Category Archives: Cyber War

Zuckerberg Infected Voting Integrity

Posted on by

Founderscode wrote about this December of 2020 in detail.

RCP, in part: In the months leading up to November’s election, voting officials in major cities and counties worked with a progressive group funded by Facebook founder Mark Zuckerberg and its allies to create ballots, strategically target voters and develop “cure” letters in situations where mail-in ballots were in danger of being tossed out.

The Center for Tech and Civic Life, or CTCL, provided millions of dollars in private funding for the elections that came from a $350 million donation from Zuckerberg and his wife, Priscilla Chan.  The CTCL gave “COVID-19 response” grants of varying amounts to  2,500 municipalities in 49 states.

Facebook's Mark Zuckerberg pledges $300M to support 'safe ...

In exchange for the money, elections divisions agreed to conduct their elections according to conditions set out by the CTCL, which is led by former members of the New Organizing Institute, a training center for progressive groups and Democratic campaigns.

A CTCL partner, the Center for Civic Design, helped design absentee ballot forms and instructions, crafted voter registration letters for felons and tested automatic voter registration systems in several states, working alongside progressive activist groups in Michigan and directly with elections offices in Georgia and Utah.

Still other groups with a progressive leaning, including the Main Street Alliance, The Elections Group and the National Vote at Home Institute, provided support for some elections offices.

“COVID-19 response” grants of varying amounts to  2,500 municipalities in 49 states.
Center for Tech and Civic Life

Facebook, with the CTCL, was also part of the effort, providing a guide and webinar for election officials on how to engage voters. Included were directions to report “voter interference” to Facebook authorities. The company also provided designated employees in six regions of the U.S. to handle questions. Together, the groups strategically targeted voters and waged a voter assistance campaign aimed at low-income and minority residents who typically shun election participation, helping Democratic candidates win key spots all over the U.S.

The little-explored roles of CTCL and other such groups emerged in emails and other records obtained by RealClearInvestigations and public documents secured by conservative litigants and groups, including the Foundation for Government Accountability, which has filed more than 800 public records requests with elections offices accepting the grants.

Previously, the Zuckerberg-funded effort has been described in generally positive terms, notably when NPR reported in December on “How Private Money From Facebook’s CEO Saved The 2020 Election” — in the face of the coronavirus pandemic, President Trump’s doubts about the legitimacy of the process and “Congress’ neglect.”

In 2018, RCI reported that a New York University School of Law program funded by billionaire Michael Bloomberg had placed environmentally minded lawyers in the offices of Democratic state attorneys general to challenge Trump administration policies. And examples of private efforts to steer cash-strapped public education are numerous, from the Koch charities on the right to more recent race-conscious programs on the left emphasizing the legacy and centrality of white racism in society.

Zuckerberg did not respond to an emailed request from RCI for comment. In a post-election interview, he praised Facebook’s security work during the election and singled out its policing of “misinformation.” He noted working with polling officials to watch for information that might lead to “voter suppression” and said Facebook had strengthened its enforcement “against militias and conspiracy networks like Q-Anon.”

Facebook has banned Trump from its platform and has delisted individuals – many of them conservatives — for espousing views about the election that it insists are “misinformation.”
***
All of this and more is the reason Florida Governor, Ron DeSantis and other governors are reworking voter integrity law. Texas is the most recent to address the issue and may call a special legislative session to establish new voting laws.

Beware of Russian Influence on Vaccine Disinformation

Posted on by

It is additional definition of the cyber war…

Operatives at the behest of Moscow have never passed up the opportunity to exploit a crisis in the Western world. It has gone on for years, back to the days of the KGB, now know as the SVR.

Opinion | Operation Infektion: A three-part video series ... Yet, does media keep making the same mistakes?

Readers and researchers must validate the sources, all of them and check them often. Big media has fallen victim as well and some make corrections while others don’t bother.

Even CNN has admitted as much –>

Washington (CNN)Online platforms directed by Russian intelligence are spreading disinformation about two of the coronavirus vaccines being used in the US, a State Department spokesperson confirmed to CNN on Sunday.

The agency’s Global Engagement Center identified three Russian outlets — News Front, New Eastern Outlook and Oriental Review — that are spreading not only misinformation about the virus, but also regarding “international organizations, military conflicts, protests; and any divisive issue that they can exploit,” according to the spokesperson.
“These sites all vary in their reach, tone, and audience — but they all are spreading Russian propaganda and disinformation. The State Department’s finding of a link between these sites and Russian Intelligence is a result of a joint interagency conclusion,” the spokesperson said.

