9 Iranians Charged in Hacking 176 Universities, Intellectual Property

Nine Iranians Charged With Conducting Massive Cyber Theft Campaign On Behalf Of The Islamic Revolutionary Guard Corps

Mabna Institute Hackers Penetrated Systems Belonging to Hundreds of Universities, Companies, and Other Victims to Steal Research, Academic Data, Proprietary Data, and Intellectual Property

Rod J. Rosenstein, the Deputy Attorney General of the United States, Geoffrey S. Berman, the United States Attorney for the Southern District of New York, William F. Sweeney Jr., the Assistant Director-in-Charge of the New York Field Division of the Federal Bureau of Investigation (“FBI”), and John C. Demers, Assistant Attorney General for National Security, announced today the unsealing of an indictment charging GHOLAMREZA RAFATNEJAD, EHSAN MOHAMMADI, ABDOLLAH KARIMA, a/k/a “Vahid Karima,” MOSTAFA SADEGHI, SEYED ALI MIRKARIMI, MOHAMMED REZA SABAHI, ROOZBEH SABAHI, ABUZAR GOHARI MOQADAM, and SAJJAD TAHMASEBI.  The defendants were each leaders, contractors, associates, hackers-for-hire, and affiliates of the Mabna Institute, an Iran-based company that was responsible for a coordinated campaign of cyber intrusions that began in at least 2013 into computer systems belonging to 144 U.S.-based universities, 176 universities across 21 foreign countries, 47 domestic and foreign private sector companies, the United States Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children’s Fund.  Through the activities of the defendants, the Mabna Institute conducted these intrusions to steal over 30 terabytes of academic data and intellectual property from universities, and email inboxes from employees of victim private sector companies, government victims, and non-governmental organizations.  The defendants conducted many of these intrusions on behalf of the Islamic Republic of Iran’s (“Iran”) Islamic Revolutionary Guard Corps (“IRGC”), one of several entities within the government of Iran responsible for gathering intelligence, as well as other Iranian government clients.  In addition to these criminal charges, today the Department of Treasury’s Office of Foreign Assets Control (OFAC) designated the Mabna Institute and the nine defendants for sanctions for the malicious cyber-enabled activity outlined in the Indictment.

Deputy Attorney General Rod J. Rosenstein said:  “These nine Iranian nationals allegedly stole more than 31 terabytes of documents and data from more than 140 American universities, 30 American companies, five American government agencies, and also more than 176 universities in 21 foreign countries.  For many of these intrusions, the defendants acted at the behest of the Iranian government and, specifically, the Iranian Revolutionary Guard Corps.  The Department of Justice will aggressively investigate and prosecute hostile actors who attempt to profit from America’s ideas by infiltrating our computer systems and stealing intellectual property.  This case is important because it will disrupt the defendants’ hacking operations and deter similar crimes.”

Manhattan U.S. Attorney Geoffrey S. Berman said:  “Today, in one of the largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice, we have unmasked criminals who normally hide behind the ones and zeros of computer code.  As alleged, this massive and brazen cyber-assault on the computer systems of hundreds of universities in 22 countries, including the United States, and dozens of private sector companies and governmental organizations was conducted on behalf of Iran’s Islamic Revolutionary Guard.  The hackers targeted innovations and intellectual property from our country’s greatest minds.  These defendants are now fugitives from American justice, no longer free to travel outside Iran without risk of arrest.  The only way they will see the outside world is through their computer screens, but stripped of their greatest asset – anonymity.”

FBI Assistant Director William F. Sweeney Jr. said:  “The numbers alone in this case are staggering, over 300 universities and 47 private sector companies both here in the United States and abroad were targeted to gain unauthorized access to online accounts and steal data.  An estimated 30 terabytes was removed from universities’ accounts since this attack began, which is roughly equivalent of 8 billion double-sided pages of text.  It is hard to quantify the value on the research and information that was taken from victims but it is estimated to be in the billions of dollars. The nine Iranians indicted today now find themselves wanted by the FBI and our partner law enforcement agencies around the globe – and like other cyber criminals they will soon learn their ability to freely move was just limited to the virtual world only.”

