
Cyber-code, Oilrig, Iran hires Russian Hackers

Update and unrelated to OilRig and reported May 18: Russia tried to take over Pentagon Twitter accounts: report

SCMedia: Attacks believed to be Iranian in origin were fended off for more than two weeks in April, but security experts examining the code detected snippets of code from an underground Russian marketplace.

Iranian hackers targeting critical infrastructure

Attacks believed to be Iranian in origin were fended off for more than two weeks in April, but security experts examining the code detected something they’d never seen before: snippets of code bearing similarities to a known Russian toolkit available on the underground Russian marketplace.

The code had previously been used in a damaging cyber-attack on the Ukraine’s infrastructure in 2015.

Carl Wright, general manager and executive vice president of worldwide sales at TrapX Security, the San Mateo, California-based security firm that blocked the hackers last month, told an interviewer it was the first time his firm had detected an attack where hackers based in Iran were collaborating with Russian hackers-for-hire, according to an article in the New York Times.

Wright could not reveal the target of the attack owing to a confidentiality arrangement. But other security experts said the attackers could have purchased the Russian toolkit from an online forum and customised it for their campaign.

This hypothesis is countered by TrapX researchers, however, who noted that a number of “web domains used in the attack had been registered to a Russian alias, and that three email addresses continue to be used by a hacker in Russian hacking forums and in the underground web.”

The Iranian attackers behind the latest campaign, dubbed OilRig for their previous attacks on oil companies in Saudi Arabia and Israel, have been expanding their geographical range with hundreds of new attacks targeting a number of military, financial and energy companies in Europe as well as the United States, the Times reported.

Nearly three-quarters of the code employed in the latest campaign was previously used by OilRig in hundreds of attacks on other enterprises, including government agencies and oil companies.

But, as the defences of the newest target became more robust and the attackers evolved their tactics, the security researchers noted new weapons in their arsenal: a typical hacker’s kit, used to siphon out data, such as to steal usernames and passwords; but, more revealing, a tool never before detected in an OilRig campaign.

This was obfuscated with encryption to evade security investigators. After weeks spent decrypting the code, the researchers at TrapX determined that besides code similar to that used by OilRig in prior attacks, the bad actors were employing malware called BlackEnergy, also used previously, specifically by the Russian hackers who attacked the Ukraine power grid. Further, data was being transferred from the target to a server also used in the Ukraine attack.

TrapX lured the miscreants to inject their malware onto a server, which was then analysed by the TrapX team who were able to then shut the attackers out of their client’s system.


*** There is more:

Iranian hackers who previously targeted organizations in Saudi Arabia are now targeting organizations in other countries, including the US, as part of a campaign identified as the OilRig campaign.

In addition to expanding its reach, the group has been enhancing its malware tools.

Researchers at Palo Alto Networks have been monitoring the group for some time and have reported observing attacks launched by a threat actor against financial institutions and technology companies in Saudi Arabia and on the Saudi defense industry. This campaign, referred to as “OilRig” by Palo Alto Networks, entails weaponized Microsoft Excel spreadsheets tracked as “Clayslide” and a backdoor called “Helminth.” More here.
More: Last month

The Israeli Cyber Defense Authority yesterday announced that it believes Iran was behind a series of targeted attacks against some 250 individuals between April 19 and 24 in government agencies, high-tech companies, medical organizations, and educational institutions including the renowned Ben-Gurion University. The attackers – whom security experts say are members of the so-called OilRig aka Helix Kitten aka NewsBeef nation-state hacking group in Iran — used stolen email accounts from Ben-Gurion to send their payload to victims.

“This is the largest and most sophisticated attack they’ve [OilRig] ever performed,” says Michael Gorelik, vice president of R&D for Morphisec, who studied the attacks and confirms that the final stage was thwarted for the most part. “It was a major information-gathering [operation],” he says.

OilRig has been rapidly maturing since it kicked off operations around 2015. The attack campaign against Israeli targets employed the just-patched Microsoft CVE-2017-0199 remote code execution vulnerability in the Windows Object Linking and Embedding (OLE) application programming interface. This flaw had been weaponized in attacks prior to the patch, including Dridex banking Trojan and botnet attacks, and in at least one other cyber espionage campaign.

Forbes has more on corporate and individual hack operations in the United States by OilRig including other countries.

Turkey Evicting U.S. from Base Incirlik, Turkey?


Incirlik Air Base, NATO

Primer: Last year with the attempted coup and the declining relationship between the United States and Turkey, a report to Congress weighed the alternatives to stationing nuclear weapons at Incirlik. Moving the warheads could possibly encourage Russia to cooperate more and possibly reduce their nuclear stockpile, though nothing guarantees that. More here.