In part:

French and German YouTubers, bloggers and influencers have been offered money by a supposedly UK-based PR agency with apparent Russian connections to falsely tell their followers the Pfizer/BioNTech vaccine is responsible for hundreds of deaths.

Fazze, an “influencer marketing platform … connecting bloggers and advertisers”, claimed to be based at 5 Percy Street in London but is not registered there. On Tuesday, it temporarily closed its website and made its Instagram account private.

The agency contacted several French health and science YouTubers last week and asked them, in poor English, to “explain … the death rate among the vaccinated with Pfizer is almost 3x higher than the vaccinated by AstraZeneca”.

The influencers were told to publish links on YouTube, Instagram or TikTok to reports in Le Monde, on Reddit and on the Ethical Hacker website about a leaked report containing data that supposedly substantiates the claim.

The article in Le Monde is about data reportedly stolen by Russian hackers from the European Medicines Agency and later published on the Dark Web. It contains no information on mortality rates. The pages on the other two sites have been deleted.

The influencers were asked to tell their subscribers that “the mainstream media ignores this theme”, and to ask: “Why some governments actively purchasing Pfizer vaccine, which is dangerous to the health of the people?”

The brief also included requests to “act like you have the passion and interest in this topic”, and to avoid using the words “advertising” or “sponsored” in posts or videos because “the material should be presented as your own independent view”.

Screen shots of the emails were posted on Twitter by Léo Grasset, a popular French science YouTuber with nearly 1.2m subscribers. Grasset said the campaign had a “colossal budget” but that the agency refused to identify its client.

The French investigative news site Numerama also published extracts from the exchanges, including Fazze’s exhortation to “encourage viewers to draw their own conclusions, take care of themselves and their loved ones”.

Mirko Drotschman, a German YouTuber and podcaster with 1.5 million subscribers, also posted a screenshot of an email asking him to take part in an “information campaign” about “a significant number of deaths” after the Pfizer shot.

“Please send us statistics on the age of your subscribers … and how much it would cost,” the mail concluded. The French investigative website Fact&Furious posted a mail describing Fazze’s budget as “considerable” and the fee as “the rate you wish”.

According to LinkedIn, Fazze’s management come from Moscow and have worked for an agency reportedly founded by a Russian entrepreneur.

French media have pointed to the similarities between Fazze’s message and the official Twitter account of Russia’s Sputnik V – a viral vector vaccine like AstraZeneca – which has repeatedly claimed “real world data” shows they are “safer and more efficient” than mRNA vaccines.

An EU study last month accused Russian and Chinese media of “state-sponsored disinformation” aimed at sowing mistrust in western vaccines by sensationalising safety concerns, making “unfounded links between shots and deaths in Europe”, and promoting Russian and Chinese vaccines as superior.

 

The Finer Details of the DarkSide, Hackers of the Colonial Pipeline

Posted on by

Primer: Five months before DarkSide attacked the Colonial pipeline, two researchers discovered a way to rescue its ransomware victims. Then an antivirus company’s announcement alerted the hackers.

Colonial Pipeline hack is latest example of cybersecurity ...

Related reading

On January 11, antivirus company Bitdefender said it was “happy to announce” a startling breakthrough. It had found a flaw in the ransomware that a gang known as DarkSide was using to freeze computer networks of dozens of businesses in the US and Europe. Companies facing demands from DarkSide could download a free tool from Bitdefender and avoid paying millions of dollars in ransom to the hackers.

But Bitdefender wasn’t the first to identify this flaw. Two other researchers, Fabian Wosar and Michael Gillespie, had noticed it the month before and had begun discreetly looking for victims to help. By publicizing its tool, Bitdefender alerted DarkSide to the lapse, which involved reusing the same digital keys to lock and unlock multiple victims. The next day, DarkSide declared that it had repaired the problem, and that “new companies have nothing to hope for.”

“Special thanks to BitDefender for helping fix our issues,” DarkSide said. “This will make us even better.”

DarkSide soon proved it wasn’t bluffing, unleashing a string of attacks. This month, it paralyzed the Colonial Pipeline Co., prompting a shutdown of the 5,500-mile pipeline that carries 45% of the fuel used on the East Coast—quickly followed by a rise in gasoline prices, panic buying of gas across the Southeast, and closures of thousands of gas stations. Absent Bitdefender’s announcement, it’s possible that the crisis might have been contained, and that Colonial might have quietly restored its system with Wosar and Gillespie’s decryption tool.

