Operation Blockbuster: Lazarus Group Hacks Again

Why should you care? Both government and private/independent cyber security firms ran long, separate yet concentrated investigations into the hack of Sony. Enter the Lazarus Group, a name applied to hackers that have hit industries such as government, military, financial and entertainment. Few countries are really exempt, as their signature malware has also been found in Japan, India and China.

Lazarus Group has been active since 2009 and to date cannot be attributed to any single actor or country.

For the comprehensive report on Operation Blockbuster, go here.

Recent malware attacks on Polish banks tied to wider hacking campaign

Hackers targeted more than 100 organizations in more than 30 countries

ComputerWorld: Malware attacks that recently put the Polish banking sector on alert were part of a larger campaign that targeted financial organizations from more than 30 countries.

Researchers from Symantec and BAE Systems linked the malware used in the recently discovered Polish attack to similar attacks that have taken place since October in other countries. There are also similarities to tools previously used by a group of attackers known in the security industry as Lazarus.

The hackers compromised websites that were of interest to their ultimate targets, a technique known as watering-hole attacks. They then injected code into the websites that redirected visitors to a custom exploit kit.

The exploit kit contained exploits for known vulnerabilities in Silverlight and Flash Player; the exploits only activated for visitors who had Internet Protocol addresses from specific ranges.

“These IP addresses belong to 104 different organizations located in 31 different countries,” researchers from Symantec said in a blog post Sunday. “The vast majority of these organizations are banks, with a small number of telecoms and internet firms also on the list.”
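The watering-hole chain above has two parts a defender can check for: code injected into a legitimate site that pulls in or redirects to an outside host, and targeting by visitor IP range. The following is an added example, not code from the ComputerWorld article or from Symantec or BAE Systems; every host name, address range and HTML fragment in it is constructed, and the "were we on the list?" check assumes the target ranges have been published.

```python
"""Added example, not part of the ComputerWorld article or any vendor report:
a defender-side check against the watering-hole pattern described above.
find_injected_references() lists the remote resources a served page pulls in
(script, iframe, object, embed, meta refresh) that do not belong to the site's
own hosts, which is how an injected redirect to an exploit kit would surface
in a page-integrity review. targeted_addresses() answers "were our egress
addresses inside the published target ranges?". Every host name, address
range and HTML fragment here is constructed for illustration."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class ExternalRefCollector(HTMLParser):
    # Tag -> attribute that loads remote content or redirects the visitor.
    REF_ATTRS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}

    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, url) pairs in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser already lower-cases tag and attribute names
        attr = self.REF_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.refs.append((tag, attrs[attr]))
        # <meta http-equiv="refresh" content="0;url=..."> is a client-side redirect.
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            content = attrs.get("content") or ""
            if "url=" in content.lower():
                self.refs.append(("meta-refresh", content.split("=", 1)[1].strip()))


def find_injected_references(html, allowed_hosts):
    """Return (tag, url) pairs whose host is outside allowed_hosts.
    Relative URLs resolve to the site itself and are treated as allowed."""
    parser = ExternalRefCollector()
    parser.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    suspicious = []
    for tag, url in parser.refs:
        host = urlparse(url).hostname
        if host is not None and host.lower() not in allowed:
            suspicious.append((tag, url))
    return suspicious


def targeted_addresses(egress_ips, targeted_ranges):
    """Return the egress addresses that fall inside any of the targeted CIDR ranges."""
    nets = [ipaddress.ip_network(r, strict=False) for r in targeted_ranges]
    return [ip for ip in egress_ips
            if any(ipaddress.ip_address(ip) in net for net in nets)]


# Constructed page snapshot: the site's own scripts plus an injected meta
# refresh and a hidden iframe pointing at an outside host (placeholder names).
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://www.example-regulator.test/js/app.js"></script>
<meta http-equiv="refresh" content="0;url=http://redirector.invalid/">
</head><body>
<iframe src="http://redirector.invalid/loader.html" width="1" height="1"></iframe>
<script src="//cdn.example-regulator.test/lib.js"></script>
</body></html>"""
ALLOWED_HOSTS = {"www.example-regulator.test", "cdn.example-regulator.test"}

# Constructed egress addresses and target ranges (RFC 5737 documentation space).
EGRESS_IPS = ["192.0.2.10", "198.51.100.5", "203.0.113.7"]
TARGET_RANGES = ["192.0.2.0/24", "203.0.113.0/25"]

if __name__ == "__main__":
    for tag, url in find_injected_references(SAMPLE_HTML, ALLOWED_HOSTS):
        print(f"unexpected {tag} reference: {url}")
    print("egress addresses inside target ranges:",
          targeted_addresses(EGRESS_IPS, TARGET_RANGES))
```

Running the integrity check against a periodic snapshot of each served page, diffed against the previous clean snapshot, turns a one-off review into a detection.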

In the case of the targeted Polish banks, it’s suspected that the malicious code was hosted on the website of the Polish Financial Supervision Authority, the government watchdog for the banking sector. The BAE Systems researchers found evidence that similar code pointing to the custom exploit kit was present on the website of the National Banking and Stock Commission of Mexico in November. This is the Mexican equivalent to the Polish Financial Supervision Authority.

The same code was also found on the website of the Banco de la República Oriental del Uruguay, the largest state-owned bank in that South American country, according to BAE Systems.

Included in the list of targeted IP addresses were those of 19 organizations from Poland, 15 from the U.S., nine from Mexico, seven from the U.K., and six from Chile.

The payload of the exploits was a previously unknown malware downloader that Symantec now calls Downloader.Ratankba. Its purpose is to download another malicious program that can gather information from the compromised system. This second tool has code similarities to malware used in the past by the Lazarus group.

Lazarus has been operating since 2009, and has largely focused on targets from the U.S. and South Korea in the past, the Symantec researchers said. The group is also suspected of being involved in the theft of $81 million from the central bank of Bangladesh last year. In that attack, hackers used malware to manipulate the computers used by the bank to operate money transfers over the SWIFT network.

“The technical/forensic evidence to link the Lazarus group actors … to the watering-hole activity is unclear,” the BAE Systems researchers said in a blog post Sunday. “However, the choice of bank supervisor and state-bank websites would be apt, given their previous targeting of central banks for heists — even when it serves little operational benefit for infiltrating the wider banking sector.”

The Other NSA Thief Indicted, Worse than Snowden?

What is going on at the NSA? Or is it really the NSA contractor, Booz Allen Hamilton? Either way…this is beyond dangerous.

Bring in Harold Martin…

Read the full indictment here.

According to an indictment released Wednesday, the information stolen by Harold Martin, a former NSA contractor who was arrested in August of last year, may be far more damaging to the U.S. intelligence community than anything taken by Edward Snowden.

On October 5, the New York Times broke the story that the FBI had arrested an employee of the intelligence community over suspicions the worker had stolen highly classified computer code.

From that report:

“The contractor was identified as Harold T. Martin III of Glen Burnie, Md., according to a criminal complaint filed in late August and unsealed Wednesday. Mr. Martin, who at the time of his arrest was working as a contractor for the Defense Department after leaving the NSA, was charged with theft of government property and the unauthorized removal or retention of classified documents.”

According to the Times, a neighbor saw “two dozen FBI agents wearing military-style uniforms and armed with long guns” storm Martin’s home and later escort the man out in handcuffs.

At the time, there was speculation that Martin could be connected to stolen NSA code that found its way into the hands of a group called the Shadow Brokers — for a period, Martin worked for the elite NSA unit from which the data was taken — but even now, authorities can’t prove he actually passed on any information.

But the mere fact that he possessed such highly sensitive material is enough to put Martin away for the rest of his life, as the recently released indictment indicates.

“For more than two decades,” Business Insider wrote on Thursday, “Martin allegedly made off with highly-classified documents that were found in his home and car that included discussions of the US military’s capabilities and gaps in cyberspace, specific targets, and ‘extremely sensitive’ operations against terror groups, according to an indictment released Wednesday.”

The indictment gives the public a much clearer look at the type of data Martin allegedly stole. And next to Edward Snowden, whose security clearance limited the documents he took to mostly training materials, it appears Harold Martin’s reach went far further into the national intelligence community.

Martin is charged with 20 counts of having unauthorized possession of classified material. The government alleges that over his long intelligence career, the 51-year-old took material from the NSA, the National Reconnaissance Office, U.S. Cyber Command, and even the CIA.

Some of the items allegedly taken, according to text from the indictment, include:

A 2008 CIA document containing information regarding foreign intelligence collection sources and methods, and relating to a foreign intelligence collection target.

A USCYBERCOM document, dated August 17, 2016, discussing capabilities and gaps in capabilities of the US military and details of specific operations.

A description of the technical architecture of an NSA communications system.

An outline of a classified exercise involving real-world NSA and US military resources to demonstrate existing cyber intelligence and operational capabilities.

Martin’s first court appearance is set for February 14. If found guilty, he faces up to 200 years in prison. More here.

***

Meanwhile, Putin is allegedly considering returning Edward Snowden to the United States as a goodwill gesture. If so, it is a double game as Putin would never do anything out of kindness without something attached. If Snowden does stand trial for treason/espionage or theft, the United States would then have to offer up classified material and reveal sources and methods which is likely what Russia wants. The Kremlin extended the visa for Snowden until 2020.

***

In part from NBC: Snowden’s ACLU lawyer, Ben Wizner, told NBC News they are unaware of any plans that would send him back to the United States.

“Team Snowden has received no such signals and has no new reason for concern,” Wizner said.

Snowden responded to NBC’s report on Twitter and said it shows that he did not work with the Russian government.

“Finally: irrefutable evidence that I never cooperated with Russian intel,” Snowden said. “No country trades away spies, as the rest would fear they’re next.”

Snowden’s Russian lawyer, Anatoly Kucherena, reacted to the report with dismay.

“There are no reasons to extradite Edward Snowden to the U.S.,” Kucherena said, according to TASS, the state-owned news agency. “This is some kind of speculation coming from so-called US special service sources. I think this topic was and remains on the political plane in the U.S., but it’s American special services that are puppeteering this story with sporadic information plants.”

“There is not the slightest reason to raise or discuss this topic in Russia,” Kucherena said.

Russia, he said, does not sell people. “The Snowden issue cannot be a bargaining chip on any level, neither political nor economic,” he said, according to the news agency.

Former deputy national security adviser Juan Zarate urged the Trump administration to be cautious in accepting any Snowden offer from Russian President Vladimir Putin.

“For Russia, this would be a win-win. They’ve already extracted what they needed from Edward Snowden in terms of information and they’ve certainly used him to beat the United States over the head in terms of its surveillance and cyber activity,” Zarate said.

Russian Hacking: We Knew Because We Had an Inside Operative(s)

This Executive Order is in draft form and does not include Russia, which is quite curious. The question of ‘why’ must be asked based on information noted below.

The Trump administration’s draft of the executive order on cybersecurity obtained by the Washington Post by April Glaser on Scribd

Those involved in internet forensics, who track hackers, malicious code, malware, ransomware and intrusions, are all dedicated to finding the cracks in code and, even more, to finding the hackers while further understanding their code and patterns. I get emails about this topic every day that include a variety of global companies operating in this realm.

Back in December of 2015, ODNI James Clapper announced Russian intrusions into several American infrastructure locations. This was before the announcement of Russian intrusions into the U.S. political apparatus. It can be presumed the United States has long had the help of operatives inside adversarial countries, most of all Russia. Spies are out there and further, it is estimated there are 100,000 foreign spies inside the United States as of this moment. Heh, before Barack Obama left his presidency, he did expel many Russians and closed two Russian compounds.

In 2014, U.S. cyber operations quietly penetrated Russian systems without declaring in specific language the exact operations.

In 2014, National Security Agency chief Adm. Mike Rogers told Congress that U.S. adversaries are performing electronic “reconnaissance” on a regular basis so that they can be in a position to disrupt the industrial control systems that run everything from chemical facilities to water treatment plants.

“All of that leads me to believe it is only a matter of when, not if, we are going to see something dramatic,” he said at the time.

Rogers didn’t discuss the U.S.’s own penetration of adversary networks. But the hacking undertaken by the NSA, which regularly penetrates foreign networks to gather intelligence, is very similar to the hacking needed to plant precursors for cyber weapons, said Gary Brown, a retired colonel and former legal adviser to U.S. Cyber Command, the military’s digital war fighting arm. More here.

It is unclear if we have recruited people inside Russia to work on the behalf of the United States, but clues tell us we did, with success.

In part from RFE/RL: At the simplest level, two FSB officers working in cyberdefense, Sergei Mikhailov and Dmitry Dokuchayev, as well as Ruslan Stoyanov, a former Interior Ministry official who works for the cyber security company Kaspersky Lab, are reportedly being charged with espionage.

According to Russian media reports, Mikhailov is suspected of alerting U.S. intelligence to the FSB’s connection to a Russian server-rental company called King Servers.

Last year, the U.S.-based cybersecurity firm ThreatConnect had identified King Servers as the nexus for hacking attacks against the United States.

If U.S. intelligence did indeed have a highly placed source like Mikhailov, it would explain why it was able to conclude with such a high degree of confidence that Russia was behind the cyberattacks during the election campaign.

The timing of the arrests and the timing of the decision by former U.S. President Barack Obama to declassify and make public parts of the U.S. intelligence report on the alleged Russian hacking also makes sense.

Mikhailov was arrested in December. And the U.S. released the intelligence report a month later, in January.

If Mikhailov was indeed a source, then Washington would have been reluctant to declassify its intelligence for fear of compromising him.

After he was arrested, this, of course, would no longer be an issue.

So far, so straightforward. Until it isn’t.

Leaks to the Russian media have also connected Mikhailov and his subordinate Dokuchayev to a hacker group known as Shaltai-Boltai, or Humpty Dumpty, which in the past has released embarrassing material about top Russian officials.

Vladimir Anikeyev, the founder of Shaltai-Boltai, has also been arrested, but is not being charged with espionage.

Moreover, Russian media reports claim that Dokuchayev is actually a former hacker known as Forb, who was serving a prison sentence for credit-card theft when he was recruited by the FSB, where he held the rank of major.

As Leonid Bershidsky notes in his column for Bloomberg, “parallel to their official duties, officers often run private security operations involving blackmail and protection. If Mikhailov ran such a business out of the FSB’s Information Security Center, he wouldn’t stand out among his colleagues.”

And it’s also not unusual for the FSB to recruit former hackers. In fact, it’s pretty much standard practice.

This is where the story diverts into the murky world of FSB officers and their civilian collaborators monetizing their positions and forming protection rackets.

“An FSB officer, recruited from the hacking community, can use his rank and position to obtain compromising material and sell it to wealthy clients. A team profiting from these opportunities can include both officers and civilians,” Bershidsky writes.

“The Russian government can hire such a team through intermediaries if it needs something sensitive done — but so can foreign intelligence services. It’s a murky world in which actors are both predator and prey. The Kremlin enjoys access to brilliant and unscrupulous people; the downside, of course, is that they may be hard to control.”

If you follow this line of logic, then it’s easy to imagine that Mikhailov and Dokuchayev inadvertently or unwittingly sold information exposing King Servers’ FSB connections to a front for U.S. intelligence.

But the fact of the matter is we simply don’t know.

And if things aren’t confusing enough yet, there is also the matter of the bitter personal and clan rivalries in the shadow world of the Russian security services.

In a recent post on his blog KrebsOnSecurity, Brian Krebs, author of the book Spam Nation: The Inside Story Of Organized Cybercrime, suggested the whole affair might be traced to a personal rivalry between Mikhailov and Pavel Vrublevsky, an Internet businessman whose partner owns King Servers.

Mark Galeotti, an expert on Russia’s security services and a senior research fellow at the Institute of International Relations in Prague, notes that the FSB’s Information Security Center, which Mikhailov headed and where Dokuchayev was his subordinate, has emerged as “a pivotal agency” and “a source of power.”

And this makes it a prime arena for fierce rivalries and power plays.

“This is probably an intelligence leak that is being cleared up. But the question is: why now? And I wonder if domestic politics explains the leaking of the information now. It could be a rebuke to the FSB for having messed up,” Galeotti said on last week’s Power Vertical Podcast.

High Risk: National Security Personnel in Foreign-Owned Buildings

Oh Donald, Mr. President sir…you’re the expert here….need an immediate executive order on this one. By the way, don’t stay in the Waldorf Astoria any more, perhaps don’t go to movie theaters either if you’re concerned for personal reasons.

First on CNN: Report finds national security agencies at risk in foreign-owned buildings

Washington (CNN) US law-enforcement agencies are at risk of being spied on and hacked because some of their field offices are located in foreign-owned buildings without even knowing it, according to a new government report.

The report by the Government Accountability Office, which was obtained by CNN and is due to be released later Monday, reveals that a number of FBI, Homeland Security, Secret Service and Drug Enforcement Agency offices across the country are housed in space leased from firms based in China and other nations.

Experts told the GAO that the agencies could be vulnerable to espionage and cyber intrusions because the foreign owners could gain unauthorized access to the properties, be able to secretly install surveillance equipment, and have knowledge of building systems like heating, ventilation and electronics which could facilitate hacking.

The General Services Administration, which handles leasing for many federal agencies, is renting space in 20 buildings from foreign owners — and its investigators were unable to identify who the property owners were for about one-third of the government’s more than 1,400 “high-security leases.”

Nine of the 14 agencies the GAO contacted were unaware the building space they were using was foreign owned.

“It’s an eye opener,” Rep. Jason Chaffetz, R-Utah, told CNN about the report. “Certainly our security professionals should know who owns the piping in the buildings that they occupy.”

Chaffetz, along with Sen. Tammy Duckworth, D-Illinois, and Rep. Elijah Cummings, D-Maryland, called for the GAO review.

The chairman of the House Oversight and Government Reform Committee said he doesn’t necessarily think the agencies should be barred from leasing office space from foreign owners, but added that he would feel “much more comfortable if they’re at least aware.”

Currently, the GSA is not required to determine whether a building is foreign owned when it is considering whether to lease space.

Among the report’s findings were that DEA, Homeland Security and Secret Service offices in Little Rock, Arkansas, Jacksonville, Florida, and Shreveport, Louisiana, along with an FBI office in St. Louis, Missouri, were leased from “Gemini Investments” — a company based in China.

The GAO report noted that Chinese-owned properties were of particular concern because the country has been linked to numerous instances of hacking.

After the Waldorf-Astoria Hotel in Manhattan was sold to Chinese investors, then-President Barack Obama didn’t stay there, as had long been the custom of US presidents, with security concerns being one of the factors.

Other federal offices listed in the study are located in buildings owned by companies in Canada, Israel, the United Kingdom, Germany, South Korea and Japan.

GAO investigators talked to officials who assess foreign investments in the US, as well as real estate representatives, who warned about the potential danger.

“ … (L)easing space in foreign-owned buildings could present security risks such as espionage, unauthorized cyber and physical access to the facilities, and sabotage,” the report said. “For example, a DHS foreign investment official said that potential threat actors could coerce owners into collecting intelligence about the personnel and activities of the facilities when maintaining the property.”

The report also noted other possible “insider threats,” referring to “disgruntled employees, contractors, or other persons abusing their position of trust” who pose a “significant threat” to building access.

But this doesn’t mean that the threats have materialized. Chaffetz said he was unaware of any specific instances where sensitive information had been compromised. The report also said two real estate representatives determined it wasn’t a security risk to lease foreign-owned space.

“One of the representatives said that access at high-security facilities is strictly controlled, including access by the owners, and that passive investors in properties do not have access to the buildings,” the report said.

In addition to hacking and espionage, the report also cautioned that renting from foreign owners presented the possibility of the US agencies becoming unwittingly involved in money laundering, since real estate purchases are often used to conceal the criminal source of the investment funds.

The report recommended that the GSA should start informing the agencies if their space is foreign owned, so they can put the necessary security precautions in place. The GSA said it agreed with the recommendation.

“I hope this is a wake-up call,” Chaffetz said.

Russia Arrests Kaspersky Investigator in ‘Treason Probe’

Russian President-elect Dmitry Medvedev, right, speaks with Yevgeny Kaspersky, head of the Kaspersky Lab company, at the 2008 Internet Forum outside Moscow, Thursday, April 3, 2008. (AP Photo/RIA-Novosti, Mikhail Klimentyev, Pool)

Forbes: One of Russia’s most successful cybercrime investigators and hacker hunters at one of the world’s biggest security companies, Kaspersky Lab, has been arrested by Russian law enforcement as part of a probe into possible treason, according to reports. Kaspersky has confirmed that its incident response chief Ruslan Stoyanov was at the center of an investigation, but could not offer more details.

“This case is not related to Kaspersky Lab. Ruslan Stoyanov is under investigation for a period predating his employment at Kaspersky Lab,” a Kaspersky spokesperson said in an emailed statement. “We do not possess details of the investigation. The work of Kaspersky Lab’s Computer Incidents Investigation Team is unaffected by these developments.”

Reports of the arrest landed today from national paper Kommersant, which said Stoyanov’s arrest may be tied to an investigation into Sergei Mikhailov, deputy head of the information security department of the FSB, Russia’s national security service. Both men were said to have been arrested in December. Kommersant cited sources who claimed the investigation was exploring the receipt of money from foreign companies by Stoyanov and his links to Mikhailov.

The FBI consistently investigates Russian cybercrime operations, the best-known case being the alleged 2016 hacks of the U.S. election, following a breach at the Democratic National Committee.

Major player in fighting Russian cybercrime

In his role at Kaspersky, Stoyanov was in charge of incident response, the group that helped organizations investigate and recover from breaches or other security events. According to his LinkedIn profile, prior to his 2012 move to Kaspersky, he spent six years as a major in the Ministry of Interior’s cybercrime unit between 2000 and 2006 before moving into the private sector.

A source familiar with Stoyanov’s past work told FORBES that during his time chasing cybercriminals for the Russian government, he was the lead investigator into a hacker crew that was launching denial of service attacks on U.K. betting shops, extorting them for a total of $4 million. Three individuals were arrested and each sentenced in 2006 to eight years in prison.

In recent years, Stoyanov has assisted Russian authorities in some major investigations into cybercrime, including one that led to arrests of 50 individuals involved in the Lurk gang, which stole as much as $45 million from local banks.

“Stoyanov was involved in every big arrest of cybercriminals in Russia in past years,” the source added.

Kaspersky has repeatedly aroused suspicion in the U.S. for its ties to the Kremlin, thanks to articles alleging CEO Eugene Kaspersky’s ties with the state. The firm has denied any collusion with the government, however. The charismatic chief wrote in FORBES in 2015 that he had never worked for the FSB and his companies had no ties to Russia or any other government. He wrote: “A few reporters who seem to be openly hostile to Kaspersky Lab will no doubt be planning their next fictional installment.”

**** Was this because Kaspersky blew the whistle on the hack of the NSA which maybe had Russian fingerprints? Let’s see…

In part from Motherboard: A mysterious hacker or hackers going by the name “The Shadow Brokers” claims to have hacked a group linked to the NSA and dumped a bunch of its hacking tools. In a bizarre twist, the hackers are also asking for 1 million bitcoin (around $568 million) in an auction to release more files.

“Attention government sponsors of cyber warfare and those who profit from it!!!!” the hackers wrote in a manifesto posted on Pastebin, on GitHub, and on a dedicated Tumblr. “How much you pay for enemies cyber weapons? […] We find cyber weapons made by creators of stuxnet, duqu, flame.”

The hackers referred to their victims as the Equation Group, a codename for a government hacking group widely believed to be the NSA.

The security firm Kaspersky Lab unmasked Equation Group in 2015, billing it as the most advanced hacking group Kaspersky researchers had ever seen. While Kaspersky Lab stopped short of saying it’s the NSA, its researchers laid out extensive evidence pointing to the American spy agency, including a long series of codenames used by the Equation Group and found in top secret NSA documents released by Edward Snowden. The Equation Group, according to Kaspersky Lab, targeted the same victims as the group behind Stuxnet, which is widely believed to have been a joint US-Israeli operation targeting Iran’s nuclear program, and also used two of the same zero-day exploits.

The Shadow Brokers claimed to have hacked the Equation Group and stolen some of its hacking tools. They publicized the dump on Saturday, tweeting a link to the manifesto to a series of media companies.

The dumped files mostly contain installation scripts, configurations for command and control servers, and exploits targeted to specific routers and firewalls. The names of some of the tools correspond with names used in Snowden documents, such as “BANANAGLEE” or “EPICBANANA.” Read more here from Motherboard.