Grid Hacking Tool Found, Have a Generator Yet?

Researchers Found a Hacking Tool that Targets Energy Grids on the Dark Web

Motherboard: A sophisticated piece of government-made malware, designed to do reconnaissance on energy grid systems ahead of an eventual cyberattack on critical infrastructure, was found on a dark web hacking forum.

Cybersecurity researchers usually catch samples of malicious software like spyware or viruses when a victim who’s using their software, such as an antivirus, gets infected. But at times, they find those samples somewhere else. Such was the case for Furtim, a newly discovered malware, caught recently by researchers from the security firm SentinelOne.

SentinelOne’s researchers believe the malware was created by a team of hackers working for a government, likely from eastern Europe, according to a report published on Tuesday.

Hacking forums, of course, are home to a lot of malicious data and software. But they are usually not places where sophisticated government-made hacking tools get exchanged.

Udi Shamir, chief security officer at SentinelOne, said that it’s normal to find reused code and malware on forums because “nobody tries to reinvent the wheel again and again and again.” But in this case, “it was very surprising to see such a sophisticated sample” appear in hacking forums, he told Motherboard in a phone interview.

“This was not the work of a kid. […] It was cyberespionage at its best.”

Shamir said that the malware, dubbed Furtim, was “clearly not” made by cybercriminals to make some money but for government spying operations.

Furtim is a “dropper tool,” a platform that infects a machine and then serves as a first step to launch further attacks. It was designed to target specifically European energy companies using Windows, was released in May, and is still active, according to SentinelOne.

Another interesting characteristic is that Furtim actively tries to avoid dozens of common antivirus products, as well as sandboxes and virtual machines, in an attempt to evade detection and stay hidden as long as possible. The goal is “to remove any antivirus software that is installed on the system and drop its final payload,” SentinelOne’s report reads.

Security experts believe that critical infrastructure, such as the energy grid, is highly vulnerable to cyberattacks, and believe a future conflict might start with taking down the power using malware. While it might sound far-fetched, at the end of last year, hackers believed to be working for the Russian government caused a blackout in parts of Ukraine after gaining access to the power grid using malware.

It’s unclear who’s behind this cyberespionage operation, but Shamir said it’s likely a government from Eastern Europe, with a lot of resources and skills. The malware’s developers were very familiar with Windows; they knew it “to the bone,” according to him.

“This was not the work of a kid,” he said. “It was cyberespionage at its best.”

****

The dropper’s principal mission is to avoid detection; it will not execute if it senses it’s being run in a virtualized environment such as a sandbox, and it also can bypass antivirus protection running on compromised machines.

The sample also includes a pair of privilege escalation exploits for patched Windows vulnerabilities (CVE-2014-4113 and CVE-2015-1701), as well as a bypass for Windows User Account Control (UAC), which limits user privileges.

“It escalates privileges after all these checks and registers a hidden binary that it drops onto the hard drive that runs early in the boot process,” SentinelOne senior security researcher Joseph Landry said. “It will go through and systematically remove any AV on the machine that it targets. Then it drops another payload to the Windows directory and runs it during login time.”

More from ThreatPost
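The two persistence points Landry describes (a hidden binary registered to run early in the boot process, and a second payload dropped into the Windows directory and launched at login) are things a defender can audit. The script below is an added example written for this page; it is not SentinelOne’s code and is not derived from the Furtim sample. The registry paths are the real Windows Run, RunOnce and Session Manager BootExecute locations; the scoring rules (hidden attribute, non-standard BootExecute item, executable sitting directly in the Windows directory) are my own heuristics, and the `SAMPLE_ENTRIES` are constructed so the logic can be exercised on any platform. The live collector needs Windows.

```python
"""Audit Windows autorun locations for the kind of persistence described above.

Added example, not code from SentinelOne or the article. The registry paths
are real; the scoring heuristics are assumptions and need tuning per estate.
"""
import ntpath
import sys
from dataclasses import dataclass
from typing import List, Optional

# Real autorun locations. BootExecute normally holds only "autocheck autochk *".
RUN_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
]
SESSION_MANAGER_KEY = r"System\CurrentControlSet\Control\Session Manager"


@dataclass
class AutorunEntry:
    location: str           # "Run", "RunOnce" or "BootExecute"
    name: str               # registry value name (empty for BootExecute items)
    command: str            # command line, or the BootExecute program name
    hidden: Optional[bool]  # hidden attribute of the target; None = not examined


def extract_path(command: str) -> str:
    """Return the program path from a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0] if command else ""


def assess(entry: AutorunEntry, windir: str = r"C:\Windows") -> List[str]:
    """Heuristic reasons an entry deserves a closer look; empty list if none."""
    reasons = []
    if entry.location == "BootExecute":
        # Anything besides the stock autochk invocation runs before most
        # security products have started, which is where a dropper wants to be.
        if not entry.command.lower().startswith("autocheck autochk"):
            reasons.append("non-standard BootExecute entry")
        return reasons
    path = extract_path(entry.command)
    if entry.hidden:
        reasons.append("target file carries the hidden attribute")
    if ntpath.dirname(path).lower() == windir.lower():
        reasons.append("target sits directly in the Windows directory")
    return reasons


def audit(entries) -> dict:
    """Map each flagged (location, name) to its reasons; clean entries omitted."""
    report = {}
    for e in entries:
        reasons = assess(e)
        if reasons:
            report[(e.location, e.name or e.command)] = reasons
    return report


def collect_live() -> List[AutorunEntry]:
    """Read the real keys and check hidden attributes (Windows only)."""
    import os, stat, winreg  # winreg only exists on Windows
    entries = []
    for key_path in RUN_KEYS:
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path)
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                i += 1
                try:
                    attrs = os.stat(extract_path(str(value))).st_file_attributes
                    hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
                except OSError:
                    hidden = None
                entries.append(AutorunEntry(ntpath.basename(key_path), name, str(value), hidden))
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER_KEY) as key:
            items, _ = winreg.QueryValueEx(key, "BootExecute")  # REG_MULTI_SZ -> list
            entries.extend(AutorunEntry("BootExecute", "", item, None) for item in items)
    except OSError:
        pass
    return entries


# Constructed sample entries (not taken from any real host) for offline runs.
SAMPLE_ENTRIES = [
    AutorunEntry("Run", "OneDrive", r'"C:\Program Files\OneDrive\OneDrive.exe" /background', False),
    AutorunEntry("Run", "Updater", r"C:\Windows\updater.exe", True),
    AutorunEntry("BootExecute", "", "autocheck autochk *", None),
    AutorunEntry("BootExecute", "", "earlyinit", None),
]

if __name__ == "__main__":
    entries = collect_live() if sys.platform == "win32" else SAMPLE_ENTRIES
    for key, reasons in audit(entries).items():
        print(key, "->", "; ".join(reasons))
```

Run it on a Windows host to get a list of Run, RunOnce and BootExecute entries worth a second look; elsewhere it reports on the constructed sample, where only the hidden executable in `C:\Windows` and the extra BootExecute item are flagged. Treat hits as triage leads, not verdicts: the checks are deliberately simple and say nothing about the many other persistence mechanisms Windows offers.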

NATO Website Goes Dark During Summit

Those Russians are good, good at hacking…

A suspicious outage was reported, and interestingly, Obama was there too. At the Warsaw Summit, hosted by Poland, several distinct events happened:

1. There was an agreement to strengthen the alliance with military presence in the East, including Estonia, Latvia and Lithuania.
2. The allies also agreed to the operational strength of ballistic missile defense as well as cyber defenses, and to treating cyberspace as an operational domain.
3. For Afghanistan, a resolution was approved to continue the mission and fund forces through 2020.
4. A comprehensive assistance package for Ukraine passed.
5. The NATO website/domain was likely hacked.


So….the chatter at the more casual breakout sessions and in the formal session did include escalating protections in the cyber realm. Obama got the message. Certainly on the heels of the Hillary emailgate scandal, Barack Obama finally admits there are things still to be done to tighten up security.

Obama says U.S. government must improve cyber security

Reuters: U.S. President Barack Obama said on Sunday that the U.S. government has to improve its cyber security practices for the modern age of smart phones and other technology, saying that hackers had targeted the White House.

“I am concerned about it, I don’t think we have it perfect. We have to do better, we have to learn from mistakes,” Obama told a news conference in Madrid. “We know that we have had hackers in the White House,” he added.

Concerns have been raised about the security of government information after the head of the FBI said presidential nominee Hillary Clinton’s email servers may have been accessed by foreign actors when she was Secretary of State.

****

In 2015, Obama held a cyber security summit. Also there was an Executive Order. He wants better coordination between government and the private sector to fight online threats. Companies on board include Apple and Intel. It was a busy year in 2015 as Obama Announces New Cybersecurity Legislative Proposal and Other Cybersecurity Efforts.

Obama’s earmarking of $19 billion for cyber programs also came with a czar, Howard A. Schmidt. So how smart is Schmidt, or rather how UN-smart is he?

So far, there is no official proof that any country has ever engaged in a cyber attack, although certain malware attacks have been linked to different nations. The Stuxnet worm, which disrupted Iran’s nuclear facilities, has been attributed to the United States and Israel and the recently uncovered cyber espionage operation Red October is rumored to be either a Russian or a Chinese operation.

To avoid a cyber arms-race and an escalation in cyber attacks, Kaspersky has openly advocated for more online regulation, including international treaties limiting the use of malware — just like there are treaties against biological and nuclear weapons.

For Schmidt, that’s not a viable solution because it would be hard to enforce such a treaty. “At some point in the future maybe that will work but right now, number one, we have enough difficulty enforcing treaties of physical things that you can actually count, whether it’s weapon systems or whether it’s export import of these things, it’s extremely difficult,” he said.

Instead of a treaty that will take decades to become reality, Schmidt thinks countries should just respect the rules of engagement that already apply in real warfare. In war “we don’t just arbitrarily start shooting at people, we don’t send planes, we have respect for airspace, we have respect for a lot of the international laws,” he said. “Cyberspace should not be any different.” More here from Mashable.

One more thing to Obama and Mr. Schmidt….don’t forget the Office of Personnel Management, which experienced one of the largest intrusions of data belonging to and managed by the Federal government. Furthermore, that lady, Mrs. Katharine Archuleta, who ran OPM, never had any security experience with cyber, and directly after the hearings on the cyber hack of the agency, well….she quit.

Cyber doom is here and no one talks about it….most of all the media…it is the best kept secret and classified condition inside the beltway.


FBI: Hillary is Above the Law

FBI Director James Comey laid out the facts, and it is beyond debate that Hillary and her team are official members of the Bill Ayers “guilty but nothing to see here” club. The nation of laws is but a distant memory. Comey laid out gross negligence and carelessness but is not recommending prosecution.

When Loretta Lynch said she would accept the FBI’s and prosecutor’s recommendation, the formal plan was already in play. What say you?

SHE SHOULD LOSE HER SECURITY CLEARANCE FOREVER, but judge for yourself.

Comey’s official statement:

Washington, D.C. July 05, 2016
  • FBI National Press Office (202) 324-3691

Remarks prepared for delivery at press briefing.

Good morning. I’m here to give you an update on the FBI’s investigation of Secretary Clinton’s use of a personal e-mail system during her time as Secretary of State.

After a tremendous amount of work over the last year, the FBI is completing its investigation and referring the case to the Department of Justice for a prosecutive decision. What I would like to do today is tell you three things: what we did; what we found; and what we are recommending to the Department of Justice.

This will be an unusual statement in at least a couple ways. First, I am going to include more detail about our process than I ordinarily would, because I think the American people deserve those details in a case of intense public interest. Second, I have not coordinated or reviewed this statement in any way with the Department of Justice or any other part of the government. They do not know what I am about to say.

I want to start by thanking the FBI employees who did remarkable work in this case. Once you have a better sense of how much we have done, you will understand why I am so grateful and proud of their efforts.

So, first, what we have done:

The investigation began as a referral from the Intelligence Community Inspector General in connection with Secretary Clinton’s use of a personal e-mail server during her time as Secretary of State. The referral focused on whether classified information was transmitted on that personal system.

Our investigation looked at whether there is evidence classified information was improperly stored or transmitted on that personal system, in violation of a federal statute making it a felony to mishandle classified information either intentionally or in a grossly negligent way, or a second statute making it a misdemeanor to knowingly remove classified information from appropriate systems or storage facilities.

Consistent with our counterintelligence responsibilities, we have also investigated to determine whether there is evidence of computer intrusion in connection with the personal e-mail server by any foreign power, or other hostile actors.

I have so far used the singular term, “e-mail server,” in describing the referral that began our investigation. It turns out to have been more complicated than that. Secretary Clinton used several different servers and administrators of those servers during her four years at the State Department, and used numerous mobile devices to view and send e-mail on that personal domain. As new servers and equipment were employed, older servers were taken out of service, stored, and decommissioned in various ways. Piecing all of that back together—to gain as full an understanding as possible of the ways in which personal e-mail was used for government work—has been a painstaking undertaking, requiring thousands of hours of effort.

For example, when one of Secretary Clinton’s original personal servers was decommissioned in 2013, the e-mail software was removed. Doing that didn’t remove the e-mail content, but it was like removing the frame from a huge finished jigsaw puzzle and dumping the pieces on the floor. The effect was that millions of e-mail fragments end up unsorted in the server’s unused—or “slack”—space. We searched through all of it to see what was there, and what parts of the puzzle could be put back together.

FBI investigators have also read all of the approximately 30,000 e-mails provided by Secretary Clinton to the State Department in December 2014. Where an e-mail was assessed as possibly containing classified information, the FBI referred the e-mail to any U.S. government agency that was a likely “owner” of information in the e-mail, so that agency could make a determination as to whether the e-mail contained classified information at the time it was sent or received, or whether there was reason to classify the e-mail now, even if its content was not classified at the time it was sent (that is the process sometimes referred to as “up-classifying”).

From the group of 30,000 e-mails returned to the State Department, 110 e-mails in 52 e-mail chains have been determined by the owning agency to contain classified information at the time they were sent or received. Eight of those chains contained information that was Top Secret at the time they were sent; 36 chains contained Secret information at the time; and eight contained Confidential information, which is the lowest level of classification. Separate from those, about 2,000 additional e-mails were “up-classified” to make them Confidential; the information in those had not been classified at the time the e-mails were sent.

The FBI also discovered several thousand work-related e-mails that were not in the group of 30,000 that were returned by Secretary Clinton to State in 2014. We found those additional e-mails in a variety of ways. Some had been deleted over the years and we found traces of them on devices that supported or were connected to the private e-mail domain. Others we found by reviewing the archived government e-mail accounts of people who had been government employees at the same time as Secretary Clinton, including high-ranking officials at other agencies, people with whom a Secretary of State might naturally correspond.

This helped us recover work-related e-mails that were not among the 30,000 produced to State. Still others we recovered from the laborious review of the millions of e-mail fragments dumped into the slack space of the server decommissioned in 2013.

With respect to the thousands of e-mails we found that were not among those produced to State, agencies have concluded that three of those were classified at the time they were sent or received, one at the Secret level and two at the Confidential level. There were no additional Top Secret e-mails found. Finally, none of those we found have since been “up-classified.”

I should add here that we found no evidence that any of the additional work-related e-mails were intentionally deleted in an effort to conceal them. Our assessment is that, like many e-mail users, Secretary Clinton periodically deleted e-mails or e-mails were purged from the system when devices were changed. Because she was not using a government account—or even a commercial account like Gmail—there was no archiving at all of her e-mails, so it is not surprising that we discovered e-mails that were not on Secretary Clinton’s system in 2014, when she produced the 30,000 e-mails to the State Department.

It could also be that some of the additional work-related e-mails we recovered were among those deleted as “personal” by Secretary Clinton’s lawyers when they reviewed and sorted her e-mails for production in 2014.

The lawyers doing the sorting for Secretary Clinton in 2014 did not individually read the content of all of her e-mails, as we did for those available to us; instead, they relied on header information and used search terms to try to find all work-related e-mails among the reportedly more than 60,000 total e-mails remaining on Secretary Clinton’s personal system in 2014. It is highly likely their search terms missed some work-related e-mails, and that we later found them, for example, in the mailboxes of other officials or in the slack space of a server.

It is also likely that there are other work-related e-mails that they did not produce to State and that we did not find elsewhere, and that are now gone because they deleted all e-mails they did not return to State, and the lawyers cleaned their devices in such a way as to preclude complete forensic recovery.

We have conducted interviews and done technical examination to attempt to understand how that sorting was done by her attorneys. Although we do not have complete visibility because we are not able to fully reconstruct the electronic record of that sorting, we believe our investigation has been sufficient to give us reasonable confidence there was no intentional misconduct in connection with that sorting effort.

And, of course, in addition to our technical work, we interviewed many people, from those involved in setting up and maintaining the various iterations of Secretary Clinton’s personal server, to staff members with whom she corresponded on e-mail, to those involved in the e-mail production to State, and finally, Secretary Clinton herself.

Last, we have done extensive work to understand what indications there might be of compromise by hostile actors in connection with the personal e-mail operation.

That’s what we have done. Now let me tell you what we found:

Although we did not find clear evidence that Secretary Clinton or her colleagues intended to violate laws governing the handling of classified information, there is evidence that they were extremely careless in their handling of very sensitive, highly classified information.

For example, seven e-mail chains concern matters that were classified at the Top Secret/Special Access Program level when they were sent and received. These chains involved Secretary Clinton both sending e-mails about those matters and receiving e-mails from others about the same matters. There is evidence to support a conclusion that any reasonable person in Secretary Clinton’s position, or in the position of those government employees with whom she was corresponding about these matters, should have known that an unclassified system was no place for that conversation. In addition to this highly sensitive information, we also found information that was properly classified as Secret by the U.S. Intelligence Community at the time it was discussed on e-mail (that is, excluding the later “up-classified” e-mails).

None of these e-mails should have been on any kind of unclassified system, but their presence is especially concerning because all of these e-mails were housed on unclassified personal servers not even supported by full-time security staff, like those found at Departments and Agencies of the U.S. Government—or even with a commercial service like Gmail.

Separately, it is important to say something about the marking of classified information. Only a very small number of the e-mails containing classified information bore markings indicating the presence of classified information. But even if information is not marked “classified” in an e-mail, participants who know or should know that the subject matter is classified are still obligated to protect it.

While not the focus of our investigation, we also developed evidence that the security culture of the State Department in general, and with respect to use of unclassified e-mail systems in particular, was generally lacking in the kind of care for classified information found elsewhere in the government.

With respect to potential computer intrusion by hostile actors, we did not find direct evidence that Secretary Clinton’s personal e-mail domain, in its various configurations since 2009, was successfully hacked. But, given the nature of the system and of the actors potentially involved, we assess that we would be unlikely to see such direct evidence. We do assess that hostile actors gained access to the private commercial e-mail accounts of people with whom Secretary Clinton was in regular contact from her personal account. We also assess that Secretary Clinton’s use of a personal e-mail domain was both known by a large number of people and readily apparent. She also used her personal e-mail extensively while outside the United States, including sending and receiving work-related e-mails in the territory of sophisticated adversaries. Given that combination of factors, we assess it is possible that hostile actors gained access to Secretary Clinton’s personal e-mail account.

So that’s what we found. Finally, with respect to our recommendation to the Department of Justice:

In our system, the prosecutors make the decisions about whether charges are appropriate based on evidence the FBI has helped collect. Although we don’t normally make public our recommendations to the prosecutors, we frequently make recommendations and engage in productive conversations with prosecutors about what resolution may be appropriate, given the evidence. In this case, given the importance of the matter, I think unusual transparency is in order.

Although there is evidence of potential violations of the statutes regarding the handling of classified information, our judgment is that no reasonable prosecutor would bring such a case. Prosecutors necessarily weigh a number of factors before bringing charges. There are obvious considerations, like the strength of the evidence, especially regarding intent. Responsible decisions also consider the context of a person’s actions, and how similar situations have been handled in the past.

In looking back at our investigations into mishandling or removal of classified information, we cannot find a case that would support bringing criminal charges on these facts. All the cases prosecuted involved some combination of: clearly intentional and willful mishandling of classified information; or vast quantities of materials exposed in such a way as to support an inference of intentional misconduct; or indications of disloyalty to the United States; or efforts to obstruct justice. We do not see those things here.

To be clear, this is not to suggest that in similar circumstances, a person who engaged in this activity would face no consequences. To the contrary, those individuals are often subject to security or administrative sanctions. But that is not what we are deciding now.

As a result, although the Department of Justice makes final decisions on matters like this, we are expressing to Justice our view that no charges are appropriate in this case.

I know there will be intense public debate in the wake of this recommendation, as there was throughout this investigation. What I can assure the American people is that this investigation was done competently, honestly, and independently. No outside influence of any kind was brought to bear.

I know there were many opinions expressed by people who were not part of the investigation—including people in government—but none of that mattered to us. Opinions are irrelevant, and they were all uninformed by insight into our investigation, because we did the investigation the right way. Only facts matter, and the FBI found them here in an entirely apolitical and professional way. I couldn’t be prouder to be part of this organization.
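Two technical points in the statement above are worth seeing in code: recovering e-mail fragments from the “slack” space of a decommissioned server, and why a header-and-search-term review can miss work-related mail that a full-content read finds. The block below is an added example written for this page, not the FBI’s tooling and not from the blog author. It carves RFC 5322-style header blocks and the printable body that follows them out of a constructed byte image (the filler bytes are random high-bit bytes standing in for overwritten data, and the two embedded messages are made up), then runs the same search term in headers-only and full-content mode. The function names `build_sample_image`, `carve_fragments` and `search` are mine.

```python
"""Carve e-mail fragments from unallocated ("slack") space and search them.

Added example, not the FBI's tooling. The sample image and its two messages
are constructed; the carving rule is a simple header-block signature scan.
"""
import random
import re

# A header block: a From: line followed by zero or more "Name: value" lines.
HEADER_RE = re.compile(rb"From: [^\r\n]{1,200}\r\n(?:[A-Za-z][A-Za-z0-9-]*: [^\r\n]{0,500}\r\n)*")

# Constructed messages (fictional addresses) that will be buried in the image.
FRAGMENT_ONE = (b"From: alice@example.org\r\nTo: bob@example.org\r\n"
                b"Subject: Quarterly report\r\nDate: Tue, 05 Jul 2016 09:00:00 +0000\r\n"
                b"\r\nPlease review the attached figures.\r\n")
FRAGMENT_TWO = b"From: carol@example.org\r\nSubject: Lunch\r\n\r\nInvoice attached, see you at noon."


def build_sample_image() -> bytes:
    """Constructed slack-space image: non-text filler with two fragments inside."""
    rng = random.Random(1)  # fixed seed so the layout is reproducible
    filler = lambda n: bytes(rng.randrange(128, 256) for _ in range(n))  # never printable ASCII
    return filler(300) + FRAGMENT_ONE + filler(200) + FRAGMENT_TWO + filler(100)


def _parse_headers(raw: bytes) -> dict:
    headers = {}
    for line in raw.split(b"\r\n"):
        if b": " in line:
            name, value = line.split(b": ", 1)
            headers[name.decode("ascii", "replace")] = value.decode("ascii", "replace")
    return headers


def carve_fragments(blob: bytes, max_body: int = 4096) -> list:
    """Find header-block signatures and collect the printable text after each.

    The body stops at the first byte that is not printable ASCII or whitespace,
    which is how a fragment ends when the rest of the message was overwritten.
    """
    fragments = []
    for m in HEADER_RE.finditer(blob):
        start = m.end()
        if blob.startswith(b"\r\n", start):  # blank line separating headers from body
            start += 2
        body = bytearray()
        for b in blob[start:start + max_body]:
            if b in (9, 10, 13) or 32 <= b < 127:
                body.append(b)
            else:
                break
        fragments.append({
            "offset": m.start(),
            "headers": _parse_headers(m.group(0)),
            "body": bytes(body).decode("ascii"),
        })
    return fragments


def search(fragments: list, terms: list, headers_only: bool) -> list:
    """Return fragments containing any term; headers_only mimics a metadata-based sort."""
    hits = []
    for f in fragments:
        text = " ".join(f["headers"].values())
        if not headers_only:
            text += " " + f["body"]
        text = text.lower()
        if any(t.lower() in text for t in terms):
            hits.append(f)
    return hits


if __name__ == "__main__":
    frags = carve_fragments(build_sample_image())
    for f in frags:
        print(f"offset {f['offset']}: {f['headers']} body={f['body']!r}")
    print("headers-only hits for 'invoice':", len(search(frags, ["invoice"], headers_only=True)))
    print("full-content hits for 'invoice':", len(search(frags, ["invoice"], headers_only=False)))
```

Both buried messages come back with their offsets and headers, and the search illustrates the statement’s point: “invoice” appears only in the second message’s body, so a headers-only pass returns nothing while a full-content pass finds it. On a real image you would feed the raw device or partition bytes in, add signatures for other mail formats (mbox `From ` lines, MIME boundaries) and expect far messier fragments.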

Terror Database Hacked/Leaked

Terror-suspect database used by banks, governments, has been leaked


Thomson Reuters has secured the source of the leak

CSOnline: A database described by some as a “terrorism blacklist” has fallen into the hands of a white-hat hacker who may decide to make it accessible to the public online.

The database, called World-Check, belongs to Thomson Reuters and is used by banks, governments and intelligence agencies to screen people for criminal ties and links to terrorism.

Security researcher Chris Vickery claims to have obtained a 2014 copy of the database. He announced the details on Tuesday in a post on Reddit.

“No hacking was involved in my acquisition of this data,” he wrote. “I would call it more of a leak than anything, although not directly from Thomson Reuters.” Vickery declined to share how he obtained the data, but he’s already contacted Thomson Reuters about securing the source of the leak.

In an email, Thomson Reuters said on Wednesday that it was “grateful” to Vickery for the alert. The “third-party” that leaked the database has taken it down, the company added.

Vickery has previously exposed database leaks related to Mexican voters, a Hello Kitty online fan community and medical records.

His copy of the World-Check database contains the names of over 2.2 million people and organizations declared “heightened risks.” Only a small part of the data features a terrorism category. Additional categories include individuals with ties to money laundering, organized crime, corruption and others.

He is asking Reddit users whether he should leak the database to the public. His concern is that innocent people with no criminal ties may have been placed on the list.

The information isn’t really secret either. Users can buy access to the database from Thomson Reuters.

Leaking the database, however, could create risks and tip off “actual bad guys” that they’ve been placed on the list, Vickery said.

Thomson Reuters declined to say how it might respond if Vickery decides to publicize the information. The World-Check database is sourced from the company’s analysts, “industry sources” and government records.

Related reading: Thomson Reuters World-Check KYC, AML, CFT and PEP Due Diligence

****


Much more goes on besides just a terror database:

Truth Technologies’ Sentinel with World-Check lets you quickly and cost-effectively mitigate risks associated with PEPs, money laundering and terrorist financing. Sentinel gives you seamless access to the Data-File to determine whether customers are Politically Exposed Persons (PEPs), terrorists, or financial criminals, and to conduct enhanced due diligence. As a hosted solution for reducing your organization’s risk, there is no software for you to install, maintain or update, allowing you to focus on your core mission.

A comprehensive solution for regulatory compliance, World-Check’s risk intelligence database contains hundreds of thousands of meticulously structured profiles on individuals and entities known to represent a financial, regulatory or reputational risk to organizations. Coverage includes money launderers, fraudsters, terrorists, organized crime and sanctioned entities, amongst other high-risk categories. In addition, World-Check tracks Politically Exposed Persons (PEPs) and their relationship networks, plus individuals and businesses from other categories. World-Check’s database finds direct application in financial compliance, Anti-Money Laundering (AML), Know Your Customer (KYC), PEP screening, Enhanced Due Diligence (EDD), fraud prevention, government intelligence and other identity authentication, background screening and risk prevention practices.

So, That Cyber Caliphate is Not ISIS, it is Russian!

Cyber Caliphate or Kremlin False-Flag?

The so-called Cyber Caliphate, the supposed cyber army of the jihadist organization ISIS, has featured prominently in the news in recent years with a string of high-profile attacks on significant targets. The Cyber Caliphate defaced US government websites, hacked into Department of Defence databases and released personal information of 1,400 US military affiliates, hijacked several feeds belonging to French TV channel TV5Monde and defaced its websites with the tagline “Je suis ISIS,” and more, much more.

As the Cyber Caliphate threat grew, western intelligence agencies took note and devoted significant resources to exposing and fighting the organisation. These efforts increased with the recent announcement that the various ISIS hackers were merging under a new umbrella organisation, the United Cyber Caliphate, which could constitute a major threat online.

In late February, the Pentagon announced the beginning of a full-scale cyber-war against ISIS, including activity by the US Cyber Command and a drone strike which killed Junaid Hussain, British jihadist of Pakistani origin who was the Caliphate’s best-known hacker.

However, not all is as it seems in the land of jihadi cyber warfare. Following the TV5Monde attack, French intelligence services scrutinised the group’s activity and concluded that the hackers involved had, in fact, no ties to ISIS, but rather to a better-established organisation famous for its deceptive spying practices. French investigators traced the attacks back to Moscow, and in particular to APT 28, a group well-known as the Kremlin’s secret cyber-arm.


Similar conclusions were reached following analysis in other countries, too. The US State Department said in a mid-2015 report that although the “Cyber Caliphate declares to support [ISIS], there are no indications—technical or otherwise—that the groups are tied.” According to Der Spiegel, German intelligence also believes the Cyber Caliphate to be a Russian false-flag operation, part of Moscow’s 4,000-strong hacking staff.

To those versed in the practices of the clandestine world of spies, none of this should come as a surprise. The Kremlin has had over 100 years to perfect its false-flag practices, with the only innovation being that these sorts of operations now take place in the cyber-world. For Moscow, this is just another tool in its arsenal, but it does indicate that ISIS is not nearly as formidable as it once seemed.

Yes, there is more bad news. If you are going to the Olympics, beware:

Officials warn that U.S. travelers to Rio Olympics face hack risk

USAToday: WASHINGTON — If Zika, political instability and contaminated water weren’t enough, U.S. intelligence officials are warning Americans traveling to the August Olympic Games in Rio and other destinations abroad that proprietary information stored on electronic devices is at high risk for theft by spies and cyber criminals who are increasingly targeting global events as troughs rich in valuable intelligence.

Bill Evanina, the nation’s chief counter-intelligence executive, is urging travelers to carry “clean” devices, free of potentially valuable archives that could be tapped for economic advantage, personal data or security information.

Just as the Olympics draw the world’s most talented athletes, Evanina said the games and other international events represent a “great playground” for government intelligence services and criminals, if only because of the “sheer number of devices.”

A little more than a month before the Rio games and in the midst of the summer travel season, the U.S. government is launching a multimedia campaign Wednesday to advise travelers of the increasing threat. The program, “Know the Risk; Raise Your Shield,” warns in part that foreign security services and criminals are tracking visitors’ movements through their mobile phones and are able to control such things as internal microphones remotely, often without the users’ knowledge.

“When you travel abroad, assume that your personal information will be breached,” Evanina said.

Though the campaign is aimed at all U.S. travelers abroad, the approaching Olympics, which traditionally draws thousands of U.S. visitors, offer a specific focus of concern for authorities.

As part of the U.S. government’s awareness campaign, Evanina, through the National Counterintelligence and Security Center, is advising Americans traveling abroad, regardless of their destination and purpose, to take a variety of precautions.

Among them:

• Leave unnecessary devices at home.
• Back up data on devices in use and leave those copies in secure locations at home.
• Change passwords at regular intervals during travel and on return.
• Avoid prolonged sessions on local Wi-Fi networks.
• Submit company devices for examination on return for presence of malware.

National security agencies raised similar concerns in advance of the 2008 games in China and the 2014 Winter Olympics in Russia, as both countries represent the U.S.’s most aggressive cyber adversaries. Prior to the 2014 Sochi games, for example, the Department of Homeland Security warned that “all communications and files” stored on personal electronic devices were vulnerable to interception.

Brazil, while not considered such an adversary, nevertheless will likely draw intelligence units from other countries and outside criminal elements all seeking to mine the global event that attracts top government leaders and a constellation of Wall Street and corporate executives, Evanina said.

Ray Mey, a former FBI official who has managed security operations at Olympics in Salt Lake City and Torino, Italy, said that businesses may be more inclined to bolster their cyber defenses in places like China and Russia, even though Rio is expected to be used as an information collection and recruitment opportunity. More from USAToday