Please Don’t Sign it Mr. Trump, You Can’t Sign it…

(CNN) FBI Director James Comey warned Wednesday that Americans should not have expectations of “absolute privacy,” adding that he planned to finish his term leading the FBI.

“There is no such thing as absolute privacy in America; there is no place outside of judicial reach,” Comey said at a Boston College conference on cybersecurity. He made the remark as he discussed the rise of encryption since 2013 disclosures by former National Security Agency contractor Edward Snowden revealed sensitive US spy practices.
“Even our communications with our spouses, with our clergy members, with our attorneys are not absolutely private in America,” Comey added. “In appropriate circumstances, a judge can compel any one of us to testify in court about those very private communications.”
Did you get that? What? Keep reading, it gets worse….

Here’s the Data Republicans Just Allowed ISPs to Sell Without Your Consent

Privacy watchdogs blasted the vote as a brazen GOP giveaway to the broadband industry.

Motherboard: Financial and medical information. Social Security numbers. Web browsing history. Mobile app usage. Even the content of your emails and online chats.

These are among the types of private consumer information that House Republicans voted on Tuesday to allow your internet service provider (ISP) to sell to the highest bidder without your permission, prompting outrage from privacy watchdogs.

The House action, which was rammed through by a vote of 215 – 205 on a largely partisan basis by the GOP majority, represents another nail in the coffin of landmark Federal Communications Commission consumer privacy rules that were passed in 2016. The rules, which were set to go into effect later this year, would have required broadband providers to obtain “opt-in” consent before using, sharing, or selling private consumer data.

“Ignoring calls from thousands of their constituents, House Republicans just joined their colleagues in the Senate in violating internet users’ privacy rights,” Craig Aaron, CEO of DC-based public interest group Free Press Action Fund, said in a statement. “They voted to take away the privacy rights of hundreds of millions of Americans just so a few giant companies could pad their already considerable profits.”

Last week, the Senate passed its version of the legislation. President Trump, who “strongly” supports the FCC privacy rollback, is expected to sign the measure soon, as part of the widening Republican campaign to reverse federal safeguards across broad swaths of the economy, including rules protecting the environment, public health, and consumer interests.

Privacy watchdogs say the FCC’s policy is necessary because ISPs can see everything that consumers do online. Unless you use a Virtual Private Network (VPN), every website you visit, every mobile app you use, every online search you conduct, is visible on their networks. Needless to say, this data is immensely valuable because it can be used to create detailed profiles for marketing and tracking purposes.

Related reading: Is Your Favorite Website Spying on You?

Corporate giants like Comcast, AT&T and Verizon already rake in billions of dollars annually from internet, cable, and mobile subscriptions. Now, these broadband firms will be able to make even more money by selling your private data to third party marketers without your permission.


Last year, the FCC detailed the data covered by its privacy policy. Thanks to Capitol Hill Republicans, ISPs will no longer be required to obtain “opt-in” consent before using, sharing, or selling this data.

Image: FCC

“What the heck are you thinking?” Rep. Michael Capuano, the Massachusetts Democrat, demanded of his GOP colleagues during floor debate earlier Tuesday. “What is in your mind? Why would you want to give out any of your personal information to a faceless corporation for the sole purpose of them selling it?”

Privacy advocates are particularly outraged because Republican lawmakers are nuking the FCC privacy policy using a controversial legislative tool called the Congressional Review Act (CRA), which allows Congress to nullify recently-approved federal regulations. “Resolutions of disapproval” passed under the CRA cannot be filibustered, and prohibit the agency in question, in this case the FCC, from adopting “substantially similar” privacy rules in the future.

“Once President Trump signs this resolution, there will be no effective federal cop on the beat to proactively protect consumer information collected by ISPs,” Dallas Harris, Policy Fellow at DC-based digital rights group Public Knowledge, said in a statement. “Without the FCC’s broadband privacy rules, Americans go from being internet users to marketing data—from people to the product.”

It should come as no surprise that many of the Republicans leading the charge to roll back the FCC’s privacy rules, including Rep. Marsha Blackburn of Tennessee, have received vast sums of campaign cash from the broadband industry.

Over the course of Blackburn’s 14-year career in the House, she has received $75,750 from AT&T and $72,650 from Verizon, her second and third largest corporate donors, respectively, according to the Center for Responsive Politics. Blackburn has also received $66,000 from NCTA, the broadband industry trade group, and $49,500 from Comcast.

For the last year, the broadband industry has complained that the FCC’s privacy policy is unfair because it doesn’t apply to so-called “edge providers” like Google and Facebook, which are regulated by the Federal Trade Commission (FTC). But instead of fighting to bolster the FTC’s privacy policy to create a level playing field, Republican lawmakers instead chose to eliminate the FCC’s more robust protections. Now the measure moves to Trump’s desk.

“If President Trump was serious about his campaign promises to stand up for the rights of the individual over the powerful special interests in Washington DC, then he would veto this bill,” Nathan White, Senior Legislative Manager at Access Now, said in a statement.

Trump’s Son-in-Law to Head new WH Office

Really, at issue for smoother government operations is upgrading computer software across all agencies. Some parts of government are operating on Microsoft products that are no longer supported, while others in fact still use DOS. It was never a lack of appropriations by Congress, but rather the use of those funds for other expenditures, in some cases paying bonuses or travel to classes, seminars or training.

Rather than have the White House launch this initiative, an outside advisory group should be mobilized to introduce and demonstrate innovation, as the private sector is at the cutting edge. Each agency lead or cabinet secretary should submit a ‘wants and needs’ wish list so that outside groups can address those potential solutions; otherwise we end up with the fraud and collusion endured with the launch of the front-end, back-end and website for Obamacare. Anyone remember that disaster?


Anyway, the Obama administration did an innovation summit and solutions showcase at the White House. Has the Trump administration been through those files? Google visited the Obama White House at least once a week. This may be a good mission for government in the end, as Google is in fact offering some assistance to some issues the Trump White House is considering.

***

Trump Pledges New Office to Bring Business Innovation to Government Operations

The Trump administration is launching a new office to spur innovation in government operations, the White House announced Monday, promising to give business acumen a more prominent role in federal activities.

President Trump tapped Jared Kushner, his son-in-law and senior adviser, to lead the new White House Office of American Innovation. The administration is billing the initiative — first reported by The Washington Post — as a SWAT team of former business executives. The goal, the White House said, is to shake up the status quo of the federal bureaucracy by infusing new ideas that allow private enterprises to succeed.

The administration billed the office as non-partisan, looking for any new ideas from both inside and outside government. It will aim to make improvements at every federal agency, including through technology overhauls, projects stemming from Trump’s promised infrastructure investment and procurement reform. A particular area of focus will be improving the Veterans Affairs Department. The White House said the innovation office will function as a service organization offering its assistance to agencies.

Trump formally created the office through a presidential memorandum issued Monday, in which he vowed the office would “solve today’s most intractable problems.” It will consist of about a dozen existing White House staff and consult with the directors of the Office of Management and Budget and the Office of Science and Technology Policy. After hearing from private sector leaders and government officials, the office will make policy recommendations to the president and “coordinate implementation of any resulting plans.”

When an agency is struggling with certain projects, the office and its team of White House advisers and business leaders will come in to offer creative and cost-efficient solutions. The team will look to ensure agencies keep pace with the latest innovations in the private sector.

The office will “apply the president’s ahead-of-schedule and under budget mentality to a variety of government operations and services, enhancing the quality of life for all Americans,” White House Press Secretary Sean Spicer said Monday. He conceded that “government is not business,” as there are certain things that “business would never do” and government must pick up the slack. Business leaders, he explained, can “help us deliver a better product, a better service to the American people.”

The business leaders participating in the project are “looking to give back in some way, shape or form,” Spicer said.

The new office is the latest in a series of moves from Trump aiming to streamline government operations. Earlier this month, he issued an order calling for a “comprehensive plan for reorganizing the executive branch,” which will require a “thorough examination” of every agency to identify “where money can be saved and services improved.” Another order has sent task forces to every agency to identify regulations for elimination or modification.

It also follows initiatives by several recent presidential administrations to modernize and streamline the way agencies do their work. On the technology side, a key focus of the new innovation office, President Obama launched the U.S. Digital Service in 2014 as a White House office to offer a “SWAT team” in troubleshooting high-priority information technology projects, as well as the General Services Administration’s 18F to provide consultant services to agencies looking to build up new technology-based offerings. Still, Spicer said some functions of government are so “outdated and unmodernized” that agencies are no longer serving their constituencies.

Through his Grace Commission, President Reagan tapped business executives to help identify waste and inefficiencies in government.

“What we need from you and your expertise and your associates is to literally come in to the various departments and agencies of government and look at them as if you were considering a merger or a takeover, and to see how modern business practices could be put to work to make government more efficient and more effective,” Reagan told his group in 1982. The commission eventually identified $424 billion in cuts. “There are a million things that you think of and take for granted every day in your business that you’ll find they don’t take it for granted in Washington, and it isn’t done that way, and that’s what it’s all about,” Reagan said.

President Clinton’s National Partnership for Reinventing Government promised to remake the federal government. Its National Performance Review proposed 1,200 changes to “serve customers better,” similar to Kushner’s promise to “achieve successes and efficiencies for our customers, who are the citizens.”

WikiLeaks Releases CIA Cyber Docs, Problem?

Primer: Steve Bannon works for President Trump in the White House.

Steve Bannon is a star – for Al-Qaeda, that featured him on the cover of their newspaper


Then this headline….

The new scandal headline for today is WikiLeaks, which tells us it has published the largest cache of secret CIA documents relating to the CIA’s ability to hack, break encryption and install malware. Is this a problem? The problem is not the tools the CIA has; the problem is that someone inside the agency stole them and delivered them to WikiLeaks.

It is a good thing that the agency has these resources. Why, you ask?

Well… try this… The threat is real, from Russia, China, North Korea, Iran, Syria, Ukraine, al Qaeda and Islamic State…


Remember Stuxnet? This was a successful joint program with Israel under the Bush presidency to infect the Iranian nuclear program; it was designed to force the centrifuges to spin out of control, which they did. Ultimately, it caused the progress of the Iranian infrastructure to be delayed substantially. It was in fact later uncovered by cyber scientists working for Siemens, whose hardware and software platform served as the operating system. Good, right? Yes.


Well, there is more…

In recent years, Iran and North Korea have been sharing nuclear scientists and engineers, parts, testing and missile collaboration. So far, the missiles launched by North Korea have for the most part been unsuccessful, or at least did not achieve the ultimate objective, an official target strike. Why? Because of the United States. How so, you ask?

Over the weekend, North Korea fired off 4 missiles in succession toward Japan. They did not reach the mainland but did reach the waterway that is part of the Japanese economic zone for maritime operations. We have American cyberwarriors doing effective work causing the missiles to fly off course or to technically fail. The objective is to use non-explosive weaponry to foul North Korea’s, and hence Iran’s, missile program; while North Korea is not especially connected to the internet, some related systems are connected, and then there is electronic warfare.


We know that Islamic State is a terror operation that has militant cells in an estimated 30 countries. While they have depraved methods of murder, rape and terror, they too have a cyber operation.

The Will to Act

One question is whether ISIS will be consumed with the protection and continued expansion of its immediate fighting fronts, i.e., the “near enemy,” or whether its scope of vision includes America’s homeland. The Economist advances a strong case that desire for such expansion not only exists but will be exercised: “With its ideological ferocity, platoons of Western passport holders, hatred of America and determination to become the leader of global jihadism, ISIS will surely turn, sooner or later, to the ‘far enemy’ of America and Europe.”

And perhaps any doubt that the militants’ sights are on America was removed by ISIS leader Abu Bakr al-Baghdadi’s Sept. 22 call for jihadists to not wait for the order but to rise, take up arms, and “kill Americans and other infidels” wherever they are. Clearly the group is showing no hesitancy in its desire to strike the U.S. heartland on a personal scale.

Cyber Operations Capability?

As to whether ISIS will have the capability to mount cyber operations against the U.S., David DeWalt, head of cybersecurity firm FireEye, believes that ISIS will follow in the footsteps of the Syrian Electronic Army and the Iran-based Ajax Security Team to target the United States and other Western nations.

“We’ve begun to see signs that rebel terrorist organizations are attempting to gain access to cyber weaponry,” DeWalt stated recently. He added that booming underground markets dealing in malicious software make offensive cyber weapons just an “Internet transaction” away for groups such as ISIS. More here.

Is there more to this that we should know? Yes…

There is the Middle East and we have a major vested interest in the region.

***

Cybersecurity in the Gulf: The Middle East’s Virtual Frontline

Cybersecurity is often discussed in relation to the major global powers: China’s economic espionage, Russian influence operations, and U.S. dragnet global surveillance to thwart terrorism.

However, as other countries move to digitize their economies, cybercriminals are zeroing in on these new and lucrative targets while regional players are quickly incorporating cyber capabilities into their own arsenals for achieving strategic ends.

The Middle East, particularly the Gulf states, are quickly recognizing the urgent need for better cybersecurity, while regional adversaries such as Iran have begun weaponizing code as an extension of broader strategic goals within the region. What, though, is the Gulf’s current cybersecurity atmosphere, and how does Iran’s emerging use of offensive cyber capabilities fit into its broader strategy in the Middle East?

Wajdi Al Quliti, the Director of Information Technology at the Organization of Islamic Cooperation, notes that “the region’s dramatic strides towards digitization—expected to add over $800 billion to GDP and over 4 million jobs by 2020—is making the Gulf a major target for fast evolving cyber threats.” Much like other regions, the Gulf is finding it difficult to sufficiently create criminal deterrence due to segmented laws and difficulties in attribution. Al Quliti argues “cross-border cooperation and common cybersecurity structures could prove to be a game-changing advantage in the fight against cybercrime.” However, “the elephant in the room,” according to Al Quliti, “is the issue of state-sponsored hacking, in which case harmonized laws are unlikely to make a difference.”

A critical point in nation-state hacking in the Middle East begins with the Stuxnet worm. Discovered in 2010 burrowed deep in Iranian networks, the worm had slowly been sabotaging Iran’s nuclear ambitions. Then in 2011 CrySyS Lab discovered Duqu, a cyber espionage tool tailored to gather information from industrial control systems, and in 2012, Kaspersky Labs identified Flame, another espionage tool, targeting various organizations in the Middle East. Both Duqu and Flame are associated with Stuxnet and attributed back to the Equation Group, widely considered an arm of the National Security Agency.

In 2012, Iranian officials found a wiper virus erasing files in the network of the Oil Ministry headquarters in Tehran, leading the ministry to disconnect all oil terminals from the Internet to prevent the virus from spreading. It is uncertain who was behind the attacks, but a mere four months later, Saudi Arabia’s largest oil company, Saudi Aramco, was hit with a similar wiper virus known as Disttrack—possibly coopted from the previous attack on Iran’s oil industry.

The data-erasing malware sabotaged three-quarters, some 35,000, of the company’s computers while branding screens with an image of a burning American flag. A few months later, another wiper virus attacked Qatar’s RasGas.

Al Quliti identifies “the region’s heavy dependence on oil and gas—as well as the oil and gas-powered desalination plants that provide much of the region’s fresh water”—as “a source of cyber vulnerability,” adding that “any cyber attack on these installations could prove catastrophic and might result in a humanitarian disaster.”

The sabotage operations against the Gulf’s oil industry have been attributed by various cybersecurity firms—but not officially by any government—to a group called Shamoon, thought to be an arm of the Iranian government.

Michael Eisenstadt, the Director of the Military and Security Studies Program at the Washington Institute for Near East Policy, notes that “cyber allows Iran to strike at adversaries globally, instantaneously, and on a sustained basis, and to potentially achieve strategic effects in ways it cannot in the physical domain.” For example, in March 2016, the Justice Department indicted seven Iranian Revolutionary Guard members for distributed denial of service attacks against U.S. banks in 2012 in retaliation for Iran sanctions imposed the previous year, as well as for infiltrating the systems of a small New York dam in 2013—a possible testing ground for penetrating larger pieces of U.S. critical infrastructure. In 2014, the same year North Korea set its sights on Sony Pictures, Iran’s cyber capabilities again reached into the United States, using another wiper virus to sabotage the operations of the Las Vegas Sands casino, whose chief executive, a staunch supporter of Israel, had suggested detonating a nuclear bomb in the heart of Tehran.

Last November, right before a major OPEC meeting, a variation of the Disttrack wiper used against Saudi Aramco struck again, now fitted with a picture of Alan Kurdi, the drowned Syrian toddler who washed up in Turkey in 2015. The virus targeted six Saudi organizations, most notably the Saudi General Authority of Civil Aviation, delivering its payload at the close of business on a Thursday, the start of the Islamic weekend, for maximum impact. Some experts speculate the November attack could have also been a false-flag operation to derail the Iranian nuclear deal.

Interestingly, for both the 2012 and 2016 Shamoon attacks, the wiper came fitted with stolen login credentials that Symantec now believes could have been gleaned from a cyber espionage tool, known as Greenbug, found on one of the administrator computers of a Saudi organization targeted in November. The potential link between Greenbug and the Shamoon group opens up possible investigations into the group’s involvement in a host of other Greenbug attacks throughout the Middle East, including breaches in Saudi Arabia, Bahrain, Iraq, Qatar, Kuwait, Turkey, and even Iran—though likely for domestic surveillance on dissidents. Just last week, another wiper virus hit 15 Saudi organizations, including the Ministry of Labor, prompting the government to issue an urgent warning of pending Shamoon attacks.

Eisenstadt points out that “Iran’s cyber activities show that a third-tier cyber power can carry out significant nuisance and cost-imposing attacks,” and “its network reconnaissance activities seem to indicate that it is developing contingency plans to attack its enemies’ critical infrastructure.” According to Eisenstadt, it now seems that “in the past decade, Iran’s cyber toolkit has evolved from a low-tech means of lashing out at its enemies by defacing websites and conducting DDoS attacks, to a central pillar of its national security concept.”

Beginning to understand why the CIA and the other agencies are building cyber command war-rooms?


What did Google Know, When did They Know it?


A Glimpse Into How Much Google Knows About Russian Government Hackers

A 2014 leaked private report from Google shows how much the internet giant knows about government hacking groups.

Motherboard: In October of 2014 an American security company revealed that a group of hackers affiliated with the Russian government, dubbed APT28, had targeted Georgia and other Eastern European countries in a wide-ranging espionage campaign. Two and a half years later, APT28—also known as “Fancy Bear” or “Sofacy”—is a household name not just in the cybersecurity industry, but in the mainstream too, thanks to its attack on the US Democratic party and the ensuing leaks of documents and emails.

Before that report by FireEye, APT28 was a well-kept secret within the cybersecurity industry. At the time, several companies were willing to share information about the hacking group. Even Google investigated the group, and penned a 40-page technical report on the hacking group that has never been published before.

This sort of document, which Motherboard obtained from two independent sources, may be a common sight in the threat intelligence industry, but the public rarely gets to see what such a report from Google looks like. The report draws from one of Google’s most interesting sources of data when it comes to malware and cybersecurity threats: VirusTotal, a public malware repository that the internet giant acquired in 2012.

Sofacy and X-Agent, the report read, referring to the malware used by APT28, “are used by a sophisticated state-sponsored group targeting primarily former Soviet republics, NATO members, and other Western European countries.”


While Google security researchers don’t dwell on who’s really behind these operations, they do hint that they agree with the now widespread belief that APT28 works for the Russian government in a clever, indirect way—in the very title of the report: “Peering into the Aquarium.”

While that might seem like an obscure title, for those who follow Russian espionage activities, it’s a clear reference to the headquarters of the military intelligence agency known as GRU or Glavnoye Razvedyvatel’noye Upravleniye, which are popularly known as “The Aquarium.”

“It looks like Google researchers were well aware of Sofacy before it was publicly disclosed,” Matt Suiche, a security researcher and the founder of Comae Technologies and the OPCDE conference, told Motherboard in an online chat after reviewing the report. “And also attributed Sofacy and X-Agent to Russia before it was publicly done by FireEye, ESET or CrowdStrike.”

In its report, Google security researchers note that APT28 attacks a large number of targets with its first-stage malware Sofacy, but only uses the more tailored and sophisticated X-Agent, which was recently used against Ukraine’s military units, for “high-priority targets.”

“Sofacy was three times more common than X-Agent in the wild, with over 600 distinct samples,” Google’s report stated.

Asked for comment, a Google spokesperson said via email that the company’s “security teams are constantly monitoring potential threats to internet users, and regularly publish information to better protect them.”

The report noted that Georgia had the highest ratio of submissions of Sofacy malware, followed by Romania, Russia and Denmark.

While this report is now a bit dated, it shows that for all its sophistication, APT28 has often been caught in the act of hacking politically interesting targets, betraying the origin of the hackers behind the dry nickname. It also reveals how much a company like Google, which doesn’t have software installed on thousands of customers’ computers designed specifically to detect malware, as other antivirus and security vendors do, can still learn about government hacking groups thanks to the other data it has access to.

*** Related reading:

State-sponsored hackers targeting prominent journalists, Google warns

Politico: Google has warned a number of prominent journalists that state-sponsored hackers are attempting to steal their passwords and break into their inboxes, the journalists tell POLITICO.

Jonathan Chait of New York Magazine said he received several messages from Google warning him about an attack from a government-backed hacker starting shortly after the election. He said the most recent warning came two to three weeks ago.

Julia Ioffe, who recently started at The Atlantic and has covered Russia for years, said she got warnings as recently as two weeks ago. (See one of the warnings: http://bit.ly/2kMUyRb)

Some journalists getting the warnings say they suspect the hackers could be Russians looking to find incriminating emails they could leak to embarrass journalists, either by revealing alleged liberal bias or to expose the sausage-making of D.C. journalism.

“The fact that all this started right after the election suggests to me that journalists are the next wave to be targeted by state-sponsored hackers in the way that Democrats were during it,” said one journalist who got the warning. “I worry that the outcome is going to be the same: Someone, somewhere, is going to get hacked, and then the contents of their gmail will be weaponized against them — and by extension all media.”

The Russian embassy did not respond to a request for comment.


Google cautioned that the warnings did not mean the accounts had been compromised already and were sent due to “an abundance of caution.”

“Since 2012, we’ve notified users when we believe their Google accounts are being targeted by government-backed attackers,” said a Google spokesperson in a statement. “We send these warnings out of an abundance of caution — they do not indicate that a user’s account has already been compromised or that a more widespread attack is occurring when they receive the notice.”

Ezra Klein, the founder of Vox, said he had received the warning as recently as a few days back. CNN senior media reporter Brian Stelter said he has been getting the alerts for the past few months.

Other journalists who confirmed they’ve recently gotten the warnings include New York Times national security correspondent David Sanger, Times columnist Paul Krugman and Yahoo Washington bureau chief Garance Franke-Ruta.

GQ special contributor Keith Olbermann said the warnings started a few weeks after the election, and he received the most recent alert earlier this week, a “big bright red bar” across the top of his Gmail. Some of the reporters say they are tightening up their email security to try to prevent the hackers from getting in.

Chait also said he was “contacted over email by a stranger who offered to help me by giving me an encryption key to protect me from hackers. He would not give me his name, meet me or talk on the phone, despite repeated requests.”

The stranger also emailed The Atlantic’s David Frum, James Fallows and Adam Serwer, Andrew Sullivan and Ars Technica’s Dan Goodin.

Stanford professor Michael McFaul, the former U.S. ambassador to Russia, said he also received hacking warnings from Google. He added: “Given my background, one would have to guess that it’s the Russians.”

Operation Blockbuster: Lazarus Group Hacks Again

Why should you care? There was a long investigation, in separate yet concentrated efforts by both government and private/independent cyber corporations, into the hack of Sony. Enter the Lazarus Group, a name applied to hackers that have hit industries such as government, military, financial and entertainment. Few countries are really exempt, as their signature malware has also been found in Japan, India and China.


Lazarus Group has been active since 2009 and to date cannot be attributed to any single actor or country.

For the comprehensive report, go here.

Recent malware attacks on Polish banks tied to wider hacking campaign

Hackers targeted more than 100 organizations in more than 30 countries

ComputerWorld: Malware attacks that recently put the Polish banking sector on alert were part of a larger campaign that targeted financial organizations from more than 30 countries.

Researchers from Symantec and BAE Systems linked the malware used in the recently discovered Polish attack to similar attacks that have taken place since October in other countries. There are also similarities to tools previously used by a group of attackers known in the security industry as Lazarus.

The hackers compromised websites that were of interest to their ultimate targets, a technique known as watering-hole attacks. They then injected code into the websites that redirected visitors to a custom exploit kit.

The exploit kit contained exploits for known vulnerabilities in Silverlight and Flash Player; the exploits only activated for visitors who had Internet Protocol addresses from specific ranges.

“These IP addresses belong to 104 different organizations located in 31 different countries,” researchers from Symantec said in a blog post Sunday. “The vast majority of these organizations are banks, with a small number of telecoms and internet firms also on the list.”

In the case of the targeted Polish banks, it’s suspected that the malicious code was hosted on the website of the Polish Financial Supervision Authority, the government watchdog for the banking sector. The BAE Systems researchers found evidence that similar code pointing to the custom exploit kit was present on the website of the National Banking and Stock Commission of Mexico in November. This is the Mexican equivalent to the Polish Financial Supervision Authority.

The same code was also found on the website of the Banco de la República Oriental del Uruguay, the largest state-owned bank in that South American country, according to BAE Systems.

Included in the list of targeted IP addresses were those of 19 organizations from Poland, 15 from the U.S., nine from Mexico, seven from the U.K., and six from Chile.
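The pattern described above, a trusted site that redirects visitors to plugin exploits served only to selected IP ranges, can be turned into detection logic over proxy logs. This is an added example, not code from Symantec, BAE Systems or ComputerWorld; it assumes a simple constructed log format of `timestamp client host path`, and the site names, CIDR and log lines are constructed, not the campaign's real indicators.

```python
"""Flag watering-hole redirect chains in proxy logs (added example, constructed data)."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed: trusted sites staff visit routinely (the analogue of the
# financial regulator's website in the campaign described above).
WATCHED_SITES = {"regulator.example.gov"}
# Constructed: hosts that are allowed to serve browser plugin content.
PLUGIN_ALLOWLIST = {"cdn.example.com"}
# Silverlight (.xap) and Flash (.swf) content, the plugin formats the kit exploited.
PLUGIN_SUFFIXES = (".swf", ".xap")
# How long after a trusted-site visit a plugin fetch still counts as part of a chain.
WINDOW = timedelta(seconds=30)


@dataclass(frozen=True)
class Request:
    ts: datetime
    client: str
    host: str
    path: str


def parse_log_line(line: str) -> Request:
    """Parse one constructed proxy line: '<iso-timestamp> <client-ip> <host> <path>'."""
    ts, client, host, path = line.split()
    return Request(datetime.fromisoformat(ts), client, host, path)


def is_suspicious_plugin_fetch(req: Request) -> bool:
    """Plugin content pulled from a host that is not a known plugin CDN."""
    return req.path.lower().endswith(PLUGIN_SUFFIXES) and req.host not in PLUGIN_ALLOWLIST


def find_redirect_chains(log_text: str, targeted_ranges: list[str]) -> list[tuple[str, str, str, bool]]:
    """Return (client, watched_host, plugin_host, client_in_targeted_range) for each
    suspicious plugin fetch that follows a watched-site visit within WINDOW.

    targeted_ranges are CIDRs the kit is known to serve exploits to (constructed
    here). Clients outside them receive nothing from the kit, so a clean log for
    those clients is not evidence that the watched site itself is clean.
    """
    nets = [ipaddress.ip_network(cidr) for cidr in targeted_ranges]
    by_client: dict[str, list[Request]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            req = parse_log_line(line)
            by_client[req.client].append(req)

    hits: list[tuple[str, str, str, bool]] = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r.ts)
        targeted = any(ipaddress.ip_address(client) in net for net in nets)
        for i, req in enumerate(reqs):
            if not is_suspicious_plugin_fetch(req):
                continue
            # Walk back to the most recent watched-site request inside the window.
            for earlier in reversed(reqs[:i]):
                if req.ts - earlier.ts > WINDOW:
                    break
                if earlier.host in WATCHED_SITES:
                    hits.append((client, earlier.host, req.host, targeted))
                    break
    return hits


# Constructed sample: one targeted client hit, one non-targeted client hit,
# one plugin fetch too long after the visit to count, one allowlisted CDN fetch.
SAMPLE_LOG = """\
2017-02-03T09:00:01 203.0.113.10 regulator.example.gov /news/index.html
2017-02-03T09:00:02 203.0.113.10 regulator.example.gov /static/site.js
2017-02-03T09:00:05 203.0.113.10 kit.example.net /view/ld.swf
2017-02-03T09:01:00 203.0.113.10 cdn.example.com /player.swf
2017-02-03T09:10:00 198.51.100.7 regulator.example.gov /news/index.html
2017-02-03T09:10:03 198.51.100.7 kit.example.net /view/ld.xap
2017-02-03T10:00:00 192.0.2.55 regulator.example.gov /news/index.html
2017-02-03T10:30:00 192.0.2.55 kit.example.net /view/ld.swf
"""
TARGETED_RANGES = ["203.0.113.0/24"]  # constructed, not the campaign's real list

if __name__ == "__main__":
    for client, watched, plugin_host, targeted in find_redirect_chains(SAMPLE_LOG, TARGETED_RANGES):
        flag = "IN TARGETED RANGE" if targeted else "outside known ranges"
        print(f"{client}: {watched} -> {plugin_host} ({flag})")
```

The `targeted` flag only prioritises triage; an untargeted client that still completed the chain means the gating list is incomplete or has changed.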

The payload of the exploits was a previously unknown malware downloader that Symantec now calls Downloader.Ratankba. Its purpose is to download another malicious program that can gather information from the compromised system. This second tool has code similarities to malware used in the past by the Lazarus group.

Lazarus has been operating since 2009, and has largely focused on targets from the U.S. and South Korea in the past, the Symantec researchers said. The group is also suspected of being involved in the theft of $81 million from the central bank of Bangladesh last year. In that attack, hackers used malware to manipulate the computers used by the bank to operate money transfers over the SWIFT network.

“The technical/forensic evidence to link the Lazarus group actors … to the watering-hole activity is unclear,” the BAE Systems researchers said in a blog post Sunday. “However, the choice of bank supervisor and state-bank websites would be apt, given their previous targeting of central banks for heists — even when it serves little operational benefit for infiltrating the wider banking sector.”