Instead, Colonial paid DarkSide $4.4 million in Bitcoin for a key to unlock its files. “I will admit that I wasn’t comfortable seeing money go out the door to people like this,” CEO Joseph Blount told the Wall Street Journal.

The missed opportunity was part of a broader pattern of botched or half-hearted responses to the growing menace of ransomware, which during the pandemic has disabled businesses, schools, hospitals, and government agencies across the country. The incident also shows how antivirus companies eager to make a name for themselves sometimes violate one of the cardinal rules of the cat-and-mouse game of cyberwarfare: Don’t let your opponents know what you’ve figured out. During World War II, when the British secret service learned from decrypted communications that the Gestapo was planning to abduct and murder a valuable double agent, Johnny Jebsen, his handler wasn’t allowed to warn him for fear of cluing in the enemy that its cipher had been cracked. Today, ransomware hunters like Wosar and Gillespie try to prolong the attackers’ ignorance, even at the cost of contacting fewer victims. Sooner or later, as payments drop off, the cybercriminals realize that something has gone wrong.

Whether to tout a decryption tool is a “calculated decision,” said Rob McLeod, senior director of the threat response unit for cybersecurity firm eSentire. From the marketing perspective, “You are singing that song from the rooftops about how you have come up with a security solution that will decrypt a victim’s data. And then the security researcher angle says, ‘Don’t disclose any information here. Keep the ransomware bugs that we’ve found that allow us to decode the data secret, so as not to notify the threat actors.’”

In a post on the dark web, DarkSide thanked Bitdefender for identifying a flaw in the gang’s ransomware. (Highlight added by ProPublica.)

Wosar said that publicly releasing tools, as Bitdefender did, has become riskier as ransoms have soared and the gangs have grown wealthier and more technically adept. In the early days of ransomware, when hackers froze home computers for a few hundred dollars, they often couldn’t determine how their code was broken unless the flaw was specifically pointed out to them.

Today, the creators of ransomware “have access to reverse engineers and penetration testers who are very very capable,” he said. “That’s how they gain entrance to these oftentimes highly secured networks in the first place. They download the decryptor, they disassemble it, they reverse-engineer it, and they figure out exactly why we were able to decrypt their files. And 24 hours later, the whole thing is fixed. Bitdefender should have known better.”

It wasn’t the first time Bitdefender trumpeted a solution that Wosar or Gillespie had beaten it to. Gillespie had broken the code of a ransomware strain called GoGoogle, and was helping victims without any fanfare, when Bitdefender released a decryption tool in May 2020. Other companies have also announced breakthroughs publicly, Wosar and Gillespie said.

“People are desperate for a news mention, and big security companies don’t care about victims,” Wosar said.

Bogdan Botezatu, director of threat research at Bucharest, Romania–based Bitdefender, said the company wasn’t aware of the earlier success in unlocking files infected by DarkSide.

Regardless, he said, Bitdefender decided to publish its tool “because most victims who fall for ransomware do not have the right connection with ransomware support groups and won’t know where to ask for help unless they can learn about the existence of tools from media reports or with a simple search.”

Bitdefender has provided free technical support to more than a dozen DarkSide victims, and “we believe many others have successfully used the tool without our intervention,” Botezatu said. Over the years, Bitdefender has helped individuals and businesses avoid paying more than $100 million in ransom, he said.

Bitdefender recognized that DarkSide might correct the flaw, Botezatu said: “We are well aware that attackers are agile and adapt to our decryptors.” But DarkSide might have “spotted the issue” anyway. “We don’t believe in ransomware decryptors made silently available. Attackers will learn about their existence by impersonating home users or companies in need, while the vast majority of victims will have no idea that they can get their data back for free.”

The attack on Colonial Pipeline, and the ensuing chaos at the gas pumps throughout the Southeast, appears to have spurred the federal government to be more vigilant. President Joe Biden issued an executive order to improve cybersecurity and create a blueprint for a federal response to cyberattacks. DarkSide said it was shutting down under US pressure, although ransomware crews have often disbanded to avoid scrutiny and then re-formed under new names, or their members have launched or joined other groups.

“As sophisticated as they are, these guys will pop up again, and they’ll be that much smarter,” said Aaron Tantleff, a Chicago cybersecurity attorney who has consulted with 10 companies attacked by DarkSide. “They’ll come back with a vengeance.”