Germany likely to pull troops out of Incirlik air base

The Berlin government is mulling moving its troops out of Turkey’s Incirlik air base after a second snub by Ankara. A German political delegation was denied approval to visit Bundeswehr soldiers at the military facility.

Wolfgang Hellmich, the chairman of the Bundestag Defense Committee, told the German news agency dpa “we’re not going to be blackmailed” by the Ankara government after a second German parliamentary delegation was prevented from visiting Turkey’s Incirlik facility. The air base is being used in the international fightback against so-called “Islamic State” (IS) militants.


A decision on where to move the Tornado units is likely to be made in the next few weeks, with Jordan seen as a favorite, sources from the Bundestag committee said.

New tensions

Turkey’s latest snub follows Germany’s decision to grant asylum to a number of Turkish military officers, who faced persecution following Turkey’s failed coup on July 15 last year, according to dpa.

German Chancellor Angela Merkel called Turkey’s latest move “unfortunate” in remarks to reporters in Berlin earlier in the day.

“The Bundeswehr is a parliamentary army and this makes it absolutely necessary for our lawmakers to have access to our soldiers,” Merkel said.

Turkey refused last year to grant German MPs access to the air base, only relenting in October after months of waiting.

The reason given then was that Germany had recognized the crimes committed by Ottoman Turks against Armenians in 1915 as constituting genocide.

Relations between Turkey and Germany have been in a downward spiral in recent months, with many German lawmakers outraged at what they see as flagrant repression of freedoms during Ankara’s post-coup crackdown. Dozens of journalists have been imprisoned – including the German-Turkish writer Deniz Yucel – and authorities have carried out mass sackings and arrests of public officials.

Ankara was also incensed by Berlin’s refusal to allow Turkish ministers permission to attend political rallies aimed at Turkish voters living in Germany in support of a referendum granting President Recep Tayyip Erdogan greatly extended powers. Many observers see Erdogan’s referendum success as a further step toward establishing an autocracy in Turkey.

Bundeswehr is key partner

Germany currently has several Tornado surveillance aircraft and a refueling plane deployed at the Incirlik military base in southwestern Turkey. The jets are part of the international coalition carrying out aerial attacks on IS positions in Iraq and Syria. Some 260 German military personnel are stationed there.


Meanwhile,

WASHINGTON (AP) — President Donald Trump will hold his first face-to-face meeting with Turkey’s president Tuesday amid accusations that Trump gave Russian officials classified intelligence from a foreign ally.

Trump and Turkish President Recep Tayyip Erdogan are expected to address the Syrian civil war, refugee crisis and the fight against the Islamic State group, including the U.S. decision to arm Syrian Kurdish fighters despite Turkey’s vehement objections. More here from AP.

*** As such, there is a move to evict the United States from Incirlik due to the matter of the Kurds being in full support by the United States.

WASHINGTON — A prominent Turkish newspaper has demanded the eviction of U.S. troops and warplanes from Incirlik Air Base as fallout there worsens from the Trump administration’s controversial move to arm a Kurdish militia fighting the Islamic State in neighboring Syria.

In a front-page editorial published Friday, the newspaper Sozcu called for Incirlik’s complete closure. It’s an unlikely outcome, military officials and observers say, but a clear sign of how dramatically relations have deteriorated between the NATO allies.  The blustery display of anti-Americanism comes as the U.S.-backed coalition in Syria, which is poised to launch a long-awaited offensive to liberate the ISIS stronghold of Raqqa, faces widespread criticism across the border for its dependence on the YPG. The Kurdish militia force has emerged as America’s most capable proxy there, but Turkey maintains it’s a terrorist organization and has actively targeted the group’s fighters in recent weeks.

The editorial is noteworthy, too, because Sozcu’s coverage has been deeply critical of the Turkish government under President Recep Tayyip Erdogan, who expressed similar outrage when Washington’s new arms deal with the YPG was announced last week and warned that supporting the Kurds would elicit blow-back. Erdogan is likely to vent his frustration to President Donald Trump when the two leaders meet this week at the White House.  Turkey approved the U.S. to fly attack and strike aircraft from Incirlik beginning in 2015, including for close-air support missions conducted by A-10 Thunderbolts. Additionally, the U.S. bases EA-6B Prowlers there, which can jam ISIS communications and improvised explosive detonators, and the KC-135 Stratotankers responsible for aerial refueling.

In May 2016,  aircraft based at Incirlik accounted for nearly one-third of the international coalition’s refueling operations and one-fifth of its close-air support. Today, those numbers are likely much higher as the war’s tempo has intensified.