According to the allegations contained in the Indictment[1] unsealed today in Manhattan federal court:

Background on the Mabna Institute

GHOLAMREZA RAFATNEJAD and EHSAN MOHAMMADI, the defendants, founded the Mabna Institute in approximately 2013 to assist Iranian universities and scientific and research organizations in stealing access to non-Iranian scientific resources.  In furtherance of its mission, the Mabna Institute employed, contracted, and affiliated itself with hackers-for-hire and other contract personnel to conduct cyber intrusions to steal academic data, intellectual property, email inboxes and other proprietary data, including ABDOLLAH KARIMA, a/k/a “Vahid Karima,” MOSTAFA SADEGHI, SEYED ALI MIRKARIMI, MOHAMMED REZA SABAHI, ROOZBEH SABAHI, ABUZAR GOHARI MOQADAM, and SAJJAD TAHMASEBI.  The Mabna Institute contracted with both Iranian governmental and private entities to conduct hacking activities on their behalf, and specifically conducted the university spearphishing campaign on behalf of the IRGC.  The Mabna Institute is located at Tehran, Sheikh Bahaii Shomali, Koucheh Dawazdeh Metri Sevom, Plak 14, Vahed 2, Code Posti 1995873351.

University Hacking Campaign

The Mabna Institute, through the activities of the defendants, targeted over 100,000 accounts of professors around the world.  They successfully compromised approximately 8,000 professor email accounts across 144 U.S.-based universities, and 176 universities located in foreign countries, including Australia, Canada, China, Denmark, Finland, Germany, Ireland, Israel, Italy, Japan, Malaysia, Netherlands, Norway, Poland, Singapore, South Korea, Spain, Sweden, Switzerland, Turkey, and the United Kingdom.  The campaign started in approximately 2013, and has continued through at least December 2017, and broadly targeted all types of academic data and intellectual property from the systems of compromised universities, including, among other things, academic journals, theses, dissertations, and electronic books.  Through the course of the conspiracy, U.S.-based universities spent over approximately $3.4 billion to procure and access such data and intellectual property.

The hacking campaign against universities was conducted across multiple stages.  First, the defendants conducted online reconnaissance of university professors, including to determine these professors’ research interests and the academic articles they had published.  Second, using the information collected during the reconnaissance phase, the defendants created and sent spearphishing emails to targeted professors, which were personalized and created so as to appear to be sent from a professor at another university.  In general, those spearphishing emails indicated that the purported sender had read an article the victim professor had recently published, and expressed an interest in several other articles, with links to those additional articles included in the spearphishing email.  If the targeted professor clicked on certain links in the email, the professor would be directed to a malicious Internet domain named to appear confusingly similar to the authentic domain of the recipient professor’s university.  The malicious domain contained a webpage designed to appear to be the login webpage for the victim professor’s university.  It was the defendants’ intent that the victim professor would be led to believe that he or she had inadvertently been logged out of his or her university’s computer system, prompting the victim professor for his or her login credentials.  If a professor then entered his or her login credentials, those credentials were then logged and captured by the hackers.

Finally, the members of the conspiracy used stolen account credentials to obtain unauthorized access to victim professor accounts, through which they then exfiltrated intellectual property, research, and other academic data and documents from the systems of compromised universities, including, among other things, academic journals, theses, dissertations, and electronic books.  The defendants targeted data across all fields of research and academic disciplines, including science and technology, engineering, social sciences, medical, and other professional fields.  At least approximately 31.5 terabytes of academic data and intellectual property from compromised universities were stolen and exfiltrated to servers under the control of members of the conspiracy located in countries outside the United States.

In addition to stealing academic data and login credentials for university professors for the benefit of the Government of Iran, the defendants also sold the stolen data through two websites, Megapaper.ir (“Megapaper”) and Gigapaper.ir (“Gigapaper”).  Megapaper was operated by Falinoos Company (“Falinoos”), a company controlled by ABDOLLAH KARIMA, a/k/a “Vahid Karima,” the defendant, and Gigapaper was affiliated with KARIMA.  Megapaper sold stolen academic resources to customers within Iran, including Iran-based public universities and institutions, and Gigapaper sold a service to customers within Iran whereby purchasing customers could use compromised university professor accounts to directly access the online library systems of particular United States-based and foreign universities.

Prior to the unsealing of the Indictment, the FBI provided foreign law enforcement partners with detailed information regarding victims within their jurisdictions, so that victims in foreign countries could be notified and so that foreign partners could assist in remediation efforts.

