Iran’s Cyber Forces under IRGC Target Dissenters/Enemies

NIN is not Nine Inch Nails but rather the Supreme Leader’s tightly controlled internet platform known as the National Internet Network. It operates somewhat like a fee-based system: those who can afford to pay more for access and usage get the best speed and less government oversight. The poorer class and the dissenters are controlled by the regime and are not only vulnerable to throttling of service but are also subject to phishing operations, hacks and DDoS outages, all at the direction of the regime.


It almost sounds like a marriage of Google, Facebook and the NSA, right? Well, it is.

The NIN can filter key words and phrases and send users only to the sites it has approved, according to the CHRI report. The government has also limited access to thousands of sites and platforms, including Facebook and YouTube. It is attempting to replace search engines like Google with its own state-approved versions.

Iran has also been able to influence how people use the internet through pricing. While there are private internet service providers (ISPs), they are still under government control, allowing state-run infrastructure companies to set up a tiered plan where access to international internet sites costs more than domestic. This drives traffic away from the global internet and to the NIN.

It’s not just internet censorship that Iranians are facing. The report also highlights state-sponsored cyberattacks and phishing schemes. State security agencies like the Islamic Revolutionary Guard Corps, a branch of the armed forces meant to protect the Islamic system, have hacked into individual and private online communications and arrested people on the basis of their content, which is technically illegal under Iranian law.

DDoS attacks, which aim to make specific websites unavailable or limit access to information by flooding them with illegitimate traffic, have become more prominent during politically sensitive times as well, according to the report. During the election in 2016, reformist and centrist candidates like Gaam-e Dovvom faced multiple attacks. The report said many of these are also internal attacks through the government.

Meanwhile, Iranians are not blind to the extensive surveillance they are facing online. As we’ve reported, many internet users use VPNs and other apps to try to circumvent the censorship. And millions of Iranians have turned to the Toronto-born Psiphon app to use the internet during the protests in December and this month. More here.

***

Tehran has become increasingly adept at conducting cyber espionage and disruptive attacks against opponents at home and abroad, ranging from Iranian civil society organizations to governmental and commercial institutions in Israel, Saudi Arabia, and the United States.

A new report by carnegiendowment.org evaluates Iran’s Cyber threat environment. Just as Iran uses proxies to project its regional power, Tehran often masks its cyber operations using proxies to maintain plausible deniability. Yet such operations can frequently be linked to the country’s security apparatus, namely the Ministry of Intelligence and Islamic Revolutionary Guard Corps.

While Iran does not have a public strategic policy with respect to cyberspace, its history demonstrates a rationale for when and why it will engage in attacks. Iran uses its capabilities in response to domestic and international events. As conflict between Tehran and Washington subsided after the 2015 nuclear deal, so too did the cycle of disruptive attacks. However, Iran’s decision-making process is obscured and its cyber capabilities are not controlled by the presidency, as is evident in cases of intragovernmental hacking.

The report claims that the United States is reliant on an inadequately guarded cyberspace and should anticipate that future conflicts, online or offline, could trigger cyber attacks on U.S. infrastructure. The first priority should be to extend efforts to protect infrastructure and the public, including increased collaboration with regional partners and nongovernmental organizations targeted by Iran. More details here.

The U.S. Army War College recently included this concern: In late 2011, the executive chairman of Google stated, “The Iranians are unusually talented in cyber war for some reason we don’t fully understand.”[3] Stopping a cyber adversary from disrupting activity or stealing intellectual property has been the primary concern of government and private sector organizations, but in the military and intelligence communities, there are other concerns about Iran.

Prior to 2009, much of Iran’s cyber efforts were focused internally on countering government dissidence. The influential Iranian Revolutionary Guard Corps (IRGC) proposed the development of an Iranian Cyber Army in 2005 to combat internal threats. It sought out professional hackers through voluntary means or by using blackmail and threats to boost its ranks. In early March 2012, Supreme Leader of Iran Ayatollah Ali Khamenei publicly announced to state media the creation by decree of a new Supreme Council of Cyberspace charged “to oversee the defense of the Islamic Republic’s computer networks and develop new ways of infiltrating or attacking the computer networks of its enemies.”[7] It included heads of intelligence, militia, security, media chiefs, and the IRGC. It has its own budget and offices along with the power to enact laws. Additionally, the IRGC stated that a secure internal network for high-level command and control called “Basir” (Persian for perceptive) was created to counter outside threats to online activities.[8] However, it is clear from its actions against opposition influences and dissident groups that the regime continues internal censorship and monitoring as well. Furthermore, Reporters Without Borders, in its 2012 annual report of countries that restrict internet access, filter content, and imprison bloggers, “ranked Iran the number one enemy of the Internet…ahead of 11 other countries—including Saudi Arabia, Bahrain, Syria, China, and Belarus.”[9]

In late 2011, Iran invested at least $1 billion in cyber technology, infrastructure, and expertise.[10] In March 2012, the IRGC claimed it had recruited around 120,000 personnel over the past three years to combat “a soft cyber war against Iran.”[11] In early 2013, an IRGC general publicly claimed Iran had the “fourth biggest cyber power among the world’s cyber armies.”[12] Regardless of the numbers, the fact is that Iran’s cyber capability continues to mature. The IRGC has its own Cyber Defense Command, which recruits and trains cyber warriors to spy on dissidents on the internet and spread Iranian government propaganda.[13] The IRGC also now owns and controls Iran’s largest communication company and manages the skilled cyber technicians and specialists of Iran’s Cyber Army, trained to hack into opposition websites and conduct other types of offensive cyber operations. On the law enforcement side, the FETA police (in Persian the name literally means Police of the Space of Creating and Exchanging Information) handle typical internet crimes as well as more opaque enforcement activities such as political and security crimes. There are other Iranian organizations and companies recruited by and/or affiliated with Iran’s cyber capabilities, either knowingly or by loose association. The full summary is here.

SpaceX Zuma Launch Failed, or Did It?

Could this have been a classified payload meant to destroy North Korea’s own spy satellite or its next ICBM launch, or Iran’s or Russia’s, such that the real answers will never be forthcoming, meaning the reported failure is a ploy? Maybe even China’s?

More information here.

Space-Track has cataloged the Zuma payload as USA 280, international designation 2018-001A. Catalog number 43098. No orbit details given. No reentry date given, but for a secret payload it might not be. Implication is Space-Track thinks it completed at least one orbit.

Related reading: Did SpaceX’s secret Zuma mission actually fail?

SpaceX’s latest rocket may have launched successfully, but the mission didn’t end as a win. The Zuma payload it was carrying, a mysterious classified piece of cargo for the U.S. government believed to be a spy satellite, was lost after it failed to separate from the rocket’s second stage; the first stage of the Falcon 9 had separated as planned and returned to Earth.

The WSJ reports, and we’ve confirmed separately, that the payload is thought to have fallen back through the Earth’s atmosphere after reaching space, because of the failure to separate. The failure is one that can happen when cargo doesn’t properly detach as planned, since the second stage is designed to fall back to Earth and burn up in re-entry.

SpaceX had launched as planned on January 7 in its target window, and recovered the first stage of the booster with a landing at its Cape Canaveral facility. Because of the nature of the mission, coverage and information regarding the progress of the rocket and its payload from then on was not disclosed.

The payload, codenamed Zuma, was contracted by the U.S. government to Northrop Grumman for launch, and Northrop selected SpaceX as the launch provider. SpaceX had previously launched the U.S. Air Force’s X-37B spacecraft, and was approved for flying U.S. government payloads with national security missions.

The satellite was likely worth billions, according to the WSJ, which makes this the second billion-dollar plus payload that SpaceX has lost in just over two years; the last was Facebook’s internet satellite, which was destroyed when the Falcon 9 it was supposed to launch on exploded during preflight preparations in September 2016.

This could be a significant setback for SpaceX, since these kinds of contracts can be especially lucrative, and it faces fierce competition from existing launch provider ULA, jointly operated by Boeing and Lockheed Martin.

We’ve reached out to SpaceX and will update if they provide additional comment.

Update – SpaceX provided the following statement regarding the mission, which could suggest the fault lies with something provided by launch partner Northrop Grumman or the payload itself:

“We do not comment on missions of this nature; but as of right now reviews of the data indicate Falcon 9 performed nominally.”

Iran’s Supreme Leader, the Nuclear Deal, Protests and Boeing

“Setad Ejraiye Farmane Hazrate Emam,” or Setad, is the conglomerate that the Supreme Leader, Ayatollah Khamenei, owns exclusively.


Setad was originally sanctioned by the U.S. Treasury in June 2013. The conglomerate “produces billions of dollars in profits for the Iranian regime each year,” said David Cohen, then the Treasury’s under secretary for terrorism and financial intelligence, at a Senate banking committee hearing that year.

Setad, Cohen said at the time, controls “massive off-the-books investments” hidden from the Iranian people and regulators.

All entities sanctioned for being part of the Iranian government are being taken off the SDN list as part of the nuclear deal, also called the Joint Comprehensive Plan of Action (JCPOA), though U.S. persons and entities will still be banned from dealing with them.

In January 2017, a review by Reuters noted that business accords reached since the deal show the Iranian winners so far are mostly companies owned or controlled by the state, including Iran’s Supreme Leader, Ayatollah Ali Khamenei.

Of nearly 110 agreements worth at least $80 billion that have been struck since the deal was reached in July 2015, 90 have been with companies owned or controlled by Iranian state entities, the Reuters analysis shows.

In December of 2017: Treasury Department officials must publish a report chronicling the financial assets of Iran’s top leaders, under a bill that passed the House on Wednesday.

The legislation, which passed 289-135, must still clear the Senate before President Trump can sign it into law. It’s a potential boon to Iranian dissidents against the regime, who stand to gain insight into corruption by top officials.

Related:

Podcast – Upheaval in Iran: Causes and Consequences

Meanwhile, as the protests in Iran against the regime continue, and rightly so, questions arise not only over Senate votes on sanctions but over whether to stay in the Joint Comprehensive Plan of Action, meaning the Iran nuclear deal.


Why is there even a question based on additional facts surfacing in the last year? Well, the left and those that remain with John Kerry and Barack Obama are adding new pressures to stay in the JCPOA. Further, complications arise from those countries that are also part of the deal. They too want the deal sustained.

In a story titled “U.S. security experts back Iran nuclear deal, as Trump faces deadlines,” Reuters reports that a coalition of national security experts want the president to continue the Iran deal. The report claims, without any context, that all of the people who signed a letter in favor of the deal are “national security experts.” Additionally, these “experts” are from an organization called the “National Coalition to Prevent an Iranian Nuclear Weapon.”

It turns out, however, that some of those listed on the document have severe conflicts of interests, none of which were disclosed in the letter.

It also turns out that the National Coalition to Prevent an Iranian Nuclear Weapon is not an actual organization. A Google search of the group turned up nothing before Monday. The group was created this week with the apparent purpose of garnering support for the nuclear deal. None of this is reported in the Reuters article. It is only revealed through the group’s statement provided on The National Interest website.

The outfit’s title also presumes its members are national security hawks, when this is far from the case.

Members of the “National Coalition” include a who’s who of the prominent organizers of the campaign to rally support for the Obama administration’s nuclear deal with Tehran.

Included on the list is Joseph Cirincione, who served as the money man for President Obama’s Iran “echo chamber.” Cirincione has admitted to paying off a “network of 85 organizations and 200 individuals” who were “decisive in the battle for public opinion” over the Iran deal.

Gary Sick, another signee, was one of the chief organizers of the Iran echo chamber. According to the Washington Free Beacon, Sick created an invite-only listserv to distribute pro-Tehran talking points to Obama-friendly journalists and influential figures.

The coalition also includes Ambassador Thomas Pickering, who is a paid lobbyist for Boeing. The aviation company is attempting to secure a multi-billion-dollar jetliner deal with the Iranian regime. If the Iran deal falls through, so does Boeing’s deal.

Paul Pillar, a disgraced former CIA officer who was also on the letter, once drafted talking points arguing that it’s not a big deal if Iran is able to develop a nuclear weapon. “If Iran develops a nuclear weapon, the United States and the West could live with it, without important compromise to U.S. interests,” he wrote, according to Eli Lake of Bloomberg News.

It remains a mystery what President Trump will decide this time around. He has been troubled by Iran’s violent response to countrywide protests. The president has leveraged social media and several executive departments to raise awareness about the plight of Iranian protesters. He has also mulled enacting further sanctions against the regime.

As an aside, there is also pressure from Boeing, which wants to protect its sale agreements for planes to Iran and has offered to ‘finance’ the payments, essentially layaway. Iran is looking for a way to make payments of $44B to both Airbus and Boeing. Hmm... but that Supreme Leader has a major conglomerate, remember?


CDC Planning for a Nuclear Attack

“Join us for this session of Grand Rounds to learn what public health programs have done on a federal, state, and local level to prepare for a nuclear detonation,” urges the CDC email advising people on one of the agency’s mailing lists about the session. “Learn how planning and preparation efforts for a nuclear detonation are similar and different from other emergency response planning efforts.”

The CDC holds grand rounds virtually monthly on topics such as birth defects prevention, diseases spread by ticks, and sodium reduction. A previous grand rounds on radiological and nuclear disaster preparedness was offered in March 2010. More here.


Hawaii has already been preparing and practicing.

Perhaps CNN and MSNBC would do well to report this rather than the constant harangue of Donald Trump… CNN kinda has reported this, but you had to look hard to find it.

Welcome to 2018. It’s been an apocalyptic start to the new year. And according to the US Centers for Disease Control and Prevention, the worst could be yet to come.

The agency wants the American public to get ready for the possibility of a nuclear strike, reports Politico, and it has posted a notice for a Jan. 16 briefing titled “Public Health Response to a Nuclear Detonation.” The session in Atlanta, Georgia will include experts on radiation and disaster preparedness and discuss what federal, state and local governments are doing to prepare.

Over the weekend, a former chairman of the joint chiefs of staff under two presidents said the U.S. is closer to nuclear war with North Korea “than we have ever been.”

While they are meeting, here is a 204-page document for review.

Kinda serious here:

The CDC wants the public to be prepared for nuclear war.

The agency has posted a notice touting a Jan. 16 briefing about the work that federal, state and local governments are doing in case of a possible nuclear strike.

CDC on Friday said that the event has been in the works since last April.

The briefing is part of the agency’s monthly “Grand Rounds” sessions at its Atlanta headquarters. Upcoming briefings are mostly devoted to more conventional public health concerns, such as childhood vaccinations and hepatitis C. More here.

*** Here is a recommendation document by government agencies for review.

While a nuclear detonation is unlikely, it would have devastating results and there would be limited time to take critical protection steps. Despite the fear surrounding such an event, planning and preparation can lessen deaths and illness. For instance, most people don’t realize that sheltering in place for at least 24 hours is crucial to saving lives and reducing exposure to radiation. While federal, state, and local agencies will lead the immediate response efforts, public health will play a key role in responding.

Join us for this session of Grand Rounds to learn what public health programs have done on a federal, state, and local level to prepare for a nuclear detonation. Learn how planning and preparation efforts for a nuclear detonation are similar and different from other emergency response planning efforts.


Singapore IP Address Hacking the Winter Olympics

BBC: Hackers have attempted to steal sensitive data from groups involved with next month’s Winter Olympics, cyber-security firm McAfee said.

The report found malware-infected emails were sent last month to organisations linked to the Pyeongchang Games.

It did not identify those responsible, but said more attacks tied to the upcoming Olympics were likely.

In similar past attacks, hackers tried to obtain passwords and financial data.

‘Casting net wide’

McAfee said a number of groups associated with the Olympics had received malicious emails – including several affiliated with ice hockey.

“The majority of these organisations had some association with the Olympics, either in providing infrastructure or in a supporting role,” the security firm said.

“The attackers appear to be casting a wide net with this campaign.”

The emails were sent from a Singapore IP address and told readers to open a text document in Korean.

McAfee said the hackers were trying to trick recipients into believing the emails had come from South Korea’s National Counter-Terrorism Center – which at the time was in the process of conducting anti-terror drills in the region.

In some cases the hackers used a technique known as steganography, which hides malware inside text and image files.

McAfee echoed recent warnings from University of California researchers to expect more cyber-attacks targeting major sporting events.

“With the upcoming Olympics, we expect to see an increase in cyber attacks using Olympics-related themes,” the security firm said.

It comes as Pyongyang prepares to hold official talks with South Korea for the first time in more than two years.

North Korea accepted an offer to attend the meeting on 9 January that will focus on finding a way for its athletes to attend the Games.

***

The campaign uses a previously unseen form of malware designed to hand control of the victim’s machine over to the attackers. Among those sent the messages are individuals associated with the ice hockey tournament at the Games. The attack has been dubbed ‘Operation PowerShell Olympics’ by the researchers at McAfee Labs, who uncovered it taking place in late December.

Figure: the lure document used in the cyber-attacks targeting the South Korea Winter Olympics (image: McAfee Labs).

During the course of the investigation, researchers discovered a cached Apache server log which showed an IP address from South Korea connecting to the specific URL paths contained in the PowerShell implants, indicating that the intended targets were likely to have been infected.
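As an added example, not McAfee’s or ZDNet’s code, the script below shows how a defender could triage a cached Apache access log the way the investigation above describes: it flags source IPs that requested the URL paths extracted from an implant, and it separates a successful beacon from a scanner’s 404. The log lines, the implant paths and the IP addresses are constructed placeholders, not indicators from the campaign.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access log format; the constructed sample below uses it.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Placeholder URL paths standing in for those extracted from an implant
# (assumption: these are not the real paths from the campaign).
IMPLANT_PATHS = {"/up/hc.php", "/up/hk.php"}

# Constructed sample log: documentation-range IPs plus one malformed line.
SAMPLE_LOG = """\
198.51.100.7 - - [28/Dec/2017:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.45 - - [28/Dec/2017:09:13:17 +0000] "GET /up/hc.php?id=abc HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) WindowsPowerShell/5.1.14393.0"
203.0.113.45 - - [28/Dec/2017:09:18:22 +0000] "POST /up/hk.php HTTP/1.1" 200 17 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) WindowsPowerShell/5.1.14393.0"
198.51.100.9 - - [28/Dec/2017:09:20:05 +0000] "GET /up/hc.php HTTP/1.1" 404 209 "-" "curl/7.55.1"
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # compare the path without its query string
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_beacons(log_text, implant_paths=IMPLANT_PATHS):
    """Group requests for implant paths by source IP.

    Returns {ip: [(timestamp, path, status, from_powershell)]}. The
    from_powershell flag is only a weak hint: PowerShell's default web client
    advertises "WindowsPowerShell/" in its User-Agent, but that is easily changed.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] not in implant_paths:
            continue
        hits[rec["ip"]].append(
            (rec["ts"], rec["path"], int(rec["status"]), "WindowsPowerShell/" in rec["ua"])
        )
    return dict(hits)


def likely_infected(hits):
    """IPs that completed at least one successful (2xx) request to an implant path.

    A 404 from a scanner or researcher poking at the path is not evidence of infection.
    """
    return sorted(ip for ip, events in hits.items()
                  if any(200 <= status < 300 for _, _, status, _ in events))


if __name__ == "__main__":
    beacons = find_beacons(SAMPLE_LOG)
    for ip, events in beacons.items():
        for ts, path, status, ps in events:
            print(f"{ip} {ts:%Y-%m-%d %H:%M:%S} {path} {status} powershell_ua={ps}")
    print("likely infected:", likely_infected(beacons))
```

On the sample data only 203.0.113.45 is reported as likely infected; the 404 from 198.51.100.9 is listed as a hit but not counted as an infection.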

Further investigation revealed the IP address from the PowerShell implant was connected to an anonymous domain provider based in Costa Rica, with the attacker using this domain to link up to the South Korean Ministry of Agriculture and Forestry, parts of whose infrastructure the attacker somehow managed to use to carry out the attack.

Researchers are uncertain how many have been infected by the attack, but the campaign is thought to have targeted a wide range of South Korean organisations in the run up to the Winter Olympics. In similar campaigns in the past, victims were targeted for their passwords and financial information.

The phishing document was created on December 22, but rather than containing macros, it uses OLE (Object Linking and Embedding) streams to carry out the attack. The document was created by the same author, ‘John’, who created the malicious PowerShell script.

However, despite some evidence about how the attacks took place, researchers haven’t been able to identify the perpetrator — but they do note that whoever is behind the campaign must be fluent in the Korean language and the motive is to gather intelligence about organisations involved in the South Korea-hosted Winter Olympics.

“Technical details alone are often not enough to determine attribution. We are able to ascertain that the attackers have been trained in Korean language to ensure that the targets open the attachment, and the objective seems to be to gather information on the planning, direction and infrastructure related to the Olympics,” said Sherstobitoff.

Researchers warn that in the run up to the Winter Olympics, attackers will continue to use the event as a lure to carry out cyber-attacks.

To avoid falling victim to such attacks — including fileless malware distributed as part of Operation PowerShell Olympics — organisations should educate their employees to be mindful of suspicious emails and unexpected attachments. More here from ZDNet.