At the same time, Incirlik has become increasingly less hospitable for the 2,500 U.S. troops assigned there. Citing security concerns, commanders first locked down the base two years ago, prohibiting personnel and their families from venturing beyond its gates. Then, in March 2016, all 700 family members who remained there were ordered to evacuate.   Inside the Pentagon, arming the YPG is seen as a calculated gamble. To facilitate its air campaign against ISIS, the U.S. relies on Incirlik’s proximity to Syria and Iraq — so there is some risk in alienating the Turks. Yet following last summer’s coup attempt, Erdogan remains unpopular among large segments of Turkish society and, despite his rhetoric, most assuredly sees advantages to keeping the U.S. close.

Retired Adm. James Stavridis, NATO’s supreme allied commander from 2009 to 2013, said Turkey is unlikely to close the base to U.S. operations because Ankara benefits significantly from associated economic incentives and intelligence sharing. “Turkey,” he added, “still values the NATO alliance, which brings prestige and a measure of security in a dangerous neighborhood.”

Consider Operation Nomad, which since 2011 has provided Turkey with intelligence gathered by U.S. drones and beamed into joint fusion centers operating out of Ankara and Incirlik. Those feeds have supplied vital information about terrorists’ movement across northern Syria and Iraq, intelligence Turkey is unlikely to surrender.

Officials at U.S. European Command echoed those sentiments. “Turkey closing their base, that would be hard to believe,” said Capt. Daniel Hernandez, a spokesman. Incirlik, he added, is “strategically important to them and the coalition.”

There would be painful political costs, too, said Aaron Stein, an expert on U.S.- Turkish relations at the Atlantic Council, a Washington think tank. “They would be blamed internationally for slowing the war against the Islamic State,” he said.

No, “Turkey has concluded it is better to be on the in than the out,”  Stein added. “At least on the in, you have a say at every coalition meeting.”

 

North Korea and Friends, Cyber War, Nerve Gas and WMD

Hey, look over there –>

WikiLeaks Reveals ‘AfterMidnight’ & ‘Assassin’ CIA Windows Malware Frameworks

When the world was dealing with the threat of the self-spreading WannaCry ransomware, WikiLeaks released a new batch of CIA Vault 7 leaks, detailing two apparent CIA malware frameworks for the Microsoft Windows platform. Dubbed “AfterMidnight” and “Assassin,” both malware programs are designed to monitor and report back actions on the infected remote host computer running the Windows operating system and execute malicious actions specified by the CIA. Since March, WikiLeaks has published hundreds of thousands of documents and secret hacking tools that the group claims came from the US Central Intelligence Agency (CIA). This latest batch is the 8th release in the whistleblowing organization’s ‘Vault 7’ series.

‘AfterMidnight’ Malware Framework

According to a statement from WikiLeaks, ‘AfterMidnight’ allows its operators to dynamically load and execute malicious payload on a target system. The main controller of the malicious payload is disguised as a self-persisting Windows Dynamic-Link Library (DLL) file and executes “Gremlins” – small payloads that remain hidden on the target machine by subverting the functionality of targeted software, surveying the target, or providing services for other gremlins. Once installed on a target machine, AfterMidnight uses an HTTPS-based Listening Post (LP) system called “Octopus” to check for any scheduled events. If one is found, the malware framework downloads and stores all required components before loading all new gremlins in the memory. According to a user guide provided in the latest leak, local storage related to AfterMidnight is encrypted with a key which is not stored on the target machine. A special payload, called “AlphaGremlin,” contains a custom script language which even allows operators to schedule custom tasks to be executed on the targeted system. More detail here.

Meanwhile….

North Korean hacking group is thought to be behind cyber attack which wreaked havoc across the globe
  • Technical clues suggest North Korean hacking group is behind cyber attack
  • Ransomware left the NHS crippled with operations cancelled over the weekend
  • The virus is now thought to have been released by the Lazarus Group
  • It has already been blamed for a string of hacks dating back to at least 2009
  • It includes the 2014 attack on Sony that left its network offline for weeks

Okay maybe….while other IT cyber professionals point to Russian thug hackers….

Rex Tillerson last month spoke about a quasi red line with North Korea….when is enough, enough? Well his answer was, ‘we will know it when we see it’.

Nonetheless, what more needs to be known about North Korea that the media is not reporting? Plenty…..

‘Unrestricted Warfare’ (超限战, literally “warfare beyond bounds”) is a book on military strategy written in 1999 by two colonels in the People’s Liberation Army, Qiao Liang (乔良) and Wang Xiangsui (王湘穗). Its primary concern is how a nation such as China can defeat a technologically superior opponent (such as the United States) through a variety of means. Rather than focusing on direct military confrontation, this book instead examines a variety of other means. Such means include using International Law (see Lawfare) and a variety of economic means to place one’s opponent in a bad position and circumvent the need for direct military action.[1]  Go here for more information.

This already tells us and the Pentagon, to not trust China….right? So how can we place trust and the burden of dealing with North Korea on Beijing? We can’t.

The RGB is the KGB….