At least until now, private researchers and companies have often been more effective than the government in fighting ransomware. Last October, Microsoft disrupted the infrastructure of Trickbot, a network of more than 1 million infected computers that disseminated the notorious Ryuk strain of ransomware, by disabling its servers and communications. That month, ProtonMail, the Swiss-based email service, shut down 20,000 Ryuk-related accounts.

Wosar and Gillespie, who belong to a worldwide volunteer group called the Ransomware Hunting Team, have cracked more than 300 major ransomware strains and variants, saving an estimated 4 million victims from paying billions of dollars.

By contrast, the FBI rarely decrypts ransomware or arrests the attackers, who are typically based in countries like Russia or Iran that lack extradition agreements with the US. DarkSide, for instance, is believed to operate out of Russia. Far more victims seek help from the Hunting Team, through websites maintained by its members, than from the FBI.

The US Secret Service also investigates ransomware, which falls under its purview of combating financial crimes. But, especially in election years, it sometimes rotates agents off cyber assignments to carry out its better-known mission of protecting presidents, vice presidents, major-party candidates, and their families. European law enforcement, especially the Dutch National Police, has been more successful than the US in arresting attackers and seizing servers.

Similarly, the US government has made only modest headway in pushing private industry, including pipeline companies, to strengthen cybersecurity defenses. Cybersecurity oversight is divided among an alphabet soup of agencies, hampering coordination. The Department of Homeland Security conducts “vulnerability assessments” for critical infrastructure, which includes pipelines.

It reviewed Colonial Pipeline in around 2013 as part of a study of places where a cyberattack might cause a catastrophe. The pipeline was deemed resilient, meaning that it could recover quickly, according to a former DHS official. The department did not respond to questions about any subsequent reviews.

Five years later, DHS created a pipeline cybersecurity initiative to identify weaknesses in pipeline computer systems and recommend strategies to address them. Participation is voluntary, and a person familiar with the initiative said that it is more useful for smaller companies with limited in-house IT expertise than for big ones like Colonial. The National Risk Management Center, which oversees the initiative, also grapples with other thorny issues such as election security.

Ransomware has skyrocketed since 2012, when the advent of Bitcoin made it hard to track or block payments. The criminals’ tactics have evolved from indiscriminate “spray and pray” campaigns seeking a few hundred dollars apiece to targeting specific businesses, government agencies and nonprofit groups with multimillion-dollar demands.

Attacks on energy businesses in particular have increased during the pandemic—not just in the US but in Canada, Latin America, and Europe. As the companies allowed employees to work from home, they relaxed some security controls, McLeod said.

Continue reading here.

Chinese Operations Expanding Businesses in America

Posted on by

Even after more than a year of the China virus, why is no one saying NO?

Let’s begin in California shall we?

Chinese autonomous vehicle startup Pony.ai has received a permit from California’s Department of Motor Vehicles to test its driverless cars without human safety drivers behind the wheel on specified streets in three cities.

China’s Robocars Are Way Behind Their U.S. Counterparts Getty Images

Pony has been authorized to test autonomous vehicles with safety drivers in California since 2017, but the new permit will let it test six autonomous vehicles without safety drivers on specific streets in Fremont, Alameda County; Milpitas, Santa Clara County; and Irvine, Orange County. According to the DMV, the vehicles are designed to be driven on roads with speed limits of 45 miles per hour or less, in clear weather and light precipitation. The first testing will be in Fremont and Milpitas on weekdays between 10AM and 3PM.

A total of 55 companies have active permits to test driverless vehicles in California according to the DMV, but Pony is only the eighth company to receive a driverless testing permit, joining fellow Chinese companies AutoX, Baidu, and WeRide, along with US companies Cruise, Nuro, Waymo, and Zoox. Nuro is the only company so far to receive a deployment permit that allows it to operate its autonomous vehicles in California commercially.

Pony.ai, which is based in Guangzhou and Silicon Valley, was valued at $3 billion after a $400 million investment from Toyota last year. The company said earlier this month its robotaxis will be ready for customers in 2023. Pony claims it’s the first company to launch autonomous ride-hailing and provide self-driving car rides to the general public in China.

***

More than 100 American cities, towns and counties have purchased surveillance systems made in China that the U.S. government has restricted for use by its own agencies, according to a new study.

Critics say China’s ruling Commnist Party has used the system to crush dissent at home and repress minorities.

Thermal-imaging and video technology from companies Dahua and Hikvision cost municipalities many thousands of dollars, according to the new report from IPVM, video surveillance researchers, and TechCrunch, a tech-focused publication.