Private Sector Hacking Victims

In addition to targeting and compromising universities, the Mabna Institute defendants targeted and compromised employee email accounts for at least approximately 36 United States-based private companies, and at least approximately 11 private companies based in Germany, Italy, Switzerland, Sweden, and the United Kingdom, and exfiltrated entire email mailboxes from compromised employees’ accounts.  Among the United States-based private sector victims were three academic publishers, two media and entertainment companies, one law firm, 11 technology companies, five consulting firms, four marketing firms, two banking and/or investment firms, two online car sales companies, one healthcare company, one employee benefits company, one industrial machinery company, one biotechnology company, one food and beverage company, and one stock images company.

In order to compromise accounts of private sector victims, members of the conspiracy used a technique known as “password spraying,” whereby they first collected lists of names and email accounts associated with the intended victim company through open source Internet searches.  Then, they attempted to gain access to those accounts with commonly-used passwords, such as frequently used default passwords, in order to attempt to obtain unauthorized access to as many accounts as possible.  Once they obtained access to the victim accounts, members of the conspiracy, among other things, exfiltrated entire email mailboxes from the victims.  In addition, in many cases, the defendants established automated forwarding rules for compromised accounts that would prospectively forward new outgoing and incoming email messages from the compromised accounts to email accounts controlled by the conspiracy.

In connection with the unsealing of the Indictment, today the FBI issued a FBI Liaison Alert System (FLASH) message, providing detailed information regarding the vulnerabilities targeted and the intrusion vectors used by the Mabna Institute in their campaign against private sector companies, to provide the public with information to assist in detecting and remediating the threat.

U.S. Government and NGO Hacking Victims

In the same time period as the university and private sector hacking campaigns described above, the Mabna Institute also conducted a computer hacking campaign against various governmental and non-governmental organizations within the United States.  During the course of that campaign, employee login credentials were stolen by members of the conspiracy through password spraying.  Among the victims were the following, all based in the United States:  the United States Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the State of Indiana Department of Education, the United Nations, and the United Nations Children’s Fund.  As with private sector victims, the defendants targeted for theft email inboxes of employees of these organizations.

*                *                *

GHOLAMREZA RAFATNEJAD, EHSAN MOHAMMADI, ABDOLLAH KARIMA, a/k/a “Vahid Karima,” MOSTAFA SADEGHI, SEYED ALI MIRKARIMI, MOHAMMED REZA SABAHI, ROOZBEH SABAHI, ABUZAR GOHARI MOQADAM, and SAJJAD TAHMASEBI, the defendants, are citizens and residents of Iran.  Each is charged with one count of conspiracy to commit computer intrusions, which carries a maximum sentence of five years in prison; one count of conspiracy to commit wire fraud, which carries a maximum sentence of 20 years in prison; two counts of unauthorized access of a computer, each of which carries a maximum sentence of five years in prison; two counts of wire fraud, each of which carries a maximum sentence of 20 years in prison; and one count of aggravated identity theft, which carries a mandatory sentence of two years in prison.  The maximum potential sentences in this case are prescribed by Congress and are provided here for informational purposes only, as any sentencings of the defendants will be determined by the assigned judge.

Mr. Berman praised the outstanding investigative work of the FBI, the assistance of the United Kingdom’s National Crime Agency (NCA), and the support of the OFAC.  The case is being handled by the Office’s Complex Frauds and Cybercrime Unit.  Assistant United States Attorneys Timothy T. Howard, Jonathan Cohen, and Richard Cooper are in charge of the prosecution, with assistance provided by Heather Alpino and Jason McCullough of the National Security Division’s Counterintelligence and Export Control Section.

The charges contained in the Indictment are merely accusations and the defendants are presumed innocent unless and until proven guilty.


[1] As the introductory phrase signifies, the entirety of the text of the Indictment, and the description of the Indictment set forth herein, constitute only allegations, and every fact described should be treated as an allegation.

Topic(s):
Cyber Crime
Press Release Number:
18-089

POTUS and Omnibus, No Line Item Veto?

2232 pages of stupid and everyone should take the time to just scan the $1.3 trillion spending bill. I got to page 184 last night and went to bed mad. There is no line item veto but there should be. President Trump can veto the whole truck load of crap and should. In place of the line item veto, he can wield his pen and sign an Executive Order eliminating countless crazy spending things or suspend some of the acts for the rest of his term. Something like the Food for Progress Act. And we are still bailing out the healthcare insurance companies…. anyway…there is also $687 million to address Russian interference. Just what is that plan?