The RGB is the North Korean Reconnaissance General Bureau….much like that of the KGB, now in Russia known as the FSB.

In 2015, North Korean spies infiltrated the United Nations agencies including the World Food Program which is a major supplier of food aid to North Korea. Somehow, the Obama White House and other government agencies neglected to take real action on that or even earnestly report it. Prior to that little event, in 2010, the U.S. Treasury via an Obama Executive Order targeted North Korea for proliferation and other illicit activities including arms trafficking, money laundering and smuggling narcotics.

Barack Obama, simply annexed a GW Bush Executive Order adding a few new items noted below:

President Obama also identified the following entities and individual for sanctions by listing them on the Annex to the Order:

  • The Reconnaissance General Bureau (RGB), North Korea’s premiere intelligence organization involved in North Korea’s conventional arms trade;
  • RGB commander Lieutenant General Kim Yong Chol;
  • Green Pine Associated Corporation, a North Korean conventional arms dealer subordinated to the control of the RGB; and
  • Office 39 of the Korean Workers’ Party, which provides critical support to North Korean leadership in part through engaging in illicit economic activities and managing the leadership’s slush funds.

The U.S. government has longstanding concerns regarding North Korea’s involvement in a range of illicit activities conducted through government agencies and associated front companies. North Korea’s nuclear and missile proliferation activity and other illicit conduct violate UN Security Council Resolutions 1718 and 1874, and these activities and their other illicit conduct violate international norms and destabilize the Korean Peninsula and the entire region. In signing this Order, President Obama has frozen the property and interests in property of the three entities and one individual listed on the Annex. This Order provides the United States with new tools to disrupt illicit economic activity conducted by North Korea.

As a matter of note, in recent days, Russia has stepped in to offer some diplomatic assistance dealing with North Korea as it appears China is dragging the diplomatic and political anchor dealing with the DPRK. Ah Russia again right? The in-depth study is here on North Korea. It includes history, terror attacks, cyber attacks, assassination attempts, raids and details on unrestricted warfare.

Just for some context, Russia and China have been aiding North Korea for decades…..but has the media done their work to expose this or the State Department? Nope…


You see, General O Kuk ryol and Kim Jong Un both manage Unit 121. Unit 121, is part of the RGB and did the Sony hack, remember that? Well General O, is a graduate of the Mangyongdae Revolutionary School and the Kim Il sung University….but most importantly, he graduated also from Frunze Military Academy in 1962….where is that? Ah….Moscow, and at the time, it was the Soviet Union.

Frunze Military Academy in Devichie pole, Moscow

Strategy: Integrate their cyber forces into an overall battle strategy as part of a combined arms campaign. Additionally they wish to use cyber weapons as a limited non-war time method to project their power and influence.

Experience: Hacked into South Korea and caused substantial damage; hacked into the U.S. Defense Department Systems. More here.

Meanwhile, we also have the Korea Computer Center…there are 9 production facilities and 11 regional centers. However, the KCC also has offices in China, Germany and Syria. Further, it should be noted that an estimated 10,000 North Korean IT developers operate in China, where it is common that $500.00 of their monthly salary goes back to the North Korean state.

So, we have Syria, Russia, China all colluding with North Korea….Iran is as well but the United Nations too? Yup…

FNC: For more than a year, a United Nations agency in Geneva has been helping North Korea prepare an international patent application for production of sodium cyanide — a chemical used to make the nerve gas Tabun — which has been on a list of materials banned from shipment to that country by the U.N. Security Council since 2006.

The World Intellectual Property Organization, or WIPO, has made no mention of the application to the Security Council committee monitoring North Korea sanctions, nor to the U.N. Panel of Experts that reports sanctions violations to the committee, even while concerns about North Korean weapons of mass destruction, and the willingness to use them,  have been on a steep upward spiral.

Fox News told both U.N. bodies of the patent application for the first time late last week, after examining the application file on a publicly available WIPO internal website.

Information on the website indicates that North Korea started the international patent process on Nov. 1, 2015 — about two months before its fourth illegal nuclear test. The most recent document on the website is a “status report,” dated May 14, 2017 (and replacing a previous status report of May 8), declaring the North Korean applicants’ fitness “to apply for and be granted a patent.”


During all that time, however, the U.N.’s Panel  of Experts on North Korea “has no record of any communication from WIPO to the Committee or the Panel regarding such a serious patent application,” said Hugh Griffiths, coordinator of the international U.N. expert team, in response to a Fox News question.

The Panel of Experts has now officially “opened an investigation into this matter,” he said.

“This is a disturbing development that should be of great concern to the U.S. administration and to Congress, as well as the U.S. Representative to the U.N.,” William Newcomb, a member of the U.N. Panel of Experts for nearly three years ending in 2014, told Fox News.

