3 Chinese Nationals Charged with Hacking, Stealing Intellectual Property

Indictment found here.

Wonder if President Trump has called President Xi….The U.S. Treasury should at least sanction Guangzhou Bo Yu Information Technology Company Limited….

Pittsburgh:

The Justice Department on Monday unsealed an indictment against three Chinese nationals in connection with cyberhacks and the alleged theft of intellectual property of three companies, according to US officials briefed on the investigation.

But the Trump administration is stopping short of publicly confronting the Chinese government about its role in the breach. The hacks occurred during both the Obama and Trump administrations.

The charges being brought in Pittsburgh allege that the hackers stole intellectual property from several companies, including Trimble, a maker of navigation systems; Siemens, a German technology company with major operations in the US; and Moody’s Analytics.

US investigators have concluded that the three charged by the US attorney in Pittsburgh were working for a Chinese intelligence contractor, the sources briefed on the investigation say. But missing from court documents filed in the case is any explicit mention that the thefts were state-sponsored.

A 2015 deal between then-President Barack Obama and Chinese President Xi Jinping prohibits the US and China from stealing intellectual property for the purpose of giving advantage to domestic companies.

In recent months some US intelligence agencies have concluded that China is breaking the agreement, sources briefed on the matter say. But there’s debate among intelligence officials about whether there’s sufficient evidence to publicly reveal the Chinese government’s role in the infractions, these people say.

Obama administration officials had touted the Obama-Xi agreement, as well as 2014 Justice Department charges against members of the Chinese People’s Liberation Army for commercial espionage, for reducing some of the Chinese cyberactivity against companies in the US.

But the 2015 Obama-Xi deal was met with skepticism inside the US agencies whose job it is to guard against Chinese cyberactivity targeting US companies. Some now say there was only a brief drop in the number of cyberspying incidents, if at all.

In the waning months of the Obama administration, intelligence officials briefed senior White House officials on information showing that the Chinese cyberattacks were back to levels previously seen, sources familiar with the matter told CNN. Early in the Trump administration, US intelligence officials briefed senior officials, including the President and vice president, as well as advisers Jared Kushner and Steve Bannon. More here.
***

Acting U.S. Attorney for Western Pennsylvania Soo C. Song charged Wu Yingzhuo, Dong Hao and Xia Lei with conspiracy to commit computer fraud and abuse, conspiracy to steal trade secrets, wire fraud and identity theft.

The most serious charge, wire fraud, carries a sentence of up to 20 years in federal prison. Each conspiracy charge has a possible sentence of up to 10 years and the identity theft charge carries a sentence of up to two years.

The indictment alleged that Wu, Dong and Xia worked with Guangzhou Bo Yu Information Technology Company Limited, a Chinese cybersecurity firm in Guangzhou, but used their skills to launch attacks on corporations in the U.S.

Between 2011 and May 2017, the trio stole files containing documents and data pertaining to a new technology under development by Trimble, along with employee usernames and passwords and 407 gigabytes of proprietary data concerning Siemens’ energy, technology and transportation efforts, according to the indictment. The trio gained access to the internal email server at Moody’s Analytics and forwarded all emails sent to an “influential economist” working for the firm, the indictment stated. Those emails contained proprietary and confidential economic analyses, findings and opinions. The economist was not named in the indictment.

A Siemens spokesperson said that the company “rigorously” monitors and protects its infrastructure and continually detects and hunts for breaches. The company did not comment on the alleged breach by the Chinese hackers and declined to comment on internal security measures.

Michael Adler, a spokesman for Moody’s Analytics, said that to the company’s knowledge no confidential consumer data or other personal employee information was exposed in the alleged hack.

“We take information security very seriously and continuously review and enhance our cybersecurity defenses to safeguard the integrity of our data and systems,” Adler wrote in an email to the Tribune-Review.

Trimble, in a statement sent to the Trib, wrote that no client data was breached. The company concluded that the attack had no meaningful impact on its business.

Song, however, said the loss to the companies targeted was considerable.

“The fruit of these cyber intrusions and exfiltration of data represent a staggering amount of dollars and hours lost to the companies,” Song said.

Wu, Dong and Xia used “spearphish” emails to gain access to computers, spread malware to infect networks and covered their tracks by exploiting other computers known as “hop points.”

Hop points allow users to hide their identities and locations by routing themselves through third-party computer networks.

“But there were missteps that led our investigators right to them,” said FBI Special Agent in Charge Bob Johnson of the Pittsburgh office.

Johnson would not elaborate on the missteps the accused hackers took, claiming doing so could jeopardize future investigations.

The U.S. Attorney’s Office led the investigation and was assisted by the FBI’s Pittsburgh Division, the Navy Criminal Investigative Service Cyber Operations Field Office and the Air Force Office of Special Investigations.

AP Blames FBI for Few Warnings on Fancy Bear Hacks

While much of the global hacking reached scandal status in 2015-16, the Russian ‘Fancy Bear’ activity goes back to at least 2008. The FBI is an investigative wing and works in collaboration with foreign intelligence and outside cyber experts. For official warnings to be provided to U.S. government agencies, contractors, media or political operations, the FBI will generally make an official visit to affected entities to gather evidence. The NSA, Cyber Command and the DHS all have cyber experts that track and work to make accurate attributions of the hackers.


The Department of Homeland Security is generally the agency to make official warnings. The Associated Press gathered independent cyber experts to perform an independent study and is ready to blame the FBI for not going far enough in warnings.

When it came to the Clinton presidential campaign hack, the FBI made several attempts to contact officials there and was met with disdain and distrust. The FBI wanted copies of the ‘log-in’ files for evidence and was denied.

In part the AP report states:

“CLOAK-AND-DAGGER”

In the absence of any official warning, some of those contacted by AP brushed off the idea that they were taken in by a foreign power’s intelligence service.

“I don’t open anything I don’t recognize,” said Joseph Barnard, who headed the personnel recovery branch of the Air Force’s Air Combat Command.

That may well be true of Barnard; Secureworks’ data suggests he never clicked the malicious link sent to him in June 2015. But it isn’t true of everyone.

An AP analysis of the data suggests that out of 312 U.S. military and government figures targeted by Fancy Bear, 131 clicked the links sent to them. That could mean that as many as 2 in 5 came perilously close to handing over their passwords.

It’s not clear how many gave up their credentials in the end or what the hackers may have acquired.

Some of those accounts hold emails that go back years, when even many of the retired officials still occupied sensitive posts.

Overwhelmingly, interviewees told AP they kept classified material out of their Gmail inboxes, but intelligence experts said Russian spies could use personal correspondence as a springboard for further hacking, recruitment or even blackmail.

“You start to have information you might be able to leverage against that person,” said Sina Beaghley, a researcher at the RAND Corp. who served on the NSC until 2014.

In the few cases where the FBI did warn targets, they were sometimes left little wiser about what was going on or what to do.

Rob “Butch” Bracknell, a 20-year military veteran who works as a NATO lawyer in Norfolk, Virginia, said an FBI agent visited him about a year ago to examine his emails and warn him that a “foreign actor” was trying to break into his account.

“He was real cloak-and-dagger about it,” Bracknell said. “He came here to my work, wrote in his little notebook and away he went.”

Left to fend for themselves, some targets have been improvising their cybersecurity.

Retired Gen. Roger A. Brady, who was responsible for American nuclear weapons in Europe as part of his past role as commander of the U.S. Air Force there, turned to Apple support this year when he noticed something suspicious on his computer. Hughes, a former DIA head, said he had his hard drive replaced by the “Geek Squad” at a Best Buy in Florida after his machine began behaving strangely. Keller, the former senior spy satellite official, said it was his son who told him his emails had been posted to the web after getting a Google alert in June 2016.

A former U.S. ambassador to Russia, Michael McFaul, who like many others was repeatedly targeted by Fancy Bear but has yet to receive any warning from the FBI, said the lackluster response risked something worse than last year’s parade of leaks.

“Our government needs to be taking greater responsibility to defend its citizens in both the physical and cyber worlds, now, before a cyberattack produces an even more catastrophic outcome than we have already experienced,” McFaul said. Read the full article here.


***

Every organization has a Chief Technology Officer; even a small business has a ‘go-to’ person for issues. To be in denial that there are any vulnerabilities is reckless and dangerous. To assume systems are adequately protected against cyber intrusions is also a dereliction of duty.

Fancy Bear is listed as APT 28. APT=Advanced Persistent Threat.

APT28 made at least two attempts to compromise Eastern European government organizations:

In a late 2013 incident, a FireEye device deployed at an Eastern European Ministry of Foreign Affairs detected APT28 malware in the client’s network.

More recently, in August 2014 APT28 used a lure (Figure 3) about hostilities surrounding a Malaysia Airlines flight downed in Ukraine in a probable attempt to compromise the Polish government. A SOURFACE sample employed in the same Malaysia Airlines lure was referenced by a Polish computer security company in a blog post. The Polish security company indicated that the sample was “sent to the government,” presumably the Polish government, given the company’s locations and visibility.
Additionally:

Other probable APT28 targets that we have identified:
- Norwegian Army (Forsvaret)
- Government of Mexico
- Chilean Military
- Pakistani Navy
- U.S. Defense Contractors
- European Embassy in Iraq
- Special Operations Forces Exhibition (SOFEX) in Jordan
- Defense Attaches in East Asia
- Asia-Pacific Economic Cooperation

There is also NATO, the World Bank and military trade shows. Pure and simple, it is industrial espionage.
MALWARE

Evolves and Maintains Tools for Continued, Long-Term Use
- Uses malware with flexible and lasting platforms
- Constantly evolves malware samples for continued use
- Malware is tailored to specific victims’ environments, and is designed to hamper reverse engineering efforts
- Development in a formal code development environment

Various Data Theft Techniques
- Backdoors using HTTP protocol
- Backdoors using victim mail server
- Local copying to defeat closed/air gapped networks

TARGETING

Georgia and the Caucasus
- Ministry of Internal Affairs
- Ministry of Defense
- Journalist writing on Caucasus issues
- Kavkaz Center

Eastern European Governments & Militaries
- Polish Government
- Hungarian Government
- Ministry of Foreign Affairs in Eastern Europe
- Baltic Host exercises

Security-related Organizations
- NATO
- OSCE
- Defense attaches
- Defense events and exhibitions

RUSSIAN ATTRIBUTES

Russian Language Indicators
- Consistent use of Russian language in malware over a period of six years
- Lure to journalist writing on Caucasus issues suggests APT28 understands both Russian and English

Malware Compile Times Correspond to Work Day in Moscow’s Time Zone
- Consistent among APT28 samples with compile times from 2007 to 2014
- The compile times align with the standard workday in the UTC + 4 time zone, which includes major Russian cities such as Moscow and St. Petersburg
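A worked version of the compile-time heuristic above, added here as an example and not code from the FireEye report or this post: it reads the COFF TimeDateStamp from a PE header, shifts each stamp into every candidate UTC offset, and reports which offsets put the stamps inside a Mon-Fri 09:00-18:00 workday. The sample timestamps and the minimal PE header bytes are constructed for the demonstration; the workday bounds are an assumption.

```python
"""Workday analysis of malware compile timestamps (added example, not from
the FireEye report). Timestamps are trivially forged, so a tight band of
offsets is only a corroborating input to attribution, never proof."""
import struct
from datetime import datetime, timedelta, timezone

WORKDAY_START = 9   # 09:00 local, inclusive (assumed office hours)
WORKDAY_END = 18    # 18:00 local, exclusive


def pe_compile_timestamp(data: bytes) -> int:
    """Read TimeDateStamp (Unix seconds, UTC) from a PE image: e_lfanew at
    0x3C points at 'PE\\0\\0'; the COFF header follows and its timestamp
    sits 8 bytes past the signature."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    (ts,) = struct.unpack_from("<I", data, pe_off + 8)
    return ts


def in_workday(ts_utc: int, utc_offset_hours: int) -> bool:
    """True if the stamp lands Mon-Fri, 09:00-17:59 at the given offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    local = datetime.fromtimestamp(ts_utc, tz)
    return local.weekday() < 5 and WORKDAY_START <= local.hour < WORKDAY_END


def workday_share(timestamps, utc_offset_hours: int) -> float:
    """Fraction of stamps inside the workday for one UTC offset."""
    if not timestamps:
        return 0.0
    hits = sum(in_workday(t, utc_offset_hours) for t in timestamps)
    return hits / len(timestamps)


def consistent_offsets(timestamps, offsets=range(-12, 15)):
    """All offsets (hours) reaching the highest workday share. Several
    neighbouring offsets together mean the data cannot single out one zone."""
    scores = {off: workday_share(timestamps, off) for off in offsets}
    best = max(scores.values())
    return [off for off, s in scores.items() if s == best]


def _stamp_utc4(month, day, hour, minute):
    """Constructed helper: a 2014 date/time expressed at UTC+4 as Unix seconds."""
    tz = timezone(timedelta(hours=4))
    return int(datetime(2014, month, day, hour, minute, tzinfo=tz).timestamp())


# Constructed sample (not real APT28 stamps): ten weekday office-hour stamps
# at UTC+4, spanning 09:05 to 17:50 so that only that offset fits all ten.
SAMPLE_COMPILE_TIMES = [
    _stamp_utc4(8, 4, 9, 5), _stamp_utc4(8, 5, 10, 30), _stamp_utc4(8, 6, 11, 45),
    _stamp_utc4(8, 7, 13, 10), _stamp_utc4(8, 8, 14, 20), _stamp_utc4(8, 11, 15, 35),
    _stamp_utc4(8, 12, 16, 0), _stamp_utc4(8, 13, 17, 50), _stamp_utc4(8, 14, 12, 15),
    _stamp_utc4(8, 15, 9, 40),
]


def minimal_pe_stub(ts: int) -> bytes:
    """Constructed: the smallest layout pe_compile_timestamp() needs (MZ magic,
    e_lfanew, 'PE\\0\\0', Machine, NumberOfSections, TimeDateStamp). It is
    zero-padded and not a loadable executable."""
    hdr = bytearray(0x80 + 24)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)          # e_lfanew -> 0x80
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHI", hdr, 0x84, 0x14C, 1, ts)  # COFF header start
    return bytes(hdr)


if __name__ == "__main__":
    stamps = [pe_compile_timestamp(minimal_pe_stub(t)) for t in SAMPLE_COMPILE_TIMES]
    for off in (-5, 0, 3, 4, 5):
        print(f"UTC{off:+d}: {workday_share(stamps, off):.0%} inside workday")
    print("offsets consistent with a workday:", consistent_offsets(stamps))
```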
FireEye is a non-government, independent cyber firm that has performed and continues to perform cyber investigations and attributions. There are others that do the same. To blame the FBI exclusively for the lack of warnings is unfair.

Hacking conditions were especially common during the Obama administration, and countless hearings have been held on The Hill, while there is still no cyber policy, legislation or real consequence. Remember too, it was the Obama administration that chose to do nothing with regard to Russia’s interference until after the election in November; only in December did Obama expel several Russians who were part of diplomatic operations, and others possibly working under cover, and shutter two dachas and one mission post in San Francisco.

Foreign Agent Registry, in U.S. and Russia for Media

FARA is the most broken system we have when it comes to checks and balances…we can’t begin to determine which foreign media operations in the U.S. are really espionage networks, much less ad agencies or lobbyists. Scary, right? How about foreign students that are operatives, or foreign workers with jobs in government roles or in government contractor positions…we don’t even know what we don’t know….

Senator Chuck Grassley has called for some changes to FARA.

This is getting testier by the day….the United States is requiring RT to register as a foreign agent. Likewise, Moscow is requiring the same…so thinking about WikiLeaks or Fusion GPS, is there enough evidence they should be registered as foreign agents? Sheesh…here is the rub…

Russian Lawmakers: 9 US-Funded News Outlets Could Be Forced to Register as ‘Foreign Agents’

Russia said Thursday it has warned nine United States government-funded news operations they will probably be designated “foreign agents” under new legislation in retaliation to a U.S. demand that Kremlin-supported television station RT register as such in the United States.

The Russian Justice Ministry said Thursday it had notified the Voice of America (VOA), Radio Free Europe/Radio Liberty (RFE/RL) and seven separate regional outlets active in Russia they could be affected.

The ministry published a list of the outlets on its website, including a statement that said the changes were likely to become law “in the near future.”

Expands 2012 law

Russia’s lower house of parliament approved amendments Wednesday to expand a 2012 law that targets non-governmental organizations to include foreign media. A declaration as a foreign agent would require foreign media to regularly disclose their objectives, full details of finances, funding sources and staffing.

Media outlets also may be required to disclose on their social platforms and internet sites visible in Russia that they are “foreign agents.” The amendments also would allow the extrajudicial blocking of websites the Kremlin considers undesirable.

“We can’t say at this time what effect this will have on our news gathering operations within Russia,” said VOA Director Amanda Bennett. “All we can say is that Voice of America is, by law, an independent, unbiased, fact-based news organization, and we remain committed to those principles.”

RFE/RL President Tom Kent said until the legislation becomes law, “we do not know how the Ministry of Justice will use this law in the context of our work.”

No access to cable in Russia

Kent said unlike Sputnik and other Russian media operating in the U.S., U.S. media outlets operating in Russia do not have access to cable television and radio frequencies.

“Russian media in the U.S. are distributing their programs on American cable television. Sputnik has its own radio frequency in Washington. This means that even at the moment there is no equality,” he said.

The speaker of Russia’s lower house, the Duma, said Tuesday that foreign-funded media outlets that refused to register as foreign agents under the proposed legislation would be prohibited from operating in the country.

However, since the law’s language is so broad, it potentially could be used to target any foreign media group, especially if it is in conflict with the Kremlin. Comparatively, the U.S. law targets only state-funded groups. The privately owned American television channel CNN and the German public broadcaster Deutsche Welle also have been mentioned as potential targets.

The amendments, which Amnesty International said would inflict a “serious blow” to media freedom in Russia if they become law, were approved in response to a U.S. accusation that RT executed a Russian-mandated influence campaign on U.S. citizens during the 2016 presidential election, a charge the television channel denies.

Putin has last word

The amendments must next be approved by the Russian Senate and then signed into law by President Vladimir Putin.

RT, which is funded by the Kremlin to provide Russia’s perspective on global issues, confirmed Monday it met the Justice Department’s deadline by registering as a foreign agent in the U.S.

The United States considers RT a propaganda arm of Russia, and told it to register its foreign operation under the Foreign Agents Registration Act aimed at attorneys and lobbyists representing political interests.

Former KGB Officer Hired for US Embassy Moscow Security


Added: Oct 27, 2017 1:51 pm

Local Guard Services for US Mission Russia. Contract was awarded in accordance with FAR 6.302-2, Unusual and compelling urgency.

Contract is in accordance with 52.216-25 CONTRACT DEFINITIZATION.

The 4 page contract is here, it appears it was an emergency choice and hire.
Are there any people left in the contract office that have any brains? Is there anyone at the State Department providing guidance or final approvals with brains?

US embassy hires security firm of former Russian spy who worked with Putin

The US embassy in Moscow is to be guarded by a company owned by a former head of KGB counter-intelligence who worked with British double agent Kim Philby and young Vladimir Putin, after cuts to US staff demanded by Russia.

Elite Security Holdings was awarded a $2.83 million contract to provide “local guard services for US mission Russia,” which includes the Moscow embassy and consulates in St Petersburg, Yekaterinburg and Vladivostok, according to a post on a US state procurement website.

The contract and background of the firm came to light in a Kommersant newspaper report on Friday.

Elite Security, a private company and the oldest part of the eponymous holding, was founded in 1997 by Viktor Budanov and his son Dmitry, according to a Russian business registry.

A 2002 article posted on the site of Russia’s foreign intelligence service identified Mr Budanov as a major general in the agency who became a Soviet spy in 1966 and retired a year after the collapse of the USSR.

His long work in Soviet and Russian intelligence could raise questions about whether the guard services contract poses a security or intelligence risk to the US mission.

The US embassy referred The Telegraph to the state department, which did not respond to requests for comment.

Moscow forced Washington to cut its diplomatic staff in Russia from more than 1,200 to 455 in response to sanctions adopted against Russia in August.

Before his work in foreign intelligence Mr Budanov was the director of the KGB’s counter-intelligence division, he has told Russian media.

He also was head of the KGB branch in East Germany in the late 1980s, where a young Mr Putin served under him. In a 2007 interview, Mr Budanov lamented the collapse of the USSR, praised Mr Putin’s leadership and warned that Russia “can’t constantly act as (the Americans) want” or it would be destroyed.

He has also said he worked with Britain’s most infamous Soviet double agent after Philby defected to the USSR in 1963 and was once a guest at a private lunch given in Philby’s honour by Yury Andropov, the KGB head who became leader of the Soviet Union.

In the 1990s, Mr Budanov became acquainted with high-level US intelligence officials while providing business intelligence and security to foreign companies.

He formed a joint venture with the former assistant director of the National Security Agency and said in 2007 he personally knew the head of security at the US embassy in Moscow.

International Risk and Information Services, a company Mr Budanov founded in 1992 that later became part of Elite Security Holdings, says on its website it employs staff with experience in “state security organs”.

In testimony before a UK court in 1993, Oleg Gordievsky, a KGB bureau chief in London who became a British agent, said ​Mr Budanov had drugged and interrogated him after he was recalled to Moscow under suspicion.

Mr Budanov also handled sensitive operations like teaching Bulgarian agents how to use a poisonous umbrella to kill dissidents, Mr Gordievsky said.

Drug Cartels Upped the Game with Weaponized Drones


Police in Mexico pulled over four men in a pickup truck near the city of Salamanca in Guanajuato state on October 20 and got a nasty surprise. Along with an AK-47 assault rifle, the men had in their possession an unmanned aerial vehicle fitted with a “large explosive device” and a remote detonator.

That’s right: a weaponized drone.

Police didn’t say whether they suspected the men of ties to drug cartels. But Guanajuato is currently contested by several drug gangs, including the Sinaloa cartel, Los Zetas, and Cártel Jalisco Nueva Generación, or CJNG, according to Dr. Robert Bunker, a fellow with Small Wars Journal, a military trade publication.

ISIS set up factories in Iraq and Syria to modify mortar bombs—basically, small artillery shells—to fit on small drones. During intensive fighting in the Iraqi city of Mosul in February, ISIS’s drones were “the main problem” for coalition troops, Captain Ali, an Iraqi officer, told War Is Boring.

The cartels, for their part, have been using so-called “potato bombs”—hand-grenade-size improvised explosive devices—in attacks on each other and authorities. Bunker said the explosive the police found alongside the drone in Guanajuato is “consistent” with a potato bomb.

The cartels could also draw inspiration from online-retailer Amazon and its delivery drones. “As both Islamic State and Amazon have shown, small drones are an efficient way of carrying a payload to a target,” said Nick Waters, a former British Army officer and independent drone expert. “Whether that payload is your new book or several hundred grams of explosive is up to the sender.”

But don’t panic, Waters and other experts said. Drug cartels were plenty dangerous before they weaponized flying robots. Potato bomb-hauling drones might just give narcos more options for perpetrating crimes they are perfectly capable of pulling off some other way. “Considering their already impressive traditional capability, I think this will probably be another tool rather than a game-changing capability,” Waters said.

You should be “no more worried than you should be by cartels also using machine guns, car bombs, machetes, etc,” Singer said. More here.

New report shows how Mexican cartels are infiltrating Texas

Mexican cartels smuggle more drugs into the U.S. than any other criminal group, the federal Drug Enforcement Administration said in a new report.

The 2017 National Drug Threat Assessment released in October lists six cartels as having major influences across the country and Texas.

Cartels’ influence in Texas is far-reaching, affecting cities hundreds of miles from the state’s border with Mexico.

San Antonio is the only city in the state with a drug trade controlled by the Cartel Jalisco Nueva Generacion, which deals mostly with methamphetamine, cocaine, heroin and marijuana, according to the DEA.

The Gulf Cartel has a hold on cities in Texas’ tip and coastal bend. McAllen, Brownsville, Corpus Christi, Galveston, Houston and Beaumont are impacted most by the Gulf Cartel which mostly brings marijuana and cocaine into the area, according to the DEA. Drugs smuggled through the Gulf Cartel are mostly brought in through the area between the Rio Grande Valley and South Padre Island.

Every week in Houston, a relative of a Gulf Cartel leader receives 100 kilograms of cocaine, according to the DEA.

Moving West, Los Zetas control two cities and the Juarez Cartel has a hold on Alpine, Midland, El Paso and Lubbock.

While the arrests of two Los Zetas leaders has weakened the cartel’s influence on Eagle Pass and Laredo, its presence is still felt because of members who have assumed control, bringing cocaine, heroin, methamphetamine and marijuana into Texas.

The Sinaloa Cartel, formerly run by prison escape artist Joaquin “El Chapo” Guzman, is most found in Dallas, Lubbock and Fort Worth, according to the DEA.

DEA map of Mexican cartels in the US

The FY 2017 OCDETF Program Budget Request comprises 2,975 positions, 2,902 FTE, and $522.135 million in funding for the Interagency Crime and Drug Enforcement (ICDE) Appropriation, to be used for investigative and prosecutorial costs associated with OCDETF cases targeting high-level criminal drug and money laundering networks as well as priority transnational poly-crime organizations whose primary criminal activity may not necessarily be drug-related. Go here to read the full report.