. Customers simply had to log into the company’s software development website, type a password and then wait for the update to land seamlessly onto their servers.

The routine update, it turns out, is no longer so routine.

Hackers believed to be directed by the Russian intelligence service, the SVR, used that routine software update to slip malicious code into Orion’s software and then used it as a vehicle for a massive cyberattack against America.

“Eighteen thousand [customers] was our best estimate of who may have downloaded the code between March and June of 2020,” Sudhakar Ramakrishna, SolarWinds president and CEO, told NPR. “If you then take 18,000 and start sifting through it, the actual number of impacted customers is far less. We don’t know the exact numbers. We are still conducting the investigation.”

On Thursday, the Biden administration announced a roster of tough sanctions against Russia as part of what it characterized as the “seen and unseen” response to the SolarWinds breach.

NPR’s months-long examination of that landmark attack — based on interviews with dozens of players from company officials to victims to cyber forensics experts who investigated, and intelligence officials who are in the process of calibrating the Biden administration’s response — reveals a hack unlike any other, launched by a sophisticated adversary who took aim at a soft underbelly of digital life: the routine software update.

By design, the hack appeared to work only under very specific circumstances. Its victims had to download the tainted update and then actually deploy it. That was the first condition. The second was that their compromised networks needed to be connected to the Internet, so the hackers could communicate with their servers.

For that reason, Ramakrishna figures the Russians successfully compromised about 100 companies and about a dozen government agencies. The companies included Microsoft, Intel and Cisco; the list of federal agencies so far includes the Treasury, Justice and Energy departments and the Pentagon.