  1. How about the Cloud Act? Foreign governments get access to our data? WHAT?   2. Okay how about Trump’s “wall funding.” It’s not a wall. It’s repairs, drones and pedestrian fencing – no construction. 3. Then we have the House Freedom Caucus with their letter to President Trump:   So…need more?  Conservative Review has these 10 items for your consideration.Here are the top 10 problems with the bill:

    1) Eye-popping debt: This bill codifies the $143 billion busting of the budget caps, which Congress adopted in February, for the remainder of this fiscal year. This is on top of the fact that government spending already increased $130 billion last year over the final year of Obama’s tenure. Although the Trump administration already agreed to this deal in February, the OMB put out a memo suggesting that Congress appropriate only $10 billion of the extra $63 billion in non-defense discretionary spending. Now it’s up to Trump to follow through with a veto threat. It’s not just about 2018. This bill paves the road to permanently bust the budget caps forever, which will lead to trillions more in spending and cause interest payments on the debt to surge past the cost of the military or even Medicaid in just eight years.

    Keep in mind that all the additional spending will be stuffed into just six months remaining to the fiscal year, not a 12-month period. A number of onerous bureaucracies will get cash booster shots instead of the cuts President Trump wanted.

    Remember when Mick Mulvaney said the fiscal year 2017 budget betrayal was needed so that he could do great things with the fiscal year 2018 budget? Good times.

    2) Bait and switch on the wall: Since this bill increases spending for everything, one would think that at least the president would get the $15 billion or so needed for the wall. No. The bill includes only $641 million for 33 miles of new border fencing but prohibits that funding for being used for concrete barriers. My understanding is that President Trump already has enough money to begin construction for roughly that much of the fence, and pursuant to the Secure Fence Act, he can construct any barrier made from any This actually weakens current law.

    3) Funds sanctuary cities: When cities and states downright violate federal law and harbor illegal aliens, Congress’ silence in responding to it is deafening. Cutting off block grants to states as leverage against this dangerous crisis wasn’t even under discussion, even as many other extraneous and random liberal priorities were seriously considered.

    4) Doesn’t fund interior enforcement: Along with clamping down on sanctuary cities, interior enforcement at this point is likely more important than a border wall. After Obama’s tenure left us with a criminal alien and drug crisis, there is an emergency to ramp up interior enforcement. Trump requested more ICE agents and detention facilities, but that call was ignored in this bill. Trump said that the midterms must focus on Democrats’ dangerous immigration policies. Well, this bill he is supporting ensures that they will get off scot-free.

    5) Doesn’t defund court decisions: Some might suggest that this bill was a victory because at least it didn’t contain amnesty. But we have amnesty right now, declared, promulgated, and perpetuated by the lawless judiciary. For Congress to pass a budget bill and not defund DACA or defund the issuance of visas from countries on Trump’s immigration pause list in order to fight back against the courts is tantamount to Congress directly passing amnesty.

    6) Funds Planned Parenthood: We have no right to a border wall or more ICE funding, but somehow funding for a private organization harvesting baby organs was never in jeopardy or even under discussion as a problem.

    7) Gun control without due process: Some of you might think I’m being greedy, demanding that “extraneous policies” be placed in a strict appropriations bill. Well, gun control made its way in. They slipped in the “Fix NICS” bill, which pressures and incentivizes state and federal agencies to add more people to the system even though there is already bipartisan recognition that agencies are adding people who should not be on the list, including veterans, without any due process in a court of law. They are passing this bill without the House version of the due process protections and without the promised concealed carry reciprocity legislation. Republicans were too cowardly to have an open debate on such an important issue, so they opted to tack it onto a budget bill, which is simply unprecedented. The bill also throws more funding at “school violence” programs when they refuse to repeal the gun-free zone laws that lie at the root of the problem.

    8) More “opioid crisis funding” without addressing the problem: The bill increases funding for “opioid addiction prevention and treatment” by $2.8 billion relative to last year, on top of the $7 billion they already spent in February. This is the ultimate joke of the arsonist pretending to act as the firefighter, because as we’ve chronicled in detail, these funds are being used to clamp down on legitimate prescription painkillers and create a de facto national prescription registry so that government can violate privacy and practice medicine. Meanwhile, the true culprits are illicit drugs and Medicaid expansion, exacerbated by sanctuary cities, as the president observed himself. Yet those priorities are jettisoned from the bill.