China has allegedly relied on Hikvision and Dahua to surveil the Uyghur Muslim minority population in China. Dahua denies that its technology targets ethnic groups and also has rejected allegations of impropriety it says were implied in the 2019 defense authorization law.

The FY 2019 National Defense Authorization Act prohibited the use of Hikvision and Dahua by federal agencies for public safety, security and surveillance purposes. The study found that local governments did not stop purchasing the technology even after it was effectively banned at the federal level.

“The biggest spender, according to data and as previously reported by IPVM, showed that the Board of Education in Fayette County, Georgia, spent $490,000 in August 2020 on dozens of Hikvision thermal cameras, used for temperature checks at public schools,” wrote TechCrunch’s Zack Whittaker.

Hikvision created a map of where the technology was purchased in the U.S. since 2015 and reported that Dahua and Hikvision technology sales to U.S. government entities rose 80% between 2019 and 2020 because of its fever-camera sales.

CNA Financial reportedly paid $40 million due to Ransomware Demand

Posted on by

CNA is the seventh largest commercial insurer in the United States as of 2018. CNA provides property and casualty insurance products and services for businesses and professionals in the U.S., Canada, Europe and Asia.

CNA itself is 90% owned by a holding company, Loews Corporation. This holding company also has interests in offshore oil and gas drilling rigs, natural gas transmission pipelines, oil and gas exploration, hotel operations and package manufacturing.

CNA Financial Corporation – Jenkins MBA Careers | Poole College of Management | NC State University

CNA Financial, one of the largest US insurance companies, paid $40 million to free itself from a ransomware attack that occurred in March, according to a report from Bloomberg. The hackers reportedly demanded $60 million when negotiations started about a week after some of CNA’s systems were encrypted, and the insurance company paid the lower sum a week later.

If the $40 million figure is accurate, CNA’s payout would rank as one of the highest ransomware payouts that we know about, though that’s not for lack of trying by hackers: both Apple and Acer had data that was compromised in separate $50 million ransomware demands earlier this year. It also seems like the hackers are looking for bigger payouts: just this week we saw reports that Colonial Pipeline paid a $4.4 million ransom to hackers. While that number isn’t as staggering as the demands made to CNA, it’s still much higher than the estimated average enterprise ransomware demand in 2020.

Law enforcement agencies recommend against paying ransoms, saying that payouts will encourage hackers to keep asking for higher and higher sums. For its part, CNA told Bloomberg that it wouldn’t comment on the ransom, but that it had “followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter.” In an update from May 12, CNA says that it believes its policyholders’ data were unaffected.

According to Bloomberg, the ransomware that locked CNA’s systems was Phoenix Locker, a derivative of another piece of malware called Hades. Hades was allegedly created by a Russian group with the Mr. Robot-esque name Evil Corp.

***

Ransomware Attack Payment

Ransomware attack payments are rarely disclosed. According to Palo Alto Networks, the average payment in 2020 was $312,493, and it is a 171% increase from the payments that companies made in 2019.

The $40 million payment made by CNA Financial is bigger than any previously disclosed payments to hackers, The Verge reported.

Disclosure of the payment is likely to draw the ire of lawmakers and regulators that are already unhappy that companies from the United States are making large payouts to criminal hackers who, over the last year, have targeted hospitals, drug makers, police forces, and other entities that are critical to public safety.

The FBI discourage organizations from paying ransom because it encourages additional attacks and does not guarantee that data will be returned.

Ransomware is a type of malware that encrypts the data of the victim. Cybercriminals using ransomware usually steal the data too. The hackers, then, ask for a payment to unlock the files and promise not to leak stolen data. In recent years, hackers have been targeting victims with cyber insurance policies and huge volumes of sensitive consumer data that make them more likely to pay a ransom.

Last year was a banner year for ransomware groups, with security experts and law enforcement agencies estimating that victims paid about $350 million in ransom. The cybercriminals took advantage of the pandemic, a time when hospitals, medical companies, and insurance companies were the busiest.

As per Bloomberg’s report, CNA Financial initially ignored the hackers’ demands while pursuing options to recover their files without engaging with the criminals. However, within a week, the company decided to start negotiations with the hackers, who were demanding $60 million.

Payment was made a week later. source

CNA notifying cyberattack

Source

The ransomware cyberattack interrupted the company’s employee and customer services for three days as the firm closed down “out of an abundance of caution” to prevent further damage. Certain CNA systems were impacted, including corporate email.