Said an expert familiar with the sanctions regime:  “It undermines sanctions to have this going on. The U.N. agencies involved should have been much more alert to checking these programs out.”

Questions sent last week to the U.S. State Department about WIPO’s patent dealings with North Korea had not been answered before this story was published.

For its part, a WIPO spokesperson told Fox News by email, in response to the question of whether it had reported the patent application to the U.N. sanctions committee, only that the organization “has strict procedures in place to ensure that it fully complies with all requirements in relation to U.N. Security Council sanction regimes.”

The spokesperson added that “we communicate with the relevant U.N. oversight committees as necessary.”

But apparently, help with preparing international patent applications for a sanctioned nerve gas “chemical precursor” does not necessarily count as grounds for such communication, if the Panel of Experts records are correct.

This is by no means the first time that WIPO, led by its controversial director general, Francis Gurry, has flabbergasted other parts of the U.N. and most Western nations with its casual and undeclared assistance, with potential WMD implications, to the bellicose and unstable North Korean regime.

And, as before, how the action is judged may depend upon razor-thin, legalistic interpretations of U.N. sanctions law on the one side vs. staggering violations of, at a minimum, common sense in dealing with the unstable North Korean regime, which among other things has never signed the international convention banning the development, production, stockpiling and use of chemical weapons.

While the patent process went on at WIPO, that regime has conducted five illegal nuclear tests — two in the past year, while the patent process was under way — and at least ten illegal ballistic missile launches since 2016, while issuing countless threats of mass destruction against its neighbors and the U.S.

In 2012, Fox News reported that WIPO had shipped U.S.-made computers and sophisticated computer servers to North Korea, and also to Iran, without informing sanctions committee officials.

The shipments were ostensibly part of a routine technology upgrade. Neither country could obtain the equipment on the open market, and much of it would have required special export licenses if shipped from the U.S.

The report kicked off an uproar, but after a lengthy investigation, the U.N. sanctions committee decided that the world organization’s porous restrictions had not been violated, while also noting WIPO’s defense that as an international organization, it was not subject to the rules aimed at its own member states.

Nonetheless, the investigators declared that “we simply cannot fathom how WIPO could have convinced itself that most Member States would support the delivery of equipment to countries whose behavior was so egregious it forced the international community to impose embargoes.”

The investigators also declared that “WIPO, as a U.N. agency, shares the obligation to support the work of other U.N. bodies, including the Sanctions Committees,” and that in response to the furor, WIPO had “implemented new requirements to check on sanctions compliance in advance of program implementation.”

There is no doubt about the banned nature of sodium cyanide — which can also be used to produce deadly cyanide gas, another weapon of mass destruction.

The chemical appears on a Security Council list of “items, materials, equipment, goods and technology” related to North Korea’s “other weapons of mass destruction programs” beyond nuclear weapons, which first appeared after U.N. Security Council resolution 1718 was approved in 2006.


That resolution, voted after North Korea conducted its first nuclear test, ordained that  member states  “prevent the direct or indirect supply, sale or transfer” to the regime known as the Democratic People’s  Republic of Korea, or DPRK, of  the listed items “which could contribute to DPRK’s nuclear-related, ballistic missile-related or other weapons of mass destruction-related programs.”

It also declared that “all member states shall prevent any transfers to the DPRK by their nationals or from their territories, or from the DPRK by its nationals or from its territory, of technical training, advice, services or assistance related to the provision, manufacture, maintenance or use of the items” listed.

Additionally, it demanded a freeze by U.N. member states of all “funds, other financial assets and economic resources” that could be used in the mass destruction-related programs.


A subsequent Security Council resolution, 2270, in 2016 broadened things by declaring that “economic resources” referred to in Resolution 1718 “includes assets of every kind, whether tangible or intangible, movable or immovable, accrual or potential, which potentially may be used to obtain funds, goods or services” by DPRK.

This may open up another controversial aspect of the cyanide patent application, since, along with its mass-destructive uses, the chemical is considered the most common agent in the extraction of gold from ores and concentrates.

Further, according to the North Korean application to WIPO, the new process it wants to make ready for international patenting is a lower-cost process that produces ultra-high-grade product.


In WIPO’s response to Fox News, the agency’s spokesperson emphasized that “WIPO is not a patent-granting authority. Its role in handling these applications is to ensure that they conform to the procedural requirements” of the 152-member Patent Cooperation Treaty, or PCT, “and to publish them in accordance with the provisions of the treaty.”  North Korea is a PCT signatory.

Translation:  WIPO is merely a neutral, technical pass-through mechanism. As the spokesperson put it: “The decisions concerning whether or not to ultimately grant the patent are the sole purview of each jurisdiction where protection is being sought, in accordance with national law.”

While that may be true, it is also true, according to the WIPO website, that the U.N. agency gives those who use its services a lot of financially meaningful help.