    9) Student loan bailout: The bill offers $350 million in additional student loan forgiveness … but only for graduates who take “lower-paid” government jobs or work for some non-profits! This was a big priority of Sen. Elizabeth Warren.  Government created this problem of skyrocketing student debt by fueling it with subsidies and giving the higher education cartel a monopoly of accreditation, among other things. Indeed, this very same bill increases Pell grants by $2 billion. But more money is always the solution, especially when it helps future government workers.

    10) Schumer’s Gateway projects earmark: Conservatives had a wish list of dozens of items, but it’s Schumer’s local bridge and tunnel project that got included. While the bill didn’t contain as much as Schumer asked for (remember the tactic of starting off high), the program would qualify for up to $541 million in new transportation funding. Also, the bill would open up $2.9 billion in grants through the Federal Transit Administration for this parochial project that should be dealt with on a state level. New York has high taxes for a reason.

 

Assassinations of Russians, a Trend or Long Game?

A registry of foreign agents to Russia, compiled by the Justice Department, includes many of Washington’s most powerful legal, communications and lobbying firms, including Sidley Austin, Venable, APCO and White & Case. A review of those records, by the Center for Responsive Politics, found 279 registrations of Russian agents in the United States. More here.

***

“Putin’s inner circle is already subject to personal U.S. sanctions, imposed over Russia’s 2014 annexation of Ukraine’s’ Crimea region,” the Reuters news agency points out. … “But the so-called ‘oligarchs’ list’ that was released on Tuesday … covers many
people beyond Putin’s circle and reaches deep into Russia’s business elite.”

Prime Minister Dmitry Medvedev is among the 114 senior political figures in Russia’s government who made the list, along with 42 of Putin’s aides, Cabinet ministers such as Foreign Minister Sergey Lavrov, and top officials in Russia’s leading spy agencies, the FSB and GRU. The CEOs of major state-owned companies, including energy giant Rosneft and Sberbank, are also on the list.

So are 96 wealthy Russians deemed “oligarchs” by the Treasury Department, which said each is believed to have assets totaling $1 billion or more. Some are the most famous of wealthy Russians, among them tycoons Roman Abramovich and Mikhail Prokhorov, who challenged Putin in the 2012 election. Aluminum magnate Oleg Deripaska, a figure in the Russia investigation over his ties to former Trump campaign chairman Paul Manafort, is included.

Russian Deputy Prime Minister Arkady Dvorkovich dismissed the list as simply a “who’s who” of Russian politics. He told Russian news agencies Tuesday he wasn’t surprised to find his name on the list, too, saying that it “looks like a ‘who’s who’ book.” Dvorkovich stopped short of saying how Russia would react to it, saying the Kremlin would “monitor the situation.” More here.

*** So when there are murder cases of Russian asylees in Britain, what are the agencies in the United States thinking?

Putin foe shot dead on Moscow street | New York Post photo

photo

Litvinenko: Not first Putin critic to end up dead - CNN.com photo

Well there was Mikhail Lesin, a former friend of Putin found dead in his hotel in Dupont Circle, Washington DC. Then there was Operation Ghost Stories, the massive spy swap.

Imagine what the context and case reference is for the FBI when it comes to Russian operations in the United States and in allied countries.Or how many planes have been shot out of the sky where clues and evidence point to Russia? More explained in video below.

Beyond the attempted assassination of Skripal and his daughter in Salisbury two weeks ago, there was yet another confirmed death.

Whoever is behind the murder of a prominent Russian exile, who believed he was on a Kremlin hit list, managed to get inside his home without breaking in, police believe.

Nikolai Glushkov, 68, was found dead at home last week at his home in southwest London, and officers are now hunting for the culprits. His official cause of death is “compression to the neck.”

Before his death, Glushkov warned that a close friend of his had been murdered, and that he would be next.

In a Monday morning update on the investigation, the Metropolitan Police said they examined Glushkov’s house and found no signs of forced entry.

