Inauguration Day Protests, Looting, Destruction = Arrests

A global operation that began apparently in 2001. While this article is not fully vetted, there is no reason to assume it is false.

Blocks away from the swearing in on Inauguration Day for Donald Trump, there were several pockets where people associated with the Black Bloc were doing all kinds of nasty things. As reported by USA Today in early February:

Swarms of people dressed in black invaded what was supposed to be a peaceful demonstration against right-wing commentator Milo Yiannopoulous on Wednesday evening.

The group tossed smoke bombs, set fires and started fights on the University of California – Berkeley campus where Yiannopoulous was slated to speak. He never would.

The protest’s organizers, the Berkeley Against Trump coalition, said the peaceful acts of the 1,500 demonstrators were marred by 50 to 75 anti-fascist Black Bloc protestors.

Outside of Berkeley, media outlets have linked Black Blocs to a number of modern protests, most recently in efforts opposing President Donald Trump. The Nation credits a Black Bloc protestor with punching alt-right leader Richard Spencer in the face on Trump’s inauguration day. The Washington Post said Black Blocs were involved with violent protests in Washington, D.C. on inauguration day and in Portland following Trump’s election win.

*** For more on the tactics, training and preparation of Black Bloc, go here.

So, where are we now on those protestors in Washington DC?

Per the indictment in part:

(hereinafter, the “Rioting Defendants”) willfully engaged, incited, and urged other people to engage in a riot, that is, a public disturbance involving an assemblage of five or more persons, that by tumultuous and violent conduct and the threat thereof, resulted in serious bodily harm or property damage in excess of $5,000.

  2. It was a part of this riot that the Rioting Defendants and others gathered on the morning of January 20, 2017, in and around Logan Circle located at 13th Street and P Street NW, Washington, D.C.

  3. It was a part of this riot that, on January 20, 2017, the Rioting Defendants used a tactic called the “Black Bloc” in which individual defendants wore black or dark colored clothing, gloves, scarves, sunglasses, ski masks, gas masks, goggles, helmets, hoodies, and other face concealing and face protecting items to conceal their identities in an effort to prevent law enforcement from being able to identify the individual perpetrators of violence or destruction.

  4. It was a part of this riot that, on January 20, 2017, to facilitate violence and destruction, individual defendants and others participating in the Black Bloc armed themselves with items that could be used to damage persons and property. These items included hammers, crowbars, metal poles, wooden sticks, wooden poles, bricks, rocks, pieces of concrete, lighters, flares, firecrackers, and other explosive devices.

  5. It was a part of this riot that, on January 20, 2017, individual defendants and others participating in the Black Bloc brought face masks, gas masks, and goggles to eliminate or mitigate the effectiveness of crowd control measures that might be used by law enforcement.

  6. It was a part of this riot that, at or about 10:19 AM on January 20, 2017, the Rioting Defendants and others moved south from Logan Circle on 13th Street NW as part of the Black Bloc.

  7. It was a part of this riot that, at about 10:19 AM on January 20, 2017, individuals participating in the Black Bloc carried flares and lit firecrackers and fireworks as the Rioting Defendants and others moved south on 13th Street NW.

  8. It was a part of this riot that, at or about 10:21 AM on January 20, 2017, within two (2) blocks of leaving Logan Circle, individuals participating in Black Bloc started breaking (..)

Read the full document here along with the 200+ that were arrested and charged.

What did Google Know, When did They Know it?


A Glimpse Into How Much Google Knows About Russian Government Hackers

A 2014 leaked private report from Google shows how much the internet giant knows about government hacking groups.

Motherboard: In October of 2014 an American security company revealed that a group of hackers affiliated with the Russian government, dubbed APT28, had targeted Georgia and other Eastern European countries in a wide-ranging espionage campaign. Two and a half years later, APT28—also known as “Fancy Bear” or “Sofacy”—is a household name not just in the cybersecurity industry, but in the mainstream too, thanks to its attack on the US Democratic party and the ensuing leaks of documents and emails.

Before that report by FireEye, APT28 was a well-kept secret within the cybersecurity industry. At the time, several companies were willing to share information about the hacking group. Even Google investigated the group, and penned a 40-page technical report on the hacking group that has never been published before.

This sort of document, which Motherboard obtained from two independent sources, may be a common sight in the threat intelligence industry, but the public rarely gets to see what such a report from Google looks like. The report draws from one of Google’s most interesting sources of data when it comes to malware and cybersecurity threats: VirusTotal, a public malware repository that the internet giant acquired in 2012.

Sofacy and X-Agent, the report read, referring to the malware used by APT28, “are used by a sophisticated state-sponsored group targeting primarily former Soviet republics, NATO members, and other Western European countries.”

“It looks like Google researchers were well aware of Sofacy before it was publicly disclosed.”

While Google security researchers don’t delve into who’s really behind these operations, they do hint that they agree with the now widespread belief that APT28 works for the Russian government in a clever, indirect way—in the very title of the report: “Peering into the Aquarium.”

While that might seem like an obscure title, for those who follow Russian espionage activities, it’s a clear reference to the headquarters of the military intelligence agency known as GRU or Glavnoye Razvedyvatel’noye Upravleniye, which are popularly known as “The Aquarium.”

“It looks like Google researchers were well aware of Sofacy before it was publicly disclosed,” Matt Suiche, a security researcher and the founder of Comae Technologies and the OPCDE conference, told Motherboard in an online chat after reviewing the report. “And also attributed Sofacy and X-Agent to Russia before it was publicly done by FireEye, ESET or CrowdStrike.”

In its report, Google security researchers note that APT28 attacks a large number of targets with its first-stage malware Sofacy, but only uses the more tailored and sophisticated X-Agent, which was recently used against Ukraine’s military units, for “high-priority targets.”

“Sofacy was three times more common than X-Agent in the wild, with over 600 distinct samples,” Google’s report stated.

Asked for comment, a Google spokesperson said via email that the company’s “security teams are constantly monitoring potential threats to internet users, and regularly publish information to better protect them.”

The report noted that Georgia had the highest ratio of submissions of Sofacy malware, followed by Romania, Russia and Denmark.

While this report is now a bit dated, it shows that for all its sophistication, APT28 has often been caught in the act of hacking politically interesting targets, betraying the origin of the hackers behind the dry nickname. It also reveals how much a company like Google, which doesn’t have software installed on thousands of customers’ computers like other antivirus and security vendors that is designed specifically to detect malware, can still learn a lot about government hacking groups thanks to the other data it has access to.

*** Related reading:

State-sponsored hackers targeting prominent journalists, Google warns

Politico: Google has warned a number of prominent journalists that state-sponsored hackers are attempting to steal their passwords and break into their inboxes, the journalists tell POLITICO.

Jonathan Chait of New York Magazine said he received several messages from Google warning him about an attack from a government-backed hacker starting shortly after the election. He said the most recent warning came two to three weeks ago.

Julia Ioffe, who recently started at The Atlantic and has covered Russia for years, said she got warnings as recently as two weeks ago. (See one of the warnings: http://bit.ly/2kMUyRb)

Some journalists getting the warnings say they suspect the hackers could be Russians looking to find incriminating emails they could leak to embarrass journalists, either by revealing alleged liberal bias or to expose the sausage-making of D.C. journalism.

“The fact that all this started right after the election suggests to me that journalists are the next wave to be targeted by state-sponsored hackers in the way that Democrats were during it,” said one journalist who got the warning. “I worry that the outcome is going to be the same: Someone, somewhere, is going to get hacked, and then the contents of their gmail will be weaponized against them — and by extension all media.”

The Russian embassy did not respond to a request for comment.

Russian embassy, Washington DC

Google cautioned that the warnings did not mean the accounts had been compromised already and were sent due to “an abundance of caution.”

“Since 2012, we’ve notified users when we believe their Google accounts are being targeted by government-backed attackers,” said a Google spokesperson in a statement. “We send these warnings out of an abundance of caution — they do not indicate that a user’s account has already been compromised or that a more widespread attack is occurring when they receive the notice.”

Ezra Klein, the founder of Vox, said he had received the warning as recently as a few days back. CNN senior media reporter Brian Stelter said he has been getting the alerts for the past few months.

Other journalists who confirmed they’ve recently gotten the warnings include New York Times national security correspondent David Sanger, Times columnist Paul Krugman and Yahoo Washington bureau chief Garance Franke-Ruta.

GQ special contributor Keith Olbermann said the warnings started a few weeks after the election, and he received the most recent alert earlier this week, a “big bright red bar” across the top of his Gmail. Some of the reporters say they are tightening up their email security to try to prevent the hackers from getting in.

Chait also said he was “contacted over email by a stranger who offered to help me by giving me an encryption key to protect me from hackers. He would not give me his name, meet me or talk on the phone, despite repeated requests.”

The stranger also emailed The Atlantic’s David Frum, James Fallows and Adam Serwer, Andrew Sullivan and Ars Technica’s Dan Goodin.

Stanford professor Michael McFaul, the former U.S. ambassador to Russia, said he also received hacking warnings from Google. He added: “Given my background, one would have to guess that it’s the Russians.”

Trump’s Aggressive Immigration Plan Released

When it comes to asylum seekers, a person under the Obama administration only needed to say they were seeking asylum. Trump’s plan raises the bar where conditions for being granted asylum must be proven.


In part from Reuters:

WHAT IS “CREDIBLE FEAR”?

Under the Immigration and Nationality Act, an applicant must generally demonstrate “a well-founded fear of persecution on account of race, religion, nationality, membership in a particular social group, or political opinion.”

Immigration lawyers say any applicants who appear to meet those criteria in their initial interviews should be allowed to make their cases in court. They oppose encouraging asylum officers to take a stricter stance on questioning claims and rejecting applications.

Interviews to assess credible fear are conducted almost immediately after an asylum request is made, often at the border or in detention facilities by immigration agents or asylum officers, and most applicants easily clear that hurdle. Between July and September of 2016, U.S. asylum officers accepted nearly 88 percent of the claims of credible fear, according to U.S. Citizenship and Immigration Services data.

Asylum seekers who fail the credible fear test can be quickly deported unless they file an appeal. Currently, those who pass the test are eventually released and allowed to remain in the United States awaiting hearings, which are often scheduled years into the future because of a backlog of more than 500,000 cases in immigration courts.

Between October 2015 and April 2016, nearly 50,000 migrants claimed credible fear, 78 percent of whom were from Honduras, El Salvador, Guatemala or Mexico, according to statistics from USCIS.

The number of migrants from those three countries who passed credible fear and went to court to make their case for asylum rose sharply between 2011 and 2015, from 13,970 claims to 34,125, according to data from the Justice Department. More here from Reuters.

 

Implementing the President’s Border Security and Immigration Enforcement Improvements Policies by USA TODAY on Scribd

FNC: Homeland Security Secretary John Kelly moved Tuesday to implement a host of immigration enforcement changes ordered by President Trump, directing agency heads to hire thousands more officers, end so-called “catch-and-release” policies and begin work on the president’s promised U.S.-Mexico border wall.

“It is in the national interest of the United States to prevent criminals and criminal organizations from destabilizing border security,” Kelly wrote in one of two memos released Tuesday by the department.

The memos follow up on Trump’s related executive actions from January and, at their heart, aim to toughen immigration enforcement.

The changes would spare so-called “dreamers.” On a conference call with reporters, a DHS official stressed that the directives would not affect Obama-era protections for illegal immigrants who came to the U.S. as children and others given a reprieve in 2014. But outside those exemptions, Kelly wrote that DHS “no longer will exempt classes or categories of removable aliens from potential enforcement.”

A DHS official said the agencies are “going back to our traditional roots” on enforcement.

The memos cover a sprawling set of initiatives including:

  • Prioritizing criminal illegal immigrants and others for deportation, updating guidance from previous administration
  • Expanding the 287(g) program, which allows participating local officers to act as immigration agents – and had been rolled back under the Obama administration
  • Starting the planning, design and construction of a U.S.-Mexico border wall
  • Hiring 10,000 Immigration and Customs Enforcement agents and officers
  • Hiring 5,000 Border Patrol agents
  • Ending “catch-and-release” policies under which illegal immigrants subject to deportation potentially are allowed to “abscond” and fail to appear at removal hearings

It’s unclear what timelines the secretary is setting for some of these objectives, and what budgetary and other constraints the department and its myriad agencies will face. In pursuing an end to “catch-and-release,” one memo called for a plan with the Justice Department to “surge” immigration judges and asylum officers to handle additional cases.

While congressional Republicans have vowed to work with Trump to fund the front-end costs associated with his promised border wall, the same memo also hints at future efforts to potentially use money otherwise meant for Mexico – following on Trump’s repeated campaign vow to make Mexico pay for the wall. The secretary called for “identifying and quantifying” sources of aid to Mexico, without saying in the memo how that information might be used.

Mexican officials repeatedly have said they will not pay for a border barrier. DHS said it has identified initial locations to build a wall where current fencing is not effective, near El Paso, Texas; Tucson, Ariz.; and El Centro, Calif.

The DHS directives come as the Trump White House continues to work on rewriting its controversial executive order suspending the U.S. refugee program as well as travel from seven mostly Muslim countries. The order was put on hold by a federal court, and Trump’s team is said to be working on a new measure.

The directives also come as the Trump administration faces criticism from Democratic lawmakers and immigration advocacy groups for recent ICE raids of illegal immigrants.

DHS officials on Tuesday’s conference call stressed that they are operating under existing law and once again shot down an apparently erroneous news report from last week claiming National Guard troops could be utilized to round up illegal immigrants. That will not happen, an official said.

“We’re going to treat everyone humanely and with dignity, but we are going to execute the laws of the United States,” a DHS official said on the conference call.

Trump Sanctions VP of Venezuela, Finally

U.S. Hits Venezuelan Vice President With ‘Kingpin’ Act Sanctions

  • Tareck El Aissami is highest-ranking Venezuelan on list
  • People on Treasury Department list have assets blocked
 
Nicolas Maduro, Venezuela’s president, right, waves to attendees while accompanied by Tareck El Aissami, Venezuela’s vice president, before the start of his annual address at the Supreme Court in Caracas on Jan. 15, 2017. Photographer: Carlos Becerra/Bloomberg

Bloomberg: The Trump administration imposed sanctions against Venezuelan Vice President Tareck El Aissami, after years of investigation by U.S. authorities into his alleged participation in drug trafficking and money laundering.

The Treasury Department announced the move Monday, placing El Aissami and another Venezuelan on a U.S. list of foreign nationals with suspected ties to drug trafficking. El Aissami has consistently denied all allegations against him. His office declined to comment on the U.S. decision after it was announced.

“He facilitated shipments of narcotics from Venezuela, to include control over planes that leave from a Venezuelan air base, as well as control of drug routes through the ports in Venezuela,” according to a Treasury Department statement. “He also facilitated, coordinated, and protected other narcotics traffickers operating in Venezuela.”

El Aissami is the highest-ranking Venezuelan hit by U.S. sanctions and the most-senior government leader of any country on the so-called Specially Designated Nationals list, according to a U.S. official, who discussed the matter on condition of anonymity. Those listed have their assets blocked and U.S. citizens, institutions and companies are prohibited worldwide from dealing with them, according to the Treasury Department.

The sanctions mark an extraordinary step against the second-in-command of a foreign government and are sure to lead to a further deterioration of U.S. relations with the government of Venezuelan President Nicolas Maduro, who appointed El Aissami as vice president on Jan. 4 amid a deepening economic and humanitarian crisis.

Business Associate

The U.S. also listed Samark Lopez Bello, a Venezuelan citizen with no public government affiliation, who’s considered to be El Aissami’s business associate. According to the official, El Aissami facilitated shipments of more than 1,000 kilograms of drugs on multiple occasions from Venezuela to U.S. and Mexico, and used Lopez Bello to acquire properties on his behalf.

“Lopez Bello is a key frontman for El Aissami and in that capacity launders drug proceeds,” according to the Treasury statement.

Sanctions were also imposed on eight companies based in Venezuela, the British Virgin Islands, Panama and the U.K. The U.S. also froze assets of five U.S.-based companies with real estate holdings in Miami, according to the statement. Together, the actions are designed to freeze tens of millions of dollars in assets, said the U.S. official.

While U.S. officials were gathering evidence under President Barack Obama and prior to El Aissami’s ascent to the vice presidency, action stalled until now. The designations didn’t require President Donald Trump’s personal approval, and Trump has not been involved in the discussions, according to another U.S. official, who also spoke on condition of anonymity.

Any Tool

“It is not a political message, an economic message, it is not a message between governments,” said William R. Brownfield, assistant U.S. secretary of state for international narcotics and law enforcement affairs and a former ambassador to Venezuela between 2004-2007. “It is not even a message of diplomacy. It is a message that says that we will in fact use any tool, any legal and lawful tool in our inventory, to go after those that are engaged in international drug trafficking.”

The measures are being imposed under the Foreign Narcotics Kingpin Designation Act, which was signed into law by President Bill Clinton in 1999. It has targeted approximately 2,000 individuals since 1999, including eight Venezuelan officials, U.S. officials said.

Brownfield, who has served in his position since 2011, said in his experience the evidence behind the planned designations “is as tight an evidence package as I have seen.”

El Aissami, the son of Syrian and Lebanese immigrants, has long been one of Venezuela’s most controversial and feared politicians. In just over a decade, the 42-year-old climbed government ranks from a student leader in rural Venezuela, to interior minister, to his previous post as the governor of Aragua state.

Decree Powers

In the weeks since becoming vice president, El Aissami received wide-reaching decree powers from Maduro, who tapped him to lead a newly formed “commando unit” against alleged coup plotters and officials suspected of treason. Among the slew of arrests since the unit’s formation is a substitute legislator from a hard-line opposition party and a retired general who, years before, broke ranks with the government.

The sanctions are coming less than a week after a bipartisan group of U.S. lawmakers called for further measures against Maduro’s government. In a Feb. 8 letter to Trump, 34 members of Congress including Senators Ted Cruz and Robert Menendez cited El Aissami’s appointment and urged the U.S. to “take immediate action to sanction regime officials.”

The measures promise to worsen a relationship long strained by mistrust and Venezuelan accusations that Washington supported a failed attempt to overthrow then-President Hugo Chavez in 2002. In the years following the attempted coup, Chavez aggressively criticized U.S. ties to Latin America, helped lead rallies around South America against “Yankee aggression” and nationalized investments by companies including U.S.-based Exxon Mobil Corp.

Oil Prices

“It is obviously a decision for the government of Venezuela and its constitutional authorities to determine what steps they will take and how they will react to this designation,” Brownfield said.

Even under Obama, who generally avoided engaging publicly with Chavez or Maduro, ties between the two nations remained strained. In March 2015, Obama expanded U.S. sanctions against Venezuelan officials and declared worsening relations with the South American nation to be a national emergency as Maduro attempted to stifle dissent.

With the drop in oil prices that began in 2014, Venezuela’s economy collapsed. A nation that just a few decades ago was the wealthiest in Latin America has become synonymous with dysfunction, with consumers forced to wait in hours-long lines for basic goods, including medicine. An informal inflation index compiled by Bloomberg shows that prices are rising at almost 1,200 percent annually, the fastest rate in the world.

Political Network

It is in this context that El Aissami, nicknamed “the narco of Aragua” by Venezuela’s beleaguered opposition, has thrived. Critics allege he has used his vast political network to help turn the country into an international hub for drugs. The State Department, in its 2015 International Narcotics Control Strategy Report, described the Caribbean nation as a “major cocaine transit country,” citing “endemic corruption throughout commerce and government, including law enforcement.”

The vice president’s ties to the nation’s civil registry services before he became interior minister have also fueled accusations by U.S. investigators that he’s aided Middle Eastern extremists by allowing them to create Venezuelan identities and a web of front companies to move money outside the country’s borders.

El Aissami has previously denied any alleged drug ties, saying they are little more than media slander, and has offered to hand himself over to authorities if anyone could produce proof.

El Aissami has been investigated by the Homeland Security Department and Drug Enforcement Administration since at least 2011 for alleged money laundering to the Middle East, specifically Lebanon, according to two people familiar with the probe.

As the number two official in Venezuela, El Aissami would be in line to replace Maduro should he cede to opposition pressure to step aside because of the country’s economic implosion and social unrest. Maduro has so far quashed the opposition’s attempt to hold a referendum on his removal before his term ends in about two years.

***

Hat tip to Infodio for the summary dated 2013.

Hugo Chavez’s soft spot for terrorists wasn’t reserved to Basques only. For there’s extensive documentation proving Chavez’s association with, and support to, Colombia’s narco-terrorists from FARC. With regards to Middle Eastern terrorists there’s been much in the way of talk but little proof. It has been said that Margarita Island in Venezuela is a Hezbollah hotbed. Others have claimed, without much evidence, that Venezuela has “sent shipments” of Uranium to Iran. However, the U.S. Department of the Treasury announced in June 2012 that it was targeting a money laundering network related to Hezbollah and its operations in Colombia and Venezuela. And here’s where things get interesting.

Tareck Zaidan El Aissami Maddah (DOB 12 Nov. 1974, ID. 12.354.211) is the current chavista Governor of Aragua state in Venezuela. He is one of five children of Zaidan Amin El Aissami El Musfi and May Maddah de El Aissami, a Muslim couple of Lebanese origin. El Aissami (TEAM) has had a meteoric rise within chavismo, owing to his excellent relations with Adan Chavez, brother and mentor of the late Hugo, whom he met while reading law in Universidad de los Andes. Despite his young age, El Aissami has been appointed to sensitive roles, such as Head of ONIDEX: Venezuela’s equivalent to the Home Office, responsible for identification and immigration.

The most interesting aspect of El Aissami’s operation, however, is not money laundering by his proxies, but rather abuse of his station at ONIDEX to give Venezuelan IDs to a number of internationally wanted criminals / terrorists. The news from OFAC linked above reveals that Hezbollah operatives in South America got Venezuelan IDs under El Aissami’s “watch”. While he was in charge, ONIDEX created new identities for a number of people. Intelligence reports sent to us claim that as many as 173 individuals believed to be collaborating with terrorism, drug trafficking and money laundering were either naturalised, or got Venezuelan visas and IDs using fake names. Abbas Hussein HARB, for instance, identified by OFAC as part of a money laundering network related to Hezbollah and Ayman Saied JOUMAA, has two Venezuelan IDs (21495203 and 26405022). As of this writing both are valid. Kassem Mohamad SALEH, also designated as a Hezbollah collaborator, has a valid Venezuelan ID (22075502), as shown in electoral records. Read the full summary here, excellent work.

Operation Blockbuster: Lazarus Group Hacks Again

Why should you care? There was a long investigation, in separate yet concentrated efforts by both government and private/independent cyber corporations, into the hack of Sony. Enter the Lazarus Group, a name applied to hackers that have hit industries such as government, military, financial and entertainment. Few countries are really exempt, as their signature malware has also been found in Japan, India and China.


Lazarus Group has been active since 2009 and to date cannot be attributed to any single actor or country.

For the comprehensive report, Operation Blockbuster, go here.

Recent malware attacks on Polish banks tied to wider hacking campaign

Hackers targeted more than 100 organizations in more than 30 countries

ComputerWorld: Malware attacks that recently put the Polish banking sector on alert were part of a larger campaign that targeted financial organizations from more than 30 countries.

Researchers from Symantec and BAE Systems linked the malware used in the recently discovered Polish attack to similar attacks that have taken place since October in other countries. There are also similarities to tools previously used by a group of attackers known in the security industry as Lazarus.

The hackers compromised websites that were of interest to their ultimate targets, a technique known as watering-hole attacks. They then injected code into the websites that redirected visitors to a custom exploit kit.

The exploit kit contained exploits for known vulnerabilities in Silverlight and Flash Player; the exploits only activated for visitors who had Internet Protocol addresses from specific ranges.

“These IP addresses belong to 104 different organizations located in 31 different countries,” researchers from Symantec said in a blog post Sunday. “The vast majority of these organizations are banks, with a small number of telecoms and internet firms also on the list.”
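The chain described above (a trusted site injected with a redirect, an exploit kit on an unknown host serving Flash or Silverlight content, and selection of victims by source address) leaves a recognisable trace in web-proxy logs. The following is an added defender-side example written for this page, not code from Symantec, BAE Systems or the article: it triages constructed proxy log lines for exactly that pattern. The log layout, the watched and allowlisted domains (`regulator.example`, `statebank.example`, `cdn.regulator.example`), the `unknown-host.example` destination and the `10.20.0.0/16` internal range are all assumptions for the sake of the example and not indicators from the article.

```python
"""Watering-hole redirect triage over web-proxy logs (added example; constructed data)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Sites whose visitors are high-value, e.g. a banking regulator's portal.
# Constructed placeholder domains, not the sites named in the article.
WATCHED_SITES = {"regulator.example", "statebank.example"}

# Third-party hosts the watched sites legitimately load from (constructed allowlist).
ALLOWED_THIRD_PARTY = {"cdn.regulator.example"}

# Plugin content the article says the exploit kit delivered: Flash (.swf) and Silverlight (.xap).
PLUGIN_EXTENSIONS = (".swf", ".xap")

# Our own address ranges (constructed). The kit only fired for selected source ranges,
# so a hit from inside them is the strongest signal that we were among the targets.
INTERNAL_RANGES = [ip_network("10.20.0.0/16")]

# Assumed proxy log layout: timestamp, client IP, quoted request line, status, quoted Referer.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<url>\S+)" '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)"$'
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    url: str
    referer: str
    reasons: tuple


def host_of(url):
    """Return the lowercase hostname of a URL, or '' for '-' / malformed values."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def in_internal_range(src):
    """True if the client address falls inside one of our constructed internal ranges."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_RANGES)


def analyse(lines):
    """Flag requests that look like a watched site redirecting visitors to an unknown host.

    Two stages, mirroring the injected-redirect then exploit-kit chain:
      1. a request referred by a watched site to a host that is neither that site
         nor on the allowlist marks the destination as a suspect host;
      2. a later request referred by a suspect host that fetches Flash/Silverlight
         content is flagged as probable exploit-kit delivery.
    Returns Findings in log order; malformed lines are skipped.
    """
    findings = []
    suspect_hosts = set()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        url, referer, src, ts = m["url"], m["referer"], m["src"], m["ts"]
        dst, ref = host_of(url), host_of(referer)
        reasons = []
        if ref in WATCHED_SITES and dst and dst != ref and dst not in ALLOWED_THIRD_PARTY:
            reasons.append("external-load-from-watched-site")
            suspect_hosts.add(dst)
        if ref in suspect_hosts and urlparse(url).path.lower().endswith(PLUGIN_EXTENSIONS):
            reasons.append("plugin-content-from-suspect-host")
        if reasons and in_internal_range(src):
            reasons.append("source-in-internal-range")
        if reasons:
            findings.append(Finding(ts, src, url, referer, tuple(reasons)))
    return findings


# Constructed sample log: a benign page load, an allowlisted CDN fetch, an injected
# script from an unknown host, a Silverlight fetch from that host, and an unrelated visit.
SAMPLE_LOG = [
    '2017-02-05T09:12:01Z 10.20.4.17 "GET https://regulator.example/news/notice.html" 200 "-"',
    '2017-02-05T09:12:02Z 10.20.4.17 "GET https://cdn.regulator.example/js/site.js" 200 "https://regulator.example/news/notice.html"',
    '2017-02-05T09:12:03Z 10.20.4.17 "GET https://unknown-host.example/view.js" 200 "https://regulator.example/news/notice.html"',
    '2017-02-05T09:12:05Z 10.20.4.17 "GET https://unknown-host.example/files/app.xap" 200 "https://unknown-host.example/view.js"',
    '2017-02-05T09:30:11Z 192.0.2.44 "GET https://statebank.example/login" 200 "-"',
    '2017-02-05T09:31:00Z 192.0.2.44 "GET https://unknown-host.example/view.js" 200 "https://statebank.example/login"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f.ts, f.src, f.url, "<-", f.referer, ",".join(f.reasons))
```

Stage 1 alone produces noise on sites that legitimately pull third-party content, which is why the allowlist exists and why the plugin-content follow-up and the source-range check are kept as separate reasons: an analyst can sort on the combination rather than on any single signal.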

In the case of the targeted Polish banks, it’s suspected that the malicious code was hosted on the website of the Polish Financial Supervision Authority, the government watchdog for the banking sector. The BAE Systems researchers found evidence that similar code pointing to the custom exploit kit was present on the website of the National Banking and Stock Commission of Mexico in November. This is the Mexican equivalent to the Polish Financial Supervision Authority.

The same code was also found on the website of the Banco de la República Oriental del Uruguay, the largest state-owned bank in that South American country, according to BAE Systems.

Included in the list of targeted IP addresses were those of 19 organizations from Poland, 15 from the U.S., nine from Mexico, seven from the U.K., and six from Chile.

The payload of the exploits was a previously unknown malware downloader that Symantec now calls Downloader.Ratankba. Its purpose is to download another malicious program that can gather information from the compromised system. This second tool has code similarities to malware used in the past by the Lazarus group.

Lazarus has been operating since 2009, and has largely focused on targets from the U.S. and South Korea in the past, the Symantec researchers said. The group is also suspected of being involved in the theft of $81 million from the central bank of Bangladesh last year. In that attack, hackers used malware to manipulate the computers used by the bank to operate money transfers over the SWIFT network.

“The technical/forensic evidence to link the Lazarus group actors … to the watering-hole activity is unclear,” the BAE Systems researchers said in a blog post Sunday. “However, the choice of bank supervisor and state-bank websites would be apt, given their previous targeting of central banks for heists — even when it serves little operational benefit for infiltrating the wider banking sector.”