That starts with the fact that by filing an international filing application with the agency, you have to pay only one fee rather than more than 150 to get an application acceptable in all PCT countries (which include the U.S. as one of the treaty’s biggest users).

WIPO also provides one-stop research on whether a patent overlaps with those elsewhere, and offers the possibility of widespread dissemination and publicity — i.e., stimulating demand, and thus at least the potential for sanctions-breaking in any subsequent licensing of the North Korean patent.

Igniting controversy has been a characteristic of Director General Gurry’s reign — indeed, even before he first took WIPO’s top executive office in 2008.

In 2015, the U.N.’s watchdog Office of Internal Oversight Services (OIOS) was asked by WIPO’s own General Assembly chair to investigate Gurry for allegedly ordering, in 2008, break-ins of the offices of staffers to seek DNA evidence that they wrote anonymous letters against him. Gurry was WIPO’s No. 2 at the time.

A year later, after much byzantine maneuvering, a heavily redacted version of the report declared that “while there were indications that Mr. Gurry had a direct interest in the outcome of the DNA analysis, there is no evidence that he was involved in the taking of DNA samples.”

But the same document also found that Gurry had bent the organization’s rules and steered a sensitive cyber-security contract to a business acquaintance, something alleged by one of Gurry’s former top deputies, James Pooley.

Under Gurry, WIPO also has been the only U.N. agency ever sanctioned by the U.S. State Department, on the grounds that it failed to adopt “best practices” in ethics and whistle-blower standards — a punishment first meted out by the pro-U.N. Obama administration in September 2015.

Among the whistle-blowers who say they were forced to leave WIPO during Gurry’s tenure for drawing attention to the agency’s previous computer shipments to North Korea is Miranda Brown, formerly Gurry’s senior strategic advisor.

Brown has repeatedly asked for her reinstatement at the WIPO, and just as often has been turned down by Gurry’s office.

 

2008, the Russians Hacked Obama’s Campaign Too

Why are we learning this now? It is a dereliction of duty to advise the American electorate, campaign operators and all later political candidates, regardless of the kind of race. Further, should we be blaming Obama on this and did he invite the FBI to investigate? If so, the matters of phishing operations and Russia should have been a clarion call.

Further, why would Obama and Hillary even consider ‘resetting’ relations with Russia? Oh yeah… ‘cut it out Vladimir’… remember that?

Okay, read on… the anger mounts.

Exclusive: Russian Hackers Attacked the 2008 Obama Campaign

Jeff Stein: Russian hackers targeted the 2008 Barack Obama campaign and U.S. government officials as far back as 2007 and have continued to attack them since they left their government jobs, according to a new report scheduled for release Friday.

The targets included several of the 2008 Obama campaign field managers, as well as the president’s closest White House aides and senior officials in the Defense, State and Energy Departments, the report says.

It names several officials by title, but not by name, including “several officials involved in Russian policy, including a U.S. ambassador to Russia,” according to a draft version of the report, authored by Area 1 Security, a Redwood City, California, company founded by former National Security Agency veterans.

“They’re still getting fresh attacks,” the company says.

The attacks on their email accounts have continued as the officials migrated to think tanks, universities and private industry, the company says. The favored weapon of the Russians and other hackers is the so-called “phishing” email, in which the recipient is invited to click on an innocent-looking link, which opens a door to the attackers.

China can’t be excluded as a perpetrator in those attacks, Area 1 Security’s report says, but its new data “show that Russia tried to hack several members of the Obama campaign and could have done so at the same time as someone that achieved massive data exfiltration.”

Blake Darché, a former NSA technical analyst who co-founded Area 1 Security, tells Newsweek that “state-sponsored Russian hackers have been targeting United States officials and politicians since at least 2007 through phishing attacks.” Russian hackers reportedly breached the Joint Chiefs of Staff email system in 2015.

The company says one of the Russian targets was a “deputy campaign manager” in the 2008 Obama campaign, but was otherwise unidentified in its report. There were a number of them over a period of time. One was Steve Hildebrand. Reached in Sioux Falls, South Dakota, where he now runs a specialty bakery and coffee shop, Hildebrand says he was “not aware” that he might have been a Russian target and didn’t remember being warned about cyberattacks of any kind during the campaign. Another senior 2008 campaign aide (and later White House National Security Council spokesman), Tommy Vietor, tells Newsweek he had “no knowledge” of Russian hacking at the time.

Besides top officials in the Energy, Defense and State departments, the Area 1 Security report cites a half-dozen positions in the Obama White House that were targeted from 2008 through 2016, including the president’s deputy assistant, special assistant, the special assistant to the political director, advance team leaders for first lady Michelle Obama, and the White House deputy counsel. None of them could immediately be reached for comment.