*** How bad is this trend?

Citigroup Pentagon Payment Portal 1.3 Million Weekend Hack Attempts

There are 47 pages of regulations for Department of Defense personnel using Citigroup credit cards while traveling.

Pentagon confirms hack attempt against Defense Department credit card holders

  • The Pentagon on Thursday confirmed that there was a hacking attempt against an online financial services portal that Citigroup manages for the Defense Department.
  • Citigroup had told CNBC that a “malicious actor” attempted to gain access to several Citi credit card accounts tied to the Department of Defense.
  • The attack, which included 1.3 million attempts, occurred over this past weekend.

The Pentagon on Thursday confirmed that there was a hacking attempt this past weekend against an online financial services portal that Citigroup manages for Defense Department credit card holders.

The confirmation comes a day after Citigroup told CNBC that a “malicious actor” attempted to gain access to information for Pentagon-linked credit card accounts.

The bank had responded to CNBC’s inquiry regarding an attempted hack this past weekend. The Pentagon, citing information from Citigroup, confirmed to CNBC on Thursday that there was an attack over the weekend of March 10.

Pentagon Paying For Transgender Soldier's - One News Page ...

The bank told the Defense Department that the attack came from a computer system that was randomly guessing cardholder account usernames and passwords.

The program hit Citigroup’s Pentagon online account application more than 1.3 million times. The hackers did successfully guess 318 Pentagon cardholders’ usernames and passwords, but they did not get past a secondary layer of account authentication.

“No data compromise occurred,” Citi told the Pentagon.

Citi provides financial services for the Government Travel Charge Card, or GTCC, which is used by Department of Defense personnel to pay for authorized expenses when on official travel.

CitiManager is the online portal used by the Defense Department to view statements online, make payments and confirm account balances.

The Pentagon’s Defense Travel Management Office oversees the processing of the GTCC.

*** Back in 2016, there was a hacker contest held by the Pentagon under Secretary Ash Carter….guess they missed that payment portal vulnerability possibility.

When the Pentagon announced the “Hack the Pentagon” event back in March, many wondered what kinds of vulnerabilities hackers would find when checking government websites for bugs. Now we know.

According to Defense Secretary Ash Carter, more than 250 participants out of the 1,400 submitted at least one vulnerability report, with 138 of those vulnerabilities determined to be “legitimate, unique and eligible for a bounty,” he said. The bounties ranged per person from $100 to around $15,000 if someone submitted multiple bugs.

The pilot program, which ran from April 18 to May 12, cost about $150,000, with around half of that going to participants. The results were released on Friday, according to the Department of Defense’s website.

“Hack the Pentagon” was deemed a cost-effective way to scour five of the US defense departments’ websites (defense.gov, dodlive.mil, dvidshub.net, myafn.net and dimoc.mil, according to a DoD spokesman) for security bugs. Instead of going to outside security firms, which would’ve cost upwards of $1 million, the government instead recruited amateur hackers to do it for much less, some who were only in high school.

In addition to reporting on the number of bugs, Carter also said that the government has worked with HackerOne, a bug bounty platform, to fix the vulnerabilities and that the department has “built stronger bridges to innovative citizens who want to make a difference to our defense mission.” Carter wants the “bug bounty” program to extend to other areas of the government and wants to ensure that hackers and researchers can report bugs without a dedicated program.

“When it comes to information and technology, the defense establishment usually relies on closed systems,” he said. “But the more friendly eyes we have on some of our systems and websites, the more gaps we can find, the more vulnerabilities we can fix, and the greater security we can provide to our warfighters.”

Many website already have bug bounty programs in place, but it was the first time the federal government had come up with such a program. It’s good experience for young hackers and security fiends who want to try and hack a government agency, although that’s a small amount of money for their time.

4 Days of Food Left…Panic? National Grid Hacked

If there is no transportation, there is no food, medicine or basic supplies….what country is ready to deal with this?

British cities would be uninhabitable within days and the country is only a few meals from anarchy if the National Grid was taken down in a cyber attack or solar storm, disaster and security experts have warned.

Modern life is so reliant on electricity that a prolonged blackout would quickly lead to a loss of water, fuel, banking, transport and communications that would leave the country “in the Stone Age”.

Russia plot to cut off UK with hackers taking down ... photo

The warning comes weeks after the Defence Secretary, Gavin Williamson, said Russia had been spying on the UK’s energy infrastructure and could cause “thousands and thousands and thousands” of deaths if it crippled the power supply.

