Iran’s Mint Sandstorm, are you a Victim?

So, a senior official in the Trump campaign fell for an email phishing lure and it worked: countless emails were stolen and began to be distributed. Microsoft has confirmed this, and several Iranian cyber signatures seen in previous hacks give a pretty good attribution to Iran as the hackers. But no worries, the FBI, likely the Pittsburgh office, has agreed to investigate.

Just last night, after all the promotion, the X Spaces event hosted by Donald Trump and Elon Musk was delayed an estimated 45 minutes due to a DDoS hit. Again, that too carried the signature tactics of Iran. Source: Mint Sandstorm Campaign's Targeted Cyber Attacks on Middle Eastern Experts

Per CSOOnline in part:

The hackers allegedly obtained sensitive data as a result of a successful phishing campaign against Trump officials. Cheung cited the Microsoft report which said in June 2024, Mint Sandstorm, a group run by the Islamic Revolutionary Guard Corps (IRGC) intelligence unit, sent a spear-phishing email to a high-ranking official of a presidential campaign from a compromised email account of a former senior advisor.

“On Friday, a new report from Microsoft found that Iranian hackers broke into the account of a ‘high ranking official’ on the US presidential campaign in June 2024, which coincides with the close timing of President Trump’s selection of a vice-presidential nominee,” Cheung added. More here.

In part:

Threat actor Mint Sandstorm, believed to be linked to Iran, has been observed using bespoke phishing lures to attack high-profile targets while leveraging a new custom backdoor called MediaPl.

In a Jan. 17 blog post, Microsoft Threat Intelligence said the attacks were on individuals working at a high level on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the United Kingdom, and the United States.

The Microsoft researchers said Mint Sandstorm — also known as APT35 and APT42 — used legitimate, yet compromised accounts to send phishing lures. The researchers said Mint Sandstorm continues to improve and modify the tooling used in targets’ environments, activity that might help the group persist in a compromised environment and better evade detection.

“Based on the identities of the targets observed in this campaign and the use of lures related to the Israel-Hamas war, it’s possible this campaign is an attempt to gather perspectives on events related to the war from individuals across the ideological spectrum,” wrote the researchers.

Mint Sandstorm operates as a state-sponsored actor from Iran and, as a result, serves government agency and potential military objectives, explained Balazs Greksza, threat response lead at Ontinue. Greksza said the group employs tactics such as watering hole attacks and phishing emails, to target governments, NGOs, private entities, and academia for espionage. They often pose as journalists, government officials, or academics on social media and their primary objective is to get hold of sensitive information.

“Actors like APT35 have primary goals around geopolitics, national security, counter-intelligence,” said Greksza. “As openly shared by different intelligence agencies in the past, intelligence goals may shift rapidly based on the needs of national interests, current political and military leadership and their decision and intelligence needs.”

Ngoc Bui, cybersecurity expert at Menlo Security, added that the deployment of the custom backdoor MediaPl, along with the use of other tools like MischiefTut, indicates a shift in the operational tactics of Mint Sandstorm, marking an evolution in their cyber espionage capabilities.
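An added example, not part of the SC Media excerpt or of Microsoft's report: the detail above that the lures came from legitimate but compromised accounts means SPF, DKIM and DMARC all pass, so sender authentication cannot be the only gate. The Python triage below parses a constructed sample message (every address and link uses reserved example domains and is an assumption, not an indicator from the campaign) and shows that authentication passes while two cheap heuristics still flag it: a Reply-To domain that differs from the From domain, and a body link pointing outside the sender's own domain.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real campaign artifact): a lure relayed through a
# genuine but compromised academic mailbox. Because the mailbox is real, the
# receiving MTA records spf/dkim/dmarc as pass. The operator redirects replies
# to a mailbox they control and points the target at an external file.
SAMPLE_EML = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=university.example.org; dkim=pass header.d=university.example.org; dmarc=pass header.from=university.example.org
From: "Dr. A. Scholar" <a.scholar@university.example.org>
Reply-To: a.scholar.research@mail.example.net
To: analyst@thinktank.example.org
Subject: Request for comment on Israel-Hamas war draft
Message-ID: <20240117.001@university.example.org>
Content-Type: text/plain; charset="utf-8"

Dear colleague,

Could you review my draft before it goes to the editor? It is here:
https://files.example.com/draft.docx

Kind regards,
A. Scholar
"""

_AUTH_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail|neutral|temperror|permerror)\b", re.I)
_URL_RE = re.compile(r"https?://[^\s<>\"']+")


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mechanism, verdict in _AUTH_RE.findall(header):
            results[mechanism.lower()] = verdict.lower()
    return results


def domain_of(address_header):
    """Bare lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower()


def triage(raw_eml, trusted_link_domains=()):
    """Return authentication state plus heuristic findings for one message.

    A message that passes sender authentication but still carries findings is
    the 'legitimate yet compromised account' case: the headers prove which
    mailbox sent it, not who is behind the keyboard.
    """
    msg = message_from_string(raw_eml, policy=policy.default)
    auth = auth_results(msg)
    auth_pass = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))

    findings = []
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply_to_mismatch:{from_domain}->{reply_domain}")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    for url in _URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        in_sender_domain = host == from_domain or host.endswith("." + from_domain)
        if host and not in_sender_domain and host not in trusted_link_domains:
            findings.append(f"external_link:{host}")

    return {"auth_pass": auth_pass, "findings": findings,
            "verdict": "suspicious" if findings else "clean"}


if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```

The `trusted_link_domains` allowlist is where an organisation's known file-sharing hosts go; without it every external link is a finding, which is noisy but is the right default for a mailbox that handles the kind of targets the campaign went after.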

***

This all raises the question: just exactly what is being done to protect not only a political campaign and election, but every website and every American out there from Iran, Russia, China or North Korea and their teams of hackers?

CSOOnline goes on to read –>

Iran, found extremely capable in the past of conducting cyberattacks against its foes in the Middle East, earlier in 2022 had threatened to avenge the killing of General Qassem Soleimani by the United States in a drone strike ordered by the Trump administration.

During this time, among many other efforts, Mandiant reported that the news site EvenPolitics, a Tehran-controlled disinformation site, had published articles covering the 2022 US midterm elections. An inauthentic amplification network promoting the site was taken down by the X platform that same year, yet EvenPolitics continues to operate, releasing approximately ten articles per week.

Microsoft, in its report, added that Iranian cyber-enabled influence operations “have been a consistent feature of at least the last three US election cycles”.

Iran’s mission to the United Nations, in response to inquiries about the Trump campaign’s allegations, denied any involvement. Speaking to The Associated Press, the mission stated, “We dismiss these reports entirely. The Iranian government has neither the capability nor the intention to interfere in the United States presidential election.”

Have you Met John Mark Dougan, a Former Florida Deputy Sheriff?

I continue to see friends on Facebook and a few other social media sites claiming that Ukraine’s President Zelensky and his wife are using millions if not billions of U.S. aid money to buy fancy cars and mansions….ehhh….c’mon people, do the work please and stop getting punked by a former Marine and sheriff’s deputy from Florida who fled to Russia….yes…fled, and he is loving his deepfake life there, and you are helping him win the bot/disinformation/propaganda war…and many members of Congress have bought into all this….but save yourself the humiliation and read on…

***

It is not just here in the United States by the way…Europe is getting pummeled too:

The article looks real enough, though petrolheads may note the misspelling of Tourbillon. It even cites as evidence a video recorded by a dealership employee describing the supposed sale, and a picture of a Bugatti invoice for €4.5 million made out to Mrs. Olena Zelenska. If you were under any doubt, the site’s name should lay your fears to rest: Verite Cachee or, in English, hidden truth.

In fact, the video is a deepfake, the invoice is falsified, and the entire site is part of a Kremlin-linked influence operation, using AI-generated content to deliver a payload of Russian talking points. The false attack on Zelenska was designed, it seems, to hint at corruption.

Veritecachee.fr is one of two sites set up less than two weeks after French president Emmanuel Macron announced a surprise election, the other called France en Colere (Angry France). The Bureau of Investigative Journalism (TBIJ) and the Tow Center have connected both to a network of websites linked to John Dougan, an American former police officer now living in Moscow and known for spreading Kremlin-backed disinformation. This network was first identified by researchers at Clemson University in December last year.

Even as this Dougan-affiliated network has targeted the French election, another Russia-linked disinformation operation, unmasked by French authorities earlier this year, has ramped up its activity in Europe. In June, the “Portal Kombat” network launched ten new sites, mostly aimed at Europe. Another five targeting Eastern Europe were set up in April and May. Read it all here for further context. Zelensky just bought a brand new $4.5 Million Dollar Bugatti for his ...

*** In part below:

It starts with a NewsGuard analyst happening upon what appeared to be a fledgling Washington D.C.-based news site promoting Russian propaganda. Unbeknownst to her, this was six months after her boss and his family had been threatened in a YouTube video that included an aerial shot of his home and calls to his unlisted phone number by a Russian disinformation operative working from a studio in Moscow. It turns out that this D.C. website, those threats to NewsGuard’s co-CEO, and what NewsGuard discovered were dozens of similar hostile information operations — including a “documentary” that the Russians used as an excuse to invade Ukraine — were all orchestrated by the same man — John Mark Dougan, a former Florida deputy sheriff who fled to Moscow after being investigated for computer hacking and extortion.

As of this writing, NewsGuard has discovered 167 Russian disinformation websites that appear to be part of Dougan’s network of websites masquerading as independent local news publishers in the U.S. and 15 films on Dougan’s since-removed YouTube channel. Ranging from Ukrainian President Volodymyr Zelensky siphoning off money meant to aid the war against Russia so he could buy an estate in England owned by King Charles, to a non-existent U.S. bioweapons lab in Ukraine being the reason the Russians had to invade that country, these concocted stories have been amplified on social media accounts to reach a broad global audience of more than 37 million views—including 1,300,000 views of just the narrative about Zelensky buying the king’s estate.

As a journalist based in Washington who scrutinizes the credibility of news outlets as a profession, I was familiar with the landscape of trusted local publications in the area. DCWeekly did not appear to be one of them.

I first noticed the site when it published an article reporting that the Ukrainian Azov Battalion was recruiting in France. It carried the byline “Jessica Devlin,” who was described as a “distinguished and highly acclaimed journalist.” Another scoop: The U.S. had bought a mansion for Ukrainian President Volodymyr Zelensky in Vero Beach, Florida.

Everything about the website and these articles was a red flag: The site presented itself as a credible new local news source yet was propagating fabricated narratives that smelled of Russian influence.

It turned out that “DCWeekly” is not actually based in the nation’s capital. Nor is “Jessica Devlin” a real person. As uncovered by researchers at Clemson University, the site operates from Moscow, hosted on an IP address belonging to John Mark Dougan.

His is a name I would come to know well over the coming months.

In further briefings, I learned that Dougan, a former Marine, had been an officer in the Sheriff’s Department in Palm Beach County, Florida, until 2016, when he fled to Russia and was granted asylum after being targeted in a computer hacking scheme. Since then, I was told, he had become well known to the FBI and, as they put it, “our sister security agencies” as a Russian operative who specialized in producing some of the Russians’ most elaborate disinformation campaigns and narrating them as if he were an independent American journalist.

Relatedly, it appeared that the aerial video of my home in Dougan’s video was not a simple Google satellite shot. Instead, it had probably been taken by a drone that someone had hired. [Dougan denies this; see below.] I was also told that those same sister agencies reported that Dougan was still in Russia. “So he poses no imminent threat to you,” the lead agent on the case said.

But he knows where I live and the Russians must have people all over the United States, I said. And he must have followers here on his YouTube channel that could act on their own. The FBI agents agreed. This was more serious than a few random crank emails. In a meeting a few days later with three agents and my wife sitting at our dining room table, we agreed on a multifaceted security plan to be implemented by a private security company.

I now live in a home surrounded by twelve motion-detecting security cameras, monitored remotely by the security service, and filled with dead-bolt window and door locks and other reminders of Dougan’s video—which produced multiple new death threats.

***

Related reading from the BBC 

RUSSIA’S BOT FARM OPERATES ON X, US AND ITS ALLIES WARN

In full disclosure, years ago I did a radio interview with Pierluigi…due to his long validated resume….I continue to trust his work…as a result this is fair warning to validate information with at least 3 unique sources.

(Officially shut down –> you be the judge)

Russia has officially made one dystopian prediction about artificial intelligence (AI) come true: it used AI to lie better, faster, and more believably. Last week, the U.S. Department of Justice, along with counterparts in Canada and the Netherlands, disrupted a Russian bot farm that was spreading pro-Russian propaganda. The FBI director and deputy attorney general in a press release highlighted the use of AI to create the bot farm as a disturbing new development. What they did not say, however, is that the West is unprepared to defend itself against this new threat.

This capability enables quick reactions on a huge scale to highly divisive world events. For example, the Russian operation could choose to spread divisive messages about the assassination attempt on former president Trump. In the past, this would have been a labor-intensive task of crafting a variety of credible messages designed to outrage both ends of the political spectrum, then iterating until a divisive note hit a nerve. Now, AI can craft the message, alter it for different audiences, and distribute it rapidly. Russia could enter the chat almost immediately.

*** Yandex's Russian AI Bot Shows Promise in Rivalry with US-Based ChatGPT. Additional reading here.

The US and its allies disrupted an AI-powered Russia-linked bot farm on the social media platform X relying on the Meliorator AI software.

The U.S. FBI and Cyber National Mission Force, along with Dutch and Canadian intelligence and security agencies, warned social media companies about Russian state-sponsored actors using covert AI software, Meliorator, in disinformation campaigns. Affiliates of Russia’s media organization RT used Meliorator to create fake online personas to spread disinformation on X. The campaigns targeted various countries, including the U.S., Poland, Germany, the Netherlands, Spain, Ukraine, and Israel.

“Although the tool was only identified on X, the authoring organizations’ analysis of Meliorator indicated the developers intended to expand its functionality to other social media platforms.” reads the report. “The authoring organizations’ analysis also indicated the tool is capable of the following:

  • Creating authentic appearing social media personas en masse;
  • Deploying content similar to typical social media users;
  • Mirroring disinformation of other bot personas;
  • Perpetuating the use of pre-existing false narratives to amplify malign foreign influence; and
  • Formulating messages, to include the topic and framing, based on the specific archetype of the bot.”

As early as 2022, RT had access to the AI-powered bot farm generation and management software Meliorator. By June 2024, it was operational only on X (formerly Twitter), with plans to expand to other platforms. The software includes an admin panel called “Brigadir” and a seeding tool named “Taras,” and is accessed via a virtual network computing (VNC) connection. Developers managed Meliorator using Redmine software, hosted at dtxt.mlrtr[.]com.

The identities (also called “souls”) of these bots are determined by selecting specific parameters or archetypes. The experts said that any unselected fields are auto-generated. Bot archetypes group ideologically aligned bots through an algorithm that constructs each bot’s persona, including location, political ideologies, and biographical data. Taras creates these identities and the AI software registers them on social media platforms. The identities are stored in MongoDB, enabling ad hoc queries, indexing, load-balancing, aggregation, and server-side JavaScript execution.

Meliorator manages automated scenarios or actions for a soul or group of souls through the “thoughts” tab. The software can instruct personas to like, share, repost, and comment on others’ posts, including videos or links. It also allows for maintenance tasks, creating new registrations, and logging into existing profiles.

“The creators of the Meliorator tool considered a number of barriers to detection and attempted to mitigate those barriers by coding within the tool the ability to obfuscate their IP, bypass dual factor authentication, and change the user agent string.” continues the joint advisory. “Operators avoid detection by using a backend code designed to auto-assign a proxy IP address to the AI generated persona based on their assumed location.”

The report also provides the infrastructure associated with the bot farm and mitigations.
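An added example, not from the advisory and not Meliorator's own code: the description above tells a defender what not to rely on. Because the tool assigns each persona a proxy in its claimed country and rotates the user-agent string, a simple check of persona location against login geography will pass. What survives are the side effects of mass generation: registrations in tight bursts, logins overwhelmingly from hosting or proxy ranges, and one account presenting several different browsers in a short span. The Python below scores a constructed set of account records (handles, timestamps, ASN categories and login tuples are all made up) on those signals and requires two of them before flagging, so a travelling real user with only a geography mismatch is left alone.

```python
from datetime import datetime, timedelta

# Constructed account records (made up, not from the advisory). Each login is
# (country seen at login, ASN category, user-agent string). Three personas were
# registered minutes apart and always arrive via hosting-range proxies matched
# to their claimed country; two ordinary users are included for contrast.
ACCOUNTS = [
    {"handle": "patriot_dan_1987", "claimed_country": "US",
     "created": "2024-06-01T08:01:10",
     "logins": [("US", "hosting", "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"),
                ("US", "hosting", "Mozilla/5.0 (Macintosh) Safari/605.1"),
                ("US", "hosting", "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0")]},
    {"handle": "liberty_lou", "claimed_country": "US",
     "created": "2024-06-01T08:03:44",
     "logins": [("US", "hosting", "Mozilla/5.0 (Windows NT 10.0) Edge/124.0"),
                ("US", "proxy", "Mozilla/5.0 (iPhone) Safari/604.1"),
                ("US", "hosting", "Mozilla/5.0 (Windows NT 10.0) Chrome/123.0")]},
    {"handle": "mainstreet_mike", "claimed_country": "US",
     "created": "2024-06-01T08:06:02",
     "logins": [("US", "hosting", "Mozilla/5.0 (Android 14) Chrome/124.0"),
                ("US", "hosting", "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"),
                ("US", "proxy", "Mozilla/5.0 (Macintosh) Chrome/124.0")]},
    {"handle": "jane_reads", "claimed_country": "US",
     "created": "2024-05-12T19:22:05",
     "logins": [("US", "residential", "Mozilla/5.0 (iPhone) Safari/604.1"),
                ("US", "residential", "Mozilla/5.0 (iPhone) Safari/604.1")]},
    {"handle": "ali_abroad", "claimed_country": "DE",
     "created": "2024-03-03T10:00:00",
     "logins": [("FR", "residential", "Mozilla/5.0 (Android 14) Chrome/124.0"),
                ("FR", "residential", "Mozilla/5.0 (Android 14) Chrome/124.0")]},
]

# ASN categories that indicate the login IP is not a home or mobile connection.
ANONYMISING_ASN_TYPES = {"hosting", "proxy", "vpn"}


def registration_bursts(accounts, window=timedelta(minutes=10), min_size=3):
    """Handles of every account that sits inside a group of at least
    `min_size` registrations created within `window` of each other."""
    ordered = sorted(accounts, key=lambda a: a["created"])
    times = [datetime.fromisoformat(a["created"]) for a in ordered]
    flagged, start = set(), 0
    for end in range(len(ordered)):
        while times[end] - times[start] > window:   # slide the window forward
            start += 1
        if end - start + 1 >= min_size:
            flagged.update(a["handle"] for a in ordered[start:end + 1])
    return flagged


def score_account(acct, burst_handles, ua_churn=3, proxy_ratio=0.5):
    """List the signals an account trips. Geography mismatch is kept as a
    signal, but note that it fires for the traveller and not for the bots."""
    reasons = []
    logins = acct["logins"]
    if acct["handle"] in burst_handles:
        reasons.append("registration_burst")
    anon = sum(1 for _, asn_type, _ in logins if asn_type in ANONYMISING_ASN_TYPES)
    if logins and anon / len(logins) >= proxy_ratio:
        reasons.append("proxy_logins")
    if len({ua for _, _, ua in logins}) >= ua_churn:
        reasons.append("user_agent_churn")
    if any(country != acct["claimed_country"] for country, _, _ in logins):
        reasons.append("geo_mismatch")
    return reasons


def flag_bots(accounts, min_signals=2):
    """Map handle -> signals for accounts tripping at least `min_signals`."""
    bursts = registration_bursts(accounts)
    flagged = {}
    for acct in accounts:
        reasons = score_account(acct, bursts)
        if len(reasons) >= min_signals:
            flagged[acct["handle"]] = reasons
    return flagged


if __name__ == "__main__":
    for handle, reasons in flag_bots(ACCOUNTS).items():
        print(handle, reasons)
```

Requiring two independent signals is the design choice that matters: any one of them has an innocent explanation (a genuine VPN user, a browser upgrade, a popular account driving a sign-up wave), and the tool's proxy-to-persona matching is specifically built to defeat the single check most people reach for first.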

 

The War has Begun in the S. China Sea, but it is a Quiet One

So quiet…no one domestically is reporting it….Electronic warfare/jamming and cyber are cheap tools of destruction…and then there is space. So, has the Commander in Chief…if there is one…approved real Rules of Engagement….anywhere?

(below is word for word)

***

Over the vast expanse of the South China Sea, a war without gunfire quietly unfolded, its unique impact capturing the world’s attention. On June 30th, a brief yet meaningful tweet from the official Weibo account of China’s Southern Theater Command—“Thick smoke deep in the blue sea, good night”—sparked a massive online reaction, leaving netizens speculating about the secrets behind it.

Recently, there have been widespread rumors online of an intense electronic warfare between China and the United States in the South China Sea, ending with the US deciding to withdraw.

Reports indicate that the skies over northern Philippines recently fell into an unprecedented silence, with all electronic signals cut off. Satellite phones, GPS navigation, television signals—everything reliant on electronic communication seemed to lose its vitality overnight. The twelve-hour “blackout” shocked local residents and global public opinion. This was a direct result of an intense electronic warfare over the South China Sea.

The story begins with a minor conflict between the Philippines and China. Following a fierce confrontation at Ren’ai Reef, the Philippines felt aggrieved by China’s legitimate actions, and the US, as its backer, seized the opportunity. A joint military exercise involving 29 countries was held in the South China Sea, ostensibly to showcase “unity” and “strength,” but with hidden motives—the US military intended to use this opportunity to lay newly developed anti-submarine devices on the seabed, spying on the movements of China’s strategic nuclear submarines and further restricting China’s strategic space.

However, China’s response was swift and decisive. When the US military’s P-8A anti-submarine patrol aircraft quietly dropped high-tech monitoring equipment in the South China Sea, it was promptly detected by the PLA. The Chinese Coast Guard quickly launched a recovery operation. The US military panicked, as losing this equipment would mean wasted effort, and the advanced technology could not fall into PLA hands. This sparked a sensitive reaction, leading to a battle over these critical pieces of equipment.

The US hastily deployed a joint fleet to intercept the Chinese Coast Guard vessels. With the addition of the Shandong carrier strike group, a standoff formed between Chinese and US fleets in the South China Sea. Seeing the unfavorable situation, the US immediately dispatched electronic warfare aircraft to assist the joint fleet in launching severe interference against the Chinese fleet. In response, China rapidly deployed its Y-9 electronic warfare aircraft and 815A electronic reconnaissance ship.

In this battlefield without smoke, electronic warfare took center stage. The US deployed Growler electronic warfare aircraft and RC-135 electronic reconnaissance aircraft in an all-out effort to paralyze the command systems of the Chinese fleet with strong electronic interference. However, the Chinese forces did not retreat; the Y-9 electronic warfare aircraft and 815A electronic reconnaissance ship quickly countered, engaging in fierce electronic offensive and defensive operations over the South China Sea.

The intense electronic warfare near the northern Philippines far exceeded external expectations. Ultimately, the US fleet faced an unprecedented crisis—screens full of static and a total loss of GPS signals. In modern naval warfare, losing communication and navigation capabilities is akin to losing sight and hearing. Confronted with such a scenario, the US had to choose to retreat to avoid greater losses.

The entire electronic warfare lasted a full twelve hours, plunging northern Philippines into complete communication paralysis and sparking widespread global attention and discussion. According to Taichung News, the mysterious battle gained an official tone, with retired generals critiquing the US military’s outdated electronic warfare equipment, asserting it is a full generation behind China’s.

Biden Ignoring Hybrid Warfare by China Against the U.S.

Active Measures and Three Warfares

Irregular warfare is not new. During the Cold War, Russian services like the KGB waged aggressive irregular campaigns against the United States around the globe. Oleg Kalugin, the former head of foreign counterintelligence for the KGB, described aktivnyye meropriyatiya and similar operations as the “heart and soul of Soviet intelligence” that were used to “weaken the United States” and to “drive wedges in the Western community alliance of all sorts.”1

As the Biden administration takes office, U.S. adversaries are utilizing irregular strategies and tactics. Perhaps the quintessential example is Russia. Under President Vladimir Putin, Chief of the General Staff Valery Gerasimov, and other officials, Russia employs a mix of offensive cyber operations, espionage, covert action, and information and disinformation campaigns to weaken the United States and expand Moscow’s influence. Russia has meddled in U.S. elections and waged a disinformation campaign inside the United States, attempting to inflame social, racial, and political tensions through such issues as Black Lives Matter, Covid-19, the Me Too movement, gun control, white supremacy, abortion, and immigration. Russia has placed malware, such as Triton and BlackEnergy, in U.S. critical infrastructure—threatening power plants, electricity grids, communications networks, and financial systems in the U.S. homeland. Russian agencies have also leveraged shadowy organizations to help conduct information operations and cyberattacks, including the Internet Research Agency (IRA); Kaspersky Lab; networks and online personas with creative names like “Cozy Bear,” “Fancy Bear,” and “Guccifer 2.0”; and private military companies like the Wagner Group.

***

 

Additional reading here. 

China’s perspective of national power is broad and includes several elements which the U.S. government considers either irrelevant or in the realm of private industry and non-governmental organizations. China uses soft power and competes in issues the United States often does not even recognize as a part of a wider conflict. RAND’s Andrew Scobell explains, “China’s current perspective on its relationship with the United States is centered on competition that encompasses a wide range of issues embodied in China’s concept of comprehensive national power.”3 Along with the obvious issues of defense and diplomacy, China’s authoritarian government considers technology, cultural, and internal stability issues essential to national power. China sees a future where “war becomes increasingly civilianized,” relying on non-military means to neutralize threats and gain advantages over competitors.4 The U.S. may not recognize some of these issues as part of the competition, but the authoritarian Chinese Communist Party (CCP) uses all these means to build advantage.

Chinese manipulation and theft of valuable U.S. science and technology (S&T) is a recognized danger. Chinese intelligence services acquire U.S. and other nations’ scientific research and technology through methods that include: hacking, sending Chinese students and researchers to study and work at western institutions of higher education, and purchasing U.S. companies. William Holstein explains, “There is a massive, coordinated assault taking place on American technology, perhaps the largest, fastest transfer of intellectual property in human history, and much of it is taking place on U.S. soil.”5 In 2017, China passed a legislative framework directing all Chinese to contribute to state security.6 The Center for Strategic and International Studies (CSIS) assessed, “It is likely that citizens can be compelled to assist PRC state actors in interference efforts if and when those efforts fall under the broader definition of ‘national intelligence work’ and ‘national intelligence efforts’ as noted in the Law.”7 This assessment, in combination with the approximately 350,000 Chinese students attending U.S. universities, gives China an incredible capacity to use espionage to procure developing technology.8 A second aspect of the theft of science and technology is the acquisition of U.S. businesses and their subcontracted suppliers by PRC-backed private companies. One example is the acquisition of A123, a U.S. company that develops and supplies lithium-ion batteries.9 A123, after receiving approximately $1 billion from private investors and $100 million in federal government backing, as well as technical advice from General Motors, Motorola, and Qualcomm, went bankrupt and was subsequently purchased by the Chinese Wanxiang Group Corp for $257 million.10 This acquisition gave China the company’s technological research and manufacturing facilities at an incredibly discounted rate.

Within the U.S. government, multiple agencies, including the Federal Bureau of Investigation, the National Security Agency, and the Federal Trade Commission, work on different aspects of this problem. They observe, detect, and respond individually to Chinese intellectual property theft. A coordinated U.S. government effort would be more capable of detecting the Chinese malign behavior, creating comprehensive deterrence, and formulating a powerful response. Source

***

As a 2020 Department of Defense publication explained, irregular warfare “favors indirect and asymmetric approaches” by countries “in order to erode an adversary’s power, influence, and will.” It includes numerous tools of statecraft that governments can use to shift the balance of power in their favor: information operations (including psychological operations and propaganda), cyber operations, support to state and nonstate partners, covert action, espionage, and economic coercion.

Many of these tools, such as information and cyber operations, can be used for irregular and conventional campaigns. They are simply a means. In irregular warfare, however, a country designs and uses these tools to undermine its adversaries as part of balance-of-power competition without engaging in set-piece battles. Other government officials and scholars have used different terms—such as political warfare, hybrid warfare, gray zone activity, asymmetric conflict, and the indirect approach—to capture some or all of these activities.

In particular, irregular warfare is distinct from conventional warfare, which has sometimes been referred to as “traditional” or “regular” warfare. Conventional warfare involves the use of direct land, naval, air, and other military capabilities to defeat an adversary’s armed forces on a battlefield; control territory, populations, and forces; or annihilate an enemy’s war-making capacity. Irregular warfare is also different from nuclear warfare, which involves the use—or threat—of nuclear weapons against adversaries. Finally, irregular warfare is distinct from routine foreign policy, which can include diplomatic, humanitarian, intelligence, and other activities that have little or nothing to do with competition against adversaries.