Among the State Department targets named by Area 1 Security were three top offices dealing with Russia and Europe. Evelyn Farkas, who served as the Obama administration’s deputy assistant secretary of defense for Russia/Ukraine/Eurasia from 2012 to 2015, says she could not discuss matters that remain classified, but says “the biggest impact” she remembered offhand was the Russian hack of the Joint Chiefs.

Among the three top, unnamed targets at the Energy Department was the director of the Office of Nuclear Threat Science, which is responsible for overseeing the U.S. Nuclear Counterterrorism Program.

The Area 1 Security report names the “Dukes,” also known as “Cozy Bear” and APT-29, for the Obama attacks, the same Russian actors named in the 2015 and 2016 hacking of the Democratic National Committee (DNC) and the State Department.

In an interview, Darché calls the Dukes a front for Russia’s “premier intelligence-gathering arm,” which would be the SVR, or External Intelligence Service, the Kremlin equivalent to the CIA, although he declined to specifically name it. As opposed to the DNC hacks launched to steal and publicize information damaging to the campaign of Hillary Clinton, he says, the Russian offensives that Area 1 Security uncovered were clandestine “intelligence gathering operations” designed to secretly penetrate a wide variety of institutions and industry.

Oren Falkowitz, a former analyst at the National Security Agency who co-founded Area 1 Security, says he launched the company to stop phishing attacks, which until then was thought to be impossible because so many employees continue to click on risky links in emails. The key to the company’s success was persuading clients to let it monitor its servers, he told The New York Times in a 2016 interview.

In Friday’s report, Area 1 Security says it uses a “vast active sensor network” to detect and trace phishing attacks. It says it could imagine the Dukes “operating a giant spreadsheet where new targets are added, but never leave.” It “moves quickly, compromising a server or service to send out phishing emails from it, and then leaves, never returning to check for bounced email messages to cull from its list.”

Most ex-officials don’t realize they are carrying “the blemish of being a Russian target into their new workplace,” the Area 1 Security report says. As a result, “they give the Dukes beachheads in companies and organizations they never even planned on or imagined hacking,” such as Washington think tanks, defense contractors, lobbyist offices, financial institutions and pharmaceutical companies stocked with high ranking former political, military and intelligence officials.

Russia is “notoriously persistent in pursuing targets,” the report says. “It’s a lesson on why every organization needs great security.”

***

FireEye CEO: Russians are at Work in Election Hacking

FireEye CEO Kevin Mandia said Thursday that strengthening U.S. cybersecurity defenses begins with protecting the country’s own systems first, and he is hopeful the Trump administration will implement a strategy to defend from cyber threats, during an interview on FOX Business’ “Countdown to the Closing Bell.”

“You gotta protect critical infrastructure and under times of duress, you have to be able to have shields up as a nation, and I think this order is going to move toward that,” he said, referring to the executive order President Trump signed Thursday, aimed at strengthening America’s infrastructure to help prevent cyberattacks.

Cyber hacking has been in the forefront of an FBI investigation over Russia’s alleged involvement in the 2016 presidential election. Mandia said he believes acting FBI Director Andrew McCabe will continue the investigation into these claims.

“When you awake the sleeping giant, they get the job done and I think the FBI, whenever they apply the resources at their disposal and their capability, they can get the job done as they see fit,” he said.

Mandia believes the Russians are at work in election hacking and thinks it will continue to happen.

“The tool in every emerging nation’s tool box now [is] a cyber component,” he said.

The FireEye CEO added that the risks from cyberattacks can’t be eliminated because persistent hackers are exploiting human trust and not exploiting systems.

Russian “information operations troops” (“cyber troops”)


Russian ‘Cyber Troops’: A Weapon of Aggression

Eurasia Daily Monitor: Speaking to the Russian parliament (Duma) last February, Russian Minister of Defense Sergei Shoigu announced the creation of “information operations troops” (“cyber troops”) within the Armed Forces. He emphasized that state “propaganda should be smart, accurate and effective” and that these new formations “will be much more efficient than the ‘counter-propaganda’ department that operated during the Soviet period” (TASS, February 22). It is dubious, however, that the responsibilities of “cyber troops” will be reduced solely to “propaganda.” Rather, it seems that this unit is to become the main tool of Russia’s offensive cyber operations as a part of “information warfare.” The official history of the Russian cyber troops goes back to 2012, when Dmitry Rogozin (at the time heading the Russian Foundation for Advanced Research Projects in the Defense Industry) addressed the issue publicly for the first time. In 2013, an anonymous source confided that formations of this kind had been established under the umbrella of the Russian Armed Forces (RBC, February 22), but at the time there was no solid evidence available.