***

The U.S. government has just released an important cybersecurity alert that confirms Russian government cyberattacks targeting energy and other critical infrastructure sectors in the United States.

While there has recently been a significant rise in cyberattacks in these industries, up to now we’ve only been able to speculate on who the actors are, or what their motives may be. In this case the threat actor and their strategic intent has been clearly confirmed, something the U.S. government rarely does publicly.

In addition, the US-CERT alert provides descriptions of each stage of the attack, detailed indicators of compromise (IOCs), and a long list of detection and prevention measures. Many of the attack tactics are like Dragonfly 2.0, so much so that one might call this an expanded playbook for Dragonfly. The Nozomi Networks solution ships today with an analysis toolkit that identifies the presence of Dragonfly 2.0 IOCs.

This article is intended to help you gain perspective on this recent alert, provide additional guidance on what security measures to take, and describe how the Nozomi Networks solution can help.

Russian-Cyberattacks-on-Infrastructure

U.S. energy facilities, like this one, are one of the critical infrastructure targets of the Russian cyberattacks.

Multi-Stage Campaigns Provide Opportunities for Early Detection

The US-CERT alert characterizes this attack as a multi-stage cyber intrusion campaign where Russian cyber actors conducted spear phishing and gained remote access into targeted industrial networks. After obtaining access, the threat vectors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).

This pattern of behavior is typical of APTs (Advanced Persistent Threats). APTs occur over an extended period, meaning there is an opportunity to detect and stop them before damage is done. With the right technology monitoring the industrial network, it is much harder for them to go unobserved before their final attack.

In this case the Russian cyberattacks started by infecting staging targets, which are peripheral organizations, such as trusted third-party suppliers, as pivot points for attacking the final intended targets.

The attackers used a multitude of tactics involving information relevant to industrial control professionals for initial infection of the staging targets. Examples include:

  • Altering trade publication websites
  • Sending emails containing resumes for ICS personnel as infected Microsoft Word attachments
  • Analyzing publicly available photos that inadvertently contained information about industrial systems

The credentials of staging targets’ staff were in turn used to send spear phishing emails to the staff of the intended targets. They received malicious .docx files, which communicated with a command and control (C2) server to steal their credentials.

The SMB (Server Message Block) network protocol was used throughout the spear phishing phases to communicate with external servers, as was described for the Dragonfly 2.0 attacks.This is a distinctive tactic. SMB is usually only used to communicate within LANs, not for outbound communications. Now that this is known, asset owners should ensure their firewalls are locked down for outbound service restrictions.

The credentials of the intended targets were used to access victim’s networks. From there, the malware established multiple local administrator accounts, each with a specific purpose. The goals ranged from creation of additional accounts to cleanup activity. For the report, click here.

***

What Is Known

Forensic analysis shows that the threat actors sought information on network and organizational design and control system capabilities within the organization. In one instance, the report says, the threat actors downloaded a small photo from a publicly accessible human resource page, which, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background. The threat actors also compromised third-party suppliers to download source code for several intended targets’ websites. They also attempted to remotely access corporate web-based email and virtual private network (VPN) connections.

Once inside the intended target’s network, the threat actors used privileged credentials to access domain controllers via remote desktop protocols (RDP) and then used the batch scripts to enumerate hosts and users, as well as to capture screenshots of systems across the network.

The threat is inside. US-CERT on March 15 warned that threat actors associated with the Russian government had infiltrated ICS and SCADA systems at power plants using a variety of tactics. This image is a DHS reconstruction of a screenshot fragment of a human machine interface (HMI) that the threat actors accessed. Source: US-CERT

The threat is inside. US-CERT on March 15 warned that threat actors associated with the Russian government had infiltrated ICS and SCADA systems at power plants using a variety of tactics. This image is a DHS reconstruction of a screenshot fragment of a human machine interface (HMI) that the threat actors accessed. Source: US-CERT

Along with publishing an extensive list of indicators of compromise, the DHS and FBI recommended that network administrators review IP addresses, domain names, file hashes, network signatures, and a consolidated set of YARA rules for malware associated with the intrusion authored by the National Cybersecurity and Communications Integration Center. YARA is an open-source and multiplatform tool that provides a mechanism to exploit code similarities between malware samples within a family.