Then, in April 2015, the official state news agency TASS reported that a unit of Russian “information operations forces” was deployed to the territory of the Crimean Peninsula (TASS, April 17, 2015). Nonetheless, in the meantime, the Russian side continued to deny the existence of cyber troops. For instance, in January 2017, the first deputy director of the Russian Duma Defense Committee, Alexander Sherin, claimed that “Russia does not have such formations.” Similar statements were made by top-ranking Russian officials related to security and mass communications, such as Viktor Ozerov and Alexey Volin (Interfax, January 16). This silence was interrupted only by Defense Minister Shoigu’s official announcement in February.

Commenting on the main tasks of the cyber troops, Franz Klintsevych, a high-ranking member of the Russian Federation Council (upper house of parliament), identified the disclosure of subversive activities by foreign intelligence services in electronic, paper and TV media outlets. He suggested that the cyber troops would deal with such hacker attacks as their main responsibility. But this assessment fails to fully reflect the true essence and tasks of the new unit. According to Yaakov Kedmi—who used to head Nativ, the former Israeli intelligence service charged with facilitating the immigration of Jews from the Soviet Bloc—“cyber troops” exist in “all serious armies” and are subordinated to their respective defense ministries. Their main tasks are “propagandist” (propaganda and counter-propaganda) and “operational” (activities designed to distract the adversary by providing false information). Yet, he also highlighted that so-called “political propaganda” falls outside the range of responsibilities for such formations (Kommersant, February 22).

Another revealing bit of information on the secretive cyber troops can be found in research conducted by Zecurion Analytics, a Russian software company established in 2001. According to a report the firm published several months ago, Russia may be placed in the top five countries with the “most powerful” cyber troop units, in terms of the number of personnel employed (which Zecurion Analytics estimates at approximately 1,000) and financial expenditures (around $300 million per annum). The company’s head, Vladimir Ylianov, has stated that the main tasks of Russian “cyber troops” include espionage, cyber attacks, and informational warfare (Kommersant, January 1). This assessment, however, also may underestimate the real capabilities of these cyber forces. Thanks to introduction of so-called “research units,” Russian cyber defense is inseparable from the Armed Forces and its resources, which exponentially increases its offensive potential (see EDM, November 30, 2016).

A somewhat different opinion was expressed by pro-Kremlin cyber security specialist Igor Panarin. He hopes that the creation of the cyber troops will allow Russia to overcome its inferiority in the cyber domain compared to other countries, like the United States, and beef up its offensive capabilities. According to the expert, the 2008 Russian-Georgian War in fact demonstrated that Russia failed to act efficiently when it came to offense, and it instead relied on “defense and containment” in its cyber operations. Panarin suggested that unlike the Department of Information and Mass Communication, which was created under the umbrella of the Ministry of Defense in 2016 and tasked with defensive activities, the cyber troops—which could and should act in concert with the Federal Security Service (FSB) and the Foreign Intelligence Service (SVR)—will be specifically charged with conducting offensive operations in the “cyber sphere” (kiber prostranstvo) (Militarynews.ru, February 22). If accurate, this demonstrates Russia’s continuing development of offensive cyber capabilities and a delineation between “cyber” and “information” operations.

Related reading: 3 of 4 Zero-Days Microsoft Patched Yesterday Were Used by Russian Cyberspies

Panarin also outlined a number of supplementary steps Russia needs to take, which included the following elements (Vz.ru, February 28, 2017):

1. The establishment of a State Council (that is to include various governmental structures, public diplomacy organizations, media sources, representatives of business, political parties and non-governmental organizations) tasked with issues related to “information confrontation” (informatsionnoye protivoborstvo—understood as a struggle in the information sphere with the broad aim of achieving information dominance over one’s opponent);

2. The establishment of a position of a “Presidential Advisor” on information operations, tasked with the coordination of informational-analytical units connected with the “cyber troops,” the Ministry of Defense, FSB, Federal Protective Service (FSO), SVR and other key ministries;

3. The creation of a media holding—based on existing media resources of Russian TV Channel One, All-Russia State Television and Radio Broadcasting Company (VGTRK), RT and others—subordinated to the Ministry of Foreign Affairs of the Russian Federation. It is imperative to copy the US experience while implementing this initiative, Panarin alleged; and finally

4. The formation of separate centers of information operations pertaining to the FSB, FSO and SVR.

Panarin’s suggested program should be seen as an extremely ambitious and far-reaching strategy, fully complying with the steps and activities already conducted by the Russian side in the domain of cyber security and information operations. Within this development of the country’s cyber capabilities, the Russian cyber troops should be seen mainly as an offensive operations force, and not as a defensive mechanism.

–Sergey Sukhankin

For reference, here is the testimony before 

 THE SELECT COMMITTEE ON INTELLIGENCE DISINFORMATION A PRIMER IN RUSSIAN ACTIVE MEASURES AND INFLUENCE CAMPAIGNS